diff --git a/.gitignore b/.gitignore
index 378eac25d3..d59a62b7e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 build
+tmp
diff --git a/.gitmodules b/.gitmodules
index e2dcd2b8a4..95053091cf 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,12 +1,18 @@
 [submodule "aux/bro-aux"]
 	path = aux/bro-aux
-	url = git://git.icir.org/bro-aux
+	url = git://git.bro-ids.org/bro-aux
 [submodule "aux/binpac"]
 	path = aux/binpac
-	url = git://git.icir.org/binpac
+	url = git://git.bro-ids.org/binpac
 [submodule "aux/broccoli"]
 	path = aux/broccoli
-	url = git://git.icir.org/broccoli
+	url = git://git.bro-ids.org/broccoli
 [submodule "aux/broctl"]
 	path = aux/broctl
-	url = git://git.icir.org/broctl
+	url = git://git.bro-ids.org/broctl
+[submodule "aux/btest"]
+	path = aux/btest
+	url = git://git.bro-ids.org/btest
+[submodule "cmake"]
+	path = cmake
+	url = git://git.bro-ids.org/cmake
diff --git a/CHANGES b/CHANGES
index f2f271e141..9286a5409e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,1746 @@
-@(#) $Id: CHANGES 7076 2010-09-13 02:42:27Z vern $
 
--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+2.0-57 | 2012-02-10 00:02:35 -0800
+
+  * Fix typos in the documentation. (Daniel Thayer)
+
+  * Fix compiler warning about Brofiler ctor init list order. (Jon Siwek)
+
+  * Fix missing optional field access in webapp signature_match handler. (Jon Siwek)
+
+2.0-41 | 2012-02-03 04:10:53 -0500
+
+  * Updates to the Software framework to simplify the API. (Bernhard
+    Amann)
+
+2.0-40 | 2012-02-03 01:55:27 -0800
+
+  * Fix typos in documentation. (Daniel Thayer)
+    
+  * Fix sorting of lines in Brofiler coverage.log. (Daniel Thayer)
+    
+2.0-38 | 2012-01-31 11:50:53 -0800
+
+  * Canonify sorting of lines in Brofiler coverage.log. (Daniel
+    Thayer)
+
+2.0-36 | 2012-01-27 10:38:14 -0800
+
+  * New "Brofiler" mode that tracks and records script statements
+    executed during runtime. (Jon Siwek)
+
+    Use the BROFILER_FILE environment variable to point to a file in
+    which statement usage statistics from Bro script-layer can be
+    output.
+
+    Script statements that should be ignored can be marked with a "#
+    @no-test" comment. For example:
+
+        print "don't cover"; # @no-test
+
+        if ( F )
+            { # @no-test
+            ...
+            }
+
+  * Integrated coverage measurement into test-suite. (Jon Siwek)
+
+2.0-20 | 2012-01-25 16:34:51 -0800
+
+  * BiF cleanup (Matthias Vallentin)
+
+      - Rename NFS3::mode2string to a more generic file_mode().
+
+      - Unify do_profiling()/make_connection_persistent()/expect_connection()
+        to return any (i.e., nothing) instead of bools.
+
+      - Perform type checking on count-to-port conversion. Related to #684.
+
+      - Remove redundant connection_record() BiF. The same
+        functionality is provided by lookup_connection().
+
+      - Remove redundant active_connection() BiF. The same
+        functionality is provided by connection_exists().
+
+      - exit() now takes the exit code as argument.
+
+      - to_port() now received a string instead of a count.
+        
+2.0-9 | 2012-01-25 13:47:13 -0800
+
+  * Allow local table variables to be initialized with {} list
+    expressions. (Jon Siwek)
+
+2.0-7 | 2012-01-25 13:38:09 -0800
+
+  * Teach CompHash to allow indexing by records with vector/table/set
+    fields. Addresses #464. (Jon Siwek)
+
+2.0-5 | 2012-01-25 13:25:19 -0800
+
+  * Fixed a bug resulting in over-logging of detected webapps. (Seth Hall)
+
+  * Make communication log baseline test more reliable. (Jon Siwek)
+    
+  * Fixed some broken links in documentation. (Daniel Thayer)
+    
+2.0 | 2012-01-11 13:52:22 -0800
+
+  * Adding script reference documentation. (The Team).
+
+2.0-beta-194 | 2012-01-10 10:44:32 -0800
+
+  * Added an option for filtering out URLs before they are turned into
+    HTTP::Incorrect_File_Type notices. (Seth Hall)
+
+  * Fix ref counting bug in BIFs that call internal_type. Addresses
+    #740. (Jon Siwek)
+
+  * Adding back the stats.bro file. (Seth Hall)
+
+
+2.0-beta-188 | 2012-01-10 09:49:29 -0800
+
+  * Change SFTP/SCP log rotators to use 4-digit year in filenames
+    Fixes #745. (Jon Siwek)
+
+  * Adding back the stats.bro file. Addresses #656. (Seth Hall)
+
+2.0-beta-185 | 2012-01-09 18:00:50 -0800
+
+  * Tweaks for OpenBSD support. (Jon Siwek)
+
+2.0-beta-181 | 2012-01-08 20:49:04 -0800
+
+  * Add SFTP log postprocessor that transfers logs to remote hosts.
+    Addresses #737. (Jon Siwek)
+
+  * Add FAQ entry about disabling NIC offloading features. (Jon Siwek)
+    
+  * Add a file NEWS with release notes. (Robin Sommer)
+
+2.0-beta-177 | 2012-01-05 15:01:07 -0800
+
+  * Replace the --snaplen/-l command line option with a
+    scripting-layer option called "snaplen" (which can also be
+    redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).
+
+  * Reduce snaplen default from 65535 to old default of 8192. Fixes
+    #720. (Jon Siwek)
+
+2.0-beta-174 | 2012-01-04 12:47:10 -0800
+
+  * SSL improvements. (Seth Hall)
+    
+    - Added the ssl_session_ticket_handshake event back.
+
+    - Fixed a few bugs.
+      
+    - Removed the SSLv2.cc file since it's not used.
+      
+2.0-beta-169 | 2012-01-04 12:44:39 -0800
+
+  * Tuning the pretty-printed alarm mails, which now include the
+    covered time range into the subject. (Robin Sommer)
+
+  * Adding top-level "test" target to Makefile. (Robin Sommer)
+    
+  * Adding SWIG as dependency to INSTALL. (Robin Sommer)
+    
+2.0-beta-155 | 2012-01-03 15:42:32 -0800
+
+  * Remove dead code related to record type inheritance. (Jon Siwek)
+
+2.0-beta-152 | 2012-01-03 14:51:34 -0800
+
+  * Notices now record the transport-layer protocol. (Bernhard Amann)
+
+2.0-beta-150 | 2012-01-03 14:42:45 -0800
+
+  * CMake 2.6 top-level 'install' target compat. Fixes #729. (Jon Siwek)
+
+  * Minor fixes to test process. Addresses #298.
+    
+  * Increase timeout interval of communication-related btests. (Jon Siwek)
+
+2.0-beta-145 | 2011-12-19 11:37:15 -0800
+
+  * Empty fields are now logged as "(empty)" by default. (Robin
+    Sommer)
+
+  * In log headers, only escape information when necessary. (Robin
+    Sommer)
+
+2.0-beta-139 | 2011-12-19 07:06:29 -0800
+
+  * The hostname notice email extension works now, plus a general
+    mechanism for adding delayed information to notices. (Seth Hall)
+
+  * Fix &default fields in records not being initialized in coerced
+    assignments. Addresses #722. (Jon Siwek)
+
+  * Make log headers include the type of data stored inside a set or
+    vector ("vector[string]"). (Bernhard Amann)
+
+2.0-beta-126 | 2011-12-18 15:18:05 -0800
+
+  * DNS updates.  (Seth Hall)
+
+    - Fixed some bugs with capturing data in the base DNS script.
+
+    - Answers and TTLs are now vectors.
+      
+    - A warning that was being generated (dns_reply_seen_after_done)
+      from transaction ID reuse is fixed.
+
+  * SSL updates. (Seth Hall)
+
+    - Added is_orig fields to the SSL events and adapted script.
+      
+    - Added a field named last_alert to the SSL log.
+      
+    - The x509_certificate function has an is_orig field now instead
+      of is_server and its position in the argument list has moved.
+
+    - A bit of reorganization and cleanup in the core analyzer. (Seth
+      Hall)
+
+2.0-beta-121 | 2011-12-18 15:10:15 -0800
+
+  * Enable warnings for malformed Broxygen xref roles. (Jon Siwek)
+
+  * Fix Broxygen confusing scoped IDs at start of line as function
+    parameter. (Jon Siwek)
+
+  * Allow Broxygen markup "##<" for more general use. (Jon Siwek)
+    
+2.0-beta-116 | 2011-12-16 02:38:27 -0800
+
+  * Cleanup some misc Broxygen css/js stuff. (Jon Siwek)
+
+  * Add search box to Broxygen docs. Fixes #726. (Jon Siwek)
+
+  * Fixed major bug with cluster synchronization, which was not
+    working. (Seth Hall)
+
+  * Fix missing action in notice policy for looking up GeoIP data.
+    (Jon Siwek)
+
+  * Better persistent state configuration warning messages (fixes
+    #433). (Jon Siwek)
+
+  * Renaming HTTP::SQL_Injection_Attack_Against to
+    HTTP::SQL_Injection_Victim. (Seth Hall).
+
+  * Fixed DPD signatures for IRC. Fixes #311. (Seth Hall)
+    
+  * Removing Off_Port_Protocol_Found notice. (Seth Hall)
+
+  * Teach Broxygen to more generally reference attribute values by name. (Jon Siwek)
+
+  * SSH::Interesting_Hostname_Login cleanup.  Fixes #664. (Seth Hall)
+    
+  * Fixed bug that was causing the malware hash registry script to
+    break. (Seth Hall)
+
+  * Remove remnant of libmagic optionality. (Jon Siwek)
+
+2.0-beta-98 | 2011-12-07 08:12:08 -0800
+
+  * Adapting test-suite's diff-all so that it expands globs in both
+    current and baseline directory. Closes #677. (Robin Sommer)
+
+2.0-beta-97 | 2011-12-06 11:49:29 -0800
+
+  * Omit loading local-<node>.bro scripts from base cluster framework.
+    Addresses #663 (Jon Siwek)
+
+2.0-beta-94 | 2011-12-03 15:57:19 -0800
+
+  * Adapting attribute serialization when talking to Broccoli. (Robin
+    Sommer)
+
+2.0-beta-92 | 2011-12-03 15:56:03 -0800
+
+  * Changes to Broxygen master script package index.  (Jon Siwek)
+
+    - Now only lists packages as those directories in the script hierarchy
+      that contain an __load__.bro file.
+
+    - Script packages (dirs with a __load__.bro file), can now include
+      a README (in reST format) that will automatically be appended
+      under the link to a specific package in the master package
+      index.
+
+2.0-beta-88 | 2011-12-02 17:00:58 -0800
+
+  * Teach LogWriterAscii to use BRO_LOG_SUFFIX environemt variable.
+    Addresses #704. (Jon Siwek)
+
+  * Fix double-free of DNS_Mgr_Request object. Addresses #661.
+    
+  * Add a remote_log_peer event which comes with an event_peer record
+    parameter. Addresses #493. (Jon Siwek)
+
+  * Remove example redef of SMTP::entity_excerpt_len from local.bro.
+    Fixes error emitted when loading local.bro in bare mode. (Jon
+    Siwek)
+
+  * Add missing doc targets to top Makefile; remove old doc/Makefile.
+    Fixes #705. (Jon Siwek)
+
+  * Turn some globals into constants. Addresses #633. (Seth Hall)
+    
+  * Rearrange packet filter and DPD documentation. (Jon Siwek)
+    
+2.0-beta-72 | 2011-11-30 20:16:09 -0800
+
+  * Fine-tuning the Sphinx layout to better match www. (Jon Siwek and
+    Robin Sommer)
+
+2.0-beta-69 | 2011-11-29 16:55:31 -0800
+
+  * Fixing ASCII logger to escape the unset-field place holder if
+    written out literally. (Robin Sommer)
+
+2.0-beta-68 | 2011-11-29 15:23:12 -0800
+
+  * Lots of documentation polishing. (Jon Siwek)
+
+  * Teach Broxygen the ".. bro:see::" directive. (Jon Siwek)
+
+  * Teach Broxygen :bro:see: role for referencing any identifier in
+    the Bro domain. (Jon Siwek)
+
+  * Teach Broxygen to generate an index of Bro notices. (Jon Siwek)
+
+  * Fix order of include directories. (Jon Siwek)
+
+  * Catch if logged vectors do not contain only atomic types.
+    (Bernhard Amann)
+
+2.0-beta-47 | 2011-11-16 08:24:33 -0800
+
+  * Catch if logged sets do not contain only atomic types. (Bernhard
+    Amann)
+
+  * Promote libz and libmagic to required dependencies. (Jon Siwek)
+    
+  * Fix parallel make from top-level to work on more platforms. (Jon
+    Siwek)
+
+  * Add decode_base64_custom(). Addresses #670 (Jon Siwek)
+    
+  * A bunch of Sphinx-doc reorgs and polishing. (Jon Siwek)
+    
+2.0-beta-28 | 2011-11-14 20:09:28 -0800
+
+  * Binary packaging script tweaks. We now require CMake 2.8.6. (Jon Siwek)
+
+  * More default "weird" tuning for the "SYN_with_data" notice. (Seth
+    Hall)
+
+  * Tiny bugfix for http file extraction along with test. (Seth Hall)
+    
+2.0-beta-21 | 2011-11-06 19:27:22 -0800
+
+  * Quickstart doc fixes. (Jon Siwek)
+
+2.0-beta-19 | 2011-11-03 17:41:00 -0700
+
+  * Fixing packet filter test. (Robin Sommer)
+
+2.0-beta-12 | 2011-11-03 15:21:08 -0700
+
+  * No longer write to the PacketFilter::LOG stream if not reading
+    traffic. (Seth Hall)
+
+2.0-beta-10 | 2011-11-03 15:17:08 -0700
+
+  * Notice framework documentation update. (Seth Hall)
+
+  * Fixing compiler warnings (addresses #388) (Jon Siwek)
+
+2.0-beta | 2011-10-27 17:46:28 -0700
+
+  * Preliminary fix for SSH login detection: we need a counted measure
+    of payload bytes (not ack tracking and not with the IP header
+    which is what we have now). (Seth Hall)
+
+  * Fixing send_id() problem. We no longer update &redef functions.
+    Updating code on the fly isn't fully supported. (Robin Sommer)
+
+  * Tuning the format of the pretty-printed alarm summaries. (Robin
+    Sommer)
+
+1.6-dev-1508 | 2011-10-26 17:24:50 -0700
+
+  * Updating submodule(s). (Robin Sommer)
+
+1.6-dev-1507 | 2011-10-26 15:10:18 -0700
+
+  * Baseline updates. (Robin Sommer)
+
+1.6-dev-1506 | 2011-10-26 14:48:43 -0700
+
+  * Updating submodule(s). (Robin Sommer)
+
+1.6-dev-1505 | 2011-10-26 14:43:58 -0700
+
+  * A new base script that pretty-prints alarms in the regular
+    summary. (Robin Sommer)
+
+  * Adding a dummy log writer WRITER_NONE that just discards
+    everything. (Robin Sommer)
+
+1.6-dev-1498 | 2011-10-26 14:30:15 -0700
+
+  * Adding instructions to local.bro how to do ACTION_ALARM by
+  default. (Seth Hall)
+
+1.6-dev-1495 | 2011-10-26 10:15:58 -0500
+
+  * Updated unit test baselines. (Seth Hall)
+
+1.6-dev-1491 | 2011-10-25 20:22:56 -0700
+
+  * Updating submodule(s). (Robin Sommer)
+
+1.6-dev-1482 | 2011-10-25 19:08:32 -0700
+
+  * Fixing bug in log managers predicate evaluation. (Robin Sommer)
+
+1.6-dev-1481 | 2011-10-25 18:17:03 -0700
+
+  * Fix a problem with DNS servers being logged that aren't actually
+    servers. (Seth Hall)
+
+  * Changed generated root cert DN format for RFC2253 compliance. (Jon
+    Siwek)
+
+  * Removed :bro doc directives from notice documentation. (Seth Hall)
+
+  * New notice framework docs. (Seth Hall)
+
+  * Adding sub messages to emails. (Seth Hall)
+
+  * Adding extra fields to smtp and http to track transaction depth.
+    (Seth Hall)
+
+  * Fix for SSH login detection heuristic. (Seth Hall)
+
+  * Removed some fields from http analysis that weren't commonly
+    needed or were wrong. (Seth Hall)
+
+  * Updated/fixed MSIE version parsing in the software framework.
+    (Seth Hall)
+
+  * Update Mozilla trust roots to index certs by subject distinguished
+    name. (Jon Siwek)
+
+  * weird.bro rewrite. (Seth Hall)
+
+  * More notice email tuning. (Seth Hall)
+
+  * Slightly restructured http file hashing to fix a bug. (Seth Hall)
+
+  * Changed the notice name for interesting ssh logins to correctly
+    reflect semantics of the notice.  (Seth Hall)
+
+  * Field name change to notice framwork.  $result -> $action
+
+    - $result is renamed to $action to reflect changes to the notice
+      framework since there is already another result-like field
+      ($suppress_for) and there may be more in the future.
+
+    - Slipped in a change to add connection information to notice
+      emails too. (Seth Hall)
+
+  * Small script refinements and documentation updates. (Seth Hall)
+
+  * Pass over upgrade guide. (Robin Sommer)
+
+
+1.6-dev-1430 | 2011-10-21 10:39:09 -0700
+
+  * Fixing crash with unknown debug streams. Closes #643. (Robin
+    Sommer)
+
+  * Code to better handle interpreter errors, which can now be turned
+    into non-fatal runtime errors rather than immediate aborts. (Robin
+    Sommer).
+
+  * Remove old make-src-packages script. (Jon Siwek)
+
+  * Fixing a bunch of format strings. Closes #567. (Robin Sommer)
+
+  * Cleaning up some distribution files. (Robin Sommer)
+
+  * Various test, doc, and installation fixes/tweaks. (Seth Hall, Jon
+    Siwek and Robin Sommer).
+
+  * Varios smaller policy fixes and tweaks (Seth Hall).
+
+  * Moving docs from web server into distribution. (Robin Sommer)
+
+  * Fixing more (small) memory leaks. (Robin Sommer)
+
+  * Profiling support for DNS_Mgr and triggers. With
+    misc/profiling.bro, both now report a line in prof.log with some
+    counters on usage. (Robin Sommer)
+
+  * Fixing DNS memory leaks. Closes #534. (Robin Sommer)
+
+  * Fix code for disabling analyzers. Closes #577. (Robin Sommer)
+
+  * Changed communication option from listen_encrypted to listen_ssl.
+    (Seth Hall)
+
+  * Modification to the Communication framework API. (Seth Hall)
+
+    - Simplified the communication API and made it easier to change
+      to encrypted connections by not having separate variables to
+      define encrypted and unencrypted ports.
+
+    - Now, to enable listening without configuring nodes just
+      load the frameworks/communication/listen script.
+
+    - If encrypted listening is desired set the following:
+    	redef Communication::listen_encrypted=T;
+
+  * Connection compressor now disabled by default. Addresses #559.
+    (Robin Sommer)
+
+
+1.6-dev-1372 | 2011-10-06 18:09:17 -0700
+
+  * Filtering some potentially high-volume DNS weirds. (Robin Sommer)
+
+  * DNS now raises DPD events. Closes #577. (Robin Sommer)
+
+  * Fixing a bunch of compiler warnings. (Robin Sommer)
+
+  * Remote logs are auto-flushed if the last write was longer than a
+    second ago. Addresses #498. (Robin Sommer)
+
+  * Fix missing from previous MIME commit. (Robin Sommer)
+
+1.6-dev-1366 | 2011-10-06 17:05:21 -0700
+
+  * Make CompHash computation/recovery for functions deterministic.
+    Closes #636. (Jon Siwek)
+
+  * Removing unnecessary @load in local.bro. (Robin Sommer)
+
+  * Optimizing some MIME code. (Robin Sommer)
+
+  * Speed improvements in logging code. (Robin Sommer)
+
+  * Consolidating some node-specific functionality from scripts in
+    broctl repo. (Jon Siwek)
+
+  * Another fix the for 1xx script code. (Robin Sommer)
+
+1.6-dev-1352 | 2011-10-05 16:20:51 -0700
+
+  * Fix for optional HTTP::Info status_code. (Jon Siwek)
+
+  * Teaking some external testing scripts. (Jon Siwek)
+
+  * HTTP bug fix reported by Martin Holste. (Seth Hall)
+
+  * More script tuning. (Seth Hall)
+
+    - Moved some of the weird events back to the base/ directory.
+
+    - SSL fixes, updates, and performance optimization.
+
+  * More adjustment to reduce Weird volumes. (Seth Hall)
+
+  * Fixed an error when calculating x509 certificate hashes (reported
+    by Martin Holste). (Seth Hall)
+
+  * Clean up to cluster framework to make event handling clearer.
+    (Seth Hall)
+
+  * Fixed a bug in the notice framework. (Seth Hall)
+
+  * Bug fix for FTP analysis script. (Seth Hall)
+
+1.6-dev-1333 | 2011-09-29 22:29:51 -0700
+
+  * Fixing a number of memory leaks. (Robin Sommer)
+
+  * Loaded_scripts.log is indented with spaces now and makes more
+     sense to look at. (Seth Hall)
+
+  * Teach HTTP parser to derive content length of multipart/byteranges
+     bodies. Addresses #488. (Jon Siwek)
+
+  * Change logging of HTTP 1xx responses to occur in their own
+    columns. Addresses #411. (Jon Siwek)
+
+  * Fix handling of HTTP 1xx response codes. Addresses #411).
+
+  * Taking advantage of yet another trick to get installed browser
+  plugins. (Seth Hall)
+
+    - With the software-browser-plugins script you can watch for Omniture
+      advertising servers to grab the list of installed plugins.
+
+    - I reorganized the plugin detection a bit too to abstract it better.
+
+    - Removed the WEB_ prefix from all of the Software::Type HTTP enums.
+      They were essentially redundant due to the full name already being
+      HTTP::SERVER (for example).
+
+1.6-dev-1316 | 2011-09-28 16:50:05 -0700
+
+  * Unit test cleanup. Updated README and collected coverage-related
+    tests in a common dir. (Jon Siwek)
+
+  * Fixes for known-services. (Seth Hall)
+
+  * Ported and 2.0ized the capture-loss script. (Seth Hall)
+
+  * Communication fix and extension.(Robin Sommer)
+
+    - Removing unnecessary log flushing. Closes #498.
+
+    - Adding new BiF disconnect() that shuts a connection to a peer down.
+
+    - terminate_connection() now first flushes any still buffered log
+      messages.
+
+  * Fix for high SSL memory usage by adding &transient attribute to
+    top-level SSL pac array type. Closes #574. (Robin Sommer)
+
+  * Fix a small bug in the metrics framework. (Seth Hall)
+
+  * Temporarily removing scripts that aren't ready to be included.
+    Will return before next release.  (Seth Hall)
+
+  * New SSL policy scripts.  (Seth Hall)
+
+    - protocols/ssl/expiring-certs uses time based information from
+      certificates to determine if they will expire soon, have already
+      expired, or haven't yet become valid.
+
+    - protocols/ssl/extract-certs-pem is a script for taking certs off
+      the line and converting them to PEM certificates with the openssl
+      command line tool then dumping them to a file.
+
+  * Notice::type_suppression_intervals: table[Notice::Type] of
+    interval can be used to modify the suppression intervals for
+    entire types of notices. (Seth Hall)
+
+  * EOF SSL protocol violations are only generated a single time now.
+    (Seth Hall)
+
+  * Script level fixes.  (Seth Hall)
+
+    - Fixed a type name conflict in the Known namespace.
+
+    - Fixed a DPD framework bug that was causing Reporter messages.
+
+    - Fixed the notice_policy log.
+
+    - Predicate functions are now logged.
+
+    - Predicate functions are now optional.  If not given, it's assumed that
+      the result should always apply. (Seth Hall)
+
+    - Fix a problem with accidental and mistaken HTTP log lines.
+
+1.6-dev-1293 | 2011-09-22 19:44:37 -0700
+
+  * Smaller script tweaks. (Seth Hall)
+
+  * Duplicate notice suppression. (Seth Hall)
+
+    - Duplicate notices are discovered with the new Notice::Info
+      field $identifier.  It's a string that is left up to the
+      notice implementor to define which would indicate a
+      fundamentally duplicate notice.  The field is optional and
+      if it's not included it's not possible for notice
+      suppression to take place.
+
+    - Duplicate notices are suppressed by default for the interval
+      defined by the Notice::default_suppression_interval variable
+      (1 hour by default).
+
+    - A new notice action was defined ACTION_NO_SUPPRESS to prevent
+      suppression for a specific notice instance.  A convenience set
+      named not_suppressed_types was also created to not suppress
+      entire notice types.
+
+    - A new field was added to the PolicyItem type to modify the length
+      of time a notice should be suppressed if the predicate matches.
+      The field is named $suppress_for.  This name makes the code more
+      readable like this: $suppress_for = 1day
+
+    - New events were created to give visibility into the notice
+      framework's suppression activity.
+      - event Notice::begin_suppression(n: Notice::Info)
+      - event Notice::suppressed(n: Notice::Info)
+      - event Notice::end_suppression(n: Notice::Info)
+
+    - The suppression.bro script doesn't have a baseline because
+      it is causing a segfault in Bro.  This one test is the
+      reason that this is being integrated into a branch instead
+      of master. (Seth Hall)
+
+  * Fix crash on exit. Addresses #607. (Jon Siwek)
+
+  * Fix PktSrc setting next_timestamp even when no packet available.
+    (Jon Siwek)
+
+  * Fix lack of NUL-termination in to_upper/to_lower BIF's return val.
+    (Jon Siwek)
+
+  * Fixing unit tests and some minor bugs. (Jon Siwek)
+
+  * Fix broctl cluster log rotation. Addresses #619. (Jon Siwek)
+
+  * Added session ID to the SSL logging. (Seth Hall)
+
+  * Adding "install-aux" target + updating bro-aux submodule. (Jon
+    Siwek)
+
+  * Cleaning up INSTALL and README. (Jon Siwek)
+
+  * Remove $Id$ tags. (Jon Siwek)
+
+  * Remove policy.old directory. Addresses #511. (Jon Siwek)
+
+  * Small rework with ssl base script to reduce memory usage. (Seth
+    Hall)
+
+  * Updated the mozilla root certs. (Seth Hall)
+
+1.6-dev-1261 | 2011-09-15 17:13:55 -0700
+
+  * Memory leak fixes. Addresses #574 (Jon Siwek)
+
+  * Add configure options for ruby/bindings integration. (Jon Siwek)
+
+  * Fix filter path_func to allow record argument as a subset of
+    stream's columns. Addresses #600. (Jon Siwek)
+
+  * Log rotation is now controlled directly through Filter records. (Jon Siwek)
+
+  * Fix indexing for record types with optional fields. Addresses #378
+    (Jon Siwek)
+
+1.6-dev-1248 | 2011-09-15 16:01:32 -0700
+
+  * Removed custom malloc() implementation for FreeBSD. Closes #557.
+    (Jon Siwek)
+
+  * Testing/external scripts no longer compute MD5 checksums for SMTP
+    entities. (Robin Sommer)
+
+  * External tests no longer include the full content of mismatching
+    files in the diagnostics output. (Robin Sommer)
+
+1.6-dev-1241 | 2011-09-14 22:51:52 -0400
+
+  * Fixing a major memory utilization issues with SSL analysis. (Seth
+    Hall)
+
+  * Enhancements to HTTP analysis: (Seth Hall)
+
+      - More options for the header-names.bro script.
+
+      - New script for logging header names and values. Closes #519.
+        (Seth Hall)
+
+      - HTTP body size measurement added to http.log.
+
+      - The value of the content-length headers has now been removed
+        in the default output but it could be added back locally at an
+        installation by a user.
+
+      - Added fields to indicate if some parsing interruption happened
+        during the body transfer. Closes #581 (Seth Hall)
+
+  * Misc smaller usability and correctness updates: (Seth Hall)
+
+    - Removed an notice definition from the base SSL scripts.
+
+    - Moved a logging stream ID into the export section for known-services
+      and bumped priority for creating the stream.
+
+    - Adding configuration knobs for the SQL injection attack detection
+      script and renaming the HTTP::SQL_Injection_Attack notice to
+      HTTP::SQL_Injection_Attack_Against
+
+    - Bumped priority when creating Known::CERTS_LOG.
+
+    - Fixing a warning from the cluster framework. (Seth Hall)
+
+  * Bugfix for log writer, which didn't escape binary stuff in some
+    situations. Closes #585. (Robin Sommer)
+
+  * A larget set of changes to the testing/external infrastructure.
+    The traces for external test-suites are no longer kept inside the
+    repositories themselves but downloaded separately via curl. This
+    is because git is pretty bad at dealing with large files. See the
+    README for more information. (Robin Sommer)
+
+1.6-dev-1221 | 2011-09-08 08:41:17 -0700
+
+  * Updates for documentation framework and script docs. (Jon Siwek)
+
+  * The script level PF_RING support isn't working so removing it.
+    (Seth Hall)
+
+  * Delete SSL certificates from memory after ssl_established event.
+    (Seth Hall)
+
+  * Small fixes for SSL analysis. (Seth Hall)
+
+1.6-dev-1212 | 2011-09-07 16:15:28 -0700
+
+  * Internally, the UID generation can now return values from
+    different pool for better reproducability in testing mode.
+    (Gilbert Clark).
+
+  * Added new BiF unique_id_from(pool: string, prefix: string) that
+    allows the user to specify a randomness pool. (Gilbert Clark)
+
+1.6-dev-1198 | 2011-09-07 11:03:36 -0700
+
+  * Extended header for ASCII log that make it easier for scripts to
+    parse Bro log files. (Gilbert Clark)
+
+  * Potential fix for rotation crashes. Addresses #588. (Robin Sommer)
+
+  * Added PF_RING load balancing support to the scripting layer,
+    enabled by loading the misc/pf-ring-load-balancing script. (Seth
+    Hall)
+
+  * Added a BiF setenv() for setting environment variables. (Seth
+    Hall)
+
+1.6-dev-1184 | 2011-09-04 09:34:50 -0700
+
+  * FindPCAP now links against thread library when necessary (e.g.
+    PF_RING's libpcap). (Jon Siwek)
+
+  * Install binaries with an RPATH. (Jon Siwek)
+
+  * Fix for a case where nested records weren't coerced even though
+    possible. (Jon Siwek)
+
+  * Changed ASCII writer to delay creation of log after rotation until
+    next write.
+
+  * Changed default snaplen to 65535 and added a -l/--snaplen command
+    line option to set it explicitly. Addresses #447. (Jon Siwek)
+
+  * Various updates to logging framework. (Seth Hall)
+
+  * Changed presentation of enum labels to include namespace. (Jon
+    Siwek)
+
+  * HTTP analyzer is now enabled with any of the HTTP events. (Seth
+    Hall)
+
+  * Fixed missing format string that caused some segfaults. (Gregor
+    Maier)
+
+  * ASCII writer nows prints time interval with 6 decimal places.
+    (Gregor Maier)
+
+  * Added a Reporter::fatal BIF. (Jon Siwek)
+
+  * Fixes for GeoIP support. Addresses #538. (Jon Siwek)
+
+  * Fixed excessive memory usage of SSL analyzer on connections with
+    gaps. (Gregor Maier)
+
+  * Added a log postprocessing function that can SCP rotated logs to
+    remote hosts. (Jon Siwek)
+
+  * Added a BiF for getting the current Bro version string. (Jon
+    Siwek)
+
+  * Misc. doc/script/test cleanup. (Jon Siwek)
+
+  * Fixed bare-mode @load dependency problems. (Jon Siwek)
+
+  * Fixed check_for_unused_event_handlers option. (Jon Siwek)
+
+  * Fixing some more bare-mode @load dependency issues (Jon Siwek)
+
+  * Reorganizing btest/policy directory to match new scripts/
+    organization. Addresses #545 (Jon Siwek)
+
+  * bro scripts generated from bifs now install to
+    $prefix/share/bro/base. Addresses #545 (Jon Siwek)
+
+  * Changeed/fixed some cluster script error reporting. (Jon Siwek)
+
+  * Various script normalization. (Jon Siwek)
+
+  * Add a test that checks each individual script can be loaded in
+    bare-mode. Adressess #545. (Jon Siwek)
+
+  * Tune when c$conn is set. Addresses #554. (Gregor Maier)
+
+  * Add ConnSize_Analyzer's fields to conn.log. (Gregor Maier)
+
+  * Fixing bug in "interesting hostnames" detection. (Seth Hall)
+
+  * Adding metrics framework intermediate updates. (Seth Hall)
+
+1.6-dev-1120 | 2011-08-19 19:00:15 -0700
+
+  * Fix for the CompHash fix. (Robin Sommer)
+
+1.6-dev-1118 | 2011-08-18 14:11:55 -0700
+
+  * Fixing key size calculation in composite hash code. (Robin Sommer)
+
+1.6-dev-1116 | 2011-08-18 10:05:07 -0700
+
+  * Remove the 'net' type from Bro (addresses #535).
+
+  * Fix H3 assumption of an 8-bit byte/char. (Jon Siwek)
+
+  * Allow reading from interface without additional script arguments.
+    Explicitly passing in '-' as an additional command line argument
+    still allows reading a script from stdin. (Jon Siwek)
+
+  * SSH bruteforcing detection now done with metrics framework. (Seth
+    Hall)
+
+  * Updates for SQL injection attack detection to match the metrics
+    framework updates. (Seth Hall)
+
+  * Metrics framework now works on cluster setups. (Seth Hall)
+
+  * Reclassifying more DNS manager errors as non-fatal errors. (Robin
+    Sommer)
+
+  * Fix ConnSize_Analyzer when used in conjunction with connection
+    compressor. (Gregor Maier)
+
+  * Fix reporter using part of the actual message as a format string.
+    (Jon Siwek)
+
+1.6-dev-1095 | 2011-08-13 11:59:07 -0700
+
+  * A larger number of script documentation updates. Closes #543. (Jon
+    Siwek)
+
+  * Workaround for FreeBSD CMake port missing debug flags. (Jon Siwek)
+
+  * piped_exec() can now deal with null bytes. (Seth Hall)
+
+  * Fix vector initialization for lists of records with optional
+    types. Closes #485. (Jon Siwek)
+
+  * Fix redef'ing records with &default empty set fields. Closes #460.
+    (Jon Siwek)
+
+  * Fix ConnSize_Analyzer when used in conjunction with the connection
+    compressor. (Gregor Maier)
+
+  * Fix reporter using part of the actual message as a format string.
+    (Jon Siwek)
+
+  * Fixing reporter's location tracking. Closes #492. (Robin Sommer)
+
+  * Turning DNS errors into warnings. Closes #255. (Robin Sommer)
+
+  * Logging's path_func now receives the log record as argument.
+    Closes #555. (Robin Sommer)
+
+  * Functions can now be logged; their full body gets recorded.
+    Closes #506. (Robin Sommer)
+
+  * Bugfix for hostname notice email extension. (Seth Hall)
+
+  * Updates for notice framework. (Seth Hall)
+
+    - New ACTION_ADD_GEODATA to add geodata to notices in an extension
+      field named remote_location.
+
+    - Loading extend-email/hostnames by default now that it only does
+      anything when the ACTION_EMAIL action is applied (finally).
+
+  * Updates to local.bro (Seth Hall)
+
+  * Added the profiling script. (Seth Hall)
+
+  * Updates for SSH scripts. (Seth Hall)
+
+  * ConnSize analyzer is turned on by default now. (Seth Hall)
+
+  * Updates for the build system and site local scripts for cluster.
+    (Seth Hall)
+
+  * HTTP now uses the extract_filename_from_content_disposition function. (Seth Hall)
+
+  * Major SMTP script refactor. Closes #509. (Jon Siwek and Seth Hall)
+
+  * New variable Site::local_nets_table in utils/site for mapping
+    address to defined local subnet.
+
+  * Metrics framework updates, more to come. (Seth Hall)
+
+
+1.6-dev-1061 | 2011-08-08 18:25:27 -0700
+
+  * A set of new/changed tests regarding the new policy script
+    organisation. (Robin Sommer)
+
+1.6-dev-1058 | 2011-08-08 16:15:18 -0700
+
+  * Reorganisation of the scripts that Bro loads by default. (Seth
+    Hall)
+
+    - policy/ renamed to scripts/
+
+    - By default BROPATH now contains:
+    	- scripts/
+    	- scripts/policy
+    	- scripts/site
+
+    - The scripts in scripts/base/protocols/ only do logging and state
+      building.
+
+    - All of scripts/base/ is loaded by by default. This can however
+      be disabled by switching Bro into "bare mode" using the new
+      command-line option --bare-mode (or -b). The cripts in
+      scripts/base/ don't use relative path loading to ease use of
+      bare mode (to copy and paste that script).
+
+    - The scripts in scripts/base/frameworks/ add functionality
+      without causing any additional overhead.
+
+    - All "detection" activity happens through scripts in
+      scripts/policy/.
+
+    - bro.init was renamed to base/init-bare.bro, and base/all.bro was
+      renamed to init-default.bro.
+
+    - local.bro now loads more functionality from policy/ and adds
+      more documentation. (Seth Hall)
+
+  * Adding default_path_func() to the logging framework that makes the
+    default naming scheme script-level controlled. (Robin Sommer)
+
+  * Reworking logging's postprocessor logic so that postprocessor
+    commands are no longer run by the log writers themselves, but
+    instead by a script level function. (Robin Sommer)
+
+  * The communication subsystem is now by default off and must be
+    enabled explicitly with a new BiF, enable_communication(). Closes
+    #540. (Robin Sommer)
+
+  * The hostname notice email extension now only add hostnames for
+    emailed noticed. (Seth Hall)
+
+  * Cleaning up doc generation. (Seth Hall)
+
+1.6-dev-1044 | 2011-08-05 19:07:32 -0700
+
+  * Fixing memory (and CPU) leak in log writer.
+
+  * Fixing crash in memory profiling. (Robin Sommer)
+
+  * Fix compiler warning. (Robin Sommer)
+
+  * Fixing missing sync in cluster setup. (Robin Sommer)
+
+
+1.6-dev-1038 | 2011-08-05 18:25:44 -0700
+
+  * Smaller updates to script docs and their generation. (Jon Siwek)
+
+  * When using a `print` statement to write to a file that has raw output
+    enabled, NUL characters in string are no longer interpreted into "\0",
+    no newline is appended afterwards, and each argument to `print` is
+    written to the file without any additional separation. (Jon Siwek)
+
+  * Test portatibility tweaks. (Jon Siwek)
+
+  * Fixing PktSrc::Statistics() which retured bogus information
+    offline mode. Closes #500. (Jon Siwek)
+
+  * --with-perftools configure option now assumes --enable-perftools.
+    Closes #527. (Jon Siwek)
+
+1.6-dev-1018 | 2011-07-31 21:30:31 -0700
+
+  * Updating CHANGES. (Robin Sommer)
+
+1.6-dev-1016 | 2011-07-30 18:34:28 -0700
+
+  * Install example config files dynamically. They'll only get
+    installed when the distribution version differs from existing
+    version on disk. (Jon Siwek)
+
+  * Fixed memory leak in SSL analyzer. (Seth Hall)
+
+  * Beginning rework of metrics interface. (Seth Hall)
+
+  * New/updated unit tests for scripts. (Jon Siwek)
+
+  * New/updated documentstion for scripts. (Jon Siwek)
+
+  * A number of fixes for scripts in utils/. (Jon Siwek)
+
+1.6-dev.244 Thu Jul 28 17:08:21 PDT 2011
+
+- mask_addr() now returns subnet (addresses #512). (Jon Siwek)
+
+- Normalize Notice::Type identifiers per convention (closes #484).
+  (Jon Siwek)
+
+- Fixing default-loaded-scripts test for BSD systems. (Jon Siwek)
+
+- New piped_exec() BiF for pipeing data into an external command. (Jon
+  Siwek)
+
+1.6-dev.242 Mon Jul 25 21:42:39 PDT 2011
+
+- Adding a documentation coverage test. (Jon Siwek)
+
+- The CMake targets for generating reST docs from policy scripts are
+  now automatically generated via the genDocSourcesList.sh script.
+  (Jon Siwek)
+
+- Fixed a number of script error. (Jon Siwek)
+
+- Fixes to relative @load'ing.  (Jon Siwek)
+
+- Fixes to tests. (Robin Sommer)
+
+1.6-dev.240 Sun Jul 24 15:14:26 PDT 2011
+
+- Updated tests and test baselines. (Jon Siwek)
+
+- ASCII log writer now prints time values w/ constant 6 digit
+  precision. (Jon Siwek)
+
+- Many policy script updates acrsso the board (Seth Hall).
+
+- Moving devel-tools to bro-aux. (Robin Sommer)
+
+- BugFix for disable_analyzer(), which could cause crashes with some
+  analyzers. (Robin Sommer)
+
+- Bugfix for potential segfault in DebugLogger. (Robin Sommer)
+
+1.6-dev.226 Thu Jul 21 15:23:39 PDT 2011
+
+- Extensions to the @load and @unload process. (Jon Siwek)
+
+    * Make @load statements recognize relative paths. For example a
+      script can do "@load ./foo" to load a script named foo.bro that
+      lives in the same directory or "@load ../bar" to load a script
+      named bar.bro in the parent directory, even if those directories
+      are not contained in BROPATH.
+
+    * Reimplementation of the @prefixes statement. (Closes #486)
+
+      Any added prefixes are now used *after* all input files have
+      been parsed to look for a prefixed, flattened version of the
+      input file somewhere in BROPATH and, if found, load it. For
+      example, if "lcl" is in @prefixes, and site.bro is loaded, then
+      a file named "lcl.site.bro" that's in BROPATH would end up being
+      automatically loaded as well. Packages work similarly, e.g.
+      loading "protocols/http" means a file named
+      "lcl.protocols.http.bro" in BROPATH gets loaded automatically.
+
+    * Fix @unload'd files from generating bro_script_loaded event.
+
+    * Updates to tests.
+
+1.6-dev.225 Wed Jul 20 17:10:41 PDT 2011
+
+- IRC improvements (Jon Siwek). Including:
+
+    * Shorten what's displayed in the IRC's log mime_type column for
+      DCC transfers.
+
+    * Add IRC unit tests.
+
+    * Fix IRC analyzer supplying wrong type to irc_dcc_message event.
+
+    * Removed irc_client and irc_server events.
+
+    * Added is_orig arguments to all other irc events.
+
+    * Fix analyzer not recognizing Turbo DCC extension message format.
+
+    * Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
+      event doesn't have a handler registered.
+
+- Fixing tests that need a diff canonifier. (Jon Siwek)
+
+1.6-dev.223 Tue Jul 19 19:10:36 PDT 2011
+
+- Adding a script to update CHANGES and VERSION. (Robin Sommer)
+
+1.6-dev.218 Tue Jul 19 18:16:44 PDT 2011
+
+- Comprehensive policy script overhaul/rewrite. (Seth Hall)
+
+  Changes are too extensive to list individually.
+
+- Removing undocumented -H command line flag. (Robin Sommer)
+
+- Fixing many tests. (Everybody)
+
+- Fixing 0-chunk bug in remote logging. (Robin Sommer)
+
+- $PATH is now appropriately set by the bro-path-dev.(sh|csh) scripts.
+  (Seth Hall)
+
+- Making valgrind a bit more happy. (Robin Sommer)
+
+- New BiF record_field_vals() that returns the fields of a record in a
+  table with meta-information. (Robin Sommer)
+
+- Adding a script in aux/devel-tools that extracts a connection from a
+  trace based on uid. (Robin Sommer)
+
+- Fixing bug causing crash when running without arguments. (Robin Sommer)
+
+- A new event bro_script_loaded() raised for each policy script
+  loaded. Also removing the -l command-line option as that can now be
+  done at the script-level. (Robin Sommer)
+
+- Fixing memory leaks. (Gilbert Clark, Seth Hall, Robin Sommer)
+
+- Many SSL analysis improvements and fixes. (Seth Hall)
+
+- Fixing bug with event priorities potentially being ignored for the
+  handler. (Robin Sommer)
+
+- Overhauling the internal reporting of messages to the user. The new
+  Reporter class is now in charge of reporting all errors, warnings,
+  informational messages, weirds, and syslogs; and it passes
+  everything through the script layer. (Robin Sommer)
+
+* Removed the alarm statement and the alarm_hook event. (Robin Sommer)
+
+- Adding new policy file test-all.bro that loads all other policies.
+  This is for testing only. (Robin Sommer)
+
+- A new framework for doing regression testing with larger traces and
+  more complex Bro configurations in testing/external. (Robin Sommer)
+
+- Many updates to script doc generation.  (Jon Siwek)
+
+1.6-dev.146 Sat Jun 25 18:12:27 PDT 2011
+
+- DNS mapping are now becoming invalid when an entry's TTL expires.
+  (Thomas Other)
+
+- Reworking how Bro tracks which scripts are already loaded. Rather
+  than paths, Bro now tracks inode numbers. (Jon Siwek)
+
+- New BiF netstats() to query packet capture statistics. The netstats
+  script now uses the new BiF to periocally report packets drops. The
+  net_stats_update() event and the heartbeat_interval global went
+  away. (Seth Hall)
+
+- Fixing bug with logging &optional records. Closes #476. (Robin
+  Sommer)
+
+- Fixing istate.events-ssl test failing because of expired cert. (Jon
+  Siwek)
+
+- A large number of improvements and fixes for Bro's doc mode. (Jon
+  Siwek)
+
+- Significant updates for RPC and NFS analyzers (Gregor Maier)
+
+    * Unify semantics for UDP and TCP connections.
+
+    * RPC can now log to a log file if desired.
+
+    * Portmapper can now log general activity to a log file and also log
+      actual port mappings.
+
+    * NFS analyzer now supports significantly more procedure calls as
+      as file name tracking and file content extraction.
+
+- NetBIOS fixes. (Jon Siwek)
+
+- A number of unit tests are more robust and portable.  (Jon Siwek)
+
+- A new BiF unique_id() that returns a string that's unique across Bro
+  instaces with high probablity.  (Robin Sommer)
+
+- Complete rewrite of the BinPAC SSL analyzer. (Seth Hall)
+
+    * DER certificates are extracted as strings to be used with
+      corresponding BiFs.
+
+    * x509_verify function to verify single certs and/or full
+      certificate chains.
+
+    * Removed hand written SSL analyzer.
+
+    * The ssl.bro script is just a place-holder for now. New version
+      will come with the other new scripts.
+
+- New syslog analyzer. (Seth Hall)
+
+- @load now supports loading a directory. With a directory "foo"
+  somewhere in BROPATH, "@load foo" now checks if there's a file
+  "foo/__load__.bro". If so, it reads that file in. (Robin Sommer)
+
+- ASCII logger now escapes non-printable characters. Closes #450.
+  (Robin Sommer)
+
+- Packaging tweaks and rewrite of 'dist' target. (Jon Siwek)
+
+- Changes to allow DEB packaging via CPack, addresses #458. (Jon
+  Siwek)
+
+- An extension to the ICMP analyzer to handle redirects. Julien
+  Sentier
+
+- Removing old istate test-suite. (Robin Sommer)
+
+- A hack to report missing GeoIP support only once. This closes #357,
+  but #455 captures the need for a more general solution. (Robin
+  Sommer)
+
+- Bugfix: vectors in records were not initalized. Closes #421. (Robin
+  Sommer)
+
+- If IPv6 default is not compiled in, the default BPF filters now
+  excludes IPv6 packets. (Robin Sommer)
+
+- New bif bro_has_ipv6() to check whether IPv6 support is compiled in.
+  (Robin Sommer)
+
+- Updating btests and a Makefile. "make" now runs all the tests.
+  (Robin Sommer)
+
+- Moving the test-scripts from the old test-suite over to btest.
+  (Robin Sommer)
+
+- Fix for major bug in POP3 analyzer, which didn't recognize '.'
+  terminators in multi-line replies if the terminator was bare (no
+  newline). This caused it to ignore the rest of the session that it's
+  analyzing. (Vern Paxson)
+
+- Fix compiler warning with gcc-4.4.4 (Gregor Maier)
+
+- Adding example documentation for a script's use of logging features.
+  (Jon Siwek)
+
+- Adding &log attribute to static attr_names array. (Jon Siwek)
+
+- Bro can now track packet and byte counts per connection. (Gregor
+  Maier)
+
+    * If 'use_conn_size_analyzer' is true, the event engine tracks
+      number of packets and raw IP bytes per connection. If
+      report_conn_size_analyzer is true, these values are included as
+      four new columns into conn.log
+
+    * I changed conn.bro so that the value of
+      report_conn_size_analyzer follows that of
+      use_conn_size_analyzer. For the new conn.log, we probably want
+      to get rid of report_conn_size_analyzer anyway.
+
+- Fixing numerous compiler warnings and portability issues. (All)
+
+- Switching vectors from being 1-based to 0-based. Note that this is a
+  change that break backwards-compatibility. (Robin Sommer)
+
+- Increasing serialization format version for the recent 64-bit
+  changes. (Robin Sommer)
+
+- Support for (mixed) MPLS and VLAN traffic, and a new default BPF
+  filter. (Seth Hall and Robin Sommer)
+
+    * Merging in the patch from #264, which provides support for mixed
+      VLAN and MPLS traffic.
+
+    * Changing Bro's default filter from being built dynamically to
+      being a static "ip or not ip". To get the old behaviour back
+      (i.e., the dynamically built filter), redef "all_packets" to
+      false.
+
+    * print-filter.bro now always prints the filter that Bro is
+      actually using, even if overriden from the command line. (Robin
+      Sommer)
+
+- Changing the HTTP's analyzers internals to use 64-bit integers.
+  (Gregor Maier).
+
+- Fixing bug with deleting still unset record fields of table type.
+  (Robin Sommer)
+
+1.6-dev.99 Fri Apr 22 22:10:03 PDT 2011
+
+- Extending the connection record with a unique identifier. (Robin
+  Sommer)
+
+    type connection: record {
+        [...]
+        id: string;
+   };
+
+  These identifiers very likely unique even across independent Bro
+  runs.
+
+- Delete operator for record fields. (Robin Sommer)
+
+  "delete x$y" now resets record field "x" back to its original state
+  if it is either &optional or has a &default. "delete" may not be
+  used with non-optional/default fields.
+
+- Fixing bug with nested record coercions. (Robin Sommer)
+
+- Fixing a do_split() bug. (Seth Hall)
+
+
+1.6-dev.94 Thu Apr 21 19:51:38 PDT 2011
+
+- Fixing generation of config.h. (Jon Siwek)
+
+- Updates and tests for NetBIOS name BiF. (Seth Hall)
+
+- Fixing do_split bug(), and adding a test. (Seth Hall)
+
+- When Bro is given a PRNG seed, it now uses its own internal random
+  number generator that produces consistent results across sytems.
+  Note that this internal generator isn't very good, so it should only
+  be used for testing purpses. (Robin Sommer)
+
+- The BTest configuration now sets the environemnt variables TZ=UTC
+  and LANG=C to ensure consistent results. (Robin Sommer)
+
+- Logging fixes. (Robin Sommer)
+
+1.6-dev.88 Wed Apr 20 20:43:48 PDT 2011
+
+- Implementation of Bro's new logging framework. We will document this
+  separately. (Robin Sommer)
+
+- Already defined record types can now be further extended via the
+  '+=' operator. The added fields must be either &optional or have a
+  &default value. (Robin Sommer)
+
+  Example:
+
+        type Foo: record {
+            a: count;
+            b: count &optional;
+        };
+
+        redef record Foo += {
+            c: count &default=42;
+            d: count &optional;
+        };
+
+        global f: Foo = [$a=21];
+
+        print f;
+
+  Output:
+
+        [a=21, b=<uninitialized>, c=42, d=<uninitialized>]
+
+- Enabling assignment of empty vectors ("vector()"). (Robin Sommer)
+
+- Fixing attributes to allow &default attributes to be associated with
+  records fields of type tables/sets/vector. (Robin Sommer)
+
+- '[]' is now a valid record constructor. (Robin Sommer)
+
+- A instance of a record type A is now coercable into one of type B if
+  the fields of type A are a subset of those of type B. (Robin Sommer)
+
+- A number of bug fixes and enhancements for record/set/table/vector
+  coercion. (Robin Sommer)
+
+- Fixing a problem with records that have optional fields when used as
+  table/set indices. Addresses #367. (Robin Sommer)
+
+- Fixing an off-by-one error in join_string_vec(). (Seth Hall)
+
+- Updating to_count() to cope with 64bit ints. (Seth Hall)
+
+- A new BiF count_to_v4_addr() to turn a count into an IPv4 address.
+  (Seth Hall)
+
+1.6-dev.80 Mon Apr 18 14:50:54 PDT 2011
+
+- New framework for generating documentation from Bro scripts. (Jon
+  Siwek)
+
+  This includes:
+
+    * Changes to Bro's scanner/parser to facilitate automatic
+      generation of Bro policy script documentation in
+      reStructuredText format.
+
+    * New command line flags -Z/--doc-scripts to enable the new doc
+      generation mode.
+
+    * Changes to bifcl to pass comments starting with "##" through
+      into the generated .bro script.
+
+    * A "doc" build target for the top-level Makefile to first
+      generate reStructuredText for a defined set of Bro policy
+      scripts, and then run that through Sphinx to create HTML
+      documentation.
+
+1.6-dev.78 Mon Apr 18 12:52:55 PDT 2011
+
+- Adding files to CMake build targets so they show up in generated IDE
+  projects. This addresses #413. (Jon Siwek)
+
+- Fix unnecessary config.h preprocessor (re)definitions. This
+  addresses #414. (Jon Siwek)
+
+- Updating istate tests. (Robin Sommer)
+
+- Adding files to CMake build targets so they show up in generated IDE
+  projects.
+
+- Adding new environment variable BRO_SEED_FILE to set the seed file
+  for the random number generator. (Robin Sommer)
+
+1.6-dev.71 Fri Apr  1 16:06:33 PDT 2011
+
+- Removing code for the following no longer supported functionality.
+
+    * Trace rewriting.
+    * DFA state expiration in regexp engine.
+    * Active mapping.
+    * Unused hash functions.
+
+  (Robin Sommer)
+
+- Fixing crashes when SSL is not configured correctly. (Robin Sommer)
+
+1.6-dev.66 Tue Mar 29 21:52:01 PDT 2011
+
+- Initial btest setup (Don Appleman and Robin Sommer)
+
+- Porting the istate tests to btest (not finished) (Robin Sommer)
+
+1.6-dev.63 Mon Mar 21 16:31:15 PDT 2011
+
+- Changes to the way user-modifiable config files are installed  (Jon Siwek)
+
+    * Duplicates of the distribution's configuration files are now
+      always installed with a .example suffix
+
+    * Added --binary-package configure option to toggle configure
+      logic specific to the creation of binary packages.
+
+    * When not in binary packaging mode, `make install` never
+      overwrites existing configure files in case they've been
+      modified. The previous behavior (CMake's default) would only
+      avoid overwriting modified files if one consistently uses the
+      same build directory and doesn't reconfigure.
+
+- Fixed an issue with Mac package's pre-install script not preserving
+  ACLs. (Jon Siwek)
+
+- Minor cleanup/refactor of the make-mac/rpm-packages scripts. (Jon
+  Siwek)
+
+- Add explicit CMake check for compiler. (Jon Siwek)
+
+- Add alternative way to set BROPATH for running bro from build/ dir.
+  (Jon Siwek)
+
+- Fixing compiler warnings (Gregor Maier)
+
+- Remvoing leftover local variables that caused compile error on Mac
+  OS X. (Gregor Maier)
+
+1.6-dev.53 Fri Feb 25 17:03:05 PST 2011
+
+- Fixing file detector leak in remote communication module. (Scott
+  Campbell)
+
+- Updating independent-state tests to work with new setup. (Robin
+  Sommer)
+
+1.6-dev.49 Fri Feb 25 15:37:28 PST 2011
+
+- Enum IDs can have explicitly defined values. (Gregor Maier)
+
+- Extensions for the built-in function compiler, bifcl. (Gregor Maier)
+
+    * Support for policy-layer namespaces.
+    * Support for type declarations in bif files (with access them
+      from C++)
+    * Extended const declarations in bif files.
+
+  See http://bro.icir.org/devel/bif-doc for more information.
+
+1.6-dev.48 Fri Feb 25 10:53:04 PST 2011
+
+- Preliminary TCP Reassembler fix: deliver data after 2GB by disabling
+  the unused seq_to_skip feature. (Gregor Maier)
+
+1.6-dev.47 Fri Feb 25 10:40:22 PST 2011
+
+- Fixing endianess error in XDR when data is not 4-byte aligned.
+  (Gregor Maier)
+
+- Fix for Val constructor with new int64 typedefs. (Gregor Maier)
+
+- Updated fix for OS X 10.5 compile error wrt llabs(). (Gregor Maier)
+
+- Fix more compiler warning wrt printf format strings.  (Gregor Maier)
+
+1.6-dev.45 Tue Feb  8 21:28:01 PST 2011
+
+- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer)
+
+1.6-dev.44 Tue Feb  8 20:11:44 PST 2011
+
+- A number of updates to the SSL analyzer, including support for new
+  ciphers; SSL extensions; and bug fixes. The analyzer does not longer
+  throw weird for exceeding a predefined cipherspec_size anymore.
+  (Seth Hall and Rmkml).
+
+- The various split*() BiFs now handle strings containing null bytes
+  correctly. (Seth Hall)
+
+- Adding new aux/btest submodule. This is a framework we will use in
+  the future for doing unit tests. (Robin Sommer)
+
+1.6-dev.41 Mon Feb  7 13:43:56 PST 2011
+
+- Smarter way to increase the parent/child pipe's socket buffer.
+  (Craig Leres).
+
+- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide
+  on some platforms. (Robin Sommer)
+
+1.6-dev.39 Mon Jan 31 16:42:23 PST 2011
+
+- Login's confused messages now go through weird.bro. (Robin Sommer)
+
+1.6-dev.36 Mon Jan 31 08:45:35 PST 2011
+
+- Adding more configure options for finding dependencies, (Jon Siwek)
+
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-swig=PATH       path to SWIG executable
+
+- Fixing typo in PCAPTests.cmake  (Jon Siwek)
+
+
+1.6-dev.33 Mon Jan 24 15:29:04 PST 2011
+
+- Fixing bug in SMB analyzer. (Robin Sommer)
+
+- Configure wrapper now deletes previous CMake cache (Jon Siwek)
+
+- Fix for the --with-binpac configure option. (Jon Siwek)
+
+1.6-dev.30 Thu Jan 20 16:32:43 PST 2011
+
+- Changed configure wrapper to create config.status. (Jon Siwek)
+
+1.6-dev.29 Thu Jan 20 16:29:56 PST 2011
+
+- Fixing little problem with initialization of Bro-to-Bro event
+  communication. (Christian Kreibich)
+
+
+1.6-dev.27 Thu Jan 20 13:52:25 PST 2011
+
+- Fine-tuning of the HTTP analyzer in terms of raising protocol
+  violations and interrupted transfers. (Gregor Maier)
+
+
+1.6-dev.21 Wed Jan 19 17:36:02 PST 2011
+
+- Added 4 new BiFs and a new record type for testing the entropy of
+  strings. (Seth Hall)
+
+    find_entropy(data: string): entropy_test_result
+        This is a one shot function that accepts a string and
+        returns the result of the entropy calculations.
+
+    entropy_test_init(index: any): bool
+        This and the next two functions are for calculating entropy
+        piece-wise. It only needs an index which can be any type of
+        variable. It needs to be something that uniquely identifies
+        the data stream that is currently having it's entropy
+        calculated.
+
+    entropy_test_add(index: any, data: string): bool
+        This function is used to add data into the entropy
+        calculation. It takes the index used in the function above
+        and the data that you are adding and returns true if
+        everything seemed to work, false otherwise.
+
+     entropy_test_finish(index: any): entropy_test_result
+        Calling this function indicates that all of the desired data
+        has been inserted into the entropy_test_add function and the
+        entropy should be calculated. This function *must* be called
+        in order to clean up an internal state tracking variable.
+        If this is never called on an index, it will result in a
+        memory leak.
+
+  The entropy_test_result values have several measures of the
+  entropy, but a good one to work with is the "entropy" attribute.
+  It's a double and as the value approaches 8.0 it can be considered
+  more and more random.  For example, a value of 7.832 would be
+  quite random but a value of 4.671 is not very random.
+
+1.6-dev.20 Wed Jan 19 17:30:11 PST 2011
+
+- BRO_DNS_FAKE is now listed in the --help output. (Seth Hall)
+
+
+1.6-dev.18 Wed Jan 19 16:37:13 PST 2011
+
+- Removing unnecessary expire timer from http_sessions. (Gregor
+  Maier)
+
+
+1.6-dev.16 Sat Jan 15 14:14:21 PST 2011
+
+- Updates to the build system. (Jonathan Siwek)
+
+    * ``make dist`` is now available to be used with the top-level
+      Makefile for creating source packages according to #344.
+
+    * ``make-rpm-packages`` and ``make-mac-packages`` scripts can
+      now generate binary packages according to #295.
+
+    * Additional configure options to change packaging behavior.
+
+    * OS X builds will now prefer to link static libraries of
+      optional dependencies that don't come with the vanilla
+      operating system.
+
+    * Fix for OS X 10.5 compile error dealing with the llabs()
+      function from stdlib.
+
+    * Installing as a different user than the one that
+      configured/built now works (although, a harmless error message
+      about not being able to write the install manifest may occur).
+
 
 1.6-dev.3 Wed Dec  8 04:09:38 PST 2010
 
@@ -31,7 +1771,7 @@
 
 - The Bro source code is now developed in the new git repositories.
   See the developer pages at http://www.bro-ids.org for more
-  information on the new development process. 
+  information on the new development process.
 
 - Bro's build and installation setup has been moved from GNU
   autotools to CMake. As a result of that, layout and specifics of
@@ -54,7 +1794,7 @@
   and can no longer be disabled.
 
 - ClamAV support has been removed, which has been non-functional for
-  a while already. 
+  a while already.
 
 1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
 
@@ -432,7 +2172,7 @@
  (1) Remote communication now no longer includes location information for
  serialized objects; that removes quite a bit of redundacy from the network
  traffic.
- 
+
  (2) The new option 'remote_check_sync_consistency" disables the cross-check
  on the receiving side of &synchronized state of whether the current value
  of a variable has the value expected by the sender. Transmitting the
@@ -449,7 +2189,7 @@
  we maintain *two* caches independently for these types of objects; one
  with a low turn-over one and another with a high one.  This should reduce
  CPU load on both sender and receiver sides.
- 
+
  The new scheme is only used if both communicating Bros support it; with
  older Bros, as well as with Broccoli, we continue using the old scheme.
 
@@ -643,12 +2383,12 @@
 		      bro -Y 0.0.0.0:5555 netflow
 		      bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
 
-	  -y|--flowfile <file>[=<ident>] 
+	  -y|--flowfile <file>[=<ident>]
 
 	    Used to read from a file. You can optionally include an
 	    identifier for the source.
 
-	    Examples: 
+	    Examples:
 		      bro -y myflowfile netflow
 		      bro -y myflowfile=src1 otherflowfile=src2 netflow
 
@@ -817,7 +2557,7 @@
 
   So, to drop all sources triggering a specific notice, one can now, e.g.,
   write:
-  
+
 	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
 
   Related to this change, notice_info has a new field $dropped, set to
@@ -848,8 +2588,8 @@
 	   before starting the main packet loop and another one when
 	   finished. These snapshots can then be analyzed with pprof.
 
-  For more information about the perftools see 
-  
+  For more information about the perftools see
+
 	http://code.google.com/p/google-perftools
 
 - Notice tags are now generated in a pseudo-unique fashion that, with high
@@ -923,7 +2663,7 @@
 	detector tables.
 
 - When Bro serializes functions, it now does so by default using only
-  their name, rather than their full value (Robin Sommer).  This prevents 
+  their name, rather than their full value (Robin Sommer).  This prevents
   propagation of expiration functions associated with tables and sets.
   Note, currently there is no mechanism provided to switch from the
   default behavior, but the internal hooks are in place to do so.
@@ -1188,7 +2928,7 @@
 - An arbitrary tag can now be past to post-processors for log rotation
   (Robin Sommer).
 
-- Default inactivity timeouts for interactive services shortened to 
+- Default inactivity timeouts for interactive services shortened to
   1 hour (Robin Sommer).
 
 - The scanning variables distinct_{peers,ports,low_ports} are now
@@ -1501,7 +3241,7 @@
   This fixes a long-standing problem of sometimes $addl fields not showing
   up in connection summaries.
 
-- The new expressions record(...), table(...), set(...) and vector(...) 
+- The new expressions record(...), table(...), set(...) and vector(...)
   are constructors for the corresponding aggregate types (Vern Paxson).
   For example,
 
@@ -1655,7 +3395,7 @@
 - A new notice_action_filter, tally_notice_type_and_ignore, works the same
   as tally_notice_type but returns IGNORE (Robin Sommer)
 
-- Setting summary_interval == 0 disables the creation of irc-bots.summary.log 
+- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
   (Robin Sommer).
 
 - If you @load foo and a directory "foo" is in your path, Bro no longer
@@ -1772,9 +3512,9 @@
 
 - Fixed using "time" values as table indices.
 
-- Added ssh to default brolite DPD configuration. 
+- Added ssh to default brolite DPD configuration.
 
-- Fixed catching up to real-time in case of lull. 
+- Fixed catching up to real-time in case of lull.
 
 - Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
 
@@ -1784,11 +3524,11 @@
 
 - Added Linux tuning to brolite install script.
 
-- Modified Makefile to include broccoli/contrib. 
+- Modified Makefile to include broccoli/contrib.
 
-- Adding missing initialization to remote serializer. 
+- Adding missing initialization to remote serializer.
 
-- Minor documentation updates for reference manual and Broccoli. 
+- Minor documentation updates for reference manual and Broccoli.
 
 
 1.2 Tue Oct 17 12:09:49 PDT 2006
@@ -2007,7 +3747,7 @@
 
 	- notice_action_filters now reside in the new script
 	  notice-action-filter.bro (automatically loaded by notice.bro).
-        
+
 	- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
 	  and NOTICE_ALARM_ONCE have been removed, as they were never
 	  actually implemented.
@@ -2027,7 +3767,7 @@
 
 - TRW analysis now skips UDP traffic because it currently treats
   all UDP connections as failures (Robin Sommer).
-     
+
 - trw.bro has been split into trw-impl.bro (the algorithm) and
   trw.bro (which simply activates the analysis), to facilitate writing
   scripts that have hooks into TRW analysis but don't presume it's
@@ -2160,7 +3900,7 @@
   (Robin Sommer).  This appears to still need some work, as now
   it generates redundant events.
 
-- Fix for initial exchange of &sync state which could lead to 
+- Fix for initial exchange of &sync state which could lead to
   referencing unknown IDs (Robin Sommer).
 
 - Fix to scan detection for differing semantics of connection compressor
@@ -2469,7 +4209,7 @@
 
 	- the new variable dump_backdoor_packets (default F) if set causes
 	  the packet that triggered the backdoor detection to be written to
-	  backdoor-packets/<tag>:<time> 
+	  backdoor-packets/<tag>:<time>
 
 	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
 	  specify host/port combinations to ignore
@@ -2623,7 +4363,7 @@
 	- Now can ignore specific connections dynamically.
 
 	- TCP content gaps are now recognized and ADU delivery is for now
-	  stopped for such flows, unless explicitly requested. 
+	  stopped for such flows, unless explicitly requested.
 
 	- No longer logs to file in test mode.
 
@@ -2634,7 +4374,7 @@
 - Bro now performs serialization (such as when checkpointing &persistent
   tables or communicating them between Bro's) in an incremental fashion,
   intermingling transfers of large tables with ongoing packet processing
-  (Robin Sommer).  Doing so helps avoid packet drops for large items. 
+  (Robin Sommer).  Doing so helps avoid packet drops for large items.
   This has not yet been implemented for the initial handshake done
   for &synchronized items.
 
@@ -2697,7 +4437,7 @@
 
 - Notices now report current time for remotely-received notices rather
   than network time (Brian Tierney).
-  
+
 - Notices now include a tag es=<peer_description> any time a peer
   description is defined, not just for remote notices (Robin Sommer).
 
@@ -2901,9 +4641,9 @@
 
 - Bug fix for exchanging peer descriptions (Robin Sommer).
 
-- Bug fix for processing multipart-MIME HTTP messages with content-length 
+- Bug fix for processing multipart-MIME HTTP messages with content-length
   headers (Ruoming Pang).
-  
+
 - Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
 
 - Bug fix for propagating increment operations on tables (Robin Sommer).
@@ -2917,7 +4657,7 @@
 - Bug fix for printing enum's (Christian Kreibich).
 
 - When not configured with --enable debug, Bro now still accepts (yet ignores)
-  option -B (Robin Sommer). 
+  option -B (Robin Sommer).
 
 - Serialization enhancements and fixes, including a change of the
   protocol version number (Robin Sommer).
@@ -2958,7 +4698,7 @@
 
 - Fix for connection compressor bug in tracking connection history
   (Robin Sommer).
-  
+
 - Bug fix for potential floating point exception in signature engine's
   resource-profiling code (Robin Sommer).
 
@@ -3084,7 +4824,7 @@
 	smb_get_dfs_referral(c: connection, max_referral_level: count,
 				file_name: string)
 		generated for SMB DFS referal requests
- 
+
 	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
 		low-level event generated for each DNS request/reponse
 
@@ -3158,7 +4898,7 @@
 - The "bif" compiler for compiling Bro built-in functions now supports
   an "enum" type (Ruoming Pang).  The syntax is:
 
-	enum dce_rpc_ptype 
+	enum dce_rpc_ptype
 	%{
 		DCE_RPC_REQUEST,
 		DCE_RPC_PING,
@@ -3167,7 +4907,7 @@
 
   which is translated to an enum declaration of "dce_rpc_ptype" in
   Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
-  BroEnum::dce_rpc_ptype {...}. 
+  BroEnum::dce_rpc_ptype {...}.
 
   One limitation is that redef's on enum types cannot be taken into
   account because the bif is parsed at compile time.
@@ -3311,7 +5051,7 @@
   specify whether to broadcast events/state received from one peer to other
   peers (Robin Sommer).  Both default to F.  Note, these options are temporary;
   they will disappear when we add a more sophisticated script-level
-  communication framework. 
+  communication framework.
 
 - Vectors can now be initialized using the syntax such as
 
@@ -3353,11 +5093,11 @@
     //      VERSION messages must be exchanged.
     //      Ends when both peers have sent VERSION.
     //  Handshake:
-    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs 
+    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
     //        may be exchanged.
     //      Phase ends when both peers have sent PHASE_DONE.
     //  State synchronization:
-    //      Entered iff at least one of the peers has sent REQUEST_SYNC.    
+    //      Entered iff at least one of the peers has sent REQUEST_SYNC.
     //      The peer with the smallest runtime (incl. in VERSION msg) sends
     //        SERIAL messages comprising all of its state.
     //      Phase ends when peer sends another PHASE_DONE.
@@ -4245,7 +5985,7 @@
 - A new flag, -e, lets you specify Bro code to execute via the command
   line (Christian Kreibich).  So, for example,
 
-	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp 
+	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
 
   will run tcp.bro on the trace "mytrace.tcpdump", but with
   traditional_conn_format redefined to be true.  Note that statements
@@ -4342,7 +6082,7 @@
 - The new "weird" type "base64_illegal_encoding" takes the place of
   some previously unstructured Base64 "weird" errors.
 
-- A tweak to ftp.bro will give it slightly more consistent results 
+- A tweak to ftp.bro will give it slightly more consistent results
   for some forms of unusual traffic.
 
 
@@ -4419,7 +6159,7 @@
 
 - The new built-ins any_set() and all_set() return true if for a given
   boolean vector any element is true or all of the elements is true
-  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if 
+  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if
   an element of x is less than zero.
 
 - The new built-in sort() takes a vector as an argument and sorts it
@@ -4790,7 +6530,7 @@
   current CPU load. If the load is below cpu_lower_limit (default 40%),
   the load-level is decreased.  If it's above cpu_upper_limit (default
   90%), it's increased.  (Robin Sommer)
- 
+
 - The new policy script hand-over.bro can be used for a new running
   instance of Bro to smoothly take over operation from an old instance,
   i.e., it implements hand-over of state between two Bro instances when
@@ -4976,7 +6716,7 @@
 	$priority - type must be arithmetic (count, int, double).  This
 		  is the priority associated with the match of EXPR1
 		  if $pred returns true.
-  
+
   The way the expression works is that EXPR1 is evaluated yielding a
   value V.  EXPR2 is then evaluated yielding a set of records whose
   type includes the above fields.  Bro then spins through each of the
@@ -5311,8 +7051,8 @@
   Sommer).  The format is simple, just "include" or "ignore" followed
   by the SID number:
 
-	# sid-526 BAD TRAFFIC data in TCP SYN packet 
-	ignore	526 
+	# sid-526 BAD TRAFFIC data in TCP SYN packet
+	ignore	526
 
 	# sid-623 matches a null-flags stealth scan.  Include it even
 	# if we build with -p, since it doesn't tend to generate any
@@ -5465,7 +7205,7 @@
   A new function, get_event_source(), returns a record event_source
   describing the source that raised the last event.
 
-  See doc/ssl.txt for an explanation of how to create the keys/certificates.   
+  See doc/ssl.txt for an explanation of how to create the keys/certificates.
 
 - A fledgling Gnutella analyzer has been contributed (Mark Allman).
   It generates the following events:
@@ -5493,7 +7233,7 @@
 	  redef secondary_filters += {
 		  ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
 	  }
-  
+
   will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
   which the SYN/FIN/RST bits are non-zero.  The event handler will
   be passed the string "tcp[13] & 7 != 0" (so it can tell which
@@ -5551,7 +7291,7 @@
   public key; it's used to then embed a Blowfish session key.  (Robin Sommer)
 
   A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
-  the files. 
+  the files.
 
 - The internal structure of TCP analysis has been significantly altered.
   Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
@@ -5628,7 +7368,7 @@
     const remote_peers_ssl : table[addr, port] of Peer &redef;
     [...]
     for ( [ip, p] in remote_peers_ssl )
-        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry); 
+        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);
 
 - Checkpointing of persistent state on SIGHUP now happens via bro.init
   (Robin Sommer).  Not tested.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a86e0b7d70..241a5b29d2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,58 +1,36 @@
-project(Bro)
-
-########################################################################
-## CMake Configuration
+project(Bro C CXX)
 cmake_minimum_required(VERSION 2.6 FATAL_ERROR)
-
-# Prohibit in-source builds.
-if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
-    message(FATAL_ERROR "In-source builds are not allowed. Please use "
-                        "./configure to choose a build directory and "
-                        "initialize the build configuration.")
-endif ()
-
-set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
-
-if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
-    # uninstall target
-    configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake/cmake_uninstall.cmake.in"
-                   "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
-                    @ONLY)
-
-    add_custom_target(uninstall COMMAND
-        ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
-endif ()
+include(cmake/CommonCMakeConfig.cmake)
 
 ########################################################################
 ## Project/Build Configuration
 
 set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
-if (NOT POLICYDIR)
-    # set the default policy installation path (user did not specify one)
-    set(POLICYDIR ${BRO_ROOT_DIR}/share/bro)
+if (NOT BRO_SCRIPT_INSTALL_PATH)
+    # set the default Bro script installation path (user did not specify one)
+    set(BRO_SCRIPT_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro)
 endif ()
+set(BRO_SCRIPT_SOURCE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/scripts)
 
-# sanitize the policy install directory into an absolute path
+# sanitize the Bro script install directory into an absolute path
 # (CMake is confused by ~ as a representation of home directory)
-get_filename_component(POLICYDIR ${POLICYDIR} ABSOLUTE)
+get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH}
+    ABSOLUTE)
 
 configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev)
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh
+     "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
+     "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
+     "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
+     "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
-
-set(EXTRA_COMPILE_FLAGS "-Wall -Wno-unused")
-
-if (ENABLE_DEBUG)
-    set(CMAKE_BUILD_TYPE Debug)
-    set(EXTRA_COMPILE_FLAGS "${EXTRA_COMPILE_FLAGS} -DDEBUG")
-else ()
-    set(CMAKE_BUILD_TYPE RelWithDebInfo)
-endif ()
-
-# Compiler flags may already exist in CMake cache (e.g. when specifying
-# CFLAGS environment variable before running cmake for the the first time)
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_COMPILE_FLAGS}")
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_COMPILE_FLAGS}")
+string(REPLACE "." " " version_numbers ${VERSION})
+separate_arguments(version_numbers)
+list(GET version_numbers 0 VERSION_MAJOR)
+list(GET version_numbers 1 VERSION_MINOR)
+set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}")
 
 ########################################################################
 ## Dependency Configuration
@@ -75,8 +53,11 @@ FindRequiredPackage(BISON)
 FindRequiredPackage(PCAP)
 FindRequiredPackage(OpenSSL)
 FindRequiredPackage(BIND)
+FindRequiredPackage(LibMagic)
+FindRequiredPackage(ZLIB)
 
-if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt)
+if (NOT BinPAC_ROOT_DIR AND
+    EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt)
     add_subdirectory(aux/binpac)
 endif ()
 FindRequiredPackage(BinPAC)
@@ -93,26 +74,12 @@ include_directories(BEFORE
                     ${OpenSSL_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
                     ${BinPAC_INCLUDE_DIR}
+                    ${LibMagic_INCLUDE_DIR}
+                    ${ZLIB_INCLUDE_DIR}
 )
 
 # Optional Dependencies
 
-set(HAVE_LIBMAGIC false)
-find_package(LibMagic)
-if (LIBMAGIC_FOUND)
-    set(HAVE_LIBMAGIC true)
-    include_directories(BEFORE ${LibMagic_INCLUDE_DIR})
-    list(APPEND OPTLIBS ${LibMagic_LIBRARY})
-endif ()
-
-set(HAVE_LIBZ false)
-find_package(ZLIB)
-if (ZLIB_FOUND)
-    set(HAVE_LIBZ true)
-    include_directories(BEFORE ${ZLIB_INCLUDE_DIR})
-    list(APPEND OPTLIBS ${ZLIB_LIBRARY})
-endif ()
-
 set(USE_GEOIP false)
 find_package(LibGeoIP)
 if (LIBGEOIP_FOUND)
@@ -131,6 +98,16 @@ if (ENABLE_PERFTOOLS)
     endif ()
 endif ()
 
+set(brodeps
+    ${BinPAC_LIBRARY}
+    ${PCAP_LIBRARY}
+    ${OpenSSL_LIBRARIES}
+    ${BIND_LIBRARY}
+    ${LibMagic_LIBRARY}
+    ${ZLIB_LIBRARY}
+    ${OPTLIBS}
+)
+
 ########################################################################
 ## System Introspection
 
@@ -155,85 +132,30 @@ include_directories(${CMAKE_CURRENT_BINARY_DIR})
 ## Recurse on sub-directories
 
 add_subdirectory(src)
-add_subdirectory(policy)
-#add_subdirectory(scripts)
-#add_subdirectory(doc)
+add_subdirectory(scripts)
+add_subdirectory(doc)
 
-if (INSTALL_BROCCOLI)
-    if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/broccoli/CMakeLists.txt)
-        add_subdirectory(aux/broccoli)
-    else ()
-        message(FATAL_ERROR "Broccoli selected for installation, "
-                            "but the source code does not exist in "
-                            "${CMAKE_CURRENT_SOURCE_DIR}/aux/broccoli")
-    endif ()
-endif ()
+include(CheckOptionalBuildSources)
 
-if (INSTALL_BROCTL)
-    if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/broctl/CMakeLists.txt)
-        add_subdirectory(aux/broctl)
-    else ()
-        message(FATAL_ERROR "Broctl selected for installation, "
-                            "but the source code does not exist in "
-                            "${CMAKE_CURRENT_SOURCE_DIR}/aux/broctl")
-    endif ()
-endif ()
-
-if (INSTALL_AUX_TOOLS)
-    if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/bro-aux/CMakeLists.txt)
-        add_subdirectory(aux/bro-aux)
-    else ()
-        message(FATAL_ERROR "Bro auxilliary tools selected for installation, "
-                            "but the source code does not exist in "
-                            "${CMAKE_CURRENT_SOURCE_DIR}/aux/bro-aux")
-    endif ()
-endif ()
+CheckOptionalBuildSources(aux/broctl   Broctl   INSTALL_BROCTL)
+CheckOptionalBuildSources(aux/bro-aux  Bro-Aux  INSTALL_AUX_TOOLS)
+CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
 
 ########################################################################
 ## Packaging Setup
 
-include(SetPackageVersion)
-SetPackageVersion(${VERSION})
-include(SetPackageGenerators)
-include(SetPackageFileName)
-
-set(CPACK_PACKAGE_VENDOR "Lawrence Berkeley National Laboratory")
-set(CPACK_PACKAGE_CONTACT "info@bro-ids.org")
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY
-    "The Bro Network Intrusion Detection System")
-
-# CPack may enforce file name extensions for certain package generators
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/README
-               ${CMAKE_CURRENT_BINARY_DIR}/README.txt
-                COPYONLY)
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING
-               ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt
-                COPYONLY)
-
-set(CPACK_PACKAGE_DESCRIPTION_FILE ${CMAKE_CURRENT_BINARY_DIR}/README.txt)
-set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt)
-set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt)
-set(CPACK_RESOURCE_FILE_WELCOME ${CMAKE_CURRENT_BINARY_DIR}/README.txt)
-
-if (APPLE)
-    # /usr prefix is hardcoded for PackageMaker generator, but that
-    # directory may not be ideal for OS X (it's tricky to remove
-    # packages installed there).  So instead we rely on CMAKE_INSTALL_PREFIX
-    # and set the following variable to workaround the hardcoded /usr prefix
-    set(CPACK_PACKAGING_INSTALL_PREFIX "/")
-    set(CPACK_PACKAGE_DEFAULT_LOCATION ${CMAKE_INSTALL_PREFIX})
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
-    # A prefix of /usr would follow Filesystem Hierarchy Standard.
-    # For RPM packaging by CPack, /usr should be a default, but
-    # CMAKE_INSTALL_PREFIX also needs to be set to /usr so that
-    # the default BROPATH is set right at build time
-    set(CPACK_RPM_PACKAGE_LICENSE "BSD")
+if (INSTALL_BROCTL)
+    # CPack RPM Generator may not automatically detect this
+    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0")
 endif ()
 
-# Ignore the build directory
-set(CPACK_SOURCE_IGNORE_FILES ${CMAKE_BINARY_DIR} ".git")
-
-include(CPack)
+# If this CMake project is a sub-project of another, we will not
+# configure the generic packaging because CPack will fail in the case
+# that the parent project has already configured packaging
+if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
+    include(ConfigurePackaging)
+    ConfigurePackaging(${VERSION})
+endif ()
 
 ########################################################################
 ## Build Summary
@@ -242,21 +164,11 @@ if (CMAKE_BUILD_TYPE)
     string(TOUPPER ${CMAKE_BUILD_TYPE} BuildType)
 endif ()
 
-if (INSTALL_BROCTL)
-    if (STANDALONE)
-        set(BROCTL_INSTALL_MODE "standalone")
-    else ()
-        set(BROCTL_INSTALL_MODE "cluster")
-    endif ()
-else ()
-    set(BROCTL_INSTALL_MODE "false")
-endif ()
-
 message(
     "\n====================|  Bro Build Summary  |====================="
     "\n"
     "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
-    "\nPolicy dir:        ${POLICYDIR}"
+    "\nBro Script Path:   ${BRO_SCRIPT_INSTALL_PATH}"
     "\nDebug mode:        ${ENABLE_DEBUG}"
     "\n"
     "\nCC:                ${CMAKE_C_COMPILER}"
@@ -266,13 +178,13 @@ message(
     "\nCPP:               ${CMAKE_CXX_COMPILER}"
     "\n"
     "\nBroccoli:          ${INSTALL_BROCCOLI}"
-    "\nBroctl:            ${BROCTL_INSTALL_MODE}"
+    "\nBroctl:            ${INSTALL_BROCTL}"
     "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
     "\n"
     "\nGeoIP:             ${USE_GEOIP}"
-    "\nlibz:              ${HAVE_LIBZ}"
-    "\nlibmagic:          ${HAVE_LIBMAGIC}"
     "\nGoogle perftools:  ${USE_PERFTOOLS}"
     "\n"
     "\n================================================================\n"
 )
+
+include(UserChangedWarning)
diff --git a/COPYING b/COPYING
index f9bba2b90e..7b0a94a03b 100644
--- a/COPYING
+++ b/COPYING
@@ -1,11 +1,12 @@
-Copyright (c) 1995-2010, The Regents of the University of California,
-through Lawrence Berkeley National Laboratory. All rights reserved.
+Copyright (c) 1995-2012, The Regents of the University of California
+through the Lawrence Berkeley National Laboratory and the
+International Computer Science Institute. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 
-(1) Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
 
 (2) Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
@@ -29,20 +30,5 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
-Note that some files in the Bro distribution carry their own copyright
-notices.  The above applies to the Bro scripts in policy/ (other than as
-noted below) and the source files in src/, other than:
-
-	policy/sigs/p0fsyn.osf
-	src/H3.h
-	src/OSFinger.cc
-	src/OSFinger.h
-	src/bsd-getopt-long.c
-	src/bsd-getopt-long.h
-	src/md5.c
-	src/md5.h
-	src/patricia.c
-	src/patricia.h
-
-In addition, other components, such as the build system, may have
-separate copyrights.
+Note that some files in the distribution may carry their own copyright
+notices.
diff --git a/Checklist-for-Release b/Checklist-for-Release
deleted file mode 100644
index e0d0572872..0000000000
--- a/Checklist-for-Release
+++ /dev/null
@@ -1,45 +0,0 @@
-
-TODO: Needs update. -Robin
-
-- Make sure BroV6 works.
-
-- Make sure --enable-int64 builds w/o warnings.
-
-- Update TODO-For-Next-Release.
-
-- Build distribution on a system with an up-to-date yacc (MacOS suffices).
-
-- make distcheck
-
-- Edit CHANGES to final version.
-
-- Fix VERSION to final value.
-
-- Update version info (and perhaps other stuff) in README.
-
-- Check everything in.
-
-- Make an SVN branch for the release:
-
-    svn cp svn+ssh://svn.icir.org/bro/trunk \
-	    svn+ssh://svn.icir.org/bro/releases/release_1_X
-
-- scp bro-XXX.tar.gz crd.lbl.gov:/ftp/BROIDS/
-  scp CHANGES crd.lbl.gov:/ftp/BROIDS/bro-change-log.txt
-
-- Fix symlinks on crd:
-
-	bro-1.X-release.tar.gz
-	bro-1.X-current.tar.gz
-	bro-1.<n>-release.tar.gz
-
-- Update crd:/www/BROIDS/download.html to reflect new version.  This page
-  is generated from trunk/bro-web/download.xml.  Edit this file, and also
-  update the (web page) version in build.xml, the copyright year in
-  navigation.xml, and create a news entry in news.xml.
-
-  Type 'ant style' on a machine with 'ant' installed, and copy
-  html/*.html to crd.lbl.gov:/www/BROIDS/ .
-
-- Send email to bro@bro-ids.org.  Look for "release now available" in
-  previous messages as a template.
diff --git a/INSTALL b/INSTALL
index c8e08b3000..73b824b2b7 100644
--- a/INSTALL
+++ b/INSTALL
@@ -2,90 +2,91 @@
 Installing Bro
 ==============
 
-
 Prerequisites
 =============
 
 Bro relies on the following libraries and tools, which need to be installed
 before you begin:
 
-    * Libpcap headers and libraries
-       Network traffic capture library
+    * CMake 2.6 or greater              http://www.cmake.org
 
-    * Flex (Fast Lexical Analyzer)
-       Flex is already installed on most systems, so with luck you can
-       skip having to install it yourself.
+    * Libpcap (headers and libraries)   http://www.tcpdump.org
 
-    * Bison (GNU Parser Generator)
-       This comes with many systems, but if you get errors compiling
-       parse.y, you will need to install it.
+    * OpenSSL (headers and libraries)   http://www.openssl.org
 
-    * Perl
-       Used only during the Bro build process
-
-    * sed
-       Used only during the Bro build process
-
-    * BIND8 headers and libraries
-       These are usually already installed as well.
-
-    * OpenSSL headers and libraries
-        For analysis of SSL certificates by the HTTP analyzer, and
-        for encrypted Bro-to-Bro communication. These are likely installed,
-        though some platforms may require installation of a 'devel' package
-         for the headers.
-
-    * CMake 2.8 or greater
-       CMake is a cross-platform, open-source build system, typically
-       not installed by default.  See http://www.cmake.org for more
-       information regarding CMake and the installation steps below for
-       how to use it to build this distribution.  CMake generates native
-       Makefiles that depend on GNU Make by default.
-
-Bro can also make uses of some optional libraries if they are found at
-installation time:
+    * SWIG                              http://www.swig.org
 
     * Libmagic
-      For identifying file types (e.g., in FTP transfers).
-
-    * LibGeoIP
-       For geo-locating IP addresses.
 
     * Libz
-       For decompressing HTTP bodies by the HTTP analyzer, and for
-       compressed Bro-to-Bro communication.
+
+Bro can make uses of some optional libraries if they are found at
+installation time:
+
+    * LibGeoIP  For geo-locating IP addresses.
+
+Bro also needs the following tools, but on most systems they will
+already come preinstalled:
+
+    * Bash  (For Bro Control).
+    * BIND8 (headers and libraries)
+    * Bison (GNU Parser Generator)
+    * Flex  (Fast Lexical Analyzer)
+    * Perl  (Used only during the Bro build process)
+
 
 Installation
 ============
 
-To build and install into /usr/local/bro:
+To build and install into ``/usr/local/bro``::
 
-    > ./configure
-    > cd build
-    > make
-    > make install
+    ./configure
+    make
+    make install
 
-This will perform an out-of-source build into a directory called
-build/, using default build options. It then installs the Bro binary
-into /usr/local/bro/bin. Depending on the Bro package you
-downloaded, there may be auxiliary tools and libraries available in
-the aux/ directory. If so, they will be installed by default as well
-if not explicitly disabled via configure options.
+This will first build Bro into a directory inside the distribution
+called ``build/``, using default build options. It then installs all
+required files into ``/usr/local/bro``, including the Bro binary in
+``/usr/local/bro/bin/bro``.
 
-You can specify a different installation directory with
+You can specify a different installation directory with::
 
-    > ./configure --prefix=<dir>
+    ./configure --prefix=<dir>
 
-Run "./configure --help" for more options.
+Note that ``/usr`` and ``/opt/bro`` are the standard prefixes for
+binary Bro packages to be installed, so those are typically not good
+choices unless you are creating such a package.
+
+Run ``./configure --help`` for more options.
+
+Depending on the Bro package you downloaded, there may be auxiliary
+tools and libraries available in the ``aux/`` directory. All of them
+except for ``aux/bro-aux`` will also be built and installed by doing
+``make install``.  To install the programs that come in the
+``aux/bro-aux`` directory, use ``make install-aux``. There are
+``--disable-*`` options that can be given to the configure script to
+turn off unwanted auxiliary projects.
+
+OpenBSD users, please see our `FAQ
+<http://www.bro-ids.org/documentation/faq.html>` if you are having
+problems installing Bro.
 
 Running Bro
 ===========
 
 Bro is a complex program and it takes a bit of time to get familiar
-with it. In the following we give a few simple examples.  See the
-quickstart guide at http://www.bro-ids.org for more information; you
-can the source that in doc/quick-start.
+with it.  A good place for newcomers to start is the Quickstart Guide
+at http://www.bro-ids.org/documentation/quickstart.html.
 
-For developers that wish to run Bro after performing "make", but
-without performing "make install", see build/bro-path-dev for
-an example.
+For developers that wish to run Bro directly from the ``build/``
+directory (i.e., without performing ``make install``), they will have
+to first adjust ``BROPATH`` to look for scripts inside the build
+directory.  Sourcing either ``build/bro-path-dev.sh`` or
+``build/bro-path-dev.csh`` as appropriate for the current shell
+accomplishes this and also augments your ``PATH`` so you can use the
+Bro binary directly::
+
+    ./configure
+    make
+    source build/bro-path-dev.sh
+    bro <options>
diff --git a/Makefile b/Makefile
index 10f64df310..455fa6ed88 100644
--- a/Makefile
+++ b/Makefile
@@ -2,27 +2,69 @@
 # A simple static wrapper for a number of standard Makefile targets,
 # mostly just forwarding to build/Makefile. This is provided only for
 # convenience and supports only a subset of what CMake's Makefile
-# to offer. For more, execute that one directly. 
+# offers. For more, execute that one directly. 
 #
 
 BUILD=build
+REPO=`basename \`git config --get remote.origin.url\``
+VERSION_FULL=$(REPO)-`cat VERSION`
+VERSION_MIN=$(REPO)-`cat VERSION`-minimal
+HAVE_MODULES=git submodule | grep -v cmake >/dev/null
 
 all: configured
-	( cd $(BUILD) && make )
+	$(MAKE) -C $(BUILD) $@
 
-install: configured
-	( cd $(BUILD) && make install )
+install: configured all
+	$(MAKE) -C $(BUILD) $@
 
-clean: configured
-	( cd $(BUILD) && make clean )
+install-aux: configured
+	$(MAKE) -C $(BUILD) $@
 
-dist: configured
-	( cd $(BUILD) && make package_source )
+clean: configured docclean
+	$(MAKE) -C $(BUILD) $@
+
+doc: configured
+	$(MAKE) -C $(BUILD) $@
+
+docclean: configured
+	$(MAKE) -C $(BUILD) $@
+
+restdoc: configured
+	$(MAKE) -C $(BUILD) $@
+
+restclean: configured
+	$(MAKE) -C $(BUILD) $@
+
+broxygen: configured
+	$(MAKE) -C $(BUILD) $@
+
+broxygenclean: configured
+	$(MAKE) -C $(BUILD) $@
+
+dist:
+	@rm -rf $(VERSION_FULL) $(VERSION_FULL).tgz
+	@rm -rf $(VERSION_MIN) $(VERSION_MIN).tgz
+	@mkdir $(VERSION_FULL)
+	@tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git -cf - . | ( cd $(VERSION_FULL) && tar -xpf - )
+	@( cd $(VERSION_FULL) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git )
+	@tar -czf $(VERSION_FULL).tgz $(VERSION_FULL) && echo Package: $(VERSION_FULL).tgz && rm -rf $(VERSION_FULL)
+	@$(HAVE_MODULES) && mkdir $(VERSION_MIN) || exit 0
+	@$(HAVE_MODULES) && tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git `git submodule | awk '{print "--exclude="$$2}' | grep -v cmake | tr '\n' ' '` -cf - . | ( cd $(VERSION_MIN) && tar -xpf - ) || exit 0
+	@$(HAVE_MODULES) && ( cd $(VERSION_MIN) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git ) || exit 0
+	@$(HAVE_MODULES) && tar -czf $(VERSION_MIN).tgz $(VERSION_MIN) && echo Package: $(VERSION_MIN).tgz && rm -rf $(VERSION_MIN) || exit 0
+
+bindist:
+	@( cd pkg && ( ./make-deb-packages || ./make-mac-packages || \
+	               ./make-rpm-packages ) )
 
 distclean:
 	rm -rf $(BUILD)
 
-.PHONY : configured
+test:
+	@(cd testing && make )
+
 configured:
 	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
 	@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
+
+.PHONY : all install clean doc docclean dist bindist distclean configured
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000000..1a257ce18f
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,64 @@
+
+Release Notes
+=============
+
+This document summarizes the most important changes in the current Bro
+release. For a complete list of changes, see the ``CHANGES`` file.
+
+Bro 2.0
+-------
+
+As the version number jump suggests, Bro 2.0 is a major upgrade and
+lots of things have changed. We have assembled a separate upgrade
+guide with the most important changes compared to Bro 1.5 at
+http://www.bro-ids.org/documentation/upgrade.html. You can find
+the offline version of that document in ``doc/upgrade.rst.``.
+
+Compared to the earlier 2.0 Beta version, the major changes in the
+final release are:
+
+    * The default scripts now come with complete reference
+      documentation. See
+      http://www.bro-ids.org/documentation/index.html.
+
+    * libz and libmagic are now required dependencies.
+
+    * Reduced snaplen default from 65535 to old default of 8192. The
+      large value was introducing performance problems on many
+      systems.
+
+    * Replaced the --snaplen/-l command line option with a
+      scripting-layer option called "snaplen". The new option can also
+      be redefined on the command line, e.g. ``bro -i eth0
+      snaplen=65535``.
+
+    * Reintroduced the BRO_LOG_SUFFIX environment variable that the
+      ASCII logger now respects to add a suffix to the log files it
+      creates.
+
+    * The ASCII logs now include further header information, and 
+      fields set to an empty value are now logged as ``(empty)`` by
+      default (instead of ``-``, which is already used for fields that
+      are not set at all).
+
+    * Some NOTICES were renamed, and the signatures of some SSL events
+      have changed.
+
+    * bro-cut got some new capabilities:
+
+        - If no field names are given on the command line, we now pass
+          through all fields.
+
+        - New options -u/-U for time output in UTC.
+
+        - New option -F to give output field separator.
+
+    * Broccoli supports more types internally, allowing to send
+      complex records.
+
+    * Many smaller bug fixes, portability improvements, and general
+      polishing across all modules.
+
+
+
+
diff --git a/README b/README
index 66a580fa19..c837afaf92 100644
--- a/README
+++ b/README
@@ -1,31 +1,21 @@
-This is release 1.6 of Bro, a system for detecting network intruders in
-real-time using passive network monitoring.
+============================
+Bro Network Security Monitor
+============================
 
-Please see the file INSTALL for installation instructions and
-pointers for getting started. For more documentation, see the
-documentation on Bro's home page:
+Bro is a powerful framework for network analysis and security
+monitoring. Please see the INSTALL file for installation instructions
+and pointers for getting started. NEWS contains release notes for the
+current version, and CHANGES has the complete history of changes.
+Please see COPYING for licensing information.
 
-    http://www.bro-ids.org/docs
+For more documentation, research publications, and community contact
+information, please see Bro's home page:
 
-The main parts of Bro's documentation are also available in the doc/
-directory of the distribution. (Please note that the documentation
-is still a work in progress; there will be more in future releases.)
+    http://www.bro-ids.org
 
-Numerous other Bro-related publications, including a paper describing the
-system, can be found at
-
-    http://www.bro-ids.org/publications.html
-
-Send comments, etc., to the Bro mailing list, bro@bro-ids.org.
-However, please note that you must first subscribe to the list in
-order to be able to post to it.
-
-- Vern Paxson & Robin Sommer, on behalf of the Bro development team
+On behalf of the Bro Development Team,
 
+Vern Paxson & Robin Sommer,
+International Computer Science Institute &
 Lawrence Berkeley National Laboratory
-University of California, Berkeley  USA
-
-ICSI Center for Internet Research (ICIR)
-International Computer Science Institute
-Berkeley, CA  USA
 vern@icir.org / robin@icir.org
diff --git a/VERSION b/VERSION
index c83f86baee..8dd930b077 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.6-dev.3
+2.0-57
diff --git a/aux/binpac b/aux/binpac
index 4e1dad4ee6..43308aab47 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 4e1dad4ee69b85d04af72c0faaff47fddf3240e2
+Subproject commit 43308aab47a3357ca1885e1b6954154a2744d821
diff --git a/aux/bro-aux b/aux/bro-aux
index 7b829fbe8d..139cc2e1e0 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 7b829fbe8d6fa36c33c0c07a8f09cc0d68cd17f1
+Subproject commit 139cc2e1e049c4e1cc7e95f20866102be1d3d599
diff --git a/aux/broccoli b/aux/broccoli
index 2bf6c82eed..930e7c7822 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 2bf6c82eed841d2a8e7104875717296fe50ca126
+Subproject commit 930e7c78221929849086a578308e2fdc99ac3fb8
diff --git a/aux/broctl b/aux/broctl
index 0d8b64252f..e908ba686d 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 0d8b64252f00f147f31f5e8c02a6a710699b67d9
+Subproject commit e908ba686dceb56065bdf569c18dd0f67f662f6b
diff --git a/aux/btest b/aux/btest
new file mode 160000
index 0000000000..ee87db37b5
--- /dev/null
+++ b/aux/btest
@@ -0,0 +1 @@
+Subproject commit ee87db37b520b88a55323a9767234c30b801e439
diff --git a/bro-path-dev.in b/bro-path-dev.in
index aad1b72dbd..81d4f111fc 100755
--- a/bro-path-dev.in
+++ b/bro-path-dev.in
@@ -1,20 +1,19 @@
-# After configured by CMake, this file prints the absolute path to policy
-# files that come with the source distributions of Bro and Broctl as well
-# as policy files that are generated by the BIF compiler at compile time
+#!/bin/sh
+# After configured by CMake, this file prints the absolute path to Bro scripts
+# that come with the source distributions of Bro as well as scripts that are
+# generated by the BIF compiler at compile time.
 #
 # The intended use of this script is to make it easier to run Bro from
 # the build directory, avoiding the need to install it.  This could be
 # done like:
 #
-#     BROPATH=`source bro-path-dev` ./src/bro
+#     BROPATH=`./bro-path-dev` ./src/bro
 #
 
-broPolicies=${PROJECT_SOURCE_DIR}/policy:${PROJECT_SOURCE_DIR}/policy/sigs:${PROJECT_SOURCE_DIR}/policy/time-machine
+broPolicies=${BRO_SCRIPT_SOURCE_PATH}:${BRO_SCRIPT_SOURCE_PATH}/policy:${BRO_SCRIPT_SOURCE_PATH}/site
 
 broGenPolicies=${CMAKE_BINARY_DIR}/src
 
-broctlPolicies=${PROJECT_SOURCE_DIR}/aux/broctl/policy:${CMAKE_BINARY_DIR}/aux/broctl/policy/local
+installedPolicies=${BRO_SCRIPT_INSTALL_PATH}:${BRO_SCRIPT_INSTALL_PATH}/site
 
-installedPolicies=${POLICYDIR}:${POLICYDIR}/sigs:${POLICYDIR}/time-machine:${POLICYDIR}/site
-
-echo .:$broPolicies:$broGenPolicies:$broctlPolicies
+echo .:$broPolicies:$broGenPolicies
diff --git a/cmake b/cmake
new file mode 160000
index 0000000000..2cc1055770
--- /dev/null
+++ b/cmake
@@ -0,0 +1 @@
+Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34
diff --git a/cmake/ChangeMacInstallNames.cmake b/cmake/ChangeMacInstallNames.cmake
deleted file mode 100644
index 1e7370d3e7..0000000000
--- a/cmake/ChangeMacInstallNames.cmake
+++ /dev/null
@@ -1,87 +0,0 @@
-# Calling this macro with the name of a list variable will modify that
-# list such that any third party libraries that do not come with a
-# vanilla Mac OS X system will be replaced by an adjusted library that
-# has an install_name relative to the location of any executable that
-# links to it.
-#
-# Also, it will schedule the modified libraries for installation in a
-# 'support_libs' subdirectory of the CMAKE_INSTALL_PREFIX.
-#
-# The case of third party libraries depending on other third party
-# libraries is currently not handled by this macro.
-#
-# Ex.
-#
-# set(libs /usr/lib/libz.dylib
-#             /usr/lib/libssl.dylib
-#             /usr/local/lib/libmagic.dylib
-#             /usr/local/lib/libGeoIP.dylib
-#             /usr/local/lib/somestaticlib.a)
-#
-# include(ChangeMacInstallNames)
-# ChangeMacInstallNames(libs)
-#
-# Should result in ${libs} containing:
-#             /usr/lib/libz.dylib
-#             /usr/lib/libssl.dylib
-#             ${CMAKE_BINARY_DIR}/darwin_support_libs/libmagic.dylib
-#             ${CMAKE_BINARY_DIR}/darwin_support_libs/libGeoIP.dylib
-#             /usr/local/lib/somestaticlib.a
-#
-# such that we can now do:
-#
-# add_executable(some_exe ${srcs})
-# target_link_libraries(some_exe ${libs})
-#
-# Any binary packages created from such a build should be self-contained
-# and provide working installs on vanilla OS X systems.
-
-macro(ChangeMacInstallNames libListVar)
-    if (APPLE)
-        find_program(INSTALL_NAME_TOOL install_name_tool)
-
-        set(MAC_INSTALL_NAME_DEPS)
-        set(SUPPORT_BIN_DIR ${CMAKE_BINARY_DIR}/darwin_support_libs)
-        set(SUPPORT_INSTALL_DIR support_libs)
-
-        file(MAKE_DIRECTORY ${SUPPORT_BIN_DIR})
-
-        foreach (_lib ${${libListVar}})
-            # only care about install_name for shared libraries that are
-            # not shipped in Apple's vanilla OS X installs
-            string(REGEX MATCH ^/usr/lib/* apple_provided_lib ${_lib})
-            string(REGEX MATCH dylib$ is_shared_lib ${_lib})
-
-            if (NOT apple_provided_lib AND is_shared_lib)
-                get_filename_component(_libname ${_lib} NAME)
-                set(_adjustedLib ${SUPPORT_BIN_DIR}/${_libname})
-                set(_tmpLib
-                    ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${_libname})
-
-                # make a tempory copy so we can adjust permissions
-                configure_file(${_lib} ${_tmpLib} COPYONLY)
-
-                # copy to build directory with correct write permissions
-                file(COPY ${_tmpLib}
-                    DESTINATION ${SUPPORT_BIN_DIR}
-                    FILE_PERMISSIONS OWNER_READ OWNER_WRITE
-                                     GROUP_READ WORLD_READ)
-
-                # remove the old library from the list provided as macro
-                # argument and add the new library with modified install_name
-                list(REMOVE_ITEM ${libListVar} ${_lib})
-                list(APPEND ${libListVar} ${_adjustedLib})
-
-                # update the install target to install the third party libs
-                # with modified install_name
-                install(FILES ${_adjustedLib}
-                    DESTINATION ${SUPPORT_INSTALL_DIR})
-
-                # perform the install_name change
-                execute_process(COMMAND install_name_tool -id
-                    @executable_path/../${SUPPORT_INSTALL_DIR}/${_libname}
-                    ${_adjustedLib})
-            endif ()
-        endforeach ()
-    endif ()
-endmacro()
diff --git a/cmake/CheckFunctions.cmake b/cmake/CheckFunctions.cmake
deleted file mode 100644
index 0ea7bdc2e1..0000000000
--- a/cmake/CheckFunctions.cmake
+++ /dev/null
@@ -1,15 +0,0 @@
-include(CheckFunctionExists)
-
-check_function_exists(getopt_long HAVE_GETOPT_LONG)
-check_function_exists(mallinfo HAVE_MALLINFO)
-check_function_exists(strcasestr HAVE_STRCASESTR)
-check_function_exists(strerror HAVE_STRERROR)
-check_function_exists(strsep HAVE_STRSEP)
-check_function_exists(sigset HAVE_SIGSET)
-
-if (HAVE_SIGSET)
-    set(SIG_FUNC sigset)
-else ()
-    set(SIG_FUNC signal)
-    check_function_exists(sigaction HAVE_SIGACTION)
-endif ()
diff --git a/cmake/CheckHeaders.cmake b/cmake/CheckHeaders.cmake
deleted file mode 100644
index ff206679d2..0000000000
--- a/cmake/CheckHeaders.cmake
+++ /dev/null
@@ -1,28 +0,0 @@
-include(CheckIncludeFiles)
-include(CheckStructHasMember)
-
-check_include_files(getopt.h HAVE_GETOPT_H)
-check_include_files(magic.h HAVE_MAGIC_H)
-check_include_files(memory.h HAVE_MEMORY_H)
-check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/if_ether.h"
-                    HAVE_NETINET_IF_ETHER_H)
-check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/ip6.h"
-                    HAVE_NETINET_IP6_H)
-check_include_files("sys/socket.h;net/if.h;net/ethernet.h" HAVE_NET_ETHERNET_H)
-check_include_files(sys/ethernet.h HAVE_SYS_ETHERNET_H)
-check_include_files(sys/time.h HAVE_SYS_TIME_H)
-check_include_files("time.h;sys/time.h" TIME_WITH_SYS_TIME)
-check_include_files(os-proto.h HAVE_OS_PROTO_H)
-
-check_struct_has_member(HISTORY_STATE entries "stdio.h;readline/readline.h"
-                        HAVE_READLINE_HISTORY_ENTRIES)
-check_include_files("stdio.h;readline/readline.h" HAVE_READLINE_READLINE_H)
-check_include_files("stdio.h;readline/history.h" HAVE_READLINE_HISTORY_H)
-
-if (HAVE_READLINE_READLINE_H AND
-    HAVE_READLINE_HISTORY_H AND
-    HAVE_READLINE_HISTORY_ENTRIES)
-    set(HAVE_READLINE true)
-endif ()
-
-check_struct_has_member("struct sockaddr_in" sin_len "netinet/in.h" SIN_LEN)
diff --git a/cmake/CheckNameserCompat.cmake b/cmake/CheckNameserCompat.cmake
deleted file mode 100644
index 1a71411f1b..0000000000
--- a/cmake/CheckNameserCompat.cmake
+++ /dev/null
@@ -1,21 +0,0 @@
-include(CheckCSourceCompiles)
-
-# Check whether the namser compatibility header is required
-# This can be the case on the Darwin platform
-
-check_c_source_compiles("
-    #include <arpa/nameser.h>
-    int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }"
-    have_nameser_header)
-
-if (NOT have_nameser_header)
-    check_c_source_compiles("
-        #include <arpa/nameser.h>
-        #include <arpa/nameser_compat.h>
-        int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }"
-        NEED_NAMESER_COMPAT_H)
-    if (NOT NEED_NAMESER_COMPAT_H)
-        message(FATAL_ERROR
-            "Asynchronous DNS support compatibility check failed.")
-    endif ()
-endif ()
diff --git a/cmake/CheckTypes.cmake b/cmake/CheckTypes.cmake
deleted file mode 100644
index ca11b41933..0000000000
--- a/cmake/CheckTypes.cmake
+++ /dev/null
@@ -1,46 +0,0 @@
-include(CheckTypeSize)
-
-check_type_size("long int" SIZEOF_LONG_INT)
-check_type_size("long long" SIZEOF_LONG_LONG)
-check_type_size("void *" SIZEOF_VOID_P)
-
-set(CMAKE_EXTRA_INCLUDE_FILES sys/types.h)
-
-check_type_size(int32_t INT32_T)
-if (INT32_T)
-    set(INT32_T int32_t)
-else()
-    set(INT32_T int)
-endif()
-
-check_type_size(u_int32_t U_INT32_T)
-if (U_INT32_T)
-    set(U_INT32_T u_int32_t)
-else ()
-    set(INT32_T u_int)
-endif ()
-
-check_type_size(u_int16_t U_INT16_T)
-if (U_INT16_T)
-    set(U_INT16_T u_int16_t)
-else ()
-    set(INT16_T u_short)
-endif ()
-
-check_type_size(u_int8_t U_INT8_T)
-if (U_INT8_T)
-    set(U_INT8_T u_int8_t)
-else ()
-    set(INT8_T u_char)
-endif ()
-
-set(CMAKE_EXTRA_INCLUDE_FILES)
-
-set(CMAKE_EXTRA_INCLUDE_FILES sys/socket.h)
-check_type_size(socklen_t SOCKLEN_T)
-if (SOCKLEN_T)
-    set(SOCKLEN_T socklen_t)
-else ()
-    set(SOCKLEN_T int)
-endif ()
-set(CMAKE_EXTRA_INCLUDE_FILES)
diff --git a/cmake/FindBIND.cmake b/cmake/FindBIND.cmake
deleted file mode 100644
index 4cbc481ae6..0000000000
--- a/cmake/FindBIND.cmake
+++ /dev/null
@@ -1,101 +0,0 @@
-# - Try to find libpcap include dirs and libraries 
-#
-# Usage of this module as follows:
-#
-#     find_package(BIND)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  BIND_ROOT_DIR             Set this variable to the root installation of BIND
-#                            if the module has problems finding the proper
-#                            installation path.
-#
-# Variables defined by this module:
-#
-#  BIND_FOUND                System has BIND, include and library dirs found
-#  BIND_INCLUDE_DIR          The BIND include directories. 
-#  BIND_LIBRARY              The BIND library (if any) required for
-#                            ns_inittab and res_mkquery symbols
-
-find_path(BIND_ROOT_DIR
-    NAMES include/resolv.h
-)
-
-find_path(BIND_INCLUDE_DIR
-    NAMES resolv.h
-    HINTS ${BIND_ROOT_DIR}/include
-)
-
-if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
-    # the static resolv library is preferred because
-    # on some systems, the ns_initparse symbol is not
-    # exported in the shared library (strangely)
-    # see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291609
-    set(bind_libs none libresolv.a resolv bind)
-else ()
-    set(bind_libs none resolv bind)
-endif ()
-
-include(CheckCSourceCompiles)
-
-# Find which library has the res_mkquery and ns_initparse symbols
-set(CMAKE_REQUIRED_INCLUDES ${BIND_INCLUDE_DIR})
-foreach (bindlib ${bind_libs})
-    if (NOT ${bindlib} MATCHES "none")
-        find_library(BIND_LIBRARY
-            NAMES ${bindlib}
-            HINTS ${BIND_ROOT_DIR}/lib
-        )
-    endif ()
-
-    set(CMAKE_REQUIRED_LIBRARIES ${BIND_LIBRARY})
-
-    check_c_source_compiles("
-        #include <arpa/nameser.h>
-        int main() {
-            ns_initparse(0, 0, 0);
-            return 0;
-        }
-" ns_initparse_works_${bindlib})
-
-    check_c_source_compiles("
-        #include <sys/types.h>
-        #include <sys/socket.h>
-        #include <netinet/in.h>
-        #include <arpa/nameser.h>
-        #include <resolv.h>
-        int main() {
-            int (*p)() = res_mkquery;
-        }
-" res_mkquery_works_${bindlib})
-
-    set(CMAKE_REQUIRED_LIBRARIES)
-
-    if (ns_initparse_works_${bindlib} AND res_mkquery_works_${bindlib})
-        break ()
-    else ()
-        set(BIND_LIBRARY BIND_LIBRARY-NOTFOUND)
-    endif ()
-endforeach ()
-set(CMAKE_REQUIRED_INCLUDES)
-
-include(FindPackageHandleStandardArgs)
-
-if (ns_initparse_works_none AND res_mkquery_works_none)
-    # system does not require linking to a BIND library
-    find_package_handle_standard_args(BIND DEFAULT_MSG
-        BIND_INCLUDE_DIR
-    )
-else ()
-    find_package_handle_standard_args(BIND DEFAULT_MSG
-        BIND_LIBRARY
-        BIND_INCLUDE_DIR
-    )
-endif ()
-
-mark_as_advanced(
-    BIND_ROOT_DIR
-    BIND_LIBRARY
-    BIND_INCLUDE_DIR
-)
diff --git a/cmake/FindBISON.cmake b/cmake/FindBISON.cmake
deleted file mode 100644
index 3f6d11d04f..0000000000
--- a/cmake/FindBISON.cmake
+++ /dev/null
@@ -1,221 +0,0 @@
-# - Find bison executable and provides macros to generate custom build rules
-# The module defines the following variables:
-#
-#  BISON_EXECUTABLE - path to the bison program
-#  BISON_VERSION - version of bison
-#  BISON_FOUND - true if the program was found
-#
-# If bison is found, the module defines the macros:
-#  BISON_TARGET(<Name> <YaccInput> <CodeOutput> [VERBOSE <file>]
-#              [COMPILE_FLAGS <string>] [HEADER <FILE>])
-# which will create  a custom rule to generate  a parser. <YaccInput> is
-# the path to  a yacc file. <CodeOutput> is the name  of the source file
-# generated by bison.  A header file containing the token  list is  also
-# generated according to bison's -d option by default  or if the  HEADER
-# option is used, the argument is passed to  bison's --defines option to
-# specify output file.  If COMPILE_FLAGS option is specified,  the  next
-# parameter is  added in the bison  command line.  if  VERBOSE option is
-# specified, <file> is created  and contains verbose descriptions of the
-# grammar and parser. The macro defines a set of variables:
-#  BISON_${Name}_DEFINED - true is the macro ran successfully
-#  BISON_${Name}_INPUT - The input source file, an alias for <YaccInput>
-#  BISON_${Name}_OUTPUT_SOURCE - The source file generated by bison
-#  BISON_${Name}_OUTPUT_HEADER - The header file generated by bison
-#  BISON_${Name}_OUTPUTS - The sources files generated by bison
-#  BISON_${Name}_COMPILE_FLAGS - Options used in the bison command line
-#
-#  ====================================================================
-#  Example:
-#
-#   find_package(BISON)
-#   BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp)
-#   add_executable(Foo main.cpp ${BISON_MyParser_OUTPUTS})
-#  ====================================================================
-
-#=============================================================================
-# Copyright 2009 Kitware, Inc.
-# Copyright 2006 Tristan Carel
-# Modified 2010 by Jon Siwek, adding HEADER option
-#
-# Distributed under the OSI-approved BSD License (the "License"):
-# CMake - Cross Platform Makefile Generator
-# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium
-# All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# * Redistributions of source code must retain the above copyright
-#   notice, this list of conditions and the following disclaimer.
-#
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-#
-# * Neither the names of Kitware, Inc., the Insight Software Consortium,
-#   nor the names of their contributors may be used to endorse or promote
-#   products derived from this software without specific prior written
-#   permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# This software is distributed WITHOUT ANY WARRANTY; without even the
-# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the License for more information.
-#=============================================================================
-
-FIND_PROGRAM(BISON_EXECUTABLE bison DOC "path to the bison executable")
-MARK_AS_ADVANCED(BISON_EXECUTABLE)
-
-IF(BISON_EXECUTABLE)
-
-  EXECUTE_PROCESS(COMMAND ${BISON_EXECUTABLE} --version
-    OUTPUT_VARIABLE BISON_version_output
-    ERROR_VARIABLE BISON_version_error
-    RESULT_VARIABLE BISON_version_result
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  IF(NOT ${BISON_version_result} EQUAL 0)
-    MESSAGE(SEND_ERROR "Command \"${BISON_EXECUTABLE} --version\" failed with output:\n${BISON_version_error}")
-  ELSE()
-    STRING(REGEX REPLACE "^bison \\(GNU Bison\\) ([^\n]+)\n.*" "\\1"
-      BISON_VERSION "${BISON_version_output}")
-  ENDIF()
-
-  # internal macro
-  MACRO(BISON_TARGET_option_verbose Name BisonOutput filename)
-    LIST(APPEND BISON_TARGET_cmdopt "--verbose")
-    GET_FILENAME_COMPONENT(BISON_TARGET_output_path "${BisonOutput}" PATH)
-    GET_FILENAME_COMPONENT(BISON_TARGET_output_name "${BisonOutput}" NAME_WE)
-    ADD_CUSTOM_COMMAND(OUTPUT ${filename}
-      COMMAND ${CMAKE_COMMAND}
-      ARGS -E copy
-      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output"
-      "${filename}"
-      DEPENDS
-      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output"
-      COMMENT "[BISON][${Name}] Copying bison verbose table to ${filename}"
-      WORKING_DIRECTORY ${CMAKE_SOURCE_DIR})
-    SET(BISON_${Name}_VERBOSE_FILE ${filename})
-    LIST(APPEND BISON_TARGET_extraoutputs
-      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output")
-  ENDMACRO(BISON_TARGET_option_verbose)
-
-  # internal macro
-  MACRO(BISON_TARGET_option_extraopts Options)
-    SET(BISON_TARGET_extraopts "${Options}")
-    SEPARATE_ARGUMENTS(BISON_TARGET_extraopts)
-    LIST(APPEND BISON_TARGET_cmdopt ${BISON_TARGET_extraopts})
-  ENDMACRO(BISON_TARGET_option_extraopts)
-
-  #============================================================
-  # BISON_TARGET (public macro)
-  #============================================================
-  #
-  MACRO(BISON_TARGET Name BisonInput BisonOutput)
-    SET(BISON_TARGET_output_header "")
-    #SET(BISON_TARGET_command_opt "")
-    SET(BISON_TARGET_cmdopt "")
-    SET(BISON_TARGET_outputs "${BisonOutput}")
-    IF(NOT ${ARGC} EQUAL 3 AND
-       NOT ${ARGC} EQUAL 5 AND
-       NOT ${ARGC} EQUAL 7 AND
-       NOT ${ARGC} EQUAL 9)
-      MESSAGE(SEND_ERROR "Usage")
-    ELSE()
-      # Parsing parameters
-      IF(${ARGC} GREATER 5 OR ${ARGC} EQUAL 5)
-        IF("${ARGV3}" STREQUAL "VERBOSE")
-          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV4}")
-        ENDIF()
-        IF("${ARGV3}" STREQUAL "COMPILE_FLAGS")
-          BISON_TARGET_option_extraopts("${ARGV4}")
-        ENDIF()
-        IF("${ARGV3}" STREQUAL "HEADER")
-          set(BISON_TARGET_output_header "${ARGV4}")
-        ENDIF()
-      ENDIF()
-
-      IF(${ARGC} GREATER 7 OR ${ARGC} EQUAL 7)
-        IF("${ARGV5}" STREQUAL "VERBOSE")
-          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV6}")
-        ENDIF()
-      
-        IF("${ARGV5}" STREQUAL "COMPILE_FLAGS")
-          BISON_TARGET_option_extraopts("${ARGV6}")
-        ENDIF()
-
-        IF("${ARGV5}" STREQUAL "HEADER")
-          set(BISON_TARGET_output_header "${ARGV6}")
-        ENDIF()
-      ENDIF()
-
-      IF(${ARGC} EQUAL 9)
-        IF("${ARGV7}" STREQUAL "VERBOSE")
-          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV8}")
-        ENDIF()
-      
-        IF("${ARGV7}" STREQUAL "COMPILE_FLAGS")
-          BISON_TARGET_option_extraopts("${ARGV8}")
-        ENDIF()
-
-        IF("${ARGV7}" STREQUAL "HEADER")
-          set(BISON_TARGET_output_header "${ARGV8}")
-        ENDIF()
-      ENDIF()
-
-      IF(BISON_TARGET_output_header)
-          # Header's name passed in as argument to be used in --defines option
-          LIST(APPEND BISON_TARGET_cmdopt
-               "--defines=${BISON_TARGET_output_header}")
-          set(BISON_${Name}_OUTPUT_HEADER ${BISON_TARGET_output_header})
-      ELSE()
-          # Header's name generated by bison (see option -d)
-          LIST(APPEND BISON_TARGET_cmdopt "-d")
-          STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\2" _fileext "${ARGV2}")
-          STRING(REPLACE "c" "h" _fileext ${_fileext})
-          STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\1${_fileext}" 
-              BISON_${Name}_OUTPUT_HEADER "${ARGV2}")
-      ENDIF()
-
-      LIST(APPEND BISON_TARGET_outputs "${BISON_${Name}_OUTPUT_HEADER}")
-        
-      ADD_CUSTOM_COMMAND(OUTPUT ${BISON_TARGET_outputs}
-        ${BISON_TARGET_extraoutputs}
-        COMMAND ${BISON_EXECUTABLE}
-        ARGS ${BISON_TARGET_cmdopt} -o ${ARGV2} ${ARGV1}
-        DEPENDS ${ARGV1}
-        COMMENT "[BISON][${Name}] Building parser with bison ${BISON_VERSION}"
-        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-    
-      # define target variables
-      SET(BISON_${Name}_DEFINED TRUE)
-      SET(BISON_${Name}_INPUT ${ARGV1})
-      SET(BISON_${Name}_OUTPUTS ${BISON_TARGET_outputs})
-      SET(BISON_${Name}_COMPILE_FLAGS ${BISON_TARGET_cmdopt})
-      SET(BISON_${Name}_OUTPUT_SOURCE "${BisonOutput}")
-
-    ENDIF(NOT ${ARGC} EQUAL 3 AND
-          NOT ${ARGC} EQUAL 5 AND
-          NOT ${ARGC} EQUAL 7 AND
-          NOT ${ARGC} EQUAL 9)
-  ENDMACRO(BISON_TARGET)
-  #
-  #============================================================
-
-ENDIF(BISON_EXECUTABLE)
-
-INCLUDE(FindPackageHandleStandardArgs)
-FIND_PACKAGE_HANDLE_STANDARD_ARGS(BISON DEFAULT_MSG BISON_EXECUTABLE)
-
-# FindBISON.cmake ends here
diff --git a/cmake/FindBinPAC.cmake b/cmake/FindBinPAC.cmake
deleted file mode 100644
index 5cd1697bb3..0000000000
--- a/cmake/FindBinPAC.cmake
+++ /dev/null
@@ -1,53 +0,0 @@
-# - Try to find BinPAC binary and library
-#
-# Usage of this module as follows:
-#
-#     find_package(BinPAC)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  BinPAC_ROOT_DIR           Set this variable to the root installation of
-#                            BinPAC if the module has problems finding the
-#                            proper installation path.
-#
-# Variables defined by this module:
-#
-#  BINPAC_FOUND              System has BinPAC binary and library
-#  BinPAC_EXE                The binpac executable
-#  BinPAC_LIBRARY            The libbinpac.a library
-#  BinPAC_INCLUDE_DIR        The binpac headers
-
-# look for BinPAC in standard locations or user-provided root
-find_path(BinPAC_ROOT_DIR
-    NAMES include/binpac.h
-)
-
-find_file(BinPAC_EXE
-    NAMES binpac
-    HINTS ${BinPAC_ROOT_DIR}/bin
-)
-
-find_library(BinPAC_LIBRARY
-    NAMES libbinpac.a
-    HINTS ${BinPAC_ROOT_DIR}/lib
-)
-
-find_path(BinPAC_INCLUDE_DIR
-    NAMES binpac.h
-    HINTS ${BinPAC_ROOT_DIR}/include
-)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(BinPAC DEFAULT_MSG
-    BinPAC_EXE
-    BinPAC_LIBRARY
-    BinPAC_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    BinPAC_ROOT_DIR
-    BinPAC_EXE
-    BinPAC_LIBRARY
-    BinPAC_INCLUDE_DIR
-)
diff --git a/cmake/FindFLEX.cmake b/cmake/FindFLEX.cmake
deleted file mode 100644
index c56e8edad8..0000000000
--- a/cmake/FindFLEX.cmake
+++ /dev/null
@@ -1,179 +0,0 @@
-# - Find flex executable and provides a macro to generate custom build rules
-#
-# The module defines the following variables:
-#  FLEX_FOUND - true is flex executable is found
-#  FLEX_EXECUTABLE - the path to the flex executable
-#  FLEX_VERSION - the version of flex
-#  FLEX_LIBRARIES - The flex libraries
-#
-# The minimum required version of flex can be specified using the
-# standard syntax, e.g. FIND_PACKAGE(FLEX 2.5.13)
-#
-#
-# If flex is found on the system, the module provides the macro:
-#  FLEX_TARGET(Name FlexInput FlexOutput [COMPILE_FLAGS <string>])
-# which creates a custom command  to generate the <FlexOutput> file from
-# the <FlexInput> file.  If  COMPILE_FLAGS option is specified, the next
-# parameter is added to the flex  command line. Name is an alias used to
-# get  details of  this custom  command.  Indeed the  macro defines  the
-# following variables:
-#  FLEX_${Name}_DEFINED - true is the macro ran successfully
-#  FLEX_${Name}_OUTPUTS - the source file generated by the custom rule, an
-#  alias for FlexOutput
-#  FLEX_${Name}_INPUT - the flex source file, an alias for ${FlexInput}
-#
-# Flex scanners oftenly use tokens  defined by Bison: the code generated
-# by Flex  depends of the header  generated by Bison.   This module also
-# defines a macro:
-#  ADD_FLEX_BISON_DEPENDENCY(FlexTarget BisonTarget)
-# which  adds the  required dependency  between a  scanner and  a parser
-# where  <FlexTarget>  and <BisonTarget>  are  the  first parameters  of
-# respectively FLEX_TARGET and BISON_TARGET macros.
-#
-#  ====================================================================
-#  Example:
-#
-#   find_package(BISON)
-#   find_package(FLEX)
-#
-#   BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp
-#   FLEX_TARGET(MyScanner lexer.l  ${CMAKE_CURRENT_BIANRY_DIR}/lexer.cpp)
-#   ADD_FLEX_BISON_DEPENDENCY(MyScanner MyParser)
-#
-#   include_directories(${CMAKE_CURRENT_BINARY_DIR})
-#   add_executable(Foo
-#      Foo.cc
-#      ${BISON_MyParser_OUTPUTS}
-#      ${FLEX_MyScanner_OUTPUTS}
-#   )
-#  ====================================================================
-
-#=============================================================================
-# Copyright 2009 Kitware, Inc.
-# Copyright 2006 Tristan Carel
-# Modified 2010 by Jon Siwek, backporting for CMake 2.6 compat
-#
-# Distributed under the OSI-approved BSD License (the "License"):
-# CMake - Cross Platform Makefile Generator
-# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium
-# All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# * Redistributions of source code must retain the above copyright
-#   notice, this list of conditions and the following disclaimer.
-#
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-#
-# * Neither the names of Kitware, Inc., the Insight Software Consortium,
-#   nor the names of their contributors may be used to endorse or promote
-#   products derived from this software without specific prior written
-#   permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# This software is distributed WITHOUT ANY WARRANTY; without even the
-# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the License for more information.
-#=============================================================================
-
-FIND_PROGRAM(FLEX_EXECUTABLE flex DOC "path to the flex executable")
-MARK_AS_ADVANCED(FLEX_EXECUTABLE)
-
-FIND_LIBRARY(FL_LIBRARY NAMES fl
-  DOC "path to the fl library")
-MARK_AS_ADVANCED(FL_LIBRARY)
-SET(FLEX_LIBRARIES ${FL_LIBRARY})
-
-IF(FLEX_EXECUTABLE)
-
-  EXECUTE_PROCESS(COMMAND ${FLEX_EXECUTABLE} --version
-    OUTPUT_VARIABLE FLEX_version_output
-    ERROR_VARIABLE FLEX_version_error
-    RESULT_VARIABLE FLEX_version_result
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  IF(NOT ${FLEX_version_result} EQUAL 0)
-    IF(FLEX_FIND_REQUIRED)
-      MESSAGE(SEND_ERROR "Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}")
-    ELSE()
-      MESSAGE("Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}\nFLEX_VERSION will not be available")
-    ENDIF()
-  ELSE()
-    STRING(REGEX REPLACE "^flex (.*)$" "\\1"
-      FLEX_VERSION "${FLEX_version_output}")
-  ENDIF()
-
-  #============================================================
-  # FLEX_TARGET (public macro)
-  #============================================================
-  #
-  MACRO(FLEX_TARGET Name Input Output)
-    SET(FLEX_TARGET_usage "FLEX_TARGET(<Name> <Input> <Output> [COMPILE_FLAGS <string>]")
-    IF(${ARGC} GREATER 3)
-      IF(${ARGC} EQUAL 5)
-        IF("${ARGV3}" STREQUAL "COMPILE_FLAGS")
-          SET(FLEX_EXECUTABLE_opts  "${ARGV4}")
-          SEPARATE_ARGUMENTS(FLEX_EXECUTABLE_opts)
-        ELSE()
-          MESSAGE(SEND_ERROR ${FLEX_TARGET_usage})
-        ENDIF()
-      ELSE()
-        MESSAGE(SEND_ERROR ${FLEX_TARGET_usage})
-      ENDIF()
-    ENDIF()
-
-    ADD_CUSTOM_COMMAND(OUTPUT ${Output}
-      COMMAND ${FLEX_EXECUTABLE}
-      ARGS ${FLEX_EXECUTABLE_opts} -o${Output} ${Input}
-      DEPENDS ${Input}
-      COMMENT "[FLEX][${Name}] Building scanner with flex ${FLEX_VERSION}"
-      WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-
-    SET(FLEX_${Name}_DEFINED TRUE)
-    SET(FLEX_${Name}_OUTPUTS ${Output})
-    SET(FLEX_${Name}_INPUT ${Input})
-    SET(FLEX_${Name}_COMPILE_FLAGS ${FLEX_EXECUTABLE_opts})
-  ENDMACRO(FLEX_TARGET)
-  #============================================================
-
-
-  #============================================================
-  # ADD_FLEX_BISON_DEPENDENCY (public macro)
-  #============================================================
-  #
-  MACRO(ADD_FLEX_BISON_DEPENDENCY FlexTarget BisonTarget)
-
-    IF(NOT FLEX_${FlexTarget}_OUTPUTS)
-      MESSAGE(SEND_ERROR "Flex target `${FlexTarget}' does not exists.")
-    ENDIF()
-
-    IF(NOT BISON_${BisonTarget}_OUTPUT_HEADER)
-      MESSAGE(SEND_ERROR "Bison target `${BisonTarget}' does not exists.")
-    ENDIF()
-
-    SET_SOURCE_FILES_PROPERTIES(${FLEX_${FlexTarget}_OUTPUTS}
-      PROPERTIES OBJECT_DEPENDS ${BISON_${BisonTarget}_OUTPUT_HEADER})
-  ENDMACRO(ADD_FLEX_BISON_DEPENDENCY)
-  #============================================================
-
-ENDIF(FLEX_EXECUTABLE)
-
-INCLUDE(FindPackageHandleStandardArgs)
-FIND_PACKAGE_HANDLE_STANDARD_ARGS(FLEX FLEX_EXECUTABLE
-                                       FLEX_VERSION)
-
-# FindFLEX.cmake ends here
diff --git a/cmake/FindGooglePerftools.cmake b/cmake/FindGooglePerftools.cmake
deleted file mode 100644
index 7ddd5a532e..0000000000
--- a/cmake/FindGooglePerftools.cmake
+++ /dev/null
@@ -1,44 +0,0 @@
-# - Try to find GooglePerftools headers and libraries
-#
-# Usage of this module as follows:
-#
-#     find_package(GooglePerftools)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  GooglePerftools_ROOT_DIR  Set this variable to the root installation of
-#                            GooglePerftools if the module has problems finding 
-#                            the proper installation path.
-#
-# Variables defined by this module:
-#
-#  GOOGLEPERFTOOLS_FOUND              System has GooglePerftools libs/headers
-#  GooglePerftools_LIBRARIES          The GooglePerftools libraries
-#  GooglePerftools_INCLUDE_DIR        The location of GooglePerftools headers
-
-find_path(GooglePerftools_ROOT_DIR
-    NAMES include/google/heap-profiler.h
-)
-
-find_library(GooglePerftools_LIBRARIES
-    NAMES tcmalloc
-    HINTS ${GooglePerftools_ROOT_DIR}/lib
-)
-
-find_path(GooglePerftools_INCLUDE_DIR
-    NAMES google/heap-profiler.h
-    HINTS ${GooglePerftools_ROOT_DIR}/include
-)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(GooglePerftools DEFAULT_MSG
-    GooglePerftools_LIBRARIES
-    GooglePerftools_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    GooglePerftools_ROOT_DIR
-    GooglePerftools_LIBRARIES
-    GooglePerftools_INCLUDE_DIR
-)
diff --git a/cmake/FindLibGeoIP.cmake b/cmake/FindLibGeoIP.cmake
deleted file mode 100644
index ef8529e2e3..0000000000
--- a/cmake/FindLibGeoIP.cmake
+++ /dev/null
@@ -1,44 +0,0 @@
-# - Try to find GeoIP headers and libraries
-#
-# Usage of this module as follows:
-#
-#     find_package(LibGeoIP)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  LibGeoIP_ROOT_DIR         Set this variable to the root installation of
-#                            libGeoIP if the module has problems finding the
-#                            proper installation path.
-#
-# Variables defined by this module:
-#
-#  LIBGEOIP_FOUND              System has GeoIP libraries and headers
-#  LibGeoIP_LIBRARY            The GeoIP library
-#  LibGeoIP_INCLUDE_DIR        The location of GeoIP headers
-
-find_path(LibGeoIP_ROOT_DIR
-    NAMES include/GeoIPCity.h
-)
-
-find_library(LibGeoIP_LIBRARY
-    NAMES GeoIP
-    HINTS ${LibGeoIP_ROOT_DIR}/lib
-)
-
-find_path(LibGeoIP_INCLUDE_DIR
-    NAMES GeoIPCity.h
-    HINTS ${LibGeoIP_ROOT_DIR}/include
-)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(LibGeoIP DEFAULT_MSG
-    LibGeoIP_LIBRARY
-    LibGeoIP_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    LibGeoIP_ROOT_DIR
-    LibGeoIP_LIBRARY
-    LibGeoIP_INCLUDE_DIR
-)
diff --git a/cmake/FindLibMagic.cmake b/cmake/FindLibMagic.cmake
deleted file mode 100644
index e96245e8c0..0000000000
--- a/cmake/FindLibMagic.cmake
+++ /dev/null
@@ -1,44 +0,0 @@
-# - Try to find libmagic header and library
-#
-# Usage of this module as follows:
-#
-#     find_package(LibMagic)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  LibMagic_ROOT_DIR         Set this variable to the root installation of
-#                            libmagic if the module has problems finding the
-#                            proper installation path.
-#
-# Variables defined by this module:
-#
-#  LIBMAGIC_FOUND              System has libmagic and magic.h
-#  LibMagic_LIBRARY            The libmagic library
-#  LibMagic_INCLUDE_DIR        The location of magic.h
-
-find_path(LibMagic_ROOT_DIR
-    NAMES include/magic.h
-)
-
-find_library(LibMagic_LIBRARY
-    NAMES magic
-    HINTS ${LibMagic_ROOT_DIR}/lib
-)
-
-find_path(LibMagic_INCLUDE_DIR
-    NAMES magic.h
-    HINTS ${LibMagic_ROOT_DIR}/include
-)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(LibMagic DEFAULT_MSG
-    LibMagic_LIBRARY
-    LibMagic_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    LibMagic_ROOT_DIR
-    LibMagic_LIBRARY
-    LibMagic_INCLUDE_DIR
-)
diff --git a/cmake/FindOpenSSL.cmake b/cmake/FindOpenSSL.cmake
deleted file mode 100644
index 599a846f0a..0000000000
--- a/cmake/FindOpenSSL.cmake
+++ /dev/null
@@ -1,56 +0,0 @@
-# - Try to find openssl include dirs and libraries 
-#
-# Usage of this module as follows:
-#
-#     find_package(OpenSSL)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  OpenSSL_ROOT_DIR          Set this variable to the root installation of
-#                            openssl if the module has problems finding the
-#                            proper installation path.
-#
-# Variables defined by this module:
-#
-#  OPENSSL_FOUND             System has openssl, include and library dirs found
-#  OpenSSL_INCLUDE_DIR       The openssl include directories. 
-#  OpenSSL_LIBRARIES         The openssl libraries.
-#  OpenSSL_CYRPTO_LIBRARY    The openssl crypto library.
-#  OpenSSL_SSL_LIBRARY       The openssl ssl library.
-
-find_path(OpenSSL_ROOT_DIR
-    NAMES include/openssl/ssl.h
-)
-
-find_path(OpenSSL_INCLUDE_DIR
-    NAMES openssl/ssl.h
-    HINTS ${OpenSSL_ROOT_DIR}/include
-)
-
-find_library(OpenSSL_SSL_LIBRARY
-    NAMES ssl ssleay32 ssleay32MD
-    HINTS ${OpenSSL_ROOT_DIR}/lib
-)
-
-find_library(OpenSSL_CRYPTO_LIBRARY
-    NAMES crypto
-    HINTS ${OpenSSL_ROOT_DIR}/lib
-)
-
-set(OpenSSL_LIBRARIES ${OpenSSL_SSL_LIBRARY} ${OpenSSL_CRYPTO_LIBRARY}
-    CACHE STRING "OpenSSL SSL and crypto libraries" FORCE)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(OpenSSL DEFAULT_MSG
-    OpenSSL_LIBRARIES
-    OpenSSL_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    OpenSSL_ROOT_DIR
-    OpenSSL_INCLUDE_DIR
-    OpenSSL_LIBRARIES
-    OpenSSL_CRYPTO_LIBRARY
-    OpenSSL_SSL_LIBRARY
-)
diff --git a/cmake/FindPCAP.cmake b/cmake/FindPCAP.cmake
deleted file mode 100644
index 61ce602821..0000000000
--- a/cmake/FindPCAP.cmake
+++ /dev/null
@@ -1,44 +0,0 @@
-# - Try to find libpcap include dirs and libraries 
-#
-# Usage of this module as follows:
-#
-#     find_package(PCAP)
-#
-# Variables used by this module, they can change the default behaviour and need
-# to be set before calling find_package:
-#
-#  PCAP_ROOT_DIR             Set this variable to the root installation of
-#                            libpcap if the module has problems finding the
-#                            proper installation path.
-#
-# Variables defined by this module:
-#
-#  PCAP_FOUND                System has libpcap, include and library dirs found
-#  PCAP_INCLUDE_DIR          The libpcap include directories. 
-#  PCAP_LIBRARY              The libpcap library.
-
-find_path(PCAP_ROOT_DIR
-    NAMES include/pcap.h
-)
-
-find_path(PCAP_INCLUDE_DIR
-    NAMES pcap.h
-    HINTS ${PCAP_ROOT_DIR}/include
-)
-
-find_library(PCAP_LIBRARY
-    NAMES pcap
-    HINTS ${PCAP_ROOT_DIR}/lib
-)
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(PCAP DEFAULT_MSG
-    PCAP_LIBRARY
-    PCAP_INCLUDE_DIR
-)
-
-mark_as_advanced(
-    PCAP_ROOT_DIR
-    PCAP_INCLUDE_DIR
-    PCAP_LIBRARY
-)
diff --git a/cmake/FindRequiredPackage.cmake b/cmake/FindRequiredPackage.cmake
deleted file mode 100644
index ff76b646cc..0000000000
--- a/cmake/FindRequiredPackage.cmake
+++ /dev/null
@@ -1,44 +0,0 @@
-# A wrapper macro around the standard CMake find_package macro that
-# facilitates displaying better error messages by default, or even
-# accepting custom error messages on a per package basis.
-#
-# If a package is not found, then the MISSING_PREREQS variable gets
-# set to true and either a default or custom error message appended
-# to MISSING_PREREQ_DESCS.
-#
-# The caller can use these variables to display a list of any missing
-# packages and abort the build/configuration if there were any.
-# 
-# Use as follows:
-#
-# include(FindRequiredPackage)
-# FindRequiredPackage(Perl)
-# FindRequiredPackage(FLEX "You need to install flex (Fast Lexical Analyzer)")
-#
-# if (MISSING_PREREQS)
-#    foreach (prereq ${MISSING_PREREQ_DESCS})
-#        message(SEND_ERROR ${prereq})
-#    endforeach ()
-#    message(FATAL_ERROR "Configuration aborted due to missing prerequisites")
-# endif ()
-
-macro(FindRequiredPackage packageName)
-    find_package(${packageName})
-    string(TOUPPER ${packageName} canonPackageName)
-    if (NOT ${canonPackageName}_FOUND)
-        set(MISSING_PREREQS true)
-
-        set(customDesc)
-        foreach (descArg ${ARGN})
-            set(customDesc "${customDesc} ${descArg}")
-        endforeach ()
-
-        if (customDesc)
-            # append the custom error message that was provided as an argument
-            list(APPEND MISSING_PREREQ_DESCS ${customDesc})
-        else ()
-            list(APPEND MISSING_PREREQ_DESCS
-                 " Could not find prerequisite package '${packageName}'")
-        endif ()
-    endif ()
-endmacro(FindRequiredPackage)
diff --git a/cmake/MiscTests.cmake b/cmake/MiscTests.cmake
deleted file mode 100644
index da46dd83d7..0000000000
--- a/cmake/MiscTests.cmake
+++ /dev/null
@@ -1,34 +0,0 @@
-include(CheckCXXSourceCompiles)
-include(CheckCSourceCompiles)
-
-# This autoconf variable is obsolete; it's portable to assume C89 and signal
-# handlers returning void
-set(RETSIGTYPE "void")
-set(RETSIGVAL "")
-
-check_c_source_compiles("
-    #include <sys/types.h>
-    #include <sys/socket.h>
-    extern int socket(int, int, int);
-    extern int connect(int, const struct sockaddr *, int);
-    extern int send(int, const void *, int, int);
-    extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
-    int main() { return 0; }
-" DO_SOCK_DECL)
-if (DO_SOCK_DECL)
-    message(STATUS "socket() and friends need explicit declaration")
-endif ()
-
-check_cxx_source_compiles("
-    #include <stdlib.h>
-    #include <syslog.h>
-    extern \"C\" {
-        int openlog(const char* ident, int logopt, int facility);
-        int syslog(int priority, const char* message_fmt, ...);
-        int closelog();
-    }
-    int main() { return 0; }
-" SYSLOG_INT)
-if (SYSLOG_INT)
-    message(STATUS "syslog prototypes need declaration")
-endif ()
diff --git a/cmake/OSSpecific.cmake b/cmake/OSSpecific.cmake
deleted file mode 100644
index 03788813c3..0000000000
--- a/cmake/OSSpecific.cmake
+++ /dev/null
@@ -1,66 +0,0 @@
-if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-    # alternate malloc is faster for FreeBSD, but needs more testing
-    # need to add way to set this from the command line
-    set(USE_NMALLOC true)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
-    set(USE_NMALLOC true)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
-    set(HAVE_LINUX true)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "Solaris")
-    set(SOCKET_LIBS nsl socket)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "osf")
-    # Workaround ip_hl vs. ip_vhl problem in netinet/ip.h
-    add_definitions(-D__STDC__=2)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "irix")
-    list(APPEND CMAKE_C_FLAGS -xansi -signed -g3)
-    list(APPEND CMAKE_CXX_FLAGS -xansi -signed -g3)
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "ultrix")
-    list(APPEND CMAKE_C_FLAGS -std1 -g3)
-    list(APPEND CMAKE_CXX_FLAGS -std1 -g3)
-    include(CheckCSourceCompiles)
-    check_c_source_compiles("
-        #include <sys/types.h>
-        int main() {
-            void c(const struct a *);
-            return 0;
-        }
-    " have_ultrix_const)
-    if (NOT have_ultrix_const)
-        set(NEED_ULTRIX_CONST_HACK true)
-    endif ()
-
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "hpux" OR
-        ${CMAKE_SYSTEM_NAME} MATCHES "HP-UX")
-    include(CheckCSourceCompiles)
-    set(CMAKE_REQUIRED_FLAGS -Aa)
-    set(CMAKE_REQUIRED_DEFINITIONS -D_HPUX_SOURCE)
-    check_c_source_compiles("
-        #include <sys/types.h>
-        int main() {
-            int frob(int, char *);
-            return 0;
-        }
-    " have_ansi_prototypes)
-    set(CMAKE_REQUIRED_FLAGS)
-    set(CMAKE_REQUIRED_DEFINITIONS)
-
-    if (have_ansi_prototypes)
-        add_definitions(-D_HPUX_SOURCE)
-        list(APPEND CMAKE_C_FLAGS -Aa)
-        list(APPEND CMAKE_CXX_FLAGS -Aa)
-    endif ()
-
-    if (NOT have_ansi_prototypes)
-        message(FATAL_ERROR "Can't get HPUX compiler to handle ANSI prototypes")
-    endif ()
-endif ()
-
-
diff --git a/cmake/OpenSSLTests.cmake b/cmake/OpenSSLTests.cmake
deleted file mode 100644
index 1b418135e4..0000000000
--- a/cmake/OpenSSLTests.cmake
+++ /dev/null
@@ -1,72 +0,0 @@
-include(CheckCSourceCompiles)
-include(CheckCXXSourceCompiles)
-
-set(CMAKE_REQUIRED_LIBRARIES ${OpenSSL_LIBRARIES})
-set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR})
-
-check_c_source_compiles("
-    #include <openssl/ssl.h>
-    int main() { return 0; }
-" including_ssl_h_works)
-
-if (NOT including_ssl_h_works)
-    # On Red Hat we may need to include Kerberos header.
-    set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR} /usr/kerberos/include)
-    check_c_source_compiles("
-        #include <krb5.h>
-        #include <openssl/ssl.h>
-        int main() { return 0; }
-    " NEED_KRB5_H)
-    set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR})
-    if (NOT NEED_KRB5_H)
-        message(FATAL_ERROR
-            "OpenSSL test failure.  See CmakeError.log for details.")
-    else ()
-        message(STATUS "OpenSSL requires Kerberos header")
-        include_directories("/usr/kerberos/include")
-    endif ()
-endif ()
-
-# check for OPENSSL_add_all_algorithms_conf function
-# and thus OpenSSL >= v0.9.7
-check_c_source_compiles("
-    #include <openssl/evp.h>
-    int main() {
-        OPENSSL_add_all_algorithms_conf();
-        return 0;
-    }
-" openssl_greater_than_0_9_7)
-
-if (NOT openssl_greater_than_0_9_7)
-    message(FATAL_ERROR "OpenSSL >= v0.9.7 required")
-endif ()
-
-check_cxx_source_compiles("
-#include <openssl/x509.h>
-    int main() {
-        const unsigned char** cpp = 0;
-        X509** x =0;
-        d2i_X509(x, cpp, 0);
-        return 0;
-    }
-" OPENSSL_D2I_X509_USES_CONST_CHAR)
-
-if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
-    # double check that it compiles without const
-    check_cxx_source_compiles("
-        #include <openssl/x509.h>
-        int main() {
-            unsigned char** cpp = 0;
-            X509** x =0;
-            d2i_X509(x, cpp, 0);
-            return 0;
-        }
-        " OPENSSL_D2I_X509_USES_CHAR)
-    if (NOT OPENSSL_D2I_X509_USES_CHAR)
-        message(FATAL_ERROR
-            "Can't determine if openssl_d2i_x509() takes const char parameter")
-    endif ()
-endif ()
-
-set(CMAKE_REQUIRED_INCLUDES)
-set(CMAKE_REQUIRED_LIBRARIES)
diff --git a/cmake/PCAPTests.cmake b/cmake/PCAPTests.cmake
deleted file mode 100644
index 83f79dec53..0000000000
--- a/cmake/PCAPTests.cmake
+++ /dev/null
@@ -1,63 +0,0 @@
-include(CheckFunctionExists)
-include(CheckCSourceCompiles)
-include(CheckIncludeFiles)
-
-set(CMAKE_REQUIRED_INCLUDES ${LIBPCAP_INCLUDE_DIR})
-set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY})
-
-check_include_files(pcap-int.h HAVE_PCAP_INT_H)
-
-check_function_exists(pcap_freecode HAVE_LIBPCAP_PCAP_FREECODE)
-if (NOT HAVE_LIBPCAP_PCAP_FREECODE)
-    set(DONT_HAVE_LIBPCAP_PCAP_FREECODE true)
-    message(STATUS "No implementation for pcap_freecode()")
-endif ()
-
-check_c_source_compiles("
-#include <pcap.h>
-int main () {
-    int snaplen;
-    int linktype;
-    struct bpf_program fp;
-    int optimize;
-    bpf_u_int32 netmask;
-    char str[10];
-    char error[1024];
-    snaplen = 50;
-    linktype = DLT_EN10MB;
-    optimize = 1;
-    netmask = 0L;
-    str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0';
-    (void)pcap_compile_nopcap(
-        snaplen, linktype, &fp, str, optimize, netmask, &error);
-    return 0;
-}
-" LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER)
-if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER)
-    # double check
-    check_c_source_compiles("
-#include <pcap.h>
-int main () {
-    int snaplen;
-    int linktype;
-    struct bpf_program fp;
-    int optimize;
-    bpf_u_int32 netmask;
-    char str[10];
-    snaplen = 50;
-    linktype = DLT_EN10MB;
-    optimize = 1;
-    netmask = 0L;
-    str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0';
-    (void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask);
-    return 0;
-}
-" LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER)
-    if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER)
-        message(FATAL_ERROR
-            "Can't determine if pcap_compile_nopcap takes an error parameter")
-    endif ()
-endif ()
-
-set(CMAKE_REQUIRED_INCLUDES)
-set(CMAKE_REQUIRED_LIBRARIES)
diff --git a/cmake/SetPackageFileName.cmake b/cmake/SetPackageFileName.cmake
deleted file mode 100644
index 759f72ab82..0000000000
--- a/cmake/SetPackageFileName.cmake
+++ /dev/null
@@ -1,18 +0,0 @@
-# Sets CPACK_PACKAGE_FILE name in the following format:
-#
-# <project_name>-<version>-<OS/platform>-<arch>
-#
-# The version must already be set in the VERSION variable
-
-set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${VERSION}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${CMAKE_SYSTEM_NAME}")
-if (APPLE)
-    # Only Intel-based Macs are supported.  CMAKE_SYSTEM_PROCESSOR may
-    # return the confusing 'i386' if running a 32-bit kernel, but chances
-    # are the binary is x86_64 (or more generally 'Intel') compatible.
-    set(arch "Intel")
-else ()
-    set (arch ${CMAKE_SYSTEM_PROCESSOR})
-endif ()
-
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${arch}")
diff --git a/cmake/SetPackageGenerators.cmake b/cmake/SetPackageGenerators.cmake
deleted file mode 100644
index edd80ee3d6..0000000000
--- a/cmake/SetPackageGenerators.cmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# Sets the list of desired package types to be created by the make
-# package target.  A .tar.gz is always made, and depending on the
-# operating system, more are added:
-#
-# Darwin - PackageMaker
-# Linux - RPM if the platform has rpmbuild installed
-#         DEB is ommitted because CPack does not give enough
-#         control over how the package is created and lacks support
-#         for automatic dependency detection.
-#         
-#
-# CPACK_GENERATOR is set by this module
-
-set(CPACK_GENERATOR TGZ)
-set(CPACK_SOURCE_GENERATOR TGZ)
-if (APPLE)
-    list(APPEND CPACK_GENERATOR PackageMaker)
-elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
-    find_program(RPMBUILD_EXE rpmbuild)
-    if (RPMBUILD_EXE)
-        set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM)
-    endif ()
-endif ()
diff --git a/cmake/SetPackageVersion.cmake b/cmake/SetPackageVersion.cmake
deleted file mode 100644
index 19c9d404e3..0000000000
--- a/cmake/SetPackageVersion.cmake
+++ /dev/null
@@ -1,27 +0,0 @@
-# Sets CPack version variables by splitting the first macro argument
-# using "." as a delimiter.  If the length of the split list is
-# greater than 2, all remaining elements are tacked on to the patch
-# level version.
-
-macro(SetPackageVersion _version)
-    string(REPLACE "." " " version_numbers ${_version})
-    separate_arguments(version_numbers)
-
-    list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MAJOR)
-    list(REMOVE_AT version_numbers 0)
-    list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MINOR)
-    list(REMOVE_AT version_numbers 0)
-    list(LENGTH version_numbers version_length)
-
-    while (version_length GREATER 0)
-        list(GET version_numbers 0 patch_level)
-        if (CPACK_PACKAGE_VERSION_PATCH)
-            set(CPACK_PACKAGE_VERSION_PATCH
-                "${CPACK_PACKAGE_VERSION_PATCH}.${patch_level}")
-        else ()
-            set(CPACK_PACKAGE_VERSION_PATCH ${patch_level})
-        endif ()
-        list(REMOVE_AT version_numbers 0)
-        list(LENGTH version_numbers version_length)
-    endwhile ()
-endmacro(SetPackageVersion)
diff --git a/cmake/cmake_uninstall.cmake.in b/cmake/cmake_uninstall.cmake.in
deleted file mode 100644
index bed4da63d3..0000000000
--- a/cmake/cmake_uninstall.cmake.in
+++ /dev/null
@@ -1,35 +0,0 @@
-function(uninstall_manifest manifestPath)
-    file(READ "${manifestPath}" files)
-    string(REGEX REPLACE "\n" ";" files "${files}")
-    foreach (file ${files})
-        set(fileName $ENV{DESTDIR}${file})
-
-        if (EXISTS "${fileName}" OR IS_SYMLINK "${fileName}")
-            message(STATUS "Uninstalling: ${fileName}")
-
-            execute_process(
-                COMMAND "@CMAKE_COMMAND@" -E remove "${fileName}"
-                OUTPUT_VARIABLE rm_out
-                RESULT_VARIABLE rm_retval
-            )
-
-            if (NOT ${rm_retval} EQUAL 0)
-                message(FATAL_ERROR "Problem when removing: ${fileName}")
-            endif ()
-        else ()
-            message(STATUS "Does not exist: ${fileName}")
-        endif ()
-
-    endforeach ()
-endfunction(uninstall_manifest)
-
-file(GLOB install_manifests @CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt)
-
-if (install_manifests)
-    foreach (manifest ${install_manifests})
-        uninstall_manifest(${manifest})
-    endforeach ()
-else ()
-    message(FATAL_ERROR "Cannot find any install manifests in: "
-                        "\"@CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt\"")
-endif ()
diff --git a/config.h.in b/config.h.in
index f1405813fc..261cd0ccb9 100644
--- a/config.h.in
+++ b/config.h.in
@@ -14,18 +14,9 @@
 /* Define if you have the `getopt_long' function. */
 #cmakedefine HAVE_GETOPT_LONG
 
-/* Define if you have the `magic' library (-lmagic). */
-#cmakedefine HAVE_LIBMAGIC
-
-/* Define if you have the `z' library (-lz). */
-#cmakedefine HAVE_LIBZ
-
 /* We are on a Linux system */
 #cmakedefine HAVE_LINUX
 
-/* Define if you have the <magic.h> header file. */
-#cmakedefine HAVE_MAGIC_H
-
 /* Define if you have the `mallinfo' function. */
 #cmakedefine HAVE_MALLINFO
 
@@ -41,8 +32,8 @@
 /* Define if you have the <net/ethernet.h> header file. */
 #cmakedefine HAVE_NET_ETHERNET_H
 
-/* We are on a OpenBSD system */
-#cmakedefine HAVE_OPENBSD
+/* Define if you have the <net/ethertypes.h> header file. */
+#cmakedefine HAVE_NET_ETHERTYPES_H
 
 /* have os-proto.h */
 #cmakedefine HAVE_OS_PROTO_H
@@ -114,6 +105,12 @@
 /* GeoIP geographic lookup functionality */
 #cmakedefine USE_GEOIP
 
+/* Whether the found GeoIP API supports IPv6 Country Edition */
+#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6
+
+/* Whether the found GeoIP API supports IPv6 City Edition */
+#cmakedefine HAVE_GEOIP_CITY_EDITION_REV0_V6
+
 /* Use Google's perftools */
 #cmakedefine USE_PERFTOOLS
 
@@ -130,19 +127,28 @@
 #endif
 
 /* Define int32_t */
-#define int32_t @INT32_T@
+#cmakedefine int32_t @int32_t@
 
 /* use sigset() instead of signal() */
-#define signal @SIG_FUNC@
+#ifdef HAVE_SIGSET
+#define signal sigset
+#endif
 
 /* define to int if socklen_t not available */
-#define socklen_t @SOCKLEN_T@
+#cmakedefine socklen_t @socklen_t@
 
 /* Define u_int16_t */
-#define u_int16_t @U_INT16_T@
+#cmakedefine u_int16_t @u_int16_t@
 
 /* Define u_int32_t */
-#define u_int32_t @U_INT32_T@
+#cmakedefine u_int32_t @u_int32_t@
 
 /* Define u_int8_t */
-#define u_int8_t @U_INT8_T@
+#cmakedefine u_int8_t @u_int8_t@
+
+/* OpenBSD's bpf.h may not declare this data link type, but it's supposed to be
+   used consistently for the same purpose on all platforms. */
+#cmakedefine HAVE_DLT_PPP_SERIAL
+#ifndef HAVE_DLT_PPP_SERIAL
+#define DLT_PPP_SERIAL @DLT_PPP_SERIAL@
+#endif
diff --git a/configure b/configure
index ec66a68e98..0f74674c0f 100755
--- a/configure
+++ b/configure
@@ -2,6 +2,8 @@
 # Convenience wrapper for easily viewing/setting options that
 # the project's CMake scripts will recognize
 
+command="$0 $*"
+
 # check for `cmake` command
 type cmake > /dev/null 2>&1 || {
     echo "\
@@ -20,29 +22,48 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
   Installation Directories:
     --prefix=PREFIX        installation directory [/usr/local/bro]
-    --policydir=PATH       policy file installation directory
+    --scriptdir=PATH       root installation directory for Bro scripts
                            [PREFIX/share/bro]
 
   Optional Features:
     --enable-debug         compile in debugging mode
     --enable-brov6         enable IPv6 processing
     --enable-perftools     use Google's perftools
-    --enable-cluster       install Broctl configured for cluster operation
-                           (overridden by --disable-broctl)
     --disable-broccoli     don't build or install the Broccoli library
     --disable-broctl       don't install Broctl
     --disable-auxtools     don't build or install auxilliary tools
+    --disable-python       don't try to build python bindings for broccoli
+    --disable-ruby         don't try to build ruby bindings for broccoli
 
   Required Packages in Non-Standard Locations:
     --with-openssl=PATH    path to OpenSSL install root
     --with-bind=PATH       path to BIND install root
     --with-pcap=PATH       path to libpcap install root
     --with-binpac=PATH     path to BinPAC install root
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
 
   Optional Packages in Non-Standard Locations:
     --with-libmagic=PATH   path to libmagic install root
     --with-geoip=PATH      path to the libGeoIP install root
     --with-perftools=PATH  path to Google Perftools install root
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-ruby=PATH       path to ruby interpreter
+    --with-ruby-lib=PATH   path to ruby library
+    --with-ruby-inc=PATH   path to ruby headers
+    --with-swig=PATH       path to SWIG executable
+
+  Packaging Options (for developers):
+    --binary-package       toggle special logic for binary packaging
+    --ignore-dirs=PATHS    paths to ignore when creating source package
+                           (semicolon delimited and quoted when multiple)
+    --pkg-name-prefix=NAME use the given name as the package prefix instead
+                           of the default CMake project name
+    --osx-sysroot=PATH     path to the OS X SDK to compile against
+    --osx-min-version=VER  minimum OS X version (the deployment target)
 
   Influential Environment Variables (only on first invocation
   per build directory):
@@ -69,7 +90,7 @@ CMakeCacheEntries=""
 append_cache_entry CMAKE_INSTALL_PREFIX PATH   /usr/local/bro
 append_cache_entry BRO_ROOT_DIR         PATH   /usr/local/bro
 append_cache_entry PY_MOD_INSTALL_DIR   PATH   /usr/local/bro/lib/broctl
-append_cache_entry POLICYDIR            STRING /usr/local/bro/share/bro
+append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING /usr/local/bro/share/bro
 append_cache_entry ENABLE_DEBUG         BOOL   false
 append_cache_entry BROv6                BOOL   false
 append_cache_entry ENABLE_PERFTOOLS     BOOL   false
@@ -78,7 +99,7 @@ append_cache_entry BUILD_SHARED_LIBS    BOOL   true
 append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
 append_cache_entry INSTALL_BROCCOLI     BOOL   true
 append_cache_entry INSTALL_BROCTL       BOOL   true
-append_cache_entry STANDALONE           BOOL   true
+append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
 
 # parse arguments
 while [ $# -ne 0 ]; do
@@ -102,13 +123,13 @@ while [ $# -ne 0 ]; do
             append_cache_entry CMAKE_INSTALL_PREFIX PATH   $optarg
             append_cache_entry BRO_ROOT_DIR         PATH   $optarg
             append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
-            if [ "$user_set_policydir" != "true" ]; then
-                append_cache_entry POLICYDIR        STRING $optarg/share/bro
+            if [ "$user_set_scriptdir" != "true" ]; then
+                append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg/share/bro
             fi
             ;;
-        --policydir=*)
-            append_cache_entry POLICYDIR            STRING $optarg
-            user_set_policydir="true"
+        --scriptdir=*)
+            append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg
+            user_set_scriptdir="true"
             ;;
         --enable-debug)
             append_cache_entry ENABLE_DEBUG         BOOL   true
@@ -124,16 +145,16 @@ while [ $# -ne 0 ]; do
             ;;
         --disable-broctl)
             append_cache_entry INSTALL_BROCTL       BOOL   false
-            user_disabled_broctl="true"
-            ;;
-        --enable-cluster)
-            if [ "$user_disabled_broctl" != "true" ]; then
-                append_cache_entry STANDALONE       BOOL   false
-            fi
             ;;
         --disable-auxtools)
             append_cache_entry INSTALL_AUX_TOOLS    BOOL   false
             ;;
+        --disable-python)
+            append_cache_entry DISABLE_PYTHON_BINDINGS     BOOL   true
+            ;;
+        --disable-ruby)
+            append_cache_entry DISABLE_RUBY_BINDINGS     BOOL   true
+            ;;
         --with-openssl=*)
             append_cache_entry OpenSSL_ROOT_DIR PATH $optarg
             ;;
@@ -146,6 +167,15 @@ while [ $# -ne 0 ]; do
         --with-binpac=*)
             append_cache_entry BinPAC_ROOT_DIR PATH $optarg
             ;;
+        --with-flex=*)
+            append_cache_entry FLEX_EXECUTABLE PATH $optarg
+            ;;
+        --with-bison=*)
+            append_cache_entry BISON_EXECUTABLE PATH $optarg
+            ;;
+        --with-perl=*)
+            append_cache_entry PERL_EXECUTABLE PATH $optarg
+            ;;
         --with-libmagic=*)
             append_cache_entry LibMagic_ROOT_DIR PATH $optarg
             ;;
@@ -153,8 +183,47 @@ while [ $# -ne 0 ]; do
             append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg
             ;;
         --with-perftools=*)
+            append_cache_entry ENABLE_PERFTOOLS     BOOL   true
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;
+        --with-python=*)
+            append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg
+            ;;
+        --with-python-lib=*)
+            append_cache_entry PYTHON_LIBRARY       PATH    $optarg
+            ;;
+        --with-python-inc=*)
+            append_cache_entry PYTHON_INCLUDE_DIR   PATH    $optarg
+            append_cache_entry PYTHON_INCLUDE_PATH  PATH    $optarg
+            ;;
+        --with-ruby=*)
+            append_cache_entry RUBY_EXECUTABLE    PATH    $optarg
+            ;;
+        --with-ruby-lib=*)
+            append_cache_entry RUBY_LIBRARY       PATH    $optarg
+            ;;
+        --with-ruby-inc=*)
+            append_cache_entry RUBY_INCLUDE_DIRS  PATH    $optarg
+            append_cache_entry RUBY_INCLUDE_PATH  PATH    $optarg
+            ;;
+        --with-swig=*)
+            append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
+            ;;
+        --binary-package)
+            append_cache_entry BINARY_PACKAGING_MODE BOOL true
+            ;;
+        --ignore-dirs=*)
+            append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg
+            ;;
+        --pkg-name-prefix=*)
+            append_cache_entry PACKAGE_NAME_PREFIX STRING $optarg
+            ;;
+        --osx-sysroot=*)
+            append_cache_entry CMAKE_OSX_SYSROOT PATH $optarg
+            ;;
+        --osx-min-version=*)
+            append_cache_entry CMAKE_OSX_DEPLOYMENT_TARGET STRING $optarg
+            ;;
         *)
             echo "Invalid option '$1'.  Try $0 --help to see available options."
             exit 1
@@ -166,21 +235,9 @@ done
 if [ -d $builddir ]; then
     # If build directory exists, check if it has a CMake cache
     if [ -f $builddir/CMakeCache.txt ]; then
-        # If the Cmake cache exists, then check that it thinks
-        # the source tree exists where it's currently located
-        cmakehomedir=`grep CMAKE_HOME_DIRECTORY $builddir/CMakeCache.txt | \
-                      sed 's/CMAKE_HOME_DIRECTORY:INTERNAL=//g'`
-        if [ "$cmakehomedir" != "$sourcedir" ]; then
-            # The source tree moved since the build was last configured
-            echo "\
-The source tree has been moved from:
-    $cmakehomedir
-to:
-    $sourcedir
-To reconfigure in the new source directory, please delete:
-    $builddir/CMakeCache.txt" >&2
-            exit 1
-        fi
+        # If the CMake cache exists, delete it so that this configuration
+        # is not tainted by a previous one
+        rm -f $builddir/CMakeCache.txt
     fi
 else
     # Create build directory
@@ -196,3 +253,7 @@ if [ -n "$CMakeGenerator" ]; then
 else
     cmake $CMakeCacheEntries $sourcedir
 fi
+
+echo "# This is the command used to configure this build" > config.status
+echo $command >> config.status
+chmod u+x config.status
diff --git a/doc/.gitignore b/doc/.gitignore
new file mode 100644
index 0000000000..15972ee82a
--- /dev/null
+++ b/doc/.gitignore
@@ -0,0 +1,2 @@
+html
+*.pyc
diff --git a/doc/CHANGES b/doc/CHANGES
new file mode 120000
index 0000000000..3e8bc8c0c8
--- /dev/null
+++ b/doc/CHANGES
@@ -0,0 +1 @@
+../CHANGES
\ No newline at end of file
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
new file mode 100644
index 0000000000..bdbb0e7b69
--- /dev/null
+++ b/doc/CMakeLists.txt
@@ -0,0 +1,75 @@
+set(BIF_SRC_DIR ${PROJECT_SOURCE_DIR}/src)
+set(RST_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/rest_output)
+set(DOC_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/out)
+set(DOC_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR})
+set(DOC_SOURCE_WORKDIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx-sources)
+
+set(MASTER_POLICY_INDEX ${CMAKE_CURRENT_BINARY_DIR}/scripts/policy_index)
+set(MASTER_PACKAGE_INDEX ${CMAKE_CURRENT_BINARY_DIR}/scripts/pkg_index)
+
+file(GLOB_RECURSE DOC_SOURCES FOLLOW_SYMLINKS "*")
+
+# configure the Sphinx config file (expand variables CMake might know about)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/conf.py.in
+               ${CMAKE_CURRENT_BINARY_DIR}/conf.py
+               @ONLY)
+
+add_subdirectory(scripts)
+
+# The "broxygen" target generates reST documentation for any outdated bro
+# scripts and then uses Sphinx to generate HTML documentation from the reST
+add_custom_target(broxygen
+                  # copy the template documentation to the build directory
+                  # to give as input for sphinx
+                  COMMAND "${CMAKE_COMMAND}" -E copy_directory
+                          ${DOC_SOURCE_DIR}
+                          ${DOC_SOURCE_WORKDIR}
+                  # copy generated policy script documentation into the
+                  # working copy of the template documentation
+                  COMMAND "${CMAKE_COMMAND}" -E copy_directory
+                          ${RST_OUTPUT_DIR}
+                          ${DOC_SOURCE_WORKDIR}/scripts
+                  # append to the master index of all policy scripts
+                  COMMAND cat ${MASTER_POLICY_INDEX} >>
+                          ${DOC_SOURCE_WORKDIR}/scripts/index.rst
+                  # append to the master index of all policy packages
+                  COMMAND cat ${MASTER_PACKAGE_INDEX} >>
+                          ${DOC_SOURCE_WORKDIR}/scripts/packages.rst
+                  # construct a reST file for each group
+                  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/bin/group_index_generator.py
+                          ${CMAKE_CURRENT_BINARY_DIR}/scripts/group_list
+                          ${CMAKE_CURRENT_BINARY_DIR}/scripts
+                          ${DOC_SOURCE_WORKDIR}/scripts
+                  # tell sphinx to generate html
+                  COMMAND sphinx-build
+                          -b html
+                          -c ${CMAKE_CURRENT_BINARY_DIR}
+                          -d ${DOC_OUTPUT_DIR}/doctrees
+                          ${DOC_SOURCE_WORKDIR}
+                          ${DOC_OUTPUT_DIR}/html
+                  # create symlink to the html output directory for convenience
+                  COMMAND "${CMAKE_COMMAND}" -E create_symlink
+                          ${DOC_OUTPUT_DIR}/html
+                          ${CMAKE_BINARY_DIR}/html
+                  # copy Broccoli API reference into output dir if it exists
+                  COMMAND test -d ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html && ( rm -rf ${CMAKE_BINARY_DIR}/html/broccoli-api && cp -r ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html ${CMAKE_BINARY_DIR}/html/broccoli-api ) || true
+                  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+                  COMMENT "[Sphinx] Generating HTML policy script docs"
+                  # SOURCES just adds stuff to IDE projects as a convenience
+                  SOURCES ${DOC_SOURCES})
+
+# The "sphinxclean" target removes just the Sphinx input/output directories
+# from the build directory.
+add_custom_target(broxygenclean
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${DOC_SOURCE_WORKDIR}
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${DOC_OUTPUT_DIR}
+                  VERBATIM)
+
+add_dependencies(broxygen broxygenclean restdoc)
+
+add_custom_target(doc)
+add_custom_target(docclean)
+add_dependencies(doc broxygen)
+add_dependencies(docclean broxygenclean restclean)
diff --git a/doc/INSTALL.rst b/doc/INSTALL.rst
new file mode 120000
index 0000000000..99d491b4f8
--- /dev/null
+++ b/doc/INSTALL.rst
@@ -0,0 +1 @@
+../INSTALL
\ No newline at end of file
diff --git a/doc/README b/doc/README
index 2a34ea6bdf..0ba0a8587f 100644
--- a/doc/README
+++ b/doc/README
@@ -1 +1,47 @@
+
+Documentation
+=============
+
+This directory contains Bro documentation in reStructuredText format
+(see http://docutils.sourceforge.net/rst.html).
+
+It is the root of a Sphinx source tree and can be modified to add more
+common/general documentation, style sheets, JavaScript, etc.  The Sphinx
+config file is produced from ``conf.py.in``, and can be edited to change
+various Sphinx options.
+
+There is also a custom Sphinx domain implemented in ``source/ext/bro.py``
+which adds some reST directives and roles that aid in generating useful
+index entries and cross-references.  Other extensions can be added in
+a similar fashion.
+
+Either the ``make doc`` or ``make broxygen`` targets in the top-level
+Makefile can be used to locally render the reST files into HTML.
+Those targets depend on:
+
+* Python interpreter >= 2.5
+* `Sphinx <http://sphinx.pocoo.org/>`_ >= 1.0.1
+
+After completion, HTML documentation is symlinked in ``build/html``.
+
+There's also ``make docclean`` and ``make broxygenclean`` targets to
+clean the resulting documentation.
+
+Notes for Writing Documentation
+-------------------------------
+
+* If you want to refer to a document that's part of the
+  distribution, it currently needs to be copied or otherwise symlinked
+  somewhere in to this Sphinx source tree. Then, it can be referenced
+  in a toc tree or with the :doc: role.  Use the :download: role to
+  refer to static files that will not undergo sphinx rendering.
+
+* If you want to refer to a page on the Bro web site, use an HTTP URL.
+
+Guidelines
+----------
+
 TODO.
+
+
+
diff --git a/doc/_static/960.css b/doc/_static/960.css
new file mode 100644
index 0000000000..22c5e18180
--- /dev/null
+++ b/doc/_static/960.css
@@ -0,0 +1 @@
+body{min-width:960px}.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15,.grid_16{display:inline;float:left;margin-left:10px;margin-right:10px}.push_1,.pull_1,.push_2,.pull_2,.push_3,.pull_3,.push_4,.pull_4,.push_5,.pull_5,.push_6,.pull_6,.push_7,.pull_7,.push_8,.pull_8,.push_9,.pull_9,.push_10,.pull_10,.push_11,.pull_11,.push_12,.pull_12,.push_13,.pull_13,.push_14,.pull_14,.push_15,.pull_15{position:relative}.container_12 .grid_3,.container_16 .grid_4{width:220px}.container_12 .grid_6,.container_16 .grid_8{width:460px}.container_12 .grid_9,.container_16 .grid_12{width:700px}.container_12 .grid_12,.container_16 .grid_16{width:940px}.alpha{margin-left:0}.omega{margin-right:0}.container_12 .grid_1{width:60px}.container_12 .grid_2{width:140px}.container_12 .grid_4{width:300px}.container_12 .grid_5{width:380px}.container_12 .grid_7{width:540px}.container_12 .grid_8{width:620px}.container_12 .grid_10{width:780px}.container_12 .grid_11{width:860px}.container_16 .grid_1{width:40px}.container_16 .grid_2{width:100px}.container_16 .grid_3{width:160px}.container_16 .grid_5{width:280px}.container_16 .grid_6{width:340px}.container_16 .grid_7{width:400px}.container_16 .grid_9{width:520px}.container_16 .grid_10{width:580px}.container_16 .grid_11{width:640px}.container_16 .grid_13{width:760px}.container_16 .grid_14{width:820px}.container_16 .grid_15{width:880px}.container_12 .prefix_3,.container_16 .prefix_4{padding-left:240px}.container_12 .prefix_6,.container_16 .prefix_8{padding-left:480px}.container_12 .prefix_9,.container_16 .prefix_12{padding-left:720px}.container_12 .prefix_1{padding-left:80px}.container_12 .prefix_2{padding-left:160px}.container_12 .prefix_4{padding-left:320px}.container_12 .prefix_5{padding-left:400px}.container_12 .prefix_7{padding-left:560px}.container_12 .prefix_8{padding-left:640px}.container_12 .prefix_10{padding-left:800px}.container_12 .prefix_11{padding-left:880px}.container_16 .prefix_1{padding-left:60px}.container_16 .prefix_2{padding-left:120px}.container_16 .prefix_3{padding-left:180px}.container_16 .prefix_5{padding-left:300px}.container_16 .prefix_6{padding-left:360px}.container_16 .prefix_7{padding-left:420px}.container_16 .prefix_9{padding-left:540px}.container_16 .prefix_10{padding-left:600px}.container_16 .prefix_11{padding-left:660px}.container_16 .prefix_13{padding-left:780px}.container_16 .prefix_14{padding-left:840px}.container_16 .prefix_15{padding-left:900px}.container_12 .suffix_3,.container_16 .suffix_4{padding-right:240px}.container_12 .suffix_6,.container_16 .suffix_8{padding-right:480px}.container_12 .suffix_9,.container_16 .suffix_12{padding-right:720px}.container_12 .suffix_1{padding-right:80px}.container_12 .suffix_2{padding-right:160px}.container_12 .suffix_4{padding-right:320px}.container_12 .suffix_5{padding-right:400px}.container_12 .suffix_7{padding-right:560px}.container_12 .suffix_8{padding-right:640px}.container_12 .suffix_10{padding-right:800px}.container_12 .suffix_11{padding-right:880px}.container_16 .suffix_1{padding-right:60px}.container_16 .suffix_2{padding-right:120px}.container_16 .suffix_3{padding-right:180px}.container_16 .suffix_5{padding-right:300px}.container_16 .suffix_6{padding-right:360px}.container_16 .suffix_7{padding-right:420px}.container_16 .suffix_9{padding-right:540px}.container_16 .suffix_10{padding-right:600px}.container_16 .suffix_11{padding-right:660px}.container_16 .suffix_13{padding-right:780px}.container_16 .suffix_14{padding-right:840px}.container_16 .suffix_15{padding-right:900px}.container_12 .push_3,.container_16 .push_4{left:240px}.container_12 .push_6,.container_16 .push_8{left:480px}.container_12 .push_9,.container_16 .push_12{left:720px}.container_12 .push_1{left:80px}.container_12 .push_2{left:160px}.container_12 .push_4{left:320px}.container_12 .push_5{left:400px}.container_12 .push_7{left:560px}.container_12 .push_8{left:640px}.container_12 .push_10{left:800px}.container_12 .push_11{left:880px}.container_16 .push_1{left:60px}.container_16 .push_2{left:120px}.container_16 .push_3{left:180px}.container_16 .push_5{left:300px}.container_16 .push_6{left:360px}.container_16 .push_7{left:420px}.container_16 .push_9{left:540px}.container_16 .push_10{left:600px}.container_16 .push_11{left:660px}.container_16 .push_13{left:780px}.container_16 .push_14{left:840px}.container_16 .push_15{left:900px}.container_12 .pull_3,.container_16 .pull_4{left:-240px}.container_12 .pull_6,.container_16 .pull_8{left:-480px}.container_12 .pull_9,.container_16 .pull_12{left:-720px}.container_12 .pull_1{left:-80px}.container_12 .pull_2{left:-160px}.container_12 .pull_4{left:-320px}.container_12 .pull_5{left:-400px}.container_12 .pull_7{left:-560px}.container_12 .pull_8{left:-640px}.container_12 .pull_10{left:-800px}.container_12 .pull_11{left:-880px}.container_16 .pull_1{left:-60px}.container_16 .pull_2{left:-120px}.container_16 .pull_3{left:-180px}.container_16 .pull_5{left:-300px}.container_16 .pull_6{left:-360px}.container_16 .pull_7{left:-420px}.container_16 .pull_9{left:-540px}.container_16 .pull_10{left:-600px}.container_16 .pull_11{left:-660px}.container_16 .pull_13{left:-780px}.container_16 .pull_14{left:-840px}.container_16 .pull_15{left:-900px}.clear{clear:both;display:block;overflow:hidden;visibility:hidden;width:0;height:0}.clearfix:before,.clearfix:after{content:'\0020';display:block;overflow:hidden;visibility:hidden;width:0;height:0}.clearfix:after{clear:both}.clearfix{zoom:1}
diff --git a/doc/_static/basic.css b/doc/_static/basic.css
new file mode 100644
index 0000000000..1332c7b048
--- /dev/null
+++ b/doc/_static/basic.css
@@ -0,0 +1,513 @@
+/*
+ * basic.css
+ * ~~~~~~~~~
+ *
+ * Sphinx stylesheet -- basic theme.
+ *
+ * :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
+ * :license: BSD, see LICENSE for details.
+ *
+ */
+
+/* -- main layout ----------------------------------------------------------- */
+
+div.clearer {
+    clear: both;
+}
+
+/* -- relbar ---------------------------------------------------------------- */
+
+div.related {
+    width: 100%;
+    font-size: 90%;
+}
+
+div.related h3 {
+    display: none;
+}
+
+div.related ul {
+    margin: 0;
+    padding: 0 0 0 10px;
+    list-style: none;
+}
+
+div.related li {
+    display: inline;
+}
+
+div.related li.right {
+    float: right;
+    margin-right: 5px;
+}
+
+/* -- sidebar --------------------------------------------------------------- */
+
+div.sphinxsidebarwrapper {
+    padding: 10px 5px 0 10px;
+}
+
+div.sphinxsidebar {
+    float: left;
+    width: 230px;
+    margin-left: -100%;
+    font-size: 90%;
+}
+
+div.sphinxsidebar ul {
+    list-style: none;
+}
+
+div.sphinxsidebar ul ul,
+div.sphinxsidebar ul.want-points {
+    margin-left: 20px;
+    list-style: square;
+}
+
+div.sphinxsidebar ul ul {
+    margin-top: 0;
+    margin-bottom: 0;
+}
+
+div.sphinxsidebar form {
+    margin-top: 10px;
+}
+
+div.sphinxsidebar input {
+    border: 1px solid #98dbcc;
+    font-family: sans-serif;
+    font-size: 1em;
+}
+
+div.sphinxsidebar input[type="text"] {
+    width: 170px;
+}
+
+div.sphinxsidebar input[type="submit"] {
+    width: 30px;
+}
+
+img {
+    border: 0;
+}
+
+/* -- search page ----------------------------------------------------------- */
+
+ul.search {
+    margin: 10px 0 0 20px;
+    padding: 0;
+}
+
+ul.search li {
+    padding: 5px 0 5px 20px;
+    background-image: url(file.png);
+    background-repeat: no-repeat;
+    background-position: 0 7px;
+}
+
+ul.search li a {
+    font-weight: bold;
+}
+
+ul.search li div.context {
+    color: #888;
+    margin: 2px 0 0 30px;
+    text-align: left;
+}
+
+ul.keywordmatches li.goodmatch a {
+    font-weight: bold;
+}
+
+/* -- index page ------------------------------------------------------------ */
+
+table.contentstable {
+    width: 90%;
+}
+
+table.contentstable p.biglink {
+    line-height: 150%;
+}
+
+a.biglink {
+    font-size: 1.3em;
+}
+
+span.linkdescr {
+    font-style: italic;
+    padding-top: 5px;
+    font-size: 90%;
+}
+
+/* -- general index --------------------------------------------------------- */
+
+table.indextable {
+    width: 100%;
+}
+
+table.indextable td {
+    text-align: left;
+    vertical-align: top;
+}
+
+table.indextable dl, table.indextable dd {
+    margin-top: 0;
+    margin-bottom: 0;
+}
+
+table.indextable tr.pcap {
+    height: 10px;
+}
+
+table.indextable tr.cap {
+    margin-top: 10px;
+    background-color: #f2f2f2;
+}
+
+img.toggler {
+    margin-right: 3px;
+    margin-top: 3px;
+    cursor: pointer;
+}
+
+div.modindex-jumpbox {
+    border-top: 1px solid #ddd;
+    border-bottom: 1px solid #ddd;
+    margin: 1em 0 1em 0;
+    padding: 0.4em;
+}
+
+div.genindex-jumpbox {
+    border-top: 1px solid #ddd;
+    border-bottom: 1px solid #ddd;
+    margin: 1em 0 1em 0;
+    padding: 0.4em;
+}
+
+/* -- general body styles --------------------------------------------------- */
+
+a.headerlink {
+    visibility: hidden;
+}
+
+div.body p.caption {
+    text-align: inherit;
+}
+
+div.body td {
+    text-align: left;
+}
+
+.field-list ul {
+    padding-left: 1em;
+}
+
+.first {
+    margin-top: 0 !important;
+}
+
+p.rubric {
+    margin-top: 30px;
+    font-weight: bold;
+}
+
+img.align-left, .figure.align-left, object.align-left {
+    clear: left;
+    float: left;
+    margin-right: 1em;
+}
+
+img.align-right, .figure.align-right, object.align-right {
+    clear: right;
+    float: right;
+    margin-left: 1em;
+}
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+    text-align: left;
+}
+
+.align-center {
+    text-align: center;
+}
+
+.align-right {
+    text-align: right;
+}
+
+/* -- sidebars -------------------------------------------------------------- */
+
+div.sidebar {
+    margin: 0 0 0.5em 1em;
+    border: 1px solid #ddb;
+    padding: 7px 7px 0 7px;
+    background-color: #ffe;
+    width: 40%;
+    float: right;
+}
+
+p.sidebar-title {
+    font-weight: bold;
+}
+
+/* -- topics ---------------------------------------------------------------- */
+
+div.topic {
+    border: 1px solid #ccc;
+    padding: 7px 7px 0 7px;
+    margin: 10px 0 10px 0;
+}
+
+p.topic-title {
+    font-size: 1.1em;
+    font-weight: bold;
+    margin-top: 10px;
+}
+
+/* -- admonitions ----------------------------------------------------------- */
+
+div.admonition {
+    margin-top: 10px;
+    margin-bottom: 10px;
+    padding: 7px;
+}
+
+div.admonition dt {
+    font-weight: bold;
+}
+
+div.admonition dl {
+    margin-bottom: 0;
+}
+
+p.admonition-title {
+    margin: 0px 10px 5px 0px;
+    font-weight: bold;
+}
+
+div.body p.centered {
+    text-align: center;
+    margin-top: 25px;
+}
+
+/* -- tables ---------------------------------------------------------------- */
+
+table.field-list td, table.field-list th {
+    border: 0 !important;
+}
+
+table.footnote td, table.footnote th {
+    border: 0 !important;
+}
+
+th {
+    text-align: left;
+    padding-right: 5px;
+}
+
+table.citation {
+    border-left: solid 1px gray;
+    margin-left: 1px;
+}
+
+table.citation td {
+    border-bottom: none;
+}
+
+/* -- other body styles ----------------------------------------------------- */
+
+ol.arabic {
+    list-style: decimal;
+}
+
+ol.loweralpha {
+    list-style: lower-alpha;
+}
+
+ol.upperalpha {
+    list-style: upper-alpha;
+}
+
+ol.lowerroman {
+    list-style: lower-roman;
+}
+
+ol.upperroman {
+    list-style: upper-roman;
+}
+
+dd p {
+    margin-top: 0px;
+}
+
+dd ul, dd table {
+    margin-bottom: 10px;
+}
+
+dd {
+    margin-top: 3px;
+    margin-bottom: 10px;
+    margin-left: 30px;
+}
+
+dt:target, .highlighted {
+    background-color: #fbe54e;
+}
+
+dl.glossary dt {
+    font-weight: bold;
+    font-size: 1.1em;
+}
+
+.field-list ul {
+    margin: 0;
+    padding-left: 1em;
+}
+
+.field-list p {
+    margin: 0;
+}
+
+.refcount {
+    color: #060;
+}
+
+.optional {
+    font-size: 1.3em;
+}
+
+.versionmodified {
+    font-style: italic;
+}
+
+.system-message {
+    background-color: #fda;
+    padding: 5px;
+    border: 3px solid red;
+}
+
+.footnote:target  {
+    background-color: #ffa;
+}
+
+.line-block {
+    display: block;
+    margin-top: 1em;
+    margin-bottom: 1em;
+}
+
+.line-block .line-block {
+    margin-top: 0;
+    margin-bottom: 0;
+    margin-left: 1.5em;
+}
+
+.guilabel, .menuselection {
+    font-family: sans-serif;
+}
+
+.accelerator {
+    text-decoration: underline;
+}
+
+.classifier {
+    font-style: oblique;
+}
+
+abbr, acronym {
+    border-bottom: dotted 1px;
+    cursor: help;
+}
+
+/* -- code displays --------------------------------------------------------- */
+
+pre {
+    overflow: auto;
+    overflow-y: hidden;  /* fixes display issues on Chrome browsers */
+}
+
+td.linenos pre {
+    padding: 5px 0px;
+    border: 0;
+    background-color: transparent;
+    color: #aaa;
+}
+
+table.highlighttable {
+    margin-left: 0.5em;
+}
+
+table.highlighttable td {
+    padding: 0 0.5em 0 0.5em;
+}
+
+tt.descname {
+    background-color: transparent;
+    font-weight: bold;
+#   font-size: 1.2em;
+}
+
+tt.descclassname {
+    background-color: transparent;
+}
+
+tt.xref, a tt {
+    background-color: transparent;
+#    font-weight: bold;
+}
+
+h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
+    background-color: transparent;
+}
+
+.viewcode-link {
+    float: right;
+}
+
+.viewcode-back {
+    float: right;
+    font-family: sans-serif;
+}
+
+div.viewcode-block:target {
+    margin: -1px -10px;
+    padding: 0 10px;
+}
+
+/* -- math display ---------------------------------------------------------- */
+
+img.math {
+    vertical-align: middle;
+}
+
+div.body div.math p {
+    text-align: center;
+}
+
+span.eqno {
+    float: right;
+}
+
+/* -- printout stylesheet --------------------------------------------------- */
+
+@media print {
+    div.document,
+    div.documentwrapper,
+    div.bodywrapper {
+        margin: 0 !important;
+        width: 100%;
+    }
+
+    div.sphinxsidebar,
+    div.related,
+    div.footer,
+    #top-link {
+        display: none;
+    }
+}
diff --git a/doc/_static/broxygen-extra.css b/doc/_static/broxygen-extra.css
new file mode 100644
index 0000000000..051e12e0be
--- /dev/null
+++ b/doc/_static/broxygen-extra.css
@@ -0,0 +1,160 @@
+
+a.toc-backref {
+    color: #333;
+}
+
+h1, h2, h3, h4, h5, h6,
+h1 a, h2 a, h3 a, h4 a, h5 a, h6 a {
+	padding:0 0 0px 0;
+}
+
+ul {
+    padding-bottom: 0px;
+}    
+
+h1 {
+    font-weight: bold;
+    font-size: 32px;
+	line-height:32px;
+    text-align: center;
+    padding-top: 3px;
+    margin-bottom: 30px;
+    font-family: Palatino,'Palatino Linotype',Georgia,serif;;
+    color: #000;
+    border-bottom: 0px;
+}
+
+th.field-name
+{
+    white-space:nowrap;
+}
+
+h2 {
+    margin-top: 50px;
+    padding-bottom: 5px;
+    margin-bottom: 30px;
+    border-bottom: 1px solid;
+    border-color: #aaa;
+    font-style: normal;
+}
+
+div.section h3 {
+    font-style: normal;
+    }
+
+h3 {
+    font-size: 20px;
+    margin-top: 40px;
+    margin-bottom: 0¡px;
+    font-weight: bold;
+    font-style: normal;
+}
+
+h3.widgettitle {
+    font-style: normal;
+}    
+
+h4 {
+    font-size:18px;
+    font-style: normal;
+    margin-bottom: 0em;
+    margin-top: 40px;
+    font-style: italic;
+}
+
+h5 {
+    font-size:16px;
+}
+
+h6 {
+    font-size:15px;
+}
+
+.toc-backref {
+    color: #333;
+}
+
+.contents ul {
+   padding-bottom: 1em;
+}
+
+dl.namespace {
+    display: none;
+}
+
+dl dt {
+    font-weight: normal;
+}
+
+table.docutils tbody {
+    margin: 1em 1em 1em 1em;
+}
+
+table.docutils td {
+    padding: 5pt 5pt 5pt 5pt;
+    font-size: 14px;
+    border-left: 0;
+    border-right: 0;
+}
+
+dl pre {
+    font-size: 14px;
+}
+
+table.docutils th {
+    padding: 5pt 5pt 5pt 5pt;
+    font-size: 14px;
+    font-style: normal;
+    border-left: 0;
+    border-right: 0;
+}
+
+table.docutils tr:first-child td {
+    #border-top: 1px solid #aaa;
+}
+
+.download {
+    font-family:"Courier New", Courier, mono;
+    font-weight: normal;
+}
+
+dt:target, .highlighted {
+    background-color: #ccc;
+}
+
+p {
+    padding-bottom: 0px;
+}
+
+p.last {
+    margin-bottom: 0px;
+}
+
+dl {
+    padding: 1em 1em 1em 1em;
+    background: #fffff0;
+    border: 1px solid #aaa;
+
+}
+
+dl {
+   margin-bottom: 10px;
+}
+
+
+table.docutils {
+    background: #fffff0;
+    border-collapse: collapse;
+    border: 1px solid #ddd;
+}
+
+dl table.docutils {
+    border: 0;
+}
+
+table.docutils dl {
+    border: 1px dashed #666;
+}
+
+
+
diff --git a/policy/ftp-safe-words.bro b/doc/_static/broxygen-extra.js
similarity index 100%
rename from policy/ftp-safe-words.bro
rename to doc/_static/broxygen-extra.js
diff --git a/doc/_static/broxygen.css b/doc/_static/broxygen.css
new file mode 100644
index 0000000000..967dcd6eaa
--- /dev/null
+++ b/doc/_static/broxygen.css
@@ -0,0 +1,437 @@
+/* Automatically generated. Do not edit. */
+
+
+
+
+
+#bro-main, #bro-standalone-main {
+	padding: 0 0 0 0;
+	position:relative;
+	z-index:1;
+}
+
+#bro-main {
+    margin-bottom: 2em;
+    }
+
+#bro-standalone-main {
+    margin-bottom: 0em;
+    padding-left: 50px;
+    padding-right: 50px;
+    }
+
+#bro-outer {
+    color: #333;
+    background: #ffffff;
+}
+
+#bro-title {
+    font-weight: bold;
+    font-size: 32px;
+	line-height:32px;
+    text-align: center;
+    padding-top: 3px;
+    margin-bottom: 30px;
+    font-family: Palatino,'Palatino Linotype',Georgia,serif;;
+    color: #000;
+    }
+
+.opening:first-letter {
+    font-size: 24px;
+    font-weight: bold;
+    letter-spacing: 0.05em;
+    }
+
+.opening {
+    font-size: 17px;
+}
+
+.version {
+    text-align: right;
+    font-size: 12px;
+    color: #aaa;
+   	line-height: 0;
+	height: 0;
+}
+
+.git-info-version {
+    position: relative;
+    height: 2em;
+    top: -1em;
+    color: #ccc;
+    float: left;
+    font-size: 12px;
+}
+
+.git-info-date {
+    position: relative;
+    height: 2em;
+    top: -1em;
+    color: #ccc;
+    float: right;
+    font-size: 12px;
+}
+
+body {
+	font-family:Arial, Helvetica, sans-serif;
+	font-size:15px;
+	line-height:22px;
+    color: #333;
+    margin: 0px;
+}
+
+h1, h2, h3, h4, h5, h6,
+h1 a, h2 a, h3 a, h4 a, h5 a, h6 a {
+	padding:0 0 20px 0;
+	font-weight:bold;
+	text-decoration:none;
+}
+
+div.section h3, div.section h4, div.section h5, div.section h6 {
+    font-style: italic;
+}
+
+h1, h2 {
+	font-size:27px;
+	letter-spacing:-1px;
+}
+
+h3 {
+    margin-top: 1em;
+	font-size:18px;
+}
+
+h4 {
+	font-size:16px;
+}
+
+h5 {
+	font-size:15px;
+}
+
+h6 {
+	font-size:12px;
+}
+
+p {
+	padding:0 0 20px 0;
+}
+
+hr {
+	background:none;
+	height:1px;
+	line-height:1px;
+	border:0;
+	margin:0 0 20px 0;
+}
+
+ul, ol {
+	margin:0 20px 20px 0;
+	padding-left:40px;
+}
+
+ul.simple, ol.simple {
+    margin:0 0px 0px 0;
+}
+
+blockquote {
+	margin:0 0 0 40px;
+}
+
+strong, dfn {
+	font-weight:bold;
+}
+
+em, dfn {
+	font-style:italic;
+}
+
+sup, sub {
+	line-height:0;
+}
+
+pre  {
+	white-space:pre;
+}
+
+pre, code, tt {
+	font-family:"Courier New", Courier, mono;
+}
+
+dl {
+	margin: 0 0 20px 0;
+}
+
+dl dt {
+	font-weight: bold;
+}
+
+dd {
+	margin:0 0 20px 20px;
+}
+
+small {
+	font-size:75%;
+}
+
+a:link,
+a:visited,
+a:active
+{
+    color: #2a85a7;
+}
+
+a:hover
+{
+	color:#c24444;
+}
+
+h1, h2, h3, h4, h5, h6,
+h1 a, h2 a, h3 a, h4 a, h5 a, h6 a
+{
+	color: #333;
+}
+
+hr {
+	border-bottom:1px solid #ddd;
+}
+
+pre {
+    color: #333;
+	background: #FFFAE2;
+	padding: 7px 5px 3px 5px;
+    margin-bottom: 25px;
+    margin-top: 0px;
+}
+
+ul {
+    padding-bottom: 5px;
+    }
+
+h1, h2 {
+	margin-top: 30px;
+    }
+
+h1 {
+	margin-bottom: 50px;
+	margin-bottom: 20px;
+    padding-bottom: 5px;
+    border-bottom: 1px solid;
+    border-color: #aaa;
+    }
+
+h2 {
+	font-size: 24px;
+    }
+
+pre {
+	-moz-box-shadow:0 0 6px #ddd;
+	-webkit-box-shadow:0 0 6px #ddd;
+	box-shadow:0 0 6px #ddd;
+}
+
+a {
+	text-decoration:none;
+    }
+
+p {
+    padding-bottom: 15px;
+    }
+
+p, dd, li {
+    text-align: justify;
+    }
+
+li {
+    margin-bottom: 5px;
+    }
+
+
+
+#footer .widget_links ul a,
+#footer .widget_links ol a
+{
+	color: #ddd;
+}
+
+#footer .widget_links ul a:hover,
+#footer .widget_links ol a:hover
+{
+	color:#c24444;
+}
+
+
+#footer .widget li {
+	padding-bottom:10px;
+}
+
+#footer .widget_links li {
+	padding-bottom:1px;
+}
+
+#footer .widget li:last-child {
+	padding-bottom:0;
+}
+
+#footer .widgettitle {
+	color: #ddd;
+}
+
+
+.widget {
+	margin:0 0 40px 0;
+}
+
+.widget, .widgettitle {
+	font-size:12px;
+	line-height:18px;
+}
+
+.widgettitle {
+	font-weight:bold;
+	text-transform:uppercase;
+	padding:0 0 10px 0;
+	margin:0 0 20px 0;
+	line-height:100%;
+}
+
+.widget UL, .widget OL {
+	list-style-type:none;
+	margin:0;
+	padding:0;
+}
+
+.widget p {
+	padding:0;
+}
+
+.widget li {
+	padding-bottom:10px;
+}
+
+.widget a {
+	text-decoration:none;
+}
+
+#bro-main .widgettitle,
+{
+	color: #333;
+}
+
+
+.widget img.left {
+	padding:5px 10px 10px 0;
+}
+
+.widget img.right {
+	padding:5px 0 10px 10px;
+}
+
+.ads .widgettitle {
+	margin-right:16px;
+}
+
+.widget {
+   margin-left: 1em;
+}
+
+.widgettitle {
+	color: #333;
+}
+
+.widgettitle {
+	border-bottom:1px solid #ddd;
+}
+
+
+.sidebar-toc ul li {
+    padding-bottom: 0px;
+    text-align: left;
+    list-style-type: square;
+    list-style-position: inside;
+    padding-left: 1em;
+    text-indent: -1em;
+    }
+
+.sidebar-toc ul li li {
+    margin-left: 1em;
+    margin-bottom: 0px;
+    list-style-type: square;
+    }
+
+.sidebar-toc ul li li a {
+    font-size: 8pt;
+}
+
+.contents {
+   padding: 10px;
+   background: #FFFAE2;
+   margin: 20px;
+   }
+
+.topic-title {
+   font-size: 20px;
+   font-weight: bold;
+   padding: 0px 0px 5px 0px;
+   text-align: center;
+   padding-top: .5em;
+}
+
+.contents li {
+   margin-bottom: 0px;
+   list-style-type: square;
+}
+
+.contents ul ul li {
+   margin-left: 0px;
+   padding-left: 0px;
+   padding-top: 0em;
+   font-size: 90%;
+   list-style-type: square;
+   font-weight: normal;
+}
+
+.contents ul ul ul li {
+   list-style-type: none;
+}
+
+.contents ul ul ul ul li {
+   display:none;
+}
+
+.contents ul li {
+   padding-top: 1em;
+   list-style-type: none;
+    font-weight: bold;
+}
+
+.contents ul {
+   margin-left: 0px;
+   padding-left: 2em;
+   margin: 0px 0px 0px 0px;
+}
+
+.note, .warning, .error {
+    margin-left: 2em;
+    margin-right: 2em;
+    margin-top: 1.5em;
+    margin-bottom: 1.5em;
+    padding: 0.5em 1em 0.5em 1em;
+    overflow: auto;
+    border-left: solid 3px #aaa;
+    font-size: 15px;
+    color: #333;
+}
+
+.admonition p {
+    margin-left: 1em;
+    }
+
+.admonition-title {
+    font-size: 16px;
+	font-weight: bold;
+    color: #000;
+    padding-bottom: 0em;
+    margin-bottom: .5em;
+    margin-top: 0em;
+}
\ No newline at end of file
diff --git a/doc/_static/logo-bro.png b/doc/_static/logo-bro.png
new file mode 100644
index 0000000000..96cc5d443c
Binary files /dev/null and b/doc/_static/logo-bro.png differ
diff --git a/doc/_static/pygments.css b/doc/_static/pygments.css
new file mode 100644
index 0000000000..3c96f6ae4e
--- /dev/null
+++ b/doc/_static/pygments.css
@@ -0,0 +1,58 @@
+.hll { background-color: #ffffcc }
+.c { color: #aaaaaa; font-style: italic } /* Comment */
+.err { color: #F00000; background-color: #F0A0A0 } /* Error */
+.k { color: #0000aa } /* Keyword */
+.cm { color: #aaaaaa; font-style: italic } /* Comment.Multiline */
+.cp { color: #4c8317 } /* Comment.Preproc */
+.c1 { color: #aaaaaa; font-style: italic } /* Comment.Single */
+.cs { color: #0000aa; font-style: italic } /* Comment.Special */
+.gd { color: #aa0000 } /* Generic.Deleted */
+.ge { font-style: italic } /* Generic.Emph */
+.gr { color: #aa0000 } /* Generic.Error */
+.gh { color: #000080; font-weight: bold } /* Generic.Heading */
+.gi { color: #00aa00 } /* Generic.Inserted */
+.go { color: #888888 } /* Generic.Output */
+.gp { color: #555555 } /* Generic.Prompt */
+.gs { font-weight: bold } /* Generic.Strong */
+.gu { color: #800080; font-weight: bold } /* Generic.Subheading */
+.gt { color: #aa0000 } /* Generic.Traceback */
+.kc { color: #0000aa } /* Keyword.Constant */
+.kd { color: #0000aa } /* Keyword.Declaration */
+.kn { color: #0000aa } /* Keyword.Namespace */
+.kp { color: #0000aa } /* Keyword.Pseudo */
+.kr { color: #0000aa } /* Keyword.Reserved */
+.kt { color: #00aaaa } /* Keyword.Type */
+.m { color: #009999 } /* Literal.Number */
+.s { color: #aa5500 } /* Literal.String */
+.na { color: #1e90ff } /* Name.Attribute */
+.nb { color: #00aaaa } /* Name.Builtin */
+.nc { color: #00aa00; text-decoration: underline } /* Name.Class */
+.no { color: #aa0000 } /* Name.Constant */
+.nd { color: #888888 } /* Name.Decorator */
+.ni { color: #800000; font-weight: bold } /* Name.Entity */
+.nf { color: #00aa00 } /* Name.Function */
+.nn { color: #00aaaa; text-decoration: underline } /* Name.Namespace */
+.nt { color: #1e90ff; font-weight: bold } /* Name.Tag */
+.nv { color: #aa0000 } /* Name.Variable */
+.ow { color: #0000aa } /* Operator.Word */
+.w { color: #bbbbbb } /* Text.Whitespace */
+.mf { color: #009999 } /* Literal.Number.Float */
+.mh { color: #009999 } /* Literal.Number.Hex */
+.mi { color: #009999 } /* Literal.Number.Integer */
+.mo { color: #009999 } /* Literal.Number.Oct */
+.sb { color: #aa5500 } /* Literal.String.Backtick */
+.sc { color: #aa5500 } /* Literal.String.Char */
+.sd { color: #aa5500 } /* Literal.String.Doc */
+.s2 { color: #aa5500 } /* Literal.String.Double */
+.se { color: #aa5500 } /* Literal.String.Escape */
+.sh { color: #aa5500 } /* Literal.String.Heredoc */
+.si { color: #aa5500 } /* Literal.String.Interpol */
+.sx { color: #aa5500 } /* Literal.String.Other */
+.sr { color: #009999 } /* Literal.String.Regex */
+.s1 { color: #aa5500 } /* Literal.String.Single */
+.ss { color: #0000aa } /* Literal.String.Symbol */
+.bp { color: #00aaaa } /* Name.Builtin.Pseudo */
+.vc { color: #aa0000 } /* Name.Variable.Class */
+.vg { color: #aa0000 } /* Name.Variable.Global */
+.vi { color: #aa0000 } /* Name.Variable.Instance */
+.il { color: #009999 } /* Literal.Number.Integer.Long */
diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html
new file mode 100644
index 0000000000..77d9d1de1c
--- /dev/null
+++ b/doc/_templates/layout.html
@@ -0,0 +1,113 @@
+{% extends "!layout.html" %}
+
+{% block extrahead %}
+<link rel="stylesheet" type="text/css" href="{{ pathto('_static/broxygen.css', 1) }}"></script>
+<link rel="stylesheet" type="text/css" href="{{ pathto('_static/960.css', 1) }}"></script>
+<link rel="stylesheet" type="text/css" href="{{ pathto('_static/pygments.css', 1) }}"></script>
+<link rel="stylesheet" type="text/css" href="{{ pathto('_static/broxygen-extra.css', 1) }}"></script>
+
+<script type="text/javascript" src="{{ pathto('_static/broxygen-extra.js', 1) }}"></script>
+{% endblock %}
+
+{% block header %}
+<iframe src="http://www.bro-ids.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
+</iframe>
+{% endblock %}
+
+{% block relbar2 %}{% endblock %}
+{% block relbar1 %}{% endblock %}
+
+{% block content %}
+
+        <div id="bro-main" class="clearfix">
+            <div class="container_12">
+
+                <div class="grid_9">
+
+                    <div>
+                         {{ relbar() }}
+                    </div>
+
+                    <div class="body">
+                        {% block body %}
+                        {% endblock %}
+                    </div>
+                </div>
+
+                <!-- Sidebar -->
+                <div class="grid_3 omega">
+
+                    <div>
+                        <img id="logo" src="{{pathto('_static/logo-bro.png', 1)}}" alt="Logo" />
+                    </div>
+                    <br />
+
+
+                    <div class="widget sidebar-toc">
+                        <h3 class="widgettitle">
+                            Table of Contents
+                        </h3>
+                        <p>
+                            <!-- <ul id="sidebar-toc"></ul> -->
+                            <ul>{{toc}}</ul>
+                        </p>
+                    </div>
+
+                    {% if next %}
+                    <div class="widget">
+                        <h3 class="widgettitle">
+                            Next Page
+                        </h3>
+                        <p>
+                            <a href="{{ next.link|e }}">{{ next.title }}</a>
+                        </p>
+                    </div>
+                    {% endif %}
+
+                    {% if prev %}
+                    <div class="widget">
+                        <h3 class="widgettitle">
+                            Previous Page
+                        </h3>
+                        <p>
+                            <a href="{{ prev.link|e }}">{{ prev.title }}</a>
+                        </p>
+                    </div>
+                    {% endif %}
+
+                    {%- if pagename != "search" %}
+                    <div id="searchbox" style="display: none" class="widget">
+                      <h3 class="widgettitle">{{ _('Search') }}</h3>
+                        <form class="search" action="{{ pathto('search') }}" method="get">
+                          <input type="text" name="q" />
+                          <input type="submit" value="{{ _('Search') }}" />
+                          <input type="hidden" name="check_keywords" value="yes" />
+                          <input type="hidden" name="area" value="default" />
+                        </form>
+                    </div>
+                    <script type="text/javascript">$('#searchbox').show(0);</script>
+                    {%- endif %}
+
+                </div>
+            </div>
+
+            <div class="container_12">
+                <div class="grid_12 alpha omega">
+                    <div class="center">
+                        <small>
+                            Copyright {{ copyright }}.
+                            Last updated on {{ last_updated }}.
+                            Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.
+                        </small>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+
+{% endblock %}
+
+{% block footer %}
+<iframe src="http://www.bro-ids.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
+</iframe>
+{% endblock %}
diff --git a/doc/bin/group_index_generator.py b/doc/bin/group_index_generator.py
new file mode 100755
index 0000000000..720081e8b5
--- /dev/null
+++ b/doc/bin/group_index_generator.py
@@ -0,0 +1,62 @@
+#! /usr/bin/env python
+
+# This script automatically generates a reST documents that lists
+# a collection of Bro scripts that are "grouped" together.
+# The summary text (##! comments) of the script is embedded in the list
+#
+# 1st argument is the file containing list of groups
+# 2nd argument is the directory containing ${group}_files lists of
+#   scripts that belong to the group and ${group}_doc_names lists of
+#   document names that can be supplied to a reST :doc: role
+# 3rd argument is a directory in which write a ${group}.rst file (will
+#   append to existing file) that contains reST style references to
+#   script docs along with summary text contained in original script
+
+import sys
+import os
+import string
+
+group_list = sys.argv[1]
+file_manifest_dir = sys.argv[2]
+output_dir = sys.argv[3]
+
+with open(group_list, 'r') as f_group_list:
+    for group in f_group_list.read().splitlines():
+        #print group
+        file_manifest = os.path.join(file_manifest_dir, group + "_files")
+        doc_manifest = os.path.join(file_manifest_dir, group + "_doc_names")
+        src_files = []
+        doc_names = []
+
+        with open(file_manifest, 'r') as f_file_manifest:
+            src_files = f_file_manifest.read().splitlines()
+
+        with open(doc_manifest, 'r') as f_doc_manifest:
+            doc_names = f_doc_manifest.read().splitlines()
+
+        for i in range(len(src_files)):
+            src_file = src_files[i]
+            #print "\t" + src_file
+            summary_comments = []
+            with open(src_file, 'r') as f_src_file:
+                for line in f_src_file:
+                    sum_pos = string.find(line, "##!")
+                    if sum_pos != -1:
+                        summary_comments.append(line[(sum_pos+3):])
+            #print summary_comments
+            group_file = os.path.join(output_dir, group + ".rst")
+            if not os.path.exists(group_file):
+                if not os.path.exists(os.path.dirname(group_file)):
+                    os.makedirs(os.path.dirname(group_file))
+                with open(group_file, 'w') as f_group_file:
+                    f_group_file.write(":orphan:\n\n")
+                    title = "Package Index: %s\n" % os.path.dirname(group)
+                    f_group_file.write(title);
+                    for n in range(len(title)):
+                        f_group_file.write("=")
+                    f_group_file.write("\n");
+
+            with open(group_file, 'a') as f_group_file:
+                f_group_file.write("\n:doc:`/scripts/%s`\n" % doc_names[i])
+                for line in summary_comments:
+                    f_group_file.write("   " + line)
diff --git a/doc/cluster.rst b/doc/cluster.rst
new file mode 100644
index 0000000000..ba26471edc
--- /dev/null
+++ b/doc/cluster.rst
@@ -0,0 +1,84 @@
+Bro Cluster
+===========
+
+Intro
+------
+
+Bro is not multithreaded, so once the limitations of a single processor core are reached, the only option currently is to spread the workload across many cores or even many physical computers.  The cluster deployment scenario for Bro is the current solution to build these larger systems.  The accompanying tools and scripts provide the structure to easily manage many Bro processes examining packets and doing correlation activities but acting as a singular, cohesive entity.  
+
+Architecture
+---------------
+
+The figure below illustrates the main components of a Bro cluster.
+
+.. image:: images/deployment.png
+
+Tap
+***
+This is a mechanism that splits the packet stream in order to make a copy
+available for inspection. Examples include the monitoring port on a switch and
+an optical splitter for fiber networks.
+
+Frontend 
+********
+This is a discrete hardware device or on-host technique that will split your traffic into many streams or flows.  The Bro binary does not do this job.  There are numerous ways to accomplish this task, some of which are described below in `Frontend Options`_.
+
+Manager
+*******
+This is a Bro process which has two primary jobs.  It receives log messages and notices from the rest of the nodes in the cluster using the Bro communications protocol.  The result is that you will end up with single logs for each log instead of many discrete logs that you have to later combine in some manner with post processing.  The manager also takes the opportunity to de-duplicate notices and it has the ability to do so since it’s acting as the choke point for notices and how notices might be processed into actions such as emailing, paging, or blocking.
+
+The manager process is started first by BroControl and it only opens it’s designated port and waits for connections, it doesn’t initiate any connections to the rest of the cluster.  Once the workers are started and connect to the manager, logs and notices will start arriving to the manager process from the workers.
+
+Proxy
+*****
+This is a Bro process which manages synchronized state.  Variables can be synchronized across connected Bro processes automatically in Bro and proxies will help the workers by alleviating the need for all of the workers to connect directly to each other.  
+
+Examples of synchronized state from the scripts that ship with Bro are things such as the full list of “known� hosts and services which are hosts or services which have been detected as performing full TCP handshakes or an analyzed protocol has been found on the connection.  If worker A detects host 1.2.3.4 as an active host, it would be beneficial for worker B to know that as well so worker A shares that information as an insertion to a set <link to set documentation would be good here> which travels to the cluster’s proxy and the proxy then sends that same set insertion to worker B.  The result is that worker A and worker B have shared knowledge about host and services that are active on the network being monitored.  
+
+The proxy model extends to having multiple proxies as well if necessary for performance reasons, it only adds one additional step for the Bro processes.  Each proxy connects to another proxy in a ring and the workers are shared between them as evenly as possible.  When a proxy receives some new bit of state, it will share that with it’s proxy which is then shared around the ring of proxies and down to all of the workers.  From a practical standpoint, there are no rules of thumb established yet for the number of proxies necessary for the number of workers they are serving.  Best is to start with a single proxy and add more if communication performance problems are found.
+
+Bro processes acting as proxies don’t tend to be extremely intense to CPU or memory and users frequently run proxy processes on the same physical host as the manager.
+
+Worker
+******
+This is the Bro process that sniffs network traffic and does protocol analysis on the reassembled traffic streams.  Most of the work of an active cluster takes place on the workers and as such, the workers typically represent the bulk of the Bro processes that are running in a cluster.  The fastest memory and CPU core speed you can afford is best here since all of the protocol parsing and most analysis will take place here.   There are no particular requirements for the disks in workers since almost all logging is done remotely to the manager and very little is normally written to disk.
+
+The rule of thumb we have followed recently is to allocate approximately 1 core for every 80Mbps of traffic that is being analyzed, however this estimate could be extremely traffic mix specific.  It has generally worked for mixed traffic with many users and servers.  For example, if your traffic peaks around 2Gbps (combined) and you want to handle traffic at peak load, you may want to have 26 cores available (2048 / 80 == 25.6).  If the 80Mbps estimate works for your traffic, this could be handled by 3 physical hosts dedicated to being workers with each one containing dual 6-core processors.  
+
+Once a flow based load balancer is put into place this model is extremely easy to scale as well so it’s recommended that you guess at the amount of hardware you will need to fully analyze your traffic.  If it turns out that you need more, it’s relatively easy to increase the size of the cluster in most cases.
+
+Frontend Options
+----------------
+
+There are many options for setting up a frontend flow distributor and in many cases it may even be beneficial to do multiple stages of flow distribution on the network and on the host.
+
+Discrete hardware flow balancers
+********************************
+
+cPacket
+^^^^^^^
+
+If you are monitoring one or more 10G physical interfaces, the recommended solution is to use either a cFlow or cVu device from cPacket because they are currently being used very successfully at a number of sites.  These devices will perform layer-2 load balancing by rewriting the destination ethernet MAC address to cause each packet associated with a particular flow to have the same destination MAC.  The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers.  This can ultimately greatly reduce costs since workers can use relatively inexpensive 1G interfaces.
+
+OpenFlow Switches
+^^^^^^^^^^^^^^^^^
+
+We are currently exploring the use of OpenFlow based switches to do flow based load balancing directly on the switch which can greatly reduce frontend costs for many users.  This document will be updated when we have more information.
+
+On host flow balancing
+**********************
+
+PF_RING
+^^^^^^^
+
+The PF_RING software for Linux has a “clustering� feature which will do flow based load balancing across a number of processes that are sniffing the same interface.  This will allow you to easily take advantage of multiple cores in a single physical host because Bro’s main event loop is single threaded and can’t natively utilize all of the cores.  More information about Bro with PF_RING can be found here: (someone want to write a quick Bro/PF_RING tutorial to link to here?  document installing kernel module, libpcap wrapper, building Bro with the --with-pcap configure option)
+
+Netmap
+^^^^^^
+
+FreeBSD has an in-progress project named Netmap which will enable flow based load balancing as well.  When it becomes viable for real world use, this document will be updated.
+
+Click! Software Router
+^^^^^^^^^^^^^^^^^^^^^^
+
+Click! can be used for flow based load balancing with a simple configuration.  (link to an example for the config).  This solution is not recommended on Linux due to Bro’s PF_RING support and only as a last resort on other operating systems since it causes a lot of overhead due to context switching back and forth between kernel and userland several times per packet.
diff --git a/doc/components/binpac/README.rst b/doc/components/binpac/README.rst
new file mode 120000
index 0000000000..4eb90ef658
--- /dev/null
+++ b/doc/components/binpac/README.rst
@@ -0,0 +1 @@
+../../../aux/binpac/README
\ No newline at end of file
diff --git a/doc/components/bro-aux/README.rst b/doc/components/bro-aux/README.rst
new file mode 120000
index 0000000000..628879525d
--- /dev/null
+++ b/doc/components/bro-aux/README.rst
@@ -0,0 +1 @@
+../../../aux/bro-aux/README
\ No newline at end of file
diff --git a/doc/components/broccoli-python/README.rst b/doc/components/broccoli-python/README.rst
new file mode 120000
index 0000000000..4187e87202
--- /dev/null
+++ b/doc/components/broccoli-python/README.rst
@@ -0,0 +1 @@
+../../../aux/broccoli/bindings/broccoli-python/README
\ No newline at end of file
diff --git a/doc/components/broccoli-ruby/README.rst b/doc/components/broccoli-ruby/README.rst
new file mode 120000
index 0000000000..da71663099
--- /dev/null
+++ b/doc/components/broccoli-ruby/README.rst
@@ -0,0 +1 @@
+../../../aux/broccoli/bindings/broccoli-ruby/README
\ No newline at end of file
diff --git a/doc/components/broccoli/README.rst b/doc/components/broccoli/README.rst
new file mode 120000
index 0000000000..d32c70ccd9
--- /dev/null
+++ b/doc/components/broccoli/README.rst
@@ -0,0 +1 @@
+../../../aux/broccoli/README
\ No newline at end of file
diff --git a/doc/components/broccoli/broccoli-manual.rst b/doc/components/broccoli/broccoli-manual.rst
new file mode 120000
index 0000000000..bd5e8d711f
--- /dev/null
+++ b/doc/components/broccoli/broccoli-manual.rst
@@ -0,0 +1 @@
+../../../aux/broccoli/doc/broccoli-manual.rst
\ No newline at end of file
diff --git a/doc/components/broctl/README.rst b/doc/components/broctl/README.rst
new file mode 120000
index 0000000000..cba305f48a
--- /dev/null
+++ b/doc/components/broctl/README.rst
@@ -0,0 +1 @@
+../../../aux/broctl/doc/broctl.rst
\ No newline at end of file
diff --git a/doc/components/btest/README.rst b/doc/components/btest/README.rst
new file mode 120000
index 0000000000..0da2935df1
--- /dev/null
+++ b/doc/components/btest/README.rst
@@ -0,0 +1 @@
+../../../aux/btest/README
\ No newline at end of file
diff --git a/doc/components/capstats/README.rst b/doc/components/capstats/README.rst
new file mode 120000
index 0000000000..cb2380145d
--- /dev/null
+++ b/doc/components/capstats/README.rst
@@ -0,0 +1 @@
+../../../aux/broctl/aux/capstats/README
\ No newline at end of file
diff --git a/doc/components/pysubnettree/README.rst b/doc/components/pysubnettree/README.rst
new file mode 120000
index 0000000000..42ce17d303
--- /dev/null
+++ b/doc/components/pysubnettree/README.rst
@@ -0,0 +1 @@
+../../../aux/broctl/aux/pysubnettree/README
\ No newline at end of file
diff --git a/doc/components/trace-summary/README.rst b/doc/components/trace-summary/README.rst
new file mode 120000
index 0000000000..78778364bd
--- /dev/null
+++ b/doc/components/trace-summary/README.rst
@@ -0,0 +1 @@
+../../../aux/broctl/aux/trace-summary/README
\ No newline at end of file
diff --git a/doc/conf.py.in b/doc/conf.py.in
new file mode 100644
index 0000000000..2e93e82502
--- /dev/null
+++ b/doc/conf.py.in
@@ -0,0 +1,222 @@
+# -*- coding: utf-8 -*-
+#
+# Bro documentation build configuration file, created by sphinx-quickstart
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath('sphinx-sources/ext'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['sphinx-sources/_templates', 'sphinx-sources/_static']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'Bro'
+copyright = u'2012, The Bro Project'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '@VERSION_MAJ_MIN@'
+# The full version, including alpha/beta/rc tags.
+release = '@VERSION@'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = []
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+show_authors = True
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'basic'
+
+html_last_updated_fmt = '%B %d, %Y'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+html_theme_options = { }
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> Documentation".
+#html_title = None
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['sphinx-sources/_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+html_sidebars = {
+'**': ['localtoc.html', 'sourcelink.html', 'searchbox.html'],
+}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'Broxygen'
+
+html_add_permalinks = None
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+  ('index', 'Bro.tex', u'Bro Documentation',
+   u'The Bro Project', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    ('index', 'bro', u'Bro Documentation',
+     [u'The Bro Project'], 1)
+]
+
+# -- Options for todo plugin --------------------------------------------
+todo_include_todos=True
diff --git a/doc/ext/adapt-toc.py b/doc/ext/adapt-toc.py
new file mode 100644
index 0000000000..12ee006977
--- /dev/null
+++ b/doc/ext/adapt-toc.py
@@ -0,0 +1,29 @@
+
+import sys
+import re
+
+# Removes the first TOC level, which is just the page title.
+def process_html_toc(app, pagename, templatename, context, doctree):
+
+    if not "toc" in context:
+        return
+
+    toc = context["toc"]
+
+    lines = toc.strip().split("\n")
+    lines = lines[2:-2]
+
+    toc = "\n".join(lines)
+    toc = "<ul>" + toc
+
+    context["toc"] = toc
+
+    # print >>sys.stderr, pagename
+    # print >>sys.stderr, context["toc"]
+    # print >>sys.stderr, "-----"
+    # print >>sys.stderr, toc
+    # print >>sys.stderr, "===="
+
+def setup(app):
+    app.connect('html-page-context', process_html_toc)
+
diff --git a/doc/ext/bro.py b/doc/ext/bro.py
new file mode 100644
index 0000000000..9bdd86bd9a
--- /dev/null
+++ b/doc/ext/bro.py
@@ -0,0 +1,266 @@
+"""
+    The Bro domain for Sphinx.
+"""
+
+def setup(Sphinx):
+    Sphinx.add_domain(BroDomain)
+    Sphinx.add_node(see)
+    Sphinx.add_directive_to_domain('bro', 'see', SeeDirective)
+    Sphinx.connect('doctree-resolved', process_see_nodes)
+
+from sphinx import addnodes
+from sphinx.domains import Domain, ObjType, Index
+from sphinx.locale import l_, _
+from sphinx.directives import ObjectDescription
+from sphinx.roles import XRefRole
+from sphinx.util.nodes import make_refnode
+import string
+
+from docutils import nodes
+from docutils.parsers.rst import Directive
+from docutils.parsers.rst import directives
+from docutils.parsers.rst.roles import set_classes
+
+class see(nodes.General, nodes.Element):
+    refs = []
+
+class SeeDirective(Directive):
+    has_content = True
+
+    def run(self):
+        n = see('')
+        n.refs = string.split(string.join(self.content))
+        return [n]
+
+def process_see_nodes(app, doctree, fromdocname):
+    for node in doctree.traverse(see):
+        content = []
+        para = nodes.paragraph()
+        para += nodes.Text("See also:", "See also:")
+        for name in node.refs:
+            join_str = " "
+            if name != node.refs[0]:
+                join_str  = ", "
+            link_txt = join_str + name;
+
+            if name not in app.env.domaindata['bro']['idtypes']:
+                # Just create the text and issue warning
+                app.env.warn(fromdocname,
+                             'unknown target for ".. bro:see:: %s"' % (name))
+                para += nodes.Text(link_txt, link_txt)
+            else:
+                # Create a reference
+                typ = app.env.domaindata['bro']['idtypes'][name]
+                todocname = app.env.domaindata['bro']['objects'][(typ, name)]
+
+                newnode = nodes.reference('', '')
+                innernode = nodes.literal(_(name), _(name))
+                newnode['refdocname'] = todocname
+                newnode['refuri'] = app.builder.get_relative_uri(
+                    fromdocname, todocname)
+                newnode['refuri'] += '#' + typ + '-' + name
+                newnode.append(innernode)
+                para += nodes.Text(join_str, join_str)
+                para += newnode
+
+        content.append(para)
+        node.replace_self(content)
+
+class BroGeneric(ObjectDescription):
+    def update_type_map(self, idname):
+        if 'idtypes' not in self.env.domaindata['bro']:
+            self.env.domaindata['bro']['idtypes'] = {}
+        self.env.domaindata['bro']['idtypes'][idname] = self.objtype
+
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+            if key in objects:
+                self.env.warn(self.env.docname,
+                              'duplicate description of %s %s, ' %
+                              (self.objtype, name) +
+                              'other instance in ' +
+                              self.env.doc2path(objects[key]),
+                              self.lineno)
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        indextext = self.get_index_text(self.objtype, name)
+        if indextext:
+            self.indexnode['entries'].append(('single', indextext,
+                                              targetname, targetname))
+
+    def get_index_text(self, objectname, name):
+        return _('%s (%s)') % (name, self.objtype)
+
+    def handle_signature(self, sig, signode):
+        signode += addnodes.desc_name("", sig)
+        return sig
+
+class BroNamespace(BroGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        indextext = self.get_index_text(self.objtype, name)
+        self.indexnode['entries'].append(('single', indextext,
+                                          targetname, targetname))
+        self.indexnode['entries'].append(('single',
+                                          "namespaces; %s" % (sig),
+                                          targetname, targetname))
+
+    def get_index_text(self, objectname, name):
+        return _('%s (namespace); %s') % (name, self.env.docname)
+
+    def handle_signature(self, sig, signode):
+        signode += addnodes.desc_name("", sig)
+        return sig
+
+class BroEnum(BroGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        indextext = self.get_index_text(self.objtype, name)
+        #self.indexnode['entries'].append(('single', indextext,
+        #                                  targetname, targetname))
+        m = sig.split()
+        if m[1] == "Notice::Type":
+            if 'notices' not in self.env.domaindata['bro']:
+                self.env.domaindata['bro']['notices'] = []
+            self.env.domaindata['bro']['notices'].append(
+                                (m[0], self.env.docname, targetname))
+        self.indexnode['entries'].append(('single',
+                                          "%s (enum values); %s" % (m[1], m[0]),
+                                          targetname, targetname))
+
+    def handle_signature(self, sig, signode):
+        m = sig.split()
+        name = m[0]
+        signode += addnodes.desc_name("", name)
+        return name
+
+class BroIdentifier(BroGeneric):
+    def get_index_text(self, objectname, name):
+        return name
+
+class BroAttribute(BroGeneric):
+    def get_index_text(self, objectname, name):
+        return _('%s (attribute)') % (name)
+
+class BroNotices(Index):
+    """
+    Index subclass to provide the Bro notices index.
+    """
+
+    name = 'noticeindex'
+    localname = l_('Bro Notice Index')
+    shortname = l_('notices')
+
+    def generate(self, docnames=None):
+        content = {}
+        for n in self.domain.env.domaindata['bro']['notices']:
+            modname = n[0].split("::")[0]
+            entries = content.setdefault(modname, [])
+            entries.append([n[0], 0, n[1], n[2], '', '', ''])
+
+        content = sorted(content.iteritems())
+
+        return content, False
+
+class BroDomain(Domain):
+    """Bro domain."""
+    name = 'bro'
+    label = 'Bro'
+
+    object_types = {
+        'type':             ObjType(l_('type'),             'type'),
+        'namespace':        ObjType(l_('namespace'),        'namespace'),
+        'id':               ObjType(l_('id'),               'id'),
+        'enum':             ObjType(l_('enum'),             'enum'),
+        'attr':             ObjType(l_('attr'),             'attr'),
+    }
+
+    directives = {
+        'type':             BroGeneric,
+        'namespace':        BroNamespace,
+        'id':               BroIdentifier,
+        'enum':             BroEnum,
+        'attr':             BroAttribute,
+    }
+
+    roles = {
+        'type':             XRefRole(),
+        'namespace':        XRefRole(),
+        'id':               XRefRole(),
+        'enum':             XRefRole(),
+        'attr':             XRefRole(),
+        'see':              XRefRole(),
+    }
+
+    indices = [
+        BroNotices,
+    ]
+
+    initial_data = {
+        'objects': {},  # fullname -> docname, objtype
+    }
+
+    def clear_doc(self, docname):
+        for (typ, name), doc in self.data['objects'].items():
+            if doc == docname:
+                del self.data['objects'][typ, name]
+
+    def resolve_xref(self, env, fromdocname, builder, typ, target, node,
+                     contnode):
+        objects = self.data['objects']
+        if typ == "see":
+            if target not in self.data['idtypes']:
+                self.env.warn(fromdocname,
+                              'unknown target for ":bro:see:`%s`"' % (target))
+                return []
+            objtype = self.data['idtypes'][target]
+            return make_refnode(builder, fromdocname,
+                                        objects[objtype, target],
+                                        objtype + '-' + target,
+                                        contnode, target + ' ' + objtype)
+        else:
+            objtypes = self.objtypes_for_role(typ)
+            for objtype in objtypes:
+                if (objtype, target) in objects:
+                    return make_refnode(builder, fromdocname,
+                                        objects[objtype, target],
+                                        objtype + '-' + target,
+                                        contnode, target + ' ' + objtype)
+                else:
+                    self.env.warn(fromdocname,
+                        'unknown target for ":bro:%s:`%s`"' % (typ, target))
+
+    def get_objects(self):
+        for (typ, name), docname in self.data['objects'].iteritems():
+            yield name, name, typ, docname, typ + '-' + name, 1
diff --git a/testing/istate/base/bro-ping/stdout.log b/doc/ext/bro_lexer/__init__.py
similarity index 100%
rename from testing/istate/base/bro-ping/stdout.log
rename to doc/ext/bro_lexer/__init__.py
diff --git a/doc/ext/bro_lexer/__init__.pyc b/doc/ext/bro_lexer/__init__.pyc
new file mode 100644
index 0000000000..1b03eaf1c1
Binary files /dev/null and b/doc/ext/bro_lexer/__init__.pyc differ
diff --git a/doc/ext/bro_lexer/bro.py b/doc/ext/bro_lexer/bro.py
new file mode 100644
index 0000000000..8cb4475f3b
--- /dev/null
+++ b/doc/ext/bro_lexer/bro.py
@@ -0,0 +1,76 @@
+from pygments.lexer import RegexLexer, bygroups, include
+from pygments.token import *
+
+__all__ = ["BroLexer"]
+
+class BroLexer(RegexLexer):
+    name = 'Bro'
+    aliases = ['bro']
+    filenames = ['*.bro']
+
+    _hex = r'[0-9a-fA-F_]+'
+    _float = r'((\d*\.?\d+)|(\d+\.?\d*))([eE][-+]?\d+)?'
+    _h = r'[A-Za-z0-9][-A-Za-z0-9]*'
+
+    tokens = {
+        'root': [
+            # Whitespace
+            ('^@.*?\n', Comment.Preproc),
+            (r'#.*?\n', Comment.Single),
+            (r'\n', Text),
+            (r'\s+', Text),
+            (r'\\\n', Text),
+            # Keywords
+            (r'(add|alarm|break|case|const|continue|delete|do|else|enum|event'
+             r'|export|for|function|if|global|local|module|next'
+             r'|of|print|redef|return|schedule|when|while)\b', Keyword),
+            (r'(addr|any|bool|count|counter|double|file|int|interval|net'
+             r'|pattern|port|record|set|string|subnet|table|time|timer'
+             r'|vector)\b', Keyword.Type),
+            (r'(T|F)\b', Keyword.Constant),
+            (r'(&)((?:add|delete|expire)_func|attr|(create|read|write)_expire'
+             r'|default|disable_print_hook|raw_output|encrypt|group|log'
+             r'|mergeable|optional|persistent|priority|redef'
+             r'|rotate_(?:interval|size)|synchronized)\b', bygroups(Punctuation,
+                 Keyword)),
+            (r'\s+module\b', Keyword.Namespace),
+            # Addresses, ports and networks
+            (r'\d+/(tcp|udp|icmp|unknown)\b', Number),
+            (r'(\d+\.){3}\d+', Number),
+            (r'(' + _hex + r'){7}' + _hex, Number),
+            (r'0x' + _hex + r'(' + _hex + r'|:)*::(' + _hex + r'|:)*', Number),
+            (r'((\d+|:)(' + _hex + r'|:)*)?::(' + _hex + r'|:)*', Number),
+            (r'(\d+\.\d+\.|(\d+\.){2}\d+)', Number),
+            # Hostnames
+            (_h + r'(\.' + _h + r')+', String),
+            # Numeric
+            (_float + r'\s+(day|hr|min|sec|msec|usec)s?\b', Literal.Date),
+            (r'0[xX]' + _hex, Number.Hex),
+            (_float, Number.Float),
+            (r'\d+', Number.Integer),
+            (r'/', String.Regex, 'regex'),
+            (r'"', String, 'string'),
+            # Operators
+            (r'[!%*/+-:<=>?~|]', Operator),
+            (r'([-+=&|]{2}|[+-=!><]=)', Operator),
+            (r'(in|match)\b', Operator.Word),
+            (r'[{}()\[\]$.,;]', Punctuation),
+            # Identfier
+            (r'([_a-zA-Z]\w*)(::)', bygroups(Name, Name.Namespace)),
+            (r'[a-zA-Z_][a-zA-Z_0-9]*', Name)
+        ],
+        'string': [
+            (r'"', String, '#pop'),
+            (r'\\([\\abfnrtv"\']|x[a-fA-F0-9]{2,4}|[0-7]{1,3})', String.Escape),
+            (r'[^\\"\n]+', String),
+            (r'\\\n', String),
+            (r'\\', String)
+        ],
+        'regex': [
+            (r'/', String.Regex, '#pop'),
+            (r'\\[\\nt/]', String.Regex), # String.Escape is too intense.
+            (r'[^\\/\n]+', String.Regex),
+            (r'\\\n', String.Regex),
+            (r'\\', String.Regex)
+        ]
+    }
diff --git a/doc/ext/bro_lexer/bro.pyc b/doc/ext/bro_lexer/bro.pyc
new file mode 100644
index 0000000000..6471e1528d
Binary files /dev/null and b/doc/ext/bro_lexer/bro.pyc differ
diff --git a/doc/ext/rst_directive.py b/doc/ext/rst_directive.py
new file mode 100644
index 0000000000..434eef2c61
--- /dev/null
+++ b/doc/ext/rst_directive.py
@@ -0,0 +1,180 @@
+def setup(app):
+    pass
+
+# -*- coding: utf-8 -*-
+"""
+
+Modified version of the the Pygments reStructuredText directive. -Robin
+
+This provides two new directives:
+
+    - .. code:: [<format>]
+
+      Highlights the following code block according to <format> if
+      given (e.g., "c", "python", etc.).
+
+    - .. console::
+
+      Highlits the following code block as a shell session.
+
+    For compatibility with the original version, "sourcecode" is
+    equivalent to "code".
+
+Original comment:
+
+    The Pygments reStructuredText directive
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    This fragment is a Docutils_ 0.5 directive that renders source code
+    (to HTML only, currently) via Pygments.
+
+    To use it, adjust the options below and copy the code into a module
+    that you import on initialization.  The code then automatically
+    registers a ``sourcecode`` directive that you can use instead of
+    normal code blocks like this::
+
+        .. sourcecode:: python
+
+            My code goes here.
+
+    If you want to have different code styles, e.g. one with line numbers
+    and one without, add formatters with their names in the VARIANTS dict
+    below.  You can invoke them instead of the DEFAULT one by using a
+    directive option::
+
+        .. sourcecode:: python
+            :linenos:
+
+            My code goes here.
+
+    Look at the `directive documentation`_ to get all the gory details.
+
+    .. _Docutils: http://docutils.sf.net/
+    .. _directive documentation:
+       http://docutils.sourceforge.net/docs/howto/rst-directives.html
+
+    :copyright: Copyright 2006-2010 by the Pygments team, see AUTHORS.
+    :license: BSD, see LICENSE for details.
+"""
+
+# Options
+# ~~~~~~~
+
+# Set to True if you want inline CSS styles instead of classes
+INLINESTYLES = False
+
+from pygments.formatters import HtmlFormatter
+
+class MyHtmlFormatter(HtmlFormatter):
+    def format_unencoded(self, tokensource, outfile):
+
+        # A NOP currently.
+        new_tokens = []
+        for (i, piece) in tokensource:
+            new_tokens += [(i, piece)]
+
+        return super(MyHtmlFormatter, self).format_unencoded(new_tokens, outfile)
+
+# The default formatter
+DEFAULT = MyHtmlFormatter(noclasses=INLINESTYLES, cssclass="pygments")
+
+# Add name -> formatter pairs for every variant you want to use
+VARIANTS = {
+    # 'linenos': HtmlFormatter(noclasses=INLINESTYLES, linenos=True),
+}
+
+
+import textwrap
+
+from docutils import nodes
+from docutils.parsers.rst import directives, Directive
+
+from pygments import highlight
+from pygments.lexers import get_lexer_by_name, guess_lexer, TextLexer
+from pygments.token import Text, Keyword, Error, Operator, Name
+from pygments.filter import Filter
+
+# Ugly hack to register the Bro lexer. I'm sure there's a better way to do it,
+# but it's not obvious ...
+from bro_lexer.bro import BroLexer
+from pygments.lexers._mapping import LEXERS
+LEXERS['BroLexer'] = ('bro_lexer.bro', BroLexer.name, BroLexer.aliases, BroLexer.filenames, ())
+
+class Pygments(Directive):
+    """ Source code syntax hightlighting.
+    """
+    #max_line_length = 68
+    max_line_length = 0
+
+    required_arguments = 0
+    optional_arguments = 1
+    final_argument_whitespace = True
+    option_spec = dict([(key, directives.flag) for key in VARIANTS])
+    has_content = True
+
+    def wrapped_content(self):
+        content = []
+
+        if Console.max_line_length:
+            for line in self.content:
+                content += textwrap.wrap(line, Console.max_line_length, subsequent_indent="      ")
+        else:
+            content = self.content
+
+        return u'\n'.join(content)
+
+    def run(self):
+        self.assert_has_content()
+
+        content = self.wrapped_content()
+
+        if len(self.arguments) > 0:
+            try:
+                lexer = get_lexer_by_name(self.arguments[0])
+            except (ValueError, IndexError):
+                # lexer not found, use default.
+                lexer = TextLexer()
+        else:
+            lexer = guess_lexer(content)
+
+        # import sys
+        # print >>sys.stderr, self.arguments, lexer.__class__
+
+        # take an arbitrary option if more than one is given
+        formatter = self.options and VARIANTS[self.options.keys()[0]] or DEFAULT
+        parsed = highlight(content, lexer, formatter)
+        return [nodes.raw('', parsed, format='html')]
+
+class MyFilter(Filter):
+    def filter(self, lexer, stream):
+
+        bol = True
+
+        for (ttype, value) in stream:
+            # Color the '>' prompt sign.
+            if bol and ttype is Text and value == ">":
+                ttype = Name.Variable.Class # This gives us a nice red.
+
+            # Discolor builtin, that can look funny.
+            if ttype is Name.Builtin:
+                ttype = Text
+
+            bol = value.endswith("\n")
+
+            yield (ttype, value)
+
+class Console(Pygments):
+    required_arguments = 0
+    optional_arguments = 0
+
+    def run(self):
+        self.assert_has_content()
+        content = self.wrapped_content()
+        lexer = get_lexer_by_name("sh")
+        lexer.add_filter(MyFilter())
+        parsed = highlight(content, lexer, DEFAULT)
+        return [nodes.raw('', parsed, format='html')]
+
+directives.register_directive('sourcecode', Pygments)
+directives.register_directive('code', Pygments)
+directives.register_directive('console', Console)
diff --git a/doc/faq.rst b/doc/faq.rst
new file mode 100644
index 0000000000..8545cc57ee
--- /dev/null
+++ b/doc/faq.rst
@@ -0,0 +1,171 @@
+
+==========================
+Frequently Asked Questions
+==========================
+
+.. raw:: html
+
+    <div class="faq">
+
+.. contents::
+
+Installation and Configuration
+==============================
+
+How can I tune my operating system for best capture performance?
+----------------------------------------------------------------
+
+Here are some pointers to more information:
+
+* Fabian Schneider's research on `high performance packet capture
+  <http://www.net.t-labs.tu-berlin.de/research/hppc>`_
+
+* `NSMWiki <http://nsmwiki.org/Main_Page>`_ has page on
+  *Collecting Data*.
+
+* An `IMC 2010 paper
+  <http://conferences.sigcomm.org/imc/2010/papers/p206.pdf>`_ by
+  Lothar Braun et. al evaluates packet capture performance on
+  commodity hardware
+
+Are there any gotchas regarding interface configuration for live capture?  Or why might I be seeing abnormally large packets much greater than interface MTU?
+-------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Some NICs offload the reassembly of traffic into "superpackets" so that
+fewer packets are then passed up the stack (e.g. "TCP segmentation
+offload", or "generic segmentation offload").  The result is that the
+capturing application will observe packets much larger than the MTU size
+of the interface they were captured from and may also interfere with the
+maximum packet capture length, ``snaplen``, so it's a good idea to disable
+an interface's offloading features.
+
+You can use the ``ethtool`` program on Linux to view and disable
+offloading features of an interface.  See this page for more explicit
+directions:
+
+http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
+
+What does an error message like ``internal error: NB-DNS error`` mean?
+---------------------------------------------------------------------------------------------------------------------------------
+
+That often means that DNS is not set up correctly on the system
+running Bro. Try verifying from the command line that DNS lookups
+work, e.g., ``host www.google.com``.
+
+I am using OpenBSD and having problems installing Bro?
+------------------------------------------------------
+
+One potential issue is that the top-level Makefile may not work with
+OpenBSD's default make program, in which case you can either install
+the ``gmake`` package and use it instead or first change into the
+``build/`` directory before doing either ``make`` or ``make install``
+such that the CMake-generated Makefile's are used directly.
+
+Generally, please note that we do not regularly test OpenBSD builds.
+We appreciate any patches that improve Bro's support for this
+platform.
+
+
+Usage
+=====
+
+How can I identify backscatter?
+-------------------------------
+
+Identifying backscatter via connections labeled as ``OTH`` is not a reliable
+means to detect backscatter. Backscatter is however visible by interpreting
+the contents of the ``history`` field in the ``conn.log`` file. The basic idea
+is to watch for connections that never had an initial ``SYN`` but started
+instead with a ``SYN-ACK`` or ``RST`` (though this latter generally is just
+discarded). Here are some history fields which provide backscatter examples:
+``hAFf``, ``r``. Refer to the conn protocol analysis scripts to interpret the
+individual character meanings in the history field.
+
+Is there help for understanding Bro's resource consumption?
+-----------------------------------------------------------
+
+There are two scripts that collect statistics on resource usage:
+``misc/stats.bro`` and ``misc/profiling.bro``. The former is quite
+lightweight, while the latter should only be used for debugging.
+
+How can I capture packets as an unprivileged user?
+--------------------------------------------------
+
+Normally, unprivileged users cannot capture packets from a network interface,
+which means they would not be able to use Bro to read/analyze live traffic.
+However, there are operating system specific ways to enable packet capture
+permission for non-root users, which is worth doing in the context of using
+Bro to monitor live traffic.
+
+With Linux Capabilities
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Fully implemented since Linux kernel 2.6.24, capabilities are a way of
+parceling superuser privileges into distinct units.  Attach capabilities
+required to capture packets to the ``bro`` executable file like this:
+
+.. console::
+
+   sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro
+
+Now any unprivileged user should have the capability to capture packets
+using Bro provided that they have the traditional file permissions to
+read/execute the ``bro`` binary.
+
+With BPF Devices
+^^^^^^^^^^^^^^^^
+
+Systems using Berkeley Packet Filter (BPF) (e.g. FreeBSD & Mac OS X)
+can allow users with read access to a BPF device to capture packets from
+it using libpcap.
+
+* Example of manually changing BPF device permissions to allow users in
+  the ``admin`` group to capture packets:
+
+.. console::
+
+   sudo chgrp admin /dev/bpf*
+   sudo chmod g+r /dev/bpf*
+
+* Example of configuring devfs to set permissions of BPF devices, adding
+  entries to ``/etc/devfs.conf`` to grant ``admin`` group permission to
+  capture packets:
+
+.. console::
+
+   sudo sh -c 'echo "own    bpf    root:admin" >> /etc/devfs.conf'
+   sudo sh -c 'echo "perm   bpf    0640" >> /etc/devfs.conf'
+   sudo service devfs restart
+
+.. note:: As of Mac OS X 10.6, the BPF device is on devfs, but the used version
+   of devfs isn't capable of setting the device permissions.  The permissions
+   can be changed manually, but they will not survive a reboot.
+
+Why isn't Bro producing the logs I expect? (A Note About Checksums)
+-------------------------------------------------------------------
+
+Normally, Bro's event engine will discard packets which don't have valid
+checksums.  This can be a problem if one wants to analyze locally
+generated/captured traffic on a system that offloads checksumming to the
+network adapter.  In that case, all transmitted/captured packets will have
+bad checksums because they haven't yet been calculated by the NIC, thus
+such packets will not undergo analysis defined in Bro policy scripts as they
+normally would.  Bad checksums in traces may also be a result of some packet
+alteration tools.
+
+Bro has two options to workaround such situations and ignore bad checksums:
+
+1) The ``-C`` command line option to ``bro``.
+2) An option called ``ignore_checksums`` that can be redefined at the
+   policy script layer (e.g. in your ``$PREFIX/share/bro/site/local.bro``):
+
+    .. code:: bro
+
+      redef ignore_checksums = T;
+
+The other alternative is to disable checksum offloading for your
+network adapter, but this is not always possible or desirable.
+
+.. raw:: html
+
+    </div>
diff --git a/doc/geoip.rst b/doc/geoip.rst
new file mode 100644
index 0000000000..bd9ae0c08d
--- /dev/null
+++ b/doc/geoip.rst
@@ -0,0 +1,102 @@
+
+===========
+GeoLocation
+===========
+
+.. rst-class:: opening
+
+    During the process of creating policy scripts the need may arise
+    to find the geographic location for an IP address. Bro has support
+    for the `GeoIP library <http://www.maxmind.com/app/c>`__ at the
+    policy script level beginning with release 1.3 to account for this
+    need.
+
+.. contents::
+
+GeoIPLite Database Installation
+------------------------------------
+
+A country database for GeoIPLite is included when you do the C API
+install, but for Bro, we are using the city database which includes
+cities and regions in addition to countries.
+
+`Download <http://www.maxmind.com/app/geolitecity>`__ the geolitecity
+binary database and follow the directions to install it.
+
+FreeBSD Quick Install
+---------------------
+
+.. console::
+
+    pkg_add -r GeoIP
+    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+    gunzip GeoLiteCity.dat.gz
+    mv GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat
+    
+    # Set your environment correctly before running Bro's configure script
+    export CFLAGS=-I/usr/local/include
+    export LDFLAGS=-L/usr/local/lib
+
+
+CentOS Quick Install
+--------------------
+
+.. console::
+
+    yum install GeoIP-devel
+    
+    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+    gunzip GeoLiteCity.dat.gz
+    mkdir -p /var/lib/GeoIP/
+    mv GeoLiteCity.dat /var/lib/GeoIP/GeoIPCity.dat
+    
+    # Set your environment correctly before running Bro's configure script
+    export CFLAGS=-I/usr/local/include
+    export LDFLAGS=-L/usr/local/lib
+
+
+Usage
+-----
+
+There is a single built in function that provides the GeoIP
+functionality:
+
+.. code:: bro
+
+    function lookup_location(a:addr): geo_location
+
+There is also the ``geo_location`` data structure that is returned
+from the ``lookup_location`` function:
+
+.. code:: bro
+
+    type geo_location: record {
+      country_code: string;
+      region: string;
+      city: string;
+      latitude: double;
+      longitude: double;
+    };
+
+
+Example
+-------
+
+To write a line in a log file for every ftp connection from hosts in
+Ohio, this is now very easy:
+
+.. code:: bro
+
+    global ftp_location_log: file = open_log_file("ftp-location");
+    
+    event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
+    {
+      local client = c$id$orig_h;
+      local loc = lookup_location(client);
+      if (loc$region == "OH" && loc$country_code == "US")
+      {
+        print ftp_location_log, fmt("FTP Connection from:%s (%s,%s,%s)", client, loc$city, loc$region, loc$country_code); 
+      }
+    }
+
+
diff --git a/doc/images/deployment.png b/doc/images/deployment.png
new file mode 100644
index 0000000000..abd9b92722
Binary files /dev/null and b/doc/images/deployment.png differ
diff --git a/doc/index.rst b/doc/index.rst
new file mode 100644
index 0000000000..ec67b76fd8
--- /dev/null
+++ b/doc/index.rst
@@ -0,0 +1,89 @@
+.. Bro documentation master file
+
+=================
+Bro Documentation
+=================
+
+Guides
+------
+
+.. toctree::
+   :maxdepth: 1
+
+   INSTALL
+   quickstart
+   upgrade
+   faq
+   reporting-problems
+
+Frameworks
+----------
+
+.. toctree::
+   :maxdepth: 1
+
+   notice
+   logging
+   cluster
+   signatures
+
+How-Tos
+-------
+
+.. toctree::
+   :maxdepth: 1
+
+   geoip
+
+Script Reference
+----------------
+
+.. toctree::
+   :maxdepth: 1
+
+   scripts/packages
+   scripts/index
+   scripts/builtins
+   scripts/bifs
+
+Other Bro Components
+--------------------
+
+The following are snapshots of documentation for components that come
+with this version of Bro (|version|). Since they can also be used
+independently, see the `download page
+<http://bro-ids.org/download/index.html>`_ for documentation of any
+current, independent component releases.
+
+.. toctree::
+   :maxdepth: 1
+
+   BinPAC - A protocol parser generator <components/binpac/README>
+   Broccoli - The Bro Client Communication Library (README) <components/broccoli/README>
+   Broccoli - User Manual <components/broccoli/broccoli-manual>
+   Broccoli Python Bindings <components/broccoli-python/README>
+   Broccoli Ruby Bindings <components/broccoli-ruby/README>
+   BroControl - Interactive Bro management shell <components/broctl/README>
+   Bro-Aux - Small auxiliary tools for Bro <components/bro-aux/README>
+   BTest - A unit testing framework <components/btest/README>
+   Capstats - Command-line packet statistic tool <components/capstats/README>
+   PySubnetTree - Python module for CIDR lookups<components/pysubnettree/README>
+   trace-summary - Script for generating break-downs of network traffic <components/trace-summary/README>
+
+The `Broccoli API Reference <broccoli-api/index.html>`_ may also be of
+interest.
+
+Other Indices and References
+----------------------------
+
+* :ref:`General Index <genindex>`
+* `Notice Index <bro-noticeindex.html>`_
+* :ref:`search`
+
+Internal References
+-------------------
+
+.. toctree::
+   :maxdepth: 1
+
+   scripts/internal
diff --git a/doc/logging.rst b/doc/logging.rst
new file mode 100644
index 0000000000..30a793df7d
--- /dev/null
+++ b/doc/logging.rst
@@ -0,0 +1,375 @@
+==========================
+Customizing Bro's Logging
+==========================
+
+.. rst-class:: opening
+
+   Bro comes with a flexible key-value based logging interface that
+   allows fine-grained control of what gets logged and how it is
+   logged. This document describes how logging can be customized and
+   extended.
+
+.. contents::
+
+Terminology
+===========
+
+Bro's logging interface is built around three main abstractions:
+
+    Log streams
+        A stream corresponds to a single log. It defines the set of
+        fields that a log consists of with their names and fields.
+        Examples are the ``conn`` for recording connection summaries,
+        and the ``http`` stream for recording HTTP activity.
+
+    Filters
+        Each stream has a set of filters attached to it that determine
+        what information gets written out. By default, each stream has
+        one default filter that just logs everything directly to disk
+        with an automatically generated file name. However, further
+        filters can be added to record only a subset, split a stream
+        into different outputs, or to even duplicate the log to
+        multiple outputs. If all filters are removed from a stream,
+        all output is disabled.
+
+    Writers
+        A writer defines the actual output format for the information
+        being logged. At the moment, Bro comes with only one type of
+        writer, which produces tab separated ASCII files. In the 
+        future we will add further writers, like for binary output and
+        direct logging into a database.
+
+Basics
+======
+
+The data fields that a stream records are defined by a record type
+specified when it is created. Let's look at the script generating Bro's
+connection summaries as an example,
+:doc:`scripts/base/protocols/conn/main`. It defines a record
+:bro:type:`Conn::Info` that lists all the fields that go into
+``conn.log``, each marked with a ``&log`` attribute indicating that it
+is part of the information written out. To write a log record, the
+script then passes an instance of :bro:type:`Conn::Info` to the logging
+framework's :bro:id:`Log::write` function.
+
+By default, each stream automatically gets a filter named ``default``
+that generates the normal output by recording all record fields into a
+single output file.
+
+In the following, we summarize ways in which the logging can be
+customized. We continue using the connection summaries as our example
+to work with.
+
+Filtering
+---------
+
+To create a new output file for an existing stream, you can add a
+new filter. A filter can, e.g., restrict the set of fields being
+logged:
+
+.. code:: bro
+
+    event bro_init()
+        {
+        # Add a new filter to the Conn::LOG stream that logs only
+        # timestamp and originator address.
+        local filter: Log::Filter = [$name="orig-only", $path="origs", $include=set("ts", "id.orig_h")];
+        Log::add_filter(Conn::LOG, filter);
+        }
+
+Note the fields that are set for the filter:
+
+    ``name``
+        A mandatory name for the filter that can later be used
+        to manipulate it further.
+
+    ``path``
+        The filename for the output file, without any extension (which
+        may be automatically added by the writer). Default path values
+        are generated by taking the stream's ID and munging it slightly.
+        :bro:enum:`Conn::LOG` is converted into ``conn``,
+        :bro:enum:`PacketFilter::LOG` is converted into
+        ``packet_filter``, and :bro:enum:`Notice::POLICY_LOG` is
+        converted into ``notice_policy``.
+
+    ``include``
+        A set limiting the fields to the ones given. The names
+        correspond to those in the :bro:type:`Conn::Info` record, with
+        sub-records unrolled by concatenating fields (separated with 
+        dots).
+
+Using the code above, you will now get a new log file ``origs.log``
+that looks like this::
+
+    #separator \x09
+    #path   origs
+    #fields ts      id.orig_h
+    #types  time    addr
+    1128727430.350788       141.42.64.125
+    1128727435.450898       141.42.64.125
+
+If you want to make this the only log file for the stream, you can
+remove the default filter (which, conveniently, has the name
+``default``):
+
+.. code:: bro
+
+    event bro_init()
+        {
+        # Remove the filter called "default".
+        Log::remove_filter(Conn::LOG, "default");
+        }
+
+An alternate approach to "turning off" a log is to completely disable
+the stream:
+
+.. code:: bro
+
+    event bro_init()
+        {
+        Log::disable_stream(Conn::LOG);
+        }
+
+If you want to skip only some fields but keep the rest, there is a
+corresponding ``exclude`` filter attribute that you can use instead of
+``include`` to list only the ones you are not interested in.
+
+A filter can also determine output paths *dynamically* based on the
+record being logged. That allows, e.g., to record local and remote
+connections into separate files. To do this, you define a function
+that returns the desired path:
+
+.. code:: bro
+
+    function split_log(id: Log::ID, path: string, rec: Conn::Info) : string
+        {
+        # Return "conn-local" if originator is a local IP, otherwise "conn-remote".
+        local lr = Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+        return fmt("%s-%s", path, lr);
+        }
+
+    event bro_init()
+        {
+        local filter: Log::Filter = [$name="conn-split", $path_func=split_log, $include=set("ts", "id.orig_h")];
+        Log::add_filter(Conn::LOG, filter);
+        }   
+
+Running this will now produce two files, ``local.log`` and
+``remote.log``, with the corresponding entries. One could extend this
+further for example to log information by subnets or even by IP
+address. Be careful, however, as it is easy to create many files very
+quickly ...
+
+.. sidebar:: A More Generic Path Function
+
+    The ``split_log`` method has one draw-back: it can be used
+    only with the :bro:enum:`Conn::LOG` stream as the record type is hardcoded
+    into its argument list. However, Bro allows to do a more generic
+    variant:
+
+    .. code:: bro
+
+        function split_log(id: Log::ID, path: string, rec: record { id: conn_id; } ) : string
+            {
+            return Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+            }
+
+    This function can be used with all log streams that have records
+    containing an ``id: conn_id`` field.
+
+While so far we have seen how to customize the columns being logged,
+you can also control which records are written out by providing a
+predicate that will be called for each log record:
+
+.. code:: bro
+
+    function http_only(rec: Conn::Info) : bool
+        {
+        # Record only connections with successfully analyzed HTTP traffic
+        return rec$service == "http";
+        }
+
+    event bro_init()
+        {
+        local filter: Log::Filter = [$name="http-only", $path="conn-http", $pred=http_only];
+        Log::add_filter(Conn::LOG, filter);
+        }
+
+This will result in a log file ``conn-http.log`` that contains only
+traffic detected and analyzed as HTTP traffic.
+
+Extending
+---------
+
+You can add further fields to a log stream by extending the record
+type that defines its content. Let's say we want to add a boolean
+field ``is_private`` to :bro:type:`Conn::Info` that indicates whether the
+originator IP address is part of the :rfc:`1918` space:
+
+.. code:: bro
+
+    # Add a field to the connection log record.
+    redef record Conn::Info += {
+        ## Indicate if the originator of the connection is part of the
+        ## "private" address space defined in RFC1918.
+        is_private: bool &default=F &log;
+    };
+
+
+Now we need to set the field. A connection's summary is generated at
+the time its state is removed from memory. We can add another handler
+at that time that sets our field correctly:
+
+.. code:: bro
+
+    event connection_state_remove(c: connection)
+        {
+        if ( c$id$orig_h in Site::private_address_space )
+            c$conn$is_private = T;
+        }
+
+Now ``conn.log`` will show a new field ``is_private`` of type
+``bool``.
+
+Notes:
+
+- For extending logs this way, one needs a bit of knowledge about how
+  the script that creates the log stream is organizing its state
+  keeping. Most of the standard Bro scripts attach their log state to
+  the :bro:type:`connection` record where it can then be accessed, just
+  as the ``c$conn`` above. For example, the HTTP analysis adds a field
+  ``http`` of type :bro:type:`HTTP::Info` to the :bro:type:`connection`
+  record. See the script reference for more information.
+
+- When extending records as shown above, the new fields must always be
+  declared either with a ``&default`` value or as ``&optional``.
+  Furthermore, you need to add the ``&log`` attribute or otherwise the
+  field won't appear in the output.
+
+Hooking into the Logging
+------------------------
+
+Sometimes it is helpful to do additional analysis of the information
+being logged. For these cases, a stream can specify an event that will
+be generated every time a log record is written to it. All of Bro's
+default log streams define such an event. For example, the connection
+log stream raises the event :bro:id:`Conn::log_conn`. You
+could use that for example for flagging when a connection to a
+specific destination exceeds a certain duration:
+
+.. code:: bro
+
+    redef enum Notice::Type += {
+        ## Indicates that a connection remained established longer 
+        ## than 5 minutes.
+        Long_Conn_Found
+    };
+
+    event Conn::log_conn(rec: Conn::Info)
+        {
+        if ( rec$duration > 5mins )
+            NOTICE([$note=Long_Conn_Found, 
+                    $msg=fmt("unusually long conn to %s", rec$id$resp_h), 
+                    $id=rec$id]);
+        }
+
+Often, these events can be an alternative to post-processing Bro logs
+externally with Perl scripts. Much of what such an external script
+would do later offline, one may instead do directly inside of Bro in
+real-time.
+
+Rotation
+--------
+
+By default, no log rotation occurs, but it's globally controllable for all
+filters by redefining the :bro:id:`Log::default_rotation_interval` option:
+
+.. code:: bro
+
+    redef Log::default_rotation_interval = 1 hr;
+
+Or specifically for certain :bro:type:`Log::Filter` instances by setting
+their ``interv`` field.  Here's an example of changing just the
+:bro:enum:`Conn::LOG` stream's default filter rotation.
+
+.. code:: bro
+
+    event bro_init()
+        {
+        local f = Log::get_filter(Conn::LOG, "default");
+        f$interv = 1 min;
+        Log::remove_filter(Conn::LOG, "default");
+        Log::add_filter(Conn::LOG, f);
+        }
+
+ASCII Writer Configuration
+--------------------------
+
+The ASCII writer has a number of options for customizing the format of
+its output, see :doc:`scripts/base/frameworks/logging/writers/ascii`.
+
+Adding Streams
+==============
+
+It's easy to create a new log stream for custom scripts. Here's an
+example for the ``Foo`` module:
+
+.. code:: bro
+
+    module Foo;
+
+    export {
+        # Create an ID for our new stream. By convention, this is
+        # called "LOG".
+        redef enum Log::ID += { LOG };
+
+        # Define the fields. By convention, the type is called "Info".
+        type Info: record {
+            ts: time     &log;
+            id: conn_id  &log;
+        };
+
+        # Define a hook event. By convention, this is called
+        # "log_<stream>".
+        global log_foo: event(rec: Info);
+        
+    }
+
+    # This event should be handled at a higher priority so that when
+    # users modify your stream later and they do it at priority 0, 
+    # their code runs after this.
+    event bro_init() &priority=5
+        {
+        # Create the stream. This also adds a default filter automatically.
+        Log::create_stream(Foo::LOG, [$columns=Info, $ev=log_foo]);
+        }
+
+You can also add the state to the :bro:type:`connection` record to make
+it easily accessible across event handlers:
+
+.. code:: bro
+
+    redef record connection += {
+        foo: Info &optional;
+        }
+
+Now you can use the :bro:id:`Log::write` method to output log records and 
+save the logged ``Foo::Info`` record into the connection record:
+
+.. code:: bro
+
+    event connection_established(c: connection)
+        {
+        local rec: Foo::Info = [$ts=network_time(), $id=c$id];
+        c$foo = rec;
+        Log::write(Foo::LOG, rec);
+        }
+
+See the existing scripts for how to work with such a new connection
+field. A simple example is :doc:`scripts/base/protocols/syslog/main`. 
+
+When you are developing scripts that add data to the :bro:type:`connection`
+record, care must be given to when and how long data is stored.
+Normally data saved to the connection record will remain there for the
+duration of the connection and from a practical perspective it's not
+uncommon to need to delete that data before the end of the connection.
diff --git a/doc/notice.rst b/doc/notice.rst
new file mode 100644
index 0000000000..5849e605a9
--- /dev/null
+++ b/doc/notice.rst
@@ -0,0 +1,395 @@
+
+Notice Framework
+================
+
+.. rst-class:: opening
+
+    One of the easiest ways to customize Bro is writing a local notice
+    policy. Bro can detect a large number of potentially interesting
+    situations, and the notice policy tells which of them the user wants to be
+    acted upon in some manner. In particular, the notice policy can specify
+    actions to be taken, such as sending an email or compiling regular
+    alarm emails.  This page gives an introduction into writing such a notice
+    policy.
+
+.. contents::
+
+Overview
+--------
+
+Let's start with a little bit of background on Bro's philosophy on reporting
+things. Bro ships with a large number of policy scripts which perform a wide
+variety of analyses. Most of these scripts monitor for activity which might be
+of interest for the user. However, none of these scripts determines the
+importance of what it finds itself. Instead, the scripts only flag situations
+as *potentially* interesting, leaving it to the local configuration to define
+which of them are in fact actionable. This decoupling of detection and
+reporting allows Bro to address the different needs that sites have:
+definitions of what constitutes an attack or even a compromise differ quite a
+bit between environments, and activity deemed malicious at one site might be
+fully acceptable at another.
+
+Whenever one of Bro's analysis scripts sees something potentially
+interesting it flags the situation by calling the :bro:see:`NOTICE`
+function and giving it a single :bro:see:`Notice::Info` record. A Notice
+has a :bro:see:`Notice::Type`, which reflects the kind of activity that
+has been seen, and it is usually also augmented with further context
+about the situation.
+
+More information about raising notices can be found in the `Raising Notices`_
+section.
+
+Once a notice is raised, it can have any number of actions applied to it by
+the :bro:see:`Notice::policy` set which is described in the `Notice Policy`_
+section below. Such actions can be to send a mail to the configured
+address(es) or to simply ignore the notice. Currently, the following actions
+are defined:
+
+.. list-table::
+    :widths: 20 80
+    :header-rows: 1
+
+    * - Action
+      - Description
+
+    * - Notice::ACTION_LOG
+      - Write the notice to the :bro:see:`Notice::LOG` logging stream.
+
+    * - Notice::ACTION_ALARM
+      - Log into the :bro:see:`Notice::ALARM_LOG` stream which will rotate
+        hourly and email the contents to the email address or addresses
+        defined in the :bro:see:`Notice::mail_dest` variable.
+
+    * - Notice::ACTION_EMAIL
+      - Send the notice in an email to the email address or addresses given in
+        the :bro:see:`Notice::mail_dest` variable.
+
+    * - Notice::ACTION_PAGE
+      - Send an email to the email address or addresses given in the
+        :bro:see:`Notice::mail_page_dest` variable.
+
+    * - Notice::ACTION_NO_SUPPRESS
+      - This action will disable the built in notice suppression for the
+        notice. Keep in mind that this action will need to be applied to
+        every notice that shouldn't be suppressed including each of the future
+        notices that would have normally been suppressed.
+
+How these notice actions are applied to notices is discussed in the 
+`Notice Policy`_ and `Notice Policy Shortcuts`_ sections.
+
+Processing Notices
+------------------
+
+Notice Policy
+*************
+
+The predefined set :bro:see:`Notice::policy` provides the mechanism for
+applying actions and other behavior modifications to notices. Each entry
+of :bro:see:`Notice::policy` is a record of the type
+:bro:see:`Notice::PolicyItem` which defines a condition to be matched
+against all raised notices and one or more of a variety of behavior
+modifiers. The notice policy is defined by adding any number of
+:bro:see:`Notice::PolicyItem` records to the :bro:see:`Notice::policy`
+set.
+
+Here's a simple example which tells Bro to send an email for all notices of
+type :bro:see:`SSH::Login` if the server is 10.0.0.1:
+
+.. code:: bro
+
+    redef Notice::policy += {
+      [$pred(n: Notice::Info) = {
+         return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+       },
+       $action = Notice::ACTION_EMAIL]
+      };
+
+.. note::
+
+    Keep in mind that the semantics of the SSH::Login notice are
+    such that it is only raised when Bro heuristically detects a successful
+    login. No apparently failed logins will raise this notice.
+
+While the syntax might look a bit convoluted at first, it provides a lot of
+flexibility due to having access to Bro's full programming language.
+
+Predicate Field
+^^^^^^^^^^^^^^^
+
+The :bro:see:`Notice::PolicyItem` record type has a field name ``$pred``
+which defines the entry's condition in the form of a predicate written
+as a Bro function. The function is passed the notice as a
+:bro:see:`Notice::Info` record and it returns a boolean value indicating
+if the entry is applicable to that particular notice.
+
+.. note::
+
+    The lack of a predicate in a ``Notice::PolicyItem`` is implicitly true
+    (``T``) since an implicit false (``F``) value would never be used.
+
+Bro evaluates the predicates of each entry in the order defined by the
+``$priority`` field in :bro:see:`Notice::PolicyItem` records. The valid
+values are 0-10 with 10 being earliest evaluated. If ``$priority`` is
+omitted, the default priority is 5.
+
+Behavior Modification Fields
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+There are a set of fields in the :bro:see:`Notice::PolicyItem` record type that
+indicate ways that either the notice or notice processing should be modified
+if the predicate field (``$pred``) evaluated to true (``T``). Those fields are
+explained in more detail in the following table.
+
+.. list-table::
+    :widths: 20 30 20
+    :header-rows: 1
+
+    * - Field
+      - Description
+      - Example
+
+    * - ``$action=<Notice::Action>``
+      - Each :bro:see:`Notice::PolicyItem` can have a single action
+        applied to the notice with this field.
+      - ``$action = Notice::ACTION_EMAIL``
+
+    * - ``$suppress_for=<interval>`` 
+      - This field makes it possible for a user to modify the behavior of the
+        notice framework's automated suppression of intrinsically similar
+        notices. More information about the notice framework's automated
+        suppression can be found in the `Automated Suppression`_ section of
+        this document.
+      - ``$suppress_for = 10mins``
+
+    * - ``$halt=<bool>``
+      - This field can be used for modification of the notice policy
+        evaluation. To stop processing of notice policy items before
+        evaluating all of them, set this field to ``T`` and make the ``$pred``
+        field return ``T``. :bro:see:`Notice::PolicyItem` records defined at
+        a higher priority as defined by the ``$priority`` field will still be
+        evaluated but those at a lower priority won't.
+      - ``$halt = T``
+
+
+
+.. code:: bro
+
+    redef Notice::policy += {
+      [$pred(n: Notice::Info) = {
+         return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+       },
+       $action = Notice::ACTION_EMAIL,
+       $priority=5]
+      };
+
+
+Notice Policy Shortcuts
+***********************
+
+Although the notice framework provides a great deal of flexibility and
+configurability there are many times that the full expressiveness isn't needed
+and actually becomes a hindrance to achieving results. The framework provides
+a default :bro:see:`Notice::policy` suite as a way of giving users the
+shortcuts to easily apply many common actions to notices.
+
+These are implemented as sets and tables indexed with a
+:bro:see:`Notice::Type` enum value. The following table shows and describes
+all of the variables available for shortcut configuration of the notice
+framework.
+
+.. list-table::
+    :widths: 32 40
+    :header-rows: 1
+
+    * - Variable name
+      - Description
+
+    * - :bro:see:`Notice::ignored_types`
+      - Adding a :bro:see:`Notice::Type` to this set results in the notice
+        being ignored. It won't have any other action applied to it, not even
+        :bro:see:`Notice::ACTION_LOG`.
+
+    * - :bro:see:`Notice::emailed_types`
+      - Adding a :bro:see:`Notice::Type` to this set results in
+        :bro:see:`Notice::ACTION_EMAIL` being applied to the notices of
+        that type.
+
+    * - :bro:see:`Notice::alarmed_types`
+      - Adding a :bro:see:`Notice::Type` to this set results in
+        :bro:see:`Notice::ACTION_ALARM` being applied to the notices of
+        that type.
+
+    * - :bro:see:`Notice::not_suppressed_types`
+      - Adding a :bro:see:`Notice::Type` to this set results in that notice
+        no longer undergoing the normal notice suppression that would
+        take place. Be careful when using this in production it could
+        result in a dramatic increase in the number of notices being
+        processed.
+
+    * - :bro:see:`Notice::type_suppression_intervals`
+      - This is a table indexed on :bro:see:`Notice::Type` and yielding an
+        interval.  It can be used as an easy way to extend the default
+        suppression interval for an entire :bro:see:`Notice::Type`
+        without having to create a whole :bro:see:`Notice::policy` entry
+        and setting the ``$suppress_for`` field.
+
+Raising Notices
+---------------
+
+A script should raise a notice for any occurrence that a user may want
+to be notified about or take action on. For example, whenever the base
+SSH analysis scripts sees an SSH session where it is heuristically
+guessed to be a successful login, it raises a Notice of the type
+:bro:see:`SSH::Login`. The code in the base SSH analysis script looks
+like this:
+
+.. code:: bro
+
+    NOTICE([$note=SSH::Login, 
+            $msg="Heuristically detected successful SSH login.",
+            $conn=c]);
+
+:bro:see:`NOTICE` is a normal function in the global namespace which
+wraps a function within the ``Notice`` namespace. It takes a single
+argument of the :bro:see:`Notice::Info` record type. The most common
+fields used when raising notices are described in the following table:
+
+.. list-table::
+    :widths: 32 40
+    :header-rows: 1
+
+    * - Field name
+      - Description
+
+    * - ``$note``
+      - This field is required and is an enum value which represents the
+        notice type.  
+
+    * - ``$msg``
+      - This is a human readable message which is meant to provide more
+        information about this particular instance of the notice type.
+
+    * - ``$sub``
+      - This is a sub-message meant for human readability but will
+        frequently also be used to contain data meant to be matched with the
+        ``Notice::policy``.
+
+    * - ``$conn``
+      - If a connection record is available when the notice is being raised
+        and the notice represents some attribute of the connection, then the
+        connection record can be given here. Other fields such as ``$id`` and
+        ``$src`` will automatically be populated from this value.
+
+    * - ``$id``
+      - If a conn_id record is available when the notice is being raised and
+        the notice represents some attribute of the connection, then the
+        connection can be given here. Other fields such as ``$src`` will
+        automatically be populated from this value.
+
+    * - ``$src``
+      - If the notice represents an attribute of a single host then it's
+        possible that only this field should be filled out to represent the
+        host that is being "noticed".
+
+    * - ``$n``
+      - This normally represents a number if the notice has to do with some
+        number. It's most frequently used for numeric tests in the
+        ``Notice::policy`` for making policy decisions.
+
+    * - ``$identifier``
+      - This represents a unique identifier for this notice. This field is
+        described in more detail in the `Automated Suppression`_ section.
+
+    * - ``$suppress_for``
+      - This field can be set if there is a natural suppression interval for
+        the notice that may be different than the default value. The
+        value set to this field can also be modified by a user's
+        :bro:see:`Notice::policy` so the value is not set permanently
+        and unchangeably.
+
+When writing Bro scripts which raise notices, some thought should be given to
+what the notice represents and what data should be provided to give a consumer
+of the notice the best information about the notice. If the notice is
+representative of many connections and is an attribute of a host (e.g. a
+scanning host) it probably makes most sense to fill out the ``$src`` field and
+not give a connection or conn_id. If a notice is representative of a
+connection attribute (e.g. an apparent SSH login) then it makes sense to fill
+out either ``$conn`` or ``$id`` based on the data that is available when the
+notice is raised. Using care when inserting data into a notice will make later
+analysis easier when only the data to fully represent the occurrence that
+raised the notice is available. If complete connection information is
+available when an SSL server certificate is expiring, the logs will be very
+confusing because the connection that the certificate was detected on is a
+side topic to the fact that an expired certificate was detected. It's possible
+in many cases that two or more separate notices may need to be generated. As
+an example, one could be for the detection of the expired SSL certificate and
+another could be for if the client decided to go ahead with the connection
+neglecting the expired certificate.
+
+Automated Suppression
+---------------------
+
+The notice framework supports suppression for notices if the author of the
+script that is generating the notice has indicated to the notice framework how
+to identify notices that are intrinsically the same. Identification of these
+"intrinsically duplicate" notices is implemented with an optional field in
+:bro:see:`Notice::Info` records named ``$identifier`` which is a simple string.
+If the ``$identifier`` and ``$type`` fields are the same for two notices, the
+notice framework actually considers them to be the same thing and can use that
+information to suppress duplicates for a configurable period of time.
+
+.. note::
+
+    If the ``$identifier`` is left out of a notice, no notice suppression
+    takes place due to the framework's inability to identify duplicates. This
+    could be completely legitimate usage if no notices could ever be
+    considered to be duplicates.
+
+The ``$identifier`` field is typically comprised of several pieces of
+data related to the notice that when combined represent a unique
+instance of that notice. Here is an example of the script
+:doc:`scripts/policy/protocols/ssl/validate-certs` raising a notice
+for session negotiations where the certificate or certificate chain did
+not validate successfully against the available certificate authority
+certificates.
+
+.. code:: bro
+
+    NOTICE([$note=SSL::Invalid_Server_Cert, 
+            $msg=fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status),
+            $sub=c$ssl$subject, 
+            $conn=c,
+            $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);
+
+In the above example you can see that the ``$identifier`` field contains a
+string that is built from the responder IP address and port, the validation
+status message, and the MD5 sum of the server certificate. Those fields in
+particular are chosen because different SSL certificates could be seen on any
+port of a host, certificates could fail validation for different reasons, and
+multiple server certificates could be used on that combination of IP address
+and port with the ``server_name`` SSL extension (explaining the addition of
+the MD5 sum of the certificate). The result is that if a certificate fails
+validation and all four pieces of data match (IP address, port, validation
+status, and certificate hash) that particular notice won't be raised again for
+the default suppression period.
+
+Setting the ``$identifier`` field is left to those raising notices because
+it's assumed that the script author who is raising the notice understands the
+full problem set and edge cases of the notice which may not be readily
+apparent to users. If users don't want the suppression to take place or simply
+want a different interval, they can always modify it with the
+:bro:see:`Notice::policy`.
+
+
+Extending Notice Framework
+--------------------------
+
+Adding Custom Notice Actions
+****************************
+
+Extending Notice Emails
+***********************
+
+Cluster Considerations
+----------------------
+
diff --git a/doc/quickstart.rst b/doc/quickstart.rst
new file mode 100644
index 0000000000..5201420856
--- /dev/null
+++ b/doc/quickstart.rst
@@ -0,0 +1,592 @@
+.. _CMake: http://www.cmake.org
+.. _SWIG: http://www.swig.org
+.. _MacPorts: http://www.macports.org
+.. _Fink: http://www.finkproject.org
+.. _Homebrew: http://mxcl.github.com/homebrew
+.. _bro downloads page: http://bro-ids.org/download/index.html
+
+=================
+Quick Start Guide
+=================
+
+.. rst-class:: opening
+
+   The short story for getting Bro up and running in a simple configuration
+   for analysis of either live traffic from a network interface or a packet
+   capture trace file.
+
+.. contents::
+
+Installation
+============
+
+Bro works on most modern, Unix-based systems and requires no custom
+hardware.  It can be downloaded in either pre-built binary package or
+source code forms.
+
+Pre-Built Binary Release Packages
+---------------------------------
+
+See the `bro downloads page`_ for currently supported/targeted platforms.
+
+* RPM
+
+  .. console::
+
+      sudo yum localinstall Bro-*.rpm
+
+* DEB
+
+  .. console::
+
+      sudo gdebi Bro-*.deb
+
+* MacOS Disk Image with Installer
+
+  Just open the ``Bro-*.dmg`` and then run the ``.pkg`` installer.
+  Everything installed by the package will go into ``/opt/bro``.
+
+The primary install prefix for binary packages is ``/opt/bro``.
+Non-MacOS packages that include BroControl also put variable/runtime
+data (e.g. Bro logs) in ``/var/opt/bro``.
+
+Building From Source
+--------------------
+
+Required Dependencies
+~~~~~~~~~~~~~~~~~~~~~
+
+The following dependencies are required to build Bro:
+
+* RPM/RedHat-based Linux:
+
+  .. console::
+
+     sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel file-devel
+
+* DEB/Debian-based Linux:
+
+  .. console::
+
+     sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
+
+* FreeBSD
+
+  Most required dependencies should come with a minimal FreeBSD install
+  except for the following.
+
+  .. console::
+
+      sudo pkg_add -r bash cmake swig bison python
+
+  Note that ``bash`` needs to be in ``PATH``, which by default it is
+  not. The FreeBSD package installs the binary into
+  ``/usr/local/bin``.
+
+* Mac OS X
+
+  Snow Leopard (10.6) comes with all required dependencies except for CMake_.
+
+  Lion (10.7) comes with all required dependencies except for CMake_ and SWIG_.
+
+  Distributions of these dependencies can be obtained from the project websites
+  linked above, but they're also likely available from your preferred Mac OS X
+  package management system (e.g. MacPorts_, Fink_, or Homebrew_).
+
+  Note that the MacPorts ``swig`` package may not include any specific
+  language support so you may need to also install ``swig-ruby`` and
+  ``swig-python``.
+
+Optional Dependencies
+~~~~~~~~~~~~~~~~~~~~~
+
+Bro can use libGeoIP for geo-locating IP addresses, and sendmail for
+sending emails.
+
+* RPM/RedHat-based Linux:
+
+  .. console::
+
+      sudo yum install GeoIP-devel sendmail
+
+* DEB/Debian-based Linux:
+
+  .. console::
+
+      sudo apt-get install libgeoip-dev sendmail
+
+* Ports-based FreeBSD
+
+  .. console::
+
+      sudo pkg_add -r GeoIP
+
+  sendmail is typically already available.
+
+* Mac OS X
+
+  Vanilla OS X installations don't ship with libmagic or libGeoIP, but
+  if installed from your preferred package management system (e.g. MacPorts,
+  Fink, or Homebrew), they should be automatically detected and Bro will compile
+  against them.
+
+Additional steps may be needed to :doc:`get the right GeoIP database <geoip>`
+
+Compiling Bro Source Code
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Bro releases are bundled into source packages for convenience and
+available from the `bro downloads page`_.
+
+The latest Bro development versions are obtainable through git
+repositories hosted at `git.bro-ids.org <http://git.bro-ids.org>`_.  See
+our `git development documentation
+<http://bro-ids.org/development/process.html>`_ for comprehensive
+information on Bro's use of git revision control, but the short story
+for downloading the full source code experience for Bro via git is:
+
+.. console::
+
+    git clone --recursive git://git.bro-ids.org/bro
+
+.. note:: If you choose to clone the ``bro`` repository non-recursively for
+   a "minimal Bro experience", be aware that compiling it depends on
+   BinPAC, which has its own ``binpac`` repository.  Either install it
+   first or initialize/update the cloned ``bro`` repository's
+   ``aux/binpac`` submodule.
+
+See the ``INSTALL`` file included with the source code for more information
+on compiling, but this is the typical way to build and install from source
+(of course, changing the value of the ``--prefix`` option to point to the
+desired root install path):
+
+.. console::
+
+    ./configure --prefix=/desired/install/path
+    make
+    make install
+
+The default installation prefix is ``/usr/local/bro``, which would typically
+require root privileges when doing the ``make install``.
+
+Configure the Run-Time Environment
+----------------------------------
+
+Just remember that you may need to adjust your ``PATH`` environment variable
+according to the platform/shell/package you're using.  For example:
+
+Bourne-Shell Syntax:
+
+.. console::
+
+   export PATH=/usr/local/bro/bin:$PATH
+
+C-Shell Syntax:
+
+.. console::
+
+   setenv PATH /usr/local/bro/bin:$PATH
+
+Or substitute ``/opt/bro/bin`` instead if you installed from a binary package.
+
+Using BroControl
+================
+
+BroControl is an interactive shell for easily operating/managing Bro
+installations on a single system or even across multiple systems in a
+traffic-monitoring cluster.
+
+.. note:: Below, ``$PREFIX`` is used to reference the Bro installation
+   root directory.
+
+A Minimal Starting Configuration
+--------------------------------
+
+These are the basic configuration changes to make for a minimal BroControl installation
+that will manage a single Bro instance on the ``localhost``:
+
+1) In ``$PREFIX/etc/node.cfg``, set the right interface to monitor.
+2) In ``$PREFIX/etc/networks.cfg``, comment out the default settings and add
+   the networks that Bro will consider local to the monitored environment.
+3) In ``$PREFIX/etc/broctl.cfg``, change the ``MailTo`` email address to a
+   desired recipient and the ``LogRotationInterval`` to a desired log
+   archival frequency.
+
+Now start the BroControl shell like:
+
+.. console::
+
+   broctl
+
+Since this is the first-time use of the shell, perform an initial installation
+of the BroControl configuration:
+
+.. console::
+
+   [BroControl] > install
+
+Then start up a Bro instance:
+
+.. console::
+
+   [BroControl] > start
+
+If there are errors while trying to start the Bro instance, you can
+can view the details with the ``diag`` command.  If started successfully,
+the Bro instance will begin analyzing traffic according to a default
+policy and output the results in ``$PREFIX/logs``.
+
+.. note:: The user starting BroControl needs permission to capture
+   network traffic. If you are not root, you may need to grant further
+   privileges to the account you're using; see the :doc:`FAQ <faq>`.
+   Also, if it looks like Bro is not seeing any traffic, check out
+   the FAQ entry on checksum offloading.
+
+You can leave it running for now, but to stop this Bro instance you would do:
+
+.. console::
+
+   [BroControl] > stop
+
+We also recommend to insert the following entry into `crontab`::
+
+      0-59/5 * * * * $PREFIX/bin/broctl cron
+
+This will perform a number of regular housekeeping tasks, including
+verifying that the process is still running (and restarting if not in
+case of any abnormal termination).
+
+Browsing Log Files
+------------------
+
+By default, logs are written out in human-readable (ASCII) format and
+data is organized into columns (tab-delimited). Logs that are part of
+the current rotation interval are accumulated in
+``$PREFIX/logs/current/`` (if Bro is not running, the directory will
+be empty). For example, the ``http.log`` contains the results of Bro
+HTTP protocol analysis. Here are the first few columns of
+``http.log``::
+
+    # ts          uid          orig_h        orig_p  resp_h         resp_p
+    1311627961.8  HSH4uV8KVJg  192.168.1.100 52303   192.150.187.43 80
+
+Logs that deal with analysis of a network protocol will often start like this:
+a timestamp, a unique connection identifier (UID), and a connection 4-tuple
+(originator host/port and responder host/port).  The UID can be used to
+identify all logged activity (possibly across multiple log files) associated
+with a given connection 4-tuple over its lifetime.
+
+The remaining columns of protocol-specific logs then detail the
+protocol-dependent activity that's occurring.  E.g. ``http.log``'s next few
+columns (shortened for brevity) show a request to the root of Bro website::
+
+    # method   host         uri  referrer  user_agent
+    GET        bro-ids.org  /    -         <...>Chrome/12.0.742.122<...>
+
+Some logs are worth explicit mention:
+
+    ``weird.log``
+        Contains unusual/exceptional activity that can indicate
+        malformed connections, traffic that doesn't conform to a particular
+        protocol, malfunctioning/misconfigured hardware, or even an attacker
+        attempting to avoid/confuse a sensor.  Without context, it's hard to
+        judge whether this category of activity is interesting and so that is
+        left up to the user to configure.
+
+    ``notice.log``
+        Identifies specific activity that Bro recognizes as
+        potentially interesting, odd, or bad. In Bro-speak, such
+        activity is called a "notice".
+
+
+By default, ``BroControl`` regularly takes all the logs from
+``$PREFIX/logs/current`` and archives/compresses them to a directory
+named by date, e.g. ``$PREFIX/logs/2011-10-06``.  The frequency at
+which this is done can be configured via the ``LogRotationInterval``
+option in ``$PREFIX/etc/broctl.cfg``.
+
+Deployment Customization
+------------------------
+
+The goal of most Bro *deployments* may be to send email alarms when a network
+event requires human intervention/investigation, but sometimes that conflicts
+with Bro's goal as a *distribution* to remain policy and site neutral -- the
+events on one network may be less noteworthy than the same events on another.
+As a result, deploying Bro can be an iterative process of
+updating its policy to take different actions for events that are noticed, and
+using its scripting language to programmatically extend traffic analysis
+in a precise way.
+
+One of the first steps to take in customizing Bro might be to get familiar
+with the notices it can generate by default and either tone down or escalate
+the action that's taken when specific ones occur.
+
+Let's say that we've been looking at the ``notice.log`` for a bit and see two
+changes we want to make:
+
+1) ``SSL::Invalid_Server_Cert`` (found in the ``note`` column) is one type of
+   notice that means an SSL connection was established and the server's
+   certificate couldn't be validated using Bro's default trust roots, but
+   we want to ignore it.
+2) ``SSH::Login`` is a notice type that is triggered when an SSH connection
+   attempt looks like it may have been successful, and we want email when
+   that happens, but only for certain servers.
+
+So we've defined *what* we want to do, but need to know *where* to do it.
+The answer is to use a script written in the Bro programming language, so
+let's do a quick intro to Bro scripting.
+
+Bro Scripts
+~~~~~~~~~~~
+
+Bro ships with many pre-written scripts that are highly customizable
+to support traffic analysis for your specific environment.  By
+default, these will be installed into ``$PREFIX/share/bro`` and can be
+identified by the use of a ``.bro`` file name extension.  These files
+should **never** be edited directly as changes will be lost when
+upgrading to newer versions of Bro.  The exception to this rule is the
+directory ``$PREFIX/share/bro/site`` where local site-specific files
+can be put without fear of being clobbered later. The other main
+script directories under ``$PREFIX/share/bro`` are ``base`` and
+``policy``.  By default, Bro automatically loads all scripts under
+``base`` (unless the ``-b`` command line option is supplied), which
+deal either with collecting basic/useful state about network
+activities or providing frameworks/utilities that extend Bro's
+functionality without any performance cost.  Scripts under the
+``policy`` directory may be more situational or costly, and so users
+must explicitly choose if they want to load them.
+
+The main entry point for the default analysis configuration of a standalone
+Bro instance managed by BroControl is the ``$PREFIX/share/bro/site/local.bro``
+script.  So we'll be adding to that in the following sections, but first
+we have to figure out what to add.
+
+Redefining Script Option Variables
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Many simple customizations just require you to redefine a variable
+from a standard Bro script with your own value, using Bro's ``redef``
+operator.
+
+The typical way a standard Bro script advertises tweak-able options to users
+is by defining variables with the ``&redef`` attribute and ``const`` qualifier. 
+A redefineable constant might seem strange, but what that really means is that
+the variable's value may not change at run-time, but whose initial value can be
+modified via the ``redef`` operator at parse-time.
+
+So let's continue on our path to modify the behavior for the two SSL
+and SSH notices.  Looking at :doc:`scripts/base/frameworks/notice/main`,
+we see that it advertises:
+
+.. code:: bro
+
+    module Notice;
+
+    export {
+        ...
+        ## Ignored notice types.
+        const ignored_types: set[Notice::Type] = {} &redef;
+    }
+
+That's exactly what we want to do for the SSL notice.  So add to ``local.bro``:
+
+.. code:: bro
+
+    redef Notice::ignored_types += { SSL::Invalid_Server_Cert };
+
+.. note:: The ``Notice`` namespace scoping is necessary here because the
+   variable was declared and exported inside the ``Notice`` module, but is
+   being referenced from outside of it.  Variables declared and exported
+   inside a module do not have to be scoped if referring to them while still
+   inside the module.
+
+Then go into the BroControl shell to check whether the configuration change
+is valid before installing it and then restarting the Bro instance:
+
+.. console::
+
+   [BroControl] > check
+   bro is ok.
+   [BroControl] > install
+   removing old policies in /usr/local/bro/spool/policy/site ... done.
+   removing old policies in /usr/local/bro/spool/policy/auto ... done.
+   creating policy directories ... done.
+   installing site policies ... done.
+   generating standalone-layout.bro ... done.
+   generating local-networks.bro ... done.
+   generating broctl-config.bro ... done.
+   updating nodes ... done.
+   [BroControl] > restart
+   stopping bro ...
+   starting bro ...
+
+Now that the SSL notice is ignored, let's look at how to send an email on
+the SSH notice.  The notice framework has a similar option called
+``emailed_types``, but that can't differentiate between SSH servers and we
+only want email for logins to certain ones.  Then we come to the ``PolicyItem``
+record and ``policy`` set and realize that those are actually what get used
+to implement the simple functionality of ``ignored_types`` and
+``emailed_types``, but it's extensible such that the condition and action taken
+on notices can be user-defined.
+
+In ``local.bro``, let's add a new ``PolicyItem`` record to the ``policy`` set
+that only takes the email action for SSH logins to a defined set of servers:
+
+.. code:: bro
+
+    const watched_servers: set[addr] = {
+        192.168.1.100,
+        192.168.1.101,
+        192.168.1.102,
+    } &redef;
+
+    redef Notice::policy += {
+        [$action = Notice::ACTION_EMAIL,
+         $pred(n: Notice::Info) =
+            {
+            return n$note == SSH::Login && n$id$resp_h in watched_servers;
+            }
+        ]
+    };
+
+You'll just have to trust the syntax for now, but what we've done is
+first declare our own variable to hold a set of watched addresses,
+``watched_servers``; then added a record to the policy that will generate
+an email on the condition that the predicate function evaluates to true, which
+is whenever the notice type is an SSH login and the responding host stored
+inside the ``Info`` record's connection field is in the set of watched servers.
+
+.. note:: record field member access is done with the '$' character
+   instead of a '.' as might be expected from other languages, in
+   order to avoid ambiguity with the builtin address type's use of '.'
+   in IPv4 dotted decimal representations.
+
+Remember, to finalize that configuration change perform the ``check``,
+``install``, ``restart`` commands in that order inside the BroControl shell.
+
+Next Steps
+----------
+
+By this point, we've learned how to set up the most basic Bro instance and
+tweak the most basic options.  Here's some suggestions on what to explore next:
+
+* We only looked at how to change options declared in the notice framework,
+  there's many more options to look at in other script packages.
+* Look at the scripts in ``$PREFIX/share/bro/policy`` for further ones
+  you may want to load.
+* Reading the code of scripts that ship with Bro is also a great way to gain
+  understanding of the language and how you can start writing your own custom
+  analysis.
+* Review the :doc:`FAQ <faq>`.
+* Continue reading below for another mini-tutorial on using Bro as a standalone
+  command-line utility.
+
+Bro, the Command-Line Utility
+=============================
+
+If you prefer not to use BroControl (e.g. don't need its automation and
+management features), here's how to directly control Bro for your analysis
+activities.
+
+Monitoring Live Traffic
+-----------------------
+
+Analyzing live traffic from an interface is simple:
+
+.. console::
+
+   bro -i en0 <list of scripts to load>
+
+``en0`` can be replaced by the interface of your choice and for the list of
+scripts, you can just use "all" for now to perform all the default analysis
+that's available.
+
+Bro will output log files into the working directory.
+
+.. note:: The :doc:`FAQ <faq>` entries about
+   capturing as an unprivileged user and checksum offloading are particularly
+   relevant at this point.
+
+To use the site-specific ``local.bro`` script, just add it to the
+command-line:
+
+.. console::
+
+   bro -i en0 local
+
+This will cause Bro to print a warning about lacking the
+``Site::local_nets`` variable being configured. You can supply this
+information at the command line like this (supply your "local" subnets
+in place of the example subnets):
+
+.. console::
+
+   bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"
+
+
+Reading Packet Capture (pcap) Files
+-----------------------------------
+
+Capturing packets from an interface and writing them to a file can be done
+like this:
+
+.. console::
+
+   sudo tcpdump -i en0 -s 0 -w mypackets.trace
+
+Where ``en0`` can be replaced by the correct interface for your system as
+shown by e.g. ``ifconfig``. (The ``-s 0`` argument tells it to capture
+whole packets; in cases where it's not supported use ``-s 65535`` instead).
+
+After a while of capturing traffic, kill the ``tcpdump`` (with ctrl-c),
+and tell Bro to perform all the default analysis on the capture which primarily includes :
+
+.. console::
+
+   bro -r mypackets.trace
+
+Bro will output log files into the working directory.
+
+If you are interested in more detection, you can again load the ``local``
+script that we include as a suggested configuration:
+
+.. console::
+
+  bro -r mypackets.trace local
+
+
+Telling Bro Which Scripts to Load
+---------------------------------
+
+A command-line invocation of Bro typically looks like:
+
+.. console::
+
+   bro <options> <policies...>
+
+Where the last arguments are the specific policy scripts that this Bro
+instance will load.  These arguments don't have to include the ``.bro``
+file extension, and if the corresponding script resides under the default
+installation path, ``$PREFIX/share/bro``, then it requires no path
+qualification.  Further, a directory of scripts can be specified as
+an argument to be loaded as a "package" if it contains a ``__load__.bro``
+script that defines the scripts that are part of the package.
+
+This example does all of the base analysis (primarily protocol
+logging) and adds SSL certificate validation.
+
+.. console::
+
+   bro -r mypackets.trace protocols/ssl/validate-certs
+
+You might notice that a script you load from the command line uses the
+``@load`` directive in the Bro language to declare dependence on other scripts.
+This directive is similar to the ``#include`` of C/C++, except the semantics
+are "load this script if it hasn't already been loaded".
+
+.. note:: If one wants Bro to be able to load scripts that live outside the
+   default directories in Bro's installation root, the ``BROPATH`` environment
+   variable will need to be extended to include all the directories that need
+   to be searched for scripts.  See the default search path by doing
+   ``bro --help``.
+
diff --git a/doc/reporting-problems.rst b/doc/reporting-problems.rst
new file mode 100644
index 0000000000..5e55b2ac90
--- /dev/null
+++ b/doc/reporting-problems.rst
@@ -0,0 +1,194 @@
+
+Reporting Problems
+==================
+
+.. rst-class:: opening
+
+    Here we summarize some steps to follow when you see Bro doing
+    something it shouldn't. To provide help, it is often crucial for
+    us to have a way of reliably reproducing the effect you're seeing.
+    Unfortunately, reproducing problems can be rather tricky with Bro
+    because more often than not, they occur only in either very rare
+    situations or only after Bro has been running for some time. In
+    particular, getting a small trace showing a specific effect can be
+    a real problem. In the following, we'll summarize some strategies
+    to this end.
+
+Reporting Problems
+------------------
+
+Generally, when you encounter a problem with Bro, the best thing to do
+is opening a new ticket in `Bro's issue tracker
+<http://tracker.bro-ids.org/>`__ and include information on how to
+reproduce the issue. Ideally, your ticket should come with the
+following:
+
+* The Bro version you're using (if working directly from the git
+  repository, the branch and revision number.)
+
+* The output you're seeing along with a description of what you'd expect
+  Bro to do instead.
+
+* A *small* trace in `libpcap format <http://www.tcpdump.org>`__
+  demonstrating the effect (assuming the problem doesn't happen right
+  at startup already).
+
+* The exact command-line you're using to run Bro with that trace. If
+  you can, please try to run the Bro binary directly from the command
+  line rather than using BroControl.
+
+* Any non-standard scripts you're using (but please only those really
+  necessary; just a small code snippet triggering the problem would
+  be perfect).
+
+* If you encounter a crash, information from the core dump, such as
+  the stack backtrace, can be very helpful. See below for more on
+  this.
+
+
+How Do I Get a Trace File?
+--------------------------
+
+As Bro is usually running live, coming up with a small trace file that
+reproduces a problem can turn out to be quite a challenge. Often it
+works best to start with a large trace that triggers the problem,
+and then successively thin it out as much as possible.
+
+To get to the initial large trace, here are a few things you can try:
+
+* Capture a trace with `tcpdump <http://www.tcpdump.org/>`__, either
+  on the same interface Bro is running on, or on another host where
+  you can generate traffic of the kind likely triggering the problem
+  (e.g., if you're seeing problems with the HTTP analyzer, record some
+  of your Web browsing on your desktop.) When using tcpdump, don't
+  forget to record *complete* packets (``tcpdump -s 0 ...``). You can
+  reduce the amount of traffic captured by using a suitable BPF filter
+  (e.g., for HTTP only, try ``port 80``). 
+
+* Bro's command-line option ``-w <trace>`` records all packets it
+  processes into the given file. You can then later run Bro
+  offline on this trace and it will process the packets in the same
+  way as it did live. This is particularly helpful with problems that
+  only occur after Bro has already been running for some time. For
+  example, sometimes a crash may be triggered by a particular kind of
+  traffic only occurring rarely. Running Bro live with ``-w`` and
+  then, after the crash, offline on the recorded trace might, with a
+  little bit of luck, reproduce the problem reliably. However, be
+  careful with ``-w``: it can result in huge trace files, quickly
+  filling up your disk. (One way to mitigate the space issues is to
+  periodically delete the trace file by configuring
+  ``rotate-logs.bro`` accordingly. BroControl does that for you if you
+  set its ``SaveTraces`` option.)
+
+* Finally, you can try running Bro on a publically available trace
+  file, such as `anonymized FTP traffic <http://www-nrg.ee.lbl.gov
+  /anonymized-traces.html>`__, `headers-only enterprise traffic
+  <http://www.icir.org/enterprise-tracing/Overview.html>`__, or
+  `Defcon traffic <http://cctf.shmoo.com/>`__. Some of these
+  particularly stress certain components of Bro (e.g., the Defcon
+  traces contain tons of scans).
+
+Once you have a trace that demonstrates the effect, you will often
+notice that it's pretty big, in particular if recorded from the link
+you're monitoring. Therefore, the next step is to shrink its size as
+much as possible. Here are a few things you can try to this end:
+
+* Very often, a single connection is able to demonstrate the problem.
+  If you can identify which one it is (e.g., from one of Bro's
+  ``*.log`` files) you can extract the connection's packets from the
+  trace using tcpdump by filtering for the corresponding 4-tuple of
+  addresses and ports:
+
+  .. console::
+    
+    > tcpdump -r large.trace -w small.trace host <ip1> and port <port1> and host <ip2> and port <port2>
+
+* If you can't reduce the problem to a connection, try to identify
+  either a host pair or a single host triggering it, and filter down
+  the trace accordingly.
+
+* You can try to extract a smaller time slice from the trace using 
+  `TCPslice <http://www.tcpdump.org/related.html>`__. For example, to
+  extract the first 100 seconds from the trace:
+
+  .. console::
+
+    # Test comment
+    > tcpslice +100 <in >out
+    
+Alternatively, tcpdump extracts the first ``n`` packets with its
+option ``-c <n>``.
+
+
+Getting More Information After a Crash
+--------------------------------------
+
+If Bro crashes, a *core dump* can be very helpful to nail down the
+problem. Examining a core is not for the faint of heart but can reveal
+extremely useful information.
+
+First, you should configure Bro with the option ``--enable-debug`` and
+recompile; this will disable all compiler optimizations and thus make
+the core dump more useful (don't expect great performance with this
+version though; compiling Bro without optimization has a noticeable
+impact on its CPU usage.). Then enable core dumps if you haven't
+already (e.g., ``ulimit -c unlimited`` if you're using bash).
+
+Once Bro has crashed, start gdb with the Bro binary and the file
+containing the core dump. (Alternatively, you can also run Bro
+directly inside gdb instead of working from a core file.) The first
+helpful information to include with your tracker ticket is a stack
+backtrace, which you get with gdb's ``bt`` command:
+
+.. console::
+    
+    > gdb bro core
+    [...]
+    > bt
+    
+
+If the crash occurs inside Bro's script interpreter, the next thing to
+do is identifying the line of script code processed just before the
+abnormal termination. Look for methods in the stack backtrace which
+belong to any of the script interpreter's classes. Roughly speaking,
+these are all classes with names ending in ``Expr``, ``Stmt``, or
+``Val``. Then climb up the stack with ``up`` until you reach the first
+of these methods. The object to which ``this`` is pointing will have a
+``Location`` object, which in turn contains the file name and line
+number of the corresponding piece of script code. Continuing the
+example from above, here's how to get that information:
+
+.. console::
+
+    [in gdb]
+    > up
+    > ...
+    > up
+    > print this->location->filename
+    > print this->location->first_line
+    
+
+If the crash occurs while processing input packets but you cannot
+directly tell which connection is responsible (and thus not extract
+its packets from the trace as suggested above), try getting the
+4-tuple of the connection currently being processed from the core dump
+by again examining the stack backtrace, this time looking for methods
+belonging to the ``Connection`` class. That class has members
+``orig_addr``/``resp_addr`` and ``orig_port``/``resp_port`` storing
+(pointers to) the IP addresses and ports respectively:
+
+.. console::
+
+    [in gdb]
+    > up
+    > ...
+    > up
+    > printf "%08x:%04x %08x:%04x\n", *this->orig_addr, this->orig_port, *this->resp_addr, this->resp_port
+
+
+Note that these values are stored in `network byte order
+<http://en.wikipedia.org/wiki/Endianness#Endianness_in_networking>`__
+so you will need to flip the bytes around if you are on a low-endian
+machine (which is why the above example prints them in hex). For
+example, if an IP address prints as ``0100007f`` , that's 127.0.0.1 .
+
diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
new file mode 100644
index 0000000000..33d473b005
--- /dev/null
+++ b/doc/scripts/CMakeLists.txt
@@ -0,0 +1,205 @@
+# find out what BROPATH to use when executing bro
+execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev
+                OUTPUT_VARIABLE BROPATH
+                RESULT_VARIABLE retval
+                OUTPUT_STRIP_TRAILING_WHITESPACE)
+if (NOT ${retval} EQUAL 0)
+    message(FATAL_ERROR "Problem setting BROPATH")
+endif ()
+
+# This macro is used to add a new makefile target for reST policy script
+# documentation that can be generated using Bro itself to parse policy scripts.
+# It's called like:
+#
+#     rest_target(srcDir broInput [group])
+#
+# srcDir: the directory which contains broInput
+# broInput: the file name of a bro policy script, any path prefix of this
+#     argument will be used to derive what path under policy/ the generated
+#     documentation will be placed.
+# group: optional name of group that the script documentation will belong to.
+#     If this is not given, .bif files automatically get their own group or
+#     the group is automatically by any path portion of the broInput argument.
+#
+# In addition to adding the makefile target, several CMake variables are set:
+#
+# MASTER_POLICY_INDEX_TEXT: a running list of policy scripts docs that have
+#   been generated so far, formatted such that it can be appended to a file
+#   that ends in a Sphinx toctree directive
+# ALL_REST_OUTPUTS: a running list (the CMake list type) of all reST docs
+#   that are to be generated
+# MASTER_GROUP_LIST: a running list (the CMake list type) of all script groups
+# MASTER_PKG_LIST: a running list (the CMake list type) of all script groups
+#   that were defived from the path portion of the broInput argument
+# ${group}_files: a running list of files belonging to a given group, from
+#   which summary text can be extracted at build time
+# ${group}_doc_names: a running list of reST style document names that can be
+#   given to a :doc: role, shared indices with ${group}_files
+
+macro(REST_TARGET srcDir broInput)
+    set(absSrcPath ${srcDir}/${broInput})
+    get_filename_component(basename ${broInput} NAME)
+    string(REPLACE .bro "" basename ${basename})
+    get_filename_component(extension ${broInput} EXT)
+    get_filename_component(relDstDir ${broInput} PATH)
+
+    set(sumTextSrc ${absSrcPath})
+    set(ogSourceFile ${absSrcPath})
+    if (${extension} STREQUAL ".bif.bro")
+        set(ogSourceFile ${BIF_SRC_DIR}/${basename})
+        # the summary text is taken at configure time, but .bif.bro files
+        # may not have been generated yet, so read .bif file instead
+        set(sumTextSrc ${ogSourceFile})
+    endif ()
+
+    if (NOT relDstDir)
+        set(docName "${basename}")
+        set(dstDir "${RST_OUTPUT_DIR}")
+    else ()
+        set(docName "${relDstDir}/${basename}")
+        set(dstDir "${RST_OUTPUT_DIR}/${relDstDir}")
+    endif ()
+
+    set(restFile "${docName}.rst")
+    string(REPLACE "/" "^" restFile ${restFile})
+    set(restOutput "${dstDir}/${basename}.rst")
+
+    set(MASTER_POLICY_INDEX_TEXT
+        "${MASTER_POLICY_INDEX_TEXT}\n   ${docName} <${docName}>")
+    list(APPEND ALL_REST_OUTPUTS ${restOutput})
+
+    if (NOT "${ARGN}" STREQUAL "")
+        set(group ${ARGN})
+    elseif (${extension} STREQUAL ".bif.bro")
+        set(group bifs)
+    elseif (relDstDir)
+        set(group ${relDstDir}/index)
+        # add package index to master package list if not already in it
+        # and if a __load__.bro exists in the original script directory
+        list(FIND MASTER_PKG_LIST ${relDstDir} _found)
+        if (_found EQUAL -1)
+            if (EXISTS ${CMAKE_SOURCE_DIR}/scripts/${relDstDir}/__load__.bro)
+                list(APPEND MASTER_PKG_LIST ${relDstDir})
+            endif ()
+        endif ()
+    else ()
+        set(group "")
+    endif ()
+
+    if (NOT "${group}" STREQUAL "")
+        # add group to master group list if not already in it
+        list(FIND MASTER_GROUP_LIST ${group} _found)
+        if (_found EQUAL -1)
+            list(APPEND MASTER_GROUP_LIST ${group})
+            if (MASTER_GROUP_LIST_TEXT)
+               set(MASTER_GROUP_LIST_TEXT "${MASTER_GROUP_LIST_TEXT}\n${group}")
+            else ()
+               set(MASTER_GROUP_LIST_TEXT "${group}")
+            endif ()
+        endif ()
+
+        list(APPEND ${group}_files ${sumTextSrc})
+        list(APPEND ${group}_doc_names ${docName})
+    endif ()
+
+    add_custom_command(OUTPUT ${restOutput}
+        # delete any leftover state from previous bro runs
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E remove_directory .state
+        # generate the reST documentation using bro
+        COMMAND BROPATH=${BROPATH}:${srcDir} ${CMAKE_BINARY_DIR}/src/bro
+        ARGS -b -Z ${broInput} || (rm -rf .state *.log *.rst && exit 1)
+        # move generated doc into a new directory tree that
+        # defines the final structure of documents
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E make_directory ${dstDir}
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E copy ${restFile} ${restOutput}
+        # copy the bro or bif script, too
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E copy ${ogSourceFile} ${dstDir}
+        # clean up the build directory
+        COMMAND rm
+        ARGS -rf .state *.log *.rst
+        DEPENDS bro
+        DEPENDS ${absSrcPath}
+        WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+        COMMENT "[Bro] Generating reST docs for ${broInput}"
+    )
+
+endmacro(REST_TARGET)
+
+# Schedule Bro scripts for which to generate documentation.
+include(DocSourcesList.cmake)
+
+# create temporary list of all docs to include in the master policy/index file
+file(WRITE ${MASTER_POLICY_INDEX} "${MASTER_POLICY_INDEX_TEXT}")
+
+# create the temporary list of all packages to include in the master
+# policy/packages.rst file
+set(MASTER_PKG_INDEX_TEXT "")
+foreach (pkg ${MASTER_PKG_LIST})
+    set(MASTER_PKG_INDEX_TEXT
+        "${MASTER_PKG_INDEX_TEXT}\n:doc:`${pkg} <${pkg}/index>`\n")
+    if (EXISTS ${CMAKE_SOURCE_DIR}/scripts/${pkg}/README)
+        file(STRINGS ${CMAKE_SOURCE_DIR}/scripts/${pkg}/README pkgreadme)
+        foreach (line ${pkgreadme})
+            set(MASTER_PKG_INDEX_TEXT "${MASTER_PKG_INDEX_TEXT}\n    ${line}")
+        endforeach ()
+        set(MASTER_PKG_INDEX_TEXT "${MASTER_PKG_INDEX_TEXT}\n")
+    endif ()
+endforeach ()
+file(WRITE ${MASTER_PACKAGE_INDEX} "${MASTER_PKG_INDEX_TEXT}")
+
+# create temporary file containing list of all groups
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/group_list
+    "${MASTER_GROUP_LIST_TEXT}")
+
+# create temporary files containing list of each source file in a given group
+foreach (group ${MASTER_GROUP_LIST})
+    if (EXISTS ${CMAKE_CURRENT_BINARY_DIR}/${group}_files)
+        file(REMOVE ${CMAKE_CURRENT_BINARY_DIR}/${group}_files)
+    endif ()
+    if (EXISTS ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names)
+        file(REMOVE ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names)
+    endif ()
+    foreach (src ${${group}_files})
+        file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/${group}_files "${src}\n")
+    endforeach ()
+    foreach (dname ${${group}_doc_names})
+        file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names "${dname}\n")
+    endforeach ()
+endforeach ()
+
+# remove previously generated docs no longer scheduled for generation
+if (EXISTS ${RST_OUTPUT_DIR})
+    file(GLOB_RECURSE EXISTING_REST_DOCS "${RST_OUTPUT_DIR}/*.rst")
+    foreach (_doc ${EXISTING_REST_DOCS})
+        list(FIND ALL_REST_OUTPUTS ${_doc} _found)
+        if (_found EQUAL -1)
+            file(REMOVE ${_doc})
+            message(STATUS "Broxygen: remove stale reST doc: ${_doc}")
+            string(REPLACE .rst .bro _brofile ${_doc})
+            if (EXISTS ${_brofile})
+                file(REMOVE ${_brofile})
+                message(STATUS "Broxygen: remove stale bro source: ${_brofile}")
+            endif ()
+        endif ()
+    endforeach ()
+endif ()
+
+# The "restdoc" target uses Bro to parse policy scripts in order to
+# generate reST documentation from them.
+add_custom_target(restdoc
+                  # create symlink to the reST output directory for convenience
+                  COMMAND "${CMAKE_COMMAND}" -E create_symlink
+                          ${RST_OUTPUT_DIR}
+                          ${CMAKE_BINARY_DIR}/reST
+                  DEPENDS ${ALL_REST_OUTPUTS})
+
+# The "restclean" target removes all generated reST documentation from the
+# build directory.
+add_custom_target(restclean
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${RST_OUTPUT_DIR}
+                  VERBATIM)
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
new file mode 100644
index 0000000000..ade0add875
--- /dev/null
+++ b/doc/scripts/DocSourcesList.cmake
@@ -0,0 +1,143 @@
+# DO NOT EDIT
+# This file is auto-generated from the genDocSourcesList.sh script.
+#
+# This is a list of Bro script sources for which to generate reST documentation.
+# It will be included inline in the CMakeLists.txt found in the same directory
+# in order to create Makefile targets that define how to generate reST from
+# a given Bro script.
+#
+# Note: any path prefix of the script (2nd argument of rest_target macro)
+# will be used to derive what path under scripts/ the generated documentation
+# will be placed.
+
+set(psd ${PROJECT_SOURCE_DIR}/scripts)
+
+rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
+rest_target(${psd} base/init-default.bro internal)
+rest_target(${psd} base/init-bare.bro internal)
+
+rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
+rest_target(${psd} base/frameworks/cluster/main.bro)
+rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
+rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro)
+rest_target(${psd} base/frameworks/cluster/nodes/worker.bro)
+rest_target(${psd} base/frameworks/cluster/setup-connections.bro)
+rest_target(${psd} base/frameworks/communication/main.bro)
+rest_target(${psd} base/frameworks/control/main.bro)
+rest_target(${psd} base/frameworks/dpd/main.bro)
+rest_target(${psd} base/frameworks/intel/main.bro)
+rest_target(${psd} base/frameworks/logging/main.bro)
+rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro)
+rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro)
+rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
+rest_target(${psd} base/frameworks/metrics/cluster.bro)
+rest_target(${psd} base/frameworks/metrics/main.bro)
+rest_target(${psd} base/frameworks/metrics/non-cluster.bro)
+rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
+rest_target(${psd} base/frameworks/notice/actions/drop.bro)
+rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
+rest_target(${psd} base/frameworks/notice/actions/page.bro)
+rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
+rest_target(${psd} base/frameworks/notice/cluster.bro)
+rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
+rest_target(${psd} base/frameworks/notice/main.bro)
+rest_target(${psd} base/frameworks/notice/weird.bro)
+rest_target(${psd} base/frameworks/packet-filter/main.bro)
+rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
+rest_target(${psd} base/frameworks/reporter/main.bro)
+rest_target(${psd} base/frameworks/signatures/main.bro)
+rest_target(${psd} base/frameworks/software/main.bro)
+rest_target(${psd} base/protocols/conn/contents.bro)
+rest_target(${psd} base/protocols/conn/inactivity.bro)
+rest_target(${psd} base/protocols/conn/main.bro)
+rest_target(${psd} base/protocols/dns/consts.bro)
+rest_target(${psd} base/protocols/dns/main.bro)
+rest_target(${psd} base/protocols/ftp/file-extract.bro)
+rest_target(${psd} base/protocols/ftp/main.bro)
+rest_target(${psd} base/protocols/ftp/utils-commands.bro)
+rest_target(${psd} base/protocols/http/file-extract.bro)
+rest_target(${psd} base/protocols/http/file-hash.bro)
+rest_target(${psd} base/protocols/http/file-ident.bro)
+rest_target(${psd} base/protocols/http/main.bro)
+rest_target(${psd} base/protocols/http/utils.bro)
+rest_target(${psd} base/protocols/irc/dcc-send.bro)
+rest_target(${psd} base/protocols/irc/main.bro)
+rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
+rest_target(${psd} base/protocols/smtp/entities.bro)
+rest_target(${psd} base/protocols/smtp/main.bro)
+rest_target(${psd} base/protocols/ssh/main.bro)
+rest_target(${psd} base/protocols/ssl/consts.bro)
+rest_target(${psd} base/protocols/ssl/main.bro)
+rest_target(${psd} base/protocols/ssl/mozilla-ca-list.bro)
+rest_target(${psd} base/protocols/syslog/consts.bro)
+rest_target(${psd} base/protocols/syslog/main.bro)
+rest_target(${psd} base/utils/addrs.bro)
+rest_target(${psd} base/utils/conn-ids.bro)
+rest_target(${psd} base/utils/directions-and-hosts.bro)
+rest_target(${psd} base/utils/files.bro)
+rest_target(${psd} base/utils/numbers.bro)
+rest_target(${psd} base/utils/paths.bro)
+rest_target(${psd} base/utils/patterns.bro)
+rest_target(${psd} base/utils/site.bro)
+rest_target(${psd} base/utils/strings.bro)
+rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} policy/frameworks/communication/listen.bro)
+rest_target(${psd} policy/frameworks/control/controllee.bro)
+rest_target(${psd} policy/frameworks/control/controller.bro)
+rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
+rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
+rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
+rest_target(${psd} policy/frameworks/metrics/http-example.bro)
+rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
+rest_target(${psd} policy/frameworks/software/version-changes.bro)
+rest_target(${psd} policy/frameworks/software/vulnerable.bro)
+rest_target(${psd} policy/integration/barnyard2/main.bro)
+rest_target(${psd} policy/integration/barnyard2/types.bro)
+rest_target(${psd} policy/misc/analysis-groups.bro)
+rest_target(${psd} policy/misc/capture-loss.bro)
+rest_target(${psd} policy/misc/loaded-scripts.bro)
+rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/stats.bro)
+rest_target(${psd} policy/misc/trim-trace-file.bro)
+rest_target(${psd} policy/protocols/conn/known-hosts.bro)
+rest_target(${psd} policy/protocols/conn/known-services.bro)
+rest_target(${psd} policy/protocols/conn/weirds.bro)
+rest_target(${psd} policy/protocols/dns/auth-addl.bro)
+rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect.bro)
+rest_target(${psd} policy/protocols/ftp/software.bro)
+rest_target(${psd} policy/protocols/http/detect-MHR.bro)
+rest_target(${psd} policy/protocols/http/detect-intel.bro)
+rest_target(${psd} policy/protocols/http/detect-sqli.bro)
+rest_target(${psd} policy/protocols/http/detect-webapps.bro)
+rest_target(${psd} policy/protocols/http/header-names.bro)
+rest_target(${psd} policy/protocols/http/software-browser-plugins.bro)
+rest_target(${psd} policy/protocols/http/software.bro)
+rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro)
+rest_target(${psd} policy/protocols/http/var-extraction-uri.bro)
+rest_target(${psd} policy/protocols/smtp/blocklists.bro)
+rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
+rest_target(${psd} policy/protocols/smtp/software.bro)
+rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
+rest_target(${psd} policy/protocols/ssh/geo-data.bro)
+rest_target(${psd} policy/protocols/ssh/interesting-hostnames.bro)
+rest_target(${psd} policy/protocols/ssh/software.bro)
+rest_target(${psd} policy/protocols/ssl/cert-hash.bro)
+rest_target(${psd} policy/protocols/ssl/expiring-certs.bro)
+rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro)
+rest_target(${psd} policy/protocols/ssl/known-certs.bro)
+rest_target(${psd} policy/protocols/ssl/validate-certs.bro)
+rest_target(${psd} policy/tuning/defaults/packet-fragments.bro)
+rest_target(${psd} policy/tuning/defaults/warnings.bro)
+rest_target(${psd} policy/tuning/track-all-assets.bro)
+rest_target(${psd} site/local-manager.bro)
+rest_target(${psd} site/local-proxy.bro)
+rest_target(${psd} site/local-worker.bro)
+rest_target(${psd} site/local.bro)
+rest_target(${psd} test-all-policy.bro)
diff --git a/doc/scripts/README b/doc/scripts/README
new file mode 100644
index 0000000000..a15812609c
--- /dev/null
+++ b/doc/scripts/README
@@ -0,0 +1,44 @@
+This directory contains scripts and templates that can be used to automate
+the generation of Bro script documentation.  Several build targets are defined
+by CMake and available in the top-level Makefile:
+
+``restdoc``
+
+    This target uses Bro to parse policy scripts in order to generate
+    reStructuredText (reST) documentation from them.  The list of scripts
+    for which to generate reST documentation is defined in the
+    ``CMakeLists.txt`` file in this directory.  Script documentation is
+    rebuild automatically if the policy script from which it is derived
+    or the Bro binary becomes out of date
+
+    The resulting output from this target can be found in the CMake
+    ``build/`` directory inside ``reST`` (a symlink to
+    ``doc/scripts/rest_output``).
+
+``restclean``
+
+    This target removes any reST documentation that has been generated so far.
+
+The ``genDocSourcesList.sh`` script can be run to automatically generate
+``DocSourcesList.cmake``, which is the file CMake uses to define the list
+of documentation targets.  This script should be run after adding new
+Bro script source files, and the changes commited to git.
+
+If a script shouldn't have documentation generated for it, there's also a
+blacklist manifest that can be maintained in the ``genDocSourcesList.sh``
+script.
+
+The blacklist can also be used if you want to define a certain grouping for
+the script's generated docs to belong to (as opposed to the automatic grouping
+the happens for script packages/directories).  To do that, add the
+script's name to the blacklist, then append a ``rest_target()`` to the
+``statictext`` variable where the first argument is the source directory
+containing the policy script to document, the second argument is the file
+name of the policy script, and the third argument is the path/name of a
+pre-created reST document in the ``../`` source directory to which the
+``make doc`` process can append script documentation references.  This
+pre-created reST document should also then be linked to from the TOC tree
+in ``../index.rst``.
+
+See ``example.bro`` for an example of how to document a Bro script such that
+``make doc`` will be able to produce reST/HTML documentation for it.
diff --git a/doc/scripts/bifs.rst b/doc/scripts/bifs.rst
new file mode 100644
index 0000000000..eaae0e13b8
--- /dev/null
+++ b/doc/scripts/bifs.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which broxygen appends during the build process
+
+Built-In Functions (BIFs)
+=========================
+
diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst
new file mode 100644
index 0000000000..3a299bbf69
--- /dev/null
+++ b/doc/scripts/builtins.rst
@@ -0,0 +1,635 @@
+Builtin Types and Attributes
+============================
+
+Types
+-----
+
+The Bro scripting language supports the following built-in types.
+
+.. bro:type:: void
+
+    An internal Bro type representing an absence of a type.  Should
+    most often be seen as a possible function return type.
+
+.. bro:type:: bool
+
+    Reflects a value with one of two meanings: true or false.  The two
+    ``bool`` constants are ``T`` and ``F``.
+
+.. bro:type:: int
+
+    A numeric type representing a signed integer.  An ``int`` constant
+    is a string of digits preceded by a ``+`` or ``-`` sign, e.g.
+    ``-42`` or ``+5``.  When using type inferencing use care so that the
+    intended type is inferred, e.g. ``local size_difference = 0`` will
+    infer :bro:type:`count`, while ``local size_difference = +0``
+    will infer :bro:type:`int`.
+
+.. bro:type:: count
+
+    A numeric type representing an unsigned integer.  A ``count``
+    constant is a string of digits, e.g. ``1234`` or ``0``.
+
+.. bro:type:: counter
+
+    An alias to :bro:type:`count`.
+
+.. TODO: is there anything special about this type?
+
+.. bro:type:: double
+
+    A numeric type representing a double-precision floating-point
+    number.  Floating-point constants are written as a string of digits
+    with an optional decimal point, optional scale-factor in scientific
+    notation, and optional ``+`` or ``-`` sign.  Examples are ``-1234``,
+    ``-1234e0``, ``3.14159``, and ``.003e-23``.
+
+.. bro:type:: time
+
+    A temporal type representing an absolute time.  There is currently
+    no way to specify a ``time`` constant, but one can use the
+    :bro:id:`current_time` or :bro:id:`network_time` built-in functions
+    to assign a value to a ``time``-typed variable.
+
+.. bro:type:: interval
+
+    A temporal type representing a relative time.  An ``interval``
+    constant can be written as a numeric constant followed by a time
+    unit where the time unit is one of ``usec``, ``sec``, ``min``,
+    ``hr``, or ``day`` which respectively represent microseconds,
+    seconds, minutes, hours, and days.  Whitespace between the numeric
+    constant and time unit is optional.  Appending the letter "s" to the
+    time unit in order to pluralize it is also optional (to no semantic
+    effect).  Examples of ``interval`` constants are ``3.5 min`` and
+    ``3.5mins``.  An ``interval`` can also be negated, for example ``-
+    12 hr`` represents "twelve hours in the past".  Intervals also
+    support addition, subtraction, multiplication, division, and
+    comparison operations.
+
+.. bro:type:: string
+
+    A type used to hold character-string values which represent text.
+    String constants are created by enclosing text in double quotes (")
+    and the backslash character (\\) introduces escape sequences.
+
+    Note that Bro represents strings internally as a count and vector of
+    bytes rather than a NUL-terminated byte string (although string
+    constants are also automatically NUL-terminated).  This is because
+    network traffic can easily introduce NULs into strings either by
+    nature of an application, inadvertently, or maliciously.  And while
+    NULs are allowed in Bro strings, when present in strings passed as
+    arguments to many functions, a run-time error can occur as their
+    presence likely indicates a sort of problem.  In that case, the
+    string will also only be represented to the user as the literal
+    "<string-with-NUL>" string.
+
+.. bro:type:: pattern
+
+    A type representing regular-expression patterns which can be used
+    for fast text-searching operations.  Pattern constants are created
+    by enclosing text within forward slashes (/) and is the same syntax
+    as the patterns supported by the `flex lexical analyzer
+    <http://flex.sourceforge.net/manual/Patterns.html>`_.  The speed of
+    regular expression matching does not depend on the complexity or
+    size of the patterns.  Patterns support two types of matching, exact
+    and embedded.
+
+    In exact matching the ``==`` equality relational operator is used
+    with one :bro:type:`string` operand and one :bro:type:`pattern`
+    operand to check whether the full string exactly matches the
+    pattern.  In this case, the ``^`` beginning-of-line and ``$``
+    end-of-line anchors are redundant since pattern is implicitly
+    anchored to the beginning and end of the line to facilitate an exact
+    match.  For example::
+
+        "foo" == /foo|bar/
+
+    yields true, while::
+
+        /foo|bar/ == "foobar"
+
+    yields false.  The ``!=`` operator would yield the negation of ``==``.
+
+    In embedded matching the ``in`` operator is again used with one
+    :bro:type:`string` operand and one :bro:type:`pattern` operand
+    (which must be on the left-hand side), but tests whether the pattern
+    appears anywhere within the given string.  For example::
+
+        /foo|bar/ in "foobar"
+
+    yields true, while::
+
+        /^oob/ in "foobar"
+
+    is false since "oob" does not appear at the start of "foobar".  The
+    ``!in`` operator would yield the negation of ``in``.
+
+.. bro:type:: enum
+
+    A type allowing the specification of a set of related values that
+    have no further structure.  The only operations allowed on
+    enumerations are equality comparisons and they do not have
+    associated values or ordering.  An example declaration:
+
+    .. code:: bro
+
+        type color: enum { Red, White, Blue, };
+
+    The last comma after ``Blue`` is optional.
+
+.. bro:type:: timer
+
+.. TODO: is this a type that's exposed to users?
+
+.. bro:type:: port
+
+    A type representing transport-level port numbers.  Besides TCP and
+    UDP ports, there is a concept of an ICMP "port" where the source
+    port is the ICMP message type and the destination port the ICMP
+    message code.  A ``port`` constant is written as an unsigned integer
+    followed by one of ``/tcp``, ``/udp``, ``/icmp``, or ``/unknown``.
+
+    Ports can be compared for equality and also for ordering.  When
+    comparing order across transport-level protocols, ``unknown`` <
+    ``tcp`` < ``udp`` < ``icmp``, for example ``65535/tcp`` is smaller
+    than ``0/udp``.
+
+.. bro:type:: addr
+
+    A type representing an IP address.  Currently, Bro defaults to only
+    supporting IPv4 addresses unless configured/built with
+    ``--enable-brov6``, in which case, IPv6 addresses are supported.
+
+    IPv4 address constants are written in "dotted quad" format,
+    ``A1.A2.A3.A4``, where Ai all lie between 0 and 255.
+
+    IPv6 address constants are written as colon-separated hexadecimal form
+    as described by :rfc:`2373`.
+
+    Hostname constants can also be used, but since a hostname can
+    correspond to multiple IP addresses, the type of such variable is a
+    :bro:type:`set` of :bro:type:`addr` elements. For example:
+
+    .. code:: bro
+
+        local a = www.google.com;
+
+    Addresses can be compared for (in)equality using ``==`` and ``!=``.
+    They can also be masked with ``/`` to produce a :bro:type:`subnet`:
+
+    .. code:: bro
+
+        local a: addr = 192.168.1.100;
+        local s: subnet = 192.168.0.0/16;
+        if ( a/16 == s )
+            print "true";
+
+    And checked for inclusion within a :bro:type:`subnet` using ``in`` :
+
+    .. code:: bro
+
+        local a: addr = 192.168.1.100;
+        local s: subnet = 192.168.0.0/16;
+        if ( a in s )
+            print "true";
+
+.. bro:type:: subnet
+
+    A type representing a block of IP addresses in CIDR notation.  A
+    ``subnet`` constant is written as an :bro:type:`addr` followed by a
+    slash (/) and then the network prefix size specified as a decimal
+    number.  For example, ``192.168.0.0/16``.
+
+.. bro:type:: any
+
+    Used to bypass strong typing.  For example, a function can take an
+    argument of type ``any`` when it may be of different types.
+
+.. bro:type:: table
+
+    An associate array that maps from one set of values to another.  The
+    values being mapped are termed the *index* or *indices* and the
+    result of the mapping is called the *yield*.  Indexing into tables
+    is very efficient, and internally it is just a single hash table
+    lookup.
+
+    The table declaration syntax is::
+
+        table [ type^+ ] of type
+
+    where *type^+* is one or more types, separated by commas.  For example:
+
+    .. code:: bro
+
+        global a: table[count] of string;
+
+    declares a table indexed by :bro:type:`count` values and yielding
+    :bro:type:`string` values.  The yield type can also be more complex:
+
+    .. code:: bro
+
+        global a: table[count] of table[addr, port] of string;
+
+    which declares a table indexed by :bro:type:`count` and yielding
+    another :bro:type:`table` which is indexed by an :bro:type:`addr`
+    and :bro:type:`port` to yield a :bro:type:`string`.
+
+    Initialization of tables occurs by enclosing a set of initializers within
+    braces, for example:
+
+    .. code:: bro
+
+        global t: table[count] of string = {
+            [11] = "eleven",
+            [5] = "five",
+        };
+
+    Accessing table elements if provided by enclosing values within square
+    brackets (``[]``), for example:
+
+    .. code:: bro
+
+        t[13] = "thirteen";
+
+    And membership can be tested with ``in``:
+
+    .. code:: bro
+
+        if ( 13 in t )
+            ...
+
+    Iterate over tables with a ``for`` loop:
+
+    .. code:: bro
+
+        local t: table[count] of string;
+        for ( n in t )
+            ...
+
+        local services: table[addr, port] of string;
+        for ( [a, p] in services )
+            ...
+
+    Remove individual table elements with ``delete``:
+
+    .. code:: bro
+
+        delete t[13];
+
+    Nothing happens if the element with value ``13`` isn't present in
+    the table.
+
+    Table size can be obtained by placing the table identifier between
+    vertical pipe (|) characters:
+
+    .. code:: bro
+
+        |t|
+
+.. bro:type:: set
+
+    A set is like a :bro:type:`table`, but it is a collection of indices
+    that do not map to any yield value.  They are declared with the
+    syntax::
+
+        set [ type^+ ]
+
+    where *type^+* is one or more types separated by commas.
+
+    Sets are initialized by listing elements enclosed by curly braces:
+
+    .. code:: bro
+
+        global s: set[port] = { 21/tcp, 23/tcp, 80/tcp, 443/tcp };
+        global s2: set[port, string] = { [21/tcp, "ftp"], [23/tcp, "telnet"] };
+
+    The types are explicitly shown in the example above, but they could
+    have been left to type inference.
+
+    Set membership is tested with ``in``:
+
+    .. code:: bro
+
+        if ( 21/tcp in s )
+            ...
+
+    Elements are added with ``add``:
+
+    .. code:: bro
+
+        add s[22/tcp];
+
+    And removed with ``delete``:
+
+    .. code:: bro
+
+        delete s[21/tcp];
+
+    Set size can be obtained by placing the set identifier between
+    vertical pipe (|) characters:
+
+    .. code:: bro
+
+        |s|
+
+.. bro:type:: vector
+
+    A vector is like a :bro:type:`table`, except it's always indexed by a
+    :bro:type:`count`.  A vector is declared like:
+
+    .. code:: bro
+
+        global v: vector of string;
+
+    And can be initialized with the vector constructor:
+
+    .. code:: bro
+
+        global v: vector of string = vector("one", "two", "three");
+
+    Adding an element to a vector involves accessing/assigning it:
+
+    .. code:: bro
+
+        v[3] = "four"
+
+    Note how the vector indexing is 0-based.
+
+    Vector size can be obtained by placing the vector identifier between
+    vertical pipe (|) characters:
+
+    .. code:: bro
+
+        |v|
+
+.. bro:type:: record
+
+    A ``record`` is a collection of values.  Each value has a field name
+    and a type.  Values do not need to have the same type and the types
+    have no restrictions.  An example record type definition:
+
+    .. code:: bro
+
+        type MyRecordType: record {
+            c: count;
+            s: string &optional;
+        };
+
+    Access to a record field uses the dollar sign (``$``) operator:
+
+    .. code:: bro
+
+        global r: MyRecordType;
+        r$c = 13;
+
+    Record assignment can be done field by field or as a whole like:
+
+    .. code:: bro
+
+        r = [$c = 13, $s = "thirteen"];
+
+    When assigning a whole record value, all fields that are not
+    :bro:attr:`&optional` or have a :bro:attr:`&default` attribute must
+    be specified.
+
+    To test for existence of a field that is :bro:attr:`&optional`, use the
+    ``?$`` operator:
+
+    .. code:: bro
+
+        if ( r?$s )
+            ...
+
+.. bro:type:: file
+
+    Bro supports writing to files, but not reading from them.  For
+    example, declare, open, and write to a file and finally close it
+    like:
+
+    .. code:: bro
+
+        global f: file = open("myfile");
+        print f, "hello, world";
+        close(f);
+
+    Writing to files like this for logging usually isn't recommended, for better
+    logging support see :doc:`/logging`.
+
+.. bro:type:: func
+
+    See :bro:type:`function`.
+
+.. bro:type:: function
+
+    Function types in Bro are declared using::
+
+        function( argument*  ): type
+
+    where *argument* is a (possibly empty) comma-separated list of
+    arguments, and *type* is an optional return type.  For example:
+
+    .. code:: bro
+
+        global greeting: function(name: string): string;
+
+    Here ``greeting`` is an identifier with a certain function type.
+    The function body is not defined yet and ``greeting`` could even
+    have different function body values at different times.  To define
+    a function including a body value, the syntax is like:
+
+    .. code:: bro
+
+        function greeting(name: string): string
+            {
+            return "Hello, " + name;
+            }
+
+    Note that in the definition above, it's not necessary for us to have
+    done the first (forward) declaration of ``greeting`` as a function
+    type, but when it is, the argument list and return type much match
+    exactly.
+
+    Function types don't need to have a name and can be assigned anonymously:
+
+    .. code:: bro
+
+        greeting = function(name: string): string { return "Hi, " + name; };
+
+    And finally, the function can be called like:
+
+    .. code:: bro
+
+        print greeting("Dave");
+
+.. bro:type:: event
+
+    Event handlers are nearly identical in both syntax and semantics to
+    a :bro:type:`function`, with the two differences being that event
+    handlers have no return type since they never return a value, and
+    you cannot call an event handler.  Instead of directly calling an
+    event handler from a script, event handler bodies are executed when
+    they are invoked by one of three different methods:
+
+    - From the event engine
+
+        When the event engine detects an event for which you have
+        defined a corresponding event handler, it queues an event for
+        that handler.  The handler is invoked as soon as the event
+        engine finishes processing the current packet and flushing the
+        invocation of other event handlers that were queued first.
+
+    - With the ``event`` statement from a script
+
+        Immediately queuing invocation of an event handler occurs like:
+
+        .. code:: bro
+
+            event password_exposed(user, password);
+
+        This assumes that ``password_exposed`` was previously declared
+        as an event handler type with compatible arguments.
+
+    - Via the ``schedule`` expression in a script
+
+        This delays the invocation of event handlers until some time in
+        the future.  For example:
+
+        .. code:: bro
+
+            schedule 5 secs { password_exposed(user, password) };
+
+    Multiple event handler bodies can be defined for the same event handler
+    identifier and the body of each will be executed in turn.  Ordering
+    of execution can be influenced with :bro:attr:`&priority`.
+
+Attributes
+----------
+
+Attributes occur at the end of type/event declarations and change their
+behavior. The syntax is ``&key`` or ``&key=val``, e.g., ``type T:
+set[count] &read_expire=5min`` or ``event foo() &priority=-3``.  The Bro
+scripting language supports the following built-in attributes.
+
+.. bro:attr:: &optional
+
+    Allows a record field to be missing. For example the type ``record {
+    a: int, b: port &optional }`` could be instantiated both as
+    singleton ``[$a=127.0.0.1]`` or pair ``[$a=127.0.0.1, $b=80/tcp]``.
+
+.. bro:attr:: &default
+
+    Uses a default value for a record field or container elements. For
+    example, ``table[int] of string &default="foo" }`` would create a
+    table that returns the :bro:type:`string` ``"foo"`` for any
+    non-existing index.
+
+.. bro:attr:: &redef
+
+    Allows for redefinition of initial object values. This is typically
+    used with constants, for example, ``const clever = T &redef;`` would
+    allow the constant to be redefined at some later point during script
+    execution.
+
+.. bro:attr:: &rotate_interval
+
+    Rotates a file after a specified interval.
+
+.. bro:attr:: &rotate_size
+
+    Rotates a file after it has reached a given size in bytes.
+
+.. bro:attr:: &add_func
+
+.. TODO: needs to be documented.
+
+.. bro:attr:: &delete_func
+
+.. TODO: needs to be documented.
+
+.. bro:attr:: &expire_func
+
+    Called right before a container element expires.
+
+.. bro:attr:: &read_expire
+
+    Specifies a read expiration timeout for container elements. That is,
+    the element expires after the given amount of time since the last
+    time it has been read. Note that a write also counts as a read.
+
+.. bro:attr:: &write_expire
+
+    Specifies a write expiration timeout for container elements. That
+    is, the element expires after the given amount of time since the
+    last time it has been written.
+
+.. bro:attr:: &create_expire
+
+    Specifies a creation expiration timeout for container elements. That
+    is, the element expires after the given amount of time since it has
+    been inserted into the container, regardless of any reads or writes.
+
+.. bro:attr:: &persistent
+
+    Makes a variable persistent, i.e., its value is writen to disk (per
+    default at shutdown time).
+
+.. bro:attr:: &synchronized
+
+    Synchronizes variable accesses across nodes. The value of a
+    ``&synchronized`` variable is automatically propagated to all peers
+    when it changes.
+
+.. bro:attr:: &postprocessor
+
+.. TODO: needs to be documented.
+
+.. bro:attr:: &encrypt
+
+    Encrypts files right before writing them to disk.
+
+.. TODO: needs to be documented in more detail.
+
+.. bro:attr:: &match
+
+.. TODO: needs to be documented.
+
+.. bro:attr:: &disable_print_hook
+
+    Deprecated. Will be removed.
+
+.. bro:attr:: &raw_output
+
+    Opens a file in raw mode, i.e., non-ASCII characters are not
+    escaped.
+
+.. bro:attr:: &mergeable
+
+    Prefers set union to assignment for synchronized state. This
+    attribute is used in conjunction with :bro:attr:`&synchronized`
+    container types: when the same container is updated at two peers
+    with different value, the propagation of the state causes a race
+    condition, where the last update succeeds. This can cause
+    inconsistencies and can be avoided by unifying the two sets, rather
+    than merely overwriting the old value.
+
+.. bro:attr:: &priority
+
+    Specifies the execution priority of an event handler. Higher values
+    are executed before lower ones. The default value is 0.
+
+.. bro:attr:: &group
+
+    Groups event handlers such that those in the same group can be
+    jointly activated or deactivated.
+
+.. bro:attr:: &log
+
+    Writes a record field to the associated log stream.
+
+.. bro:attr:: &error_handler
+
+.. TODO: needs documented
+
+.. bro:attr:: (&tracked)
+
+.. TODO: needs documented or removed if it's not used anywhere.
diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro
new file mode 100644
index 0000000000..9f6f656ee1
--- /dev/null
+++ b/doc/scripts/example.bro
@@ -0,0 +1,225 @@
+##! This is an example script that demonstrates documentation features.
+##! Comments of the form ``##!`` are for the script summary.  The contents of
+##! these comments are transferred directly into the auto-generated
+##! `reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+##! (reST) document's summary section.
+##!
+##! .. tip:: You can embed directives and roles within ``##``-stylized comments.
+##!
+##! There's also a custom role to reference any identifier node in
+##! the Bro Sphinx domain that's good for "see alsos", e.g.
+##!
+##! See also: :bro:see:`Example::a_var`, :bro:see:`Example::ONE`,
+##! :bro:see:`SSH::Info`
+##!
+##! And a custom directive does the equivalent references:
+##!
+##! .. bro:see:: Example::a_var Example::ONE SSH::Info
+
+# Comments that use a single pound sign (#) are not significant to
+# a script's auto-generated documentation, but ones that use a
+# double pound sign (##) do matter.  In some cases, like record
+# field comments, it's necessary to disambiguate the field with
+# which a comment associates: e.g. "##<" can be used on the same line
+# as a field to signify the comment relates to it and not the
+# following field. "##<" can also be used more generally in any
+# variable declarations to associate with the last-declared identifier.
+#
+# Generally, the auto-doc comments (##) are associated with the
+# next declaration/identifier found in the script, but the doc framework
+# will track/render identifiers regardless of whether they have any
+# of these special comments associated with them.
+#
+# The first sentence contained within the "##"-stylized comments for
+# a given identifier is special in that it will be used as summary
+# text in a table containing all such identifiers and short summaries.
+# If there are no sentences (text terminated with '.'), then everything
+# in the "##"-stylized comments up until the first empty comment
+# is taken as the summary text for a given identifier.
+
+# @load directives are self-documenting
+@load frameworks/software/vulnerable
+
+# "module" statements are self-documenting
+module Example;
+
+# redefinitions of "capture_filters" are self-documenting and
+# go into the generated documentation's "Packet Filter" section
+redef capture_filters += {
+    ["ssl"] = "tcp port 443",
+    ["nntps"] = "tcp port 562",
+};
+
+global example_ports = {
+    443/tcp, 562/tcp,
+} &redef;
+
+# redefinitions of "dpd_config" are self-documenting and
+# go into the generated doc's "Port Analysis" section
+redef dpd_config += {
+    [ANALYZER_SSL] = [$ports = example_ports]
+};
+
+# redefinitions of "Notice::Type" are self-documenting, but
+# more information can be supplied in two different ways
+redef enum Notice::Type += {
+    ## any number of this type of comment
+    ## will document "Notice_One"
+    Notice_One,
+    Notice_Two,  ##< any number of this type of comment
+                 ##< will document "Notice_Two"
+    Notice_Three,
+    Notice_Four,
+};
+
+# Redef'ing the ID enumeration for logging streams is automatically tracked.
+# Comments of the "##" form can be use to further document it, but it's
+# better to do all documentation related to logging in the summary section
+# as is shown above.
+redef enum Log::ID += { LOG };
+
+# Anything declared in the export section will show up in the rendered
+# documentation's "public interface" section
+
+export {
+
+    # these headings don't mean anything special to the
+    # doc framework right now, I'm just including them
+    # to make it more clear to the reader how the doc
+    # framework will actually categorize a script's identifiers
+
+    ############## types ################
+
+    # Note that I'm just mixing the "##" and "##<"
+    # types of comments in the following declarations
+    # as a demonstration.  Normally, it would be good style
+    # to pick one and be consistent.
+
+    ## documentation for "SimpleEnum"
+    ## goes here.
+    type SimpleEnum: enum {
+        ## and more specific info for "ONE"
+        ## can span multiple lines
+        ONE,
+        TWO,  ##< or more info like this for "TWO"
+              ##< can span multiple lines
+        THREE,
+    };
+
+    ## document the "SimpleEnum" redef here
+    redef enum SimpleEnum  += {
+        FOUR, ##< and some documentation for "FOUR"
+        ## also "FIVE" for good measure
+        FIVE
+    };
+
+    ## general documentation for a type "SimpleRecord"
+    ## goes here.
+    type SimpleRecord: record {
+        ## counts something
+        field1: count;
+        field2: bool; ##< toggles something
+    };
+
+    ## document the record extension redef here
+    redef record SimpleRecord += {
+        ## document the extending field here
+        field_ext: string &optional; ##< (or here)
+    };
+
+    ## general documentation for a type "ComplexRecord" goes here
+    type ComplexRecord: record {
+        field1: count;               ##< counts something
+        field2: bool;                ##< toggles something
+        field3: SimpleRecord;
+        msg: string &default="blah"; ##< attributes are self-documenting
+    } &redef;
+
+    ## An example record to be used with a logging stream.
+    type Info: record {
+        ts:       time       &log;
+        uid:      string     &log;
+        status:   count      &log &optional;
+    };
+
+    ############## options ################
+    # right now, I'm just defining an option as
+    # any const with &redef (something that can
+    # change at parse time, but not at run time.
+
+    ## add documentation for "an_option" here
+    const an_option: set[addr, addr, string] &redef;
+
+    # default initialization will be self-documenting
+    const option_with_init = 0.01 secs &redef; ##< More docs can be added here.
+
+    ############## state variables ############
+    # right now, I'm defining this as any global
+    # that's not a function/event.  doesn't matter
+    # if &redef attribute is present
+
+    ## put some documentation for "a_var" here
+    global a_var: bool;
+
+    # attributes are self-documenting
+    global var_with_attr: count &persistent;
+
+    # it's fine if the type is inferred, that information is self-documenting
+    global var_without_explicit_type = "this works";
+
+    ############## functions/events ############
+
+    ## Summarize purpose of "a_function" here.
+    ## Give more details about "a_function" here.
+    ## Separating the documentation of the params/return values with
+    ## empty comments is optional, but improves readability of script.
+    ##
+    ## tag: function arguments can be described
+    ##      like this
+    ## msg: another param
+    ##
+    ## Returns: describe the return type here
+    global a_function: function(tag: string, msg: string): string;
+
+    ## Summarize "an_event" here.
+    ## Give more details about "an_event" here.
+	## Example::an_event should not be confused as a parameter.
+    ## name: describe the argument here
+    global an_event: event(name: string);
+
+    ## This is a declaration of an example event that can be used in
+    ## logging streams and is raised once for each log entry.
+    global log_example: event(rec: Info);
+}
+
+function filter_func(rec: Info): bool
+    {
+    return T;
+    }
+
+# this function is documented in the "private interface" section
+# of generated documentation and any "##"-stylized comments would also
+# be rendered there
+function function_without_proto(tag: string): string
+    {
+    return "blah";
+    }
+
+# this record type is documented in the "private interface" section
+# of generated documentation and any "##"-stylized comments would also
+# be rendered there
+type PrivateRecord: record {
+    field1: bool;
+    field2: count;
+};
+
+event bro_init()
+    {
+    Log::create_stream(Example::LOG, [$columns=Info, $ev=log_example]);
+    Log::add_filter(Example::LOG, [
+        $name="example-filter",
+        $path="example-filter",
+        $pred=filter_func,
+        $exclude=set("ts")
+        ]);
+    }
diff --git a/doc/scripts/example.rst b/doc/scripts/example.rst
new file mode 100644
index 0000000000..b76b9af59b
--- /dev/null
+++ b/doc/scripts/example.rst
@@ -0,0 +1,291 @@
+.. Automatically generated.  Do not edit.
+
+example.bro
+===========
+
+:download:`Original Source File <example.bro>`
+
+Overview
+--------
+This is an example script that demonstrates how to document.  Comments
+of the form ``##!`` are for the script summary.  The contents of
+these comments are transferred directly into the auto-generated
+`reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+(reST) document's summary section.
+
+.. tip:: You can embed directives and roles within ``##``-stylized comments.
+
+:Imports: :doc:`policy/frameworks/software/vulnerable </scripts/policy/frameworks/software/vulnerable>`
+
+Summary
+~~~~~~~
+Options
+#######
+============================================================================ ======================================
+:bro:id:`Example::an_option`: :bro:type:`set` :bro:attr:`&redef`             add documentation for "an_option" here
+
+:bro:id:`Example::option_with_init`: :bro:type:`interval` :bro:attr:`&redef`
+============================================================================ ======================================
+
+State Variables
+###############
+=========================================================================== =======================================
+:bro:id:`Example::a_var`: :bro:type:`bool`                                  put some documentation for "a_var" here
+
+:bro:id:`Example::var_with_attr`: :bro:type:`count` :bro:attr:`&persistent`
+
+:bro:id:`Example::var_without_explicit_type`: :bro:type:`string`
+=========================================================================== =======================================
+
+Types
+#####
+====================================================== ==========================================================
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`      documentation for "SimpleEnum"
+                                                       goes here.
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record`  general documentation for a type "SimpleRecord"
+                                                       goes here.
+
+:bro:type:`Example::ComplexRecord`: :bro:type:`record` general documentation for a type "ComplexRecord" goes here
+
+:bro:type:`Example::Info`: :bro:type:`record`          An example record to be used with a logging stream.
+====================================================== ==========================================================
+
+Events
+######
+================================================= =============================================================
+:bro:id:`Example::an_event`: :bro:type:`event`    Summarize "an_event" here.
+
+:bro:id:`Example::log_example`: :bro:type:`event` This is a declaration of an example event that can be used in
+                                                  logging streams and is raised once for each log entry.
+================================================= =============================================================
+
+Functions
+#########
+=============================================== =======================================
+:bro:id:`Example::a_function`: :bro:type:`func` Summarize purpose of "a_function" here.
+=============================================== =======================================
+
+Redefinitions
+#############
+===================================================== ========================================
+:bro:type:`Log::ID`: :bro:type:`enum`
+
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`     document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record` document the record extension redef here
+===================================================== ========================================
+
+Namespaces
+~~~~~~~~~~
+.. bro:namespace:: Example
+
+Notices
+~~~~~~~
+:bro:type:`Notice::Type`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::Notice_One Notice::Type
+
+         any number of this type of comment
+         will document "Notice_One"
+
+      .. bro:enum:: Example::Notice_Two Notice::Type
+
+         any number of this type of comment
+         will document "Notice_Two"
+
+      .. bro:enum:: Example::Notice_Three Notice::Type
+
+      .. bro:enum:: Example::Notice_Four Notice::Type
+
+Public Interface
+----------------
+Options
+~~~~~~~
+.. bro:id:: Example::an_option
+
+   :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`]
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``{}``
+
+   add documentation for "an_option" here
+
+.. bro:id:: Example::option_with_init
+
+   :Type: :bro:type:`interval`
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+State Variables
+~~~~~~~~~~~~~~~
+.. bro:id:: Example::a_var
+
+   :Type: :bro:type:`bool`
+
+   put some documentation for "a_var" here
+
+.. bro:id:: Example::var_with_attr
+
+   :Type: :bro:type:`count`
+   :Attributes: :bro:attr:`&persistent`
+
+.. bro:id:: Example::var_without_explicit_type
+
+   :Type: :bro:type:`string`
+   :Default: ``"this works"``
+
+Types
+~~~~~
+.. bro:type:: Example::SimpleEnum
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::ONE Example::SimpleEnum
+
+         and more specific info for "ONE"
+         can span multiple lines
+
+      .. bro:enum:: Example::TWO Example::SimpleEnum
+
+         or more info like this for "TWO"
+         can span multiple lines
+
+      .. bro:enum:: Example::THREE Example::SimpleEnum
+
+   documentation for "SimpleEnum"
+   goes here.
+
+.. bro:type:: Example::SimpleRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+   general documentation for a type "SimpleRecord"
+   goes here.
+
+.. bro:type:: Example::ComplexRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+      field3: :bro:type:`Example::SimpleRecord`
+
+      msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional`
+         attributes are self-documenting
+
+   general documentation for a type "ComplexRecord" goes here
+
+.. bro:type:: Example::Info
+
+   :Type: :bro:type:`record`
+
+      ts: :bro:type:`time` :bro:attr:`&log`
+
+      uid: :bro:type:`string` :bro:attr:`&log`
+
+      status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
+
+   An example record to be used with a logging stream.
+
+Events
+~~~~~~
+.. bro:id:: Example::an_event
+
+   :Type: :bro:type:`event` (name: :bro:type:`string`)
+
+   Summarize "an_event" here.
+   Give more details about "an_event" here.
+   
+   :param name: describe the argument here
+
+.. bro:id:: Example::log_example
+
+   :Type: :bro:type:`event` (rec: :bro:type:`Example::Info`)
+
+   This is a declaration of an example event that can be used in
+   logging streams and is raised once for each log entry.
+
+Functions
+~~~~~~~~~
+.. bro:id:: Example::a_function
+
+   :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string`
+
+   Summarize purpose of "a_function" here.
+   Give more details about "a_function" here.
+   Separating the documentation of the params/return values with
+   empty comments is optional, but improves readability of script.
+   
+   
+   :param tag: function arguments can be described
+        like this
+   
+   :param msg: another param
+   
+   
+   :returns: describe the return type here
+
+Redefinitions
+~~~~~~~~~~~~~
+:bro:type:`Log::ID`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::LOG Log::ID
+
+:bro:type:`Example::SimpleEnum`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::FOUR Example::SimpleEnum
+
+         and some documentation for "FOUR"
+
+      .. bro:enum:: Example::FIVE Example::SimpleEnum
+
+         also "FIVE" for good measure
+
+   document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`
+
+   :Type: :bro:type:`record`
+
+      field_ext: :bro:type:`string` :bro:attr:`&optional`
+         document the extending field here
+         (or here)
+
+   document the record extension redef here
+
+Port Analysis
+-------------
+:ref:`More Information <common_port_analysis_doc>`
+
+SSL::
+
+    [ports={
+        443/tcp,
+        562/tcp
+    }]
+
+Packet Filter
+-------------
+:ref:`More Information <common_packet_filter_doc>`
+
+Filters added::
+
+    [ssl] = tcp port 443,
+    [nntps] = tcp port 562
+
diff --git a/doc/scripts/genDocSourcesList.sh b/doc/scripts/genDocSourcesList.sh
new file mode 100755
index 0000000000..a10121221a
--- /dev/null
+++ b/doc/scripts/genDocSourcesList.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+# ./genDocSourcesList.sh [output file]
+#
+# Run this script to a generate file that's used to tell CMake about all the
+# possible scripts for which reST documentation can be created.
+#
+# The optional argument can be used to avoid overwriting the file CMake uses
+# by default.
+#
+# Specific scripts can be blacklisted below when e.g. they currently aren't
+# parseable or they just aren't meant to be documented.
+
+export LC_ALL=C # Make sorting stable.
+
+blacklist ()
+    {
+    if [[ "$blacklist" == "" ]]; then
+        blacklist="$1"
+    else
+        blacklist="$blacklist|$1"
+    fi
+    }
+
+# files passed into this function are meant to be temporary workarounds
+# because they're not finished or otherwise can't be loaded for some reason
+tmp_blacklist ()
+    {
+    echo "Warning: temporarily blacklisted files named '$1'" 1>&2
+    blacklist $1
+    }
+
+blacklist __load__.bro
+blacklist test-all.bro
+blacklist all.bro
+blacklist init-default.bro
+blacklist init-bare.bro
+
+statictext="\
+# DO NOT EDIT
+# This file is auto-generated from the "genDocSourcesList.sh" script.
+#
+# This is a list of Bro script sources for which to generate reST documentation.
+# It will be included inline in the CMakeLists.txt found in the same directory
+# in order to create Makefile targets that define how to generate reST from
+# a given Bro script.
+#
+# Note: any path prefix of the script (2nd argument of rest_target macro)
+# will be used to derive what path under scripts/ the generated documentation
+# will be placed.
+
+set(psd \${PROJECT_SOURCE_DIR}/scripts)
+
+rest_target(\${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
+rest_target(\${psd} base/init-default.bro internal)
+rest_target(\${psd} base/init-bare.bro internal)
+"
+
+if [[ $# -ge 1 ]]; then
+    outfile=$1
+else
+    outfile=DocSourcesList.cmake
+fi
+
+thisdir="$( cd "$( dirname "$0" )" && pwd )"
+sourcedir=${thisdir}/../..
+
+echo "$statictext" > $outfile
+
+bifs=`( cd ${sourcedir}/src && find . -name \*\.bif | sort )`
+
+for file in $bifs
+do
+    f=${file:2}.bro
+    echo "rest_target(\${CMAKE_BINARY_DIR}/src base/$f)" >> $outfile
+done
+
+scriptfiles=`( cd ${sourcedir}/scripts && find . -name \*\.bro | sort )`
+
+for file in $scriptfiles
+do
+    f=${file:2}
+    if [[ ! $f =~ $blacklist ]]; then
+        echo "rest_target(\${psd} $f)" >> $outfile
+    fi
+done
diff --git a/doc/scripts/index.rst b/doc/scripts/index.rst
new file mode 100644
index 0000000000..bf0fa25f10
--- /dev/null
+++ b/doc/scripts/index.rst
@@ -0,0 +1,8 @@
+.. This is a stub doc to which broxygen appends during the build process
+
+Index of All Individual Bro Scripts
+===================================
+
+.. toctree::
+   :maxdepth: 1
+
diff --git a/doc/scripts/internal.rst b/doc/scripts/internal.rst
new file mode 100644
index 0000000000..a6c10f1cfb
--- /dev/null
+++ b/doc/scripts/internal.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which broxygen appends during the build process
+
+Internal Scripts
+================
+
diff --git a/doc/scripts/packages.rst b/doc/scripts/packages.rst
new file mode 100644
index 0000000000..56909ffbc6
--- /dev/null
+++ b/doc/scripts/packages.rst
@@ -0,0 +1,12 @@
+.. This is a stub doc to which broxygen appends during the build process
+
+Index of All Bro Script Packages
+================================
+
+Bro has the following script packages (e.g. collections of related scripts in
+a common directory).  If the package directory contains a ``__load__.bro``
+script, it supports being loaded in mass as a whole directory for convenience.
+
+Packages/scripts in the ``base/`` directory are all loaded by default, while
+ones in ``policy/`` provide functionality and customization options that are
+more appropriate for users to decide whether they'd like to load it or not.
diff --git a/doc/signatures.rst b/doc/signatures.rst
new file mode 100644
index 0000000000..7a1b164dbb
--- /dev/null
+++ b/doc/signatures.rst
@@ -0,0 +1,390 @@
+
+==========
+Signatures
+==========
+
+.. rst-class:: opening
+
+    Bro relies primarily on its extensive scripting language for 
+    defining and analyzing detection policies. In addition, however,
+    Bro also provides an independent *signature language* for doing
+    low-level, Snort-style pattern matching. While signatures are
+    *not* Bro's preferred detection tool, they sometimes come in handy
+    and are closer to what many people are familiar with from using
+    other NIDS. This page gives a brief overview on Bro's signatures
+    and covers some of their technical subtleties.
+
+.. contents::
+    :depth: 2
+
+Basics
+======
+
+Let's look at an example signature first:
+
+.. code:: bro-sig
+
+    signature my-first-sig {
+        ip-proto == tcp
+        dst-port == 80
+        payload /.*root/
+        event "Found root!"
+    }
+    
+
+This signature asks Bro to match the regular expression ``.*root`` on
+all TCP connections going to port 80. When the signature triggers, Bro
+will raise an event :bro:id:`signature_match` of the form:
+
+.. code:: bro
+
+    event signature_match(state: signature_state, msg: string, data: string)
+    
+Here, ``state`` contains more information on the connection that
+triggered the match, ``msg`` is the string specified by the
+signature's event statement (``Found root!``), and data is the last
+piece of payload which triggered the pattern match.
+
+To turn such :bro:id:`signature_match` events into actual alarms, you can
+load Bro's :doc:`/scripts/base/frameworks/signatures/main` script.
+This script contains a default event handler that raises
+:bro:enum:`Signatures::Sensitive_Signature` :doc:`Notices <notice>`
+(as well as others; see the beginning of the script).
+
+As signatures are independent of Bro's policy scripts, they are put
+into their own file(s). There are two ways to specify which files
+contain signatures: By using the ``-s`` flag when you invoke Bro, or
+by extending the Bro variable :bro:id:`signature_files` using the ``+=``
+operator. If a signature file is given without a path, it is searched
+along the normal ``BROPATH``. The default extension of the file name
+is ``.sig``, and Bro appends that automatically when necessary.
+
+Signature language
+==================
+
+Let's look at the format of a signature more closely. Each individual
+signature has the format ``signature <id> { <attributes> }``. ``<id>``
+is a unique label for the signature. There are two types of
+attributes: *conditions* and *actions*. The conditions define when the
+signature matches, while the actions declare what to do in the case of
+a match. Conditions can be further divided into four types: *header*,
+*content*, *dependency*, and *context*. We discuss these all in more
+detail in the following.
+
+Conditions
+----------
+
+Header Conditions
+~~~~~~~~~~~~~~~~~
+
+Header conditions limit the applicability of the signature to a subset
+of traffic that contains matching packet headers. For TCP, this match
+is performed only for the first packet of a connection. For other
+protocols, it is done on each individual packet.
+
+There are pre-defined header conditions for some of the most used
+header fields. All of them generally have the format ``<keyword> <cmp>
+<value-list>``, where ``<keyword>`` names the header field; ``cmp`` is
+one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``; and
+``<value-list>`` is a list of comma-separated values to compare
+against. The following keywords are defined:
+
+``src-ip``/``dst-ip <cmp> <address-list>``
+    Source and destination address, respectively. Addresses can be
+    given as IP addresses or CIDR masks.
+
+``src-port``/``dst-port`` ``<int-list>``
+    Source and destination port, respectively.
+
+``ip-proto tcp|udp|icmp``
+    IP protocol.
+
+For lists of multiple values, they are sequentially compared against
+the corresponding header field. If at least one of the comparisons
+evaluates to true, the whole header condition matches (exception: with
+``!=``, the header condition only matches if all values differ).
+
+In addition to these pre-defined header keywords, a general header
+condition can be defined either as
+
+.. code:: bro-sig
+
+    header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>
+
+This compares the value found at the given position of the packet
+header with a list of values. ``offset`` defines the position of the
+value within the header of the protocol defined by ``proto`` (which
+can be ``ip``, ``tcp``, ``udp`` or ``icmp``). ``size`` is either 1, 2,
+or 4 and specifies the value to have a size of this many bytes. If the
+optional ``& <integer>`` is given, the packet's value is first masked
+with the integer before it is compared to the value-list. ``cmp`` is
+one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``. ``value-list`` is
+a list of comma-separated integers similar to those described above.
+The integers within the list may be followed by an additional ``/
+mask`` where ``mask`` is a value from 0 to 32. This corresponds to the
+CIDR notation for netmasks and is translated into a corresponding
+bitmask applied to the packet's value prior to the comparison (similar
+to the optional ``& integer``).
+
+Putting it all together, this is an example condition that is
+equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
+
+.. code:: bro-sig
+
+    header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
+
+Internally, the predefined header conditions are in fact just
+short-cuts and mapped into a generic condition.
+
+Content Conditions
+~~~~~~~~~~~~~~~~~~
+
+Content conditions are defined by regular expressions. We
+differentiate two kinds of content conditions: first, the expression
+may be declared with the ``payload`` statement, in which case it is
+matched against the raw payload of a connection (for reassembled TCP
+streams) or of each packet (for ICMP, UDP, and non-reassembled TCP).
+Second, it may be prefixed with an analyzer-specific label, in which
+case the expression is matched against the data as extracted by the
+corresponding analyzer.
+
+A ``payload`` condition has the form:
+
+.. code:: bro-sig
+
+    payload /<regular expression>/
+
+Currently, the following analyzer-specific content conditions are
+defined (note that the corresponding analyzer has to be activated by
+loading its policy script):
+
+``http-request /<regular expression>/``
+    The regular expression is matched against decoded URIs of HTTP
+    requests. Obsolete alias: ``http``.
+
+``http-request-header /<regular expression>/``
+    The regular expression is matched against client-side HTTP headers.
+
+``http-request-body /<regular expression>/``
+    The regular expression is matched against client-side bodys of
+    HTTP requests.
+
+``http-reply-header /<regular expression>/``
+    The regular expression is matched against server-side HTTP headers.
+
+``http-reply-body /<regular expression>/``
+    The regular expression is matched against server-side bodys of
+    HTTP replys.
+
+``ftp /<regular expression>/``
+    The regular expression is matched against the command line input
+    of FTP sessions.
+
+``finger /<regular expression>/``
+    The regular expression is matched against finger requests.
+
+For example, ``http-request /.*(etc/(passwd|shadow)/`` matches any URI
+containing either ``etc/passwd`` or ``etc/shadow``. To filter on request
+types, e.g. ``GET``, use ``payload /GET /``.
+
+Note that HTTP pipelining (that is, multiple HTTP transactions in a
+single TCP connection) has some side effects on signature matches. If
+multiple conditions are specified within a single signature, this
+signature matches if all conditions are met by any HTTP transaction
+(not necessarily always the same!) in a pipelined connection.
+
+Dependency Conditions
+~~~~~~~~~~~~~~~~~~~~~
+
+To define dependencies between signatures, there are two conditions:
+
+
+``requires-signature [!] <id>``
+    Defines the current signature to match only if the signature given
+    by ``id`` matches for the same connection. Using ``!`` negates the
+    condition: The current signature only matches if ``id`` does not
+    match for the same connection (using this defers the match
+    decision until the connection terminates).
+
+``requires-reverse-signature [!] <id>``
+    Similar to ``requires-signature``, but ``id`` has to match for the
+    opposite direction of the same connection, compared to the current
+    signature. This allows to model the notion of requests and
+    replies.
+
+Context Conditions
+~~~~~~~~~~~~~~~~~~
+
+Context conditions pass the match decision on to other components of
+Bro. They are only evaluated if all other conditions have already
+matched. The following context conditions are defined:
+
+``eval <policy-function>``
+    The given policy function is called and has to return a boolean
+    confirming the match. If false is returned, no signature match is
+    going to be triggered. The function has to be of type ``function
+    cond(state: signature_state, data: string): bool``. Here,
+    ``content`` may contain the most recent content chunk available at
+    the time the signature was matched. If no such chunk is available,
+    ``content`` will be the empty string. ``signature_state`` is
+    defined as follows:
+
+    .. code:: bro
+
+        type signature_state: record {
+            id: string;          # ID of the signature
+            conn: connection;    # Current connection
+            is_orig: bool;       # True if current endpoint is originator
+            payload_size: count; # Payload size of the first packet
+            };
+
+
+``payload-size <cmp> <integer>``
+    Compares the integer to the size of the payload of a packet. For
+    reassembled TCP streams, the integer is compared to the size of
+    the first in-order payload chunk. Note that the latter is not very
+    well defined.
+
+``same-ip``
+    Evaluates to true if the source address of the IP packets equals
+    its destination address.
+
+``tcp-state <state-list>``
+    Imposes restrictions on the current TCP state of the connection.
+    ``state-list`` is a comma-separated list of the keywords
+    ``established`` (the three-way handshake has already been
+    performed), ``originator`` (the current data is send by the
+    originator of the connection), and ``responder`` (the current data
+    is send by the responder of the connection).
+
+
+Actions
+-------
+
+Actions define what to do if a signature matches. Currently, there are
+two actions defined:
+
+``event <string>``
+    Raises a :bro:id:`signature_match` event. The event handler has the
+    following type:
+
+    .. code:: bro
+
+        event signature_match(state: signature_state, msg: string, data: string)
+
+    The given string is passed in as ``msg``, and data is the current
+    part of the payload that has eventually lead to the signature
+    match (this may be empty for signatures without content
+    conditions).
+
+``enable <string>``
+    Enables the protocol analyzer ``<string>`` for the matching
+    connection (``"http"``, ``"ftp"``, etc.). This is used by Bro's
+    dynamic protocol detection to activate analyzers on the fly.
+
+Things to keep in mind when writing signatures
+==============================================
+
+* Each signature is reported at most once for every connection,
+  further matches of the same signature are ignored.
+
+* The content conditions perform pattern matching on elements
+  extracted from an application protocol dialogue. For example, ``http
+  /.*passwd/`` scans URLs requested within HTTP sessions. The thing to
+  keep in mind here is that these conditions only perform any matching
+  when the corresponding application analyzer is actually *active* for
+  a connection. Note that by default, analyzers are not enabled if the
+  corresponding Bro script has not been loaded. A good way to
+  double-check whether an analyzer "sees" a connection is checking its
+  log file for corresponding entries. If you cannot find the
+  connection in the analyzer's log, very likely the signature engine
+  has also not seen any application data.
+
+* As the name indicates, the ``payload`` keyword matches on packet
+  *payload* only. You cannot use it to match on packet headers; use
+  the header conditions for that.
+
+* For TCP connections, header conditions are only evaluated for the
+  *first packet from each endpoint*. If a header condition does not
+  match the initial packets, the signature will not trigger. Bro
+  optimizes for the most common application here, which is header
+  conditions selecting the connections to be examined more closely
+  with payload statements.
+
+* For UDP and ICMP flows, the payload matching is done on a per-packet
+  basis; i.e., any content crossing packet boundaries will not be
+  found. For TCP connections, the matching semantics depend on whether
+  Bro is *reassembling* the connection (i.e., putting all of a
+  connection's packets in sequence). By default, Bro is reassembling
+  the first 1K of every TCP connection, which means that within this
+  window, matches will be found without regards to packet order or
+  boundaries (i.e., *stream-wise matching*).
+
+* For performance reasons, by default Bro *stops matching* on a
+  connection after seeing 1K of payload; see the section on options
+  below for how to change this behaviour. The default was chosen with
+  Bro's main user of signatures in mind: dynamic protocol detection
+  works well even when examining just connection heads.
+
+* Regular expressions are implicitly anchored, i.e., they work as if
+  prefixed with the ``^`` operator. For reassembled TCP connections,
+  they are anchored at the first byte of the payload *stream*. For all
+  other connections, they are anchored at the first payload byte of
+  each packet. To match at arbitrary positions, you can prefix the
+  regular expression with ``.*``, as done in the examples above.
+
+* To match on non-ASCII characters, Bro's regular expressions support
+  the ``\x<hex>`` operator. CRs/LFs are not treated specially by the
+  signature engine and can be matched with ``\r`` and ``\n``,
+  respectively. Generally, Bro follows `flex's regular expression
+  syntax
+  <http://flex.sourceforge.net/manual/Patterns.html>`_.
+  See the DPD signatures in ``base/frameworks/dpd/dpd.sig`` for some examples
+  of fairly complex payload patterns.
+
+* The data argument of the :bro:id:`signature_match` handler might not carry
+  the full text matched by the regular expression. Bro performs the
+  matching incrementally as packets come in; when the signature
+  eventually fires, it can only pass on the most recent chunk of data.
+
+
+Options
+=======
+
+The following options control details of Bro's matching process:
+
+``dpd_reassemble_first_packets: bool`` (default: ``T``)
+    If true, Bro reassembles the beginning of every TCP connection (of
+    up to ``dpd_buffer_size`` bytes, see below), to facilitate
+    reliable matching across packet boundaries. If false, only
+    connections are reassembled for which an application-layer
+    analyzer gets activated (e.g., by Bro's dynamic protocol
+    detection).
+
+``dpd_match_only_beginning : bool`` (default: ``T``)
+    If true, Bro performs packet matching only within the initial
+    payload window of ``dpd_buffer_size``. If false, it keeps matching
+    on subsequent payload as well.
+
+``dpd_buffer_size: count`` (default: ``1024``)
+    Defines the buffer size for the two preceding options. In
+    addition, this value determines the amount of bytes Bro buffers
+    for each connection in order to activate application analyzers
+    even after parts of the payload have already passed through. This
+    is needed by the dynamic protocol detection capability to defer
+    the decision which analyzers to use.
+
+
+So, how about using Snort signatures with Bro?
+==============================================
+
+There was once a script, ``snort2bro``, that converted Snort
+signatures automatically into Bro's signature syntax. However, in our
+experience this didn't turn out to be a very useful thing to do
+because by simply using Snort signatures, one can't benefit from the
+additional capabilities that Bro provides; the approaches of the two
+systems are just too different. We therefore stopped maintaining the
+``snort2bro`` script, and there are now many newer Snort options which
+it doesn't support. The script is now no longer part of the Bro
+distribution.
+
diff --git a/doc/upgrade.rst b/doc/upgrade.rst
new file mode 100644
index 0000000000..9c1537754a
--- /dev/null
+++ b/doc/upgrade.rst
@@ -0,0 +1,247 @@
+
+=============================
+Upgrading From Bro 1.5 to 2.0
+=============================
+
+.. rst-class:: opening
+
+   This guide details differences between Bro versions 1.5 and 2.0
+   that may be important for users to know as they work on updating
+   their Bro deployment/configuration to the later version.
+
+.. contents::
+
+
+Introduction
+============
+
+As the version number jump suggests, Bro 2.0 is a major upgrade and
+lots of things have changed. Most importantly, we have rewritten
+almost all of Bro's default scripts from scratch, using quite
+different structure now and focusing more on operational deployment.
+The result is a system that works much better "out of the box", even
+without much initial site-specific configuration. The down-side is
+that 1.x configurations will need to be adapted to work with the new
+version. The two rules of thumb are:
+
+    (1) If you have written your own Bro scripts
+        that do not depend on any of the standard scripts formerly
+        found in ``policy/``, they will most likely just keep working
+        (although you might want to adapt them to use some of the new
+        features, like the new logging framework; see below).
+
+    (2) If you have custom code that depends on specifics of 1.x
+        default scripts (including most configuration tuning), that is
+        unlikely to work with 2.x. We recommend to start by using just
+        the new scripts first, and then port over any customizations
+        incrementally as necessary (they may be much easier to do now,
+        or even unnecessary). Send mail to the Bro user mailing list
+        if you need help.
+
+Below we summarize changes from 1.x to 2.x in more detail. This list
+isn't complete, see the :download:`CHANGES <CHANGES>` file in the
+distribution for the full story. 
+
+Default Scripts
+===============
+
+Organization
+------------
+
+In versions before 2.0, Bro scripts were all maintained in a flat
+directory called ``policy/`` in the source tree.  This directory is now
+renamed to ``scripts/`` and contains major subdirectories ``base/``,
+``policy/``, and ``site/``, each of which may also be subdivided
+further.
+
+The contents of the new ``scripts/`` directory, like the old/flat
+``policy/`` still gets installed under the ``share/bro``
+subdirectory of the installation prefix path just like previous
+versions.  For example, if Bro was compiled like ``./configure
+--prefix=/usr/local/bro && make && make install``, then the script
+hierarchy can be found in ``/usr/local/bro/share/bro``.
+
+The main
+subdirectories of that hierarchy are as follows:
+
+- ``base/`` contains all scripts that are loaded by Bro by default
+  (unless the ``-b`` command line option is used to run Bro in a
+  minimal configuration). Note that is a major conceptual change:
+  rather than not loading anything by default, Bro now uses an
+  extensive set of default scripts out of the box.
+
+  The scripts under this directory generally either accumulate/log
+  useful state/protocol information for monitored traffic, configure a
+  default/recommended mode of operation, or provide extra Bro
+  scripting-layer functionality that has no significant performance cost.
+
+- ``policy/`` contains all scripts that a user will need to explicitly
+  tell Bro to load.  These are scripts that implement
+  functionality/analysis that not all users may want to use and may have
+  more significant performance costs. For a new installation, you
+  should go through these and see what appears useful to load.
+
+- ``site/`` remains a directory that can be used to store locally 
+  developed scripts. It now comes with some preinstalled example
+  scripts that contain recommended default configurations going beyond
+  the ``base/`` setup. E.g. ``local.bro`` loads extra scripts from
+  ``policy/`` and does extra tuning. These files can be customized in
+  place without being overwritten by upgrades/reinstalls, unlike
+  scripts in other directories.
+
+With version 2.0, the default ``BROPATH`` is set to automatically
+search for scripts in ``policy/``, ``site/`` and their parent
+directory, but **not** ``base/``.  Generally, everything under
+``base/`` is loaded automatically, but for users of the ``-b`` option,
+it's important to know that loading a script in that directory
+requires the extra ``base/`` path qualification.  For example, the
+following two scripts:
+
+* ``$PREFIX/share/bro/base/protocols/ssl/main.bro``
+* ``$PREFIX/share/bro/policy/protocols/ssl/validate-certs.bro``
+
+are referenced from another Bro script like:
+
+.. code:: bro
+
+    @load base/protocols/ssl/main
+    @load protocols/ssl/validate-certs
+
+Notice how ``policy/`` can be omitted as a convenience in the second
+case. ``@load`` can now also use relative path, e.g., ``@load
+../main``.
+
+
+Logging Framework
+-----------------
+
+- The logs generated by scripts that ship with Bro are entirely redone
+  to use a standardized, machine parsable format via the new logging
+  framework. Generally, the log content has been restructured towards
+  making it more directly useful to operations. Also, several
+  analyzers have been significantly extended and thus now log more
+  information. Take a look at ``ssl.log``.
+
+  * A particular format change that may be useful to note is that the
+    ``conn.log`` ``service`` field is derived from DPD instead of
+    well-known ports (while that was already possible in 1.5, it was
+    not the default).
+
+  * Also, ``conn.log`` now reports raw number of packets/bytes per
+    endpoint.
+
+- The new logging framework makes it possible to extend, customize,
+  and filter logs very easily. See the :doc:`logging framework <logging>`
+  for more information on usage.
+
+- A common pattern found in the new scripts is to store logging stream
+  records for protocols inside the ``connection`` records so that
+  state can be collected until enough is seen to log a coherent unit
+  of information regarding the activity of that connection.  This
+  state is now frequently seen/accessible in event handlers, for
+  example, like ``c$<protocol>`` where ``<protocol>`` is replaced by
+  the name of the protocol.  This field is added to the ``connection``
+  record by ``redef``'ing it in a
+  ``base/protocols/<protocol>/main.bro`` script.
+
+- The logging code has been rewritten internally, with script-level
+  interface and output backend now clearly separated. While ASCII
+  logging is still the default, we will add further output types in
+  the future (binary format, direct database logging).
+
+
+Notice Framework
+----------------
+
+The way users interact with "notices" has changed significantly in
+order to make it easier to define a site policy and more extensible
+for adding customized actions. See the :doc:`notice framework <notice>`.
+
+
+New Default Settings
+--------------------
+
+- Dynamic Protocol Detection (DPD) is now enabled/loaded by default.
+
+- The default packet filter now examines all packets instead of
+  dynamically building a filter based on which protocol analysis scripts
+  are loaded. See ``PacketFilter::all_packets`` for how to revert to old
+  behavior.
+
+API Changes
+-----------
+
+- The ``@prefixes`` directive works differently now.
+  Any added prefixes are now searched for and loaded *after* all input
+  files have been parsed.  After all input files are parsed, Bro
+  searches ``BROPATH`` for prefixed, flattened versions of all of the
+  parsed input files.  For example, if ``lcl`` is in ``@prefixes``, and
+  ``site.bro`` is loaded, then a file named ``lcl.site.bro`` that's in
+  ``BROPATH`` would end up being automatically loaded as well.  Packages
+  work similarly, e.g. loading ``protocols/http`` means a file named
+  ``lcl.protocols.http.bro`` in ``BROPATH`` gets loaded automatically.
+
+- The ``make_addr`` BIF now returns a ``subnet`` versus an ``addr``
+
+
+Variable Naming
+---------------
+
+- ``Module`` is more widely used for namespacing. E.g. the new
+  ``site.bro`` exports the ``local_nets`` identifier (among other
+  things) into the ``Site`` module.
+
+- Identifiers may have been renamed to conform to new `scripting
+  conventions
+  <http://www.bro-ids.org/development/script-conventions.html>`_
+
+
+BroControl
+==========
+
+BroControl looks pretty much similar to the version coming with Bro 1.x,
+but has been cleaned up and streamlined significantly internally.
+
+BroControl has a new ``process`` command to process a trace on disk
+offline using a similar configuration to what BroControl installs for
+live analysis.
+
+BroControl now has an extensive plugin interface for adding new
+commands and options. Note that this is still considered experimental.
+
+We have removed the ``analysis`` command, and BroControl currently
+does not send daily alarm summaries anymore (this may be restored
+later).
+
+Removed Functionality
+=====================
+
+We have remove a bunch of functionality that was rarely used and/or
+had not been maintained for a while already:
+
+    - The ``net`` script data type.
+    - The ``alarm`` statement; use the notice framework instead.
+    - Trace rewriting.
+    - DFA state expiration in regexp engine.
+    - Active mapping.
+    - Native DAG support (may come back eventually)
+    - ClamAV support.
+    - The connection compressor is now disabled by default, and will
+      be removed in the future. 
+
+Development Infrastructure
+==========================
+
+Bro development has moved from using SVN to Git for revision control.
+Users that want to use the latest Bro development snapshot by checking it out
+from the source repositories should see the `development process
+<http://www.bro-ids.org/development/process.html>`_. Note that all the various
+sub-components now reside in their own repositories. However, the
+top-level Bro repository includes them as git submodules so it's easy
+to check them all out simultaneously.
+
+Bro now uses `CMake <http://www.cmake.org>`_ for its build system so
+that is a new required dependency when building from source.
+
+Bro now comes with a growing suite of regression tests in
+``testing/``.
diff --git a/pkg/check-cmake b/pkg/check-cmake
new file mode 100755
index 0000000000..17531af2f7
--- /dev/null
+++ b/pkg/check-cmake
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# CMake/CPack versions before 2.8.3 have bugs that can create bad packages
+# Since packages will be built on several different systems, a single
+# version of CMake is required to obtain consistency, but can be increased
+# as new versions of CMake come out that also produce working packages.
+
+CMAKE_PACK_REQ="cmake version 2.8.6"
+CMAKE_VER=`cmake -version`
+
+if [ "${CMAKE_VER}" != "${CMAKE_PACK_REQ}" ]; then
+    echo "Package creation requires ${CMAKE_PACK_REQ}" >&2
+    exit 1
+fi
diff --git a/pkg/make-deb-packages b/pkg/make-deb-packages
new file mode 100755
index 0000000000..432de8336a
--- /dev/null
+++ b/pkg/make-deb-packages
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# This script generates binary DEB packages.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+# The DEB CPack generator depends on `dpkg-shlibdeps` to automatically
+# determine what dependencies to set for the packages
+type dpkg-shlibdeps > /dev/null 2>&1 || {
+    echo "\
+Creating DEB packages requires the "dpkg-shlibs" command, usually provided by
+the 'dpkg-dev' package, please install it first.
+" >&2;
+    exit 1;
+}
+
+prefix=/opt/bro
+
+# During the packaging process, `dpkg-shlibs` will fail if used on a library
+# that links to other internal/project libraries unless an RPATH is used or
+# we set LD_LIBRARY_PATH such that it can find the internal/project library
+# in the temporary packaging tree.
+export LD_LIBRARY_PATH=./${prefix}/lib
+
+cd ..
+
+# Minimum Bro
+./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
+            --pkg-name-prefix=Bro-minimal --binary-package
+( cd build && make package )
+
+# Full Bro package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv *.deb ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv *.deb ../../../build/ )
+cd ../..
diff --git a/pkg/make-mac-packages b/pkg/make-mac-packages
new file mode 100755
index 0000000000..829a64ca25
--- /dev/null
+++ b/pkg/make-mac-packages
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# This script creates binary packages for Mac OS X.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+type sw_vers > /dev/null 2>&1 || {
+    echo "Unable to get Mac OS X version" >&2;
+    exit 1;
+}
+
+# Get the OS X minor version
+# 5 = Leopard, 6 = Snow Leopard, 7 = Lion ...
+osx_ver=`sw_vers | sed -n 's/ProductVersion://p' | cut -d . -f 2`
+
+if [ ${osx_ver} -lt 5 ]; then
+    echo "Packages for OS X < 10.5 are not supported" >&2
+    exit 1
+elif [ ${osx_ver} -eq 5 ]; then
+    # On OS X 10.5, the x86_64 version of libresolv is broken,
+    # so we build for i386 as the easiest solution
+    arch=i386
+else
+    # Currently it's just easiest to build the 10.5 package on
+    # on 10.5, but if it weren't for the libresolv issue, we could
+    # potentially build packages for older OS X version by using the
+    # --osx-sysroot and --osx-min-version options
+    arch=x86_64
+fi
+
+prefix=/opt/bro
+
+cd ..
+
+# Minimum Bro
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --disable-broccoli --disable-broctl --pkg-name-prefix=Bro-minimal \
+    --binary-package
+( cd build && make package )
+
+# Full Bro package
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --binary-package
+( cd build && make package && mv *.dmg ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --binary-package
+( cd build && make package && mv *.dmg ../../../build/ )
+cd ../..
diff --git a/pkg/make-rpm-packages b/pkg/make-rpm-packages
new file mode 100755
index 0000000000..9560cc80ff
--- /dev/null
+++ b/pkg/make-rpm-packages
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# This script generates binary RPM packages.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+# The RPM CPack generator depends on `rpmbuild` to create packages
+type rpmbuild > /dev/null 2>&1 || {
+    echo "\
+Creating RPM packages requires the "rpmbuild" command, usually provided by
+the 'rpm-build' package, please install it first.
+" >&2;
+    exit 1;
+}
+
+prefix=/opt/bro
+
+cd ..
+
+# Minimum Bro
+./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
+            --pkg-name-prefix=Bro-minimal --binary-package
+( cd build && make package )
+
+# Full Bro package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv *.rpm ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv *.rpm ../../../build/ )
+cd ../..
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
deleted file mode 100644
index a79e841661..0000000000
--- a/policy/CMakeLists.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-install(DIRECTORY ./ DESTINATION ${POLICYDIR} FILES_MATCHING
-        PATTERN "summaries" EXCLUDE
-        PATTERN "all.bro" EXCLUDE
-        PATTERN "bro.init"
-        PATTERN "*.bro"
-        PATTERN "*.sig"
-        PATTERN "*.osf"
-)
-
-install(DIRECTORY DESTINATION ${POLICYDIR}/site)
diff --git a/policy/OS-fingerprint.bro b/policy/OS-fingerprint.bro
deleted file mode 100644
index 8f00fe93fd..0000000000
--- a/policy/OS-fingerprint.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: OS-fingerprint.bro 1071 2005-03-08 14:09:31Z vern $
-#
-# Tracks operating system versioning using the "software" framework.
-
-@load software
-
-event OS_version_found(c: connection, host: addr, OS: OS_version)
-	{
-	local version: software_version;
-	version$major = version$minor = version$minor2 = -1;
-	version$addl = OS$detail;
-
-	local sw: software;
-	sw$name = OS$genre;
-	sw$version = version;
-
-	event software_version_found(c, host, sw, "OS");
-	}
diff --git a/policy/adu.bro b/policy/adu.bro
deleted file mode 100644
index 3c2168784a..0000000000
--- a/policy/adu.bro
+++ /dev/null
@@ -1,278 +0,0 @@
-# $Id: adu.bro 5152 2007-12-04 21:48:56Z vern $
-
-@load conn-id
-
-module adu;
-
-# This script parses application-layer data (ADU) units, or "messages",
-# out of the packet streams.  Since the analysis is generic, we define
-# an ADU simply as all application-layer data in a 5-tuple flow going
-# in one direction without any data going the other way.  Once we see
-# data in the other direction, we finish the current ADU and start
-# a new one (going the other way).  While this approach is only
-# approximate, it can work well for both UDP and TCP.
-#
-# The script reports ADUs as strings, up to a configurable maximum size, and
-# up to a configurable depth into the flow.
-#
-# Generated events:
-#
-# - adu_tx(c: connection, a: adu_state) reports an ADU seen from
-#   c's originator to its responder.
-#
-# - adu_rx(c: connection, a: adu_state) reports an ADU seen from
-#   c's responder to the originator.
-#
-# - adu_done(c: connection) indicates that no more ADUs will be seen
-#   on connection c. This is useful to know in case your statekeeping
-#   relies on event connection_state_remove(), which is also used by
-#   adu.bro.
-#
-
-# --- Input configuration -- which ports to look at --------------------
-
-# Right now: everything!
-#
-redef tcp_content_deliver_all_orig = T;
-redef tcp_content_deliver_all_resp = T;
-redef udp_content_deliver_all_orig = T;
-redef udp_content_deliver_all_resp = T;
-
-# --- Debugging -- should really be a separate policy ------------------
-
-# Comment out to disable debugging output:
-#global adu_debug = T;
-
-# Uncomment to enable tests:
-#global adu_test = T;
-
-@ifdef (adu_debug)
-function DBG(msg: string) { print fmt("DBG[adu.bro]: %s", msg); }
-@else
-function DBG(msg: string) { }
-@endif
-
-export {
-
-# --- Constants --------------------------------------------------------
-
-	# The maximum depth in bytes up to which we follow a flow.
-	# This is counting bytes seen in both directions.
-	const adu_conn_max_depth    = 100000 &redef;
-
-	# The maximum message depth that we report.
-	const adu_max_depth         = 3 &redef;
-
-	# The maximum message size in bytes that we report.
-	const adu_max_size          = 1000 &redef;
-
-	# Whether ADUs are reported beyond content gaps.
-	const adu_gaps_ok           = F &redef;
-
-# --- Types ------------------------------------------------------------
-
-	# adu_state records contain the latest ADU and aditional flags to help
-	# the user identify the direction of the message, its depth in the flow,
-	# etc.
-	type adu_state: record {
-		adu: string     &default = "";	# the current ADU
-
-		# Message counter (>= 1), orig->resp and resp->orig.
-		depth_tx: count &default = 1;
-		depth_rx: count &default = 1;
-
-		# TCP: seqno tracking to recognize gaps.
-		seen_tx: count  &default = 0;
-		seen_rx: count  &default = 0;
-
-		size: count     &default = 0;	# total connection size in bytes
-		is_orig: bool   &default = F;	# whether ADU is orig->resp
-		ignore: bool	&default = F;	# ignore future activity on conn
-	};
-
-	# Tell the ADU policy that you do not wish to receive further
-	# adu_tx/adu_rx events for a given connection. Other policies
-	# may continue to process the connection.
-	#
-	global adu_skip_further_processing: function(cid: conn_id);
-}
-
-
-# --- Globals ----------------------------------------------------------
-
-# A global table that tracks each flow's messages.
-global adu_conns: table[conn_id] of adu_state;
-
-# Testing invokes the following events.
-global adu_tx: event(c: connection, astate: adu_state);
-global adu_rx: event(c: connection, astate: adu_state);
-global adu_done: event(c: connection);
-
-# --- Functions --------------------------------------------------------
-
-function adu_skip_further_processing(cid: conn_id)
-	{
-	if ( cid !in adu_conns )
-		return;
-
-	adu_conns[cid]$ignore = T;
-	}
-
-function flow_contents(c: connection, is_orig: bool, seq: count, contents: string)
-	{
-	local astate: adu_state;
-
-	DBG(fmt("contents %s, %s: %s", id_string(c$id), is_orig, contents));
-
-	# Ensure we track the given connection.
-	if ( c$id !in adu_conns )
-		adu_conns[c$id] = astate;
-	else
-		astate = adu_conns[c$id];
-
-	# Forget it if we've been asked to ignore.
-	#
-	if ( astate$ignore == T )
-		return;
-
-	# Don't report if flow is too big.
-	#
-	if ( astate$size >= adu_conn_max_depth )
-		return;
-
-	# If we have an assembled message, we may now have something
-	# to report.
-	if ( |astate$adu| > 0 )
-		{
-		# If application-layer data flow is switching
-		# from resp->orig to orig->resp, report the assembled
-		# message as a received ADU.
-		if ( is_orig && ! astate$is_orig )
-			{
-			event adu_rx(c, copy(astate));
-			astate$adu = "";
-
-			if ( ++astate$depth_rx > adu_max_depth )
-				adu_skip_further_processing(c$id);
-			}
-
-		# If application-layer data flow is switching
-		# from orig->resp to resp->orig, report the assembled
-		# message as a transmitted ADU.
-		#
-		if ( !is_orig && astate$is_orig )
-			{
-			event adu_tx(c, copy(astate));
-			astate$adu = "";
-
-			if ( ++astate$depth_tx > adu_max_depth )
-				adu_skip_further_processing(c$id);
-			}
-		}
-
-	# Check for content gaps. If we identify one, only continue
-	# if user allowed it.
-	#
-	if ( !adu_gaps_ok && seq > 0 )
-		{
-		if ( is_orig )
-			{
-			if ( seq > astate$seen_tx + 1 )
-				return;
-			else
-				astate$seen_tx += |contents|;
-			}
-		else
-			{
-			if ( seq > astate$seen_rx + 1 )
-				return;
-			else
-				astate$seen_rx += |contents|;
-			}
-		}
-
-	# Append the contents to the end of the currently
-	# assembled message, if the message hasn't already
-	# reached the maximum size.
-	#
-	if ( |astate$adu| < adu_max_size )
-		{
-		astate$adu += contents;
-
-		# As a precaution, clip the string to the maximum
-		# size. A long content string with astate$adu just
-		# below its maximum allowed size could exceed that
-		# limit by a lot.
-		### str_clip(astate$adu, adu_max_size);
-		}
-
-
-	# Note that this counter is bumped up even if we have
-	# exceeded the maximum size of an individual message.
-	#
-	astate$size += |contents|;
-
-	astate$is_orig = is_orig;
-	}
-
-# --- Event Handlers ---------------------------------------------------
-
-event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
-	{
-	flow_contents(c, is_orig, seq, contents);
-	}
-
-event udp_contents(u: connection, is_orig: bool, contents: string)
-	{
-	flow_contents(u, is_orig, 0, contents);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id !in adu_conns )
-		return;
-
-	local astate = adu_conns[c$id];
-
-	# Forget it if we've been asked to ignore.
-	#
-	if ( astate$ignore == T )
-		return;
-
-	# Report the remaining data now, if any.
-	#
-	if ( |astate$adu| > 0 ) {
-		if ( astate$is_orig )
-			{
-			if ( astate$depth_tx <= adu_max_depth )
-				event adu_tx(c, copy(astate));
-			}
-		else
-			{
-			if ( astate$depth_rx <= adu_max_depth )
-				event adu_rx(c, copy(astate));
-			}
-	}
-
-	delete adu_conns[c$id];
-	event adu_done(c);
-}
-
-
-# --- Tests ------------------------------------------------------------
-
-@ifdef (adu_test)
-
-event adu_tx(c: connection, astate: adu_state)
-	{
-	print fmt("%s ---- %s, %d -> ----", network_time(), id_string(c$id), astate$depth_tx);
-#	print astate$adu;
-	}
-
-event adu_rx(c: connection, astate: adu_state)
-	{
-	print fmt("%s ---- %s, %d <- ----", network_time(), id_string(c$id), astate$depth_rx);
-#	print astate$adu;
-	}
-
-@endif
diff --git a/policy/alarm.bro b/policy/alarm.bro
deleted file mode 100644
index 4c4943c948..0000000000
--- a/policy/alarm.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: alarm.bro 340 2004-09-09 06:38:27Z vern $
-
-redef bro_alarm_file = open_log_file("alarm");
diff --git a/policy/all.bro b/policy/all.bro
deleted file mode 100644
index 4bbe3e8afe..0000000000
--- a/policy/all.bro
+++ /dev/null
@@ -1,141 +0,0 @@
-@load heavy-analysis
-@load OS-fingerprint
-@load adu
-@load alarm
-@load analy
-@load anon
-@load arp
-@load backdoor
-@load bittorrent
-@load blaster
-@load bt-tracker
-@load brolite-backdoor
-@load capture-events
-@load capture-loss
-@load capture-state-updates
-@load checkpoint
-@load clear-passwords
-@load conn-flood
-@load conn-id
-@load conn
-@load contents
-@load cpu-adapt
-@load dce
-@load demux
-@load detect-protocols-http
-@load detect-protocols
-@load dhcp
-@load dns-info
-@load dns-lookup
-@load dns
-@load dpd
-@load drop-adapt
-@load dyn-disable
-@load file-flush
-@load finger
-@load firewall
-@load flag-irc
-@load flag-warez
-@load frag
-@load ftp
-@load gnutella
-@load hot-ids
-@load hot
-@load http-abstract
-@load http-anon-server
-@load http-anon-useragent
-@load http-anon-utils
-@load http-body
-@load http-detect-passwd
-@load http-entity
-@load http-event
-@load http-header
-@load http-identified-files.bro
-@load http-reply
-@load http-request
-@load http-rewriter
-@load http
-@load icmp
-@load ident-rewriter
-@load ident
-@load inactivity
-@load interconn
-@load irc-bot-syslog
-@load irc-bot
-@load irc
-@load large-conns
-@load listen-clear
-@load listen-ssl
-@load load-level
-@load load-sample
-@load log-append
-@load login
-@load mime-pop
-@load mime
-@load mt
-@load ncp
-@load netflow
-@load netstats
-@load nfs
-@load notice-action-filters
-@load notice
-@load ntp
-@load passwords
-@load pcap
-@load pkt-profile
-@load pop3
-@load port-name
-@load portmapper
-@load print-filter
-@load print-globals
-@load print-resources
-@load print-sig-states
-@load profiling
-@load proxy
-@load remote-pcap
-@load remote-ping
-@load remote-print-id-reply
-@load remote-print-id
-@load remote-print
-@load remote-report-notices
-@load remote-send-id
-@load remote
-@load rotate-logs
-@load rsh
-@load scan
-@load secondary-filter
-@load sensor-sshd
-@load server-ports
-@load service-probe
-@load signatures
-@load site
-@load smb
-@load smtp-relay
-@load smtp-rewriter
-@load smtp
-@load snort
-@load software
-@load ssh
-@load ssh-stepping
-@load ssl-alerts
-@load ssl-ciphers
-@load ssl-errors
-@load ssl-worm
-@load ssl
-@load stats
-@load stepping
-@load synflood
-@load targeted-scan
-@load tcp
-@load tftp
-@load trw-impl
-@load trw
-@load udp-common
-@load udp
-@load vlan
-@load weird
-@load worm
-@load notice-policy
-
-# The following keeps us running after the bro_init event.
-redef PrintFilter::terminate_bro = F;
diff --git a/policy/analy.bro b/policy/analy.bro
deleted file mode 100644
index 714c1deb41..0000000000
--- a/policy/analy.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# Statistical analysis of TCP connection in terms of the packet streams
-# in each direction.
-
-@load dns-lookup
-@load udp
-
-
-event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
-	{
-	local id = c$id;
-
-	print fmt("%.6f %s %s %s %s %s %s %s %s %s",
-		c$start_time, c$duration, id$orig_p, id$resp_p,
-		conn_size(c$orig, tcp), conn_size(c$resp, tcp),
-		id$orig_h, id$resp_h, os, rs);
-	}
diff --git a/policy/anon.bro b/policy/anon.bro
deleted file mode 100644
index f2532cb38e..0000000000
--- a/policy/anon.bro
+++ /dev/null
@@ -1,193 +0,0 @@
-# $Id: anon.bro 6889 2009-08-21 16:45:17Z vern $
-
-redef anonymize_ip_addr = T;
-
-const orig_addr_anonymization = RANDOM_MD5 &redef;
-const resp_addr_anonymization = RANDOM_MD5 &redef;
-const other_addr_anonymization = SEQUENTIALLY_NUMBERED &redef;
-
-const preserve_orig_addr: set[addr] = {} &redef;
-const preserve_resp_addr: set[addr] = {} &redef;
-const preserve_other_addr: set[addr] = {
-	0.0.0.0,
-} &redef;
-
-const preserved_subnet: set[subnet] = {
-#	192.150.186/23,
-} &redef;
-
-const preserved_net: set[net] = {
-#	192.150.186, 192.150.187,
-} &redef;
-
-global anon_log = open_log_file("anon") &redef;
-
-global anonymized_args: table[string] of string;
-
-global ip_anon_mapping: set[addr, addr];
-
-event bro_init()
-	{
-	for ( n in preserved_net )
-		preserve_net(n);
-	}
-
-function anonymize_address(a: addr, id: conn_id): addr
-	{
-	if ( a == id$orig_h )
-		return anonymize_addr(a, ORIG_ADDR);
-	else if ( a == id$resp_h )
-		return anonymize_addr(a, RESP_ADDR);
-	else
-		return anonymize_addr(a, OTHER_ADDR);
-	}
-
-event anonymization_mapping(orig: addr, mapped: addr)
-	{
-	if ( [orig, mapped] !in ip_anon_mapping )
-		{
-		add ip_anon_mapping[orig, mapped];
-		print anon_log, fmt("%s -> %s", orig, mapped);
-		}
-	}
-
-function string_anonymized(from: string, to: string, seed: count)
-	{
-	print anon_log, fmt("\"%s\" %d=> \"%s\"", from, seed, to);
-	}
-
-global num_string_id: count = 0 &redef;
-global anonymized_strings: table[string] of record {
-	s: string;
-	c: count;
-} &redef;
-
-# Hopefully, the total number of strings to anonymize is much less than
-# 36^unique_string_length.
-const unique_string_length = 8 &redef;
-# const anonymized_string_pattern = /U[0-9a-f]+U/;
-global unique_string_set: set[string];
-
-event bro_init()
-	{
-	for ( s in anonymized_strings )
-		add unique_string_set[anonymized_strings[s]$s];
-	}
-
-function unique_string(s: string, seed: count): string
-	{
-	local t = cat("U", sub_bytes(md5_hmac(seed, s),
-					1, unique_string_length), "U");
-	if ( t in unique_string_set )
-		return unique_string(s, seed+1);
-
-	anonymized_strings[s] = [$s = t, $c = 1];
-	add unique_string_set[t];
-	string_anonymized(s, t, seed);
-
-	return t;
-	}
-
-function anonymize_string(from: string): string
-	{
-	if ( from in anonymized_strings )
-		{
-		++anonymized_strings[from]$c;
-		return anonymized_strings[from]$s;
-		}
-
-	local t = unique_string(from, 0);
-	return t;
-	}
-
-function anonymize_arg(typ: string, arg: string): string
-	{
-	if ( arg == "" )
-		return "";	# an empty argument is safe
-
-	local arg_seed = string_cat(typ, arg);
-
-	if ( arg_seed in anonymized_args )
-		return anonymized_args[arg_seed];
-
-	local a = anonymize_string(arg_seed);
-	anonymized_args[arg_seed] = a;
-
-	print anon_log, fmt("anonymize_arg: (%s) {%s} -> %s ",
-			typ, to_string_literal(arg), to_string_literal(a));
-	return a;
-	}
-
-
-# Does not contain ? and ends with an allowed suffix.
-const path_to_file_pat = 
-	/\/[^?]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/
-	;
-
-# Acceptable domain names.
-const kosher_dom_pat =
-	/ar|au|biz|br|ca|cc|cl|cn|co|com|cx|cz|de|ec|es|edu|fi|fm|fr|gov|hn|il|is|it|jp|lv|mx|net|no|nz|org|pe|pl|ru|sk|tv|tw|uk|us|arpa/
-	;
-
-# Simple filename pattern.
-const simple_filename = 
-	/[0-9\-A-Za-z]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/
-	;
-
-function anonymize_path(path: string): string
-	{
-	local hashed_path = "";
-
-	if ( to_lower(path) != path_to_file_pat )
-		{
-		hashed_path = anonymize_arg("path", path);
-		return hashed_path;
-		}
-
-	local file_parts = split(path, /\./);
-
-	local i = 1;
-	for ( part in file_parts )
-		{
-		# This looks broken to me - VP.
-		hashed_path = fmt("%s.%s", hashed_path, file_parts[i]);
-		if ( ++i == length(file_parts) )
-			break;
-		}
-
-	return fmt("%s.%s", anonymize_arg("path", hashed_path), file_parts[i]);
-	}
-
-function anonymize_host(host: string): string
-	{
-	local hashed_host = "";
-	local host_parts = split(host, /\./);
-
-	local i = 1;
-	for ( hosty in host_parts )
-		{
-		if ( i == length(host_parts) )
-			break;
-
-		# Check against "kosher" tld list.
-		hashed_host = fmt("%s%s.", hashed_host,
-					anonymize_arg("host", host_parts[i]));
-
-		++i;
-		} 
-
-	if ( host_parts[i] == kosher_dom_pat )
-		return string_cat(hashed_host, host_parts[i]);
-
-	print anon_log, fmt("anonymize_host: non-kosher domain %s", host); 
-	return string_cat(hashed_host, anonymize_arg("host", host_parts[i]));
-	}
-
-event bro_done()
-	{
-	for ( s in anonymized_strings )
-		{
-		print anon_log, fmt("appearance: %d: \"%s\" => \"%s\"",
-			anonymized_strings[s]$c, s, anonymized_strings[s]$s);
-		}
-	}
diff --git a/policy/arp.bro b/policy/arp.bro
deleted file mode 100644
index dfae133b38..0000000000
--- a/policy/arp.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-# $Id: arp.bro 4909 2007-09-24 02:26:36Z vern $
-
-@load notice
-
-module ARP;
-
-export {
-	redef enum Notice += {
-		ARPSourceMAC_Mismatch,	# source MAC doesn't match mappings
-		ARPAddlMAC_Mapping,	# another MAC->addr seen beyond just one
-		ARPUnsolicitedReply,	# could be poisoning; or just gratuitous
-		# ARPRequestProvidesTargetAddr,	# request includes non-triv addr
-
-		# MAC/addr pair seen in request/reply different from
-		# that in the cache.
-		ARPCacheInconsistency,
-
-		# ARP reply gives different value than previously seen.
-		ARPMappingChanged,
-	};
-
-	const arp_log = open_log_file("arp") &redef;
-}
-
-redef capture_filters += { ["arp"] = "arp" };
-
-# Abbreviations taken from RFC 826:
-#
-# SHA: source hardware address
-# SPA: source protocol address (i.e., IP address)
-# THA: target hardware address
-# TPA: target protocol address
-
-# ARP requests indexed on SHA/SPA/TPA (no THA, as it's what it's being
-# queried).
-global arp_requests: set[string, addr, addr] &create_expire = 1 min;
-
-# ARP responses we've seen: indexed by IP address, yielding MAC address.
-global ARP_cache: table[addr] of string;
-
-
-# Bad ARPs can occur when:
-#	- type/size pairs are not OK for HW and L3 addresses (Ethernet=6, IP=4)
-#	- opcode is neither request (1) nor reply (2)
-#	- MAC src address != ARP sender MAC address
-event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
-		explanation: string)
-	{
-	print arp_log, fmt("%.06f bad-arp %s(%s) ? %s(%s): %s",
-			network_time(), SPA, SHA, TPA, THA, explanation);
-	}
-
-
-# The first of these maps a MAC address to the last protocol address seen
-# for it.  The second tracks every protocol address seen.
-global mac_addr_map: table[string] of addr;
-global mac_addr_associations: table[string] of set[addr];
-
-# A somewhat general notion of broadcast MAC/IP addresses.
-const broadcast_mac_addrs = { "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", };
-const broadcast_addrs = { 0.0.0.0, 255.255.255.255, };
-
-
-# Called to note that we've seen an association between a MAC address
-# and an IP address.  Note that this is *not* an association advertised
-# in an ARP reply (those are tracked in ARP_cache), but instead the
-# pairing of hardware address + protocol address as expressed in
-# an ARP request or reply header.
-function mac_addr_association(mac_addr: string, a: addr)
-	{
-	# Ignore placeholders.
-	if ( mac_addr in broadcast_mac_addrs || a in broadcast_addrs )
-		return;
-
-	local is_addl = F;
-	if ( mac_addr in mac_addr_associations )
-		is_addl = a !in mac_addr_associations[mac_addr];
-	else
-		mac_addr_associations[mac_addr] = set();
-
-	print arp_log, fmt("%.06f association %s -> %s%s", network_time(),
-				mac_addr, a, is_addl ? " <addl>" : "");
-
-	mac_addr_map[mac_addr] = a;
-	add mac_addr_associations[mac_addr][a];
-
-	if ( a in ARP_cache && ARP_cache[a] != mac_addr )
-		NOTICE([$note=ARPCacheInconsistency, $src=a,
-			$msg=fmt("mapping for %s to %s doesn't match cache of %s",
-				mac_addr, a, ARP_cache[a])]);
-	}
-
-# Returns the IP address associated with a MAC address, if we've seen one.
-# Otherwise just returns the MAC address.
-function addr_from_mac(mac_addr: string): string
-	{
-	return mac_addr in mac_addr_map ?
-		fmt("%s", mac_addr_map[mac_addr]) : mac_addr;
-	}
-
-event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
-			TPA: addr, THA: string)
-	{
-	mac_addr_association(SHA, SPA);
-
-	local msg = fmt("%s -> %s who-has %s",
-			addr_from_mac(mac_src), addr_from_mac(mac_dst), TPA);
-
-	local mismatch = SHA != mac_src;
-	if ( mismatch )
-		NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
-	# It turns out that some hosts fill in the THA field even though
-	# that doesn't make sense.  (The RFC specifically allows this,
-	# however.)  Perhaps there's an attack that can be launched
-	# doing so, but it's hard to see what it might be, so for now
-	# we don't bother notice'ing these.
-	# if ( THA !in broadcast_addrs )
-	# 	NOTICE([$note=ARPRequestProvidesTargetAddr, $src=SPA,
-	# 		$msg=fmt("%s: %s", msg, THA)]);
-
-	print arp_log, fmt("%.06f %s%s", network_time(), msg,
-				mismatch ? " <source-mismatch>" : "");
-
-	add arp_requests[SHA, SPA, TPA];
-	}
-
-event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
-		TPA: addr, THA: string)
-	{
-	mac_addr_association(SHA, SPA);
-	mac_addr_association(THA, TPA);
-
-	local msg = fmt("%s -> %s: %s is-at %s",
-			addr_from_mac(mac_src), addr_from_mac(mac_dst),
-			SPA, SHA);
-
-	local unsolicited = [THA, TPA, SPA] !in arp_requests;
-	delete arp_requests[THA, TPA, SPA];
-	if ( unsolicited )
-		NOTICE([$note=ARPUnsolicitedReply, $src=SPA,
-			$msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
-
-	local mismatch = SHA != mac_src;
-	if ( mismatch )
-		NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
-	local mapping_changed = SPA in ARP_cache && ARP_cache[SPA] != SHA;
-	if ( mapping_changed )
-		NOTICE([$note=ARPMappingChanged, $src=SPA,
-			$msg=fmt("%s: was %s", msg, ARP_cache[SPA])]);
-
-	print arp_log, fmt("%.06f %s%s%s%s", network_time(), msg,
-				unsolicited ? " <unsolicited>" : "",
-				mismatch ? " <source-mismatch>" : "",
-				mapping_changed ?
-					fmt(" <changed from %s>", ARP_cache[SPA]) : "");
-
-	ARP_cache[SPA] = SHA;
-	}
diff --git a/policy/backdoor.bro b/policy/backdoor.bro
deleted file mode 100644
index f611d424fa..0000000000
--- a/policy/backdoor.bro
+++ /dev/null
@@ -1,559 +0,0 @@
-# $Id: backdoor.bro 4909 2007-09-24 02:26:36Z vern $
-
-# Looks for a variety of applications running on ports other than
-# their usual ports.
-#
-# Note that this script by itself does *not* change capture_filters
-# to add in the extra ports to look at.  You need to specify that
-# separately.
-
-
-# Some tcpdump filters can be used to replace or work together with
-# some detection algorithms.  They could be used with the "secondary
-# filter" for more efficient (but in some cases potentially less reliable)
-# matching:
-#
-# - looking for "SSH-1." or "SSH-2." at the beginning of the packet;
-#   somewhat weaker than ssh-sig in that ssh-sig only looks for such
-#   pattern in the first packet of a connection:
-#
-#	tcp[(tcp[12]>>2):4] = 0x5353482D and
-#	(tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e)
-#
-# - looking for pkts with 8k+4 (<=128) bytes of data (combined with ssh-len);
-#   only effective for ssh 1.x:
-#
-#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) & 0xFF87 = 4
-#
-# - looking for packets with <= 512 bytes of data that ends with a NUL
-#   (can be potentially combined with rlogin-sig or rlogin-sig-1byte):
-#
-#	(tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and
-#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and
-#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512)
-#
-# - looking for telnet negotiation (can be combined with telnet-sig(-3byte)):
-#
-#	(tcp[(tcp[12]>>2):2] > 0xfffa) and
-#	(tcp[(tcp[12]>>2):2] < 0xffff) and
-#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12] >> 2)) >= 3)
-#
-# - looking for packets with <= 20 bytes of data (combined with small-pkt):
-#
-#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
-#
-# - looking for FTP servers by the initial "220-" or "220 " sent by the server:
-#
-#	tcp[(tcp[12]>>2):4] = 0x3232302d or tcp[(tcp[12]>>2):4] = 0x32323020
-#
-# - looking for root backdoors by seeing a server payload of exactly "# ":
-#
-#	tcp[(tcp[12]>>2):2] = 0x2320 and
-#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2
-#
-# - looking for Napster by the initial "GET" or "SEND" sent by the originator:
-#
-#	((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=4 and
-#	tcp[(tcp[12]>>2):4]=0x53454e44) or
-#	((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=3 and
-#	tcp[(tcp[12]>>2):2]=0x4745 and tcp[(tcp[12]>>2)+2]=0x54)
-#
-# - looking for Gnutella handshaking "GNUTELLA "
-#
-#	tcp[(tcp[12]>>2):4] = 0x474e5554 and
-#	tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
-#	tcp[8+(tcp[12]>>2)] = 0x20
-#
-# - looking for KaZaA via "GIVE " (not present in all connections)
-#
-#	tcp[(tcp[12]>>2):4] = 0x47495645 and
-#	tcp[(4+(tcp[12]>>2)):1] = 0x20
-#
-
-@load site
-@load port-name
-@load demux
-@load notice
-
-redef enum Notice += { BackdoorFound, };
-
-# Set to dump the packets that trigger the backdoor detector to a file.
-const dump_backdoor_packets = F &redef;
-
-redef backdoor_stat_period = 60 sec;
-redef backdoor_stat_backoff = 2.0;
-
-const ssh_min_num_pkts = 8 &redef;
-const ssh_min_ssh_pkts_ratio = 0.6 &redef;
-
-const backdoor_min_num_lines = 2 &redef;
-const backdoor_min_normal_line_ratio = 0.5 &redef;
-
-const backdoor_min_bytes = 10 &redef;
-const backdoor_min_7bit_ascii_ratio = 0.75 &redef;
-
-type rlogin_conn_info : record {
-	o_num_null: count;
-	o_len: count;
-	r_num_null: count;
-	r_len: count;
-};
-
-const backdoor_demux_disabled = T &redef;
-const backdoor_demux_skip_tags: set[string] &redef;
-
-const ftp_backdoor_sigs = "ftp-sig";
-const ssh_backdoor_sigs = { "ssh-sig", "ssh-len-v1.x", "ssh-len-v2.x" };
-const rlogin_backdoor_sigs = { "rlogin-sig", "rlogin-sig-1byte" };
-const root_backdoor_sigs = "root-bd-sig";
-const telnet_backdoor_sigs = { "telnet-sig", "telnet-sig-3byte" };
-const napster_backdoor_sigs = "napster-sig";
-const gnutella_backdoor_sigs = "gnutella-sig";
-const kazaa_backdoor_sigs = "kazaa-sig";
-const http_backdoor_sigs = "http-sig";
-const http_proxy_backdoor_sigs = "http-proxy-sig";
-const smtp_backdoor_sigs = "smtp-sig";
-const irc_backdoor_sigs = "irc-sig";
-const gaobot_backdoor_sigs = "gaobot-sig";
-
-# List of backdoors, so you can use it when defining sets and tables
-# with values over all of them.
-const backdoor_sigs = {
-	ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
-	root_backdoor_sigs, telnet_backdoor_sigs,
-	napster_backdoor_sigs, gnutella_backdoor_sigs, kazaa_backdoor_sigs,
-	http_backdoor_sigs, http_proxy_backdoor_sigs,
-	smtp_backdoor_sigs, irc_backdoor_sigs, gaobot_backdoor_sigs,
-};
-
-# List of address-port pairs that if present in a backdoor are ignored.
-# Note that these can be either the client and its source port (unusual)
-# or the server and its service port (the common case).
-const backdoor_ignore_host_port_pairs: set[addr, port] &redef;
-
-const backdoor_ignore_ports: table[string, port] of bool = {
-	# The following ignore backdoors that are detected on their
-	# usual ports.  The definitions for ftp-sig, telnet-sig and
-	# telnet-sig-3byte are somehwat broad since those backdoors
-	# are also frequently triggered for other similar protocols.
-
-	[ftp_backdoor_sigs, [ftp, smtp, 587/tcp ]] = T,
-	[ssh_backdoor_sigs, ssh] = T,
-	[rlogin_backdoor_sigs , [512/tcp, rlogin, 514/tcp]] = T,
-	[root_backdoor_sigs, [telnet, 512/tcp, rlogin, 514/tcp]] = T,
-	[telnet_backdoor_sigs, [telnet, ftp, smtp, 143/tcp, 110/tcp]] = T,
-
-	# The following don't have well-known ports (well, Napster does
-	# somewhat, as shown below), hence the definitions are F rather
-	# than T.
-	[napster_backdoor_sigs, [6688/tcp, 6699/tcp]] = F,
-	[gnutella_backdoor_sigs, 6346/tcp] = F,
-
-	[kazaa_backdoor_sigs, 1214/tcp] = F,
-
-	[http_backdoor_sigs, [http, 8000/tcp, 8080/tcp]] = T,
-
-	[smtp_backdoor_sigs, [smtp, 587/tcp]] = T,
-
-	# Skip FTP, as "USER foo" generates false positives.  There's
-	# also a lot of IRC on 7000/tcp.
-	[irc_backdoor_sigs, [ftp, 6666/tcp, 6667/tcp, 7000/tcp]] = T,
-
-	# The following are examples of wildcards, and since they're defined
-	# to be F, they don't affect the policy unless redefined.
-	["*", http] = F,	# entry for "any backdoor, service http"
-	["ssh-sig", 0/tcp] = F,	# entry for "ssh-sig, any port"
-
-} &redef &default = F;
-
-# Indexed by the backdoor, indicates which backdoors residing on
-# a local (remote) host should be ignored.
-const backdoor_ignore_local: set[string] &redef;
-const backdoor_ignore_remote: set[string] &redef;
-
-# Indexed by the source (destination) address and the backdoor.
-# Also indexed by the /24 and /16 versions of the source address.
-# backdoor "*" means "all backdoors".
-const backdoor_ignore_src_addrs: table[string, addr] of bool &redef &default=F;
-const backdoor_ignore_dst_addrs: table[string, addr] of bool &redef &default=F;
-
-const backdoor_standard_ports = {
-	telnet, rlogin, 512/tcp, 514/tcp, ftp, ssh, smtp, 143/tcp,
-	110/tcp, 6667/tcp,
-} &redef;
-const backdoor_annotate_standard_ports = T &redef;
-
-const backdoor_ignore_hosts: set[addr] &redef;
-const backdoor_ignore_src_nets: set[subnet] &redef;
-const backdoor_ignore_dst_nets: set[subnet] &redef;
-
-# Most backdoors are enabled by default, but a few are disabled by
-# default (T below) because they generated too many false positives
-# (or, for HTTP, too many uninteresting true positives).
-const ftp_sig_disabled			= F &redef;
-const gaobot_sig_disabled		= F &redef;
-const gnutella_sig_disabled		= F &redef;
-const http_proxy_sig_disabled		= T &redef;
-const http_sig_disabled			= T &redef;
-const irc_sig_disabled			= F &redef;
-const kazaa_sig_disabled		= F &redef;
-const napster_sig_disabled		= F &redef;
-const rlogin_sig_1byte_disabled		= T &redef;
-const rlogin_sig_disabled		= T &redef;
-const root_backdoor_sig_disabled	= T &redef;
-const smtp_sig_disabled			= F &redef;
-	# Note, for the following there's a corresponding variable
-	# interconn_ssh_len_disabled in interconn.bro.
-const ssh_len_disabled			= T &redef;
-const ssh_sig_disabled			= F &redef;
-const telnet_sig_3byte_disabled		= T &redef;
-const telnet_sig_disabled		= T &redef;
-
-global ssh_len_conns: set[conn_id];
-global rlogin_conns: table[conn_id] of rlogin_conn_info;
-global root_backdoor_sig_conns: set[conn_id];
-
-global did_sig_conns: table[conn_id] of set[string];
-
-const BACKDOOR_UNKNOWN = 0;
-const BACKDOOR_YES = 1;
-const BACKDOOR_NO = 2;
-const BACKDOOR_SIG_FOUND = 3;
-
-global telnet_sig_conns: table[conn_id] of count;
-global telnet_sig_3byte_conns: table[conn_id] of count;
-
-global smtp_sig_conns: table[conn_id] of count;
-global irc_sig_conns: table[conn_id] of count;
-global gaobot_sig_conns: table[conn_id] of count;
-
-const backdoor_log = open_log_file("backdoor") &redef;
-
-function ignore_backdoor_conn(c: connection, bd: string): bool
-	{
-	local oa = c$id$orig_h;
-	local ra = c$id$resp_h;
-	local op = c$id$orig_p;
-	local rp = c$id$resp_p;
-
-	if ( backdoor_ignore_ports[bd, op] ||
-	     backdoor_ignore_ports[bd, rp] ||
-
-	     # Check port wildcards.
-	     backdoor_ignore_ports[bd, 0/tcp] ||
-
-	     (ra in local_nets && bd in backdoor_ignore_local) ||
-	     (ra !in local_nets && bd in backdoor_ignore_remote) ||
-
-	     backdoor_ignore_src_addrs[bd, oa] ||
-	     backdoor_ignore_src_addrs[bd, mask_addr(oa, 16)] ||
-	     backdoor_ignore_src_addrs[bd, mask_addr(oa, 24)] ||
-
-	     backdoor_ignore_dst_addrs[bd, ra] ||
-	     backdoor_ignore_dst_addrs[bd, mask_addr(ra, 16)] ||
-	     backdoor_ignore_dst_addrs[bd, mask_addr(ra, 24)] )
-		return T;
-
-	if ( [oa, op] in backdoor_ignore_host_port_pairs ||
-	     [ra, rp] in backdoor_ignore_host_port_pairs )
-		return T;
-
-	if ( bd != "*" )
-		# Evaluate again, but for wildcarding the backdoor.
-		return ignore_backdoor_conn(c, "*");
-	else
-		return F;
-	}
-
-function log_backdoor(c: connection, tag: string): bool
-	{
-	if ( ignore_backdoor_conn(c, tag) )
-		return F;
-
-	local id = c$id;
-
-	if ( backdoor_annotate_standard_ports &&
-	     (id$orig_p in backdoor_standard_ports ||
-	      id$resp_p in backdoor_standard_ports) )
-		append_addl(c, fmt("[%s]", tag));
-
-	else if ( id$orig_h in backdoor_ignore_hosts ||
-		  id$resp_h in backdoor_ignore_hosts ||
-		  id$orig_h in backdoor_ignore_src_nets ||
-		  id$resp_h in backdoor_ignore_dst_nets )
-		return F;
-
-	else
-		{
-		print backdoor_log, fmt("%.6f %s > %s %s",
-			c$start_time,
-			endpoint_id(id$orig_h, id$orig_p),
-			endpoint_id(id$resp_h, id$resp_p),
-			tag);
-
-		NOTICE([$note=BackdoorFound, $msg=tag, $conn=c]);
-
-		if ( dump_backdoor_packets )
-			{
-			mkdir("backdoor-packets");
-			local fname = fmt("backdoor-packets/%s:%.2f",
-						tag, current_time());
-			dump_current_packet(fname);
-			}
-
-		if ( backdoor_demux_disabled ||
-		     tag in backdoor_demux_skip_tags )
-			{
-			if ( active_connection(c$id) )
-				skip_further_processing(c$id);
-			}
-		else
-			demux_conn(id, tag, "orig", "resp");
-		}
-
-	return T;
-	}
-
-event new_connection(c: connection)
-	{
-	local id = c$id;
-
-	if ( ! rlogin_sig_disabled || ! rlogin_sig_1byte_disabled )
-		{
-		local i: rlogin_conn_info;
-		i$o_num_null = i$o_len = i$r_num_null = i$r_len = 0;
-
-		rlogin_conns[id] = i;
-		}
-	}
-
-event backdoor_remove_conn(c: connection)
-	{
-	local id = c$id;
-
-	delete ssh_len_conns[id];
-	delete telnet_sig_conns[id];
-	delete telnet_sig_3byte_conns[id];
-	delete rlogin_conns[id];
-	delete root_backdoor_sig_conns[id];
-	delete smtp_sig_conns[id];
-	delete irc_sig_conns[id];
-	delete gaobot_sig_conns[id];
-
-	delete did_sig_conns[id];
-	}
-
-event root_backdoor_signature_found(c: connection)
-	{
-	if ( root_backdoor_sig_disabled ||
-	     ignore_backdoor_conn(c, "root-bd-sig") )
-		return;
-
-	local id = c$id;
-
-	# For root backdoors, don't ignore standard ports.  This is because
-	# we shouldn't see such a backdoor even 23/tcp or 513/tcp!
-
-	if ( id !in root_backdoor_sig_conns )
-		{
-		add root_backdoor_sig_conns[id];
-		log_backdoor(c, "root-bd-sig");
-		}
-	}
-
-function signature_found(c: connection, sig_disabled: bool, sig_name: string)
-	{
-	if ( sig_disabled )
-		return;
-
-	if ( ignore_backdoor_conn(c, sig_name) )
-		return;
-
-	if ( c$id !in did_sig_conns )
-		did_sig_conns[c$id] = set();
-
-	if ( sig_name !in did_sig_conns[c$id] )
-		{
-		add did_sig_conns[c$id][sig_name];
-		log_backdoor(c, sig_name);
-		}
-	}
-
-event ftp_signature_found(c: connection)
-	{
-	signature_found(c, ftp_sig_disabled, "ftp-sig");
-	}
-
-event napster_signature_found(c: connection)
-	{
-	signature_found(c, napster_sig_disabled, "napster-sig");
-	}
-
-event gnutella_signature_found(c: connection)
-	{
-	signature_found(c, gnutella_sig_disabled, "gnutella-sig");
-	}
-
-event kazaa_signature_found(c: connection)
-	{
-	signature_found(c, kazaa_sig_disabled, "kazaa-sig");
-	}
-
-event http_signature_found(c: connection)
-	{
-	signature_found(c, http_sig_disabled, "http-sig");
-	}
-
-event http_proxy_signature_found(c: connection)
-	{
-	signature_found(c, http_proxy_sig_disabled, "http-proxy-sig");
-	}
-
-event ssh_signature_found(c: connection, is_orig: bool)
-	{
-	signature_found(c, ssh_sig_disabled, "ssh-sig");
-	}
-
-event smtp_signature_found(c: connection)
-	{
-	signature_found(c, smtp_sig_disabled, "smtp-sig");
-	}
-
-event irc_signature_found(c: connection)
-	{
-	signature_found(c, irc_sig_disabled, "irc-sig");
-	}
-
-event gaobot_signature_found(c: connection)
-	{
-	signature_found(c, gaobot_sig_disabled, "gaobot-sig");
-	}
-
-event telnet_signature_found(c: connection, is_orig: bool, len: count)
-	{
-	local id = c$id;
-
-	if ( ignore_backdoor_conn(c, "telnet-sig") )
-		return;
-
-	if ( ! telnet_sig_disabled && id !in telnet_sig_conns )
-		telnet_sig_conns[id] = BACKDOOR_SIG_FOUND;
-
-	if ( ! telnet_sig_3byte_disabled && len == 3 &&
-	     id !in telnet_sig_3byte_conns )
-		telnet_sig_3byte_conns[id] = BACKDOOR_SIG_FOUND;
-	}
-
-event rlogin_signature_found(c: connection, is_orig: bool,
-			     num_null: count, len: count)
-	{
-	local id = c$id;
-
-	if ( (rlogin_sig_disabled && rlogin_sig_1byte_disabled) ||
-	     ignore_backdoor_conn(c, "rlogin-sig") )
-		return;
-
-	local ri = rlogin_conns[id];
-	if ( is_orig && ri$o_num_null == 0 )
-		ri$o_num_null = num_null;
-
-	else if ( ! is_orig && ri$r_num_null == 0 )
-		{
-		ri$r_num_null = num_null;
-		ri$r_len = len;
-		}
-	else
-		return;
-
-	if ( ri$o_num_null == 0 || ri$r_num_null == 0 )
-		return;
-
-	if ( ! rlogin_sig_1byte_disabled && ri$r_len == 1 )
-		log_backdoor(c, "rlogin-sig-1byte");
-
-	if ( ! rlogin_sig_disabled )
-		log_backdoor(c, "rlogin-sig");
-	}
-
-
-function ssh_len_stats(c: connection, os: backdoor_endp_stats,
-		       rs: backdoor_endp_stats) : bool
-	{
-	if ( ssh_len_disabled || c$id in ssh_len_conns )
-		return F;
-
-	if ( os$num_pkts == 0 || rs$num_pkts == 0 )
-		return F;
-
-	# xxx: only use ssh-len for partial connection
-
-	local is_partial = os$is_partial || rs$is_partial;
-	if ( ! is_partial )
-		return F;
-
-	local num_pkts = os$num_pkts + rs$num_pkts;
-
-	if ( num_pkts < ssh_min_num_pkts )
-		return F;
-
-	local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts;
-	local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts;
-
-	local id = c$id;
-	if ( num_8k0_pkts >= num_pkts * ssh_min_ssh_pkts_ratio )
-		{
-		add ssh_len_conns[id];
-		log_backdoor(c, "ssh-len-v2.x");
-		}
-
-	else if ( num_8k4_pkts >= num_pkts * ssh_min_ssh_pkts_ratio )
-		{
-		add ssh_len_conns[id];
-		log_backdoor(c, "ssh-len-v1.x");
-		}
-
-	return T;
-	}
-
-function telnet_stats(c: connection, os: backdoor_endp_stats,
-		      rs: backdoor_endp_stats) : bool
-	{
-	local num_lines = os$num_lines + rs$num_lines;
-	local num_normal_lines = os$num_normal_lines + rs$num_normal_lines;
-
-	if ( num_lines < backdoor_min_num_lines ||
-	     num_normal_lines < num_lines * backdoor_min_normal_line_ratio )
-		return F;
-
-	local num_bytes = os$num_bytes + rs$num_bytes;
-	local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii;
-
-	if ( num_bytes < backdoor_min_bytes ||
-	     num_7bit_ascii < num_bytes * backdoor_min_7bit_ascii_ratio )
-		return F;
-
-	local id = c$id;
-
-	if ( id in telnet_sig_conns &&
-	     telnet_sig_conns[id] != BACKDOOR_YES )
-		{
-		telnet_sig_conns[id] = BACKDOOR_YES;
-		log_backdoor(c, "telnet-sig");
-		}
-
-	if ( id in telnet_sig_3byte_conns &&
-	     telnet_sig_3byte_conns[id] != BACKDOOR_YES )
-		{
-		telnet_sig_3byte_conns[id] = BACKDOOR_YES;
-		log_backdoor(c, "telnet-sig-3byte");
-		}
-
-	return T;
-	}
-
-event backdoor_stats(c: connection,
-			os: backdoor_endp_stats, rs: backdoor_endp_stats)
-	{
-	telnet_stats(c, os, rs);
-	ssh_len_stats(c, os, rs);
-	}
diff --git a/policy/bittorrent.bro b/policy/bittorrent.bro
deleted file mode 100644
index 7a1576abf5..0000000000
--- a/policy/bittorrent.bro
+++ /dev/null
@@ -1,277 +0,0 @@
-# $Id:$
-#
-# bittorrent.bro - policy script for analyzing BitTorrent traffic
-# ---------------------------------------------------------------
-# This code contributed by Nadi Sarrar.
-
-@load dpd
-@load weird
-
-module BitTorrent;
-
-export {
-	# Whether to log the length of PDUs.
-	global log_pdu_length = T &redef;
-}
-
-redef capture_filters += { ["bittorrent"] = "tcp" };
-
-type bt_peer_state: enum {
-	choked,	# peer won't receive any responses to requests (initial state)
-	unchoked	# peer may do requests
-};
-
-type bt_peer_info: record {
-	# Total of pure peer wire protocol overhead data (w/o pieces).
-	protocol_total: count &default = 0;
-
-	# State of the peer - choked or unchoked.
-	state: bt_peer_state &default = choked;
-
-	# Total number of seconds the peer was unchoked.
-	unchoked: interval &default = 0 secs;
-
-	# Time of the last received unchoke message.
-	time_last_unchoked: time;
-};
-
-type bt_peer_conn: record {
-	id: count;
-	orig: bt_peer_info;
-	resp: bt_peer_info;
-	weird: bool &default = F;
-};
-
-global bittorrent_log = open_log_file("bittorrent") &redef;
-global bt_peer_conns : table[conn_id] of bt_peer_conn;
-global peer_conn_count = 0;
-
-function record_peer_protocol_traffic(c: connection, is_orig: bool,
-					protocol_len: count): count
-	{
-	if ( c$id in bt_peer_conns )
-		{
-		local pc = bt_peer_conns[c$id];
-
-		if ( is_orig )
-			pc$orig$protocol_total += protocol_len;
-		else
-			pc$resp$protocol_total += protocol_len;
-
-		return pc$id;
-		}
-
-	return 0;
-	}
-
-function record_choke(pi: bt_peer_info, now: time)
-	{
-	if ( pi$state == unchoked )
-		{
-		pi$state = choked;
-		pi$unchoked += now - pi$time_last_unchoked;
-		}
-	}
-
-function record_unchoke(pi: bt_peer_info, now: time)
-	{
-	if ( pi$state == choked )
-		{
-		pi$state = unchoked;
-		pi$time_last_unchoked = now;
-		}
-	}
-
-function lookup_bt_peer(id: conn_id): bt_peer_conn
-	{
-	if ( id in bt_peer_conns )
-		return bt_peer_conns[id];
-
-	local orig: bt_peer_info;
-	local resp: bt_peer_info;
-	local pc: bt_peer_conn;
-	pc$orig = orig;
-	pc$resp = resp;
-	pc$id = ++peer_conn_count;
-	bt_peer_conns[id] = pc;
-
-	return pc;
-	}
-
-function bt_log_id(id: conn_id, cid: count, tag: string, is_orig: bool): string
-	{
-	return fmt("%.6f P%d %s %s:%d %s %s:%d",
-			network_time(), cid, tag, id$orig_h, id$orig_p,
-			is_orig ? ">" : "<", id$resp_h, id$resp_p);
-	}
-
-function pdu_log_len(len: count): string
-	{
-	return log_pdu_length ? fmt("[PDU-len:%d]", len) : "";
-	}
-
-function log_pdu(c: connection, is_orig: bool, tag: string, len: count): count
-	{
-	local cid = record_peer_protocol_traffic(c, is_orig, len);
-	print bittorrent_log,
-		fmt("%s %s", bt_log_id(c$id, cid, tag, is_orig),
-				pdu_log_len(len));
-
-	return cid;
-	}
-
-function log_pdu_str(c: connection, is_orig: bool, tag: string, len: count,
-			str: string)
-	{
-	local cid = record_peer_protocol_traffic(c, is_orig, len);
-	print bittorrent_log,
-		fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig),
-				pdu_log_len(len), str);
-	}
-
-function log_pdu_str_n(c: connection, is_orig: bool, tag: string, len: count,
-			n: count, str: string)
-	{
-	local cid = record_peer_protocol_traffic(c, is_orig, len);
-	print bittorrent_log,
-		fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig),
-			pdu_log_len(n), str);
-	}
-
-event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
-				info_hash: string, peer_id: string)
-	{
-	local pc = lookup_bt_peer(c$id);
-	log_pdu_str(c, is_orig, "handshake", 68,
-		fmt("[peer_id:%s info_hash:%s reserved:%s]",
-			bytestring_to_hexstr(peer_id),
-			bytestring_to_hexstr(info_hash),
-			bytestring_to_hexstr(reserved)));
-	}
-
-event bittorrent_peer_keep_alive(c: connection, is_orig: bool)
-	{
-	log_pdu(c, is_orig, "keep-alive", 4);
-	}
-
-event bittorrent_peer_choke(c: connection, is_orig: bool)
-	{
-	local cid = log_pdu(c, is_orig, "choke", 5);
-	if ( cid > 0 )
-		{
-		local pc = bt_peer_conns[c$id];
-		record_choke(is_orig ? pc$resp : pc$orig, network_time());
-		}
-	}
-
-event bittorrent_peer_unchoke(c: connection, is_orig: bool)
-	{
-	local cid = log_pdu(c, is_orig, "unchoke", 5);
-	if ( cid > 0 )
-		{
-		local pc = bt_peer_conns[c$id];
-		record_unchoke(is_orig ? pc$resp : pc$orig, network_time());
-		}
-	}
-
-event bittorrent_peer_interested(c: connection, is_orig: bool)
-	{
-	log_pdu(c, is_orig, "interested", 5);
-	}
-
-event bittorrent_peer_not_interested(c: connection, is_orig: bool)
-	{
-	log_pdu(c, is_orig, "not-interested", 5);
-	}
-
-event bittorrent_peer_have(c: connection, is_orig: bool, piece_index: count)
-	{
-	log_pdu(c, is_orig, "have", 9);
-	}
-
-event bittorrent_peer_bitfield(c: connection, is_orig: bool, bitfield: string)
-	{
-	log_pdu_str(c, is_orig, "bitfield", 5 + byte_len(bitfield), 
-			fmt("[bitfield:%s]",
-				bytestring_to_hexstr(bitfield)));
-	}
-
-event bittorrent_peer_request(c: connection, is_orig: bool, index: count,
-				begin: count, length: count)
-	{
-	log_pdu_str(c, is_orig, "request", 17,
-		fmt("[index:%d begin:%d length:%d]", index, begin, length));
-	}
-
-event bittorrent_peer_piece(c: connection, is_orig: bool, index: count,
-				begin: count, piece_length: count)
-	{
-	log_pdu_str_n(c, is_orig, "piece", 13, 13 + piece_length,
-		fmt("[index:%d begin:%d piece_length:%d]",
-			index, begin, piece_length));
-	}
-
-event bittorrent_peer_cancel(c: connection, is_orig: bool, index: count,
-				begin: count, length: count)
-	{
-	log_pdu_str(c, is_orig, "cancel", 7,
-		fmt("[index:%d begin:%d length:%d]",
-			index, begin, length));
-	}
-
-event bittorrent_peer_port(c: connection, is_orig: bool, listen_port: port)
-	{
-	log_pdu_str(c, is_orig, "port", 5,
-			fmt("[listen_port:%s]", listen_port));
-	}
-
-event bittorrent_peer_unknown(c: connection, is_orig: bool, message_id: count,
-				data: string)
-	{
-	log_pdu_str(c, is_orig, "<unknown>", 5 + byte_len(data),
-			fmt("[message_id:%d]", message_id));
-	}
-
-event bittorrent_peer_weird(c: connection, is_orig: bool, msg: string)
-	{
-	local pc = lookup_bt_peer(c$id);
-	pc$weird = T;
-
-	print bittorrent_log,
-		fmt("%s [%s]", bt_log_id(c$id, pc$id, "<weird>", is_orig), msg);
-
-	event conn_weird(msg, c);
-	}
-
-function log_close(c: connection, pc: bt_peer_conn, is_orig: bool)
-	{
-	local endp = is_orig ? c$orig : c$resp;
-	local peer_i = is_orig ? pc$orig : pc$resp;
-
-	local status =
-		pc$weird ?
-			fmt("size:%d", endp$size) :
-			fmt("unchoked:%.06f size_protocol:%d size_pieces:%d",
-				peer_i$unchoked, peer_i$protocol_total,
-				endp$size - peer_i$protocol_total);
-
-	print bittorrent_log,
-		fmt("%s [duration:%.06f %s]",
-			bt_log_id(c$id, pc$id, "<closed>", is_orig),
-			c$duration, status);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id !in bt_peer_conns )
-		return;
-
-	local pc = bt_peer_conns[c$id];
-	delete bt_peer_conns[c$id];
-
-	record_choke(pc$orig, c$start_time + c$duration);
-	record_choke(pc$resp, c$start_time + c$duration);
-
-	log_close(c, pc, T);
-	log_close(c, pc, F);
-	}
diff --git a/policy/blaster.bro b/policy/blaster.bro
deleted file mode 100644
index 07cc542199..0000000000
--- a/policy/blaster.bro
+++ /dev/null
@@ -1,52 +0,0 @@
-# $Id: blaster.bro 5952 2008-07-13 19:45:15Z vern $
-#
-# Identifies W32.Blaster-infected hosts by observing their scanning
-# activity.
-
-@load notice
-@load site
-
-# Which hosts have scanned which addresses via 135/tcp.
-global w32b_scanned: table[addr] of set[addr] &write_expire = 5min;
-global w32b_reported: set[addr] &persistent;
-
-const W32B_port = 135/tcp;
-const W32B_MIN_ATTEMPTS = 50 &redef;
-
-redef enum Notice += {
-	W32B_SourceLocal,
-	W32B_SourceRemote,
-};
-
-event connection_attempt(c: connection)
-	{
-	if ( c$id$resp_p != W32B_port )
-		return;
-
-	local ip = c$id$orig_h;
-
-	if ( ip in w32b_reported )
-		return;
-
-	if ( ip in w32b_scanned )
-		{
-		add (w32b_scanned[ip])[c$id$resp_h];
-
-		if ( length(w32b_scanned[ip]) >= W32B_MIN_ATTEMPTS )
-			{
-			if ( is_local_addr(ip) )
-				NOTICE([$note=W32B_SourceLocal, $conn=c,
-					$msg=fmt("W32.Blaster local source: %s",
-							ip)]);
-			else
-				NOTICE([$note=W32B_SourceRemote, $conn=c,
-					$msg=fmt("W32.Blaster remote source: %s",
-							ip)]);
-
-			add w32b_reported[ip];
-			}
-		}
-
-	else
-		w32b_scanned[ip] = set(ip) &mergeable;
-	}
diff --git a/policy/bro.init b/policy/bro.init
deleted file mode 100644
index 5b963169df..0000000000
--- a/policy/bro.init
+++ /dev/null
@@ -1,1386 +0,0 @@
-# $Id: bro.init 6887 2009-08-20 05:17:33Z vern $
-
-@load const.bif.bro
-
-global bro_signal: event(signal: count);
-
-# Called (one day) if there's no handler for an internal event.
-global no_handler: event(name: string, val: any);
-
-# Type declarations
-type string_array: table[count] of string;
-type string_set: set[string];
-type index_vec: vector of count;
-type string_vec: vector of string;
-
-type transport_proto: enum { unknown_transport, tcp, udp, icmp };
-
-type conn_id: record {
-	orig_h: addr;
-	orig_p: port;
-	resp_h: addr;
-	resp_p: port;
-};
-
-type icmp_conn: record {
-	orig_h: addr;
-	resp_h: addr;
-	itype: count;
-	icode: count;
-	len: count;
-
-	v6: bool;	# true if it's an ICMPv6 packet.
-};
-
-type icmp_hdr: record {
-	icmp_type: count;	# type of message
-};
-
-type icmp_context: record {
-	id: conn_id;
-	len: count;
-	proto: count;
-	bad_hdr_len: bool;
-	bad_checksum: bool;	# always true for ICMPv6.
-	frag_offset: count;	# always 0 for IMCPv6.
-	MF: bool;		# always false for IMCPv6.
-	DF: bool;		# always true for ICMPv6.
-};
-
-type addr_set: set[addr];
-
-type dns_mapping: record {
-	creation_time: time;
-
-	req_host: string;
-	req_addr: addr;
-
-	valid: bool;
-	hostname: string;
-	addrs: addr_set;
-};
-
-type ftp_port: record {
-	h: addr;
-	p: port;
-	valid: bool;	# true if format was right
-};
-
-type endpoint: record {
-	size: count;
-	state: count;
-};
-
-type endpoint_stats: record {
-	num_pkts: count;
-	num_rxmit: count;
-	num_rxmit_bytes: count;
-	num_in_order: count;
-	num_OO: count;
-	num_repl: count;
-	endian_type: count;
-};
-
-type AnalyzerID: count;
-
-type connection: record {
-	id: conn_id;
-	orig: endpoint;
-	resp: endpoint;
-	start_time: time;
-	duration: interval;
-	service: string_set;	# if empty, service hasn't been determined
-	addl: string;
-	hot: count;		# how hot; 0 = don't know or not hot
-	history: string;
-};
-
-type SYN_packet: record {
-	is_orig: bool;
-	DF: bool;
-	ttl: count;
-	size: count;
-	win_size: count;
-	win_scale: int;
-	MSS: count;
-	SACK_OK: bool;
-};
-
-type bro_resources: record {
-	version: string;        # Bro version string
-	debug: bool;            # true if compiled with --enable-debug
-	start_time: time;	# start time of process
-	real_time: interval;	# elapsed real time since Bro started running
-	user_time: interval;	# user CPU seconds
-	system_time: interval;	# system CPU seconds
-	mem: count;		# maximum memory consumed, in KB
-	minor_faults: count;	# page faults not requiring actual I/O
-	major_faults: count;	# page faults requiring actual I/O
-	num_swap: count;	# times swapped out
-	blocking_input: count;	# blocking input operations
-	blocking_output: count;	# blocking output operations
-	num_context: count;	# number of involuntary context switches
-
-	num_TCP_conns: count;	# current number of TCP connections
-	num_UDP_conns: count;
-	num_ICMP_conns: count;
-	num_fragments: count;	# current number of fragments pending reassembly
-	num_packets: count;	# total number packets processed to date
-	num_timers: count;	# current number of pending timers
-	num_events_queued: count;	# total number of events queued so far
-	num_events_dispatched: count;	# same for events dispatched
-
-	max_TCP_conns: count;	# maximum number of TCP connections, etc.
-	max_UDP_conns: count;
-	max_ICMP_conns: count;
-	max_fragments: count;
-	max_timers: count;
-};
-
-
-# Summary statistics of all DFA_State_Caches.
-type matcher_stats: record {
-	matchers: count;	# number of distinct RE matchers
-	dfa_states: count;	# number of DFA states across all matchers
-	computed: count;	# number of computed DFA state transitions
-	mem: count;		# number of bytes used by DFA states
-	hits: count;		# number of cache hits
-	misses: count;		# number of cache misses
-	avg_nfa_states: count;	# average # NFA states across all matchers
-};
-
-# Info provided to gap_report, and also available by get_gap_summary().
-type gap_info: record {
-	ack_events: count;	# how many ack events *could* have had gaps
-	ack_bytes: count;	# how many bytes those covered
-	gap_events: count;	# how many *did* have gaps
-	gap_bytes: count;	# how many bytes were missing in the gaps:
-};
-
-# This record should be read-only.
-type packet: record {
-	conn: connection;
-	is_orig: bool;
-	seq: count;	# seq=k => it is the kth *packet* of the connection
-	timestamp: time;
-};
-
-type var_sizes: table[string] of count;	# indexed by var's name, returns size
-
-type script_id: record {
-	type_name: string;
-	exported: bool;
-	constant: bool;
-	enum_constant: bool;
-	redefinable: bool;
-	value: any &optional;
-};
-
-type id_table: table[string] of script_id;
-
-# {precompile,install}_pcap_filter identify the filter by IDs
-type PcapFilterID: enum { None };
-
-type IPAddrAnonymization: enum {
-	KEEP_ORIG_ADDR,
-	SEQUENTIALLY_NUMBERED,
-	RANDOM_MD5,
-	PREFIX_PRESERVING_A50,
-	PREFIX_PRESERVING_MD5,
-};
-
-type IPAddrAnonymizationClass: enum {
-	ORIG_ADDR,	# client address
-	RESP_ADDR,	# server address
-	OTHER_ADDR,
-};
-
-
-# Events are generated by event_peer's (which may be either ourselves, or
-# some remote process).
-type peer_id: count;
-
-type event_peer: record {
-	id: peer_id;	# locally unique ID of peer (returned by connect())
-	host: addr;
-	p: port;
-	is_local: bool;	# true if this peer describes the current process.
-	descr: string;	# source's external_source_description
-	class: string &optional;	# self-assigned class of the peer
-};
-
-type rotate_info: record {
-	old_name: string;  # original filename
-	new_name: string;  # file name after rotation
-	open: time;        # time when opened
-	close: time;       # time when closed
-};
-
-
-### The following aren't presently used, though they should be.
-# # Structures needed for subsequence computations (str_smith_waterman):
-# #
-# type sw_variant: enum {
-#	SW_SINGLE,
-#	SW_MULTIPLE,
-# };
-
-type sw_params: record {
-	# Minimum size of a substring, minimum "granularity".
-	min_strlen: count &default = 3;
-
-	# Smith-Waterman flavor to use.
-	sw_variant: count &default = 0;
-};
-
-type sw_align: record {
-	str: string;	# string a substring is part of
-	index: count;	# at which offset
-};
-
-type sw_align_vec: vector of sw_align;
-
-type sw_substring: record {
-	str: string;	# a substring
-	aligns: sw_align_vec;	# all strings of which it's a substring
-	new: bool;	# true if start of new alignment
-};
-
-type sw_substring_vec: vector of sw_substring;
-
-# Policy-level handling of pcap packets.
-type pcap_packet: record {
-	ts_sec: count;
-	ts_usec: count;
-	caplen: count;
-	len: count;
-	data: string;
-};
-
-# GeoIP support.
-type geo_location: record {
-	country_code: string;
-	region: string;
-	city: string;
-	latitude: double;
-	longitude: double;
-};
-
-# Prototypes of Bro built-in functions.
-@load strings.bif.bro
-@load bro.bif.bro
-
-global bro_alarm_file: file &redef;
-global alarm_hook: function(msg: string): bool &redef;
-global log_file_name: function(tag: string): string &redef;
-global open_log_file: function(tag: string): file &redef;
-
-# Where to store the persistent state.
-const state_dir = ".state" &redef;
-
-# Length of the delays added when storing state incrementally.
-const state_write_delay = 0.01 secs &redef;
-
-global done_with_network = F;
-event net_done(t: time) { done_with_network = T; }
-
-const SIGHUP = 1;
-event bro_signal(signal: count)
-	{
-	if ( signal == SIGHUP )
-		{
-		flush_all();
-		checkpoint_state();
-		}
-	}
-
-function log_file_name(tag: string): string
-	{
-	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
-	return fmt("%s.%s", tag, suffix);
-	}
-
-function open_log_file(tag: string): file
-	{
-	return open(log_file_name(tag));
-	}
-
-function add_interface(iold: string, inew: string): string
-	{
-	if ( iold == "" )
-		return inew;
-	else
-		return fmt("%s %s", iold, inew);
-	}
-
-global interfaces = "" &add_func = add_interface;
-
-function add_signature_file(sold: string, snew: string): string
-	{
-	if ( sold == "" )
-		return snew;
-	else
-		return cat(sold, " ", snew);
-	}
-
-global signature_files = "" &add_func = add_signature_file;
-
-const passive_fingerprint_file = "sigs/p0fsyn" &redef;
-
-const ftp = 21/tcp;
-const ssh = 22/tcp;
-const telnet = 23/tcp;
-const smtp = 25/tcp;
-const domain = 53/tcp;	# note, doesn't include UDP version
-const gopher = 70/tcp;
-const finger = 79/tcp;
-const http = 80/tcp;
-const ident = 113/tcp;
-const bgp = 179/tcp;
-const rlogin = 513/tcp;
-
-const TCP_INACTIVE = 0;
-const TCP_SYN_SENT = 1;
-const TCP_SYN_ACK_SENT = 2;
-const TCP_PARTIAL = 3;
-const TCP_ESTABLISHED = 4;
-const TCP_CLOSED = 5;
-const TCP_RESET = 6;
-
-# If true, don't verify checksums.  Useful for running on altered trace
-# files, and for saving a few cycles, but of course dangerous, too ...
-# Note that the -C command-line option overrides the setting of this
-# variable.
-const ignore_checksums = F &redef;
-
-# If true, instantiate connection state when a partial connection
-# (one missing its initial establishment negotiation) is seen.
-const partial_connection_ok = T &redef;
-
-# If true, instantiate connection state when a SYN ack is seen
-# but not the initial SYN (even if partial_connection_ok is false).
-const tcp_SYN_ack_ok = T &redef;
-
-# If a connection state is removed there may still be some undelivered
-# data waiting in the reassembler. If true, pass this to the signature
-# engine before flushing the state.
-const tcp_match_undelivered = T &redef;
-
-# Check up on the result of an initial SYN after this much time.
-const tcp_SYN_timeout = 5 secs &redef;
-
-# After a connection has closed, wait this long for further activity
-# before checking whether to time out its state.
-const tcp_session_timer = 6 secs &redef;
-
-# When checking a closed connection for further activity, consider it
-# inactive if there hasn't been any for this long.  Complain if the
-# connection is reused before this much time has elapsed.
-const tcp_connection_linger = 5 secs &redef;
-
-# Wait this long upon seeing an initial SYN before timing out the
-# connection attempt.
-const tcp_attempt_delay = 5 secs &redef;
-
-# Upon seeing a normal connection close, flush state after this much time.
-const tcp_close_delay = 5 secs &redef;
-
-# Upon seeing a RST, flush state after this much time.
-const tcp_reset_delay = 5 secs &redef;
-
-# Generate a connection_partial_close event this much time after one half
-# of a partial connection closes, assuming there has been no subsequent
-# activity.
-const tcp_partial_close_delay = 3 secs &redef;
-
-# If a connection belongs to an application that we don't analyze,
-# time it out after this interval.  If 0 secs, then don't time it out.
-const non_analyzed_lifetime = 0 secs &redef;
-
-# If a connection is inactive, time it out after this interval.
-# If 0 secs, then don't time it out.
-const tcp_inactivity_timeout = 5 min &redef;
-const udp_inactivity_timeout = 1 min &redef;
-const icmp_inactivity_timeout = 1 min &redef;
-
-# This many FINs/RSTs in a row constitutes a "storm".
-const tcp_storm_thresh = 1000 &redef;
-
-# The FINs/RSTs must come with this much time or less between them.
-const tcp_storm_interarrival_thresh = 1 sec &redef;
-
-# Maximum amount of data that might plausibly be sent in an initial
-# flight (prior to receiving any acks).  Used to determine whether we
-# must not be seeing our peer's acks.  Set to zero to turn off this
-# determination.
-const tcp_max_initial_window = 4096;
-
-# If we're not seeing our peer's acks, the maximum volume of data above
-# a sequence hole that we'll tolerate before assuming that there's
-# been a packet drop and we should give up on tracking a connection.
-# If set to zero, then we don't ever give up.
-const tcp_max_above_hole_without_any_acks = 4096;
-
-# If we've seen this much data without any of it being acked, we give up
-# on that connection to avoid memory exhaustion due to buffering all that
-# stuff.  If set to zero, then we don't ever give up.  Ideally, Bro would
-# track the current window on a connection and use it to infer that data
-# has in fact gone too far, but for now we just make this quite beefy.
-const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024;
-
-# For services without a handler, these sets define which
-# side of a connection is to be reassembled.
-const tcp_reassembler_ports_orig: set[port] = {} &redef;
-const tcp_reassembler_ports_resp: set[port] = {} &redef;
-
-# These sets define destination ports for which the contents
-# of the originator (responder, respectively) stream should
-# be delivered via tcp_contents.
-const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef;
-const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef;
-
-# To have all TCP orig->resp/resp->orig traffic reported via tcp_contents,
-# redef these to T.
-const tcp_content_deliver_all_orig = F &redef;
-const tcp_content_deliver_all_resp = F &redef;
-
-# These sets define destination ports for which the contents
-# of the originator (responder, respectively) stream should
-# be delivered via udp_contents.
-const udp_content_delivery_ports_orig: table[port] of bool = {} &redef;
-const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
-
-# To have all UDP orig->resp/resp->orig traffic reported via udp_contents,
-# redef these to T.
-const udp_content_deliver_all_orig = F &redef;
-const udp_content_deliver_all_resp = F &redef;
-
-# Check for expired table entries after this amount of time
-const table_expire_interval = 10 secs &redef;
-
-# When expiring/serializing, don't work on more than this many table
-# entries at a time.
-const table_incremental_step = 5000 &redef;
-
-# When expiring, wait this amount of time before checking the next chunk
-# of entries.
-const table_expire_delay = 0.01 secs &redef;
-
-# Time to wait before timing out a DNS/NTP/RPC request.
-const dns_session_timeout = 10 sec &redef;
-const ntp_session_timeout = 300 sec &redef;
-const rpc_timeout = 24 sec &redef;
-
-# Time window for reordering packets (to deal with timestamp
-# discrepency between multiple packet sources).
-const packet_sort_window = 0 usecs &redef;
-
-# How long to hold onto fragments for possible reassembly.  A value
-# of 0.0 means "forever", which resists evasion, but can lead to
-# state accrual.
-const frag_timeout = 0.0 sec &redef;
-
-# If positive, indicates the encapsulation header size that should
-# be skipped over for each captured packet ....
-const encap_hdr_size = 0 &redef;
-# ... or just for the following UDP port.
-const tunnel_port = 0/udp &redef;
-
-const UDP_INACTIVE = 0;
-const UDP_ACTIVE = 1;	# means we've seen something from this endpoint
-
-const ENDIAN_UNKNOWN = 0;
-const ENDIAN_LITTLE = 1;
-const ENDIAN_BIG = 2;
-const ENDIAN_CONFUSED = 3;
-
-function append_addl(c: connection, addl: string)
-	{
-	if ( c$addl == "" )
-		c$addl= addl;
-
-	else if ( addl !in c$addl )
-		c$addl = fmt("%s %s", c$addl, addl);
-	}
-
-function append_addl_marker(c: connection, addl: string, marker: string)
-	{
-	if ( c$addl == "" )
-		c$addl= addl;
-
-	else if ( addl !in c$addl )
-		c$addl = fmt("%s%s%s", c$addl, marker, addl);
-	}
-
-
-# Values for set_contents_file's "direction" argument.
-const CONTENTS_NONE = 0;	# turn off recording of contents
-const CONTENTS_ORIG = 1;	# record originator contents
-const CONTENTS_RESP = 2;	# record responder contents
-const CONTENTS_BOTH = 3;	# record both originator and responder contents
-
-const ICMP_UNREACH_NET = 0;
-const ICMP_UNREACH_HOST = 1;
-const ICMP_UNREACH_PROTOCOL = 2;
-const ICMP_UNREACH_PORT = 3;
-const ICMP_UNREACH_NEEDFRAG = 4;
-const ICMP_UNREACH_ADMIN_PROHIB = 13;
-# The above list isn't exhaustive ...
-
-
-# Definitions for access to packet headers.  Currently only used for
-# discarders.
-const IPPROTO_IP = 0;			# dummy for IP
-const IPPROTO_ICMP = 1;			# control message protocol
-const IPPROTO_IGMP = 2;			# group mgmt protocol
-const IPPROTO_IPIP = 4;			# IP encapsulation in IP
-const IPPROTO_TCP = 6;			# TCP
-const IPPROTO_UDP = 17;			# user datagram protocol
-const IPPROTO_ICMPV6 = 58;		# ICMP for IPv6
-const IPPROTO_RAW = 255;		# raw IP packet
-
-type ip_hdr: record {
-	hl: count;		# header length (in bytes)
-	tos: count;		# type of service
-	len: count;		# total length
-	id: count;		# identification
-	ttl: count;		# time to live
-	p: count;		# protocol
-	src: addr;		# source address
-	dst: addr;		# dest address
-};
-
-# TCP flags.
-const TH_FIN = 1;
-const TH_SYN = 2;
-const TH_RST = 4;
-const TH_PUSH = 8;
-const TH_ACK = 16;
-const TH_URG = 32;
-const TH_FLAGS = 63;		# (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG)
-
-type tcp_hdr: record {
-	sport: port;		# source port
-	dport: port;		# destination port
-	seq: count;		# sequence number
-	ack: count;		# acknowledgement number
-	hl: count;		# header length (in bytes)
-	dl: count;		# data length (xxx: not in original tcphdr!)
-	flags: count;		# flags
-	win: count;		# window
-};
-
-type udp_hdr: record {
-	sport: port;		# source port
-	dport: port;		# destination port
-	ulen: count;		# udp length
-};
-
-
-# Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr.
-type pkt_hdr: record {
-	ip: ip_hdr;
-	tcp: tcp_hdr &optional;
-	udp: udp_hdr &optional;
-	icmp: icmp_hdr &optional;
-};
-
-
-# If you add elements here, then for a given BPF filter as index, when
-# a packet matching that filter is captured, the corresponding event handler
-# will be invoked.
-global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
-	&redef;
-
-global discarder_maxlen = 128 &redef;	# maximum amount of data passed to fnc
-
-global discarder_check_ip: function(i: ip_hdr): bool;
-global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
-global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
-global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
-# End of definition of access to packet headers, discarders.
-
-
-type net_stats: record {
-	# All counts are cumulative.
-	pkts_recvd: count;	# pkts received by Bro
-	pkts_dropped: count;	# pkts dropped
-	pkts_link: count;	# pkts seen on link (not always available)
-};
-
-
-const watchdog_interval = 10 sec &redef;
-const heartbeat_interval = 10 sec &redef;
-
-# The maximum number of timers to expire after processing each new
-# packet.  The value trades off spreading out the timer expiration load
-# with possibly having to hold state longer.  A value of 0 means
-# "process all expired timers with each new packet".
-const max_timer_expires = 300 &redef;
-
-# With a similar trade-off, this gives the number of remote events
-# to process in a batch before interleaving other activity.
-const max_remote_events_processed = 10 &redef;
-
-# These need to match the definitions in Login.h.
-const LOGIN_STATE_AUTHENTICATE = 0;	# trying to authenticate
-const LOGIN_STATE_LOGGED_IN = 1;	# successful authentication
-const LOGIN_STATE_SKIP = 2;	# skip any further processing
-const LOGIN_STATE_CONFUSED = 3;	# we're confused
-
-# It would be nice to replace these function definitions with some
-# form of parameterized types.
-function min_double(a: double, b: double): double { return a < b ? a : b; }
-function max_double(a: double, b: double): double { return a > b ? a : b; }
-function min_interval(a: interval, b: interval): interval { return a < b ? a : b; }
-function max_interval(a: interval, b: interval): interval { return a > b ? a : b; }
-function min_count(a: count, b: count): count { return a < b ? a : b; }
-function max_count(a: count, b: count): count { return a > b ? a : b; }
-
-global skip_authentication: set[string] &redef;
-global direct_login_prompts: set[string] &redef;
-global login_prompts: set[string] &redef;
-global login_non_failure_msgs: set[string] &redef;
-global login_failure_msgs: set[string] &redef;
-global login_success_msgs: set[string] &redef;
-global login_timeouts: set[string] &redef;
-
-type mime_header_rec: record {
-	name: string;
-	value: string;
-};
-type mime_header_list: table[count] of mime_header_rec;
-global mime_segment_length = 1024 &redef;
-global mime_segment_overlap_length = 0 &redef;
-
-type pm_mapping: record {
-	program: count;
-	version: count;
-	p: port;
-};
-
-type pm_mappings: table[count] of pm_mapping;
-
-type pm_port_request: record {
-	program: count;
-	version: count;
-	is_tcp: bool;
-};
-
-type pm_callit_request: record {
-	program: count;
-	version: count;
-	proc: count;
-	arg_size: count;
-};
-
-# See const.bif
-# const RPC_SUCCESS = 0;
-# const RPC_PROG_UNAVAIL = 1;
-# const RPC_PROG_MISMATCH = 2;
-# const RPC_PROC_UNAVAIL = 3;
-# const RPC_GARBAGE_ARGS = 4;
-# const RPC_SYSTEM_ERR = 5;
-# const RPC_TIMEOUT = 6;
-# const RPC_AUTH_ERROR = 7;
-# const RPC_UNKNOWN_ERROR = 8;
-
-const RPC_status = {
-	[RPC_SUCCESS] = "ok",
-	[RPC_PROG_UNAVAIL] = "prog unavail",
-	[RPC_PROG_MISMATCH] = "mismatch",
-	[RPC_PROC_UNAVAIL] = "proc unavail",
-	[RPC_GARBAGE_ARGS] = "garbage args",
-	[RPC_SYSTEM_ERR] = "system err",
-	[RPC_TIMEOUT] = "timeout",
-	[RPC_AUTH_ERROR] = "auth error",
-	[RPC_UNKNOWN_ERROR] = "unknown"
-};
-
-
-type nfs3_file_type: enum {
-	NFS3_REG, NFS3_DIR, NFS3_BLK, NFS3_CHR, NFS3_LNK, NFS3_SOCK, NFS3_FIFO,
-};
-
-type nfs3_attrs: record {
-	ftype: nfs3_file_type;
-	mode: count;
-	nlink: count;
-	uid: count;
-	gid: count;
-	size: double;
-	used: double;
-	rdev1: count;
-	rdev2: count;
-	fsid: double;
-	fileid: double;
-	atime: time;
-	mtime: time;
-	ctime: time;
-};
-
-type nfs3_opt_attrs: record {
-	attrs: nfs3_attrs &optional;
-};
-
-type nfs3_lookup_args: record {
-	fh: string;	# file handle of directory in which to search
-	name: string;	# name of file to look for in directory
-};
-
-type nfs3_lookup_reply: record {
-	fh: string;	# file handle of object looked up
-	file_attr: nfs3_opt_attrs;	# optional attributes associated w/ file
-	dir_attr: nfs3_opt_attrs;	# optional attributes associated w/ dir.
-};
-
-type nfs3_fsstat: record {
-	attrs: nfs3_opt_attrs;
-	tbytes: double;
-	fbytes: double;
-	abytes: double;
-	tfiles: double;
-	ffiles: double;
-	afiles: double;
-	invarsec: interval;
-};
-
-
-type ntp_msg: record {
-	id: count;
-	code: count;
-	stratum: count;
-	poll: count;
-	precision: int;
-	distance: interval;
-	dispersion: interval;
-	ref_t: time;
-	originate_t: time;
-	receive_t: time;
-	xmit_t: time;
-};
-
-
-# Maps Samba command numbers to descriptive names.
-global samba_cmds: table[count] of string &redef
-			&default = function(c: count): string
-				{ return fmt("samba-unknown-%d", c); };
-
-type smb_hdr : record {
-	command: count;
-	status: count;
-	flags: count;
-	flags2: count;
-	tid: count;
-	pid: count;
-	uid: count;
-	mid: count;
-};
-
-type smb_trans : record {
-	word_count: count;
-	total_param_count: count;
-	total_data_count: count;
-	max_param_count: count;
-	max_data_count: count;
-	max_setup_count: count;
-#	flags: count;
-#	timeout: count;
-	param_count: count;
-	param_offset: count;
-	data_count: count;
-	data_offset: count;
-	setup_count: count;
-	setup0: count;
-	setup1: count;
-	setup2: count;
-	setup3: count;
-	byte_count: count;
-	parameters: string;
-};
-
-type smb_trans_data : record {
-	data : string;
-};
-
-type smb_tree_connect : record {
-	flags: count;
-	password: string;
-	path: string;
-	service: string;
-};
-
-type smb_negotiate : table[count] of string;
-
-# A list of router addresses offered by the server.
-type dhcp_router_list: table[count] of addr;
-
-type dhcp_msg: record {
-	op: count;	# message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
-	m_type: count;	# the type of DHCP message
-	xid: count;	# transaction ID of a DHCP session
-	h_addr: string;	# hardware address of the client
-	ciaddr: addr;	# original IP address of the client
-	yiaddr: addr;	# IP address assigned to the client
-};
-
-type dns_msg: record {
-	id: count;
-
-	opcode: count;
-	rcode: count;
-
-	QR: bool;
-	AA: bool;
-	TC: bool;
-	RD: bool;
-	RA: bool;
-	Z: count;
-
-	num_queries: count;
-	num_answers: count;
-	num_auth: count;
-	num_addl: count;
-};
-
-type dns_soa: record {
-	mname: string;	# primary source of data for zone
-	rname: string;	# mailbox for responsible person
-	serial: count;	# version number of zone
-	refresh: interval;	# seconds before refreshing
-	retry: interval;	# how long before retrying failed refresh
-	expire: interval;	# when zone no longer authoritative
-	minimum: interval;	# minimum TTL to use when exporting
-};
-
-type dns_edns_additional: record {
-	query: string;
-	qtype: count;
-	t: count;
-	payload_size: count;
-	extended_rcode: count;
-	version: count;
-	z_field: count;
-	TTL: interval;
-	is_query: count;
-};
-
-type dns_tsig_additional: record {
-	query: string;
-	qtype: count;
-	alg_name: string;
-	sig: string;
-	time_signed: time;
-	fudge: time;
-	orig_id: count;
-	rr_error: count;
-	is_query: count;
-};
-
-# Different values for "answer_type" in the following.  DNS_QUERY
-# shouldn't occur, it's just for completeness.
-const DNS_QUERY = 0;
-const DNS_ANS = 1;
-const DNS_AUTH = 2;
-const DNS_ADDL = 3;
-
-type dns_answer: record {
-	answer_type: count;
-	query: string;
-	qtype: count;
-	qclass: count;
-	TTL: interval;
-};
-
-# For servers in these sets, omit processing the AUTH or ADDL records
-# they include in their replies.
-global dns_skip_auth: set[addr] &redef;
-global dns_skip_addl: set[addr] &redef;
-
-# If the following are true, then all AUTH or ADDL records are skipped.
-global dns_skip_all_auth = T &redef;
-global dns_skip_all_addl = T &redef;
-
-# If a DNS request includes more than this many queries, assume it's
-# non-DNS traffic and do not process it.  Set to 0 to turn off this
-# functionality.
-global dns_max_queries = 5;
-
-# The maxiumum size in bytes for an SSL cipherspec.  If we see a packet that
-# has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 45 &redef;
-
-# SSL and X.509 types.
-type cipher_suites_list: set[count];
-type SSL_sessionID: table[count] of count;
-type X509_extension: table[count] of string;
-type X509: record {
-	issuer: string;
-	subject: string;
-	orig_addr: addr;
-};
-
-type http_stats_rec: record {
-	num_requests: count;
-	num_replies: count;
-	request_version: double;
-	reply_version: double;
-};
-
-type http_message_stat: record {
-	start: time;		# when the request/reply line was complete
-	interrupted: bool;	# whether the message is interrupted
-	finish_msg: string;	# reason phrase if interrupted
-	body_length: count;	# length of body processed
-				#  (before finished/interrupted)
-	content_gap_length: count;	# total len of gaps within body_length
-	header_length: count;	# length of headers
-				#  (including the req/reply line,
-				#   but not CR/LF's)
-};
-
-global http_entity_data_delivery_size = 1500 &redef;
-
-# Truncate URIs longer than this to prevent over-long URIs (usually sent
-# by worms) from slowing down event processing.  A value of -1 means "do
-# not truncate".
-const truncate_http_URI = -1 &redef;
-
-# IRC-related globals to which the event engine is sensitive.
-type irc_join_info: record {
-	nick: string;
-	channel: string;
-	password: string;
-	usermode: string;
-};
-type irc_join_list: set[irc_join_info];
-global irc_servers : set[addr] &redef;
-
-# Stepping-stone globals.
-const stp_delta: interval &redef;
-const stp_idle_min: interval &redef;
-
-# Don't do analysis on these sources.  Used to avoid overload from scanners.
-global stp_skip_src: set[addr] &redef;
-
-const interconn_min_interarrival: interval &redef;
-const interconn_max_interarrival: interval &redef;
-const interconn_max_keystroke_pkt_size: count &redef;
-const interconn_default_pkt_size: count &redef;
-const interconn_stat_period: interval &redef;
-const interconn_stat_backoff: double &redef;
-
-type interconn_endp_stats: record {
-	num_pkts: count;
-	num_keystrokes_two_in_row: count;
-	num_normal_interarrivals: count;
-	num_8k0_pkts: count;
-	num_8k4_pkts: count;
-	is_partial: bool;
-	num_bytes: count;
-	num_7bit_ascii: count;
-	num_lines: count;
-	num_normal_lines: count;
-};
-
-const backdoor_stat_period: interval &redef;
-const backdoor_stat_backoff: double &redef;
-
-type backdoor_endp_stats: record {
-	is_partial: bool;
-	num_pkts: count;
-	num_8k0_pkts: count;
-	num_8k4_pkts: count;
-	num_lines: count;
-	num_normal_lines: count;
-	num_bytes: count;
-	num_7bit_ascii: count;
-};
-
-type signature_state: record {
-	id: string;          # ID of the signature
-	conn: connection;    # Current connection
-	is_orig: bool;       # True if current endpoint is originator
-	payload_size: count; # Payload size of the first pkt of curr. endpoint
-
-};
-
-type software_version: record {
-	major: int;	# Major version number
-	minor: int;	# Minor version number
-	minor2: int;	# Minor subversion number
-	addl: string;	# Additional version string (e.g. "beta42")
-};
-
-type software: record {
-	name: string;	# Unique name of a software, e.g., "OS"
-	version: software_version;
-};
-
-# The following describe the quality of signature matches used
-# for passive fingerprinting.
-type OS_version_inference: enum {
-	direct_inference, generic_inference, fuzzy_inference,
-};
-
-type OS_version: record {
-	genre: string;	# Linux, Windows, AIX, ...
-	detail: string;	# kernel version or such
-	dist: count;	# how far is the host away from the sensor (TTL)?
-	match_type: OS_version_inference;
-};
-
-# Defines for which subnets we should do passive fingerprinting.
-global generate_OS_version_event: set[subnet] &redef;
-
-# Type used to report load samples via load_sample().  For now,
-# it's a set of names (event names, source file names, and perhaps
-# <source file, line number>'s, which were seen during the sample.
-type load_sample_info: set[string];
-
-# NetFlow-related data structures.
-
-# The following provides a mean to sort together flow headers and flow
-# records at the script level.  rcvr_id equals the name of the file
-# (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555),
-# or an explicit name if specified to -y or -Y; pdu_id is just a serial
-# number, ignoring any overflows.
-type nfheader_id: record {
-	rcvr_id: string;
-	pdu_id: count;
-};
-
-type nf_v5_header: record {
-	h_id: nfheader_id;	# ID for sorting, per the above
-	cnt: count;
-	sysuptime: interval;	# router's uptime
-	exporttime: time;	# when the data was exported
-	flow_seq: count;
-	eng_type: count;
-	eng_id: count;
-	sample_int: count;
-	exporter: addr;
-};
-
-type nf_v5_record: record {
-	h_id: nfheader_id;
-	id: conn_id;
-	nexthop: addr;
-	input: count;
-	output: count;
-	pkts: count;
-	octets: count;
-	first: time;
-	last: time;
-	tcpflag_fin: bool;	# Taken from tcpflags in NF V5; or directly.
-	tcpflag_syn: bool;
-	tcpflag_rst: bool;
-	tcpflag_psh: bool;
-	tcpflag_ack: bool;
-	tcpflag_urg: bool;
-	proto: count;
-	tos: count;
-	src_as: count;
-	dst_as: count;
-	src_mask: count;
-	dst_mask: count;
-};
-
-
-# The peer record and the corresponding set type used by the
-# BitTorrent analyzer.
-type bittorrent_peer: record {
-	h: addr;
-	p: port;
-};
-type bittorrent_peer_set: set[bittorrent_peer];
-
-# The benc value record and the corresponding table type used by the
-# BitTorrenttracker analyzer.  Note that "benc" = Bencode ("Bee-Encode"),
-# per http://en.wikipedia.org/wiki/Bencode.
-type bittorrent_benc_value: record {
-	i: int &optional;
-	s: string &optional;
-	d: string &optional;
-	l: string &optional;
-};
-type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
-
-# The header table type used by the bittorrenttracker analyzer.
-type bt_tracker_headers: table[string] of string;
-
-@load event.bif.bro
-
-@load common-rw.bif.bro
-@load finger-rw.bif.bro
-@load ftp-rw.bif.bro
-@load ident-rw.bif.bro
-@load smtp-rw.bif.bro
-@load http-rw.bif.bro
-@load dns-rw.bif.bro
-
-function subst(s: string, from: pattern, to: string): string
-	{
-	local p = split_all(s, from);
-
-	for ( p_i in p )
-		if ( p_i % 2 == 0 )
-			p[p_i] = to;
-
-	return cat_string_array(p);
-	}
-
-
-type pattern_match_result: record {
-	matched: bool;
-	str: string;
-	off: count;
-};
-
-function match_pattern(s: string, p:pattern): pattern_match_result
-	{
-	local a = split_n(s, p, T, 1);
-
-	if ( length(a) == 1 )
-		# no match
-		return [$matched = F, $str = "", $off = 0];
-	else
-		return [$matched = T, $str = a[2], $off = byte_len(a[1]) + 1];
-	}
-
-function cut_tail(s: string, tail_len: count): string
-	{
-	local len = byte_len(s);
-
-	if ( tail_len > len )
-		tail_len = len;
-
-	return sub_bytes(s, 1, int_to_count(len - tail_len));
-	}
-
-# Given a string, returns an escaped version.  This means that
-# (1) any occurrences of any character in "chars" are escaped using '\', and
-# (2) any '\'s are likewise escaped.
-function string_escape(s: string, chars: string): string
-	{
-	s = subst_string(s, "\\", "\\\\");
-	for ( c in chars )
-		s = subst_string(s, c, cat("\\", c));
-	return s;
-	}
-
-@load pcap.bro
-
-# Rotate logs every x seconds.
-const log_rotate_interval = 0 sec &redef;
-
-# If set, rotate logs at given time + i * log_rotate_interval.
-# (string is time in 24h format, e.g., "18:00").
-const log_rotate_base_time = "" &redef;
-
-# Rotate logs when they reach this size (in bytes).  Note, the
-# parameter is a double rather than a count to enable easy expression
-# of large values such as 1e7 or exceeding 2^32.
-const log_max_size = 0.0 &redef;
-
-# Default public key for encrypting log files.
-const log_encryption_key = "<undefined>" &redef;
-
-# Write profiling info into this file.
-global profiling_file: file &redef;
-
-# Update interval for profiling (0 disables).
-const profiling_interval = 0 secs &redef;
-
-# Multiples of profiling_interval at which (expensive) memory
-# profiling is done (0 disables).
-const expensive_profiling_multiple = 0 &redef;
-
-# If true, then write segment profiling information (very high volume!)
-# in addition to statistics.
-const segment_profiling = F &redef;
-
-# Output packet profiling information every <freq> secs (mode 1),
-# every <freq> packets (mode 2), or every <freq> bytes (mode 3).
-# Mode 0 disables.
-type pkt_profile_modes: enum {
-	PKT_PROFILE_MODE_NONE,
-	PKT_PROFILE_MODE_SECS,
-	PKT_PROFILE_MODE_PKTS,
-	PKT_PROFILE_MODE_BYTES,
-};
-const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef;
-
-# Frequency associated with packet profiling.
-const pkt_profile_freq = 0.0 &redef;
-
-# File where packet profiles are logged.
-global pkt_profile_file: file &redef;
-
-# Rate at which to generate load_sample events, *if* you've also
-# defined a load_sample handler.  Units are inverse number of packets;
-# e.g., a value of 20 means "roughly one in every 20 packets".
-global load_sample_freq = 20 &redef;
-
-# Rate at which to generate gap_report events assessing to what
-# degree the measurement process appears to exhibit loss.
-const gap_report_freq = 1.0 sec &redef;
-
-# Globals associated with entire-run statistics on gaps (useful
-# for final summaries).
-
-# The CA certificate file to authorize remote Bros.
-const ssl_ca_certificate = "<undefined>" &redef;
-
-# File containing our private key and our certificate.
-const ssl_private_key = "<undefined>" &redef;
-
-# The passphrase for our private key. Keeping this undefined
-# causes Bro to prompt for the passphrase.
-const ssl_passphrase = "<undefined>" &redef;
-
-# Whether the Bro-level packet filter drops packets per default or not.
-const packet_filter_default = F &redef;
-
-# Maximum size of regular expression groups for signature matching.
-const sig_max_group_size = 50 &redef;
-
-# If true, send logger messages to syslog.
-const enable_syslog = T &redef;
-
-# This is transmitted to peers receiving our events.
-const peer_description = "" &redef;
-
-# If true, broadcast events/state received from one peer to other peers.
-# NOTE: These options are only temporary. They will disappear when we get a
-# more sophisticated script-level communication framework.
-const forward_remote_events = F &redef;
-const forward_remote_state_changes = F &redef;
-
-const PEER_ID_NONE = 0;
-
-# Whether to use the connection tracker.
-const use_connection_compressor = T &redef;
-
-# Whether compressor should handle refused connections itself.
-const cc_handle_resets = F &redef;
-
-# Whether compressor should only take care of initial SYNs.
-# (By default on, this is basically "connection compressor lite".)
-const cc_handle_only_syns = T &redef;
-
-# Whether compressor instantiates full state when originator sends a
-# non-control packet.
-const cc_instantiate_on_data = F &redef;
-
-# Signature payload pattern types
-const SIG_PATTERN_PAYLOAD = 0;
-const SIG_PATTERN_HTTP = 1;
-const SIG_PATTERN_FTP = 2;
-const SIG_PATTERN_FINGER = 3;
-
-# Log-levels for remote_log.
-# Eventually we should create a general logging framework and merge these in.
-const REMOTE_LOG_INFO = 1;
-const REMOTE_LOG_ERROR = 2;
-
-# Sources for remote_log.
-const REMOTE_SRC_CHILD = 1;
-const REMOTE_SRC_PARENT = 2;
-const REMOTE_SRC_SCRIPT = 3;
-
-# Synchronize trace processing at a regular basis in pseudo-realtime mode.
-const remote_trace_sync_interval = 0 secs &redef;
-
-# Number of peers across which to synchronize trace processing.
-const remote_trace_sync_peers = 0 &redef;
-
-# Whether for &synchronized state to send the old value as a consistency check.
-const remote_check_sync_consistency = F &redef;
-
-# Prepend the peer description, if set.
-function prefixed_id(id: count): string
-	{
-	if ( peer_description == "" )
-		return fmt("%s", id);
-	else
-		return cat(peer_description, "-", id);
-	}
-
-# Analyzer tags. The core automatically defines constants
-# ANALYZER_<analyzer-name>*, e.g., ANALYZER_HTTP.
-type AnalyzerTag: count;
-
-# DPM configuration.
-
-type dpd_protocol_config: record {
-	ports: set[port] &optional;
-};
-
-const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
-
-# Reassemble the beginning of all TCP connections before doing
-# signature-matching for protocol detection.
-const dpd_reassemble_first_packets = T &redef;
-
-# Size of per-connection buffer in bytes. If the buffer is full, data is
-# deleted and lost to analyzers that are activated afterwards.
-const dpd_buffer_size = 1024 &redef;
-
-# If true, stops signature matching if dpd_buffer_size has been reached.
-const dpd_match_only_beginning = T &redef;
-
-# If true, don't consider any ports for deciding which analyzer to use.
-const dpd_ignore_ports = F &redef;
-
-# Ports which the core considers being likely used by servers.
-const likely_server_ports: set[port] &redef;
-
-# Set of all ports for which we know an analyzer.
-global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
-
-event bro_init()
-	{
-	for ( a in dpd_config )
-		for ( p in dpd_config[a]$ports )
-			{
-			if ( p !in dpd_analyzer_ports )
-				{
-				local empty_set: set[AnalyzerTag];
-				dpd_analyzer_ports[p] = empty_set;
-				}
-
-			add dpd_analyzer_ports[p][a];
-			}
-	}
-
-@load server-ports
-
-# Per-incident timer managers are drained after this amount of inactivity.
-const timer_mgr_inactivity_timeout = 1 min &redef;
-
-# Time-out for expected connections.
-const expected_connection_timeout = 5 min &redef;
-
-# If true, output profiling for time-machine queries.
-const time_machine_profiling = F &redef;
-
-# If true, warns about unused event handlers at startup.
-const check_for_unused_event_handlers = F &redef;
-
-# If true, dumps all invoked event handlers at startup.
-const dump_used_event_handlers = F &redef;
-
-# If true, we suppress prints to local files if we have a receiver for
-# print_hook events.  Ignored for files with a &disable_print_hook attribute.
-const suppress_local_output = F &redef;
-
-# Holds the filename of the trace file given with -w (empty if none).
-const trace_output_file = "";
-  
-# If a trace file is given, dump *all* packets seen by Bro into it.
-# By default, Bro applies (very few) heuristics to reduce the volume.
-# A side effect of setting this to true is that we can write the
-# packets out before we actually process them, which can be helpful
-# for debugging in case the analysis triggers a crash.
-const record_all_packets = F &redef;
diff --git a/policy/brolite-backdoor.bro b/policy/brolite-backdoor.bro
deleted file mode 100644
index 496ee4e075..0000000000
--- a/policy/brolite-backdoor.bro
+++ /dev/null
@@ -1,56 +0,0 @@
-# $Id: brolite-backdoor.bro 2956 2006-05-14 01:08:34Z vern $
-
-# Sample file for running backdoor detector
-#
-# Note, this can consume significant processing resources when running
-# on live traffic.
-#
-# To run bro with this script using a Bro Lite setup:
-#
-#  rename this script to hostname.bro
-#  run: $BROHOME/etc/bro.rc start
-#  	or bro -i interface brolite-backdoor.bro
-
-@load site
-
-@load backdoor
-@load alarm
-@load weird
-
-# By default, do backdoor detection on everything except standard HTTP
-# and SMTP ports.
-redef capture_filters += [ ["tcp"] = "tcp" ];
-redef restrict_filters +=
-	[ ["not-http"] = "not (port 80 or port 8000 or port 8080)" ];
-redef restrict_filters += [ ["not-smtp"] = "not (port 25 or port 587)" ];
-
-redef use_tagging = T;
-
-# Set if you want to dump packets that trigger the detections.
-redef dump_backdoor_packets = T;
-
-# Disable (set to T) if you don't care about this traffic.
-# redef gnutella_sig_disabled = T;
-# redef kazaa_sig_disabled = T;
-
-redef napster_sig_disabled = T;	# too many false positives
-
-# Ignore outgoing, only report incoming backdoors.
-redef backdoor_ignore_remote += {
-	ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
-	http_backdoor_sigs, http_proxy_backdoor_sigs, smtp_backdoor_sigs,
-};
-
-# Set these to send mail on backdoor alarms.
-# redef mail_dest = "youremail@yourhost.dom";
-# redef notice_action_filters += {
-#	[BackdoorFound] = send_email_notice,
-#};
-
-# Tuning: use more aggressive timeouts to reduce CPU and memory, as these
-#	have little effect on backdoor analysis.
-redef tcp_SYN_timeout = 1 sec;
-redef tcp_attempt_delay = 1 sec;
-redef tcp_inactivity_timeout = 1 min;
-redef udp_inactivity_timeout = 5 secs;
-redef icmp_inactivity_timeout = 5 secs;
diff --git a/policy/brolite-sigs.bro b/policy/brolite-sigs.bro
deleted file mode 100644
index 82cc3f63bc..0000000000
--- a/policy/brolite-sigs.bro
+++ /dev/null
@@ -1,83 +0,0 @@
-# $Id: brolite-sigs.bro 3856 2006-12-02 00:18:57Z vern $
-
-# Bro Lite signature configuration file
-
-# General policy - these scripts are more infrastructural than service
-# oriented, so in general avoid changing anything here.
-@load alarm	# open logging file for alarm events
-
-# Set global constant.  This can be used in ifdef statements to determine 
-# if signatures are enabled.
-const use_signatures = T;
-
-@load snort		# basic definitions for signatures
-@load signatures	# the signature policy engine
-@load sig-functions	# addl. functions added for signature accuracy
-@load sig-action	# actions related to particular signatures
-
-# Flag HTTP worm sources such as Code Red.
-@load worm
-
-# Do worm processing
-redef notice_action_filters += { [RemoteWorm] = file_notice };
-
-# Ports that need to be captured for signatures to see a useful
-# cross section of traffic.
-redef capture_filters += {
-	["sig-http"] =
-		"tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001",
-	["sig-ftp"] = "port ftp",
-	["sig-telnet"] = "port telnet",
-	["sig-portmapper"] = "port 111",
-	["sig-smtp"] = "port smtp",
-	["sig-imap"] = "port 143",
-	["sig-snmp"] = "port 161 or port 162",
-	["sig-dns"] = "port 53",
-
-	# rsh/rlogin/rexec
-	["sig-rfoo"] = "port 512 or port 513 or port 515",
-
-	# Range of TCP ports for general RPC traffic.  This can also
-	# occur on other ports, but these should catch a lot without
-	# a major performance hit.  We skip ports assosciated with
-	# HTTP, SSH and M$.
-	["sig-rpc"] = "tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139",
-};
-
-### Why is this called "tcp3"?
-# Catch outbound M$ scanning.   Returns filter listing local addresses
-# along with the interesting ports.
-function create_tcp3_filter(): string
-	{
-	local local_addrs = "";
-	local firsttime = T;
-
-	for ( l in local_nets )
-		{
-		if ( firsttime )
-			{
-			local_addrs = fmt("src net %s", l);
-			firsttime = F;
-			}
-		else
-			local_addrs = fmt("%s or src net %s", local_addrs, l);
-		}
-
-	local MS_scan_ports =
-		"dst port 135 or dst port 137 or dst port 139 or dst port 445";
-
-	if ( local_addrs == "" )
-		return MS_scan_ports;
-	else
-		return fmt("(%s) and (%s)", local_addrs, MS_scan_ports);
-	}
-
-# Create and apply the filter.
-redef capture_filters += { ["tcp3"] = create_tcp3_filter()};
-
-# Turn on ICMP analysis.
-redef capture_filters += { ["icmp"] = "icmp"};
-
-# Load the addendum signatures.  These are utility signatures that do not
-# produce event messages.
-redef signature_files += "sig-addendum";
diff --git a/policy/brolite.bro b/policy/brolite.bro
deleted file mode 100644
index 79492143c1..0000000000
--- a/policy/brolite.bro
+++ /dev/null
@@ -1,195 +0,0 @@
-# Bro Lite base configuration file.
-
-# General policy - these scripts are more infrastructural than service
-# oriented, so in general avoid changing anything here.
-
-@load site	# defines local and neighbor networks from static config
-@load tcp	# initialize BPF filter for SYN/FIN/RST TCP packets
-@load weird	# initialize generic mechanism for unusual events
-@load conn	# access and record connection events
-@load hot	# defines certain forms of sensitive access
-@load frag	# process TCP fragments
-@load print-resources	# on exit, print resource usage information
-
-# Scan detection policy.
-@load scan	# generic scan detection mechanism
-@load trw	# additional, more sensitive scan detection
-#@load drop	# include if installation has ability to drop hostile remotes
-
-# Application level policy - these scripts operate on the specific service.
-@load http	# general http analyzer, low level of detail
-@load http-request	# detailed analysis of http requests
-@load http-reply	# detailed analysis of http reply's
-
-# Track software versions; required for some signature matching.  Also
-# can be used by http and ftp policies.
-@load software
-
-@load ftp	# FTP analysis
-@load portmapper	# record and analyze RPC portmapper requests
-@load tftp	# identify and log TFTP sessions
-@load login	# rlogin/telnet analyzer
-@load irc	# IRC analyzer
-@load blaster	# blaster worm detection
-@load stepping	# "stepping stone" detection
-@load synflood	# synflood attacks detection
-@load smtp	# record and analyze email traffic - somewhat expensive
-
-@load notice-policy	# tuning of notices to downgrade some alarms
-
-# off by default
-#@load icmp	# icmp analysis
-
-# Tuning of memory consumption.
-@load inactivity	# time out connections for certain services more quickly
-# @load print-globals	# on exit, print the size of global script variables
-
-# Record system statistics to the notice file
-@load stats
-
-# udp analysis - potentially expensive, depending on a site's traffic profile
-#@load udp.all
-#@load remove-multicast
-
-# Prints the pcap filter and immediately exits.  Not used during
-# normal operation.
-#@load print-filter
-
-## End policy script loading.
-
-## General configuration.
-
-@load rotate-logs
-redef log_rotate_base_time = "0:00";
-redef log_rotate_interval = 24 hr;
-
-
-# Set additional policy prefixes.
-@prefixes += lite
-
-## End basic configuration.
-
-
-## Scan configuration.
-@ifdef ( Scan::analyze_all_services )
-	redef Scan::analyze_all_services = T;
-
-	# The following turns off scan detection.
-	#redef Scan::suppress_scan_checks = T;
-
-	# Be a bit more aggressive than default (though the defaults
-	# themselves should be fixed).
-	redef Scan::report_outbound_peer_scan = { 100, 1000, };
-
-	# These services are skipped for scan detection due to excessive
-	# background noise.
-	redef Scan::skip_services += {
-		http,           # Avoid Code Red etc. overload
-		27374/tcp,      # Massive scanning in Jan 2002
-		1214/tcp,       # KaZaa scans
-		12345/tcp,      # Massive scanning in Apr 2002
-		445/tcp,        # Massive distributed scanning Oct 2002
-		135/tcp,        # These days, NetBIOS scanning is endemic
-		137/udp,	# NetBIOS
-		139/tcp,	# NetBIOS
-		1025/tcp,
-		6129/tcp,       # Dameware
-		3127/tcp,       # MyDoom worms worms worms!
-		2745/tcp,       # Bagel worm
-		1433/tcp,       # Distributed scanning, April 2004
-		5000/tcp,       # Distributed scanning, May 2004
-		5554/tcp,       # More worm food, May 2004
-		9898/tcp,       # Worms attacking worms. ugh - May 2004
-		3410/tcp,       # More worm food, June 2004
-		3140/tcp,       # Dyslexic worm food, June 2004
-		27347/tcp,      # Can't kids type anymore?
-		1023/tcp,       # Massive scanning, July 2004
-		17300/tcp,      # Massive scanning, July 2004
-	};
-
-@endif
-
-@ifdef ( ICMP::detect_scans )
-	# Whether to detect ICMP scans.
-	redef ICMP::detect_scans = F;
-	redef ICMP::scan_threshold = 100;
-@endif
-
-@ifdef ( TRW::TRWAddressScan )
-	# remove logging TRW scan events
-	redef notice_action_filters += {
-		[TRW::TRWAddressScan] = ignore_notice,
-	};
-@endif
-
-# Note: default scan configuration is conservative in terms of memory use and
-# might miss slow scans. Consider uncommenting these based on your sites scan
-# traffic.
-#redef distinct_peers &create_expire = 30 mins;
-#redef distinct_ports &create_expire = 30 mins;
-#redef distinct_low_ports &create_expire= 30 mins;
-
-
-## End scan configuration.
-
-## additional IRC checks
-redef IRC::hot_words += /.*exe/ ;
-
-
-## Dynamic Protocol Detection configuration
-#
-# This is off by default, as it requires a more powerful Bro host.
-# Uncomment next line to activate.
-# const use_dpd = T;
-
-@ifdef ( use_dpd )
-	@load dpd
-	@load irc-bot
-	@load dyn-disable
-	@load detect-protocols
-	@load detect-protocols-http
-	@load proxy
-	@load ssh
-
-	# By default, DPD looks at all traffic except port 80.
-	# For lightly loaded networks, comment out the restrict_filters line.
-	# For heavily loaded networks, try adding addition ports (e.g., 25) to
-	#   the restrict filters.
-	redef capture_filters += [ ["tcp"] = "tcp" ];
-	redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
-@endif
-
-@ifdef ( ProtocolDetector::ServerFound )
-# Report servers on non-standard ports only for local addresses.
-redef notice_policy += {
-	[$pred(a: notice_info) =
-		{ return a$note == ProtocolDetector::ServerFound &&
-					! is_local_addr(a$src); },
-	 $result = NOTICE_FILE,
-	 $priority = 1],
-
-	# Report protocols on non-standard ports only for local addresses
-	# (unless it's IRC).
-	[$pred(a: notice_info) =
-		{ return a$note == ProtocolDetector::ProtocolFound &&
-					! is_local_addr(a$dst) &&
-					a$sub != "IRC"; },
-	 $result = NOTICE_FILE,
-	 $priority = 1],
-};
-@endif
-
-# The following is used to transfer state between Bro's when one
-# takes over from another.
-#
-# NOTE: not implemented in the production version, so ignored for now.
-@ifdef ( remote_peers_clear )
-	redef remote_peers_clear += {
-		[127.0.0.1, 55555/tcp] = [$hand_over = T],
-		[127.0.0.1, 0/tcp] = [$hand_over = T]
-	};
-@endif
-
-# Use tagged log files for alarms and notices.
-redef use_tagging = T;
-
diff --git a/policy/bt-tracker.bro b/policy/bt-tracker.bro
deleted file mode 100644
index dfc948a9e2..0000000000
--- a/policy/bt-tracker.bro
+++ /dev/null
@@ -1,190 +0,0 @@
-# $Id:$
-#
-# bt-tracker.bro - analysis of BitTorrent tracker traffic
-# ------------------------------------------------------------------------------
-# This code contributed by Nadi Sarrar.
-
-@load dpd
-@load weird
-
-module BitTorrent;
-
-export {
-	# Whether to log tracker URIs.
-	global log_tracker_request_uri = F &redef;
-}
-
-redef capture_filters += { ["bittorrent"] = "tcp", };
-
-global bt_tracker_log = open_log_file("bt-tracker") &redef;
-
-global bt_tracker_conns: table[conn_id] of count;
-global tracker_conn_count: count = 0;
-
-
-function bt_log_tag(id: conn_id, cid: count, tag: string, is_orig: bool): string
-	{
-	return fmt("%.6f T%d %s %s:%d %s %s:%d",
-			 network_time(), cid, tag, id$orig_h, id$orig_p,
-			 is_orig ? ">" : "<", id$resp_h, id$resp_p);
-	}
-
-event bt_tracker_request(c: connection, uri: string,
-				headers: bt_tracker_headers)
-	{
-	# Parse and validate URI.
-	local pair = split1(uri, /\?/);
-	local keys = split(pair[2], /&/);
-
-	local info_hash = "";
-	local peer_ide = "";
-	local peer_port = 0/udp;
-	local uploaded = -1;
-	local downloaded = -1;
-	local left = -1;
-	local compact = T;
-	local peer_event = "empty";
-
-	for ( idx in keys )
-		{
-		local keyval = split1(keys[idx], /=/);
-		if ( length(keyval) != 2 )
-			next;
-
-		local key = to_lower(keyval[1]);
-		local val = keyval[2];
-
-		if ( key == "info_hash" )
-			info_hash = unescape_URI(val);
-		else if ( key == "peer_id" )
-			peer_ide = unescape_URI(val);
-		else if ( key == "port" )
-			peer_port = to_port(to_count(val), tcp);
-		else if ( key == "uploaded" )
-			uploaded = to_int(val);
-		else if ( key == "downloaded" )
-			downloaded = to_int(val);
-		else if ( key == "left" )
-			left = to_int(val);
-		else if ( key == "compact" )
-			compact = (to_int(val) == 1);
-
-		else if ( key == "event" )
-			{
-			val = to_lower(val);
-			if ( val == /started|stopped|completed/ )
-				peer_event = val;
-			}
-		}
-
-	if ( info_hash == "" || peer_ide == "" || peer_port == 0/udp )
-		{ # Does not look like BitTorrent.
-		disable_analyzer(c$id, current_analyzer());
-		delete bt_tracker_conns[c$id];
-		return;
-		}
-
-	if ( peer_port != 0/tcp )
-		expect_connection(to_addr("0.0.0.0"), c$id$orig_h,
-					peer_port, ANALYZER_BITTORRENT, 1 min);
-
-	local id: count;
-	if ( c$id in bt_tracker_conns )
-		id = bt_tracker_conns[c$id];
-	else
-		{
-		id = ++tracker_conn_count;
-		bt_tracker_conns[c$id] = id;
-		}
-
-	print bt_tracker_log,
-		fmt("%s [peer_id:%s info_hash:%s port:%s event:%s up:%d down:%d left:%d compact:%s]%s",
-			bt_log_tag(c$id, id, "request", T),
-			bytestring_to_hexstr(peer_ide),
-			bytestring_to_hexstr(info_hash),
-			peer_port, peer_event,
-			uploaded, downloaded, left,
-			compact ? "yes" : "no",
-			log_tracker_request_uri ? fmt(" GET %s", uri) : "");
-	}
-
-function benc_status(benc: bittorrent_benc_dir, tag: string): string
-	{
-	if ( tag !in benc || ! benc[tag]?$i )
-		return "";
-
-	local fmt_tag = sub(tag, / /, "_");
-	return fmt("%s:%d", fmt_tag, benc[tag]$i);
-	}
-
-event bt_tracker_response(c: connection, status: count,
-				headers: bt_tracker_headers,
-				peers: bittorrent_peer_set,
-				benc: bittorrent_benc_dir)
-	{
-	if ( c$id !in bt_tracker_conns )
-		return;
-
-	local id = bt_tracker_conns[c$id];
-
-	for ( peer in peers )
-		expect_connection(c$id$orig_h, peer$h, peer$p,
-					ANALYZER_BITTORRENT, 1 min);
-
-	if ( "failure reason" in benc )
-		{
-		print bt_tracker_log,
-			fmt("%s [failure_reason:\"%s\"]",
-				bt_log_tag(c$id, id, "response", F),
-				benc["failure reason"]?$s ?
-					benc["failure reason"]$s : "");
-		return;
-		}
-
-	print bt_tracker_log,
-		fmt("%s [%s%s%s%s%speers:%d]",
-			bt_log_tag(c$id, id, "response", F),
-			benc_status(benc, "warning message"),
-			benc_status(benc, "complete"),
-			benc_status(benc, "incomplete"),
-			benc_status(benc, "interval"),
-			benc_status(benc, "min interval"),
-			length(peers));
-	}
-
-event bt_tracker_response_not_ok(c: connection, status: count,
-					headers: bt_tracker_headers)
-	{
-	if ( c$id in bt_tracker_conns )
-		{
-		local id = bt_tracker_conns[c$id];
-		print bt_tracker_log,
-			fmt("%s [status:%d]",
-				bt_log_tag(c$id, id, "response", F), status);
-		}
-	}
-
-event bt_tracker_weird(c: connection, is_orig: bool, msg: string)
-	{
-	local id = (c$id in bt_tracker_conns) ? bt_tracker_conns[c$id] : 0;
-	print bt_tracker_log,
-		fmt("%s [%s]", bt_log_tag(c$id, id, "<weird>", is_orig), msg);
-
-	event conn_weird(msg, c);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id !in bt_tracker_conns )
-		return;
-
-	local id = bt_tracker_conns[c$id];
-	delete bt_tracker_conns[c$id];
-
-	print bt_tracker_log,
-		fmt("%s [duration:%.06f total:%d]",
-			# Ideally the direction here wouldn't be T or F
-			# but both, displayed as "<>".
-			bt_log_tag(c$id, id, "<closed>", T), c$duration,
-			c$orig$size + c$resp$size);
-	}
diff --git a/policy/capture-events.bro b/policy/capture-events.bro
deleted file mode 100644
index 2ba6eba7b7..0000000000
--- a/policy/capture-events.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#! $Id: capture-events.bro 4674 2007-07-30 22:00:43Z vern $
-#
-# Captures all events to events.bst.
-#
-
-event bro_init()
-	{
-	capture_events("events.bst");
-	}
diff --git a/policy/capture-loss.bro b/policy/capture-loss.bro
deleted file mode 100644
index a641749bd4..0000000000
--- a/policy/capture-loss.bro
+++ /dev/null
@@ -1,74 +0,0 @@
-# $Id:$
-
-# Logs evidence regarding the degree to which the packet capture process
-# suffers from measurment loss.
-#
-# By default, only reports loss computed in terms of number of "gap events"
-# (ACKs for a sequence number that's above a gap).  You can also get an
-# estimate in terms of number of bytes missing; this however is sometimes
-# heavily affected by miscomputations due to broken packets with incorrect
-# sequence numbers.  (These packets also affect the first estimator, but
-# only to a quite minor degree.)
-
-@load notice
-
-module CaptureLoss;
-
-export {
-	redef enum Notice += {
-		CaptureLossReport,	# interval report
-		CaptureLossSummary,	# end-of-run summary
-	};
-
-	# Whether to also report byte-weighted estimates.
-	global report_byte_based_estimates = F &redef;
-
-	# Whether to generate per-interval reports even if there
-	# was no evidence of loss.
-	global report_if_none = F &redef;
-
-	# Whether to generate a summary even if there was no
-	# evidence of loss.
-	global summary_if_none = F &redef;
-}
-
-
-# Redefine this to be non-zero to get per-interval reports.
-redef gap_report_freq = 0 sec;
-
-event gap_report(dt: interval, info: gap_info)
-	{
-	if ( info$gap_events > 0 || report_if_none )
-		{
-		local msg = report_byte_based_estimates ?
-			fmt("gap-dt=%.6f acks=%d bytes=%d gaps=%d gap-bytes=%d",
-				dt, info$ack_events, info$ack_bytes,
-				info$gap_events, info$gap_bytes) :
-			fmt("gap-dt=%.6f acks=%d gaps=%d",
-				dt, info$ack_events, info$gap_events);
-
-		NOTICE([$note=CaptureLossReport, $msg=msg]);
-		}
-	}
- 
-event bro_done()
-	{
-	local g = get_gap_summary();
-
-	local gap_rate =
-		g$ack_events == 0 ? 0.0 :
-			(1.0 * g$gap_events) / (1.0 * g$ack_events);
-	local gap_bytes =
-		g$ack_bytes == 0 ? 0.0 :
-			(1.0 * g$gap_bytes) / (1.0 * g$ack_bytes);
-
-	if ( gap_rate == 0.0 && gap_bytes == 0.0 && ! summary_if_none )
-		return;
-
-	local msg = report_byte_based_estimates ?
-		fmt("estimated rate = %g / %g (events/bytes)",
-			gap_rate, gap_bytes) :
-		fmt("estimated rate = %g", gap_rate);
-
-	NOTICE([$note=CaptureLossSummary, $msg=msg]);
-	}
diff --git a/policy/capture-state-updates.bro b/policy/capture-state-updates.bro
deleted file mode 100644
index 7630015365..0000000000
--- a/policy/capture-state-updates.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#! $Id: capture-events.bro 6 2004-04-30 00:31:26Z jason $
-#
-# Captures all operations on &synchronized variables to state-updates.bst.
-#
-
-event bro_init()
-	{
-	capture_state_updates("state-updates.bst");
-	}
diff --git a/policy/checkpoint.bro b/policy/checkpoint.bro
deleted file mode 100644
index 2222d69c0c..0000000000
--- a/policy/checkpoint.bro
+++ /dev/null
@@ -1,54 +0,0 @@
-# $Id: checkpoint.bro 6724 2009-06-07 09:23:03Z vern $
-#
-# Checkpoints Bro's persistent state at regular intervals and scans
-# the state directory for external updates.
-
-const state_rescan_interval = 15 secs &redef;
-const state_checkpoint_interval = 15 min &redef;
-
-# Services for which the internal connection state is stored.
-const persistent_services = {
-	21/tcp, # ftp
-	22/tcp, # ssh
-	23/tcp, # telnet
-	513/tcp, # rlogin
-} &redef;
-
-# The first timer fires immediately. This flags lets us ignore it.
-global state_ignore_first = T;
-
-event state_checkpoint()
-	{
-	if ( state_ignore_first )
-		state_ignore_first = F;
-
-	else if ( ! bro_is_terminating() )
-		checkpoint_state();
-
-	if ( state_checkpoint_interval > 0 secs )
-		schedule state_checkpoint_interval { state_checkpoint() };
-	}
-
-event state_rescan()
-	{
-	rescan_state();
-
-	if ( state_rescan_interval > 0 secs )
-		schedule state_rescan_interval { state_rescan() };
-	}
-
-event bro_init()
-	{
-	if ( state_checkpoint_interval > 0 secs )
-		schedule state_checkpoint_interval { state_checkpoint() };
-
-	if ( state_rescan_interval > 0 secs )
-		schedule state_rescan_interval { state_rescan() };
-	}
-
-event connection_established(c: connection)
-	{
-	# Buggy?
-	# if ( c$id$resp_p in persistent_services )
-	#	make_connection_persistent(c);
-	}
diff --git a/policy/clear-passwords.bro b/policy/clear-passwords.bro
deleted file mode 100644
index 7607738dcc..0000000000
--- a/policy/clear-passwords.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: clear-passwords.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Monitoring for use of cleartext passwords.
-
-@load ftp
-@load login
-@load pop3
-@load irc
-
-const passwd_file = open_log_file("passwords") &redef;
-
-# ftp, login and pop3 call login_{success,failure}, which in turn
-# calls account_tried(), so we can snarf all at once here:
-event account_tried(c: connection, user: string, passwd: string)
-	{
-	print passwd_file, fmt("%s account name '%s', password '%s': %s",
-				is_local_addr(c$id$orig_h) ? "local" : "remote",
-				user, passwd, id_string(c$id));
-	}
-
-# IRC raises a different event on login, so we hook into it here:
-event irc_join_message(c: connection, info_list: irc_join_list)
-	{
-	for ( l in info_list)
-		{
-		print passwd_file,  fmt("IRC JOIN name '%s', password '%s'",
-					l$nick, l$password);
-		}
-	}
-
-# Raised if IRC user tries to become operator:
-event irc_oper_message(c: connection, user: string, password: string)
-	{
-	print passwd_file, fmt("IRC OPER name '%s', password '%s'",
-				user, password);
-	}
diff --git a/policy/conn-flood.bro b/policy/conn-flood.bro
deleted file mode 100644
index 7da1cccff4..0000000000
--- a/policy/conn-flood.bro
+++ /dev/null
@@ -1,71 +0,0 @@
-# $Id$
-#
-# Script which alarms if the number of connections per time interval
-# exceeds a threshold.
-#
-# This script is mainly meant as a demonstration; it hasn't been hardened
-# with/for operational use.
-
-@load notice
-
-module ConnFlood;
-
-export {
-	redef enum Notice += {
-		ConnectionFloodStart, ConnectionFloodEnd,
-	};
-
-	# Thresholds to reports (conns/sec).
-	const thresholds: set[count] =
-		{ 1000, 2000, 4000, 6000, 8000, 10000, 20000, 50000 }
-	&redef;
-
-	# Average over this time interval.
-	const avg_interval = 10 sec &redef;
-}
-
-global conn_counter = 0;
-global last_thresh = 0;
-
-# Note: replace with connection_attempt if too expensive.
-event new_connection(c: connection)
-	{
-	++conn_counter;
-	}
-
-event check_flood()
-	{
-	local thresh = 0;
-	local rate = double_to_count(interval_to_double((conn_counter / avg_interval)));
-
-	# Find the largest threshold reached this interval.
-	for ( i in thresholds )
-		{
-		if ( rate >= i && rate > thresh )
-			thresh = i;
-		}
-
-	# Report if larger than last reported threshold.
-	if ( thresh > last_thresh )
-		{
-		NOTICE([$note=ConnectionFloodStart, $n=thresh,
-			   $msg=fmt("flood begins at rate %d conns/sec", rate)]);
-		last_thresh = thresh;
-		}
-
-	# If no threshold was reached, the flood is over.
-	else if ( thresh == 0 && last_thresh > 0 )
-		{
-		NOTICE([$note=ConnectionFloodEnd, $n=thresh,
-			   $msg=fmt("flood ends at rate %d conns/sec", rate)]);
-		last_thresh = 0;
-		}
-
-	conn_counter = 0;
-	schedule avg_interval { check_flood() };
-	}
-
-event bro_init()
-	{
-	schedule avg_interval { check_flood() };
-	}
diff --git a/policy/conn-id.bro b/policy/conn-id.bro
deleted file mode 100644
index 9a81e307c9..0000000000
--- a/policy/conn-id.bro
+++ /dev/null
@@ -1,24 +0,0 @@
-# $Id: conn-id.bro 45 2004-06-09 14:29:49Z vern $
-
-# Simple functions for generating ASCII connection identifiers.
-
-@load port-name
-
-function id_string(id: conn_id): string
-	{
-	return fmt("%s > %s",
-		endpoint_id(id$orig_h, id$orig_p),
-		endpoint_id(id$resp_h, id$resp_p));
-	}
-
-function reverse_id_string(id: conn_id): string
-	{
-	return fmt("%s < %s",
-		endpoint_id(id$orig_h, id$orig_p),
-		endpoint_id(id$resp_h, id$resp_p));
-	}
-
-function directed_id_string(id: conn_id, is_orig: bool): string
-	{
-	return is_orig ? id_string(id) : reverse_id_string(id);
-	}
diff --git a/policy/conn.bro b/policy/conn.bro
deleted file mode 100644
index 134ac9db13..0000000000
--- a/policy/conn.bro
+++ /dev/null
@@ -1,442 +0,0 @@
-# $Id: conn.bro 6782 2009-06-28 02:19:03Z vern $
-
-@load notice
-@load hot
-@load port-name
-@load netstats
-@load conn-id
-
-redef enum Notice += {
-	SensitiveConnection,	# connection marked "hot"
-};
-
-const conn_closed = { TCP_CLOSED, TCP_RESET };
-
-global have_FTP = F;	# if true, we've loaded ftp.bro
-global have_SMTP = F;	# if true, we've loaded smtp.bro
-global is_ftp_data_conn: function(c: connection): bool;
-
-# Whether to include connection state history in the logs generated
-# by record_connection.
-const record_state_history = F &redef;
-
-# Whether to translate the local address in SensitiveConnection notices
-# to a hostname.  Meant as a demonstration of the "when" construct.
-const xlate_hot_local_addr = F &redef;
-
-# Whether to use DPD for generating the service field in the summaries.
-# Default off, because it changes the format of conn.log in a way
-# potentially incompatible with existing scripts.
-const dpd_conn_logs = F &redef;
-
-# Maps a given port on a given server's address to an RPC service.
-# If we haven't loaded portmapper.bro, then it will be empty
-# (and, ideally, queries to it would be optimized away ...).
-global RPC_server_map: table[addr, port] of string;
-
-const conn_file = open_log_file("conn") &redef;
-
-function conn_state(c: connection, trans: transport_proto): string
-	{
-	local os = c$orig$state;
-	local rs = c$resp$state;
-
-	local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
-	local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
-
-	if ( trans == tcp )
-		{
-		if ( rs == TCP_RESET )
-			{
-			if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
-			     (os == TCP_RESET &&
-			      c$orig$size == 0 && c$resp$size == 0) )
-				return "REJ";
-			else if ( o_inactive )
-				return "RSTRH";
-			else
-				return "RSTR";
-			}
-		else if ( os == TCP_RESET )
-			return r_inactive ? "RSTOS0" : "RSTO";
-		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
-			return "SF";
-		else if ( os == TCP_CLOSED )
-			return r_inactive ? "SH" : "S2";
-		else if ( rs == TCP_CLOSED )
-			return o_inactive ? "SHR" : "S3";
-		else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
-			return "S0";
-		else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
-			return "S1";
-		else
-			return "OTH";
-		}
-
-	else if ( trans == udp )
-		{
-		if ( os == UDP_ACTIVE )
-			return rs == UDP_ACTIVE ? "SF" : "S0";
-		else
-			return rs == UDP_ACTIVE ? "SHR" : "OTH";
-		}
-
-	else
-		return "OTH";
-	}
-
-function conn_size(e: endpoint, trans: transport_proto): string
-	{
-	if ( e$size > 0 || (trans == tcp && e$state == TCP_CLOSED) )
-		return fmt("%d", e$size);
-	else
-		### should return 0 for TCP_RESET that went through TCP_CLOSED
-		return "?";
-	}
-
-function service_name(c: connection): string
-	{
-	local p = c$id$resp_p;
-
-	if ( p in port_names )
-		return port_names[p];
-	else
-		return "other";
-	}
-
-const state_graphic = {
-	["OTH"] = "?>?", ["REJ"] = "[",
-	["RSTO"] = ">]", ["RSTOS0"] = "}]", ["RSTR"] = ">[", ["RSTRH"] = "<[",
-	["S0"] = "}", ["S1"] = ">", ["S2"] = "}2", ["S3"] = "}3",
-	["SF"] = ">", ["SH"] = ">h", ["SHR"] = "<h",
-};
-
-function full_id_string(c: connection): string
-	{
-	local id = c$id;
-	local trans = get_port_transport_proto(id$orig_p);
-	local state = conn_state(c, trans);
-	local state_gr = state_graphic[state];
-	local service = service_name(c);
-
-	if ( state == "S0" || state == "S1" || state == "REJ" )
-		return fmt("%s %s %s/%s %s", id$orig_h, state_gr,
-				id$resp_h, service, c$addl);
-
-	else
-		return fmt("%s %sb %s %s/%s %sb %.1fs %s",
-			id$orig_h, conn_size(c$orig, trans),
-			state_gr, id$resp_h, service,
-			conn_size(c$resp, trans), c$duration, c$addl);
-	}
-
-# The sets are indexed by the complete hot messages.
-global hot_conns_reported: table[conn_id] of set[string];
-
-# Low-level routine that generates the actual SensitiveConnection
-# notice associated with a "hot" connection.
-function do_hot_notice(c: connection, dir: string, host: string)
-	{
-	NOTICE([$note=SensitiveConnection, $conn=c,
-		$msg=fmt("hot: %s %s local host: %s",
-			full_id_string(c), dir, host)]);
-	}
-
-# Generate a SensitiveConnection notice with the local hostname
-# translated.  Mostly intended as a demonstration of using "when".
-function gen_hot_notice_with_hostnames(c: connection)
-	{
-	local id = c$id;
-	local inbound = is_local_addr(id$resp_h);
-	local dir = inbound ? "to" : "from";
-	local local_addr = inbound ? id$orig_h : id$resp_h;
-
-	add_notice_tag(c);
-
-	when ( local hostname = lookup_addr(local_addr) )
-		do_hot_notice(c, dir, hostname);
-	timeout 5 sec
-		{ do_hot_notice(c, dir, fmt("%s", local_addr)); }
-	}
-
-function log_hot_conn(c: connection)
-	{
-	if ( c$id !in hot_conns_reported )
-		hot_conns_reported[c$id] = set() &mergeable;
-
-	local msg = full_id_string(c);
-
-	if ( msg !in hot_conns_reported[c$id] )
-		{
-		if ( xlate_hot_local_addr )
-			gen_hot_notice_with_hostnames(c);
-		else
-			NOTICE([$note=SensitiveConnection, $conn=c,
-				$msg=fmt("hot: %s", full_id_string(c))]);
-
-		add hot_conns_reported[c$id][msg];
-		}
-	}
-
-function determine_service_non_DPD(c: connection) : string
-	{
-	if ( length(c$service) != 0 )
-		{
-		for ( i in c$service )
-			return i;	# return first;
-		}
-
-	else if ( have_FTP && is_ftp_data_conn(c) )
-		return port_names[20/tcp];
-
-	else if ( [c$id$resp_h, c$id$resp_p] in RPC_server_map )
-		# Alternatively, perhaps this should be stored in $addl
-		# rather than $service, so the port number remains
-		# visible .... ?
-		return RPC_server_map[c$id$resp_h, c$id$resp_p];
-
-	else if ( c$orig$state == TCP_INACTIVE )
-		{
-		# We're seeing a half-established connection.  Use the
-		# service of the originator if it's well-known and the
-		# responder isn't.
-		if ( c$id$resp_p !in port_names && c$id$orig_p in port_names )
-			return port_names[c$id$orig_p];
-		}
-
-	return service_name(c);
-	}
-
-function determine_service(c: connection) : string
-	{
-	if ( ! dpd_conn_logs )
-		return determine_service_non_DPD(c);
-
-	if ( [c$id$resp_h, c$id$resp_p] in RPC_server_map )
-		add c$service[RPC_server_map[c$id$resp_h, c$id$resp_p]];
-
-	if ( length(c$service) == 0  )
-		{
-		# Empty service set.  Use port as a hint.
-		if ( c$orig$state == TCP_INACTIVE )
-			{
-			# We're seeing a half-established connection.  Use the
-			# service of the originator if it's well-known and the
-			# responder isn't.
-			if ( c$id$resp_p !in port_names &&
-			     c$id$orig_p in port_names )
-				return fmt("%s?", port_names[c$id$orig_p]);
-			}
-
-		if ( c$id$resp_p in port_names )
-			return fmt("%s?", port_names[c$id$resp_p]);
-
-		return "other";
-		}
-
-	local service = "";
-	for ( s in c$service )
-		{
-		if ( sub_bytes(s, 0, 1) != "-" )
-			service = service == "" ? s : cat(service, ",", s);
-		}
-
-	return service != "" ? to_lower(service) : "other";
-	}
-
-function record_connection(f: file, c: connection)
-	{
-	local id = c$id;
-	local local_init = is_local_addr(id$orig_h);
-
-	local local_addr = local_init ? id$orig_h : id$resp_h;
-	local remote_addr = local_init ? id$resp_h : id$orig_h;
-
-	local flags = local_init ? "L" : "X";
-
-	local trans = get_port_transport_proto(id$orig_p);
-	local duration: string;
-
-	# Do this first so we see the tag in addl.
-	if ( c$hot > 0 )
-		log_hot_conn(c);
-
-	if ( trans == tcp )
-		{
-		if ( c$orig$state in conn_closed || c$resp$state in conn_closed )
-			duration = fmt("%.06f", c$duration);
-		else
-			duration = "?";
-		}
-	else
-		duration = fmt("%.06f", c$duration);
-
-	local addl = c$addl;
-
-@ifdef ( estimate_flow_size_and_remove )
-	# Annotate connection with separately-estimated size, if present.
-	local orig_est = estimate_flow_size_and_remove(id, T);
-	local resp_est = estimate_flow_size_and_remove(id, F);
-
-	if ( orig_est$have_est )
-		addl = fmt("%s olower=%.0fMB oupper=%.0fMB oincon=%s", addl,
-				orig_est$lower / 1e6, orig_est$upper / 1e6,
-				orig_est$num_inconsistent);
-
-	if ( resp_est$have_est )
-		addl = fmt("%s rlower=%.0fMB rupper=%.0fMB rincon=%s", addl,
-				resp_est$lower / 1e6, resp_est$upper / 1e6,
-				resp_est$num_inconsistent);
-@endif
-
-	local service = determine_service(c);
-
-	local log_msg =
-		fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
-			c$start_time, duration, id$orig_h, id$resp_h, service,
-			id$orig_p, id$resp_p, trans,
-			conn_size(c$orig, trans), conn_size(c$resp, trans),
-			conn_state(c, trans), flags);
-
-	if ( record_state_history )
-		log_msg = fmt("%s %s", log_msg,
-				c$history == "" ? "X" : c$history);
-
-	if ( addl != "" )
-		log_msg = fmt("%s %s", log_msg, addl);
-
-	print f, log_msg;
-	}
-
-event protocol_confirmation(c: connection, atype: count, aid: count)
-	{
-	if ( ! dpd_conn_logs )
-		return;
-
-	delete c$service[fmt("-%s",analyzer_name(atype))];
-	add c$service[analyzer_name(atype)];
-	}
-
-event protocol_violation(c: connection, atype: count, aid: count,
-				reason: string) &priority = 10
-	{
-	if ( ! dpd_conn_logs )
-		return;
-
-	delete c$service[analyzer_name(atype)];
-	add c$service[fmt("-%s",analyzer_name(atype))];
-	}
-
-event connection_established(c: connection)
-	{
-	Hot::check_hot(c, Hot::CONN_ESTABLISHED);
-
-	if ( c$hot > 0 )
-		log_hot_conn(c);
-	}
-
-event partial_connection(c: connection)
-	{
-	if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
-		# This appears to be a stealth scan.  Don't do hot-checking
-		# as there wasn't an established connection.
-		;
-	else
-		{
-		Hot::check_hot(c, Hot::CONN_ESTABLISHED);
-		Hot::check_hot(c, Hot::APPL_ESTABLISHED);	# assume it's been established
-		}
-
-	if ( c$hot > 0 )
-		log_hot_conn(c);
-	}
-
-event connection_attempt(c: connection)
-	{
-	Hot::check_spoof(c);
-	Hot::check_hot(c, Hot::CONN_ATTEMPTED);
-	}
-
-event connection_finished(c: connection)
-	{
-	if ( c$orig$size == 0 || c$resp$size == 0 )
-		# Hard to get excited about this - not worth logging again.
-		c$hot = 0;
-	else
-		Hot::check_hot(c, Hot::CONN_FINISHED);
-	}
-
-event connection_partial_close(c: connection)
-	{
-	if ( c$orig$size == 0 || c$resp$size == 0 )
-		# Hard to get excited about this - not worth logging again.
-		c$hot = 0;
-	else
-		Hot::check_hot(c, Hot::CONN_FINISHED);
-	}
-
-event connection_half_finished(c: connection)
-	{
-	Hot::check_hot(c, Hot::CONN_ATTEMPTED);
-	}
-
-event connection_rejected(c: connection)
-	{
-	Hot::check_hot(c, Hot::CONN_REJECTED);
-	}
-
-event connection_reset(c: connection)
-	{
-	Hot::check_hot(c, Hot::CONN_FINISHED);
-	}
-
-event connection_pending(c: connection)
-	{
-	if ( c$orig$state in conn_closed &&
-	     (c$resp$state == TCP_INACTIVE || c$resp$state == TCP_PARTIAL) )
-		# This is a stray FIN or RST - don't bother reporting.
-		return;
-
-	if ( c$orig$state == TCP_RESET || c$resp$state == TCP_RESET )
-		# We already reported this connection when the RST
-		# occurred.
-		return;
-
-	Hot::check_hot(c, Hot::CONN_FINISHED);
-	}
-
-function connection_gone(c: connection, gone_type: string)
-	{
-	if ( c$orig$size == 0 || c$resp$size == 0 )
-		{
-		if ( c$orig$state == TCP_RESET && c$resp$state == TCP_INACTIVE)
-			# A bare RST, no other context.  Ignore it.
-			return;
-
-		# Hard to get excited about this - not worth logging again,
-		# per connection_finished().
-		c$hot = 0;
-		}
-	else
-		Hot::check_hot(c, Hot::CONN_TIMEOUT);
-	}
-
-event connection_state_remove(c: connection) &priority = -10
-	{
-	local os = c$orig$state;
-	local rs = c$resp$state;
-
-	if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
-		# It was still active, no summary generated.
-		connection_gone(c, "remove");
-
-	else if ( (os == TCP_CLOSED || rs == TCP_CLOSED) &&
-		  (os == TCP_ESTABLISHED || rs == TCP_ESTABLISHED) )
-		# One side has closed, the other hasn't - it's in state S2
-		# or S3, hasn't been reported yet.
-		connection_gone(c, "remove");
-
-	record_connection(conn_file, c);
-
-	delete hot_conns_reported[c$id];
-	}
diff --git a/policy/contents.bro b/policy/contents.bro
deleted file mode 100644
index 152b54ed3b..0000000000
--- a/policy/contents.bro
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id: contents.bro 47 2004-06-11 07:26:32Z vern $
-
-redef capture_filters += { ["contents"] = "tcp" };
-
-# Keeps track of to which given contents files we've written.
-global contents_files: set[string];
-
-event new_connection_contents(c: connection)
-	{
-	local id = c$id;
-
-	local orig_file =
-		fmt("contents.%s.%d-%s.%d",
-			id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-	local resp_file =
-		fmt("contents.%s.%d-%s.%d",
-			id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
-	local orig_f: file;
-	local resp_f: file;
-
-	if ( orig_file !in contents_files )
-		{
-		add contents_files[orig_file];
-		orig_f = open(orig_file);
-		}
-	else
-		orig_f = open_for_append(orig_file);
-
-	if ( resp_file !in contents_files )
-		{
-		add contents_files[resp_file];
-		resp_f = open(resp_file);
-		}
-	else
-		resp_f = open_for_append(resp_file);
-
-	set_contents_file(id, CONTENTS_ORIG, orig_f);
-	set_contents_file(id, CONTENTS_RESP, resp_f);
-	}
diff --git a/policy/cpu-adapt.bro b/policy/cpu-adapt.bro
deleted file mode 100644
index 7376e0780a..0000000000
--- a/policy/cpu-adapt.bro
+++ /dev/null
@@ -1,62 +0,0 @@
-# $Id: cpu-adapt.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Adjust load level based on cpu load.
-
-@load load-level
-
-# We increase the load-level if the average CPU load (percentage) is
-# above this limit.
-global cpu_upper_limit = 70.0 &redef;
-
-# We derease the load-level if the average CPU load is below this limit.
-global cpu_lower_limit = 30.0 &redef;
-
-# Time interval over which we average the CPU load.
-global cpu_interval = 1 min &redef;
-
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-
-event cpu_measure_load()
-	{
-	local res = resource_usage();
-	local proc_time = res$user_time + res$system_time;
-	local wall_time = current_time();
-
-	if ( cpu_last_proc_time > 0 secs )
-		{
-		local dproc = proc_time - cpu_last_proc_time;
-		local dwall = wall_time - cpu_last_wall_time;
-		local load = dproc / dwall * 100.0;
-
-		print ll_file, fmt("%.6f CPU load %.02f", network_time(), load);
-
-		# Second test is for whether we have any room to change
-		# things.  It shouldn't be hardwired to "xxx10" ....
-		if ( load > cpu_upper_limit &&
-		     current_load_level != LoadLevel10 )
-			{
-			print ll_file, fmt("%.6f CPU load above limit: %.02f",
-						network_time(), load);
-			increase_load_level();
-			}
-
-		else if ( load < cpu_lower_limit &&
-			  current_load_level != LoadLevel1 )
-			{
-			print ll_file, fmt("%.6f CPU load below limit: %.02f",
-						network_time(), load);
-			decrease_load_level();
-			}
-		}
-
-	cpu_last_proc_time = proc_time;
-	cpu_last_wall_time = wall_time;
-
-	schedule cpu_interval { cpu_measure_load() };
-	}
-
-event bro_init()
-	{
-	schedule cpu_interval { cpu_measure_load() };
-	}
diff --git a/policy/dce.bro b/policy/dce.bro
deleted file mode 100644
index 51b82d3894..0000000000
--- a/policy/dce.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id:$
-
-redef capture_filters += { ["dce"] = "port 135" };
-
-global dce_ports = { 135/tcp } &redef;
-redef dpd_config += { [ANALYZER_DCE_RPC] = [$ports = dce_ports] };
-
-# No default implementation for events.
diff --git a/policy/demux.bro b/policy/demux.bro
deleted file mode 100644
index cfb70d6686..0000000000
--- a/policy/demux.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id: demux.bro 4758 2007-08-10 06:49:23Z vern $
-
-const demux_dir = log_file_name("xscript") &redef;
-global created_demux_dir = F;
-
-# Table of which connections we're demuxing.
-global demuxed_conn: set[conn_id];
-
-# tag: identifier to use for the reason for demuxing
-# otag: identifier to use for originator side of the connection
-# rtag: identifier to use for responder side of the connection
-function demux_conn(id: conn_id, tag: string, otag: string, rtag: string): bool
-	{
-	if ( id in demuxed_conn || ! active_connection(id) )
-		return F;
-
-	if ( ! created_demux_dir )
-		{
-		mkdir(demux_dir);
-		created_demux_dir = T;
-		}
-
-	local orig_file =
-		fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, otag, tag,
-			id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-	local resp_file =
-		fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, rtag, tag,
-			id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
-	set_contents_file(id, CONTENTS_ORIG, open(orig_file));
-	set_contents_file(id, CONTENTS_RESP, open(resp_file));
-
-	add demuxed_conn[id];
-
-	return T;
-	}
-
-event connection_finished(c: connection)
-	{
-	delete demuxed_conn[c$id];
-	}
diff --git a/policy/detect-protocols-http.bro b/policy/detect-protocols-http.bro
deleted file mode 100644
index fb1fed33ac..0000000000
--- a/policy/detect-protocols-http.bro
+++ /dev/null
@@ -1,156 +0,0 @@
-# $Id: detect-protocols-http.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $
-#
-# Identifies protocols that use HTTP.
-
-@load detect-protocols
-
-module DetectProtocolHTTP;
-
-export {
-	# Defines characteristics of a protocol.  All attributes must match
-	# to trigger the detection. We match patterns against lower-case
-	# versions of the data.
-	type protocol : record {
-		url: pattern &optional;
-		client_header: pattern &optional;
-		client_header_content: pattern &optional;
-		server_header: pattern &optional;
-		server_header_content: pattern &optional;
-	};
-
-	const protocols: table[string] of protocol = {
-		["Kazaa"] = [$url=/^\/\.hash=.*/, $server_header=/^x-kazaa.*/],
-		["Gnutella"] = [$url=/^\/(uri-res|gnutella).*/,
-				$server_header=/^x-gnutella-.*/],
-		["Gnutella_"] = [$url=/^\/(uri-res|gnutella).*/,
-				$server_header=/^x-(content-urn|features).*/],
-		["Gnutella__"] = [$url=/^\/(uri-res|gnutella).*/,
-				$server_header=/^content-type/,
-				$server_header_content=/.*x-gnutella.*/],
-		["BitTorrent"] = [$url=/^.*\/(scrape|announce)\?.*info_hash.*/],
-		["SOAP"] = [$client_header=/^([:print:]+-)?(soapaction|methodname|messagetype).*/],
-		["Squid"] = [$server_header=/^x-squid.*/],
-	} &redef;
-}
-
-# Bit masks.
-const url_found = 1;
-const client_header_found = 2;
-const server_header_found = 2;
-
-type index : record {
-	id: conn_id;
-	pid: string;
-};
-
-# Maps to characteristics found so far.
-# FIXME: An integer would suffice for the bit-field
-# if we had bit-operations ...
-global conns: table[index] of set[count] &read_expire = 1hrs;
-
-function check_match(c: connection, pid: string, mask: set[count])
-	{
-	conns[[$id=c$id, $pid=pid]] = mask;
-
-	local p = protocols[pid];
-
-	if ( p?$url && url_found !in mask )
-		return;
-
-	if ( p?$client_header && client_header_found !in mask )
-		return;
-
-	if ( p?$server_header && server_header_found !in mask )
-		return;
-
-	# All found.
-
-	ProtocolDetector::found_protocol(c, ANALYZER_HTTP, pid);
-	}
-
-event http_request(c: connection, method: string, original_URI: string,
-			unescaped_URI: string, version: string)
-	{
-	for ( pid in protocols )
-		{
-		local p = protocols[pid];
-
-		if ( ! p?$url )
-			next;
-
-		local mask: set[count];
-		local idx = [$id=c$id, $pid=pid];
-		if ( idx in conns )
-			mask = conns[idx];
-
-		if ( url_found in mask )
-			# Already found a match.
-			next;
-
-		# FIXME: There are people putting NULs into the URLs
-		# (BitTorrent), which to_lower() does not like.  Not sure
-		# what the right fix is, though.
-		unescaped_URI = subst_string(unescaped_URI, "\x00", "");
-
-		if ( to_lower(unescaped_URI) == p$url )
-			{
-			add mask[url_found];
-			check_match(c, pid, mask);
-			}
-		}
-	}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( name == /[sS][eE][rR][vV][eE][rR]/ )
-		{
-		# Try to extract the server software.
-		local s = split1(strip(value), /[[:space:]\/]/);
-		if ( s[1] == /[-a-zA-Z0-9_]+/ )
-			ProtocolDetector::found_protocol(c, ANALYZER_HTTP, s[1]);
-		}
-
-	for ( pid in protocols )
-		{
-		local p = protocols[pid];
-
-		local mask: set[count];
-		local idx = [$id=c$id, $pid=pid];
-		if ( idx in conns )
-			mask = conns[idx];
-
-		if ( p?$client_header && is_orig )
-			{
-			if ( client_header_found in mask )
-				return;
-
-			if ( to_lower(name) == p$client_header )
-				{
-				if ( p?$client_header_content )
-					if ( to_lower(value) !=
-					     p$client_header_content )
-						return;
-
-				add mask[client_header_found];
-				check_match(c, pid, mask);
-				}
-			}
-
-		if ( p?$server_header && ! is_orig )
-			{
-			if ( server_header_found in mask )
-				return;
-
-			if ( to_lower(name) == p$server_header )
-				{
-				if ( p?$server_header_content )
-					if ( to_lower(value) !=
-					     p$server_header_content )
-						return;
-
-				add mask[server_header_found];
-				check_match(c, pid, mask);
-				}
-			}
-		}
-	}
diff --git a/policy/dhcp.bro b/policy/dhcp.bro
deleted file mode 100644
index 2c60f73fe4..0000000000
--- a/policy/dhcp.bro
+++ /dev/null
@@ -1,525 +0,0 @@
-# $Id: dhcp.bro 4054 2007-08-14 21:45:58Z pclin $
-
-@load dpd
-@load weird
-
-module DHCP;
-
-export {
-	# Set to false to disable printing to dhcp.log.
-	const logging = T &redef;
-}
-
-# Type of states in DHCP client.  See Figure 5 in RFC 2131.
-# Each state name is prefixed with DHCP_ to avoid name conflicts.
-type dhcp_state: enum {
-
-	DHCP_INIT_REBOOT,
-	DHCP_INIT,
-	DHCP_SELECTING,
-	DHCP_REQUESTING,
-	DHCP_REBINDING,
-	DHCP_BOUND,
-	DHCP_RENEWING,
-	DHCP_REBOOTING,
-
-	# This state is not in Figure 5.  Client has been externally configured.
-	DHCP_INFORM,
-};
-
-global dhcp_log: file;
-
-# Source port 68: client -> server; source port 67: server -> client.
-global dhcp_ports: set[port] = { 67/udp, 68/udp } &redef;
-
-redef dpd_config += { [ANALYZER_DHCP_BINPAC] = [$ports = dhcp_ports] };
-
-# Default handling for peculiarities in DHCP analysis.
-redef Weird::weird_action += {
-	["DHCP_no_type_option"] = Weird::WEIRD_FILE,
-	["DHCP_wrong_op_type"] = Weird::WEIRD_FILE,
-	["DHCP_wrong_msg_type"] = Weird::WEIRD_FILE,
-};
-
-# Types of DHCP messages, identified from the 'options' field.  See RFC 1533.
-global dhcp_msgtype_name: table[count] of string = {
-	[1] = "DHCP_DISCOVER",
-	[2] = "DHCP_OFFER",
-	[3] = "DHCP_REQUEST",
-	[4] = "DHCP_DECLINE",
-	[5] = "DHCP_ACK",
-	[6] = "DHCP_NAK",
-	[7] = "DHCP_RELEASE",
-	[8] = "DHCP_INFORM",
-};
-
-# Type of DHCP client state, inferred from the messages.  See RFC 2131, fig 5.
-global dhcp_state_name: table[dhcp_state] of string = {
-	[DHCP_INIT_REBOOT] = "INIT-REBOOT",
-	[DHCP_INIT]	   = "INIT",
-	[DHCP_SELECTING]   = "SELECTING",
-	[DHCP_REQUESTING]  = "REQUESTING",
-	[DHCP_REBINDING]   = "REBINDING",
-	[DHCP_BOUND]	   = "BOUND",
-	[DHCP_RENEWING]    = "RENEWING",
-	[DHCP_REBOOTING]   = "REBOOTING",
-	[DHCP_INFORM]	   = "INFORM",
-};
-
-type dhcp_session_info: record {
-	state: dhcp_state;	# the state of a DHCP client
-	seq: count;		# sequence of session in the trace
-	lease: interval;	# lease time of an IP address
-	h_addr: string;		# hardware/MAC address of the client
-};
-
-# Track the DHCP session info of each client, indexed by the transaction ID.
-global dhcp_session: table[count] of dhcp_session_info
-	&default = record($state = DHCP_INIT_REBOOT, $seq = 0, $lease = 0 sec,
-				$h_addr = "")
-	&write_expire = 5 min
-;
-
-# We need the following table to track some DHCPINFORM messages since they
-# use xid = 0 (I do not know why), starting from the second pair of INFORM
-# and ACK.  Since the client address is ready before DHCPINFORM, we can use
-# it as the index to find its corresponding xid.
-global session_xid: table[addr] of count &read_expire = 30 sec;
-
-# Count how many DHCP sessions have been detected, for use in dhcp_session_seq.
-global pkt_cnt: count = 0;
-global session_cnt: count = 0;
-
-# Record the address of client that sends a DHCPINFORM message with xid = 0.
-global recent_client: addr;
-
-global BROADCAST_ADDR = 255.255.255.255;
-global NULL_ADDR = 0.0.0.0;
-
-# Used to detect if an ACK is duplicated.  They are used only in dhcp_ack().
-# We put them here since Bro scripts lacks the equivalent of "static" variables.
-global ack_from: addr;
-global duplicated_ack: bool;
-
-
-function warning_wrong_state(msg_type: count): string
-	{
-	return fmt("%s not sent in a correct state.",
-			dhcp_msgtype_name[msg_type]);
-	}
-
-function dhcp_message(c: connection, seq: count, show_conn: bool): string
-	{
-	local conn_info = fmt("%.06f #%d", network_time(), seq);
-	if ( show_conn )
-		return fmt("%s %s > %s", conn_info,
-				endpoint_id(c$id$orig_h, c$id$orig_p),
-				endpoint_id(c$id$resp_h, c$id$resp_p));
-
-	return conn_info;
-	}
-
-function new_dhcp_session(xid: count, state: dhcp_state, h_addr: string)
-: dhcp_session_info
-	{
-	local session: dhcp_session_info;
-	session$state = state;
-	session$seq = ++session_cnt;
-	session$lease = 0 sec;
-	session$h_addr = h_addr;
-
-	dhcp_session[xid] = session;
-
-	return session;
-	}
-
-
-event bro_init()
-	{
-	if ( logging )
-		dhcp_log = open_log_file("dhcp");
-	}
-
-event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
-	{
-	local old_session = T;
-
-	if ( msg$xid !in dhcp_session )
-		{
-		local session =
-			new_dhcp_session(msg$xid, DHCP_SELECTING, msg$h_addr);
-		old_session = F;
-		}
-
-	if ( logging )
-		{
-		if ( old_session &&
-		     dhcp_session[msg$xid]$state == DHCP_SELECTING )
-			print dhcp_log, fmt("%s DISCOVER (duplicated)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
-		else
-			print dhcp_log,
-				fmt("%s DISCOVER (xid = %x, client state = %s)",
-					dhcp_message(c, dhcp_session[msg$xid]$seq, T),
-					msg$xid, dhcp_state_name[dhcp_session[msg$xid]$state]);
-		}
-	}
-
-event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
-		router: dhcp_router_list, lease: interval, serv_addr: addr)
-	{
-	local standalone = msg$xid !in dhcp_session;
-	local err_state =
-		standalone && dhcp_session[msg$xid]$state != DHCP_SELECTING;
-
-	if ( logging )
-		{
-		# Note that no OFFER messages are considered duplicated,
-		# since they may come from multiple DHCP servers in a session.
-		if ( standalone )
-			print dhcp_log, fmt("%s OFFER (standalone)",
-				dhcp_message(c, ++session_cnt, T));
-
-		else if ( err_state )
-			print dhcp_log, fmt("%s OFFER (in error state %s)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
-				dhcp_state_name[dhcp_session[msg$xid]$state]);
-
-		else
-			print dhcp_log, fmt("%s OFFER (client state = %s)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
-					dhcp_state_name[DHCP_SELECTING]);
-		}
-	}
-
-event dhcp_request(c: connection, msg: dhcp_msg,
-			req_addr: addr, serv_addr: addr)
-	{
-	local log_info: string;
-
-	if ( msg$xid in dhcp_session )
-		{
-		if ( ! logging )
-			return;
-
-		local state = dhcp_session[msg$xid]$state;
-
-		if ( state == DHCP_REBOOTING )
-			recent_client = req_addr;
-		else
-			recent_client = c$id$orig_h;
-
-		session_xid[recent_client] = msg$xid;
-
-		if ( state == DHCP_RENEWING || state == DHCP_REBINDING ||
-		     state == DHCP_REQUESTING || state == DHCP_REBOOTING )
-			print dhcp_log, fmt("%s REQUEST (duplicated)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
-		else
-			{
-			log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T);
-			print dhcp_log, fmt("%s REQUEST (in error state %s)",
-						log_info,
-						dhcp_state_name[dhcp_session[msg$xid]$state]);
-			}
-		}
-	else
-		{
-		local d_state = DHCP_REBOOTING;
-
-		if ( c$id$resp_h != BROADCAST_ADDR )
-			d_state = DHCP_RENEWING;
-		else if ( msg$ciaddr != NULL_ADDR )
-			d_state = DHCP_REBINDING;
-		else if ( serv_addr != NULL_ADDR )
-			d_state = DHCP_REQUESTING;
-
-		local session = new_dhcp_session(msg$xid, d_state, msg$h_addr);
-
-		if ( session$state == DHCP_REBOOTING )
-			recent_client = req_addr;
-		else
-			recent_client = c$id$orig_h;
-
-		session_xid[recent_client] = msg$xid;
-
-		if ( logging )
-			{
-			log_info = dhcp_message(c, session$seq, T);
-			if ( req_addr != NULL_ADDR )
-				log_info = fmt("%s REQUEST %As",
-						log_info, req_addr);
-			else
-				log_info = fmt("%s REQUEST", log_info);
-
-			print dhcp_log, fmt("%s (xid = %x, client state = %s)",
-						log_info, msg$xid,
-						dhcp_state_name[session$state]);
-			}
-		}
-	}
-
-event dhcp_decline(c: connection, msg: dhcp_msg)
-	{
-	local old_session = msg$xid in dhcp_session;
-	local err_state = F;
-
-	if ( old_session )
-		{
-		if ( dhcp_session[msg$xid]$state == DHCP_REQUESTING )
-			dhcp_session[msg$xid]$state = DHCP_INIT;
-		else
-			err_state = T;
-		}
-	else
-		new_dhcp_session(msg$xid, DHCP_INIT, "");
-
-	if ( ! logging )
-		return;
-
-	if ( old_session )
-		{
-		if ( err_state )
-			print dhcp_log, fmt("%s DECLINE (in error state %s)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
-				dhcp_state_name[dhcp_session[msg$xid]$state]);
-		else
-			print dhcp_log, fmt("%s DECLINE (duplicated)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
-		}
-	else
-		print dhcp_log, fmt("%s DECLINE (xid = %x)",
-			dhcp_message(c, ++session_cnt, T), msg$xid);
-	}
-
-event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
-		router: dhcp_router_list, lease: interval, serv_addr: addr)
-	{
-	local log_info: string;
-
-	if ( msg$xid == 0 )
-		{ # An ACK for a DHCPINFORM message with xid = 0.
-		local xid =
-			c$id$orig_h in session_xid ?
-				# An ACK to the client.
-				session_xid[c$id$orig_h]
-			:
-				# Assume ACK from a relay agent to the server.
-				session_xid[recent_client];
-
-		local seq: count;
-
-		if ( xid > 0 )
-			{
-			duplicated_ack = dhcp_session[xid]$state != DHCP_INFORM;
-			dhcp_session[xid]$state = DHCP_BOUND;
-			seq = dhcp_session[xid]$seq;
-			}
-		else
-			{
-			# This is a weird situation.  We arbitrarily set
-			# duplicated_ack to false to have more information
-			# shown.
-			duplicated_ack = F;
-			seq = session_cnt;
-			}
-
-		if ( ! logging )
-			return;
-
-		log_info = dhcp_message(c, seq, F);
-		if ( c$id$orig_h in session_xid )
-			{
-			if ( duplicated_ack )
-				print dhcp_log, fmt("%s ACK (duplicated)",
-							log_info);
-			else
-				print dhcp_log,
-					fmt("%s ACK (client state = %s)",
-						log_info,
-						dhcp_state_name[DHCP_BOUND]);
-			}
-		else
-			print dhcp_log,
-				fmt("%s ACK (relay agent at = %As)",
-					log_info, c$id$orig_h);
-		return;
-		}
-
-	if ( msg$xid in dhcp_session )
-		{
-		local last_state = dhcp_session[msg$xid]$state;
-		local from_reboot_state = last_state == DHCP_REBOOTING;
-
-		if ( last_state == DHCP_REQUESTING ||
-		     last_state == DHCP_REBOOTING ||
-		     last_state == DHCP_RENEWING ||
-		     last_state == DHCP_REBINDING ||
-		     last_state == DHCP_INFORM )
-			{
-			dhcp_session[msg$xid]$state = DHCP_BOUND;
-			dhcp_session[msg$xid]$lease = lease;
-			}
-
-		if ( ! logging )
-			return;
-
-		if ( last_state == DHCP_BOUND )
-			{
-			log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F);
-			if ( c$id$orig_h == ack_from )
-				log_info = fmt("%s ACK (duplicated)",
-						log_info);
-
-			else
-				# Not a duplicated ACK.
-				log_info = fmt("%s ACK (relay agent at = %As)",
-						log_info, c$id$orig_h);
-			}
-		else
-			{
-			ack_from = c$id$orig_h;
-
-			# If in a reboot state, we had better
-			# explicitly show the original address
-			# and the destination address of ACK,
-			# because the client initally has a
-			# zero address.
-			if ( from_reboot_state )
-				log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T);
-			else
-				log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F);
-
-			if ( last_state != DHCP_INFORM &&
-			     lease > 0 sec )
-				log_info = fmt("%s ACK (lease time = %s, ",
-						log_info, lease);
-			else
-				log_info = fmt("%s ACK (", log_info);
-
-			log_info = fmt("%sclient state = %s)",
-					log_info,
-					dhcp_state_name[dhcp_session[msg$xid]$state]);
-			}
-
-		print dhcp_log, log_info;
-		}
-
-	else if ( logging )
-		print dhcp_log, fmt("%s ACK (standalone)",
-					dhcp_message(c, ++session_cnt, T));
-	}
-
-event dhcp_nak(c: connection, msg: dhcp_msg)
-	{
-	if ( msg$xid in dhcp_session )
-		{
-		local last_state = dhcp_session[msg$xid]$state;
-
-		if ( last_state == DHCP_REQUESTING ||
-		     last_state == DHCP_REBOOTING ||
-		     last_state == DHCP_RENEWING ||
-		     last_state == DHCP_REBINDING )
-			dhcp_session[msg$xid]$state = DHCP_INIT;
-
-		if ( logging )
-			print dhcp_log, fmt("%s NAK (client state = %s)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F),
-				dhcp_state_name[dhcp_session[msg$xid]$state]);
-		}
-
-	else if ( logging )
-		print dhcp_log, fmt("%s NAK (standalone)",
-			dhcp_message(c, ++session_cnt, T));
-	}
-
-event dhcp_release(c: connection, msg: dhcp_msg)
-	{
-	local old_session = msg$xid in dhcp_session;
-
-	if ( ! old_session )
-		# We assume the client goes back to DHCP_INIT
-		# because the RFC does not specify which state to go to.
-		new_dhcp_session(msg$xid, DHCP_INIT, "");
-
-	if ( ! logging )
-		return;
-
-	if ( old_session )
-		{
-		if ( dhcp_session[msg$xid]$state == DHCP_INIT )
-			print dhcp_log, fmt("%s RELEASE (duplicated)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
-		else
-			print dhcp_log, fmt("%s RELEASE, (client state = %s)",
-				dhcp_message(c, dhcp_session[msg$xid]$seq, F),
-				dhcp_state_name[dhcp_session[msg$xid]$state]);
-		}
-	else
-		print dhcp_log, fmt("%s RELEASE (xid = %x, IP addr = %As)",
-			dhcp_message(c, session_cnt, T), msg$xid, c$id$orig_h);
-	}
-
-event dhcp_inform(c: connection, msg: dhcp_msg)
-	{
-	recent_client = c$id$orig_h;
-
-	if ( msg$xid == 0 )
-		{
-		# Oops! Try to associate message with transaction ID 0 with
-		# a previous session.
-		local xid: count;
-		local seq: count;
-
-		if ( c$id$orig_h in session_xid )
-			{
-			xid = session_xid[c$id$orig_h];
-			dhcp_session[xid]$state = DHCP_INFORM;
-			seq = dhcp_session[xid]$seq;
-			}
-		else
-			{
-			# Weird: xid = 0 and no previous INFORM-ACK dialog.
-			xid = 0;
-			seq = ++session_cnt;
-
-			# Just record that a INFORM message has appeared,
-			# although the xid is not useful.
-			session_xid[c$id$orig_h] = 0;
-			}
-
-		if ( logging )
-			print dhcp_log,
-				fmt("%s INFORM (xid = %x, client state = %s)",
-					dhcp_message(c, seq, T),
-					xid, dhcp_state_name[DHCP_INFORM]);
-		return;
-		}
-
-	if ( msg$xid in dhcp_session )
-		{
-		if ( logging )
-			if ( dhcp_session[msg$xid]$state == DHCP_INFORM )
-				print dhcp_log, fmt("%s INFORM (duplicated)",
-					dhcp_message(c, dhcp_session[msg$xid]$seq, F));
-			else	{
-				print dhcp_log,
-					fmt("%s INFORM (duplicated, client state = %s)",
-						dhcp_message(c, dhcp_session[msg$xid]$seq, F),
-						dhcp_state_name[dhcp_session[msg$xid]$state]);
-				}
-
-		return;
-		}
-
-	local session = new_dhcp_session(msg$xid, DHCP_INFORM, msg$h_addr);
-
-	# Associate this transaction ID with the host so we can identify
-	# subsequent pairs of INFORM/ACK if client uses xid=0.
-	session_xid[c$id$orig_h] = msg$xid;
-
-	if ( logging )
-		print dhcp_log, fmt("%s INFORM (xid = %x, client state = %s)",
-				dhcp_message(c, session$seq, T),
-				msg$xid, dhcp_state_name[session$state]);
-	}
diff --git a/policy/dns-anonymizer.bro b/policy/dns-anonymizer.bro
deleted file mode 100644
index d85f31a395..0000000000
--- a/policy/dns-anonymizer.bro
+++ /dev/null
@@ -1,107 +0,0 @@
-# $Id:$
-
-@load dns
-@load anon
-
-module DNS;
-
-redef rewriting_dns_trace = T;
-
-event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_message(c, is_orig, msg, len);
-	}
-
-event dns_request(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_request(c, anonymize_host(query),
-					msg, qtype, qclass);
-	}
-
-event dns_end(c: connection, msg: dns_msg)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_end(c, T);
-	}
-
-event dns_query_reply(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	rewrite_dns_reply_question(c, msg, anonymize_host(query),
-					qtype, qclass);
-	}
-
-event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_A_reply(c, msg, ans, anonymize_address(a, c$id));
-	}
-
-#### FIXME: ANONYMIZE!
-event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			a: addr, astr: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	astr = "::";
-	a = anonymize_address(a, c$id);
-	rewrite_dns_AAAA_reply(c, msg, ans, a, astr);
-	}
-
-event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_NS_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_CNAME_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			name: string, preference: count)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_MX_reply(c, msg, ans, anonymize_host(name), preference);
-	}
-
-event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_PTR_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
-	{
-	soa$mname = anonymize_host(soa$mname);
-	soa$rname = anonymize_host(soa$rname);
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_SOA_reply(c, msg, ans, soa);
-	}
-
-event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			str: string)
-	{
-	str = anonymize_string(str);
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_TXT_reply(c, msg, ans, str);
-	}
-
-event dns_EDNS_addl (c: connection, msg: dns_msg, ans: dns_edns_additional)
-	{
-	rewrite_dns_EDNS_addl(c, msg, ans);
-	}
-
-event dns_rejected(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	#### Hmmm, this is probably not right - we are going to have to look
-	# at the question type to determine how to anonymize this.
-	rewrite_dns_reply_question(c, msg, anonymize_host(query),
-					qtype, qclass);
-	}
diff --git a/policy/dns-info.bro b/policy/dns-info.bro
deleted file mode 100644
index 3ad36d461e..0000000000
--- a/policy/dns-info.bro
+++ /dev/null
@@ -1,81 +0,0 @@
-# $Id: dns-info.bro 3919 2007-01-14 00:27:09Z vern $
-
-# Types, errors, and fields for analyzing DNS data.  A helper file
-# for dns.bro.
-
-const PTR = 12;
-const EDNS = 41;
-const ANY = 255;
-
-const query_types = {
-	[1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
-	[5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
-	[9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR",
-	[13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT",
-	[17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN",
-	[21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG",
-	[25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA",
-	[29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
-	[33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
-	[37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
- 	[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
-	[45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
-	[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
-	[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
-	[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
-	[32768] = "TA", [32769] = "DLV",
-	[ANY] = "*",
-} &default = function(n: count): string { return fmt("query-%d", n); };
-
-const DNS_code_types = {
-	[0] = "X0",
-	[1] = "Xfmt",
-	[2] = "Xsrv",
-	[3] = "Xnam",
-	[4] = "Ximp",
-	[5] = "X[",
-} &default = function(n: count): string { return "?"; };
-
-# Used for non-TSIG/EDNS types.
-const base_error = {
-	[0] = "NOERROR", 	# No Error
-	[1] = "FORMERR", 	# Format Error
-	[2] = "SERVFAIL",	# Server Failure
-	[3] = "NXDOMAIN",	# Non-Existent Domain
-	[4] = "NOTIMP",  	# Not Implemented
-	[5] = "REFUSED", 	# Query Refused
-	[6] = "YXDOMAIN",	# Name Exists when it should not
-	[7] = "YXRRSET", 	# RR Set Exists when it should not
-	[8] = "NXRRSet", 	# RR Set that should exist does not
-	[9] = "NOTAUTH", 	# Server Not Authoritative for zone
-	[10] = "NOTZONE",	# Name not contained in zone
-	[11] = "unassigned-11", # available for assignment
-	[12] = "unassigned-12", # available for assignment
-	[13] = "unassigned-13", # available for assignment
-	[14] = "unassigned-14", # available for assignment
-	[15] = "unassigned-15", # available for assignment
-	[16] = "BADVERS",	# for EDNS, collision w/ TSIG
-	[17] = "BADKEY",	# Key not recognized
-	[18] = "BADTIME",	# Signature out of time window
-	[19] = "BADMODE",	# Bad TKEY Mode
-	[20] = "BADNAME",	# Duplicate key name
-	[21] = "BADALG",	# Algorithm not supported
-	[22] = "BADTRUNC",	# draft-ietf-dnsext-tsig-sha-05.txt
-	[3842] = "BADSIG",	# 16 <= number collision with EDNS(16);
-				# this is a translation from TSIG(16)
-} &default = function(n: count): string { return "?"; };
-
-# This deciphers EDNS Z field values.
-const edns_zfield = {
-	[0] = "NOVALUE",	# regular entry
-	[32768] = "DNS_SEC_OK",	# accepts DNS Sec RRs
-} &default = function(n: count): string { return "?"; };
-
-const dns_class = {
-	[1] = "C_INTERNET",
-	[2] = "C_CSNET",
-	[3] = "C_CHAOS",
-	[4] = "C_HESOD",
-	[254] = "C_NONE",
-	[255] =	"C_ANY",
-} &default = function(n: count): string { return "?"; };
diff --git a/policy/dns-lookup.bro b/policy/dns-lookup.bro
deleted file mode 100644
index 8ef1dd4f0a..0000000000
--- a/policy/dns-lookup.bro
+++ /dev/null
@@ -1,65 +0,0 @@
-# $Id: dns-lookup.bro 340 2004-09-09 06:38:27Z vern $
-
-@load notice
-
-redef enum Notice += {
-	DNS_MappingChanged,	# some sort of change WRT previous Bro lookup
-};
-
-const dns_interesting_changes = {
-	"unverified", "old name", "new name", "mapping",
-} &redef;
-
-function dump_dns_mapping(msg: string, dm: dns_mapping): bool
-	{
-	if ( msg in dns_interesting_changes ||
-	     127.0.0.1 in dm$addrs )
-		{
-		local req = dm$req_host == "" ?
-				fmt("%As", dm$req_addr) : dm$req_host;
-		NOTICE([$note=DNS_MappingChanged,
-			$msg=fmt("DNS %s: %s/%s %s-> %As", msg, req,
-					dm$hostname, dm$valid ?
-						"" : "(invalid) ", dm$addrs),
-			$sub=msg]);
-
-		return T;
-		}
-	else
-		return F;
-	}
-
-event dns_mapping_valid(dm: dns_mapping)
-	{
-	dump_dns_mapping("valid", dm);
-	}
-
-event dns_mapping_unverified(dm: dns_mapping)
-	{
-	dump_dns_mapping("unverified", dm);
-	}
-
-event dns_mapping_new_name(dm: dns_mapping)
-	{
-	dump_dns_mapping("new name", dm);
-	}
-
-event dns_mapping_lost_name(dm: dns_mapping)
-	{
-	dump_dns_mapping("lost name", dm);
-	}
-
-event dns_mapping_name_changed(old_dm: dns_mapping, new_dm: dns_mapping)
-	{
-	if ( dump_dns_mapping("old name", old_dm) )
-		dump_dns_mapping("new name", new_dm);
-	}
-
-event dns_mapping_altered(dm: dns_mapping,
-				old_addrs: set[addr], new_addrs: set[addr])
-	{
-	if ( dump_dns_mapping("mapping", dm) )
-		NOTICE([$note=DNS_MappingChanged,
-			$msg=fmt("changed addresses: %As -> %As", old_addrs, new_addrs),
-			$sub="changed addresses"]);
-	}
diff --git a/policy/dns.bro b/policy/dns.bro
deleted file mode 100644
index 812e7245cc..0000000000
--- a/policy/dns.bro
+++ /dev/null
@@ -1,675 +0,0 @@
-# $Id: dns.bro 6724 2009-06-07 09:23:03Z vern $
-
-@load notice
-@load weird
-@load udp-common
-@load dns-info
-
-module DNS;
-
-export {
-	# Lookups of hosts in here are flagged ...
-	const sensitive_lookup_hosts: set[addr] &redef;
-
-	# ... unless the lookup comes from one of these hosts.
-	const okay_to_lookup_sensitive_hosts: set[addr] &redef;
-
-	# Start considering whether we're seeing PTR scanning if we've seen
-	# at least this many rejected PTR queries.
-	const report_rejected_PTR_thresh = 100 &redef;
-
-	# Generate a PTR_scan event if at any point (once we're above
-	# report_rejected_PTR_thresh) we see this many more distinct
-	# rejected PTR requests than distinct answered PTR requests.
-	const report_rejected_PTR_factor = 2.0 &redef;
-
-	# The following sources are allowed to do PTR scanning.
-	const allow_PTR_scans: set[addr] &redef;
-
-	# Annotations that if returned for a PTR lookup actually indicate
-	# a rejected query; for example, "illegal-address.lbl.gov".
-	const actually_rejected_PTR_anno: set[string] &redef;
-
-	# Hosts allowed to do zone transfers.
-	const zone_transfers_okay: set[addr] &redef;
-
-	# Set to false to disable printing to dns.log.
-	const logging = T &redef;
-
-	redef enum Notice += {
-		SensitiveDNS_Lookup,	# DNS lookup of sensitive hostname/addr
-		DNS_PTR_Scan,		# A set of PTR lookups
-		DNS_PTR_Scan_Summary,	# Summary of a set of PTR lookups
-		ResolverInconsistency,	# DNS answer changed
-		ZoneTransfer,		# a DNS zone transfer request was seen
-
-	};
-
-	# This is a list of domains that have a history of providing
-	# more RR's in response than they are supposed to.  There is
-	# some danger here in that record inconsistancies will not be 
-	# identified for these domains...
-	const bad_domain_resp: set[string] &redef;
-
-	# Same idea, except that it applies to a list of host names.
-	const bad_host_resp: set[string] &redef;
-
-	# Turn resolver consistancy checking on/off.
-	const resolver_consist_check = F &redef;
-
-	# Should queries be checked against 'bad' domains?
-	const check_domain_list = T;
-
-	# List of 'bad' domains.
-	const hostile_domain_list: set[string] &redef;
-
-	# Used for PTR scan detection.  Exported so their timeouts can be
-	# adjusted.
-	global distinct_PTR_requests:
-		table[addr, string] of count &default = 0 &write_expire = 5 min;
-	global distinct_rejected_PTR_requests:
-		table[addr] of count &default = 0 &write_expire = 5 min;
-	global distinct_answered_PTR_requests:
-		table[addr] of count &default = 0 &write_expire = 5 min;
-}
-
-redef capture_filters += { 
-	["dns"] = "port 53",
-	["netbios-ns"] = "udp port 137", 
-};
-
-# DPM configuration.
-global dns_ports = { 53/udp, 53/tcp, 137/udp } &redef;
-redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
-
-global dns_udp_ports = { 53/udp, 137/udp } &redef;
-global dns_tcp_ports = { 53/tcp } &redef;
-redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
-redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
-
-# Default handling for peculiarities in DNS analysis.  You can redef these
-# again in your site-specific script if you want different behavior.
-redef Weird::weird_action += {
-	["DNS_AAAA_neg_length"]	= Weird::WEIRD_FILE,
-	["DNS_Conn_count_too_large"]	= Weird::WEIRD_FILE,
-	["DNS_NAME_too_long"]	= Weird::WEIRD_FILE,
-	["DNS_RR_bad_length"]	= Weird::WEIRD_FILE,
-	["DNS_RR_length_mismatch"]	= Weird::WEIRD_FILE,
-	["DNS_RR_unknown_type"]	= Weird::WEIRD_FILE,
-	["DNS_label_forward_compress_offset"]	= Weird::WEIRD_FILE,
-	["DNS_label_len_gt_name_len"]	= Weird::WEIRD_FILE,
-	["DNS_label_len_gt_pkt"]	= Weird::WEIRD_FILE,
-	["DNS_label_too_long"]	= Weird::WEIRD_FILE,
-	["DNS_name_too_long"]	= Weird::WEIRD_FILE,
-	["DNS_truncated_RR_rdlength_lt_len"]	= Weird::WEIRD_FILE,
-	["DNS_truncated_ans_too_short"]	= Weird::WEIRD_FILE,
-	["DNS_truncated_len_lt_hdr_len"]	= Weird::WEIRD_FILE,
-	["DNS_truncated_quest_too_short"]	= Weird::WEIRD_FILE,
-};
-
-type dns_session_info: record {
-	id: count;
-	is_zone_transfer: bool;
-	last_active: time;	# when we last saw activity
-
-	# Indexed by query id, returns string annotation corresponding to
-	# queries for which no answer seen yet.
-	pending_queries: table[count] of string;
-};
-
-# Indexed by client and server.
-global dns_sessions: table[addr, addr, count] of dns_session_info;
-global num_dns_sessions = 0;
-
-const PTR_pattern = /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa/;
-
-# Keeps track of for which addresses we processed a PTR_scan event.
-global did_PTR_scan_event: table[addr] of count &default = 0;
-
-# The following definitions relate to tracking when DNS records
-# change and whether they do so in a consistent fashion.
-type dns_response_record: record {
-	dns_name: string;	# domain name in question
-	dns_type: count;	# type of query
-	num_resp: count;	# number of responses
-	resp_count: count;	# how many responses have been registered
-	addrs: set[addr];	# addresses in response
-};
-
-global dns_history: table[string, count, count] of dns_response_record;
-
-global did_zone_transfer_notice: table[addr] of count &default = 0;
-
-# Sample known irregular domains.
-redef bad_domain_resp += { "instacontent.net", "mirror-image.net", };
-
-# Sample hostile domains.
-redef hostile_domain_list += { "undernet.org", "afraid.org", };
-
-global dns_log : file;
-
-event bro_init()
-	{
-	if ( logging )
-		dns_log = open_log_file("dns");
-	}
-
-event remove_name(name: string, qtype: count, id: count)
-	{
-	if ( [name, qtype, id] in dns_history )
-		{
-		# We need to remove the dns_history record and the assosciated
-		# dns_consistency_info records.
-
-		local drr = dns_history[name, qtype, id];
-		local a: addr;
-
-		for ( a in drr$addrs )
-			delete drr$addrs[a];
-
-		delete dns_history[name, qtype, id];
-		}
-	else if ( logging )
-		print dns_log, fmt("ERROR in history session removal: %s/%d doesn't exist", name, qtype);
-	}
-
-# Returns the second-level domain, so for example an argument of "a.b.c.d"
-# returns "c.d".
-function second_level_domain(name: string): string
-	{
-	local split_on_dots = split(name, /\./);
-	local num_dots = length(split_on_dots);
-
-	if ( num_dots <= 1 )
-		return name;
-
-	return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]);
-	}
-
-function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
-	{
-	local drr: dns_response_record;
-
-	if ( [ans$query, ans$qtype, msg$id] !in dns_history )
-		{ # add record
-		drr$dns_name = ans$query;
-		drr$dns_type = ans$qtype;
-
-		# Here we modified the expected number of addresses to allow
-		# for the number of answer RR's along with the provided
-		# additional RR's.
-		drr$num_resp = msg$num_answers+msg$num_addl;
-		drr$resp_count = 0;
-		add drr$addrs[a];
-
-		dns_history[ans$query, ans$qtype, msg$id] = drr;
-
-		if ( ans$TTL < 0 sec )
-			# Strangely enough, the spec allows this,
-			# though it's hard to see why!  But because
-			# of that, we don't generate a Weird, we
-			# just change the TTL to 0.
-			ans$TTL = 0 sec;
-
-		# Check the TTL, but allow a smidgen of skew to avoid
-		# possible race conditions.
-		schedule ans$TTL + 1 sec
-			{ remove_name(ans$query, ans$qtype, msg$id) };
-		}
-	else
-		{ # extract record and do some counting
-		drr = dns_history[ans$query, ans$qtype, msg$id];
-
-		# In some broken records, the number of reported records is 0.
-		# This makes the test below fail, to 'fix' set to 1 ...
-		if ( drr$num_resp == 0 )
-			drr$num_resp = 1;
-
-		# Check if we have filled in the expected number of responses
-		# already - it should be > current responder count to allow
-		# for resolver timeouts.  Addresses are only added if they
-		# are not already prsent.  This comes at a slight performance
-		# cost.
-		if ( a !in drr$addrs ) 
-			{
-			add drr$addrs[a];
-			++drr$resp_count;
-			dns_history[ans$query, ans$qtype, msg$id]=drr;
-			}
-
-		if ( drr$num_resp >= drr$resp_count )
-			return;
-
-		if ( second_level_domain(ans$query) in bad_domain_resp )
-			return;
-
-		if ( ans$query in bad_host_resp )
-			return;
-
-		# Too many responses to the request, or some other
-		# inconsistency has been introduced.
-
-		NOTICE([$note=ResolverInconsistency, $conn=c,
-			$msg=fmt("address inconsistency for %s, %s", ans$query, a),
-			$dst=a]);
-		}
-	}
-
-event expire_DNS_session(orig: addr, resp: addr, trans_id: count)
-	{
-	if ( [orig, resp, trans_id] in dns_sessions )
-		{
-		local session = dns_sessions[orig, resp, trans_id];
-		local last_active = session$last_active;
-		if ( network_time() > last_active + dns_session_timeout ||
-		     done_with_network )
-			{
-			# Flush out any pending requests.
-			if ( logging )
-				{
-				for ( query in session$pending_queries )
-					print dns_log, fmt("%0.6f #%d %s",
-							network_time(), session$id,
-							session$pending_queries[query]);
-
-				print dns_log, fmt("%.06f #%d finish",
-						network_time(), session$id);
-				}
-
-			delete dns_sessions[orig, resp, trans_id];
-			}
-
-		else
-			schedule dns_session_timeout {
-				expire_DNS_session(orig, resp, trans_id)
-			};
-		}
-	}
-
-function lookup_DNS_session(c: connection, trans_id: count): dns_session_info
-	{
-	local id = c$id;
-	local orig = id$orig_h;
-	local resp = id$resp_h;
-
-	if ( [orig, resp, trans_id] !in dns_sessions )
-		{
-		local session: dns_session_info;
-		session$id = ++num_dns_sessions;
-		session$last_active = network_time();
-		session$is_zone_transfer = F;
-
-		if ( logging )
-			print dns_log, fmt("%.06f #%d %s start",
-				c$start_time, session$id, id_string(id));
-
-		dns_sessions[orig, resp, trans_id] = session;
-
-		schedule 15 sec { expire_DNS_session(orig, resp, trans_id) };
-
-		append_addl(c, fmt("#%d", session$id));
-
-		return session;
-		}
-
-	else
-		return dns_sessions[orig, resp, trans_id];
-	}
-
-event sensitive_addr_lookup(c: connection, a: addr, is_query: bool)
-	{
-	local orig = c$id$orig_h;
-	local resp = c$id$resp_h;
-	local holding = 0;
-
-	if ( orig in okay_to_lookup_sensitive_hosts )
-		return;
-
-	local session_id: string;
-	if ( [orig, resp, holding] in dns_sessions )
-		session_id = fmt("#%d", dns_sessions[orig, resp, holding]$id);
-	else
-		session_id = "#?";
-
-	local id = fmt("%s > %s (%s)", orig, resp, session_id);
-
-	if ( is_query )
-		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
-			$msg=fmt("%s PTR lookup of %s", id, a),
-			$sub="PTR lookup"]);
-	else
-		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
-			$msg=fmt("%s name lookup of %s", id, a),
-			$sub="name lookup"]);
-	}
-
-function DNS_query_annotation(c: connection, msg: dns_msg, query: string,
-				qtype: count, is_zone_xfer: bool): string
-	{
-	local anno: string;
-
-	if ( (qtype == PTR || qtype == ANY) && query == PTR_pattern )
-		{
-		# convert PTR text to more readable form.
-		local a = ptr_name_to_addr(query);
-		if ( a in sensitive_lookup_hosts && ! is_zone_xfer )
-			event sensitive_addr_lookup(c, a, T);
-
-		anno = fmt("?%s %As", query_types[qtype], a);
-		}
-	else
-		anno = fmt("%s %s", query_types[qtype], query);
-
-	if ( ! is_zone_xfer &&
-	     (msg$num_answers > 0 || msg$num_auth > 0 || msg$num_addl > 0) )
-		anno = fmt("%s <query addl = %d/%d/%d>", anno,
-			msg$num_answers, msg$num_auth, msg$num_addl);
-
-	return anno;
-	}
-
-
-event dns_zone_transfer_request(c: connection, session: dns_session_info,
-				msg: dns_msg, query: string)
-	{
-	session$is_zone_transfer = T;
-
-	if ( ! is_tcp_port(c$id$orig_p) )
-		event conn_weird("UDP_zone_transfer", c);
-
-	local src = c$id$orig_h;
-	if ( src !in zone_transfers_okay &&
-	     ++did_zone_transfer_notice[src] == 1 )
-		{
-		NOTICE([$note=ZoneTransfer, $src=src, $conn=c,
-			$msg=fmt("transfer of %s requested by %s", query, src)]);
-		}
-	}
-
-event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
-	{
-	local id = c$id;
-	local orig = id$orig_h;
-	local resp = id$resp_h;
-	local session = lookup_DNS_session(c, msg$id);
-	local anno = DNS_query_annotation(c, msg, query, qtype, F);
-
-	local report = fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
-	local q: string;
-
-	if ( query_types[qtype] == "AXFR" )
-		{
-		event dns_zone_transfer_request(c, session, msg, query);
-
-		q = DNS_query_annotation(c, msg, query, qtype, T);
-		report = fmt("%s ?%s", report, q);
-		}
-	else
-		report = fmt("%s <query ?%s> %s Trunc:%s Recurs:%s",
-			report, query_types[qtype], query, msg$TC, msg$RD);
-
-	if ( logging )
-		print dns_log, fmt("%s", report);
-
-	# Check to see if this is a host or MX lookup for a designated
-	# hostile domain.
-	if ( check_domain_list &&
-	     (query_types[qtype] == "A" || query_types[qtype] == "MX") &&
-	     second_level_domain(query) in hostile_domain_list )
-		{
-		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
-			$msg=fmt("%s suspicious domain lookup: %s", id, query)]);
-		}
-
-	session$pending_queries[msg$id] = anno;
-	session$last_active = network_time();
-	}
-
-event dns_rejected(c: connection, msg: dns_msg,
-			query: string, qtype: count, qclass: count)
-	{
-	local session = lookup_DNS_session(c, msg$id);
-	local code = DNS_code_types[msg$rcode];
-	local id = msg$id;
-
-	if ( id in session$pending_queries )
-		{
-		if ( logging )
-			print dns_log, fmt("%.06f #%d %s %s", network_time(),
-						session$id,
-						session$pending_queries[id],
-						code);
-
-		delete session$pending_queries[id];
-		}
-
-	else if ( logging )
-		{
-		if ( c$start_time == network_time() )
-			print dns_log, fmt("%.06f #%d [?%s] %s", network_time(),
-						session$id, query, code);
-		else
-			print dns_log, fmt("%.06f #%d %s", network_time(),
-						session$id, code);
-		}
-	}
-
-event PTR_scan_summary(src: addr)
-	{
-	NOTICE([$note=DNS_PTR_Scan_Summary, $src=src,
-		$msg=fmt("%s totaled %d/%d un/successful PTR lookups", src,
-			distinct_rejected_PTR_requests[src],
-			distinct_answered_PTR_requests[src]),
-		$sub="final summary"]);
-	}
-
-event PTR_scan(src: addr)
-	{
-	++did_PTR_scan_event[src];
-
-	if ( src !in allow_PTR_scans && src !in okay_to_lookup_sensitive_hosts )
-		{
-		NOTICE([$note=DNS_PTR_Scan, $src=src,
-			$msg=fmt("%s has made %d/%d un/successful PTR lookups",
-				src, distinct_rejected_PTR_requests[src],
-				distinct_answered_PTR_requests[src]),
-			$sub="scan detected"]);
-
-		schedule 1 day { PTR_scan_summary(src) };
-		}
-	}
-
-function check_PTR_scan(src: addr)
-	{
-	if ( src !in did_PTR_scan_event &&
-	     distinct_rejected_PTR_requests[src] >=
-	     distinct_answered_PTR_requests[src] * report_rejected_PTR_factor )
-		event PTR_scan(src);
-	}
-
-function DNS_answer(c: connection, msg: dns_msg,
-			ans: dns_answer, annotation: string)
-	{
-	local is_answer = ans$answer_type == DNS_ANS;
-	local session = lookup_DNS_session(c, msg$id);
-	local report =
-		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
-	local id = msg$id;
-	local query: string;
-
-	if ( id in session$pending_queries )
-		{
-		query = fmt("%s = <ans %s>", session$pending_queries[id],
-				query_types[ans$qtype]);
-		delete session$pending_queries[id];
-		report = fmt("%s %s", report, query);
-		}
-
-	else if ( session$is_zone_transfer )
-		{ # need to provide the query directly.
-		query = fmt("<ans %s>", query_types[ans$qtype]);
-		report = fmt("%s ?%s", report, query);
-		}
-
-	else
-		{
-		# No corresponding query.  This can happen if it's
-		# already been deleted because we've already processed
-		# an answer to it; or if the session itself was timed
-		# out prior to this answer being generated.  In the
-		# first case, we don't want to provide the query again;
-		# in the second, we do.  We can determine that we're
-		# likely in the second case if either (1) this session
-		# was just now created, or (2) we're now processing the
-		# sole answer to the original query.
-		#
-		# However, for now we punt.
-		#
-		#	if ( c$start_time == network_time() ||
-		#	     (is_answer && msg$num_answers == 1) )
-		#		{
-		#		query = DNS_query_annotation(c, msg, ans$query, ans$qtype, F);
-		#		report = fmt("%s [?%s]", report, query);
-		#		}
-		#	else
-		#		query = "";
-
-		query = fmt("<ans %s>", query_types[ans$qtype]);
-		report = fmt("%s %s", report, query);
-		}
-
-	# Append a bunch of additional annotation.
-	report = fmt("%s %s RCode:%s AA=%s TR=%s %s/%s/%s/%s",
-		report, annotation, base_error[msg$rcode], msg$AA, msg$TC,
-		msg$num_queries, msg$num_answers, msg$num_auth, msg$num_addl );
-
-	local src = c$id$orig_h;
-
-	if ( msg$rcode != 0 )
-		{
-		if ( /\?(PTR|\*.*in-addr).*/ in query )
-			##### should check for private address
-			{
-			if ( ++distinct_PTR_requests[src, query] == 1 &&
-			     ++distinct_rejected_PTR_requests[src] >=
-			       report_rejected_PTR_thresh )
-				check_PTR_scan(src);
-			}
-
-		report = fmt("%s %s", report, DNS_code_types[msg$rcode]);
-		}
-
-	else if ( is_answer )
-		{
-		if ( /\?(PTR|\*.*in-addr).*/ in query )
-			{
-			if ( annotation in actually_rejected_PTR_anno )
-				{
-				if ( ++distinct_PTR_requests[src, query] == 1 &&
-				     ++distinct_rejected_PTR_requests[src] >=
-				       report_rejected_PTR_thresh )
-					check_PTR_scan(src);
-				}
-			else
-				{
-				if ( ++distinct_PTR_requests[src, query] == 1 )
-					++distinct_answered_PTR_requests[src];
-				}
-			}
-		}
-
-	if ( logging )
-		print dns_log, fmt("%s TTL=%g", report, ans$TTL);
-
-	### Note, DNS_AUTH and DNS_ADDL not processed.
-
-	session$last_active = network_time();
-	}
-
-event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
-	{
-	if ( a in sensitive_lookup_hosts )
-		event sensitive_addr_lookup(c, a, F);
-
-	DNS_answer(c, msg, ans, fmt("%As", a));
-
-	if ( resolver_consist_check )
-		insert_name(c, msg, ans, a );
-
-	}
-
-event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	DNS_answer(c, msg, ans, fmt("%s", name));
-	}
-
-event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	DNS_answer(c, msg, ans, fmt("%s %s", query_types[ans$qtype], name));
-	}
-
-event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	DNS_answer(c, msg, ans, fmt("%s", name));
-	}
-
-event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
-	{
-	DNS_answer(c, msg, ans, fmt("%s", soa$mname));
-	}
-
-event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string,
-			preference: count)
-	{
-	DNS_answer(c, msg, ans, fmt("%s/%d", name, preference));
-	}
-
-event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer)
-	{
-	DNS_answer(c, msg, ans, "<---?--->");
-	}
-
-
-# From here on down we need to modify the way that data is recorded.  The
-# standard resource record format is no longer universally applicable in
-# that we may see modified structs or some number of value pairs that may take
-# more flexability in reporting.
-
-event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
-	{
-	local session = lookup_DNS_session(c, msg$id);
-	local report =
-		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
-
-	if ( ans$is_query == 1 )
-		report = fmt("%s <addl_edns ?>", report);
-	else
-		report = fmt("%s <addl_edns> ", report);
-
-	if ( logging )
-		print dns_log, fmt("%s pldsize:%s RCode:%s VER:%s Z:%s",
-				report, ans$payload_size,
-				base_error[ans$extended_rcode],
-				ans$version, edns_zfield[ans$z_field]);
-	}
-
-event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
-	{
-	local session = lookup_DNS_session(c, msg$id);
-	local report =
-		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
-
-	# Error handling with this is a little odd: number collision with EDNS.
-	# We set the collided value to the first private space number.  gross.
-	local trans_error_num = (ans$rr_error == 16) ?  3842 : ans$rr_error;
-
-	if ( ans$is_query == 1 )
-		report = fmt("%s <addl_tsig ?> ", report);
-	else
-		report = fmt("%s <addl_tsig> ", report);
-
-	if ( logging )
-		print dns_log, fmt("%s name:%s alg:%s origID:%s RCode:%s",
-				report, ans$query, ans$alg_name,
-				ans$orig_id, base_error[trans_error_num]);
-	}
diff --git a/policy/dpd.bro b/policy/dpd.bro
deleted file mode 100644
index 5963e5e7a3..0000000000
--- a/policy/dpd.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: dpd.bro,v 1.1.2.1 2006/05/10 02:10:26 sommer Exp $
-#
-# Activates port-independent protocol detection.
-
-redef signature_files += "dpd.sig";
diff --git a/policy/drop-adapt.bro b/policy/drop-adapt.bro
deleted file mode 100644
index b599770ded..0000000000
--- a/policy/drop-adapt.bro
+++ /dev/null
@@ -1,74 +0,0 @@
-# $Id: drop-adapt.bro 6940 2009-11-14 00:38:53Z robin $
-#
-# Adjust load level based on packet drops.
-#
-
-@load load-level
-
-# Increase load-level if packet drops are successively 'count' times
-# above 'threshold' percent.
-const drop_increase_count = 5 &redef;
-const drop_increase_threshold = 5.0 &redef;
-
-# Same for decreasing load-level.
-const drop_decrease_count = 15 &redef;
-const drop_decrease_threshold = 0.0 &redef;
-
-# Minimum time to wait after a load-level increase before new decrease.
-const drop_decrease_wait = 20 mins &redef;
-
-global drop_last_stat: net_stats;
-global drop_have_stats = F;
-global drop_above = 0;
-global drop_below = 0;
-
-global drop_last_increase: time = 0;
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	if ( drop_have_stats )
-		{
-		local new_recvd = ns$pkts_recvd - drop_last_stat$pkts_recvd;
-		local new_dropped =
-			ns$pkts_dropped - drop_last_stat$pkts_dropped;
-
-		local p = new_dropped * 100.0 / new_recvd;
-
-		drop_last_stat = ns;
-
-		if ( p >= 0 )
-			{
-			if ( p >= drop_increase_threshold )
-				{
-				if ( ++drop_above >= drop_increase_count )
-					{
-					increase_load_level();
-					drop_above = 0;
-					drop_last_increase = t;
-					}
-				}
-			else
-				drop_above = 0;
-
-			if ( t - drop_last_increase < drop_decrease_wait )
-				return;
-
-			if ( p <= drop_decrease_threshold )
-				{
-				if ( ++drop_below >= drop_decrease_count )
-					{
-					decrease_load_level();
-					drop_below = 0;
-					}
-				}
-			else
-				drop_below = 0;
-
-			}
-		}
-	else
-		{
-		drop_have_stats = T;
-		drop_last_stat = ns;
-		}
-	}
diff --git a/policy/drop.bro b/policy/drop.bro
deleted file mode 100644
index b2e75fa269..0000000000
--- a/policy/drop.bro
+++ /dev/null
@@ -1,340 +0,0 @@
-# $Id:$
-#
-# drop.bro implements a drop/restore policy termed "catch-and-release"
-# whereby the first time an address is dropped, it is restored a while after
-# the last connection attempt seen.  If a connection attempt is subsequently
-# seen, however, then the system is blocked again, and for a longer time.
-#
-# This policy has significant benefits when using Bro to update router
-# ACLs for which:
-#     - The router has a limited number of ACLs slots.
-#     - You care about possible reuse of IP addresses by now-benign hosts,
-#	so don't want blocks to last forever.
-#
-# Original code by Jim Mellander, LBNL.
-# Updated by Brian Tierney, LBNL and by Robin Sommer, ICSI.
-
-@load site
-
-module Drop;
-
-export {
-	redef enum Notice += {
-		# Connectivity with given address has been dropped.
-		AddressDropped,
-
-		# A request to drop connectivity has been ignored.
-		AddressDropIgnored,
-
-		# Connectivity with given address has been restored.
-		AddressRestored,
-
-		AddressAlreadyDropped,	# host is already dropped
-
-		# Previously dropped host connects again.
-		AddressSeenAgain,
-
-		# Previous offenders re-dropped or re-restored.
-		RepeatAddressDropped,
-		RepeatAddressRestored,
-	};
-
-	# True if we have the capability to drop hosts at all.
-	const can_drop_connectivity = F &redef;
-
-	# True if we never want to drop local addresses.
-	const dont_drop_locals = T &redef;
-
-	# True if we should use the catch-and-release scheme.  If not then
-	# we simply drop addresses via the drop_connectivity_script and
-	# never restore them (they must be restored out-of-band).
-	const use_catch_release = F &redef;
-
-	# Catch-and-release parameters.
-
-	# Interval to wait for release following inactivity after
-	# first offense.
-	global drop_time = 5 min &redef;
-
-	# For repeat offenders: if the total time a host has already been
-	# dropped reaches persistent_offender_time, we drop the host for
-	# long_drop_time.  Setting persistent_offender_time to zero disables
-	# this functionality.
-	const persistent_offender_time = 2 hr &redef;
-	global long_drop_time = 12 hr &redef;
-
-	# Scripts to perform the actual dropping/restore. They get the
-	# IP address as their first argument.
-	const drop_connectivity_script = "drop-connectivity" &redef;
-	const restore_connectivity_script = "restore-connectivity" &redef;
-
-	const root_servers = {
-		a.root-servers.net, b.root-servers.net, c.root-servers.net,
-		d.root-servers.net, e.root-servers.net, f.root-servers.net,
-		g.root-servers.net, h.root-servers.net, i.root-servers.net,
-		j.root-servers.net, k.root-servers.net, l.root-servers.net,
-		m.root-servers.net,
-	} &redef;
-
-	const gtld_servers = {
-		a.gtld-servers.net, b.gtld-servers.net, c.gtld-servers.net,
-		d.gtld-servers.net, e.gtld-servers.net, f.gtld-servers.net,
-		g.gtld-servers.net, h.gtld-servers.net, i.gtld-servers.net,
-		j.gtld-servers.net, k.gtld-servers.net, l.gtld-servers.net,
-		m.gtld-servers.net,
-	} &redef;
-
-	const never_shut_down = {
-		root_servers, gtld_servers,
-	} &redef;
-
-	const never_drop_nets: set[subnet] &redef;
-
-	# Drop the connectivity for the address. "msg" gives a reason.
-	# It returns a copy of the NOTICE generated for the drop, which
-	# gives more information about the kind of dropping performed.
-	# If the notice type is NoticeNone, the drop was not successful
-	# (e.g., because this Bro instance is not configured to do drops.)
-	global drop_address: function(a: addr, msg: string) : notice_info;
-
-	# The following events are used to communicate information about the
-	# drops, in particular for C&R in the cluster setting.
-
-	# Address has been dropped.
-	global address_dropped: event(a: addr);
-
-	# Raised when an IP is restored.
-	global address_restored: event(a: addr);
-
-	# Raised when an that was dropped in the past is no
-	# longer monitored specifically for new connections.
-	global address_cleared: event(a: addr);
-
-	const debugging = F &redef;
-	global debug_log: function(msg: string);
-}
-
-type drop_rec: record {
-	tot_drop_count: count &default=0;
-	tot_restore_count: count &default=0;
-	actual_restore_count: count &default=0;
-	tot_drop_time: interval &default=0secs;
-	last_timeout: interval &default=0secs;
-};
-
-global clear_host: function(t: table[addr] of drop_rec, a: addr): interval;
-
-global drop_info: table[addr] of drop_rec
-	&read_expire = 1 days &expire_func=clear_host &persistent;
-
-global last_notice: notice_info;
-
-function do_notice(n: notice_info)
-	{
-	last_notice = n;
-	NOTICE(n);
-	}
-
-function dont_drop(a: addr) : bool
-	{
-	return ! can_drop_connectivity || a in never_shut_down ||
-	       a in never_drop_nets || (dont_drop_locals && is_local_addr(a));
-	}
-
-function is_dropped(a: addr) : bool
-	{
-	if ( a !in drop_info )
-		return F;
-
-	local di = drop_info[a];
-
-	if ( di$tot_drop_count < di$tot_restore_count )
-		{ # This shouldn't happen.
-		# FIXME: We need an assert().
-		print "run-time error: more restores than drops!";
-		return F;
-		}
-
-	return di$tot_drop_count > di$tot_restore_count;
-	}
-
-global debug_log_file: file;
-
-function debug_log(msg: string)
-	{
-	if ( ! debugging )
-		return;
-
-	print debug_log_file,
-		fmt("%.6f [%s] %s", network_time(), peer_description, msg);
-	}
-
-event bro_init()
-	{
-	if ( debugging )
-		{
-		debug_log_file =
-			open_log_file(fmt("drop-debug.%s", peer_description));
-		set_buf(debug_log_file, F);
-		}
-	}
-
-function do_direct_drop(a: addr, msg: string)
-	{
-	if ( msg != "" )
-		msg = fmt(" (%s)", msg);
-
-	if ( a !in drop_info )
-		{
-		local tmp: drop_rec;
-		drop_info[a] = tmp;
-		}
-
-	local di = drop_info[a];
-
-	if ( is_dropped(a) )
-		# Already dropped. Nothing to do.
-		do_notice([$note=Drop::AddressAlreadyDropped, $src=a,
-				$msg=fmt("%s%s", a, msg)]);
-	else
-		{
-		system(fmt("%s %s", Drop::drop_connectivity_script, a));
-
-		debug_log(fmt("sending drop for %s", a));
-		event Drop::address_dropped(a);
-
-		if ( di$tot_drop_count == 0 )
-			do_notice([$note=Drop::AddressDropped, $src=a,
-					$msg=fmt("%s%s", a, msg)]);
-		else
-			{
-			local s = fmt("(%d times)", di$tot_drop_count + 1);
-			do_notice([$note=Drop::RepeatAddressDropped,
-				$src=a, $n=di$tot_drop_count+1,
-				$msg=fmt("%s%s %s", a, msg, s), $sub=s]);
-			}
-		}
-
-	++di$tot_drop_count;
-	debug_log(fmt("dropped %s: tot_drop_count=%d tot_restore_count=%d",
-			a, di$tot_drop_count, di$tot_restore_count));
-	}
-
-# Restore a previously dropped address.
-global do_restore: function(a: addr, force: bool);
-
-event restore_dropped_address(a: addr)
-	{
-	do_restore(a, F);
-	}
-
-function do_catch_release_drop(a: addr, msg: string)
-	{
-	do_direct_drop(a, msg);
-
-	local di = drop_info[a];
-
-	local t = (persistent_offender_time != 0 sec &&
-		   di$tot_drop_time >= persistent_offender_time) ?
-			long_drop_time : drop_time;
-
-	di$tot_drop_time += t;
-	di$last_timeout = t;
-
-	schedule t { restore_dropped_address(a) };
-	}
-
-function do_restore(a: addr, force: bool)
-	{
-	if ( a !in drop_info )
-		return;
-
-	local di = drop_info[a];
-	++drop_info[a]$tot_restore_count;
-	debug_log(fmt("restored %s: tot_drop_count=%d tot_restore_count=%d force=%s", a, drop_info[a]$tot_drop_count, drop_info[a]$tot_restore_count, force));
-
-	if ( di$tot_drop_count == di$tot_restore_count || force )
-		{
-		++di$actual_restore_count;
-		system(fmt("%s %s", Drop::restore_connectivity_script, a));
-
-		debug_log(fmt("sending restored for %s", a));
-		event Drop::address_restored(a);
-
-		local t = di$last_timeout;
-
-		if ( di$actual_restore_count == 1 )
-			{
-			local s1 = fmt("(timeout %.1f)", t);
-			do_notice([$note=Drop::AddressRestored, $src=a,
-				   $msg=fmt("%s %s", a, s1), $sub=s1]);
-			}
-
-		else
-			{
-			local s2 = fmt("(%d times, timeout %.1f)",
-					di$actual_restore_count, t);
-			do_notice([$note=Drop::RepeatAddressRestored, $src=a,
-				   $n=di$tot_restore_count,
-				   $msg=fmt("%s %s", a, s2), $sub=s2]);
-			}
-		}
-	}
-
-function clear_host(t: table[addr] of drop_rec, a: addr): interval
-	{
-	if ( is_dropped(a) )
-		# Restore address.
-		do_restore(a, T);
-
-	debug_log(fmt("sending cleared for %s", a));
-	event Drop::address_cleared(a);
-
-	return 0 secs;
-	}
-
-# Returns true if drop was successful (or IP was already dropped).
-function drop_address(a: addr, msg: string) : notice_info
-	{
-	debug_log(fmt("drop_address(%s, %s)", a, msg));
-
-	last_notice = [$note=NoticeNone];
-
-	if ( dont_drop(a) )
-		do_notice([$note=AddressDropIgnored, $src=a,
-			$msg=fmt("ignoring request to drop %s (%s)", a, msg)]);
-	else if ( use_catch_release )
-		do_catch_release_drop(a, msg);
-	else
-		do_direct_drop(a, msg);
-
-	if ( last_notice$note == NoticeNone )
-		print "run-time error: drop_address did not raise a NOTICE";
-
-	return last_notice;
-	}
-
-event new_connection(c: connection)
-	{
-	if ( ! can_drop_connectivity )
-		return;
-
-	# With Catch & Release, 1 connection from a previously dropped system
-	# triggers an immediate redrop.
-	if ( ! use_catch_release )
-		return;
-
-	local a = c$id$orig_h;
-
-	if ( a !in drop_info )
-		# Never dropped.
-		return;
-
-	local di = drop_info[a];
-	if ( is_dropped(a) )
-		# Still dropped.
-		return;
-
-	NOTICE([$note=AddressSeenAgain, $src=a,
-		$msg=fmt("%s seen again after release", a)]);
-	}
diff --git a/policy/dyn-disable.bro b/policy/dyn-disable.bro
deleted file mode 100644
index b1b5bd937e..0000000000
--- a/policy/dyn-disable.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: dyn-disable.bro,v 1.1.4.3 2006/05/31 01:52:02 sommer Exp $
-#
-# When this script is loaded, analyzers that raise protocol_violation events
-# are disabled for the affected connection.
-
-# Note that this a first-shot solution. Eventually, we should make the
-# disable-decision more fine-grained/sophisticated.
-
-@load conn
-@load notice
-
-module DynDisable;
-
-export {
-	redef enum Notice += {
-		ProtocolViolation
-	};
-
-	# Ignore violations which go this many bytes into the connection.
-	const max_volume = 10 * 1024 &redef;
-}
-
-global conns: table[conn_id] of set[count];
-
-event protocol_violation(c: connection, atype: count, aid: count,
-				reason: string)
-	{
-	if ( c$id in conns && aid in conns[c$id] )
-		return;
-
-	local size = c$orig$size + c$resp$size;
-
-	if ( max_volume > 0 && size > max_volume )
-		return;
-
-	# Disable the analyzer that raised the last core-generated event.
-	disable_analyzer(c$id, aid);
-
-	NOTICE([$note=ProtocolViolation, $conn=c,
-		$msg=fmt("%s analyzer %s disabled due to protocol violation",
-				id_string(c$id), analyzer_name(atype)),
-		$sub=reason, $n=atype]);
-
-	if ( c$id !in conns )
-		conns[c$id] = set();
-
-	add conns[c$id][aid];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	delete conns[$id=c$id];
-	}
diff --git a/policy/file-flush.bro b/policy/file-flush.bro
deleted file mode 100644
index 481d078e59..0000000000
--- a/policy/file-flush.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: file-flush.bro 786 2004-11-24 08:25:16Z vern $
-
-# Causes all files to be flushed every file_flush_interval seconds.
-# Useful if you want to poke through the log files in real time,
-# particularly if network traffic is light.
-
-global file_flush_interval = 10 sec &redef;
-
-event file_flush_event()
-	{
-	flush_all();
-	schedule file_flush_interval { file_flush_event() };
-	}
-
-event bro_init()
-	{
-	schedule file_flush_interval { file_flush_event() };
-	}
diff --git a/policy/finger.bro b/policy/finger.bro
deleted file mode 100644
index 8cf1dbba65..0000000000
--- a/policy/finger.bro
+++ /dev/null
@@ -1,89 +0,0 @@
-# $Id: finger.bro 4758 2007-08-10 06:49:23Z vern $
-
-module Finger;
-
-export {
-	const hot_names = {
-		"root", "lp", "uucp", "nuucp", "demos", "operator", "sync",
-		"r00t", "tutor", "tour", "admin", "system", "guest", "visitor",
-		"0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
-	} &redef;
-
-	const max_finger_request_len = 80 &redef;
-}
-
-redef capture_filters += { ["finger"] = "port finger" };
-
-# DPM configuration.
-global finger_ports = { 79/tcp } &redef;
-redef dpd_config += { [ANALYZER_FINGER] = [$ports = finger_ports] };
-
-function public_user(user: string): bool
-	{
-	return T;
-	}
-
-function authorized_client(host: addr): bool
-	{
-	return T;
-	}
-
-event finger_request(c: connection, full: bool, username: string, hostname: string)
-	{
-	local id = c$id;
-	local request: string;
-
-	if ( hostname != "" )
-		request = cat(username, "@", hostname);
-	else
-		request = username;
-
-	if ( byte_len(request) > max_finger_request_len )
-		{
-		request = fmt("%s...", sub_bytes(request, 1, max_finger_request_len));
-		++c$hot;
-		}
-
-	if ( hostname != "" )
-		++c$hot;
-
-	if ( username in hot_names )
-		++c$hot;
-
-	local req = request == "" ? "ALL" : fmt("\"%s\"", request);
-
-	if ( full )
-		req = fmt("%s (/W)", req);
-
-	if ( c$addl != "" )
-		# This is an additional request.
-		req = fmt("(%s)", req);
-
-	append_addl_marker(c, req, " *");
-
-	if ( rewriting_finger_trace )
-		rewrite_finger_request(c, full,
-				public_user(username) ? username : "private user",
-				hostname);
-	}
-
-event finger_reply(c: connection, reply_line: string)
-	{
-	local id = c$id;
-	if ( rewriting_finger_trace )
-		rewrite_finger_reply(c,
-				authorized_client(id$orig_h) ? "finger reply ..." : reply_line);
-	}
-
-function is_finger_conn(c: connection): bool
-	{
-	return c$id$resp_p == finger;
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( rewriting_finger_trace && requires_trace_commitment &&
-	     is_finger_conn(c) )
-		# Commit queued packets and all packets in future.
-		rewrite_commit_trace(c, T, T);
-	}
diff --git a/policy/firewall.bro b/policy/firewall.bro
deleted file mode 100644
index adbf7a450c..0000000000
--- a/policy/firewall.bro
+++ /dev/null
@@ -1,195 +0,0 @@
-# $Id: firewall.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Firewall-like rules.
-
-@load notice
-@load conn
-@load ftp
-
-module Firewall;
-
-export {
-	type action: enum { ALLOW, DENY };
-	type cmp: enum { EQ, NE };
-
-	type rule: record {
-		label: string &default = "<no-label>";
-		orig: subnet &default = 0.0.0.0/0;
-		orig_set: set[addr] &optional;
-		orig_cmp: cmp &default = EQ;
-		orig_p: port &default = 0/tcp;
-		orig_p_cmp: cmp &default = EQ;
-		resp: subnet &default = 0.0.0.0/0;
-		resp_set: set[addr] &optional;
-		resp_cmp: cmp &default = EQ;
-		resp_p: port &default = 0/tcp;
-		resp_p_cmp: cmp &default = EQ;
-		prot: transport_proto &default = unknown_transport;
-		prot_cmp: cmp &default = EQ;
-		state: string &default = "";
-		state_cmp: cmp &default = EQ;
-		is_ftp: bool &default = F;
-
-		action: action &default = ALLOW;
-	};
-
-	redef enum Notice += {
-		DenyRuleMatched
-	};
-
-	global begin: function(c: connection);
-	global match_rule: function(c: connection, r: rule);
-}
-
-const log_file = open_log_file("firewall") &redef;
-
-global stop_matching = F;
-
-function do_match(c: connection, r: rule): bool
-	{
-	if ( r$orig_cmp == EQ )
-		{
-		if ( r?$orig_set )
-			{
-			if ( c$id$orig_h !in r$orig_set && c$id$orig_h !in r$orig )
-				return F;
-			}
-		else
-			{
-			if ( c$id$orig_h !in r$orig )
-				return F;
-			}
-		}
-	else
-		{
-		if ( r?$orig_set )
-			{
-			if ( c$id$orig_h in r$orig_set || c$id$orig_h in r$orig )
-				return F;
-			}
-		else
-			{
-			if ( c$id$orig_h in r$orig )
-				return F;
-			}
-		}
-
-	if ( r$resp_cmp == EQ )
-		{
-		if ( r?$resp_set )
-			{
-			if ( c$id$resp_h !in r$resp_set && c$id$resp_h !in r$resp )
-				return F;
-			}
-		else
-			{
-			if ( c$id$resp_h !in r$resp )
-				return F;
-			}
-		}
-	else
-		{
-		if ( r?$resp_set )
-			{
-			if ( c$id$resp_h in r$resp_set || c$id$resp_h in r$resp )
-				return F;
-			}
-		else
-			{
-			if ( c$id$resp_h in r$resp )
-				return F;
-			}
-		}
-
-	if ( r$orig_p != 0/tcp )
-		{
-		if ( r$orig_p_cmp == EQ )
-			{
-			if ( c$id$orig_p != r$orig_p )
-				return F;
-			}
-		else
-			if ( c$id$orig_p == r$orig_p )
-				return F;
-		}
-
-	if ( r$resp_p != 0/tcp )
-		{
-		if ( r$resp_p_cmp == EQ )
-			{
-			if ( c$id$resp_p != r$resp_p )
-				return F;
-			}
-		else
-			if ( c$id$resp_p == r$resp_p )
-				return F;
-		}
-
-	if ( r$state != "" )
-		{
-		local state = conn_state(c, get_port_transport_proto(c$id$orig_p));
-		if ( r$state_cmp == EQ )
-			{
-			if ( state != r$state )
-				return F;
-			}
-		else
-			if ( state == r$state )
-				return F;
-		}
-
-	if ( r$prot != unknown_transport )
-		{
-		local proto = get_port_transport_proto(c$id$orig_p);
-		if ( r$prot_cmp == EQ )
-			{
-			if ( proto != r$prot )
-				return F;
-			}
-		else
-			if ( proto == r$prot )
-				return F;
-		}
-
-	if ( r$is_ftp && ! is_ftp_data_conn(c) )
-		return F;
-
-	return T;
-	}
-
-
-function report_violation(c: connection, r:rule)
-	{
-	local trans = get_port_transport_proto(c$id$orig_p);
-	local state = conn_state(c, trans);
-
-	NOTICE([$note=DenyRuleMatched,
-			$msg=fmt("%s %s",
-		 	id_string(c$id), trans), $conn=c, $sub=r$label]);
-	append_addl(c, fmt("<%s>", r$label));
-	record_connection(log_file, c);
-	}
-
-function begin(c: connection)
-	{
-	stop_matching = F;
-	}
-
-function match_rule(c: connection, r: rule)
-	{
-	if ( stop_matching )
-		return;
-
-	if ( do_match(c, r) )
-		{
-		stop_matching = T;
-
-		if ( r$action == DENY )
-			report_violation(c, r);
-		}
-	}
-
-event bro_init()
-	{
-	set_buf(log_file, F);
-	}
diff --git a/policy/flag-irc.bro b/policy/flag-irc.bro
deleted file mode 100644
index 60d687bff7..0000000000
--- a/policy/flag-irc.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: flag-irc.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# include this module to flag various forms of IRC access.
-
-@load ftp
-
-redef FTP::hot_files +=
-	  /.*eggdrop.*/
-	| /.*eggsun.*/
-	;
-
-redef Hot::flag_successful_inbound_service: table[port] of string += {
-	[[6666/tcp, 6667/tcp]] = "inbound IRC",
-};
-
-redef Hot::hot_dsts: table[addr] of string += {
-	[bitchx.com] = "IRC source sites",
-};
diff --git a/policy/flag-warez.bro b/policy/flag-warez.bro
deleted file mode 100644
index 6781252338..0000000000
--- a/policy/flag-warez.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: flag-warez.bro 416 2004-09-17 03:52:28Z vern $
-#
-# include this module to flag various forms of Warez access.
-
-@load hot-ids
-@load ftp
-
-redef FTP::hot_files += /.*[wW][aA][rR][eE][zZ].*/ ;
-
-redef always_hot_ids += { "warez", "hanzwarez", "zeraw", };
-redef hot_ids += { "warez", "hanzwarez", "zeraw", };
diff --git a/policy/frag.bro b/policy/frag.bro
deleted file mode 100644
index fcced8cd9a..0000000000
--- a/policy/frag.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
-# common due to high-volume, fragmenting protocols such as NFS :-(.
-
-redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
-
-redef frag_timeout = 5 min;
diff --git a/policy/ftp-anonymizer.bro b/policy/ftp-anonymizer.bro
deleted file mode 100644
index 560b85119b..0000000000
--- a/policy/ftp-anonymizer.bro
+++ /dev/null
@@ -1,846 +0,0 @@
-# $Id: ftp-anonymizer.bro 47 2004-06-11 07:26:32Z vern $
-
-@load ftp
-@load anon
-
-# Definitions of constants.
-
-# Check if those commands carry any argument; anonymize non-empty
-# argument.
-const ftp_cmds_with_no_arg = {
-	"CDUP", "QUIT", "REIN", "PASV", "STOU",
-	"ABOR", "PWD", "SYST", "NOOP",
-
-	"FEAT",	"XPWD",
-};
-
-const ftp_cmds_with_file_arg = {
-	"APPE", "CWD", "DELE", "LIST", "MKD",
-	"NLST", "RMD", "RNFR", "RNTO", "RETR",
-	"STAT", "STOR", "SMNT",
-	# FTP extensions
-	"SIZE", "MDTM",
-	"MLSD", "MLST",
-	"XCWD",
-};
-
-# For following commands, we check if the argument conforms to the
-# specification -- if so, it is safe to be left in the clear.
-const ftp_cmds_with_safe_arg = {
-	"TYPE", "STRU", "MODE", "ALLO", "REST",
-	"HELP",
-
-	"MACB",	# MacBinary encoding
-};
-
-# ftp_other_cmds can be redefined in site/trace-specific ways.
-const ftp_other_cmds = {
-	"LPRT", "OPTS", "CLNT", "RETP",
-	"EPSV", "XPWD",
-	"SOCK",	# old FTP command (RFC 354)
-} &redef;
-
-# Below defines patterns of arguments of FTP commands
-
-# The following patterns are case-insensitive
-const ftp_safe_cmd_arg_pattern =
-	  /TYPE (([AE]( [NTC])?)|I|(L [0-9]+))/
-	| /STRU [FRP]/
-	| /MODE [SBC]/
-	| /ALLO [0-9]+([ \t]+R[ \t]+[0-9]+)?/
-	| /REST [!-~]+/
-	| /MACB (E|DISABLE|ENABLE)/
-	| /SITE TRUTH ON/
-	&redef;
-
-# The following list includes privacy-safe [cmd, arg] pairs and can be
-# customized for particular traces
-const ftp_safe_arg_list: set[string, string] = {
-} &redef;
-
-# ftp_special_cmd_args offers an even more flexible way of customizing
-# argument anonymization: for each [cmd, arg] pair in the table, the
-# corresponding value will be the anonymized argument.
-const ftp_special_cmd_args: table[string, string] of string = {
-} &redef;
-
-# The following words are safe to be left in the clear as the argument
-# of a HELP command.
-const ftp_help_words = {
-	"USER",	"PORT",	"STOR",	"MSAM",	"RNTO",	"NLST",	"MKD",	"CDUP",
-	"PASS",	"PASV",	"APPE",	"MRSQ",	"ABOR",	"SITE",	"XMKD",	"XCUP",
-	"ACCT",	"TYPE",	"MLFL",	"MRCP",	"DELE",	"SYST",	"RMD",	"STOU",
-	"SMNT",	"STRU",	"MAIL",	"ALLO",	"CWD",	"STAT",	"XRMD",	"SIZE",
-	"REIN",	"MODE",	"MSND",	"REST",	"XCWD",	"HELP",	"PWD",	"MDTM",
-	"QUIT",	"RETR",	"MSOM",	"RNFR",	"LIST",	"NOOP",	"XPWD",
-} &redef;
-
-const ftp_port_pat = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/;
-
-# Pattern for the argument of EPRT command.
-# TODO: the pattern works fot the common case but is not RFC2428-complete.
-const ftp_eprt_pat = /\|1\|[0-9]{1,3}(\.[0-9]{1,3}){3}\|[0-9]{1,5}\|/;
-
-# IP addresses.
-const ftp_ip_pat = /[0-9]{1,3}(\.[0-9]{1,3}){3}/;
-
-# Domain names (deficiency: domain suffices of countries).
-const ftp_domain_name_pat =
-	/([\-0-9a-zA-Z]+\.)+(com|edu|net|org|gov|mil|uk|fr|nl|es|jp|it)/;
-
-# File names (printable characters).
-const ftp_file_name_pat = /[[:print:]]+/;
-
-# File names that can be left in the clear.
-const ftp_public_files =
-	  /\// | /\.\./		# "/" and ".."
-	| /(\/etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
-	| /\/(etc|usr\/bin|bin|sbin|kernel)(\/)?/
-	| /\.rhosts/ | /\.forward/			 # ftp_hot_guest_files
-&redef;
-
-const ftp_sensitive_files =
-	  /.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
-	| /\/(etc|usr\/bin|bin|sbin|kernel)\/.*/
-	| /.*\.rhosts/ | /.*\.forward/			 # ftp_hot_guest_files
-&redef;
-
-# Public servers.
-const ftp_public_servers: set[addr] = {} &redef;
-
-# Whether we keep all file names (valid or invalid) for public servers.
-const ftp_keep_all_files_for_public_servers = F &redef;
-
-# Public files.
-const ftp_known_public_files: set[addr, string] = {} &redef;
-
-# Hidden file/directory.
-const ftp_hidden_file = /.*\/\.[^.\/].*/;
-const ftp_public_hidden_file = /0/ &redef;
-
-# Options for file commands (LIST, NLST) that can be left in the clear.
-const ftp_known_option = /-[[:alpha:]]{1,5}[ ]*/;
-
-const ftp_known_site_cmd = {
-	"UMASK", "GROUP", "INDEX", "GROUPS",
-	"IDLE", "GPASS", "EXEC", "CHECKMETHOD",
-	"CHMOD", "NEWER", "ALIAS", "CHECKSUM",
-	"HELP", "MINFO", "CDPATH",
-
-	"TRUTH", "UTIME",
-} &redef;
-
-const ftp_sensitive_ids: set[string] = {
-	"backdoor", "bomb", "diag", "gdm", "issadmin", "msql", "netfrack",
-	"netphrack", "own", "r00t", "root", "ruut", "smtp", "sundiag", "sync",
-	"sys", "sysadm", "sysdiag", "sysop", "sysoper", "system", "toor", "tour",
-	"y0uar3ownd",
-};
-
-redef anonymize_ip_addr = T;
-redef rewriting_ftp_trace = T;
-
-global ftp_anon_log = open_log_file("ftp-anon") &redef;
-
-# Anonymized arguments, indexed by the anonymization seed.
-global anonymized_args: table[string] of string;
-
-# Arguments left in the clear, indexed by the argument and the context.
-global ftp_arg_left_in_the_clear: set[string, string];
-
-# Valid files on public servers.
-global ftp_valid_public_files: set[addr, string];
-
-type ftp_cmd_arg_anon_result: record {
-	anonymized: bool;
-	cmd: string;
-	arg: string;
-};
-
-
-# Whether anonymize_trace_specific_cmd_arg is defined:
-const trace_specific_cmd_arg_anonymization = F &redef;
-
-# This function is to be defined in a trace-specific script. By
-# default, use ftp-anonymizer-trace.bro.
-
-global anonymize_trace_specific_cmd_arg:
-	function(session: ftp_session_info, cmd: string, arg: string):
-		ftp_cmd_arg_anon_result;
-
-
-# Anonymize FTP replies by message patterns.
-const process_ftp_reply_by_message_pattern = F &redef;
-global anonymize_ftp_reply_by_msg_pattern:
-	function(code: count, act_msg: string,
-		cmd_arg: ftp_cmd_arg, session: ftp_session_info): string;
-
-
-# Anonymize an argument *completely* with a hash value of the string,
-# and log the anonymization.
-function anonymize_arg(typ: string, session: ftp_session_info, cmd: string, arg: string, seed: string): string
-	{
-	if ( arg == "" )
-		return ""; # an empty argument is safe
-
-	local arg_seed = string_cat(typ, seed, arg);
-
-	if ( arg_seed in anonymized_args )
-		return anonymized_args[arg_seed];
-
-	local a = anonymize_string(arg_seed);
-	anonymized_args[arg_seed] = a;
-
-	print ftp_anon_log,
-		fmt("anonymize_arg: (%s) {%s} %s \"%s\" to \"%s\" in [%s]",
-				typ, seed, cmd,
-				to_string_literal(arg), to_string_literal(a),
-				id_string(session$connection_id));
-	return a;
-	}
-
-# This function is called whenever an argument is to be left in the
-# clear. It logs the action if it hasn't occurred before.
-function leave_in_the_clear(msg: string, session: ftp_session_info,
-				arg: string, context: string): string
-	{
-	if ( [arg, context] !in ftp_arg_left_in_the_clear )
-		{
-		add ftp_arg_left_in_the_clear[arg, context];
-		print ftp_anon_log, fmt("leave_in_the_clear: (%s) \"%s\" [%s] in [%s]",
-				msg, to_string_literal(arg), context,
-				id_string(session$connection_id));
-		}
-	return arg;
-	}
-
-
-# Sometimes the argument of a file command contains an option string
-# before the file name, such as in 'LIST -l /xyz/', the following
-# function identifies such option strings and separate the argument
-# accordingly.
-
-type separate_option_str_result: record {
-	opt_str: string;
-	file_name: string;
-};
-
-function separate_option_str(file_name: string): separate_option_str_result
-	{
-	local ret: separate_option_str_result;
-	if ( file_name == /-[[:alpha:]]+( .*)?/ )
-		{
-		local parts = split_all(file_name, /-[[:alpha:]]+[ ]*/);
-		ret$opt_str = string_cat(parts[1], parts[2]);
-		parts[1] = ""; parts[2] = "";
-		ret$file_name = cat_string_array(parts);
-		return ret;
-		}
-	else
-		return [$opt_str = "", $file_name = file_name];
-	}
-
-
-# Anonymize a user id
-type login_status_type: enum {
-	LOGIN_PENDING,
-	LOGIN_SUCCESSFUL,
-	LOGIN_FAILED,
-	LOGIN_UNKNOWN,
-};
-
-function anonymize_user_id(session: ftp_session_info, id: string, login_status: login_status_type, msg: string): string
-	{
-	if ( id in ftp_guest_ids )
-		{
-		leave_in_the_clear("guest_id", session, id, msg);
-		return id;
-		}
-
-	else if ( id in ftp_sensitive_ids && login_status == LOGIN_FAILED )
-		{
-		leave_in_the_clear("sensitive_id", session, id, msg);
-		return id;
-		}
-
-	else
-		return anonymize_arg("user_name", session, "USER", id, cat(session$connection_id$resp_h, login_status));
-	}
-
-# Anonymize a file name argument.
-function anonymize_file_name_arg(session: ftp_session_info, cmd: string, arg: string, valid_file_name: bool): string
-	{
-	local file_name = arg;
-	local opt_str = "";
-	if ( cmd == /LIST|NLST/ )
-		{
-		# Separate the option from file name if there is one
-
-		local ret = separate_option_str(file_name);
-		if ( ret$opt_str != "" )
-			{
-			opt_str = ret$opt_str;
-
-			# Shall we anonymize the option string?
-			if ( opt_str != ftp_known_option )
-				{
-				# Anonymize the option conservatively
-				print ftp_anon_log, fmt("option_anonymized: \"%s\" from (%s %s)",
-					to_string_literal(opt_str), cmd, file_name);
-				opt_str = "-<option>";
-				}
-			else
-				# Leave in the clear
-				print ftp_anon_log, fmt("option_left_in_the_clear: \"%s\" from (%s %s)",
-					to_string_literal(opt_str), cmd, file_name);
-
-			file_name = ret$file_name;
-			}
-		}
-
-	if ( file_name == "" )
-		return opt_str;
-
-	if ( file_name != ftp_file_name_pat )
-		{
-		# Log special file names (e.g. those containing
-		# control characters) for manual inspection -- such
-		# file names are rare and may present problems in
-		# reply anonymization.
-
-		print ftp_anon_log, fmt("unrecognized_file_name: \"%s\" (%s) [%s]",
-			to_string_literal(file_name), cmd, id_string(session$connection_id));
-		}
-
-
-	if ( strstr(file_name, " ") > 0 )
-		{
-		# Log file names that contain spaces (for debugging only)
-
-		print ftp_anon_log, fmt("space_in_file_name: \"%s\" (%s) [%s]",
-			to_string_literal(file_name), cmd, id_string(session$connection_id));
-		}
-
-	# Compute the absolute and clean (without '..' and duplicate
-	# '/') path
-	local abs_path = absolute_path(session, file_name);
-	local resp_h = session$connection_id$resp_h;
-	local known_public_file =
-		[resp_h, abs_path] in ftp_known_public_files ||
-		[resp_h, abs_path] in ftp_valid_public_files;
-
-	if ( file_name == ftp_public_files || abs_path == ftp_public_files )
-		{
-		leave_in_the_clear("public_path_name", session,
-			arg, fmt("(%s %s) %s", cmd, file_name, abs_path));
-		}
-
-	else if ( resp_h in ftp_public_servers &&
-		  (abs_path != ftp_hidden_file ||
-		   abs_path == ftp_public_hidden_file) &&
-		  (ftp_keep_all_files_for_public_servers || valid_file_name ||
-		   known_public_file) )
-		{
-		if ( valid_file_name && ! known_public_file )
-			{
-			add ftp_valid_public_files[resp_h, abs_path];
-			print ftp_anon_log,
-				fmt("valid_public_file: [%s, \"%s\"]",
-					resp_h, to_string_literal(abs_path));
-			}
-
-		leave_in_the_clear("file_on_public_server", session, arg,
-			fmt("%s %s:%s", cmd, session$connection_id$resp_h, abs_path));
-		}
-	else
-		{
-		local anon_type: string;
-
-		if ( file_name == ftp_sensitive_files ||
-		     abs_path == ftp_sensitive_files )
-			anon_type = "sensitive_path_name";
-
-		else if ( abs_path == ftp_hidden_file )
-			anon_type = "hidden_path_name";
-
-		else if ( resp_h in ftp_public_servers )
-			anon_type = "invalid_public_file";
-
-		else
-			anon_type = "path_name";
-
-		file_name = anonymize_arg(anon_type, session, cmd, abs_path, cat("file:", session$connection_id$resp_h));
-		}
-
-	# concatenate the option string with the file_name
-	return string_cat(opt_str, file_name);
-	}
-
-
-# The argument is presumably privacy-safe, but we should not assume
-# that it is the case. Instead, we check if the argument is legal and
-# thus privacy-free.
-function check_safe_arg(session: ftp_session_info, cmd: string,
-			arg: string): string
-	{
-	if ( cmd == "HELP" )
-		return ( arg in ftp_help_words ) ?
-				leave_in_the_clear("known_help_word", session,
-					arg,
-					fmt("%s %s", cmd, arg))
-				: anonymize_arg("unknown_help_string", session, cmd, arg, cmd);
-
-	else
-		# Note that we have already checked the (cmd, arg)
-		# against ftp_safe_cmd_arg_pattern. So the argument
-		# here must have an unrecognized pattern and should be
-		# anonymized.
-		return anonymize_arg("illegal_argument", session, cmd, arg, cmd);
-	}
-
-function check_site_arg(session: ftp_session_info, cmd: string,
-			arg: string): string
-	{
-	local site_cmd_arg = split1(arg, /[ \t]*/);
-
-	local site_cmd = site_cmd_arg[1];
-	local site_cmd_upper = to_upper(site_cmd);
-
-	if ( site_cmd_upper in ftp_known_site_cmd )
-		{
-		if ( length(site_cmd_arg) > 1 )
-			{
-			# If the there is an argument after "SITE <cmd>"
-			local site_arg = site_cmd_arg[2];
-			site_arg =
-				anonymize_arg(fmt("arg_of_site_%s", site_cmd),
-						session, cmd, site_arg, cmd);
-			return string_cat(site_cmd, " ", site_arg);
-			}
-		else
-			{
-			return leave_in_the_clear("known_site_command", session,
-						site_cmd,
-						fmt("%s %s", cmd, arg));
-			}
-		}
-	else
-		return anonymize_arg("site_arg", session, cmd, arg, cmd);
-	}
-
-function anonymize_port_arg(session: ftp_session_info, cmd: string,
-				arg: string): string
-	{
-	local data = parse_ftp_port(arg);
-
-	if ( data$valid )
-		{
-		local a: addr;
-		# Anonymize the address part
-		a = anonymize_address(data$h, session$connection_id);
-		return fmt_ftp_port(a, data$p);
-		}
-	else
-		return anonymize_arg("unrecognized_ftp_port", session, cmd, arg, "");
-	}
-
-# EPRT is an extension to the PORT command
-function anonymize_eprt_arg(session: ftp_session_info, cmd: string,
-				arg: string): string
-	{
-	if ( arg != ftp_eprt_pat )
-		return anonymize_arg("unrecognized_EPRT_arg", session, cmd, arg, "");
-
-	local parts = split(arg, /\|/);
-	# Anonymize the address part
-	local a = parse_dotted_addr(parts[3]);
-	a = anonymize_address(a, session$connection_id);
-	return fmt("|%s|%s|%s|", parts[2], a, parts[4]);
-	}
-
-# Anonymize arguments of commands that we do not understand
-function anonymize_other_arg(session: ftp_session_info, cmd: string, arg: string): string
-	{
-	local anon: string;
-
-	# Try to guess what the arg is
-
-	local data = parse_ftp_port(arg);
-	if ( arg == ftp_port_pat && data$valid )
-		# Here we do not check whether data$h == session$connection_id$orig_h
-		# because sometimes it's not the case, but we will try to anonymize it anyway.
-		{
-		anon = anonymize_port_arg(session, cmd, arg);
-		print ftp_anon_log, fmt("anonymize_arg: (%s) {} %s \"%s\" to \"%s\" in [%s]",
-					"port arg of non-port command",
-					cmd, arg, anon, id_string(session$connection_id));
-		}
-
-	else if ( arg == ftp_ip_pat )
-		{
-		local a = parse_dotted_addr(arg);
-		a = anonymize_address(a, session$connection_id);
-		anon = cat(a);
-		}
-
-	else if ( arg == ftp_domain_name_pat )
-		{
-		anon = "<domain name>";
-		}
-
-	else if ( arg == "." )
-		{
-		anon = arg;
-		leave_in_the_clear(".", session, arg, fmt("%s %s", cmd, arg));
-		}
-
-	else
-		# Anonymize by default.
-		anon = anonymize_arg("cannot_understand_arg",
-					session, cmd, arg, cmd);
-
-	return anon;
-	}
-
-# Anonymize the command and argument, and put the results in
-# cmd_arg$anonymized_{cmd, arg}
-function anonymize_ftp_cmd_arg(session: ftp_session_info,
-				cmd_arg: ftp_cmd_arg)
-	{
-	local cmd = cmd_arg$cmd;
-	local arg = cmd_arg$arg;
-	local anon : string;
-
-	cmd_arg$anonymized_cmd = cmd;
-
-	local ret: ftp_cmd_arg_anon_result;
-
-	if ( trace_specific_cmd_arg_anonymization )
-		ret = anonymize_trace_specific_cmd_arg(session, cmd, arg);
-	else
-		ret$anonymized = F;
-
-	if ( ret$anonymized )
-		{
-		# If the trace-specific anonymization applies to the cmd_arg
-			print ftp_anon_log, fmt("anonymize_arg: (%s) \"%s %s\" to \"%s %s\" in [%s]",
-				"trace-specific",
-				cmd, to_string_literal(arg),
-				ret$cmd, to_string_literal(ret$arg),
-				id_string(session$connection_id));
-		cmd_arg$anonymized_cmd = ret$cmd;
-		anon = ret$arg;
-		}
-
-	else if ( [cmd, arg] in ftp_special_cmd_args )
-		{
-		anon = ftp_special_cmd_args[cmd, arg];
-		print ftp_anon_log, fmt("anonymize_arg: (%s) [%s] \"%s\" to \"%s\" in [%s]",
-					"special_arg_transformation",
-					cmd,
-					to_string_literal(arg),
-					to_string_literal(anon),
-					id_string(session$connection_id));
-		}
-
-	else if ( to_upper(string_cat(cmd, " ", arg)) == ftp_safe_cmd_arg_pattern ||
-		  [cmd, arg] in ftp_safe_arg_list )
-		{
-		leave_in_the_clear("safe_arg", session, arg, fmt("%s %s", cmd, arg));
-		anon = arg;
-		}
-
-	else if ( cmd == "USER" || cmd == "ACCT" )
-		anon = (arg in ftp_guest_ids) ?
-			arg : anonymize_user_id(session, arg, LOGIN_PENDING, "");
-
-	else if ( cmd == "PASS" )
-		anon = "<password>";
-
-	else if ( cmd in ftp_cmds_with_no_arg )
-		anon = (arg == "") ?
-			"" :
-			anonymize_arg("should_have_been_empty",
-					session, cmd, arg, cmd);
-
-	else if ( cmd in ftp_cmds_with_file_arg )
-		{
-		if ( session$user in ftp_guest_ids )
-			anon = ( arg == "" ) ? "" : anonymize_file_name_arg(session, cmd, arg, F);
-		else
-			anon = "<path>";
-		}
-
-	else if ( cmd in ftp_cmds_with_safe_arg )
-		anon = check_safe_arg(session, cmd, arg);
-
-	else if ( cmd == "SITE" )
-		anon = check_site_arg(session, cmd, arg);
-
-	else if ( cmd == "PORT" )
-		anon = anonymize_port_arg(session, cmd, arg);
-
-	else if ( cmd == "EPRT" )
-		anon = anonymize_eprt_arg(session, cmd, arg);
-
-	else if ( cmd == "AUTH" )
-		anon = anonymize_arg("rejected_auth_arg", session, cmd, arg, cmd);
-
-	else
-		{
-		if ( cmd == /<.*>/ )
-			cmd_arg$anonymized_cmd = "";
-
-		else if ( cmd !in ftp_other_cmds )
-			{
-			local a = anonymize_string(string_cat("cmd:", cmd));
-			print ftp_anon_log, fmt("anonymize_cmd: (%s) \"%s\" [%s] to \"%s\" in [%s]",
-				"unrecognized command", to_string_literal(cmd),
-				to_string_literal(arg), a,
-				id_string(session$connection_id));
-			cmd_arg$anonymized_cmd = a;
-			}
-
-		anon = anonymize_other_arg(session, cmd, arg);
-		}
-
-	if ( cmd == "USER" )
-		session$anonymized_user = anon;
-
-	cmd_arg$anonymized_arg = anon;
-	}
-
-
-# We delay anonymization of certain requests till we see the reply:
-# when the argument of a USER command is a sensitive user ID, we
-# anonymize the ID if the login is successful and leave the ID in the
-# clear otherwise.
-#
-# The function returns T if the decision should be delayed.
-
-function delay_rewriting_request(session: ftp_session_info, cmd: string,
-				 arg: string): bool
-	{
-	return (cmd == "USER" && arg !in ftp_guest_ids) ||
-		(cmd == "AUTH") ||
-		(cmd in ftp_cmds_with_file_arg &&
-		 session$connection_id$resp_h in ftp_public_servers);
-	}
-
-function ftp_request_rewrite(c: connection, session: ftp_session_info,
-				cmd_arg: ftp_cmd_arg): bool
-	{
-	local cmd = cmd_arg$cmd;
-	local arg = cmd_arg$arg;
-
-	if ( delay_rewriting_request(session, cmd, arg) )
-		{
-		cmd_arg$rewrite_slot = reserve_rewrite_slot(c);
-		session$delayed_request_rewrite[cmd_arg$seq] = cmd_arg;
-		return F;
-		}
-	else
-		{
-		anonymize_ftp_cmd_arg(session, cmd_arg);
-		rewrite_ftp_request(c, cmd_arg$anonymized_cmd,
-					cmd_arg$anonymized_arg);
-		return T;
-		}
-	}
-
-function do_rewrite_delayed_ftp_request(c: connection, delayed: ftp_cmd_arg)
-	{
-	seek_rewrite_slot(c, delayed$rewrite_slot);
-
-	rewrite_ftp_request(c, delayed$cmd == /<.*>/ ? "" : delayed$cmd,
-				delayed$anonymized_arg);
-	release_rewrite_slot(c, delayed$rewrite_slot);
-
-	delayed$rewrite_slot = 0;
-	}
-
-function delayed_ftp_request_rewrite(c: connection, session: ftp_session_info,
-					delayed: ftp_cmd_arg,
-					current: ftp_cmd_arg,
-					reply_code: count)
-	{
-	local cmd = delayed$cmd;
-	local arg = delayed$arg;
-
-	if ( cmd == "USER" )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		local login_status: login_status_type;
-
-		if ( reply_code == 0 )
-			login_status = LOGIN_UNKNOWN;
-
-		else if ( delayed$seq == current$seq ||
-		     current$cmd == "PASS" ||
-		     current$cmd == "ACCT" )
-				{
-			if ( reply_code >= 330 && reply_code < 340 ) # need PASS/ACCT
-				login_status = LOGIN_PENDING; # wait to see outcome of PASS
-
-			else if ( reply_code >= 400 && reply_code < 600 )
-					login_status = LOGIN_FAILED;
-
-			else if ( reply_code >= 230 && reply_code < 240 )
-				login_status = LOGIN_SUCCESSFUL;
-
-			else
-				login_status = LOGIN_UNKNOWN;
-			}
-
-		else if ( current$cmd == "USER" ) # another login attempt
-			login_status = LOGIN_FAILED;
-
-		else if ( reply_code == 230 )
-			login_status = LOGIN_SUCCESSFUL;
-
-		else if ( reply_code == 530 )
-			login_status = LOGIN_FAILED;
-
-		else
-			login_status = LOGIN_UNKNOWN;
-
-		if ( login_status != LOGIN_PENDING )
-			{
-			delayed$anonymized_arg =
-				anonymize_user_id(session, arg, login_status,
-					fmt("(%s %s) %s %s -> %d", cmd, arg, current$cmd, current$arg, reply_code));
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-		}
-
-	else if ( cmd == "AUTH" )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		if ( reply_code >= 500 && reply_code < 600 )
-			# if AUTH fails
-			{
-			anonymize_ftp_cmd_arg(session, delayed);
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-
-		else if ( reply_code >= 300 && reply_code < 400 )
-			;
-		else 	# otherwise always anonymize the argument
-			{
-			delayed$anonymized_arg = "<auth_mechanism>";
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-		}
-
-	else if ( cmd in ftp_cmds_with_file_arg && session$connection_id$resp_h in ftp_public_servers )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		# The argument represents a valid file name on a
-		# public server only if the operation is successful.
-		delayed$anonymized_arg =
-			anonymize_file_name_arg(session, cmd, arg,
-				(cmd != "LIST" && cmd != "NLST" &&
-				 reply_code >= 100 && reply_code < 300));
-		do_rewrite_delayed_ftp_request(c, delayed);
-		}
-
-	else
-		{
-		print ftp_anon_log, "ERROR! unrecognizable delayed ftp request rewrite";
-
-		anonymize_ftp_cmd_arg(session, delayed);
-		do_rewrite_delayed_ftp_request(c, delayed);
-		}
-	}
-
-function process_delayed_rewrites(c: connection, session: ftp_session_info, reply_code: count, cmd_arg: ftp_cmd_arg)
-	{
-	local written: table[count] of ftp_cmd_arg;
-
-	for ( s in session$delayed_request_rewrite )
-		{
-		local ca = session$delayed_request_rewrite[s];
-		delayed_ftp_request_rewrite(c, session, ca, cmd_arg,
-					reply_code);
-
-		if ( ca$rewrite_slot == 0 )
-			written[ca$seq] = ca;
-		}
-
-	for ( s in written )
-		delete session$delayed_request_rewrite[s];
-	}
-
-function ftp_reply_rewrite(c: connection, session: ftp_session_info,
-				code: count, msg: string, cont_resp: bool,
-				cmd_arg: ftp_cmd_arg)
-	{
-	local actual_code = session$reply_code;
-	local xyz = parse_ftp_reply_code(actual_code);
-
-	process_delayed_rewrites(c, session, actual_code, cmd_arg);
-
-	if ( process_ftp_reply_by_message_pattern )
-		{
-		# See *ftp-reply-pattern.bro* for reply anonymization
-		local anon_msg = anonymize_ftp_reply_by_msg_pattern(actual_code, msg,
-					cmd_arg, session);
-		rewrite_ftp_reply(c, code, anon_msg, cont_resp);
-		}
-	else
-		rewrite_ftp_reply(c, code, "<ftp reply message stripped out>", cont_resp);
-	}
-
-
-const eliminate_scans = F &redef;
-const port_scanners: set[addr] &redef;
-global eliminate_scan_for_host: table[addr] of bool;
-
-function eliminate_scan(id: conn_id): bool
-	{
-	local h = id$resp_h;
-
-	if ( h !in eliminate_scan_for_host )
-		{
-		# if the hash string starts with [0-7], i.e. with probability of 50%
-		eliminate_scan_for_host[h] = (/^[0-7]/ in md5_hmac(h));
-		if ( eliminate_scan_for_host[h] )
-			print ftp_anon_log, fmt("eliminate_scans_for_host %s", h);
-		}
-
-	return eliminate_scan_for_host[h];
-	}
-
-redef call_ftp_connection_remove = T;
-
-function ftp_connection_remove(c: connection)
-	{
-	if ( c$id in ftp_sessions )
-		{
-		local session = ftp_sessions[c$id];
-		process_delayed_rewrites(c, session, 0, find_ftp_pending_cmd(session$pending_requests, 0, ""));
-		}
-
-	if ( eliminate_scans && ! requires_trace_commitment )
-		print ftp_anon_log,
-			fmt("ERROR: requires_trace_commitment must be set to true in order to allow scan elimination");
-
-	if ( requires_trace_commitment )
-		{
-		local id = c$id;
-		local eliminate = F;
-
-		if ( eliminate_scans &&
-		     # To check if the connection is part of a port scan
-		     (id !in ftp_sessions ||
-		      ftp_sessions[id]$num_requests == 0 ||
-		      id$orig_h in port_scanners) &&
-		     eliminate_scan(id) )
-			rewrite_commit_trace(c, F, T);
-		else
-			rewrite_commit_trace(c, T, T);
-		}
-	}
diff --git a/policy/ftp-cmd-arg.bro b/policy/ftp-cmd-arg.bro
deleted file mode 100644
index 5bb7d269c8..0000000000
--- a/policy/ftp-cmd-arg.bro
+++ /dev/null
@@ -1,188 +0,0 @@
-# $Id: ftp-cmd-arg.bro 416 2004-09-17 03:52:28Z vern $
-
-# For debugging purpose only
-# global ftp_cmd_reply_log = open_log_file("ftp-cmd-arg") &redef;
-
-const ftp_cmd_reply_code: set[string, count] = {
-	# According to RFC 959
-	["<init>", [120, 220, 421]],
-	["USER", [230, 530, 500, 501, 421, 331, 332]],
-	["PASS", [230, 202, 530, 500, 501, 503, 421, 332]],
-	["ACCT", [230, 202, 530, 500, 501, 503, 421]],
-	["CWD", [250, 500, 501, 502, 421, 530, 550]],
-	["CDUP", [200, 500, 501, 502, 421, 530, 550]],
-	["SMNT", [202, 250, 500, 501, 502, 421, 530, 550]],
-	["REIN", [120, 220, 421, 500, 502]],
-	["QUIT", [221, 500]],
-	["PORT", [200, 500, 501, 421, 530]],
-	["PASV", [227, 500, 501, 502, 421, 530]],
-	["MODE", [200, 500, 501, 504, 421, 530]],
-	["TYPE", [200, 500, 501, 504, 421, 530]],
-	["STRU", [200, 500, 501, 504, 421, 530]],
-	["ALLO", [200, 202, 500, 501, 504, 421, 530]],
-	["REST", [500, 501, 502, 421, 530, 350]],
-	["STOR", [125, 150, 110, 226, 250, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 421, 530]],
-	["STOU", [125, 150, 110, 226, 250, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 421, 530]],
-	["RETR", [125, 150, 110, 226, 250, 425, 426, 451, 450, 550, 500, 501, 421, 530]],
-	["LIST", [125, 150, 226, 250, 425, 426, 451, 450, 500, 501, 502, 421, 530]],
-	["NLST", [125, 150, 226, 250, 425, 426, 451, 450, 500, 501, 502, 421, 530]],
-	["APPE", [125, 150, 226, 250, 425, 426, 451, 551, 552, 532, 450, 550, 452, 553, 500, 501, 502, 421, 530]],
-	["RNFR", [450, 550, 500, 501, 502, 421, 530, 350]],
-	["RNTO", [250, 532, 553, 500, 501, 502, 503, 421, 530]],
-	["DELE", [250, 450, 550, 500, 501, 502, 421, 530]],
-	["RMD", [250, 500, 501, 502, 421, 530, 550]],
-	["MKD", [257, 500, 501, 502, 421, 530, 550]],
-	["PWD", [257, 500, 501, 502, 421, 550]],
-	["ABOR", [225, 226, 500, 501, 502, 421]],
-	["SYST", [215, 500, 501, 502, 421]],
-	["STAT", [211, 212, 213, 450, 500, 501, 502, 421, 530]],
-	["HELP", [211, 214, 500, 501, 502, 421]],
-	["SITE", [200, 202, 500, 501, 530]],
-	["NOOP", [200, 500, 421]],
-
-	# Extensions
-
-#	["SIZE", [213, 550]],
-#	["SITE", 214],
-#	["MDTM", 213],
-#	["EPSV", 500],
-#	["FEAT", 500],
-#	["OPTS", 500],
-
-#	["CDUP", 250],
-#	["CLNT", 200],
-#	["CLNT", 500],
-#	["EPRT", 500],
-
-#	["FEAT", 211],
-#	["HELP", 200],
-#	["LIST", 550],
-#	["LPRT", 500],
-#	["MACB", 500],
-#	["MDTM", 212],
-#	["MDTM", 500],
-#	["MDTM", 501],
-#	["MDTM", 550],
-#	["MLST", 500],
-#	["MLST", 550],
-#	["MODE", 502],
-#	["NLST", 550],
-#	["OPTS", 501],
-#	["REST", 200],
-#	["SITE", 502],
-#	["SIZE", 500],
-#	["STOR", 550],
-#	["SYST", 530],
-
-	["<init>", 0], # unexpected command-reply pair
-	["<missing>", 0], # unexpected command-reply pair
-	["QUIT", 0], # unexpected command-reply pair
-} &redef;
-
-global ftp_unexpected_cmd_reply: set[string];
-
-type ftp_cmd_arg: record {
-	cmd: string;
-	arg: string;
-	anonymized_cmd: string;
-	anonymized_arg: string;	# anonymized arg
-	seq: count;		# seq number
-	rewrite_slot: count;
-};
-
-type ftp_pending_cmds: record {
-	seq: count;
-	cmds: table[count] of ftp_cmd_arg;
-};
-
-function init_ftp_pending_cmds(): ftp_pending_cmds
-	{
-	local cmds: table[count] of ftp_cmd_arg;
-	return [$seq = 1, $cmds = cmds];
-	}
-
-function ftp_cmd_pending(s: ftp_pending_cmds): bool
-	{
-	return length(s$cmds) > 0;
-	}
-
-function add_to_ftp_pending_cmds(s: ftp_pending_cmds, cmd: string, arg: string)
-	: ftp_cmd_arg
-	{
-	local ca = [$cmd = cmd, $arg = arg, $anonymized_cmd = "<TBD!>",
-			$anonymized_arg = "<TBD!>", $seq = s$seq,
-			$rewrite_slot = 0];
-
-	s$cmds[s$seq] = ca;
-	++s$seq;
-
-	return ca;
-	}
-
-function find_ftp_pending_cmd(s: ftp_pending_cmds, reply_code: count, reply_msg: string): ftp_cmd_arg
-	{
-	if ( length(s$cmds) == 0 )
-		{
-		return [$cmd = "<unknown>", $arg = "",
-			$anonymized_cmd = "<TBD!>", $anonymized_arg = "<TBD!>",
-			$seq = 0, $rewrite_slot = 0];
-		}
-
-	local best_match: ftp_cmd_arg;
-	local best_score: int = -1;
-
-	for ( seq in s$cmds )
-		{
-		local ca = s$cmds[seq];
-		local score: int = 0;
-		# if the command is compatible with the reply code
-		# code 500 (syntax error) is compatible with all commands
-		if ( reply_code == 500 || [ca$cmd, reply_code] in ftp_cmd_reply_code )
-			score = score + 100;
-		# if the command or the command arg appears in the reply message
-		if ( strstr(reply_msg, ca$cmd) > 0 )
-			score = score + 20;
-		if ( strstr(reply_msg, ca$cmd) > 0 )
-			score = score + 10;
-		if ( score > best_score ||
-		     ( score == best_score && ca$seq < best_match$seq ) ) # break tie with sequence number
-			{
-			best_score = score;
-			best_match = ca;
-			}
-		}
-
-	if ( [best_match$cmd, reply_code] !in ftp_cmd_reply_code )
-		{
-		local annotation = "";
-		if ( length(s$cmds) == 1 )
-			annotation = "for sure";
-		else
-			{
-			for ( i in s$cmds )
-				annotation = cat(annotation, " ", s$cmds[i]$cmd);
-			annotation = cat("candidates:", annotation);
-			}
-		# add ftp_unexpected_cmd_reply[fmt("[\"%s\", %d], # %s",
-		#	best_match$cmd, reply_code, annotation)];
-		}
-
-	return best_match;
-	}
-
-function pop_from_ftp_pending_cmd(s: ftp_pending_cmds, ca: ftp_cmd_arg): bool
-	{
-	if ( ca$seq in s$cmds )
-		{
-		delete s$cmds[ca$seq];
-		return T;
-		}
-	else
-		return F;
-	}
-
-event bro_done()
-	{
-	# for ( cmd_reply in ftp_unexpected_cmd_reply )
-	# 	print ftp_cmd_reply_log, fmt("        %s", cmd_reply);
-	}
diff --git a/policy/ftp-reply-pattern.bro b/policy/ftp-reply-pattern.bro
deleted file mode 100644
index 59c507978e..0000000000
--- a/policy/ftp-reply-pattern.bro
+++ /dev/null
@@ -1,1317 +0,0 @@
-# $Id: ftp-reply-pattern.bro 6 2004-04-30 00:31:26Z jason $
-
-@load ftp-anonymizer
-
-redef process_ftp_reply_by_message_pattern = T;
-
-
-# A line of reply message is split into fields with the following
-# regular expression.  The regular expression defines the pattern of
-# field separators. Basically a field separator is blank space
-# enclosed by optional punctuations.
-
-const ftp_msg_field_separator =
-	  /@@BOL@@ [[:space:][:punct:]]*( @@EOL@@)?/
-	| /[[:space:][:punct:]]+/
-	| /[[:space:][:punct:]]* @@EOL@@/
-	;
-
-# Type *msg_format_info* defines a message format extracted from
-# messages.
-
-type msg_format_info: record {
-	parts: string_array;
-	code: count;
-	msg: string;		# one of the original messages
-	hit: count;		# number of messages that match the pattern
-};
-
-type msg_format_group: table[string] of msg_format_info;
-global msg_format_groups: table[string] of msg_format_group;
-
-
-# A pattern string (derived from one or more message formats) contains
-# fields enclosed by '|': e.g.
-#
-#  "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@"
-#
-# Thus we the field separator can be defined by the following pattern:
-# everything up to the first '|', after the last '|', or between two
-# adjacent '|'s in the middle.
-
-const ftp_pattern_field_separator =
-	  /@@BOL@@ @@EOL@@/
-	| /@@BOL@@ [^|]*\|/
-	| /\|[^|]+\|/
-	| /\|[^|]* @@EOL@@/
-	;
-
-# A message pattern is very similar to a message format, except that
-# the former is for message pattern matching and thus is used in a
-# different phase than a message format, which is used in pattern
-# extraction.
-
-type msg_pattern_info: record {
-	code: count;
-	str: string;
-	num_parts: count;
-	parts: string_array;
-	sep: string_array;
-	tok: string_array;
-	hit: count;
-};
-
-type msg_pattern_group: table[string] of msg_pattern_info;
-global msg_pattern_groups: table[string] of msg_pattern_group;
-
-
-# Here starts patterns of individual fields (numbers, ip address, domain
-# name, etc.) in the reply message:
-
-# Numbers (including float numbers and negative numbers)
-const ftp_number_pat = /[\-]?[0-9]+(\.[0-9]+)?/;
-
-# English words (including 's and 't)
-# const ftp_word_pat =
-	/[[:alpha:]]*('m|'re|[[:alpha:]]'s|s'|n't|'d|'ve|'ll)|[[:alpha:]]+/
-	;
-
-# File modes in ls -l (seen in replies for STAT)
-const ftp_file_mode_pat = /[ld\-]([r-][w-][xs-]){3}/;
-
-# FTP server version string
-const ftp_server_version_pat = /[a-zA-Z0-9]+([\.\-_][a-zA-Z0-9]+)+/ &redef;
-
-# FTP path name
-#
-# As it is not clear how to define a pattern for path names, it is
-# defined in two aspects: first, we define a pattern for strings that
-# are path names *almost for sure*:
-
-const ftp_path_pat = /\/.+\/.*/
-	| /README/
-	| /.*\.(gz|tar|Z|ps|pdf)/ 	# TODO: add other extensions
-	| /[A-Z]:[\\\/].*/ 		# a path name almost for sure
-	;
-
-# Second, we define a pattern for strings that can possibly be a path name:
-# const ftp_file_name_pat = /[[:print:]]+/;
-#
-# Together, we assume that
-# Set(ftp_path_pat) <= Set(path names) <= Set(ftp_file_name_pat)
-
-# DOS file names
-const ftp_dos_path_pat = /[A-Z]:[\\\/].*/;
-
-
-# Finally, a table of message field patterns
-const ftp_msg_part_patterns = {
-	["~ num"] = ftp_number_pat,
-	["~ port"] = ftp_port_pat,
-	["~ ip"] = ftp_ip_pat,
-	["~ domain"] = ftp_domain_name_pat,
-	["~ file_mode"] = ftp_file_mode_pat,
-	["~ time"] = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/,
-	["~ day"] = /Mon|Tue|Wed|Thu|Fri|Sat|Sun/,
-	["~ month"] = /Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec/,
-	["~ ip,port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3},[0-9]+/,
-	["~ ip:port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+/,
-	["~ email"] = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/,
-	["~ path"] = ftp_path_pat,
-	["~ url"] = /http:\/\/.+/,
-} &redef;
-
-
-# One critical issue in understanding an FTP reply message is to
-# recognize the request arguments in messages. The argument of an FTP
-# request may appear in various forms in the reply message,
-# e.g. argument "/abc//def/" may appear as "/abc/def/" (eliminate
-# duplicat /), "/abc/def" (w/o last /), or even "def" (base file name
-# only).
-
-# Type *ftp_arg_variant* defines the set of variants of an argument,
-# and function *expand_ftp_arg_variants* expands an argument to
-# its variants.
-
-type ftp_arg_variants: record {
-	arg: string;		# the argument
-	path: string;		# after eliminating options
-	norm_path: string;	# normalized path, after eliminating dup slashes
-	abs_path: string;	# the absolute path
-	base_path: string;	# the base file name only, without the directory part
-};
-
-
-# Trace-specific anonymization of replies
-# 1. Whether function anonymize_trace_specific_reply is defined:
-const trace_specific_reply_anonymization = F &redef;
-
-# 2. Result of message anonymization
-type ftp_reply_anon_result: record {
-	anonymized: bool;
-	msg: string;
-};
-
-# 3. The trace-specific function (to be defined externally)
-global anonymize_trace_specific_reply:
-	function(session: ftp_session_info, code: count, msg: string,
-		cmd_arg: ftp_cmd_arg,
-		arg_var: ftp_arg_variants): ftp_reply_anon_result;
-
-
-# Other global states:
-
-# Reply messages that are entirely stripped out (e.g. server banner message)
-global msg_stripped_out: set[string];
-
-# Remember wildcard matches to suppress the number of outputs
-global all_wildcard_matches: set[string, string];
-
-
-# PART I. Message pattern extraction
-
-function init_msg_format_info(parts: string_array, code: count, msg: string, level: count): msg_format_info
-	{
-	return [$parts = parts,
-		$code = code,
-		$msg = msg,
-		$hit = 0];
-	}
-
-
-# Whether the pattern defined by *parts* is a sub-pattern of
-# *fmt_parts*.
-
-function match_msg_format(fmt_parts: string_array, parts: string_array): bool
-	{
-	if ( length(fmt_parts) != length(parts) )
-		return F;
-
-	for ( i in fmt_parts )
-		{
-		if ( i % 2 == 1 )
-			{
-			local t1 = fmt_parts[i];
-			local t2 = parts[i];
-
-			if ( t1 == t2 || t1 == "~ *" ||
-			     (t1 == "~ path" &&
-			      (t2 == ftp_file_name_pat || t2 == "~ num")) )
-				; # t2 matches t1
-			else
-				return F;
-			}
-		}
-
-	return T;
-	}
-
-
-# Abstract msg_parts[k]. The whole msg_parts is passed because the
-# function needs to look at the context to decide whether a pattern is
-# applicable (in the case of version pattern).
-
-function abstract_msg_part(msg_parts: string_array, k: count, other_pat: table[string] of string): string
-	{
-	local part = msg_parts[k];
-	local abs_part: string;
-
-	if ( part in other_pat )
-		abs_part = other_pat[part];
-	else if ( k > 2 &&
-		  msg_parts[int_to_count(k-2)] == /[Vv]er(sion)?|[Rr]elease|.*ftpd.*|Server|Process/ &&
-		  part == ftp_server_version_pat &&
-		  part != ftp_domain_name_pat )
-		abs_part = "~ version";
-	else if ( part == ftp_msg_part_patterns["~ path"] &&
-		  part == ftp_file_name_pat )
-		abs_part = "~ path";
-	else
-		{
-		local known_pattern = 0;
-
-		for ( pat_ty in ftp_msg_part_patterns )
-			if ( part == ftp_msg_part_patterns[pat_ty] )
-				{
-				++known_pattern;
-				abs_part = pat_ty;
-				}
-		if ( known_pattern > 1 )
-			print ftp_anon_log,
-			    fmt("ERROR: ambiguous ftp msg part pattern: %s", part);
-		if ( known_pattern != 1 )
-			abs_part = part;
-		}
-
-	return abs_part;
-	}
-
-
-# Transform a message format to a pattern string.
-
-function fmt_parts_to_string(parts: string_array): string
-	{
-	local p: string_array;
-	local num_parts = length(parts);
-	for ( i in parts )
-		{
-		local s = parts[i];
-
-		if ( i == 1 || i == num_parts )
-			p[i] = "";
-		else if ( i % 2 == 1 )
-			p[i] = string_cat("|", to_lower(s), "|");
-		else
-			p[i] = " ";
-		}
-	return string_cat("@@BOL@@", cat_string_array(p), "@@EOL@@");
-	}
-
-
-# Extract the format of a message, if it does not match any known
-# format. The message is already splitted into *msg_parts*, and the
-# *act_msg* is only used for logging and debugging. Parameter
-# *other_pat* defines an instance-specific mapping from strings to
-# field types (e.g. "~ cmd", "~ arg"). For example, when "/fileA" is
-# the argument of the corresponding FTP requests, other_pat["/fileA"]
-# = "~ arg".
-
-function extract_ftp_reply_pattern(code: count, act_msg: string, msg_parts: string_array,
-			other_pat: table[string] of string,
-			session: ftp_session_info): bool
-	{
-	local num_parts = length(msg_parts);
-
-	# Abstract each part of the message.
-	local abs_parts: string_array;
-	for ( i in msg_parts )
-		{
-		if ( i % 2 == 1 )
-			abs_parts[i] = abstract_msg_part(msg_parts, i, other_pat);
-		else
-			abs_parts[i] = msg_parts[i];
-		}
-
-	# Derive the abstract message format
-	local abs_msg = fmt_parts_to_string(abs_parts);
-
-	# Locate the corresponding format group
-	local ind = fmt("%3d %3d", code, num_parts);
-	local fmt_group: msg_format_group;
-
-	if ( ind in msg_format_groups )
-		fmt_group = msg_format_groups[ind];
-	else
-		msg_format_groups[ind] = fmt_group;
-
-	# Check existing message formats
-	if ( abs_msg in fmt_group )
-		{
-		++fmt_group[abs_msg]$hit;
-		return F;
-		}
-
-	local the_fmt = init_msg_format_info(abs_parts, code,
-				fmt("%s: %s", id_string(session$connection_id), act_msg), 1);
-	the_fmt$hit = 1;
-
-	# Check whether it is a sub-format of a known format, or vice versa
-
-	# Whether the_fmt is a sub-format of another format
-	local sub_format = F;
-
-	# Which other formats are sub-formats of the_fmt
-	local sub_format_set: set[string];
-
-	for ( fm2 in fmt_group )
-		{
-		local f2 = fmt_group[fm2];
-		if ( match_msg_format(f2$parts, abs_parts) )
-			{
-			sub_format = T;	# abs_parts is a sub-format of f2
-			++f2$hit;
-			}
-		else if ( match_msg_format(abs_parts, f2$parts) )
-			add sub_format_set[fm2];
-		else
-			; # do nothing
-		}
-
-	# Do not add the format if it is a sub-format of another one.
-	if ( ! sub_format )
-		{
-		fmt_group[abs_msg] = the_fmt;
-
-		# remove sub-formats of this message
-		for ( fm3 in sub_format_set )
-			{
-			the_fmt$hit = the_fmt$hit + fmt_group[fm3]$hit;
-			delete fmt_group[fm3];
-			}
-		}
-
-	return T;
-	}
-
-function print_msg_format(the_log: file, ind: string, m: string, f: msg_format_info)
-	{
-	local lm = to_string_literal(m);
-	if ( lm != m )
-		print the_log, fmt("special_character_in_pattern: \"%s\"", lm);
-	local fm = fmt("%d %s", f$code, lm);
-	local pat_ind = fmt("%3d %3d", f$code, length(f$parts));
-
-	print the_log, fmt("reply_pattern: $%s$ \"%s\",  # \"%s\"",
-		ind, fm, f$msg);
-
-	if ( pat_ind in msg_pattern_groups && fm in msg_pattern_groups[pat_ind] )
-		print the_log, fmt("ERROR: pattern_already_exists: \"%s\"", fm);
-	}
-
-event bro_done()
-	{
-	for ( ind in msg_format_groups )
-		{
-		local fmt_group = msg_format_groups[ind];
-		for ( m2 in fmt_group )
-			print_msg_format(ftp_anon_log, ind, m2, fmt_group[m2]);
-		}
-	}
-
-
-# PART II. Read and parse patterns
-
-type msg_pattern_result: record {
-	valid: bool,
-	msg_pat: msg_pattern_info,
-};
-
-
-# Parse message pattern string <fm> -- put the separators in <sep> and
-# tokens in <tok>.
-
-function parse_msg_format(fm: string): msg_pattern_result
-	{
-	local msg_pat: msg_pattern_info;
-	local ret = [$valid = F, $msg_pat = msg_pat];
-
-	# Separate the reply code from the rest of the pattern string
-	local code_fmt = split1(fm, / /);
-	local sep: string_array;
-	local tok: string_array;
-
-	msg_pat$code = to_count(code_fmt[1]);
-	msg_pat$str = fm;
-	# print ftp_anon_log, fmt("msg_format: %d \"%s\"", msg_pat$code, msg_pat$str);
-	msg_pat$sep = sep;
-	msg_pat$tok = tok;
-	msg_pat$hit = 0;
-
-	# Split the pattern string with the pattern field separator
-	local parts = split_all(code_fmt[2], ftp_pattern_field_separator);
-	local num_parts = length(parts);
-	msg_pat$parts = parts;
-	msg_pat$num_parts = num_parts;
-
-	for ( i in parts )
-		{
-		local s = parts[i];
-		local j: count;
-		if ( i % 2 == 0 )
-			{
-			j = int_to_count(i / 2);
-			sep[j] = s;
-			}
-		else if ( i > 1 && i < num_parts )
-			{
-			j = int_to_count((i - 1) / 2);
-			tok[j] = s;
-			}
-		else
-			; # do nothing
-		}
-
-	ret$valid = T;
-	return ret;
-	}
-
-
-# Parse the pattern string and insert the pattern into
-# msg_pattern_groups.
-
-function process_predefined_msg_format(f: string): bool
-	{
-	local r: msg_pattern_result;
-	r = parse_msg_format(f);
-	if ( ! r$valid )
-		return F;
-	local msg_pat = r$msg_pat;
-
-	local pat_ind = fmt("%3d %3d", msg_pat$code, msg_pat$num_parts);
-
-	local pat_group: msg_pattern_group;
-	if ( pat_ind !in msg_pattern_groups )
-		msg_pattern_groups[pat_ind] = pat_group;
-	else
-		pat_group = msg_pattern_groups[pat_ind];
-
-	if ( msg_pat$str in pat_group )
-		return F;	# there should not be duplicates
-	pat_group[msg_pat$str] = msg_pat;
-
-	return T;
-	}
-
-const ftp_msg_format_white_list: set[string] = {} &redef;
-
-event bro_init()
-	{
-	for ( f in ftp_msg_format_white_list )
-		process_predefined_msg_format(f);
-	}
-
-
-# PART III. Merge message patterns
-
-# moved to ftp-merge-pattern.bro
-
-# PART IV. Message pattern matching
-
-# Note that $parts is not redundant with $pat, because each field in
-# $pat may contain multiple patterns, as in
-#
-# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@"
-#
-# $parts tells whether "~ domain" or "~ ip" is matched.
-
-type msg_pattern_match_result: record {
-	valid: bool;
-	pat: msg_pattern_info;	# the pattern matched
-	parts: string_array;	# the matched pattern of each part
-};
-
-
-# Return -1 if t1 is more specific than t2, 1 if vice versa, and 0 if
-# t1 equals to t2 or if t1 and t2 are incomparable.
-
-function cmp_pattern_part(t1: string, t2: string): int
-	{
-	if ( t1 == t2 ) return 0;
-
-	local ret: int = 0;
-
-	if ( t1 != /~ .*/ || t2 != /~ .*/ )
-		{
-		if ( t2	== /~ .*/ ) ret = -1; 	# t1 < t2
-		if ( t1 == /~ .*/ ) ret = 1; 	# t2 < t1
-		}
-	else if ( t1 == /~ (arg|cmd)/ || t2 == /~ (arg|cmd)/ )
-		{
-		if ( t2 != /~ (arg|cmd)/ ) ret = -1;	# t1 < t2
-		if ( t1 != /~ (arg|cmd)/ ) ret = 1; 	# t2 < t1
-		}
-	else if ( t1 == "~ ip" && t2 == "~ domain" )
-		ret = -1;
-	else if ( t1 == "~ domain" && t2 == "~ ip" )
-		ret =  1;
-	else if ( t1 == "~ *" || t2 == "~ *" )
-		{
-		if ( t1 != "~ *" ) ret = -1;
-		if ( t2 != "~ *" ) ret = 1;
-		}
-
-	# print ftp_anon_log,
-	#	fmt("compare pattern part: \"%s\" vs. \"%s\" = %d", t1, t2, ret);
-
-	if ( ret == 0 )
-		print ftp_anon_log,
-			fmt("ERROR: cannot compare pattern part: \"%s\" vs. \"%s\"", t1, t2);
-	return ret;
-	}
-
-
-# Which pattern is more specific, returns -1 if m1 < m2, ...
-
-function cmp_msg_pattern_match(m1: msg_pattern_match_result, m2: msg_pattern_match_result): int
-	{
-	local b1 = F;	# whether part of m1 is more specific
-	local b2 = F;	# whether part of m2 is more specific
-
-	for ( i in m1$parts )
-		{
-		local c = cmp_pattern_part(m1$parts[i], m2$parts[i]);
-		if ( c < 0 ) b1 = T;
-		if ( c > 0 ) b2 = T;
-		}
-	if ( b1 && ! b2 ) return -1;
-	if ( ! b1 && b2 ) return 1;
-
-	print ftp_anon_log,
-		fmt("ERROR: cannot compare pattern match: \"%s\" vs. \"%s\"", m1$pat$str, m2$pat$str);
-	return 0;
-	}
-
-
-# Whether data matches pat. Parameter aux_pat contains a set of (data,
-# pat) pairs in addition to the predefined patterns and usually
-# contains pairs such as "~ cmd : USER", "~ arg : anonymous".
-
-function do_match_pattern_part(pat: string, data: string, aux_pat: set[string]): bool
-	{
-	if ( pat == /~ .+[-+]/ ) 	# with a flag
-		pat = cut_tail(pat, 1); # ignore the flag
-
-	if ( string_cat(pat, " : ", data) in aux_pat )
-		return T;
-	else if ( pat != /~ .*/ ) # not an abstract pattern
-		{
-		return ( to_lower(data) == pat );
-		}
-	else if ( pat == "~ *" )
-		return T; 	# always match
-	else if ( pat == "~ path" )
-		{
-		return ( data == ftp_file_name_pat ||
-		         /\// in data || /\\ / in data );
-		}
-	else if ( pat == "~ domain" )
-		{
-		return ( data == /([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/ );
-		}
-	else if ( pat == "~ version" )
-		{
-		return ( data == /[A-Za-z0-9\-\.\_]+/ );
-		}
-	else if ( pat in ftp_msg_part_patterns )
-		{
-		return ( data == ftp_msg_part_patterns[pat] );
-		}
-	else
-		return F;
-	}
-
-
-# Return the most promising part of <pat> that matches <data>, where
-# <pat> = "<pat_1>, [<pat_2>, ...]".
-
-function match_pattern_part(pat: string, data: string, aux_pat: set[string]): string
-	{
-	# print ftp_anon_log, fmt("part_match: \"%s\" ~? \"%s\"", data, pat);
-
-	local best = "~ none";
-	local pp = split(pat, /, /);
-	for ( i in pp )
-		{
-		local p = pp[i];
-		if ( do_match_pattern_part(p, data, aux_pat) )
-			{
-			if ( best == "~ none" || cmp_pattern_part(best, p) > 0 )
-				best = p;
-			}
-		}
-
-	# if ( best != "~ none" )
-	#	print ftp_anon_log, fmt("part_match: \"%s\" ~ \"%s\"", data, best);
-
-	return best;
-	}
-
-
-# Return T if the message (act_msg) matches the pattern; otherwise
-# return F.
-
-function do_msg_pattern_match(act_msg: string, msg_parts: string_array,
-		msg_pat: msg_pattern_info, aux_pat: set[string]): msg_pattern_match_result
-	{
-	local ret: msg_pattern_match_result;
-	ret$valid = F;
-
-	local num_parts = length(msg_parts);
-	local pat = msg_pat$tok;
-
-	local data: string_array;
-	for ( i2 in msg_parts )
-		if ( i2 % 2 == 1 && i2 > 1 && i2 < num_parts )
-			data[int_to_count((i2-1)/2)] = msg_parts[i2];
-
-	if ( length(pat) != length(data) )
-		return ret;
-
-	local matched: string_array;
-
-	for ( i in pat )
-		{
-		local m = match_pattern_part(pat[i], data[i], aux_pat);
-		if ( m == "~ none" )
-			return ret;
-		matched[i] = m;
-		}
-
-	ret$valid = T;
-	ret$parts = matched;
-	ret$pat = msg_pat;
-	return ret;
-	}
-
-
-# Anonymize a data field according to its pattern type.
-
-function anonymize_msg_part(data: string, pat: string,
-		cmd_arg: ftp_cmd_arg, session: ftp_session_info): string
-	{
-	if ( pat == /~ .+[-+]/ )
-		{
-		local pat_len = byte_len(pat);
-		local annotation = sub_bytes(pat, pat_len, 1); # the last character
-		if ( annotation == "+" ) 	# to expose the data
-			return data;
-		else if ( annotation == "-" )	# to hide the data
-			return "<->";
-		pat = cut_tail(pat, 1);		# otherwise ignore the annotation
-		}
-
-	if ( pat == "~ cmd" )
-		return cmd_arg$anonymized_cmd;
-	else if ( pat == "~ arg" )
-		return cmd_arg$anonymized_arg;
-	else if ( pat == "~ num" )
-		return "<num>";			# hide the number by default
-	else if ( pat == "~ port" )
-		return anonymize_port_arg(session, "<port in reply>", data);
-	else if ( pat == "~ ip" )
-		{
-		local a = parse_dotted_addr(data);
-		return cat(anonymize_address(a, session$connection_id));
-		}
-	else if ( pat == "~ domain" )
-		return "<domain>";
-	else if ( pat == "~ file_mode" )
-		return "<file mode>";
-	else if ( pat == "~ time" || pat == "~ day" || pat == "~ month" )
-		return data;
-	else if ( pat == "~ email" )
-		return "<email>";
-	else if ( pat == "~ url" )
-		return "<url>";
-	else if ( pat == "~ ip,port" || pat == "~ ip:port" )
-		{
-		local b = split_all(data, /[:,]/);
-		b[1] = cat(anonymize_address(parse_dotted_addr(b[1]), session$connection_id));
-		return cat_string_array(b);
-		}
-	else if ( pat == "~ path" || pat == "~ dir" )
-		return anonymize_file_name_arg(session, "<ftp reply>", data,
-			(session$reply_code >= 100 && session$reply_code < 300));
-	else if ( pat == "~ version" )
-		return data; 	# keep version of the server
-	else if ( pat == "~ *" )
-		return "<*>";
-	else
-		{
-		return "<!>";
-		print ftp_anon_log, fmt("ERROR: do not know how to anonymize pattern: %s", pat);
-		}
-	}
-
-
-# Compute a unique id that does not appear in <context>.
-
-function get_unique_subst_id(context: string, seed: string): string
-	{
-	local id = string_cat("X", md5_hmac(seed), "X");
-	if ( strstr(context, id) > 0 )
-		return get_unique_subst_id(context, string_cat(seed, "."));
-	return id;
-	}
-
-
-# Substitute all occurances of <part> in <msg1> with a unique id, if
-# the occurrance of <part> is followed by <suffix> (context-sensitive
-# substitution), and add to <subst_map> the mapping <subst_id> ->
-# <part>. It returns the message after substitution.
-
-function subst_part(msg1: string, part: string, suffix: string, subst_map: table[string] of string): string
-	{
-	local ps = string_cat(part, suffix);
-	if ( strstr(msg1, ps) <= 0 ) return msg1;
-	local subst_id = get_unique_subst_id(msg1, part);
-	subst_map[subst_id] = part;
-	return subst_string(msg1, ps, string_cat(subst_id, suffix));
-	}
-
-
-# Expand argument variants (see comments of ftp_arg_variants).
-
-function expand_ftp_arg_variants(session: ftp_session_info, cmd_arg: ftp_cmd_arg): ftp_arg_variants
-	{
-	local var: ftp_arg_variants;
-
-	var$arg = cmd_arg$arg;
-	var$path = "~ none";
-	var$norm_path = "~ none";
-	var$abs_path = "~ none";
-	var$base_path = "~ none";
-
-	if ( cmd_arg$cmd in ftp_cmds_with_file_arg )
-		{
-		local opt_fn = separate_option_str(cmd_arg$arg);
-		var$path = opt_fn$file_name;
-
-		# eliminate duplicate slashes
-		local norm_path = subst(var$path, /\/+|\\+/, "/");
-		# eliminate '/./' (as '/')
-		norm_path = subst(norm_path, /\/(\.\/)+/, "/");
-		if ( norm_path == /.*\/\./ ) # end with '/.'
-			norm_path = cut_tail(norm_path, 1);
-
-		# compress ..
-		norm_path = compress_path(norm_path);
-
-		if ( var$path == ftp_dos_path_pat )
-			{
-			norm_path = subst(norm_path, /\//, "\\");
-			# cut the last '\' off if it is not "C:\"
-			if ( norm_path == /.*\\/ && norm_path != /[[:alpha:]]:\\/ )
-				norm_path = cut_tail(norm_path, 1);
-			}
-		else
-			{
-			if ( norm_path == /.*\// && norm_path != /\//)	# if it is not '/'
-				norm_path = cut_tail(norm_path, 1);
-			}
-
-		var$norm_path = norm_path;
-
-		var$abs_path = absolute_path(session, norm_path);
-
-		var$base_path = subst(norm_path, /.*(\/+|\\+)/, "");
-		# But ignore base path names that only contain whitespace and/or punctuations
-		# if ( var$base_path == ftp_msg_field_separator )
-		if ( var$base_path == "" )
-			var$base_path = "~ none";
-
-		# print ftp_anon_log, fmt("path=\"%s\", norm_path=\"%s\", abs_path = \"%s\", base_path=\"%s\"",
-		# 			var$path, var$norm_path, var$abs_path, var$base_path);
-		}
-
-	return var;
-	}
-
-
-function strstr_clean(big: string, little: string, clean_match: bool): count
-	{
-	local i = strstr(big, little);
-
-	if ( i == 0 ) return i;
-
-	if ( clean_match )
-		{
-		local prefix = sub_bytes(big, 1, i - 1);
-		local suffix = sub_bytes(big, i + byte_len(little), -1);
-
-		# print ftp_anon_log, fmt("prefix = \"%s\", suffix = \"%s\"", prefix, suffix);
-		# if little is not surrounded by blanks or punctuations
-		if ( prefix != /|.*[[:blank:][:punct:]]/ ||
-		     suffix != /|[[:blank:][:punct:]].*/ )
-			return 0;
-		}
-
-	return i;
-	}
-
-
-# Search s for an argument variant. Note that variants are searched in
-# the order of priorities -- the more specific the varient is, the
-# higher priority it gets.
-
-type arg_in_msg: record {
-	arg: string;
-	arg_ind: count;
-	arg_len: count;
-	prefix: string;
-	suffix: string;
-};
-
-function check_arg_variant(s: string, arg: string, v: arg_in_msg, clean_match: bool): bool
-	{
-	if ( arg == "" || arg == "~ none" )
-		return F;
-
-	local i =  strstr_clean(s, arg, clean_match);
-	if ( i <= 0 ) return F;
-
-	local len = byte_len(arg);
-	if ( len <= v$arg_len ) return F;
-
-	v$arg = arg;
-	v$arg_ind = i;
-	v$arg_len = len;
-	v$prefix = sub_bytes(s, 1, i - 1);
-	v$suffix = sub_bytes(s, i + len, -1);
-	return T;
-	}
-
-function expand_path_arg(v: arg_in_msg): bool
-	{
-	if ( v$prefix != /.*\// ) return F;
-
-	local parts = split_all(v$prefix, /([^[:blank:][:punct:]]*\/)+/);
-	local num_parts = length(parts);
-	if ( parts[num_parts] != "" ) return F;
-	local last_part = int_to_count(num_parts - 1);
-	local s = parts[last_part];
-	local s_len = byte_len(s);
-
-	print ftp_anon_log, fmt("expand_path_arg: \"%s\" + \"%s\"", s, v$arg);
-	v$arg_len = v$arg_len + s_len;
-	v$arg_ind = int_to_count(v$arg_ind - s_len);
-	v$arg = string_cat(s, v$arg);
-
-	parts[last_part] = "";
-	v$prefix = cat_string_array(parts);
-	return T;
-	}
-
-function search_arg_variant(s: string, var: ftp_arg_variants, clean_match: bool): string
-	{
-	local v = [$arg = "", $arg_ind = 0, $arg_len = 0, $prefix = "", $suffix = ""];
-
-	check_arg_variant(s, var$arg, v, clean_match);
-	check_arg_variant(s, var$path, v, clean_match);
-	check_arg_variant(s, var$norm_path, v, clean_match);
-	check_arg_variant(s, var$abs_path, v, clean_match);
-	check_arg_variant(s, var$base_path, v, clean_match);
-
-	if ( var$path != "~ none" )
-		expand_path_arg(v);
-
-	return ( v$arg != "" ) ? v$arg : "~ none";
-	}
-
-
-# Substitute <arg> with a unique id in <msg>, store the mapping from
-# the id to <arg> in <subst_map>, and update <other_pat> and <aux_pat>
-# about the argument.
-#
-# It returns the message after substituion.
-
-function process_arg_in_reply(arg_var: ftp_arg_variants, msg: string,
-		other_pat: table[string] of string, aux_pat: set[string],
-		subst_map: table[string] of string): string
-	{
-	add aux_pat[string_cat("~ arg", " : ", arg_var$arg)];
-	add aux_pat[string_cat("~ arg", " : ", arg_var$path)];
-	add aux_pat[string_cat("~ arg", " : ", arg_var$abs_path)];
-	add aux_pat[string_cat("~ arg", " : ", arg_var$norm_path)];
-	add aux_pat[string_cat("~ arg", " : ", arg_var$base_path)];
-
-	local arg = search_arg_variant(msg, arg_var, T);
-	if ( arg != "~ none" )
-		{
-		print ftp_anon_log, fmt("arg_variant_found: \"%s\" in \"%s\"", arg, msg);
-
-		if ( arg != "" )
-			{
-			other_pat[arg] = "~ arg";
-			if ( ftp_msg_field_separator in arg && arg != ftp_msg_field_separator )
-				msg = subst_part(msg, arg, "", subst_map);
-			}
-		}
-
-	return msg;
-	}
-
-
-# Record the message being stripped out
-
-function strip_out_message(session: ftp_session_info, code: count, msg: string): string
-	{
-	local ind = fmt("%d %s", code, msg);
-	if ( ind !in msg_stripped_out )
-		{
-		print ftp_anon_log,
-			fmt("message_stripped_out: %s", msg);
-		add msg_stripped_out[ind];
-		}
-	return "<message stripped out>";
-	}
-
-
-type msg_component: record {
-	msg: pattern;
-	part: pattern;
-	context: pattern;
-};
-
-global msg_components_not_to_split: table[string] of msg_component;
-
-event bro_init()
-{
-	# quoted string
-	msg_components_not_to_split["quoted"] =
-		[$msg = /.*/,
-		 $part = /([^"]|\"\")*/,
-		 $context = /@@BOL@@ *\"([^"]|\"\")*\"/];
-
-	# port numbers in reply to PASV
-	msg_components_not_to_split["port"] =
-		[$msg = /227 .*/,
-		 $part = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/,
-		 $context = /\([0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}\)/];
-
-	# dotted IP address
-	msg_components_not_to_split["ip"] =
-		[$msg = /.*/,	# any reply code
-		 $part = /[0-9]{1,3}(\.[0-9]{1,3}){3}/,
-		 $context = /[[:space:]\(\[][0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:][:punct:]]/];
-
-	# email
-	msg_components_not_to_split["email"] =
-		[$msg = /.*/,	# any reply code
-		 $part = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/,
-		 $context = /[[:space:]\(\[<][[:alnum:]\-\.\_]+@([\-[:alnum:]]+\.)*[\-[:alnum:]]+[[:space:][:punct:]]/];
-
-	# URL
-	msg_components_not_to_split["url"] =
-		[$msg = /.*/,	# any reply code
-		 $part = /(http|ftp):\/\/[[:alnum:][:punct:]]+/,
-		 $context = /(http|ftp):\/\/[[:alnum:][:punct:]]+/];
-
-	# domain name
-	msg_components_not_to_split["domain-version-filename"] =
-		[$msg = /.*/,	# any reply code
-		 $part = /([[:alnum:]]+[\-\.\_])+[[:alnum:]]+/,
-		 $context = /[^\@\.\-\_[:alnum:]]([[:alnum:]]+[\-\.\_])+[[:alnum:]]+[[:space:][:punct:]]/];	# not proceeded by '@' (as in email)
-
-	# UNIX file mode string
-	msg_components_not_to_split["file_mode"] =
-		[$msg = /(211|213) .*/,
-		 $part = /[ld\-]([r-][w-][xs-]){3}/,
-		 $context = /@@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3}/];
-
-	# file name in `ls -l`
-	msg_components_not_to_split["ls_l_file_name"] =
-		[$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3} .*/,
-		 $part = /[^[:blank:]]+/,
-		 $context = /[[:blank:]][^[:blank:]]+ @@EOL@@/];
-
-	# symbolic links in `ls -l`
-	msg_components_not_to_split["ls_l_symbolic_link"] =
-		[$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r-][w-][xs-]){3} .*/,
-		 $part = /[^[:blank:]]+/,
-		 $context = /[[:blank:]][^[:blank:]]+ -> /];
-
-	# time
-	msg_components_not_to_split["time"] =
-		[$msg = /.*/,	# any reply code
-		 $part = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/,
-		 $context = /[[:space:]\(\[][0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?[[:space:][:punct:]]/];
-}
-
-function subst_in_context(msg: string, orig_msg: string, c: msg_component, subst_map: table[string] of string): string
-	{
-	# print ftp_anon_log, fmt("msg = \"%s\", context = %s", msg, c$context);
-
-	if ( orig_msg != c$msg || c$context !in msg )
-		return msg;
-
-	local parts = split_all(msg, c$context);
-	local msg0 = msg;
-
-	for ( i in parts )
-		{
-		# print ftp_anon_log, fmt("part[%d] = \"%s\"", i, parts[i]);
-		if ( i % 2 == 0 )
-			{
-			local s = parts[i];
-			local t = split_all(s, c$part);
-
-			if ( length(t) > 1 && /X[[:alnum:]]{32}X/ !in t[2] )
-				{
-				# print ftp_anon_log, fmt("\"%s\" -> \"%s\" + \"%s\" + \"%s\"",
-				#	to_string_literal(parts[i]), t[1], t[2], t[3]);
-				# print ftp_anon_log, fmt("subst_in_context: \"%s\" [%s].[%s]",
-				#	to_string_literal(s), c$part, c$context);
-
-				local id = get_unique_subst_id(msg0, msg0);
-				msg0 = string_cat(msg0, id);
-				subst_map[id] =	t[2];
-				t[2] = id;
-				parts[i] = cat_string_array(t);
-				# print ftp_anon_log, fmt("subst_in_context: \"%s\"->\"%s\" in \"%s\"",
-				#	subst_map[id], id, to_string_literal(parts[i]));
-				}
-			}
-		}
-
-	return cat_string_array(parts);
-	}
-
-
-# The main function for FTP reply anonymization.  cmd_arg is the
-# corresponding FTP request.
-
-function anonymize_ftp_reply_by_msg_pattern(code: count, act_msg: string,
-			cmd_arg: ftp_cmd_arg, session: ftp_session_info): string
-	{
-	local cmd = cmd_arg$cmd;
-	local arg = cmd_arg$arg;
-	local arg_var = expand_ftp_arg_variants(session, cmd_arg);
-
-	# First check if trace-specific anonymization applies to the message
-	if ( trace_specific_reply_anonymization )
-		{
-		local ret = anonymize_trace_specific_reply(session, code, act_msg, cmd_arg, arg_var);
-		if ( ret$anonymized )
-			{
-			print ftp_anon_log, fmt("trace_specific_reply: %d \"%s\" ->\"%s\"",
-				code, to_string_literal(act_msg), to_string_literal(ret$msg));
-			return ret$msg;
-			}
-		}
-
-	# Extract any prefix of form "<reply code>-"
-	local prefix = "";
-	local msg0 = act_msg;
-
-	if ( code > 0 )
-		{
-		prefix = fmt("%d-", code);
-		if ( strstr(msg0, prefix) == 1 ) # msg0 starts with prefix like '220-'
-			msg0 = sub_bytes(msg0, byte_len(prefix) + 1, -1);
-		else
-			prefix = "";
-		}
-
-
-	# Below we will split the message into fields. However, before
-	# the split we will first substitute certain substrings of the
-	# message with unique ID's and switch the ID's back to the
-	# corresponding strings after the split.
-
-	# This is necessary to keep some part of the message from
-	# being splitted, for instance, we'd like to split the
-	# message:
-	#
-	# "'CWD /My Document/music/' command successful."
-	#
-	# with "/My Document/music/" as a single field instead two
-	# fields: "/My" and "Document/music/".
-
-	# Mark the two ends of the message
-	msg0 = string_cat("@@BOL@@ ", msg0, " @@EOL@@");
-
-	# For pattern extraction -- used by extract_ftp_reply_pattern
-	local other_pat: table[string] of string;
-
-	# For pattern matching -- used by match_pattern_part
-	local aux_pat: set[string];
-
-	local subst_map: table[string] of string;
-
-	local orig_msg = fmt("%d %s", code, msg0);
-	local msg1 = msg0;
-
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["file_mode"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_file_name"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_symbolic_link"], subst_map);
-
-	# Process command in the reply message
-	if ( cmd != "<missing>" )
-		{
-		other_pat[cmd] = "~ cmd";
-		add aux_pat[string_cat("~ cmd", " : ", cmd)];
-		add aux_pat[string_cat("~ cmd", " : ", to_lower(cmd))];
-		if ( ftp_msg_field_separator in cmd )
-			msg1 = subst_part(msg1, cmd, "", subst_map);
-		}
-
-	# Process arguments in reply. Note that the order is
-	# critical: the argument variants are processed starting from
-	# the most specific one.
-	msg1 = process_arg_in_reply(arg_var, msg1, other_pat, aux_pat, subst_map);
-
-	# Process directory in the reply
-	local dir = "~ none";	# any directory contained in the reply
-	if ( code == 257 || [cmd, code] in ftp_dir_operation )
-		{
-		dir = extract_dir_from_reply(session, msg1, dir);
-		if ( dir != "~ none" )
-			{
-			other_pat[dir] = "~ dir";
-			add aux_pat[string_cat("~ dir", " : ", dir)];
-			if ( ftp_msg_field_separator in dir )
-				msg1 = subst_part(msg1, dir, "", subst_map);
-			}
-		}
-
-	# msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["quoted"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["port"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["email"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["url"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ip"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["domain-version-filename"], subst_map);
-	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["time"], subst_map);
-
-	# Summarize all the substitution for debugging and verification
-	local subst_str = "";
-	if ( length(subst_map) > 0 )
-		{
-		for ( xx in subst_map )
-			{
-			if ( subst_str != "" )
-				subst_str = string_cat(subst_str, ", ");
-			subst_str = string_cat(subst_str, fmt("(\"%s\"->\"%s\")", to_string_literal(subst_map[xx]), xx));
-			}
-		print ftp_anon_log, fmt("substitute: \"%d %s\" with {%s}",
-			code, act_msg, subst_str);
-		}
-
-	# Split the message to parts
-	local msg_parts = split_all(msg1, ftp_msg_field_separator);
-	local num_parts = length(msg_parts);
-
-	# According to subst_map, change substitution ID's back to the
-	# corresponding parts. Note that here we only look at whole
-	# fields to look for substitution ID's.
-	for ( i in msg_parts )
-		{
-		local this_part = msg_parts[i];
-		if ( this_part in subst_map )
-			{
-			msg_parts[i] = subst_map[this_part];
-			# print ftp_anon_log, fmt("substitute_part: \"%s\"", to_string_literal(msg_parts[i]));
-			}
-		}
-
-	# Sanity check for string substitution
-	local msg2 = cat_string_array(msg_parts);
-	# msg2 != msg0 suggests that there is an improper substitution
-	if ( msg2 != msg0 )
-		{
-		print ftp_anon_log, fmt("ERROR: substitution: \"%s\" -> \"%s\" with {%s} in [%s]",
-			to_string_literal(msg0), to_string_literal(msg2),
-			subst_str, id_string(session$connection_id));
-		return strip_out_message(session, code, act_msg);
-		}
-
-	# So far the message is successfully splitted. Now we will try
-	# to find a matching pattern.
-
-	# Look it up in message patterns.
-	local ind = fmt("%3d %3d", code, num_parts);
-
-	if ( ind !in msg_pattern_groups )
-		{
-		print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]",
-			code, act_msg, id_string(session$connection_id));
-		extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session);
-		return strip_out_message(session, code, act_msg);
-		}
-
-	local pat_group = msg_pattern_groups[ind];
-
-	# There can be more than one matches ... record all of them
-	# and pick the most promising one.
-	local matches: table[string] of msg_pattern_match_result;
-	local the_pat: msg_pattern_match_result;	# the best match
-	the_pat$valid = F;
-
-	for ( pat_str in pat_group )
-		{
-		local msg_pat = pat_group[pat_str];
-		local tok: string_array;
-		local r = do_msg_pattern_match(act_msg, msg_parts, msg_pat, aux_pat);
-		if ( r$valid )
-			{
-			if ( length(matches) == 0 || cmp_msg_pattern_match(r, the_pat) < 0 )
-				the_pat = r;
-			matches[pat_str] = r;
-			}
-		}
-
-	if ( length(matches) == 0 )
-		{
-		print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]",
-			code, act_msg, id_string(session$connection_id));
-
-		extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session);
-
-		return strip_out_message(session, code, act_msg);
-		}
-
-	if ( length(matches) > 1 )
-		print ftp_anon_log, fmt("multiple_patterns: \"%d %s\"", code, act_msg);
-
-	print ftp_anon_log, fmt("message_matched: (%d) \"%d %s\" ~ \"%s\"",
-					length(matches), code, act_msg, the_pat$pat$str);
-
-	++the_pat$pat$hit;
-
-	# Now we anonymize the message according to the_pat. During
-	# the process we log two kinds of anonymization for manual
-	# inspection:
-	# 1) when a field matches the wild card pattern ('~ *'): this
-	# will help us find information that is over-conservatively
-	# anonymized;
-	# 2) when a field matches a pattern with a 'to expose' flag (a
-	# '+' at the end): this will help us to verify that the
-	# exposed data is privacy-safe.
-
-	local anon_parts: string_array;
-	local match_wildcard = "";
-	local match_exposure = "";
-
-	for ( i in msg_parts )
-		{
-		local data = msg_parts[i];
-		if ( i <= 2 || i >= num_parts - 1 )
-			anon_parts[i] = subst(data, /@@BOL@@ | @@EOL@@/, "");
-		else if ( i % 2 == 0 )
-			anon_parts[i] = data;
-		else
-			{
-			local p = the_pat$parts[int_to_count((i-1)/2)];
-			anon_parts[i] = ( p != /~ .*/ ) ? data :
-						anonymize_msg_part(data, p,
-							cmd_arg, session);
-
-			if ( p == /~ .+[+]/ )
-				{
-				if ( match_exposure != "" ) match_exposure = string_cat(match_exposure, "; ");
-				match_exposure = string_cat(match_exposure, data);
-				}
-
-			if ( p == "~ *" )
-				{
-				if ( match_wildcard != "" ) match_wildcard = string_cat(match_wildcard, "; ");
-				match_wildcard = string_cat(match_wildcard, data);
-				}
-			}
-		}
-
-	if ( match_wildcard != "" && [match_wildcard, the_pat$pat$str] !in all_wildcard_matches )
-		{
-		add all_wildcard_matches[match_wildcard, the_pat$pat$str];
-		print ftp_anon_log, fmt("wildcard_match: in pattern: \"%s\" data: [%s] in [%s]",
-			the_pat$pat$str,
-			match_wildcard,
-			id_string(session$connection_id));
-		}
-
-	if ( match_exposure != "" )
-		{
-		print ftp_anon_log, fmt("data_exposure: in pattern: \"%s\" data: [%s] in [%s]",
-			the_pat$pat$str,
-			match_exposure,
-			id_string(session$connection_id));
-		}
-
-	local result = cat_string_array(anon_parts);
-
-	# Stick the prefix back to the message.
-	if ( prefix != "" )
-		result = string_cat(prefix, result);
-
-	return result;
-	}
diff --git a/policy/ftp.bro b/policy/ftp.bro
deleted file mode 100644
index 4fc86df2c4..0000000000
--- a/policy/ftp.bro
+++ /dev/null
@@ -1,868 +0,0 @@
-# $Id: ftp.bro 6726 2009-06-07 22:09:55Z vern $
-
-@load notice
-@load conn
-@load scan
-@load hot-ids
-@load terminate-connection
-
-@load ftp-cmd-arg
-
-module FTP;
-
-export {
-	# Indexed by source & destination addresses and the id.
-	const skip_hot: set[addr, addr, string] &redef;
-
-   # see: http://packetstormsecurity.org/UNIX/penetration/rootkits/index4.html
-   # for current list of rootkits to include here
-
-	const hot_files =
-		  /.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)/
-		| /.*snoop\.(tar|tgz).*/
-		| /.*bnc\.(tar|tgz).*/
-		| /.*datapipe.*/
-		| /.*ADMw0rm.*/
-		| /.*newnick.*/
-		| /.*sniffit.*/
-		| /.*neet\.(tar|tgz).*/
-		| /.*\.\.\..*/
-		| /.*ftpscan.txt.*/
-		| /.*jcc.pdf.*/
-		| /.*\.[Ff]rom.*/
-		| /.*sshd\.(tar|tgz).*/
-		| /.*\/rk7.*/
-		| /.*rk7\..*/
-		| /.*[aA][dD][oO][rR][eE][bB][sS][dD].*/
-		| /.*[tT][aA][gG][gG][eE][dD].*/
-		| /.*shv4\.(tar|tgz).*/
-		| /.*lrk\.(tar|tgz).*/
-		| /.*lyceum\.(tar|tgz).*/
-		| /.*maxty\.(tar|tgz).*/
-		| /.*rootII\.(tar|tgz).*/
-		| /.*invader\.(tar|tgz).*/
-	&redef;
-
-	const hot_guest_files =
-		  /.*\.rhosts/
-		| /.*\.forward/
-		&redef;
-
-	const hot_cmds: table[string] of pattern = {
-		["SITE"] = /[Ee][Xx][Ee][Cc].*/,
-	} &redef;
-
-	const excessive_filename_len = 250 &redef;
-	const excessive_filename_trunc_len = 32 &redef;
-
-	const guest_ids = { "anonymous", "ftp", "guest", } &redef;
-
-	# Invalid PORT/PASV directives that exactly match the following
-	# don't generate notice's.
-	const ignore_invalid_PORT =
-		/,0,0/	# these are common, dunno why
-	&redef;
-
-	# Some servers generate particular privileged PASV ports for benign
-	# reasons (presumably to tunnel through firewalls, sigh).
-	const ignore_privileged_PASVs = { ssh, } &redef;
-
-	# Pairs of IP addresses for which we shouldn't bother logging if one
-	# of them is used in lieu of the other in a PORT or PASV directive.
-
-	const skip_unexpected: set[addr] = {
-		15.253.0.10, 15.253.48.10, 15.254.56.2,		# hp.com
-		gvaona1.cns.hp.com,
-	} &redef;
-
-	const skip_unexpected_net: set[addr] &redef;
-
-	const log_file = open_log_file("ftp") &redef;
-
-	redef enum Notice += {
-		FTP_UnexpectedConn,	# FTP data transfer from unexpected src
-		FTP_ExcessiveFilename,	# very long filename seen
-		FTP_PrivPort,		# privileged port used in PORT/PASV;
-					#   $sub says which
-		FTP_BadPort,		# bad format in PORT/PASV;
-					#   $sub says which
-		FTP_Sensitive,		# sensitive connection -
-					#   not more specific
-		FTP_SiteExecAttack,	# specific "site exec" attack seen
-	};
-
-	type ftp_session_info: record {
-		id: count;
-		connection_id: conn_id;
-		user: string;
-		anonymized_user: string;
-		anonymous_login: bool;
-
-		request: string;	# pending request or requests
-		num_requests: count;	# count of pending requests
-		request_t: time;	# time of request
-		log_if_not_denied: bool;	# log unless code 530 on reply
-		log_if_not_unavail: bool;	# log unless code 550 on reply
-		log_it: bool;		# if true, log the request(s)
-
-		reply_code: count;	# the most recent reply code
-		cwd: string;		# current working directory
-
-		pending_requests: ftp_pending_cmds;	# pending requests
-		delayed_request_rewrite: table[count] of ftp_cmd_arg;
-
-		expected: set[addr, port]; # data connections we expect
-	};
-
-	type ftp_expected_conn: record {
-		host: addr;
-		session: ftp_session_info;
-	};
-
-	global ftp_sessions: table[conn_id] of ftp_session_info &persistent;
-}
-
-
-redef capture_filters += { ["ftp"] = "port ftp" };
-
-# DPM configuration.
-global ftp_ports = { 21/tcp } &redef; 
-redef dpd_config += { [ANALYZER_FTP] = [$ports = ftp_ports] };
-
-function is_ftp_conn(c: connection): bool
-	{
-	return c$id$resp_p == ftp;
-	}
-
-type ftp_reply_code: record {
-	x: count;	# high-order (3rd digit)
-	y: count;	# middle (2nd) digit
-	z: count;	# bottom digit
-};
-
-global ftp_session_id = 0;
-
-# Indexed by the responder pair, yielding the address expected to connect to it.
-global ftp_data_expected: table[addr, port] of ftp_expected_conn &persistent &create_expire = 1 min;
-
-const ftp_init_dir: table[addr, string] of string = {
-	[131.243.1.10, "anonymous"] = "/",
-} &default = "<unknown>/";
-
-const ftp_file_cmds = {
-	"APPE", "CWD", "DELE", "MKD", "RETR", "RMD", "RNFR", "RNTO",
-	"STOR", "STOU",
-};
-
-const ftp_absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/;
-
-const ftp_dir_operation = {
-	["CWD", 250],
-	["CDUP", 200],	# typo in RFC?
-	["CDUP", 250],	# as found in traces
-	["PWD", 257],
-	["XPWD", 257],
-};
-
-const ftp_skip_replies = {
-	150,	# "status okay - about to open connection"
-	331	# "user name okay, need password"
-};
-
-const ftp_replies: table[count] of string = {
-	[150] = "ok",
-	[200] = "ok",
-	[220] = "ready for new user",
-	[221] = "closed",
-	[226] = "complete",
-	[230] = "logged in",
-	[250] = "ok",
-	[257] = "done",
-	[331] = "id ok",
-	[500] = "syntax error",
-	[530] = "denied",
-	[550] = "unavail",
-};
-
-const ftp_other_replies = { ftp_replies };
-
-const ftp_all_cmds: set[string] = {
-	"<init>", "<missing>",
-	"USER", "PASS", "ACCT",
-	"CWD", "CDUP", "SMNT",
-	"REIN", "QUIT",
-	"PORT", "PASV", "MODE", "TYPE", "STRU",
-	"ALLO", "REST", "STOR", "STOU", "RETR", "LIST", "NLST", "APPE",
-	"RNFR", "RNTO", "DELE", "RMD", "MKD", "PWD", "ABOR",
-	"SYST", "STAT", "HELP",
-	"SITE", "NOOP",
-
-	# FTP extensions
-	"SIZE", "MDTM", "MLST", "MLSD",
-	"EPRT", "EPSV",
-};
-
-const ftp_tested_cmds: set[string] = {};
-const ftp_untested_cmds: set[string] = { ftp_all_cmds };
-
-global ftp_first_seen_cmds: set[string];
-global ftp_unlisted_cmds: set[string];
-
-# const ftp_state_diagram: table[string] of count = {
-#	["ABOR", "ALLO", "DELE", "CWD", "CDUP",
-#	 "SMNT", "HELP", "MODE", "NOOP", "PASV",
-#	 "QUIT", "SITE", "PORT", "SYST", "STAT",
-#	 "RMD", "MKD", "PWD", "STRU", "TYPE"] = 1,
-#	["APPE", "LIST", "NLST", "RETR", "STOR", "STOU"] = 2,
-#	["REIN"] = 3,
-#	["RNFR", "RNTO"] = 4,
-# };
-
-
-function parse_ftp_reply_code(code: count): ftp_reply_code
-	{
-	local a: ftp_reply_code;
-
-	a$z = code % 10;
-
-	code = code / 10;
-	a$y = code % 10;
-
-	code = code / 10;
-	a$x = code % 10;
-
-	return a;
-	}
-
-event ftp_unexpected_conn_violation(id: conn_id, orig: addr, expected: addr)
-	{
-	NOTICE([$note=FTP_UnexpectedConn, $id=id,
-		$msg=fmt("%s > %s FTP connection from %s",
-			id$orig_h, id$resp_h, orig)]);
-	}
-
-event ftp_unexpected_conn(id: conn_id, orig: addr, expected: addr)
-	{
-	if ( orig in skip_unexpected || expected in skip_unexpected ||
-	     mask_addr(orig, 24) in skip_unexpected_net ||
-	     mask_addr(expected, 24) in skip_unexpected_net )
-		; # don't bother reporting
-
-	else if ( mask_addr(orig, 24) == mask_addr(expected, 24) )
-		; # close enough, probably multi-homed
-
-	else if ( mask_addr(orig, 16) == mask_addr(expected, 16) )
-		; # ditto
-
-	else
-		event ftp_unexpected_conn_violation(id, orig, expected);
-	}
-
-event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
-				resp_p: port, session: ftp_session_info)
-	{
-	}
-
-event expected_connection_seen(c: connection, a: count)
-	{
-	local id = c$id;
-	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
-		add c$service["ftp-data"];
-	}
-
-# Deficiency: will miss data connections if the commands/replies
-# are encrypted.
-function is_ftp_data_conn(c: connection): bool
-	{
-	local id = c$id;
-	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
-		{
-		local expected = ftp_data_expected[id$resp_h, id$resp_p];
-		if ( id$orig_h != expected$host )
-			event ftp_unexpected_conn(expected$session$connection_id,
-				id$orig_h, expected$host);
-
-		return T;
-		}
-
-	else if ( id$orig_p == 20/tcp &&
-	          [$orig_h = id$resp_h, $orig_p = id$resp_p,
-		   $resp_h = id$orig_h, $resp_p = 21/tcp] in ftp_sessions )
-		return T;
-	else
-		return F;
-	}
-
-
-function new_ftp_session(c: connection, add_init: bool)
-	{
-	local session = c$id;
-	local new_id = ++ftp_session_id;
-
-	local info: ftp_session_info;
-	info$id = new_id;
-	info$connection_id = session;
-	info$user = "<unknown>";
-	info$anonymized_user = "<TBD!>";
-	info$anonymous_login = T;
-	info$request = "";
-	info$num_requests = 0;
-	info$request_t = c$start_time;
-	info$log_if_not_unavail = F;
-	info$log_if_not_denied = F;
-	info$log_it = F;
-	info$reply_code = 0;
-	info$cwd = "<before_login>/";
-	info$pending_requests = init_ftp_pending_cmds();
-
-	if ( add_init )
-		add_to_ftp_pending_cmds(info$pending_requests, "<init>", "");
-
-	ftp_sessions[session] = info;
-	append_addl(c, fmt("#%s", prefixed_id(new_id)));
-
-	print log_file, fmt("%.6f #%s %s start", c$start_time, prefixed_id(new_id),
-				id_string(session));
-	}
-
-function ftp_message(id: conn_id, msg: string)
-	{
-	print log_file, fmt("%.6f #%s %s",
-			network_time(), prefixed_id(ftp_sessions[id]$id), msg);
-	}
-
-event ftp_sensitive_file(c: connection, session: ftp_session_info,
-				filename: string)
-	{
-	session$log_if_not_unavail = T;
-	}
-
-event ftp_excessive_filename(session: ftp_session_info,
-				command: string, arg: string)
-	{
-	NOTICE([$note=FTP_ExcessiveFilename, $id=session$connection_id,
-		$user=session$user, $filename=arg,
-		$msg=fmt("%s #%s excessive filename: %s",
-				id_string(session$connection_id),
-				prefixed_id(session$id), arg)]);
-	session$log_it = T;
-	}
-
-global ftp_request_rewrite: function(c: connection, session: ftp_session_info,
-					cmd_arg: ftp_cmd_arg);
-global ftp_reply_rewrite: function(c: connection, session: ftp_session_info,
-					code: count, msg: string,
-					cont_resp: bool, cmd_arg: ftp_cmd_arg);
-
-# Returns true if the given string is at least 25% composed of 8-bit
-# characters.
-function is_string_binary(s: string): bool
-	{
-	return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / byte_len(s) >= 25;
-	}
-
-event ftp_request(c: connection, command: string, arg: string)
-	{
-	# Command may contain garbage, e.g. if we're parsing something
-	# which isn't ftp. Ignore this.
-	if ( is_string_binary(command) )
-		return;
-
-	local id = c$id;
-
-	if ( id !in ftp_sessions )
-		new_ftp_session(c, F);
-
-	local session = ftp_sessions[id];
-
-	# Keep the original command and arg.
-	local cmd_arg =
-		add_to_ftp_pending_cmds(session$pending_requests, command, arg);
-
-	if ( command == "USER" )
-		{
-		if ( arg in hot_ids &&
-		     [id$orig_h, id$resp_h, arg] !in skip_hot )
-			{
-			if ( arg in always_hot_ids )
-				session$log_it = T;
-			else
-				session$log_if_not_denied = T;
-			}
-
-		append_addl(c, arg);
-		session$user = arg;
-
-		if ( arg in forbidden_ids )
-			TerminateConnection::terminate_connection(c);
-		}
-
-	else if ( command == "PASS" )
-		{
-		if ( session$user in forbidden_ids_if_no_password &&
-		     arg == "" )
-			TerminateConnection::terminate_connection(c);
-
-		if ( session$user in guest_ids )
-			append_addl_marker(c, arg, "/");
-		else
-			{
-			event account_tried(c, session$user, arg);
-			arg = "<suppressed>";
-			}
-		}
-
-	else if ( command == "PORT" || command == "EPRT" )
-		{
-		local data = (command == "PORT") ?
-				parse_ftp_port(arg) : parse_eftp_port(arg);
-
-		if ( data$valid )
-			{
-			if ( data$h != id$orig_h )
-				ftp_message(id, fmt("*> PORT host %s doesn't match originator host %s", data$h, id$orig_h));
-
-			if ( data$p < 1024/tcp && data$p in port_names )
-				NOTICE([$note=FTP_PrivPort, $id=id,
-					$user=session$user,
-					$msg=fmt("%s #%s privileged PORT %d: %s",
-						id_string(id),
-						prefixed_id(session$id),
-						data$p, arg),
-					$sub="PORT"]);
-
-			local expected = [$host=c$id$resp_h, $session=session];
-			ftp_data_expected[data$h, data$p] = expected;
-			add session$expected[data$h, data$p];
-
-			expect_connection(c$id$resp_h, data$h, data$p,
-						ANALYZER_FILE, 5 min);
-
-			event ftp_connection_expected(c, c$id$resp_h, data$h,
-							data$p, session);
-			}
-		else if ( arg != ignore_invalid_PORT )
-			NOTICE([$note=FTP_BadPort, $id=id,
-				$user=session$user,
-				$msg=fmt("%s #%s invalid ftp PORT directive: %s",
-						id_string(id),
-						prefixed_id(session$id), arg),
-				$sub="PORT"]);
-		}
-
-	else if ( command in ftp_file_cmds )
-		{
-		if ( arg == hot_files ||
-		     (session$user in guest_ids &&
-		      arg == hot_guest_files) )
-			event ftp_sensitive_file(c, session, arg);
-
-		if ( byte_len(arg) >= excessive_filename_len )
-			{
-			arg = fmt("%s..[%d]..",
-				sub_bytes(arg, 1, excessive_filename_trunc_len),
-				byte_len(arg));
-			event ftp_excessive_filename(session, command, arg);
-			}
-		}
-
-	else if ( command == "ACCT" )
-		append_addl(c, fmt("(account %s)", arg));
-
-	if ( command in hot_cmds && arg == hot_cmds[command] )
-		{
-		session$log_it = T;
-
-		# Special hack for "site exec" attacks.
-		### Obviously, this should be generic and not specialized
-		### like the following.
-		if ( command == "SITE" && /[Ee][Xx][Ee][Cc]/ in arg &&
-		     # We see legit use of "site exec cp / /", God knows why.
-		     byte_len(arg) > 32 )
-			{ # Terminate with extreme prejudice.
-			TerminateConnection::terminate_connection(c);
-			NOTICE([$note=FTP_SiteExecAttack, $conn=c, $conn=c, 
-					$msg=fmt("%s %s", command, arg)]);
-			}
-		}
-
-	local request = arg == "" ? command : cat(command, " ", arg);
-	if ( ++session$num_requests == 1 )
-		{
-		# First pending request
-		session$request = request;
-		session$request_t = network_time();
-		}
-	else
-		{
-		# Don't append PASS commands, unless they're for an
-		# anonymous user.
-
-		### Is it okay to include the args of an ACCT command?
-
-		if ( command == "PASS" )
-			{
-			if ( session$user in guest_ids )
-				{
-				session$request =
-					cat(session$request, "/", arg);
-				}
-
-			# Don't count this as a multiple request.
-			--session$num_requests;
-			}
-		else
-			{
-			if ( byte_len(session$request) < 256 )
-				session$request = cat(session$request, ", ", request);
-			}
-		}
-
-	if ( rewriting_ftp_trace )
-		ftp_request_rewrite(c, session, cmd_arg);
-
-	if ( command in ftp_all_cmds )
-		{
-		if ( command in ftp_untested_cmds )
-			{
-			delete ftp_untested_cmds[command];
-			add ftp_first_seen_cmds[command];
-			}
-		}
-	else
-		add ftp_unlisted_cmds[command];
-	}
-
-event ftp_binary_response(session: ftp_session_info, code: count, msg: string)
-	{
-	print log_file, fmt("%.6f #%s binary response",
-				network_time(), prefixed_id(session$id));
-	}
-
-function extract_dir_from_reply(session: ftp_session_info, msg: string,
-				hint: string): string
-	{
-	const dir_pattern = /\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\"/;
-	local parts = split_all(msg, dir_pattern);
-
-	if ( length(parts) != 3 )
-		{ # not found or ambiguous
-#		print log_file, fmt("%.6f #%s cannot extract directory: \"%s\"",
-#			network_time(), prefixed_id(session$id), msg);
-		return hint;
-		}
-
-	local d = parts[2];
-	return sub_bytes(d, 2, int_to_count(byte_len(d) - 2));
-	}
-
-# Process ..'s and eliminate duplicate '/'s
-# Deficiency: gives wrong results when a symbolic link is followed by ".."
-function compress_path(dir: string): string
-	{
-	const cdup_sep = /((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+)/;
-
-	local parts = split_n(dir, cdup_sep, T, 1);
-	if ( length(parts) > 1 )
-		{
-		parts[2] = "/";
-		dir = cat_string_array(parts);
-		return compress_path(dir);
-		}
-
-	const multislash_sep = /(\/){2,}/;
-	parts = split_all(dir, multislash_sep);
-	for ( i in parts )
-		if ( i % 2 == 0 )
-			parts[i] = "/";
-	dir = cat_string_array(parts);
-
-	return dir;
-	}
-
-# Computes the absolute path with cwd (current working directory).
-function absolute_path(session: ftp_session_info, file_name: string): string
-	{
-	local abs_file_name: string;
-	if ( file_name == ftp_absolute_path_pat ) # start with '/' or 'A:\'
-		abs_file_name = file_name;
-	else
-		abs_file_name = string_cat(session$cwd, "/", file_name);
-	return  compress_path(abs_file_name);
-	}
-
-function do_ftp_reply(c: connection, session: ftp_session_info,
-			code: count, msg: string, cmd: string, arg: string)
-	{
-	local id = c$id;
-
-	if ( session$log_if_not_denied && code != 530 &&
-	     # skip password prompt, which we can get when the requests
-	     # are stacked up
-	     code != 331 )
-		session$log_it = T;
-
-	if ( session$log_if_not_unavail && code != 550 )
-		session$log_it = T;
-
-	if ( code == 227  || code == 229 )
-		{
-		local data = (code == 227) ?
-				parse_ftp_pasv(msg) : parse_ftp_epsv(msg);
-
-		if ( code == 229 && data$h == 0.0.0.0 )
-			data$h = id$resp_h;
-
-		if ( data$valid )
-			{
-			if ( data$h != id$resp_h )
-				ftp_message(id, fmt("*< PASV host %s doesn't match responder host %s", data$h, id$resp_h));
-
-			if ( data$p < 1024/tcp && data$p in port_names &&
-			     data$p !in ignore_privileged_PASVs )
-				NOTICE([$note=FTP_PrivPort, $id=id,
-					$user=session$user, $n=code,
-					$msg=fmt("%s #%s privileged PASV %d: %s",
-						id_string(id), prefixed_id(session$id),
-						data$p, msg),
-					$sub="PASV"]);
-
-			local expected = [$host=id$orig_h, $session=session];
-			ftp_data_expected[data$h, data$p] = expected;
-			add session$expected[data$h, data$p];
-			event ftp_connection_expected(c, c$id$orig_h, data$h,
-							data$p, session);
-
-			expect_connection(id$orig_h, data$h, data$p,
-						ANALYZER_FILE, 5 min);
-
-			msg = endpoint_id(data$h, data$p);
-			}
-
-		else if ( msg != ignore_invalid_PORT )
-			{
-			NOTICE([$note=FTP_BadPort, $id=id,
-				$user=session$user, $n=code,
-				$msg=fmt("%s #%s invalid ftp PASV directive: %s",
-						id_string(id),
-						prefixed_id(session$id), msg),
-				$sub="PASV"]);
-			msg = "invalid PASV";
-			}
-		}
-
-	if ( [cmd, code] in ftp_dir_operation )
-		{
-		local cwd: string;
-
-		if ( cmd == "CWD" )
-			{
-			if ( arg == ftp_absolute_path_pat ) # absolute dir
-				cwd = arg;
-			else
-				cwd = cat(session$cwd, "/", arg);
-			}
-
-		else if ( cmd == "CDUP" )
-			cwd = cat(session$cwd, "/..");
-
-		else if ( cmd == "PWD" || cmd == "XPWD" )
-			# Here we need to guess how to extract the
-			# directory from the reply.
-			cwd = extract_dir_from_reply(session, msg,
-							 session$cwd);
-
-		# cwd = cat(cwd, "/");
-
-		# Process "..", eliminate duplicate '/'s, and eliminate
-		# last '/' if cwd != "/"
-		# session$cwd = compress_path(cwd);
-
-		session$cwd = cwd;
-
-#		print log_file, fmt("*** DEBUG *** %.06f #%s (%s %s) CWD = \"%s\"",
-#				network_time(), prefixed_id(session$id),
-#				cmd, arg, session$cwd);
-		}
-
-	if ( session$num_requests > 0 )
-		{
-		if ( code in ftp_skip_replies )
-			;	# Don't flush request yet.
-
-		else
-			{
-			local reply = code in ftp_replies ? ftp_replies[code] :
-					fmt("%d %s", code, msg);
-
-			local session_msg = fmt("#%s %s%s (%s)",
-					prefixed_id(session$id),
-					session$num_requests > 1 ? "*" : "",
-					session$request, reply);
-
-			if ( session$log_it )
-				NOTICE([$note=FTP_Sensitive, $id=id,
-					$user=session$user, $n=code,
-					$msg=fmt("ftp: %s %s",
-						id_string(id), session_msg)]);
-
-			print log_file, fmt("%.6f %s", session$request_t,
-						session_msg);
-
-			session$request = "";
-			session$num_requests = 0;
-			session$log_if_not_unavail = F;
-			session$log_if_not_denied = F;
-			session$log_it = F;
-			}
-		}
-	else
-		{
-		# An unpaired response.  This can happen in particular
-		# when the session is encrypted, so we check for that here.
-		if ( /[\x80-\xff]{3}/ in msg )
-			# Three 8-bit characters in a row - good enough.
-			# Note, this should of course be customizable.
-			event ftp_binary_response(session, code, msg);
-
-		else
-			print log_file, fmt("%.6f #%s response (%d %s)",
-					network_time(), prefixed_id(session$id), code, msg);
-		}
-	}
-
-function do_ftp_login(c: connection, session: ftp_session_info)
-	{
-	session$cwd = ftp_init_dir[session$connection_id$resp_h, session$user];
-	event login_successful(c, session$user);
-	}
-
-event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
-	{
-	local id = c$id;
-	local response_xyz = parse_ftp_reply_code(code);
-
-	if ( id !in ftp_sessions )
-		new_ftp_session(c, T);
-
-	local session = ftp_sessions[id];
-
-	if ( code != 0 || ! cont_resp )
-		session$reply_code = code;
-
-	local cmd_arg = find_ftp_pending_cmd(session$pending_requests, session$reply_code, msg);
-
-	if ( ! cont_resp )
-		{
-		if ( response_xyz$x == 2 &&	# successful
-		     (cmd_arg$cmd == /USER|PASS|ACCT/) )
-			do_ftp_login(c, session);
-
-		do_ftp_reply(c, session, code, msg, cmd_arg$cmd, cmd_arg$arg);
-		}
-
-	if ( rewriting_ftp_trace )
-		{
-		ftp_reply_rewrite(c, session, code, msg, cont_resp, cmd_arg);
-		}
-
-	if ( ! cont_resp )
-		{
-		if ( ftp_cmd_pending(session$pending_requests) )
-			{
-			if ( response_xyz$x == 1 )
-				# nothing
-				;
-
-			else if ( response_xyz$x >= 2 && response_xyz$x <= 5 )
-				{
-				pop_from_ftp_pending_cmd(session$pending_requests, cmd_arg);
-				# print log_file, fmt("*** DEBUG *** %.06f #%d: [%s %s] [%d %s]",
-				#	network_time(), session$id, cmd_arg$cmd, cmd_arg$arg, code, msg);
-				}
-			}
-
-		else if ( code != 421 ) # closing connection
-			ftp_message(id, fmt("spontaneous response (%d %s)",
-					code, msg));
-		}
-	}
-
-const call_ftp_connection_remove = F &redef;
-global ftp_connection_remove: function(c: connection);
-
-# Use state remove event instead of finish to cover connections terminated by
-# RST.
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-
-	if ( is_ftp_conn(c) && call_ftp_connection_remove )
-		ftp_connection_remove(c);
-
-	if ( id in ftp_sessions )
-		{
-		local session = ftp_sessions[id];
-
-		if ( session$num_requests > 0 )
-			{
-			local msg = fmt("#%s %s%s (no reply)",
-					prefixed_id(session$id),
-					session$num_requests > 1 ? "*" : "",
-					session$request);
-
-			if ( session$log_it )
-				NOTICE([$note=FTP_Sensitive, $id=id,
-					$user=session$user,
-					$msg=fmt("ftp: %s %s",
-						id_string(id), msg)]);
-
-			print log_file, fmt("%.6f %s", session$request_t, msg);
-			}
-
-		if ( ftp_cmd_pending(session$pending_requests) )
-			{
-			local ca = find_ftp_pending_cmd(session$pending_requests, 0, "<finish>");
-			# print log_file, fmt("*** DEBUG *** requests pending from %s %s", ca$cmd, ca$arg);
-			}
-
-		for ( [h, p] in session$expected )
-			delete ftp_data_expected[h, p];
-
-		ftp_message(id, "finish");
-
-		delete ftp_sessions[id];
-		}
-	}
-
-event file_transferred(c: connection, prefix: string, descr: string,
-			mime_type: string)
-	{
-	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
-		{
-		local expected = ftp_data_expected[c$id$resp_h, c$id$resp_p];
-		print log_file, fmt("%.6f #%s ftp-data %s '%s'",
-					c$start_time,
-					prefixed_id(expected$session$id),
-					mime_type, descr);
-		append_addl(c, descr);
-		}
-	}
-
-event file_virus(c: connection, virname: string)
-	{
-	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
-		{
-		local expected = ftp_data_expected[c$id$resp_h, c$id$resp_p];
-		# FIXME: Throw NOTICE.
-		print log_file, fmt("%.6f #%s VIRUS %s found", c$start_time,
-					prefixed_id(expected$session$id),
-					virname);
-		append_addl(c, fmt("Virus %s", virname));
-		}
-	}
-
-event bro_init()
-	{
-	have_FTP = T;
-	}
diff --git a/policy/gnutella.bro b/policy/gnutella.bro
deleted file mode 100644
index 0fd4429f83..0000000000
--- a/policy/gnutella.bro
+++ /dev/null
@@ -1,61 +0,0 @@
-# $Id: gnutella.bro 4017 2007-02-28 07:11:54Z vern $
-
-redef capture_filters += { ["gnutella"] = "port 6346 or port 8436" };
-
-global gnutella_ports = { 6346/tcp, 8436/tcp } &redef;
-redef dpd_config += { [ANALYZER_GNUTELLA] = [$ports = gnutella_ports] };
-
-event gnutella_text_msg(c: connection, orig: bool, headers: string)
-	{
-	if ( orig )
-		print fmt("gnu txt %s -> %s %s", c$id$orig_h, c$id$resp_h, headers);
-	else
-		print fmt("gnu txt %s -> %s %s", c$id$resp_h, c$id$orig_h, headers);
-	}
-
-
-event gnutella_binary_msg(c: connection, orig: bool, msg_type: count,
-				ttl: count, hops: count, msg_len: count,
-				payload: string, payload_len: count,
-				trunc: bool, complete: bool)
-	{
-	local s = "";
-
-	if ( orig )
-		s = fmt("gnu bin %s -> %s", c$id$orig_h, c$id$resp_h);
-	else
-		s = fmt("gnu bin %s -> %s", c$id$resp_h, c$id$orig_h);
-
-	print fmt("%s %d %d %d %d %d %d %d %s",
-			s, msg_type, ttl, hops, msg_len,
-			trunc, complete, payload_len, payload);
-	}
-
-
-event gnutella_partial_binary_msg(c: connection, orig: bool,
-					msg: string, len: count)
-	{
-	if ( orig )
-		print fmt("gnu pbin %s -> %s", c$id$orig_h, c$id$resp_h);
-	else
-		print fmt("gnu pbin %s -> %s", c$id$resp_h, c$id$orig_h);
-	}
-
-
-event gnutella_establish(c: connection)
-	{
-	print fmt("gnu est %s <-> %s", c$id$orig_h, c$id$resp_h);
-	}
-
-
-event gnutella_not_establish(c: connection)
-	{
-	print fmt("gnu !est %s <-> %s", c$id$orig_h, c$id$resp_h);
-	}
-
-
-event gnutella_http_notify(c: connection)
-	{
-	print fmt("gnu http %s/%s <-> %s/%s", c$id$orig_h, c$id$orig_p,
-			c$id$resp_h, c$id$resp_p);
-	}
diff --git a/policy/hand-over.bro b/policy/hand-over.bro
deleted file mode 100644
index 0b3cf2f195..0000000000
--- a/policy/hand-over.bro
+++ /dev/null
@@ -1,144 +0,0 @@
-# $Id: hand-over.bro 617 2004-11-02 00:54:31Z scottc $
-#
-# Hand-over between two instances of Bro.
-
-@load remote
-
-# The host from which we want to take over the state has to be
-# added to remote_peers_{clear,ssl}, setting hand_over to T.
-#
-# The host which we want to allow to perform a hand-over with us
-# has to be added to remote_peers with a port of 0/tcp and
-# hand_over = T.
-
-function is_it_us(host: addr, p: port): bool
-	{
-@ifdef ( listen_if_clear )
-	if ( is_local_interface(host) && p == listen_port_clear )
-		return T;
-@endif
-
-@ifdef ( listen_if_ssl )
-	if ( is_local_interface(host) && p == listen_port_ssl )
-	    return T;
-@endif
-	return F;
-	}
-
-function is_handover_peer(p: event_peer): bool
-	{
-	local peer: Remote::Destination;
-
-	if ( p$id in Remote::pending_peers )
-		peer = Remote::pending_peers[p$id];
-	else
-		return F;
-
-	return peer$hand_over;
-	}
-
-function handover_start_processing()
-	{
-	uninstall_src_net_filter(0.0.0.0/0);
-	}
-
-event bro_init()
-	{
-	# Disable packet processing.
-	install_src_net_filter(0.0.0.0/0, 0, 100);
-	alarm "waiting for hand-over - packet processing disabled.";
-	}
-
-event remote_connection_error(p: event_peer, reason: string)
-	{
-	if ( is_remote_event() || ! ( p$id in Remote::connected_peers) )
-		return;
-
-	# Seems that the other side in not running.
-	alarm "can't connect for hand-over - starting processing ...";
-	handover_start_processing();
-	}
-
-event remote_connection_established(p: event_peer)
-	{
-	if ( is_remote_event() )
-		return;
-
-	# If [p$id] is defined in Remote::connected_peers and p != 0, we have connected
-	# to the host.
-	if ( p$p != 0/tcp &&
-	     ([p$id] in Remote::connected_peers ) )
-		{
-		if ( ! is_handover_peer(p) )
-			return;
-
-		alarm fmt("requesting hand-over from %s:%d", p$host, p$p);
-
-		request_remote_events(p, /handover_.*|finished_send_state/);
-
-		# Give the remote side some time to register its handlers.
-		schedule 3 secs { handover_request(p$host, p$p) };
-		return;
-		}
-
-	# If the other side connected to us, we will allow the hand-over
-	# if the remote host is defined as a hand-over host in remote_peers.
-	if ( is_handover_peer(p) )
-		{
-		alarm fmt("allowing hand-over from %s:%d", p$host, p$p);
-		request_remote_events(p, /handover_.*|finished_send_state/);
-		}
-	}
-
-event handover_send_state(p: event_peer)
-	{
-	if ( is_remote_event() )
-		return;
-
-	# There may be a serialization in progress in which case
-	# we will have to try again.
-	if ( ! send_state(p) )
-		{
-		alarm "can't send state; serialization in progress";
-		schedule 5 secs { handover_send_state(p$host, p$p) };
-		}
-	}
-
-event handover_request(p: event_peer)
-	{
-	# Make sure the event is for us.
-	if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
-		return;
-
-	# Send state to other side.
-	schedule 1 sec { handover_send_state(p) };
-	}
-
-event finished_send_state(p: event_peer)
-	{
-	# We will get this event from the remote side.
-	# Make sure it's indeed for us.
-	if ( ! is_remote_event() )
-		 return;
-
-	if ( ! is_handover_peer(p) )
-		 return;
-
-	alarm fmt("full state received from %s:%d - starting processing ...",
-		p$host, p$p);
-
-	event handover_got_state(p);
-
-	# Start processing.
-	handover_start_processing();
-	}
-
-event handover_got_state(p: event_peer)
-	{
-	# Make sure the event is for us.
-	if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
-		return;
-
-	alarm fmt("%s:%d received our state - terminating", p$host, p$p);
-	terminate();
-	}
diff --git a/policy/heavy-analysis.bro b/policy/heavy-analysis.bro
deleted file mode 100644
index 6d3bf29a0c..0000000000
--- a/policy/heavy-analysis.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: heavy-analysis.bro 2771 2006-04-18 23:53:09Z vern $
-#
-# Loading this files enables somewhat more accurate, yet also significantly
-# more expensive, analysis (in terms of memory as well as CPU time).
-#
-# This script only sets core-level options.  Script-level timeouts are
-# adjusted in heavy.*.bro, loaded via Bro's prefix mechanism.  To make this
-# work, the prefix has to be set *before* reading other scripts, either by
-# loading this script first of all, or by manually putting a @prefix
-# at the start of Bro's configuration.
-
-@prefixes += heavy
-
-redef tcp_SYN_timeout = 120 secs;
-redef tcp_session_timer = 30 secs;
-redef tcp_connection_linger = 30 secs;
-redef tcp_attempt_delay = 300 secs;
-redef tcp_close_delay = 15 secs;
-redef tcp_reset_delay = 15 secs;
-redef tcp_partial_close_delay = 10 secs;
-
-redef max_timer_expires = 32;
-
-redef tcp_inactivity_timeout = 2 hrs;
-redef udp_inactivity_timeout = 1 hrs;
-redef icmp_inactivity_timeout = 1 hrs;
diff --git a/policy/heavy.http.bro b/policy/heavy.http.bro
deleted file mode 100644
index f3be0bf058..0000000000
--- a/policy/heavy.http.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef http_sessions &write_expire = 5 hrs;
diff --git a/policy/heavy.irc.bro b/policy/heavy.irc.bro
deleted file mode 100644
index 0e2cdf0dbb..0000000000
--- a/policy/heavy.irc.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: heavy.irc.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef active_users &persistent &read_expire = 1 days;
-redef active_channels &persistent &read_expire = 1 days;
diff --git a/policy/heavy.scan.bro b/policy/heavy.scan.bro
deleted file mode 100644
index 570e79bf6a..0000000000
--- a/policy/heavy.scan.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: heavy.scan.bro 4758 2007-08-10 06:49:23Z vern $
-
-redef distinct_peers &create_expire = 10 hrs;
-redef distinct_ports &create_expire = 10 hrs;
-redef distinct_low_ports &create_expire = 10 hrs;
-redef possible_scan_sources &create_expire = 10 hrs;
diff --git a/policy/heavy.software.bro b/policy/heavy.software.bro
deleted file mode 100644
index f9e8d0b694..0000000000
--- a/policy/heavy.software.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: heavy.software.bro 2771 2006-04-18 23:53:09Z vern $
-
-redef only_report_local = F;
diff --git a/policy/heavy.trw.bro b/policy/heavy.trw.bro
deleted file mode 100644
index 1bfce8f6b4..0000000000
--- a/policy/heavy.trw.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id: heavy.trw.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef TRW::scan_sources &write_expire = 1 day;
-redef TRW::benign_sources &write_expire = 1 day;
-redef TRW::failed_locals &write_expire = 12 hrs;
-redef TRW::successful_locals &write_expire = 12 hrs;
-redef TRW::lambda &write_expire = 12 hrs;
-redef TRW::num_scanned_locals &write_expire = 12 hrs;
diff --git a/policy/hot-ids.bro b/policy/hot-ids.bro
deleted file mode 100644
index 64a6a7a71f..0000000000
--- a/policy/hot-ids.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# @(#) $Id: hot-ids.bro 785 2004-11-24 05:56:06Z rwinslow $ (LBL)
-
-# If these ids are seen, the corresponding connection is terminated.
-const forbidden_ids = {
-	"uucp", "daemon", "rewt", "nuucp",
-	"EZsetup", "OutOfBox", "4Dgifts",
-	"ezsetup", "outofbox", "4dgifts", "sgiweb",
-	"r00t", "ruut", "bomb", "backdoor",
-	"bionic", "warhead", "check_mate", "checkmate", "check_made",
-	"themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack",
-} &redef;
-
-const forbidden_ids_if_no_password = { "lp" } &redef;
-
-const forbidden_id_patterns = /(y[o0]u)(r|ar[e3])([o0]wn.*)/ &redef;
-
-const always_hot_ids = {
-	"sync", "tutor", "tour",
-	"retro", "milk", "moof", "own", "gdm", "anacnd",
-	"lp", "demos", forbidden_ids,
-} &redef;
-
-# The ones here that aren't in always_hot_ids are only hot upon
-# success.
-const hot_ids = {
-	"root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
-	"operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper",
-	"wank", always_hot_ids,
-} &redef;
diff --git a/policy/hot.bro b/policy/hot.bro
deleted file mode 100644
index c3434e3a3b..0000000000
--- a/policy/hot.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-# $Id: hot.bro 7057 2010-07-19 23:22:19Z vern $
-
-@load site
-@load port-name
-@load notice
-@load terminate-connection
-
-module Hot;
-
-export {
-	# True if it should be considered a spoofing attack if a connection has
-	# the same local net for source and destination.
-	const same_local_net_is_spoof = F &redef;
-
-	const allow_spoof_services = {
-		110/tcp,	# pop-3
-		139/tcp,	# netbios-ssn
-	} &redef;
-
-	# Indexed by source address and destination address.
-	const allow_pairs: set[addr, addr] &redef;
-
-	const hot_srcs: table[addr] of string = {
-		#	[ph33r.the.eleet.com] = "kidz",
-	} &redef;
-
-	const hot_dsts: table[addr] of string = {
-		[206.101.197.226] = "ILOVEYOU worm destination",
-	} &redef;
-
-	const allow_services = {
-		ssh, http, gopher, ident, smtp, 20/tcp,
-		53/udp,		# DNS queries
-		123/udp,	# NTP
-	} &redef;
-
-	const allow_services_to: set[addr, port] &redef;
-	const allow_services_from: set[addr, port] &redef;
-	const allow_service_pairs: set[addr, addr, port] &redef;
-
-	const flag_successful_service: table[port] of string = {
-		[[31337/tcp]] = "popular backdoors",
-	} &redef;
-
-	const flag_successful_inbound_service: table[port] of string = {
-		[1524/tcp] = "popular backdoor, but with false hits outbound",
-	} &redef;
-
-	const terminate_successful_inbound_service: table[port] of string &redef;
-
-	const flag_rejected_service: table[port] of string &redef;
-
-	# Different values to hand to check_hot() at different stages in
-	# a connection's lifetime.
-	const CONN_ATTEMPTED = 1;
-	const CONN_ESTABLISHED = 2;
-	const APPL_ESTABLISHED = 3;
-	const CONN_FINISHED = 4;
-	const CONN_REJECTED = 5;
-	const CONN_TIMEOUT = 6;
-	const CONN_REUSED = 7;
-
-	global check_hot: function(c: connection, state: count): bool;
-	global check_spoof: function(c: connection): bool;
-}
-
-# An internal function used by check_hot.
-function do_hot_check(c: connection, a: addr, t: table[addr] of string)
-	{
-	if ( a in t )
-		{
-		++c$hot;
-		local hot_msg = fmt("<%s>", t[a]);
-		append_addl(c, hot_msg);
-		}
-	}
-
-function check_spoof(c: connection): bool
-	{
-	local orig = c$id$orig_h;
-	local resp = c$id$resp_h;
-	local service = c$id$resp_p;
-
-	if ( is_local_addr(orig) && is_local_addr(resp) &&
-	     service !in allow_spoof_services )
-		{
-		if ( c$id$orig_p == service && orig == resp )
-			event conn_weird("Land_attack", c);
-
-		if ( same_local_net_is_spoof )
-			++c$hot;
-		}
-
-	return c$hot != 0;
-	}
-
-function check_hot(c: connection, state: count): bool
-	{
-	local id = c$id;
-	local service = id$resp_p;
-
-	if ( service in allow_services || "ftp-data" in c$service )
-		return F;
-
-	if ( state == CONN_ATTEMPTED )
-		check_spoof(c);
-
-	else if ( state == CONN_REJECTED )
-		{
-		check_spoof(c);
-
-		if ( service in flag_rejected_service )
-			++c$hot;
-		}
-
-	else if ( state == CONN_ESTABLISHED )
-		{
-		check_spoof(c);
-
-		local inbound = is_local_addr(id$resp_h);
-
-		if ( (service in flag_successful_service ||
-		      (inbound &&
-		       service in flag_successful_inbound_service)) &&
-		     ([id$resp_h, id$resp_p] !in allow_services_to || 
-		      [id$orig_h, id$resp_p] !in allow_services_from) )
-			{
-			if ( inbound &&
-			     service in terminate_successful_inbound_service )
-				TerminateConnection::terminate_connection(c);
-
-			++c$hot;
-			if ( service in flag_successful_service )
-				append_addl(c, flag_successful_service[service]);
-			else
-				append_addl(c, flag_successful_inbound_service[service]);
-			}
-		}
-
-	else if ( state == APPL_ESTABLISHED ||
-		  ((state == CONN_FINISHED || state == CONN_TIMEOUT ||
-		    state == CONN_REUSED) &&
-		   service != telnet && c$orig$size > 0 && c$resp$size > 0) )
-		{
-		# Connection established and has a non-trivial size.
-		local orig = c$id$orig_h;
-		local resp = c$id$resp_h;
-
-		if ( [resp, service] in allow_services_to ||
-		     [orig, service] in allow_services_from ||
-		     [orig, resp, service] in allow_service_pairs ||
-		     [orig, resp] in allow_pairs )
-			return F;
-
-		do_hot_check(c, resp, hot_srcs);
-		do_hot_check(c, resp, hot_dsts);
-		}
-
-	return c$hot != 0;
-	}
diff --git a/policy/http-abstract.bro b/policy/http-abstract.bro
deleted file mode 100644
index 3eaeb273f0..0000000000
--- a/policy/http-abstract.bro
+++ /dev/null
@@ -1,54 +0,0 @@
-# $Id: http-abstract.bro 47 2004-06-11 07:26:32Z vern $
-
-@load http
-@load http-entity
-
-module HTTP;
-
-export {
-	const abstract_max_length = 512 &redef;
-}
-
-redef http_entity_data_delivery_size = 4096;
-redef include_HTTP_abstract = T;
-
-function skip_abstract(c: connection, is_orig: bool, msg: http_message)
-	{
-	msg$skip_abstract = T;
-	if ( ! process_HTTP_data )
-		skip_http_entity_data(c, is_orig);
-	}
-
-event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level == 1 && ty == "TEXT" )
-		# Do not skip the body in this case.
-		return;
-
-	skip_abstract(c, is_orig, msg);
-	}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$skip_abstract )
-		return;
-
-	local len = byte_len(data);
-	if ( len > abstract_max_length )
-		msg$abstract = sub_bytes(data, 1, abstract_max_length);
-	else
-		msg$abstract = data;
-
-	skip_abstract(c, is_orig, msg);
-
-	# print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
-	#			network_time(), s$id,
-	#			is_orig ? "=>" : "<=", byte_len(msg$abstract),
-	#			msg$abstract);
-	}
diff --git a/policy/http-anon-server.bro b/policy/http-anon-server.bro
deleted file mode 100644
index ecf755c39a..0000000000
--- a/policy/http-anon-server.bro
+++ /dev/null
@@ -1,209 +0,0 @@
-# $Id:$
-
-# Anonymize values in Server: headers.
-#
-# TODO:
-#
-# - Zedo and IBM web servers can have Apache mods -- the parsing should
-#   be extended to support them
-#
-
-@load anon
-@load http-anon-utils
-
-# ---------------------------------------------------------------------
-#                      Apache (and friends)
-# - abandon all hope ye who enter here .....
-# ---------------------------------------------------------------------
-
-const apache_server =
-	/apache(-ish)?(\/([0-9]+\.)*[0-9]+)? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-const apache_mod_pat =
-	  /mod_fastcgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /openssl\/([0-9]+\.)*[0-9a-z]{1,4}(-beta[0-9]{0,2})?/
-	| /dav\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /php-cgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /ben-ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /embperl\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_ruby\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /nexadesic\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /postgresql\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_tsunami\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_auth_svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_auth_mda\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /rus\/pl(([0-9]+\.)*[0-9]{1,4})/
-	| /authmysql\/(([0-9]+\.)*[0-9]{1,4})/
-	| /mod_auth_pgsql\/(([0-9]+\.)*[0-9]{1,4})/
-	| /mod_ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /php\/(([0-9]+\.)*[0-9a-z]{1,4})(-[0-9]+)?/
-	| /mod_perl\/(([0-9]+\.)*[0-9a-z]{1,4})(\_[0-9]+)?/
-	| /mod_macro\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_auth_pam\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_oas\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_cap\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /powweb\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_gzip\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /resin\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_jk\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /python\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /perl\/(v)?(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_python\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_log_bytes\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_auth_passthrough\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_bwlimited\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_throttle\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /mod_webapp\/(([0-9]+\.)*[0-9a-z]{1,4})(-dev)?/
-	| /frontpage\/(([0-9]+\.)*[0-9a-z]{1,5})/
-	| /mod_pubcookie\/[0-9a-z]{2}\/[0-9]+\.[0-9]+\-[0-9]+/
-	| /(-)?coyote\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	| /svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
-	;
-
-# Various Apache variants (e.g., stronghold).
-const apache_misc =
-	/stronghold\/(([0-9]+\.)*[0-9]+) apache(\/([0-9]+\.)*[0-9]+)? (c2neteu\/[0-9])? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-const apache_basic = /apache?(\/([0-9]+\.)*[0-9]+)?/;
-const apache_platforms =
-	/(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-# ibm_http_server/1.3.26.2, apache/1.3.26 (unix).
-const IBM_server =
-	/ibm_http_server(\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)?( *apache\/[0-9]+\.[0-9]+\.[0-9]+ \(unix\))?/;
-
-
-# ---------------------------------------------------------------------
-#  Servers values for which we don't retain all values.
-# ---------------------------------------------------------------------
-
-const zope_server =
-	/zope\/\(zope ([0-9]+\.)*[0-9]+-[a-z0-9]{1,2}\, python ([0-9]+\.)*[0-9]+\, linux[0-9]\)/;
-
-const thttp_server = /thttpd\/[0-9]+\.[0-9]+(beta[0-9]+)?/;
-const weblogic_server = /weblogic server [0-9]+\.[0-9]+/;
-const zedo_server = /zedo 3g(\/([0-9]+\.)*[0-9]+)?/;
-const jetty_server = /jetty\/[0-9]+\.[0-9]+/;
-
-# ---------------------------------------------------------------------
-#                      Misc         Servers
-# ---------------------------------------------------------------------
-
-const misc_server =
-	  /dclk creative/
-	| /gws\/[0-9]+\.[0-9]+/
-	| /nfe\/[0-9]+\.[0-9]+/
-	| /gfe\/[0-9]+\.[0-9]+/
-	| /dclk-adsvr/
-	| /rsi/
-	| /swcd\/([0-9]+\.)*[0-9]+/
-	| /microsoft-iis\/[0-9]{1,2}\.[0-9]{1,2}/
-	| /cafe\/[0-9]+\.[0-9]+/
-	| /artblast\/([0-9]+\.)*[0-9]+/
-	| /aolserver\/([0-9]+\.)*[0-9]+/
-	| /resin\/([0-9]+\.)*s?[0-9]+/
-	| /netscape-enterprise\/([0-9]+\.)*[0-9a-z]{1,2}+ *(aol)?/
-	| /mapquest listener/
-	| /miixpc\/[0-9]+\.[0-9]+/
-	| /sun-one-web-server\/[0-9]+\.[0-9]+/
-	| /appledotmacserver/
-	| /cj\/[0-9]+\.[0-9]+/
-	| /jigsaw\/([0-9]+\.)*[0-9]+/
-	| /boa\/[0-9]+\.[0-9]+(\.[0-9]+(rc[0-9]+)?)?/
-	| /tux\/[0-9]+\.[0-9]+ *\(linux\)/
-	| /igfe/
-	| /trafficmarketplace-jforce\/([0-9]+\.)*[0-9]+/
-	| /lighttpd/
-	| /hitbox gateway ([0-9]+\.)*[0-9]+ [a-z][0-9]/
-	| /jbird\/[0-9]+\.[0-9a-z]{1,2}/
-	| /perlbal/
-	| /big-ip/
-	| /konichiwa\/[0-9]+\.[0-9]+/
-	| /footprint [0-9]+\.[0-9]+\/fpmc/
-	| /iii [0-9]+/
-	| /clickability web server\/([0-9]+\.)*[0-9]+ *\(unix\)/
-	| /accipiter-directserver\/([0-9]+\.)*[0-9]+ \(nt; pentium\)/
-	| /ibm-proxy-wte\/([0-9]+\.)*[0-9]+/
-	| /netscape-commerce\/[0-9]+\.[0-9]+/
-	| /nde/
-	;
-
-function do_apache_server(server: string): string
-	{
-	local apache_parts = split_all(server, apache_server);
-	if ( apache_parts[3] == "" )
-		return apache_parts[2];
-
-	local apache_return_string = apache_parts[2];
-	local mod_parts = split(apache_parts[3], / /);
-
-	for ( part in mod_parts )
-		{
-		if ( mod_parts[part] == apache_mod_pat )
-			{
-			apache_return_string =
-				string_cat(apache_return_string,
-					" ");
-			apache_return_string =
-				string_cat(apache_return_string,
-					mod_parts[part]);
-			}
-		else
-			print http_anon_log, fmt("** unknown Apache mod: %s:%s", mod_parts[part], server);
-		}
-
-	return apache_return_string;
-	}
-
-function check_server(server: string, server_pat: pattern): bool
-	{
-	return server_pat in server;
-	}
-
-function do_server(server: string, server_pat: pattern): string
-	{
-	return split_all(server, server_pat)[2];
-	}
-
-function filter_in_http_server(server: string): string
-	{
-	# Vanilla Apache is a hard one and a special case.  Let's get the
-	# nastiness over first.
-
-	if ( apache_server in server )
-		return do_apache_server(server);
-
-	if ( check_server(server, apache_misc) )
-		return do_server(server, apache_misc);
-	if ( check_server(server, IBM_server) )
-		return do_server(server, IBM_server);
-	if ( check_server(server, zedo_server) )
-		return do_server(server, zedo_server);
-	if ( check_server(server, zope_server) )
-		return do_server(server, zope_server);
-	if ( check_server(server, jetty_server) )
-		return do_server(server, jetty_server);
-	if ( check_server(server, thttp_server) )
-		return do_server(server, thttp_server);
-	if ( check_server(server, weblogic_server) )
-		return do_server(server, weblogic_server);
-
-	# Grab bag.
-	if ( misc_server in server )
-		return server;
-
-	# Best guess - unknown Apache variant of some sort.
-	if ( apache_basic in server )
-		{
-		print http_anon_log,
-			fmt("** unknown Apache variant: %s", server);
-
-		return fmt("(bro: unknown) %s %s",
-				split_all(server, apache_basic)[2],
-				split_all(server, apache_platforms)[2]);
-		}
-
-	print http_anon_log, fmt("** unknown server: %s", server);
-
-	return fmt("(bro: unknown) %s", anonymize_arg("server", server));
-	}
diff --git a/policy/http-anon-useragent.bro b/policy/http-anon-useragent.bro
deleted file mode 100644
index b8edd4a637..0000000000
--- a/policy/http-anon-useragent.bro
+++ /dev/null
@@ -1,111 +0,0 @@
-# $Id:$
-
-# Filter-in known "USER-AGENT:" values.
-
-@load anon
-@load http-anon-utils
-
-# ---------------------------------------------------------------------
-#                      Mozilla (and friends)
-# ---------------------------------------------------------------------
-
-const mozilla_full_pat =
-	/mozilla\/[0-9]\.[0-9] \(( *|;|iebar| freebsd i[0-9]{1,4}|fr|-|windows|windows 98|sunos sun4u|compatible|msie [0-9]\.[0-9]|windows nt [0-9]\.[0-9]|google-tr-1|sv1|\.net clr ([0-9]\.)*[0-9]+|x11|en|ppc mac os x|macintosh|u|linux i[0-9]{1,4}|en-us|rv\:([0-9]+\.)*[0-9]+|aol [0-9]\.[0-9]|gnotify ([0-9]+\.)*[0-9]+)*\) *(gecko\/[0-9]+)? *(firefox\/([0-9]+.)*[0-9]+)?/;
-
-const mozilla_head_pat = /mozilla\/[0-9]\.[0-9]/;
-
-const misc_user_pat =
-	  /spiderman/
-	| /w3m\/([0-9]+\.)*[0-9]+/
-	| /java([0-9]+\.)*[0-9]+(_[0-9]+)?/
-	| /java\/([0-9]+\.)*[0-9]+(_[0-9]+)?/
-	| /freecorder/
-	| /industry update control/
-	| /microsoft-cryptoapi\/([0-9]+\.)*[0-9]+/
-	| /ruriko\/([0-9]+\.)*[0-9]+/
-	| /crawler[0-9]\.[0-9]/
-	| /w3search/
-	| /symantec liveupdate/
-	| /davkit\/[0-9]\.[0-9]/
-	| /windows-media-player\/([0-9]+\.)*[0-9]+/
-	| /winamp\/([0-9]+\.)*[0-9]+/
-	| /headdump/
-	;
-
-const misc_cmplx_user_pat =
-	  /lynx\/([0-9]+\.)*[0-9]+.*/
-	| /wget\/([0-9]+\.)*[0-9]+.*/
-	| /yahooseeker\/([0-9]+\.)*[0-9]+.*/
-	| /rma\/([0-9]+\.)*[0-9]+.*/
-	| /aim\/[0-9]+.*/
-	| /ichiro\/([0-9]+\.)*[0-9]+.*/
-	| /unchaos.*/
-	| /irlbot\/[0-9]\.[0-9]+.*/
-	| /msnbot\/([0-9]+\.)*[0-9]+.*/
-	| /opera\/([0-9]+\.)*[0-9]+.*/
-	| /netnewswire\/([0-9]+\.)*[0-9]+.*/
-	| /nsplayer\/([0-9]+\.)*[0-9]+.*/
-	| /aipbot\/([0-9]+\.)*[0-9]+.*/
-	| /mac os x; webservicescore\.framework.*/
-	| /fast-webcrawler\/([0-9]+\.)*[0-9]+.*/
-	| /skype.*/
-	| /googlebot\/([0-9]+\.)*[0-9]+.*/
-	;
-
-const misc_cmplx_user_start =
-	  /lynx\/([0-9]+\.)*[0-9]+/
-	| /wget\/([0-9]+\.)*[0-9]+/
-	| /yahooseeker\/([0-9]+\.)*[0-9]+/
-	| /rma\/([0-9]+\.)*[0-9]+/
-	| /aim\/[0-9]+/
-	| /ichiro\/([0-9]+\.)*[0-9]+/
-	| /unchaos/
-	| /irlbot\/[0-9]\.[0-9]+/
-	| /opera\/([0-9]+\.)*[0-9]+/
-	| /msnbot\/([0-9]+\.)*[0-9]+/
-	| /netnewswire\/([0-9]+\.)*[0-9]+/
-	| /nsplayer\/([0-9]+\.)*[0-9]+/
-	| /aipbot\/([0-9]+\.)*[0-9]+/
-	| /mac os x; webservicescore\.framework/
-	| /fast-webcrawler\/([0-9]+\.)*[0-9]+/
-	| /skype/
-	| /googlebot\/([0-9]+\.)*[0-9]+/
-	;
-
-function filter_in_http_useragent(user: string): string
-	{
-	# Check for an exact match for Mozilla.
-	if ( mozilla_full_pat in user )
-		return split_all(user, mozilla_full_pat)[2];
-
-	# Look for popular Mozilla-compatible crawlers.
-	if ( mozilla_head_pat in user )
-		{
-		local crawler = "(bro: unknown)";
-
-		if ( /.*yahoo\! slurp/ in user )
-			crawler = "(yahoo! slurp)";
-
-		else if ( /.*ask jeeves/ in user )
-			crawler = "(ask jeeves)";
-
-		else
-			print http_anon_log,
-				fmt("*** unknown Mozilla user-agent %s\n", user);
-
-		return fmt("%s %s", split_all(user, mozilla_head_pat)[2],
-				crawler);
-		}
-
-	# Some simple, common user names.
-	if ( misc_user_pat in user )
-		return user;
-
-	# Require some info removal.
-	if ( misc_cmplx_user_pat in user )
-		return split_all(user, misc_cmplx_user_pat)[2];
-
-	print http_anon_log,fmt("*** unknown user agent %s\n", user);
-
-	return fmt("(bro: unknown) %s", anonymize_arg("user-agent", user));
-	}
diff --git a/policy/http-anon-utils.bro b/policy/http-anon-utils.bro
deleted file mode 100644
index 660452cc2f..0000000000
--- a/policy/http-anon-utils.bro
+++ /dev/null
@@ -1,164 +0,0 @@
-# $Id:$
-
-@load anon
-
-global http_anon_log = open_log_file("http-anon") &redef;
-
-const URI_proto_pat = /^ *([a-zA-Z]+)\:\/\// ;
-const known_URI_proto_pat = /^ *(http|https|ftp|ssh)\:\/\// ;
-
-const host_pat = / *^([\-0-9a-zA-Z]+\.)+([\_\-0-9a-zA-Z])*/ ;
-const port_pat = /^ *(\:[0-9]+\.)/ ;
-
-const query_pat = /\?/ ;
-
-function anonymize_http_URI(URI: string): string
-	{
-	URI = to_lower(URI);
-
-	# Strip off protocol.
-	local proto = "";
-	if ( URI_proto_pat in URI )
-		{
-		local proto_part = split(URI, /\:\/\//);
-
-		# Check if we know the protocol.  If not, flag it so we
-		# can update our protocol database.
-
-		if ( known_URI_proto_pat !in URI )
-			{
-			print http_anon_log,
-				fmt("*** protocol %s unknown ", proto_part[1]);
-
-			proto_part[1] =
-				string_cat(" (bro: unknown) ",
-					anonymize_arg("proto", proto_part[1]));
-			}
-
-		proto = string_cat(proto_part[1],"://");
-		URI = proto_part[2];
-		}
-
-	# Strip off domain.
-	local host = "";
-	if ( host_pat in URI )
-		{
-		local base_parts =
-			split_all(URI, / *^([\-\_0-9a-z]+\.)+[\-\_0-9a-z]*/);
-
-		if ( |base_parts| < 2 )
-			{
-			print http_anon_log,
-				fmt (" XXXXXXXXXXXXXXXXXXXXXX BASE %s", URI);
-			return " XXXX processing error XXXX";
-			}
-
-		if ( |base_parts| == 2 )
-			URI =  "";
-
-		else if ( |base_parts| == 3)
-			URI = base_parts[3];
-
-		else if ( |base_parts| > 3)
-			{
-			local patch_me = "";
-			local hack = base_parts[2];
-
-			local i = 1;
-			for ( part in base_parts )
-				{
-				if ( i != 2 )
-					patch_me = string_cat(patch_me,
-								base_parts[i]);
-				i += 1;
-				}
-
-			URI  = patch_me;
-			}
-
-		if ( host == simple_filename )
-			host = anonymize_path(host);
-		else
-			host = anonymize_host(base_parts[2]);
-		}
-
-	# Strip off port (if it exists).
-	local pport = "";
-	if ( port_pat in URI )
-		{
-		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
-		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
-		print "XXXXX anon.bro doing nothing with port XXXXXXXXXXX ";
-		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
-		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
-		}
-
-	# Handle query (if exists).
-	local tail = "";
-	if ( URI == "/" )
-		{
-		# -- pass
-		}
-
-	else if ( query_pat in URI )
-		{
-		local query_part = split(URI, /\?/);
-
-		tail = fmt("%s?%s",
-				anonymize_path(query_part[1]),
-				anonymize_path(query_part[2]));
-		}
-
-	else
-		tail = anonymize_path(URI);
-
-	tail = string_cat("/", tail);
-
-	return fmt("%s%s%s%s", proto, host, pport, tail);
-	}
-
-
-const a_href_pat = /.*\< *a *href.*\>.*/ ;
-	#/.*\< *a *href *= *\"[[:print:]]+\" *\>.*/;
-
-# Doesn't get everything ... but works for most.
-const a_href_split =
-	/\< *a *href *= *(\\)?(\"|\')?([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\\)?(\"|\')?/ ;
-
-# Elegant ... yeah ... really .. :-/
-const file_split =
-	/(\"|\')([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\"|\')/ ;
-const file_strip_split = /([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+/ ;
-
-function http_doc_link_list(abstract: string): string
-	{
-	abstract = to_lower(abstract);
-
-	if ( abstract == "" )
-		return abstract;
-
-	local concat_key = "";
-	local href_parts = split_all(abstract, a_href_split);
-
-	for ( part in href_parts )
-		{
-		if ( href_parts[part] == a_href_split )
-			{
-			local file_parts =
-				split_all(href_parts[part], file_split);
-			for ( a_part in file_parts )
-				{
-				if ( file_parts[a_part] == file_split )
-					{
-					local file_strip_parts =
-						split_all(file_parts[a_part],
-							file_strip_split);
-					concat_key = fmt("%s %s", concat_key,
-							anonymize_http_URI(file_strip_parts[2]));
-					}
-				}
-			}
-		}
-
-	return concat_key;
-	}
diff --git a/policy/http-anonymizer.bro b/policy/http-anonymizer.bro
deleted file mode 100644
index 21cf8a37a5..0000000000
--- a/policy/http-anonymizer.bro
+++ /dev/null
@@ -1,433 +0,0 @@
-# $Id:$
-
-# We can't do HTTP rewriting unless we process everything in the connection.
-@load http-reply
-@load http-entity
-@load http-anon-server
-@load http-anon-useragent
-@load http-anon-utils
-@load http-abstract
-
-@load anon
-
-module HTTP;
-
-redef rewriting_http_trace = T;
-redef http_entity_data_delivery_size = 18874368;
-redef abstract_max_length = 18874368;
-
-const rewrite_header_in_position = F;
-
-const http_response_reasons = {
-	"no content", "ok", "moved permanently", "not modified",
-	"use local copy", "object not found", "forbidden", "okay",
-	"object moved", "found", "http", "redirecting to main server",
-	"internal server error", "not found", "unauthorized", "moved",
-	"redirected", "continue", "access forbidden", "partial content",
-	"redirect", "<empty>", "authorization required",
-	"request time-out", "moved temporarily", "",
-};
-
-const keep_alive_pat = /(([0-9]+|timeout=[0-9]+|max=[0-9]+),?)*/ ;
-
-const content_type =
-	  /video\/(x-flv)(;)?/ 	# video
-	| /audio\/(x-scpls)/
-	| /image\/(gif|bmp|jpeg|pjpeg|tiff|png|x-icon)(;)?(qs\=[0-9](\.[0-9])?)?,?/
-	| /application\/(octet-stream|x-www-form-urlencoded|x-javascript|rss\+xml|x-gzip|x-ns-proxy-autoconfig|pdf|pkix-crl|x-shockwave-flash|postscript|xml|rdf\+xml|excel|msword|x-wais-source)(;)?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
-	| /text\/(plain|js|html|\*|css|xml|javascript);?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
-	| /^unknown$/
-	;
-
-const accept_enc_pat =
-	/(((x-)?deflate|(x-)?compress|\*|identity|(x-)?gzip|bzip|bzip2)(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
-const accept_charset_pat =
-	/((windows-(1252|1251)|big5|iso-8859-(1|15)|\*|utf-(8|16))(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
-const connection_pat = /((close|keep\-alive|transfer\-encoding|te),?)*/ ;
-
-const http_methods =
-	/get|put|post|head|propfind|connect|options|proppatch|lock|unlock|move|delete|mkcol/ ;
-
-const http_version = /(1\.0|1\.1)/ ;
-
-const last_modified_pat =
-	  /(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9][0-9][0-9][0-9] .*/
-	| /(-)?[0-9]+/
-	;
-
-const vary_pat =
-	/((\*| *|accept|accept\-charset|negotiate|host|user\-agent|accept\-language|accept\-encoding|cookie),?)*/ ;
-
-const accept_lang_pat =
-	/(( *|tw|cs|mx|tr|ru|sk|au|hn|sv|no|bg|en|ko|kr|ca|pl|nz|fr|ch|jo|gb|zh|hk|cn|lv|de|nl|dk|fi|nl|es|pe|it|pt|br|ve|cl|ja|jp|he|ha|ar|us|en-us|da)(\; *q\=[0-9](\.[0-9]+)?)?(,|-|\_)?)*/ ;
-
-const accept_pat =
-	/(( *|audio|application|\*|gif|xml|xhtml\+xml|x-rgb|x-xbm|video|x-gsarcade-launch|mpeg|sgml|tiff|x-rgb|x-xbm|postscript|text|html|x-xbitmap|pjpeg|vnd.ms-powerpoint|vnd.ms-excel|msword|salt\+html|xhtml|plain|jpeg|jpg|x-shockwave-flash|x-|css|image|png|\*)(\; *q\=[0-9]*(\.[0-9]+)?)?(,|\/|\+)?)*/ ;
-
-const tcn_pat = /list|choice|adhoc|re-choose|keep/;
-
-const date_pat =
-	  /(sun|mon|tue|wed|thu|fri|sat)\,*[0-9]+ *(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ ([0-9]+:)*[0-9]+ gmt/
-	| /(sun|mon|tue|wed|thu|fri|sat)*(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ *([0-9]+:)*[0-9]+(am|pm)?( *[0-9]+)?( *gmt)?/ ;
-
-const content_encoding_pat = /gzip|deflate|x-compress|x-gzip/;
-
-const hashed_headers =
-	  /COOKIE/
-	| /AUTHOR/
-	| /CACHE-CONTROL/
-	| /ETAG/
-	| /VIA/
-	| /X-VIA/
-	| /IISEXPORT/
-	| /SET-COOKIE/
-	| /X-JUNK/
-	| /PRAGMA/
-	| /AUTHORIZATION/
-	| /X-POWERED-BY/
-	| /X-CACHE/
-	| /X-FORWARDED-FOR/
-	| /X-PAD/
-	| /X-C/
-	| /XSERVER/
-	| /FROM/
-	| /CONTENT-DISPOSITION/
-	| /X-ASPNET-VERSION/
-	| /GUID/
-	| /REGIONDATA/
-	| /CLIENTID/
-	| /X-CACHE-HEADERS-SET-BY/
-	| /X-CACHE-LOOKUP/
-	| /WARNING/
-	| /MICROSOFTOFFICEWEBSERVER/
-	| /IF-NONE-MATCH/
-	| /X-AMZ-ID-[0-9]/
-	| /X-N/
-	| /X-TR/
-	| /X-RSN/
-	#| /X-POOKIE/	# these are weird ... next two are from slashdot
-	#| /X-FRY/
-	#| /X-BENDER/
-	| /RANGE/
-	| /IF-RANGE/
-	| /CONTENT-RANGE/
-	| /AD-REACH/
-	| /HMSERVER/
-	| /STATUS/
-	| /X-SERVED/
-	| /WWW-AUTHENTICATE/
-	| /X-RESPONDING-SERVER/
-	| /MAX-AGE/
-	| /POST-CHECK/
-	| /PRE-CHECK/
-	| /X-CONTENT-ENCODED-BY/
-	| /X-USER-IP/
-	| /X-ICAP-VERSION/
-	| /X-DELPHI/
-	| /AUTHENTICATION-INFO/
-	| /PPSERVER/
-	| /EDGE-CONTROL/
-	| /COMPRESSION-CONTROL/
-	| /CONTENT-MD5/
-	| /X-HOST/
-	| /P3P/
-	;
-
-event http_request(c: connection, method: string,
-		   original_URI: string, unescaped_URI: string, version: string)
-	{
-	if (! rewriting_trace() )
-		return;
-
-	print http_anon_log,
-		fmt(" > %s %s %s ", method, original_URI, version);
-
-	if ( to_lower(method) != http_methods )
-		{
-		print http_anon_log, fmt("*** Unknown method %s", method);
-		method = string_cat(" (anon-unknown) ", anonymize_string(method));
-		}
-
-	original_URI = anonymize_http_URI(original_URI);
-
-	if ( version != http_version )
-		{
-		print http_anon_log, fmt("*** Unknown version %s ", version);
-		version = string_cat(" (anon-unknown) ", anonymize_string(version));
-		}
-
-	print http_anon_log, fmt(" < %s %s %s ", method, original_URI, version);
-
-	rewrite_http_request(c, method, original_URI, version);
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	if ( rewriting_trace() )
-		{
-		reason = to_lower(strip(reason));
-		if ( reason !in http_response_reasons )
-			{
-			print http_anon_log,
-				fmt("*** Unknown reply reason %s ", reason);
-			rewrite_http_reply(c, version, code,
-				anonymize_string(reason));
-			}
-		else
-			rewrite_http_reply(c, version, code, reason);
-		}
-	}
-
-function check_pat(value: string, pat: pattern, name: string): string
-	{
-	if ( value == pat )
-		return value;
-
-	print http_anon_log, fmt("*** invalid %s: %s", name, value);
-	return "(anon-unknown): ";
-	}
-
-function check_pat2(value: string, pat: pattern, name: string): string
-	{
-	if ( value == pat )
-		return value;
-
-	print http_anon_log, fmt("*** invalid %s: %s", name, value);
-	return fmt("(anon-unknown): %s", anonymize_string(value));
-	}
-
-function check_pat3(value: string, pat: pattern): string
-	{
-	if ( value == pat )
-		return value;
-
-	return fmt("(anon-unknown): %s", anonymize_string(value));
-	}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	# Only rewrite top-level headers.
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level != 1 )
-		return;
-
-	value = strip(value);
-
-	if ( name == "CONTENT-LENGTH" )
-		{
-		# if ( rewrite_header_in_position )
-		# {
-		#     local p = current_packet(c);
-		#     if ( p$is_orig == is_orig )
-		#     {
-		#         # local s = lookup_http_request_stream(c);
-		#         # local msg = get_http_message(s, is_orig);
-		#         if ( msg$header_slot == 0 )
-		#             msg$header_slot = reserve_rewrite_slot(c);
-		#     }
-		#     else
-		#         print fmt("cannot reserve a slot at %.6f", network_time());
-		# }
-		print http_anon_log,
-			fmt("X-Original-Content-Length: %s --", value);
-		name = "X-Original-Content-Length";
-		}
-
-	else if ( name == "TRANSFER-ENCODING" || name == "TE" )
-		{
-		print http_anon_log, fmt("TRANSFER-ENCOODING: %s --", value);
-		name = "X-Original-Transfer-Encoding";
-		}
-
-	else if ( name == "HOST" )
-		{
-		local anon_host = "";
-
-		if ( value == simple_filename )
-			anon_host = anonymize_path(value);
-		else
-			anon_host = anonymize_host(value);
-
-		print http_anon_log, fmt("HOST: %s > %s", value, anon_host);
-		value = anon_host;
-		}
-
-	else if ( name == "REFERER" )
-		{
-		local anon_ref = anonymize_http_URI(value);
-		print http_anon_log, fmt("REFERER: %s > %s", value, anon_ref);
-		value = anon_ref;
-		}
-
-	else if ( name == "LOCATION" || name == "CONTENT-LOCATION" )
-		value = anonymize_http_URI(value);
-
-	else if ( name == "SERVER" )
-		value = filter_in_http_server(to_lower(value));
-
-	else if ( name == "USER-AGENT" )
-		value = filter_in_http_useragent(to_lower(value));
-
-	else if ( name == "KEEP-ALIVE" )
-		value = check_pat(value, keep_alive_pat, "keep-alive");
-
-	else if ( name == "DATE" || name == "IF-MODIFIED-SINCE" ||
-		  name == "UNLESS-MODIFIED-SINCE" )
-		value = check_pat2(to_lower(value), date_pat, "date");
-
-	else if ( name == "ACCEPT-CHARSET" )
-		value = check_pat(to_lower(value), accept_charset_pat,
-					"accept-charset");
-
-	else if ( name == "CONTENT-TYPE" )
-		{
-		value = check_pat2(to_lower(value), content_type, "content-type");
-		# local stream = lookup_http_request_stream(c);
-		# local the_http_msg = get_http_message(stream, is_orig);
-		# the_http_msg$content_type = value;
-		}
-
-	else if ( name == "ACCEPT-ENCODING" )
-		value = check_pat2(to_lower(value), accept_enc_pat,
-					"accept-encoding");
-
-	else if ( name == "PAGE-COMPLETION-STATUS" )
-		value = check_pat2(to_lower(value), /(ab)?normal/,
-					"page-completion-status");
-
-	else if ( name == "CONNECTION" || name == "PROXY-CONNECTION" )
-		value = check_pat2(to_lower(value), connection_pat,
-					"connection type");
-
-	else if ( name == "LAST-MODIFIED" || name == "EXPIRES" )
-		value = check_pat(value, last_modified_pat, name);
-
-	else if (name == "ACCEPT-LANGUAGE" || name == "LANGUAGE")
-		value = check_pat2(to_lower(value), accept_lang_pat,
-					"accept-language");
-
-	else if ( name == "ACCEPT" )
-		value = check_pat(to_lower(value), accept_pat, "accept");
-
-	else if ( name == "ACCEPT-RANGES" )
-		value = check_pat2(to_lower(value), /(bytes|none) */,
-					"accept-ranges");
-
-	else if ( name == "MIME-VERSION" )
-		value = check_pat3(value, /[0-9]\.[0-9]/);
-
-	else if ( name == "TCN" )
-		value = check_pat3(value, tcn_pat);
-
-	else if ( name == "CONTENT-ENCODING" )
-		value = check_pat2(value, content_encoding_pat,
-					"content-encoding");
-
-	else if ( name == "CONTENT-LANGUAGE" )
-		value = check_pat2(value, accept_lang_pat, "content-language");
-
-	else if ( name == "ALLOW" )
-		value = check_pat3(value, http_methods);
-
-	else if ( name == "AGE" || name == "BANDWIDTH" )
-		value = check_pat3(value, /[0-9]+/);
-
-	else if ( name == "VARY" )
-		value = check_pat2(value, vary_pat, "vary");
-
-	else if ( name == hashed_headers )
-		value = anonymize_string(value);
-
-	else
-		{
-		print http_anon_log, fmt("unknown header: %s : %s", name, value);
-		value = string_cat("(anon-unknown): ", anonymize_string(value));
-		}
-
-	rewrite_http_header(c, is_orig, name, value);
-	}
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( rewrite_header_in_position )
-		{
-		local p = current_packet(c);
-		if ( p$is_orig == is_orig )
-			{
-			local s = lookup_http_request_stream(c);
-			local msg = get_http_message(s, is_orig);
-			if ( msg$header_slot == 0 )
-				msg$header_slot = reserve_rewrite_slot(c);
-			}
-		else
-			print fmt("cannot reserve a slot at %.6f", network_time());
-
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-		}
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( stat$interrupted )
-		{
-		print http_log,
-			fmt("%.6f %s message interrupted at length=%d \"%s\"",
-				network_time(), id_string(c$id),
-				stat$body_length, stat$finish_msg);
-		}
-
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	if ( msg$header_slot > 0 )
-		seek_rewrite_slot(c, msg$header_slot);
-
-	local data_length = 0;
-	local data_hash = "";
-	local sanitized_abstract = "";
-
-	if ( ! is_orig || stat$body_length > 0 )
-		{
-		data_length = byte_len(msg$abstract);
-		data_hash = anonymize_string(msg$abstract);
-		sanitized_abstract = string_fill(data_length, data_hash);
-
-		data_length += stat$content_gap_length;
-
-		rewrite_http_header(c, is_orig, "Content-Length",
-					fmt(" %d", data_length));
-
-		rewrite_http_header(c, is_orig, "X-anon-content-hash",
-					fmt(" %s", data_hash));
-
-		rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
-					fmt(" %d; gap=%d, content-length=%s",
-						stat$body_length,
-						stat$content_gap_length,
-						msg$content_length));
-		}
-
-	if ( msg$header_slot > 0 )
-		{
-		release_rewrite_slot(c, msg$header_slot);
-		msg$header_slot = 0;
-		}
-
-	if ( ! rewrite_header_in_position )
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-
-	if ( data_length > 0 )
-		rewrite_http_data(c, is_orig, sanitized_abstract);
-	}
diff --git a/policy/http-body.bro b/policy/http-body.bro
deleted file mode 100644
index 77c1c30680..0000000000
--- a/policy/http-body.bro
+++ /dev/null
@@ -1,60 +0,0 @@
-# $Id: http-body.bro 5230 2008-01-14 01:38:18Z vern $
-
-# Counts length of data.
-#
-# If log_HTTP_data = T, it also outputs an abstract of data.
-
-@load http
-
-module HTTP;
-
-redef process_HTTP_data = T;
-redef log_HTTP_data = T;
-
-export {
-	# If the following is > 0, then when logging contents, they will be
-	# truncated beyond this many bytes.
-	global content_truncation_limit = 40 &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	local len = byte_len(data);
-
-	msg$data_length = msg$data_length + length;
-
-	if ( log_HTTP_data )
-		{
-		local abstract: string;
-		if ( content_truncation_limit > 0 &&
-		     len > content_truncation_limit )
-			abstract = cat(sub_bytes(data, 1, content_truncation_limit), "...");
-		else
-			abstract = data;
-
-		print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
-					network_time(), s$id,
-					is_orig ? "=>" : "<=", length,
-					abstract);
-		}
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	# This is for debugging purpose only
-	if ( msg$data_length > 0 &&
-	     stat$body_length != msg$data_length + stat$content_gap_length)
-		{
-		# This can happen for multipart messages with a
-		# 'content-length' header, which is not required for multipart
-		# messages.
-		alarm fmt("length mismatch: %s %d %d %d",
-			id_string(c$id), stat$body_length, msg$data_length,
-			stat$content_gap_length);
-		}
-	}
diff --git a/policy/http-detect-passwd.bro b/policy/http-detect-passwd.bro
deleted file mode 100644
index 8ad71168c2..0000000000
--- a/policy/http-detect-passwd.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load http
-
-module HTTP;
-
-export {
-	redef enum Notice += {
-		PasswordFullFetch,	# they got back the whole thing
-		PasswordShadowFetch,	# they got back a shadowed version
-	};
-
-	# Pattern to search for in replies indicating that a full password
-	# file was returned.
-	const full_fetch =
-		/[[:alnum:]]+\:[[:alnum:]]+\:[[:digit:]]+\:[[:digit:]]+\:/
-	&redef;
-
-	# Same, but indicating a shadow password file was returned.
-	const shadow_fetch =
-		/[[:alnum:]]+\:\*\:[[:digit:]]+\:[[:digit:]]+\:/
-	&redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
-	{
-	local s = lookup_http_request_stream(c);
-	local n = s$first_pending_request;
-	if ( n !in s$requests )
-		return;
-
-	local req = s$requests[n];
-	local passwd_request = req$passwd_req;
-	if ( ! passwd_request )
-		return;
-
-	if ( full_fetch in data )
-		NOTICE([$note=PasswordFullFetch,
-			$conn=c, $method=req$method, $URL=req$URI,
-			$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
-					req$method, req$URI)]);
-	else if ( shadow_fetch in data )
-		NOTICE([$note=PasswordShadowFetch,
-			$conn=c, $method=req$method, $URL=req$URI,
-			$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
-					req$method, req$URI)]);
-	}
diff --git a/policy/http-entity.bro b/policy/http-entity.bro
deleted file mode 100644
index 9084b65661..0000000000
--- a/policy/http-entity.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: http-entity.bro 6 2004-04-30 00:31:26Z jason $
-
-# Counts entity_level.
-
-module HTTP;
-
-event http_begin_entity(c: connection, is_orig: bool)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	++msg$entity_level;
-	}
-
-event http_end_entity(c: connection, is_orig: bool)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	if ( msg$entity_level > 0 )
-		--msg$entity_level;
-	}
diff --git a/policy/http-event.bro b/policy/http-event.bro
deleted file mode 100644
index 450be5cf1d..0000000000
--- a/policy/http-event.bro
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: http-event.bro 6 2004-04-30 00:31:26Z jason $
-
-@load http
-
-module HTTP;
-
-event http_event(c: connection, event_type: string, detail: string)
-	{
-	print http_log, fmt("%.6f %s HTTP event: [%s] \"%s\"",
-				network_time(), id_string(c$id),
-				event_type, detail);
-	}
diff --git a/policy/http-extract-items.bro b/policy/http-extract-items.bro
deleted file mode 100644
index 4c7b1a1c0d..0000000000
--- a/policy/http-extract-items.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id:$
-
-# Extracts the items from HTTP traffic, one per file.
-# Files are named:
-#
-#    <prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>
-#
-# where <prefix> is a redef'able prefix (default: "http-item"), <n> is
-# a number uniquely identifying the item, the next four are describe
-# the connection tuple, and <is-orig> is "orig" if the item was transferred
-# from the originator to the responder, "resp" otherwise.
-
-@load http-reply
-
-module HTTP_extract_items;
-
-global prefix = "http-item" &redef;
-global item_file: table[conn_id] of file;
-global nitems = 0;
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
-	{
-	local id = c$id;
-	if ( id !in item_file )
-		{
-		# Create a new file for this one.
-		local fname = fmt("%s.%d.%s_%d.%s_%d.%s",
-					prefix, ++nitems,
-					id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p,
-					is_orig ? "orig" : "resp");
-		item_file[id] = open(fname);
-		}
-
-	write_file(item_file[id], data);
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	delete item_file[c$id];
-	}
diff --git a/policy/http-header.bro b/policy/http-header.bro
deleted file mode 100644
index 3d676488ff..0000000000
--- a/policy/http-header.bro
+++ /dev/null
@@ -1,34 +0,0 @@
-# $Id: http-header.bro 7073 2010-09-13 00:45:02Z vern $
-
-# Prints out detailed HTTP headers.
-
-module HTTP;
-
-export {
-	# The following lets you specify headers that you don't want
-	# to print out.
-	global skip_header: set[string] &redef;
-
-	# If you add anything to the following table, *only* the headers
-	# included will be recorded.
-	global include_header: set[string] &redef;
-
-	# For example:
-	# 	redef skip_header += { "COOKIE", "SET-COOKIE" };
-	# will refrain from printing cookies.
-}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( name in skip_header )
-		return;
-
-	if ( |include_header| > 0 && name !in include_header )
-		return;
-
-	local s = lookup_http_request_stream(c);
-
-	print http_log, fmt("%.6f %s %s %s: %s",
-				network_time(), s$id,
-				is_orig ? ">" : "<", name, value);
-	}
diff --git a/policy/http-identified-files.bro b/policy/http-identified-files.bro
deleted file mode 100644
index a4ecd2cf7f..0000000000
--- a/policy/http-identified-files.bro
+++ /dev/null
@@ -1,115 +0,0 @@
-# $Id:$
-#
-# Analyze HTTP entities for sensitive types (e.g., executables).
-#
-# Contributed by Seth Hall.
-
-@load http-reply
-
-module HTTP;
-
-const http_identified_log = open_log_file("http-id");
-
-export {
-	# Base the libmagic analysis on this many bytes.  Currently,
-	# we will in fact use fewer (basically, just what's in the
-	# first data packet).
-	const magic_content_limit = 1024 &redef;
-
-	# These MIME types are logged and generate a Notice.  The patterns
-	# need to match the entire description as returned by libMagic.
-	# For example, for plain text it can return
-	# "text/plain charset=us-ascii", so you might want to use
-	# /text\/plain.*/.
-	const watched_mime_types =
-		  /application\/x-dosexec/	# Windows and DOS executables
-		| /application\/x-executable/	# *NIX executable binary
-	&redef;
-
-	const watched_descriptions = /PHP script text/ &redef;
-
-	# URLs included here are not logged and notices are not generated.
-	# Take care when defining patterns to not be overly broad.
-	const ignored_urls =
-		/^http:\/\/www\.download\.windowsupdate\.com\// &redef;
-
-	redef enum Notice += {
-		# Generated when we see a MIME type we flagged for watching.
-		HTTP_WatchedMIMEType,
-
-		# Generated when the file extension doesn't match
-		# the file contents.
-		HTTP_IncorrectFileType,
-	};
-
-	# Create patterns that *should* be in the URLs for specific MIME types.
-	# Notices are generated if the pattern doesn't match.
-	const mime_types_extensions = {
-		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
-	} &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
-	{
-	if ( is_orig )
-		# For now we only inspect server responses.
-		return;
-
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-@ifndef	( content_truncation_limit )
-	# This is only done if http-body.bro is not loaded.
-	msg$data_length = msg$data_length + length;
-@endif
-
-	# For the time being, we'll just use the data from the first packet.
-	# Don't continue until we have enough data.
-	# if ( msg$data_length < magic_content_limit )
-	#	return;
-
-	# Right now, only try this for the first chunk of data
-	if ( msg$data_length > length )
-		return;
-
-	local abstract = sub_bytes(data, 1, magic_content_limit);
-	local magic_mime = identify_data(abstract, T);
-	local magic_descr = identify_data(abstract, F);
-
-	if ( (magic_mime == watched_mime_types ||
-	      watched_descriptions in magic_descr) &&
-	     s$first_pending_request in s$requests )
-		{
-		local r = s$requests[s$first_pending_request];
-		local host = (s$next_request$host=="") ?
-			fmt("%s", c$id$resp_h) : s$next_request$host;
-
-		event file_transferred(c, abstract, magic_descr, magic_mime);
-
-		local url = fmt("http://%s%s", host, r$URI);
-		if ( ignored_urls in url )
-			return;
-
-		local file_type = "";
-		if ( magic_mime == watched_mime_types )
-			file_type = magic_mime;
-		else
-			file_type = magic_descr;
-
-		local message = fmt("%s %s %s %s",
-				id_string(c$id), file_type, r$method, url);
-
-		NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=c,
-			$method=r$method, $URL=url]);
-
-		print http_identified_log, fmt("%.06f %s %s",
-			network_time(), s$id, message);
-
-		if ( (magic_mime in mime_types_extensions &&
-		      mime_types_extensions[magic_mime] !in url) ||
-		     (magic_descr in mime_types_extensions &&
-		      mime_types_extensions[magic_descr] !in url) )
-			NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
-				$conn=c, $method=r$method, $URL=url]);
-		}
-	}
diff --git a/policy/http-reply.bro b/policy/http-reply.bro
deleted file mode 100644
index e410b1fc34..0000000000
--- a/policy/http-reply.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: http-reply.bro 2694 2006-04-02 22:50:00Z vern $
-
-@load http-request
-
-module HTTP;
-
-redef capture_filters += {
-	["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000"
-};
-
-redef process_HTTP_replies = T;
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = s$next_reply;
-
-	init_http_message(msg);
-
-	msg$initiated = T;
-	msg$code = code;
-	msg$reason = reason;
-	}
-
-function http_request_done(c: connection, stat: http_message_stat)
-	{
-	local s = lookup_http_request_stream(c);
-	local msg = s$next_request;
-	msg$initiated = F;
-	}
-
-function http_reply_done(c: connection, stat: http_message_stat)
-	{
-	local s = lookup_http_request_stream(c);
-	local req_msg = s$next_request;
-	local msg = s$next_reply;
-	local req: string;
-	local have_request = F;
-	local log_it: bool;
-
-	if ( s$num_pending_requests == 0 )
-		{
-		# Weird - reply w/o request - perhaps due to cold start?
-		req = "<unknown request>";
-		log_it = F;
-		}
-	else
-		{
-		local r = s$requests[s$first_pending_request];
-		have_request = T;
-
-		# Remove pending request.
-		delete s$requests[s$first_pending_request];
-		--s$num_pending_requests;
-		++s$first_pending_request;
-
-		req = fmt("%s %s", r$method, r$URI);
-		log_it = r$log_it;
-		}
-
-	local req_rep =
-		fmt("%s (%d \"%s\" [%d%s]%s)",
-			req, msg$code, string_escape(msg$reason, "\""),
-			stat$body_length,
-			stat$interrupted ? " (interrupted)" : "",
-			have_request ? fmt(" %s", req_msg$host) : "");
-
-	# The following is a more verbose form:
-# 	local req_rep =
-# 		fmt("%s (%d \"%s\" [\"%s\", %d%s%s])",
-# 			req, msg$code, msg$reason,
-# 			msg$content_length, stat$body_length,
-# 			stat$interrupted ? " (interrupted)" : "",
-# 			stat$content_gap_length > 0 ?
-# 				fmt(" (gap = %d bytes)", stat$content_gap_length) : "");
-
-	if ( log_it )
-		NOTICE([$note=HTTP_SensitiveURI, $conn=c,
-			$method = r$method, $URL = r$URI,
-			$n = msg$code,
-			$msg = fmt("%s %s: %s",
-				id_string(c$id), c$addl, req_rep)]);
-
-	print http_log, fmt("%.6f %s %s", network_time(), s$id, req_rep);
-
-	msg$initiated = F;
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( is_orig )
-		http_request_done(c, stat);
-	else
-		http_reply_done(c, stat);
-	}
-
-@load http-entity
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	# Only rewrite top-level headers.
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level == 1 )
-		{
-		if ( name == "CONTENT-LENGTH" )
-			msg$content_length = value;
-
-		else if ( is_orig && name == "HOST" )
-			{ # suppress leading blank
-			if ( /^ / in value )
-				msg$host = sub_bytes(value, 2, -1);
-			else
-				msg$host = value;
-			}
-		}
-	}
diff --git a/policy/http-request.bro b/policy/http-request.bro
deleted file mode 100644
index d5d647c977..0000000000
--- a/policy/http-request.bro
+++ /dev/null
@@ -1,104 +0,0 @@
-# $Id: http-request.bro 6726 2009-06-07 22:09:55Z vern $
-
-# Analysis of HTTP requests.
-
-@load http
-
-module HTTP;
-
-export {
-	const sensitive_URIs =
-		  /etc\/(passwd|shadow|netconfig)/
-		| /IFS[ \t]*=/
-		| /nph-test-cgi\?/
-		| /(%0a|\.\.)\/(bin|etc|usr|tmp)/
-		| /\/Admin_files\/order\.log/
-		| /\/carbo\.dll/
-		| /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
-		| /\/cgi-dos\/args\.bat/
-		| /\/cgi-win\/uploader\.exe/
-		| /\/search97\.vts/
-		| /tk\.tgz/
-		| /ownz/	# somewhat prone to false positives
-		| /viewtopic\.php.*%.*\(.*\(/	# PHP attack, 26Nov04
-		# a bunch of possible rootkits
-		| /sshd\.(tar|tgz).*/
-		| /[aA][dD][oO][rR][eE][bB][sS][dD].*/
-		# | /[tT][aA][gG][gG][eE][dD].*/	# prone to FPs
-		| /shv4\.(tar|tgz).*/
-		| /lrk\.(tar|tgz).*/
-		| /lyceum\.(tar|tgz).*/
-		| /maxty\.(tar|tgz).*/
-		| /rootII\.(tar|tgz).*/
-		| /invader\.(tar|tgz).*/
-	&redef;
-
-	# Used to look for attempted password file fetches.
-	const passwd_URI = /passwd/ &redef;
-
-	# URIs that match sensitive_URIs but can be generated by worms,
-	# and hence should not be flagged (because they're so common).
-	const worm_URIs =
-		  /.*\/c\+dir/
-		| /.*cool.dll.*/
-		| /.*Admin.dll.*Admin.dll.*/
-	&redef;
-
-	# URIs that should not be considered sensitive if accessed by
-	# a local client.
-	const skip_remote_sensitive_URIs =
-		/\/cgi-bin\/(phf|php\.cgi|test-cgi)/
-	&redef;
-
-	const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
-}
-
-redef capture_filters +=  {
-	["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
-};
-
-event http_request(c: connection, method: string, original_URI: string,
-			unescaped_URI: string, version: string)
-	{
-	local log_it = F;
-	local URI = unescaped_URI;
-
-	if ( (sensitive_URIs in URI && URI != worm_URIs) ||
-	     (method == "POST" && sensitive_post_URIs in URI) )
-		{
-		if ( is_local_addr(c$id$orig_h) &&
-		     skip_remote_sensitive_URIs in URI )
-			; # don't flag it after all
-		else
-			log_it = T;
-		}
-
-	local s = lookup_http_request_stream(c);
-
-	if ( process_HTTP_replies )
-		{
-		# To process HTTP replies, we need to record the corresponding
-		# requests.
-		local n = s$first_pending_request + s$num_pending_requests;
-
-		s$requests[n] = [$method=method, $URI=URI, $log_it=log_it,
-					$passwd_req=passwd_URI in URI];
-		++s$num_pending_requests;
-
-		# if process_HTTP_messages
-		local msg = s$next_request;
-
-		init_http_message(msg);
-		msg$initiated = T;
-		}
-	else
-		{
-		if ( log_it )
-			NOTICE([$note=HTTP_SensitiveURI, $conn=c,
-				$method = method, $URL = URI,
-				$msg=fmt("%s %s: %s %s",
-					id_string(c$id), c$addl, method, URI)]);
-		print http_log,
-			fmt("%.6f %s %s %s", network_time(), s$id, method, URI);
-		}
-	}
diff --git a/policy/http-rewriter.bro b/policy/http-rewriter.bro
deleted file mode 100644
index 3b8222c21a..0000000000
--- a/policy/http-rewriter.bro
+++ /dev/null
@@ -1,137 +0,0 @@
-# $Id: http-rewriter.bro 416 2004-09-17 03:52:28Z vern $
-
-# We can't do HTTP rewriting unless we process everything in the connection.
-@load http-reply
-@load http-entity
-
-module HTTP;
-
-redef rewriting_http_trace = T;
-redef http_entity_data_delivery_size = 4096;
-
-const rewrite_header_in_position = F;
-
-event http_request(c: connection, method: string,
-		   original_URI: string, unescaped_URI: string, version: string)
-	{
-	if ( rewriting_trace() )
-		rewrite_http_request(c, method, original_URI, version);
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	if ( rewriting_trace() )
-		rewrite_http_reply(c, version, code, reason);
-	}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	# Only rewrite top-level headers.
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level == 1 )
-		{
-		if ( name == "CONTENT-LENGTH" )
-			{
-			if ( rewrite_header_in_position )
-				{
-				local p = current_packet(c);
-				if ( p$is_orig == is_orig )
-					{
-					# local s = lookup_http_request_stream(c);
-					# local msg = get_http_message(s, is_orig);
-					if ( msg$header_slot == 0 )
-						msg$header_slot = reserve_rewrite_slot(c);
-					}
-				else
-					print fmt("cannot reserve a slot at %.6f", network_time());
-				}
-			# rewrite_http_header(c, is_orig,
-			#		"X-Original-Content-Length", value);
-			}
-
-		else if ( name == "TRANSFER-ENCODING" )
-			rewrite_http_header(c, is_orig,
-					"X-Original-Transfer-Encoding", value);
-
-		else
-			rewrite_http_header(c, is_orig, name, value);
-		}
-	}
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( rewrite_header_in_position )
-		{
-		local p = current_packet(c);
-		if ( p$is_orig == is_orig )
-			{
-			local s = lookup_http_request_stream(c);
-			local msg = get_http_message(s, is_orig);
-			if ( msg$header_slot == 0 )
-				msg$header_slot = reserve_rewrite_slot(c);
-			}
-		else
-			print fmt("cannot reserve a slot at %.6f", network_time());
-
-	      # An empty line to mark the end of headers.
-	      rewrite_http_data(c, is_orig, "\r\n");
-	      }
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	local data_length = 0;
-
-	if ( stat$interrupted )
-		{
-		print http_log,
-			fmt("%.6f %s message interrupted at length=%d \"%s\"",
-				network_time(), id_string(c$id),
-				stat$body_length, stat$finish_msg);
-		}
-
-	if ( msg$header_slot > 0 )
-		seek_rewrite_slot(c, msg$header_slot);
-
-	if ( ! is_orig || stat$body_length > 0 )
-		{
-		if ( include_HTTP_abstract )
-			data_length = byte_len(msg$abstract);
-
-		data_length = data_length + stat$content_gap_length;
-
-		rewrite_http_header(c, is_orig, "Content-Length",
-					fmt(" %d", data_length));
-		}
-
-	rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
-				fmt(" %d; gap=%d, content-length=%s",
-					stat$body_length,
-					stat$content_gap_length,
-					msg$content_length));
-	if ( msg$header_slot > 0 )
-		{
-		release_rewrite_slot(c, msg$header_slot);
-		msg$header_slot = 0;
-		}
-
-	if ( ! rewrite_header_in_position )
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-
-	if ( data_length > 0 )
-		rewrite_http_data(c, is_orig, msg$abstract);
-	}
diff --git a/policy/http.bro b/policy/http.bro
deleted file mode 100644
index 90b0aa2daa..0000000000
--- a/policy/http.bro
+++ /dev/null
@@ -1,236 +0,0 @@
-# $Id: http.bro 6726 2009-06-07 22:09:55Z vern $
-
-@load notice
-@load site
-@load conn-id
-
-module HTTP;
-
-export {
-	redef enum Notice += {
-		HTTP_SensitiveURI,	# sensitive URI in GET/POST/HEAD
-	};
-}
-
-# DPM configuration.
-global http_ports = {
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
-	8000/tcp, 8080/tcp, 8888/tcp,
-};
-redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
-redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };
-
-# HTTP processing options.
-export {
-	const process_HTTP_replies = F &redef;
-	const process_HTTP_data = F &redef;
-	const include_HTTP_abstract = F &redef;
-	const log_HTTP_data = F &redef;
-}
-
-type http_pending_request: record {
-	method: string;
-	URI: string;
-	log_it: bool;
-
-	# Whether we determined it's an attempted passwd file fetch.
-	passwd_req: bool;
-};
-
-# Eventually we will combine http_pending_request and http_message.
-
-type http_message: record {
-	initiated: bool;
-	code: count;		# for HTTP reply message
-	reason: string;		# for HTTP reply message
-	entity_level: count;	# depth of enclosing MIME entities
-	data_length: count;	# actual length of data delivered
-	content_length: string;	# length specified in CONTENT-LENGTH header
-	header_slot: count;	# rewrite slot at the end of headers
-	abstract: string;	# data abstract
-	skip_abstract: bool;	# to skip abstract for certain content types
-	host: string;		# host indicated in Host header
-};
-
-type http_pending_request_stream: record {
-	# Number of first pending request.
-	first_pending_request: count &default = 0;
-
-	# Total number of pending requests.
-	num_pending_requests: count &default = 0;
-
-	# Indexed from [first_pending_request ..
-	#		(first_pending_request + num_pending_requests - 1)]
-	requests: table[count] of http_pending_request;
-
-	next_request: http_message; 	# the on-going request
-	next_reply: http_message;	# the on-going reply
-
-	# len_next_reply: count;	# 0 means unspecified
-	# len_next_request: count;
-
-	id: string;	# repeated from http_session_info, for convenience
-};
-
-type http_session_info: record {
-	id: string;
- 	request_stream: http_pending_request_stream;
-};
-
-const http_log = open_log_file("http") &redef;
-
-# Called when an HTTP session times out.
-global expire_http_session:
-	function(t: table[conn_id] of http_session_info, id: conn_id)
-		: interval;
-
-export {
-	# Indexed by conn_id.
-	# (Exported so that we can define a timeout on it.)
-	global http_sessions: table[conn_id] of http_session_info
-			&expire_func = expire_http_session
-			&read_expire = 15 min;
-}
-
-global http_session_id = 0;
-
-function init_http_message(msg: http_message)
-	{
-	msg$initiated = F;
-	msg$code = 0;
-	msg$reason = "";
-	msg$entity_level = 0;
-	msg$data_length = 0;
-	msg$content_length = "";
-	msg$header_slot = 0;
-	msg$abstract = "";
-	msg$skip_abstract = F;
-	msg$host = "";
-	}
-
-function new_http_message(): http_message
-	{
-	local msg: http_message;
-	init_http_message(msg);
-	return msg;
-	}
-
-function new_http_session(c: connection): http_session_info
-	{
-	local session = c$id;
-	local new_id = ++http_session_id;
-
-	local info: http_session_info;
-	info$id = fmt("%%%s", prefixed_id(new_id));
-
-	local rs: http_pending_request_stream;
-
-	rs$first_pending_request = 1;
-	rs$num_pending_requests = 0;
-	rs$id = info$id;
-
-	rs$next_request = new_http_message();
-	rs$next_reply = new_http_message();
-	rs$requests = table();
-
-	info$request_stream = rs;
-
-	http_sessions[session] = info;
-
-	print http_log, fmt("%.6f %s start %s:%d > %s:%d", network_time(),
-				info$id, c$id$orig_h,
-				c$id$orig_p, c$id$resp_h, c$id$resp_p);
-
-	return info;
-	}
-
-function lookup_http_session(c: connection): http_session_info
-	{
-	local s: http_session_info;
-	local id = c$id;
-
-	s = id in http_sessions ? http_sessions[id] : new_http_session(c);
-
-	append_addl(c, s$id);
-
-	return s;
-	}
-
-function lookup_http_request_stream(c: connection): http_pending_request_stream
-	{
-	local s = lookup_http_session(c);
-
-	return s$request_stream;
-	}
-
-function get_http_message(s: http_pending_request_stream, is_orig: bool): http_message
-	{
-	return is_orig ? s$next_request : s$next_reply;
-	}
-
-function finish_stream(session: conn_id, id: string,
-			rs: http_pending_request_stream)
-	{
-	### We really want to do this in sequential order, not table order.
-	for ( i in rs$requests )
-		{
-		local req = rs$requests[i];
-
-		if ( req$log_it )
-			NOTICE([$note=HTTP_SensitiveURI,
-				$src=session$orig_h, $dst=session$resp_h,
-				$URL=req$URI,
-				$method=req$method,
-				$msg=fmt("%s:%d -> %s:%d %s: <no reply>",
-					session$orig_h, session$orig_p,
-					session$resp_h, session$resp_p, id)]);
-
-		local msg = fmt("%s %s <no reply>", req$method, req$URI);
-		print http_log, fmt("%.6f %s %s", network_time(), rs$id, msg);
-		}
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-
-	if ( id !in http_sessions )
-		return;
-
-	local s = http_sessions[id];
-	finish_stream(id, s$id, s$request_stream);
-	delete http_sessions[c$id];
-	}
-
-function expire_http_session(t: table[conn_id] of http_session_info,
-				id: conn_id): interval
-	{
-	### FIXME: not really clear that we need this function at all ...
-	#
-	# One would think that connection_state_remove() already takes care
-	# of everything.  However, without this expire-handler, some requests
-	# don't show up with the test-suite (but haven't reproduced with
-	# smaller traces) - Robin.
-
-	local s = http_sessions[id];
-	finish_stream(id, s$id, s$request_stream);
-	return 0 sec;
-	}
-
-# event connection_timeout(c: connection)
-# 	{
-# 	if ( ! maintain_http_sessions )
-# 		{
-# 		local id = c$id;
-# 		if ( [id$orig_h, id$resp_h] in http_sessions )
-# 			delete http_sessions[id$orig_h, id$resp_h];
-# 		}
-# 	}
-
-# event http_stats(c: connection, stats: http_stats_rec)
-# 	{
-# 	if ( stats$num_requests == 0 && stats$num_replies == 0 )
-# 		return;
-#
-# 	c$addl = fmt("%s (%d v%.1f v%.1f)", c$addl, stats$num_requests, stats$request_version, stats$reply_version);
-# 	}
diff --git a/policy/icmp.bro b/policy/icmp.bro
deleted file mode 100644
index d5e06c4afa..0000000000
--- a/policy/icmp.bro
+++ /dev/null
@@ -1,353 +0,0 @@
-# $Id: icmp.bro 6883 2009-08-19 21:08:09Z vern $
-
-@load hot
-@load weird
-@load conn
-@load scan
-
-global icmp_file = open_log_file("icmp");
-
-redef capture_filters += { ["icmp"] = "icmp" };
-
-module ICMP;
-
-export {
-
-	redef enum Notice += {
-		ICMPAsymPayload,	# payload in echo req-resp not the same
-		ICMPConnectionPair,	# too many ICMPs between hosts
-		ICMPAddressScan,
-	        ICMPRogueRouter,	# v6 advertisement from unknown router
-
-		# The following isn't presently sufficiently useful due
-		# to cold start and packet drops.
-		# ICMPUnpairedEchoReply,	# no EchoRequest seen for EchoReply
-	};
-
-	# Whether to log detailed information icmp.log.
-	const log_details = T &redef;
-
-	# ICMP scan detection.
-	const detect_scans = T &redef;
-	const scan_threshold = 25 &redef;
-
-	# Analysis of connection pairs.
-	const detect_conn_pairs = F &redef;	# switch for connection pair
-	const detect_payload_asym = F &redef;	# switch for echo payload
-	const conn_pair_threshold = 200 &redef;
-
-	# If the IPv6 routers in a network are all known, they can be
-	# whitelisted here. If so, any other router seen sending an
-	# announcement will be reported. If this set remains empty, no such
-	# detection will be done.
-	const router_whitelist: set[addr] &redef;
-}
-
-global conn_pair:table[addr] of set[addr] &create_expire = 1 day;
-global conn_pair_thresh_reached: table[addr] of bool &default=F;
-
-
-
-type flow_id: record {
-	orig_h: addr;
-	resp_h: addr;
-	id: count;
-};
-
-type flow_info: record {
-	start_time: time;
-	last_time: time;
-	orig_bytes: count;
-	resp_bytes: count;
-	payload: string;
-};
-
-const names: table[count] of string = {
-	[0] = "echo_reply",
-	[1] = "unreach",		# icmpv6
-	[2] = "too_big",		# icmpv6
-	[3] = "unreach",
-	[4] = "quench",
-	[5] = "redirect",
-	[8] = "echo_req",
-	[9] = "router_adv",
-	[10] = "router_sol",
-	[11] = "time_xcd",
-	[12] = "param_prob",
-	[13] = "tstamp_req",
-	[14] = "tstamp_reply",
-	[15] = "info_req",
-	[16] = "info_reply",
-	[17] = "mask_req",
-	[18] = "mask_reply",
-	[128] = "echo_req",		# icmpv6
-	[129] = "echo_reply",		# icmpv6
-	[130] = "group_memb_query",	# icmpv6
-	[131] = "group_memb_report",	# icmpv6
-	[132] = "group_memb_reduct",	# icmpv6
-	[133] = "router_sol",		# icmpv6
-	[134] = "router_ad",		# icmpv6
-	[135] = "neighbor_sol", 	# icmpv6
-	[136] = "neighbor_ad", 		# icmpv6
-	[137] = "redirect",		# icmpv6
-	[138] = "router_renum",		# icmpv6
-	[139] = "node_info_query",	# icmpv6
-	[140] = "node_info_resp",	# icmpv6
-	[141] = "inv_neigh_disc_sol",	# icmpv6
-	[142] = "inv_neigh_disc_ad",	# icmpv6
-	[143] = "mul_lis_report",	# icmpv6
-	[144] = "home_agent_addr_req",	# icmpv6
-	[145] = "home_agent_addr_reply",# icmpv6
-	[146] = "mobible_prefx_sol",	# icmpv6
-	[147] = "mobible_prefx_ad",	# icmpv6
-	[148] = "cert_path_sol",	# icmpv6
-	[149] = "cert_path_ad",		# icmpv6
-	[150] = "experimental",		# icmpv6
-	[151] = "mcast_router_ad", 	# icmpv6
-	[152] = "mcast_router_sol",	# icmpv6
-	[153] = "mcast_router_term",	# icmpv6
-	[154] = "fmip",			# icmpv6
-} &default = function(n: count): string { return fmt("icmp-%d", n); };
-
-
-# Map IP protocol number to the protocol's name.
-const IP_proto_name: table[count] of string = {
-	[1]  = "ICMP",
-	[2]  = "IGMP",
-	[6]  = "TCP",
-	[17] = "UDP",
-	[41] = "IPV6",
-	[58] = "ICMPV6",
-} &default = function(n: count): string { return fmt("%s", n); }
-  &redef;
-
-# Print a report for the given ICMP flow.
-function generate_flow_summary(flow: flow_id, fi: flow_info)
-	{
-	local local_init = is_local_addr(flow$orig_h);
-	local local_addr = local_init ? flow$orig_h : flow$resp_h;
-	local remote_addr = local_init ? flow$resp_h : flow$orig_h;
-	local flags = local_init ? "L" : "";
-
-	local state: string;
-	if ( fi$orig_bytes > 0 )
-		{
-		if ( fi$resp_bytes > 0 )
-			state = "SF";
-		else
-			state = "SH";
-		}
-	else if ( fi$resp_bytes > 0 )
-		state = "SHR";
-	else
-		state = "OTH";
-
-	print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s",
-		fi$start_time, fi$last_time - fi$start_time,
-		flow$orig_h, flow$resp_h, "icmp_echo",
-		fi$orig_bytes, fi$resp_bytes, state, flags);
-	}
-
-# Called when a flow is expired in order to generate a report for it.
-function flush_flow(ft: table[flow_id] of flow_info, fi: flow_id): interval
-	{
-	generate_flow_summary(fi, ft[fi]);
-	return 0 sec;
-	}
-
-# Table to track each active flow.
-global flows: table[flow_id] of flow_info
-		&read_expire = 45 sec
-		&expire_func = flush_flow;
-
-function print_log(c: connection, icmp: icmp_conn, addl: string)
-	{
-	if ( ! log_details )
-	    return;
-
-	print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s",
-		network_time(), 0.0, icmp$orig_h, icmp$resp_h,
-		names[icmp$itype], icmp$itype, icmp$icode,
-		icmp$v6 ? "icmp6" : "icmp", icmp$len, addl);
-	}
-
-function print_log_with_context(c: connection, icmp: icmp_conn, context: icmp_context, addl: string)
-	{
-	# Due to the connection data contained *within*
-	# them, each log line will contain two connections' worth
-	# of data.  The initial ICMP connection info is the same
-	# as logged for connections.
-
-	local ctx = fmt("0 EncapPkt: %s %s %s %s %s %s %s %s %s",
-		context$id$orig_h, context$id$orig_p,
-		context$id$resp_h, context$id$resp_p,
-		context$len, IP_proto_name[context$proto],
-		context$len, context$bad_hdr_len,
-		context$bad_checksum);
-
-	print_log(c, icmp, ctx);
-	}
-
-
-event icmp_sent(c: connection, icmp: icmp_conn)
-	{
-	print_log(c, icmp, "0 SH");
-	}
-
-event flow_summary(flow: flow_id, last_time: time)
-	{
-	if ( flow !in flows )
-		return;
-
-	local fi = flows[flow];
-
-	if ( fi$last_time == last_time )
-		{
-		generate_flow_summary(flow, fi);
-		delete flows[flow];
-		}
-	}
-
-function update_flow(icmp: icmp_conn, id: count, is_orig: bool, payload: string)
-	{
-	local fid: flow_id;
-	fid$orig_h = is_orig ? icmp$orig_h : icmp$resp_h;
-	fid$resp_h = is_orig ? icmp$resp_h : icmp$orig_h;
-	fid$id = id;
-
-	if ( fid !in flows )
-		{
-		local info: flow_info;
-		info$start_time = network_time();
-		info$orig_bytes = info$resp_bytes = 0;
-		info$payload = payload;	# checked in icmp_echo_reply
-		flows[fid] = info;
-		}
-
-	local fi = flows[fid];
-
-	fi$last_time = network_time();
-
-	if ( is_orig )
-		fi$orig_bytes = fi$orig_bytes + byte_len(payload);
-	else
-		fi$resp_bytes = fi$resp_bytes + byte_len(payload);
-
-	schedule +30sec { flow_summary(fid, fi$last_time) };
-	}
-
-
-event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
-	{
-	print_log_with_context(c, icmp, context, "");
-	}
-
-event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
-	{
-	update_flow(icmp, id, T, payload);
-
-	local orig = icmp$orig_h;
-	local resp = icmp$resp_h;
-
-	# Simple ping scan detector.
-	if ( detect_scans &&
-	     (orig !in Scan::distinct_peers ||
-	      resp !in Scan::distinct_peers[orig]) )
-		{
-		if ( orig !in Scan::distinct_peers )
-			{
-			local empty_peer_set: set[addr] &mergeable;
-			Scan::distinct_peers[orig] = empty_peer_set;
-			}
-
-		if ( resp !in Scan::distinct_peers[orig] )
-			add Scan::distinct_peers[orig][resp];
-
-		if ( ! Scan::shut_down_thresh_reached[orig] &&
-		     orig !in Scan::skip_scan_sources &&
-		     orig !in Scan::skip_scan_nets &&
-		     |Scan::distinct_peers[orig]| >= scan_threshold )
-			{
-			NOTICE([$note=ICMPAddressScan, $src=orig,
-				$n=scan_threshold,
-				$msg=fmt("%s has icmp echo scanned %s hosts",
-				orig, scan_threshold)]);
-
-			Scan::shut_down_thresh_reached[orig] = T;
-			}
-		}
-
-	if ( detect_conn_pairs )
-		{
-		if ( orig !in conn_pair )
-			{
-			local empty_peer_set2: set[addr] &mergeable;
-			conn_pair[orig] = empty_peer_set2;
-			}
-
-		if ( resp !in conn_pair[orig] )
-			add conn_pair[orig][resp];
-
-		if ( ! conn_pair_thresh_reached[orig] &&
-		     |conn_pair[orig]| >= conn_pair_threshold )
-			{
-			NOTICE([$note=ICMPConnectionPair,
-				$msg=fmt("ICMP connection threshold exceeded : %s -> %s",
-				orig, resp)]);
-			conn_pair_thresh_reached[orig] = T;
-			}
-		}
-	}
-
-event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count,
-			seq: count, payload: string)
-	{
-	# Check payload with the associated flow.
-
-	local fid: flow_id;
-	fid$orig_h = icmp$resp_h;	# We know the expected results since
-	fid$resp_h = icmp$orig_h;	# it's an echo reply.
-	fid$id = id;
-
-	if ( fid !in flows )
-		{
-# 		NOTICE([$note=ICMPUnpairedEchoReply,
-# 			$msg=fmt("ICMP echo reply w/o request: %s -> %s",
-# 				icmp$orig_h, icmp$resp_h)]);
-		}
-	else
-		{
-		if ( detect_payload_asym )
-			{
-			local fi = flows[fid];
-			local pl = fi$payload;
-
-			if ( pl != payload )
-				{
-				NOTICE([$note=ICMPAsymPayload,
-					$msg=fmt("ICMP payload inconsistancy: %s(%s) -> %s(%s)",
-					icmp$orig_h, byte_len(fi$payload),
-					icmp$resp_h, byte_len(payload))]);
-				}
-			}
-		}
-
-	update_flow(icmp, id, F, payload);
-	}
-
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count,
-			context: icmp_context)
-	{
-	print_log_with_context(c, icmp, context, "");
-	}
-
-event icmp_router_advertisement(c: connection, icmp: icmp_conn)
-	{
-	print_log(c, icmp, "");
-
-	if ( |router_whitelist| == 0 || icmp$orig_h in router_whitelist )
-	    return;
-
-	NOTICE([$note=ICMPRogueRouter,
-		$msg=fmt("rouge router advertisement from %s", icmp$orig_h)]);
-	}
diff --git a/policy/ident-rewriter.bro b/policy/ident-rewriter.bro
deleted file mode 100644
index 2cf1d03720..0000000000
--- a/policy/ident-rewriter.bro
+++ /dev/null
@@ -1,115 +0,0 @@
-# $Id: ident-rewriter.bro 47 2004-06-11 07:26:32Z vern $
-
-@load ident
-
-redef rewriting_ident_trace = T;
-
-global public_ident_user_ids = { "root", } &redef;
-global public_ident_systems = { "UNIX", } &redef;
-
-const delay_rewriting_request = T;
-
-function public_ident_user(id: string): bool
-	{
-	return id in public_ident_user_ids;
-	}
-
-function public_system(system: string): bool
-	{
-	return system in public_ident_systems;
-	}
-
-type ident_req: record {
-	lport: port;
-	rport: port;
-	rewrite_slot: count;
-};
-
-# Does not support pipelining ....
-global ident_req_slots: table[addr, port, addr, port] of ident_req;
-
-event ident_request(c: connection, lport: port, rport: port)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-	if ( delay_rewriting_request )
-		{
-		local slot = reserve_rewrite_slot(c);
-		ident_req_slots[id$orig_h, id$orig_p, id$resp_h, id$resp_p] =
-			[$lport = lport, $rport = rport, $rewrite_slot = slot];
-		}
-	else
-		rewrite_ident_request(c, lport, rport);
-	}
-
-event ident_reply(c: connection, lport: port, rport: port,
-		user_id: string, system: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-
-	rewrite_ident_reply(c, lport, rport,
-			public_system(system) ? system : "OTHER",
-			public_ident_user(user_id) ? user_id : "private user");
-	}
-
-event ident_error(c: connection, lport: port, rport: port, line: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-
-	rewrite_ident_error(c, lport, rport, line);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-	}
diff --git a/policy/ident.bro b/policy/ident.bro
deleted file mode 100644
index d52265db65..0000000000
--- a/policy/ident.bro
+++ /dev/null
@@ -1,68 +0,0 @@
-# $Id: ident.bro 5948 2008-07-11 22:29:49Z vern $
-
-@load notice
-@load hot-ids
-
-module Ident;
-
-export {
-	redef enum Notice += {
-		IdentSensitiveID,	# sensitive username in Ident lookup
-	};
-
-	const hot_ident_ids = { always_hot_ids, } &redef;
-	const hot_ident_exceptions = { "uucp", "nuucp", "daemon", } &redef;
-}
-
-redef capture_filters += { ["ident"] = "tcp port 113" };
-
-global ident_ports = { 113/tcp } &redef;
-redef dpd_config += { [ANALYZER_IDENT] = [$ports = ident_ports] };
-
-global pending_ident_requests: set[addr, port, addr, port, port, port];
-
-event ident_request(c: connection, lport: port, rport: port)
-	{
-	local id = c$id;
-	add pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
-	}
-
-function add_ident_tag(c: connection, lport: port, rport: port, tag: string)
-: connection
-	{
-	local id = c$id;
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport] in
-	     pending_ident_requests )
-		delete pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
-	else
-		tag = fmt("orphan-%s", tag);
-
-	local c_orig_id = [$orig_h = id$resp_h, $orig_p = rport,
-				$resp_h = id$orig_h, $resp_p = lport];
-
-	local c_orig = active_connection(c_orig_id) ?
-			connection_record(c_orig_id) : c;
-
-	append_addl(c_orig, tag);
-
-	return c_orig;
-	}
-
-event ident_reply(c: connection, lport: port, rport: port,
-		user_id: string, system: string)
-	{
-	local c_orig = add_ident_tag(c, lport, rport, fmt("ident/%s", user_id));
-
-	if ( user_id in hot_ident_ids && user_id !in hot_ident_exceptions )
-		{
-		++c_orig$hot;
-		NOTICE([$note=IdentSensitiveID, $conn=c,
-			$msg=fmt("%s hot ident: %s",
-				$user=c_orig$addl, id_string(c_orig$id))]);
-		}
-	}
-
-event ident_error(c: connection, lport: port, rport: port, line: string)
-	{
-	add_ident_tag(c, lport, rport, fmt("iderr/%s", line));
-	}
diff --git a/policy/inactivity.bro b/policy/inactivity.bro
deleted file mode 100644
index ea984a2fc2..0000000000
--- a/policy/inactivity.bro
+++ /dev/null
@@ -1,31 +0,0 @@
-# $Id: inactivity.bro 7073 2010-09-13 00:45:02Z vern $
-
-@load port-name
-
-const inactivity_timeouts: table[port] of interval = {
-	# For interactive services, allow longer periods of inactivity.
-	[[telnet, rlogin, ssh, ftp]] = 1 hrs,
-} &redef;
-
-function determine_inactivity_timeout(c: connection)
-	{
-	local service = c$id$resp_p;
-
-	# Determine service (adapted from hot.bro)
-	if ( c$orig$state == TCP_INACTIVE )
-		{
-		# We're seeing a half-established connection. Use the
-		# service of the originator if it's well-known and the
-		# responder isn't.
-		if ( service !in port_names && c$id$orig_p in port_names )
-			service = c$id$orig_p;
-		}
-
-	if ( service in inactivity_timeouts )
-		set_inactivity_timeout(c$id, inactivity_timeouts[service]);
-	}
-
-event connection_established(c: connection)
-	{
-	determine_inactivity_timeout(c);
-	}
diff --git a/policy/interconn.bro b/policy/interconn.bro
deleted file mode 100644
index ff545d4eef..0000000000
--- a/policy/interconn.bro
+++ /dev/null
@@ -1,318 +0,0 @@
-# $Id: interconn.bro 3997 2007-02-23 00:31:19Z vern $
-#
-# interconn - generic detection of interactive connections.
-
-@load port-name
-@load demux
-
-# The following must be defined for the event engine to generate
-# interconn events.
-redef interconn_min_interarrival = 0.01 sec;
-redef interconn_max_interarrival = 2.0 sec;
-redef interconn_max_keystroke_pkt_size = 20;
-redef interconn_default_pkt_size = 512;
-redef interconn_stat_period = 15.0 sec;
-redef interconn_stat_backoff = 1.5;
-
-const interconn_min_num_pkts = 10 &redef; # min num of pkts sent
-const interconn_min_duration = 2.0 sec &redef; # min duration for the connection
-
-const interconn_ssh_len_disabled = T &redef;
-const interconn_min_ssh_pkts_ratio = 0.6 &redef;
-
-const interconn_min_bytes = 10 &redef;
-const interconn_min_7bit_ascii_ratio = 0.75 &redef;
-
-const interconn_min_num_lines = 2 &redef;
-const interconn_min_normal_line_ratio = 0.5 &redef;
-
-# alpha: portion of interarrival times within range
-#	[interconn_min_interarrival, interconn_max_interarrival]
-#
-#	alpha should be >= interconn_min_alpha
-#
-# gamma: num_keystrokes_two_in_row / num_pkts
-#	gamma indicates the portion of keystrokes in the overall traffic
-#
-#	gamma should be >= interconn_min_gamma
-
-const interconn_min_alpha = 0.2 &redef; # minimum required alpha
-const interconn_min_gamma = 0.2 &redef; # minimum required gamma
-
-const interconn_standard_ports = { telnet, rlogin, ftp, ssh, smtp, 143/tcp, 110/tcp  } &redef;
-const interconn_ignore_standard_ports = F &redef;
-
-const interconn_demux_disabled = T &redef;
-
-const INTERCONN_UNKNOWN = 0;	# direction/interactivity is unknown
-
-const INTERCONN_FORWARD = 1;	# forward: a conn's orig is true originator
-const INTERCONN_BACKWARD = 2;	# backward: a conn's resp is true originator
-
-const INTERCONN_INTERACTIVE = 1;	# a conn is interactive
-const INTERCONN_STANDARD_PORT = 2;	# conn involves a standard port to ignore
-
-type conn_info : record {
-	interactive: count; # interactivity: unknown/interactive/standard_port
-	dir: count; # direction: unknown/forward/backward
-};
-
-global interconn_conns: table [conn_id] of conn_info; # table for all connections
-
-# Table for resp_endp's of those established (non-partial) conn's.
-# If a partial conn connects to one of such resp's, we can infer
-# its direction.
-global interconn_resps: table [addr, port] of count &default = 0;
-
-global interconn_log = open_log_file("interconn") &redef;
-
-global num_interconns = 0;
-
-function interconn_conn_string(c: connection): string
-	{
-	return fmt("%.6f %s.%d > %s.%d",
-		c$start_time,
-		c$id$orig_h, c$id$orig_p,
-		c$id$resp_h, c$id$resp_p);
-	}
-
-function interconn_weird(c: connection, s: string)
-	{
-	print fmt("%s interconn_weird: %s %s", network_time(), interconn_conn_string(c), s);
-	}
-
-function get_direction(c: connection): count
-	{
-	local id = c$id;
-
-	if ( interconn_conns[id]$dir != INTERCONN_UNKNOWN )
-		return interconn_conns[id]$dir;
-
-	# The connection is not established yet, but one endpoint
-	# is a known resp_endp
-	if ( [id$resp_h, id$resp_p] in interconn_resps )
-		{
-		interconn_conns[id]$dir = INTERCONN_FORWARD;
-		++interconn_resps[id$resp_h, id$resp_p];
-
-		return INTERCONN_FORWARD;
-		}
-
-	else if ( [id$orig_h, id$orig_p] in interconn_resps )
-		{
-		interconn_conns[id]$dir = INTERCONN_BACKWARD;
-		++interconn_resps[id$orig_h, id$orig_p];
-
-		return INTERCONN_BACKWARD;
-		}
-
-	return INTERCONN_UNKNOWN;
-	}
-
-function comp_gamma(s: interconn_endp_stats): double
-	{
-	return s$num_pkts >= interconn_min_num_pkts ?
-		(1.0 * s$num_keystrokes_two_in_row) / s$num_pkts : 0.0;
-	}
-
-function comp_alpha(s: interconn_endp_stats) : double
-	{
-	return ( s$num_keystrokes_two_in_row > 0 ) ?
-		(1.0 * s$num_normal_interarrivals / s$num_keystrokes_two_in_row) : 0.0;
-	}
-
-function skip_further_interconn_processing(c: connection)
-	{
-	# This used to call skip_further_processing()
-	# (if active_connection(c$id) returned T).  But that's
-	# clearly wrong *if* we're also doing additional analysis
-	# on the connection.  So do nothing.
-	}
-
-function log_interconn(c: connection, tag: string)
-	{
-	print interconn_log, fmt("%s %s", interconn_conn_string(c), tag);
-
-	local id = c$id;
-
-	if ( interconn_demux_disabled )
-		skip_further_interconn_processing(c);
-	else
-		demux_conn(id, tag, "orig", "resp");
-	}
-
-function is_interactive_endp(s: interconn_endp_stats): bool
-	{
-	# Criteria 1: num_pkts >= interconn_min_num_pkts.
-	if ( s$num_pkts < interconn_min_num_pkts )
-		return F;
-
-	# Criteria 2: gamma >= interconn_min_gamma.
-	if ( comp_gamma(s) < interconn_min_gamma )
-		return F;
-
-	# Criteria 3: alpha >= interconn_min_alpha.
-	if ( comp_alpha(s) < interconn_min_alpha )
-		return F;
-
-	return T;
-	}
-
-event connection_established(c: connection)
-	{
-	local id = c$id;
-	local dir = interconn_conns[id]$dir;
-
-	if ( dir == INTERCONN_FORWARD )
-		return;
-
-	if ( dir == INTERCONN_BACKWARD )
-		{
-		interconn_weird(c, "inconsistent direction");
-		return;
-		}
-
-	interconn_conns[id]$dir = INTERCONN_FORWARD;
-	++interconn_resps[id$resp_h, id$resp_p];
-	}
-
-event new_connection(c: connection)
-	{
-	local id = c$id;
-
-	local info: conn_info;
-	info$dir = INTERCONN_UNKNOWN;
-
-	if ( interconn_ignore_standard_ports &&
-	     (id$orig_p in interconn_standard_ports ||
-	      id$resp_p in interconn_standard_ports) )
-		{
-		info$interactive = INTERCONN_STANDARD_PORT;
-		skip_further_interconn_processing(c);
-		}
-
-	else
-		info$interactive = INTERCONN_UNKNOWN;
-
-	interconn_conns[id] = info;
-	}
-
-event interconn_remove_conn(c: connection)
-	{
-	local id = c$id;
-
-	if ( id !in interconn_conns )
-		# This can happen for weird connections such as those
-		# with an initial SYN+FIN packet.
-		return;
-
-	local dir = interconn_conns[id]$dir;
-
-	delete interconn_conns[id];
-	delete demuxed_conn[c$id];
-
-	if ( dir == INTERCONN_FORWARD )
-		{
-		if ( --interconn_resps[id$resp_h, id$resp_p] == 0 )
-			delete interconn_resps[id$resp_h, id$resp_p];
-		}
-
-	else if ( dir == INTERCONN_BACKWARD )
-		{
-		if ( --interconn_resps[id$orig_h, id$orig_p] == 0 )
-			delete interconn_resps[id$orig_h, id$orig_p];
-		}
-	}
-
-event interconn_stats(c: connection,
-			os: interconn_endp_stats, rs: interconn_endp_stats)
-	{
-	local id = c$id;
-
-	if ( id !in interconn_conns )
-		return;
-
-	if ( interconn_conns[id]$interactive != INTERCONN_UNKNOWN )
-		return; # already classified
-
-	if ( c$duration < interconn_min_duration )
-		# forget about excessively short connections
-		return;
-
-	local dir = get_direction(c);
-
-	# Criteria:
-	#
-	#	if ( dir == FORWARD )
-	#		(os) is interactive
-	#	else if ( dir == BACKWARD )
-	#		(rs) is interactive
-	#	else
-	#		either (os) or (rs) is interactive
-	if ( dir == INTERCONN_FORWARD )
-		{
-		if ( ! is_interactive_endp(os) )
-			return;
-		}
-
-	else if ( dir == INTERCONN_BACKWARD )
-		{
-		if ( ! is_interactive_endp(rs) )
-			return;
-		}
-
-	else
-		{
-		if ( ! is_interactive_endp(os) && ! is_interactive_endp(rs) )
-			return;
-		}
-
-	local tag: string;
-
-	if ( ! interconn_ssh_len_disabled && (os$is_partial || rs$is_partial) )
-		{
-		local num_pkts = os$num_pkts + rs$num_pkts;
-		local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts;
-		local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts;
-
-		if ( num_8k0_pkts > num_pkts * interconn_min_ssh_pkts_ratio )
-			{
-			# c now considered as interactive.
-			interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
-			tag = fmt("interconn.%d.ssh2", ++num_interconns);
-			}
-		else if ( num_8k4_pkts > num_pkts * interconn_min_ssh_pkts_ratio )
-			{
-			# c now considered as interactive.
-			interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
-			tag = fmt("interconn.%d.ssh1", ++num_interconns);
-			}
-		}
-
-	# Criteria 4:	num_7bit_ascii / num_bytes is big enough; AND
-	#		enough number of normal lines
-	if ( interconn_conns[id]$interactive != INTERCONN_INTERACTIVE )
-		{
-		local num_bytes = os$num_bytes + rs$num_bytes;
-		local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii;
-
-		if ( num_bytes < interconn_min_bytes ||
-		     num_7bit_ascii < num_bytes * interconn_min_7bit_ascii_ratio )
-			return;
-
-		local num_lines = os$num_lines + rs$num_lines;
-		local num_normal_lines = os$num_normal_lines +
-					 rs$num_normal_lines;
-
-		if ( num_lines < interconn_min_num_lines ||
-		     num_normal_lines < num_lines * interconn_min_normal_line_ratio )
-			return;
-
-		# c now considered as interactive.
-		interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
-
-		tag = fmt("interconn.%d", ++num_interconns);
-		}
-
-	log_interconn(c, tag);
-	}
diff --git a/policy/irc-bot-syslog.bro b/policy/irc-bot-syslog.bro
deleted file mode 100644
index 6ca1281db3..0000000000
--- a/policy/irc-bot-syslog.bro
+++ /dev/null
@@ -1,79 +0,0 @@
-# $Id: irc-bot-syslog.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $
-#
-# Passes current bot-state to syslog.
-#
-# - When a new server/client is found, we syslog it immediately.
-# - Every IrcBot::summary_interval we dump the current set.
-
-@load irc-bot
-
-module IrcBotSyslog;
-
-export {
-	# Prefix for all messages for easy grepping.
-	const prefix = "irc-bots" &redef;
-}
-
-# For debugging, everything which goes to syslog also goes here.
-global syslog_file = open_log_file("irc-bots.syslog");
-
-function fmt_time(t: time) : string
-	{
-	return strftime("%Y-%m-%d-%H-%M-%S", t);
-	}
-
-function log_server(ip: addr, new: bool)
-	{
-	local s = IrcBot::servers[ip];
-	local ports = IrcBot::portset_to_str(s$p);
-
-	local msg = fmt("%s ip=%s new=%d local=%d server=1 first_seen=%s last_seen=%s ports=%s",
-			prefix, ip, new, is_local_addr(ip),
-			fmt_time(s$first_seen), fmt_time(s$last_seen), ports);
-
-	syslog(msg);
-	print syslog_file, fmt("%.6f %s", network_time(), msg);
-	}
-
-function log_client(ip: addr, new: bool)
-	{
-	local c = IrcBot::clients[ip];
-	local servers = IrcBot::addrset_to_str(c$servers);
-
-	local msg = fmt("%s ip=%s new=%d local=%d server=0 first_seen=%s last_seen=%s user=%s nick=%s realname=%s servers=%s",
-			prefix, ip, new, is_local_addr(ip),
-			fmt_time(c$first_seen), fmt_time(c$last_seen),
-				  c$user, c$nick, c$realname, servers);
-
-	syslog(msg);
-	print syslog_file, fmt("%.6f %s", network_time(), msg);
-	}
-
-event print_bot_state()
-	{
-	for ( s in IrcBot::confirmed_bot_servers )
-		log_server(s, F);
-
-	for ( c in IrcBot::confirmed_bot_clients )
-		log_client(c, F);
-	}
-
-event bro_init()
-	{
-	set_buf(syslog_file, F);
-	}
-
-redef notice_policy += {
-	[$pred(a: notice_info) =
-		{
-		if ( a$note == IrcBot::IrcBotServerFound )
-			log_server(a$src, T);
-
-		if ( a$note == IrcBot::IrcBotClientFound )
-			log_client(a$src, T);
-
-		return F;
-		},
-	 $result = NOTICE_FILE,
-	 $priority = 1]
-};
diff --git a/policy/irc-bot.bro b/policy/irc-bot.bro
deleted file mode 100644
index 8375aa91d6..0000000000
--- a/policy/irc-bot.bro
+++ /dev/null
@@ -1,566 +0,0 @@
-# $Id:$
-
-@load conn
-@load notice
-@load weird
-
-module IrcBot;
-
-export {
-	global detailed_log = open_log_file("irc.detailed") &redef;
-	global bot_log = open_log_file("irc-bots") &redef;
-
-	global summary_interval = 1 min &redef;
-
-	global detailed_logging = T &redef;
-	global content_dir = "irc-bots" &redef;
-
-	global bot_nicks =
-		  /^\[([^\]]+\|)+[0-9]{2,}]/		# [DEU|XP|L|00]
-		| /^\[[^ ]+\]([^ ]+\|)+([0-9a-zA-Z-]+)/	# [0]CHN|3436036 [DEU][1]3G-QE
-		| /^DCOM[0-9]+$/			# DCOM7845
-		| /^\{[A-Z]+\}-[0-9]+/			# {XP}-5021040
-		| /^\[[0-9]+-[A-Z0-9]+\][a-z]+/		# [0058-X2]wpbnlgwf
-		| /^\[[a-zA-Z0-9]\]-[a-zA-Z0-9]+$/	# [SD]-743056826
-		| /^[a-z]+[A-Z]+-[0-9]{5,}$/
-		| /^[A-Z]{3}-[0-9]{4}/			# ITD-1119
-	;
-
-	global bot_cmds =
-		  /(^| *)[.?#!][^ ]{0,5}(scan|ndcass|download|cvar\.|execute|update|dcom|asc|scanall) /
-		| /(^| +\]\[ +)\* (ipscan|wormride)/
-		| /(^| *)asn1/
-	;
-
-	global skip_msgs =
-		  /.*AUTH .*/
-		| /.*\*\*\* Your host is .*/
-		| /.*\*\*\* If you are having problems connecting .*/
-	;
-
-	redef enum Notice += {
-		IrcBotServerFound,
-		IrcBotClientFound,
-	};
-
-	type channel: record {
-		name: string;
-		passwords: set[string];
-		topic: string &default="";
-		topic_history: vector of string;
-	};
-
-	type bot_client: record {
-		host: addr;
-		p: port;
-		nick: string &default="";
-		user: string &default="";
-		realname: string &default="";
-		channels: table[string] of channel;
-		servers: set[addr] &optional;
-		first_seen: time;
-		last_seen: time;
-	};
-
-	type bot_server: record {
-		host: addr;
-		p: set[port];
-		clients: table[addr] of bot_client;
-		global_users: string &default="";
-		passwords: set[string];
-		channels: table[string] of channel;
-		first_seen: time;
-		last_seen: time;
-	};
-
-	type bot_conn: record {
-		client: bot_client;
-		server: bot_server;
-		conn: connection;
-		fd: file;
-		ircx: bool &default=F;
-	};
-
-	# We keep three sets of clients/servers:
-	#  (1) tables containing all IRC clients/servers
-	#  (2) sets containing potential bot hosts
-	#  (3) sets containing confirmend bot hosts
-	#
-	# Hosts are confirmed when a connection is established between
-	# potential bot hosts.
-	#
-	# FIXME: (1) should really be moved into the general IRC script.
-
-	global expire_server:
-		function(t: table[addr] of bot_server, idx: addr): interval;
-	global expire_client:
-		function(t: table[addr] of bot_client, idx: addr): interval;
-
-	global servers: table[addr] of bot_server &write_expire=24 hrs
-			&expire_func=expire_server &persistent;
-	global clients: table[addr] of bot_client &write_expire=24 hrs
-			&expire_func=expire_client &persistent;
-
-	global potential_bot_clients: set[addr] &persistent;
-	global potential_bot_servers: set[addr] &persistent;
-	global confirmed_bot_clients: set[addr] &persistent;
-	global confirmed_bot_servers: set[addr] &persistent;
-
-	# All IRC connections.
-	global conns: table[conn_id] of bot_conn &persistent;
-
-	# Connections between confirmed hosts.
-	global bot_conns: set[conn_id] &persistent;
-
-	# Helper functions for readable output.
-	global strset_to_str: function(s: set[string]) : string;
-	global portset_to_str: function(s: set[port]) : string;
-	global addrset_to_str: function(s: set[addr]) : string;
-}
-
-function strset_to_str(s: set[string]) : string
-	{
-	if ( |s| == 0 )
-		return "<none>";
-
-	local r = "";
-	for ( i in s )
-		{
-		if ( r != "" )
-			r = cat(r, ",");
-		r = cat(r, fmt("\"%s\"", i));
-		}
-
-	return r;
-	}
-
-function portset_to_str(s: set[port]) : string
-	{
-	if ( |s| == 0 )
-		return "<none>";
-
-	local r = "";
-	for ( i in s )
-		{
-		if ( r != "" )
-			r = cat(r, ",");
-		r = cat(r, fmt("%d", i));
-		}
-
-	return r;
-	}
-
-function addrset_to_str(s: set[addr]) : string
-	{
-	if ( |s| == 0 )
-		return "<none>";
-
-	local r = "";
-	for ( i in s )
-		{
-		if ( r != "" )
-			r = cat(r, ",");
-		r = cat(r, fmt("%s", i));
-		}
-
-	return r;
-	}
-
-function fmt_time(t: time) : string
-	{
-	return strftime("%y-%m-%d-%H-%M-%S", t);
-	}
-
-event print_bot_state()
-	{
-	local bot_summary_log = open_log_file("irc-bots.summary");
-	disable_print_hook(bot_summary_log);
-
-	print bot_summary_log, "---------------------------";
-	print bot_summary_log, strftime("%y-%m-%d-%H-%M-%S", network_time());
-	print bot_summary_log, "---------------------------";
-	print bot_summary_log;
-	print bot_summary_log, "Known servers";
-
-	for ( h in confirmed_bot_servers )
-		{
-		local s = servers[h];
-
-		print bot_summary_log,
-			fmt("    %s %s - clients: %d ports %s password(s) %s last-seen %s first-seen %s global-users %s",
-				(is_local_addr(s$host) ? "L" : "R"),
-				s$host, length(s$clients), portset_to_str(s$p),
-				strset_to_str(s$passwords),
-				fmt_time(s$last_seen), fmt_time(s$first_seen),
-				s$global_users);
-
-		for ( name in s$channels )
-			{
-			local ch = s$channels[name];
-			print bot_summary_log,
-				fmt("        channel %s: topic \"%s\", password(s) %s",
-					ch$name, ch$topic,
-					strset_to_str(ch$passwords));
-			}
-		}
-
-	print bot_summary_log, "\nKnown clients";
-
-	for ( h in confirmed_bot_clients )
-		{
-		local c = clients[h];
-		print bot_summary_log,
-			fmt("    %s %s - server(s) %s user %s nick %s realname %s last-seen %s first-seen %s",
-				(is_local_addr(h) ? "L" : "R"), h,
-				addrset_to_str(c$servers),
-				c$user, c$nick, c$realname,
-				fmt_time(c$last_seen), fmt_time(c$first_seen));
-		}
-
-	close(bot_summary_log);
-
-	if ( summary_interval != 0 secs )
-		schedule summary_interval { print_bot_state() };
-	}
-
-event bro_init()
-	{
-	if ( summary_interval != 0 secs )
-		schedule summary_interval { print_bot_state() };
-	}
-
-function do_log_force(c: connection, msg: string)
-	{
-	local id = c$id;
-	print bot_log, fmt("%.6f %s:%d > %s:%d %s %s",
-				network_time(), id$orig_h, id$orig_p,
-				id$resp_h, id$resp_p, c$addl, msg);
-	}
-
-function do_log(c: connection, msg: string)
-	{
-	if ( c$id !in bot_conns )
-		return;
-
-	do_log_force(c, msg);
-	}
-
-function log_msg(c: connection, cmd: string, prefix: string, msg: string)
-	{
-	if ( skip_msgs in msg )
-		return;
-
-	do_log(c, fmt("MSG command=%s prefix=%s msg=\"%s\"", cmd, prefix, msg));
-	}
-
-function update_timestamps(c: connection) : bot_conn
-	{
-	local conn = conns[c$id];
-
-	conn$client$last_seen = network_time();
-	conn$server$last_seen = network_time();
-
-	# To prevent the set of entries from premature expiration,
-	# we need to make a write access (can't use read_expire as we
-	# iterate over the entries on a regular basis).
-	clients[c$id$orig_h] = conn$client;
-	servers[c$id$resp_h] = conn$server;
-
-	return conn;
-	}
-
-function add_server(c: connection) : bot_server
-	{
-	local s_h = c$id$resp_h;
-
-	if ( s_h in servers )
-		return servers[s_h];
-
-	local empty_table1: table[addr] of bot_client;
-	local empty_table2: table[string] of channel;
-	local empty_set: set[string];
-	local empty_set2: set[port];
-
-	local server = [$host=s_h, $p=empty_set2, $clients=empty_table1,
-			$channels=empty_table2, $passwords=empty_set,
-			$first_seen=network_time(), $last_seen=network_time()];
-	servers[s_h] = server;
-
-	return server;
-	}
-
-function add_client(c: connection) : bot_client
-	{
-	local c_h = c$id$orig_h;
-
-	if ( c_h in clients )
-		return clients[c_h];
-
-	local empty_table: table[string] of channel;
-	local empty_set: set[addr];
-	local client = [$host=c_h, $p=c$id$resp_p, $servers=empty_set,
-			$channels=empty_table, $first_seen=network_time(),
-			$last_seen=network_time()];
-	clients[c_h] = client;
-
-	return client;
-	}
-
-function check_bot_conn(c: connection)
-	{
-	if ( c$id in bot_conns )
-		return;
-
-	local client = c$id$orig_h;
-	local server = c$id$resp_h;
-
-	if ( client !in potential_bot_clients || server !in potential_bot_servers )
-		return;
-
-	# New confirmed bot_conn.
-
-	add bot_conns[c$id];
-
-	if ( server !in confirmed_bot_servers )
-		{
-		NOTICE([$note=IrcBotServerFound, $src=server, $p=c$id$resp_p, $conn=c,
-				$msg=fmt("ircbot server found: %s:%d", server, $p=c$id$resp_p)]);
-		add confirmed_bot_servers[server];
-		}
-
-	if ( client !in confirmed_bot_clients )
-		{
-		NOTICE([$note=IrcBotClientFound, $src=client, $p=c$id$orig_p, $conn=c,
-				$msg=fmt("ircbot client found: %s:%d", client, $p=c$id$orig_p)]);
-		add confirmed_bot_clients[client];
-		}
-	}
-
-function get_conn(c: connection) : bot_conn
-	{
-	local conn: bot_conn;
-
-	if ( c$id in conns )
-		{
-		check_bot_conn(c);
-		return update_timestamps(c);
-		}
-
-	local c_h = c$id$orig_h;
-	local s_h = c$id$resp_h;
-
-	local client : bot_client;
-	local server : bot_server;
-
-	if ( c_h in clients )
-		client = clients[c_h];
-	else
-		client = add_client(c);
-
-	if ( s_h in servers )
-		server = servers[s_h];
-	else
-		server = add_server(c);
-
-	server$clients[c_h] = client;
-	add server$p[c$id$resp_p];
-	add client$servers[s_h];
-
-	conn$server = server;
-	conn$client = client;
-	conn$conn = c;
-	conns[c$id] = conn;
-	update_timestamps(c);
-
-	return conn;
-	}
-
-function expire_server(t: table[addr] of bot_server, idx: addr): interval
-	{
-	local server = t[idx];
-	for ( c in server$clients )
-		{
-		local client = server$clients[c];
-		delete client$servers[idx];
-		}
-
-	delete potential_bot_servers[idx];
-	delete confirmed_bot_servers[idx];
-	return 0secs;
-	}
-
-function expire_client(t: table[addr] of bot_client, idx: addr): interval
-	{
-	local client = t[idx];
-	for ( s in client$servers )
-		if ( s in servers )
-			delete servers[s]$clients[idx];
-	delete potential_bot_clients[idx];
-	delete confirmed_bot_clients[idx];
-	return 0secs;
-	}
-
-function remove_connection(c: connection)
-	{
-	local conn = conns[c$id];
-	delete conns[c$id];
-	delete bot_conns[c$id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id !in conns )
-		return;
-
-	remove_connection(c);
-	}
-
-event bro_init()
-	{
-	set_buf(detailed_log, F);
-	set_buf(bot_log, F);
-	}
-
-event irc_client(c: connection, prefix: string, data: string)
-	{
-	if ( detailed_logging )
-		print detailed_log, fmt("%.6f %s > (%s) %s", network_time(), id_string(c$id), prefix, data);
-
-	local conn = get_conn(c);
-
-	if ( data == /^ *[iI][rR][cC][xX] *$/ )
-		conn$ircx = T;
-	}
-
-event irc_server(c: connection, prefix: string, data: string)
-	{
-	if ( detailed_logging )
-		print detailed_log, fmt("%.6f %s < (%s) %s", network_time(), id_string(c$id), prefix, data);
-
-	local conn = get_conn(c);
-	}
-
-event irc_user_message(c: connection, user: string, host: string, server: string, real_name: string)
-	{
-	local conn = get_conn(c);
-	conn$client$user = user;
-	conn$client$realname = real_name;
-
-	do_log(c, fmt("USER user=%s host=%s server=%s real_name=%s", user, host, server, real_name));
-	}
-
-function get_channel(conn: bot_conn, channel: string) : channel
-	{
-	if ( channel in conn$server$channels )
-		return conn$server$channels[channel];
-	else
-		{
-		local empty_set: set[string];
-		local empty_vec: vector of string;
-		local ch = [$name=channel, $passwords=empty_set, $topic_history=empty_vec];
-		conn$server$channels[ch$name] = ch;
-		return ch;
-		}
-	}
-
-event irc_join_message(c: connection, info_list: irc_join_list)
-	{
-	local conn = get_conn(c);
-
-	for ( i in info_list )
-		{
-		local ch = get_channel(conn, i$channel);
-
-		if ( i$password != "" )
-			add ch$passwords[i$password];
-
-		conn$client$channels[ch$name] = ch;
-
-		do_log(c, fmt("JOIN channel=%s password=%s", i$channel, i$password));
-		}
-	}
-
-global urls: set[string] &read_expire = 7 days &persistent;
-
-event http_request(c: connection, method: string, original_URI: string,
-			unescaped_URI: string, version: string)
-	{
-	if ( original_URI in urls )
-		do_log_force(c, fmt("Request for URL %s", original_URI));
-	}
-
-event irc_channel_topic(c: connection, channel: string, topic: string)
-	{
-	if ( bot_cmds in topic )
-		{
-		do_log_force(c, fmt("Matching TOPIC %s", topic));
-		add potential_bot_servers[c$id$resp_h];
-		}
-
-	local conn = get_conn(c);
-
-	local ch = get_channel(conn, channel);
-	ch$topic_history[|ch$topic_history| + 1] = ch$topic;
-	ch$topic = topic;
-
-	if ( c$id in bot_conns )
-		{
-		do_log(c, fmt("TOPIC channel=%s topic=\"%s\"", channel, topic));
-
-		local s = split(topic, / /);
-		for ( i in s )
-			{
-			local w = s[i];
-			if ( w == /[a-zA-Z]+:\/\/.*/ )
-				{
-				add urls[w];
-				do_log(c, fmt("URL channel=%s url=\"%s\"",
-						channel, w));
-				}
-			}
-		}
-	}
-
-event irc_nick_message(c: connection, who: string, newnick: string)
-	{
-	if ( bot_nicks in newnick )
-		{
-		do_log_force(c, fmt("Matching NICK %s", newnick));
-		add potential_bot_clients[c$id$orig_h];
-		}
-
-	local conn = get_conn(c);
-	conn$client$nick = newnick;
-
-	do_log(c, fmt("NICK who=%s nick=%s", who, newnick));
-	}
-
-event irc_password_message(c: connection, password: string)
-	{
-	local conn = get_conn(c);
-	add conn$server$passwords[password];
-
-	do_log(c, fmt("PASS password=%s", password));
-	}
-
-event irc_privmsg_message(c: connection, source: string, target: string,
-				message: string)
-	{
-	log_msg(c, "privmsg", source, fmt("->%s %s", target, message));
-	}
-
-event irc_notice_message(c: connection, source: string, target: string,
-				message: string)
-	{
-	log_msg(c, "notice", source, fmt("->%s %s", target, message));
-	}
-
-event irc_global_users(c: connection, prefix: string, msg: string)
-	{
-	local conn = get_conn(c);
-
-	# Better would be to parse the message to extract the counts.
-	conn$server$global_users = msg;
-
-	log_msg(c, "globalusers", prefix, msg);
-	}
diff --git a/policy/irc.bro b/policy/irc.bro
deleted file mode 100644
index 27b905528a..0000000000
--- a/policy/irc.bro
+++ /dev/null
@@ -1,689 +0,0 @@
-# $Id: irc.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load conn-id
-@load notice
-@load weird
-
-@load signatures
-
-module IRC;
-
-export {
-	const log_file = open_log_file("irc") &redef;
-
-	type irc_user: record {
-		u_nick: string;		# nick name
-		u_real: string;		# real name
-		u_host: string;		# client host
-		u_channels: set[string];	# channels the user is member of
-		u_is_operator: bool;	# user is server operator
-		u_conn: connection;	# connection handle
-	};
-
-	type irc_channel: record {
-		c_name: string;		# channel name
-		c_users: set[string];	# users in channel
-		c_ops: set[string];	# channel operators
-		c_type: string;		# channel type
-		c_modes: string;	# channel modes
-		c_topic: string;	# channel topic
-	};
-
-	global expired_user:
-		function(t: table[string] of irc_user, idx: string): interval;
-	global expired_channel:
-		function(t: table[string] of irc_channel, idx: string): interval;
-
-	# Commands to ignore in irc_request/irc_message.
-	const ignore_in_other_msgs = { "PING", "PONG", "ISON" } &redef;
-
-	# Return codes to ignore in irc_response
-	const ignore_in_other_responses: set[count] = {
-		303 # RPL_ISON
-	} &redef;
-
-	# Active users, indexed by nick.
-	global active_users: table[string] of irc_user &read_expire = 6 hrs
-		&expire_func = expired_user &redef;
-
-	# Active channels, indexed by channel name.
-	global active_channels: table[string] of irc_channel
-					&read_expire = 6 hrs
-					&expire_func = expired_channel &redef;
-
-	# Strings that generate a notice if found in session dialog.
-	const hot_words =
-		  /.*etc\/shadow.*/
-		| /.*etc\/ldap.secret.*/
-		| /.*phatbot.*/
-		| /.*botnet.*/
-	&redef;
-
-	redef enum Notice += {
-		IRC_HotWord,
-	};
-}
-
-
-# IRC ports.  This could be widened to 6660-6669, say.
-redef capture_filters += { ["irc-6666"] = "port 6666" };
-redef capture_filters += { ["irc-6667"] = "port 6667" };
-
-# DPM configuration.
-global irc_ports = { 6666/tcp, 6667/tcp } &redef;
-redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
-
-redef Weird::weird_action += {
-	["irc_invalid_dcc_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_invite_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_kick_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_mode_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_names_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_njoin_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_notice_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_oper_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_privmsg_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_reply_number"]	= Weird::WEIRD_FILE,
-	["irc_invalid_squery_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_who_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_who_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_whois_channel_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_whois_message_format"]	= Weird::WEIRD_FILE,
-	["irc_invalid_whois_operator_line"]	= Weird::WEIRD_FILE,
-	["irc_invalid_whois_user_line"]	= Weird::WEIRD_FILE,
-	["irc_line_size_exceeded"]	= Weird::WEIRD_FILE,
-	["irc_line_too_short"]	= Weird::WEIRD_FILE,
-	["irc_partial_request"]	= Weird::WEIRD_FILE,
-	["irc_too_many_invalid"]	= Weird::WEIRD_FILE,
-};
-
-# # IRC servers to identify server-to-server connections.
-# redef irc_servers = {
-# 	# German IRCnet servers
-# 	irc.leo.org,
-# 	irc.fu-berlin.de,
-# 	irc.uni-erlangen.de,
-# 	irc.belwue.de,
-# 	irc.freenet.de,
-# 	irc.tu-ilmenau.de,
-# 	irc.rz.uni-karlsruhe.de,
-# };
-
-global conn_list: table[conn_id] of count;
-global conn_ID = 0;
-global check_connection: function(c: connection);
-
-function irc_check_hot(c: connection, s: string, context: string)
-	{
-	if ( s == hot_words )
-		NOTICE([$note=IRC_HotWord, $conn=c,
-			$msg=fmt("IRC hot word in: %s", context)]);
-	}
-
-function log_activity(c: connection, msg: string)
-	{
-	print log_file, fmt("%.6f #%s %s",
-				network_time(), conn_list[c$id], msg);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	delete conn_list[c$id];
-	}
-
-event irc_request(c: connection, prefix: string,
-			command: string, arguments: string)
-	{
-	check_connection(c);
-
-	local context = fmt("%s %s", command, arguments);
-	irc_check_hot(c, command, context);
-	irc_check_hot(c, arguments, context);
-
-	if ( command !in ignore_in_other_msgs )
-		log_activity(c, fmt("other request%s%s: %s",
-					prefix == "" ? "" : " ",
-					prefix, context));
-	}
-
-event irc_reply(c: connection, prefix: string, code: count, params: string)
-	{
-	check_connection(c);
-
-	local context = fmt("%s %s", code, params);
-	irc_check_hot(c, params, context);
-
-	if ( code !in ignore_in_other_responses )
-		log_activity(c, fmt("other response from %s: %s",
-					prefix, context));
-	}
-
-event irc_message(c: connection, prefix: string,
-			command: string, message: string)
-	{
-	check_connection(c);
-
-	# Sanity checks whether this is indeed IRC.
-	#
-	# If we happen to parse an HTTP connection, the server "commands" will
-	# end with ":".
-	if ( command == /.*:$/ )
-		{
-		local aid = current_analyzer();
-		event protocol_violation(c, ANALYZER_IRC, aid, "broken server response");
-		return;
-		}
-
-	local context = fmt("%s %s", command, message);
-	irc_check_hot(c, command, context);
-	irc_check_hot(c, message, context);
-
-	if ( command !in ignore_in_other_msgs )
-		log_activity(c, fmt("other server message from %s: %s",
-					prefix, context));
-	}
-
-event irc_user_message(c: connection, user: string, host: string,
-			server: string, real_name: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("new user, user='%s', host='%s', server='%s', real = '%s'",
-				user, host, server, real_name));
-
-	if ( user in active_users )
-		active_users[user]$u_conn = c;
-	else
-		{
-		local u: irc_user;
-		u$u_nick = user;
-		u$u_real = real_name;
-		u$u_conn = c;
-		u$u_host = "";
-		u$u_is_operator = F;
-		active_users[user] = u;
-		}
-	}
-
-event irc_quit_message(c: connection, nick: string, message: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("user '%s' leaving%s", nick,
-				message == "" ? "" : fmt(", \"%s\"", message)));
-
-	# Remove from lists.
-	if ( nick in active_users )
-		{
-		delete active_users[nick];
-		for ( my_channel in active_channels )
-			delete active_channels[my_channel]$c_users[nick];
-		}
-	}
-
-function check_message(c: connection, source: string, target: string,
-			msg: string, msg_type: string)
-	{
-	check_connection(c);
-	irc_check_hot(c, msg, msg);
-	log_activity(c, fmt("%s%s to '%s': %s", msg_type,
-				source != "" ? fmt(" from '%s'", source) : "",
-				target, msg));
-	}
-
-event irc_privmsg_message(c: connection, source: string, target: string,
-				message: string)
-	{
-	check_message(c, source, target, message, "message");
-	}
-
-event irc_notice_message(c: connection, source: string, target: string,
-				message: string)
-	{
-	check_message(c, source, target, message, "notice");
-	}
-
-event irc_squery_message(c: connection, source: string, target: string,
-				message: string)
-	{
-	check_message(c, source, target, message, "squery");
-	}
-
-event irc_join_message(c: connection, info_list: irc_join_list)
-	{
-	check_connection(c);
-
-	for ( l in info_list )
-		{
-		log_activity(c, fmt("user '%s' joined '%s'%s",
-					l$nick, l$channel,
-					l$password != "" ?
-						fmt("with password '%s'",
-							l$password) : ""));
-
-		if ( l$nick == "" )
-			next;
-
-		if ( l$nick in active_users )
-			add (active_users[l$nick]$u_channels)[l$channel];
-		else
-			{
-			local user: irc_user;
-			user$u_nick = l$nick;
-			user$u_real = "";
-			user$u_conn = c;
-			user$u_host = "";
-			user$u_is_operator = F;
-			add user$u_channels[l$channel];
-
-			active_users[l$nick] = user;
-			}
-
-		# Add channel to lists.
-		if ( l$channel in active_channels )
-			add (active_channels[l$channel]$c_users)[l$nick];
-		else
-			{
-			local my_c: irc_channel;
-			my_c$c_name = l$channel;
-			add my_c$c_users[l$nick];
-
-			my_c$c_type = my_c$c_modes = "";
-
-			active_channels[l$channel] = my_c;
-			}
-		}
-	}
-
-event irc_part_message(c: connection, nick: string,
-			chans: string_set, message: string)
-	{
-	check_connection(c);
-
-	local channel_str = "";
-	for ( ch in chans )
-		channel_str = channel_str == "" ?
-			ch : fmt("%s, %s", channel_str, ch);
-
-	log_activity(c, fmt("%s channel '%s'%s",
-				nick == "" ? "leaving" :
-					fmt("user '%s' leaving", nick),
-				channel_str,
-				message == "" ?
-					"" : fmt("with message '%s'", message)));
-
-	# Remove user from channel.
-	if ( nick == "" )
-		return;
-
-	for ( ch in active_channels )
-		{
-		delete (active_channels[ch]$c_users)[nick];
-		delete (active_channels[ch]$c_ops)[nick];
-		if ( nick in active_users )
-			delete (active_users[nick]$u_channels)[ch];
-		}
-	}
-
-event irc_nick_message(c: connection, who: string, newnick: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("%s nick name to '%s'",
-				who == "" ?  "changing" :
-						fmt("user '%s' changing", who),
-				newnick));
-	}
-
-event irc_invalid_nick(c: connection)
-	{
-	check_connection(c);
-	log_activity(c, "changing nick name failed");
-	}
-
-event irc_network_info(c: connection, users: count, services: count,
-			servers: count)
-	{
-	check_connection(c);
-	log_activity(c, fmt("network includes %d users, %d services, %d servers",
-				users, services, servers));
-	}
-
-event irc_server_info(c: connection, users: count, services: count,
-			servers: count)
-	{
-	check_connection(c);
-	log_activity(c, fmt("server includes %d users, %d services, %d peers",
-				users, services, servers));
-	}
-
-event irc_channel_info(c: connection, chans: count)
-	{
-	check_connection(c);
-	log_activity(c, fmt("network includes %d channels", chans));
-	}
-
-event irc_who_line(c: connection, target_nick: string, channel: string,
-			user: string, host: string, server: string,
-			nick: string, params: string, hops: count,
-			real_name: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("channel '%s' includes '%s' on %s connected to %s with nick '%s', real name '%s', params %s",
-				channel, user, host, server,
-				nick, real_name, params));
-
-	if ( nick == "" || channel == "" )
-		return;
-
-	if ( nick in active_users )
-		active_users[nick]$u_conn = c;
-
-	else
-		{
-		local myuser: irc_user;
-		myuser$u_nick = nick;
-		myuser$u_real = real_name;
-		myuser$u_conn = c;
-		myuser$u_host = host;
-		myuser$u_is_operator = F;
-		add myuser$u_channels[channel];
-
-		active_users[nick] = myuser;
-
-		if ( channel in active_channels )
-			add (active_channels[channel]$c_users)[nick];
-		else
-			{
-			local my_c: irc_channel;
-			my_c$c_name = channel;
-			add my_c$c_users[nick];
-			my_c$c_type = "";
-			my_c$c_modes = "";
-
-			active_channels[channel] = my_c;
-			}
-		}
-	}
-
-event irc_who_message(c: connection, mask: string, oper: bool)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("WHO with mask %s%s", mask,
-				oper ? ", only operators" : ""));
-	}
-
-event irc_whois_message(c: connection, server: string, users: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("WHOIS%s for user(s) %s",
-				server == "" ?
-					server : fmt(" to server %s", server),
-				users));
-	}
-
-event irc_whois_user_line(c: connection, nick: string,
-				user: string, host: string, real_name: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("user '%s' with nick '%s' on host %s has real name '%s'",
-				user, nick, host, real_name));
-
-	if ( nick in active_users )
-		{
-		active_users[nick]$u_real = real_name;
-		active_users[nick]$u_host = host;
-		}
-	else
-		{
-		local u: irc_user;
-		u$u_nick = nick;
-		u$u_real = real_name;
-		u$u_conn = c;
-		u$u_host = host;
-		u$u_is_operator = F;
-
-		active_users[nick] = u;
-		}
-	}
-
-event irc_whois_operator_line(c: connection, nick: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("user '%s' is an IRC operator", nick));
-
-	if ( nick in active_users )
-		active_users[nick]$u_is_operator = T;
-	else
-		{
-		local u: irc_user;
-		u$u_nick = nick;
-		u$u_real = "";
-		u$u_conn = c;
-		u$u_host = "";
-		u$u_is_operator = T;
-
-		active_users[nick] = u;
-		}
-	}
-
-event irc_whois_channel_line(c: connection, nick: string, chans: string_set)
-	{
-	check_connection(c);
-
-	local message = fmt("user '%s' is on channels:", nick);
-	for ( channel in chans )
-		message = fmt("%s %s", message, channel);
-
-	log_activity(c, message);
-
-	if ( nick in active_users )
-		{
-		for ( ch in chans )
-			add active_users[nick]$u_channels[ch];
-		}
-	else
-		{
-		local u: irc_user;
-		u$u_nick = nick;
-		u$u_real = "";
-		u$u_conn = c;
-		u$u_host = "";
-		u$u_is_operator = F;
-		u$u_channels = chans;
-
-		active_users[nick] = u;
-		}
-
-	for ( ch in chans )
-		{
-		if ( ch in active_channels )
-			add (active_channels[ch]$c_users)[nick];
-		else
-			{
-			local my_c: irc_channel;
-			my_c$c_name = ch;
-			add my_c$c_users[nick];
-			my_c$c_type = "";
-			my_c$c_modes = "";
-
-			active_channels[ch] = my_c;
-			}
-		}
-	}
-
-event irc_oper_message(c: connection, user: string, password: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("user requests operator status with name '%s', password '%s'",
-				user, password));
-	}
-
-event irc_oper_response(c: connection, got_oper: bool)
-	{
-	check_connection(c);
-	log_activity(c, fmt("user %s operator status",
-				got_oper ? "received" : "did not receive"));
-	}
-
-event irc_kick_message(c: connection, prefix: string, chans: string,
-			users: string, comment: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("user '%s' requested to kick '%s' from channel(s) %s with comment %s",
-				prefix, users, chans, comment));
-	}
-
-event irc_error_message(c: connection, prefix: string, message: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("error message%s: %s",
-				prefix == "" ? "" : fmt("from '%s'", prefix),
-				message));
-	}
-
-event irc_invite_message(c: connection, prefix: string,
-				nickname: string, channel: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("'%s' invited to channel %s%s",
-				nickname, channel,
-				prefix == "" ? "" : fmt(" by %s", prefix)));
-	}
-
-event irc_mode_message(c: connection, prefix: string, params: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("mode command%s: %s",
-				prefix == "" ? "" : fmt(" from '%s'", prefix),
-				params));
-	}
-
-event irc_squit_message(c: connection, prefix: string,
-			server: string, message: string)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("server disconnect attempt%s for %s with comment %s",
-				prefix == "" ? "" : fmt(" from '%s'", prefix),
-				server, message));
-	}
-
-event irc_names_info(c: connection, c_type: string, channel: string,
-			users: string_set)
-	{
-	check_connection(c);
-
-	local chan_type =
-		c_type == "@" ? "secret" :
-			(c_type == "*" ? "private" : "public");
-
-	local message = fmt("channel '%s' (%s) contains users:",
-				channel, chan_type);
-
-	for ( user in users )
-		message = fmt("%s %s", message, user);
-
-	log_activity(c, message);
-
-	if ( channel in active_channels )
-		{
-		for ( u in users )
-			add (active_channels[channel]$c_users)[u];
-		}
-	else
-		{
-		local my_c: irc_channel;
-		my_c$c_name = channel;
-		my_c$c_users = users;
-		my_c$c_type = "";
-		my_c$c_modes = "";
-
-		active_channels[channel] = my_c;
-		}
-
-	for ( nick in users )
-		{
-		if ( nick in active_users )
-			add (active_users[nick]$u_channels)[channel];
-		else
-			{
-			local usr: irc_user;
-			usr$u_nick = nick;
-			usr$u_real = "";
-			usr$u_conn = c;
-			usr$u_host = "";
-			usr$u_is_operator = F;
-			add usr$u_channels[channel];
-
-			active_users[nick] = usr;
-			}
-		}
-	}
-
-event irc_dcc_message(c: connection, prefix: string, target: string,
-			dcc_type: string, argument: string,
-			address: addr, dest_port: count, size: count)
-	{
-	check_connection(c);
-
-	log_activity(c, fmt("DCC %s invitation for '%s' to host %s on port %s%s",
-				dcc_type, target, address, dest_port,
-				dcc_type == "SEND" ?
-					fmt(" (%s: %s bytes)", argument, size) :
-					""));
-	}
-
-event irc_channel_topic(c: connection, channel: string, topic: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("topic for %s is '%s'", channel, topic));
-	}
-
-event irc_password_message(c: connection, password: string)
-	{
-	check_connection(c);
-	log_activity(c, fmt("password %s", password));
-	}
-
-function expired_user(t: table[string] of irc_user, idx: string): interval
-	{
-	for ( my_c in active_users[idx]$u_channels )
-		{
-		suspend_state_updates();
-		delete active_channels[my_c]$c_users[idx];
-		delete active_channels[my_c]$c_ops[idx];
-		resume_state_updates();
-		}
-
-	return 0 secs;
-	}
-
-function expired_channel(t:table[string] of irc_channel, idx: string): interval
-	{
-	for ( my_u in active_channels[idx]$c_users )
-		if ( my_u in active_users )
-			delete active_users[my_u]$u_channels[idx];
-		# Else is there a possible state leak?  How could it not
-		# be in active_users?  Yet sometimes it isn't, which
-		# is why we needed to add the above test.
-
-	return 0 secs;
-	}
-
-function check_connection(c: connection)
-	{
-	if ( c$id !in conn_list )
-		{
-		++conn_ID;
-		append_addl(c, fmt("#%d", conn_ID));
-		conn_list[c$id] = conn_ID;
-
-		log_activity(c, fmt("new connection %s", id_string(c$id)));
-		}
-	}
diff --git a/policy/large-conns.bro b/policy/large-conns.bro
deleted file mode 100644
index 7c55c8ff1c..0000000000
--- a/policy/large-conns.bro
+++ /dev/null
@@ -1,336 +0,0 @@
-# $Id: large-conns.bro 1332 2005-09-07 17:39:17Z vern $
-
-# Written by Chema Gonzalez.
-
-
-# Estimates the size of large "flows" (i.e., each direction of a TCP
-# connection) by noting when their sequence numbers cross a set of regions
-# in the sequence space.  This can be done using a static packet filter,
-# so is very efficient.  It works for (TCP) traffic that Bro otherwise doesn't
-# see.
-
-# Usage
-#
-# 1) Set the appropriate number_of_regions and region_size:
-#
-#    Modify the number_of_regions and (perhaps) region_size global
-#    variables.  You do this *prior* to loading this script, so
-#    for example:
-#
-#	const number_of_regions = 32;
-#	@load large-conns
-#
-#    You do *not* redef them like you would with other script variables
-#    (this is because they need to be used directly in the initializations
-#    of other variables used by this script).
-#
-#    Note that number_of_regions affects the granularity
-#    and definition of the script (see below).
-#
-# 2) To get an estimate of the true size of a flow, call:
-#
-#	function estimate_flow_size_and_remove(cid: conn_id, orig: bool):
-#								flow_size_est
-#
-#    If orig=T, then an estimate of the size of the forward (originator)
-#    direction is returned.  If orig=F, then the reverse (responder)
-#    direction is returned.  In both cases, what's returned is a
-#    flow_size_est, which includes a flag indicating whether there was
-#    any estimate formed, and, if the flag is T, a lower bound, an upper bound,
-#    and an inconsistency-count (which, if > 0, means that the estimates
-#    came from sequence numbers that were inconsistent, and thus something
-#    is wrong - perhaps packet drops by the secondary filter).  Finally,
-#    calling this function causes the flow's record to be deleted.  Perhaps
-#    at some point we'll need to add a version that just retrieves the
-#    estimate.
-
-type flow_size_est: record {
-	have_est: bool;
-	lower: double &optional;
-	upper: double &optional;
-	num_inconsistent: count &optional;
-};
-
-global estimate_flow_size_and_remove:
-	function(cid: conn_id, orig: bool): flow_size_est;
-
-module LargeConn;
-
-
-# Rationale
-#
-# One of the mechanisms that Bro uses to detect large TCP flows is 
-# to calculate the difference in the sequence number (seq) field contents 
-# between the last packet (FIN or RST) and the first packet (SYN). This 
-# method may be wrong if a) the seq number is busted (which can happen
-# frequently with RST termination), or b) the seq number wraps around
-# the 4GB sequence number space (note that this is OK for TCP while
-# there is no ambiguity on what a packet's sequence number means,
-# due to its use of a window <= 2 GB in size).
-#
-# The purpose of this script is to resolve these ambiguities. In other 
-# words, help with differentiating truly large flows from flows with
-# a busted seq, and detecting very large flows that wrap around the
-# 4GB seq space. 
-#
-# To do so, large-flow listens to a small group of thin regions in
-# the sequence space, located at equal distances from each other. The idea 
-# is that a truly large flow will pass through the regions in 
-# an orderly fashion, maybe several times. This script keeps track of 
-# all packets that pass through any of the regions, counting the number 
-# of times a packet from a given flow passes through consecutive regions. 
-#
-# Note that the exact number of regions, and the size of each region, can 
-# be controlled by redefining the global variables number_of_regions 
-# and region_size, respectively.  Both should be powers of two (if not,
-# they are rounded to be such), and default to 4 and 16KB, respectively. 
-# The effect of varying these parameters is the following:
-#
-# - Increasing number_of_regions will increase the granularity of the 
-#   script, at the cost of elevating its cost in both processing (more 
-#   packets will be seen) and memory (more flows will be seen). 
-#   The granularity of the script is defined as the minimum variation 
-#   in size the script can see. Its value is: 
-#
-#     granularity = (4GB / number_of_regions)
-#
-#   For example, if we're using 4 regions, the minimum flow size difference
-#   that the script can see is 1GB.
-#
-#   number_of_regions also affects the script definition, defined as the 
-#   smallest size of a flow which ensures that the flow will be seen by
-#   the script. The script definition is:
-#
-#     definition = (2 * granularity)
-#
-#   The script sees no flow smaller than the granularity, some flows with
-#   size between granularity and definition, and all flows larger than
-#   definition. In our example, the script definition is 2GB (it will see
-#   for sure only flows bigger than 2GB). 
-#
-# - Increasing region_size will only increase the resilience of the script 
-#   to lost packets, at the cost of augmenting the cost in both processing 
-#   and memory (see above). The default value of 16 KB is chosen to work
-#   in the presence of largish packets without too much additional work.
-
-# Set up defaults, unless the user has already specified these.  Note that
-# these variables are *not* redef'able, since they are used in initializations
-# later in this script (so a redef wouldn't be "seen" in time).
-@ifndef ( number_of_regions )
-	const number_of_regions = 4;
-@endif
-@ifndef ( region_size )
-	const region_size = 16 * 1024;	# 16 KB
-@endif
-
-
-# Track the regions visited for each flow.
-type t_info: record {
-	last_region: count;	# last region visited
-	num_regions: count;	# number of regions visited
-	num_inconsistent: count;	# num. inconsistent region crossings
-};
-
-# The state expiration for this table needs to be generous, as it's
-# for tracking very large flows, which could be quite long-lived.
-global flow_region_info: table[conn_id] of t_info &write_expire = 6 hr;
-
-
-# Returns the integer logarithm in base b.
-function logarithm(base: count, x: count): count
-	{
-	if ( x < base )
-		return 0;
-	else
-		return 1 + logarithm(base, x / base);
-	}
-
-
-# Function used to get around Bro's lack of real ordered loop.
-function do_while(i: count, max: count, total: count,
-			f: function(i: count, total: count): count): count
-	{
-	if ( i >= max )
-		return total;
-	else
-		return do_while(++i, max, f(--i, total), f);
-	}
-
-function fn_mask_location(i: count, total: count): count
-	{
-	return total * 2 + 1;
-	}
-
-function fn_filter_location(i: count, total: count): count
-	{
-	# The location pattern is 1010101010...
-	return total * 2 + (i % 2 == 0 ? 1 : 0);
-	}
-
-function fn_common_region_size(i: count, total: count): count
-	{
-	return total * 2;
-	}
-
-
-function get_interregion_distance(number_of_regions: count,
-					region_size: count): count
-	{
-	local bits_number_of_regions = logarithm(2, number_of_regions);
-	local bits_other = int_to_count(32 - bits_number_of_regions);
-
-	return do_while(0, bits_other, 1, fn_common_region_size);
-	}
-
-
-global interregion_distance =
-	get_interregion_distance(number_of_regions, region_size);
-
-
-# Returns an estiamte of size of the flow (one direction of a TCP connection)
-# that this script has seen. This is based on the number of consecutive
-# regions a flow has visited, weighted with the distance between regions.  
-#
-# We know that the full sequence number space accounts for 4GB. This 
-# space comprises number_of_regions regions, separated from each other 
-# a (4GB / number_of_regions) distance. If a flow has been seen 
-# in X consecutive regions, it means that the size of the flow is 
-# greater than ((X - 1) * distance_between_regions) GB. 
-#
-# Note that seeing a flow in just one region is no different from 
-# not seeing it at all. 
-function estimate_flow_size_and_remove(cid: conn_id, orig: bool): flow_size_est
-	{
-	local id = orig ? cid :
-			  [$orig_h = cid$resp_h, $orig_p = cid$resp_p,
-			   $resp_h = cid$orig_h, $resp_p = cid$orig_p];
-
-	if ( id !in flow_region_info )
-		return [$have_est = F];
-
-	local regions_crossed =
-		int_to_count(flow_region_info[id]$num_regions - 1);
-
-	local lower = regions_crossed * interregion_distance * 1.0;
-	local upper = lower + interregion_distance * 2.0;
-	local num_inconsis = flow_region_info[id]$num_inconsistent;
-
-	delete flow_region_info[id];
-
-	return [$have_est = T, $lower = lower, $upper = upper,
-		$num_inconsistent = num_inconsis];
-	}
-
-
-# Returns a tcpdump filter corresponding to the number of regions and 
-# region size requested by the user.
-#
-# How to calculate the tcpdump filter used to hook packet_event to the 
-# secondary filter system?  We are interested only in TCP packets whose
-# seq number belongs to any of the test slices. Let's focus on the case
-# of 4 regions, 16KB per region.
-#
-# The mask should be: [ x x  L L L ... L L L  x x ... x ]
-#                      <---><---------------><--------->
-#                       |          |            |
-#                       |          |            +-> suffix: region size
-#                       |          +-> location: remaining bits
-#                       +-> prefix: number of equidistant regions
-#
-# The 32-bit seq number is masked as follows: 
-#
-#   - suffix: defines size of the regions (16KB implies log_2(16KB) = 14 bits)
-#
-#   - location: defines the exact location of the 4 regions. Note that, to 
-#     minimize the amount of data we keep, the location will be distinct from
-#     zero, so segments with seq == 0 are not in a valid region
-#
-#   - prefix: defines number of regions (4 implies log_2(4) = 2 bits)
-#
-# E.g., the mask will be seq_number & 0011...1100..00_2 = 00LL..LL00..00_2,
-# which, by setting the location to 1010101010101010, will finally be
-# seq_number & 0011...1100..00_2 = 00101010101010101000..00_2, i.e., 
-# seq_number & 0x3fffc000 = 0x2aaa8000. 
-#
-# For that particular parameterization, we'd like to wind up with a
-# packet event filter of "(tcp[4:4] & 0x3fffc000) == 0x2aaa8000".
-
-function get_event_filter(number_of_regions: count, region_size: count): string
-	{
-	local bits_number_of_regions = logarithm(2, number_of_regions);
-	local bits_region_size = logarithm(2, region_size);
-	local bits_remaining = 
-		int_to_count(32 - bits_number_of_regions - bits_region_size);
-
-	# Set the bits corresponding to the location:
-	#	i = 0;
-	#	while ( i < bits_remaining )
-	#		{
-	#		mask = (mask * 2) + 1;
-	#		filter = (filter * 2) + (((i % 2) == 0) ? 1 : 0);
-	#		++i;
-	#		}
-	local mask = do_while(0, bits_remaining, 0, fn_mask_location);
-	local filter = do_while(0, bits_remaining, 0, fn_filter_location);
-
-	# Set the bits corrsponding to the region size
-	#	i = 0;
-	#	while ( i < bits_region_size )
-	#		{
-	#		mask = mask * 2;
-	#		filter = filter * 2;
-	#		++i;
-	#		}
-	mask = do_while(0, bits_region_size, mask, fn_common_region_size);
-	filter = do_while(0, bits_region_size, filter, fn_common_region_size);
-
-	return fmt("(tcp[4:4] & 0x%x) == 0x%x", mask, filter);
-	}
-
-
-# packet_event --
-#
-# This event is raised once per (TCP) packet falling into any of the regions. 
-# It updates the flow_region_info table. 
-event packet_event(filter: string, pkt: pkt_hdr)
-	{
-	# Distill the region from the seq number.
-	local region = pkt$tcp$seq / interregion_distance;
-
-	# Get packet info and update global counters.
-	local cid = [$orig_h = pkt$ip$src, $orig_p = pkt$tcp$sport,
-			$resp_h = pkt$ip$dst, $resp_p = pkt$tcp$dport];
-
-	if ( cid !in flow_region_info )
-		{
-		flow_region_info[cid] =
-			[$last_region = region, $num_regions = 1,
-			 $num_inconsistent = 0];
-		return;
-		}
-
-	local info = flow_region_info[cid];
-	local next_region = (info$last_region + 1) % number_of_regions;
-
-	if ( region == next_region )
-		{ # flow seen in the next region
-		info$last_region = region;
-		++info$num_regions;
-		}
-
-	else if ( region == info$last_region )
-		{ # flow seen in the same region, ignore
-		}
-	else 
-		{
-		# Flow seen in another region (not the next one).
-		info$last_region = region;
-		info$num_regions = 1;	# restart accounting
-		++info$num_inconsistent;
-		}
-	}
-
-
-# Glue the filter into the secondary filter hookup.
-global packet_event_filter = get_event_filter(number_of_regions, region_size);
-redef secondary_filters += { [packet_event_filter] = packet_event };
diff --git a/policy/listen-clear.bro b/policy/listen-clear.bro
deleted file mode 100644
index 0922bc053e..0000000000
--- a/policy/listen-clear.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-clear.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Listen for other Bros (non-SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_clear = Remote::default_port_clear &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_clear = 0.0.0.0 &redef;
-
-event bro_init()
-	{
-	listen(listen_if_clear, listen_port_clear, F);
-	}
diff --git a/policy/listen-ssl.bro b/policy/listen-ssl.bro
deleted file mode 100644
index fdf22a8e30..0000000000
--- a/policy/listen-ssl.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-ssl.bro 1015 2005-01-31 13:46:50Z kreibich $
-#
-# Listen for other Bros (SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_ssl = Remote::default_port_ssl &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_ssl = 0.0.0.0 &redef;
-
-event bro_init()
-	{
-	listen(listen_if_ssl, listen_port_ssl, T);
-	}
diff --git a/policy/load-level.bro b/policy/load-level.bro
deleted file mode 100644
index b8f9730bde..0000000000
--- a/policy/load-level.bro
+++ /dev/null
@@ -1,194 +0,0 @@
-# $Id: load-level.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Support for shedding/reinstating load.
-
-@load notice
-
-# If no load_level is given, a filter is always activated.
-#
-# If a level is given for a filter (using the same ID than in
-# {capture,restrict}_filter), then:
-#
-#     -  a capture_filter is activated if current load_level is <=
-#     -  a restrict_filter is activated if current load_level is >=
-
-global capture_load_levels: table[string] of PcapFilterID &redef;
-global restrict_load_levels: table[string] of PcapFilterID &redef;
-
-redef enum PcapFilterID += {
-	LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
-	LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10,
-};
-
-const Levels = {
-	LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
-	LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10
-};
-
-# The load-level cannot not leave this interval.
-const MinLoad = LoadLevel1;
-const MaxLoad = LoadLevel10;
-
-# The initial load-level.
-global default_load_level = LoadLevel10 &redef;
-
-# Set to 0 to turn off any changes of the filter.
-global can_adjust_filter = T &redef;
-
-global current_load_level = DefaultPcapFilter;
-
-global ll_file = open_log_file("load-level");
-
-# Interface functions for switching load levels.
-
-function set_load_level(level: PcapFilterID): bool
-	{
-	if ( level == current_load_level )
-		return T;
-
-	if ( ! can_adjust_filter )
-		{
-		print ll_file, fmt("%.6f can't set %s (load-levels are turned off)", network_time(), level);
-		return F;
-		}
-
-	if ( ! install_pcap_filter(level) )
-		{
-		print ll_file, fmt("%.6f can't set %s (install failed)", network_time(), level);
-
-		# Don't try again.
-		can_adjust_filter = F;
-		return F;
-		}
-
-	current_load_level = level;
-
-	print ll_file, fmt("%.6f switched to %s", network_time(), level);
-
-	return T;
-	}
-
-# Too bad that we can't use enums like integers...
-const IncreaseLoadLevelTab = {
-	[LoadLevel1] = LoadLevel2,
-	[LoadLevel2] = LoadLevel3,
-	[LoadLevel3] = LoadLevel4,
-	[LoadLevel4] = LoadLevel5,
-	[LoadLevel5] = LoadLevel6,
-	[LoadLevel6] = LoadLevel7,
-	[LoadLevel7] = LoadLevel8,
-	[LoadLevel8] = LoadLevel9,
-	[LoadLevel9] = LoadLevel10,
-	[LoadLevel10] = LoadLevel10,
-};
-
-const DecreaseLoadLevelTab = {
-	[LoadLevel1] = LoadLevel1,
-	[LoadLevel2] = LoadLevel1,
-	[LoadLevel3] = LoadLevel2,
-	[LoadLevel4] = LoadLevel3,
-	[LoadLevel5] = LoadLevel4,
-	[LoadLevel6] = LoadLevel5,
-	[LoadLevel7] = LoadLevel6,
-	[LoadLevel8] = LoadLevel7,
-	[LoadLevel9] = LoadLevel8,
-	[LoadLevel10] = LoadLevel9,
-};
-
-const LoadLevelToInt = {
-	[DefaultPcapFilter] = 0,
-	[LoadLevel1] = 1,
-	[LoadLevel2] = 2,
-	[LoadLevel3] = 3,
-	[LoadLevel4] = 4,
-	[LoadLevel5] = 5,
-	[LoadLevel6] = 6,
-	[LoadLevel7] = 7,
-	[LoadLevel8] = 8,
-	[LoadLevel9] = 9,
-	[LoadLevel10] = 10,
-};
-
-function increase_load_level()
-	{
-	set_load_level(IncreaseLoadLevelTab[current_load_level]);
-	}
-
-function decrease_load_level()
-	{
-	set_load_level(DecreaseLoadLevelTab[current_load_level]);
-	}
-
-
-# Internal functions.
-
-function load_level_error()
-	{
-	print ll_file, fmt("%.6f Error, switching back to DefaultPcapFilter",
-				network_time());
-
-	install_default_pcap_filter();
-
-	# Don't try changing the load level any more.
-	can_adjust_filter = F;
-	}
-
-function build_load_level_filter(level: PcapFilterID): string
-	{
-	# Build up capture_filter.
-	local cfilter = "";
-
-	for ( id in capture_filters )
-		{
-		if ( id !in capture_load_levels ||
-		     LoadLevelToInt[level] <= LoadLevelToInt[capture_load_levels[id]] )
-			cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
-		}
-
-	# Build up restrict_filter.
-	local rfilter = "";
-	for ( id in restrict_filters )
-		{
-		if ( id !in restrict_load_levels ||
-		     LoadLevelToInt[level] >= LoadLevelToInt[restrict_load_levels[id]] )
-			rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
-		}
-
-	return join_filters(cfilter, rfilter);
-	}
-
-function precompile_load_level_filters(): bool
-	{
-	print ll_file, fmt("%.6f <<< Begin of precompilation", network_time() );
-
-	for ( i in Levels )
-		{
-		local filter = build_load_level_filter(i);
-
-		if ( ! precompile_pcap_filter(i, filter) )
-			{
-			print ll_file, fmt("%.6f Level %d: %s",
-				network_time(), LoadLevelToInt[i], pcap_error());
-			load_level_error();
-			return F;
-			}
-
-		print ll_file, fmt("%.6f  Level %2d: %s", network_time(), LoadLevelToInt[i], filter);
-		}
-
-	print ll_file, fmt("%.6f >>> End of precompilation", network_time() );
-
-	return T;
-	}
-
-
-event bro_init()
-	{
-	set_buf(ll_file, F);
-	precompile_load_level_filters();
-	set_load_level(default_load_level);
-
-	# Don't adjust the filter when reading a trace.
-	if ( ! reading_live_traffic() )
-		can_adjust_filter = F;
-	}
diff --git a/policy/load-sample.bro b/policy/load-sample.bro
deleted file mode 100644
index 16b26580ab..0000000000
--- a/policy/load-sample.bro
+++ /dev/null
@@ -1,43 +0,0 @@
-# $Id: load-sample.bro 1758 2005-11-22 00:58:10Z vern $
-
-# A simple form of profiling based on sampling the work done per-packet.
-# load_sample() is generated every load_sample_freq packets (roughly;
-# it's randomized).  For each sampled packet, "samples" contains a set
-# of the functions, event handlers, and their source files that were accessed
-# during the processing of that packet, along with an estimate of the
-# CPU cost of processing the packet and (currently broken) memory allocated/
-# freed.
-
-global sampled_count: table[string] of count &default = 0;
-global sampled_CPU: table[string] of interval &default = 0 sec;
-global sampled_mem: table[string] of int &default = +0;
-
-global num_samples = 0;
-global total_sampled_CPU = 0 sec;
-global total_sampled_mem = +0;
-
-event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
-	{
-	++num_samples;
-	total_sampled_CPU += CPU;
-	total_sampled_mem += dmem;
-
-	if ( |samples| == 0 )
-		add samples["<nothing>"];
-
-	for ( i in samples )
-		{
-		++sampled_count[i];
-		sampled_CPU[i] += CPU;
-		sampled_mem[i] += dmem;
-		}
-	}
-
-event bro_done()
-	{
-	for ( i in sampled_CPU )
-		print fmt("%s: %d%% pkts, %.1f%% CPU",
-			i, sampled_count[i] * 100 / num_samples,
-			sampled_CPU[i] * 100 / total_sampled_CPU);
-			# sampled_mem[i] / total_sampled_mem;
-	}
diff --git a/policy/log-append.bro b/policy/log-append.bro
deleted file mode 100644
index 440b78a894..0000000000
--- a/policy/log-append.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: log-append.bro 2797 2006-04-23 05:56:24Z vern $
-
-# By default, logs are overwritten when opened, deleting the contents
-# of any existing log of the same name.  Loading this module changes the
-# behavior to appending.
-
-function open_log_file(tag: string): file
-	{
-	return open_for_append(log_file_name(tag));
-	}
diff --git a/policy/login.bro b/policy/login.bro
deleted file mode 100644
index 26d32ca08c..0000000000
--- a/policy/login.bro
+++ /dev/null
@@ -1,680 +0,0 @@
-# $Id: login.bro 6481 2008-12-15 00:47:57Z vern $
-
-@load notice
-@load weird
-@load hot-ids
-@load conn
-# scan.bro is needed for "account_tried" event.
-@load scan
-@load demux
-@load terminate-connection
-
-module Login;
-
-global telnet_ports = { 23/tcp } &redef;
-redef dpd_config += { [ANALYZER_TELNET] = [$ports = telnet_ports] };
-
-global rlogin_ports = { 513/tcp } &redef;
-redef dpd_config += { [ANALYZER_RLOGIN] = [$ports = rlogin_ports] };
-
-export {
-	redef enum Notice += {
-		SensitiveLogin,		# interactive login using sensitive username
-
-		# Interactive login seen using forbidden username, but the analyzer
-		# was confused in following the login dialog, so may be in error.
-		LoginForbiddenButConfused,
-
-		# During a login dialog, a sensitive username (e.g., "rewt") was
-		# seen in the user's *password*.  This is reported as a notice
-		# because it could be that the login analyzer didn't track the
-		# authentication dialog correctly, and in fact what it thinks is
-		# the user's password is instead the user's username.
-		SensitiveUsernameInPassword,
-	};
-
-	# If these patterns appear anywhere in the user's keystrokes, do a notice.
-	const input_trouble =
-		  /rewt/
-		| /eggdrop/
-		| /\/bin\/eject/
-		| /oir##t/
-		| /ereeto/
-		| /(shell|xploit)_?code/
-		| /execshell/
-		| /ff\.core/
-		| /unset[ \t]+(histfile|history|HISTFILE|HISTORY)/
-		| /neet\.tar/
-		| /r0kk0/
-		| /su[ \t]+(daemon|news|adm)/
-		| /\.\/clean/
-		| /rm[ \t]+-rf[ \t]+secure/
-		| /cd[ \t]+\/dev\/[a-zA-Z]{3}/
-		| /solsparc_lpset/
-		| /\.\/[a-z]+[ \t]+passwd/
-		| /\.\/bnc/
-		| /bnc\.conf/
-		| /\"\/bin\/ksh\"/
-		| /LAST STAGE OF DELIRIUM/
-		| /SNMPXDMID_PROG/
-		| /snmpXdmid for solaris/
-		| /\"\/bin\/uname/
-		| /gcc[ \t]+1\.c/
-		| />\/etc\/passwd/
-		| /lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc)/
-		| /gcc.*\/bin\/login/
-		| /#define NOP.*0x/
-		| /printf\(\"overflowing/
-		| /exec[a-z]*\(\"\/usr\/openwin/
-		| /perl[ \t]+.*x.*[0-9][0-9][0-9][0-9]/
-		| /ping.*-s.*%d/
-	&redef;
-
-	# If this pattern appears anywhere in the user's input after applying
-	# <backspace>/<delete> editing, do a notice ...
-	const edited_input_trouble =
-		/[ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t]))/
-	&redef;
-
-	# ... *unless* the corresponding output matches this:
-	const output_indicates_input_not_trouble = /No such file or directory/ &redef;
-
-	# NOTICE on these, but only after waiting for the corresponding output,
-	# so it can be displayed at the same time.
-	const input_wait_for_output = edited_input_trouble &redef;
-
-	# If the user's entire input matches this pattern, do a notice.  Putting
-	# "loadmodule" here rather than in input_trouble is just to illustrate
-	# the idea, it could go in either.
-	const full_input_trouble = /.*loadmodule.*/ &redef;
-
-	# If the following appears anywhere in the user's output, do a notice.
-	const output_trouble =
-		  /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
-		| /Jumping to address/
-		| /Jumping Address/
-		| /smashdu\.c/
-		| /PATH_UTMP/
-		| /Log started at =/
-		| /www\.anticode\.com/
-		| /www\.uberhax0r\.net/
-		| /smurf\.c by TFreak/
-		| /Super Linux Xploit/
-		| /^# \[root@/
-		| /^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh)/
-		| /invisibleX/
-		| /PATH_(UTMP|WTMP|LASTLOG)/
-		| /[0-9]{5,} bytes from/
-		| /(PATH|STAT):\ .*=>/
-		| /----- \[(FIN|RST|DATA LIMIT|Timed Out)\]/
-		| /IDLE TIMEOUT/
-		| /DATA LIMIT/
-		| /-- TCP\/IP LOG --/
-		| /STAT: (FIN|TIMED_OUT) /
-		| /(shell|xploit)_code/
-		| /execshell/
-		| /x86_bsd_compaexec/
-		| /\\xbf\\xee\\xee\\xee\\x08\\xb8/	# from x.c worm
-		| /Coded by James Seter/
-		| /Irc Proxy v/
-		| /Daemon port\.\.\.\./
-		| /BOT_VERSION/
-		| /NICKCRYPT/
-		| /\/etc\/\.core/
-		| /exec.*\/bin\/newgrp/
-		| /deadcafe/
-		| /[ \/]snap\.sh/
-		| /Secure atime,ctime,mtime/
-		| /Can\'t fix checksum/
-		| /Promisc Dectection/
-		| /ADMsn0ofID/
-		| /(cd \/; uname -a; pwd; id)/
-		| /drw0rm/
-		| /[Rr][Ee3][Ww][Tt][Ee3][Dd]/
-		| /rpc\.sadmin/
-		| /AbraxaS/
-		| /\[target\]/
-		| /ID_SENDSYN/
-		| /ID_DISTROIT/
-		| /by Mixter/
-		| /rap(e?)ing.*using weapons/
-		| /spsiod/
-		| /[aA][dD][oO][rR][eE][bB][sS][dD]/	# rootkit
-	&redef;
-
-	# Same, but must match entire output.
-	const full_output_trouble = /.*Trojaning in progress.*/ &redef;
-
-	const backdoor_prompts =
-		  /^[!-~]*( ?)[#%$] /
-		| /.*no job control/
-		| /WinGate>/
-	&redef;
-
-	const non_backdoor_prompts = /^ *#.*#/ &redef;
-	const hot_terminal_types = /VT666|007/ &redef;
-	const hot_telnet_orig_ports = { 53982/tcp, } &redef;
-	const router_prompts: set[string] &redef;
-	const non_ASCII_hosts: set[addr] &redef;
-	const skip_logins_to = { non_ASCII_hosts, } &redef;
-	const always_hot_login_ids = { always_hot_ids } &redef;
-	const hot_login_ids = { hot_ids } &redef;
-	const rlogin_id_okay_if_no_password_exposed = { "root", } &redef;
-
-	const BS = "\x08";
-	const DEL = "\x7f";
-
-	global new_login_session:
-		function(c: connection, pid: peer_id, output_line: count);
-	global remove_login_session: function(c: connection, pid: peer_id);
-	global ext_set_login_state:
-		function(cid: conn_id, pid: peer_id, state: count);
-	global ext_get_login_state:
-		function(cid: conn_id, pid: peer_id): count;
-}
-
-redef capture_filters += { ["login"] = "port telnet or tcp port 513" };
-
-redef skip_authentication = {
-	"WELCOME TO THE BERKELEY PUBLIC LIBRARY",
-};
-
-redef direct_login_prompts = { "TERMINAL?", };
-
-redef login_prompts = {
-	"Login:", "login:", "Name:", "Username:", "User:", "Member Name",
-	"User Access Verification", "Cisco Systems Console",
-	direct_login_prompts
-};
-
-redef login_non_failure_msgs = {
-	"Failures", "failures",	# probably is "<n> failures since last login"
-	"failure since last successful login",
-	"failures since last successful login",
-};
-
-redef login_non_failure_msgs = {
-	"Failures", "failures",	# probably is "<n> failures since last login"
-	"failure since last successful login",
-	"failures since last successful login",
-} &redef;
-
-redef login_failure_msgs = {
-	"invalid", "Invalid", "incorrect", "Incorrect", "failure", "Failure",
-	# "Unable to authenticate", "unable to authenticate",
-	"User authorization failure",
-	"Login failed",
-	"INVALID", "Sorry.", "Sorry,",
-};
-
-redef login_success_msgs = {
-	"Last login",
-	"Last successful login", "Last   successful login",
-	"checking for disk quotas", "unsuccessful login attempts",
-	"failure since last successful login",
-	"failures since last successful login",
-	router_prompts,
-};
-
-redef login_timeouts = {
-	"timeout", "timed out", "Timeout", "Timed out",
-	"Error reading command input",	# VMS
-};
-
-
-type check_info: record {
-	expanded_line: string;	# line with all possible editing seqs
-	hot: bool;	# whether any editing sequence was a hot user id
-	hot_id: string;	# the ID considered hot
-	forbidden: bool;	# same, but forbidden user id
-};
-
-type login_session_info: record {
-	user: string;
-	output_line: count;	# number of lines seen
-
-	# input string for which we want to match the output.
-	waiting_for_output: string;
-	waiting_for_output_line: count;	# output line we want to match it to
-	state: count;	# valid for external connections only
-};
-
-global login_sessions: table[peer_id, conn_id] of login_session_info;
-
-
-# The next two functions are "external-to-the-event-engine",
-# hence the ext_ prefix.  They're used by the script to manage
-# login state so that they can work with login sessions unknown
-# to the event engine (such as those received from remote peers).
-
-function ext_get_login_state(cid: conn_id, pid: peer_id): count
-	{
-	if ( pid == PEER_ID_NONE )
-		return get_login_state(cid);
-
-	return login_sessions[pid, cid]$state;
-	}
-
-function ext_set_login_state(cid: conn_id, pid: peer_id, state: count)
-	{
-	if ( pid == PEER_ID_NONE )
-		set_login_state(cid, state);
-	else
-		login_sessions[pid, cid]$state = state;
-	}
-
-function new_login_session(c: connection, pid: peer_id, output_line: count)
-	{
-	local s: login_session_info;
-	s$waiting_for_output = s$user = "";
-	s$output_line = output_line;
-	s$state = LOGIN_STATE_AUTHENTICATE;
-
-	login_sessions[pid, c$id] = s;
-	}
-
-function remove_login_session(c: connection, pid: peer_id)
-	{
-	delete login_sessions[pid, c$id];
-	}
-
-function is_login_conn(c: connection): bool
-	{
-	return c$id$resp_p == telnet || c$id$resp_p == rlogin;
-	}
-
-function hot_login(c: connection, pid: peer_id, msg: string, tag: string)
-	{
-	if ( [pid, c$id] in login_sessions )
-		NOTICE([$note=SensitiveLogin, $conn=c,
-			$user=login_sessions[pid, c$id]$user, $msg=msg]);
-	else
-		NOTICE([$note=SensitiveLogin, $conn=c, $msg=msg]);
-
-	++c$hot;
-	demux_conn(c$id, tag, "keys", service_name(c));
-	}
-
-function is_hot_id(id: string, successful: bool, confused: bool): bool
-	{
-	return successful ? id in hot_login_ids :
-		(confused ? id in forbidden_ids :
-			id in always_hot_login_ids);
-	}
-
-function is_forbidden_id(id: string): bool
-	{
-	return id in forbidden_ids || id == forbidden_id_patterns;
-	}
-
-function edit_and_check_line(c: connection, pid: peer_id, line: string,
-				successful: bool): check_info
-	{
-	line = to_lower(line);
-
-	local ctrl_H_edit = edit(line, BS);
-	local del_edit = edit(line, DEL);
-
-	local confused =
-		(ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED);
-	local hot = is_hot_id(line, successful, confused);
-	local hot_id = hot ? line : "";
-	local forbidden = is_forbidden_id(line);
-
-	local eline = line;
-
-	if ( ctrl_H_edit != line )
-		{
-		eline = fmt("%s,%s", eline, ctrl_H_edit);
-		if ( ! hot && is_hot_id(ctrl_H_edit, successful, confused) )
-			{
-			hot = T;
-			hot_id = ctrl_H_edit;
-			}
-
-		forbidden = forbidden || is_forbidden_id(ctrl_H_edit);
-		}
-
-	if ( del_edit != line )
-		{
-		eline = fmt("%s,%s", eline, del_edit);
-		if ( ! hot && is_hot_id(del_edit, successful, confused) )
-			{
-			hot = T;
-			hot_id = del_edit;
-			}
-
-		forbidden = forbidden || is_forbidden_id(del_edit);
-		}
-
-	local results: check_info;
-	results$expanded_line = eline;
-	results$hot = hot;
-	results$hot_id = hot_id;
-	results$forbidden = forbidden;
-
-	return results;
-	}
-
-function edit_and_check_user(c: connection, pid: peer_id, user: string,
-				successful: bool, fmt_s: string): bool
-	{
-	local check = edit_and_check_line(c, pid, user, successful);
-
-	if ( [pid, c$id] !in login_sessions )
-		new_login_session(c, pid, 9999);
-
-	login_sessions[pid, c$id]$user = check$expanded_line;
-
-	c$addl = fmt(fmt_s, c$addl, check$expanded_line);
-
-	if ( check$hot )
-		{
-		++c$hot;
-		demux_conn(c$id, check$hot_id, "keys", service_name(c));
-		}
-
-	if ( check$forbidden )
-		{
-		if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED )
-			NOTICE([$note=LoginForbiddenButConfused, $conn=c,
-				$user = user,
-				$msg=fmt("not terminating %s because confused about state", full_id_string(c))]);
-		else
-			TerminateConnection::terminate_connection(c);
-		}
-
-	return c$hot > 0;
-	}
-
-function edit_and_check_password(c: connection, pid: peer_id, password: string)
-	{
-	local check = edit_and_check_line(c, pid, password, T);
-	if ( check$hot )
-		{
-		++c$hot;
-		NOTICE([$note=SensitiveUsernameInPassword, $conn=c,
-			$user=password,
-			$msg=fmt("%s password: \"%s\"",
-				id_string(c$id), check$expanded_line)]);
-		}
-	}
-
-event login_failure(c: connection, user: string, client_user: string,
-			password: string, line: string)
-	{
-	local pid = get_event_peer()$id;
-
-	event account_tried(c, user, password);
-	edit_and_check_password(c, pid, password);
-
-	if ( c$hot == 0 && password == "" &&
-	     ! edit_and_check_line(c, pid, user, F)$hot )
-		# Don't both reporting it, this was clearly a half-hearted
-		# attempt and it's not a sensitive username.
-		return;
-
-	local user_hot = edit_and_check_user(c, pid, user, F, "%sfail/%s ");
-	if ( client_user != "" && client_user != user &&
-	     edit_and_check_user(c, pid, client_user, F, "%s(%s) ") )
-		user_hot = T;
-
-	if ( user_hot || c$hot > 0 )
-		NOTICE([$note=SensitiveLogin, $conn=c,
-			$user=user, $sub=client_user,
-			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
-	}
-
-event login_success(c: connection, user: string, client_user: string,
-			password: string, line: string)
-	{
-	local pid = get_event_peer()$id;
-
-	Hot::check_hot(c, Hot::APPL_ESTABLISHED);
-	event account_tried(c, user, password);
-	edit_and_check_password(c, pid, password);
-
-	# Look for whether the user name is sensitive; but allow for
-	# some ids being okay if no password was exposed accessing them.
-	local user_hot = F;
-	if ( c$id$resp_p == rlogin && password == "<none>" &&
-	     user in rlogin_id_okay_if_no_password_exposed )
-		append_addl(c, fmt("\"%s\"", user));
-
-	else
-		user_hot = edit_and_check_user(c, pid, user, T, "%s\"%s\" ");
-
-	if ( c$id$resp_p == rlogin && client_user in always_hot_login_ids )
-		{
-		append_addl(c, fmt("(%s)", client_user));
-		demux_conn(c$id, client_user, "keys", service_name(c));
-		user_hot = T;
-		}
-
-	if ( user_hot || c$hot > 0 )
-		NOTICE([$note=SensitiveLogin, $conn=c,
-			$user=user, $sub=client_user,
-			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
-
-	# else if ( password == "" )
-	# 	alarm fmt("%s %s <no password>", id_string(c$id), c$addl);
-
-### use the following if no login_input_line/login_output_line
-# 	else
-# 		{
-# 		set_record_packets(c$id, F);
-# 		skip_further_processing(c$id);
-# 		}
-	}
-
-event login_input_line(c: connection, line: string)
-	{
-	local pid = get_event_peer()$id;
-	local BS_line = edit(line, BS);
-	local DEL_line = edit(line, DEL);
-	if ( input_trouble in line ||
-	### need to merge input_trouble and edited_input_trouble here
-	### ideally, match on input_trouble would tell whether we need
-	### to invoke the edit functions, as an attribute of a .*(^H|DEL)
-	### rule.
-	     input_trouble in BS_line || input_trouble in DEL_line ||
-	     (edited_input_trouble in BS_line &&
-	      # If one is in but the other not, then the one that's not
-	      # is presumably the correct edit, and the one that is, isn't
-	      # in fact edited at all
-	      edited_input_trouble in DEL_line) ||
-	     line == full_input_trouble )
-		{
-		if ( [pid, c$id] !in login_sessions )
-			new_login_session(c, pid, 9999);
-
-		if ( edited_input_trouble in BS_line &&
-		     edited_input_trouble in DEL_line )
-			{
-			login_sessions[pid, c$id]$waiting_for_output = line;
-			login_sessions[pid, c$id]$waiting_for_output_line =
-				# We don't want the *next* line, that's just
-				# the echo of this input.
-				login_sessions[pid, c$id]$output_line + 2;
-			}
-
-		else if ( ++c$hot <= 2 )
-			hot_login(c, pid, fmt("%s input \"%s\"", id_string(c$id), line), "trb");
-		}
-	}
-
-event login_output_line(c: connection, line: string)
-	{
-	local pid = get_event_peer()$id;
-	if ( [pid, c$id] !in login_sessions )
-		new_login_session(c, pid, 9999);
-
-	local s = login_sessions[pid, c$id];
-
-	if ( line != "" && ++s$output_line == 1 )
-		{
-		if ( byte_len(line) < 40 &&
-		     backdoor_prompts in line && non_backdoor_prompts !in line )
-			hot_login(c, pid, fmt("%s possible backdoor \"%s\"", id_string(c$id), line), "trb");
-		}
-
-	if ( s$waiting_for_output != "" &&
-	     s$output_line >= s$waiting_for_output_line )
-		{
-		if ( output_indicates_input_not_trouble !in line )
-			hot_login(c, pid,
-				fmt("%s input \"%s\" yielded output \"%s\"",
-					id_string(c$id),
-					s$waiting_for_output,
-					line),
-				"trb");
-
-		s$waiting_for_output = "";
-		}
-
-	if ( byte_len(line) < 256 &&
-	     (output_trouble in line || line == full_output_trouble) &&
-	     ++c$hot <= 2 )
-		hot_login(c, pid, fmt("%s output \"%s\"", id_string(c$id), line), "trb");
-	}
-
-event login_confused(c: connection, msg: string, line: string)
-	{
-	Hot::check_hot(c, Hot::APPL_ESTABLISHED);
-
-	append_addl(c, "<confused>");
-
-	if ( line == "" )
-		print Weird::weird_file, fmt("%.6f %s %s", network_time(), id_string(c$id), msg);
-	else
-		print Weird::weird_file, fmt("%.6f %s %s (%s)", network_time(), id_string(c$id), msg, line);
-
-	set_record_packets(c$id, T);
-	}
-
-event login_confused_text(c: connection, line: string)
-	{
-	local pid = get_event_peer()$id;
-	if ( c$hot == 0 && edit_and_check_line(c, pid, line, F)$hot )
-		{
-		local ignore =
-			edit_and_check_user(c, pid, line, F, "%sconfused/%s ");
-		NOTICE([$note=SensitiveLogin, $conn=c,
-			$user=line,
-			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
-		set_record_packets(c$id, T);
-		}
-	}
-
-event login_terminal(c: connection, terminal: string)
-	{
-	local pid = get_event_peer()$id;
-	if ( hot_terminal_types in terminal )
-		hot_login(c, pid,
-			fmt("%s term %s", id_string(c$id), terminal), "trb");
-	}
-
-event login_prompt(c: connection, prompt: string)
-	{
-	# Could check length >= 6, per Solaris exploit ...
-	local pid = get_event_peer()$id;
-	hot_login(c, pid,
-		fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb");
-	}
-
-event excessive_line(c: connection)
-	{
-	if ( is_login_conn(c) )
-		{
-		local pid = get_event_peer()$id;
-
-		if ( ! c$hot && c$id$resp_h in non_ASCII_hosts )
-			{
-			ext_set_login_state(c$id, pid, LOGIN_STATE_SKIP);
-			set_record_packets(c$id, F);
-			}
-		else if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_AUTHENTICATE )
-			{
-			event login_confused(c, "excessive_line", "");
-			ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
-			}
-		}
-	}
-
-event inconsistent_option(c: connection)
-	{
-	print Weird::weird_file, fmt("%.6f %s inconsistent option", network_time(), id_string(c$id));
-	}
-
-event bad_option(c: connection)
-	{
-	print Weird::weird_file, fmt("%.6f %s bad option", network_time(), id_string(c$id));
-	}
-
-event bad_option_termination(c: connection)
-	{
-	print Weird::weird_file, fmt("%.6f %s bad option termination", network_time(), id_string(c$id));
-	}
-
-event authentication_accepted(name: string, c: connection)
-	{
-	local addl_msg = fmt("auth/%s", name);
-	append_addl(c, addl_msg);
-	}
-
-event authentication_rejected(name: string, c: connection)
-	{
-	append_addl(c, fmt("auth-failed/%s", name));
-	}
-
-event authentication_skipped(c: connection)
-	{
-	append_addl(c, "(skipped)");
-	skip_further_processing(c$id);
-
-	if ( ! c$hot )
-		set_record_packets(c$id, F);
-	}
-
-event connection_established(c: connection)
-	{
-	if ( is_login_conn(c) )
-		{
-		local pid = get_event_peer()$id;
-
-		new_login_session(c, pid, 0);
-
-		if ( c$id$resp_h in skip_logins_to )
-			event authentication_skipped(c);
-
-		if ( c$id$resp_p == telnet &&
-		     c$id$orig_p in hot_telnet_orig_ports )
-			hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
-		}
-	}
-
-event partial_connection(c: connection)
-	{
-	if ( is_login_conn(c) )
-		{
-		local pid = get_event_peer()$id;
-		new_login_session(c, pid, 9999);
-		ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
-
-		if ( c$id$resp_p == telnet &&
-		     c$id$orig_p in hot_telnet_orig_ports )
-			hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
-		}
-	}
-
-event connection_finished(c: connection)
-	{
-	local pid = get_event_peer()$id;
-	remove_login_session(c, pid);
-	}
-
-event activating_encryption(c: connection)
-	{
-	if ( is_login_conn(c) )
-		append_addl(c, "(encrypted)");
-	}
diff --git a/policy/mime-pop.bro b/policy/mime-pop.bro
deleted file mode 100644
index eed2565036..0000000000
--- a/policy/mime-pop.bro
+++ /dev/null
@@ -1,180 +0,0 @@
-# $Id: mime-pop.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# A stripped-down version of mime.bro adapted to work on POP3 events.
-#
-# FIXME: What's the best way to merge mime.bro and mime-pop3.bro?
-
-@load pop3
-
-module MIME_POP3;
-	
-const mime_log = open_log_file("mime-pop") &redef;
-
-type mime_session_info: record {
-	id: count;
-	connection_id: conn_id;
-	level: count;
-	data_offset: count;
-};
-
-global mime_session_id = 0;
-global mime_sessions: table[conn_id] of mime_session_info;
-
-function mime_session_string(session: mime_session_info): string
-	{
-	return fmt("#%s %s +%d", prefixed_id(session$id),
-			id_string(session$connection_id), session$level);
-	}
-
-function mime_log_warning(what: string)
-	{
-	print mime_log, fmt("%.6f warning: %s", network_time(), what);
-	}
-
-function mime_log_msg(session: mime_session_info, where: string, what: string)
-	{
-	print mime_log, fmt("%.6f %s: [%s] %s",
-				network_time(),
-				mime_session_string(session),
-				where,
-				what);
-	}
-
-function new_mime_session(c: connection)
-	{
-	local id = c$id;
-	local session_id = ++mime_session_id;
-	local info: mime_session_info;
-
-	info$id = session_id;
-	info$connection_id = id;
-	info$level = 0;
-	info$data_offset = 0;
-
-	mime_sessions[id] = info;
-	mime_log_msg(info, "start", "");
-	}
-
-function get_mime_session(c: connection, new_session_ok: bool): mime_session_info
-	{
-	local id = c$id;
-
-	if ( id !in mime_sessions )
-		{
-		if ( ! new_session_ok )
-			mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
-
-		new_mime_session(c);
-		}
-
-	return mime_sessions[id];
-	}
-
-function end_mime_session(session: mime_session_info)
-	{
-	mime_log_msg(session, "finish", "");
-	delete mime_sessions[session$connection_id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	local id = c$id;
-
-	if ( id in mime_sessions )
-		{
-		mime_log_msg(mime_sessions[id], "state remove", "");
-		delete mime_sessions[id];
-		}
-	}
-
-function do_mime_begin_entity(c: connection)
-	{
-	local session = get_mime_session(c, T);
-
-	++session$level;
-	session$data_offset = 0;
-	mime_log_msg(session, "begin entity", "");
-	}
-
-event mime_begin_entity(c: connection)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	do_mime_begin_entity(c);
-	}
-
-function do_mime_end_entity(c: connection)
-	{
-	local session = get_mime_session(c, T);
-
-	mime_log_msg(session, "end entity", "");
-
-	if ( session$level > 0 )
-		{
-		--session$level;
-		if ( session$level == 0 )
-			end_mime_session(session);
-		}
-	else
-		mime_log_warning(fmt("unmatched end_entity for MIME session %s",
-					mime_session_string(session)));
-	}
-
-event mime_end_entity(c: connection)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	do_mime_end_entity(c);
-	}
-
-event mime_next_entity(c: connection)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	do_mime_end_entity(c);
-	do_mime_begin_entity(c);
-	}
-
-event mime_all_headers(c: connection, hlist: mime_header_list)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	local session = get_mime_session(c, T);
-	local i = 0;
-
-	for ( i in hlist )
-		{
-		local h = hlist[i];
-		mime_log_msg(session, "header",
-				fmt("%s: \"%s\"", h$name, h$value));
-		}
-	}
-
-event mime_segment_data(c: connection, length: count, data: string)
- 	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	local session = get_mime_session(c, T);
-
- 	if ( session$data_offset < 256 )
- 		mime_log_msg(session, "data", fmt("%d: %s", length, data));
-
- 	session$data_offset = session$data_offset + length;
- 	}
-
-event mime_event(c: connection, event_type: string, detail: string)
-	{
-	if ( c$id$resp_p != 110/tcp )
-		return;
-	
-	local session = get_mime_session(c, T);
-	mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
-	}
diff --git a/policy/mime.bro b/policy/mime.bro
deleted file mode 100644
index 7f923aac08..0000000000
--- a/policy/mime.bro
+++ /dev/null
@@ -1,259 +0,0 @@
-# $Id: mime.bro 6724 2009-06-07 09:23:03Z vern $
-
-@load smtp
-
-module MIME;
-
-export {
-	const mime_log = open_log_file("mime") &redef;
-
-	type mime_session_info: record {
-		id: count;
-		connection_id: conn_id;
-		smtp_session: SMTP::smtp_session_info;
-		level: count;
-		data_offset: count;
-		content_hash: string;
-	};
-
-	global get_session:
-		function(c: connection, new_session_ok: bool): mime_session_info;
-}
-
-function mime_header_default_handler(session: mime_session_info,
-					name: string, arg: string)
-	{
-	}
-
-type mime_header_handler_func:
-	function(session: mime_session_info, name: string, arg: string);
-
-type mime_header_handler_table: table[string] of mime_header_handler_func;
-
-export {
-	global mime_header_handler: mime_header_handler_table &redef &default
-	= function(name: string): mime_header_handler_func
-		{
-		# This looks a little weird, but there is no other way
-		# to specify a function as the default *value*
-		return mime_header_default_handler;
-		};
-}
-
-global mime_session_id = 0;
-global mime_sessions: table[conn_id] of mime_session_info;
-
-function mime_session_string(session: mime_session_info): string
-	{
-	return fmt("#%s %s +%d", prefixed_id(session$id),
-			id_string(session$connection_id), session$level);
-	}
-
-function mime_log_warning(what: string)
-	{
-	print mime_log, fmt("%.6f warning: %s", network_time(), what);
-	}
-
-function mime_log_msg(session: mime_session_info, where: string, what: string)
-	{
-	print mime_log, fmt("%.6f %s: [%s] %s",
-				network_time(),
-				mime_session_string(session),
-				where,
-				what);
-	}
-
-function mime_header_subject(session: mime_session_info,
-				name: string, arg: string)
-	{
-	if ( session$level == 1 )
-		session$smtp_session$subject = arg;
-	}
-
-
-### This is a bit clunky.  These are functions we call out to, defined
-# elsewhere.  The way we really ought to do this is to have them passed
-# in during initialization.  But for now, we presume knowledge of their
-# names in global scope.
-module GLOBAL;
-global check_relay_3:
-	function(session: MIME::mime_session_info, msg_id: string);
-global check_relay_4:
-	function(session: MIME::mime_session_info, content_hash: string);
-module MIME;
-
-function mime_header_message_id(session: mime_session_info, name: string, arg: string)
-	{
-	local s = arg;
-
-	local t = split1(s, /</);
-	if ( length(t) != 2 )
-		{
-		mime_log_msg(session, "event",
-			fmt("message id does not contain '<': %s", arg));
-		return;
-		}
-
-	s = t[2];
-
-	t = split1(s, />/);
-	if ( length(t) != 2 )
-		{
-		mime_log_msg(session, "event",
-			fmt("message id does not contain '>': %s", arg));
-		return;
-		}
-
-	s = t[1];
-
-	if ( session$level == 1 && SMTP::process_smtp_relay )
-		check_relay_3(session, s);
-	}
-
-redef mime_header_handler = {
-	["SUBJECT"] = mime_header_subject,
-	["MESSAGE-ID"] = mime_header_message_id,
-};
-
-function new_mime_session(c: connection)
-	{
-	local id = c$id;
-	local session_id = ++mime_session_id;
-	local info: mime_session_info;
-
-	info$id = session_id;
-	info$connection_id = id;
-	info$level = 0;
-	info$data_offset = 0;
-	info$content_hash = "";
-
-	if ( id !in SMTP::smtp_sessions )
-		SMTP::new_smtp_session(c);
-
-	info$smtp_session = SMTP::smtp_sessions[id];
-
-	mime_sessions[id] = info;
-	mime_log_msg(info, "start", "");
-	}
-
-function get_session(c: connection, new_session_ok: bool): mime_session_info
-	{
-	local id = c$id;
-
-	if ( id !in mime_sessions )
-		{
-		if ( ! new_session_ok )
-			mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
-
-		new_mime_session(c);
-		}
-
-	return mime_sessions[id];
-	}
-
-function end_mime_session(session: mime_session_info)
-	{
-	mime_log_msg(session, "finish", "");
-	delete mime_sessions[session$connection_id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-
-	if ( id in mime_sessions )
-		{
-		mime_log_msg(mime_sessions[id], "state remove", "");
-		delete mime_sessions[id];
-		}
-	}
-
-function do_mime_begin_entity(c: connection)
-	{
-	local session = get_session(c, T);
-
-	++session$level;
-	session$data_offset = 0;
-	mime_log_msg(session, "begin entity", "");
-	}
-
-event mime_begin_entity(c: connection)
-	{
-	do_mime_begin_entity(c);
-	}
-
-function do_mime_end_entity(c: connection)
-	{
-	local session = get_session(c, T);
-
-	mime_log_msg(session, "end entity", "");
-
-	session$smtp_session$num_bytes_in_body =
-		session$smtp_session$num_bytes_in_body + session$data_offset;
-
-	if ( session$level > 0 )
-		{
-		--session$level;
-		if ( session$level == 0 )
-			end_mime_session(session);
-		}
-	else
-		mime_log_warning(fmt("unmatched end_entity for MIME session %s",
-					mime_session_string(session)));
-	}
-
-event mime_end_entity(c: connection)
-	{
-	do_mime_end_entity(c);
-	}
-
-event mime_next_entity(c: connection)
-	{
-	do_mime_end_entity(c);
-	do_mime_begin_entity(c);
-	}
-
-# event mime_one_header(c: connection, h: mime_header_rec)
-#	{
-#	local session = get_session(c, T);
-#	mime_log_msg(session, "header",
-#			fmt("%s: \"%s\"", h$name, h$value));
-#	mime_header_handler[h$name](session, h$name, h$value);
-#	}
-
-event mime_all_headers(c: connection, hlist: mime_header_list)
-	{
-	local session = get_session(c, T);
-	local i = 0;
-
-	for ( i in hlist )
-		{
-		local h = hlist[i];
-		mime_log_msg(session, "header",
-				fmt("%s: \"%s\"", h$name, h$value));
-		mime_header_handler[h$name](session, h$name, h$value);
-		}
-	}
-
-event mime_segment_data(c: connection, length: count, data: string)
-	{
-	local session = get_session(c, T);
-
-	if ( session$data_offset < 256 )
-		mime_log_msg(session, "data", fmt("%d: %s", length, data));
-
-	session$data_offset = session$data_offset + length;
-	}
-
-# event mime_entity_data(c: connection, length: count, data: string)
-# 	{
-#  	local session = get_session(c, T);
-#
-# 	mime_log_msg(session, "data", fmt("%d: %s", length, sub_bytes(data, 0, 256)));
-# 	}
-
-event mime_event(c: connection, event_type: string, detail: string)
-	{
-	local session = get_session(c, T);
-	mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
-	}
diff --git a/policy/mt.bro b/policy/mt.bro
deleted file mode 100644
index 456708c4ea..0000000000
--- a/policy/mt.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: mt.bro 340 2004-09-09 06:38:27Z vern $
-
-@load alarm
-@load dns-lookup
-@load hot
-@load frag
-@load tcp
-@load scan
-@load weird
-@load finger
-@load ident
-@load ftp
-@load login
-@load portmapper
-@load ntp
-@load tftp
diff --git a/policy/ncp.bro b/policy/ncp.bro
deleted file mode 100644
index 53a798eec3..0000000000
--- a/policy/ncp.bro
+++ /dev/null
@@ -1,101 +0,0 @@
-# $Id:$
-
-@load conn-id
-
-module NCP;
-
-global ncp_log = open_log_file("ncp") &redef;
-
-redef capture_filters += {["ncp"] = "tcp port 524"};
-
-export {
-
-const ncp_frame_type_name = {
-	[ 0x1111 ] = "NCP_ALLOC_SLOT",
-	[ 0x2222 ] = "NCP_REQUEST",
-	[ 0x3333 ] = "NCP_REPLY",
-	[ 0x5555 ] = "NCP_DEALLOC_SLOT",
-	[ 0x7777 ] = "NCP_BURST",
-	[ 0x9999 ] = "NCP_ACK",
-} &default = function(code: count): string
-	{
-	return fmt("NCP_UNKNOWN_FRAME_TYPE(%x)", code);
-	};
-
-const ncp_function_name = {
-	[ 0x01 ] = "NCP_FILE_SET_LOCK",
-	[ 0x02 ] = "NCP_FILE_RELEASE_LOCK",
-	[ 0x03 ] = "NCP_LOG_FILE",
-	[ 0x04 ] = "NCP_LOCK_FILE_SET",
-	[ 0x05 ] = "NCP_RELEASE_FILE",
-	[ 0x06 ] = "NCP_RELEASE_FILE_SET",
-	[ 0x07 ] = "NCP_CLEAR_FILE",
-	[ 0x08 ] = "NCP_CLEAR_FILE_SET",
-	[ 0x09 ] = "NCP_LOG_LOGICAL_RECORD",
-	[ 0x0a ] = "NCP_LOCK_LOGICAL_RECORD_SET",
-	[ 0x0b ] = "NCP_CLEAR_LOGICAL_RECORD",
-	[ 0x0c ] = "NCP_RELEASE_LOGICAL_RECORD",
-	[ 0x0d ] = "NCP_RELEASE_LOGICAL_RECORD_SET",
-	[ 0x0e ] = "NCP_CLEAR_LOGICAL_RECORD_SET",
-	[ 0x0f ] = "NCP_ALLOC_RESOURCE",
-	[ 0x10 ] = "NCP_DEALLOC_RESOURCE",
-	[ 0x11 ] = "NCP_PRINT",
-	[ 0x15 ] = "NCP_MESSAGE",
-	[ 0x16 ] = "NCP_DIRECTORY",
-	[ 0x17 ] = "NCP_BINDARY_AND_MISC",
-	[ 0x18 ] = "NCP_END_OF_JOB",
-	[ 0x19 ] = "NCP_LOGOUT",
-	[ 0x1a ] = "NCP_LOG_PHYSICAL_RECORD",
-	[ 0x1b ] = "NCP_LOCK_PHYSICAL_RECORD_SET",
-	[ 0x1c ] = "NCP_RELEASE_PHYSICAL_RECORD",
-	[ 0x1d ] = "NCP_RELEASE_PHYSICAL_RECORD_SET",
-	[ 0x1e ] = "NCP_CLEAR_PHYSICAL_RECORD",
-	[ 0x1f ] = "NCP_CLEAR_PHYSICAL_RECORD_SET",
-	[ 0x20 ] = "NCP_SEMAPHORE",
-	[ 0x22 ] = "NCP_TRANSACTION_TRACKING",
-	[ 0x23 ] = "NCP_AFP",
-	[ 0x42 ] = "NCP_CLOSE_FILE",
-	[ 0x47 ] = "NCP_GET_FILE_SIZE",
-	[ 0x48 ] = "NCP_READ_FILE",
-	[ 0x49 ] = "NCP_WRITE_FILE",
-	[ 0x56 ] = "NCP_EXT_ATTR",
-	[ 0x57 ] = "NCP_FILE_DIR",
-	[ 0x58 ] = "NCP_AUDITING",
-	[ 0x5a ] = "NCP_MIGRATION",
-	[ 0x60 ] = "NCP_PNW",
-	[ 0x61 ] = "NCP_GET_MAX_PACKET_SIZE",
-	[ 0x68 ] = "NCP_NDS",
-	[ 0x6f ] = "NCP_SEMAPHORE_NEW",
-	[ 0x7b ] = "NCP_7B",
-
-	[ 0x5701 ] = "NCP_CREATE_FILE_DIR",
-	[ 0x5702 ] = "NCP_INIT_SEARCH",
-	[ 0x5703 ] = "NCP_SEARCH_FILE_DIR",
-	[ 0x5704 ] = "NCP_RENAME_FILE_DIR",
-	[ 0x5706 ] = "NCP_OBTAIN_FILE_DIR_INFO",
-	[ 0x5707 ] = "NCP_MODIFY_FILE_DIR_DOS_INFO",
-	[ 0x5708 ] = "NCP_DELETE_FILE_DIR",
-	[ 0x5709 ] = "NCP_SET_SHORT_DIR_HANDLE",
-	[ 0x5714 ] = "NCP_SEARCH_FOR_FILE_DIR_SET",
-	[ 0x5718 ] = "NCP_GET_NAME_SPACE_LOADED_LIST",
-	[ 0x5742 ] = "NCP_GET_CURRENT_SIZE_OF_FILE",
-
-} &default = function(code: count): string
-	{
-	return fmt("NCP_UNKNOWN_FUNCTION(%x)", code);
-	};
-
-} # export
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
-	{
-	print ncp_log, fmt("%.6f %s NCP request type=%s function=%s",
-		network_time(), id_string(c$id),
-		ncp_frame_type_name[frame_type],
-		ncp_function_name[func]);
-	}
-
-event ncp_reply(c: connection, frame_type: count, length: count,
-		req_frame: count, req_func: count, completion_code: count)
-	{
-	}
diff --git a/policy/netflow.bro b/policy/netflow.bro
deleted file mode 100644
index 4fb1ac0fd0..0000000000
--- a/policy/netflow.bro
+++ /dev/null
@@ -1,106 +0,0 @@
-# $Id:$
-#
-# Netflow data-dumper and proof-of-concept flow restitcher.
-# Written by Bernhard Ager (2007).
-
-module NetFlow;
-
-export {
-	# Perform flow restitching?
-	global netflow_restitch = T &redef;
-
-	# How long to wait for additional flow records after a RST or FIN,
-	# so we can compress multiple RST/FINs for the same flow rather than
-	# treating them as separate flows.  It's not clear what's the best
-	# setting for this timer, but for now we use something larger
-	# than the NetFlow inactivity timeout (5 minutes).
-	global netflow_finished_conn_expire = 310 sec &redef;
-}
-
-global netflow_log = open_log_file("netflow") &redef;
-
-# Should be larger than activity timeout.  Setting only affects table
-# declaration, therefore &redef useless.
-const netflow_table_expire = 31 min;
-
-type flow: record {
-	cnt: count;
-	pkts: count;
-	octets: count;
-	syn: bool;
-	fin: bool;
-	first: time;
-	last: time;
-};
-
-function new_flow(r: nf_v5_record): flow
-	{
-	return [ $cnt = 1,
-		 $pkts = r$pkts,
-		 $octets = r$octets,
-	         $syn = r$tcpflag_syn,
-		 $fin = r$tcpflag_fin,
-		 $first = r$first,
-		 $last = r$last ];
-	}
-
-function update_flow(f: flow, r: nf_v5_record)
-	{
-	f$pkts += r$pkts;
-	f$octets += r$octets;
-	++f$cnt;
-	f$syn = f$syn || r$tcpflag_syn;
-	f$fin = f$fin || r$tcpflag_fin;
-
-	if ( r$first < f$first )
-		f$first = r$first;
-	if ( r$last > f$last )
-		f$last = r$last;
-	}
-
-function print_flow(t: table[conn_id] of flow, idx: conn_id): interval
-	{
-	print netflow_log, fmt("%.6f flow %s: %s", network_time(), idx, t[idx]);
-	return -1 sec;
-	}
-
-event v5flow_finished(t: table[conn_id] of flow, idx: conn_id)
-	{
-        if ( idx in t )
-		{
-		print_flow(t, idx);
-		delete t[idx];
-		}
-	}
-
-global flows: table[conn_id] of flow &write_expire = netflow_table_expire
-				     &expire_func = print_flow;
-
-event netflow_v5_header(h: nf_v5_header)
-	{
-	print netflow_log, fmt("%.6f header %s", network_time(), h);
-	}
-
-event netflow_v5_record (r: nf_v5_record)
-	{
-	if ( netflow_restitch )
-		{
-		if ( r$id in flows )
-			update_flow (flows[r$id], r);
-		else
-			flows[r$id] = new_flow (r);
-
-		if ( r$tcpflag_fin || r$tcpflag_rst )
-			schedule netflow_finished_conn_expire {
-				v5flow_finished (flows, r$id)
-			};
-		}
-
-	print netflow_log, fmt("%.6f record %s", network_time(), r);
-	}
-
-event bro_done ()
-	{
-	for ( f_id in flows )
-		print_flow(flows, f_id);
-	}
diff --git a/policy/netstats.bro b/policy/netstats.bro
deleted file mode 100644
index eca27cc9b5..0000000000
--- a/policy/netstats.bro
+++ /dev/null
@@ -1,34 +0,0 @@
-# $Id: netstats.bro 564 2004-10-23 02:27:57Z vern $
-
-@load notice
-
-redef enum Notice += {
-	DroppedPackets,	# Bro reported packets dropped by the packet filter
-};
-
-global last_stat: net_stats;
-global last_stat_time: time;
-global have_stats = F;
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	if ( have_stats )
-		{
-		local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
-		if ( new_dropped > 0 )
-			{
-			local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
-			local new_link = ns$pkts_link - last_stat$pkts_link;
-			NOTICE([$note=DroppedPackets,
-				$msg=fmt("%d packets dropped after filtering, %d received%s",
-					new_dropped, new_recvd + new_dropped,
-					new_link != 0 ?
-						fmt(", %d on link", new_link) : "")]);
-			}
-		}
-	else
-		have_stats = T;
-
-	last_stat = ns;
-	last_stat_time = t;
-	}
diff --git a/policy/nfs.bro b/policy/nfs.bro
deleted file mode 100644
index dec46d593e..0000000000
--- a/policy/nfs.bro
+++ /dev/null
@@ -1,100 +0,0 @@
-# $Id: nfs.bro 4017 2007-02-28 07:11:54Z vern $
-
-@load udp
-
-module NFS;
-
-export {
-	global log_file = open_log_file("nfs") &redef;
-}
-
-redef capture_filters += { 
-	["nfs"] = "port 2049",
-	# NFS UDP packets are often fragmented.
-	["nfs-frag"] = "(ip[6:2] & 0x3fff != 0) and udp",
-};
-
-global nfs_ports = { 2049/tcp, 2049/udp } &redef;
-redef dpd_config += { [ANALYZER_NFS] = [$ports = nfs_ports] };
-
-# Maps opaque file handles to numbers for easier tracking.
-global num_fhs = 0;
-global fh_map: table[string] of count;
-
-function map_fh(fh: string): string
-	{
-	if ( fh !in fh_map )
-		fh_map[fh] = ++num_fhs;
-
-	return cat("FH", fh_map[fh]);
-	}
-
-
-function NFS_request(n: connection, req: string, addl: string)
-	{
-	print log_file, fmt("%.06f %s NFS %s: %s",
-				network_time(), id_string(n$id), req, addl);
-	}
-
-function NFS_attempt(n: connection, req: string, status: count, addl: string)
-	{
-	print log_file, fmt("%.06f %s NFS attempt %s (%d): %s",
-			network_time(), id_string(n$id), req, status, addl);
-	}
-
-
-event nfs_request_null(n: connection)
-	{
-	NFS_request(n, "null", "");
-	}
-
-event nfs_attempt_null(n: connection, status: count)
-	{
-	NFS_attempt(n, "null", status, "");
-	}
-
-
-event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
-	{
-	NFS_request(n, "getattr", fmt("%s -> %s", map_fh(fh), attrs));
-	}
-
-event nfs_attempt_getattr(n: connection, status: count, fh: string)
-	{
-	NFS_attempt(n, "getattr", status, map_fh(fh));
-	}
-
-
-function opt_attr_fmt(a: nfs3_opt_attrs): string
-	{
-	return a?$attrs ? fmt("%s", a$attrs) : "<missing>";
-	}
-
-event nfs_request_lookup(n: connection, req: nfs3_lookup_args, rep: nfs3_lookup_reply)
-	{
-	NFS_request(n, "lookup", fmt("%s -> %s (file-attr: %s, dir-attr: %s)",
-			req, rep$fh,
-			opt_attr_fmt(rep$file_attr),
-			opt_attr_fmt(rep$dir_attr)));
-	}
-
-event nfs_attempt_lookup(n: connection, status: count, req: nfs3_lookup_args)
-	{
-	NFS_attempt(n, "lookup", status, fmt("%s", req));
-	}
-
-
-event nfs_request_fsstat(n: connection, root_fh: string, stat: nfs3_fsstat)
-	{
-	NFS_request(n, "fsstat", fmt("%s -> attr: %s, tbytes: %s, fbytes: %s, abytes: %s, tfiles: %s, ffiles: %s, afiles: %s, invarsec: %s",
-		map_fh(root_fh),
-		opt_attr_fmt(stat$attrs),
-		stat$tbytes, stat$fbytes, stat$abytes,
-		stat$tfiles, stat$ffiles, stat$afiles,
-		stat$invarsec));
-	}
-
-event nfs_attempt_fsstat(n: connection, status: count, root_fh: string)
-	{
-	NFS_attempt(n, "fsstat", status, map_fh(root_fh));
-	}
diff --git a/policy/notice-action-filters.bro b/policy/notice-action-filters.bro
deleted file mode 100644
index 0a6e83d1d3..0000000000
--- a/policy/notice-action-filters.bro
+++ /dev/null
@@ -1,121 +0,0 @@
-# $Id:$
-#
-# A few predefined notice_action_filters (see notice.bro).
-
-@load notice
-@load site
-@load terminate-connection
-
-function ignore_notice(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	return NOTICE_IGNORE;
-	}
-
-function file_notice(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	return NOTICE_FILE;
-	}
-
-function send_email_notice(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	return NOTICE_EMAIL;
-	}
-
-function send_page_notice(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	return NOTICE_PAGE;
-	}
-
-global notice_tallies: table[string] of count &default = 0;
-
-function tally_notice(s: string)
-	{
-	++notice_tallies[s];
-	}
-
-function tally_notice_type(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	tally_notice(fmt("%s", n$note));
-	return NOTICE_FILE;
-	}
-
-function tally_notice_type_and_ignore(n: notice_info, a: NoticeAction)
-		: NoticeAction
-	{
-	tally_notice(fmt("%s", n$note));
-	return NOTICE_IGNORE;
-	}
-
-function file_local_bro_notices(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	if ( n$src_peer$is_local )
-		return NOTICE_FILE;
-
-	return a;
-	}
-
-function file_if_remote(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	if ( n?$src && ! is_local_addr(n$src) )
-		return NOTICE_FILE;
-
-	return a;
-	}
-
-function drop_source(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	return NOTICE_DROP;
-	}
-
-function drop_source_and_terminate(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	if ( n?$conn )
-		TerminateConnection::terminate_connection(n$conn);
-
-	return NOTICE_DROP;
-	}
-
-event bro_done()
-	{
-	for ( s in notice_tallies )
-		{
-		local n = notice_tallies[s];
-		local msg = fmt("%s (%d time%s)", s, n, n > 1 ? "s" : "");
-		NOTICE([$note=NoticeTally, $msg=msg, $n=n]);
-		}
-	}
-
-# notice_alarm_per_orig.
-#
-# Reports a specific NoticeType the first time we see it for a source.  From
-# then on, we tally instances per source.
-
-global notice_once_per_orig: table[Notice, addr] of count
-	&default=0 &read_expire=5hrs;
-global notice_once_per_orig_tally_interval = 1 hr &redef;
-
-event notice_alarm_per_orig_tally(n: notice_info, host: addr)
-	{
-	local i = notice_once_per_orig[n$note, host];
-	if ( i > 1 )
-		{
-		local msg = fmt("%s seen %d time%s from %s",
-				n$note, i, i > 1 ? "s" : "", host);
-		NOTICE([$note=NoticeTally, $msg=msg, $src=host, $n=i]);
-		}
-	}
-
-function notice_alarm_per_orig(n: notice_info, a: NoticeAction): NoticeAction
-	{
-	local host = n$src;
-
-	++notice_once_per_orig[n$note, host];
-
-	if ( notice_once_per_orig[n$note, host] > 1 )
-		return NOTICE_FILE;
-
-	schedule notice_once_per_orig_tally_interval
-		{ notice_alarm_per_orig_tally(n, host) };
-
-	return NOTICE_ALARM_ALWAYS;
-	}
diff --git a/policy/notice-policy.bro b/policy/notice-policy.bro
deleted file mode 100644
index 78d26c26ed..0000000000
--- a/policy/notice-policy.bro
+++ /dev/null
@@ -1,72 +0,0 @@
-# $Id: notice-policy.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Examples of using notice_policy and other mechanisms to filter out
-# alarms that are not interesting.
-
-# Note: this file is not self-contained, in that it refers to Notice
-# names that will only be defined if you've loaded other files (e.g.,
-# print-resources for the ResourceSummary notice).  The full list of
-# policy files it needs is:
-#
-#	blaster.bro
-#	conn.bro
-#	http-request.bro
-#	netstats.bro
-#	print-resources.bro
-#	trw.bro
-#	weird.bro
-
-
-# Remove these notices from logging since they can be too noisy.
-redef notice_action_filters += {
-        [[Weird::ContentGap, Weird::AckAboveHole]] = ignore_notice,
-};
-
-# Send these only to the notice log, not the alarm log.
-redef notice_action_filters += {
-        [[Drop::AddressDropIgnored, DroppedPackets,
-	  ResourceSummary, W32B_SourceRemote,
-	  TRW::TRWScanSummary, Scan::BackscatterSeen,
-	  Weird::WeirdActivity,
-	  Weird::RetransmissionInconsistency]] = file_notice,
-};
-
-# Other example use of notice_action_filters:
-#
-# To just get a summary Notice when Bro is shutdown/checkpointed, use
-# tally_notice_type, such as:
-#redef notice_action_filters += {
-# 	[[RetransmissionInconsistency, ContentGap, AckAboveHole]] =
-#	 	tally_notice_type,
-#};
-
-# To get a summary once every hour per originator, use notice_alarm_per_orig,
-# such as:
-#redef notice_action_filters += {
-# 	[[ BackscatterSeen, RetransmissionInconsistency]] =
-# 		notice_alarm_per_orig,
-#};
-
-
-# Fine-grained filtering of specific alarms.
-redef notice_policy += {
-
-	# Connections to 2766/tcp ("Solaris listen service") appear
-	# nearly always actually due to P2P apps.
-        [$pred(n: notice_info) =
-		{
-		return n$note == SensitiveConnection &&
- 		       /Solaris listen service/ in n$msg;
-		},
-         $result = NOTICE_FILE,
-         $priority = 1],
-
-	# Ignore sensitive URLs that end in .gif, .jpg, .png
-	[$pred(n: notice_info) =
-		{
-		return n$note == HTTP::HTTP_SensitiveURI &&
-		       n$URL == /.*\.(gif|GIF|png|PNG|jpg|JPG)/; 
-		},
-	 $result = NOTICE_FILE,
-	 $priority = 1],
-};
diff --git a/policy/notice.bro b/policy/notice.bro
deleted file mode 100644
index 9b434032f0..0000000000
--- a/policy/notice.bro
+++ /dev/null
@@ -1,410 +0,0 @@
-# $Id: notice.bro 6756 2009-06-14 21:31:19Z vern $
-
-const use_tagging = F &redef;
-
-type Notice: enum {
-	NoticeNone,	# placeholder
-	NoticeTally,	# notice reporting count of how often a notice occurred
-};
-
-type NoticeAction: enum {
-	# Similar to WeirdAction in weird.bro.
-	NOTICE_UNKNOWN,	# placeholder
-	NOTICE_IGNORE, NOTICE_FILE, NOTICE_ALARM_ALWAYS,
-	NOTICE_EMAIL, NOTICE_PAGE,
-	NOTICE_DROP,	# drops the address via Drop::drop_address, and alarms
-};
-
-
-type notice_info: record {
-	note: Notice;
-	msg: string &default="";
-	sub: string &optional;	# sub-message
-
-	conn: connection &optional;	# connection associated with notice
-	iconn: icmp_conn &optional;	# associated ICMP "connection"
-	id: conn_id &optional;	# connection-ID, if we don't have a connection handy
-	src: addr &optional;	# source address, if we don't have a connection
-	dst: addr &optional;	# destination address
-
-	p: port &optional;	# associated port, if we don't have a conn.
-
-	# The following are detailed attributes that are associated with some
-	# notices, but not all.
-
-	user: string &optional;
-
-	filename: string &optional;
-
-	method: string &optional;
-	URL: string &optional;
-
-	n: count &optional;	# associated count, or perhaps status code
-
-	aux: table[string] of string &optional;	# further NOTICE-specific data
-
-	# Automatically set attributes.
-	action: NoticeAction &default=NOTICE_UNKNOWN; # once action determined
-	src_peer: event_peer &optional;	# source that raised this notice
-	tag: string &optional;	# tag associated with this notice
-	dropped: bool &optional &default=F; # true if src successfully dropped
-
-	# If we asked the Time Machine to capture, the filename prefix.
-	captured: string &optional;
-
-	# If false, don't alarm independent of the determined notice action.
-	# If true, alarm dependening on notice action.
-	do_alarm: bool &default=T;
-
-};
-
-type notice_policy_item: record {
-	result: NoticeAction &default=NOTICE_FILE;
-	pred: function(n: notice_info): bool;
-	priority: count &default=1;
-};
-
-global notice_policy: set[notice_policy_item] = {
-	[$pred(n: notice_info) = { return T; },
-	 $result = NOTICE_ALARM_ALWAYS,
-	 $priority = 0],
-} &redef;
-
-global NOTICE: function(n: notice_info);
-
-# Variables the control email notification.
-const mail_script = "/bin/mail" &redef;	# local system mail program
-const mail_dest = "" &redef;	# email address to send mail to
-const mail_page_dest = "bro-page" &redef;	# email address of pager
-
-
-# Table that maps notices into a function that should be called
-# to determine the action.
-global notice_action_filters:
-	table[Notice] of
-		function(n: notice_info, a: NoticeAction): NoticeAction &redef;
-
-
-# Each notice has a unique ID associated with it.
-global notice_id = 0;
-
-# This should have a high probability of being unique without
-# generating overly long tags.  This is redef'able in case you need
-# determinism in tags (such as for regression testing).
-global notice_tag_prefix =
-		fmt("%x-%x-",
-			double_to_count(time_to_double(current_time())) % 255,
-			getpid())
-		&redef;
-
-# Likewise redef'able for regression testing.
-global new_notice_tag =
-	function(): string
-		{
-		return fmt("%s%x", notice_tag_prefix, ++notice_id);
-		}
-	&redef;
-
-# Function to add a unique NOTICE tag to a connection.  This is done
-# automatically whenever a NOTICE is raised, but sometimes one might need
-# to call this function in advance of that to ensure that the tag appears
-# in the connection summaries (i.e., when connection_state_remove() can be
-# raised before the NOTICE is generated.)
-global notice_tags: table[conn_id] of string;
-
-function add_notice_tag(c: connection): string
-	{
-	if ( c$id in notice_tags )
-		return notice_tags[c$id];
-
-	local tag_id = new_notice_tag();
-	append_addl(c, fmt("@%s", tag_id));
-	notice_tags[c$id] = tag_id;
-
-	return tag_id;
-	}
-
-event delete_notice_tags(c: connection)
-	{
-	delete notice_tags[c$id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	# We do not delete the tag right here because there may be other
-	# connection_state_remove handlers invoked after us which
-	# want to generate a notice.
-	schedule 1 secs { delete_notice_tags(c) };
-	}
-
-const notice_file = open_log_file("notice") &redef;
-
-# This handler is useful for processing notices after the notice filters
-# have been applied and yielded an NoticeAction.
-#
-# It's tempting to make the default handler do the logging and
-# printing to notice_file, rather than NOTICE.  I hesitate to do that,
-# though, because it perhaps could slow down notification, because
-# in the absence of event priorities, the event would have to wait
-# behind any other already-queued events.
-
-event notice_action(n: notice_info, action: NoticeAction)
-	{
-	}
-
-# Do not generate notice_action events for these NOTICE types.
-global suppress_notice_actions: set[Notice] &redef; 
-
-# Similar to notice_action but only generated if the notice also
-# triggers an alarm.
-event notice_alarm(n: notice_info, action: NoticeAction)
-	{
-	}
-
-# Hack to suppress duplicate notice_actions for remote notices.
-global suppress_notice_action = F;
-
-function notice_info_tags(n: notice_info) : table[string] of string
-	{
-	local tags: table[string] of string;
-
-	local t = is_remote_event() ? current_time() : network_time();
-	tags["t"] = fmt("%.06f", t);
-	tags["no"] = fmt("%s", n$note);
-	tags["na"] = fmt("%s", n$action);
-	tags["sa"] = n?$src ? fmt("%s", n$src) : "";
-	tags["sp"] = n?$id && n$id$orig_h == n$src ? fmt("%s", n$id$orig_p) : "";
-	tags["da"] = n?$dst ? fmt("%s", n$dst) : "";
-	tags["dp"] = n?$id && n$id$resp_h == n$dst ? fmt("%s", n$id$resp_p) : "";
-	tags["p"] = n?$p ? fmt("%s", n$p) : "";
-	tags["user"] = n?$user ? n$user : "";
-	tags["file"] = n?$filename ? n$filename : "";
-	tags["method"] =  n?$method ? n$method : "";
-	tags["url"] = n?$URL ? n$URL : "";
-	tags["num"] = n?$n ? fmt("%s", n$n) : "";
-	tags["msg"] = n?$msg ? n$msg : "";
-	tags["sub"] = n?$sub ? n$sub : "";
-	tags["captured"] = n?$captured ? n$captured : "";
-	tags["tag"] = fmt("@%s", n$tag);
-	tags["dropped"] = n$dropped ? "1" : "";
-
-	if ( n?$aux )
-		{
-		for ( a in n$aux )
-			tags[fmt("aux_%s", a)] = n$aux[a];
-		}
-
-	if ( is_remote_event() )
-		{
-		if ( n$src_peer$descr != "" )
-			tags["es"] = n$src_peer$descr;
-		else
-			tags["es"] = fmt("%s/%s", n$src_peer$host, n$src_peer$p);
-		}
-
-	else
-		tags["es"] = peer_description;
-
-	return tags;
-	}
-
-function build_notice_info_string_untagged(n: notice_info) : string
-	{
-	# We add the fields in this order. Fields not listed won't be added.
-	local fields = vector("t", "no", "na", "es", "sa", "sp", "da", "dp", 
-		"user", "file", "method", "url", "num", "msg", "sub", "tag");
-
-	local tags = notice_info_tags(n);
-	local cur_info = "";
-
-	for ( i in fields )
-		{
-		local val = tags[fields[i]];
-		val = string_escape(val, ":");
-
-		if ( cur_info == "" )
-			cur_info = val;
-		else
-			cur_info = fmt("%s:%s", cur_info, val);
-		}
-
-	return cur_info;
-	}
-
-function build_notice_info_string_tagged(n: notice_info) : string
-	{
-	# We add the fields in this order. Fields not listed won't be added
-	# (except aux_*).
-	local fields = vector("t", "no", "na", "dropped", "es", "sa", "sp",
-			"da", "dp", "p", "user", "file", "method", "url",
-			"num", "msg", "sub", "captured", "tag");
-
-	local tags = notice_info_tags(n);
-	local cur_info = "";
-
-	for ( i in fields )
-		{
-		local val = tags[fields[i]];
-		local f = fields[i];
-
-		if ( val == "" )
-			next;
-
-		val = string_escape(val, "= ");
-
-		if ( cur_info == "" )
-			cur_info = fmt("%s=%s", f, val);
-		else
-			cur_info = fmt("%s %s=%s", cur_info, f, val);
-		}
-
-	for ( t in tags )
-		{
-		if ( t == /aux_.*/ )
-			{
-			if ( cur_info == "" )
-				cur_info = fmt("%s=%s", t, tags[t]);
-			else
-				cur_info = fmt("%s %s=%s", cur_info, t, tags[t]);
-			}
-		}
-
-	return cur_info;
-	}
-
-global email_notice_to: function(n: notice_info, dest: string) &redef;
-
-function email_notice_to(n: notice_info, dest: string)
-	{
-	if ( reading_traces() || dest == "" )
-		return;
-
-	# The contortions here ensure that the arguments to the mail
-	# script will not be confused.  Re-evaluate if 'system' is reworked.
-	local mail_cmd =
-		fmt("echo \"%s\" | %s -s \"[Bro Alarm] %s\" %s",
-			str_shell_escape(n$msg), mail_script, n$note, dest);
-
-	system(mail_cmd);
-	}
-
-function email_notice(n: notice_info, action: NoticeAction)
-	{
-	# Choose destination address based on action type.
-	local destination =
-		(action == NOTICE_EMAIL) ?  mail_dest : mail_page_dest;
-
-	email_notice_to(n, destination);
-	}
-
-# Executes a script with all of the notice fields put into the
-# new process' environment as "BRO_ARG_<field>" variables.
-function execute_with_notice(cmd: string, n: notice_info)
-	{
-	local tags = notice_info_tags(n);
-	system_env(cmd, tags);
-	}
-
-# Can't load it at the beginning due to circular dependencies.
-@load drop
-
-function NOTICE(n: notice_info)
-	{
-	# Fill in some defaults.
-	if ( ! n?$id && n?$conn )
-		n$id = n$conn$id;
-
-	if ( ! n?$src && n?$id )
-		n$src = n$id$orig_h;
-	if ( ! n?$dst && n?$id )
-		n$dst = n$id$resp_h;
-
-	if ( ! n?$p && n?$id )
-		n$p = n$id$resp_p;
-
-	if ( ! n?$src && n?$iconn )
-		n$src = n$iconn$orig_h;
-	if ( ! n?$dst && n?$iconn )
-		n$dst = n$iconn$resp_h;
-
-	if ( ! n?$src_peer )
-		n$src_peer = get_event_peer();
-
-	if ( n?$conn )
-		n$tag = add_notice_tag(n$conn);
-
-	if ( ! n?$tag )
-		n$tag = new_notice_tag();
-
-	local action = match n using notice_policy;
-
-	local n_id = "";
-
-	if ( action != NOTICE_IGNORE && action != NOTICE_FILE &&
-		n$note in notice_action_filters )
-		action = notice_action_filters[n$note](n, action);
-
-	n$action = action;
-
-	if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )
-		email_notice(n, action);
-
-	if ( action == NOTICE_DROP )
-		{
-		local drop = Drop::drop_address(n$src, "");
-		local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
-		n$dropped = drop$note != Drop::AddressDropIgnored;
-		n$msg += fmt(" [%s%s]", drop$note, addl);
-		}
-
-	if ( action != NOTICE_IGNORE )
-		{
-		# Build the info here after we had a chance to set the
-		# $dropped field.
-		local info: string;
-		if ( use_tagging )
-			info = build_notice_info_string_tagged(n);
-		else
-			info = build_notice_info_string_untagged(n);
-
-		print notice_file, info;
-
-		if ( action != NOTICE_FILE && n$do_alarm )
-			{
-			if ( use_tagging )
-				{
-				alarm info;
-				event notice_alarm(n, action);
-				}
-			else
-				{
-				local descr = "";
-				if ( is_remote_event() )
-					{
-					if ( n$src_peer$descr != "" )
-						descr = fmt("<%s> ",
-							n$src_peer$descr);
-					else
-						descr = fmt("<%s:%s> ",
-							n$src_peer$host,
-							n$src_peer$p);
-					}
-
-				alarm fmt("%s %s%s", n$note, descr, n$msg);
-				event notice_alarm(n, action);
-				}
-			}
-		}
-
-@ifdef ( IDMEF_support )
-	if ( n?$id )
-		generate_idmef(n$id$orig_h, n$id$orig_p,
-			       n$id$resp_h, n$id$resp_p);
-@endif
-
-	if ( ! suppress_notice_action && n$note !in suppress_notice_actions )
-		event notice_action(n, action);
-	}
-
-
-@load notice-action-filters
diff --git a/policy/ntp.bro b/policy/ntp.bro
deleted file mode 100644
index eb746bc830..0000000000
--- a/policy/ntp.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: ntp.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["ntp"] = "udp port 123" };
-
-module NTP;
-
-export {
-	const excessive_ntp_request = 48 &redef;
-	const allow_excessive_ntp_requests: set[addr] &redef;
-}
-
-# DPM configuration.
-global ntp_ports = { 123/udp } &redef;
-redef dpd_config += { [ANALYZER_NTP] = [$ports = ntp_ports] };
-
-const ntp_code: table[count] of string = {
-	[0] = "unspec",
-	[1] = "sym_act",
-	[2] = "sym_psv",
-	[3] = "client",
-	[4] = "server",
-	[5] = "bcast",
-	[6] = "rsv1",
-	[7] = "rsv2",
-};
-
-event ntp_message(u: connection, msg: ntp_msg, excess: string)
-	{
-	local id = u$id;
-
-	if ( id !in udp_rep_count && id !in udp_req_count )
-		{
-		Hot::check_hot(u, Hot::CONN_ATTEMPTED);
-		Scan::check_scan(u, F, F);
-		}
-
-	if ( msg$code == 4 )
-		# "server"
-		++udp_rep_count[id];
-	else
-		# anything else
-		++udp_req_count[id];
-
-	local n_excess = byte_len(excess);
-	if ( n_excess > excessive_ntp_request &&
-	     id$orig_h !in allow_excessive_ntp_requests )
-		{
-		append_addl_marker(u, fmt("%s", n_excess), ",");
-		++u$hot;
-		}
-	}
diff --git a/policy/passwords.bro b/policy/passwords.bro
deleted file mode 100644
index 84e98ec3ff..0000000000
--- a/policy/passwords.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: passwords.bro 688 2004-11-02 23:59:55Z vern $
-
-# Generates notices of exposed passwords.  Currently just works
-# on telnet/rlogin access.  Should be extended to do FTP, HTTP, etc.
-
-@load login
-
-redef enum Notice += {
-	PasswordExposed,
-};
-
-# Usernames which we ignore.
-global okay_usernames: set[string] &redef;
-
-# Passwords which we ignore.
-global okay_passwords = { "", "<none>" } &redef;
-
-event login_success(c:connection, user: string, client_user: string,
-			password: string, line: string)
-	{
-	if ( user in okay_usernames || password in okay_passwords )
-		return;
-
-	NOTICE([$note=PasswordExposed,
-		$conn=c,
-		$user=user,
-		$sub=password,
-		$msg="login exposed user's password"]);
-	}
diff --git a/policy/pcap.bro b/policy/pcap.bro
deleted file mode 100644
index 091233dd52..0000000000
--- a/policy/pcap.bro
+++ /dev/null
@@ -1,100 +0,0 @@
-# $Id: pcap.bro 261 2004-08-31 19:25:40Z vern $
-
-# The set of capture_filters indexed by some user-definable ID.
-global capture_filters: table[string] of string &redef;
-global restrict_filters: table[string] of string &redef;
-
-# Filter string which is unconditionally or'ed to every pcap filter.
-global unrestricted_filter = "" &redef;
-
-redef enum PcapFilterID += {
-	DefaultPcapFilter,
-};
-
-function add_to_pcap_filter(fold: string, fnew: string, op: string): string
-	{
-	if ( fold == "" )
-		return fnew;
-	else if ( fnew == "" )
-		return fold;
-	else
-		return fmt("(%s) %s (%s)", fold, op, fnew);
-	}
-
-function join_filters(capture_filter: string, restrict_filter: string): string
-	{
-	local filter: string;
-
-	if ( capture_filter != "" && restrict_filter != "" )
-		filter = fmt( "(%s) and (%s)", restrict_filter, capture_filter );
-	else if ( capture_filter != "" )
-		filter = capture_filter;
-
-	else if ( restrict_filter != "" )
-		filter = restrict_filter;
-
-	else
-		filter = "tcp or udp or icmp";
-
-	if ( unrestricted_filter != "" )
-		filter = fmt( "(%s) or (%s)", unrestricted_filter, filter );
-
-	return filter;
-	}
-
-function build_default_pcap_filter(): string
-	{
-	# Build capture_filter.
-	local cfilter = "";
-
-	for ( id in capture_filters )
-		cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
-
-	# Build restrict_filter.
-	local rfilter = "";
-	local saw_VLAN = F;
-	for ( id in restrict_filters )
-		{
-		if ( restrict_filters[id] == "vlan" )
-			# These are special - they need to come first.
-			saw_VLAN = T;
-		else
-			rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
-		}
-
-	if ( saw_VLAN )
-		rfilter = add_to_pcap_filter("vlan", rfilter, "and");
-
-	return join_filters(cfilter, rfilter);
-	}
-
-function install_default_pcap_filter()
-	{
-	if ( ! install_pcap_filter(DefaultPcapFilter) )
-		 {
-		 ### This could be due to a true failure, or simply
-		 # because the user specified -f.  Since we currently
-		 # don't have an easy way to distinguish, we punt on
-		 # reporting it for now.
-		 }
-	}
-
-global default_pcap_filter = "<not set>";
-
-function update_default_pcap_filter()
-	{
-	default_pcap_filter = build_default_pcap_filter();
-
-	if ( ! precompile_pcap_filter(DefaultPcapFilter, default_pcap_filter) )
-		 {
-		 print fmt("can't compile filter %s", default_pcap_filter);
-		 exit();
-		 }
-
-	install_default_pcap_filter();
-	}
-
-event bro_init()
-	{
-	update_default_pcap_filter();
-	}
diff --git a/policy/peer-status.bro b/policy/peer-status.bro
deleted file mode 100644
index 95189873fd..0000000000
--- a/policy/peer-status.bro
+++ /dev/null
@@ -1,84 +0,0 @@
-# $Id: peer-status.bro 5954 2008-07-15 00:07:50Z vern $
-#
-# Emits process status "update" event periodically.
-
-module PeerStatus;
-
-export {
-	type peer_status: record {
-		res: bro_resources;
-		stats: net_stats;
-		current_time: time;
-		cpu: double;		# average CPU load since last update
-		default_filter: string;	# default capture filter
-	};
-
-	# Event sent periodically.
-	global update: event(status: peer_status);
-
-	# Update interval.
-	const update_interval = 1 min;
-
-	# This keeps track of all (local and remote) updates
-	# (indexed by peer ID).
-	global peers: table[peer_id] of peer_status;
-}
-
-global start_time = 0;
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-global stats: net_stats;
-global default_filter : string;
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	stats = ns;
-	}
-
-event emit_update()
-	{
-	# Get CPU load.
-	local res = resource_usage();
-	local proc_time = res$user_time + res$system_time;
-	local wall_time = current_time();
-	local dproc = proc_time - cpu_last_proc_time;
-	local dwall = wall_time - cpu_last_wall_time;
-	local load = dproc / dwall * 100.0;
-	cpu_last_proc_time = proc_time;
-	cpu_last_wall_time = wall_time;
-
-	local status: peer_status;
-	status$res = res;
-	status$stats = stats;
-	status$current_time = current_time();
-	status$cpu = load;
-	status$default_filter = default_filter;
-
-	event PeerStatus::update(status);
-
-	schedule update_interval { emit_update() };
-	}
-
-event bro_init()
-	{
-	default_filter = build_default_pcap_filter();
-
-	local res = resource_usage();
-	cpu_last_proc_time = res$user_time + res$system_time;
-	cpu_last_wall_time = current_time();
-	stats = [$pkts_recvd=0, $pkts_dropped=0, $pkts_link=0];
-
-	schedule update_interval { emit_update() };
-	}
-
-event update(status: peer_status)
-	{
-	local peer = get_event_peer();
-	peers[peer$id] = status;
-	}
-
-event remote_connection_closed(p: event_peer)
-	{
-	if ( p$id in peers )
-		delete peers[p$id];
-	}
diff --git a/policy/pkt-profile.bro b/policy/pkt-profile.bro
deleted file mode 100644
index a499ec2c6e..0000000000
--- a/policy/pkt-profile.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: pkt-profile.bro 325 2004-09-03 01:33:15Z vern $
-
-redef pkt_profile_file = open_log_file("pkt-prof");
-redef pkt_profile_mode = PKT_PROFILE_MODE_SECS;
-redef pkt_profile_freq = 1.0;
diff --git a/policy/pop3.bro b/policy/pop3.bro
deleted file mode 100644
index 40ae3920a9..0000000000
--- a/policy/pop3.bro
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Id: pop3.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Analyzer for Post Office Protocol, version 3.
-#
-# If you want to decode the mail itself, also load mime-pop.bro.
-
-@load login
-
-module POP3;
-
-export {
-	# Report if source triggers more ERR messages.
-	const error_threshold: count = 3 &redef;
- 	# Don't log these commands.
-	const ignore_commands: set[string] = { "STAT" } &redef;
-}
-
-redef capture_filters += { ["pop3"] = "port 110" };
-
-global pop3_ports = { 110/tcp } &redef;
-redef dpd_config += { [ANALYZER_POP3] = [$ports = pop3_ports] };
-
-const log_file = open_log_file("pop3") &redef;
-
-type pop3_session_info: record {
-	id: count; 		# Unique session ID.
-	quit_sent: bool;	# Client issued a QUIT.
-	last_command: string;	# Last command of client.
-};
-
-
-global pop_log: function(conn: pop3_session_info,
-				command: string, message: string);
-global get_connection: function(id: conn_id): pop3_session_info;
-
-
-global pop_connections:
-	table[conn_id] of pop3_session_info &read_expire = 60 mins;
-global pop_connection_weirds:
-	table[addr] of count &default=0 &read_expire = 60 mins;
-global pop_session_id = 0;
-
-
-event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
-	{
-	local conn = get_connection(c$id);
-
-	pop_log(conn, command, fmt("%.6f #%s > %s %s",
-		network_time(), prefixed_id(conn$id), command, arg));
-
-	conn$last_command = command;
-
-	if ( command == "QUIT" )
-		conn$quit_sent = T;
-	}
-
-event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
-	{
-	local conn = get_connection(c$id);
-
-	pop_log(conn, cmd,
-		fmt("%.6f #%s < %s %s", network_time(), prefixed_id(conn$id), cmd, msg));
-
-	if ( cmd == "OK" )
-		{
-		if ( conn$quit_sent )
-			delete pop_connections[c$id];
-		}
-
-	else if ( cmd == "ERR" )
-		{
-		++pop_connection_weirds[c$id$orig_h];
-		if ( pop_connection_weirds[c$id$orig_h] > error_threshold )
-			print log_file, fmt("%.6f #%s %s/%d > %s/%d WARNING: error count exceeds threshold",
-					network_time(), prefixed_id(conn$id),
-					c$id$orig_h, c$id$orig_p,
-					c$id$resp_h, c$id$resp_p);
-		}
-	}
-
-event pop3_login_success(c: connection, is_orig: bool,
-				user: string, password: string)
-	{
-	local conn = get_connection(c$id);
-
-	local pw = byte_len(password) != 0 ? password : "<not seen>";
-
-	print log_file, fmt("%.6f #%s > login successful: user %s password: %s",
-				network_time(), prefixed_id(conn$id), user, pw);
-
-	event login_success(c, user, "", password, "");
-	}
-
-event pop3_login_failure(c: connection, is_orig: bool,
-				user: string, password: string)
-	{
-	local conn = get_connection(c$id);
-
-	print log_file, fmt("%.6f #%s > login failed: user %s password: %s",
-			network_time(), prefixed_id(conn$id), user, password);
-
-	event login_failure(c, user, "", password, "");
-	}
-
-# event pop3_data(c: connection, is_orig: bool, data: string)
-# 	{
-# 	# We could instantiate partial connections here if we wished,
-# 	# but at considerable cost in terms of event counts.
-# 	local conn = get_connection(c$id);
-# 	}
-
-event pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
-	{
-	local conn = get_connection(c$id);
-	print log_file, fmt("%.6f #%s unexpected cmd: %s detail: %s",
-				network_time(), prefixed_id(conn$id),
-				msg, detail);
-	}
-
-event pop3_terminate(c: connection, is_orig: bool, msg: string)
-	{
-	delete pop_connections[c$id];
-	}
-
-
-function pop_log(conn: pop3_session_info, command: string, message: string)
-	{
-	if ( command !in ignore_commands )
-		{
-		if ( (command == "OK" || command == "ERR") &&
-		     conn$last_command in ignore_commands )
-			;
-		else
-			print log_file, message;
-		}
-	}
-
-function get_connection(id: conn_id): pop3_session_info
-	{
-	if ( id in pop_connections )
-		return pop_connections[id];
-
-	local conn: pop3_session_info;
-
-	conn$id = ++pop_session_id;
-	conn$quit_sent = F;
-	conn$last_command = "INIT";
-	pop_connections[id] = conn;
-
-	print log_file, fmt("%.6f #%s %s/%d > %s/%d: new connection",
-				network_time(), prefixed_id(conn$id),
-				id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-
-	return conn;
-	}
diff --git a/policy/port-name.bro b/policy/port-name.bro
deleted file mode 100644
index c5b0f8c11f..0000000000
--- a/policy/port-name.bro
+++ /dev/null
@@ -1,63 +0,0 @@
-const port_names: table[port] of string = {
-	[0/icmp] = "icmp-echo",
-	[3/icmp] = "icmp-unreach",
-	[8/icmp] = "icmp-echo",
-
-	[7/tcp] = "echo",
-	[9/tcp] = "discard",
-	[20/tcp] = "ftp-data",
-	[21/tcp] = "ftp",
-	[22/tcp] = "ssh",
-	[23/tcp] = "telnet",
-	[25/tcp] = "smtp",
-	[37/tcp] = "time",
-	[43/tcp] = "whois",
-	[53/tcp] = "dns",
-	[79/tcp] = "finger",
-	[80/tcp] = "http",
-	[109/tcp] = "pop-2",
-	[110/tcp] = "pop-3",
-	[111/tcp] = "portmap",
-	[113/tcp] = "ident",
-	[119/tcp] = "nntp",
-	[135/tcp] = "epmapper",
-	[139/tcp] = "netbios-ssn",
-	[143/tcp] = "imap4",
-	[179/tcp] = "bgp",
-	[389/tcp] = "ldap",
-	[443/tcp] = "https",
-	[445/tcp] = "smb",
-	[512/tcp] = "exec",
-	[513/tcp] = "rlogin",
-	[514/tcp] = "shell",
-	[515/tcp] = "printer",
-	[524/tcp] = "ncp",
-	[543/tcp] = "klogin",
-	[544/tcp] = "kshell",
-	[631/tcp] = "ipp",
-	[993/tcp] = "simap",
-	[995/tcp] = "spop",
-	[1521/tcp] = "oracle-sql",
-	[2049/tcp] = "nfs",
-	[6000/tcp] = "X11",
-	[6001/tcp] = "X11",
-	[6667/tcp] = "IRC",
-
-	[53/udp] = "dns",
-	[69/udp] = "tftp",
-	[111/udp] = "portmap",
-	[123/udp] = "ntp",
-	[137/udp] = "netbios-ns",
-	[138/udp] = "netbios-dgm",
-	[161/udp] = "snmp",
-	[2049/udp] = "nfs",
-
-} &redef;
-
-function endpoint_id(h: addr, p: port): string
-	{
-	if ( p in port_names )
-		return fmt("%s/%s", h, port_names[p]);
-	else
-		return fmt("%s/%d", h, p);
-	}
diff --git a/policy/portmapper.bro b/policy/portmapper.bro
deleted file mode 100644
index ecf952e9fc..0000000000
--- a/policy/portmapper.bro
+++ /dev/null
@@ -1,401 +0,0 @@
-# $Id: portmapper.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load notice
-@load hot
-@load conn
-@load weird
-
-module Portmapper;
-
-export {
-	redef enum Notice += {
-		# Some combination of the service looked up, the host doing the
-		# request, and the server contacted is considered sensitive.
-		SensitivePortmapperAccess,
-	};
-
-	# Kudos to Job de Haas for a lot of these entries.
-
-	const rpc_programs = {
-		[200] = "aarp",
-
-		[100000] = "portmapper", [100001] = "rstatd",
-		[100002] = "rusersd", [100003] = "nfs", [100004] = "ypserv",
-		[100005] = "mountd", [100007] = "ypbind", [100008] = "walld",
-		[100009] = "yppasswdd", [100010] = "etherstatd",
-		[100011] = "rquotad", [100012] = "sprayd",
-		[100013] = "3270_mapper", [100014] = "rje_mapper",
-		[100015] = "selection_svc", [100016] = "database_svc",
-		[100017] = "rexd", [100018] = "alis", [100019] = "sched",
-		[100020] = "llockmgr", [100021] = "nlockmgr",
-		[100022] = "x25.inr", [100023] = "statmon",
-		[100024] = "status", [100026] = "bootparam",
-		[100028] = "ypupdate", [100029] = "keyserv",
-		[100033] = "sunlink_mapper", [100036] = "pwdauth",
-		[100037] = "tfsd", [100038] = "nsed",
-		[100039] = "nsemntd", [100041] = "pnpd",
-		[100042] = "ipalloc", [100043] = "filehandle",
-		[100055] = "ioadmd", [100062] = "NETlicense",
-		[100065] = "sunisamd", [100066] = "debug_svc",
-		[100068] = "cms", [100069] = "ypxfrd",
-		[100071] = "bugtraqd", [100078] = "kerbd",
-		[100083] = "tooltalkdb", [100087] = "admind",
-		[100099] = "autofsd",
-
-		[100101] = "event", [100102] = "logger", [100104] = "sync",
-		[100105] = "diskinfo", [100106] = "iostat",
-		[100107] = "hostperf", [100109] = "activity",
-		[100111] = "lpstat", [100112] = "hostmem",
-		[100113] = "sample", [100114] = "x25", [100115] = "ping",
-		[100116] = "rpcnfs", [100117] = "hostif", [100118] = "etherif",
-		[100119] = "ippath", [100120] = "iproutes",
-		[100121] = "layers", [100122] = "snmp", [100123] = "traffic",
-		[100131] = "layers2", [100135] = "etherif2",
-		[100136] = "hostmem2", [100137] = "iostat2",
-		[100138] = "snmpv2", [100139] = "sender",
-
-		[100221] = "kcms", [100227] = "nfs_acl", [100229] = "metad",
-		[100230] = "metamhd", [100232] = "sadmind", [100233] = "ufsd",
-		[100235] = "cachefsd", [100249] = "snmpXdmid",
-
-		[100300] = "nisd", [100301] = "nis_cache",
-		[100302] = "nis_callback", [100303] = "nispasswd",
-
-		[120126] = "nf_snmd", [120127] = "nf_snmd",
-
-		[150001] = "pcnfsd",
-
-		[300004] = "frameuser", [300009] = "stdfm", [300019] = "amd",
-
-		[300433] = "bssd", [300434] = "drdd",
-
-		[300598] = "dmispd",
-
-		[390100] = "prestoctl_svc",
-
-		[390600] = "arserverd", [390601] = "ntserverd",
-		[390604] = "arservtcd",
-
-		[391000] = "SGI_snoopd", [391001] = "SGI_toolkitbus",
-		[391002] = "SGI_fam", [391003] = "SGI_notepad",
-		[391004] = "SGI_mountd", [391005] = "SGI_smtd",
-		[391006] = "SGI_pcsd", [391007] = "SGI_nfs",
-		[391008] = "SGI_rfind", [391009] = "SGI_pod",
-		[391010] = "SGI_iphone", [391011] = "SGI_videod",
-		[391012] = "SGI_testcd", [391013] = "SGI_ha_hb",
-		[391014] = "SGI_ha_nc", [391015] = "SGI_ha_appmon",
-		[391016] = "SGI_xfsmd", [391017] = "SGI_mediad",
-
-		# 391018 - 391063 = "SGI_reserved"
-
-		[545580417] = "bwnfsd",
-
-		[555555554] = "inetray.start", [555555555] = "inetray",
-		[555555556] = "inetray", [555555557] = "inetray",
-		[555555558] = "inetray", [555555559] = "inetray",
-		[555555560] = "inetray",
-
-		[600100069] = "fypxfrd",
-
-		[1342177279] = "Solaris/CDE",	# = 0x4fffffff
-
-		# Some services that choose numbers but start often at these values.
-		[805306368] = "dmispd",
-		[824395111] = "cfsd", [1092830567] = "cfsd",
-	} &redef;
-
-	const NFS_services = {
-		"mountd", "nfs", "pcnfsd", "nlockmgr", "rquotad", "status"
-	} &redef;
-
-	# Indexed by the host providing the service, the host requesting it,
-	# and the service.
-	const RPC_okay: set[addr, addr, string] &redef;
-	const RPC_okay_nets: set[subnet] &redef;
-	const RPC_okay_services: set[string] &redef;
-	const NFS_world_servers: set[addr] &redef;
-
-	# Indexed by the portmapper request and a boolean that's T if
-	# the request was answered, F it was attempted but not answered.
-	# If there's an entry in the set, then the access won't be logged
-	# (unless the connection is hot for some other reason).
-	const RPC_do_not_complain: set[string, bool] = {
-		["pm_null", [T, F]],
-	} &redef;
-
-	# Indexed by the host requesting the dump and the host from which it's
-	# requesting it.
-	const RPC_dump_okay: set[addr, addr] &redef;
-
-	# Indexed by the host providing the service - any host can request it.
-	const any_RPC_okay = {
-		[NFS_world_servers, NFS_services],
-		[sun-rpc.mcast.net, "ypserv"],	# sigh
-	} &redef;
-}
-
-redef capture_filters += { ["portmapper"] = "port 111" };
-
-const portmapper_ports = { 111/tcp } &redef;
-redef dpd_config += { [ANALYZER_PORTMAPPER] = [$ports = portmapper_ports] };
-
-const portmapper_binpac_ports = { 111/udp } &redef;
-redef dpd_config += { [ANALYZER_RPC_UDP_BINPAC] = [$ports = portmapper_binpac_ports] };
-
-# Indexed by source and destination addresses, plus the portmapper service.
-# If the tuple is in the set, then we already logged it and shouldn't do
-# so again.
-global did_pm_log: set[addr, addr, string];
-
-# Indexed by source and portmapper service.  If set, we already logged
-# and shouldn't do so again.
-global suppress_pm_log: set[addr, string];
-
-
-function RPC_weird_action_filter(c: connection): Weird::WeirdAction
-	{
-	if ( c$id$orig_h in RPC_okay_nets )
-		return Weird::WEIRD_FILE;
-	else
-		return Weird::WEIRD_UNSPECIFIED;
-	}
-
-redef Weird::weird_action_filters += {
-	[["bad_RPC", "excess_RPC", "multiple_RPCs", "partial_RPC"]] =
-		RPC_weird_action_filter,
-};
-
-function rpc_prog(p: count): string
-	{
-	if ( p in rpc_programs )
-		return rpc_programs[p];
-	else
-		return fmt("unknown-%d", p);
-	}
-
-function pm_check_getport(r: connection, prog: string): bool
-	{
-	if ( prog in RPC_okay_services ||
-	     [r$id$resp_h, prog] in any_RPC_okay ||
-	     [r$id$resp_h, r$id$orig_h, prog] in RPC_okay )
-		return F;
-
-	if ( r$id$orig_h in RPC_okay_nets )
-		return F;
-
-	return T;
-	}
-
-function pm_activity(r: connection, log_it: bool, proc: string)
-	{
-	local id = r$id;
-
-	if ( log_it &&
-	     [id$orig_h, id$resp_h, proc] !in did_pm_log &&
-	     [id$orig_h, proc] !in suppress_pm_log )
-		{
-		NOTICE([$note=SensitivePortmapperAccess, $conn=r,
-			$msg=fmt("rpc: %s %s: %s",
-				id_string(r$id), proc, r$addl)]);
-		add did_pm_log[id$orig_h, id$resp_h, proc];
-		}
-	}
-
-function pm_request(r: connection, proc: string, addl: string, log_it: bool)
-	{
-	if ( [proc, T] in RPC_do_not_complain )
-		log_it = F;
-
-	if ( ! is_tcp_port(r$id$orig_p) )
-		{
-		# It's UDP, so no connection_established event - check for
-		# scanning, hot access, here, instead.
-		Scan::check_scan(r, T, F);
-		Hot::check_hot(r, Hot::CONN_ESTABLISHED);
-		}
-
-	if ( r$addl == "" )
-		r$addl = addl;
-
-	else
-		{
-		if ( byte_len(r$addl) > 80 )
-			{
-			# r already has a lot of annotation.  We can sometimes
-			# get *zillions* of successive pm_request's with the
-			# same connection ID, depending on how the RPC client
-			# behaves.  For those, don't add any further, except
-			# add an ellipses if we don't already have one.
-			append_addl(r, "...");
-			}
-		else
-			append_addl_marker(r, addl, ", ");
-		}
-
-	add r$service[proc];
-	Hot::check_hot(r, Hot::CONN_FINISHED);
-	pm_activity(r, log_it || r$hot > 0, proc);
-	}
-
-
-event pm_request_null(r: connection)
-	{
-	pm_request(r, "pm_null", "", F);
-	}
-
-event pm_request_set(r: connection, m: pm_mapping, success: bool)
-	{
-	pm_request(r, "pm_set", fmt("%s %d (%s)",
-		rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
-	}
-
-event pm_request_unset(r: connection, m: pm_mapping, success: bool)
-	{
-	pm_request(r, "pm_unset", fmt("%s %d (%s)",
-		rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
-	}
-
-function update_RPC_server_map(server: addr, p: port, prog: string)
-	{
-	if ( [server, p] in RPC_server_map )
-		{
-		if ( prog !in RPC_server_map[server, p] )
-			{
-			RPC_server_map[server, p] =
-				fmt("%s/%s", RPC_server_map[server, p], prog);
-			}
-		}
-	else
-		RPC_server_map[server, p] = prog;
-	}
-
-event pm_request_getport(r: connection, pr: pm_port_request, p: port)
-	{
-	local prog = rpc_prog(pr$program);
-	local log_it = pm_check_getport(r, prog);
-
-	update_RPC_server_map(r$id$resp_h, p, prog);
-
-	pm_request(r, "pm_getport", fmt("%s -> %s", prog, p), log_it);
-	}
-
-function pm_mapping_to_text(server: addr, m: pm_mappings): string
-	{
-	# Used to suppress multiple entries for multiple versions.
-	local mapping_seen: set[count, port];
-	local addls: vector of string;
-	local num_addls = 0;
-
-	for ( mp in m )
-		{
-		local prog = m[mp]$program;
-		local p = m[mp]$p;
-
-		if ( [prog, p] !in mapping_seen )
-			{
-			add mapping_seen[prog, p];
-			addls[++num_addls] = fmt("%s -> %s", rpc_prog(prog), p);
-
-			update_RPC_server_map(server, p, rpc_prog(prog));
-			}
-		}
-
-	local addl_str = fmt("%s", sort(addls, strcmp));
-
-	# Lop off surrounding []'s for compatibility with previous
-	# format.
-	addl_str = sub(addl_str, /^\[/, "");
-	addl_str = sub(addl_str, /\]$/, "");
-
-	return addl_str;
-	}
-
-event pm_request_dump(r: connection, m: pm_mappings)
-	{
-	local log_it = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
-	pm_request(r, "pm_dump", length(m) == 0 ? "(nil)" : "(done)", log_it);
-	append_addl(r, cat("<", pm_mapping_to_text(r$id$resp_h, m), ">"));
-	}
-
-event pm_request_callit(r: connection, call: pm_callit_request, p: port)
-	{
-	local orig_h = r$id$orig_h;
-	local prog = rpc_prog(call$program);
-	local log_it = [orig_h, prog] !in suppress_pm_log;
-
-	pm_request(r, "pm_callit", fmt("%s/%d (%d bytes) -> %s",
-		prog, call$proc, call$arg_size, p), log_it);
-
-	if ( prog == "walld" )
-		add suppress_pm_log[orig_h, prog];
-	}
-
-
-function pm_attempt(r: connection, proc: string, status: rpc_status,
-			addl: string, log_it: bool)
-	{
-	if ( [proc, F] in RPC_do_not_complain )
-		log_it = F;
-
-	if ( ! is_tcp_port(r$id$orig_p) )
-		{
-		# It's UDP, so no connection_attempt event - check for
-		# scanning here, instead.
-		Scan::check_scan(r, F, F);
-		Hot::check_hot(r, Hot::CONN_ATTEMPTED);
-		}
-
-	add r$service[proc];
-	append_addl(r, fmt("(%s)", RPC_status[status]));
-
-	# Current policy is ignore any failed attempts.
-	pm_activity(r, F, proc);
-	}
-
-event pm_attempt_null(r: connection, status: rpc_status)
-	{
-	pm_attempt(r, "pm_null", status, "", T);
-	}
-
-event pm_attempt_set(r: connection, status: rpc_status, m: pm_mapping)
-	{
-	pm_attempt(r, "pm_set", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
-	}
-
-event pm_attempt_unset(r: connection, status: rpc_status, m: pm_mapping)
-	{
-	pm_attempt(r, "pm_unset", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
-	}
-
-event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request)
-	{
-	local prog = rpc_prog(pr$program);
-	local log_it = pm_check_getport(r, prog);
-	pm_attempt(r, "pm_getport", status, prog, log_it);
-	}
-
-event pm_attempt_dump(r: connection, status: rpc_status)
-	{
-	local log_it = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
-	pm_attempt(r, "pm_dump", status, "", log_it);
-	}
-
-event pm_attempt_callit(r: connection, status: rpc_status,
-			call: pm_callit_request)
-	{
-	local orig_h = r$id$orig_h;
-	local prog = rpc_prog(call$program);
-	local log_it = [orig_h, prog] !in suppress_pm_log;
-
-	pm_attempt(r, "pm_callit", status,
-		fmt("%s/%d (%d bytes)", prog, call$proc, call$arg_size),
-		log_it);
-
-	if ( prog == "walld" )
-		add suppress_pm_log[orig_h, prog];
-	}
-
-event pm_bad_port(r: connection, bad_p: count)
-	{
-	event conn_weird_addl("bad_pm_port", r, fmt("port %d", bad_p));
-	}
diff --git a/policy/print-filter.bro b/policy/print-filter.bro
deleted file mode 100644
index 5d8d03b80a..0000000000
--- a/policy/print-filter.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: print-filter.bro 4506 2007-06-27 14:40:34Z vern $
-
-module PrintFilter;
-
-export {
-	# If true, terminate Bro after printing the filter.
-	const terminate_bro = T &redef;
-
-	# If true, write to log file instead of stdout.
-	const to_file = F &redef;
-	}
-
-event bro_init()
-	{
-	if ( to_file )
-		{
-		local f = open_log_file("pcap_filter");
-		print f, build_default_pcap_filter();
-		close(f);
-		}
-	else
-		print build_default_pcap_filter();
-
-	if ( terminate_bro )
-		exit();
-	}
diff --git a/policy/print-globals.bro b/policy/print-globals.bro
deleted file mode 100644
index 994ea17eba..0000000000
--- a/policy/print-globals.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-event bro_done()
-	{
-	print global_sizes();
-	}
diff --git a/policy/print-resources.bro b/policy/print-resources.bro
deleted file mode 100644
index 7b069f9415..0000000000
--- a/policy/print-resources.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: print-resources.bro 6703 2009-05-13 22:27:44Z vern $
-
-# Logs Bro resource usage information upon termination.
-
-@load notice
-
-redef enum Notice += {
-	ResourceSummary,	# Notice type for this event
-};
- 
-event bro_done()
-	{
-	local res = resource_usage();
-	
-	NOTICE([$note=ResourceSummary,
-		$msg=fmt("elapsed time = %s, total CPU = %s, maximum memory = %d KB, peak connections = %d, peak timers = %d, peak fragments = %d",
-		res$real_time, res$user_time + res$system_time,
-		res$mem / 1024,
-		res$max_TCP_conns + res$max_UDP_conns + res$max_ICMP_conns,
-		res$max_timers, res$max_fragments)]);
-	}
diff --git a/policy/print-sig-states.bro b/policy/print-sig-states.bro
deleted file mode 100644
index c13677f6ca..0000000000
--- a/policy/print-sig-states.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: print-sig-states.bro 491 2004-10-05 05:44:59Z vern $
-#
-# Simple profiling script for periodicaly dumping out signature-matching
-# statistics.
-
-global sig_state_stats_interval = 5 mins;
-global sig_state_file = open_log_file("sig-states");
-
-event dump_sig_state_stats()
-	{
-	dump_rule_stats(sig_state_file);
-	schedule sig_state_stats_interval { dump_sig_state_stats() };
-	}
-
-event bro_init()
-	{
-	schedule sig_state_stats_interval { dump_sig_state_stats() };
-	}
diff --git a/policy/profiling.bro b/policy/profiling.bro
deleted file mode 100644
index a8aef46440..0000000000
--- a/policy/profiling.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id: profiling.bro 1102 2005-03-17 09:17:46Z vern $
-#
-# Turns on profiling of Bro resource consumption.
-
-redef profiling_file = open_log_file("prof");
-
-# Cheap profiling every 15 seconds.
-redef profiling_interval = 15 secs &redef;
-
-# Expensive profiling every 5 minutes.
-redef expensive_profiling_multiple = 20;
-
-event bro_init()
-	{
-	set_buf(profiling_file, F);
-	}
-
diff --git a/policy/proxy.bro b/policy/proxy.bro
deleted file mode 100644
index 1f43308f3a..0000000000
--- a/policy/proxy.bro
+++ /dev/null
@@ -1,99 +0,0 @@
-# $Id: proxy.bro,v 1.1.4.2 2006/05/31 00:16:22 sommer Exp $
-#
-# Finds open proxies by matching incoming HTTP requests with outgoing ones.
-
-@load notice
-
-module Proxy;
-
-export {
-	const KnownProxies: set[addr] = { };
-
-	redef enum Notice += {
-		HTTPProxyFound,
-	};
-}
-
-
-type request: record {
-	p: port;
-	paths: set[string];
-};
-
-# Maps the address of the potential proxy to the paths that
-# have been requested from it.
-global requests: table[addr] of request;
-
-# A parsed URL.
-type url: record {
-	host: string;
-	path: string;
-};
-
-global found_proxies: set[addr] &create_expire = 24 hrs;
-
-function parse_url(u: string) : url
-	{
-	# The URL parsing is imperfect, but should work sufficiently well.
-	local a = split1(u, /:\/\//);
-	if ( |a| == 1 )
-		return [$host="", $path=a[1]];
-
-	local b = split1(a[2], /\//);
-	return [$host=b[1], $path=(|b| == 2 ? cat("/", b[2]) : "/")];
-	}
-
-event http_request(c: connection, method: string, original_URI: string,
-			unescaped_URI: string, version: string)
-	{
-	if ( method != "GET" && method != "CONNECT" )
-		return;
-
-	local client = c$id$orig_h;
-	local server = c$id$resp_h;
-
-	if ( server in KnownProxies )
-		return;
-
-	# FIXME: Which one? original_URI or unescaped_URI?
-	local u = parse_url(original_URI);
-
-	if ( client in requests )
-		{
-		# We have already seen requests to this host.  Let's see
-		# any matches the one we're very currently seeing.
-		local r = requests[client];
-		if ( u$path in r$paths )
-			{
-			if ( client !in found_proxies )
-				{
-				NOTICE([$note=HTTPProxyFound,
-						$conn=c, $src=client,
-						$p=r$p, $URL=original_URI,
-						$msg=fmt("HTTP proxy found %s:%d (%s)",
-						client, r$p, original_URI)]);
-				add found_proxies[client];
-				}
-
-			return;
-			}
-		}
-
-	if ( u$host == "" )
-		# A relative URL. That's fine.
-		return;
-
-	# An absolute URL.  Remember path for later.
-	#
-	# Note: using "when", could even lookup the destination
-	# host and remember that one, too!
-
-	if ( server !in requests )
-		{
-		local empty_set: set[string] &read_expire = 15 secs;
-		local req = [$p=c$id$resp_p, $paths=empty_set];
-		requests[server] = req;
-		}
-
-	add requests[server]$paths[u$path];
-	}
diff --git a/policy/remote-pcap.bro b/policy/remote-pcap.bro
deleted file mode 100644
index 18b124707e..0000000000
--- a/policy/remote-pcap.bro
+++ /dev/null
@@ -1,52 +0,0 @@
-# $Id: remote-pcap.bro 2704 2006-04-04 07:35:46Z vern $
-#
-# Allows remote peers to set our capture filter.
-
-@load remote
-
-# We install a filter which (hopefully) doesn't match anything to avoid Bro's
-# default "tcp or udp" when no other script/peers adds a filter.
-
-## FIXME: We need non-blocking pacp for this to work.
-##
-## ##redef capture_filters["match-nothing"] = "ether src 0:0:0:0:0:0";
-
-function build_capture_filter_index(p: event_peer): string
-	{
-	return fmt("remote-%d", p$id);
-	}
-
-event remote_capture_filter(p: event_peer, filter: string)
-	{
-	# If we send a capture filter to a peer and are subscribed to all
-	# of its events, we will get a remote_capture_filter event back.
-	if ( is_remote_event() )
-		return;
-
-	Remote::do_script_log(p, fmt("received capture filter: %s", filter));
-
-	capture_filters[build_capture_filter_index(p)] = filter;
-
-	# This will recompile the filter, which may take some time.
-	# Thus, setting a new capture_filter may cost us some packets :-(.
-	update_default_pcap_filter();
-
-	Remote::do_script_log(p, fmt("new default pcap filter: %s",
-					default_pcap_filter));
-	}
-
-event remote_connection_closed(p: event_peer)
-	{
-	local i = build_capture_filter_index(p);
-
-	if ( i in capture_filters )
-		{
-		Remote::do_script_log(p, fmt("removed capture filter: %s",
-					capture_filters[i]));
-		delete capture_filters[i];
-		update_default_pcap_filter();
-		}
-
-	Remote::do_script_log(p, fmt("new default pcap filter: %s",
-				default_pcap_filter));
-	}
diff --git a/policy/remote-ping.bro b/policy/remote-ping.bro
deleted file mode 100644
index c27c8884d2..0000000000
--- a/policy/remote-ping.bro
+++ /dev/null
@@ -1,49 +0,0 @@
-# $Id: remote-ping.bro 2704 2006-04-04 07:35:46Z vern $
-#
-# Exchanges periodic pings between communicating Bro's to measure their
-# processing times.
-
-@load remote
-
-module RemotePing;
-
-export {
-	const ping_interval = 1 secs;
-}
-
-global pings: table[event_peer] of count;
-
-event remote_connection_established(p: event_peer)
-	{
-	pings[p] = 0;
-	}
-
-event remote_connection_closed(p: event_peer)
-	{
-	delete pings[p];
-	}
-
-event ping()
-	{
-	for ( p in pings )
-		send_ping(p, ++pings[p]);
-
-	schedule ping_interval { ping() };
-	}
-
-event remote_pong(p: event_peer, seq: count,
-			d1: interval, d2: interval, d3: interval)
-	{
-	# We log three times: "time=<t1> [<t2>/<t3>]"
-	#    t1: round-trip between the two parent processes.
-	#    t2: round-trip between the two child processes.
-	#    t3: sum of time spent in client<->parent communication on
-	#	 either side
-	Remote::do_script_log(p, fmt("ping seq=%d time=%.3fs [%.3fs/%.3fs]", seq,
-				d1, d2 - d3, d1 - d2 + d3));
-	}
-
-event bro_init()
-	{
-	schedule ping_interval { ping() };
-	}
diff --git a/policy/remote-print-id-reply.bro b/policy/remote-print-id-reply.bro
deleted file mode 100644
index 81d0efe35e..0000000000
--- a/policy/remote-print-id-reply.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id:$
-#
-# Load this script to support remote printing of variables.  The remote
-# peer accesses these by loading remote-print-id.bro.
-
-module PrintID;
-
-global request_id_response: event(id: string, content: string);
-
-event request_id(id: string)
-	{
-	if ( ! is_remote_event() )
-		return;
-
-	local val = lookup_ID(id);
-	event request_id_response(id, fmt("%s", val));
-	}
diff --git a/policy/remote-print-id.bro b/policy/remote-print-id.bro
deleted file mode 100644
index 550ff8b8b8..0000000000
--- a/policy/remote-print-id.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id:$
-#
-# Requests the current value of a variable (identifier) from a remote
-# peer, prints it, and then terminates. The other side must load
-# remote-print-id-reply.bro.
-#
-# Intended to be used from the command line as in:
-#
-# bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
-#		<other scripts> remote-print-id
-#
-# The other scripts must set up the connection.  <dst> is an index into
-# Remote::destinations corresponding to the destination.
-
-module PrintID;
-
-@load remote
-@load remote-print-id-reply
-
-export {
-	const dst = "<no-destination-given>" &redef;
-	const id = "<no-id-given>" &redef;
-}
-
-event remote_connection_handshake_done(p: event_peer)
-	{
-	local peer = Remote::destinations[dst];
-
-	if ( peer$host == p$host )
-		{
-		print fmt("Requesting %s from %s at %s:%d",
-				id, dst, p$host, p$p);
-		event request_id(id);
-		}
-	}
-
-event request_id_response(id: string, content: string)
-	{
-	print fmt("%s = %s", id, content);
-	terminate_communication();
-	}
-
-event bro_init()
-	{
-	if ( dst !in Remote::destinations )
-		{
-		print fmt("Unknown destination %s", dst);
-		terminate();
-		return;
-		}
-
-	Remote::connect_peer(dst);
-	}
diff --git a/policy/remote-print.bro b/policy/remote-print.bro
deleted file mode 100644
index e0d29259c6..0000000000
--- a/policy/remote-print.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# $Id: remote-print.bro 415 2004-09-17 03:25:12Z vern $
-#
-# Write remote print messages into local files.
-
-event print_hook(f: file, s: string)
-	{
-	if ( is_remote_event() )
-		print f, s;
-	}
diff --git a/policy/remote-report-notices.bro b/policy/remote-report-notices.bro
deleted file mode 100644
index 9b43ad865f..0000000000
--- a/policy/remote-report-notices.bro
+++ /dev/null
@@ -1,14 +0,0 @@
-# $Id:$
-#
-# Forward remote alarms to our local system.
-
-event notice_action(n: notice_info, action: NoticeAction)
-	{
-	if ( is_remote_event() )
-		{
-		# Don't raise this event recursively.
-		suppress_notice_action = T;
-		NOTICE(n);
-		suppress_notice_action = F;
-		}
-	}
diff --git a/policy/remote-send-id.bro b/policy/remote-send-id.bro
deleted file mode 100644
index 15c1df5f75..0000000000
--- a/policy/remote-send-id.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-# $Id:$
-#
-# Sends the current value of an ID to a remote Bro and then terminates
-# processing.
-#
-# Intended to be used from the command line as in:
-#
-# bro -e "redef Send::dst="<dst>" Send::id="<name-of-id>"
-#		<other scripts> remote-send-id
-#
-# The other scripts must set up the connection.  <dst> is an index into
-# Remote::destinations corresponding to the destination.
-
-module Send;
-
-@load remote
-
-export {
-	const dst = "<no-destination-given>" &redef;
-	const id = "<no-id-given>" &redef;
-}
-
-event remote_connection_handshake_done(p: event_peer)
-	{
-	local peer = Remote::destinations[dst];
-
-	if ( peer$host == p$host )
-		{
-		print fmt("Sending %s to %s at %s:%d", id, dst, p$host, p$p);
-		send_id(p, id);
-		terminate_communication();
-		}
-	}
-
-event bro_init()
-	{
-	if ( dst !in Remote::destinations )
-		{
-		print fmt("Unknown destination %s", dst);
-		terminate();
-		return;
-		}
-
-	Remote::connect_peer(dst);
-	}
diff --git a/policy/remote.bro b/policy/remote.bro
deleted file mode 100644
index fad2beb900..0000000000
--- a/policy/remote.bro
+++ /dev/null
@@ -1,263 +0,0 @@
-# $Id: remote.bro 5101 2007-11-29 07:02:27Z vern $
-#
-# Connect to remote Bros and request some of their events.
-
-module Remote;
-
-export {
-	const default_port_ssl = 47756/tcp &redef;
-	const default_port_clear = 47757/tcp &redef;
-
-	# Default compression level.
-	global default_compression = 0 &redef;
-
-	# A remote peer to which we would like to talk.
-	# If there's no entry for a peer, it may still connect
-	# and request state, but not send us any.
-	type Destination : record {
-		# Destination endpoint.
-		host: addr;
-		p: port &optional;
-
-		# When accepting a connection, the configuration only
-		# applies if the class matches the one transmitted by
-		# the peer.
-		#
-		# When initiating a connection, the class is sent to
-		# the other side.
-		class: string &optional;
-
-		# Events requested from remote side.
-		events: pattern &optional;
-
-		# Whether we are going to connect (rather than waiting
-		# for the other sie to connect to us).
-		connect: bool &default = F;
-
-		# If disconnected, reconnect after this many seconds.
-		retry: interval &default = 0 secs;
-
-		# Whether to accept remote events.
-		accept_input: bool &default = T;
-
-		# Whether to perform state synchronization with peer.
-		sync: bool &default = T;
-
-		# When performing state synchronization, whether we consider
-		# our state to be authoritative.  If so, we will send the peer
-		# our current set when the connection is set up.
-		# (Only one side can be authoritative.)
-		auth: bool &default = F;
-
-		# If not set, no capture filter is sent.
-		# If set to "", the default cature filter is sent.
-		capture_filter: string &optional;
-
-		# Whether to use SSL-based communication.
-		ssl: bool &default = F;
-
-		# Take-over state from this host
-		# (activated by loading hand-over.bro)
-		hand_over: bool &default = F;
-
-		# Compression level is 0-9, with 0 = no compression.
-		compression: count &default = default_compression;
-
-		# Set when connected.
-		peer: event_peer &optional;
-		connected: bool &default = F;
-	};
-
-	const destinations: table[string] of Destination &redef;
-
-	# redef destinations += {
-	#	["foo"] = [$host = foo.bar.com, $events = /.*/, $connect=T, $retry = 60 secs, $ssl=T]
-	# };
-
-	# Write log message into remote.log
-	global do_script_log: function(p: event_peer, msg: string);
-
-	global pending_peers: table[peer_id] of Destination;
-	global connected_peers: table[peer_id] of Destination;
-
-	# Connect to destionations[dst], independent of its "connect" flag.
-	global connect_peer: function(peer: string);
-}
-
-# Called rm_log rather than remote_log because there's an event by that name.
-global rm_log = open_log_file("remote");
-
-global src_names = {
-	[REMOTE_SRC_CHILD] = "[child] ",
-	[REMOTE_SRC_PARENT] = "[parent]",
-	[REMOTE_SRC_SCRIPT] = "[script]",
-};
-
-function do_script_log_common(level: count, src: count, msg: string)
-	{
-	print rm_log,
-		fmt("%.6f %s %s %s", current_time(),
-			(level == REMOTE_LOG_INFO ? "[info] " : "[error]"),
-			src_names[src], msg);
-	}
-
-event remote_log(level: count, src: count, msg: string)
-	{
-	do_script_log_common(level, src, msg);
-	}
-
-function do_script_log(p: event_peer, msg: string)
-	{
-	do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT,
-				  fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg));
-	}
-
-function connect_peer(peer: string)
-	{
-	local dst = destinations[peer];
-	local p = dst$ssl ? default_port_ssl : default_port_clear;
-
-	if ( dst?$p )
-		p = dst$p;
-
-	local class = dst?$class ? dst$class : "";
-	local id = connect(dst$host, p, class ,dst$retry, dst$ssl);
-
-	if ( id == PEER_ID_NONE )
-		print rm_log,
-		fmt("%.6f %s/%d can't trigger connect",
-			current_time(), dst$host, p);
-
-	pending_peers[id] = dst;
-	}
-
-event bro_init() &priority = -10	# let others modify destinations
-	{
-	set_buf(rm_log, F);
-
-	for ( tag in destinations )
-		{
-		if ( ! destinations[tag]$connect )
-			next;
-
-		connect_peer(tag);
-		}
-	}
-
-function setup_peer(p: event_peer, dst: Destination)
-	{
-	if ( dst?$events )
-		{
-		do_script_log(p, fmt("requesting events matching %s", dst$events));
-		request_remote_events(p, dst$events);
-		}
-
-	if ( dst?$capture_filter )
-		{
-		local filter = dst$capture_filter;
-		if ( filter == "" )
-			filter = default_pcap_filter;
-
-		do_script_log(p, fmt("sending capture_filter: %s", filter));
-		send_capture_filter(p, filter);
-		}
-
-	if ( dst$accept_input )
-		{
-		do_script_log(p, "accepting state");
-		set_accept_state(p, T);
-		}
-
-	set_compression_level(p, dst$compression);
-
-	if ( dst$sync )
-		{
-		do_script_log(p, "requesting synchronized state");
-		request_remote_sync(p, dst$auth);
-		}
-
-	dst$peer = p;
-	dst$connected = T;
-	connected_peers[p$id] = dst;
-	}
-
-event remote_connection_established(p: event_peer)
-	{
-	if ( is_remote_event() )
-		return;
-
-	do_script_log(p, "connection established");
-
-	if ( p$id in pending_peers )
-		{
-		# We issued the connect.
-		local dst = pending_peers[p$id];
-		setup_peer(p, dst);
-		delete pending_peers[p$id];
-		}
-	else
-		{ # The other side connected to us.
-		local found = F;
-		for ( i in destinations )
-			{
-			dst = destinations[i];
-			if ( dst$host == p$host )
-				{
-				local c = 0;
-
-				# See if classes match = either both have
-				# the same class, or neither of them has
-				# a class.
-				if ( p?$class && p$class != "" )
-					++c;
-
-				if ( dst?$class && dst$class != "" )
-					++c;
-
-				if ( c == 1 ||
-				     (c == 2 && p$class != dst$class) )
-					next;
-
-				found = T;
-				setup_peer(p, dst);
-				break;
-				}
-			}
-
-		if ( ! found )
-			set_compression_level(p, default_compression);
-		}
-
-	complete_handshake(p);
-	}
-
-event remote_connection_closed(p: event_peer)
-	{
-	if ( is_remote_event() )
-		return;
-
-	do_script_log(p, "connection closed");
-
-	if ( p$id in connected_peers )
-		{
-		local dst = connected_peers[p$id];
-		dst$connected = F;
-
-		delete connected_peers[p$id];
-
-		if ( dst$retry != 0secs )
-			# The core will retry.
-			pending_peers[p$id] = dst;
-		}
-	}
-
-event remote_state_inconsistency(operation: string, id: string,
-				expected_old: string, real_old: string)
-	{
-	if ( is_remote_event() )
-		return;
-
-	print rm_log,
-		fmt("%.6f state inconsistency: %s should be %s but is %s before %s",
-			network_time(), id, expected_old, real_old, operation);
-	}
diff --git a/policy/rotate-logs.bro b/policy/rotate-logs.bro
deleted file mode 100644
index 92ab4cf455..0000000000
--- a/policy/rotate-logs.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-# $Id: rotate-logs.bro 4685 2007-07-30 23:50:26Z vern $
-
-module RotateLogs;
-
-export {
-	# Maps file names to postprocessors.
-	global postprocessors: table[string] of string &redef;
-
-	# Default postprocessor.
-	global default_postprocessor = "" &redef;
-
-	# Files which are to be rotated according to log_rotate_interval
-	# and log_max_size, but aren't represented by a file object.
-	global aux_files: set[string] &redef;
-
-	# For aux_files, the time interval in which we check the files' sizes.
-	global aux_check_size_interval = 30 secs &redef;
-
-	# Callback to provide name for rotated file.
-	global build_name: function(info: rotate_info): string &redef;
-
-	# Default naming suffix format.
-	global date_format = "%y-%m-%d_%H.%M.%S" &redef;
-
-	# Whether to rotate files when shutting down.
-	global rotate_on_shutdown = T &redef;
-
-	# If set, postprocessors get this tag as an additional argument.
-	global tag = "" &redef;
-}
-
-# Default rotation is once per hour.
-redef log_rotate_interval = 1 hr;
-
-# There are other variables that are defined in bro.init.  Here are
-# some example of how these might be redefined.
-# redef log_rotate_base_time = "0:00";
-# redef log_max_size = 1e7;
-# redef log_encryption_key = "mybigsecret";
-
-# Given a rotate info record, returns new rotated filename.
-function build_name(info: rotate_info): string
-	{
-	return fmt("%s-%s", info$old_name, strftime(date_format, info$open));
-	}
-
-# Run post-processor on file. If there isn't any postprocessor defined,
-# we move the file to a nicer name.
-function run_pp(info: rotate_info)
-	{
-	local pp = default_postprocessor;
-
-	if ( info$old_name in postprocessors )
-		pp = postprocessors[info$old_name];
-
-	if ( pp != "" )
-		# The date format is hard-coded here to provide a standardized
-		# script interface.
-		system(fmt("%s %s %s %s %s %s %s",
-				pp, info$new_name, info$old_name,
-				strftime("%y-%m-%d_%H.%M.%S", info$open),
-				strftime("%y-%m-%d_%H.%M.%S", info$close),
-				bro_is_terminating() ? "1" : "0",
-				tag));
-	else
-		system(fmt("/bin/mv %s %s %s",
-				info$new_name, build_name(info), tag));
-	}
-
-# Rotate file.
-function rotate(f: file)
-	{
-	local info = rotate_file(f);
-	if ( info$old_name == "" )
-		# Error.
-		return;
-
-	run_pp(info);
-	}
-
-# Rotate file, but only if we know the name.
-function rotate_by_name(f: string)
-	{
-	local info = rotate_file_by_name(f);
-	if ( info$old_name == "" )
-		# Error.
-		return;
-
-	run_pp(info);
-	}
-
-function make_nice_timestamp(i: interval) : time
-	{
-	# To get nice timestamps, we round the time up to
-	# the next multiple of the rotation interval.
-
-	local nt = time_to_double(network_time());
-	local ri = interval_to_double(i);
-
-	return double_to_time(floor(nt / ri) * ri + ri);
-	}
-
-# Raised when a &rotate_interval expires.
-event rotate_interval(f: file)
-	{
-	if ( bro_is_terminating() && ! rotate_on_shutdown )
-		return;
-
-	rotate(f);
-	}
-
-# Raised when a &rotate_size is reached.
-event rotate_size(f: file)
-	{
-	rotate(f);
-	}
-
-# Raised for aux_files when log_rotate_inverval expires.
-
-global first_aux_rotate_interval = T;
-
-event aux_rotate_interval()
-	{
-	if ( bro_is_terminating() && ! rotate_on_shutdown )
-		return;
-
-	if ( ! first_aux_rotate_interval )
-		for ( f in aux_files )
-			rotate_by_name(f);
-
-	first_aux_rotate_interval = F;
-
-	if ( ! bro_is_terminating() )
-		schedule calc_next_rotate(log_rotate_interval)
-			{ aux_rotate_interval() };
-	}
-
-# Regularly raised to check aux_files' sizes.
-event aux_check_size()
-	{
-	for ( f in aux_files )
-		if ( file_size(f) > log_max_size )
-			rotate_by_name(f);
-
-	if ( ! bro_is_terminating() )
-		schedule aux_check_size_interval { aux_check_size() };
-	}
-
-event bro_init()
-	{
-	if ( length(aux_files) != 0 )
-		{
-		if ( log_rotate_interval != 0 secs )
-			schedule calc_next_rotate(log_rotate_interval)
-				{ aux_rotate_interval() };
-
-		if ( log_max_size != 0 )
-			schedule aux_check_size_interval { aux_check_size() };
-		}
-	}
diff --git a/policy/rsh.bro b/policy/rsh.bro
deleted file mode 100644
index 933d765dc7..0000000000
--- a/policy/rsh.bro
+++ /dev/null
@@ -1,105 +0,0 @@
-# $Id: rsh.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load conn
-@load login
-
-module RSH;
-
-export {
-	redef enum Notice += {
-	# RSH client username and server username differ.
-		DifferentRSH_Usernames,
-
-		# Attempt to authenticate via RSH failed.
-		FailedRSH_Authentication,
-
-		# RSH session appears to be interactive - multiple lines of
-		# user commands.
-		InteractiveRSH,
-
-		SensitiveRSH_Input,
-		SensitiveRSH_Output,
-	};
-
-	const failure_msgs =
-		  /^Permission denied/
-		| /Login failed/
-	&redef;
-}
-
-redef capture_filters += { ["rsh"] = "tcp port 514" };
-
-global rsh_ports = { 514/tcp } &redef;
-redef dpd_config += { [ANALYZER_RSH] = [$ports = rsh_ports] };
-
-type rsh_session_info: record {
-        client_user: string;
-        server_user: string;
-	initial_cmd: string;
-        output_line: count;     # number of lines seen
-};
-
-global rsh_sessions: table[conn_id] of rsh_session_info;
-
-function new_rsh_session(c: connection, client_user: string,
-			 server_user: string, line: string)
-	{
-	if ( c$id in rsh_sessions )
-		delete rsh_sessions[c$id];
-
-	local s: rsh_session_info;
-	s$client_user = client_user;
-	s$server_user = server_user;
-	s$initial_cmd = line;
-        s$output_line = 0;
-
-	rsh_sessions[c$id] = s;
-	}
-
-event rsh_request(c: connection, client_user: string, server_user: string,
-		  line: string, new_session: bool)
-	{
-	local id = c$id;
-
-	local BS_line = edit(line, Login::BS);
-      	local DEL_line = edit(line, Login::DEL);
-
-	if ( new_session )
-		{
-		new_rsh_session(c, client_user, server_user, line);
-
-		if ( client_user != server_user )
-			NOTICE([$note=DifferentRSH_Usernames, $conn=c,
-				$msg=fmt("differing client/server usernames (%s/%s)",
-					client_user, server_user),
-				$sub=client_user, $user=server_user]);
-		}
-
-	local s = rsh_sessions[c$id];
-	if ( s$output_line > 0 )
-		NOTICE([$note=InteractiveRSH, $conn=c,
-			$msg="interactive RSH session, input following output",
-			$sub=s$client_user, $user=s$server_user]);
-
-	if ( Login::input_trouble in line ||
-	     Login::input_trouble in BS_line ||
-	     Login::input_trouble in DEL_line ||
-	     line == Login::full_input_trouble )
-		NOTICE([$note=SensitiveRSH_Input, $conn=c,
-			$msg=line, $sub=s$client_user, $user=s$server_user]);
-	}
-
-event rsh_reply(c: connection, client_user: string, server_user: string,
-		line: string)
-	{
-	local s = rsh_sessions[c$id];
-
-        if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
-		NOTICE([$note=FailedRSH_Authentication, $conn=c,
-			$msg=line, $sub=s$client_user, $user=s$server_user]);
-
-	if ( Login::output_trouble in line ||
-	     line == Login::full_output_trouble )
-		NOTICE([$note=SensitiveRSH_Output, $conn=c,
-			$msg=line, $sub=s$client_user, $user=s$server_user]);
-	}
diff --git a/policy/save-peer-status.bro b/policy/save-peer-status.bro
deleted file mode 100644
index 26481bc093..0000000000
--- a/policy/save-peer-status.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id$
-#
-# Writes a summary of our peer's status into a file.
-
-@load peer-status
-
-event PeerStatus::update(status: PeerStatus::peer_status) &priority = -5
-	{
-	local f = open_log_file("peer_status");
-
-	for ( id in PeerStatus::peers )
-		{
-		local stat = PeerStatus::peers[id];
-		local host: string;
-
-		if ( id != 0 )
-			{
-			if ( id !in Remote::connected_peers )
-				next;
-
-			host = Remote::connected_peers[id]$peer$descr;
-			}
-		else
-			host = get_local_event_peer()$descr;
-
-		print f, fmt("%18s %s%s %D %D %02.0f%% %4dM #%d %dK/%dK/%dK (%.1f%%)",
-			host, stat$res$version, stat$res$debug ? "-DEBUG" : "",
-			stat$res$start_time, stat$current_time, stat$cpu,
-			stat$res$mem / 1024 / 1024,
-			stat$res$num_TCP_conns + stat$res$num_UDP_conns + stat$res$num_ICMP_conns,
-			stat$stats$pkts_dropped / 1024,
-			stat$stats$pkts_recvd / 1024,
-			stat$stats$pkts_link / 1024,
-			100.0 * stat$stats$pkts_dropped / (stat$stats$pkts_dropped + stat$stats$pkts_recvd));
-		}
-
-	print f, "###";
-
-#	for ( id in PeerStatus::peers )
-#		{
-#		stat = PeerStatus::peers[id];
-#
-#		if ( id != 0 )
-#			host = Remote::connected_peers[id]$peer$descr;
-#		else
-#			host = get_local_event_peer()$descr;
-#
-#		print f, fmt("%10s %s", host, stat$default_filter);
-#		print f;
-#		}
-
-	close(f);
-	}
diff --git a/policy/scan.bro b/policy/scan.bro
deleted file mode 100644
index c1e956125b..0000000000
--- a/policy/scan.bro
+++ /dev/null
@@ -1,706 +0,0 @@
-# $Id: scan.bro 7073 2010-09-13 00:45:02Z vern $
-
-@load conn
-@load notice
-@load port-name
-@load hot
-@load drop
-@load trw-impl
-
-module Scan;
-
-export {
-	redef enum Notice += {
-		PortScan,	# the source has scanned a number of ports
-		AddressScan,	# the source has scanned a number of addrs
-		BackscatterSeen,
-			# apparent flooding backscatter seen from source
-
-		ScanSummary,	# summary of scanning activity
-		PortScanSummary,	# summary of distinct ports per scanner
-		LowPortScanSummary, # summary of distinct low ports per scanner
-
-		PasswordGuessing, # source tried many user/password combinations
-		SuccessfulPasswordGuessing,	# same, but a login succeeded
-
-		Landmine,	# source touched a landmine destination
-		ShutdownThresh,	# source reached shut_down_thresh
-		LowPortTrolling,	# source touched privileged ports
-	};
-
-	# If true, we suppress scan-checking (we still do account-tried
-	# accounting).  This is provided because scan-checking can consume
-	# a lot of memory.
-	const suppress_scan_checks = F &redef;
-
-	# Whether to consider UDP "connections" for scan detection.
-	# Can lead to false positives due to UDP fanout from some P2P apps.
-	const suppress_UDP_scan_checks = F &redef;
-
-	const activate_priv_port_check = T &redef;
-	const activate_landmine_check = F &redef;
-	const landmine_thresh_trigger = 5 &redef;
-
-	const landmine_address: set[addr] &redef;
-
-	const scan_summary_trigger = 25 &redef;
-	const port_summary_trigger = 20 &redef;
-	const lowport_summary_trigger = 10 &redef;
-
-	# Raise ShutdownThresh after this many failed attempts
-	const shut_down_thresh = 100 &redef;
-
-	# Which services should be analyzed when detecting scanning
-	# (not consulted if analyze_all_services is set).
-	const analyze_services: set[port] &redef;
-	const analyze_all_services = T &redef;
-
-	# Track address scaners only if at least these many hosts contacted.
-	const addr_scan_trigger = 0 &redef;
-
-	# Ignore address scanners for further scan detection after
-	# scanning this many hosts.
-	# 0 disables.
-	const ignore_scanners_threshold = 0 &redef;
-
-	# Report a scan of peers at each of these points.
-	const report_peer_scan: vector of count = {
-		20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000,
-	} &redef;
-
-	const report_outbound_peer_scan: vector of count = {
-		100, 1000, 10000,
-	} &redef;
-
-	# Report a scan of ports at each of these points.
-	const report_port_scan: vector of count = {
-		50, 250, 1000, 5000, 10000, 25000, 65000,
-	} &redef;
-
-	# Once a source has scanned this many different ports (to however many
-	# different remote hosts), start tracking its per-destination access.
-	const possible_port_scan_thresh = 20 &redef;
-
-	# Threshold for scanning privileged ports.
-	const priv_scan_trigger = 5 &redef;
-	const troll_skip_service = {
-		smtp, ftp, ssh, 20/tcp, http,
-	} &redef;
-
-	const report_accounts_tried: vector of count = {
-		20, 100, 1000, 10000, 100000, 1000000,
-	} &redef;
-
-	const report_remote_accounts_tried: vector of count = {
-		100, 500,
-	} &redef;
-
-	# Report a successful password guessing if the source attempted
-	# at least this many.
-	const password_guessing_success_threshhold = 20 &redef;
-
-	const skip_accounts_tried: set[addr] &redef;
-
-	const addl_web = {
-		81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, }
-	&redef;
-
-	const skip_services = { ident, } &redef;
-	const skip_outbound_services = { Hot::allow_services, ftp, addl_web, }
-		&redef;
-
-	const skip_scan_sources = {
-		255.255.255.255,	# who knows why we see these, but we do
-
-		# AltaVista.  Here just as an example of what sort of things
-		# you might list.
-		test-scooter.av.pa-x.dec.com,
-	} &redef;
-
-	const skip_scan_nets: set[subnet] = {} &redef;
-
-	# List of well known local server/ports to exclude for scanning
-	# purposes.
-	const skip_dest_server_ports: set[addr, port] = {} &redef;
-
-	# Reverse (SYN-ack) scans seen from these ports are considered
-	# to reflect possible SYN-flooding backscatter, and not true
-	# (stealth) scans.
-	const backscatter_ports = {
-		http, 53/tcp, 53/udp, bgp, 6666/tcp, 6667/tcp,
-	} &redef;
-
-	const report_backscatter: vector of count = {
-		20,
-	} &redef;
-
-	global check_scan:
-		function(c: connection, established: bool, reverse: bool): bool;
-
-	# The following tables are defined here so that we can redef
-	# the expire timeouts.
-	# FIXME: should we allow redef of attributes on IDs which
-	# are not exported?
-
-	# How many different hosts connected to with a possible
-	# backscatter signature.
-	global distinct_backscatter_peers: table[addr] of table[addr] of count
-		&read_expire = 15 min;
-
-	# Expire functions that trigger summaries.
-	global scan_summary:
-		function(t: table[addr] of set[addr], orig: addr): interval;
-	global port_summary:
-		function(t: table[addr] of set[port], orig: addr): interval;
-	global lowport_summary:
-		function(t: table[addr] of set[port], orig: addr): interval;
-
-	# Indexed by scanner address, yields # distinct peers scanned.
-	# pre_distinct_peers tracks until addr_scan_trigger hosts first.
-	global pre_distinct_peers: table[addr] of set[addr]
-		&read_expire = 15 mins &redef;
-
-	global distinct_peers: table[addr] of set[addr]
-		&read_expire = 15 mins &expire_func=scan_summary &redef;
-	global distinct_ports: table[addr] of set[port]
-		&read_expire = 15 mins &expire_func=port_summary &redef;
-	global distinct_low_ports: table[addr] of set[port]
-		&read_expire = 15 mins &expire_func=lowport_summary &redef;
-
-	# Indexed by scanner address, yields a table with scanned hosts
-	# (and ports).
-	global scan_triples: table[addr] of table[addr] of set[port];
-
-	global remove_possible_source:
-		function(s: set[addr], idx: addr): interval;
-	global possible_scan_sources: set[addr]
-		&expire_func=remove_possible_source &read_expire = 15 mins;
-
-	# Indexed by source address, yields user name & password tried.
-	global accounts_tried: table[addr] of set[string, string]
-		&read_expire = 1 days;
-
-	global ignored_scanners: set[addr] &create_expire = 1 day &redef;
-
-	# These tables track whether a threshold has been reached.
-	# More precisely, the counter is the next index of threshold vector.
-	global shut_down_thresh_reached: table[addr] of bool &default=F;
-	global rb_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
-	global rps_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
-	global rops_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
-	global rpts_idx: table[addr,addr] of count
-			&default=1 &read_expire = 1 days &redef;
-	global rat_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
-	global rrat_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
-}
-
-global thresh_check: function(v: vector of count, idx: table[addr] of count,
-				orig: addr, n: count): bool;
-global thresh_check_2: function(v: vector of count,
-				idx: table[addr,addr] of count, orig: addr,
-				resp: addr, n: count): bool;
-
-function scan_summary(t: table[addr] of set[addr], orig: addr): interval
-	{
-	local num_distinct_peers = orig in t ? |t[orig]| : 0;
-
-	if ( num_distinct_peers >= scan_summary_trigger )
-		NOTICE([$note=ScanSummary, $src=orig, $n=num_distinct_peers,
-			$msg=fmt("%s scanned a total of %d hosts",
-					orig, num_distinct_peers)]);
-
-	return 0 secs;
-	}
-
-function port_summary(t: table[addr] of set[port], orig: addr): interval
-	{
-	local num_distinct_ports = orig in t ? |t[orig]| : 0;
-
-	if ( num_distinct_ports >= port_summary_trigger )
-		NOTICE([$note=PortScanSummary, $src=orig, $n=num_distinct_ports,
-			$msg=fmt("%s scanned a total of %d ports",
-					orig, num_distinct_ports)]);
-
-	return 0 secs;
-	}
-
-function lowport_summary(t: table[addr] of set[port], orig: addr): interval
-	{
-	local num_distinct_lowports = orig in t ? |t[orig]| : 0;
-
-	if ( num_distinct_lowports >= lowport_summary_trigger )
-		NOTICE([$note=LowPortScanSummary, $src=orig,
-			$n=num_distinct_lowports,
-			$msg=fmt("%s scanned a total of %d low ports",
-					orig, num_distinct_lowports)]);
-
-	return 0 secs;
-	}
-
-function clear_addr(a: addr)
-	{
-	delete distinct_peers[a];
-	delete distinct_ports[a];
-	delete distinct_low_ports[a];
-	delete scan_triples[a];
-	delete possible_scan_sources[a];
-	delete distinct_backscatter_peers[a];
-	delete pre_distinct_peers[a];
-	delete rb_idx[a];
-	delete rps_idx[a];
-	delete rops_idx[a];
-	delete rat_idx[a];
-	delete rrat_idx[a];
-	delete shut_down_thresh_reached[a];
-	delete ignored_scanners[a];
-	}
-
-function ignore_addr(a: addr)
-	{
-	clear_addr(a);
-	add ignored_scanners[a];
-	}
-
-function check_scan(c: connection, established: bool, reverse: bool): bool
-	{
-	if ( suppress_scan_checks )
-		return F;
-
-	local id = c$id;
-
-	local service = "ftp-data" in c$service ? 20/tcp
-			: (reverse ? id$orig_p : id$resp_p);
-	local rev_service = reverse ? id$resp_p : id$orig_p;
-	local orig = reverse ? id$resp_h : id$orig_h;
-	local resp = reverse ? id$orig_h : id$resp_h;
-	local outbound = is_local_addr(orig);
-
-	# The following works better than using get_conn_transport_proto()
-	# because c might not correspond to an active connection (which
-	# causes the function to fail).
-	if ( suppress_UDP_scan_checks &&
-	     service >= 0/udp && service <= 65535/udp )
-		return F;
-
-	if ( service in skip_services && ! outbound )
-		return F;
-
-	if ( outbound && service in skip_outbound_services )
-		return F;
-
-	if ( orig in skip_scan_sources )
-		return F;
-
-	if ( orig in skip_scan_nets )
-		return F;
-
-	# Don't include well known server/ports for scanning purposes.
-	if ( ! outbound && [resp, service] in skip_dest_server_ports )
-		return F;
-
-	if ( orig in ignored_scanners)
-		return F;
-
-	if ( (! established || service !in Hot::allow_services) &&
-		# not established, service not expressly allowed
-
-		# not known peer set
-	     (orig !in distinct_peers || resp !in distinct_peers[orig]) &&
-
-		# want to consider service for scan detection
-	     (analyze_all_services || service in analyze_services) )
-		{
-		if ( reverse && rev_service in backscatter_ports &&
-		     # reverse, non-priv backscatter port
-		     service >= 1024/tcp )
-			{
-			if ( orig !in distinct_backscatter_peers )
-				{
-				local empty_bs_table:
-					table[addr] of count &default=0;
-				distinct_backscatter_peers[orig] =
-					empty_bs_table;
-				}
-
-			if ( ++distinct_backscatter_peers[orig][resp] <= 2 &&
-			     # The test is <= 2 because we get two check_scan()
-			     # calls, once on connection attempt and once on
-			     # tear-down.
-
-			     distinct_backscatter_peers[orig][resp] == 1 &&
-
-			     # Looks like backscatter, and it's not scanning
-			     # a privileged port.
-
-			     thresh_check(report_backscatter, rb_idx, orig,
-					|distinct_backscatter_peers[orig]|)
-			   )
-				{
-				local rev_svc = rev_service in port_names ?
-					port_names[rev_service] :
-					fmt("%s", rev_service);
-
-				NOTICE([$note=BackscatterSeen, $src=orig,
-					$p=rev_service,
-					$msg=fmt("backscatter seen from %s (%d hosts; %s)",
-						orig, |distinct_backscatter_peers[orig]|, rev_svc)]);
-				}
-
-			if ( ignore_scanners_threshold > 0 &&
-			     |distinct_backscatter_peers[orig]| >
-					ignore_scanners_threshold )
-				ignore_addr(orig);
-			}
-
-		else
-			{ # done with backscatter check
-			local ignore = F;
-
-			local svc = service in port_names ?
-				port_names[service] : fmt("%s", service);
-
-			if ( orig !in distinct_peers && addr_scan_trigger > 0 )
-				{
-				if ( orig !in pre_distinct_peers )
-					pre_distinct_peers[orig] = set();
-
-				add pre_distinct_peers[orig][resp];
-				if ( |pre_distinct_peers[orig]| < addr_scan_trigger )
-					ignore = T;
-				}
-
-			if ( ! ignore )
-				{ # XXXXX
-
-				if ( orig !in distinct_peers )
-					distinct_peers[orig] = set() &mergeable;
-
-				if ( resp !in distinct_peers[orig] )
-					add distinct_peers[orig][resp];
-
-				local n = |distinct_peers[orig]|;
-
-				if ( activate_landmine_check &&
-				     n >= landmine_thresh_trigger &&
-				     mask_addr(resp, 24) in landmine_address )
-					{
-					local msg2 = fmt("landmine address trigger %s%s ", orig, svc);
-					NOTICE([$note=Landmine, $src=orig,
-						$p=service, $msg=msg2]);
-					}
-
-				# Check for threshold if not outbound.
-				if ( ! shut_down_thresh_reached[orig] &&
-				     n >= shut_down_thresh &&
-				     ! outbound && orig !in neighbor_nets )
-					{
-					shut_down_thresh_reached[orig] = T;
-					local msg = fmt("shutdown threshold reached for %s", orig);
-					NOTICE([$note=ShutdownThresh, $src=orig,
-						$p=service, $msg=msg]);
-					}
-
-				else
-					{
-					local address_scan = F;
-					if ( outbound &&
-					     # inside host scanning out?
-					     thresh_check(report_outbound_peer_scan, rops_idx, orig, n) )
-						address_scan = T;
-
-					if ( ! outbound &&
-					     thresh_check(report_peer_scan, rps_idx, orig, n) )
-						address_scan = T;
-
-					if ( address_scan )
-						NOTICE([$note=AddressScan,
-							$src=orig, $p=service,
-							$n=n,
-							$msg=fmt("%s has scanned %d hosts (%s)",
-								orig, n, svc)]);
-
-					if ( address_scan &&
-					     ignore_scanners_threshold > 0 &&
-					     n > ignore_scanners_threshold )
-						ignore_addr(orig);
-					}
-				}
-			} # XXXX
-		}
-
-	if ( established )
-		# Don't consider established connections for port scanning,
-		# it's too easy to be mislead by FTP-like applications that
-		# legitimately gobble their way through the port space.
-		return F;
-
-	# Coarse search for port-scanning candidates: those that have made
-	# connections (attempts) to possible_port_scan_thresh or more
-	# distinct ports.
-	if ( orig !in distinct_ports || service !in distinct_ports[orig] )
-		{
-		if ( orig !in distinct_ports )
-			distinct_ports[orig] = set() &mergeable;
-
-		if ( service !in distinct_ports[orig] )
-			add distinct_ports[orig][service];
-
-		if ( |distinct_ports[orig]| >= possible_port_scan_thresh &&
-			orig !in scan_triples )
-			{
-			scan_triples[orig] = table() &mergeable;
-			add possible_scan_sources[orig];
-			}
-		}
-
-	# Check for low ports.
-	if ( activate_priv_port_check && ! outbound && service < 1024/tcp &&
-	     service !in troll_skip_service )
-		{
-		if ( orig !in distinct_low_ports ||
-		     service !in distinct_low_ports[orig] )
-			{
-			if ( orig !in distinct_low_ports )
-				distinct_low_ports[orig] = set() &mergeable;
-
-			add distinct_low_ports[orig][service];
-
-			if ( |distinct_low_ports[orig]| == priv_scan_trigger &&
-			     orig !in neighbor_nets )
-				{
-				local s = service in port_names ? port_names[service] :
-						fmt("%s", service);
-				local svrc_msg = fmt("low port trolling %s %s", orig, s);
-				NOTICE([$note=LowPortTrolling, $src=orig,
-					$p=service, $msg=svrc_msg]);
-				}
-
-			if ( ignore_scanners_threshold > 0 &&
-			     |distinct_low_ports[orig]| >
-					ignore_scanners_threshold )
-				ignore_addr(orig);
-			}
-		}
-
-	# For sources that have been identified as possible scan sources,
-	# keep track of per-host scanning.
-	if ( orig in possible_scan_sources )
-		{
-		if ( orig !in scan_triples )
-			scan_triples[orig] = table() &mergeable;
-
-		if ( resp !in scan_triples[orig] )
-			scan_triples[orig][resp] = set() &mergeable;
-
-		if ( service !in scan_triples[orig][resp] )
-			{
-			add scan_triples[orig][resp][service];
-
-			if ( thresh_check_2(report_port_scan, rpts_idx,
-					    orig, resp,
-					    |scan_triples[orig][resp]|) )
-				{
-				local m = |scan_triples[orig][resp]|;
-				NOTICE([$note=PortScan, $n=m, $src=orig,
-					$p=service,
-					$msg=fmt("%s has scanned %d ports of %s",
-					orig, m, resp)]);
-				}
-			}
-		}
-
-	return T;
-	}
-
-
-event account_tried(c: connection, user: string, passwd: string)
-	{
-	local src = c$id$orig_h;
-
-	if ( src !in accounts_tried )
-		accounts_tried[src] = set();
-
-	if ( [user, passwd] in accounts_tried[src] )
-		return;
-
-	local threshold_check = F;
-
-	if ( is_local_addr(src) )
-		{
-		if ( thresh_check(report_remote_accounts_tried, rrat_idx, src,
-					|accounts_tried[src]|) )
-			threshold_check = T;
-		}
-	else
-		{
-		if ( thresh_check(report_accounts_tried, rat_idx, src,
-					|accounts_tried[src]|) )
-			 threshold_check = T;
-		}
-
-	if ( threshold_check && src !in skip_accounts_tried )
-		{
-		local m = |accounts_tried[src]|;
-		NOTICE([$note=PasswordGuessing, $src=src, $n=m,
-			$user=user, $sub=passwd, $p=c$id$resp_p,
-			$msg=fmt("%s has tried %d username/password combinations (latest: %s@%s)",
-				src, m,	user, c$id$resp_h)]);
-		}
-
-	add accounts_tried[src][user, passwd];
-	}
-
-# Check for a successful login attempt from a scan.
-event login_successful(c: connection, user: string)
-	{
-	local id = c$id;
-	local src = id$orig_h;
-
-	if ( src in accounts_tried &&
-	     |accounts_tried[src]| >= password_guessing_success_threshhold )
-		NOTICE([$note=SuccessfulPasswordGuessing, $src=src, $conn=c,
-			$msg=fmt("%s successfully logged in user '%s' after trying %d username/password combinations",
-				src, user, |accounts_tried[src]|)]);
-	}
-
-
-# Hook into the catch&release dropping. When an address gets restored, we reset
-# the source to allow dropping it again.
-event Drop::address_restored(a: addr)
-	{
-	Drop::debug_log(fmt("received restored for %s (scan.bro)", a));
-	clear_addr(a);
-	}
-
-event Drop::address_cleared(a: addr)
-	{
-	Drop::debug_log(fmt("received cleared for %s (scan.bro)", a));
-	clear_addr(a);
-	}
-
-# When removing a possible scan source, we automatically delete its scanned
-# hosts and ports.  But we do not want the deletion propagated, because every
-# peer calls the expire_function on its own (and thus applies the delete
-# operation on its own table).
-function remove_possible_source(s: set[addr], idx: addr): interval
-	{
-	suspend_state_updates();
-	delete scan_triples[idx];
-	resume_state_updates();
-
-	return 0 secs;
-	}
-
-# To recognize whether a certain threshhold vector (e.g. report_peer_scans)
-# has been transgressed, a global variable containing the next vector index
-# (idx) must be incremented.  This cumbersome mechanism is necessary because
-# values naturally don't increment by one (e.g. replayed table merges).
-function thresh_check(v: vector of count, idx: table[addr] of count,
-			orig: addr, n: count): bool
-	{
-	if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
-		{
-		ignore_addr(orig);
-		return F;
-		}
-
-	if ( idx[orig] <= |v| && n >= v[idx[orig]] )
-		{
-		++idx[orig];
-		return T;
-		}
-	else
-		return F;
-	}
-
-# Same as above, except the index has a different type signature.
-function thresh_check_2(v: vector of count, idx: table[addr, addr] of count,
-			orig: addr, resp: addr, n: count): bool
-	{
-	if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
-		{
-		ignore_addr(orig);
-		return F;
-		}
-
-	if ( idx[orig,resp] <= |v| && n >= v[idx[orig, resp]] )
-		{
-		++idx[orig,resp];
-		return T;
-		}
-	else
-		return F;
-	}
-
-event connection_established(c: connection)
-	{
-	local is_reverse_scan = (c$orig$state == TCP_INACTIVE);
-	Scan::check_scan(c, T, is_reverse_scan);
-
-	local trans = get_port_transport_proto(c$id$orig_p);
-	if ( trans == tcp && ! is_reverse_scan && TRW::use_TRW_algorithm )
-		TRW::check_TRW_scan(c, conn_state(c, trans), F);
-	}
-
-event partial_connection(c: connection)
-	{
-	Scan::check_scan(c, T, F);
-	}
-
-event connection_attempt(c: connection)
-	{
-	Scan::check_scan(c, F, c$orig$state == TCP_INACTIVE);
-
-	local trans = get_port_transport_proto(c$id$orig_p);
-	if ( trans == tcp && TRW::use_TRW_algorithm )
-		TRW::check_TRW_scan(c, conn_state(c, trans), F);
-	}
-
-event connection_half_finished(c: connection)
-	{
-	# Half connections never were "established", so do scan-checking here.
-	Scan::check_scan(c, F, F);
-	}
-
-event connection_rejected(c: connection)
-	{
-	local is_reverse_scan = c$orig$state == TCP_RESET;
-
-	Scan::check_scan(c, F, is_reverse_scan);
-
-	local trans = get_port_transport_proto(c$id$orig_p);
-	if ( trans == tcp && TRW::use_TRW_algorithm )
-		TRW::check_TRW_scan(c, conn_state(c, trans), is_reverse_scan);
-	}
-
-event connection_reset(c: connection)
-	{
-	if ( c$orig$state == TCP_INACTIVE || c$resp$state == TCP_INACTIVE )
-		# We never heard from one side - that looks like a scan.
-		Scan::check_scan(c, c$orig$size + c$resp$size > 0,
-				c$orig$state == TCP_INACTIVE);
-	}
-
-event connection_pending(c: connection)
-	{
-	if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
-		Scan::check_scan(c, F, F);
-	}
-
-# Report the remaining entries in the tables.
-event bro_done()
-	{
-	for ( orig in distinct_peers )
-		scan_summary(distinct_peers, orig);
-
-	for ( orig in distinct_ports )
-		port_summary(distinct_ports, orig);
-
-	for ( orig in distinct_low_ports )
-		lowport_summary(distinct_low_ports, orig);
-	}
diff --git a/policy/secondary-filter.bro b/policy/secondary-filter.bro
deleted file mode 100644
index 025e450225..0000000000
--- a/policy/secondary-filter.bro
+++ /dev/null
@@ -1,44 +0,0 @@
-# $Id: secondary-filter.bro 6022 2008-07-25 19:15:00Z vern $
-
-# Examples of using the secondary-filter matching path.
-
-event rst_syn_fin_flag(filter: string, pkt: pkt_hdr)
-	{
-	print "rst_syn_fin_flag()";
-	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
-			pkt$ip$dst, pkt$tcp$dport);
-	}
-
-event a_udp_event(filter: string, pkt: pkt_hdr)
-	{
-	print "a_udp_event()";
-	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$udp$sport,
-			pkt$ip$dst, pkt$udp$dport);
-	}
-
-event a_tcp_event(filter: string, pkt: pkt_hdr)
-	{
-	print "a_tcp_event()";
-	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
-			pkt$ip$dst, pkt$tcp$dport);
-	}
-
-event sampled_1_in_1024_packet(filter: string, pkt: pkt_hdr)
-	{
-	print "sampled packet:";
-	print "ip", pkt$ip;
-
-	if ( pkt?$tcp )
-		print "tcp", pkt$tcp;
-	if ( pkt?$udp )
-		print "udp", pkt$udp;
-	if ( pkt?$icmp )
-		print "icmp", pkt$icmp;
-	}
-
-redef secondary_filters += {
-	["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
-	["udp"] = a_udp_event,
-	["tcp"] = a_tcp_event,
-	["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
-};
diff --git a/policy/sensor-sshd.bro b/policy/sensor-sshd.bro
deleted file mode 100644
index 060f0cef68..0000000000
--- a/policy/sensor-sshd.bro
+++ /dev/null
@@ -1,276 +0,0 @@
-# $Id: sensor-sshd.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# sshd sensor input, i.e., events received from instrumented SSH servers
-# that communicate with Bro via the Broccoli library.
-
-# We leverage the login analyzer:
-@load login
-@load remote
-
-# To prevent requesting sshd events from any peering Bro that connects,
-# here is a list of our sshds. List the IP addresses of the hosts your
-# sshds are running on here:
-#
-redef Remote::destinations += {
-	["sshd1"] = [$host = 127.0.0.1, $events = /sensor_sshd.*/, $connect=F, $ssl=F]
-};
-
-# A big log file for all kinds of notes:
-#
-global sshd_log: file = open_log_file("sshd");
-
-# A record gathering everything we need to know per connection
-# from an ssh client to the sshd:
-#
-type sshd_conn: record {
-
-	# Connection record we create for connections to sshd
-	conn: connection;
-
-	# A table indexed by channel numbers, yielding files.
-	# For each channel that contains a shell session this
-	# table contains a file to which the session content is
-	# logged.
-	sessions: table[count] of file;
-};
-
-# To avoid reporting IP/port quadruples repeatedly, connections in
-# sshd are identified through a globally unique identifier for the
-# sshd server (a string) plus an numerical identifier for each
-# connection to that sshd.
-#
-global sshd_conns: table[string, count] of sshd_conn;
-
-
-function sshd_conn_new(src_ip: addr, src_p: port,
-		       dst_ip: addr, dst_p: port,
-		       ts: time): sshd_conn
-	{
-	local id: conn_id;
-	id$orig_h = src_ip;
-	id$orig_p = src_p;
-	id$resp_h = dst_ip;
-	id$resp_p = dst_p;
-
-	local orig: endpoint;
-	local resp: endpoint;
-	orig$size = resp$size = 0;
-	orig$state = resp$state = 0;
-
-	local c: connection;
-	c$id = id;
-	c$orig = orig;
-	c$resp = resp;
-	c$start_time = ts;
-	c$duration = 0 sec;
-
-	# We mark this connection so the login analyzer can
-	# understand that it is a login session.
-	add c$service["ssh-login"];
-
-	c$addl = "";
-	c$hot = 0;
-
-	local sc: sshd_conn;
-	sc$conn	= c;
-
-	return sc;
-	}
-
-
-event sensor_sshd_listen(ts: time, sid: string,
-			 server_ip: addr, server_p: port)
-	{
-	print sshd_log, fmt("[%D][%s:%s] sshd listening at %s:%d",
-			    ts, get_event_peer()$host, sid, server_ip, server_p);
-	}
-
-
-event sensor_sshd_restart(ts: time, sid: string)
-	{
-	print sshd_log, fmt("[%D][%s:%s] sshd %s restarted",
-			    ts, get_event_peer()$host, sid, sid);
-	}
-
-
-event sensor_sshd_exit(ts: time, sid: string)
-	{
-	print sshd_log, fmt("[%D][%s:%s] sshd %s exiting",
-			    ts, get_event_peer()$host, sid, sid);
-	}
-
-
-event sensor_sshd_conn_new(ts: time, sid: string, cid: count,
-			   src_ip: addr, src_p: port,
-			   dst_ip: addr, dst_p: port)
-	{
-	local sc = sshd_conn_new(src_ip, src_p, dst_ip, dst_p, ts);
-	sshd_conns[sid, cid] = sc;
-	print sshd_log, fmt("[%D][%s:%s:%d] conn attempt from %s:%d to %s:%d",
-			    ts, get_event_peer()$host, sid, cid, src_ip, sc$conn$id$orig_p,
-			    dst_ip, sc$conn$id$resp_p);
-
-	Login::new_login_session(sc$conn, get_event_peer()$id, 0);
-	}
-
-
-event sensor_sshd_conn_end(ts: time, sid: string, cid: count)
-	{
-	local pid = get_event_peer()$id;
-	local sc = sshd_conns[sid, cid];
-
-	print sshd_log, fmt("[%D][%s:%s:%d] conn terminated",
-		            ts, get_event_peer()$host, sid, cid);
-
-	Login::remove_login_session(sc$conn, pid);
-	delete sshd_conns[sid, cid];
-	}
-
-
-event sensor_sshd_auth_ok(ts: time, sid: string, cid: count,
-			  user: string, uid: int, gid: int)
-	{
-	local pid = get_event_peer()$id;
-	local sc = sshd_conns[sid, cid];
-	print sshd_log, fmt("[%D][%s:%s:%d] auth ok: %s (%d/%d)",
-			    ts, get_event_peer()$host, sid, cid, user, uid, gid);
-
-	Login::ext_set_login_state(sc$conn$id, pid, LOGIN_STATE_LOGGED_IN);
-	event authentication_accepted(user, sc$conn);
-	}
-
-
-event sensor_sshd_auth_failed(ts: time, sid: string, cid: count, user: string)
-	{
-	local sc = sshd_conns[sid, cid];
-	print sshd_log, fmt("[%D][%s:%s:%d] auth reject: user %s from %s:%d",
-			    ts, get_event_peer()$host, sid, cid, user,
-			    sc$conn$id$orig_h, sc$conn$id$orig_p);
-
-	event authentication_rejected(user, sc$conn);
-	}
-
-
-event sensor_sshd_auth_timeout(ts: time, sid: string, cid: count)
-	{
-	local sc = sshd_conns[sid, cid];
-	print sshd_log, fmt("[%D][%s:%s:%d] auth timeout", ts,
-			    sid, get_event_peer()$host, cid);
-	}
-
-
-event sensor_sshd_auth_password_attempt(ts: time, sid: string, cid: count,
-				        user: string, password: string,
-					valid: bool)
-	{
-	local sc = sshd_conns[sid, cid];
-
-	if ( ! valid )
-		{
-		print sshd_log, fmt("[%D][%s:%s:%d] password bad: user %s, password '%s'",
-				    ts, get_event_peer()$host, sid, cid, user, password);
-		event login_failure(sc$conn, user, "", password, "");
-		}
-	else
-		{
-		print sshd_log, fmt("[%D][%s:%s:%d] password ok: user %s, password '%s'",
-				    ts, get_event_peer()$host, sid, cid, user, password);
-		event login_success(sc$conn, user, "", password, "");
-		}
-	}
-
-
-event sensor_sshd_channel_new_session(ts: time, sid: string, cid: count,
-					chan_id: count, stype: string)
-	{
-	local sc = sshd_conns[sid, cid];
-
-	print sshd_log, fmt("[%D][%s:%s:%d:%d] new session: type %s",
-			    ts, get_event_peer()$host, sid, cid, chan_id, stype);
-
-	if ( stype == "shell" )
-		{
-		local filename =
-			fmt("sshd-%s-%s-%d-%d.log",
-				get_event_peer()$host, sid, cid, chan_id);
-		sc$sessions[chan_id] = open(filename);
-		}
-	}
-
-
-event sensor_sshd_channel_new_forward(ts: time, sid: string,
-				      cid: count, chan_id: count,
-				      src_ip: addr, src_p: port,
-				      dst_ip: addr, dst_p: port,
-				      s2h: bool)
-	{
-	if ( s2h )
-		print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d -> c -> s -> %s:%d",
-				    ts, get_event_peer()$host, sid, cid,
-				    chan_id, src_ip, src_p, dst_ip, dst_p);
-	else
-		print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d <- c <- s <- %s:%d",
-				    ts, get_event_peer()$host, sid, cid,
-				    chan_id, dst_ip, dst_p, src_ip, src_p);
-	}
-
-
-event sensor_sshd_data_rx(ts: time, sid: string, cid: count, chan_id: count,
-			line: string)
-	{
-	local sc = sshd_conns[sid, cid];
-
-	if ( chan_id in sc$sessions )
-		{
-		print sc$sessions[chan_id],
-			fmt("[%D][%s:%s:%d:%d] rx: %s", ts,
-				get_event_peer()$host, sid, cid, chan_id, line);
-		event login_output_line(sc$conn, line);
-		}
-	}
-
-
-event sensor_sshd_data_tx(ts: time, sid: string, cid: count,
-				chan_id: count, line: string)
-	{
-	local sc: sshd_conn = sshd_conns[sid, cid];
-
-	if ( chan_id in sc$sessions )
-		{
-		print sc$sessions[chan_id],
-			fmt("[%D][%s:%s:%d:%d] tx: %s", ts,
-				get_event_peer()$host, sid, cid, chan_id, line);
-		event login_input_line(sc$conn, line);
-		}
-	}
-
-
-event sensor_sshd_exec(ts: time, sid: string, cid: count,
-			chan_id: count, command: string)
-	{
-	print sshd_log,
-		fmt("[%D][%s:%s:%d:%d] exec: '%s'", ts, get_event_peer()$host,
-			sid, cid, chan_id, command);
-	}
-
-
-event sensor_sshd_channel_exit(ts: time, sid: string, cid: count,
-				chan_id: count, status: int)
-	{
-	print sshd_log,
-		fmt("[%D][%s:%s:%d:%d] channel exit, code %d", ts,
-			get_event_peer()$host, sid, cid, chan_id, status);
-	}
-
-
-event sensor_sshd_channel_cleanup(ts: time, sid: string, cid: count,
-					chan_id: count)
-	{
-	local sc: sshd_conn = sshd_conns[sid, cid];
-
-	print sshd_log, fmt("[%D][%s:%s:%d:%d] channel cleanup",
-			    ts, get_event_peer()$host, sid, cid, chan_id);
-
-	if ( chan_id in sc$sessions )
-		delete sc$sessions[chan_id];
-	}
diff --git a/policy/server-ports.bro b/policy/server-ports.bro
deleted file mode 100644
index 5645b6c716..0000000000
--- a/policy/server-ports.bro
+++ /dev/null
@@ -1,70 +0,0 @@
-# $Id: server-ports.bro,v 1.1.2.1 2006/05/31 23:19:07 sommer Exp $
-#
-# Automatically-loaded script which sets defaults for likely server ports.
-
-redef likely_server_ports += {
-
-	### TCP
-
-	21/tcp,
-	22/tcp,
-	23/tcp,
-	25/tcp,
-	587/tcp,
-	513/tcp,
-	79/tcp,
-	113/tcp,
-	80/tcp,
-	8080/tcp,
-	8000/tcp,
-	8888/tcp,
-	3128/tcp,
-	53/tcp,
-	111/tcp,
-	139/tcp,
-	6346/tcp,
-	8436/tcp,
-	135/tcp,
-	445/tcp,
-	110/tcp,
-	6666/tcp,
-	6667/tcp,
-
-	# SSL-relatd ports/tcp,
-	443/tcp,
-	563/tcp,
-	585/tcp,
-	614/tcp,
-	636/tcp,
-	989/tcp,
-	990/tcp,
-	992/tcp,
-	993/tcp,
-	994/tcp,
-	995/tcp,
-	8443/tcp,
-
-	# Not analyzed (yet), but give a hint which side the server is.
-	143/tcp,	# IMAP
-	497/tcp,	# Dantz
-	515/tcp,	# LPD
-	524/tcp,	# Netware core protocol
-	631/tcp,	# IPP
-	1521/tcp,	# Oracle SQL
-	2049/tcp,	# NFS
-	5730/tcp,	# Calendar
-	6000/tcp,	# X11
-	6001/tcp, 	# X11
-	16384/tcp,	# Connected Backup
-
-	### UDP
-
-	53/udp,
-	111/udp,
-	123/udp,
-	137/udp,
-	138/udp,
-	161/udp,
-	427/udp,	# srvloc
-	2049/udp,	# NFS
-};
diff --git a/policy/service-probe.bro b/policy/service-probe.bro
deleted file mode 100644
index 2cb02a3463..0000000000
--- a/policy/service-probe.bro
+++ /dev/null
@@ -1,97 +0,0 @@
-# $Id: service-probe.bro 5892 2008-07-01 02:37:03Z vern $
-#
-# Detects hosts that continually bang away at a particular service
-# of a local host, for example for brute-forcing passwords.
-#
-# Written by Jim Mellander, LBNL.
-# Updated by Robin Sommer, ICSI.
-
-@load conn
-
-module ServiceProbe;
-
-export {
-	redef enum Notice += { ServiceProbe };
-
-	# No work gets done unless this is set.
-	global detect_probes = F &redef;
-
-	# By default, look for service probes targeting MySQL and SSH.
-	global probe_ports = { 1433/tcp, 22/tcp, } &redef;
-
-	# They have to connect to this many to be flagged.
-	global connect_threshold: table[port] of count &default=100 &redef;
-
-	# How many bytes the connection must have to be considered potentially
-	# a probe.  If missing, then there's no lower/upper bound.
-	#
-	# Note, the attack that motivated including these was SSH password
-	# guessing, where it was empirically determined that connections
-	# with > 1KB and < 2KB bytes transferred appear to be unsuccessful
-	# password guesses.
-	#
-	global min_bytes: table[port] of int &default=-1 &redef;
-	global max_bytes: table[port] of int &default=-1 &redef;
-
-	# How many tries a given originator host has made against a given
-	# port on a given responder host.
-	global tries: table[addr, addr, port] of count
-					&default=0 &read_expire = 10 min;
-}
-
-global reported_hosts: set[addr] &read_expire = 1 day;
-
-function service_probe_check(c: connection)
-	{
-	if ( ! detect_probes )
-		return;
-
-	local id = c$id;
-	local orig = id$orig_h;
-	local resp = id$resp_h;
-	local service = (port_names[20/tcp] in c$service) ? 20/tcp : id$resp_p;
-
-	if ( orig in reported_hosts )
-		# We've already blocked them.
-		return;
-
-	if ( is_local_addr(orig) )
-		# We only analyze probes of local servers.
-		return;
-
-	if ( service !in probe_ports )
-		# Not a port we care about.
-		return;
-
-	local enough_bytes = T;
-	local bytes_xferred = c$orig$size + c$resp$size;
-
-	if ( service in min_bytes && bytes_xferred < min_bytes[service] )
-		enough_bytes = F;
-
-	if ( service in max_bytes && bytes_xferred > max_bytes[service] )
-		enough_bytes = F;
-
-	if ( ! enough_bytes )
-		return;
-
-	local cnt = ++tries[orig, resp, service];
-	if ( cnt == connect_threshold[service] )
-		{
-		local svc = service_name(c);
-
-		NOTICE([$note=ServiceProbe, $src=orig,
-			$msg=fmt("service probing %s -> %s %s",
-			orig, resp, svc)]);
-
-		# Since we've dropped this host, we can now release the space.
-		delete tries[orig, resp, service];
-		add reported_hosts[orig];
-		}
-	}
-
-
-event connection_state_remove(c: connection)
-	{
-	service_probe_check(c);
-	}
diff --git a/policy/signatures.bro b/policy/signatures.bro
deleted file mode 100644
index 5dfe4d6d50..0000000000
--- a/policy/signatures.bro
+++ /dev/null
@@ -1,307 +0,0 @@
-# $Id: signatures.bro 4909 2007-09-24 02:26:36Z vern $
-
-@load notice
-
-redef enum Notice += {
-	SensitiveSignature,	# generic for alarm-worthy
-	MultipleSignatures,	# host has triggered many signatures
-	MultipleSigResponders,	# host has triggered same signature on
-				# multiple responders
-	CountSignature,		# sig. has triggered mutliple times for a dest
-	SignatureSummary,	# summarize # times a host triggered a signature
-};
-
-type SigAction: enum {
-	SIG_IGNORE,	# ignore this sig. completely (even for scan detection)
-	SIG_QUIET,	# process, but don't report individually
-	SIG_FILE,	# write to signatures and notice files
-	SIG_FILE_BUT_NO_SCAN,	# as SIG_FILE, but ignore for scan processing
-	SIG_ALARM,	# alarm and write to signatures, notice, and alarm files
-	SIG_ALARM_PER_ORIG, 	# alarm once per originator
-	SIG_ALARM_ONCE, 	# alarm once and then never again
-	SIG_ALARM_NO_WORM,	# alarm if not originated by a known worm-source
-	SIG_COUNT_PER_RESP,	# count per dest. and alarm if threshold reached
-	SIG_SUMMARY, 	# don't alarm, but generate per-orig summary
-};
-
-# Actions for a signature.
-const signature_actions: table[string] of SigAction =  {
-	["unspecified"] = SIG_IGNORE,	# place-holder
-} &redef &default = SIG_ALARM;
-
-type sig_info: record {
-	note: Notice;			# notice associated with signature event
-	src_addr: addr &optional;
-	src_port: port &optional;
-	dst_addr: addr &optional;
-	dst_port: port &optional;
-	sig_id: string &optional &default="";
-	event_msg: string;
-	sub_msg: string &optional;	# matched payload data or extra message
-	sig_count: count &optional;	# num. sigs, usually from summary count
-	host_count: count &optional;	# num. hosts, from a summary count
-};
-
-global sig_file = open_log_file("signatures");
-
-global sig_summary_interval = 1 day &redef;
-
-# Given a string, returns an escaped version suitable for being
-# printed in the colon-separated notice format.  This means that
-# (1) any colons are escaped using '\', and (2) any '\'s are
-# likewise escaped.
-function signature_escape(s: string): string
-	{
-	s = subst_string(s, "\\", "\\\\");
-	return subst_string(s, ":", "\\:");
-	}
-
-# function call for writing to the signatures log file
-function signature_file_write(s: sig_info)
-	{
-	local t = fmt("%.06f", network_time());
-	local src_addr = s?$src_addr ? fmt("%s", s$src_addr) : "";
-	local src_port = s?$src_port ? fmt("%s", s$src_port) : "";
-	local dst_addr = s?$dst_addr ? fmt("%s", s$dst_addr) : "";
-	local dst_port = s?$dst_port ? fmt("%s", s$dst_port) : "";
-	local sub_msg = s?$sub_msg ? signature_escape(s$sub_msg) : "";
-	local sig_count = s?$sig_count ? fmt("%s", s$sig_count) : "";
-	local host_count = s?$host_count ? fmt("%s", s$host_count) : "";
-
-	local info =
-		fmt("%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s",
-			t, s$note, src_addr, src_port, dst_addr,
-			dst_port, s$sig_id, s$event_msg, sub_msg,
-			sig_count, host_count);
-
-	print sig_file, info;
-	}
-
-
-# Scan detection.
-
-# Alarm if, for a pair [orig, signature], the number of different responders
-# has reached one of the thresholds.
-const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
-
-# Alarm if, for a pair [orig, resp], the number of different signature matches
-# has reached one of the thresholds.
-const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
-
-# Alarm if a SIG_COUNT_PER_RESP signature is triggered as often as given
-# by one of these thresholds.
-const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
-
-type sig_set: set[string];
-type addr_set: set[addr];
-
-# We may need to define some &read_expires on these:
-global horiz_table: table[addr, string] of addr_set &read_expire = 1 hr;
-global vert_table: table[addr, addr] of sig_set &read_expire = 1 hr;
-global last_hthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
-global last_vthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
-global count_per_resp: table[addr, string] of count
-					&default = 0 &read_expire = 1 hr;
-global count_per_orig: table[addr, string] of count
-					&default = 0 &read_expire = 1 hr;
-global did_sig_log: set[string] &read_expire = 1 hr;
-
-event sig_summary(orig: addr, id: string, msg: string)
-	{
-@ifdef ( is_worm_infectee )
-	if ( is_worm_infectee(orig) )
-			return;
-@endif
-
-	NOTICE([$note=SignatureSummary, $src=orig,
-		$filename=id, $msg=fmt("%s: %s", orig, msg),
-		$n=count_per_orig[orig,id] ]);
-	}
-
-event signature_match(state: signature_state, msg: string, data: string)
-	{
-	local id = state$id;
-	local action = signature_actions[id];
-
-	if ( action == SIG_IGNORE )
-		return;
-
-	# We always add it to the connection record.
-	append_addl(state$conn, state$id);
-
-	# Trim the matched data down to something reasonable
-	if ( byte_len(data) > 140 )
-		data = fmt("%s...", sub_bytes(data, 0, 140));
-
-	if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
-		{
-		if ( state$is_orig )
-			{
-			signature_file_write(
-				[$note=SensitiveSignature,
-				 $src_addr=state$conn$id$orig_h,
-				 $src_port=state$conn$id$orig_p,
-				 $dst_addr=state$conn$id$resp_h,
-				 $dst_port=state$conn$id$resp_p,
-				 $sig_id=state$id,
-				 $event_msg=fmt("%s: %s", state$conn$id$orig_h, msg),
-				 $sub_msg=data]);
-			}
-		else
-			{
-			signature_file_write(
-				[$note=SensitiveSignature,
-				 $src_addr=state$conn$id$resp_h,
-				 $src_port=state$conn$id$resp_p,
-				 $dst_addr=state$conn$id$orig_h,
-				 $dst_port=state$conn$id$orig_p,
-				 $sig_id=state$id,
-				 $event_msg=fmt("%s: %s", state$conn$id$resp_h, msg),
-				 $sub_msg=data]);
-			}
-		}
-
-	local notice = F;
-
-	if ( action == SIG_ALARM )
-		notice = T;
-
-@ifdef ( is_worm_infectee )
-	if ( action == SIG_ALARM_NO_WORM &&
-	     ! is_worm_infectee(state$conn$id$orig_h) )
-		notice = T;
-@endif
-
-	if ( action == SIG_COUNT_PER_RESP )
-		{
-		local dst = state$conn$id$resp_h;
-		if ( ++count_per_resp[dst,id] in count_thresholds )
-			{
-			NOTICE([$note=CountSignature, $conn=state$conn,
-				   $msg=msg,
-				   $filename=id,
-				   $n=count_per_resp[dst,id],
-				   $sub=fmt("%d matches of signature %s on host %s",
-						count_per_resp[dst,id],
-						state$id, dst)]);
-			}
-		}
-
-	if ( (action == SIG_ALARM_PER_ORIG || action == SIG_SUMMARY) &&
-	     ++count_per_orig[state$conn$id$orig_h, state$id] == 1 )
-		{
-		if ( action == SIG_ALARM_PER_ORIG )
-			notice = T;
-		else
-			schedule sig_summary_interval
-				{
-				sig_summary(state$conn$id$orig_h, state$id, msg)
-				};
-		}
-
-	if ( action == SIG_ALARM_ONCE )
-		{
-		if ( [state$id] !in did_sig_log )
-			{
-			notice = T;
-			add did_sig_log[state$id];
-			}
-		}
-
-	if ( notice )
-		{
-		local src_addr: addr;
-		local src_port: port;
-		local dst_addr: addr;
-		local dst_port: port;
-
-		if ( state$is_orig )
-			{
-			src_addr = state$conn$id$orig_h;
-			src_port = state$conn$id$orig_p;
-			dst_addr = state$conn$id$resp_h;
-			dst_port = state$conn$id$resp_p;
-			}
-		else
-			{
-			src_addr = state$conn$id$resp_h;
-			src_port = state$conn$id$resp_p;
-			dst_addr = state$conn$id$orig_h;
-			dst_port = state$conn$id$orig_p;
-			}
-
-		NOTICE([$note=SensitiveSignature,
-			$conn=state$conn, $src=src_addr,
-			$dst=dst_addr, $filename=id, $msg=fmt("%s: %s", src_addr, msg),
-			$sub=data]);
-		}
-
-	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
-		return;
-
-@ifdef ( is_worm_infectee )
-	# Ignore scanning of known worm infectees.
-	if ( is_worm_infectee(state$conn$id$orig_h) )
-		return;
-@endif
-
-	# Keep track of scans.
-	local orig = state$conn$id$orig_h;
-	local resp = state$conn$id$resp_h;
-
-	if ( [orig, id] !in horiz_table )
-		horiz_table[orig, id] = set();
-
-	add horiz_table[orig, id][resp];
-
-	if ( [orig, resp] !in vert_table )
-		vert_table[orig, resp] = set();
-
-	add vert_table[orig, resp][id];
-
-	local hcount = length(horiz_table[orig, id]);
-	local vcount = length(vert_table[orig, resp]);
-
-	if ( hcount in horiz_scan_thresholds && hcount != last_hthresh[orig] )
-		{
-		local horz_scan_msg =
-			fmt("%s has triggered signature %s on %d hosts",
-				orig, id, hcount);
-
-		signature_file_write([$note=MultipleSigResponders,
-			$src_addr=orig, $sig_id=id, $event_msg=msg,
-			$host_count=hcount, $sub_msg=horz_scan_msg]);
-
-		NOTICE([$note=MultipleSigResponders, $src=orig, $filename=id,
-			$msg=msg, $n=hcount, $sub=horz_scan_msg]);
-
-		last_hthresh[orig] = hcount;
-		}
-
-	if ( vcount in vert_scan_thresholds && vcount != last_vthresh[orig] )
-		{
-		local vert_scan_msg =
-			fmt("%s has triggered %d different signatures on host %s",
-				orig, vcount, resp);
-
-		signature_file_write([$note=MultipleSignatures, $src_addr=orig,
-			$dst_addr=resp, $sig_id=id, $sig_count=vcount,
-			$event_msg= fmt("%s different signatures triggered",
-					vcount),
-			$sub_msg=vert_scan_msg]);
-
-		NOTICE([$note=MultipleSignatures, $src=orig, $dst=resp,
-			$filename=id,
-			$msg=fmt("%s different signatures triggered", vcount),
-			$n=vcount, $sub=vert_scan_msg]);
-
-		last_vthresh[orig] = vcount;
-		}
-	}
-
-# Returns true if the given signature has already been triggered for the given
-# [orig, resp] pair.
-function has_signature_matched(id: string, orig: addr, resp: addr): bool
-	{
-	return [orig, resp] in vert_table ? id in vert_table[orig, resp] : F;
-	}
diff --git a/policy/sigs/http-bots.sig b/policy/sigs/http-bots.sig
deleted file mode 100644
index 26f61c7d45..0000000000
--- a/policy/sigs/http-bots.sig
+++ /dev/null
@@ -1,93 +0,0 @@
-# $Id:$
-#
-# Some signatures for detecting certain HTTP-based botnet activity.
-
-signature nethell {
-	http-request /.*php\?userid=/
-	http-request-body /userid=[0-9]{8}_/
-	event "Nethell request"
-}
-
-signature bzub {
-	http-request /.*ver=.*&lg=.*&phid=.*&r=/
-	http-request-body /phid=[A-F0-9]{64}/
-	event "bzub request"
-}
-
-signature iebho {
-	http-request /.*ver=.*&lg=.*&phid=/
-	http-request-body /phid=[A-F0-9]{32}/
-	event "IEBHO request"
-}
-
-signature bebloh {
-	payload /^GET/
-	http-request /.*get\.php\?type=slg&id=/
-	event "Bebloh request"
-}
-
-signature black_enery {
-	payload /^POST/
-	http-request-header /Cache-Control: no-cache/
-	http-request-body /.*id=.*&build_id=.*id=x.+_[0-9A-F]{8}&build_id=.+/
-	event "Black energy request"
-}
-
-signature waledec {
-	payload /^POST/
-	http-request /\/[A-Za-z0-9]+\.[pP][nN][gG]/
-	event "Waledec request"
-}
-
-signature silentbanker {
-	payload /^POST/
-	http-request /.*\/getcfg\.php/
-	event "SilentBanker request"
-}
-
-signature icepack {
-	payload /^GET/
-	http-request /.*\/exe\.php/
-	event "Icepack request"
-}
-
-signature torpig {
-	payload /^POST/
-	http-request /.*\/gate\.php/
-	event "Torpig request"
-}
-
-signature peed {
-	http-request /.*\/controller\.php\?action=/
-	http-request /.*&entity/
-	http-request /.*&rnd=/
-	event "Peed request"
-}
-
-signature gozi {
-	payload /^GET/
-	http-request /.*\?user_id=/
-	http-request /.*&version_id=/
-	http-request /.*&crc=/
-	event "Gozi request"
-}
-
-signature wsnpoem {
-	payload /^GET/
-	http-request /.*\/((cfg|config)[0-9]*)\.bin$/
-	event "wsnpoem request"
-}
-
-signature pinch {
-	payload /^POST/
-	http-request /.*\?act=online&.*s4=.*&s5=.*&nickname=/
-	http-request-body /.*msg_out=/
-	event "pinch request"
-}
-
-signature grum {
-	payload /^GET/
-	http-request /.*s_alive\.php/
-	event "Grum request"
-}
-
diff --git a/policy/site.bro b/policy/site.bro
deleted file mode 100644
index 95c9c5cb89..0000000000
--- a/policy/site.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id: site.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Definitions describing a site - which networks are "local"
-# and "neighbors", and servers running particular services.
-
-# Networks that are considered "local".
-const local_nets: set[subnet] &redef;
-
-# Networks that are considered "neighbors".
-const neighbor_nets: set[subnet] &redef;
-
-# Function that returns true if an address corresponds to one of
-# the local networks, false if not.
-function is_local_addr(a: addr): bool
-	{
-	return a in local_nets;
-	}
diff --git a/policy/smb-anonymizer.bro b/policy/smb-anonymizer.bro
deleted file mode 100644
index 1051f8843c..0000000000
--- a/policy/smb-anonymizer.bro
+++ /dev/null
@@ -1,80 +0,0 @@
-# $Id:$
-
-redef rewriting_smb_trace = T;
-
-
-event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string)
-	{
-	}
-
-event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
-	{
-	}
-
-event smb_com_tree_disconnect(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string)
-	{
-	}
-
-event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_mailslot(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_rap(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_pipe(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
-	{
-	}
-
-event smb_com_write_andx(c: connection, hdr: smb_hdr, data: string)
-	{
-	}
-
-event smb_get_dfs_referral(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string)
-	{
-	}
-
-event smb_com_negotiate(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_negotiate_response(c: connection, hdr: smb_hdr, dialect_index: count)
-	{
-	}
-
-event smb_com_setup_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_generic_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_close(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_logoff_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
-	{
-	}
diff --git a/policy/smb.bro b/policy/smb.bro
deleted file mode 100644
index 4d31393a13..0000000000
--- a/policy/smb.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id:$
-
-redef capture_filters += { ["smb"] = "port 445" };
-
-global smb_ports = { 445/tcp } &redef;
-redef dpd_config += { [ANALYZER_SMB] = [$ports = smb_ports] };
-
-# No default implementation for events.
diff --git a/policy/smtp-relay.bro b/policy/smtp-relay.bro
deleted file mode 100644
index 0a7f84e7ad..0000000000
--- a/policy/smtp-relay.bro
+++ /dev/null
@@ -1,192 +0,0 @@
-# $Id: smtp-relay.bro 5911 2008-07-03 22:59:01Z vern $
-#
-# Tracks email relaying.
-
-@load smtp
-@load mime
-
-module SMTP;
-
-redef process_smtp_relay = T;
-
-export {
-	const relay_log = open_log_file("relay") &redef;
-}
-
-global print_smtp_relay: function(t: table[count] of smtp_session_info,
-					idx: count): interval;
-
-global smtp_relay_table: table[count] of smtp_session_info
-	&write_expire = 5 min &expire_func = print_smtp_relay;
-
-global smtp_session_by_recipient: table[string] of smtp_session_info
-	&write_expire = 5 min;
-global smtp_session_by_message_id: table[string] of smtp_session_info
-	&write_expire = 5 min;
-global smtp_session_by_content_hash: table[string] of smtp_session_info
-	&write_expire = 5 min;
-
-
-function add_to_smtp_relay_table(session: smtp_session_info)
-	{
-	if ( session$id !in smtp_relay_table )
-		smtp_relay_table[session$id] = session;
-	}
-
-function check_relay_1(session: smtp_session_info, rcpt: string)
-	{
-	if ( session$external_orig && rcpt != local_mail_addr )
-		{
-		smtp_message(session,
-			fmt("relaying(1) message (from %s, to %s) to address %s",
-				session$connection_id$orig_h,
-				session$connection_id$resp_h,
-				rcpt));
-
-		if ( session$relay_1_rcpt != "" )
-			session$relay_1_rcpt = cat(session$relay_1_rcpt, ",");
-
-		session$relay_1_rcpt = cat(session$relay_1_rcpt, rcpt);
-		add_to_smtp_relay_table(session);
-		}
-	}
-
-function check_relay_2(session: smtp_session_info, rcpt: string)
-	{
-	if ( rcpt in smtp_session_by_recipient )
-		{
-		local prev_session = smtp_session_by_recipient[rcpt];
-
-		# Should only check the first condition only (external
-		# followed by internal) but let's include the second one
-		# for testing purposes for now.
-		if ( (prev_session$external_orig && ! session$external_orig) ||
-		     (! prev_session$external_orig && session$external_orig) )
-			{
-			smtp_message(session,
-				fmt("relaying(2) message (seen during #%d) to address %s (%s -> %s, %s -> %s)",
-					prev_session$id, rcpt,
-					prev_session$connection_id$orig_h,
-					prev_session$connection_id$resp_h,
-					session$connection_id$orig_h,
-					session$connection_id$resp_h));
-
-			session$relay_2_from = prev_session$id;
-			++prev_session$relay_2_to;
-
-			add_to_smtp_relay_table(session);
-			add_to_smtp_relay_table(prev_session);
-			}
-		}
-
-	smtp_session_by_recipient[rcpt] = session;
-	}
-
-function check_relay_3(session: MIME::mime_session_info, msg_id: string)
-	{
-	local smtp_session = session$smtp_session;
-
-	if ( msg_id in smtp_session_by_message_id )
-		{
-		local prev_smtp_session = smtp_session_by_message_id[msg_id];
-
-		smtp_message(smtp_session,
-			fmt("relaying(3) message (seen during #%d) with id %s (%s -> %s, %s -> %s)",
-				prev_smtp_session$id, msg_id,
-				prev_smtp_session$connection_id$orig_h,
-				prev_smtp_session$connection_id$resp_h,
-				smtp_session$connection_id$orig_h,
-				smtp_session$connection_id$resp_h));
-
-		smtp_session$relay_3_from = prev_smtp_session$id;
-		++prev_smtp_session$relay_3_to;
-
-		add_to_smtp_relay_table(smtp_session);
-		add_to_smtp_relay_table(prev_smtp_session);
-		}
-	else
-		smtp_session_by_message_id[msg_id] = smtp_session;
-	}
-
-function check_relay_4(session: MIME::mime_session_info, content_hash: string)
-	{
-	local smtp_session = session$smtp_session;
-	smtp_session$content_hash = content_hash;
-
-	if ( content_hash in smtp_session_by_content_hash )
-		{
-		local prev_smtp_session = smtp_session_by_content_hash[content_hash];
-		smtp_message(smtp_session,
-			fmt("relaying(4) message (seen during #%d) with hash %s (%s -> %s, %s -> %s)",
-				prev_smtp_session$id,
-				string_to_ascii_hex(content_hash),
-				prev_smtp_session$connection_id$orig_h,
-				prev_smtp_session$connection_id$resp_h,
-				smtp_session$connection_id$orig_h,
-				smtp_session$connection_id$resp_h));
-
-		smtp_session$relay_4_from = prev_smtp_session$id;
-		++prev_smtp_session$relay_4_to;
-
-		add_to_smtp_relay_table(smtp_session);
-		add_to_smtp_relay_table(prev_smtp_session);
-		}
-	else
-		smtp_session_by_content_hash[content_hash] = smtp_session;
-	}
-
-# event mime_all_data(c: connection, length: count, data: string)
-#  	{
-#  	local session = get_mime_session(c, T);
-#  	session$content_hash = md5_hash(data);
-# 	if ( process_smtp_relay )
-# 	 	check_relay_4(session, session$content_hash);
-#  	# mime_log_msg(session, "all data", fmt("%s", data));
-#  	}
-
-event mime_content_hash(c: connection, content_len: count, hash_value: string)
-	{
-	local session = MIME::get_session(c, T);
-	session$content_hash = hash_value;
-	if ( process_smtp_relay && content_len > 0 )
-		check_relay_4(session, session$content_hash);
-	}
-
-function relay_flow(from: count, to: count): string
-	{
-	if ( from > 0 )
-		return fmt("<#%d", from);
-
-	if ( to > 0 )
-		return fmt(">%d", to);
-
-	return "-";
-	}
-
-function print_smtp_relay(t: table[count] of smtp_session_info,
-				idx: count): interval
-	{
-	local session = t[idx];
-
-	print relay_log, fmt("#%d: %s",
-		session$id,
-		directed_id_string(session$connection_id, T));
-
-	print relay_log, fmt("#%d: RCPT: <%s>, Subject: %s",
-		session$id,
-		session$recipients, session$subject);
-
-	print relay_log, fmt("#%d: detected: [%s %s %s %s] %s",
-		session$id,
-		session$relay_1_rcpt == "" ? "-" : "1",
-		relay_flow(session$relay_2_from, session$relay_2_to),
-		relay_flow(session$relay_3_from, session$relay_3_to),
-		relay_flow(session$relay_4_from, session$relay_4_to),
-		session$content_gap ? "(content gap)" : "");
-
-	print relay_log, fmt("#%d: relay 1: <%s>",
-		session$id,
-		session$relay_1_rcpt);
-
-	return 0 sec;
-	}
diff --git a/policy/smtp-rewriter.bro b/policy/smtp-rewriter.bro
deleted file mode 100644
index be8e726dcc..0000000000
--- a/policy/smtp-rewriter.bro
+++ /dev/null
@@ -1,94 +0,0 @@
-# $Id: smtp-rewriter.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load smtp
-@load mime 	# need mime for content hash
-
-module SMTP;
-
-redef rewriting_smtp_trace = T;
-
-# We want this event handler to execute *after* the one in smtp.bro.
-event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local session = smtp_sessions[c$id];
-
-	if ( command != ">" )
-		{
-		if ( command == "." )
-			{
-			# A hack before we have MIME rewriter.
-			# rewrite_smtp_data(c, is_orig, fmt("X-number-of-lines: %d",
-			# 			session$num_lines_in_body));
-			rewrite_smtp_data(c, is_orig, fmt("X-number-of-bytes: %d",
-						session$num_bytes_in_body));
-
-			# Write empty line to avoid MIME analyzer complaints.
-			rewrite_smtp_data(c, is_orig, "");
-			rewrite_smtp_data(c, is_orig, fmt("%s", session$content_hash));
-			}
-
-		if ( command in smtp_legal_cmds )
-			{
-			# Avoid the situation in which we mistake
-			# mail contents for SMTP commands.
-			rewrite_smtp_request(c, is_orig, command, arg);
-			rewrite_push_packet(c, is_orig);
-			}
-		}
-	}
-
-event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
-			msg: string, cont_resp: bool)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	rewrite_smtp_reply(c, is_orig, code, msg, cont_resp);
-	}
-
-function starts_with_leading_whitespace(s: string): bool
-	{
-	return /^[ \t]/ in s;
-	}
-
-function rewrite_smtp_header_line(c: connection, is_orig: bool,
-				session: smtp_session_info, line: string)
-	{
-	if ( starts_with_leading_whitespace(line) )
-		{ # a continuing header
-		if ( session$keep_current_header )
-			rewrite_smtp_data(c, is_orig, line);
-		}
-	else
-		{
-		session$keep_current_header = F;
-
-		local pair = split1(line, /:/);
-		if ( length(pair) < 2 )
-			{
-			session$keep_current_header = T;
-			rewrite_smtp_data(c, is_orig, line);
-			}
-		else
-			{
-			local field_name = to_upper(pair[1]);
-
-			# Currently, the MIME analyzer is sensitive to
-			# CONTENT-TYPE and CONTENT_TRANSFER_ENCODING,
-			# so we want to remove these when anonymizing,
-			# because we can't ensure their integrity when
-			# rewriting message bodies.
-			#
-			# To be conservative, however, we strip out *all*
-			# CONTENT-* headers.
-			if ( /^CONTENT-/ !in field_name )
-				{
-				session$keep_current_header = T;
-				rewrite_smtp_data(c, is_orig, line);
-				}
-			}
-		}
-	}
diff --git a/policy/smtp.bro b/policy/smtp.bro
deleted file mode 100644
index cddb926456..0000000000
--- a/policy/smtp.bro
+++ /dev/null
@@ -1,557 +0,0 @@
-# $Id: smtp.bro 5230 2008-01-14 01:38:18Z vern $
-
-@load conn
-
-module SMTP;
-
-export {
-	redef enum Notice += { HotEmailRecipient, };
-
-	const process_smtp_relay = F &redef;
-
-	const smtp_log = open_log_file("smtp") &redef;
-
-	# Used to detect relaying.
-	const local_mail_addr = /.*@.*lbl.gov/ &redef;
-
-	const hot_recipients = /@/ &redef;
-
-	const smtp_legal_cmds: set[string] = {
-		">", "EHLO", "HELO", "MAIL",
-		"RCPT", "DATA", ".", "QUIT",
-		"RSET", "VRFY", "EXPN", "HELP", "NOOP",
-		"SEND",	"SOML", "SAML", "TURN",
-		"STARTTLS",
-		"BDAT",
-		"ETRN",
-		"AUTH",
-		"***",
-	} &redef;
-
-	const smtp_hot_cmds: table[string] of pattern = {
-		["MAIL"] = /.*<.*@.*:.*>.*/,	# relay path
-		["RCPT"] = /.*<.*@.*:.*>.*/,	# relay path
-		["VRFY"] = /.*/,
-		["EXPN"] = /.*/,
-		["TURN"] = /.*/,
-	} &redef;
-
-	const smtp_sensitive_cmds: set[string] = {
-		"VRFY", "EXPN", "TURN",
-	} &redef;
-
-	const smtp_expected_reply: set[string, count] = {
-		[">", 220],
-		["EHLO", 250],
-		["HELO", 250],
-		["MAIL", 250],
-		["RCPT", 250],
-		["RCPT", 554],	# transaction failed
-		["QUIT", 221],
-		["DATA", 354],
-		[".", 250],	# end of data
-		["RSET", 250],
-		["VRFY", 250],
-		["EXPN", 250],
-		["HELP", 250],
-		["HELP", 502],	# help command not supported
-		["NOOP", 250],
-		["AUTH", 334],		# two round authentication
-		["AUTH", 235],		# one round authentication
-		["AUTH_ANSWER", 334],	# multiple step authentication
-		["AUTH_ANSWER", 235],	# authentication successful
-		["STARTTLS", 220],	# Willing to do TLS
-		["TURN", 502],		# TURN is expected to be rejected
-	};
-
-	type smtp_cmd_info: record {
-		cmd: string;
-		cmd_arg: string;
-		reply: count;
-		reply_arg: string;
-		cont_reply: bool;
-		log_reply: bool;
-	};
-
-	type smtp_cmd_info_list: table[count] of smtp_cmd_info;
-
-	type smtp_session_info: record {
-		id: count;
-		connection_id: conn_id;
-		external_orig: bool;
-		in_data: bool;
-		num_cmds: count;
-		num_replies: count;
-		cmds: smtp_cmd_info_list;
-		in_header: bool;
-		keep_current_header: bool;	# hack till MIME rewriter ready
-		recipients: string;
-		subject: string;
-		content_hash: string;
-		num_lines_in_body: count;
-			# lines in RFC 822 body before MIME decoding
-		num_bytes_in_body: count;
-			# bytes in entity bodies after MIME decoding
-		content_gap: bool;	# whether content gap in conversation
-
-		relay_1_rcpt: string;	# external recipients
-		relay_2_from: count;	# session id of same recipient
-		relay_2_to: count;
-		relay_3_from: count;	# session id of same msg id
-		relay_3_to: count;
-		relay_4_from: count;	# session id of same content hash
-		relay_4_to: count;
-	};
-
-	global smtp_sessions: table[conn_id] of smtp_session_info;
-	global smtp_session_id = 0;
-
-	global new_smtp_session: function(c: connection);
-}
-
-redef capture_filters += { ["smtp"] = "tcp port smtp or tcp port 587" };
-
-# DPM configuration.
-global smtp_ports = { 25/tcp, 587/tcp } &redef;
-redef dpd_config += { [ANALYZER_SMTP] = [$ports = smtp_ports] };
-
-function is_smtp_connection(c: connection): bool
-	{
-	return c$id$resp_p == smtp;
-	}
-
-event bro_init()
-	{
-	have_SMTP = T;
-	}
-
-global add_to_smtp_relay_table: function(session: smtp_session_info);
-
-function new_smtp_command(session: smtp_session_info, cmd: string, arg: string)
-	{
-	++session$num_cmds;
-
-	local cmd_info: smtp_cmd_info;
-	cmd_info$cmd = cmd;
-	cmd_info$cmd_arg = arg;
-	cmd_info$reply = 0;
-	cmd_info$reply_arg = "";
-	cmd_info$cont_reply = F;
-	cmd_info$log_reply = F;
-
-	session$cmds[session$num_cmds] = cmd_info;
-	}
-
-function new_smtp_session(c: connection)
-	{
-	local session = c$id;
-	local new_id = ++smtp_session_id;
-
-	local info: smtp_session_info;
-	local cmds: smtp_cmd_info_list;
-
-	info$id = new_id;
-	info$connection_id = session;
-	info$in_data = F;
-	info$num_cmds = 0;
-	info$num_replies = 0;
-	info$cmds = cmds;
-	info$in_header = F;
-	info$keep_current_header = T;
-	info$external_orig = !is_local_addr(session$orig_h);
-
-	info$subject = "";
-	info$recipients = "";
-	info$content_hash = "";
-	info$num_lines_in_body = info$num_bytes_in_body = 0;
-	info$content_gap = F;
-
-	info$relay_1_rcpt = "";
-	info$relay_2_from = info$relay_2_to = info$relay_3_from =
-		info$relay_3_to = info$relay_4_from = info$relay_4_to = 0;
-
-	new_smtp_command(info, ">", "<connection>");
-
-	smtp_sessions[session] = info;
-	append_addl(c, fmt("#%s", prefixed_id(new_id)));
-
-	print smtp_log, fmt("%.6f #%s %s start %s", c$start_time,
-			prefixed_id(new_id), id_string(session), info$external_orig ?
-			"external" : "internal" );
-	}
-
-function smtp_message(session: smtp_session_info, msg: string)
-	{
-	print smtp_log, fmt("%.6f #%s %s",
-			network_time(), prefixed_id(session$id), msg);
-	}
-
-function smtp_log_msg(session: smtp_session_info, is_orig: bool, msg: string)
-	{
-	print smtp_log, fmt("%.6f #%s %s: %s",
-				network_time(),
-				prefixed_id(session$id),
-				directed_id_string(session$connection_id, is_orig),
-				msg);
-	}
-
-function smtp_log_reject_recipient(session: smtp_session_info, rcpt: string)
-	{
-	if ( rcpt == "" )
-		rcpt = "<none>";
-
-	smtp_message(session, fmt("Recipient addresses rejected: %s", rcpt));
-	}
-
-function smtp_log_command(session: smtp_session_info, is_orig: bool,
-				msg: string, cmd_info: smtp_cmd_info)
-	{
-	smtp_log_msg(session, is_orig, fmt("%s: %s(%s)",
-					msg, cmd_info$cmd, cmd_info$cmd_arg));
-	}
-
-function smtp_log_reply(session: smtp_session_info, is_orig: bool,
-			msg: string, cmd_info: smtp_cmd_info)
-	{
-	smtp_log_msg(session, is_orig, fmt("%s: %s(%s) --> %d(%s)",
-					msg,
-					cmd_info$cmd, cmd_info$cmd_arg,
-					cmd_info$reply, cmd_info$reply_arg));
-	}
-
-event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
-	{
-	local id = c$id;
-
-	if ( id !in smtp_sessions )
-		new_smtp_session(c);
-
-	local session = smtp_sessions[id];
-	new_smtp_command(session, command, arg);
-	local cmd_info = session$cmds[session$num_cmds];
-
-	# Store the command in session record.
-	local log_this_cmd = F;
-
-	if ( command in smtp_hot_cmds && arg == smtp_hot_cmds[command] )
-		{
-		log_this_cmd = T;
-		cmd_info$log_reply = T;
-		}
-
-	if ( command in smtp_sensitive_cmds )
-		{
-		log_this_cmd = T;
-		cmd_info$log_reply = T;
-		}
-
-	if ( log_this_cmd )
-		smtp_log_command(session, is_orig, "unusual command", cmd_info);
-
-	if ( command == "DATA" )
-		{
-		session$in_data = T;
-		session$in_header = T;
-		}
-
-	else if ( command == "." )
-		session$in_data = F;
-	}
-
-function check_cmd_info(session: smtp_session_info): bool
-	{
-	if ( session$num_replies == 0 )
-		return T;
-
-	if ( session$num_replies <= session$num_cmds &&
-	     session$num_replies in session$cmds )
-		return T;
-
-	smtp_message(session, fmt("error: invalid num_replies: %d (num_cmds = %d)",
-				session$num_replies, session$num_cmds));
-	return F;
-	}
-
-function smtp_command_mail(session: smtp_session_info, cmd_info: smtp_cmd_info)
-	{
-	local tokens = split(cmd_info$cmd_arg, /(<|:|>)*/);
-
-	local i = 0;
-	for ( i in tokens )
-		smtp_log_msg(session, T, fmt("%d: \"%s\"", i, tokens[i]));
-	}
-
-function extract_recipient(session: smtp_session_info, rcpt_cmd_arg: string): string
-	{
-	local pair: string_array;
-	local s: string;
-
-	s = rcpt_cmd_arg;
-
-	pair = split1(s, /<( |\t)*/);
-	if ( length(pair) != 2 )
-		{
-		smtp_message(session, fmt("error: '<' not found in argument to RCPT: %s",
-					rcpt_cmd_arg));
-		return "";
-		}
-
-	s = pair[2];
-	# smtp_message(session, fmt("%s<%s", pair[1], pair[2]));
-
-	pair = split1(s, /( |\t)*>/);
-	if ( length(pair) != 2 )
-		{
-		smtp_message(session, fmt("error: '>' not found in argument to RCPT: %s",
-					rcpt_cmd_arg));
-		return "";
-		}
-
-	s = pair[1];
-	# smtp_message(session, fmt("%s>%s", pair[1], pair[2]));
-
-	pair = split1(s, /:/);
-	if ( length(pair) == 2 )
-		{
-		smtp_message(session, fmt("RCPT address is source route path: %s",
-					rcpt_cmd_arg));
-		s = pair[2];
-		}
-
-	# Actually the local part of an address might be case-sensitive,
-	# but in most cases it is not.
-
-	s = to_lower(s);
-
-	return s;
-	}
-
-global check_relay_1: function(session: smtp_session_info, rcpt: string);
-global check_relay_2: function(session: smtp_session_info, rcpt: string);
-
-function smtp_command_rcpt(c: connection, session: smtp_session_info,
-				cmd_info: smtp_cmd_info)
-	{
-	local rcpt = extract_recipient(session, cmd_info$cmd_arg);
-
-	if ( cmd_info$reply == 554 )
-		smtp_log_reject_recipient(session, rcpt);
-
-	else if ( rcpt != "" )
-		{
-		smtp_message(session, fmt("recipient: <%s>", rcpt));
-
-		if ( session$recipients != "" )
-			session$recipients = cat(session$recipients, ",");
-
-		session$recipients = cat(session$recipients, rcpt);
-
-		if ( process_smtp_relay )
-			{
-			check_relay_1(session, rcpt);
-			check_relay_2(session, rcpt);
-			}
-
-		if ( rcpt == hot_recipients )
-			{
-			local src = session$connection_id$orig_h;
-			local dst = session$connection_id$resp_h;
-
-			NOTICE([$note=HotEmailRecipient, $src=src, $conn=c,
-				$user=rcpt,
-				$msg=fmt("hot email recipient %s -> %s@%s",
-					src, rcpt, dst)]);
-			}
-		}
-	}
-
-event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
-			msg: string, cont_resp: bool)
-	{
-	local id = c$id;
-
-	if ( id !in smtp_sessions )
-		new_smtp_session(c);
-
-	local session = smtp_sessions[id];
-	local new_reply = F;
-
-	# Check entry before indexing.
-	if ( ! check_cmd_info(session) )
-		return;
-
-	if ( session$num_replies == 0 ||
-	     ! session$cmds[session$num_replies]$cont_reply )
-		{
-		++session$num_replies;
-		if ( session$num_replies !in session$cmds )
-			{
-			smtp_message(session, fmt("error: unmatched reply: %d %s (%s)",
-							code, msg, cmd));
-			return;
-			}
-
-		new_reply = T;
-		}
-
-	if ( ! check_cmd_info(session) )
-		return;
-
-	local cmd_info = session$cmds[session$num_replies];
-
-	if ( cmd_info$cmd != cmd )
-		{
-		smtp_message(session,
-			fmt("error: command mismatch: %s(%d) %s(%d), %s (%d %s)",
-				cmd_info$cmd, session$num_replies,
-				session$cmds[session$num_cmds], session$num_cmds,
-				cmd, code, msg));
-		return;
-		}
-
-	cmd_info$reply = code;
-	if ( new_reply )
-		cmd_info$reply_arg = msg;
-	else
-		cmd_info$reply_arg = cat(cmd_info$reply_arg, "\r\n", msg);
-
-	cmd_info$cont_reply = cont_resp;
-
-	local log_this_reply = cmd_info$log_reply;
-
-	if ( [cmd, code] !in smtp_expected_reply )
-		log_this_reply = T;
-
-	if ( log_this_reply && ! cont_resp )
-		smtp_log_reply(session, is_orig, "unusual command/reply", cmd_info);
-
-	#	else if ( cmd == "MAIL" && code == 250 )
-	#		smtp_command_mail(session, cmd_info);
-
-	else if ( cmd == "RCPT" )
-		{
-		if ( code == 250 || code == 554 )
-			smtp_command_rcpt(c, session, cmd_info);
-		}
-
-	else if ( cmd == "STARTTLS" && code == 220 )
-		{ # it'll now go encrypted - no more we can do.
-		skip_further_processing(c$id);
-		smtp_message(session, cmd);
-		}
-	}
-
-function reset_on_gap(session: smtp_session_info)
-	{
-	local i: count;
-
-	clear_table(session$cmds);
-
-	session$num_cmds = session$num_replies = 0;
-	session$in_data = F;
-	}
-
-event smtp_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
-	{
-	local id = c$id;
-
-	if ( id !in smtp_sessions )
-		new_smtp_session(c);
-
-	local session = smtp_sessions[id];
-
-	smtp_log_msg(session, is_orig, fmt("unexpected: %s: %s", msg, detail));
-	}
-
-function clear_smtp_session(session: smtp_session_info)
-	{
-	clear_table(session$cmds);
-	}
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
-	{
-	if ( is_smtp_connection(c) )
-		{
-		local id = c$id;
-		if ( id !in smtp_sessions )
-			new_smtp_session(c);
-		local session = smtp_sessions[id];
-		session$content_gap = T;
-		reset_on_gap(session);
-		}
-	}
-
-event connection_finished(c: connection)
-	{
-	local id = c$id;
-	if ( id in smtp_sessions )
-		{
-		local session = smtp_sessions[id];
-		smtp_message(session, "finish");
-		clear_smtp_session(session);
-		delete smtp_sessions[id];
-		}
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-	if ( id in smtp_sessions )
-		{
-		local session = smtp_sessions[id];
-		smtp_message(session, "state remove");
-		clear_smtp_session(session);
-		delete smtp_sessions[id];
-		}
-	}
-
-global rewrite_smtp_header_line:
-	function(c: connection, is_orig: bool,
-			session: smtp_session_info, line: string);
-
-function smtp_header_line(c: connection, is_orig: bool,
-				session: smtp_session_info, line: string)
-	{
-	if ( rewriting_smtp_trace )
-		rewrite_smtp_header_line(c, is_orig, session, line);
-	}
-
-function smtp_body_line(c: connection, is_orig: bool,
-			session: smtp_session_info, line: string)
-	{
-	++session$num_lines_in_body;
-	session$num_bytes_in_body =
-		session$num_bytes_in_body + byte_len(line) + 2; # including CRLF
-	}
-
-event smtp_data(c: connection, is_orig: bool, data: string)
-	{
-	local id = c$id;
-	if ( id in smtp_sessions )
-		{
-		local session = smtp_sessions[id];
-		# smtp_log_msg(session, is_orig, fmt("data: %s", data));
-		if ( session$in_header )
-			{
-			if ( data == "" )
-				{
-				session$in_header = F;
-				skip_smtp_data(c);
-				}
-			else
-				{
-				smtp_header_line(c, is_orig, session, data);
-				# smtp_log_msg(session, T, fmt("header: %s", data));
-				}
-			}
-		else
-			{
-			# smtp_body_line(c, is_orig, session, data);
-			}
-		}
-	}
-
-event bro_done()
-	{
-	clear_table(smtp_sessions);
-	}
diff --git a/policy/snort.bro b/policy/snort.bro
deleted file mode 100644
index 16a173de13..0000000000
--- a/policy/snort.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: snort.bro 720 2004-11-12 16:45:48Z rwinslow $
-#
-# Definitions needed for signatures converted by snort2bro.
-
-# Servers for some services.
-const dns_servers: set[subnet] = { local_nets } &redef;
-const http_servers: set[subnet] = { local_nets } &redef;
-const smtp_servers: set[subnet] = { local_nets } &redef;
-const telnet_servers: set[subnet] = { local_nets } &redef;
-const sql_servers: set[subnet] = { local_nets } &redef;
-
-const aim_servers: set[subnet] = {
-	64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24,
-	64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24,
-	205.188.9.0/24
-} &redef;
-
-# Ports for some services.
-const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
-const oracle_ports = { 1521/tcp };
-const non_shellcode_ports = { 80/tcp };
diff --git a/policy/software.bro b/policy/software.bro
deleted file mode 100644
index 0bdeb824b7..0000000000
--- a/policy/software.bro
+++ /dev/null
@@ -1,172 +0,0 @@
-# $Id: software.bro 4907 2007-09-23 23:44:07Z vern $
-#
-# Keeps track of the software running on hosts.
-
-@load site
-@load weird
-
-# Operational use of software.bro on a busy network can result in huge
-# data files.  By default creating a log file is turned off.
-global log_software = F &redef;
-
-# If true, then logging is confined to just software versions of local hosts.
-global only_report_local = T &redef;
-
-global software_file = open_log_file("software");
-
-# Invoked whenever we discover new software for a host (but not for a new
-# version of previously found software).
-global software_new: event(c: connection, host: addr, s: software,
-				descr: string);
-
-# Invoked whenever we discover a new version of previously discovered
-# software.
-global software_version_change: event(c: connection, host: addr, s: software,
-	old_version: software_version, descr: string);
-
-# Index is the name of the software.
-type software_set: table[string] of software;
-
-# You may or may not want to define a timeout for this.
-global software_table: table[addr] of software_set;
-
-# Some software can be installed twice on the same server
-# with different major numbers.
-global software_ident_by_major: set[string] = {
-	"PHP",
-	"WebSTAR",
-} &redef;
-
-# Compare two versions.
-#   Returns -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
-#   If the numerical version numbers match, the addl string
-#   is compared lexicographically.
-function software_cmp_version(v1: software_version, v2: software_version): int
-	{
-	if ( v1$major < v2$major )
-		return -1;
-	if ( v1$major > v2$major )
-		return 1;
-
-	if ( v1$minor < v2$minor )
-		return -1;
-	if ( v1$minor > v2$minor )
-		return 1;
-
-	if ( v1$minor2 < v2$minor2 )
-		return -1;
-	if ( v1$minor2 > v2$minor2 )
-		return 1;
-
-	return strcmp(v1$addl, v2$addl);
-	}
-
-# Convert a version into a string "a.b.c-x".
-function software_fmt_version(v: software_version): string
-	{
-	return fmt("%s%s%s%s",
-			v$major >= 0 ? fmt("%d", v$major) : "",
-			v$minor >= 0 ? fmt(".%d", v$minor) : "",
-			v$minor2 >= 0 ? fmt(".%d", v$minor2) : "",
-			v$addl != "" ? fmt("-%s", v$addl) : "");
-	}
-
-# Convert a software into a string "name a.b.cx".
-function software_fmt(s: software): string
-	{
-	return fmt("%s %s", s$name, software_fmt_version(s$version));
-	}
-
-# Insert a mapping into the table
-# Overides old entries for the same software and generates events if needed.
-### FIXME: Do we need a software_unregister() as well?
-function software_register(c: connection, host: addr, s: software,
-				descr: string)
-	{
-	# Host already known?
-	if ( host !in software_table )
-		software_table[host] = set();
-
-	# If a software can be installed more than once on a host
-	# (with a different major version), we identify it by "<name>-<major>"
-	if ( s$name in software_ident_by_major && s$version$major >= 0 )
-		s$name = fmt("%s-%d", s$name, s$version$major);
-
-	local soft_set = software_table[host];
-
-	# Software already registered for this host?
-	if ( s$name in soft_set )
-		{
-		# Is it a different version?
-		local old = soft_set[s$name];
-		if ( software_cmp_version(old$version, s$version) != 0 )
-			event software_version_change(c, host, s, old$version,
-							descr);
-		}
-	else
-		event software_new(c, host, s, descr);
-
-	soft_set[s$name] = s;
-	}
-
-event software_version_found(c: connection, host: addr, s: software,
-				descr: string)
-	{
-	if ( ! only_report_local || is_local_addr(host) )
-		software_register(c, host, s, descr);
-	}
-
-function software_endpoint_name(c: connection, host: addr): string
-	{
-	return fmt("%s %s", host,
-			host == c$id$orig_h ? "client" : "server");
-	}
-
-event software_parse_error(c: connection, host: addr, descr: string)
-	{
-	if ( ! only_report_local || is_local_addr(host) )
-		{
-		# Here we need a little hack, since software_file is
-		# not always there.
-		local msg = fmt("%.6f %s: can't parse '%s'", network_time(),
-				software_endpoint_name(c, host), descr);
-
-		if ( log_software )
-			print software_file, msg;
-		else
-			print Weird::weird_file, msg;
-		}
-	}
-
-event software_new(c: connection, host: addr, s: software, descr: string)
-	{
-	if ( log_software )
-		{
-		print software_file, fmt("%.6f %s uses %s (%s)", network_time(),
-					software_endpoint_name(c, host),
-					software_fmt(s), descr);
-		}
-	}
-
-event software_version_change(c: connection, host: addr, s: software,
-				old_version: software_version, descr: string)
-	{
-	if ( log_software )
-		{
-		local msg = fmt("%.6f %s switched from %s to %s (%s)",
-				network_time(), software_endpoint_name(c, host),
-				software_fmt_version(old_version),
-				software_fmt(s), descr);
-
-		print software_file, msg;
-		}
-	}
-
-event software_unparsed_version_found(c: connection, host: addr, str: string)
-	{
-	if ( log_software )
-		{
-		print software_file, fmt("%.6f %s: [%s]", network_time(),
-					software_endpoint_name(c, host), str);
-		}
-	}
diff --git a/policy/ssh-stepping.bro b/policy/ssh-stepping.bro
deleted file mode 100644
index 5658a56043..0000000000
--- a/policy/ssh-stepping.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load stepping
-
-redef capture_filters += { ["ssh-stepping"] = "tcp port 22" };
-
-module SSH_Stepping;
-
-# Keeps track of how many connections each source is responsible for.
-global ssh_src_cnt: table[addr] of count &default=0 &write_expire=15sec;
-
-export {
-	# Threshold above which we stop analyzing a source.
-	# Use 0 to never stop.
-	global src_fanout_no_stp_analysis_thresh = 100 &redef;
-}
-
-event connection_established(c: connection)
-	{
-	if ( c$id$resp_p == ssh )
-		{
-		# No point recording these, and they're potentially huge
-		# due to use of ssh for file transfers.
-		set_record_packets(c$id, F);
-
-		# Keep track of sources that create lots of connections
-		# so we can skip analyzing them - they're very likely
-		# uninteresting for stepping stones, and can present
-		# a large state burden.
-		local src = c$id$orig_h;
-		if ( ++ssh_src_cnt[src] == src_fanout_no_stp_analysis_thresh )
-			add stp_skip_src[src];
-
-		if ( ssh_src_cnt[src] == 1 )
-			# First entry.  It's possible this entry was set
-			# before and has now expired.  If so, stop skipping it.
-			delete stp_skip_src[src];
-		}
-	}
-
-event partial_connection(c: connection)
-	{
-	if ( c$id$orig_p == ssh || c$id$resp_p == ssh )
-		# No point recording these, and they're potentially huge
-		# due to use of ssh for file transfers.
-		set_record_packets(c$id, F);
-	}
diff --git a/policy/ssh.bro b/policy/ssh.bro
deleted file mode 100644
index 5ebd075d7f..0000000000
--- a/policy/ssh.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id: ssh.bro 6588 2009-02-17 00:02:53Z vern $
-
-module SSH;
-
-export {
-	# If true, we tell the event engine to not look at further data
-	# packets after the initial SSH handshake. Helps with performance
-	# (especially with large file transfers) but precludes some
-	# kinds of analyses (e.g., tracking connection size).
-	const skip_processing_after_handshake = T &redef;
-
-	global ssh_ports = { 22/tcp } &redef;
-}
-
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-
-redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };
-
-const ssh_log = open_log_file("ssh") &redef;
-
-# Indexed by address and T for client, F for server.
-global did_ssh_version: table[addr, bool] of count
-				&default = 0 &read_expire = 7 days;
-
-event ssh_client_version(c: connection, version: string)
-	{
-	if ( ++did_ssh_version[c$id$orig_h, T] == 1 )
-		print ssh_log, fmt("%s %s \"%s\"", c$id$orig_h, "C", version);
-
-	if ( skip_processing_after_handshake )
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
-	}
-
-event ssh_server_version(c: connection, version: string)
-	{
-	if ( ++did_ssh_version[c$id$resp_h, F] == 1 )
-		print ssh_log, fmt("%s %s \"%s\"", c$id$resp_h, "S", version);
-	}
diff --git a/policy/ssl-alerts.bro b/policy/ssl-alerts.bro
deleted file mode 100644
index 1a0d65dead..0000000000
--- a/policy/ssl-alerts.bro
+++ /dev/null
@@ -1,120 +0,0 @@
-# $Id: ssl-alerts.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Interface for SSL/TLS support.
-
-# --- constant definitions of the SSL/TLS alert/error records ---
-
-# --- Error descriptions for SSLv2.
-const SSLv2_PE_NO_CIPHER = 0x0001;
-const SSLv2_PE_NO_CERTIFICATE = 0x0002;
-const SSLv2_PE_BAD_CERTIFICATE = 0x0004;
-const SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006;
-
-# --- Alert descriptions in SSLv3.0 and SSLv3.1.
-const SSLv3x_ALERT_DESCR_CLOSE_NOTIFY = 0;
-const SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE = 10;
-const SSLv3x_ALERT_DESCR_BAD_RECORD_MAC = 20;
-const SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE = 30;
-const SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE = 40;
-const SSLv3x_ALERT_DESCR_BAD_CERTIFICATE = 42;
-const SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE = 43;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED = 44;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED = 45;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN = 46;
-
-# --- Alert descriptions only in SSLv3.0.
-const SSLv30_ALERT_DESCR_NO_CERTIFICATE = 41;
-
-# --- Alert descriptions only in SSLv3.1.
-const SSLv31_ALERT_DESCR_DESCRYPTION_FAILED = 21;
-const SSLv31_ALERT_DESCR_RECORD_OVERFLOW = 22;
-const SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER = 47;
-const SSLv31_ALERT_DESCR_UNKNOWN_CA = 48;
-const SSLv31_ALERT_DESCR_ACCESS_DENIED = 49;
-const SSLv31_ALERT_DESCR_DECODE_ERROR = 50;
-const SSLv31_ALERT_DESCR_DECRYPT_ERROR = 51;
-const SSLv31_ALERT_DESCR_EXPORT_RESTRICTION = 60;
-const SSLv31_ALERT_DESCR_PROTOCOL_VERSION = 70;
-const SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY = 71;
-const SSLv31_ALERT_DESCR_INTERNAL_ERROR = 80;
-const SSLv31_ALERT_DESCR_USER_CANCELED = 90;
-const SSLv31_ALERT_DESCR_NO_RENEGOTIATION = 100;
-
-# --- This is a table of all known alert descriptions.
-# --- It can be used for detecting unknown alerts and for
-# --- converting the alert descriptions constants into a human readable format.
-
-const ssl_alert_desc: table[count] of string = {
-	# --- SSLv2
-	[SSLv2_PE_NO_CIPHER] = "SSLv2_PE_NO_CIPHER",
-	[SSLv2_PE_NO_CERTIFICATE] = "SSLv2_PE_NO_CERTIFICATE",
-	[SSLv2_PE_BAD_CERTIFICATE] = "SSLv2_PE_BAD_CERTIFICATE",
-	[SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE] =
-		"SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE",
-
-	# --- sslv30
-	[SSLv30_ALERT_DESCR_NO_CERTIFICATE] =
-		"SSLv30_ALERT_DESCR_NO_CERTIFICATE",
-
-	# --- sslv31
-	[SSLv31_ALERT_DESCR_DESCRYPTION_FAILED] =
-		"SSLv31_ALERT_DESCR_DESCRYPTION_FAILED",
-	[SSLv31_ALERT_DESCR_RECORD_OVERFLOW] =
-		"SSLv31_ALERT_DESCR_RECORD_OVERFLOW",
-	[SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER] =
-		"SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER",
-	[SSLv31_ALERT_DESCR_UNKNOWN_CA] = "SSLv31_ALERT_DESCR_UNKNOWN_CA",
-	[SSLv31_ALERT_DESCR_ACCESS_DENIED] = "SSLv31_ALERT_DESCR_ACCESS_DENIED",
-	[SSLv31_ALERT_DESCR_DECODE_ERROR] = "SSLv31_ALERT_DESCR_DECODE_ERROR",
-	[SSLv31_ALERT_DESCR_DECRYPT_ERROR] = "SSLv31_ALERT_DESCR_DECRYPT_ERROR",
-	[SSLv31_ALERT_DESCR_EXPORT_RESTRICTION] =
-		"SSLv31_ALERT_DESCR_EXPORT_RESTRICTION",
-	[SSLv31_ALERT_DESCR_PROTOCOL_VERSION] =
-		"SSLv31_ALERT_DESCR_PROTOCOL_VERSION",
-	[SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY] =
-		"SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY",
-	[SSLv31_ALERT_DESCR_INTERNAL_ERROR] =
-		"SSLv31_ALERT_DESCR_INTERNAL_ERROR",
-	[SSLv31_ALERT_DESCR_USER_CANCELED] =
-		"SSLv31_ALERT_DESCR_USER_CANCELED",
-	[SSLv31_ALERT_DESCR_NO_RENEGOTIATION] =
-		"SSLv31_ALERT_DESCR_NO_RENEGOTIATION",
-
-	# -- sslv3.0 and sslv3.1
-	[SSLv3x_ALERT_DESCR_CLOSE_NOTIFY] = "SSLv3x_ALERT_DESCR_CLOSE_NOTIFY",
-	[SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE] =
-		"SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE",
-	[SSLv3x_ALERT_DESCR_BAD_RECORD_MAC] =
-		"SSLv3x_ALERT_DESCR_BAD_RECORD_MAC",
-	[SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE] =
-		"SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE",
-	[SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE] =
-		"SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE",
-	[SSLv3x_ALERT_DESCR_BAD_CERTIFICATE] =
-		"SSLv3x_ALERT_DESCR_BAD_CERTIFICATE",
-	[SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE] =
-		"SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE",
-	[SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED] =
-		"SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED",
-	[SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED] =
-		"SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED",
-	[SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN] =
-		"SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN",
-};
-
-# --- definitions for SSLv2 error levels:
-# NOTE: We currently use the SSLv3x alert levels "WARNING" and "FATAL"
-#       for SSLv2, since SSLv2 does not support an explicit error level.
-
-# --- definitions for SSLv3.0/SSLv3.1 alert levels
-const SSLv3x_ALERT_LEVEL_WARNING = 1;
-const SSLv3x_ALERT_LEVEL_FATAL = 2;
-
-# --- This is a table of all known alert levels.
-# --- It can be used for detecting unknown alert levels and for
-# --- converting the alert level constants into a human readable format.
-
-const ssl_alert_level: table[count] of string = {
-	[SSLv3x_ALERT_LEVEL_WARNING] = "SSLv3x_ALERT_LEVEL_WARNING",
-	[SSLv3x_ALERT_LEVEL_FATAL] = "SSLv3x_ALERT_LEVEL_FATAL",
-};
diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro
deleted file mode 100644
index 143244d364..0000000000
--- a/policy/ssl-ciphers.bro
+++ /dev/null
@@ -1,485 +0,0 @@
-# $Id: ssl-ciphers.bro 5857 2008-06-26 23:00:03Z vern $
-
-# --- constant definitions of the cipher specs ---
-
-# --- sslv2 ---
-const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
-const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
-const SSLv20_CK_RC2_128_CBC_WITH_MD5 = 0x030080;
-const SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080;
-const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080;
-const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040;
-const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0;
-
-# --- sslv3x ---
-
-const SSLv3x_NULL_WITH_NULL_NULL  = 0x0000;
-
-# The following CipherSuite definitions require that the server
-# provide an RSA certificate that can be used for key exchange.  The
-# server may request either an RSA or a DSS signature-capable
-# certificate in the certificate request message.
-
-const SSLv3x_RSA_WITH_NULL_MD5 = 0x0001;
-const SSLv3x_RSA_WITH_NULL_SHA = 0x0002;
-const SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
-const SSLv3x_RSA_WITH_RC4_128_MD5 = 0x0004;
-const SSLv3x_RSA_WITH_RC4_128_SHA = 0x0005;
-const SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
-const SSLv3x_RSA_WITH_IDEA_CBC_SHA = 0x0007;
-const SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
-const SSLv3x_RSA_WITH_DES_CBC_SHA = 0x0009;
-const SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
-
-# The following CipherSuite definitions are used for
-# server-authenticated (and optionally client-authenticated)
-# Diffie-Hellman.  DH denotes cipher suites in which the server's
-# certificate contains the Diffie-Hellman parameters signed by the
-# certificate authority (CA).  DHE denotes ephemeral Diffie-Hellman,
-# where the Diffie-Hellman parameters are signed by a DSS or RSA
-# certificate, which has been signed by the CA.  The signing
-# algorithm used is specified after the DH or DHE parameter.  In all
-# cases, the client must have the same type of certificate, and must
-# use the Diffie-Hellman parameters chosen by the server.
-
-const SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
-const SSLv3x_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
-const SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
-const SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
-const SSLv3x_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
-const SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
-const SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
-const SSLv3x_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
-const SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
-const SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
-const SSLv3x_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
-const SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
-
-#  The following cipher suites are used for completely anonymous
-#  Diffie-Hellman communications in which neither party is
-#  authenticated.  Note that this mode is vulnerable to
-#  man-in-the-middle attacks and is therefore strongly discouraged.
-
-const SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017;
-const SSLv3x_DH_anon_WITH_RC4_128_MD5 = 0x0018;
-const SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
-const SSLv3x_DH_anon_WITH_DES_CBC_SHA = 0x001A;
-const SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B;
-
-#   The final cipher suites are for the FORTEZZA token.
-
-const SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
-const SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
-# This seems to be assigned to a Kerberos cipher in TLS 1.1
-#const SSLv3x_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E; 
-
-
-# Following are some newer ciphers defined in RFC 4346 (TLS 1.1)
-
-# Kerberos ciphers
-
-const SSLv3x_KRB5_WITH_DES_CBC_SHA           = 0x001E;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA      = 0x001F;
-const SSLv3x_KRB5_WITH_RC4_128_SHA           = 0x0020;
-const SSLv3x_KRB5_WITH_IDEA_CBC_SHA          = 0x0021;
-const SSLv3x_KRB5_WITH_DES_CBC_MD5           = 0x0022;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5      = 0x0023;
-const SSLv3x_KRB5_WITH_RC4_128_MD5           = 0x0024;
-const SSLv3x_KRB5_WITH_IDEA_CBC_MD5          = 0x0025;
-
-# Kerberos export ciphers
-
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA     = 0x0028;
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5     = 0x002B;
-
-
-# AES ciphers
-
-const SSLv3x_RSA_WITH_AES_128_CBC_SHA        = 0x002F;
-const SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA     = 0x0030;
-const SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA     = 0x0031;
-const SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA    = 0x0032;
-const SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA    = 0x0033;
-const SSLv3x_DH_anon_WITH_AES_128_CBC_SHA    = 0x0034;
-const SSLv3x_RSA_WITH_AES_256_CBC_SHA        = 0x0035;
-const SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA     = 0x0036;
-const SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA     = 0x0037;
-const SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA    = 0x0038;
-const SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA    = 0x0039;
-const SSLv3x_DH_anon_WITH_AES_256_CBC_SHA    = 0x003A;
-
-# Mostly more RFC defined suites
-const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      = 0x0041; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   = 0x0042; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   = 0x0043; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  = 0x0044; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  = 0x0045; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  = 0x0046; # [RFC4132]
-
-# The following are tagged as "Widely Deployed implementation":
-const TLS_ECDH_ECDSA_WITH_NULL_SHA           = 0x0047;
-const TLS_ECDH_ECDSA_WITH_RC4_128_SHA        = 0x0048;
-const TLS_ECDH_ECDSA_WITH_DES_CBC_SHA        = 0x0049;
-const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA   = 0x004A;
-const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA    = 0x004B;
-const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA    = 0x004C;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5       = 0x0060;
-const TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5   = 0x0061;
-const TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA      = 0x0062;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  = 0x0063;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA       = 0x0064;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA   = 0x0065;
-const TLS_CK_DHE_DSS_WITH_RC4_128_SHA             = 0x0066;
-
-const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      = 0x0084; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   = 0x0085; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   = 0x0086; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  = 0x0087; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  = 0x0088; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  = 0x0089; # [RFC4132]
-const TLS_PSK_WITH_RC4_128_SHA               = 0x008A; # [RFC4279]
-const TLS_PSK_WITH_3DES_EDE_CBC_SHA          = 0x008B; # [RFC4279]
-const TLS_PSK_WITH_AES_128_CBC_SHA           = 0x008C; # [RFC4279]
-const TLS_PSK_WITH_AES_256_CBC_SHA           = 0x008D; # [RFC4279]
-const TLS_DHE_PSK_WITH_RC4_128_SHA           = 0x008E; # [RFC4279]
-const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA      = 0x008F; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_128_CBC_SHA       = 0x0090; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_256_CBC_SHA       = 0x0091; # [RFC4279]
-const TLS_RSA_PSK_WITH_RC4_128_SHA           = 0x0092; # [RFC4279]
-const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA      = 0x0093; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_128_CBC_SHA       = 0x0094; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_256_CBC_SHA       = 0x0095; # [RFC4279]
-const TLS_RSA_WITH_SEED_CBC_SHA              = 0x0096; # [RFC4162]
-const TLS_DH_DSS_WITH_SEED_CBC_SHA           = 0x0097; # [RFC4162]
-const TLS_DH_RSA_WITH_SEED_CBC_SHA           = 0x0098; # [RFC4162]
-const TLS_DHE_DSS_WITH_SEED_CBC_SHA          = 0x0099; # [RFC4162]
-const TLS_DHE_RSA_WITH_SEED_CBC_SHA          = 0x009A; # [RFC4162]
-const TLS_DH_anon_WITH_SEED_CBC_SHA          = 0x009B; # [RFC4162]
-
-
-# Cipher specifications native to TLS can be included in Version 2.0 client
-# hello messages using the syntax below. Any V2CipherSpec element with its
-# first byte equal to zero will be ignored by Version 2.0 servers. Clients
-# sending any of the above V2CipherSpecs should also include the TLS equivalent
-# (see Appendix A.5):
-# V2CipherSpec (see TLS name) = { 0x00, CipherSuite };
-
-
-# --- This is a table of all known cipher specs.
-# --- It can be used for detecting unknown ciphers and for
-# --- converting the cipher spec constants into a human readable format.
-
-const ssl_cipher_desc: table[count] of string = {
-	# --- sslv20 ---
-	[SSLv20_CK_RC4_128_EXPORT40_WITH_MD5] =
-		"SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
-	[SSLv20_CK_RC4_128_WITH_MD5] = "SSLv20_CK_RC4_128_WITH_MD5",
-	[SSLv20_CK_RC2_128_CBC_WITH_MD5] = "SSLv20_CK_RC2_128_CBC_WITH_MD5",
-	[SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5] =
-		"SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
-	[SSLv20_CK_IDEA_128_CBC_WITH_MD5] = "SSLv20_CK_IDEA_128_CBC_WITH_MD5",
-	[SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5] =
-		"SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
-	[SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
-
-	# --- sslv3x ---
-	[SSLv3x_NULL_WITH_NULL_NULL] = "SSLv3x_NULL_WITH_NULL_NULL",
-
-	[SSLv3x_RSA_WITH_NULL_MD5] = "SSLv3x_RSA_WITH_NULL_MD5",
-	[SSLv3x_RSA_WITH_NULL_SHA] = "SSLv3x_RSA_WITH_NULL_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_RSA_WITH_RC4_128_MD5] = "SSLv3x_RSA_WITH_RC4_128_MD5",
-	[SSLv3x_RSA_WITH_RC4_128_SHA] = "SSLv3x_RSA_WITH_RC4_128_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5] =
-		"SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
-	[SSLv3x_RSA_WITH_IDEA_CBC_SHA] = "SSLv3x_RSA_WITH_IDEA_CBC_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_RSA_WITH_DES_CBC_SHA] = "SSLv3x_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA] = "SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DH_DSS_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DH_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DHE_DSS_WITH_DES_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DHE_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_DH_anon_WITH_RC4_128_MD5] = "SSLv3x_DH_anon_WITH_RC4_128_MD5",
-	[SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_DES_CBC_SHA] = "SSLv3x_DH_anon_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA] =
-		"SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA",
-	[SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] =
-		"SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
-	[SSLv3x_KRB5_WITH_DES_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_DES_CBC_SHA",
-	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_KRB5_WITH_RC4_128_SHA] =
-		"SSLv3x_KRB5_WITH_RC4_128_SHA",
-	[SSLv3x_KRB5_WITH_IDEA_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_IDEA_CBC_SHA",
-	[SSLv3x_KRB5_WITH_DES_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_DES_CBC_MD5",
-	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5",
-	[SSLv3x_KRB5_WITH_RC4_128_MD5] =
-		"SSLv3x_KRB5_WITH_RC4_128_MD5",
-	[SSLv3x_KRB5_WITH_IDEA_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_IDEA_CBC_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_AES_128_CBC_SHA",
-	[SSLv3x_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_AES_256_CBC_SHA",
-		
-    [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_NULL_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-    [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-    [TLS_ECDH_ECDSA_WITH_DES_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
-    [TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA",
-    [TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = 
-        "TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA",
-    [TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = 
-        "TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
-    [TLS_CK_DHE_DSS_WITH_RC4_128_SHA] = 
-        "TLS_CK_DHE_DSS_WITH_RC4_128_SHA",
-    [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_PSK_WITH_RC4_128_SHA] = 
-        "TLS_PSK_WITH_RC4_128_SHA",
-    [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_DHE_PSK_WITH_RC4_128_SHA] = 
-        "TLS_DHE_PSK_WITH_RC4_128_SHA",
-    [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_RSA_PSK_WITH_RC4_128_SHA] = 
-        "TLS_RSA_PSK_WITH_RC4_128_SHA",
-    [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DH_DSS_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_SEED_CBC_SHA",
-    [TLS_DH_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
-    [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DH_anon_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_anon_WITH_SEED_CBC_SHA"
-};
-
-
-# --- the following sets are provided for convenience
-
-# --- this set holds all EXPORT ciphers
-const ssl_cipherset_EXPORT: set[count] = {
-	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
-	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
-};
-
-# --- this set holds all DES ciphers
-const ssl_cipherset_DES: set[count] = {
-	SSLv20_CK_DES_64_CBC_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
-	SSLv3x_KRB5_WITH_DES_CBC_SHA,
-	SSLv3x_KRB5_WITH_DES_CBC_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5
-};
-
-
-# --- this set holds all 3DES ciphers
-const ssl_cipherset_3DES: set[count] = {
-	SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5,
-	SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5
-};
-
-# --- this set holds all RC2 ciphers
-const ssl_cipherset_RC2: set[count] = {
-	SSLv20_CK_RC2_128_CBC_WITH_MD5,
-	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
-};
-
-# --- this set holds all RC4 ciphers
-const ssl_cipherset_RC4: set[count] = {
-	SSLv20_CK_RC4_128_WITH_MD5,
-	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_WITH_RC4_128_MD5,
-	SSLv3x_RSA_WITH_RC4_128_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_WITH_RC4_128_MD5,
-	SSLv3x_KRB5_WITH_RC4_128_SHA,
-	SSLv3x_KRB5_WITH_RC4_128_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
-};
-
-# --- this set holds all IDEA ciphers
-const ssl_cipherset_IDEA: set[count] = {
-	SSLv20_CK_IDEA_128_CBC_WITH_MD5,
-	SSLv3x_RSA_WITH_IDEA_CBC_SHA,
-	SSLv3x_KRB5_WITH_IDEA_CBC_SHA,
-	SSLv3x_KRB5_WITH_IDEA_CBC_MD5
-};
-
-# --- this set holds all AES ciphers
-const ssl_cipherset_AES: set[count] = {
-	SSLv3x_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_anon_WITH_AES_128_CBC_SHA,
-	SSLv3x_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_anon_WITH_AES_256_CBC_SHA
-};
diff --git a/policy/ssl-errors.bro b/policy/ssl-errors.bro
deleted file mode 100644
index 9751174e7d..0000000000
--- a/policy/ssl-errors.bro
+++ /dev/null
@@ -1,74 +0,0 @@
-# $Id: ssl-errors.bro 6 2004-04-30 00:31:26Z jason $
-
-# --- const defns of error messages
-const X509_V_OK = +0;
-const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = +1;
-const X509_V_ERR_UNABLE_TO_GET_CRL = +2;
-const X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = +3;
-const X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = +4;
-const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = +5;
-const X509_V_ERR_CERT_SIGNATURE_FAILURE = +6;
-const X509_V_ERR_CRL_SIGNATURE_FAILURE = +7;
-const X509_V_ERR_CERT_NOT_YET_VALID = +8;
-const X509_V_ERR_CERT_HAS_EXPIRED = +9;
-const X509_V_ERR_CRL_NOT_YET_VALID = +10;
-const X509_V_ERR_CRL_HAS_EXPIRED = +11;
-const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = +12;
-const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = +13;
-const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = +14;
-const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = +15;
-const X509_V_ERR_OUT_OF_MEM = +16;
-const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = +17;
-const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = +18;
-const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = +19;
-const X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = +20;
-const X509_V_ERR_CERT_CHAIN_TOO_LONG = +21;
-const X509_V_ERR_CERT_REVOKED = +22;
-const X509_V_ERR_INVALID_CA = +23;
-const X509_V_ERR_PATH_LENGTH_EXCEEDED = +24;
-const X509_V_ERR_INVALID_PURPOSE = +25;
-const X509_V_ERR_CERT_UNTRUSTED = +26;
-const X509_V_ERR_CERT_REJECTED = +27;
-const X509_V_ERR_SUBJECT_ISSUER_MISMATCH = +28;
-const X509_V_ERR_AKID_SKID_MISMATCH = +29;
-const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = +30;
-const X509_V_ERR_KEYUSAGE_NO_CERTSIGN = +31;
-const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = +32;
-const X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = +33;
-
-const x509_errors: table[int] of string = {
-	[+0] = "X509_V_OK",
-	[+1] = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
-	[+2] = "X509_V_ERR_UNABLE_TO_GET_CRL",
-	[+3] = "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE",
-	[+4] = "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE",
-	[+5] = "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY",
-	[+6] = "X509_V_ERR_CERT_SIGNATURE_FAILURE",
-	[+7] = "X509_V_ERR_CRL_SIGNATURE_FAILURE",
-	[+8] = "X509_V_ERR_CERT_NOT_YET_VALID",
-	[+9] = "X509_V_ERR_CERT_HAS_EXPIRED",
-	[+10] = "X509_V_ERR_CRL_NOT_YET_VALID",
-	[+11] = "X509_V_ERR_CRL_HAS_EXPIRED",
-	[+12] = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD",
-	[+13] = "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD",
-	[+14] = "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD",
-	[+15] = "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD",
-	[+16] = "X509_V_ERR_OUT_OF_MEM",
-	[+17] = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
-	[+18] = "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
-	[+19] = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
-	[+20] = "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
-	[+21] = "X509_V_ERR_CERT_CHAIN_TOO_LONG",
-	[+22] = "X509_V_ERR_CERT_REVOKED",
-	[+23] = "X509_V_ERR_INVALID_CA",
-	[+24] = "X509_V_ERR_PATH_LENGTH_EXCEEDED",
-	[+25] = "X509_V_ERR_INVALID_PURPOSE",
-	[+26] = "X509_V_ERR_CERT_UNTRUSTED",
-	[+27] = "X509_V_ERR_CERT_REJECTED",
-	[+28] = "X509_V_ERR_SUBJECT_ISSUER_MISMATCH",
-	[+29] = "X509_V_ERR_AKID_SKID_MISMATCH",
-	[+30] = "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH",
-	[+31] = "X509_V_ERR_KEYUSAGE_NO_CERTSIGN",
-	[+32] = "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
-	[+33] = "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
-};
diff --git a/policy/ssl-worm.bro b/policy/ssl-worm.bro
deleted file mode 100644
index a8db78eed3..0000000000
--- a/policy/ssl-worm.bro
+++ /dev/null
@@ -1,59 +0,0 @@
-# $Id: ssl-worm.bro 340 2004-09-09 06:38:27Z vern $
-
-@load signatures
-@load software
-@load alarm
-
-redef signature_files += "ssl-worm.sig";
-
-redef capture_filters +=  {
-	["ssl-worm"] = "udp port 2002 and src net 134.96"
-};
-
-function sslworm_is_server_vulnerable(state: signature_state): bool
-	{
-	local ip = state$conn$id$resp_h;
-
-	if ( ip !in software_table )
-		return F;
-
-	local softset = software_table[ip];
-
-	if ( "Apache" !in softset )
-		return F;
-
-	if ( "OpenSSL" !in softset )
-		return F;
-
-	local safe_version: software_version =
-		[$major = +0, $minor = +9, $minor2 = +6, $addl = "e"];
-
-	if ( software_cmp_version(softset["OpenSSL"]$version, safe_version) >= 0 )
-		return F;
-
-	return T;
-	}
-
-function sslworm_has_server_been_probed(state: signature_state): bool
-	{
-	# FIXME: Bro segfaults without the tmp variable
-	local result =
-		has_signature_matched("sslworm-probe",
-				state$conn$id$orig_h, state$conn$id$resp_h);
-
-	return result;
-	}
-
-function sslworm_has_server_been_exploited(state: signature_state): bool
-	{
-	# FIXME: I don't know which side starts the UDP conversation
-	local result =
-		has_signature_matched("sslworm-exploit",
-				state$conn$id$orig_h, state$conn$id$resp_h);
-
-	if ( ! result )
-		result = has_signature_matched("sslworm-exploit",
-				state$conn$id$resp_h, state$conn$id$orig_h);
-
-	return result;
-	}
diff --git a/policy/ssl.bro b/policy/ssl.bro
deleted file mode 100644
index 216abb2d10..0000000000
--- a/policy/ssl.bro
+++ /dev/null
@@ -1,537 +0,0 @@
-# $Id: ssl.bro 5988 2008-07-19 07:02:12Z vern $
-
-@load notice
-@load conn
-@load weird
-@load ssl-ciphers
-@load ssl-errors
-
-global ssl_log = open_log_file("ssl") &redef;
-
-redef enum Notice += {
-	SSL_X509Violation,	# blanket X509 error
-	SSL_SessConIncon,	# session data not consistent with connection
-};
-
-
-const SSLv2  = 0x0002;
-const SSLv3  = 0x0300;
-const TLSv10 = 0x0301;
-const TLSv11 = 0x0302;
-
-# If true, Bro stores the client and server cipher specs and performs
-# additional tests.  This costs an extra amount of memory (normally
-# only for a short time) but enables detecting of non-intersecting
-# cipher sets, for example.
-const ssl_compare_cipherspecs = T &redef;
-
-# Whether to analyze certificates seen in SSL connections.
-const ssl_analyze_certificates = T &redef;
-
-# If we analyze SSL certificates, we can choose to store them.
-const ssl_store_certificates = T &redef;
-
-# Path where we dump the certificates into.  If it's empty,
-# use the current directory.
-const ssl_store_cert_path = "certs" &redef;
-
-# If we analyze SSL certificates, we can choose to verify them.
-const ssl_verify_certificates = T &redef;
-
-# This is the path where OpenSSL looks after the trusted certificates.
-# If empty, the default path will be used.
-const x509_trusted_cert_path = "" &redef;
-
-# Whether to store key-material exchanged in the handshaking phase.
-const ssl_store_key_material = F &redef;
-
-# Report weak/unknown ciphers in CLIENT_HELLO, SSLv2 SERVER_HELLO.
-const ssl_report_client_weak = F &redef;
-const ssl_report_client_unknown = F &redef;
-const ssl_report_server_weak = F &redef;
-
-# Log all ciphers.
-const ssl_log_ciphers = T &redef;
-
-# NOTE: this is a 'local' port format for your site
-# --- well-known ports for ssl ---------
-redef capture_filters += {
-	["ssl"] = "tcp port 443",
-	["nntps"] = "tcp port 563",
-	["imap4-ssl"] = "tcp port 585",
-	["sshell"] = "tcp port 614",
-	["ldaps"] = "tcp port 636",
-	["ftps-data"] = "tcp port 989",
-	["ftps"] = "tcp port 990",
-	["telnets"] = "tcp port 992",
-	["imaps"] = "tcp port 993",
-	["ircs"] = "tcp port 994",
-	["pop3s"] = "tcp port 995"
-};
-
-global ssl_ports = {
-	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
-	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
-} &redef;
-
-redef dpd_config += {
-	[[ANALYZER_SSL, ANALYZER_SSL_BINPAC]] = [$ports = ssl_ports]
-};
-
-# --- Weak Cipher Demo -------------
-
-const myWeakCiphers: set[count] = {
-	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
-	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSLv20_CK_DES_64_CBC_WITH_MD5,
-
-	SSLv3x_NULL_WITH_NULL_NULL,
-	SSLv3x_RSA_WITH_NULL_MD5,
-	SSLv3x_RSA_WITH_NULL_SHA,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_RSA_WITH_DES_CBC_SHA,
-
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
-
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_WITH_RC4_128_MD5,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
-	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
-};
-
-const x509_ignore_errors: set[int] = {
-	X509_V_OK,
-	# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
-};
-
-const x509_hot_errors: set[int] = {
-	X509_V_ERR_CRL_SIGNATURE_FAILURE,
-	X509_V_ERR_CERT_NOT_YET_VALID,
-	X509_V_ERR_CERT_HAS_EXPIRED,
-	X509_V_ERR_CERT_REVOKED,
-	X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
-	# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	# for testing
-};
-
-redef Weird::weird_action += {
-	[["SSLv2: Unknown CIPHER-SPEC in CLIENT-HELLO!",
-	  "SSLv2: Client has CipherSpecs > MAX_CIPHERSPEC_SIZE",
-	  "unexpected_SSLv3_record",
-	  "SSLv3_data_without_full_handshake"]]	= Weird::WEIRD_IGNORE
-};
-
-
-global SSL_cipherCount: table[count] of count &default = 0;
-
-type ssl_connection_info: record {
-	id: count;			# the log identifier number
-	connection_id: conn_id;		# IP connection information
-	version: string;		# version assosciated with connection
-	client_cert: X509;
-	server_cert: X509;
-	id_index: string;		# index for associated SSL_sessionID
-	handshake_cipher: string;	# agreed-upon cipher for session/conn.
-};
-
-# SSL_sessionID index - used to track version assosciated with a session id.
-type SSL_sessionID_record: record {
-	num_reuse: count;
-	id: SSL_sessionID;	# literal session ID
-
-	# everything below is an example of session vs connection monitoring.
-	version: string;	# version assosciated with session id
-	client_cert: X509;
-	server_cert: X509;
-	handshake_cipher: string;
-};
-
-global ssl_connections: table[conn_id] of ssl_connection_info;
-global ssl_sessionIDs: table[string] of SSL_sessionID_record
-						&read_expire = 2 hrs;
-global ssl_connection_id = 0;
-
-# Used when there's no issuer/subject/cipher.
-const NONE = "<none>";
-
-# --- SSL helper functions ---------
-function new_ssl_connection(c: connection)
-	{
-	local conn = c$id;
-	local new_id = ++ssl_connection_id;
-
-	local info: ssl_connection_info;
-	info$id = new_id;
-	info$id_index = md5_hash(info$id);
-	info$version = "";
-	info$client_cert$issuer = NONE;
-	info$client_cert$subject = NONE;
-	info$server_cert$issuer = NONE;
-	info$server_cert$subject = NONE;
-	info$handshake_cipher = NONE;
-	info$connection_id = conn;
-
-	ssl_connections[conn] = info;
-	append_addl(c,  fmt("#%d", new_id));
-
-	print ssl_log, fmt("%.6f #%d %s start",
-				network_time(), new_id, id_string(conn));
-	}
-
-function new_sessionID_record(session: SSL_sessionID)
-	{
-	local info: SSL_sessionID_record;
-
-	info$num_reuse = 1;
-	info$client_cert$issuer = NONE;
-	info$client_cert$subject = NONE;
-	info$server_cert$issuer = NONE;
-	info$server_cert$subject = NONE;
-	info$handshake_cipher = NONE;
-
-	local index = md5_hash(session);
-	ssl_sessionIDs[index] = info;
-	}
-
-function ssl_get_cipher_name(cipherSuite: count): string
-	{
-	return cipherSuite in ssl_cipher_desc ?
-		ssl_cipher_desc[cipherSuite] : "UNKNOWN";
-	}
-
-function ssl_get_version_string(version: count): string
-	{
-	if ( version == SSLv2 )
-		return "SSL version 2";
-	else if ( version == SSLv3 )
-		return "SSL version 3";
-	else if ( version == TLSv10 )
-		return "TLS version 1.0";
-	else if ( version == TLSv11 )
-		return "TLS version 1.1";
-	else
-		return "?.?";
-	}
-
-function ssl_con2str(c: connection): string
-	{
-	return fmt("%s:%s -> %s:%s",
-			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
-	}
-
-function lookup_ssl_conn(c: connection, func: string, log_if_new: bool)
-	{
-	if ( c$id !in ssl_connections )
-		{
-		new_ssl_connection(c);
-
-		if ( log_if_new )
-			print ssl_log,
-				fmt("%.6f #%d creating new SSL connection in %s",
-					network_time(), ssl_connections[c$id]$id, func);
-		}
-	}
-
-event ssl_conn_weak(name: string, c: connection)
-	{
-	lookup_ssl_conn(c, "ssl_conn_weak", T);
-	print ssl_log, fmt("%.6f #%d %s",
-		network_time(), ssl_connections[c$id]$id, name);
-	}
-
-# --- SSL events -------------------
-
-event ssl_certificate_seen(c: connection, is_server: bool)
-	{
-	# Called whenever there's an certificate to analyze.
-	# we could do something here, like...
-
-	# if ( c$id$orig_h in hostsToIgnore )
-	#	{
-	#	ssl_store_certificates = F;
-	#	ssl_verify_certificates = F;
-	#	}
-	# else
-	#	{
-	#	ssl_store_certificates = T;
-	#	ssl_verify_certificates = T;
-	#	}
-	}
-
-event ssl_certificate(c: connection, cert: X509, is_server: bool)
-	{
-	local direction = is_local_addr(c$id$orig_h) ? "client" : "server";
-
-	lookup_ssl_conn(c, "ssl_certificate", T);
-	local conn = ssl_connections[c$id];
-
-	if( direction == "client" )
-		conn$client_cert = cert;
-	else
-		{
-		conn$server_cert = cert;
-
-		# We have not filled in the field for the master session
-		# for this connection.  Do it now, but only if this is not a
-		# SSLv2 connection (no session information in that case).
-		if ( conn$id_index in ssl_sessionIDs &&
-		     ssl_sessionIDs[conn$id_index]$server_cert$subject == NONE )
-			ssl_sessionIDs[conn$id_index]$server_cert$subject =
-				cert$subject;
-		}
-
-	print ssl_log, fmt("%.6f #%d X.509 %s issuer %s",
-			network_time(), conn$id, direction, cert$issuer);
-
-	print ssl_log, fmt("%.6f #%d X.509 %s subject %s",
-			network_time(), conn$id, direction, cert$subject);
-	}
-
-event ssl_conn_attempt(c: connection, version: count,
-			ciphers: cipher_suites_list)
-	{
-	lookup_ssl_conn(c, "ssl_conn_attempt", F);
-	local conn = ssl_connections[c$id];
-	local version_string = ssl_get_version_string(version);
-
-	print ssl_log, fmt("%.6f #%d SSL connection attempt %s",
-				network_time(), conn$id, version_string);
-
-	conn$version = version_string;
-
-	for ( cs in ciphers )
-		{ # display a list of the cipher suites
-		# Demo: report clients who support weak ciphers.
-		if ( ssl_report_client_weak && cs in myWeakCiphers )
-			event ssl_conn_weak(
-				fmt("SSL client supports weak cipher: %s (0x%x)",
-					ssl_get_cipher_name(cs), cs), c);
-
-		# Demo: report unknown ciphers.
-		if ( ssl_report_client_unknown && cs !in ssl_cipher_desc )
-			event ssl_conn_weak(
-				fmt("SSL: unknown cipher-spec: %s (0x%x)",
-					ssl_get_cipher_name(cs), cs), c);
-
-		if ( ssl_log_ciphers )
-			print ssl_log, fmt("%.6f #%d client cipher %s (0x%x)",
-					network_time(), conn$id,
-					ssl_get_cipher_name(cs), cs);
-		}
-	}
-
-event ssl_conn_server_reply(c: connection, version: count,
-				ciphers: cipher_suites_list)
-	{
-	lookup_ssl_conn(c, "ssl_conn_server_reply", T);
-
-	local conn = ssl_connections[c$id];
-	local version_string = ssl_get_version_string(version);
-
-	print ssl_log, fmt("%.6f #%d SSL connection server reply, %s",
-				network_time(), conn$id, version_string);
-
-	conn$version = version_string;
-
-	for ( cs in ciphers )
-		{
-		# Demo: report servers who support weak ciphers.
-		if ( ssl_report_server_weak && version == SSLv2 &&
-		     cs in myWeakCiphers )
-			event ssl_conn_weak(
-				fmt("SSLv2 server supports weak cipher: %s (0x%x)",
-					ssl_get_cipher_name(cs), cs), c);
-
-                if ( ssl_log_ciphers )
-                        print ssl_log, fmt("%.6f #%d server cipher %s (0x%x)",
-					network_time(), conn$id,
-                                        ssl_get_cipher_name(cs), cs);
-		}
-	}
-
-event ssl_conn_established(c: connection, version: count, cipher_suite: count)
-	{
-	lookup_ssl_conn(c, "ssl_conn_established", T);
-
-	local conn = ssl_connections[c$id];
-	local version_string = ssl_get_version_string(version);
-
-	print ssl_log,
-		fmt("%.6f #%d handshake finished, %s",
-			network_time(), conn$id, version_string);
-
-	if ( cipher_suite in myWeakCiphers )
-		event ssl_conn_weak(fmt("%.6f #%d weak cipher: %s (0x%x)",
-			network_time(), conn$id,
-			ssl_get_cipher_name(cipher_suite), cipher_suite), c);
-
-	if ( ssl_log_ciphers )
-		print ssl_log, fmt("%.6f #%d connection cipher %s (0x%x)",
-			network_time(), conn$id,
-			ssl_get_cipher_name(cipher_suite), cipher_suite);
-
-	++SSL_cipherCount[cipher_suite];
-
-	# This should be the version identified with the session, unless
-	# there is some renegotiation.  That will be caught later.
-	conn$version = version_string;
-	}
-
-event process_X509_extensions(c: connection, ex: X509_extension)
-	{
-	lookup_ssl_conn(c, "process_X509_extensions", T);
-	local conn = ssl_connections[c$id];
-
-	local msg = fmt("%.6f #%d X.509 extensions: ", network_time(), conn$id);
-	for ( i in ex )
-		msg = fmt("%s, %s", msg, ex[i]);
-
-	print ssl_log, msg;
-	}
-
-event ssl_session_insertion(c: connection, id: SSL_sessionID)
-	{
-	local idd = c$id;
-
-	if ( idd !in ssl_connections)
-		{
-		new_ssl_connection(c);
-
-		print ssl_log,
-			fmt("%.6f #%d creating new SSL connection in ssl_session_insertion",
-				network_time(), ssl_connections[c$id]$id);
-
-		# None of the conn$object values will exist, so we leave this
-		# to prevent needless crashing.
-		return;
-		}
-
-	local conn = ssl_connections[idd];
-	local id_index = md5_hash(id);
-
-	# If there is no session with thIS id we create (a typical) one,
-	# otherwise we move on.
-	if ( id_index !in ssl_sessionIDs )
-		{
-		new_sessionID_record(id);
-
-		local session = ssl_sessionIDs[id_index];
-		session$version = conn$version;
-		session$client_cert$subject = conn$client_cert$subject;
-		session$server_cert$subject = conn$server_cert$subject;
-		session$handshake_cipher = conn$handshake_cipher;
-		session$id = id;
-
-		conn$id_index = id_index;
-		}
-
-	else
-		{ # should we ever get here?
-		session = ssl_sessionIDs[id_index];
-		conn$id_index = id_index;
-		}
-	}
-
-event ssl_conn_reused(c: connection, session_id: SSL_sessionID)
-	{
-	lookup_ssl_conn(c, "ssl_conn_reused", T);
-	local conn = ssl_connections[c$id];
-	local id_index = md5_hash(session_id);
-
-	print ssl_log, fmt("%.6f #%d reusing former SSL session: %s",
-				network_time(), conn$id, id_index);
-
-	# We cannot track sessions with SSLv2.
-	if ( conn$version == ssl_get_version_string(SSLv2) )
-		return;
-
-	if ( id_index !in ssl_sessionIDs )
-		{
-		new_sessionID_record(session_id);
-		local session = ssl_sessionIDs[id_index];
-		session$version = conn$version;
-		session$client_cert$subject = conn$client_cert$subject;
-		session$server_cert$subject = conn$server_cert$subject;
-		session$id = session_id;
-		}
-	else
-		session = ssl_sessionIDs[id_index];
-
-	++session$num_reuse;
-
-	# At this point, the connection values have been set.  We can then
-	# compare session and connection values with some confidence.
-	if ( session$version != conn$version ||
-	     session$handshake_cipher != conn$handshake_cipher )
-		{
-		NOTICE([$note=SSL_SessConIncon, $conn=c,
-			$msg="session violation"]);
-		++c$hot;
-		}
-	}
-
-event ssl_X509_error(c: connection, err: int, err_string: string)
-	{
-	if ( err in x509_ignore_errors )
-		return;
-
-	lookup_ssl_conn(c, "ssl_X509_error", T);
-	local conn = ssl_connections[c$id];
-	local error =
-		err in x509_errors ?  x509_errors[err] : "unknown X.509 error";
-
-	local severity = "warning";
-	if ( err in x509_hot_errors )
-		{
-		NOTICE([$note=SSL_X509Violation, $conn=c, $msg=error]);
-		++c$hot;
-		severity = "error";
-		}
-
-	print ssl_log,
-		fmt("%.6f #%d X.509 %s %s (%s)",
-			network_time(), conn$id, severity, error, err_string);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	delete ssl_connections[c$id];
-	}
-
-event bro_init()
-	{
-	if ( ssl_store_cert_path != "" )
-		# The event engine will generate a run-time if this fails for
-		# reasons other than that the directory already exists.
-		mkdir(ssl_store_cert_path);
-	}
-
-event bro_done()
-	{
-	print ssl_log, "Cipher suite statistics: ";
-	for ( i in SSL_cipherCount )
-		print ssl_log, fmt("%s (0x%x): %d", ssl_get_cipher_name(i), i,
-					SSL_cipherCount[i]);
-
-	print ssl_log, ("count     session ID");
-	print ssl_log, ("-----     ---------------------------------");
-	for ( j in ssl_sessionIDs )
-		if ( ssl_sessionIDs[j]$server_cert$subject != NONE )
-			{
-			print ssl_log,
-				fmt("(%s)      %s   %s",
-					ssl_sessionIDs[j]$num_reuse,
-					ssl_sessionIDs[j]$server_cert$subject,
-					j);
-			}
-	}
diff --git a/policy/stats.bro b/policy/stats.bro
deleted file mode 100644
index b0a35c09a6..0000000000
--- a/policy/stats.bro
+++ /dev/null
@@ -1,133 +0,0 @@
-# $Id: stats.bro 4011 2007-02-28 07:01:12Z vern $
-
-# Track memory/lag statistics.  Differs from profiling.bro in that this
-# is lighter-weight (much less info, and less load to generate).
-
-@load notice
-
-redef enum Notice += {
-	ResourceStats,		# generated when running live packet capture
-	OfflineResourceStats,	# generated when reading trace files
-};
-
-# ResourceStats should by default be sent to the notice file
-redef notice_action_filters += {
-	[[ResourceStats, OfflineResourceStats]] = file_notice
-};
-
-global last_stats_time = current_time();
-global last_stats_CPU_time =
-	resource_usage()$user_time + resource_usage()$system_time;
-
-# Global to store the last net_stats object received.
-global last_packet_stat: net_stats;
-
-# Globals to store the results between reporting intervals
-global stat_packets_received = 0;
-global stat_packets_dropped = 0;
-global stat_packets_link = 0;
-
-global last_packets_processed = 0;
-global last_events_dispatched = 0;
-global last_events_queued = 0;
-
-# Interval in which the results are sent as a notice.  If this is less
-# than heartbeat_interval, then it is set to heartbeat_interval, since
-# some of the reported statistics are only gathered via the heartbeat.
-global stats_report_interval = 10 sec &redef;
-
-event check_stats()
-	{
-	local now = current_time();
-	local lag = now - network_time();
-	local report_delta = now - last_stats_time;
-
-	local res = resource_usage();
-	local mem = res$mem;
-	local total_CPU_time = res$user_time + res$system_time;
-	local CPU_util = (total_CPU_time - last_stats_CPU_time) / report_delta;
-
-	if ( bro_is_terminating() )
-		# No more stats will be written or scheduled when Bro is
-		# shutting down.
-		return;
-
-	local delta_pkts_processed = res$num_packets - last_packets_processed;
-	local delta_events = res$num_events_dispatched - last_events_dispatched;
-	local delta_queued = res$num_events_queued - last_events_queued;
-
-	local stat_msg =
-		fmt("mem=%dMB pkts_proc=%d events_proc=%d events_queued=%d",
-			mem / 1000000, delta_pkts_processed,
-			delta_events, delta_queued);
-
-	if ( reading_live_traffic() )
-		{
-		stat_msg = fmt("%s et=%.2f lag=%fsec util=%.01f%% pkts_rcv=%d pkts_drp=%d pkts_link=%d",
-				stat_msg, report_delta, lag, CPU_util * 100.0,
-				stat_packets_received, stat_packets_dropped,
-				stat_packets_link);
-		NOTICE([$note=ResourceStats, $msg=stat_msg]);
-		}
-
-	else if ( reading_traces() )
-		NOTICE([$note=OfflineResourceStats, $msg=stat_msg]);
-
-	else
-		{
-		# Remote communication only.
-		stat_msg = fmt("mem=%dMB events_proc=%d events_queued=%d lag=%fsec util=%.01f%%",
-				mem / 1000000, delta_events, delta_queued,
-				lag, CPU_util * 100.0 );
-		NOTICE([$note=ResourceStats, $msg=stat_msg]);
-		}
-
-	last_stats_time = now;
-	last_stats_CPU_time = total_CPU_time;
-	last_packets_processed = res$num_packets;
-	last_events_dispatched = res$num_events_dispatched;
-	last_events_queued = res$num_events_queued;
-
-	stat_packets_received = 0;
-	stat_packets_dropped = 0;
-
-	schedule stats_report_interval { check_stats() };
-	}
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	if ( ns$pkts_recvd > last_packet_stat$pkts_recvd )
-		stat_packets_received +=
-			ns$pkts_recvd - last_packet_stat$pkts_recvd;
-
-	if ( ns$pkts_dropped > last_packet_stat$pkts_dropped )
-		stat_packets_dropped +=
-			ns$pkts_dropped - last_packet_stat$pkts_dropped;
-
-	if ( ns$pkts_link > last_packet_stat$pkts_link )
-		stat_packets_link += ns$pkts_link - last_packet_stat$pkts_link;
-
-	last_packet_stat = ns;
-	}
-
-event start_check_stats()
-	{
-	# Can't start reporting data until network_time() is up.
-	local zero_time: time = 0;
-
-	if ( network_time() > zero_time )
-		schedule stats_report_interval { check_stats() };
-	else
-		schedule stats_report_interval { start_check_stats() };
-	}
-
-event bro_init()
-	{
-	last_packet_stat$pkts_recvd = last_packet_stat$pkts_dropped =
-		last_packet_stat$pkts_link = 0;
-
-	if ( stats_report_interval < heartbeat_interval )
-		stats_report_interval = heartbeat_interval;
-
-	schedule stats_report_interval { start_check_stats() };
-	}
diff --git a/policy/stepping.bro b/policy/stepping.bro
deleted file mode 100644
index e9aed914e1..0000000000
--- a/policy/stepping.bro
+++ /dev/null
@@ -1,485 +0,0 @@
-# $Id: stepping.bro 6481 2008-12-15 00:47:57Z vern $
-
-@load notice
-@load port-name
-@load demux
-@load login
-@load alarm
-
-module Stepping;
-
-export {
-	redef enum Notice += {
-		# A stepping stone was seen in which the first part of
-		# the chain is a clear-text connection but the second part
-		# is encrypted.  This often means that a password or
-		# passphrase has been exposed in the clear, and may also
-		# mean that the user has an incomplete notion that their
-		# connection is protected from eavesdropping.
-		ClearToEncrypted_SS,
-	};
-}
-
-global step_log = open_log_file("step") &redef;
-
-# The following must be defined for the event engine to generate
-# stepping stone events.
-redef stp_delta = 0.08 sec;
-redef stp_idle_min = 0.5 sec;
-
-global stepping_stone: event(c1: connection, c2: connection, method: string);
-
-#### First, tag-based schemes - $DISPLAY, Last Login ####
-
-# If <conn> was a login to <dst> propagating a $DISPLAY of <display>,
-# then we make an entry of [<dst>, <display>] = <conn>.
-global display_pairs: table[addr, string] of connection;
-
-# Maps login tags like "Last login ..." to connections.
-global tag_to_conn_map: table[string] of connection;
-
-type tag_info: record {
-	display: string;	# $DISPLAY, if any
-	tag: string;		# login tag, e.g. "Last login ..."
-};
-
-global conn_tag_info: table[conn_id] of tag_info;
-
-const STONE_DISPLAY = 1;
-const STONE_LOGIN_BANNER = 2;
-const STONE_TIMING = 4;
-### fixme
-global detected_stones: table[addr, port, addr, port, addr, port, addr, port]
-	of count &default = 0;
-global did_stone_summary: table[addr, port, addr, port, addr, port, addr, port]
-	of count &default = 0;
-
-function new_tag_info(c: connection)
-	{
-	local ti: tag_info;
-	ti$tag = ti$display = "";
-	conn_tag_info[c$id] = ti;
-	}
-
-event login_display(c: connection, display: string)
-	{
-	local id = c$id;
-	if ( id !in conn_tag_info )
-		new_tag_info(c);
-
-	conn_tag_info[id]$display = display;
-	display_pairs[id$resp_h, display] = c;
-
-	if ( [id$orig_h, display] in display_pairs )
-		event Stepping::stepping_stone(display_pairs[id$orig_h, display], c, "display");
-	}
-
-event login_output_line(c: connection, line: string)
-	{
-	if  ( /^([Ll]ast +(successful)? *login)/ | /^Last interactive login/
-	     !in line ||
-	      # Some finger output includes "Last login ..." but luckily
-	      # appears to be terminated by ctrl-A.
-	      /\001/ in line )
-		return;
-
-	if ( c$id !in conn_tag_info )
-		new_tag_info(c);
-
-	local ti = conn_tag_info[c$id];
-	local tag = line;
-
-	if ( ti$tag == "" )
-		ti$tag = tag;
-
-	if ( tag in tag_to_conn_map )
-		{
-		local c2 = tag_to_conn_map[tag];
-
-		### Would really like this taken care of by having
-		# tag_to_conn_map[tag] deleted when c2 goes away.
-		if ( active_connection(c2$id) )
-			event Stepping::stepping_stone(c2, c, "login-tag");
-		}
-	else
-		tag_to_conn_map[tag] = c;
-	}
-
-event connection_finished(c: connection)
-	{
-	### would really like some automatic destructors invoked
-	### whenever a connection goes away
-	local id = c$id;
-	if ( id in conn_tag_info )
-		{
-		local ti = conn_tag_info[id];
-		delete display_pairs[id$resp_h, ti$display];
-		delete tag_to_conn_map[ti$tag];
-		delete conn_tag_info[id];
-		}
-	}
-
-
-#### Now, timing-based correlation ####
-
-const stp_ratio_thresh = 0.3 &redef;	# prop. of idle times that must coincide
-
-# Time scale to which following thresholds apply.
-const stp_scale =  100.0 &redef;
-
-const stp_common_host_thresh = 2 &redef; # must be <= stp_random_pair_thresh
-const stp_random_pair_thresh = 4 &redef;
-
-const stp_demux_disabled = T &redef;
-
-# Indexed by the center host (or destination of the first connection,
-# for ABCD stepping stones) and the $addl information associated with
-# the connection (i.e., often username).  If present in the set, then
-# we shouldn't bother generating a report for a clear->ssh stepping stone.
-const skip_clear_ssh_reports: set[addr, string] &redef;
-
-global num_stp_pairs = 0;
-
-type endp_info: record {
-	conn: connection;
-	id: conn_id;
-	resume_time: time; # time when resuming from most recent idle period
-	old_resume_time: time; # time when resuming from penultimate idle period
-	idle_cnt: count; # number of idle periods for this endpoint (flow)
-};
-
-type pair_info: record {
-	is_stp: bool; # true if flow pair considered a stepping stone pair
-	hit: count; # number of coincidences
-	hit_two_in_row: count; # number of coincidences two-in-row
-};
-
-# For connection k:
-#	stp_endps[2k] is the orig endpoint
-#	stp_endps[2k+1] is the resp endpoint
-global stp_endps: table[int] of endp_info;
-
-# Some endpoint pairs are weird, e.g., when two endp's share a common port.
-# Such weird endp pairs may be correlated, but are unlikely to be stepping
-# stone pairs.
-global stp_weird_pairs: set[int, int];
-
-# Normal (i.e., not weird) endp pairs.
-global stp_normal_pairs: table[int, int] of pair_info;
-
-function is_orig(e: int): bool
-	{
-	return (e % 2) == 0;
-	}
-
-function peer(e: int): int
-	{
-	return (e % 2) == 0 ? (e + 1): (e - 1);
-	}
-
-function orig_host(e: int): addr
-	{
-	return stp_endps[e]$id$orig_h;
-	}
-
-function resp_host(e: int): addr
-	{
-	return stp_endps[e]$id$resp_h;
-	}
-
-function orig_port(e: int): port
-	{
-	return stp_endps[e]$id$orig_p;
-	}
-
-function resp_port(e: int): port
-	{
-	return stp_endps[e]$id$resp_p;
-	}
-
-function build_conn(e: int): connection
-	{ # return the id of the orig, not the resp
-	return stp_endps[e]$conn;
-	}
-
-function stp_id_string(id: conn_id): string
-	{
-	return fmt("%s.%d > %s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-	}
-
-function stp_create_weird_pair(e1: int, e2: int)
-	{
-	add stp_weird_pairs[e1, e2];
-	}
-
-function stp_create_normal_pair(e1: int, e2: int)
-	{
-	local pair: pair_info;
-
-	pair$is_stp = F;
-	pair$hit = pair$hit_two_in_row = 0;
-
-	stp_normal_pairs[e1, e2] = pair;
-	}
-
-function stp_correlate_weird_pair(e1: int, e2: int)
-	{ # do nothing right now
-	}
-
-global stp_check_normal_pair: function(e1: int, e2: int): bool;
-
-function stp_correlate_normal_pair(e1: int, e2: int)
-	{
-	if ( stp_normal_pairs[e1, e2]$is_stp )
-		return; # already classified as stepping stone pair
-
-	++stp_normal_pairs[e1, e2]$hit;
-
-	if ( stp_endps[e1]$old_resume_time != 0.0 &&
-	     stp_endps[e2]$old_resume_time != 0.0 )
-		{
-		local dt = stp_endps[e2]$old_resume_time -
-			   stp_endps[e1]$old_resume_time;
-		if ( dt >= 0.0 sec && dt <= stp_delta )
-			++stp_normal_pairs[e1, e2]$hit_two_in_row;
-		}
-	stp_check_normal_pair(e1, e2);
-	}
-
-function stp_check_weird_pair(e1: int, e2: int)
-	{ # do nothing right now
-	}
-
-function stp_check_normal_pair(e1: int, e2: int): bool
-	{
-	if ( stp_normal_pairs[e1, e2]$is_stp )
-		return T; # already classified as stepping stone pair
-
-	local p1 = peer(e1);
-	local p2 = peer(e2);
-	local reverse_exists = [p2, p1] in stp_normal_pairs;
-
-	if ( reverse_exists && stp_normal_pairs[p2, p1]$is_stp )
-		{ # already classified as stepping stone pair
-		stp_normal_pairs[e1, e2]$is_stp = T;
-		return T;
-		}
-
-	local hit_two_in_row = stp_normal_pairs[e1, e2]$hit_two_in_row;
-	if ( reverse_exists )
-		hit_two_in_row = hit_two_in_row +
-				stp_normal_pairs[p2, p1]$hit_two_in_row;
-
-	# Criteria 1:
-	#	if ( e1 and e2 share a common host )
-	#		hit_two_in_row >= stp_common_host_thresh
-	#	else
-	#		hit_two_in_row >= stp_random_pair_thresh
-
-	local factor = max_double(1.0,
-				min_count(stp_endps[e1]$idle_cnt,
-					  stp_endps[e2]$idle_cnt) / stp_scale);
-
-	if ( hit_two_in_row < factor * stp_common_host_thresh )
-		return F;
-
-	if ( hit_two_in_row < factor * stp_random_pair_thresh &&
-	     orig_host(e1) != orig_host(e2) && orig_host(e1) != resp_host(e2) &&
-	     resp_host(e1) != orig_host(e2) && resp_host(e1) != resp_host(e2) )
-		return F;
-
-	# Criteria 2:
-	#	hit_ratio >= stp_ratio_thresh
-
-	local hit_ratio: double;
-	if ( reverse_exists &&
-	     stp_normal_pairs[p2, p1]$hit > stp_normal_pairs[e1, e2]$hit )
-		hit_ratio = (1.0 * stp_normal_pairs[p2, p1]$hit) /
-				min_count(stp_endps[p1]$idle_cnt,
-					  stp_endps[p2]$idle_cnt);
-	else
-		hit_ratio = (1.0 * stp_normal_pairs[e1, e2]$hit) /
-				min_count(stp_endps[e1]$idle_cnt,
-					  stp_endps[e2]$idle_cnt);
-
-	if ( hit_ratio < stp_ratio_thresh )
-		return F;
-
-	stp_normal_pairs[e1, e2]$is_stp = T;
-	event Stepping::stepping_stone(build_conn(e1), build_conn(e2), "timing");
-
-	return T;
-	}
-
-function reverse_id(id: conn_id): conn_id
-	{
-	local rid: conn_id;
-
-	rid$orig_h = id$resp_h;
-	rid$orig_p = id$resp_p;
-	rid$resp_h = id$orig_h;
-	rid$resp_p = id$orig_p;
-
-	return rid;
-	}
-
-event stp_create_endp(c: connection, e: int, is_orig: bool)
-	{
-	local end_i: endp_info;
-
-	end_i$conn = c;
-	end_i$id = is_orig ? c$id : reverse_id(c$id);
-	end_i$resume_time = end_i$old_resume_time = 0.0;
-	end_i$idle_cnt = 0;
-
-	stp_endps[e] = end_i;
-	}
-
-event stp_resume_endp(e: int)
-	{
-	stp_endps[e]$old_resume_time = stp_endps[e]$resume_time;
-	stp_endps[e]$resume_time = network_time();
-	++stp_endps[e]$idle_cnt;
-	}
-
-event stp_correlate_pair(e1: int, e2: int)
-	{
-	local normal = T;
-
-	if ( [e1, e2] in stp_normal_pairs )
-		;
-
-	else if ( [e1, e2] in stp_weird_pairs )
-		normal = F;
-
-	else
-		{
-		# An endpoint pair is considered weird, iff:
-		#	the two flows both originated at same host, or
-		#	both terminated at same host, or
-		#	at least one flow is within a single host, or
-		#	two flows share an endpoint (host, port)
-
-		if ( orig_host(e1) == orig_host(e2) || resp_host(e1) == resp_host(e2) ||
-		     orig_host(e1) == resp_host(e1) || orig_host(e2) == resp_host(e2) ||
-		     (orig_host(e1) == resp_host(e2) && orig_port(e1) == resp_port(e2)) ||
-		     (resp_host(e1) == orig_host(e2) && resp_port(e1) == orig_port(e2)) )
-			{
-			stp_create_weird_pair(e1, e2);
-			normal = F;
-			}
-		else
-			stp_create_normal_pair(e1, e2);
-		}
-
-	if ( normal )
-		stp_correlate_normal_pair(e1, e2);
-	else
-		stp_correlate_weird_pair(e1, e2);
-	}
-
-event stp_remove_pair(e1: int, e2: int)
-	{
-	delete stp_normal_pairs[e1, e2];
-	delete stp_weird_pairs[e1, e2];
-	}
-
-event stp_remove_endp(e: int)
-	{
-	delete stp_endps[e];
-	}
-
-
-function report_stone(id1: conn_id, addl1: string, id2: conn_id, addl2: string)
-: string
-	{
-	if ( id1$resp_h == id2$orig_h )
-		# A single-intermediary stepping stone.
-		return fmt("%s -> %s %s-> %s %s",
-				id1$orig_h,
-				endpoint_id(id1$resp_h, id1$resp_p), addl1,
-				endpoint_id(id2$resp_h, id2$resp_p), addl2);
-	else
-		# A multi-intermediary stepping stone.
-		return fmt("%s -> %s %s... %s -> %s %s",
-				id1$orig_h,
-				endpoint_id(id1$resp_h, id1$resp_p), addl1,
-				id2$orig_h,
-				endpoint_id(id2$resp_h, id2$resp_p), addl2);
-	}
-
-event stone_summary(id1: conn_id, id2: conn_id)
-	{
-	if ( ++did_stone_summary[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] > 1 )
-		return;
-
-	local detection_type = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
-
-	local report: string;
-
-	if ( detection_type == STONE_DISPLAY )
-		report = "only-display";
-	else if ( detection_type == STONE_LOGIN_BANNER )
-		report = "only-banner";
-	else if ( detection_type == STONE_TIMING )
-		report = "only-timing";
-	else if ( detection_type == STONE_LOGIN_BANNER + STONE_TIMING )
-		report = "stone-both";
-	else
-		report = fmt("stone-other-%d", detection_type);
-
-	print step_log, fmt("%s detected %s %s %d %s %d %s %d %s %d",
-		network_time(), report, id1$orig_h, id1$orig_p, id1$resp_h,
-		id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p);
-	}
-
-event stepping_stone(c1: connection, c2: connection, method: string)
-	{
-	# Put into canonical form: make #1 be the earlier of the two
-	# connections.
-	local id1 = c1$start_time < c2$start_time ? c1$id : c2$id;
-	local id2 = c1$start_time < c2$start_time ? c2$id : c1$id;
-
-	local addl1 = c1$start_time < c2$start_time ? c1$addl : c2$addl;
-	local addl2 = c1$start_time < c2$start_time ? c2$addl : c1$addl;
-
-	if ( id1$orig_h == id2$orig_h || id1$resp_h == id2$resp_h )
-		# of the form A->B, A->C ; or B->A, C->A ; uninteresting.
-		return;
-
-	local tag = fmt("stp.%d", ++num_stp_pairs);
-	local prelude = fmt("%.6f step %s (%s)", network_time(),  num_stp_pairs, method);
-
-	local stone_type = (method == "display" ? STONE_DISPLAY :
-				(method == "login-tag" ? STONE_LOGIN_BANNER :
-					STONE_TIMING));
-
-	local current_stones = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
-
-	if ( (current_stones / stone_type) % 2 == 0 )
-		detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] = current_stones + stone_type;
-
-	schedule 1 day { stone_summary(id1, id2) };
-
-	print step_log, fmt("%s: %s", prelude, report_stone(id1, addl1, id2, addl2));
-
-	local is_ssh1 = id1$orig_p == ssh || id1$resp_p == ssh;
-	local is_ssh2 = id2$orig_p == ssh || id2$resp_p == ssh;
-
-	if ( ! is_ssh1 && is_ssh2 )
-		{ # Inbound clear-text, outbound ssh.
-		if ( [id1$resp_h, addl1] !in skip_clear_ssh_reports )
-			NOTICE([$note=ClearToEncrypted_SS,
-				# The following isn't sufficient for
-				# A->(B->C)->D stepping stones, only A->B->C.
-				$src=c1$id$orig_h, $conn=c2,
-				$user=addl1, $sub=addl2,
-				$msg=fmt("clear -> ssh: %s", report_stone(id1, addl1, id2, addl2))]);
-		}
-
-	if ( ! stp_demux_disabled )
-		{
-		demux_conn(id1, tag, "keys", "server");
-		demux_conn(id2, tag, "keys", "server");
-		}
-	}
diff --git a/policy/summaries/app-summary.bro b/policy/summaries/app-summary.bro
deleted file mode 100644
index 5be50f661a..0000000000
--- a/policy/summaries/app-summary.bro
+++ /dev/null
@@ -1,57 +0,0 @@
-@load conn-util
-@load conn-app-reduced
-
-global conn_size_table: table[conn_id] of count;
-global conn_size_log = open_log_file("conn-size") &redef;
-
-function add_to_conn_size(id: conn_id, size: count)
-	{
-	if ( id !in conn_size_table )
-		conn_size_table[id] = 0;
-	local previous_size = conn_size_table[id];
-	conn_size_table[id] = conn_size_table[id] + size;
-	if ( conn_size_table[id] < previous_size )
-		{
-		print conn_size_log, fmt("ERROR: %.6f size wrapping around: %s, prev_size = %d, add = %d",
-			network_time(), conn_id_string(id), previous_size, size);
-		}
-	}
-
-event after_connections_state_remove(c: connection)
-	{
-	local id = c$id;
-	local app_size: count;
-	local transport_size: count;
-	if ( id !in conn_size_table )
-		conn_size_table[id] = 0;
-	app_size = conn_size_table[id];
-	transport_size = c$orig$size + c$resp$size;
-	local size_delta: int = transport_size - app_size;
-	local annotation: string = "none";
-	if ( app_size > transport_size )
-		annotation = "negative_transport_overhead";
-	else if ( size_delta > 1000 && 1.0 * size_delta / transport_size > 0.3 )
-		annotation = "suspicious_transport_overhead";
-
-	print conn_size_log, fmt("conn %s app_size %d conn_size %d annotation %s", conn_id_string(id), app_size, transport_size, annotation);
-
-	delete conn_size_table[id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	event after_connections_state_remove(c);
-	}
-
-function print_app_summary(log: file,
-		id: conn_id, conn_start: time, func: string, start: time,
-		num_req: count, req_size: count, num_resp: count, resp_size: count,
-		extra: string)
-	{
-	add_to_conn_size(id, req_size + resp_size);
-	print log, fmt("conn %s conn_start %.6f app %s app_func %s start %.6f req %d pyld_^ %d reply %d pyld_v %d%s",
-		conn_id_string(id), conn_start, conn_app[id], func, start,
-		num_req, req_size,
-		num_resp, resp_size,
-		byte_len(extra) > 0 ? cat(" ", extra) : "");
-	}
diff --git a/policy/summaries/conn-app-reduced.bro b/policy/summaries/conn-app-reduced.bro
deleted file mode 100644
index 74cce70dee..0000000000
--- a/policy/summaries/conn-app-reduced.bro
+++ /dev/null
@@ -1,37 +0,0 @@
-@load port-name
-
-# Used to annotate apps for connections on ephemeral ports
-global conn_app: table[conn_id] of string &default =
-	function(id: conn_id): string
-		{
-		local p = is_icmp_port(id$resp_p) ? id$orig_p : id$resp_p;
-		if ( p in port_names )
-			return port_names[p];
-		else
-			return fmt("%s", p);
-		};
-
-redef port_names += {
-	[0/icmp]	= "icmp-echo",
-	[8/icmp]	= "icmp-echo",
-	[3/icmp]	= "icmp-unreach",
-
-	[497/tcp]	= "dantz",
-	[554/tcp]	= "rtsp",
-	[5730/tcp]	= "steltor",	# calendar
-	[[7501/tcp, 7502/tcp, 7503/tcp, 7504/tcp, 7505/tcp,
-	  7506/tcp, 7507/tcp, 7508/tcp, 7509/tcp, 7510/tcp]]
-			= "hpss",
-	[[3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp]] = "http",
-	[8443/tcp]	= "https",
-	[3396/tcp]	= "printer-agent",
-	[13782/tcp]	= "veritas-backup-ctrl",
-	[16384/tcp]	= "connected-backup",
-
-	[67/udp]	= "dhcp-s",	# bootstrap for diskless hosts
-	[68/udp]	= "dhcp-c",	# reply-port
-	[427/udp]	= "srvloc",
-	[11001/udp]	= "metasys",	# cardkey
-	[38293/udp]	= "nav-ping",	# norton anti-virus host discovery
-};
-
diff --git a/policy/summaries/conn-app.bro b/policy/summaries/conn-app.bro
deleted file mode 100644
index 243ad03f36..0000000000
--- a/policy/summaries/conn-app.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-@load conn-app-reduced
-
-@load ftp
-@load dce-rpc
-
-event new_connection(c: connection)
-	{
-	local id = c$id;
-	if ( [id$resp_h, id$resp_p] in DCE_RPC::dce_rpc_endpoint )
-		{
-		# local uuid = DCE_RPC::dce_rpc_endpoint[id$resp_h, id$resp_p];
-		# conn_app[id] = fmt("dce-rpc-%s",
-		#	 ( uuid in DCE_RPC::dce_rpc_uuid_name ) ?
-		#	 DCE_RPC::dce_rpc_uuid_name[uuid] : "unknown");
-		conn_app[id] = "dce-rpc";
-		}
-	else if ( FTP::is_ftp_data_connection(c) )
-		{
-		conn_app[id] = "ftp-data";
-		}
-	}
diff --git a/policy/summaries/conn-size.bro b/policy/summaries/conn-size.bro
deleted file mode 100644
index 8001911ed6..0000000000
--- a/policy/summaries/conn-size.bro
+++ /dev/null
@@ -1,83 +0,0 @@
-# const number_of_regions = 32;
-const region_size = 1024 * 1024;	# 1MB
-@load large-conns
-
-global conn_size_log = open_log_file("conn-size") &redef;
-
-function conn_id_string(id: conn_id): string
-	{
-	return fmt("%s/%d=>%s/%s",
-		id$orig_h, id$orig_p,
-		id$resp_h, id$resp_p);
-	}
-
-function report_size_error(c: connection, msg: string)
-	{
-	print conn_size_log, fmt("conn %s start %.6f duration %.6f pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d size_error [%s]",
-		conn_id_string(c$id),
-		c$start_time,
-		c$duration,
-		c$orig$num_pkts, c$orig$size,
-		c$resp$num_pkts, c$resp$size,
-		msg);
-	}
-
-function conn_size(c: connection, is_orig: bool): string
-	{
-	local endp = is_orig ? c$orig : c$resp;
-	local endp_name = is_orig ? "orig" : "resp";
-	local size = endp$size;
-
-	if ( is_tcp_port(c$id$resp_p) )
-		# double check TCP sizes
-		{
-		local est = estimate_flow_size_and_remove(c$id, is_orig);
-		if ( est$have_est )
-			{
-			print conn_size_log,
-				fmt("conn %s endpoint %s size %d low %.0fMB high %.0fMB inconsistent %d",
-					conn_id_string(c$id), endp_name,
-					endp$size,
-					est$lower / 1e6,
-					est$upper / 1e6,
-					est$num_inconsistent);
-
-			if ( est$num_inconsistent > 0 )
-				{
-				report_size_error(c,
-					fmt("%s size error inconsistent %d",
-						endp_name,
-						est$num_inconsistent));
-				return "-";
-				}
-
-			if ( size < est$lower || size > est$upper )
-				{
-				report_size_error(c,
-					fmt("%s size error estimates: %.0fMB - %.0fMB",
-						endp_name,
-						est$lower / 1e6,
-						est$upper / 1e6));
-				return "-";
-				}
-			}
-		}
-	else if ( is_udp_port(c$id$resp_p) )
-		{
-		if ( endp$num_pkts > size && size != 0 )
-			{
-			report_size_error(c,
-				fmt("%s size error: pkt > size",
-					endp_name));
-			return "-";
-			}
-		}
-
-	return fmt("%d", size);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local orig_size = conn_size(c, T);
-	local resp_size = conn_size(c, F);
-	}
diff --git a/policy/summaries/conn-summary.bro b/policy/summaries/conn-summary.bro
deleted file mode 100644
index dc89e49acc..0000000000
--- a/policy/summaries/conn-summary.bro
+++ /dev/null
@@ -1,99 +0,0 @@
-@load conn-util
-# @load conn-app
-# @load smb-tag
-# @load dce-rpc-tag
-
-module ConnSummary;
-
-# redef capture_filters += { ["TUI"] = "tcp or udp or icmp" };
-redef capture_filters = { ["ip"] = "ip" };	# to also capture IP fragments
-# redef SMB_tag::log_smb_tags = F;
-# redef DCE_RPC_tag::log_dce_rpc_tags = F;
-
-global conn_summary_log = open_log_file("conn-summary") &redef;
-
-global conn_annotation: table[conn_id] of string &default = "";
-
-function add_to_conn_annotation(cid: conn_id, new_annotation: string)
-	{
-	local a: string;
-	if ( cid in conn_annotation )
-		conn_annotation[cid] =
-			cat(conn_annotation[cid], ",", new_annotation);
-	else
-		conn_annotation[cid] = new_annotation;
-	}
-
-# II. Annotation events
-event new_connection(c: connection)
-	{
-	if ( is_tcp_port(c$id$resp_p) )
-		{
-		if ( c$orig$state != TCP_SYN_SENT )
-			{
-			# add_to_conn_annotation(c$id, "partial");
-			}
-		}
-	}
-
-event partial_connection(c: connection)
-	{
-	add_to_conn_annotation(c$id, "partial");
-	}
-
-event connection_established(c: connection)
-	{
-	if ( c$orig$state == TCP_ESTABLISHED && c$resp$state == TCP_ESTABLISHED )
-		{
-		add_to_conn_annotation(c$id, "established");
-		}
-	}
-
-event connection_rejected(c: connection)
-	{
-	add_to_conn_annotation(c$id, "rejected");
-	}
-
-event connection_reset(c: connection)
-	{
-	add_to_conn_annotation(c$id, "reset");
-	}
-
-event connection_attempt(c: connection)
-	{
-	add_to_conn_annotation(c$id, "attempt");
-	}
-
-event connection_finished(c: connection)
-	{
-	add_to_conn_annotation(c$id, "finished");
-	}
-
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
-	{
-	add_to_conn_annotation(context$id, "unreach");
-	}
-
-event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
-	{
-	add_to_conn_annotation(context$id, "time_exceeded");
-	}
-
-event connection_state_remove(c: connection)
-	{
-	# local tag_smb = get_smb_tag(c$id);
-	# local tag_dce_rpc = get_dce_rpc_tag(c$id);
-
-	print conn_summary_log, fmt("conn %s start %.6f duration %.6f app %s pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d state %s notes [%s]",
-		conn_id_string(c$id),
-		c$start_time,
-		c$duration,
-		conn_app[c$id],
-		c$orig$num_pkts, c$orig$size,
-		c$resp$num_pkts, c$resp$size,
-		conn_state(c, get_port_transport_proto(c$id$resp_p)),
-		conn_annotation[c$id]);
-
-	delete conn_annotation[c$id];
-	delete conn_app[c$id];
-	}
diff --git a/policy/summaries/conn-util.bro b/policy/summaries/conn-util.bro
deleted file mode 100644
index 623ca04955..0000000000
--- a/policy/summaries/conn-util.bro
+++ /dev/null
@@ -1,55 +0,0 @@
-function conn_id_string(id: conn_id): string
-	{
-	return fmt("%s/%d=>%s/%s",
-		id$orig_h, id$orig_p,
-		id$resp_h, id$resp_p);
-	}
-
-function connection_state(c: connection, trans: transport_proto): string
-	{
-	local os = c$orig$state;
-	local rs = c$resp$state;
-
-	local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
-	local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
-
-	if ( trans == tcp )
-		{
-		if ( rs == TCP_RESET )
-			{
-			if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
-			     (os == TCP_RESET &&
-			      c$orig$size == 0 && c$resp$size == 0) )
-				return "REJ";
-			else if ( o_inactive )
-				return "RSTRH";
-			else
-				return "RSTR";
-			}
-		else if ( os == TCP_RESET )
-			return r_inactive ? "RSTOS0" : "RSTO";
-		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
-			return "SF";
-		else if ( os == TCP_CLOSED )
-			return r_inactive ? "SH" : "S2";
-		else if ( rs == TCP_CLOSED )
-			return o_inactive ? "SHR" : "S3";
-		else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
-			return "S0";
-		else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
-			return "S1";
-		else
-			return "OTH";
-		}
-
-	else if ( trans == udp )
-		{
-		if ( os == UDP_ACTIVE )
-			return rs == UDP_ACTIVE ? "SF" : "S0";
-		else
-			return rs == UDP_ACTIVE ? "SHR" : "OTH";
-		}
-
-	else
-		return "OTH";
-	}
diff --git a/policy/summaries/dce-rpc-summary.bro b/policy/summaries/dce-rpc-summary.bro
deleted file mode 100644
index 0d6ffecf96..0000000000
--- a/policy/summaries/dce-rpc-summary.bro
+++ /dev/null
@@ -1,93 +0,0 @@
-@load conn-util
-@load dce-rpc
-@load app-summary
-
-module DCE_RPC_summary;
-
-global log = open_log_file("dce-rpc-summary") &redef;
-
-type dce_rpc_transaction: record {
-	connection_id: conn_id;
-	conn_start: time;
-	uuid: string;
-	opnum: count;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-};
-
-global conn_uuid: table[conn_id] of string &default = DCE_RPC::null_uuid;
-global dce_rpc_trans_table: table[conn_id] of dce_rpc_transaction;
-# global msg_size: table[conn_id, bool] of count;
-
-function end_dce_rpc_transaction(id: conn_id)
-	{
-	if ( id !in dce_rpc_trans_table )
-		return;
-
-	local t = dce_rpc_trans_table[id];
-	local ifname = DCE_RPC::dce_rpc_uuid_name[t$uuid];
-	local func_name = DCE_RPC::dce_rpc_func_name[ifname, t$opnum];
-	print_app_summary(log,
-		t$connection_id,
-		t$conn_start,
-		fmt("%s/%s", ifname, func_name),
-		t$start,
-		t$num_req, t$req_size,
-		t$num_resp, t$resp_size,
-		fmt("ifname %s", ifname));
-
-	delete dce_rpc_trans_table[id];
-	}
-
-function new_dce_rpc_transaction(c: connection, uuid: string, opnum: count): dce_rpc_transaction
-	{
-	local id = c$id;
-
-	# End any previous trans
-	end_dce_rpc_transaction(id);
-
-	local t = [
-		$connection_id = id, $conn_start = c$start_time,
-		$uuid = uuid, $opnum = opnum,
-		$start = network_time(),
-		$num_req = 0, $req_size = 0,
-		$num_resp = 0, $resp_size = 0];
-
-	dce_rpc_trans_table[id] = t;
-	return t;
-	}
-
-event dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string)
-	{
-	# msg_size[c$id, is_orig] = byte_len(msg);
-	}
-
-event dce_rpc_bind(c: connection, uuid: string)
-	{
-	conn_uuid[c$id] = uuid;
-	}
-
-event dce_rpc_request(c: connection, opnum: count, stub: string)
-	{
-	local t = new_dce_rpc_transaction(c, conn_uuid[c$id], opnum);
-	++t$num_req;
-	t$req_size = t$req_size + byte_len(stub);
-	# t$req_size = t$req_size + msg_size[c$id, T];
-	}
-
-event dce_rpc_response(c: connection, opnum: count, stub: string)
-	{
-	local t = dce_rpc_trans_table[c$id];
-	++t$num_resp;
-	t$resp_size = t$resp_size + byte_len(stub);
-	# t$resp_size = t$resp_size + msg_size[c$id, F];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in dce_rpc_trans_table )
-		end_dce_rpc_transaction(c$id);
-	}
diff --git a/policy/summaries/dce-rpc-tag.bro b/policy/summaries/dce-rpc-tag.bro
deleted file mode 100644
index b74aaa704b..0000000000
--- a/policy/summaries/dce-rpc-tag.bro
+++ /dev/null
@@ -1,68 +0,0 @@
-@load conn-util
-@load dce-rpc
-
-redef capture_filters += {
-	["dce-rpc"] = "tcp or udp",
-};
-
-global dce_rpc_tag: table[conn_id] of string &default = "";
-
-const log_dce_rpc_tags = T &redef;
-function get_dce_rpc_tag(id: conn_id): string
-	{
-	if ( id in dce_rpc_tag )
-		return dce_rpc_tag[id];
-	else
-		return "";
-	}
-
-module DCE_RPC_tag;
-
-global log = open_log_file("dce_rpc-tag") &redef;
-
-function add_to_dce_rpc_tag(c: connection, name: string): bool
-	{
-	local id = c$id;
-	local orig_tag = dce_rpc_tag[id];
-
-	if ( orig_tag == "" )
-		{
-		dce_rpc_tag[id] = name;
-		}
-	else if ( strstr(orig_tag, name) == 0 )
-		{
-		dce_rpc_tag[id] = cat(orig_tag, ",", name);
-		}
-
-	return T;
-	}
-
-# Deficiency: it only looks at the bind request, but not the reply, so we
-# do not know if the bind is successful.
-
-event dce_rpc_bind(c: connection, uuid: string)
-	{
-	local if_name = DCE_RPC::dce_rpc_uuid_name[uuid];
-	if ( log_dce_rpc_tags )
-		print log, fmt("%.6f %s DCE_RPC_Bind: %s",
-			network_time(), id_string(c$id), if_name);
-	add_to_dce_rpc_tag(c, if_name);
-	}
-
-event delete_dce_rpc_tag(c: connection)
-	{
-	delete dce_rpc_tag[c$id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in dce_rpc_tag )
-		{
-		if ( log_dce_rpc_tags )
-			print log, fmt("conn %s start %.6f DCE/RPC [%s]",
-				conn_id_string(c$id),
-				c$start_time,
-				dce_rpc_tag[c$id]);
-		event delete_dce_rpc_tag(c);
-		}
-	}
diff --git a/policy/summaries/dns-common-summary.bro b/policy/summaries/dns-common-summary.bro
deleted file mode 100644
index 14d4187d3f..0000000000
--- a/policy/summaries/dns-common-summary.bro
+++ /dev/null
@@ -1,245 +0,0 @@
-@load conn-util
-@load app-summary
-@load dns-info
-
-module DNS_common_summary;
-
-
-export {
-
-	global dns_summary_log = open_log_file("dns-common-summary") &redef;
-
-	const server_ports = {
-		53/udp, 53/tcp, 137/udp,
-	} &redef;
-}
-
-redef capture_filters += {
-	["dns"] = "port 53",
-	["netbios-ns"] = "udp port 137",
-};
-
-const dns_op_name = {
-	[0] = "QUERY",
-	[1] = "IQUERY",
-	[2] = "STATUS",
-	[5] = "NB_REGISTER",
-	[6] = "NB_RELEASE",
-	[7] = "NB_WACK",
-	[8] = "NB_REFRESH",
-} &default = function(op: count): string
-	{
-	return fmt("op-%d", op);
-	};
-
-function dns_qtype(qtype: int, server_port: port): string
-	{
-	if ( qtype < 0 )
-		return "none";
-
-	if ( server_port == 137/udp )
-		{
-		if ( qtype == 32 )
-			return "NB";
-		if ( qtype == 33 )
-			return "NBSTAT";
-		}
-
-	return query_types[int_to_count(qtype)];
-	}
-
-function dns_rcode(rcode: int): string
-	{
-	return ( rcode < 0 ) ? "none" :
-		base_error[int_to_count(rcode)];
-	}
-
-const netbios_host_type = {
-	["00"] = "workstation",
-	["03"] = "messenger",
-	["1b"] = "domain_master_browser",
-	["20"] = "server",
-	["1c"] = "domain_group",
-	["1d"] = "master_browser_group",
-	["1e"] = "group",
-} &default = function(t: string): string { return t; };
-
-const dns_transaction_timeout = 30 sec &redef;
-
-type dns_transaction: record {
-	connection_id: conn_id;
-	conn_start: time;
-	func: string;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-
-	num_q: count;
-	qtype: string;
-	query: string;
-	host_type: string;
-	rcode: string;
-	resp_time: time;	# of the first resp
-};
-
-# Use only the client addr and transaction id for index, because
-# Netbios/NS clients sometimes send to broadcast address
-type dns_trans_index: record {
-	client: addr;
-	client_port: port;
-	id: count;
-	server: addr;
-	server_port: port;
-};
-global dns_trans_table: table[dns_trans_index] of dns_transaction;
-
-function fmt_list(x: string): string
-	{
-	if ( strstr(x, ",") > 0 )
-		return cat("[", x, "]");
-	else
-		return x;
-	}
-
-event expire_DNS_transaction(ind: dns_trans_index)
-	{
-	if ( ind !in dns_trans_table )
-		return;
-
-	local t = dns_trans_table[ind];
-	if ( ind$server_port in server_ports )
-		{
-		print_app_summary(dns_summary_log,
-			t$connection_id,
-			t$conn_start,
-			t$func, t$start,
-			t$num_req, t$req_size,
-			t$num_resp, t$resp_size,
-			fmt("qtype %s return %s query '%s' host_type %s latency %.6f",
-				fmt_list(t$qtype), fmt_list(t$rcode),
-				fmt_list(gsub(t$query, / /, "_")),
-				fmt_list(t$host_type),
-				t$resp_time >= t$start ? t$resp_time - t$start : -1 sec));
-		}
-	delete dns_trans_table[ind];
-	}
-
-function lookup_dns_transaction(c: connection, msg: dns_msg, is_orig: bool): dns_transaction
-	{
-	local id = c$id;
-	local client: addr;
-	local server: addr;
-	local client_port: port;
-	local server_port: port;
-
-	if ( ( ! msg$QR && is_orig ) || ( msg$QR && ! is_orig ) )
-		{
-		client = id$orig_h;
-		client_port = id$orig_p;
-		server = id$resp_h;
-		server_port = id$resp_p;
-		}
-	else
-		{
-		client = id$resp_h;
-		client_port = id$resp_p;
-		server = id$orig_h;
-		server_port = id$orig_p;
-		}
-
-	# print fmt("%.6f client %s server %s", network_time(), client, server);
-
-	# Netbios queries are sometimes sent to broadcast addresses,
-	# so we ignore the server part
-	if ( server_port == 137/udp )
-		server = 0.0.0.0;
-
-	local ind = [$client = client, $client_port = client_port,
-			$id = msg$id,
-			$server = server, $server_port = server_port];
-
-	if ( ind !in dns_trans_table )
-		{
-		local t = [
-			$connection_id = id,
-			$conn_start = c$start_time,
-			$func = dns_op_name[msg$opcode],
-			$start = network_time(),
-			$num_req = 0, $req_size = 0,
-			$num_resp = 0, $resp_size = 0,
-			$num_q = 0,
-			$qtype = "none",
-			$query = "none", $host_type = "none",
-			$rcode = "none",
-			$resp_time = network_time() - 1 sec];
-		dns_trans_table[ind] = t;
-		}
-
-	schedule dns_transaction_timeout {
-		expire_DNS_transaction(ind)
-		};
-
-	return dns_trans_table[ind];
-	}
-
-event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
-	{
-	local t = lookup_dns_transaction(c, msg, is_orig);
-	if ( ! msg$QR )
-		{
-		++t$num_req;
-		t$req_size = t$req_size + len;
-		}
-	else
-		{
-		local rcode = dns_rcode(msg$rcode);
-		if ( t$rcode == "none" )
-			t$rcode = rcode;
-		else if ( t$rcode != rcode )
-			t$rcode = cat(t$rcode, ",", rcode);
-		++t$num_resp;
-		t$resp_size = t$resp_size + len;
-		if ( t$num_resp == 1 )
-			t$resp_time = network_time();
-		}
-	}
-
-function append_query(t: dns_transaction, query: string, host_type: string, qtype: string)
-	{
-	++t$num_q;
-	if ( t$num_q == 1 )
-		{
-		t$qtype = qtype;
-		t$query = query;
-		t$host_type = host_type;
-		}
-	else
-		{
-		if ( qtype != t$qtype )
-			t$qtype = cat(t$qtype, ",", qtype);
-		if ( query != t$query )
-			t$query = cat(t$query, ",", query);
-		if ( host_type != t$host_type )
-			t$host_type = cat(t$host_type, ",", host_type);
-		}
-	}
-
-event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
-	{
-	local host_type = "n/a";
-	if ( c$id$resp_p == 137/udp )
-		{
-		query = decode_netbios_name(query);
-		local last_byte = sub_bytes(query, byte_len(query) - 2, 2);
-		host_type = netbios_host_type[last_byte];
-		}
-
-	# print log, fmt("conn %s start %.6f op %d qtype 0x%x name [%s]",
-	#	conn_id_string(c$id), network_time(),
-	#	msg$opcode, qtype, query);
-
-	local t = lookup_dns_transaction(c, msg, T);
-	append_query(t, query, host_type, dns_qtype(qtype, c$id$resp_p));
-	}
diff --git a/policy/summaries/dns-summary.bro b/policy/summaries/dns-summary.bro
deleted file mode 100644
index 327f2f5032..0000000000
--- a/policy/summaries/dns-summary.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-@load dns-common-summary
-
-redef DNS_common_summary::log = open_log_file("dns-summary");
-redef DNS_common_summary::server_ports = { 53/udp, 53/tcp };
-
-redef capture_filters = {
-	["dns"] = "port 53",
-};
diff --git a/policy/summaries/http-rps-summary.bro b/policy/summaries/http-rps-summary.bro
deleted file mode 100644
index 0241a886b7..0000000000
--- a/policy/summaries/http-rps-summary.bro
+++ /dev/null
@@ -1,171 +0,0 @@
-# $Id:$
-
-@load http
-@load app-summary
-
-redef capture_filters = {
-	["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128",
-};
-
-module HTTP_req_per_session;
-
-export {
-	global log = open_log_file("http-rps-summary") &redef;
-	const http_session_idle_timeout = 1 sec &redef;
-}
-
-type http_session: record {
-	# standard stuff
-	connection_id: conn_id;		# of the first conn
-	conn_start: time;
-	func: string;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-
-	# for timeout
-	unfinished_req: count;
-	unfinished_resp: count;
-	last_time: time;
-};
-
-global expire_http_session: function(
-	tbl: table[addr] of http_session, index: addr): interval;
-
-global http_ssn_table: table[addr] of http_session
-	&read_expire = http_session_idle_timeout
-	&expire_func = expire_http_session;
-
-function new_http_session(c: connection): http_session
-	{
-	local t = [
-		$connection_id = c$id,
-		$conn_start = c$start_time,
-		$func = "unknown",
-		$start = network_time(),
-		$num_req = 0, $req_size = 0,
-		$num_resp = 0, $resp_size = 0,
-		$unfinished_req = 0, $unfinished_resp = 0,
-		$last_time = network_time()];
-
-	return t;
-	}
-
-function lookup_http_session(c: connection, is_orig: bool): http_session
-	{
-	local id = c$id;
-	local index = id$orig_h;
-
-	if ( index !in http_ssn_table )
-		{
-		if ( ! is_orig )
-			print fmt("%.6f HTTP session not found for a resposne",
-				network_time(), conn_id_string(id));
-
-		http_ssn_table[index] = new_http_session(c);
-		}
-
-	return http_ssn_table[index];
-	}
-
-function end_http_session(t: http_session)
-	{
-	print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start,
-		t$num_req, t$req_size,
-		t$num_resp, t$resp_size,
-		fmt("duration %.6f", t$last_time - t$start));
-	}
-
-function check_expiration(t: http_session): bool
-	{
-	print fmt("%.6f check expiration http_session %s: %.6f %d,%d %d,%d",
-		network_time(), conn_id_string(t$connection_id),
-		t$last_time,
-		t$num_req, t$num_resp,
-		t$unfinished_req, t$unfinished_resp);
-
-	if ( network_time() - t$last_time < http_session_idle_timeout
-	     || ( t$unfinished_req + t$unfinished_resp > 0 &&
-	          network_time() - t$last_time < 15 min &&
-		  ! done_with_network ) )
-		{
-		print fmt("do not expire");
-		return F;
-		}
-
-	end_http_session(t);
-	return T;
-	}
-
-function expire_http_session(tbl: table[addr] of http_session,
-		index: addr): interval
-	{
-	local t = tbl[index];
-	if ( ! check_expiration(t) )
-		{
-		print fmt("... no, wait one more second: %d, %d",
-			t$unfinished_req, t$unfinished_resp);
-		return 1 sec;
-		}
-	return 0 sec;
-	}
-
-event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
-	{
-	local t = lookup_http_session(c, T);
-	if ( check_expiration(t) )
-		{
-		delete http_ssn_table[c$id$orig_h];
-		t = lookup_http_session(c, T);
-		}
-	t$func = method;
-	++t$num_req;
-	++t$unfinished_req;
-	t$last_time = network_time();
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	# print fmt("http reply");
-	local t = lookup_http_session(c, F);
-	++t$num_resp;
-	++t$unfinished_resp;
-	t$last_time = network_time();
-	}
-
-function http_request_done(c: connection, stat: http_message_stat)
-	{
-	# print fmt("http request done");
-	local t = lookup_http_session(c, T);
-	t$req_size = t$req_size + stat$body_length;
-	if ( t$unfinished_req > 0 )
-		--t$unfinished_req;
-	t$last_time = network_time();
-	}
-
-function http_reply_done(c: connection, stat: http_message_stat)
-	{
-	local t = lookup_http_session(c, F);
-	t$resp_size = t$resp_size + stat$body_length;
-	if ( t$unfinished_resp > 0 )
-		--t$unfinished_resp;
-	t$last_time = network_time();
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( is_orig )
-		http_request_done(c, stat);
-	else
-		http_reply_done(c, stat);
-	}
-
-event bro_done()
-	{
-	for ( index in http_ssn_table )
-		{
-		end_http_session(http_ssn_table[index]);
-		}
-	}
diff --git a/policy/summaries/http-summary.bro b/policy/summaries/http-summary.bro
deleted file mode 100644
index 1f6c1219e4..0000000000
--- a/policy/summaries/http-summary.bro
+++ /dev/null
@@ -1,281 +0,0 @@
-@load http
-@load app-summary
-
-redef capture_filters = {
-	["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128",
-	["ipp"] = "tcp port 631",
-};
-
-module HTTP_summary;
-
-global log = open_log_file("http-summary") &redef;
-
-type http_transaction: record {
-	# standard stuff
-	connection_id: conn_id;
-	conn_start: time;
-	func: string;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-
-	# for tracking the state
-	req_done: bool;
-	resp_done: bool;
-	done: bool;
-
-	# http-specific stuff
-	code: count;
-	req_content_type: string;
-	resp_content_type: string;
-	conditional_get: string;
-	user_agent: string;
-	cache_control: string;
-	last_modified: string;
-	etag: string;
-};
-
-type http_trans_group: record {
-	trans: table[count] of http_transaction;
-	first_req: count;
-	last_req: count;
-};
-
-global http_trans_table: table[conn_id] of http_trans_group;
-
-function lookup_http_trans_group(id: conn_id, create: bool): http_trans_group
-	{
-	if ( id !in http_trans_table )
-		{
-		if ( create )
-			{
-			local trans: table[count] of http_transaction;
-			http_trans_table[id] = [
-				$trans = trans, $first_req = 1, $last_req = 0];
-			}
-		else
-			print fmt("HTTP trans_group not found: %s", conn_id_string(id));
-		}
-
-	return http_trans_table[id];
-	}
-
-function new_http_transaction(c: connection, func: string): http_transaction
-	{
-	# print fmt("new http trans: %.6f %s", network_time(), func);
-	local g = lookup_http_trans_group(c$id, T);
-
-	local t = [
-		$connection_id = c$id,
-		$conn_start = c$start_time,
-		$func = func,
-		$start = network_time(),
-		$num_req = 0, $req_size = 0,
-		$num_resp = 0, $resp_size = 0,
-		$req_done = F, $resp_done = F, $done = F,
-		$code = 0,
-		$req_content_type = "none",
-		$resp_content_type = "none",
-		$conditional_get = "no",
-		$user_agent = "none",
-		$cache_control = "none",
-		$last_modified = "none",
-		$etag = "none"];
-
-	++g$last_req;
-	g$trans[g$last_req] = t;
-
-	return t;
-	}
-
-function lookup_http_transaction(id: conn_id, is_orig: bool): http_transaction
-	{
-	local g = lookup_http_trans_group(id, F);
-	local index = is_orig ? g$last_req : g$first_req;
-
-	if ( index !in g$trans )
-		{
-		print fmt("HTTP transaction not found: %s : %d-%d",
-			conn_id_string(id), g$first_req, g$last_req);
-		}
-
-	return g$trans[index];
-	}
-
-function end_http_transaction(t: http_transaction)
-	{
-	if ( t$req_done && t$resp_done )
-		{
-		if ( t$done )
-			return;
-		t$done = T;
-		print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start,
-			t$num_req, t$req_size,
-			t$num_resp, t$resp_size,
-			fmt("code %d content_type_^ %s content_type_v %s conditional_get %s user_agent %s cache_control %s last_modified %s etag %s",
-				t$code,
-				t$req_content_type, t$resp_content_type,
-				t$conditional_get,
-				subst_string(t$user_agent, " ", "_"),
-				subst_string(t$cache_control, " ", ""),
-				t$last_modified == "none" ? "none" : "present",
-				t$etag == "none" ? "none" : "present"
-				));
-		}
-	}
-
-event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
-	{
-	# print fmt("http request");
-	local t = new_http_transaction(c, method);
-	++t$num_req;
-	t$req_done = F;
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	# print fmt("http reply");
-	local id = c$id;
-	local g = lookup_http_trans_group(id, T);
-	local t: http_transaction;
-	if ( g$first_req in g$trans )
-		t = g$trans[g$first_req];
-	else
-		t = new_http_transaction(c, "none");
-
-	++t$num_resp;
-	t$code = code;
-	t$resp_done = F;
-	}
-
-function http_request_done(c: connection, stat: http_message_stat)
-	{
-	# print fmt("http request done");
-	local t = lookup_http_transaction(c$id, T);
-	t$req_size = t$req_size + stat$body_length;
-	t$req_done = T;
-	end_http_transaction(t);
-	}
-
-function http_reply_done(c: connection, stat: http_message_stat)
-	{
-	# print fmt("http reply done");
-	local t = lookup_http_transaction(c$id, F);
-	t$resp_size = t$resp_size + stat$body_length;
-	if ( t$code >= 200 )
-		{
-		t$resp_done = T;
-		end_http_transaction(t);
-		local g = lookup_http_trans_group(t$connection_id, F);
-		++g$first_req;
-		}
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( is_orig )
-		http_request_done(c, stat);
-	else
-		http_reply_done(c, stat);
-	}
-
-event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	local type_str = fmt("%s/%s", ty, subty);
-	if ( is_orig )
-		t$req_content_type = type_str;
-	else
-		t$resp_content_type = type_str;
-	}
-
-function http_conditional_get(c: connection, is_orig: bool, h: mime_header_rec)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	t$conditional_get = h$name;
-	}
-
-function http_user_agent(c: connection, is_orig: bool, h: mime_header_rec)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	t$user_agent = h$value;
-	}
-
-function http_cache_control(c: connection, is_orig: bool, h: mime_header_rec)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	t$cache_control = h$value;
-	}
-
-function http_last_modified(c: connection, is_orig: bool, h: mime_header_rec)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	t$last_modified = h$value;
-	}
-
-function http_etag(c: connection, is_orig: bool, h: mime_header_rec)
-	{
-	local t = lookup_http_transaction(c$id, is_orig);
-	t$etag = h$value;
-	}
-
-# type mime_header_rec: record {
-#	name: string;
-#	value: string;
-# };
-# type mime_header_list: table[count] of mime_header_rec;
-
-const conditional_get_headers = {
-	"IF-MODIFIED-SINCE",
-	"IF-UNMODIFIED-SINCE",
-	"IF-MATCH",
-	"IF-NONE-MATCH",
-	"IF-RANGE",
-};
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
-	{
-	if ( ! is_orig )
-		return;
-
-	for ( i in hlist )
-		{
-		local h = hlist[i];
-		if ( h$name in conditional_get_headers )
-			http_conditional_get(c, is_orig, h);
-		if ( h$name == "USER-AGENT" )
-			http_user_agent(c, is_orig, h);
-		if ( h$name == "CACHE-CONTROL" )
-			http_cache_control(c, is_orig, h);
-		if ( h$name == "LAST-MODIFIED" )
-			http_last_modified(c, is_orig, h);
-		if ( h$name == "ETAG" )
-			http_etag(c, is_orig, h);
-		}
-	}
-
-function end_http_trans_group(g: http_trans_group, index: count)
-	{
-	if ( index !in g$trans )
-		return;
-	local t = g$trans[index];
-
-	t$req_done = T;
-	t$resp_done = T;
-	end_http_transaction(t);
-
-	delete g$trans[index];
-	end_http_trans_group(g, index + 1);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-	if ( id in http_trans_table )
-		{
-		end_http_trans_group(http_trans_table[id], 1);
-		delete http_trans_table[id];
-		}
-	}
diff --git a/policy/summaries/ipp-summary.bro b/policy/summaries/ipp-summary.bro
deleted file mode 100644
index 5bc4c3df86..0000000000
--- a/policy/summaries/ipp-summary.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load http-summary
-
-redef HTTP_summary::log = open_log_file("ipp-summary") &redef;
diff --git a/policy/summaries/ncp-summary.bro b/policy/summaries/ncp-summary.bro
deleted file mode 100644
index 89c19c6713..0000000000
--- a/policy/summaries/ncp-summary.bro
+++ /dev/null
@@ -1,78 +0,0 @@
-@load ncp
-@load app-summary
-
-module NCP_summary;
-
-global ncp_summary_log = open_log_file("ncp-summary") &redef;
-
-type ncp_transaction: record {
-	connection_id: conn_id;
-	conn_start: time;
-	func: string;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-	completion_code: int;	# ... of the first reply
-};
-
-global ncp_trans_table: table[conn_id] of ncp_transaction;
-
-function end_ncp_transaction(id: conn_id)
-	{
-	if ( id !in ncp_trans_table )
-		return;
-
-	local t = ncp_trans_table[id];
-	print_app_summary(ncp_summary_log, t$connection_id, t$conn_start, t$func, t$start,
-		t$num_req, t$req_size,
-		t$num_resp, t$resp_size,
-		fmt("completion_code %d", t$completion_code));
-	}
-
-function new_ncp_transaction(c: connection, func: string): ncp_transaction
-	{
-	local id = c$id;
-
-	# End any previous trans
-	end_ncp_transaction(id);
-
-	local t = [
-		$connection_id = id,
-		$conn_start = c$start_time,
-		$func = func,
-		$start = network_time(),
-		$num_req = 0, $req_size = 0,
-		$num_resp = 0, $resp_size = 0,
-		$completion_code = -1];
-
-	ncp_trans_table[id] = t;
-	return t;
-	}
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
-	{
-	local f = ( frame_type == 0x2222 ) ?
-			NCP::ncp_function_name[func] :
-			NCP::ncp_frame_type_name[frame_type];
-
-	local t = new_ncp_transaction(c, f);
-	++t$num_req;
-	t$req_size = t$req_size + length;
-	}
-
-event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
-	{
-	local t = ncp_trans_table[c$id];
-	++t$num_resp;
-	if ( t$num_resp == 1 )
-		t$completion_code = completion_code;
-	t$resp_size = t$resp_size + length;
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in ncp_trans_table )
-		end_ncp_transaction(c$id);
-	}
diff --git a/policy/summaries/ncp-tag.bro b/policy/summaries/ncp-tag.bro
deleted file mode 100644
index 61c63a2f3f..0000000000
--- a/policy/summaries/ncp-tag.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-@load conn-id
-@load ncp
-
-module NCP_tag;
-
-global log = open_log_file("ncp-tag") &redef;
-
-const ncp_request_type = {
-[ 0x11 ] = "print",
-[ 0x16, 0x68 ] = "directory",
-} &default = function(code: count): string
-	{
-	return fmt("unknown(%x)", code);
-	};
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
-	{
-	print log, fmt("%.6f %s NCP request type=%s function=%s",
-		network_time(), id_string(c$id),
-		NCP::ncp_frame_type_name[frame_type],
-		NCP::ncp_function_name[func]);
-	}
-
-event ncp_reply(c: connection, frame_type: count, length: count, completion_code: count)
-	{
-	}
diff --git a/policy/summaries/netbios-ns-summary.bro b/policy/summaries/netbios-ns-summary.bro
deleted file mode 100644
index 3587b9a954..0000000000
--- a/policy/summaries/netbios-ns-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load dns-common-summary
-
-redef DNS_common_summary::dns_summary_log = open_log_file("netbios-ns-summary");
-redef DNS_common_summary::server_ports = { 137/udp };
-
-redef capture_filters += {
-	["netbios-ns"] = "udp port 137",
-};
-
diff --git a/policy/summaries/netbios-ssn-summary.bro b/policy/summaries/netbios-ssn-summary.bro
deleted file mode 100644
index 5166e56baa..0000000000
--- a/policy/summaries/netbios-ssn-summary.bro
+++ /dev/null
@@ -1,112 +0,0 @@
-@load app-summary
-
-redef capture_filters = {
-	["netbios-ssn"] = "tcp port 139",
-};
-
-module NetbiosSSN_summary;
-
-global netbios_log = open_log_file("netbios-ssn-summary") &redef;
-
-const netbios_msg_types = {
-	[0x0]	= "ssn_message",
-	[0x81]	= "ssn_request",
-	[0x82]	= "positive_resp",
-	[0x83]	= "negative_resp",
-	[0x84]	= "retarget_resp",
-	[0x85]	= "keep_alive",
-} &default = function(msg_type: count): string
-	{
-	return fmt("unknown-0x%x", msg_type);
-	};
-
-type netbios_ssn_transaction: record {
-	connection_id: conn_id;
-	conn_start: time;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-	req_type: string;
-	resp_type: string;	# ... of the first reply
-	raw_ssn_msg: count;
-};
-
-global netbios_ssn_trans_table: table[conn_id] of netbios_ssn_transaction;
-
-function end_netbios_ssn_transaction(id: conn_id)
-	{
-	if ( id !in netbios_ssn_trans_table )
-		return;
-
-	local t = netbios_ssn_trans_table[id];
-	print_app_summary(netbios_log, t$connection_id, t$conn_start,
-		t$req_type, t$start,
-		t$num_req, t$req_size,
-		t$num_resp, t$resp_size,
-		fmt("req_type %s resp_type %s raw %d",
-			t$req_type, t$resp_type, t$raw_ssn_msg));
-
-	delete netbios_ssn_trans_table[id];
-	}
-
-function lookup_netbios_ssn_transaction(c: connection, new_trans: bool): netbios_ssn_transaction
-	{
-	local id = c$id;
-
-	if ( new_trans )
-		{
-		# End any previous trans
-		end_netbios_ssn_transaction(id);
-		}
-
-	if ( id !in netbios_ssn_trans_table )
-		{
-		local t = [
-			$connection_id = id,
-			$conn_start = c$start_time,
-			$start = network_time(),
-			$num_req = 0, $req_size = 0,
-			$num_resp = 0, $resp_size = 0,
-			$req_type = "none", $resp_type = "none",
-			$raw_ssn_msg = 0];
-		netbios_ssn_trans_table[c$id] = t;
-		}
-
-	return netbios_ssn_trans_table[c$id];
-	}
-
-event netbios_ssn_message(c: connection, is_orig: bool, msg_type: count, data_len: count)
-	{
-	local msg_type_name = netbios_msg_types[msg_type];
-	local t: netbios_ssn_transaction;
-	if ( is_orig )
-		{
-		t = lookup_netbios_ssn_transaction(c, T);
-		++t$num_req;
-		if ( t$num_req == 1 )
-			t$req_type = msg_type_name;
-		t$req_size = t$req_size + data_len;
-		}
-	else
-		{
-		t = lookup_netbios_ssn_transaction(c, F);
-		++t$num_resp;
-		if ( t$num_resp == 1 )
-			t$resp_type = msg_type_name;
-		t$resp_size = t$resp_size + data_len;
-		}
-	}
-
-event netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
-	{
-	local t = lookup_netbios_ssn_transaction(c, F);
-	++t$raw_ssn_msg;
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in netbios_ssn_trans_table )
-		end_netbios_ssn_transaction(c$id);
-	}
diff --git a/policy/summaries/nfs-summary.bro b/policy/summaries/nfs-summary.bro
deleted file mode 100644
index ad1979b33b..0000000000
--- a/policy/summaries/nfs-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load sun-rpc-summary
-
-redef SUN_RPC_summary::log = open_log_file("nfs-summary");
-
-redef capture_filters = {
-	["nfs"] = "port 2049",
-	# UDP packets are often fragmented
-	["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
diff --git a/policy/summaries/rexmit-summary.bro b/policy/summaries/rexmit-summary.bro
deleted file mode 100644
index 9f5c1ef0c9..0000000000
--- a/policy/summaries/rexmit-summary.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# Statistical analysis of TCP connection in terms of the packet streams
-# in each direction.
-
-@load conn-util
-
-redef capture_filters = { ["tcp"] = "tcp" };
-redef ignore_keep_alive_rexmit = T;
-
-global log = open_log_file("rexmit-summary") &redef;
-
-const min_num_pkts = 0;
-
-event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
-	{
-	if ( os$num_pkts < min_num_pkts && rs$num_pkts < min_num_pkts )
-		return;
-
-	print log, fmt("conn %s start %.6f duration %.6f pkt_^ %d rexmit_pkt_^ %d pyld_^ %d rexmit_pyld_^ %d pkt_v %d rexmit_pkt_v %d pyld_v %d rexmit_pyld_v %d",
-		conn_id_string(c$id), c$start_time, c$duration,
-		os$num_pkts, os$num_rxmit,
-		# os$num_pkts == 0 ? 0.0 : 1.0 * os$num_rxmit / os$num_pkts,
-		c$orig$size, os$num_rxmit_bytes,
-		rs$num_pkts, rs$num_rxmit,
-		# rs$num_pkts == 0 ? 0.0 : 1.0 * rs$num_rxmit / rs$num_pkts,
-		c$resp$size, rs$num_rxmit_bytes);
-	}
diff --git a/policy/summaries/smb-summary.bro b/policy/summaries/smb-summary.bro
deleted file mode 100644
index 4ba9c575a0..0000000000
--- a/policy/summaries/smb-summary.bro
+++ /dev/null
@@ -1,251 +0,0 @@
-@load app-summary
-
-redef capture_filters += {
-	["netbios-dgm"] = "udp port 138",
-	["netbios-ssn"] = "tcp port 139",
-	["microsft-ds"] = "tcp port 445",
-};
-
-module SMB_summary;
-
-global smb_log = open_log_file("smb-summary") &redef;
-global chris_log = open_log_file("chris-summary") &redef;
-
-#const smb_transaction_func = {
-#	["SMB_COM_TRANSACTION", 0x0 ] = "\\PIPE\\LANMAN\\",
-#	["SMB_COM_TRANSACTION", 0x1 ] = "\\MAILSLOT\\",
-#	["SMB_COM_TRANSACTION", 0x54] = "CallNamedPipe",
-#	["SMB_COM_TRANSACTION", 0x53] = "WaitNamedPipe",
-#	["SMB_COM_TRANSACTION", 0x26] = "TransactNmPipe",
-#
-#	["SMB_COM_TRANSACTION2", 0x0] = "TRANS2_OPEN2",
-#	["SMB_COM_TRANSACTION2", 0x1] = "TRANS2_FIND_FIRST2",
-#	["SMB_COM_TRANSACTION2", 0x2] = "TRANS2_FIND_NEXT2",
-#	["SMB_COM_TRANSACTION2", 0x3] = "TRANS2_QUERY_FS_INFORMATION",
-#	["SMB_COM_TRANSACTION2", 0x5] = "TRANS2_QUERY_PATH_INFORMATION",
-#	["SMB_COM_TRANSACTION2", 0x6] = "TRANS2_SET_PATH_INFORMATION",
-#	["SMB_COM_TRANSACTION2", 0x7] = "TRANS2_QUERY_FILE_INFORMATION",
-#	["SMB_COM_TRANSACTION2", 0x8] = "TRANS2_SET_FILE_INFORMATION",
-#	["SMB_COM_TRANSACTION2", 0x0d] = "TRANS2_CREATE_DIRECTORY",
-#	["SMB_COM_TRANSACTION2", 0x0e] = "TRANS2_SESSION_SETUP",
-#	["SMB_COM_TRANSACTION2", 0x10] = "TRANS2_GET_DFS_REFERRAL",
-#} &default = function(cmd: string, subcmd: count): string
-#	{
-#	return fmt("%s/%d", cmd, subcmd);
-#	};
-
-type smb_req_resp: record {
-	connection_id: conn_id;
-	conn_start: time;
-	func: string;
-	cmd: string;
-	start: time;
-	num_req: count;
-	req_size: count;
-	num_resp: count;
-	resp_size: count;
-};
-
-type smb_req_reply_group: record {
-	trans: table[count] of smb_req_resp;
-	first_req: count;
-	last_req: count;
-};
-
-global smb_trans_table: table[conn_id] of smb_req_reply_group;
-
-function lookup_smb_req_reply_group(id: conn_id, create: bool): smb_req_reply_group
-	{
-	if ( id !in smb_trans_table )
-		{
-		if ( create )
-			{
-			local trans: table[count] of smb_req_resp;
-			smb_trans_table[id] = [
-				$trans = trans, $first_req = 1, $last_req = 0];
-			}
-		else
-			print fmt("SMB req_reply_group not found: %s",
-				conn_id_string(id));
-		}
-
-	return smb_trans_table[id];
-	}
-
-function new_smb_req_resp(c: connection, cmd: string): smb_req_resp
-	{
-	local id = c$id;
-	local g = lookup_smb_req_reply_group(id, T);
-
-	if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
-		print fmt("%.6f %s a new req_resp was triggered on a UDP connection!: %s",
-			network_time(), conn_id_string(id), cmd);
-
-	local t = [
-		$connection_id = id, $conn_start = c$start_time,
-		$cmd = cmd, $func = cmd,
-		$start = network_time(),
-		$num_req = 0, $req_size = 0,
-		$num_resp = 0, $resp_size = 0
-		];
-
-	++g$last_req;
-	g$trans[g$last_req] = t;
-
-	return g$trans[g$last_req];
-	}
-
-function end_smb_req_resp(t: smb_req_resp)
-	{
-	print_app_summary(smb_log, t$connection_id, t$conn_start,
-		t$func, t$start,
-		t$num_req, t$req_size,
-		t$num_resp, t$resp_size,
-		fmt("cmd %s", t$cmd));
-	}
-
-function lookup_smb_req_resp(c: connection, is_orig: bool, cmd: string): smb_req_resp
-	{
-	local id = c$id;
-	local g = lookup_smb_req_reply_group(id, T);
-
-	if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
-		print fmt("%.6f %s a lookup was triggered on a UDP connection!: %s",
-			network_time(), conn_id_string(id), cmd);
-
-	if ( g$first_req > g$last_req )
-		{
-		print fmt("%.6f %s request missing: %s",
-			network_time(), conn_id_string(id), cmd);
-		return new_smb_req_resp(c, cmd);
-		}
-
-	if ( is_orig )
-		{
-		return g$trans[g$last_req];
-		}
-	else if ( cmd == "(current)" )
-		{
-		return g$trans[g$first_req];
-		}
-	else
-		{
-		local t = g$trans[g$first_req];
-		if ( g$first_req < g$last_req )
-			{
-			end_smb_req_resp(t);
-			++g$first_req;
-			t = g$trans[g$first_req];
-			}
-		if ( t$cmd != cmd )
-			{
-			if ( g$first_req < g$last_req )
-				return lookup_smb_req_resp(c, is_orig, cmd);
-			print fmt("%.6f %s SMB command-reply mismatch",
-				network_time(), conn_id_string(id));
-			}
-		return t;
-		}
-	}
-
-event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd:
-						string, body_length: count, body : string)
-	{
-	print chris_log, fmt("%.6f %s %s", network_time(), conn_id_string(c$id), cmd);
-
-	local t: smb_req_resp;
-
-	if ( is_udp_port( c$id$orig_p ) || is_udp_port ( c$id$resp_p ) )
-		{
-		# dont need to keep track of UDP smb commands
-		print_app_summary(smb_log, c$id, network_time(),
-			cmd, network_time(),
-			0, 0, 0, 0,
-			fmt("cmd %s", cmd));
-		}
-	else if ( is_orig )
-		{
-		t = new_smb_req_resp(c, cmd);
-		++t$num_req;
-		t$req_size = t$req_size + body_length;
-		}
-	else
-		{
-		t = lookup_smb_req_resp(c, is_orig, cmd);
-		++t$num_resp;
-		t$resp_size = t$resp_size + body_length;
-		}
-	}
-
-event smb_error(c: connection, hdr: smb_hdr,  cmd: count, cmd_str: string, data: string)
-	{
-	print chris_log, fmt("%.6f %s SMB_ERROR:%s", network_time(), conn_id_string(c$id), cmd_str);
-	}
-
-event dce_rpc_bind(c: connection, uuid: string)
-	{
-	local id = c$id;
-	if ( id !in smb_trans_table )
-		return;
-	local t = lookup_smb_req_resp(c, T, "(current)");
-	t$func = "DCE_RPC_BIND";
-	}
-
-event dce_rpc_request(c: connection, opnum: count, stub: string)
-	{
-	local id = c$id;
-	if ( id !in smb_trans_table )
-		return;
-	local t = lookup_smb_req_resp(c, T, "(current)");
-	t$func = "DCE_RPC_CALL";
-	}
-
-event dce_rpc_response(c: connection, opnum: count, stub: string)
-	{
-	local id = c$id;
-	if ( id !in smb_trans_table )
-		return;
-	local t = lookup_smb_req_resp(c, F, "(current)");
-	t$func = "DCE_RPC_CALL";
-	}
-
-event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	if ( is_orig && !is_udp_port( c$id$orig_p ) )
-		{
-		local t = lookup_smb_req_resp(c, T, "(current)");
-		}
-	}
-
-event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	if ( is_orig && !is_udp_port( c$id$orig_p ) )
-		{
-		local t = lookup_smb_req_resp(c, T, "(current)");
-		}
-	}
-
-function end_smb_req_reply_group(g: smb_req_reply_group, index: count)
-	{
-	if ( index > g$last_req )
-		return;
-
-	if ( index >= g$first_req && index in g$trans )
-		end_smb_req_resp(g$trans[index]);
-
-	if( index in g$trans )
-		{
-		delete g$trans[index];
-		end_smb_req_reply_group(g, index + 1);
-		}
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id = c$id;
-	if ( !is_udp_port( id$orig_p ) && id in smb_trans_table )
-		{
-		local g = smb_trans_table[id];
-		end_smb_req_reply_group(g, 1);
-		}
-	}
diff --git a/policy/summaries/smb-tag.bro b/policy/summaries/smb-tag.bro
deleted file mode 100644
index 82813b5284..0000000000
--- a/policy/summaries/smb-tag.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-@load conn-util
-
-redef capture_filters += {
-	["smb"] = "tcp port 445",
-	["netbios-ss"] = "tcp port 139",
-};
-
-global smb_filename_tag: table[conn_id] of string &default = "";
-
-const log_smb_tags = T &redef;
-function get_smb_tag(id: conn_id): string
-	{
-	if ( id in smb_filename_tag )
-		return smb_filename_tag[id];
-	else
-		return "";
-	}
-
-module SMB_tag;
-
-global log = open_log_file("smb-tag") &redef;
-
-const well_known_files = {
-	"\\IPC$",
-	"\\print$",
-	"\\LANMAN",
-	"\\atsvc",
-	"\\AudioSrv",
-	"\\browser",
-	"\\cert",
-	"\\Ctx_Winstation_API_Service",
-	"\\DAV",
-	"\\dnsserver",
-	"\\epmapper",
-	"\\eventlog",
-	"\\HydraLsPipe",
-	"\\InitShutdown",
-	"\\keysvc",
-	"\\locator",
-	"\\llsrpc",
-	"\\lsarpc",
-	"\\msgsvc",
-	"\\netdfs",
-	"\\netlogon",
-	"\\ntsvcs",
-	"\\policyagent",
-	"\\ipsec",
-	"\\ProfMapApi",
-	"\\protected_storage",
-	"\\ROUTER",
-	"\\samr",
-	"\\scerpc",
-	"\\SECLOGON",
-	"\\SfcApi",
-	"\\spoolss",
-	"\\srvsvc",
-	"\\ssdpsrv",
-	"\\svcctl",
-	"\\tapsrv",
-	"\\trkwks",
-	"\\W32TIME",
-	"\\W32TIME_ALT",
-	"\\winlogonrpc",
-	"\\winreg",
-	"\\winspipe",
-	"\\wkssvc",
-	"\\lbl.gov",
-	"\\LBL"
-};
-
-function well_known_file(n: string): string
-	{
-	n = to_lower(n);
-	local a = "";
-	for ( p in well_known_files )
-		{
-		if ( strstr(n, to_lower(p)) > 0 )
-			if ( byte_len(p) > byte_len(a) )
-				a = p;
-		}
-	return a;
-	}
-
-function add_to_smb_filename_tag(c: connection, name: string): bool
-	{
-	if ( name == "\\PIPE\\" || name == "" )
-		return F;
-
-	local id = c$id;
-	local orig_tag = smb_filename_tag[id];
-
-	local n = well_known_file(name);
-	if ( n == "" )
-		{
-		if ( log_smb_tags )
-			print log, fmt("%.6f %s regular file: \"%s\"",
-				network_time(), conn_id_string(c$id), name);
-		n = "<file>";
-		}
-
-	n = fmt("\"%s\"", n);
-
-	if ( orig_tag == "" )
-		{
-		smb_filename_tag[id] = n;
-		}
-	else if ( strstr(orig_tag, n) == 0 )
-		{
-		smb_filename_tag[id] = cat(orig_tag, ",", n);
-		}
-
-	return T;
-	}
-
-event smb_com_nt_create_andx(c: connection, name: string)
-	{
-	add_to_smb_filename_tag(c, name);
-	}
-
-event smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
-		name: string, data: string)
-	{
-	add_to_smb_filename_tag(c, name);
-	}
-
-event smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
-		name: string, data: string)
-	{
-	add_to_smb_filename_tag(c, name);
-	}
-
-event smb_get_dfs_referral(c: connection, max_referral_level: count, file_name: string)
-	{
-	add_to_smb_filename_tag(c, file_name);
-	}
-
-event smb_com_tree_connect_andx(c: connection, path: string, service: string)
-	{
-	local basic = sub(path, /.*\\/, "\\");
-	if ( /\$$/ in basic )
-		add_to_smb_filename_tag(c, basic);
-	}
-
-event delete_smb_tag(c: connection)
-	{
-	delete smb_filename_tag[c$id];
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in smb_filename_tag )
-		{
-		if ( log_smb_tags )
-			print log, fmt("conn %s start %.6f SMB [%s]",
-				conn_id_string(c$id),
-				c$start_time,
-				smb_filename_tag[c$id]);
-		event delete_smb_tag(c);
-		}
-	}
diff --git a/policy/summaries/sun-rpc-summary.bro b/policy/summaries/sun-rpc-summary.bro
deleted file mode 100644
index 9f0f376cfd..0000000000
--- a/policy/summaries/sun-rpc-summary.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-@load app-summary
-@load rpc
-
-redef capture_filters += {
-	["port-map"] = "port 111",
-	["nfs"] = "port 2049",
-	# UDP packets are often fragmented
-	["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
-
-module SUN_RPC_summary;
-
-export {
-	global log = open_log_file("sun-rpc-summary") &redef;
-}
-
-global nfs_status: table[conn_id] of count;
-
-event nfs_reply_status(n: connection, status: count)
-	{
-	# print fmt("%.6f status = %d", network_time(), status);
-	nfs_status[n$id] = status;
-	}
-
-event rpc_call(c: connection, prog: count, ver: count, proc: count, status: count,
-		start_time: time, call_len: count, reply_len: count)
-	{
-	# print fmt("%.6f rpc_call", network_time());
-	local prog_name = RPC::program_name(prog);
-	local nfs_st = "n/a";
-	if ( c$id in nfs_status )
-		{
-		nfs_st = fmt("%d", nfs_status[c$id]);
-		# print fmt("%.6f get_status = %s", network_time(), nfs_st);
-		delete nfs_status[c$id];
-		}
-
-	print_app_summary(log, c$id, c$start_time,
-		fmt("%sv%d/%s",
-			prog_name,
-			ver,
-			RPC::procedure_name(prog, ver, proc)),
-		start_time,
-		1, call_len, status == RPC_TIMEOUT ? 0 : 1, reply_len,
-		fmt("rpc_status %s nfs_status %s", status, nfs_st));
-	}
diff --git a/policy/synflood.bro b/policy/synflood.bro
deleted file mode 100644
index 3c2ecde4b7..0000000000
--- a/policy/synflood.bro
+++ /dev/null
@@ -1,131 +0,0 @@
-# $Id: synflood.bro 4054 2007-03-05 21:45:58Z vern $
-
-@load notice
-
-redef enum Notice += {
-	SynFloodStart,    # start of syn-flood against a certain victim
-	SynFloodEnd,      # end of syn-flood against a certain victim
-	SynFloodStatus,   # report of ongoing syn-flood
-};
-
-# We report a syn-flood if more than SYNFLOOD_THRESHOLD new connections
-# have been reported within the last SYNFLOOD_INTERVAL for a certain IP.
-# (We sample the conns by one out of SYNFLOOD_SAMPLE_RATE, so the attempt
-# counter is an estimated value.). If a victim is identified, we install a
-# filter via install_dst_filter and sample the packets targeting it by
-# SYNFLOOD_VICTIM_SAMPLE_RATE.
-#
-# Ongoing syn-floods are reported every SYNFLOOD_REPORT_INTERVAL.
-
-global SYNFLOOD_THRESHOLD = 15000 &redef;
-global SYNFLOOD_INTERVAL = 60 secs &redef;
-global SYNFLOOD_REPORT_INTERVAL = 1 mins &redef;
-
-# Sample connections by one out of x.
-global SYNFLOOD_SAMPLE_RATE = 100 &redef;
-
-# Sample packets to known victims with probability x.
-global SYNFLOOD_VICTIM_SAMPLE_RATE = 0.01 &redef;
-
-global conn_attempts: table[addr] of count &default = 0;
-global victim_attempts: table[addr,addr] of count
-	&default = 0  &read_expire = 5mins;
-
-# We remember up to this many number of sources per victim.
-global max_sources = 100;
-global current_victims: table[addr] of set[addr] &read_expire = 60mins;
-global accumulated_conn_attempts: table[addr] of count &default = 0;
-
-global sample_count = 0;
-global interval_start: time = 0;
-
-# Using new_connection() can be quite expensive but connection_attempt() has
-# a rather large lag that may lead to detecting flood too late. Additionally,
-# it does not cover UDP/ICMP traffic.
-event new_connection(c: connection)
-	{
-	if ( c$id$resp_h in current_victims )
-		{
-		++conn_attempts[c$id$resp_h];
-
-		local srcs = current_victims[c$id$resp_h];
-		if ( length(srcs) < max_sources )
-			add srcs[c$id$orig_h];
-		return;
-		}
-
-	if ( ++sample_count % SYNFLOOD_SAMPLE_RATE == 0 )
-		{
-		local ip = c$id$resp_h;
-
-		if ( ++conn_attempts[ip] * SYNFLOOD_SAMPLE_RATE >
-		     SYNFLOOD_THRESHOLD )
-			{
-			NOTICE([$note=SynFloodStart, $src=ip,
-				   $msg=fmt("start of syn-flood against %s; sampling packets now", ip)]);
-
-			add current_victims[ip][c$id$orig_h];
-
-			# Drop most packets to victim.
-			install_dst_addr_filter(ip, 0,
-					1 - SYNFLOOD_VICTIM_SAMPLE_RATE);
-			# Drop all packets from victim.
-			install_src_addr_filter(ip, 0, 1.0);
-			}
-		}
-	}
-
-event check_synflood()
-	{
-	for ( ip in current_victims )
-		{
-		accumulated_conn_attempts[ip] =
-			accumulated_conn_attempts[ip] + conn_attempts[ip];
-
-		if ( conn_attempts[ip] * (1 / SYNFLOOD_VICTIM_SAMPLE_RATE) <
-		     SYNFLOOD_THRESHOLD )
-			{
-			NOTICE([$note=SynFloodEnd, $src=ip, $n=length(current_victims[ip]),
-				   $msg=fmt("end of syn-flood against %s; stopping sampling",
-					ip)]);
-
-			delete current_victims[ip];
-			uninstall_dst_addr_filter(ip);
-			uninstall_src_addr_filter(ip);
-			}
-		}
-
-	clear_table(conn_attempts);
-	schedule SYNFLOOD_INTERVAL { check_synflood() };
-	}
-
-event report_synflood()
-	{
-	for ( ip in current_victims )
-		{
-		local est_num_conn = accumulated_conn_attempts[ip] *
-					(1 / SYNFLOOD_VICTIM_SAMPLE_RATE);
-
-		local interv: interval;
-
-		if ( interval_start != 0 )
-			interv = network_time() - interval_start;
-		else
-			interv = SYNFLOOD_INTERVAL;
-
-		NOTICE([$note=SynFloodStatus, $src=ip, $n=length(current_victims[ip]),
-			   $msg=fmt("syn-flood against %s; estimated %.0f connections in last %s",
-				    ip, est_num_conn, interv)]);
-		}
-
-	clear_table(accumulated_conn_attempts);
-
-	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
-	interval_start = network_time();
-	}
-
-event bro_init()
-	{
-	schedule SYNFLOOD_INTERVAL { check_synflood() };
-	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
-	}
diff --git a/policy/targeted-scan.bro b/policy/targeted-scan.bro
deleted file mode 100644
index 09922644ba..0000000000
--- a/policy/targeted-scan.bro
+++ /dev/null
@@ -1,114 +0,0 @@
-# $Id:$
-#
-# Drop external hosts that continually bang away on a particular open port.
-#
-# Note that we time out identified scanners to avoid excessive memory
-# utilitization in the event of a wide scan across address space.
-
-@load notice
-@load site
-
-module TargetedScan;
-
-export {
-	redef enum Notice += { TargetedScan, };
-
-	# If true, then only consider traffic from external sources.
-	global external_only = T &redef;
-
-	# Which ports to consider.
-	const ports = { 1433/tcp, } &redef;
-
-	# If set, at least/most this many bytes need to be transferred for
-	# a connection using the given port.  These are useful for example
-	# for inferring that SSH connections reflect password-guessing
-	# attempts.
-	const min_bytes: table[port] of count &redef;
-	const max_bytes: table[port] of count &redef;
-
-	# If set, then this is the threshold for reportin accessing
-	# for a given service.
-	const port_threshold: table[port] of count &redef;
-
-	# Otherwise, this is the threshold.
-	const general_threshold = 1000 &redef;
-
-	# The data structure we use to track targeted probing.
-	# It's exported to enable redef'ing the &write_expire value.
-	global targeted_tries: table[addr, addr, port] of count
-		&default=0 &write_expire=10 min &redef;
-}
-
-function delete_targeted_data(orig: addr, resp: addr, service: port)
-	{
-	delete targeted_tries[orig, resp, service];
-	}
-
-function targeted_check(c: connection)
-	{
-	local id = c$id;
-	local orig = id$orig_h;
-	local resp = id$resp_h;
-	local service = ("ftp-data" in c$service) ? 20/tcp : id$resp_p;
-
-	if ( service !in ports || (external_only && is_local_addr(orig)) )
-		return;
-
-	local bytes_xferred = c$orig$size + c$resp$size;
-
-	if ( service in min_bytes && bytes_xferred < min_bytes[service] )
-		return;
-	if ( service in max_bytes && bytes_xferred > max_bytes[service] )
-		return;
-
-	local cnt = ++targeted_tries[orig, resp, service];
-
-	if ( service in port_threshold )
-		{
-		if ( cnt != port_threshold[service] )
-			return;
-		}
-
-	else if ( cnt != general_threshold )
-		return;
-		
-	local svc = service in port_names ?
-			port_names[service] : fmt("%s", service);
-
-	NOTICE([$note=TargetedScan, $src=orig, $dst=resp, $p=service,
-		$msg=fmt("targeted attack on service %s, count = %d", svc, cnt)]);
-
-	# Since we've reported this host, we can stop tracking it.
-	delete targeted_tries[orig, resp, service];
-	}
-
-
-event connection_finished(c: connection)
-	{
-	targeted_check(c);
-	}
-
-event connection_rejected(c: connection)
-	{
-	targeted_check(c);
-	}
-
-event connection_half_finished(c: connection)
-	{
-	targeted_check(c);
-	}
-
-event connection_reset(c: connection)
-	{
-	targeted_check(c);
-	}
-
-event connection_partial_close(c: connection)
-	{
-	targeted_check(c);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	targeted_check(c);
-	}
diff --git a/policy/tcp.bro b/policy/tcp.bro
deleted file mode 100644
index fd561180bb..0000000000
--- a/policy/tcp.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Generic TCP connection processing.
-
-@load conn
-
-redef capture_filters += { ["tcp"] = "tcp[13] & 7 != 0" };
-# redef capture_filters += { ["tcp"] = "(tcp[13] & 7 != 0) or (ip6[53] & 7 != 0)" };
diff --git a/policy/terminate-connection.bro b/policy/terminate-connection.bro
deleted file mode 100644
index 8ee6c4f090..0000000000
--- a/policy/terminate-connection.bro
+++ /dev/null
@@ -1,65 +0,0 @@
-# $Id$
-
-@load site
-@load notice
-
-# Ugly: we need the following from conn.bro, but we can't soundly load
-# it because it in turn loads us.
-global full_id_string: function(c: connection): string;
-
-module TerminateConnection;
-
-export {
-	redef enum Notice += {
-		TerminatingConnection,	# connection will be terminated
-		TerminatingConnectionIgnored,	# connection terminated disabled
-	};
-
-	# Whether we're allowed (and/or are capable) to terminate connections
-	# using "rst".
-	const activate_terminate_connection = F &redef;
-
-	# Terminate the given connection.
-	global terminate_connection: function(c: connection);
-
-}
-
-function terminate_connection(c: connection)
-	{
-	local id = c$id;
-
-	if ( activate_terminate_connection )
-		{
-		local local_init = is_local_addr(id$orig_h);
-
-		local term_cmd = fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d",
-					local_init ? "-R" : "",
-					id$orig_h, id$orig_p, get_orig_seq(id),
-					id$resp_h, id$resp_p, get_resp_seq(id));
-
-		if ( reading_live_traffic() )
-			system(term_cmd);
-		else
-			NOTICE([$note=TerminatingConnection, $conn=c,
-				$msg=term_cmd, $sub="first termination command"]);
-
-		term_cmd = fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
-				local_init ? "-R" : "",
-				id$orig_h, id$orig_p, get_orig_seq(id),
-				id$resp_h, id$resp_p, get_resp_seq(id));
-
-		if ( reading_live_traffic() )
-			system(term_cmd);
-		else
-			NOTICE([$note=TerminatingConnection, $conn=c,
-				$msg=term_cmd, $sub="second termination command"]);
-
-		NOTICE([$note=TerminatingConnection, $conn=c,
-			$msg=fmt("terminating %s", full_id_string(c))]);
-		}
-
-	else
-		NOTICE([$note=TerminatingConnectionIgnored, $conn=c,
-			$msg=fmt("ignoring request to terminate %s",
-					full_id_string(c))]);
-	}
diff --git a/policy/tftp.bro b/policy/tftp.bro
deleted file mode 100644
index d1f3e43746..0000000000
--- a/policy/tftp.bro
+++ /dev/null
@@ -1,33 +0,0 @@
-# $Id: tftp.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Very simplistic - doesn't pick up the replies.
-
-@load notice
-@load udp-common
-@load site
-
-module TFTP;
-
-export {
-	redef enum Notice += {
-		OutboundTFTP,		# outbound TFTP seen
-	};
-}
-
-redef capture_filters += { ["tftp"] = "udp port 69" };
-
-global tftp_notice_count: table[addr] of count &default = 0 &read_expire = 7 days;
-
-event udp_request(u: connection)
-	{
-	if ( u$id$resp_p == 69/udp && u$id$orig_p >= 1024/udp )
-		{
-		local src = u$id$orig_h;
-		local dst = u$id$resp_h;
-
-		if ( is_local_addr(src) && ! is_local_addr(dst) &&
-		     ++tftp_notice_count[src] == 1 )
-			NOTICE([$note=OutboundTFTP, $conn=u,
-				$msg=fmt("outbound TFTP: %s -> %s", src, dst)]);
-		}
-	}
diff --git a/policy/time-machine/time-machine.bro b/policy/time-machine/time-machine.bro
deleted file mode 100644
index 98e37437ae..0000000000
--- a/policy/time-machine/time-machine.bro
+++ /dev/null
@@ -1,278 +0,0 @@
-# $Id: time-machine.bro,v 1.1.2.8 2006/01/06 01:51:37 sommer Exp $
-#
-# Low-level time-machine interface.
-
-@load notice
-
-module TimeMachine;
-
-export {
-	# Request to send us a connection.  Automatically subscribes
-	# and suspends cut-off.
-	#
-	#   start : time where to start searching (0 for as early as possible).
-	#   in_mem: only scan TM's memory-buffer but not any on-disk data.
-	#   descr: description to be written to log file to identify the query
-	#
-	# Returns tag of this query.
-	global request_connection:
-		function(c: connection, in_mem: bool, descr: string) : string;
-
-	# id$orig_p = 0/tcp acts as wildcard.
-	global request_connection_id:
-		function(id: conn_id, start: time, in_mem: bool, descr: string)
-		: string;
-
-	# Request to save connection to file in TM host.  Automatically
-	# suspends cut-off.
-	#
-	#   filename: destination file on TM host.
-	#   start   : time where to start searching (0 = as early as possible).
-	#   in_mem  : only scan TM's memory-buffer, but not any on-disk data.
-	global capture_connection:
-		function(filename: string, c: connection, in_mem: bool,
-				descr: string);
-
-	# id$orig_p = 0/tcp acts as wildcard.
-	global capture_connection_id:
-		function(filename: string, id: conn_id, start: time,
-				in_mem: bool, descr: string);
-
-	# Request to send everything involving a certain host to us.
-	# Always searches mem and disk buffers.
-	#
-	#   host : address of host
-	#   start: time where to start searching (0 for as early as possible).
-	#
-	# Returns tag of this query.
-	global request_addr: function(host: addr, start: time,
-				in_mem: bool, descr: string) : string;
-
-	# Don't issue duplicate queries.  Should be on for normal use;
-	# only need to turn off for benchmarking.
-	global filter_duplicates = T &redef;
-
-	# Automatically issue suspend_cutoff as specified above.
-	# Should be on for normal use; off only used for benchmarking.
-	global auto_suspend_cutoff = T &redef;
-
-	# Automatically subscribe as specified above.
-	# Should be on for normal use; off only used for benchmarking.
-	global auto_subscribe = F &redef;
-
-	# Automatically set start time for query.
-	# Should be on for normal use; off only used for benchmarking.
-	global auto_set_start = T &redef;
-
-	# Request to save everything involving a certain host.
-	# Always searches mem and disk buffers.
-	#
-	#   filename: destination file on TM host.
-	#   host : address of host
-	#   start: time where to start searching (0 for as early as possible).
-	#
-	global capture_addr: function(filename: string, host: addr,
-					start: time, in_mem: bool,
-					descr: string);
-
-	# Prevent the TM from cutting the connection off.
-	global suspend_cut_off: function(c: connection, descr: string);
-
-	# id$orig_p = 0/tcp acts as wildcard.
-	global suspend_cut_off_id: function(id: conn_id, descr: string);
-
-	type Direction: enum {
-		ORIG,	# connections originating from host
-		RESP,	# connections responded to by host
-		BOTH	# independent of direction
-	};
-
-	# Change the TM class for given IP.
-	global set_class: function(host: addr, class: string, dir: Direction,
-					descr: string);
-
-	# Revoke class assignment for IP.
-	global unset_class: function(host: addr, descr: string);
-
-	# ID of this Bro instance for TM queries.  Automatically set.
-	global feed_id = "";
-}
-
-global tag = 0;
-
-global cmds: table[string] of string &read_expire = 1 day;
-
-global command: event(cmd: string);
-global descrs: table[string] of string;
-
-global profile: file;
-global logfile = open_log_file("tm");
-
-function id2str(id: conn_id, include_index: bool) : string
-	{
-	local index = "";
-	if ( include_index )
-		index = id$orig_p != 0/tcp ? "connection4 " : "connection3 ";
-
-	if ( id$orig_p != 0/tcp)
-		return fmt("%s\"%s %s:%d %s:%d\"", index,
-			get_port_transport_proto(id$resp_p),
-			id$orig_h, id$orig_p,
-			id$resp_h, id$resp_p);
-	else
-		return fmt("%s\"%s %s %s:%d\"", index,
-			get_port_transport_proto(id$resp_p),
-			id$orig_h,
-			id$resp_h, id$resp_p);
-	}
-
-function issue_query(result: string, add_tag: bool, cmd: string,
-			start: time, in_mem: bool, sub: bool, descr: string) : string
-	{
-	local key = fmt("%s %s", result, cmd);
-	local qtag = "";
-
-	if ( key in cmds && filter_duplicates )
-		return cmds[key];
-
-	if ( add_tag )
-		{
-		qtag = fmt("t%x", ++tag);
-		result = fmt("%s tag %s", result, qtag);
-		}
-
-	local range = "";
-
-	if ( time_to_double(start) > 0.0 && auto_set_start )
-		{ # We subtract a few seconds to allow for clock skew.
-		start = start -  2 secs;
-		range += fmt("start %.6f end 9876543210 ", start);
-		}
-
-	if ( in_mem )
-		range += "mem_only ";
-
-	if ( sub )
-		range += "subscribe ";
-
-	local c = fmt("query %s %s %s", result, cmd, range);
-	descrs[c] = descr;
-
-	if ( time_machine_profiling )
-		print profile, fmt("%.6f %s %s", current_time(),
-					(qtag != "" ? qtag : "-"), c);
-
-	event TimeMachine::command(c);
-
-	cmds[key] = qtag;
-
-	return qtag;
-	}
-
-function issue_command(cmd: string, descr: string)
-	{
-	if ( cmd in cmds && filter_duplicates )
-		return;
-
-	descrs[cmd] = descr;
-	event TimeMachine::command(cmd);
-
-	cmds[cmd] = "";
-	}
-
-function request_connection(c: connection, in_mem: bool, descr: string) : string
-	{
-	return request_connection_id(c$id, c$start_time, in_mem, descr);
-	}
-
-function request_connection_id(id: conn_id, start: time, in_mem: bool,
-				descr: string) : string
-	{
-	if ( auto_suspend_cutoff )
-		suspend_cut_off_id(id, descr);
-	return issue_query(fmt("feed %s", feed_id), T,
-		fmt("index %s", id2str(id, T)), start, in_mem,
-			auto_subscribe, descr);
-	}
-
-function capture_connection(filename: string, c: connection,
-				in_mem: bool, descr: string)
-	{
-	capture_connection_id(filename, c$id, c$start_time, in_mem, descr);
-	}
-
-function capture_connection_id(filename: string, id: conn_id, start: time,
-				in_mem: bool, descr: string)
-	{
-	if ( auto_suspend_cutoff )
-		suspend_cut_off_id(id, descr);
-
-	issue_query(fmt("to_file \"%s\"", filename), F,
-			fmt("index %s", id2str(id, T)),
-			start, in_mem, auto_subscribe, descr);
-	}
-
-function request_addr(host: addr, start: time, in_mem: bool, descr: string)
-: string
-	{
-	return issue_query(fmt("feed %s", feed_id), T,
-			fmt("index ip \"%s\"", host), start, in_mem, F, descr);
-	}
-
-function capture_addr(filename: string, host: addr, start: time,
-			in_mem: bool, descr: string)
-	{
-	issue_query(fmt("to_file \"%s\"", filename), F,
-			fmt("index ip \"%s\"", host), start, in_mem, F, descr);
-	}
-
-function suspend_cut_off(c: connection, descr: string)
-	{
-	suspend_cut_off_id(c$id, descr);
-	}
-
-function suspend_cut_off_id(id: conn_id, descr: string)
-	{
-	issue_command(fmt("suspend_cutoff %s", id2str(id, F)), descr);
-	}
-
-function set_class(host: addr, class: string, dir: Direction, descr: string)
-	{
-	local d = "";
-
-	if ( dir == ORIG )
-		d = " orig";
-	else if ( dir == RESP )
-		d = " resp";
-
-	issue_command(fmt("set_dyn_class %s %s%s", host, class, d), descr);
-	}
-
-function unset_class(host: addr, descr: string)
-	{
-	issue_command(fmt("unset_dyn_class %s", host), descr);
-	}
-
-event command(cmd: string)
-	{
-	# We might not know the command if we're just relaying the event
-	# from external.
-	if ( cmd in descrs )
-		{
-		local descr = descrs[cmd];
-		delete descrs[cmd];
-
-		print logfile, fmt("%.6f %.6f [%s] %s", network_time(), current_time(), descr, cmd);
-		}
-	}
-
-event bro_init()
-	{
-	set_buf(logfile, F);
-
-	# Create a feed ID that's unique across restarts w/ high probability.
-	feed_id = fmt("%s-%d-%d", gethostname(), getpid(), rand(100));
-
-	if ( time_machine_profiling )
-		profile = open_log_file("tm-prof.queries");
-	}
diff --git a/policy/time-machine/tm-capture.bro b/policy/time-machine/tm-capture.bro
deleted file mode 100644
index a322f25263..0000000000
--- a/policy/time-machine/tm-capture.bro
+++ /dev/null
@@ -1,91 +0,0 @@
-# $Id: tm-capture.bro,v 1.1.2.1 2006/01/04 03:52:02 sommer Exp $
-#
-# For each non-scan alert, we can
-#   (a) tell the time-machine to permanently store the connection's packets
-#   (b) request the connection, to store the (reassembled) payload ourselves
-#   (c) request all other traffic from that IP within the last X hours
-#   (d) store all other traffic from that IP within the last X hours
-
-@load time-machine
-@load tm-contents
-@load notice
-@load scan
-
-module TimeMachineCapture;
-
-export {
-	# Request past traffic. Set to 0 to disable.
-	# This does on-disk queries, potentially expensive.
-	const history_interval = 0 hrs &redef;
-
-	# Capture past traffic. Set to 0 to disable.
-	# This does on-disk queries, potentially expensive.
-	const history_capture_interval = 0 hrs &redef;
-
-	const ignore_notices: set[Notice] = {
-		Scan::AddressScan,
-		Scan::PortScan,
-	} &redef;
-}
-
-@ifdef ( TimeMachineGap::ContentGapTmAndLink )
-redef ignore_notices += {
-	TimeMachineGap::ContentGapTmAndLink,
-	TimeMachineGap::ContentGapSolved,
-};
-@endif
-
-global hosts: set[addr] &create_expire = history_capture_interval;
-
-global dbg = open_log_file("tm-capture");
-
-event notice_alarm(n: notice_info, action: NoticeAction)
-	{
-	if ( n$note in ignore_notices )
-		return;
-
-	if ( ! n?$id )
-		return;
-
-	if ( n?$conn && is_external_connection(n$conn) )
-		return;
-
-	local id = n$id;
-	local start: time;
-
-	if ( n?$conn )
-		start = n$conn$start_time;
-	else if ( connection_exists(id) )
-		start = lookup_connection(id)$start_time;
-	else
-		start = network_time() - 5 min;	# shouldn't usually get here
-
-	local tag = fmt("conn.%s", n$tag);
-	n$captured = tag;
-
-	# It should be in the TM's memory.
-	TimeMachine::capture_connection_id(fmt("%s.pcap", tag), id, start,
-						T, "tm-capture");
-
-	if ( get_port_transport_proto(id$resp_p) == tcp )
-		{
-		n$captured += " (contents)";
-		TimeMachine::save_contents_id(tag, id, start, T, "tm-capture");
-		}
-
-	if ( n$src !in hosts )
-		{
-		if ( history_interval != 0 sec )
-			TimeMachine::request_addr(n$src,
-					network_time() - history_interval, F,
-					"tm-capture");
-
-		if ( history_capture_interval != 0secs )
-			TimeMachine::capture_addr(fmt("host.%s.%s.pcap",
-					n$src, n$tag), n$src,
-					network_time() - history_capture_interval, F,
-					"tm-capture");
-
-		add hosts[n$src];
-		}
-	}
diff --git a/policy/time-machine/tm-class.bro b/policy/time-machine/tm-class.bro
deleted file mode 100644
index 4d69308517..0000000000
--- a/policy/time-machine/tm-class.bro
+++ /dev/null
@@ -1,22 +0,0 @@
-# $Id:$
-#
-# Changes the class for addresses that have generated alerts.
-
-@load time-machine
-@load notice
-@load scan
-
-event notice_alarm(n: notice_info, action: NoticeAction)
-	{
-	if ( ! n?$src )
-		return;
-
-	if ( n?$conn && is_external_connection(n$conn) )
-		return;
-
-	local class = "alarm";
-	if ( n$note == Scan::AddressScan || n$note == Scan::PortScan )
-		class = "scanner";
-
-	TimeMachine::set_class(n$src, class, TimeMachine::BOTH, "tm-class");
-	}
diff --git a/policy/time-machine/tm-contents.bro b/policy/time-machine/tm-contents.bro
deleted file mode 100644
index ea921342ae..0000000000
--- a/policy/time-machine/tm-contents.bro
+++ /dev/null
@@ -1,111 +0,0 @@
-# $Id:$
-#
-# Provides a function that requests a particular connection from the
-# Time Machine and stores the subsequent reassembled payload into a
-# local file.
-
-@load time-machine
-
-module TimeMachine;
-
-export {
-	global save_contents:
-		function(filename_prefix: string, c: connection,
-				in_mem: bool, descr: string);
-
-	global save_contents_id:
-		function(filename_prefix: string, id: conn_id, start: time,
-				in_mem: bool, descr: string);
-
-	# Raised when contents have been fully saved.
-	global contents_saved:
-		event(c: connection, orig_file: string, resp_file: string);
-
-	const contents_dir = "tm-contents" &redef;
-	}
-
-# Table associating TM tag with filename.
-global requested_conns: table[string] of string;
-
-type fnames: record {
-	orig: string;
-	resp: string;
-	orig_f: file;
-	resp_f: file;
-	};
-
-global external_conns: table[conn_id] of fnames;
-
-function save_contents(filename_prefix: string, c: connection,
-			in_mem: bool, descr: string)
-	{
-	if ( is_external_connection(c) )
-		return;
-
-	save_contents_id(filename_prefix, c$id, c$start_time, in_mem, descr);
-	}
-
-function save_contents_id(filename_prefix: string, id: conn_id, start: time,
-				in_mem: bool, descr: string)
-	{
-	TimeMachine::suspend_cut_off_id(id, descr);
-	local qtag = TimeMachine::request_connection_id(id, start, in_mem, descr);
-	if ( qtag == "" )
-		return;
-
-	requested_conns[qtag] = filename_prefix;
-	}
-
-event connection_external(c: connection, tag: string)
-	{
-	if ( tag !in requested_conns )
-		return;
-
-	local fn = requested_conns[tag];
-	local id = c$id;
-	local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-
-	local orig_fn = fmt("%s/%s.%s.orig.dat", contents_dir, fn, idstr);
-	local resp_fn = fmt("%s/%s.%s.resp.dat", contents_dir, fn, idstr);
-	local orig_f = open(orig_fn);
-	local resp_f = open(resp_fn);
-
-	set_contents_file(c$id, CONTENTS_ORIG, orig_f);
-	set_contents_file(c$id, CONTENTS_RESP, resp_f);
-
-	delete requested_conns[tag];
-	external_conns[c$id] =
-		[$orig=orig_fn, $resp=resp_fn, $orig_f=orig_f, $resp_f=resp_f];
-	}
-
-event delayed_contents_saved(c: connection, orig_file: string, resp_file: string)
-	{
-	schedule 2 min { TimeMachine::contents_saved(c, orig_file, resp_file) };
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( ! is_external_connection(c) )
-		return;
-
-	if ( c$id !in external_conns )
-		return;
-
-	local fn = external_conns[c$id];
-
-	close(fn$orig_f);
-	close(fn$resp_f);
-
-	# FIXME: We delay this a bit as there seems to be some race-condition
-	# with the file's data being flushed to disk.  Not sure why, though.
-	# However, we need to delay indirectly through another event to
-	# install it into the global timer manager.
-	event delayed_contents_saved(c, fn$orig, fn$resp);
-
-	delete external_conns[c$id];
-	}
-
-event bro_init()
-	{
-	mkdir(contents_dir);
-	}
diff --git a/policy/time-machine/tm-ftp.bro b/policy/time-machine/tm-ftp.bro
deleted file mode 100644
index cc09fc8328..0000000000
--- a/policy/time-machine/tm-ftp.bro
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: tm-ftp.bro,v 1.1.2.1 2006/01/04 03:55:48 sommer Exp $
-#
-# For sensitive FTP connections, request the data connection from the TM.
-# When we get it, we store the reassembled payload and run the file-analyzer
-# (the latter is automatically done by ftp.bro).
-
-@load time-machine
-@load tm-contents
-@load ftp
-
-module TimeMachineFTP;
-
-global data_conns: table[count] of conn_id;
-
-event ftp_sensitive_file(c: connection, session: FTP::ftp_session_info,
-				filename: string)
-	{
-	if ( is_external_connection(c) )
-		return;
-
-	if ( session$id !in data_conns )
-		# Should not happen, as transfer parameters need to be
-		# negotiated first.  We let ftp.bro deal with this, though.
-		return;
-
-	local id = data_conns[session$id];
-	TimeMachine::save_contents(fmt("ftp.%s", session$id), c, T, "tm-ftp");
-	}
-
-event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
-				resp_p: port, session: FTP::ftp_session_info)
-	{
-	data_conns[session$id] =
-		[$orig_h=orig_h, $orig_p=0/tcp, $resp_h=resp_h, $resp_p=resp_p];
-	}
-
-event connection_state_remove(c: connection)
-		&priority = 5 # to be called before FTP's handler
-	{
-	if ( c$id in FTP::ftp_sessions )
-		delete data_conns[FTP::ftp_sessions[c$id]$id];
-	}
diff --git a/policy/time-machine/tm-gap.bro b/policy/time-machine/tm-gap.bro
deleted file mode 100644
index e97d6a848a..0000000000
--- a/policy/time-machine/tm-gap.bro
+++ /dev/null
@@ -1,127 +0,0 @@
-# $Id: tm-gap.bro,v 1.1.2.1 2006/01/05 22:38:37 sommer Exp $
-#
-# When we see a content gap, we request the same connection from the TM.
-# If we get it from there completely, fine.  If not, we check whether the
-# gap is at the same place as before, which would indicate that the packet
-# was indeed missing on the link.
-
-@load conn-id
-@load time-machine
-
-module TimeMachineGap;
-
-export {
-	# If true, we assume a BPF filter that includes *all* data packets.
-	const seeing_all_packets = F &redef;
-
-	# Exclude these ports.
-	const ignore_ports = { 80/tcp, 22/tcp, 443/tcp };
-
-	redef enum Notice += {
-		# A connection has at least one gap that matches a gap
-		# on the link.
-		ContentGapTmAndLink,
-
-		# A connection that had a gap on the link has been fully
-		# received from the TM.
-		ContentGapSolved,
-	};
-}
-
-type gap : record {
-	is_orig: bool;
-	seq: count;
-	length: count;
-};
-
-# Remembers the first gap per connection.
-# (FIXME: Would it make sense to remember all gaps?)
-global conns: table[conn_id] of gap;
-
-global f = open_log_file("gap");
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
-	{
-	if ( ! is_external_connection(c) )
-		{
-		if ( c$id in conns )
-			# We already requested the conn.
-			return;
-
-		if ( c$id$resp_p in ignore_ports )
-			return;
-
-		# It only makes sense to request the connection if we are
-		# not just analyzing TCP control packets for it.  There's
-		# no perfect way to determine whether we do so but, as a
-		# heuristic, we assume that we are supposed to see data
-		# packets if:
-		#
-		# (1) the service port is well-known for one of our analyzers
-		#     (because then the analyzer script is loaded which extends
-		#     the capture filter accordingly; or
-		# (2) the user explicitly tells us they are using a filter that
-		#     includes all packets (e.g., DPD); or
-		# (3) (special case) it's an HTTP reply, but we only
-		#     load http-request.
-
-		if ( ! seeing_all_packets )
-			{
-			if ( c$id$resp_p !in dpd_analyzer_ports )
-				return;
-
-			if ( c$id$resp_p in dpd_analyzer_ports && ! is_orig &&
-			     ANALYZER_HTTP in dpd_analyzer_ports[c$id$resp_p])
-				{
-@ifdef ( process_HTTP_replies )
-				if ( ! process_HTTP_replies )
-@endif
-				return;
-				}
-			}
-
-		local g: gap = [$is_orig=is_orig, $seq=seq, $length=length];
-		conns[c$id] = g;
-
-		# Should be in TM's memory.
-		TimeMachine::request_connection(c, T, "tm-gap");
-
-		print f, "ask", id_string(c$id);
-		}
-
-	else
-		{ # a gap in a connection from the TM
-		if ( c$id !in conns )
-			# Will be reported as ContentGap by weird.bro.
-			return;
-
-		local h = conns[c$id];
-
-		if ( h$is_orig == is_orig && h$seq == seq && h$length == length )
-			{
-			NOTICE([$note=ContentGapTmAndLink, $conn=c,
-				$msg=fmt("%s same content gap on link and from time-machine (%s %d/%d)",
-					 id_string(c$id),
-					 is_orig ? ">" : "<", seq, length)]);
-			}
-
-		delete conns[c$id];
-		}
-	}
-
-event connection_external(c: connection, tag: string)
-	{
-	if ( c$id in conns )
-		print f, "got", id_string(c$id);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id in conns && is_external_connection(c) )
-		{ # It's still in the table, so we got it completely. Yippie!
-		NOTICE([$note=ContentGapSolved, $conn=c,
-			$msg=fmt("%s content gap(s) solved by time-machine",
-					id_string(c$id))]);
-		delete conns[c$id];
-		}
-	}
diff --git a/policy/time-machine/tm-http.bro b/policy/time-machine/tm-http.bro
deleted file mode 100644
index ad9d997ffc..0000000000
--- a/policy/time-machine/tm-http.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: tm-http.bro,v 1.1.2.1 2005/11/29 21:39:05 sommer Exp $
-#
-# Requests connections from time-machine for which we have seen a sensitive URI.
-
-@load http
-@load time-machine
-
-redef notice_policy += {
-	[$pred(a: notice_info) =
-		{
-		if ( a$note == HTTP::HTTP_SensitiveURI &&
-		     a?$conn && ! is_external_connection(a$conn) )
-			TimeMachine::request_connection(a$conn, T, "tm-http");
-		return F;
-		},
-	 $result = NOTICE_FILE,	# irrelevant, since we always return F
-	 $priority = 1]
-};
diff --git a/policy/trw-impl.bro b/policy/trw-impl.bro
deleted file mode 100644
index fc3fcd837a..0000000000
--- a/policy/trw-impl.bro
+++ /dev/null
@@ -1,191 +0,0 @@
-# $Id: trw.bro 2911 2006-05-06 17:58:43Z vern $
-
-@load notice
-@load port-name
-@load hot
-
-module TRW;
-
-export {
-	redef enum Notice += {
-		TRWAddressScan,	# source flagged as scanner by TRW algorithm
-		TRWScanSummary,	# summary of scanning activities reported by TRW
-	};
-
-	# Activate TRW if T.
-	global use_TRW_algorithm = F &redef;
-
-	# Tell TRW not to flag a friendly remote.
-	global do_not_flag_friendly_remotes = T &redef;
-
-	# Set of services for outbound connections that are possibly triggered
-	# by incoming connections.
-	const triggered_outbound_services = { ident, finger, 20/tcp, } &redef;
-
-	# The following correspond to P_D and P_F in the TRW paper, i.e., the
-	# desired detection and false positive probabilities.
-	global target_detection_prob = 0.99 &redef;
-	global target_false_positive_prob = 0.01 &redef;
-
-	# Given a legitimate remote, the probability that its connection
-	# attempt will succeed.
-	global theta_zero = 0.8 &redef;
-
-	# Given a scanner, the probability that its connection attempt
-	# will succeed.
-	global theta_one  = 0.2 &redef;
-
-
-	# These variables the user usually won't alter, except they
-	# might want to adjust the expiration times, which is why
-	# they're exported here.
-	global scan_sources: set[addr] &write_expire = 1 hr;
-	global benign_sources: set[addr] &write_expire = 1 hr;
-
-	global failed_locals: set[addr, addr] &write_expire = 30 mins;
-	global successful_locals: set[addr, addr] &write_expire = 30 mins;
-
-	global lambda: table[addr] of double
-		&default = 1.0 &write_expire = 30 mins;
-	global num_scanned_locals:
-		table[addr] of count &default = 0 &write_expire = 30 mins;
-
-	# Function called to perform TRW analysis.
-	global check_TRW_scan: function(c: connection, state: string,
-					reverse: bool): bool;
-}
-
-# Set of remote hosts that have been successfully accessed by local hosts.
-global friendly_remotes: set[addr] &read_expire = 30 mins;
-
-# Set of local honeypot hosts - for internal use at LBL.
-global honeypot: set[addr];
-
-# Approximate solutions for upper and lower thresholds.
-global eta_zero: double;	# initialized when Bro starts
-global eta_one: double;
-
-event bro_init()
-	{
-	eta_zero =
-		(1 - target_detection_prob) / (1 - target_false_positive_prob);
-	eta_one = target_detection_prob / target_false_positive_prob;
-	}
-
-
-event TRW_scan_summary(orig: addr)
-	{
-	NOTICE([$note=TRWScanSummary, $src=orig,
-		$msg=fmt("%s scanned a total of %d hosts",
-		orig, num_scanned_locals[orig])]);
-	}
-
-function check_TRW_scan(c: connection, state: string, reverse: bool): bool
-	{
-	local id = c$id;
-
-	local service = "ftp-data" in c$service ? 20/tcp
-		: (reverse ? id$orig_p : id$resp_p);
-	local orig = reverse ? id$resp_h : id$orig_h;
-	local resp = reverse ? id$orig_h : id$resp_h;
-	local outbound = is_local_addr(orig);
-
-	# Mark a remote as friendly if it is successfully accessed by
-	# a local with protocols other than triggered_outbound_services.
-	# XXX There is an ambiguity to determine who initiated a
-	# connection when the status is "OTH".
-	if ( outbound )
-		{
-		if ( resp !in scan_sources &&
-		     service !in triggered_outbound_services &&
-		     orig !in honeypot && state != "OTH" )
-			add friendly_remotes[resp];
-
-		return F;
-		}
-
-	if ( orig in scan_sources )
-		return T;
-
-	if ( orig in benign_sources )
-		return F;
-
-	if ( do_not_flag_friendly_remotes && orig in friendly_remotes )
-		return F;
-
-	# Start TRW evaluation.
-	local flag = +0;
-	local resp_byte = reverse ? c$orig$size : c$resp$size;
-	local established = T;
-
-	if ( state == "S0" || state == "REJ" || state == "OTH" ||
-	     (state == "RSTOS0" && resp_byte <= 0) )
-		established = F;
-
-	if ( ! established || resp in honeypot )
-		{
-		if ( [orig, resp] !in failed_locals )
-			{
-			flag = 1;
-			add failed_locals[orig, resp];
-			}
-		}
-
-	else if ( [orig, resp] !in successful_locals )
-		{
-		flag = -1;
-		add successful_locals[orig, resp];
-		}
-
-	if ( flag == 0 )
-		return F;
-
-	local ratio = 1.0;
-
-	# Update the corresponding likelihood ratio of orig.
-	if ( theta_zero <= 0 || theta_zero >= 1 || theta_one <= 0 ||
-	     theta_one >= 1 || theta_one >= theta_zero )
-		{
-		# Error: theta_zero should be between 0 and 1.
-		alarm "bad theta_zero/theta_one in check_TRW_scan";
-		use_TRW_algorithm = F;
-		return F;
-		}
-
-	if ( flag == 1 )
-		ratio = (1 - theta_one) / (1 - theta_zero);
-
-	if ( flag == -1 )
-		ratio = theta_one / theta_zero;
-
-	++num_scanned_locals[orig];
-
-	lambda[orig] = lambda[orig] * ratio;
-	local updated_lambda = lambda[orig];
-
-	if ( target_detection_prob <= 0 ||
-	     target_detection_prob >= 1 ||
-	     target_false_positive_prob <= 0 ||
-	     target_false_positive_prob >= 1 )
-		{
-		# Error: target probabilities should be between 0 and 1
-		alarm "bad target probabilities in check_TRW_scan";
-		use_TRW_algorithm = F;
-		return F;
-		}
-
-	if ( updated_lambda > eta_one )
-		{
-		add scan_sources[orig];
-		NOTICE([$note=TRWAddressScan, $src=orig,
-			$msg=fmt("%s scanned a total of %d hosts",
-				orig, num_scanned_locals[orig])]);
-		schedule 1 day { TRW_scan_summary(orig) };
-		return T;
-		}
-
-	if ( updated_lambda < eta_zero )
-		add benign_sources[orig];
-
-	return F;
-	}
diff --git a/policy/trw.bro b/policy/trw.bro
deleted file mode 100644
index 0ffe6246f7..0000000000
--- a/policy/trw.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: trw.bro 3297 2006-06-18 00:56:58Z vern $
-#
-# Load this file to actiate TRW analysis.
-
-@load trw-impl
-
-redef TRW::use_TRW_algorithm = T;
diff --git a/policy/udp-common.bro b/policy/udp-common.bro
deleted file mode 100644
index a6ca5a647b..0000000000
--- a/policy/udp-common.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-# $Id: udp-common.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Performs generic UDP request/reply processing, but doesn't set
-# the packet filter to capture all UDP traffic (use udp.bro for that).
-
-@load hot
-@load conn
-@load scan
-
-global udp_req_count: table[conn_id] of count &default = 0;
-global udp_rep_count: table[conn_id] of count &default = 0;
-
-event udp_request(u: connection)
-	{
-	Scan::check_scan(u, F, F);
-#	if ( TRW::use_TRW_algorithm )
-#		TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
-	Hot::check_hot(u, Hot::CONN_ATTEMPTED);
-	}
-
-event udp_reply(u: connection)
-	{
-	Scan::check_scan(u, T, F);
-#	if ( TRW::use_TRW_algorithm )
-#		TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
-	Hot::check_hot(u, Hot::CONN_ESTABLISHED);
-	Hot::check_hot(u, Hot::CONN_FINISHED);
-	}
-
-function add_req_rep_addl(u: connection)
-	{
-	local id = u$id;
-	if ( udp_req_count[id] > 1 || udp_rep_count[id] > 1 )
-		append_addl(u, fmt("[%d/%d]", udp_req_count[id], udp_rep_count[id]));
-
-	delete udp_req_count[id];
-	delete udp_rep_count[id];
-	}
-
-event udp_session_done(u: connection)
-	{
-	add_req_rep_addl(u);
-	Hot::check_hot(u, Hot::CONN_FINISHED);
-	}
diff --git a/policy/udp.bro b/policy/udp.bro
deleted file mode 100644
index ae5f1834ad..0000000000
--- a/policy/udp.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: udp.bro 1103 2005-03-17 09:18:28Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["udp"] = "udp" };
diff --git a/policy/vlan.bro b/policy/vlan.bro
deleted file mode 100644
index 82fcb75af8..0000000000
--- a/policy/vlan.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: vlan.bro 416 2004-09-17 03:52:28Z vern $
-
-redef restrict_filters += { ["vlan"] = "vlan" };
-
-redef encap_hdr_size = 4;
diff --git a/policy/weird.bro b/policy/weird.bro
deleted file mode 100644
index 245f6b79ac..0000000000
--- a/policy/weird.bro
+++ /dev/null
@@ -1,424 +0,0 @@
-# $Id: weird.bro 6452 2008-12-07 01:19:13Z vern $
-
-@load notice
-@load port-name
-
-module Weird;
-
-export {
-	redef enum Notice += {
-		WeirdActivity,	# generic unusual, alarm-worthy activity
-		RetransmissionInconsistency,
-			# possible evasion; usually just chud
-		AckAboveHole,
-			# could mean packet drop; could also be chud
-		ContentGap,
-			# data has sequence hole; perhaps due to filtering
-	};
-
-	const weird_file = open_log_file("weird") &redef;
-
-	type WeirdAction: enum {
-		WEIRD_UNSPECIFIED, WEIRD_IGNORE, WEIRD_FILE,
-		WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
-		WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
-	};
-
-	# Which of the above actions lead to logging.  For internal use.
-	const notice_actions = {
-		WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
-		WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
-	};
-
-	const weird_action: table[string] of WeirdAction = {
-		# tcp_weird
-		["above_hole_data_without_any_acks"]	=	WEIRD_FILE,
-		["active_connection_reuse"]	=	WEIRD_FILE,
-		["bad_HTTP_reply"]	=	WEIRD_FILE,
-		["bad_HTTP_version"]	=	WEIRD_FILE,
-		["bad_ICMP_checksum"]	=	WEIRD_FILE,
-		["bad_ident_port"]	=	WEIRD_FILE,
-		["bad_ident_reply"]	=	WEIRD_FILE,
-		["bad_ident_request"]	=	WEIRD_FILE,
-		["bad_rlogin_prolog"]	=	WEIRD_FILE,
-		["bad_rsh_prolog"] = 	WEIRD_FILE,
-		["rsh_text_after_rejected"] = 	WEIRD_FILE,
-		["bad_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
-		["bad_RPC_program"]	=	WEIRD_FILE,
-		["bad_SYN_ack"]	=	WEIRD_FILE,
-		["bad_TCP_checksum"]	=	WEIRD_FILE,
-		["bad_UDP_checksum"]	=	WEIRD_FILE,
-		["baroque_SYN"]	=	WEIRD_FILE,
-		["base64_illegal_encoding"]	=	WEIRD_FILE,
-		["connection_originator_SYN_ack"]	=	WEIRD_FILE,
-		["corrupt_tcp_options"]	=	WEIRD_FILE,
-		["crud_trailing_HTTP_request"]	=	WEIRD_FILE,
-		["data_after_reset"]	=	WEIRD_FILE,
-		["data_before_established"]	=	WEIRD_FILE,
-		["data_without_SYN_ACK"]	=	WEIRD_FILE,
-		["DHCP_no_type_option"] = 	WEIRD_FILE,
-		["DHCP_wrong_msg_type"] = 	WEIRD_FILE,
-		["DHCP_wrong_op_type"] = 	WEIRD_FILE,
-		["DNS_AAAA_neg_length"] = 	WEIRD_FILE,
-		["DNS_Conn_count_too_large"] = 	WEIRD_FILE,
-		["DNS_NAME_too_long"] = 	WEIRD_FILE,
-		["DNS_RR_bad_length"] = 	WEIRD_FILE,
-		["DNS_RR_length_mismatch"] = 	WEIRD_FILE,
-		["DNS_RR_unknown_type"] = 	WEIRD_FILE,
-		["DNS_label_forward_compress_offset"] = 	WEIRD_NOTICE_PER_ORIG,
-		["DNS_label_len_gt_name_len"] = 	WEIRD_NOTICE_PER_ORIG,
-		["DNS_label_len_gt_pkt"] = 	WEIRD_NOTICE_PER_ORIG,
-		["DNS_label_too_long"] = 	WEIRD_NOTICE_PER_ORIG,
-		["DNS_truncated_RR_rdlength_lt_len"] = 	WEIRD_FILE,
-		["DNS_truncated_ans_too_short"] = 	WEIRD_FILE,
-		["DNS_truncated_len_lt_hdr_len"] = 	WEIRD_FILE,
-		["DNS_truncated_quest_too_short"] = 	WEIRD_FILE,
-		["excessive_data_without_further_acks"] = 	WEIRD_FILE,
-		["excess_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
-		["excessive_RPC_len"]	=	WEIRD_NOTICE_PER_ORIG,
-		["FIN_advanced_last_seq"]	=	WEIRD_FILE,
-		["FIN_after_reset"]	=	WEIRD_IGNORE,
-		["FIN_storm"]	=	WEIRD_NOTICE_ALWAYS,
-		["HTTP_bad_chunk_size"]	=	WEIRD_FILE,
-		["HTTP_chunked_transfer_for_multipart_message"]	=	WEIRD_FILE,
-		["HTTP_overlapping_messages"]	=	WEIRD_FILE,
-		["HTTP_unknown_method"]	=	WEIRD_FILE,
-		["HTTP_version_mismatch"]	=	WEIRD_FILE,
-		["ident_request_addendum"]	=	WEIRD_FILE,
-		["inappropriate_FIN"]	=	WEIRD_FILE,
-		["inflate_data_failed"]	=	WEIRD_FILE,
-		["inflate_failed"]	=	WEIRD_FILE,
-		["invalid_irc_global_users_reply"] = 	WEIRD_FILE,
-		["irc_invalid_command"] = 	WEIRD_FILE,
-		["irc_invalid_dcc_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_invite_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_join_line"] = 	WEIRD_FILE,
-		["irc_invalid_kick_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_line"] = 	WEIRD_FILE,
-		["irc_invalid_mode_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_names_line"] = 	WEIRD_FILE,
-		["irc_invalid_njoin_line"] = 	WEIRD_FILE,
-		["irc_invalid_notice_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_oper_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_privmsg_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_reply_number"] = 	WEIRD_FILE,
-		["irc_invalid_squery_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_topic_reply"] = 	WEIRD_FILE,
-		["irc_invalid_who_line"] = 	WEIRD_FILE,
-		["irc_invalid_who_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_whois_channel_line"] = 	WEIRD_FILE,
-		["irc_invalid_whois_message_format"] = 	WEIRD_FILE,
-		["irc_invalid_whois_operator_line"] = 	WEIRD_FILE,
-		["irc_invalid_whois_user_line"] = 	WEIRD_FILE,
-		["irc_line_size_exceeded"] = 	WEIRD_FILE,
-		["irc_line_too_short"] = 	WEIRD_FILE,
-		["irc_too_many_invalid"] = 	WEIRD_FILE,
-		["line_terminated_with_single_CR"]	=	WEIRD_FILE,
-		["line_terminated_with_single_LF"]	=	WEIRD_FILE,
-		["malformed_ssh_identification"]	= WEIRD_FILE,
-		["malformed_ssh_version"] = 	WEIRD_FILE,
-		["matching_undelivered_data"]	= WEIRD_FILE,
-		["multiple_HTTP_request_elements"]	=	WEIRD_FILE,
-		["multiple_RPCs"]	=	WEIRD_NOTICE_PER_ORIG,
-		["non_IPv4_packet"]	=	WEIRD_NOTICE_ONCE,
-		["NUL_in_line"]	=	WEIRD_FILE,
-		["originator_RPC_reply"]	=	WEIRD_NOTICE_PER_ORIG,
-		["partial_finger_request"]	=	WEIRD_FILE,
-		["partial_ftp_request"]	=	WEIRD_FILE,
-		["partial_ident_request"]	=	WEIRD_FILE,
-		["partial_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
-		["partial_RPC_request"]	=	WEIRD_FILE,
-		["pending_data_when_closed"]	=	WEIRD_FILE,
-		["pop3_bad_base64_encoding"]	=	WEIRD_FILE,
-		["pop3_client_command_unknown"]	=	WEIRD_FILE,
-		["pop3_client_sending_server_commands"]	=	WEIRD_FILE,
-		["pop3_malformed_auth_plain"]	=	WEIRD_FILE,
-		["pop3_server_command_unknown"]	=	WEIRD_FILE,
-		["pop3_server_sending_client_commands"]	=	WEIRD_FILE,
-		["possible_split_routing"]	=	WEIRD_FILE,
-		["premature_connection_reuse"]	=	WEIRD_FILE,
-		["repeated_SYN_reply_wo_ack"]	=	WEIRD_FILE,
-		["repeated_SYN_with_ack"]	=	WEIRD_FILE,
-		["responder_RPC_call"]	=	WEIRD_NOTICE_PER_ORIG,
-		["rlogin_text_after_rejected"]	=	WEIRD_FILE,
-		["RPC_rexmit_inconsistency"]	=	WEIRD_FILE,
-		["RPC_underflow"] = 	WEIRD_FILE,
-		["RST_storm"]	=	WEIRD_NOTICE_ALWAYS,
-		["RST_with_data"]	=	WEIRD_FILE,	# PC's do this
-		["simultaneous_open"]	=	WEIRD_NOTICE_PER_CONN,
-		["spontaneous_FIN"]	=	WEIRD_IGNORE,
-		["spontaneous_RST"]	=	WEIRD_IGNORE,
-		["SMB_parsing_error"] = 	WEIRD_FILE,
-		["no_smb_session_using_parsesambamsg"] = 	WEIRD_FILE,
-		["smb_andx_command_failed_to_parse"] = 	WEIRD_FILE,
-		["transaction_subcmd_missing"] = 	WEIRD_FILE,
-		["SSLv3_data_without_full_handshake"] = 	WEIRD_FILE,
-		["unexpected_SSLv3_record"] = 	WEIRD_FILE,
-		["successful_RPC_reply_to_invalid_request"] = 	WEIRD_NOTICE_PER_ORIG,
-		["SYN_after_close"]	=	WEIRD_FILE,
-		["SYN_after_partial"]	=	WEIRD_NOTICE_PER_ORIG,
-		["SYN_after_reset"]	=	WEIRD_FILE,
-		["SYN_inside_connection"]	=	WEIRD_FILE,
-		["SYN_seq_jump"]	=	WEIRD_FILE,
-		["SYN_with_data"]	=	WEIRD_FILE,
-		["TCP_christmas"]	=	WEIRD_FILE,
-		["truncated_ARP"]	=	WEIRD_FILE,
-		["truncated_NTP"]	=	WEIRD_FILE,
-		["UDP_datagram_length_mismatch"]	=	WEIRD_NOTICE_PER_ORIG,
-		["unexpected_client_HTTP_data"] = 	WEIRD_FILE,
-		["unexpected_multiple_HTTP_requests"]	=	WEIRD_FILE,
-		["unexpected_server_HTTP_data"] = 	WEIRD_FILE,
-		["unmatched_HTTP_reply"]	=	WEIRD_FILE,
-		["unpaired_RPC_response"]	=	WEIRD_FILE,
-		["unsolicited_SYN_response"]	=	WEIRD_IGNORE,
-		["window_recision"]	= WEIRD_FILE,
-		["double_%_in_URI"]	= WEIRD_FILE,
-		["illegal_%_at_end_of_URI"]	= WEIRD_FILE,
-		["unescaped_%_in_URI"]	= WEIRD_FILE,
-		["unescaped_special_URI_char"]	= WEIRD_FILE,
-
-		["UDP_zone_transfer"]	= WEIRD_NOTICE_ONCE,
-
-		["deficit_netbios_hdr_len"]	= WEIRD_FILE,
-		["excess_netbios_hdr_len"]	= WEIRD_FILE,
-		["netbios_client_session_reply"]	= WEIRD_FILE,
-		["netbios_raw_session_msg"]	= WEIRD_FILE,
-		["netbios_server_session_request"]	= WEIRD_FILE,
-		["unknown_netbios_type"]	= WEIRD_FILE,
-
-		# flow_weird
-		["excessively_large_fragment"]	=	WEIRD_NOTICE_ALWAYS,
-
-		# Code Red generates slews ...
-		["excessively_small_fragment"]	=	WEIRD_NOTICE_PER_ORIG,
-
-		["fragment_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
-		["fragment_overlap"]	=	WEIRD_NOTICE_ALWAYS,
-		["fragment_protocol_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
-		["fragment_size_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
-		["fragment_with_DF"]	=	WEIRD_FILE,	# these do indeed happen!
-		["incompletely_captured_fragment"]	=	WEIRD_NOTICE_ALWAYS,
-
-		# net_weird
-		["bad_IP_checksum"]	=	WEIRD_FILE,
-		["bad_TCP_header_len"]	=	WEIRD_FILE,
-		["internally_truncated_header"]	=	WEIRD_NOTICE_ALWAYS,
-		["truncated_IP"]	=	WEIRD_FILE,
-		["truncated_header"]	=	WEIRD_FILE,
-
-		# generated by policy script
-		["Land_attack"]	=		WEIRD_NOTICE_PER_ORIG,
-		["bad_pm_port"]	=		WEIRD_NOTICE_PER_ORIG,
-	} &redef;
-
-	# table that maps weird types into a function that should be called
-	# to determine the action.
-	const weird_action_filters:
-		table[string] of function(c: connection): WeirdAction &redef;
-
-	const weird_ignore_host: set[addr, string] &redef;
-
-	# But don't ignore these (for the weird file), it's handy keeping
-	# track of clustered checksum errors.
-	const weird_do_not_ignore_repeats = {
-		"bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
-		"bad_ICMP_checksum",
-	} &redef;
-}
-
-# id/msg pairs that should be ignored (because the problem has already
-# been reported).
-global weird_ignore: table[string] of set[string] &write_expire = 10 min;
-
-# For WEIRD_NOTICE_PER_CONN.
-global did_notice_conn: set[addr, port, addr, port, string]
-							&read_expire = 1 day;
-
-# For WEIRD_NOTICE_PER_ORIG.
-global did_notice_orig: set[addr, string] &read_expire = 1 day;
-
-# For WEIRD_NOTICE_ONCE.
-global did_weird_log: set[string] &read_expire = 1 day;
-
-global did_inconsistency_msg: set[conn_id];
-
-function weird_id_string(id: conn_id): string
-	{
-	return fmt("%s > %s",
-		endpoint_id(id$orig_h, id$orig_p),
-		endpoint_id(id$resp_h, id$resp_p));
-	}
-
-# Used to pass the optional connection into report_weird().
-global current_conn: connection;
-
-function report_weird(t: time, name: string, id: string, have_conn: bool,
-			addl: string, action: WeirdAction, no_log: bool)
-	{
-	if ( action == WEIRD_IGNORE ||
-	     (id in weird_ignore && name in weird_ignore[id]) )
-		return;
-
-	local msg = id;
-
-	if ( action == WEIRD_UNSPECIFIED )
-		{
-		if ( name in weird_action )
-			{
-			action = weird_action[name];
-			if ( action == WEIRD_IGNORE )
-				return;
-
-			msg = fmt("%s: %s", msg, name);
-			}
-		else
-			{
-			action = WEIRD_NOTICE_ALWAYS;
-			msg = fmt("** %s: %s", msg, name);
-			}
-		}
-	else
-		msg = fmt("%s: %s", msg, name);
-
-	if ( addl != "" )
-		msg = fmt("%s (%s)", msg, addl);
-
-	if ( action in notice_actions && ! no_log )
-		{
-		if ( have_conn )
-			NOTICE([$note=WeirdActivity, $conn=current_conn,
-				$msg=msg]);
-		else
-			NOTICE([$note=WeirdActivity, $msg=msg]);
-		}
-
-	else if ( id != "" && name !in weird_do_not_ignore_repeats )
-		{
-		if ( id !in weird_ignore )
-			weird_ignore[id] = set() &mergeable;
-
-		add weird_ignore[id][name];
-		}
-
-	print weird_file, fmt("%.6f %s", t, msg);
-	}
-
-function report_weird_conn(t: time, name: string, id: string, addl: string,
-				c: connection)
-	{
-	if ( [c$id$orig_h, name] in weird_ignore_host ||
-	     [c$id$resp_h, name] in weird_ignore_host )
-		return;
-
-	local no_log = F;
-	local action = WEIRD_UNSPECIFIED;
-
-	if ( name in weird_action )
-		{
-		if ( name in weird_action_filters )
-			action = weird_action_filters[name](c);
-
-		if ( action == WEIRD_UNSPECIFIED )
-			action = weird_action[name];
-
-		local cid = c$id;
-
-		if ( action == WEIRD_NOTICE_PER_CONN )
-			{
-			if ( [cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name] in did_notice_conn )
-				no_log = T;
-			else
-				add did_notice_conn[cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name];
-			}
-
-		else if ( action == WEIRD_NOTICE_PER_ORIG )
-			{
-			if ( [c$id$orig_h, name] in did_notice_orig )
-				no_log = T;
-			else
-				add did_notice_orig[c$id$orig_h, name];
-			}
-
-		else if ( action == WEIRD_NOTICE_ONCE )
-			{
-			if ( name in did_weird_log )
-				no_log = T;
-			else
-				add did_weird_log[name];
-			}
-		}
-
-	current_conn = c;
-	report_weird(t, name, id, T, addl, action, no_log);
-	}
-
-function report_weird_orig(t: time, name: string, id: string, orig: addr)
-	{
-	local no_log = F;
-	local action = WEIRD_UNSPECIFIED;
-
-	if ( name in weird_action )
-		{
-		action = weird_action[name];
-		if ( action == WEIRD_NOTICE_PER_ORIG )
-			{
-			if ( [orig, name] in did_notice_orig )
-				no_log = T;
-			else
-				add did_notice_orig[orig, name];
-			}
-		}
-
-	report_weird(t, name, id, F, "", action, no_log);
-	}
-
-event conn_weird(name: string, c: connection)
-	{
-	report_weird_conn(network_time(), name, weird_id_string(c$id), "", c);
-	}
-
-event conn_weird_addl(name: string, c: connection, addl: string)
-	{
-	report_weird_conn(network_time(), name, weird_id_string(c$id), addl, c);
-	}
-
-event flow_weird(name: string, src: addr, dst: addr)
-	{
-	report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
-	}
-
-event net_weird(name: string)
-	{
-	report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
-	}
-
-event rexmit_inconsistency(c: connection, t1: string, t2: string)
-	{
-	if ( c$id !in did_inconsistency_msg )
-		{
-		NOTICE([$note=RetransmissionInconsistency, $conn=c,
-			$msg=fmt("%s rexmit inconsistency (%s) (%s)",
-				weird_id_string(c$id), t1, t2)]);
-		add did_inconsistency_msg[c$id];
-		}
-	}
-
-event ack_above_hole(c: connection)
-	{
-	NOTICE([$note=AckAboveHole, $conn=c,
-		$msg=fmt("%s ack above a hole", weird_id_string(c$id))]);
-	}
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
-	{
-	NOTICE([$note=ContentGap, $conn=c,
-		$msg=fmt("%s content gap (%s %d/%d)%s",
-			weird_id_string(c$id), is_orig ? ">" : "<", seq, length,
-				 is_external_connection(c) ? " [external]" : "")]);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	delete weird_ignore[weird_id_string(c$id)];
-	delete did_inconsistency_msg[c$id];
-	}
diff --git a/policy/worm.bro b/policy/worm.bro
deleted file mode 100644
index 18e9649096..0000000000
--- a/policy/worm.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: worm.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load notice
-@load site
-
-# signatures.bro needs this.
-global is_worm_infectee: function(ip: addr) : bool;
-
-@load signatures
-
-redef enum Notice += {
-	LocalWorm,		# worm seen in local host
-	RemoteWorm,		# worm seen in remote host
-};
-
-# redef capture_filters += { ["worm"] = "tcp dst port 80" };
-
-const worm_log = open_log_file("worm") &redef;
-
-# Maps types of worms to URI patterns.
-const worm_types: table[string] of pattern = {
-	["Code Red 1"] = /\.id[aq]\?.*NNNNNNNNNNNNN/,
-	["Code Red 2"] = /\.id[aq]\?.*XXXXXXXXXXXXX/,
-	["Nimda"] = /\/scripts\/root\.exe\?\/c\+tftp/ |
-			/\/MSADC\/root.exe\?\/c\+dir/ |
-			/cool\.dll.*httpodbc\.dll/,	# 29Oct01 Nimda variant
-} &redef;
-
-# Maps signatures to worm types.
-const worm_sigs: table[string] of string = {
-	["slammer"] = "Slammer",
-	["nimda"] = "Nimda",
-	["bagle-bc"] = "Bagle.bc"
-};
-
-# We handle these ourselves.
-redef signature_actions += {
-	["codered1"] = SIG_IGNORE,
-	["codered2"] = SIG_IGNORE,
-	["slammer"] = SIG_IGNORE,
-	["nimda"] = SIG_IGNORE,
-	["bagle-bc"] = SIG_IGNORE
-};
-
-# Indexed by infectee.
-global worm_list: table[addr] of count &default=0 &read_expire = 2 days;
-
-# Indexed by infectee and type of worm.
-global worm_type_list: table[addr, string] of count
-					&default=0 &read_expire = 2 days;
-
-# Invoked each time a new infectee (or a new type of worm for an existing
-# infectee) is seen.  For the first instance of any type for a new infectee,
-# two events will be generated, one with worm_type of "first instance",
-# and another with the particular worm type.
-global worm_infectee_seen: event(c: connection, is_local: bool, worm_type: string);
-
-# Invoked whenever connection c has included a URI of worm type "worm_type".
-event worm_instance(c: connection, worm_type: string)
-	{
-	local id = c$id;
-	local src = id$orig_h;
-	local is_local = is_local_addr(src);
-
-	if ( ++worm_list[src] == 1 )
-		event worm_infectee_seen(c, is_local, "first instance");
-
-	if ( ++worm_type_list[src, worm_type] == 1 )
-		event worm_infectee_seen(c, is_local, worm_type);
-	}
-
-event worm_infectee_seen(c: connection, is_local: bool, worm_type: string)
-	{
-	if ( worm_type == "first instance" )
-		return;	# just do the reporting for the specific type
-
-	local infectee = c$id$orig_h;
-	local where = is_local ? "local" : "remote";
-	local msg = fmt("%s %s worm source: %s", where, worm_type, infectee);
-
-	if ( is_local )
-		NOTICE([$note=LocalWorm, $conn=c, $src=infectee,
-			$msg=msg, $sub=worm_type]);
-	else
-		NOTICE([$note=RemoteWorm, $conn=c, $src=infectee,
-			$msg=msg, $sub=worm_type]);
-
-	print worm_log, fmt("%.6f %s", network_time(), msg);
-	}
-
-event http_request(c: connection, method: string,
-		   original_URI: string, unescaped_URI: string, version: string)
-	{
-	# It's a pity to do this as a loop.  Better would be if Bro could
-	# search the patterns as one large RE and note which matched.
-
-	for ( wt in worm_types )
-		if ( worm_types[wt] in unescaped_URI )
-			event worm_instance(c, wt);
-	}
-
-event signature_match(state: signature_state, msg: string, data: string)
-	{
-	if ( state$id in worm_sigs )
-		event worm_instance(state$conn, worm_sigs[state$id]);
-	}
-
-# Ignore "weird" events, we get some due to the capture_filter above that
-# only captures the client side of an HTTP session.
-event conn_weird(name: string, c: connection)
-	{
-	}
-
-function is_worm_infectee(ip: addr): bool
-	{
-	return ip in worm_list;
-	}
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
new file mode 100644
index 0000000000..6d6faf7b4a
--- /dev/null
+++ b/scripts/CMakeLists.txt
@@ -0,0 +1,28 @@
+include(InstallPackageConfigFile)
+
+install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
+        PATTERN "site/local*" EXCLUDE
+        PATTERN "test-all-policy.bro" EXCLUDE
+        PATTERN "*.bro"
+        PATTERN "*.sig"
+        PATTERN "*.fp"
+)
+
+# Install all local* scripts as config files since they are meant to be
+# user modify-able.
+InstallPackageConfigFile(
+    ${CMAKE_CURRENT_SOURCE_DIR}/site/local.bro
+    ${BRO_SCRIPT_INSTALL_PATH}/site
+    local.bro)
+InstallPackageConfigFile(
+    ${CMAKE_CURRENT_SOURCE_DIR}/site/local-manager.bro
+    ${BRO_SCRIPT_INSTALL_PATH}/site
+    local-manager.bro)
+InstallPackageConfigFile(
+    ${CMAKE_CURRENT_SOURCE_DIR}/site/local-proxy.bro
+    ${BRO_SCRIPT_INSTALL_PATH}/site
+    local-proxy.bro)
+InstallPackageConfigFile(
+    ${CMAKE_CURRENT_SOURCE_DIR}/site/local-worker.bro
+    ${BRO_SCRIPT_INSTALL_PATH}/site
+    local-worker.bro)
diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.bro
new file mode 100644
index 0000000000..0f9003514d
--- /dev/null
+++ b/scripts/base/frameworks/cluster/__load__.bro
@@ -0,0 +1,42 @@
+# Load the core cluster support.
+@load ./main
+
+@if ( Cluster::is_enabled() )
+
+# Give the node being started up it's peer name.
+redef peer_description = Cluster::node;
+
+# Add a cluster prefix.
+@prefixes += cluster
+
+# If this script isn't found anywhere, the cluster bombs out.
+# Loading the cluster framework requires that a script by this name exists
+# somewhere in the BROPATH.  The only thing in the file should be the
+# cluster definition in the :bro:id:`Cluster::nodes` variable.
+@load cluster-layout
+
+@if ( Cluster::node in Cluster::nodes )
+
+@load ./setup-connections
+
+# Don't load the listening script until we're a bit more sure that the
+# cluster framework is actually being enabled.
+@load frameworks/communication/listen
+
+## Set the port that this node is supposed to listen on.
+redef Communication::listen_port = Cluster::nodes[Cluster::node]$p;
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+@load ./nodes/manager
+@endif
+
+@if ( Cluster::local_node_type() == Cluster::PROXY )
+@load ./nodes/proxy
+@endif
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+@load ./nodes/worker
+@endif
+
+@endif
+@endif
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
new file mode 100644
index 0000000000..1e89e9b2a7
--- /dev/null
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -0,0 +1,158 @@
+##! A framework for establishing and controlling a cluster of Bro instances.
+##! In order to use the cluster framework, a script named
+##! ``cluster-layout.bro`` must exist somewhere in Bro's script search path
+##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable.
+##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node`
+##! must also be sent and the cluster framework loaded as a package like
+##! ``@load base/frameworks/cluster``.
+
+@load base/frameworks/control
+
+module Cluster;
+
+export {
+	## The cluster logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the column fields of the cluster log.
+	type Info: record {
+		## The time at which a cluster message was generated.
+		ts:       time;
+		## A message indicating information about the cluster's operation.
+		message:  string;
+	} &log;
+
+	## Types of nodes that are allowed to participate in the cluster
+	## configuration.
+	type NodeType: enum {
+		## A dummy node type indicating the local node is not operating
+		## within a cluster.
+		NONE,
+		## A node type which is allowed to view/manipulate the configuration
+		## of other nodes in the cluster.
+		CONTROL,
+		## A node type responsible for log and policy management.
+		MANAGER,
+		## A node type for relaying worker node communication and synchronizing
+		## worker node state.
+		PROXY,
+		## The node type doing all the actual traffic analysis.
+		WORKER,
+		## A node acting as a traffic recorder using the
+		## `Time Machine <http://tracker.bro-ids.org/time-machine>`_ software.
+		TIME_MACHINE,
+	};
+	
+	## Events raised by a manager and handled by the workers.
+	const manager2worker_events = /Drop::.*/ &redef;
+	
+	## Events raised by a manager and handled by proxies.
+	const manager2proxy_events = /EMPTY/ &redef;
+	
+	## Events raised by proxies and handled by a manager.
+	const proxy2manager_events = /EMPTY/ &redef;
+	
+	## Events raised by proxies and handled by workers.
+	const proxy2worker_events = /EMPTY/ &redef;
+	
+	## Events raised by workers and handled by a manager.
+	const worker2manager_events = /(TimeMachine::command|Drop::.*)/ &redef;
+	
+	## Events raised by workers and handled by proxies..
+	const worker2proxy_events = /EMPTY/ &redef;
+	
+	## Events raised by TimeMachine instances and handled by a manager.
+	const tm2manager_events = /EMPTY/ &redef;
+	
+	## Events raised by TimeMachine instances and handled by workers.
+	const tm2worker_events = /EMPTY/ &redef;
+	
+	## Events sent by the control host (i.e. BroControl) when dynamically 
+	## connecting to a running instance to update settings or request data.
+	const control_events = Control::controller_events &redef;
+	
+	## Record type to indicate a node in a cluster.
+	type Node: record {
+		## Identifies the  type of cluster node in this node's configuration.
+		node_type:    NodeType;
+		## The IP address of the cluster node.
+		ip:           addr;
+		## The port to which the this local node can connect when
+		## establishing communication.
+		p:            port;
+		## Identifier for the interface a worker is sniffing.
+		interface:    string      &optional;
+		## Name of the manager node this node uses.  For workers and proxies.
+		manager:      string      &optional;
+		## Name of the proxy node this node uses.  For workers and managers.
+		proxy:        string      &optional;
+		## Names of worker nodes that this node connects with.
+		## For managers and proxies.
+		workers:      set[string] &optional;
+		## Name of a time machine node with which this node connects.
+		time_machine: string      &optional;
+	};
+	
+	## This function can be called at any time to determine if the cluster
+	## framework is being enabled for this run.
+	##
+	## Returns: True if :bro:id:`Cluster::node` has been set.
+	global is_enabled: function(): bool;
+	
+	## This function can be called at any time to determine what type of
+	## cluster node the current Bro instance is going to be acting as.
+	## If :bro:id:`Cluster::is_enabled` returns false, then
+	## :bro:enum:`Cluster::NONE` is returned.
+	##
+	## Returns: The :bro:type:`Cluster::NodeType` the calling node acts as.
+	global local_node_type: function(): NodeType;
+	
+	## This gives the value for the number of workers currently connected to,
+	## and it's maintained internally by the cluster framework.  It's 
+	## primarily intended for use by managers to find out how many workers 
+	## should be responding to requests.
+	global worker_count: count = 0;
+	
+	## The cluster layout definition.  This should be placed into a filter
+	## named cluster-layout.bro somewhere in the BROPATH.  It will be 
+	## automatically loaded if the CLUSTER_NODE environment variable is set.
+	const nodes: table[string] of Node = {} &redef;
+	
+	## This is usually supplied on the command line for each instance
+	## of the cluster that is started up.
+	const node = getenv("CLUSTER_NODE") &redef;
+}
+
+function is_enabled(): bool
+	{
+	return (node != "");
+	}
+
+function local_node_type(): NodeType
+	{
+	return is_enabled() ? nodes[node]$node_type : NONE;
+	}
+
+event remote_connection_handshake_done(p: event_peer) &priority=5
+	{
+	if ( p$descr in nodes && nodes[p$descr]$node_type == WORKER )
+		++worker_count;
+	}
+
+event remote_connection_closed(p: event_peer) &priority=5
+	{
+	if ( p$descr in nodes && nodes[p$descr]$node_type == WORKER )
+		--worker_count;
+	}
+
+event bro_init() &priority=5
+	{
+	# If a node is given, but it's an unknown name we need to fail.
+	if ( node != "" && node !in nodes )
+		{
+		Reporter::error(fmt("'%s' is not a valid node in the Cluster::nodes configuration", node));
+		terminate();
+		}
+	
+	Log::create_stream(Cluster::LOG, [$columns=Info]);
+	}
diff --git a/scripts/base/frameworks/cluster/nodes/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.bro
new file mode 100644
index 0000000000..22d9d539ca
--- /dev/null
+++ b/scripts/base/frameworks/cluster/nodes/manager.bro
@@ -0,0 +1,22 @@
+##! This is the core Bro script to support the notion of a cluster manager.
+##!
+##! The manager is passive (the workers connect to us), and once connected
+##! the manager registers for the events on the workers that are needed
+##! to get the desired data from the workers.  This script will be 
+##! automatically loaded if necessary based on the type of node being started.
+
+##! This is where the cluster manager sets it's specific settings for other
+##! frameworks and in the core.
+
+@prefixes += cluster-manager
+
+## Turn off remote logging since this is the manager and should only log here.
+redef Log::enable_remote_logging = F;
+
+redef Log::default_rotation_interval = 1 hrs;
+
+## Use the cluster's archive logging script.
+redef Log::default_rotation_postprocessor_cmd = "archive-log";
+
+## We're processing essentially *only* remote events.
+redef max_remote_events_processed = 10000;
diff --git a/scripts/base/frameworks/cluster/nodes/proxy.bro b/scripts/base/frameworks/cluster/nodes/proxy.bro
new file mode 100644
index 0000000000..e38a5e9109
--- /dev/null
+++ b/scripts/base/frameworks/cluster/nodes/proxy.bro
@@ -0,0 +1,22 @@
+##! Redefines the options common to all proxy nodes within a Bro cluster.
+##! In particular, proxies are not meant to produce logs locally and they
+##! do not forward events anywhere, they mainly synchronize state between
+##! worker nodes.
+
+@prefixes += cluster-proxy
+
+## The proxy only syncs state; does not forward events.
+redef forward_remote_events = F;
+redef forward_remote_state_changes = T;
+
+## Don't do any local logging.
+redef Log::enable_local_logging = F;
+
+## Make sure that remote logging is enabled.
+redef Log::enable_remote_logging = T;
+
+redef Log::default_rotation_interval = 24hrs;
+
+## Use the cluster's delete-log script.
+redef Log::default_rotation_postprocessor_cmd = "delete-log";
+
diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.bro
new file mode 100644
index 0000000000..61d5228c88
--- /dev/null
+++ b/scripts/base/frameworks/cluster/nodes/worker.bro
@@ -0,0 +1,24 @@
+##! Redefines some options common to all worker nodes within a Bro cluster.
+##! In particular, worker nodes do not produce logs locally, instead they
+##! send them off to a manager node for processing.
+
+@prefixes += cluster-worker
+
+## Don't do any local logging.
+redef Log::enable_local_logging = F;
+
+## Make sure that remote logging is enabled.
+redef Log::enable_remote_logging = T;
+
+redef Log::default_rotation_interval = 24hrs;
+
+## Use the cluster's delete-log script.
+redef Log::default_rotation_postprocessor_cmd = "delete-log";
+
+@load misc/trim-trace-file
+## Record all packets into trace file.
+##
+## Note that this only indicates that *if* we are recording packets, we want all
+## of them (rather than just those the core deems sufficiently important). Setting
+## this does not turn recording on. Use '-w <trace>' for that.
+redef record_all_packets = T;
diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro
new file mode 100644
index 0000000000..b5a0d25e1f
--- /dev/null
+++ b/scripts/base/frameworks/cluster/setup-connections.bro
@@ -0,0 +1,99 @@
+##! This script establishes communication among all nodes in a cluster
+##! as defined by :bro:id:`Cluster::nodes`.
+
+@load ./main
+@load base/frameworks/communication
+
+@if ( Cluster::node in Cluster::nodes )
+
+module Cluster;
+
+event bro_init() &priority=9
+	{
+	local me = nodes[node];
+	
+	for ( i in Cluster::nodes )
+		{
+		local n = nodes[i];
+
+		# Connections from the control node for runtime control and update events.
+		# Every node in a cluster is eligible for control from this host.
+		if ( n$node_type == CONTROL )
+			Communication::nodes["control"] = [$host=n$ip, $connect=F,
+			                                   $class="control", $events=control_events];
+		
+		if ( me$node_type == MANAGER )
+			{
+			if ( n$node_type == WORKER && n$manager == node )
+				Communication::nodes[i] =
+				    [$host=n$ip, $connect=F,
+				     $class=i, $events=worker2manager_events, $request_logs=T];
+			
+			if ( n$node_type == PROXY && n$manager == node )
+				Communication::nodes[i] =
+				    [$host=n$ip, $connect=F,
+				     $class=i, $events=proxy2manager_events, $request_logs=T];
+				
+			if ( n$node_type == TIME_MACHINE && me?$time_machine && me$time_machine == i )
+				Communication::nodes["time-machine"] = [$host=nodes[i]$ip, $p=nodes[i]$p,
+				                                        $connect=T, $retry=1min,
+				                                        $events=tm2manager_events];
+			}
+		
+		else if ( me$node_type == PROXY )
+			{
+			if ( n$node_type == WORKER && n$proxy == node )
+				Communication::nodes[i] =
+					[$host=n$ip, $connect=F, $class=i, $sync=T, $auth=T, $events=worker2proxy_events];
+			
+			# accepts connections from the previous one. 
+			# (This is not ideal for setups with many proxies)
+			# FIXME: Once we're using multiple proxies, we should also figure out some $class scheme ...
+			if ( n$node_type == PROXY )
+				{
+				if ( n?$proxy )
+					Communication::nodes[i]
+					     = [$host=n$ip, $p=n$p,
+					        $connect=T, $auth=F, $sync=T, $retry=1mins];
+				else if ( me?$proxy && me$proxy == i )
+					Communication::nodes[me$proxy]
+					     = [$host=nodes[i]$ip, $connect=F, $auth=T, $sync=T];
+				}
+			
+			# Finally the manager, to send it status updates.
+			if ( n$node_type == MANAGER && me$manager == i )
+				Communication::nodes["manager"] = [$host=nodes[i]$ip, 
+				                                   $p=nodes[i]$p, 
+				                                   $connect=T, $retry=1mins, 
+				                                   $class=node,
+				                                   $events=manager2proxy_events];
+			}
+		else if ( me$node_type == WORKER )
+			{
+			if ( n$node_type == MANAGER && me$manager == i )
+				Communication::nodes["manager"] = [$host=nodes[i]$ip, 
+				                                   $p=nodes[i]$p,
+				                                   $connect=T, $retry=1mins, 
+				                                   $class=node, 
+				                                   $events=manager2worker_events];
+			
+			if ( n$node_type == PROXY && me$proxy == i )
+				Communication::nodes["proxy"] = [$host=nodes[i]$ip, 
+				                                 $p=nodes[i]$p,
+				                                 $connect=T, $retry=1mins, 
+				                                 $sync=T, $class=node, 
+				                                 $events=proxy2worker_events];
+			
+			if ( n$node_type == TIME_MACHINE && 
+			     me?$time_machine && me$time_machine == i )
+				Communication::nodes["time-machine"] = [$host=nodes[i]$ip, 
+				                                        $p=nodes[i]$p,
+				                                        $connect=T, 
+				                                        $retry=1min,
+				                                        $events=tm2worker_events];
+			
+			}
+		}
+	}
+
+@endif
diff --git a/scripts/base/frameworks/communication/__load__.bro b/scripts/base/frameworks/communication/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/frameworks/communication/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
new file mode 100644
index 0000000000..04772f57aa
--- /dev/null
+++ b/scripts/base/frameworks/communication/main.bro
@@ -0,0 +1,331 @@
+##! Facilitates connecting to remote Bro or Broccoli instances to share state
+##! and/or transfer events.
+
+@load base/frameworks/packet-filter
+
+module Communication;
+
+export {
+
+	## The communication logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	## Which interface to listen on (0.0.0.0 for any interface).
+	const listen_interface = 0.0.0.0 &redef;
+	
+	## Which port to listen on.
+	const listen_port = 47757/tcp &redef;
+	
+	## This defines if a listening socket should use SSL.
+	const listen_ssl = F &redef;
+
+	## Default compression level.  Compression level is 0-9, with 0 = no 
+	## compression.
+	global compression_level = 0 &redef;
+
+	## A record type containing the column fields of the communication log.
+	type Info: record {
+		## The network time at which a communication event occurred.
+		ts:                  time   &log;
+		## The peer name (if any) for which a communication event is concerned.
+		peer:                string &log &optional;
+		## Where the communication event message originated from, that is,
+		## either from the scripting layer or inside the Bro process.
+		src_name:            string &log &optional;
+		## .. todo:: currently unused.
+		connected_peer_desc: string &log &optional;
+		## .. todo:: currently unused.
+		connected_peer_addr: addr   &log &optional;
+		## .. todo:: currently unused.
+		connected_peer_port: port   &log &optional;
+		## The severity of the communication event message.
+		level:               string &log &optional;
+		## A message describing the communication event between Bro or
+		## Broccoli instances.
+		message:             string &log;
+	};
+
+	## A remote peer to which we would like to talk.
+	## If there's no entry for a peer, it may still connect
+	## and request state, but not send us any.
+	type Node: record {
+		## Remote address.
+		host: addr;
+		
+		## Port of the remote Bro communication endpoint if we are initiating
+		## the connection based on the :bro:id:`connect` field.
+		p: port &optional;
+
+		## When accepting a connection, the configuration only
+		## applies if the class matches the one transmitted by
+		## the peer.
+		##
+		## When initiating a connection, the class is sent to
+		## the other side.
+		class: string &optional;
+
+		## Events requested from remote side.
+		events: pattern &optional;
+
+		## Whether we are going to connect (rather than waiting
+		## for the other sie to connect to us).
+		connect: bool &default = F;
+
+		## If disconnected, reconnect after this many seconds.
+		retry: interval &default = 0 secs;
+
+		## Whether to accept remote events.
+		accept_input: bool &default = T;
+
+		## Whether to perform state synchronization with peer.
+		sync: bool &default = F;
+
+		## Whether to request logs from the peer.
+		request_logs: bool &default = F;
+
+		## When performing state synchronization, whether we consider
+		## our state to be authoritative.  If so, we will send the peer
+		## our current set when the connection is set up.
+		## (Only one side can be authoritative)
+		auth: bool &default = F;
+
+		## If not set, no capture filter is sent.
+		## If set to "", the default capture filter is sent.
+		capture_filter: string &optional;
+
+		## Whether to use SSL-based communication.
+		ssl: bool &default = F;
+
+		## Compression level is 0-9, with 0 = no compression.
+		compression: count &default = compression_level;
+
+		## The remote peer.
+		peer: event_peer &optional;
+		
+		## Indicates the status of the node.
+		connected: bool &default = F;
+	};
+
+	## The table of Bro or Broccoli nodes that Bro will initiate connections
+	## to or respond to connections from.
+	global nodes: table[string] of Node &redef;
+
+	## A table of peer nodes for which this node issued a
+	## :bro:id:`Communication::connect_peer` call but with which a connection
+	## has not yet been established or with which a connection has been
+	## closed and is currently in the process of retrying to establish.
+	## When a connection is successfully established, the peer is removed
+	## from the table.
+	global pending_peers: table[peer_id] of Node;
+
+	## A table of peer nodes for which this node has an established connection.
+	## Peers are automatically removed if their connection is closed and
+	## automatically added back if a connection is re-established later.
+	global connected_peers: table[peer_id] of Node;
+
+	## Connect to a node in :bro:id:`Communication::nodes` independent
+	## of its "connect" flag.
+	##
+	## peer: the string used to index a particular node within the
+	##      :bro:id:`Communication::nodes` table.
+	global connect_peer: function(peer: string);
+}
+
+const src_names = {
+	[REMOTE_SRC_CHILD]  = "child",
+	[REMOTE_SRC_PARENT] = "parent",
+	[REMOTE_SRC_SCRIPT] = "script",
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Communication::LOG, [$columns=Info]);
+	}
+
+function do_script_log_common(level: count, src: count, msg: string)
+	{
+	Log::write(Communication::LOG, [$ts = network_time(), 
+	                                $level = (level == REMOTE_LOG_INFO ? "info" : "error"),
+	                                $src_name = src_names[src],
+	                                $peer = get_event_peer()$descr,
+	                                $message = msg]);
+	}
+
+# This is a core generated event.
+event remote_log(level: count, src: count, msg: string)
+	{
+	do_script_log_common(level, src, msg);
+	}
+
+# This is a core generated event.
+event remote_log_peer(p: event_peer, level: count, src: count, msg: string)
+	{
+	local rmsg = fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg);
+	do_script_log_common(level, src, rmsg);
+	}
+
+function do_script_log(p: event_peer, msg: string)
+	{
+	do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, msg);
+	}
+
+function connect_peer(peer: string)
+	{
+	local node = nodes[peer];
+	local p = listen_port;
+
+	if ( node?$p )
+		p = node$p;
+
+	local class = node?$class ? node$class : "";
+	local id = connect(node$host, p, class, node$retry, node$ssl);
+    
+	if ( id == PEER_ID_NONE )
+		Log::write(Communication::LOG, [$ts = network_time(), 
+		                                $peer = get_event_peer()$descr,
+		                                $message = "can't trigger connect"]);
+	pending_peers[id] = node;
+	}
+
+
+function setup_peer(p: event_peer, node: Node)
+	{
+	if ( node?$events )
+		{
+		do_script_log(p, fmt("requesting events matching %s", node$events));
+		request_remote_events(p, node$events);
+		}
+
+	if ( node?$capture_filter )
+		{
+		local filter = node$capture_filter;
+		if ( filter == "" )
+			filter = PacketFilter::default_filter;
+
+		do_script_log(p, fmt("sending capture_filter: %s", filter));
+		send_capture_filter(p, filter);
+		}
+
+	if ( node$accept_input )
+		{
+		do_script_log(p, "accepting state");
+		set_accept_state(p, T);
+		}
+
+	set_compression_level(p, node$compression);
+
+	if ( node$sync )
+		{
+		do_script_log(p, "requesting synchronized state");
+		request_remote_sync(p, node$auth);
+		}
+
+	if ( node$request_logs )
+		{
+		do_script_log(p, "requesting logs");
+		request_remote_logs(p);
+		}
+
+	node$peer = p;
+	node$connected = T;
+	connected_peers[p$id] = node;
+	}
+
+event remote_connection_established(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	do_script_log(p, "connection established");
+
+	if ( p$id in pending_peers )
+		{
+		# We issued the connect.
+		local node = pending_peers[p$id];
+		setup_peer(p, node);
+		delete pending_peers[p$id];
+		}
+	else
+		{ # The other side connected to us.
+		local found = F;
+		for ( i in nodes )
+			{
+			node = nodes[i];
+			if ( node$host == p$host )
+				{
+				local c = 0;
+
+				# See if classes match = either both have
+				# the same class, or neither of them has
+				# a class.
+				if ( p?$class && p$class != "" )
+					++c;
+
+				if ( node?$class && node$class != "" )
+					++c;
+
+				if ( c == 1 ||
+				     (c == 2 && p$class != node$class) )
+					next;
+
+				found = T;
+				setup_peer(p, node);
+				break;
+				}
+			}
+
+		if ( ! found )
+			set_compression_level(p, compression_level);
+		}
+
+	complete_handshake(p);
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	do_script_log(p, "connection closed");
+
+	if ( p$id in connected_peers )
+		{
+		local node = connected_peers[p$id];
+		node$connected = F;
+
+		delete connected_peers[p$id];
+
+		if ( node$retry != 0secs )
+			# The core will retry.
+			pending_peers[p$id] = node;
+		}
+	}
+
+event remote_state_inconsistency(operation: string, id: string,
+				expected_old: string, real_old: string)
+	{
+	if ( is_remote_event() )
+		return;
+
+	local msg = fmt("state inconsistency: %s should be %s but is %s before %s",
+	                id, expected_old, real_old, operation);
+	Log::write(Communication::LOG, [$ts = network_time(),
+	                                $peer = get_event_peer()$descr,
+	                                $message = msg]);
+	}
+
+
+# Actually initiate the connections that need to be established.
+event bro_init() &priority = -10 # let others modify nodes
+	{
+	if ( |nodes| > 0 )
+		enable_communication();
+	
+	for ( tag in nodes )
+		{
+		if ( ! nodes[tag]$connect )
+			next;
+
+		connect_peer(tag);
+		}
+	}
diff --git a/scripts/base/frameworks/control/__load__.bro b/scripts/base/frameworks/control/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/frameworks/control/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.bro
new file mode 100644
index 0000000000..4fe8872801
--- /dev/null
+++ b/scripts/base/frameworks/control/main.bro
@@ -0,0 +1,75 @@
+##! The control framework provides the foundation for providing "commands"
+##! that can be taken remotely at runtime to modify a running Bro instance
+##! or collect information from the running instance.
+
+module Control;
+
+export {
+	## The address of the host that will be controlled.
+	const host = 0.0.0.0 &redef;
+
+	## The port of the host that will be controlled.
+	const host_port = 0/tcp &redef;
+
+	## The command that is being done.  It's typically set on the
+	## command line.
+	const cmd = "" &redef;
+
+	## This can be used by commands that take an argument.
+	const arg = "" &redef;
+
+	## Events that need to be handled by controllers.
+	const controller_events = /Control::.*_request/ &redef;
+	
+	## Events that need to be handled by controllees.
+	const controllee_events = /Control::.*_response/ &redef;
+
+	## The commands that can currently be given on the command line for
+	## remote control.
+	const commands: set[string] = {
+		"id_value",
+		"peer_status",
+		"net_stats",
+		"configuration_update",
+		"shutdown",
+	} &redef;
+
+	## Variable IDs that are to be ignored by the update process.
+	const ignore_ids: set[string] = { };
+
+	## Event for requesting the value of an ID (a variable).
+	global id_value_request: event(id: string);
+	## Event for returning the value of an ID after an
+	## :bro:id:`Control::id_value_request` event.
+	global id_value_response: event(id: string, val: string);
+
+	## Requests the current communication status.
+	global peer_status_request: event();
+	## Returns the current communication status.
+	global peer_status_response: event(s: string);
+
+	## Requests the current net_stats.
+	global net_stats_request: event();
+	## Returns the current net_stats.
+	global net_stats_response: event(s: string);
+
+	## Inform the remote Bro instance that it's configuration may have been updated.
+	global configuration_update_request: event();
+	## This event is a wrapper and alias for the
+	## :bro:id:`Control::configuration_update_request` event.
+	## This event is also a primary hooking point for the control framework.
+	global configuration_update: event();
+	## Message in response to a configuration update request.
+	global configuration_update_response: event();
+
+	## Requests that the Bro instance begins shutting down.
+	global shutdown_request: event();
+	## Message in response to a shutdown request.
+	global shutdown_response: event();
+}
+
+
+event terminate_event()
+	{
+	terminate_communication();
+	}
diff --git a/scripts/base/frameworks/dpd/__load__.bro b/scripts/base/frameworks/dpd/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/frameworks/dpd/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/policy/sigs/dpd.sig b/scripts/base/frameworks/dpd/dpd.sig
similarity index 90%
rename from policy/sigs/dpd.sig
rename to scripts/base/frameworks/dpd/dpd.sig
index abc66d8db1..adda0ce54e 100644
--- a/policy/sigs/dpd.sig
+++ b/scripts/base/frameworks/dpd/dpd.sig
@@ -1,4 +1,4 @@
-# ALS signatures for protocol detection.
+# Signatures to initiate dynamic protocol detection.
 
 signature dpd_ftp_client {
   ip-proto == tcp
@@ -80,15 +80,15 @@ signature irc_server_reply {
   tcp-state responder
 }
 
-signature irc_sig3 {
+signature irc_server_to_server1 {
   ip-proto == tcp
-  payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
+  payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
 }
 
-signature irc_sig4 {
+signature irc_server_to_server2 {
   ip-proto == tcp
-  payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
-  requires-reverse-signature irc_sig3
+  payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
+  requires-reverse-signature irc_server_to_server1
   enable "irc"
 }
 
diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro
new file mode 100644
index 0000000000..e8488c3ec1
--- /dev/null
+++ b/scripts/base/frameworks/dpd/main.bro
@@ -0,0 +1,109 @@
+##! Activates port-independent protocol detection and selectively disables
+##! analyzers if protocol violations occur.
+
+module DPD;
+
+## Add the DPD signatures to the signature framework.
+redef signature_files += "base/frameworks/dpd/dpd.sig";
+
+export {
+	## Add the DPD logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## The record type defining the columns to log in the DPD logging stream.
+	type Info: record {
+		## Timestamp for when protocol analysis failed.
+		ts:             time            &log;
+		## Connection unique ID.
+		uid:            string          &log;
+		## Connection ID containing the 4-tuple which identifies endpoints.
+		id:             conn_id         &log;
+		## Transport protocol for the violation.
+		proto:          transport_proto &log;
+		## The analyzer that generated the violation.
+		analyzer:       string          &log;
+		## The textual reason for the analysis failure.
+		failure_reason: string          &log;
+		
+		## Disabled analyzer IDs.  This is only for internal tracking 
+		## so as to not attempt to disable analyzers multiple times.
+		disabled_aids:  set[count];
+	};
+	
+	## Ignore violations which go this many bytes into the connection.
+	## Set to 0 to never ignore protocol violations.
+	const ignore_violations_after = 10 * 1024 &redef;
+}
+
+redef record connection += {
+	dpd: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(DPD::LOG, [$columns=Info]);
+	
+	# Populate the internal DPD analysis variable.
+	for ( a in dpd_config )
+		{
+		for ( p in dpd_config[a]$ports )
+			{
+			if ( p !in dpd_analyzer_ports )
+				dpd_analyzer_ports[p] = set();
+			add dpd_analyzer_ports[p][a];
+			}
+		}
+	}
+
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
+	{
+	local analyzer = analyzer_name(atype);
+	
+	if ( fmt("-%s",analyzer) in c$service )
+		delete c$service[fmt("-%s", analyzer)];
+
+	add c$service[analyzer];
+	}
+
+event protocol_violation(c: connection, atype: count, aid: count,
+                         reason: string) &priority=10
+	{
+	local analyzer = analyzer_name(atype);
+	# If the service hasn't been confirmed yet, don't generate a log message
+	# for the protocol violation.
+	if ( analyzer !in c$service )
+		return;
+		
+	delete c$service[analyzer];
+	add c$service[fmt("-%s", analyzer)];
+	
+	local info: Info;
+	info$ts=network_time();
+	info$uid=c$uid;
+	info$id=c$id;
+	info$proto=get_conn_transport_proto(c$id);
+	info$analyzer=analyzer;
+	info$failure_reason=reason;
+	c$dpd = info;
+	}
+
+event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
+	{
+	if ( !c?$dpd || aid in c$dpd$disabled_aids )
+		return;
+
+	local size = c$orig$size + c$resp$size;
+	if ( ignore_violations_after > 0 && size > ignore_violations_after )
+		return;
+	
+	# Disable the analyzer that raised the last core-generated event.
+	disable_analyzer(c$id, aid);
+	add c$dpd$disabled_aids[aid];
+	}
+
+event protocol_violation(c: connection, atype: count, aid: count,
+				reason: string) &priority=-5
+	{
+	if ( c?$dpd )
+		Log::write(DPD::LOG, c$dpd);
+	}
diff --git a/scripts/base/frameworks/intel/__load__.bro b/scripts/base/frameworks/intel/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/frameworks/intel/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
new file mode 100644
index 0000000000..9ee1c75100
--- /dev/null
+++ b/scripts/base/frameworks/intel/main.bro
@@ -0,0 +1,323 @@
+##! The intelligence framework provides a way to store and query IP addresses,
+##! strings (with a subtype), and numeric (with a subtype) data.  Metadata 
+##! also be associated with the intelligence like tags which are arbitrary
+##! strings, time values, and longer descriptive strings.
+
+# Example string subtypes:
+#   url
+#   email
+#   domain
+#   software
+#   user_name
+#   file_name
+#   file_md5
+#   x509_md5
+
+# Example tags: 
+#   infrastructure
+#   malicious
+#   sensitive
+#   canary
+#   friend
+
+@load base/frameworks/notice
+
+module Intel;
+
+export {
+	## The intel logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	redef enum Notice::Type += {
+		## This notice should be used in all detector scripts to indicate 
+		## an intelligence based detection.
+		Detection,
+	};
+	
+	## Record type used for logging information from the intelligence framework.
+	## Primarily for problems or oddities with inserting and querying data.  
+	## This is important since the content of the intelligence framework can 
+	## change quite dramatically during runtime and problems may be introduced 
+	## into the data.
+	type Info: record {
+		## The current network time.
+		ts:      time   &log;
+		## Represents the severity of the message. 
+		## This value should be one of: "info", "warn", "error"
+		level:   string &log;
+		## The message.
+		message: string &log;
+	};
+	
+	## Record to represent metadata associated with a single piece of
+	## intelligence.
+	type MetaData: record {
+		## A description for the data.
+		desc:        string      &optional;
+		## A URL where more information may be found about the intelligence.
+		url:         string      &optional;
+		## The time at which the data was first declared to be intelligence.
+		first_seen:  time        &optional;
+		## When this data was most recent inserted into the framework.
+		latest_seen: time        &optional;
+		## Arbitrary text tags for the data.
+		tags:        set[string];
+	};
+	
+	## Record to represent a singular piece of intelligence.
+	type Item: record {
+		## If the data is an IP address, this hold the address.
+		ip:          addr        &optional;
+		## If the data is textual, this holds the text.
+		str:         string      &optional;
+		## If the data is numeric, this holds the number.
+		num:         int         &optional;
+		## The subtype of the data for when either the $str or $num fields are
+		## given.  If one of those fields are given, this field must be present.
+		subtype:     string      &optional;
+		
+		## The next five fields are temporary until a better model for 
+		## attaching metadata to an intelligence item is created.
+		desc:        string      &optional;
+		url:         string      &optional;
+		first_seen:  time        &optional;
+		latest_seen: time        &optional;
+		tags:        set[string];
+		
+		## These single string tags are throw away until pybroccoli supports sets.
+		tag1: string &optional;
+		tag2: string &optional;
+		tag3: string &optional;
+	};
+	
+	## Record model used for constructing queries against the intelligence 
+	## framework.
+	type QueryItem: record {
+		## If an IP address is being queried for, this field should be given.
+		ip:        addr        &optional;
+		## If a string is being queried for, this field should be given.
+		str:       string      &optional;
+		## If numeric data is being queried for, this field should be given.
+		num:       int         &optional;
+		## If either a string or number is being queried for, this field should
+		## indicate the subtype of the data.
+		subtype:   string      &optional;
+		
+		## A set of tags where if a single metadata record attached to an item
+		## has any one of the tags defined in this field, it will match.
+		or_tags:   set[string] &optional;
+		## A set of tags where a single metadata record attached to an item 
+		## must have all of the tags defined in this field.
+		and_tags:  set[string] &optional; 
+		
+		## The predicate can be given when searching for a match.  It will
+		## be tested against every :bro:type:`Intel::MetaData` item associated
+		## with the data being matched on.  If it returns T a single time, the 
+		## matcher will consider that the item has matched.  This field can
+		## be used for constructing arbitrarily complex queries that may not
+		## be possible with the $or_tags or $and_tags fields.
+		pred:      function(meta: Intel::MetaData): bool &optional;
+	};
+	
+	## Function to insert data into the intelligence framework.
+	## 
+	## item: The data item.
+	##
+	## Returns: T if the data was successfully inserted into the framework,
+	##          otherwise it returns F.
+	global insert: function(item: Item): bool;
+	
+	## A wrapper for the :bro:id:`Intel::insert` function.  This is primarily
+	## used as the external API for inserting data into the intelligence 
+	## using Broccoli.
+	global insert_event: event(item: Item);
+	
+	## Function for matching data within the intelligence framework.
+	global matcher: function(item: QueryItem): bool;
+}
+
+type MetaDataStore: table[count] of MetaData;
+type DataStore: record {
+	ip_data:     table[addr] of MetaDataStore;
+	# The first string is the actual value and the second string is the subtype.
+	string_data: table[string, string] of MetaDataStore;
+	int_data:    table[int, string] of MetaDataStore;
+};
+global data_store: DataStore;
+
+event bro_init()
+	{
+	Log::create_stream(Intel::LOG, [$columns=Info]);
+	}
+
+
+function insert(item: Item): bool
+	{
+	local err_msg = "";
+	if ( (item?$str || item?$num) && ! item?$subtype )
+		err_msg = "You must provide a subtype to insert_sync or this item doesn't make sense.";
+	
+	if ( err_msg == "" )
+		{
+		# Create and fill out the meta data item.
+		local meta: MetaData;
+		if ( item?$first_seen )
+			meta$first_seen = item$first_seen;
+		if ( item?$latest_seen )
+			meta$latest_seen = item$latest_seen;
+		if ( item?$tags )
+			meta$tags = item$tags;
+		if ( item?$desc )
+			meta$desc = item$desc;
+		if ( item?$url )
+			meta$url = item$url;
+		
+		
+		# This is hopefully only temporary until pybroccoli supports sets.
+		if ( item?$tag1 )
+			add item$tags[item$tag1];
+		if ( item?$tag2 )
+			add item$tags[item$tag2];
+		if ( item?$tag3 )
+			add item$tags[item$tag3];
+		
+		if ( item?$ip )
+			{
+			if ( item$ip !in data_store$ip_data )
+				data_store$ip_data[item$ip] = table();
+			data_store$ip_data[item$ip][|data_store$ip_data[item$ip]|] = meta;
+			return T;
+			}
+		else if ( item?$str )
+			{
+			if ( [item$str, item$subtype] !in data_store$string_data )
+				data_store$string_data[item$str, item$subtype] = table();
+			
+			data_store$string_data[item$str, item$subtype][|data_store$string_data[item$str, item$subtype]|] = meta;
+			return T;
+			}
+		else if ( item?$num )
+			{
+			if ( [item$num, item$subtype] !in data_store$int_data )
+				data_store$int_data[item$num, item$subtype] = table();
+
+			data_store$int_data[item$num, item$subtype][|data_store$int_data[item$num, item$subtype]|] = meta;
+			return T;
+			}
+		else
+			err_msg = "Failed to insert intelligence item for some unknown reason.";
+		}
+	
+	if ( err_msg != "" )
+		Log::write(Intel::LOG, [$ts=network_time(), $level="warn", $message=fmt(err_msg)]);
+	return F;
+	}
+	
+event insert_event(item: Item)
+	{
+	insert(item);
+	}
+	
+function match_item_with_metadata(item: QueryItem, meta: MetaData): bool
+	{
+	if ( item?$and_tags )
+		{
+		local matched = T;
+		# Every tag given has to match in a single MetaData entry.
+		for ( tag in item$and_tags )
+			{
+			if ( tag !in meta$tags )
+				matched = F;
+			}
+		if ( matched )
+			return T;
+		}
+	else if ( item?$or_tags )
+		{
+		# For OR tags, only a single tag has to match.
+		for ( tag in item$or_tags )
+			{
+			if ( tag in meta$tags )
+				return T;
+			}
+		}
+	else if ( item?$pred )
+		return item$pred(meta);
+
+	# This indicates some sort of failure in the query
+	return F;
+	}
+	
+function matcher(item: QueryItem): bool
+	{
+	local err_msg = "";
+	if ( ! (item?$ip || item?$str || item?$num) )
+		err_msg = "You must supply one of the $ip, $str, or $num fields to search on";
+	else if ( (item?$or_tags || item?$and_tags) && item?$pred )
+		err_msg = "You can't match with both tags and a predicate.";
+	else if ( item?$or_tags && item?$and_tags )
+		err_msg = "You can't match with both OR'd together tags and AND'd together tags";
+	else if ( (item?$str || item?$num) && ! item?$subtype )
+		err_msg = "You must provide a subtype to matcher or this item doesn't make sense.";
+	else if ( item?$str && item?$num )
+		err_msg = "You must only provide $str or $num, not both.";
+		
+	local meta: MetaData;
+
+	if ( err_msg == "" )
+		{
+		if ( item?$ip )
+			{
+			if ( item$ip in data_store$ip_data )
+				{
+				if ( ! item?$and_tags && ! item?$or_tags && ! item?$pred )
+					return T;
+			
+				for ( i in data_store$ip_data[item$ip] )
+					{
+					meta = data_store$ip_data[item$ip][i];
+					if ( match_item_with_metadata(item, meta) )
+						return T;
+					}
+				}
+			}
+		
+		else if ( item?$str )
+			{
+			if ( [item$str, item$subtype] in data_store$string_data )
+				{
+				if ( ! item?$and_tags && ! item?$or_tags && ! item?$pred )
+					return T;
+
+				for ( i in data_store$string_data[item$str, item$subtype] )
+					{
+					meta = data_store$string_data[item$str, item$subtype][i];
+					if ( match_item_with_metadata(item, meta) )
+						return T;
+					}
+				}
+			}
+		
+		else if ( item?$num )
+			{
+			if ( [item$num, item$subtype] in data_store$int_data )
+				{
+				if ( ! item?$and_tags && ! item?$or_tags && ! item?$pred )
+					return T;
+
+				for ( i in data_store$int_data[item$num, item$subtype] )
+					{
+					meta = data_store$int_data[item$num, item$subtype][i];
+					if ( match_item_with_metadata(item, meta) )
+						return T;
+					}
+				}
+			}
+		else
+			err_msg = "Failed to query intelligence data for some unknown reason.";
+		}
+		
+	if ( err_msg != "" )
+		Log::write(Intel::LOG, [$ts=network_time(), $level="error", $message=fmt(err_msg)]);
+	return F;
+	}
diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.bro
new file mode 100644
index 0000000000..42b2d7c564
--- /dev/null
+++ b/scripts/base/frameworks/logging/__load__.bro
@@ -0,0 +1,3 @@
+@load ./main
+@load ./postprocessors
+@load ./writers/ascii
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro
new file mode 100644
index 0000000000..2c36b3001e
--- /dev/null
+++ b/scripts/base/frameworks/logging/main.bro
@@ -0,0 +1,452 @@
+##! The Bro logging interface.
+##!
+##! See :doc:`/logging` for a introduction to Bro's logging framework.
+
+module Log;
+
+# Log::ID and Log::Writer are defined in types.bif due to circular dependencies.
+
+export {
+	## If true, local logging is by default enabled for all filters.
+	const enable_local_logging = T &redef;
+
+	## If true, remote logging is by default enabled for all filters.
+	const enable_remote_logging = T &redef;
+
+	## Default writer to use if a filter does not specify
+	## anything else.
+	const default_writer = WRITER_ASCII &redef;
+
+	## Type defining the content of a logging stream.
+	type Stream: record {
+		## A record type defining the log's columns.
+		columns: any;
+
+		## Event that will be raised once for each log entry.
+		## The event receives a single same parameter, an instance of type
+		## ``columns``.
+		ev: any &optional;
+	};
+
+	## Builds the default path values for log filters if not otherwise
+	## specified by a filter. The default implementation uses *id*
+	## to derive a name.
+	##
+	## id: The ID associated with the log stream.
+	##
+	## path: A suggested path value, which may be either the filter's
+	##       ``path`` if defined, else a previous result from the function.
+	##       If no ``path`` is defined for the filter, then the first call
+	##       to the function will contain an empty string.
+	##
+	## rec: An instance of the streams's ``columns`` type with its
+	##      fields set to the values to be logged.
+	##
+	## Returns: The path to be used for the filter.
+	global default_path_func: function(id: ID, path: string, rec: any) : string &redef;
+
+	# Log rotation support.
+
+	## Information passed into rotation callback functions.
+	type RotationInfo: record {
+		writer: Writer;		##< The :bro:type:`Log::Writer` being used.
+		fname: string;		##< Full name of the rotated file.
+		path: string;		##< Original path value.
+		open: time;		##< Time when opened.
+		close: time;		##< Time when closed.
+		terminating: bool;	##< True if rotation occured due to Bro shutting down.
+	};
+
+	## Default rotation interval. Zero disables rotation.
+	const default_rotation_interval = 0secs &redef;
+
+	## Default naming format for timestamps embedded into filenames.
+	## Uses a ``strftime()`` style.
+	const default_rotation_date_format = "%Y-%m-%d-%H-%M-%S" &redef;
+
+	## Default shell command to run on rotated files. Empty for none.
+	const default_rotation_postprocessor_cmd = "" &redef;
+
+	## Specifies the default postprocessor function per writer type.
+	## Entries in this table are initialized by each writer type.
+	const default_rotation_postprocessors: table[Writer] of function(info: RotationInfo) : bool &redef;
+
+	## A filter type describes how to customize logging streams.
+	type Filter: record {
+		## Descriptive name to reference this filter.
+		name: string;
+
+		## The logging writer implementation to use.
+		writer: Writer &default=default_writer;
+
+		## Indicates whether a log entry should be recorded.
+		## If not given, all entries are recorded.
+		##
+		## rec: An instance of the streams's ``columns`` type with its
+		##      fields set to the values to logged.
+		##
+		## Returns: True if the entry is to be recorded.
+		pred: function(rec: any): bool &optional;
+
+		## Output path for recording entries matching this
+		## filter.
+		##
+		## The specific interpretation of the string is up to
+		## the used writer, and may for example be the destination
+		## file name. Generally, filenames are expected to given
+		## without any extensions; writers will add appropiate
+		## extensions automatically.
+		path: string &optional;
+
+		## A function returning the output path for recording entries
+		## matching this filter. This is similar to ``path`` yet allows
+		## to compute the string dynamically. It is ok to return
+		## different strings for separate calls, but be careful: it's
+		## easy to flood the disk by returning a new string for each
+		## connection ...
+		##
+		## id: The ID associated with the log stream.
+		##
+		## path: A suggested path value, which may be either the filter's
+		##       ``path`` if defined, else a previous result from the function.
+		##       If no ``path`` is defined for the filter, then the first call
+		##       to the function will contain an empty string.
+		##
+		## rec: An instance of the streams's ``columns`` type with its
+		##      fields set to the values to be logged.
+		##
+		## Returns: The path to be used for the filter.
+		path_func: function(id: ID, path: string, rec: any): string &optional;
+
+		## Subset of column names to record. If not given, all
+		## columns are recorded.
+		include: set[string] &optional;
+
+		## Subset of column names to exclude from recording. If not given,
+		## all columns are recorded.
+		exclude: set[string] &optional;
+
+		## If true, entries are recorded locally.
+		log_local: bool &default=enable_local_logging;
+
+		## If true, entries are passed on to remote peers.
+		log_remote: bool &default=enable_remote_logging;
+
+		## Rotation interval.
+		interv: interval &default=default_rotation_interval;
+
+		## Callback function to trigger for rotated files. If not set, the
+		## default comes out of :bro:id:`Log::default_rotation_postprocessors`.
+		postprocessor: function(info: RotationInfo) : bool &optional;
+	};
+
+	## Sentinel value for indicating that a filter was not found when looked up.
+	const no_filter: Filter = [$name="<not found>"];
+
+	## Creates a new logging stream with the default filter.
+	##
+	## id: The ID enum to be associated with the new logging stream.
+	##
+	## stream: A record defining the content that the new stream will log.
+	##
+	## Returns: True if a new logging stream was successfully created and
+	##          a default filter added to it.
+	##
+	## .. bro:see:: Log::add_default_filter Log::remove_default_filter
+	global create_stream: function(id: ID, stream: Stream) : bool;
+
+	## Enables a previously disabled logging stream.  Disabled streams
+	## will not be written to until they are enabled again.  New streams
+	## are enabled by default.
+	##
+	## id: The ID associated with the logging stream to enable.
+	##
+	## Returns: True if the stream is re-enabled or was not previously disabled.
+	##
+	## .. bro:see:: Log::disable_stream
+	global enable_stream: function(id: ID) : bool;
+
+	## Disables a currently enabled logging stream.  Disabled streams
+	## will not be written to until they are enabled again.  New streams
+	## are enabled by default.
+	##
+	## id: The ID associated with the logging stream to disable.
+	##
+	## Returns: True if the stream is now disabled or was already disabled.
+	##
+	## .. bro:see:: Log::enable_stream
+	global disable_stream: function(id: ID) : bool;
+
+	## Adds a custom filter to an existing logging stream.  If a filter
+	## with a matching ``name`` field already exists for the stream, it
+	## is removed when the new filter is successfully added.
+	##
+	## id: The ID associated with the logging stream to filter.
+	##
+	## filter: A record describing the desired logging parameters.
+	##
+	## Returns: True if the filter was sucessfully added, false if
+	##          the filter was not added or the *filter* argument was not
+	##          the correct type.
+	##
+	## .. bro:see:: Log::remove_filter Log::add_default_filter
+	##    Log::remove_default_filter
+	global add_filter: function(id: ID, filter: Filter) : bool;
+
+	## Removes a filter from an existing logging stream.
+	##
+	## id: The ID associated with the logging stream from which to
+	##     remove a filter.
+	##
+	## name: A string to match against the ``name`` field of a
+	##       :bro:type:`Log::Filter` for identification purposes.
+	##
+	## Returns: True if the logging stream's filter was removed or
+	##          if no filter associated with *name* was found.
+	##
+	## .. bro:see:: Log::remove_filter Log::add_default_filter
+	##    Log::remove_default_filter
+	global remove_filter: function(id: ID, name: string) : bool;
+
+	## Gets a filter associated with an existing logging stream.
+	##
+	## id: The ID associated with a logging stream from which to
+	##     obtain one of its filters.
+	##
+	## name: A string to match against the ``name`` field of a
+	##       :bro:type:`Log::Filter` for identification purposes.
+	##
+	## Returns: A filter attached to the logging stream *id* matching
+	##          *name* or, if no matches are found returns the
+	##          :bro:id:`Log::no_filter` sentinel value.
+	##
+	## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+	##              Log::remove_default_filter
+	global get_filter: function(id: ID, name: string) : Filter;
+
+	## Writes a new log line/entry to a logging stream.
+	##
+	## id: The ID associated with a logging stream to be written to.
+	##
+	## columns: A record value describing the values of each field/column
+	##          to write to the log stream.
+	##
+	## Returns: True if the stream was found and no error occurred in writing
+	##          to it or if the stream was disabled and nothing was written.
+	##          False if the stream was was not found, or the *columns*
+	##          argument did not match what the stream was initially defined
+	##          to handle, or one of the stream's filters has an invalid
+	##          ``path_func``.
+	##
+	## .. bro:see: Log::enable_stream Log::disable_stream
+	global write: function(id: ID, columns: any) : bool;
+
+	## Sets the buffering status for all the writers of a given logging stream.
+	## A given writer implementation may or may not support buffering and if it
+	## doesn't then toggling buffering with this function has no effect.
+	##
+	## id: The ID associated with a logging stream for which to
+	##     enable/disable buffering.
+	##
+	## buffered: Whether to enable or disable log buffering.
+	##
+	## Returns: True if buffering status was set, false if the logging stream
+	##          does not exist.
+	##
+	## .. bro:see:: Log::flush
+	global set_buf: function(id: ID, buffered: bool): bool;
+
+	## Flushes any currently buffered output for all the writers of a given
+	## logging stream.
+	##
+	## id: The ID associated with a logging stream for which to flush buffered
+	##     data.
+	##
+	## Returns: True if all writers of a log stream were signalled to flush
+	##          buffered data or if the logging stream is disabled,
+	##          false if the logging stream does not exist.
+	##
+	## .. bro:see:: Log::set_buf Log::enable_stream Log::disable_stream
+	global flush: function(id: ID): bool;
+
+	## Adds a default :bro:type:`Log::Filter` record with ``name`` field
+	## set as "default" to a given logging stream.
+	##
+	## id: The ID associated with a logging stream for which to add a default
+	##     filter.
+	##
+	## Returns: The status of a call to :bro:id:`Log::add_filter` using a
+	##          default :bro:type:`Log::Filter` argument with ``name`` field
+	##          set to "default".
+	##
+	## .. bro:see:: Log::add_filter Log::remove_filter
+	##    Log::remove_default_filter
+	global add_default_filter: function(id: ID) : bool;
+
+	## Removes the :bro:type:`Log::Filter` with ``name`` field equal to
+	## "default".
+	##
+	## id: The ID associated with a logging stream from which to remove the
+	##     default filter.
+	##
+	## Returns: The status of a call to :bro:id:`Log::remove_filter` using
+	##          "default" as the argument.
+	##
+	## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+	global remove_default_filter: function(id: ID) : bool;
+
+	## Runs a command given by :bro:id:`Log::default_rotation_postprocessor_cmd`
+	## on a rotated file.  Meant to be called from postprocessor functions
+	## that are added to :bro:id:`Log::default_rotation_postprocessors`.
+	##
+	## info: A record holding meta-information about the log being rotated.
+	##
+	## npath: The new path of the file (after already being rotated/processed
+	##        by writer-specific postprocessor as defined in
+	##        :bro:id:`Log::default_rotation_postprocessors`.
+	##
+	## Returns: True when :bro:id:`Log::default_rotation_postprocessor_cmd`
+	##          is empty or the system command given by it has been invoked
+	##          to postprocess a rotated log file.
+	##
+	## .. bro:see:: Log::default_rotation_date_format
+	##    Log::default_rotation_postprocessor_cmd
+	##    Log::default_rotation_postprocessors
+	global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;
+}
+
+# We keep a script-level copy of all filters so that we can manipulate them.
+global filters: table[ID, string] of Filter;
+
+@load base/logging.bif # Needs Filter and Stream defined.
+
+module Log;
+
+# Used internally by the log manager.
+function __default_rotation_postprocessor(info: RotationInfo) : bool
+	{
+	if ( info$writer in default_rotation_postprocessors )
+		return default_rotation_postprocessors[info$writer](info);
+	}
+
+function default_path_func(id: ID, path: string, rec: any) : string
+	{
+	local id_str = fmt("%s", id);
+	
+	local parts = split1(id_str, /::/);
+	if ( |parts| == 2 )
+		{
+		# The suggested path value is a previous result of this function
+		# or a filter path explicitly set by the user, so continue using it.
+		if ( path != "" )
+			return path;
+		
+		# Example: Notice::LOG -> "notice"
+		if ( parts[2] == "LOG" )
+			{
+			local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4);
+			local output = "";
+			if ( 1 in module_parts )
+				output = module_parts[1];
+			if ( 2 in module_parts && module_parts[2] != "" )
+				output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|));
+			if ( 3 in module_parts && module_parts[3] != "" )
+				output = cat(output, "_", module_parts[3]);
+			if ( 4 in module_parts && module_parts[4] != "" )
+				output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|));
+			return to_lower(output);
+			}
+		
+		# Example: Notice::POLICY_LOG -> "notice_policy"
+		if ( /_LOG$/ in parts[2] )
+			parts[2] = sub(parts[2], /_LOG$/, "");
+		
+		return cat(to_lower(parts[1]),"_",to_lower(parts[2]));
+		}
+	else
+		return to_lower(id_str);
+	}
+
+# Run post-processor on file. If there isn't any postprocessor defined,
+# we move the file to a nicer name.
+function run_rotation_postprocessor_cmd(info: RotationInfo, npath: string) : bool
+	{
+	local pp_cmd = default_rotation_postprocessor_cmd;
+
+	if ( pp_cmd == "" )
+		return T;
+
+	# The date format is hard-coded here to provide a standardized
+	# script interface.
+	system(fmt("%s %s %s %s %s %d",
+               pp_cmd, npath, info$path,
+               strftime("%y-%m-%d_%H.%M.%S", info$open),
+               strftime("%y-%m-%d_%H.%M.%S", info$close),
+               info$terminating));
+
+	return T;
+	}
+
+function create_stream(id: ID, stream: Stream) : bool
+	{
+	if ( ! __create_stream(id, stream) )
+		return F;
+
+	return add_default_filter(id);
+	}
+
+function disable_stream(id: ID) : bool
+	{
+	return __disable_stream(id);
+	}
+
+function add_filter(id: ID, filter: Filter) : bool
+	{
+	# This is a work-around for the fact that we can't forward-declare
+	# the default_path_func and then use it as &default in the record
+	# definition.
+	if ( ! filter?$path_func )
+		filter$path_func = default_path_func;
+	
+	filters[id, filter$name] = filter;
+	return __add_filter(id, filter);
+	}
+
+function remove_filter(id: ID, name: string) : bool
+	{
+	delete filters[id, name];
+	return __remove_filter(id, name);
+	}
+
+function get_filter(id: ID, name: string) : Filter
+	{
+	if ( [id, name] in filters )
+		return filters[id, name];
+
+	return no_filter;
+	}
+
+function write(id: ID, columns: any) : bool
+	{
+	return __write(id, columns);
+	}
+
+function set_buf(id: ID, buffered: bool): bool
+	{
+	return __set_buf(id, buffered);
+	}
+
+function flush(id: ID): bool
+	{
+	return __flush(id);
+	}
+
+function add_default_filter(id: ID) : bool
+	{
+	return add_filter(id, [$name="default"]);
+	}
+
+function remove_default_filter(id: ID) : bool
+	{
+	return remove_filter(id, "default");
+	}
diff --git a/scripts/base/frameworks/logging/postprocessors/__load__.bro b/scripts/base/frameworks/logging/postprocessors/__load__.bro
new file mode 100644
index 0000000000..830a69aa75
--- /dev/null
+++ b/scripts/base/frameworks/logging/postprocessors/__load__.bro
@@ -0,0 +1,2 @@
+@load ./scp
+@load ./sftp
diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.bro
new file mode 100644
index 0000000000..3aadc5bbf3
--- /dev/null
+++ b/scripts/base/frameworks/logging/postprocessors/scp.bro
@@ -0,0 +1,72 @@
+##! This script defines a postprocessing function that can be applied
+##! to a logging filter in order to automatically SCP (secure copy)
+##! a log stream (or a subset of it) to a remote host at configurable
+##! rotation time intervals.  Generally, to use this functionality
+##! you must handle the :bro:id:`bro_init` event and do the following
+##! in your handler:
+##!
+##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
+##!    rotation interval, and set the ``postprocessor`` to
+##!    :bro:id:`Log::scp_postprocessor`.
+##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
+##! 3) Add a table entry to :bro:id:`Log::scp_destinations` for the filter's
+##!    writer/path pair which defines a set of :bro:type:`Log::SCPDestination`
+##!    records.
+
+module Log;
+
+export {
+	## Secure-copies the rotated-log to all the remote hosts
+	## defined in :bro:id:`Log::scp_destinations` and then deletes
+	## the local copy of the rotated-log.  It's not active when
+	## reading from trace files.
+	##
+	## info: A record holding meta-information about the log file to be
+	##       postprocessed.
+	##
+	## Returns: True if secure-copy system command was initiated or
+	##          if no destination was configured for the log as described
+	##          by *info*.
+	global scp_postprocessor: function(info: Log::RotationInfo): bool;
+
+	## A container that describes the remote destination for the SCP command
+	## argument as ``user@host:path``.
+	type SCPDestination: record {
+		## The remote user to log in as.  A trust mechanism should be
+		## pre-established.
+		user: string;
+		## The remote host to which to transfer logs.
+		host: string;
+		## The path/directory on the remote host to send logs.
+		path: string;
+	};
+
+	## A table indexed by a particular log writer and filter path, that yields
+	## a set remote destinations.  The :bro:id:`Log::scp_postprocessor`
+	## function queries this table upon log rotation and performs a secure
+	## copy of the rotated-log to each destination in the set.  This
+	## table can be modified at run-time.
+	global scp_destinations: table[Writer, string] of set[SCPDestination];
+
+	## Default naming format for timestamps embedded into log filenames
+	## that use the SCP rotator.
+	const scp_rotation_date_format = "%Y-%m-%d-%H-%M-%S" &redef;
+}
+
+function scp_postprocessor(info: Log::RotationInfo): bool
+	{
+	if ( reading_traces() || [info$writer, info$path] !in scp_destinations )
+		return T;
+
+	local command = "";
+	for ( d in scp_destinations[info$writer, info$path] )
+		{
+		local dst = fmt("%s/%s.%s.log", d$path, info$path,
+                        strftime(Log::scp_rotation_date_format, info$open));
+		command += fmt("scp %s %s@%s:%s;", info$fname, d$user, d$host, dst);
+		}
+
+	command += fmt("/bin/rm %s", info$fname);
+	system(command);
+	return T;
+	}
diff --git a/scripts/base/frameworks/logging/postprocessors/sftp.bro b/scripts/base/frameworks/logging/postprocessors/sftp.bro
new file mode 100644
index 0000000000..5a31853063
--- /dev/null
+++ b/scripts/base/frameworks/logging/postprocessors/sftp.bro
@@ -0,0 +1,73 @@
+##! This script defines a postprocessing function that can be applied
+##! to a logging filter in order to automatically SFTP
+##! a log stream (or a subset of it) to a remote host at configurable
+##! rotation time intervals.  Generally, to use this functionality
+##! you must handle the :bro:id:`bro_init` event and do the following
+##! in your handler:
+##!
+##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
+##!    rotation interval, and set the ``postprocessor`` to
+##!    :bro:id:`Log::sftp_postprocessor`.
+##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
+##! 3) Add a table entry to :bro:id:`Log::sftp_destinations` for the filter's
+##!    writer/path pair which defines a set of :bro:type:`Log::SFTPDestination`
+##!    records.
+
+module Log;
+
+export {
+	## Securely transfers the rotated-log to all the remote hosts
+	## defined in :bro:id:`Log::sftp_destinations` and then deletes
+	## the local copy of the rotated-log.  It's not active when
+	## reading from trace files.
+	##
+	## info: A record holding meta-information about the log file to be
+	##       postprocessed.
+	##
+	## Returns: True if sftp system command was initiated or
+	##          if no destination was configured for the log as described
+	##          by *info*.
+	global sftp_postprocessor: function(info: Log::RotationInfo): bool;
+
+	## A container that describes the remote destination for the SFTP command,
+	## comprised of the username, host, and path at which to upload the file.
+	type SFTPDestination: record {
+		## The remote user to log in as.  A trust mechanism should be
+		## pre-established.
+		user: string;
+		## The remote host to which to transfer logs.
+		host: string;
+		## The path/directory on the remote host to send logs.
+		path: string;
+	};
+
+	## A table indexed by a particular log writer and filter path, that yields
+	## a set remote destinations.  The :bro:id:`Log::sftp_postprocessor`
+	## function queries this table upon log rotation and performs a secure
+	## transfer of the rotated-log to each destination in the set.  This
+	## table can be modified at run-time.
+	global sftp_destinations: table[Writer, string] of set[SFTPDestination];
+
+	## Default naming format for timestamps embedded into log filenames
+	## that use the SFTP rotator.
+	const sftp_rotation_date_format = "%Y-%m-%d-%H-%M-%S" &redef;
+}
+
+function sftp_postprocessor(info: Log::RotationInfo): bool
+	{
+	if ( reading_traces() || [info$writer, info$path] !in sftp_destinations )
+		return T;
+
+	local command = "";
+	for ( d in sftp_destinations[info$writer, info$path] )
+		{
+		local dst = fmt("%s/%s.%s.log", d$path, info$path,
+		                strftime(Log::sftp_rotation_date_format, info$open));
+		command += fmt("echo put %s %s | sftp -b - %s@%s;", info$fname, dst,
+		               d$user, d$host);
+		}
+
+	command += fmt("/bin/rm %s", info$fname);
+	system(command);
+	return T;
+	}
diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
new file mode 100644
index 0000000000..fa1fcd6797
--- /dev/null
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -0,0 +1,47 @@
+##! Interface for the ASCII log writer.  Redefinable options are available
+##! to tweak the output format of ASCII logs.
+
+module LogAscii;
+
+export {
+	## If true, output everything to stdout rather than
+	## into files. This is primarily for debugging purposes.
+	const output_to_stdout = F &redef;
+
+	## If true, include a header line with column names and description
+	## of the other ASCII logging options that were used.
+	const include_header = T &redef;
+
+	## Prefix for the header line if included.
+	const header_prefix = "#" &redef;
+
+	## Separator between fields.
+	const separator = "\t" &redef;
+
+	## Separator between set elements.
+	const set_separator = "," &redef;
+
+	## String to use for empty fields. This should be different from
+        ## *unset_field* to make the output non-ambigious. 
+	const empty_field = "(empty)" &redef;
+
+	## String to use for an unset &optional field.
+	const unset_field = "-" &redef;
+}
+
+# Default function to postprocess a rotated ASCII log file. It moves the rotated
+# file to a new name that includes a timestamp with the opening time, and then
+# runs the writer's default postprocessor command on it.
+function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool
+	{
+	# Move file to name including both opening and closing time.
+	local dst = fmt("%s.%s.log", info$path,
+			strftime(Log::default_rotation_date_format, info$open));
+
+	system(fmt("/bin/mv %s %s", info$fname, dst));
+
+	# Run default postprocessor.
+	return Log::run_rotation_postprocessor_cmd(info, dst);
+	}
+
+redef Log::default_rotation_postprocessors += { [Log::WRITER_ASCII] = default_rotation_postprocessor_func };
diff --git a/scripts/base/frameworks/metrics/__load__.bro b/scripts/base/frameworks/metrics/__load__.bro
new file mode 100644
index 0000000000..35f6b30fb5
--- /dev/null
+++ b/scripts/base/frameworks/metrics/__load__.bro
@@ -0,0 +1,11 @@
+@load ./main
+
+# The cluster framework must be loaded first.
+@load base/frameworks/cluster
+
+# Load either the cluster support script or the non-cluster support script.
+@if ( Cluster::is_enabled() )
+@load ./cluster
+@else
+@load ./non-cluster
+@endif
\ No newline at end of file
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro
new file mode 100644
index 0000000000..4804bc5005
--- /dev/null
+++ b/scripts/base/frameworks/metrics/cluster.bro
@@ -0,0 +1,264 @@
+##! This implements transparent cluster support for the metrics framework.
+##! Do not load this file directly.  It's only meant to be loaded automatically
+##! and will be depending on if the cluster framework has been enabled.
+##! The goal of this script is to make metric calculation completely and
+##! transparently automated when running on a cluster.
+##! 
+##! Events defined here are not exported deliberately because they are meant
+##! to be an internal implementation detail.
+
+@load base/frameworks/cluster
+@load ./main
+
+module Metrics;
+
+export {
+	## Allows a user to decide how large of result groups the 
+	## workers should transmit values for cluster metric aggregation.
+	const cluster_send_in_groups_of = 50 &redef;
+	
+	## The percent of the full threshold value that needs to be met 
+	## on a single worker for that worker to send the value to its manager in
+	## order for it to request a global view for that value.  There is no
+	## requirement that the manager requests a global view for the index
+	## since it may opt not to if it requested a global view for the index
+	## recently.
+	const cluster_request_global_view_percent = 0.1 &redef;
+	
+	## Event sent by the manager in a cluster to initiate the 
+	## collection of metrics values for a filter.
+	global cluster_filter_request: event(uid: string, id: ID, filter_name: string);
+
+	## Event sent by nodes that are collecting metrics after receiving
+	## a request for the metric filter from the manager.
+	global cluster_filter_response: event(uid: string, id: ID, filter_name: string, data: MetricTable, done: bool);
+
+	## This event is sent by the manager in a cluster to initiate the
+	## collection of a single index value from a filter.  It's typically
+	## used to get intermediate updates before the break interval triggers
+	## to speed detection of a value crossing a threshold.
+	global cluster_index_request: event(uid: string, id: ID, filter_name: string, index: Index);
+
+	## This event is sent by nodes in response to a 
+	## :bro:id:`Metrics::cluster_index_request` event.
+	global cluster_index_response: event(uid: string, id: ID, filter_name: string, index: Index, val: count);
+
+	## This is sent by workers to indicate that they crossed the percent of the 
+	## current threshold by the percentage defined globally in 
+	## :bro:id:`Metrics::cluster_request_global_view_percent`
+	global cluster_index_intermediate_response: event(id: Metrics::ID, filter_name: string, index: Metrics::Index, val: count);
+
+	## This event is scheduled internally on workers to send result chunks.
+	global send_data: event(uid: string, id: ID, filter_name: string, data: MetricTable);
+	
+}
+
+
+# This is maintained by managers so they can know what data they requested and
+# when they requested it.
+global requested_results: table[string] of time = table() &create_expire=5mins;
+
+# TODO: The next 4 variables make the assumption that a value never 
+#       takes longer than 5 minutes to transmit from workers to manager.  This needs to 
+#       be tunable or self-tuning.  These should also be restructured to be
+#       maintained within a single variable.
+
+# This variable is maintained by manager nodes as they collect and aggregate 
+# results.
+global filter_results: table[string, ID, string] of MetricTable &create_expire=5mins;
+
+# This variable is maintained by manager nodes to track how many "dones" they
+# collected per collection unique id.  Once the number of results for a uid 
+# matches the number of peer nodes that results should be coming from, the 
+# result is written out and deleted from here.
+# TODO: add an &expire_func in case not all results are received.
+global done_with: table[string] of count &create_expire=5mins &default=0;
+
+# This variable is maintained by managers to track intermediate responses as 
+# they are getting a global view for a certain index.
+global index_requests: table[string, ID, string, Index] of count &create_expire=5mins &default=0;
+
+# This variable is maintained by all hosts for different purposes. Non-managers
+# maintain it to know what indexes they have recently sent as intermediate
+# updates so they don't overwhelm their manager. Managers maintain it so they
+# don't overwhelm workers with intermediate index requests. The count that is
+# yielded is the number of times the percentage threshold has been crossed and
+# an intermediate result has been received. The manager may optionally request
+# the index again before data expires from here if too many workers are crossing
+# the percentage threshold (not implemented yet!).
+global recent_global_view_indexes: table[ID, string, Index] of count &create_expire=5mins &default=0;
+
+# Add events to the cluster framework to make this work.
+redef Cluster::manager2worker_events += /Metrics::cluster_(filter_request|index_request)/;
+redef Cluster::worker2manager_events += /Metrics::cluster_(filter_response|index_response|index_intermediate_response)/;
+
+@if ( Cluster::local_node_type() != Cluster::MANAGER )
+# This is done on all non-manager node types in the event that a metric is 
+# being collected somewhere other than a worker.
+function data_added(filter: Filter, index: Index, val: count)
+	{
+	# If an intermediate update for this value was sent recently, don't send
+	# it again.
+	if ( [filter$id, filter$name, index] in recent_global_view_indexes )
+		return;
+		
+	# If val is 5 and global view % is 0.1 (10%), pct_val will be 50.  If that
+	# crosses the full threshold then it's a candidate to send as an 
+	# intermediate update.
+	local pct_val = double_to_count(val / cluster_request_global_view_percent);
+	
+	if ( check_notice(filter, index, pct_val) ) 
+		{
+		# kick off intermediate update
+		event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index, val);
+		
+		++recent_global_view_indexes[filter$id, filter$name, index];
+		}
+	}
+
+event Metrics::send_data(uid: string, id: ID, filter_name: string, data: MetricTable)
+	{
+	#print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid);
+	
+	local local_data: MetricTable;
+	local num_added = 0;
+	for ( index in data )
+		{
+		local_data[index] = data[index];
+		delete data[index];
+		
+		# Only send cluster_send_in_groups_of at a time.  Queue another
+		# event to send the next group.
+		if ( cluster_send_in_groups_of == ++num_added )
+			break;
+		}
+	
+	local done = F;
+	# If data is empty, this metric is done.
+	if ( |data| == 0 )
+		done = T;
+	
+	event Metrics::cluster_filter_response(uid, id, filter_name, local_data, done);
+	if ( ! done )
+		event Metrics::send_data(uid, id, filter_name, data);
+	}
+
+event Metrics::cluster_filter_request(uid: string, id: ID, filter_name: string)
+	{
+	#print fmt("WORKER %s: received the cluster_filter_request event.", Cluster::node);
+	
+	# Initiate sending all of the data for the requested filter.
+	event Metrics::send_data(uid, id, filter_name, store[id, filter_name]);
+	
+	# Lookup the actual filter and reset it, the reference to the data
+	# currently stored will be maintained interally by the send_data event.
+	reset(filter_store[id, filter_name]);
+	}
+	
+event Metrics::cluster_index_request(uid: string, id: ID, filter_name: string, index: Index)
+	{
+	local val=0;
+	if ( index in store[id, filter_name] )
+		val = store[id, filter_name][index];
+	
+	# fmt("WORKER %s: received the cluster_index_request event for %s=%d.", Cluster::node, index2str(index), val);
+	event Metrics::cluster_index_response(uid, id, filter_name, index, val);
+	}
+
+@endif
+
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+
+# Manager's handle logging.
+event Metrics::log_it(filter: Filter)
+	{
+	#print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id);
+	
+	local uid = unique_id("");
+	
+	# Set some tracking variables.
+	requested_results[uid] = network_time();
+	filter_results[uid, filter$id, filter$name] = table();
+	
+	# Request data from peers.
+	event Metrics::cluster_filter_request(uid, filter$id, filter$name);
+	# Schedule the log_it event for the next break period.
+	schedule filter$break_interval { Metrics::log_it(filter) };
+	}
+
+# This is unlikely to be called often, but it's here in case there are metrics
+# being collected by managers.
+function data_added(filter: Filter, index: Index, val: count)
+	{
+	if ( check_notice(filter, index, val) )
+		do_notice(filter, index, val);
+	}
+	
+event Metrics::cluster_index_response(uid: string, id: ID, filter_name: string, index: Index, val: count)
+	{
+	#print fmt("%0.6f MANAGER: receiving index data from %s", network_time(), get_event_peer()$descr);
+
+	if ( [uid, id, filter_name, index] !in index_requests )
+		index_requests[uid, id, filter_name, index] = 0;
+	
+	index_requests[uid, id, filter_name, index] += val;
+	local ir = index_requests[uid, id, filter_name, index];
+	
+	++done_with[uid];
+	if ( Cluster::worker_count == done_with[uid] )
+		{
+		if ( check_notice(filter_store[id, filter_name], index, ir) )
+			do_notice(filter_store[id, filter_name], index, ir);
+		delete done_with[uid];
+		delete index_requests[uid, id, filter_name, index];
+		}
+	}
+
+# Managers handle intermediate updates here.
+event Metrics::cluster_index_intermediate_response(id: ID, filter_name: string, index: Index, val: count)
+	{
+	#print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr);
+	#print fmt("MANAGER: requesting index data for %s", index2str(index));
+	
+	local uid = unique_id("");
+	event Metrics::cluster_index_request(uid, id, filter_name, index);
+	++recent_global_view_indexes[id, filter_name, index];
+	}
+
+event Metrics::cluster_filter_response(uid: string, id: ID, filter_name: string, data: MetricTable, done: bool)
+	{
+	#print fmt("MANAGER: receiving results from %s", get_event_peer()$descr);
+	
+	local local_data = filter_results[uid, id, filter_name];
+	for ( index in data )
+		{
+		if ( index !in local_data )
+			local_data[index] = 0;
+		local_data[index] += data[index];
+		}
+	
+	# Mark another worker as being "done" for this uid.
+	if ( done )
+		++done_with[uid];
+	
+	# If the data has been collected from all peers, we are done and ready to log.
+	if ( Cluster::worker_count == done_with[uid] )
+		{
+		local ts = network_time();
+		# Log the time this was initially requested if it's available.
+		if ( uid in requested_results )
+			{
+			ts = requested_results[uid];
+			delete requested_results[uid];
+			}
+		
+		write_log(ts, filter_store[id, filter_name], local_data);
+		
+		# Clean up
+		delete filter_results[uid, id, filter_name];
+		delete done_with[uid];
+		}
+	}
+
+@endif
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
new file mode 100644
index 0000000000..d322d128fe
--- /dev/null
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -0,0 +1,320 @@
+##! The metrics framework provides a way to count and measure data.  
+
+@load base/frameworks/notice
+
+module Metrics;
+
+export {
+	## The metrics logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	## Identifiers for metrics to collect.
+	type ID: enum {
+		## Blank placeholder value.
+		NOTHING,
+	};
+	
+	## The default interval used for "breaking" metrics and writing the 
+	## current value to the logging stream.
+	const default_break_interval = 15mins &redef;
+	
+	## This is the interval for how often threshold based notices will happen 
+	## after they have already fired.
+	const renotice_interval = 1hr &redef;
+	
+	## Represents a thing which is having metrics collected for it.  An instance
+	## of this record type and a :bro:type:`Metrics::ID` together represent a 
+	## single measurement.
+	type Index: record {
+		## Host is the value to which this metric applies.
+		host:         addr &optional;
+		
+		## A non-address related metric or a sub-key for an address based metric.
+		## An example might be successful SSH connections by client IP address
+		## where the client string would be the index value.
+		## Another example might be number of HTTP requests to a particular
+		## value in a Host header.  This is an example of a non-host based
+		## metric since multiple IP addresses could respond for the same Host
+		## header value.
+		str:        string &optional;
+		
+		## The CIDR block that this metric applies to.  This is typically
+		## only used internally for host based aggregation.
+		network:      subnet &optional;
+	} &log;
+	
+	## The record type that is used for logging metrics.
+	type Info: record {
+		## Timestamp at which the metric was "broken".
+		ts:           time   &log;
+		## What measurement the metric represents.
+		metric_id:    ID     &log;
+		## The name of the filter being logged.  :bro:type:`Metrics::ID` values
+		## can have multiple filters which represent different perspectives on
+		## the data so this is necessary to understand the value.
+		filter_name:  string &log;
+		## What the metric value applies to.
+		index:        Index  &log;
+		## The simple numeric value of the metric.
+		value:        count  &log;
+	};
+	
+    # TODO: configure a metrics filter logging stream to log the current
+	#       metrics configuration in case someone is looking through
+	#       old logs and the configuration has changed since then.
+	
+	## Filters define how the data from a metric is aggregated and handled.  
+	## Filters can be used to set how often the measurements are cut or "broken"
+	## and logged or how the data within them is aggregated.  It's also 
+	## possible to disable logging and use filters for thresholding.
+	type Filter: record {
+		## The :bro:type:`Metrics::ID` that this filter applies to.
+		id:                ID                      &optional;
+		## The name for this filter so that multiple filters can be
+		## applied to a single metrics to get a different view of the same
+		## metric data being collected (different aggregation, break, etc).
+		name:              string                  &default="default";
+		## A predicate so that you can decide per index if you would like
+		## to accept the data being inserted.
+		pred:              function(index: Index): bool &optional;
+		## Global mask by which you'd like to aggregate traffic.
+		aggregation_mask:  count                   &optional;
+		## This is essentially a mapping table between addresses and subnets.
+		aggregation_table: table[subnet] of subnet &optional;
+		## The interval at which this filter should be "broken" and written
+		## to the logging stream.  The counters are also reset to zero at 
+		## this time so any threshold based detection needs to be set to a 
+		## number that should be expected to happen within this period.
+		break_interval:    interval                &default=default_break_interval;
+		## This determines if the result of this filter is sent to the metrics
+		## logging stream.  One use for the logging framework is as an internal
+		## thresholding and statistics gathering utility that is meant to
+		## never log but rather to generate notices and derive data.
+		log:               bool                    &default=T;
+		## If this and a $notice_threshold value are set, this notice type
+		## will be generated by the metrics framework.
+		note:              Notice::Type            &optional;
+		## A straight threshold for generating a notice.
+		notice_threshold:  count                   &optional;
+		## A series of thresholds at which to generate notices.
+		notice_thresholds: vector of count         &optional;
+		## How often this notice should be raised for this filter.  It 
+		## will be generated everytime it crosses a threshold, but if the 
+		## $break_interval is set to 5mins and this is set to 1hr the notice
+		## only be generated once per hour even if something crosses the
+		## threshold in every break interval.
+		notice_freq:       interval                &optional;
+	};
+	
+	## Function to associate a metric filter with a metric ID.
+	## 
+	## id: The metric ID that the filter should be associated with.
+	##
+	## filter: The record representing the filter configuration.
+	global add_filter: function(id: ID, filter: Filter);
+	
+	## Add data into a :bro:type:`Metrics::ID`.  This should be called when
+	## a script has measured some point value and is ready to increment the
+	## counters.
+	##
+	## id: The metric ID that the data represents.
+	##
+	## index: The metric index that the value is to be added to.
+	##
+	## increment: How much to increment the counter by.
+	global add_data: function(id: ID, index: Index, increment: count);
+	
+	## Helper function to represent a :bro:type:`Metrics::Index` value as 
+	## a simple string
+	## 
+	## index: The metric index that is to be converted into a string.
+	##
+	## Returns: A string reprentation of the metric index.
+	global index2str: function(index: Index): string;
+	
+	## Event that is used to "finish" metrics and adapt the metrics
+	## framework for clustered or non-clustered usage.
+	##
+	## ..note: This is primarily intended for internal use.
+	global log_it: event(filter: Filter);
+	
+	## Event to access metrics records as they are passed to the logging framework.
+	global log_metrics: event(rec: Info);
+	
+	## Type to store a table of metrics values.  Interal use only!
+	type MetricTable: table[Index] of count &default=0;
+}
+
+redef record Notice::Info += {
+	metric_index: Index &log &optional;
+};
+
+global metric_filters: table[ID] of vector of Filter = table();
+global filter_store: table[ID, string] of Filter = table();
+
+# This is indexed by metric ID and stream filter name.
+global store: table[ID, string] of MetricTable = table() &default=table();
+
+# This function checks if a threshold has been crossed and generates a 
+# notice if it has.  It is also used as a method to implement 
+# mid-break-interval threshold crossing detection for cluster deployments.
+global check_notice: function(filter: Filter, index: Index, val: count): bool;
+
+# This is hook for watching thresholds being crossed.  It is called whenever
+# index values are updated and the new val is given as the `val` argument.
+global data_added: function(filter: Filter, index: Index, val: count);
+
+# This stores the current threshold index for filters using the
+# $notice_threshold and $notice_thresholds elements.
+global thresholds: table[ID, string, Index] of count = {} &create_expire=renotice_interval &default=0;
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Metrics::LOG, [$columns=Info, $ev=log_metrics]);
+	}
+
+function index2str(index: Index): string
+	{
+	local out = "";
+	if ( index?$host )
+		out = fmt("%shost=%s", out, index$host);
+	if ( index?$network )
+		out = fmt("%s%snetwork=%s", out, |out|==0 ? "" : ", ", index$network);
+	if ( index?$str )
+		out = fmt("%s%sstr=%s", out, |out|==0 ? "" : ", ", index$str);
+	return fmt("metric_index(%s)", out);
+	}
+	
+function write_log(ts: time, filter: Filter, data: MetricTable)
+	{
+	for ( index in data )
+		{
+		local val = data[index];
+		local m: Info = [$ts=ts,
+		                 $metric_id=filter$id,
+		                 $filter_name=filter$name,
+		                 $index=index,
+		                 $value=val];
+		
+		if ( filter$log )
+			Log::write(Metrics::LOG, m);
+		}
+	}
+
+
+function reset(filter: Filter)
+	{
+	store[filter$id, filter$name] = table();
+	}
+
+function add_filter(id: ID, filter: Filter)
+	{
+	if ( filter?$aggregation_table && filter?$aggregation_mask )
+		{
+		print "INVALID Metric filter: Defined $aggregation_table and $aggregation_mask.";
+		return;
+		}
+	if ( [id, filter$name] in store )
+		{
+		print fmt("INVALID Metric filter: Filter with name \"%s\" already exists.", filter$name);
+		return;
+		}
+	if ( filter?$notice_threshold && filter?$notice_thresholds )
+		{
+		print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds";
+		return;
+		}
+	
+	if ( ! filter?$id )
+		filter$id = id;
+	
+	if ( id !in metric_filters )
+		metric_filters[id] = vector();
+	metric_filters[id][|metric_filters[id]|] = filter;
+
+	filter_store[id, filter$name] = filter;
+	store[id, filter$name] = table();
+	
+	schedule filter$break_interval { Metrics::log_it(filter) };
+	}
+	
+function add_data(id: ID, index: Index, increment: count)
+	{
+	if ( id !in metric_filters )
+		return;
+	
+	local filters = metric_filters[id];
+	
+	# Try to add the data to all of the defined filters for the metric.
+	for ( filter_id in filters )
+		{
+		local filter = filters[filter_id];
+		
+		# If this filter has a predicate, run the predicate and skip this
+		# index if the predicate return false.
+		if ( filter?$pred && ! filter$pred(index) )
+			next;
+		
+		if ( index?$host )
+			{
+			if ( filter?$aggregation_mask )
+				{
+				index$network = mask_addr(index$host, filter$aggregation_mask);
+				delete index$host;
+				}
+			else if ( filter?$aggregation_table )
+				{
+				# Don't add the data if the aggregation table doesn't include 
+				# the given host address.
+				if ( index$host !in filter$aggregation_table )
+					return;
+				index$network = filter$aggregation_table[index$host];
+				delete index$host;
+				}
+			}
+		
+		local metric_tbl = store[id, filter$name];
+		if ( index !in metric_tbl )
+			metric_tbl[index] = 0;
+		metric_tbl[index] += increment;
+		
+		data_added(filter, index, metric_tbl[index]);
+		}
+	}
+
+function check_notice(filter: Filter, index: Index, val: count): bool
+	{
+	if ( (filter?$notice_threshold &&
+	      [filter$id, filter$name, index] !in thresholds &&
+	      val >= filter$notice_threshold) ||
+	     (filter?$notice_thresholds &&
+	      |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
+	      val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
+		return T;
+	else
+		return F;
+	}
+		
+function do_notice(filter: Filter, index: Index, val: count)
+	{
+	# We include $peer_descr here because the a manager count have actually 
+	# generated the notice even though the current remote peer for the event 
+	# calling this could be a worker if this is running as a cluster.
+	local n: Notice::Info = [$note=filter$note, 
+	                         $n=val, 
+	                         $metric_index=index, 
+	                         $peer_descr=peer_description];
+	n$msg = fmt("Threshold crossed by %s %d/%d", index2str(index), val, filter$notice_threshold);
+	if ( index?$str )
+		n$sub = index$str;
+	if ( index?$host )
+		n$src = index$host;
+	# TODO: not sure where to put the network yet.
+	
+	NOTICE(n);
+	
+	# This just needs set to some value so that it doesn't refire the 
+	# notice until it expires from the table or it crosses the next 
+	# threshold in the case of vectors of thresholds.
+	++thresholds[filter$id, filter$name, index];
+	}
diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro
new file mode 100644
index 0000000000..85c050fb25
--- /dev/null
+++ b/scripts/base/frameworks/metrics/non-cluster.bro
@@ -0,0 +1,21 @@
+@load ./main
+
+module Metrics;
+
+event Metrics::log_it(filter: Filter)
+	{
+	local id = filter$id;
+	local name = filter$name;
+	
+	write_log(network_time(), filter, store[id, name]);
+	reset(filter);
+	
+	schedule filter$break_interval { Metrics::log_it(filter) };
+	}
+	
+	
+function data_added(filter: Filter, index: Index, val: count)
+	{
+	if ( check_notice(filter, index, val) )
+		do_notice(filter, index, val);
+	}
diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro
new file mode 100644
index 0000000000..4548e98dc2
--- /dev/null
+++ b/scripts/base/frameworks/notice/__load__.bro
@@ -0,0 +1,23 @@
+@load ./main
+@load ./weird
+
+# There should be no overhead imposed by loading notice actions so we
+# load them all.
+@load ./actions/drop
+@load ./actions/email_admin
+@load ./actions/page
+@load ./actions/add-geodata
+
+# There shouldn't be any default overhead from loading these since they 
+# *should* only do anything when notices have the ACTION_EMAIL action applied.
+@load ./extend-email/hostnames
+
+# The cluster framework must be loaded first.
+@load base/frameworks/cluster
+
+@if ( Cluster::is_enabled() )
+@load ./cluster
+@endif
+
+# Load here so that it can check whether clustering is enabled.
+@load ./actions/pp-alarms
diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.bro
new file mode 100644
index 0000000000..9f6909595c
--- /dev/null
+++ b/scripts/base/frameworks/notice/actions/add-geodata.bro
@@ -0,0 +1,52 @@
+##! This script adds geographic location data to notices for the "remote"
+##! host in a connection.  It does make the assumption that one of the 
+##! addresses in a connection is "local" and one is "remote" which is 
+##! probably a safe assumption to make in most cases.  If both addresses
+##! are remote, it will use the $src address.
+
+@load ../main
+@load base/frameworks/notice
+@load base/utils/site
+
+module Notice;
+
+export {
+	redef enum Action += {
+		## Indicates that the notice should have geodata added for the
+		## "remote" host.  :bro:id:`Site::local_nets` must be defined
+		## in order for this to work.
+		ACTION_ADD_GEODATA
+	};
+	
+	redef record Info += {
+		## If libGeoIP support is built in, notices can have geographic
+		## information attached to them.
+		remote_location: geo_location  &log &optional;
+	};
+	
+	## Notice types which should have the "remote" location looked up.
+	## If GeoIP support is not built in, this does nothing.
+	const lookup_location_types: set[Notice::Type] = {} &redef;
+	
+	## Add a helper to the notice policy for looking up GeoIP data.
+	redef Notice::policy += {
+		[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
+		 $action = ACTION_ADD_GEODATA,
+		 $priority = 10],
+	};
+}
+
+# This is handled at a high priority in case other notice handlers 
+# want to use the data.
+event notice(n: Notice::Info) &priority=10
+	{
+	if ( ACTION_ADD_GEODATA in n$actions &&
+	     |Site::local_nets| > 0 &&
+	     ! n?$remote_location )
+		{
+		if ( n?$src && ! Site::is_local_addr(n$src) )
+			n$remote_location = lookup_location(n$src);
+		else if ( n?$dst && ! Site::is_local_addr(n$dst) )
+			n$remote_location = lookup_location(n$dst);
+		}
+	}
diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.bro
new file mode 100644
index 0000000000..0116dd4ed4
--- /dev/null
+++ b/scripts/base/frameworks/notice/actions/drop.bro
@@ -0,0 +1,36 @@
+##! This script extends the built in notice code to implement the IP address
+##! dropping functionality.
+
+@load ../main
+
+module Notice;
+
+export {
+	redef enum Action += {
+		## Drops the address via Drop::drop_address, and generates an alarm.
+		ACTION_DROP
+	};
+
+	redef record Info += {
+		## Indicate if the $src IP address was dropped and denied network access.
+		dropped:  bool           &log &default=F;
+	};
+}
+
+# This is a little awkward because we want to inject drop along with the
+# synchronous functions.
+event bro_init()
+	{
+	local drop_func = function(n: Notice::Info)
+		{
+		if ( ACTION_DROP in n$actions )
+			{
+			#local drop = React::drop_address(n$src, "");
+			#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
+			#n$dropped = drop$note != Drop::AddressDropIgnored;
+			#n$msg += fmt(" [%s%s]", drop$note, addl);
+			}
+		};
+
+	add Notice::sync_functions[drop_func];
+	}
diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.bro
new file mode 100644
index 0000000000..7484a1c606
--- /dev/null
+++ b/scripts/base/frameworks/notice/actions/email_admin.bro
@@ -0,0 +1,35 @@
+##! Adds a new notice action type which can be used to email notices
+##! to the administrators of a particular address space as set by
+##! :bro:id:`Site::local_admins` if the notice contains a source
+##! or destination address that lies within their space.
+
+@load ../main
+@load base/utils/site
+
+module Notice;
+
+export {
+	redef enum Action += {
+		## Indicate that the generated email should be addressed to the 
+		## appropriate email addresses as found by the
+		## :bro:id:`Site::get_emails` function based on the relevant 
+		## address or addresses indicated in the notice.
+		ACTION_EMAIL_ADMIN
+	};
+}
+
+event notice(n: Notice::Info) &priority=-5
+	{
+	if ( |Site::local_admins| > 0 &&
+	     ACTION_EMAIL_ADMIN in n$actions )
+		{
+		local email = "";
+		if ( n?$src && |Site::get_emails(n$src)| > 0 )
+			email = fmt("%s, %s", email, Site::get_emails(n$src));
+		if ( n?$dst && |Site::get_emails(n$dst)| > 0 )
+			email = fmt("%s, %s", email, Site::get_emails(n$dst));
+		
+		if ( email != "" )
+			email_notice_to(n, email, T);
+		}
+	}
diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.bro
new file mode 100644
index 0000000000..16a3463126
--- /dev/null
+++ b/scripts/base/frameworks/notice/actions/page.bro
@@ -0,0 +1,22 @@
+##! Allows configuration of a pager email address to which notices can be sent.
+
+@load ../main
+
+module Notice;
+
+export {
+	redef enum Action += {
+		## Indicates that the notice should be sent to the pager email address
+		## configured in the :bro:id:`Notice::mail_page_dest` variable.
+		ACTION_PAGE
+	};
+	
+	## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE` action.
+	const mail_page_dest = "" &redef;
+}
+
+event notice(n: Notice::Info) &priority=-5
+	{
+	if ( ACTION_PAGE in n$actions )
+		email_notice_to(n, mail_page_dest, F);
+	}
diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro
new file mode 100644
index 0000000000..82fda6db6c
--- /dev/null
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro
@@ -0,0 +1,250 @@
+##! Notice extension that mails out a pretty-printed version of alarm.log
+##! in regular intervals, formatted for better human readability. If activated,
+##! that replaces the default summary mail having the raw log output.
+
+@load base/frameworks/cluster
+@load ../main
+
+module Notice;
+
+export {
+	## Activate pretty-printed alarm summaries.
+	const pretty_print_alarms = T &redef;
+	
+	## Address to send the pretty-printed reports to. Default if not set is
+	## :bro:id:`Notice::mail_dest`.
+	const mail_dest_pretty_printed = "" &redef;
+	## If an address from one of these networks is reported, we mark
+	## the entry with an additional quote symbol (i.e., ">"). Many MUAs
+	## then highlight such lines differently.
+	global flag_nets: set[subnet] &redef;
+	
+	## Function that renders a single alarm. Can be overidden.
+	global pretty_print_alarm: function(out: file, n: Info) &redef;
+	
+	## Force generating mail file, even if reading from traces or no mail
+	## destination is defined. This is mainly for testing.
+	global force_email_summaries = F &redef;
+}
+
+# We maintain an old-style file recording the pretty-printed alarms.
+const  pp_alarms_name = "alarm-mail.txt";
+global pp_alarms: file;
+global pp_alarms_open: bool = F;
+
+# Returns True if pretty-printed alarm summaries are activated.
+function want_pp() : bool
+	{
+	if ( force_email_summaries )
+		return T;
+	
+	return (pretty_print_alarms && ! reading_traces()
+		&& (mail_dest != "" || mail_dest_pretty_printed != ""));
+	}
+
+# Opens and intializes the output file.
+function pp_open()
+	{
+	if ( pp_alarms_open )
+		return;
+	
+	pp_alarms_open = T;
+	pp_alarms = open(pp_alarms_name);
+	}
+
+# Closes and mails out the current output file.
+function pp_send(rinfo: Log::RotationInfo)
+	{
+	if ( ! pp_alarms_open )
+		return;
+	
+	write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n");
+	close(pp_alarms);
+	pp_alarms_open = F;
+	
+	local from = strftime("%H:%M:%S", rinfo$open);
+	local to = strftime("%H:%M:%S", rinfo$close);
+	local subject = fmt("Alarm summary from %s-%s", from, to);
+	local dest = mail_dest_pretty_printed != "" ? mail_dest_pretty_printed
+		: mail_dest;
+	
+	if ( dest == "" )
+		# No mail destination configured, just leave the file alone. This is mainly for
+		# testing.
+		return;
+	
+	local headers = email_headers(subject, dest);
+	
+	local header_name = pp_alarms_name + ".tmp";
+	local header = open(header_name);
+	write_file(header, headers + "\n");
+	close(header);
+	
+	system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm -f %s %s",
+		   header_name, pp_alarms_name, sendmail, header_name, pp_alarms_name));
+	}
+
+# Postprocessor function that triggers the email.
+function pp_postprocessor(info: Log::RotationInfo): bool
+	{
+	if ( want_pp() )
+		pp_send(info);
+	
+	return T;
+	}
+
+event bro_init()
+	{
+	if ( ! want_pp() )
+		return;
+	
+	# This replaces the standard non-pretty-printing filter.
+	Log::add_filter(Notice::ALARM_LOG,
+			[$name="alarm-mail", $writer=Log::WRITER_NONE,
+			 $interv=Log::default_rotation_interval,
+			 $postprocessor=pp_postprocessor]);
+	}
+
+event notice(n: Notice::Info) &priority=-5
+	{
+	if ( ! want_pp() )
+		return;
+	
+	if ( ACTION_ALARM !in n$actions )
+		return;
+	
+	if ( ! pp_alarms_open )
+		pp_open();
+	
+	pretty_print_alarm(pp_alarms, n);
+	}
+
+function do_msg(out: file, n: Info, line1: string, line2: string, line3: string, host1: addr, name1: string, host2: addr, name2: string)
+	{
+	local country = "";
+@ifdef ( Notice::ACTION_ADD_GEODATA ) # Make tests happy, cyclic dependency.
+	if ( n?$remote_location && n$remote_location?$country_code  )
+		country = fmt(" (remote location %s)", n$remote_location$country_code);
+@endif
+	
+	line1 = cat(line1, country);
+	
+	local resolved = "";
+	
+	if ( host1 != 0.0.0.0 )
+		resolved = fmt("%s   # %s = %s", resolved, host1, name1);
+	
+	if ( host2 != 0.0.0.0 )
+		resolved = fmt("%s  %s = %s", resolved, host2, name2);
+	
+	print out, line1;
+	print out, line2;
+	if ( line3 != "" )
+		print out, line3;
+	if ( resolved != "" )
+		print out, resolved;
+	print out, "";
+	}
+
+# Default pretty-printer.
+function pretty_print_alarm(out: file, n: Info)
+	{
+	local pdescr = "";
+	
+@if ( Cluster::is_enabled() )
+	pdescr = "local";
+	
+	if ( n?$src_peer )
+		pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host);
+
+	pdescr = fmt("<%s> ", pdescr);
+@endif
+	
+	local msg = fmt( "%s%s", pdescr, n$msg);
+	
+	local who = "";
+	local h1 = 0.0.0.0;
+	local h2 = 0.0.0.0;
+	
+	local orig_p = "";
+	local resp_p = "";
+	
+	if ( n?$id )
+		{
+		h1 = n$id$orig_h;
+		h2 = n$id$resp_h;
+		who = fmt("%s:%s -> %s:%s", h1, n$id$orig_p, h2, n$id$resp_p);
+		}
+	else if ( n?$src && n?$dst )
+		{
+		h1 = n$src;
+		h2 = n$dst;
+		who = fmt("%s -> %s", h1, h2);
+		}
+	else if ( n?$src )
+		{
+		h1 = n$src;
+		who = fmt("%s%s", h1, (n?$p ? fmt(":%s", n$p) : ""));
+		}
+	
+	if ( n?$uid )
+		who = fmt("%s (uid %s)", who, n$uid );
+	
+	local flag = (h1 in flag_nets || h2 in flag_nets);
+	
+	local line1 = fmt(">%s %D %s %s", (flag ? ">" : " "), network_time(), n$note, who);
+	local line2 = fmt("   %s", msg);
+	local line3 = n?$sub ? fmt("   %s", n$sub) : "";
+	
+	if ( h1 == 0.0.0.0 )
+		{
+		do_msg(out, n, line1, line2, line3, h1, "", h2, "");
+		return;
+		}
+	
+	if ( reading_traces() )
+		{
+		do_msg(out, n, line1, line2, line3, h1, "<skipped>", h2, "<skipped>");
+		return;
+		}
+	
+	when ( local h1name = lookup_addr(h1) )
+		{
+		if ( h2 == 0.0.0.0 ) 
+			{
+			do_msg(out, n, line1, line2, line3, h1, h1name, h2, "");
+			return;
+			}
+		
+		when ( local h2name = lookup_addr(h2) )
+			{
+			do_msg(out, n, line1, line2, line3, h1, h1name, h2, h2name);
+			return;
+			}
+		timeout 5secs 
+			{
+			do_msg(out, n, line1, line2, line3, h1, h1name, h2, "(dns timeout)");
+			return;
+			}
+		}
+	
+	timeout 5secs
+		{
+		if ( h2 == 0.0.0.0 ) 
+			{
+			do_msg(out, n, line1, line2, line3, h1,  "(dns timeout)", h2, "");
+			return;
+			}
+		
+		when ( local h2name_ = lookup_addr(h2) )
+			{
+			do_msg(out, n, line1, line2, line3, h1,  "(dns timeout)", h2, h2name_);
+			return;
+			}
+		timeout 5secs
+			{
+			do_msg(out, n, line1, line2, line3, h1,  "(dns timeout)", h2, "(dns timeout)");
+			return;
+			}
+		}
+	}
diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro
new file mode 100644
index 0000000000..281901cf31
--- /dev/null
+++ b/scripts/base/frameworks/notice/cluster.bro
@@ -0,0 +1,55 @@
+##! Implements notice functionality across clusters.  Worker nodes
+##! will disable notice/alarm logging streams and forward notice
+##! events to the manager node for logging/processing.
+
+@load ./main
+@load base/frameworks/cluster
+
+module Notice;
+
+export {
+	## This is the event used to transport notices on the cluster.
+	##
+	## n: The notice information to be sent to the cluster manager for
+	##    further processing.
+	global cluster_notice: event(n: Notice::Info);
+}
+
+## Manager can communicate notice suppression to workers.
+redef Cluster::manager2worker_events += /Notice::begin_suppression/;
+## Workers needs need ability to forward notices to manager.
+redef Cluster::worker2manager_events += /Notice::cluster_notice/;
+
+@if ( Cluster::local_node_type() != Cluster::MANAGER )
+# The notice policy is completely handled by the manager and shouldn't be 
+# done by workers or proxies to save time for packet processing.
+redef policy = {};
+
+event Notice::begin_suppression(n: Notice::Info)
+	{
+	suppressing[n$note, n$identifier] = n;
+	}
+
+event Notice::notice(n: Notice::Info)
+	{
+	# Send the locally generated notice on to the manager.
+	event Notice::cluster_notice(n);
+	}
+
+event bro_init() &priority=-3
+	{
+	# Workers and proxies need to disable the notice streams because notice
+	# events are forwarded directly instead of being logged remotely.
+	Log::disable_stream(Notice::LOG);
+	Log::disable_stream(Notice::POLICY_LOG);
+	Log::disable_stream(Notice::ALARM_LOG);
+	}
+@endif
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event Notice::cluster_notice(n: Notice::Info)
+	{
+	# Raise remotely received notices on the manager
+	NOTICE(n);
+	}
+@endif
diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/base/frameworks/notice/extend-email/hostnames.bro
new file mode 100644
index 0000000000..2ec6dbb23f
--- /dev/null
+++ b/scripts/base/frameworks/notice/extend-email/hostnames.bro
@@ -0,0 +1,52 @@
+##! Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action
+##! by appending to the email the hostnames associated with
+##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
+##! DNS lookup.
+
+@load ../main
+
+module Notice;
+
+# We have to store references to the notices here because the when statement
+# clones the frame which doesn't give us access to modify values outside
+# of it's execution scope. (we get a clone of the notice instead of a
+# reference to the original notice)
+global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
+
+event Notice::notice(n: Notice::Info) &priority=10
+	{
+	if ( ! n?$src && ! n?$dst )
+		return;
+
+	# This should only be done for notices that are being sent to email.
+	if ( ACTION_EMAIL !in n$actions )
+		return;
+
+	# I'm not recovering gracefully from the when statements because I want
+	# the notice framework to detect that something has exceeded the maximum
+	# allowed email delay and tell the user.
+	local uid = unique_id("");
+	tmp_notice_storage[uid] = n;
+
+	local output = "";
+	if ( n?$src )
+		{
+		add n$email_delay_tokens["hostnames-src"];
+		when ( local src_name = lookup_addr(n$src) )
+			{
+			output = string_cat("orig/src hostname: ", src_name, "\n");
+			tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
+			delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"];
+			}
+		}
+	if ( n?$dst )
+		{
+		add n$email_delay_tokens["hostnames-dst"];
+		when ( local dst_name = lookup_addr(n$dst) )
+			{
+			output = string_cat("resp/dst hostname: ", dst_name, "\n");
+			tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
+			delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"];
+			}
+		}
+	}
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
new file mode 100644
index 0000000000..e9b29e7392
--- /dev/null
+++ b/scripts/base/frameworks/notice/main.bro
@@ -0,0 +1,662 @@
+##! This is the notice framework which enables Bro to "notice" things which
+##! are odd or potentially bad.  Decisions of the meaning of various notices
+##! need to be done per site because Bro does not ship with assumptions about
+##! what is bad activity for sites.  More extensive documetation about using
+##! the notice framework can be found in :doc:`/notice`.
+
+module Notice;
+
+export {
+	redef enum Log::ID += {
+		## This is the primary logging stream for notices.
+		LOG,
+		## This is the notice policy auditing log.  It records what the current
+		## notice policy is at Bro init time.
+		POLICY_LOG,
+		## This is the alarm stream.
+		ALARM_LOG,
+	};
+
+	## Scripts creating new notices need to redef this enum to add their own
+	## specific notice types which would then get used when they call the
+	## :bro:id:`NOTICE` function.  The convention is to give a general category
+	## along with the specific notice separating words with underscores and
+	## using leading capitals on each word except for abbreviations which are
+	## kept in all capitals.  For example, SSH::Login is for heuristically
+	## guessed successful SSH logins.
+	type Type: enum {
+		## Notice reporting a count of how often a notice occurred.
+		Tally,
+	};
+
+	## These are values representing actions that can be taken with notices.
+	type Action: enum {
+		## Indicates that there is no action to be taken.
+		ACTION_NONE,
+		## Indicates that the notice should be sent to the notice logging stream.
+		ACTION_LOG,
+		## Indicates that the notice should be sent to the email address(es)
+		## configured in the :bro:id:`Notice::mail_dest` variable.
+		ACTION_EMAIL,
+		## Indicates that the notice should be alarmed.  A readable ASCII
+		## version of the alarm log is emailed in bulk to the address(es)
+		## configured in :bro:id:`Notice::mail_dest`.
+		ACTION_ALARM,
+		## Indicates that the notice should not be supressed by the normal
+		## duplicate notice suppression that the notice framework does.
+		ACTION_NO_SUPPRESS,
+	};
+
+	## The notice framework is able to do automatic notice supression by
+	## utilizing the $identifier field in :bro:type:`Notice::Info` records.
+	## Set this to "0secs" to completely disable automated notice suppression.
+	const default_suppression_interval = 1hrs &redef;
+
+	type Info: record {
+		## An absolute time indicating when the notice occurred, defaults
+		## to the current network time.
+		ts:             time           &log &optional;
+
+		## A connection UID which uniquely identifies the endpoints
+		## concerned with the notice.
+		uid:            string         &log &optional;
+
+		## A connection 4-tuple identifying the endpoints concerned with the
+		## notice.
+		id:             conn_id        &log &optional;
+		
+		## A shorthand way of giving the uid and id to a notice.  The
+		## reference to the actual connection will be deleted after applying
+		## the notice policy.
+		conn:           connection     &optional;
+		## A shorthand way of giving the uid and id to a notice.  The
+		## reference to the actual connection will be deleted after applying
+		## the notice policy.
+		iconn:          icmp_conn      &optional;
+
+		## The transport protocol. Filled automatically when either conn, iconn
+		## or p is specified.
+		proto:          transport_proto &log &optional;
+
+		## The :bro:type:`Notice::Type` of the notice.
+		note:           Type           &log;
+		## The human readable message for the notice.
+		msg:            string         &log &optional;
+		## The human readable sub-message.
+		sub:            string         &log &optional;
+
+		## Source address, if we don't have a :bro:type:`conn_id`.
+		src:            addr           &log &optional;
+		## Destination address.
+		dst:            addr           &log &optional;
+		## Associated port, if we don't have a :bro:type:`conn_id`.
+		p:              port           &log &optional;
+		## Associated count, or perhaps a status code.
+		n:              count          &log &optional;
+
+		## Peer that raised this notice.
+		src_peer:       event_peer     &optional;
+		## Textual description for the peer that raised this notice.
+		peer_descr:     string         &log &optional;
+
+		## The actions which have been applied to this notice.
+		actions:        set[Notice::Action] &log &optional;
+
+		## These are policy items that returned T and applied their action
+		## to the notice.
+		policy_items:   set[count]     &log &optional;
+
+		## By adding chunks of text into this element, other scripts can
+		## expand on notices that are being emailed.  The normal way to add text
+		## is to extend the vector by handling the :bro:id:`Notice::notice`
+		## event and modifying the notice in place.
+		email_body_sections:  vector of string &optional;
+
+		## Adding a string "token" to this set will cause the notice framework's
+		## built-in emailing functionality to delay sending the email until
+		## either the token has been removed or the email has been delayed
+		## for :bro:id:`Notice::max_email_delay`.
+		email_delay_tokens:   set[string] &optional;
+
+		## This field is to be provided when a notice is generated for the
+		## purpose of deduplicating notices.  The identifier string should
+		## be unique for a single instance of the notice.  This field should be
+		## filled out in almost all cases when generating notices to define
+		## when a notice is conceptually a duplicate of a previous notice.
+		##
+		## For example, an SSL certificate that is going to expire soon should
+		## always have the same identifier no matter the client IP address
+		## that connected and resulted in the certificate being exposed.  In
+		## this case, the resp_h, resp_p, and hash of the certificate would be
+		## used to create this value.  The hash of the cert is included
+		## because servers can return multiple certificates on the same port.
+		##
+		## Another example might be a host downloading a file which triggered
+		## a notice because the MD5 sum of the file it downloaded was known
+		## by some set of intelligence.  In that case, the orig_h (client)
+		## and MD5 sum would be used in this field to dedup because if the
+		## same file is downloaded over and over again you really only want to
+		## know about it a single time.  This makes it possible to send those
+		## notices to email without worrying so much about sending thousands
+		## of emails.
+		identifier:          string         &optional;
+
+		## This field indicates the length of time that this
+		## unique notice should be suppressed.  This field is automatically
+		## filled out and should not be written to by any other script.
+		suppress_for:        interval       &log &optional;
+	};
+
+	## Ignored notice types.
+	const ignored_types: set[Notice::Type] = {} &redef;
+	## Emailed notice types.
+	const emailed_types: set[Notice::Type] = {} &redef;
+	## Alarmed notice types.
+	const alarmed_types: set[Notice::Type] = {} &redef;
+	## Types that should be suppressed for the default suppression interval.
+	const not_suppressed_types: set[Notice::Type] = {} &redef;
+	## This table can be used as a shorthand way to modify suppression
+	## intervals for entire notice types.
+	const type_suppression_intervals: table[Notice::Type] of interval = {} &redef;
+
+	## This is the record that defines the items that make up the notice policy.
+	type PolicyItem: record {
+		## This is the exact positional order in which the
+		## :bro:type:`Notice::PolicyItem` records are checked.
+		## This is set internally by the notice framework.
+		position: count                            &log &optional;
+		## Define the priority for this check.  Items are checked in ordered
+		## from highest value (10) to lowest value (0).
+		priority: count                            &log &default=5;
+		## An action given to the notice if the predicate return true.
+		action:   Notice::Action                   &log &default=ACTION_NONE;
+		## The pred (predicate) field is a function that returns a boolean T
+		## or F value.  If the predicate function return true, the action in
+		## this record is applied to the notice that is given as an argument
+		## to the predicate function.  If no predicate is supplied, it's
+		## assumed that the PolicyItem always applies.
+		pred:     function(n: Notice::Info): bool  &log &optional;
+		## Indicates this item should terminate policy processing if the
+		## predicate returns T.
+		halt:     bool                             &log &default=F;
+		## This defines the length of time that this particular notice should
+		## be supressed.
+		suppress_for: interval                     &log &optional;
+	};
+	
+	## Defines a notice policy that is extensible on a per-site basis.
+	## All notice processing is done through this variable.
+	const policy: set[PolicyItem] = {
+		[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
+		 $halt=T, $priority = 9],
+		[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
+		 $action = ACTION_NO_SUPPRESS,
+		 $priority = 9],
+		[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
+		 $action = ACTION_ALARM,
+		 $priority = 8],
+		[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
+		 $action = ACTION_EMAIL,
+		 $priority = 8],
+		[$pred(n: Notice::Info) = {
+			if (n$note in Notice::type_suppression_intervals)
+				{
+				n$suppress_for=Notice::type_suppression_intervals[n$note];
+				return T;
+				}
+			return F;
+		 },
+		 $action = ACTION_NONE,
+		 $priority = 8],
+		[$action = ACTION_LOG,
+		 $priority = 0],
+	} &redef;
+
+	## Local system sendmail program.
+	const sendmail            = "/usr/sbin/sendmail" &redef;
+	## Email address to send notices with the :bro:enum:`Notice::ACTION_EMAIL`
+	## action or to send bulk alarm logs on rotation with
+	## :bro:enum:`Notice::ACTION_ALARM`.
+	const mail_dest           = ""                   &redef;
+
+	## Address that emails will be from.
+	const mail_from           = "Big Brother <bro@localhost>" &redef;
+	## Reply-to address used in outbound email.
+	const reply_to            = "" &redef;
+	## Text string prefixed to the subject of all emails sent out.
+	const mail_subject_prefix = "[Bro]" &redef;
+	## The maximum amount of time a plugin can delay email from being sent.
+	const max_email_delay     = 15secs &redef;
+
+	## A log postprocessing function that implements emailing the contents
+	## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
+	## The rotated log is removed upon being sent.
+	##
+	## info: A record containing the rotated log file information.
+	##
+	## Returns: True.
+	global log_mailing_postprocessor: function(info: Log::RotationInfo): bool;
+
+	## This is the event that is called as the entry point to the
+	## notice framework by the global :bro:id:`NOTICE` function.  By the time
+	## this event is generated, default values have already been filled out in
+	## the :bro:type:`Notice::Info` record and synchronous functions in the 
+	## :bro:id:`Notice::sync_functions` have already been called.  The notice
+	## policy has also been applied.
+	##
+	## n: The record containing notice data.
+	global notice: event(n: Info);
+
+	## This is a set of functions that provide a synchronous way for scripts
+	## extending the notice framework to run before the normal event based
+	## notice pathway that most of the notice framework takes.  This is helpful
+	## in cases where an action against a notice needs to happen immediately
+	## and can't wait the short time for the event to bubble up to the top of
+	## the event queue.  An example is the IP address dropping script that
+	## can block IP addresses that have notices generated because it
+	## needs to operate closer to real time than the event queue allows it to.
+	## Normally the event based extension model using the
+	## :bro:id:`Notice::notice` event will work fine if there aren't harder
+	## real time constraints.
+	const sync_functions: set[function(n: Notice::Info)] = set() &redef;
+
+	## This event is generated when a notice begins to be suppressed.
+	##
+	## n: The record containing notice data regarding the notice type
+	##    about to be suppressed.
+	global begin_suppression: event(n: Notice::Info);
+
+	## This event is generated on each occurence of an event being suppressed.
+	##
+	## n: The record containing notice data regarding the notice type
+	##    being suppressed.
+	global suppressed: event(n: Notice::Info);
+
+	## This event is generated when a notice stops being suppressed.
+	##
+	## n: The record containing notice data regarding the notice type
+	##    that was being suppressed.
+	global end_suppression: event(n: Notice::Info);
+
+	## Call this function to send a notice in an email.  It is already used
+	## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and
+	## :bro:enum:`Notice::ACTION_PAGE` actions.
+	##
+	## n: The record of notice data to email.
+	##
+	## dest: The intended recipient of the notice email.
+	##
+	## extend: Whether to extend the email using the ``email_body_sections``
+	##         field of *n*.
+	global email_notice_to: function(n: Info, dest: string, extend: bool);
+
+	## Constructs mail headers to which an email body can be appended for
+	## sending with sendmail.
+	##
+	## subject_desc: a subject string to use for the mail
+	##
+	## dest: recipient string to use for the mail
+	##
+	## Returns: a string of mail headers to which an email body can be appended
+	global email_headers: function(subject_desc: string, dest: string): string;
+	
+	## This event can be handled to access the :bro:type:`Notice::Info`
+	## record as it is sent on to the logging framework.
+	##
+	## rec: The record containing notice data before it is logged.
+	global log_notice: event(rec: Info);
+	
+	## This is an internal wrapper for the global :bro:id:`NOTICE` function;
+	## disregard.
+	##
+	## n: The record of notice data.
+	global internal_NOTICE: function(n: Notice::Info);
+}
+
+# This is used as a hack to implement per-item expiration intervals.
+function per_notice_suppression_interval(t: table[Notice::Type, string] of Notice::Info, idx: any): interval
+	{
+	local n: Notice::Type;
+	local s: string;
+	[n,s] = idx;
+
+	local suppress_time = t[n,s]$suppress_for - (network_time() - t[n,s]$ts);
+	if ( suppress_time < 0secs )
+		suppress_time = 0secs;
+
+	# If there is no more suppression time left, the notice needs to be sent
+	# to the end_suppression event.
+	if ( suppress_time == 0secs )
+		event Notice::end_suppression(t[n,s]);
+
+	return suppress_time;
+	}
+
+# This is the internally maintained notice suppression table.  It's
+# indexed on the Notice::Type and the $identifier field from the notice.
+global suppressing: table[Type, string] of Notice::Info = {}
+		&create_expire=0secs
+		&expire_func=per_notice_suppression_interval;
+
+# This is an internal variable used to store the notice policy ordered by
+# priority.
+global ordered_policy: vector of PolicyItem = vector();
+
+function log_mailing_postprocessor(info: Log::RotationInfo): bool
+	{
+	if ( ! reading_traces() && mail_dest != "" )
+		{
+		local headers = email_headers(fmt("Log Contents: %s", info$fname),
+		                              mail_dest);
+		local tmpfilename = fmt("%s.mailheaders.tmp", info$fname);
+		local tmpfile = open(tmpfilename);
+		write_file(tmpfile, headers);
+		close(tmpfile);
+		system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm %s %s",
+		       tmpfilename, info$fname, sendmail, tmpfilename, info$fname));
+		}
+	return T;
+	}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice]);
+
+	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info]);
+	# If Bro is configured for mailing notices, set up mailing for alarms.
+	# Make sure that this alarm log is also output as text so that it can
+	# be packaged up and emailed later.
+	if ( ! reading_traces() && mail_dest != "" )
+		Log::add_filter(Notice::ALARM_LOG,
+		    [$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
+		     $interv=24hrs, $postprocessor=log_mailing_postprocessor]);
+	}
+
+# TODO: fix this.
+#function notice_tags(n: Notice::Info) : table[string] of string
+#	{
+#	local tgs: table[string] of string = table();
+#	if ( is_remote_event() )
+#		{
+#		if ( n$src_peer$descr != "" )
+#			tgs["es"] = n$src_peer$descr;
+#		else
+#			tgs["es"] = fmt("%s/%s", n$src_peer$host, n$src_peer$p);
+#		}
+#	else
+#		{
+#		tgs["es"] = peer_description;
+#		}
+#	return tgs;
+#	}
+
+function email_headers(subject_desc: string, dest: string): string
+	{
+	local header_text = string_cat(
+		"From: ", mail_from, "\n",
+		"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
+		"To: ", dest, "\n",
+		"User-Agent: Bro-IDS/", bro_version(), "\n");
+	if ( reply_to != "" )
+		header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
+	return header_text;
+	}
+
+event delay_sending_email(n: Notice::Info, dest: string, extend: bool)
+	{
+	email_notice_to(n, dest, extend);
+	}
+
+function email_notice_to(n: Notice::Info, dest: string, extend: bool)
+	{
+	if ( reading_traces() || dest == "" )
+		return;
+
+	if ( extend )
+		{
+		if ( |n$email_delay_tokens| > 0 )
+			{
+			# If we still are within the max_email_delay, keep delaying.
+			if ( n$ts + max_email_delay > network_time() )
+				{
+				schedule 1sec { delay_sending_email(n, dest, extend) };
+				return;
+				}
+			else
+				{
+				event reporter_info(network_time(),
+					fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
+					"");
+				}
+			}
+		}
+
+	local email_text = email_headers(fmt("%s", n$note), dest);
+
+	# First off, finish the headers and include the human readable messages
+	# then leave a blank line after the message.
+	email_text = string_cat(email_text, "\nMessage: ", n$msg);
+	if ( n?$sub )
+		email_text = string_cat(email_text, "\nSub-message: ", n$sub);
+
+	email_text = string_cat(email_text, "\n\n");
+
+	# Next, add information about the connection if it exists.
+	if ( n?$id )
+		{
+		email_text = string_cat(email_text, "Connection: ",
+			fmt("%s", n$id$orig_h), ":", fmt("%d", n$id$orig_p), " -> ",
+			fmt("%s", n$id$resp_h), ":", fmt("%d", n$id$resp_p), "\n");
+		if ( n?$uid )
+			email_text = string_cat(email_text, "Connection uid: ", n$uid, "\n");
+		}
+	else if ( n?$src )
+		email_text = string_cat(email_text, "Address: ", fmt("%s", n$src), "\n");
+
+	# Add the extended information if it's requested.
+	if ( extend )
+		{
+		email_text = string_cat(email_text, "\nEmail Extensions\n");
+		email_text = string_cat(email_text,   "----------------\n");
+		for ( i in n$email_body_sections )
+			{
+			email_text = string_cat(email_text, n$email_body_sections[i], "\n");
+			}
+		}
+
+	email_text = string_cat(email_text, "\n\n--\n[Automatically generated]\n\n");
+	piped_exec(fmt("%s -t -oi", sendmail), email_text);
+	}
+
+event notice(n: Notice::Info) &priority=-5
+	{
+	if ( ACTION_EMAIL in n$actions )
+		email_notice_to(n, mail_dest, T);
+	if ( ACTION_LOG in n$actions )
+		Log::write(Notice::LOG, n);
+	if ( ACTION_ALARM in n$actions )
+		Log::write(Notice::ALARM_LOG, n);
+
+	# Normally suppress further notices like this one unless directed not to.
+	#  n$identifier *must* be specified for suppression to function at all.
+	if ( n?$identifier &&
+	     ACTION_NO_SUPPRESS !in n$actions &&
+	     [n$note, n$identifier] !in suppressing &&
+	     n$suppress_for != 0secs )
+		{
+		suppressing[n$note, n$identifier] = n;
+		event Notice::begin_suppression(n);
+		}
+	}
+	
+## This determines if a notice is being suppressed.  It is only used 
+## internally as part of the mechanics for the global :bro:id:`NOTICE`
+## function.
+function is_being_suppressed(n: Notice::Info): bool
+	{
+	if ( n?$identifier && [n$note, n$identifier] in suppressing )
+		{
+		event Notice::suppressed(n);
+		return T;
+		}
+	else
+		return F;
+	}
+
+# Executes a script with all of the notice fields put into the
+# new process' environment as "BRO_ARG_<field>" variables.
+function execute_with_notice(cmd: string, n: Notice::Info)
+	{
+	# TODO: fix system calls
+	#local tgs = tags(n);
+	#system_env(cmd, tags);
+	}
+
+# This is run synchronously as a function before all of the other
+# notice related functions and events.  It also modifies the
+# :bro:type:`Notice::Info` record in place.
+function apply_policy(n: Notice::Info)
+	{
+	# Fill in some defaults.
+	if ( ! n?$ts )
+		n$ts = network_time();
+
+	if ( n?$conn )
+		{
+		if ( ! n?$id )
+			n$id = n$conn$id;
+		if ( ! n?$uid )
+			n$uid = n$conn$uid;
+		}
+
+	if ( n?$id )
+		{
+		if ( ! n?$src  )
+			n$src = n$id$orig_h;
+		if ( ! n?$dst )
+			n$dst = n$id$resp_h;
+		if ( ! n?$p )
+			n$p = n$id$resp_p;
+		}
+
+	if ( n?$p ) 
+		n$proto = get_port_transport_proto(n$p);
+
+	if ( n?$iconn )
+		{
+		n$proto = icmp;
+		if ( ! n?$src )
+			n$src = n$iconn$orig_h;
+		if ( ! n?$dst )
+			n$dst = n$iconn$resp_h;
+		}
+
+	if ( ! n?$src_peer )
+		n$src_peer = get_event_peer();
+	if ( ! n?$peer_descr )
+		n$peer_descr = n$src_peer?$descr ?
+		                   n$src_peer$descr : fmt("%s", n$src_peer$host);
+
+	if ( ! n?$actions )
+		n$actions = set();
+
+	if ( ! n?$email_body_sections )
+		n$email_body_sections = vector();
+	if ( ! n?$email_delay_tokens )
+		n$email_delay_tokens = set();
+
+	if ( ! n?$policy_items )
+		n$policy_items = set();
+
+	for ( i in ordered_policy )
+		{
+		# If there's no predicate or the predicate returns F.
+		if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
+			{
+			add n$actions[ordered_policy[i]$action];
+			add n$policy_items[int_to_count(i)];
+
+			# If the predicate matched and there was a suppression interval,
+			# apply it to the notice now.
+			if ( ordered_policy[i]?$suppress_for )
+				n$suppress_for = ordered_policy[i]$suppress_for;
+
+			# If the policy item wants to halt policy processing, do it now!
+			if ( ordered_policy[i]$halt )
+				break;
+			}
+		}
+
+	# Apply the suppression time after applying the policy so that policy
+	# items can give custom suppression intervals.  If there is no
+	# suppression interval given yet, the default is applied.
+	if ( ! n?$suppress_for )
+		n$suppress_for = default_suppression_interval;
+
+	# Delete the connection record if it's there so we aren't sending that
+	# to remote machines.  It can cause problems due to the size of the
+	# connection record.
+	if ( n?$conn )
+		delete n$conn;
+	if ( n?$iconn )
+		delete n$iconn;
+	}
+
+# Create the ordered notice policy automatically which will be used at runtime
+# for prioritized matching of the notice policy.
+event bro_init() &priority=10
+	{
+	# Create the policy log here because it's only written to in this handler.
+	Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]);
+
+	local tmp: table[count] of set[PolicyItem] = table();
+	for ( pi in policy )
+		{
+		if ( pi$priority < 0 || pi$priority > 10 )
+			Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10");
+
+		if ( pi$priority !in tmp )
+			tmp[pi$priority] = set();
+		add tmp[pi$priority][pi];
+		}
+
+	local rev_count = vector(10,9,8,7,6,5,4,3,2,1,0);
+	for ( i in rev_count )
+		{
+		local j = rev_count[i];
+		if ( j in tmp )
+			{
+			for ( pi in tmp[j] )
+				{
+				pi$position = |ordered_policy|;
+				ordered_policy[|ordered_policy|] = pi;
+				Log::write(Notice::POLICY_LOG, pi);
+				}
+			}
+		}
+	}
+
+function internal_NOTICE(n: Notice::Info)
+	{
+	# Suppress this notice if necessary.
+	if ( is_being_suppressed(n) )
+		return;
+
+	# Fill out fields that might be empty and do the policy processing.
+	apply_policy(n);
+
+	# Run the synchronous functions with the notice.
+	for ( func in sync_functions )
+		func(n);
+
+	# Generate the notice event with the notice.
+	event Notice::notice(n);
+	}
+
+module GLOBAL;
+
+## This is the entry point in the global namespace for notice framework.
+function NOTICE(n: Notice::Info)
+	{
+	Notice::internal_NOTICE(n);
+	}
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
new file mode 100644
index 0000000000..f894a42464
--- /dev/null
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -0,0 +1,410 @@
+##! This script provides a default set of actions to take for "weird activity"
+##! events generated from Bro's event engine.  Weird activity is defined as
+##! unusual or exceptional activity that can indicate malformed connections,
+##! traffic that doesn't conform to a particular protocol, malfunctioning
+##! or misconfigured hardware, or even an attacker attempting to avoid/confuse
+##! a sensor.  Without context, it's hard to judge whether a particular
+##! category of weird activity is interesting, but this script provides
+##! a starting point for the user.
+
+@load base/utils/conn-ids
+@load base/utils/site
+@load ./main
+
+module Weird;
+
+export {
+	## The weird logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	redef enum Notice::Type += {
+		## Generic unusual but notice-worthy weird activity.
+		Activity,
+	};
+	
+	## The record type which contains the column fields of the weird log.
+	type Info: record {
+		## The time when the weird occurred.
+		ts:     time    &log;
+		## If a connection is associated with this weird, this will be the 
+		## connection's unique ID.
+		uid:    string  &log &optional;
+		## conn_id for the optional connection.
+		id:     conn_id &log &optional;
+		## The name of the weird that occurred.
+		name:   string  &log;
+		## Additional information accompanying the weird if any.
+		addl:   string  &log &optional;
+		## Indicate if this weird was also turned into a notice.
+		notice: bool    &log &default=F;
+		## The peer that originated this weird.  This is helpful in cluster
+		## deployments if a particular cluster node is having trouble to help
+		## identify which node is having trouble.
+		peer:   string  &log &optional;
+	};
+
+	## Types of actions that may be taken when handling weird activity events.
+	type Action: enum {
+		## A dummy action indicating the user does not care what internal
+		## decision is made regarding a given type of weird.
+		ACTION_UNSPECIFIED,
+		## No action is to be taken.
+		ACTION_IGNORE,
+		## Log the weird event every time it occurs.
+		ACTION_LOG,
+		## Log the weird event only once.
+		ACTION_LOG_ONCE,
+		## Log the weird event once per connection.
+		ACTION_LOG_PER_CONN,
+		## Log the weird event once per originator host.
+		ACTION_LOG_PER_ORIG,
+		## Always generate a notice associated with the weird event.
+		ACTION_NOTICE, 
+		## Generate a notice associated with the weird event only once.
+		ACTION_NOTICE_ONCE,
+		## Generate a notice for the weird event once per connection.
+		ACTION_NOTICE_PER_CONN,
+		## Generate a notice for the weird event once per originator host.
+		ACTION_NOTICE_PER_ORIG, 
+	};
+
+	## A table specifying default/recommended actions per weird type.
+	const actions: table[string] of Action = {
+		["unsolicited_SYN_response"]            = ACTION_IGNORE,
+		["above_hole_data_without_any_acks"]    = ACTION_LOG,
+		["active_connection_reuse"]             = ACTION_LOG,
+		["bad_HTTP_reply"]                      = ACTION_LOG,
+		["bad_HTTP_version"]                    = ACTION_LOG,
+		["bad_ICMP_checksum"]                   = ACTION_LOG_PER_ORIG,
+		["bad_ident_port"]                      = ACTION_LOG,
+		["bad_ident_reply"]                     = ACTION_LOG,
+		["bad_ident_request"]                   = ACTION_LOG,
+		["bad_rlogin_prolog"]                   = ACTION_LOG,
+		["bad_rsh_prolog"]                      = ACTION_LOG,
+		["rsh_text_after_rejected"]             = ACTION_LOG,
+		["bad_RPC"]                             = ACTION_LOG_PER_ORIG,
+		["bad_RPC_program"]                     = ACTION_LOG,
+		["bad_SYN_ack"]                         = ACTION_LOG,
+		["bad_TCP_checksum"]                    = ACTION_LOG_PER_ORIG,
+		["bad_UDP_checksum"]                    = ACTION_LOG_PER_ORIG,
+		["baroque_SYN"]                         = ACTION_LOG,
+		["base64_illegal_encoding"]             = ACTION_LOG,
+		["connection_originator_SYN_ack"]       = ACTION_LOG_PER_ORIG,
+		["corrupt_tcp_options"]                 = ACTION_LOG_PER_ORIG,
+		["crud_trailing_HTTP_request"]          = ACTION_LOG,
+		["data_after_reset"]                    = ACTION_LOG,
+		["data_before_established"]             = ACTION_LOG,
+		["data_without_SYN_ACK"]                = ACTION_LOG,
+		["DHCP_no_type_option"]                 = ACTION_LOG,
+		["DHCP_wrong_msg_type"]                 = ACTION_LOG,
+		["DHCP_wrong_op_type"]                  = ACTION_LOG,
+		["DNS_AAAA_neg_length"]                 = ACTION_LOG,
+		["DNS_Conn_count_too_large"]            = ACTION_LOG,
+		["DNS_NAME_too_long"]                   = ACTION_LOG,
+		["DNS_RR_bad_length"]                   = ACTION_LOG,
+		["DNS_RR_length_mismatch"]              = ACTION_LOG,
+		["DNS_RR_unknown_type"]                 = ACTION_LOG,
+		["DNS_label_forward_compress_offset"]   = ACTION_LOG_PER_ORIG,
+		["DNS_label_len_gt_name_len"]           = ACTION_LOG_PER_ORIG,
+		["DNS_label_len_gt_pkt"]                = ACTION_LOG_PER_ORIG,
+		["DNS_label_too_long"]                  = ACTION_LOG_PER_ORIG,
+		["DNS_truncated_RR_rdlength_lt_len"]    = ACTION_LOG,
+		["DNS_truncated_ans_too_short"]         = ACTION_LOG,
+		["DNS_truncated_len_lt_hdr_len"]        = ACTION_LOG,
+		["DNS_truncated_quest_too_short"]       = ACTION_LOG,
+		["dns_changed_number_of_responses"]     = ACTION_LOG_PER_ORIG,
+		["dns_reply_seen_after_done"]           = ACTION_LOG_PER_ORIG,
+		["excessive_data_without_further_acks"] = ACTION_LOG,
+		["excess_RPC"]                          = ACTION_LOG_PER_ORIG,
+		["excessive_RPC_len"]                   = ACTION_LOG_PER_ORIG,
+		["FIN_advanced_last_seq"]               = ACTION_LOG,
+		["FIN_after_reset"]                     = ACTION_IGNORE,
+		["FIN_storm"]                           = ACTION_NOTICE_PER_ORIG,
+		["HTTP_bad_chunk_size"]                 = ACTION_LOG,
+		["HTTP_chunked_transfer_for_multipart_message"] = ACTION_LOG,
+		["HTTP_overlapping_messages"]           = ACTION_LOG,
+		["HTTP_unknown_method"]                 = ACTION_LOG,
+		["HTTP_version_mismatch"]               = ACTION_LOG,
+		["ident_request_addendum"]              = ACTION_LOG,
+		["inappropriate_FIN"]                   = ACTION_LOG,
+		["inflate_failed"]                      = ACTION_LOG,
+		["invalid_irc_global_users_reply"]      = ACTION_LOG,
+		["irc_invalid_command"]                 = ACTION_LOG,
+		["irc_invalid_dcc_message_format"]      = ACTION_LOG,
+		["irc_invalid_invite_message_format"]   = ACTION_LOG,
+		["irc_invalid_join_line"]               = ACTION_LOG,
+		["irc_invalid_kick_message_format"]     = ACTION_LOG,
+		["irc_invalid_line"]                    = ACTION_LOG,
+		["irc_invalid_mode_message_format"]     = ACTION_LOG,
+		["irc_invalid_names_line"]              = ACTION_LOG,
+		["irc_invalid_njoin_line"]              = ACTION_LOG,
+		["irc_invalid_notice_message_format"]   = ACTION_LOG,
+		["irc_invalid_oper_message_format"]     = ACTION_LOG,
+		["irc_invalid_privmsg_message_format"]  = ACTION_LOG,
+		["irc_invalid_reply_number"]            = ACTION_LOG,
+		["irc_invalid_squery_message_format"]   = ACTION_LOG,
+		["irc_invalid_topic_reply"]             = ACTION_LOG,
+		["irc_invalid_who_line"]                = ACTION_LOG,
+		["irc_invalid_who_message_format"]      = ACTION_LOG,
+		["irc_invalid_whois_channel_line"]      = ACTION_LOG,
+		["irc_invalid_whois_message_format"]    = ACTION_LOG,
+		["irc_invalid_whois_operator_line"]     = ACTION_LOG,
+		["irc_invalid_whois_user_line"]         = ACTION_LOG,
+		["irc_line_size_exceeded"]              = ACTION_LOG,
+		["irc_line_too_short"]                  = ACTION_LOG,
+		["irc_too_many_invalid"]                = ACTION_LOG,
+		["line_terminated_with_single_CR"]      = ACTION_LOG,
+		["line_terminated_with_single_LF"]      = ACTION_LOG,
+		["malformed_ssh_identification"]        = ACTION_LOG,
+		["malformed_ssh_version"]               = ACTION_LOG,
+		["matching_undelivered_data"]           = ACTION_LOG,
+		["multiple_HTTP_request_elements"]      = ACTION_LOG,
+		["multiple_RPCs"]                       = ACTION_LOG_PER_ORIG,
+		["non_IPv4_packet"]                     = ACTION_LOG_ONCE,
+		["NUL_in_line"]                         = ACTION_LOG,
+		["originator_RPC_reply"]                = ACTION_LOG_PER_ORIG,
+		["partial_finger_request"]              = ACTION_LOG,
+		["partial_ftp_request"]                 = ACTION_LOG,
+		["partial_ident_request"]               = ACTION_LOG,
+		["partial_RPC"]                         = ACTION_LOG_PER_ORIG,
+		["partial_RPC_request"]                 = ACTION_LOG,
+		["pending_data_when_closed"]            = ACTION_LOG,
+		["pop3_bad_base64_encoding"]            = ACTION_LOG,
+		["pop3_client_command_unknown"]         = ACTION_LOG,
+		["pop3_client_sending_server_commands"] = ACTION_LOG,
+		["pop3_malformed_auth_plain"]           = ACTION_LOG,
+		["pop3_server_command_unknown"]         = ACTION_LOG,
+		["pop3_server_sending_client_commands"] = ACTION_LOG,
+		["possible_split_routing"]              = ACTION_LOG,
+		["premature_connection_reuse"]          = ACTION_LOG,
+		["repeated_SYN_reply_wo_ack"]           = ACTION_LOG,
+		["repeated_SYN_with_ack"]               = ACTION_LOG,
+		["responder_RPC_call"]                  = ACTION_LOG_PER_ORIG,
+		["rlogin_text_after_rejected"]          = ACTION_LOG,
+		["RPC_rexmit_inconsistency"]            = ACTION_LOG,
+		["RPC_underflow"]                       = ACTION_LOG,
+		["RST_storm"]                           = ACTION_LOG,
+		["RST_with_data"]                       = ACTION_LOG,
+		["simultaneous_open"]                   = ACTION_LOG_PER_CONN,
+		["spontaneous_FIN"]                     = ACTION_IGNORE,
+		["spontaneous_RST"]                     = ACTION_IGNORE,
+		["SMB_parsing_error"]                   = ACTION_LOG,
+		["no_smb_session_using_parsesambamsg"]  = ACTION_LOG,
+		["smb_andx_command_failed_to_parse"]    = ACTION_LOG,
+		["transaction_subcmd_missing"]          = ACTION_LOG,
+		["successful_RPC_reply_to_invalid_request"] = ACTION_NOTICE_PER_ORIG,
+		["SYN_after_close"]                     = ACTION_LOG,
+		["SYN_after_partial"]                   = ACTION_NOTICE_PER_ORIG,
+		["SYN_after_reset"]                     = ACTION_LOG,
+		["SYN_inside_connection"]               = ACTION_LOG,
+		["SYN_seq_jump"]                        = ACTION_LOG,
+		["SYN_with_data"]                       = ACTION_LOG_PER_ORIG,
+		["TCP_christmas"]                       = ACTION_LOG,
+		["truncated_ARP"]                       = ACTION_LOG,
+		["truncated_NTP"]                       = ACTION_LOG,
+		["UDP_datagram_length_mismatch"]        = ACTION_LOG_PER_ORIG,
+		["unexpected_client_HTTP_data"]         = ACTION_LOG,
+		["unexpected_multiple_HTTP_requests"]   = ACTION_LOG,
+		["unexpected_server_HTTP_data"]         = ACTION_LOG,
+		["unmatched_HTTP_reply"]                = ACTION_LOG,
+		["unpaired_RPC_response"]               = ACTION_LOG,
+		["window_recision"]                     = ACTION_LOG,
+		["double_%_in_URI"]                     = ACTION_LOG,
+		["illegal_%_at_end_of_URI"]             = ACTION_LOG,
+		["unescaped_%_in_URI"]                  = ACTION_LOG,
+		["unescaped_special_URI_char"]          = ACTION_LOG,
+		["deficit_netbios_hdr_len"]             = ACTION_LOG,
+		["excess_netbios_hdr_len"]              = ACTION_LOG,
+		["netbios_client_session_reply"]        = ACTION_LOG,
+		["netbios_raw_session_msg"]             = ACTION_LOG,
+		["netbios_server_session_request"]      = ACTION_LOG,
+		["unknown_netbios_type"]                = ACTION_LOG,
+		["excessively_large_fragment"]          = ACTION_LOG,
+		["excessively_small_fragment"]          = ACTION_LOG_PER_ORIG,
+		["fragment_inconsistency"]              = ACTION_LOG_PER_ORIG,
+		["fragment_overlap"]                    = ACTION_LOG_PER_ORIG,
+		["fragment_protocol_inconsistency"]     = ACTION_LOG,
+		["fragment_size_inconsistency"]         = ACTION_LOG_PER_ORIG,
+		# These do indeed happen!
+		["fragment_with_DF"]                    = ACTION_LOG,
+		["incompletely_captured_fragment"]      = ACTION_LOG,
+		["bad_IP_checksum"]                     = ACTION_LOG_PER_ORIG,
+		["bad_TCP_header_len"]                  = ACTION_LOG,
+		["internally_truncated_header"]         = ACTION_LOG,
+		["truncated_IP"]                        = ACTION_LOG,
+		["truncated_header"]                    = ACTION_LOG,
+	} &default=ACTION_LOG &redef;
+
+	## To completely ignore a specific weird for a host, add the host
+	## and weird name into this set.
+	const ignore_hosts: set[addr, string] &redef;
+
+	## Don't ignore repeats for weirds in this set.  For example,
+	## it's handy keeping track of clustered checksum errors.
+	const weird_do_not_ignore_repeats = {
+		"bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
+		"bad_ICMP_checksum",
+	} &redef;
+	
+	## This table is used to track identifier and name pairs that should be
+	## temporarily ignored because the problem has already been reported.
+	## This helps reduce the volume of high volume weirds by only allowing 
+	## a unique weird every ``create_expire`` interval.
+	global weird_ignore: set[string, string] &create_expire=10min &redef;
+
+	## A state set which tracks unique weirds solely by the name to reduce
+	## duplicate logging.  This is not synchronized deliberately because it
+	## could cause overload during storms
+	global did_log: set[string, string] &create_expire=1day &redef;
+
+	## A state set which tracks unique weirds solely by the name to reduce
+	## duplicate notices from being raised.
+	global did_notice: set[string, string] &create_expire=1day &redef;
+
+	## Handlers of this event are invoked one per write to the weird
+	## logging stream before the data is actually written.
+	##
+	## rec: The weird columns about to be logged to the weird stream.
+	global log_weird: event(rec: Info);
+}
+
+# These actions result in the output being limited and further redundant 
+# weirds not progressing to being logged or noticed.
+const limiting_actions = {
+	ACTION_LOG_ONCE,
+	ACTION_LOG_PER_CONN,
+	ACTION_LOG_PER_ORIG,
+	ACTION_NOTICE_ONCE,
+	ACTION_NOTICE_PER_CONN,
+	ACTION_NOTICE_PER_ORIG, 
+};
+
+# This is an internal set to track which Weird::Action values lead to notice
+# creation.
+const notice_actions = {
+	ACTION_NOTICE, 
+	ACTION_NOTICE_PER_CONN, 
+	ACTION_NOTICE_PER_ORIG, 
+	ACTION_NOTICE_ONCE,
+};
+
+# Used to pass the optional connection into report().
+global current_conn: connection;
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird]);
+	}
+
+function flow_id_string(src: addr, dst: addr): string
+	{
+	return fmt("%s -> %s", src, dst);
+	}
+
+function report(t: time, name: string, identifier: string, have_conn: bool, addl: string)
+	{
+	local action = actions[name];
+	
+	# If this weird is to be ignored let's drop out of here very early.
+	if ( action == ACTION_IGNORE || [name, identifier] in weird_ignore )
+		return;
+	
+	if ( action in limiting_actions )
+		{
+		if ( action in notice_actions )
+			{
+			# Handle notices
+			if ( have_conn && action == ACTION_NOTICE_PER_ORIG )
+				identifier = fmt("%s", current_conn$id$orig_h);
+			else if ( action == ACTION_NOTICE_ONCE )
+				identifier = "";
+		
+			# If this weird was already noticed then we're done.
+			if ( [name, identifier] in did_notice )
+				return;
+			add did_notice[name, identifier];
+			}
+		else
+			{
+			# Handle logging.
+			if ( have_conn && action == ACTION_LOG_PER_ORIG )
+				identifier = fmt("%s", current_conn$id$orig_h);
+			else if ( action == ACTION_LOG_ONCE )
+				identifier = "";
+		
+			# If this weird was already logged then we're done.
+			if ( [name, identifier] in did_log )
+				return;
+			add did_log[name, identifier];
+			}
+		}
+	
+	# Create the Weird::Info record.
+	local info: Info;
+	info$ts = t;
+	info$name = name;
+	info$peer = peer_description;
+	if ( addl != "" )
+		info$addl = addl;
+	if ( have_conn )
+		{
+		info$uid = current_conn$uid;
+		info$id = current_conn$id;
+		}
+	
+	if ( action in notice_actions )
+		{
+		info$notice = T;
+		
+		local n: Notice::Info;
+		n$note = Activity;
+		n$msg = info$name;
+		if ( have_conn )
+			n$conn = current_conn;
+		if ( info?$addl )
+			n$sub = info$addl;
+		NOTICE(n);
+		}
+	
+	# This is for the temporary ignoring to reduce volume for identical weirds.
+	if ( name !in weird_do_not_ignore_repeats )
+		add weird_ignore[name, identifier];
+	
+	Log::write(Weird::LOG, info);
+	}
+
+function report_conn(t: time, name: string, identifier: string, addl: string, c: connection)
+	{
+	local cid = c$id;
+	if ( [cid$orig_h, name] in ignore_hosts ||
+	     [cid$resp_h, name] in ignore_hosts )
+		return;
+
+	current_conn = c;
+	report(t, name, identifier, T, addl);
+	}
+
+function report_orig(t: time, name: string, identifier: string, orig: addr)
+	{
+	if ( [orig, name] in ignore_hosts )
+		return;
+	
+	report(t, name, identifier, F, "");
+	}
+
+
+# The following events come from core generated weirds typically.
+event conn_weird(name: string, c: connection, addl: string)
+	{
+	report_conn(network_time(), name, id_string(c$id), addl, c);
+	}
+
+event flow_weird(name: string, src: addr, dst: addr)
+	{
+	report_orig(network_time(), name, flow_id_string(src, dst), src);
+	}
+
+event net_weird(name: string)
+	{
+	report(network_time(), name, "", F, "");
+	}
diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro
new file mode 100644
index 0000000000..1d72e1ebe0
--- /dev/null
+++ b/scripts/base/frameworks/packet-filter/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load ./netstats
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
new file mode 100644
index 0000000000..16e3ff9789
--- /dev/null
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -0,0 +1,160 @@
+##! This script supports how Bro sets it's BPF capture filter.  By default
+##! Bro sets an unrestricted filter that allows all traffic.  If a filter
+##! is set on the command line, that filter takes precedence over the default
+##! open filter and all filters defined in Bro scripts with the
+##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
+
+@load base/frameworks/notice
+
+module PacketFilter;
+
+export {
+	## Add the packet filter logging stream.
+	redef enum Log::ID += { LOG };
+
+	## Add notice types related to packet filter errors.
+	redef enum Notice::Type += {
+		## This notice is generated if a packet filter is unable to be compiled.
+		Compile_Failure,
+	
+		## This notice is generated if a packet filter is fails to install.
+		Install_Failure,
+	};
+
+	## The record type defining columns to be logged in the packet filter
+	## logging stream.
+	type Info: record {
+		## The time at which the packet filter installation attempt was made.
+		ts:     time   &log;
+		
+		## This is a string representation of the node that applied this
+		## packet filter.  It's mostly useful in the context of dynamically
+		## changing filters on clusters.
+		node:   string &log &optional;
+		
+		## The packet filter that is being set.
+		filter: string &log;
+		
+		## Indicate if this is the filter set during initialization.
+		init:   bool   &log &default=F;
+		
+		## Indicate if the filter was applied successfully.
+		success: bool  &log &default=T;
+	};
+
+	## By default, Bro will examine all packets. If this is set to false,
+	## it will dynamically build a BPF filter that only select protocols
+	## for which the user has loaded a corresponding analysis script.
+	## The latter used to be default for Bro versions < 2.0. That has now
+	## changed however to enable port-independent protocol analysis.
+	const all_packets = T &redef;
+	
+	## Filter string which is unconditionally or'ed to the beginning of every 
+	## dynamically built filter.
+	const unrestricted_filter = "" &redef;
+	
+	## Call this function to build and install a new dynamically built
+	## packet filter.
+	global install: function();
+	
+	## This is where the default packet filter is stored and it should not 
+	## normally be modified by users.
+	global default_filter = "<not set yet>";
+}
+
+redef enum PcapFilterID += {
+	DefaultPcapFilter,
+};
+
+function combine_filters(lfilter: string, rfilter: string, op: string): string
+	{
+	if ( lfilter == "" && rfilter == "" )
+		return "";
+	else if ( lfilter == "" )
+		return rfilter;
+	else if ( rfilter == "" )
+		return lfilter;
+	else
+		return fmt("(%s) %s (%s)", lfilter, op, rfilter);
+	}
+
+function build_default_filter(): string
+	{
+	if ( cmd_line_bpf_filter != "" )
+		# Return what the user specified on the command line;
+		return cmd_line_bpf_filter;
+
+	if ( all_packets )
+		{
+		# Return an "always true" filter.
+		if ( bro_has_ipv6() )
+			return "ip or not ip";
+		else
+			return "not ip6";
+		}
+
+	# Build filter dynamically.
+	
+	# First the capture_filter.
+	local cfilter = "";
+	for ( id in capture_filters )
+		cfilter = combine_filters(cfilter, capture_filters[id], "or");
+		
+	# Then the restrict_filter.
+	local rfilter = "";
+	for ( id in restrict_filters )
+		rfilter = combine_filters(rfilter, restrict_filters[id], "and");
+		
+	# Finally, join them into one filter.
+	local filter = combine_filters(rfilter, cfilter, "and");
+	if ( unrestricted_filter != "" )
+		filter = combine_filters(unrestricted_filter, filter, "or");
+	
+	# Exclude IPv6 if we don't support it.
+	if ( ! bro_has_ipv6() )
+		filter = combine_filters(filter, "not ip6", "and");
+	
+	return filter;
+	}
+
+function install()
+	{
+	default_filter = build_default_filter();
+
+	if ( ! precompile_pcap_filter(DefaultPcapFilter, default_filter) )
+		{
+		NOTICE([$note=Compile_Failure, 
+		        $msg=fmt("Compiling packet filter failed"),
+		        $sub=default_filter]);
+		Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter));
+		}
+	
+	# Do an audit log for the packet filter.
+	local info: Info;
+	info$ts = network_time();
+	# If network_time() is 0.0 we're at init time so use the wall clock.
+	if ( info$ts == 0.0 ) 
+		{
+		info$ts = current_time();
+		info$init = T;
+		}
+	info$filter = default_filter;
+	
+	if ( ! install_pcap_filter(DefaultPcapFilter) )
+		{
+		# Installing the filter failed for some reason.
+		info$success = F;
+		NOTICE([$note=Install_Failure, 
+		        $msg=fmt("Installing packet filter failed"),
+		        $sub=default_filter]);
+		}
+	
+	if ( reading_live_traffic() || reading_traces() )
+		Log::write(PacketFilter::LOG, info);
+	}
+
+event bro_init() &priority=10
+	{
+	Log::create_stream(PacketFilter::LOG, [$columns=Info]);
+	PacketFilter::install();
+	}
diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro
new file mode 100644
index 0000000000..9fbaa5cd1d
--- /dev/null
+++ b/scripts/base/frameworks/packet-filter/netstats.bro
@@ -0,0 +1,42 @@
+##! This script reports on packet loss from the various packet sources.
+##! When Bro is reading input from trace files, this script will not
+##! report any packet loss statistics.
+
+@load base/frameworks/notice
+
+module PacketFilter;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates packets were dropped by the packet filter.
+		Dropped_Packets,
+	};
+	
+	## This is the interval between individual statistics collection.
+	const stats_collection_interval = 10secs;
+}
+
+event net_stats_update(last_stat: NetStats)
+	{
+	local ns = net_stats();
+	local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
+	if ( new_dropped > 0 )
+		{
+		local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
+		local new_link = ns$pkts_link - last_stat$pkts_link;
+		NOTICE([$note=Dropped_Packets,
+		        $msg=fmt("%d packets dropped after filtering, %d received%s",
+		                 new_dropped, new_recvd + new_dropped,
+		                 new_link != 0 ? fmt(", %d on link", new_link) : "")]);
+		}
+	
+	schedule stats_collection_interval { net_stats_update(ns) };
+	}
+
+event bro_init()
+	{
+	# Since this currently only calculates packet drops, let's skip the stats
+	# collection if reading traces.
+	if ( ! reading_traces() )
+		schedule stats_collection_interval { net_stats_update(net_stats()) };
+	}
diff --git a/scripts/base/frameworks/reporter/__load__.bro b/scripts/base/frameworks/reporter/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/frameworks/reporter/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.bro
new file mode 100644
index 0000000000..3c19005364
--- /dev/null
+++ b/scripts/base/frameworks/reporter/main.bro
@@ -0,0 +1,59 @@
+##! This framework is intended to create an output and filtering path for 
+##! internal messages/warnings/errors.  It should typically be loaded to 
+##! avoid Bro spewing internal messages to standard error and instead log
+##! them to a file in a standard way.  Note that this framework deals with
+##! the handling of internally-generated reporter messages, for the
+##! interface into actually creating reporter messages from the scripting
+##! layer, use the built-in functions in :doc:`/scripts/base/reporter.bif`.
+
+module Reporter;
+
+export {
+	## The reporter logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## An indicator of reporter message severity.
+	type Level: enum { 
+		## Informational, not needing specific attention.
+		INFO, 
+		## Warning of a potential problem.
+		WARNING, 
+		## A non-fatal error that should be addressed, but doesn't
+		## terminate program execution.
+		ERROR
+	};
+
+	## The record type which contains the column fields of the reporter log.
+	type Info: record {
+		## The network time at which the reporter event was generated.
+		ts:       time   &log;
+		## The severity of the reporter message.
+		level:    Level  &log;
+		## An info/warning/error message that could have either been
+		## generated from the internal Bro core or at the scripting-layer.
+		message:  string &log;
+		## This is the location in a Bro script where the message originated.
+		## Not all reporter messages will have locations in them though.
+		location: string &log &optional;
+	};
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Reporter::LOG, [$columns=Info]);
+	}
+
+event reporter_info(t: time, msg: string, location: string)
+	{
+	Log::write(Reporter::LOG, [$ts=t, $level=INFO, $message=msg, $location=location]);
+	}
+	
+event reporter_warning(t: time, msg: string, location: string)
+	{
+	Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]);
+	}
+
+event reporter_error(t: time, msg: string, location: string)
+	{
+	Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]);
+	}
diff --git a/scripts/base/frameworks/signatures/__load__.bro b/scripts/base/frameworks/signatures/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/frameworks/signatures/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro
new file mode 100644
index 0000000000..26f78a68d1
--- /dev/null
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -0,0 +1,305 @@
+##! Script level signature support.  See the
+##! :doc:`signature documentation </signatures>` for more information about
+##! Bro's signature engine.
+
+@load base/frameworks/notice
+
+module Signatures;
+
+export {
+	## Add various signature-related notice types.
+	redef enum Notice::Type += {
+		## Generic notice type for notice-worthy signature matches.
+		Sensitive_Signature,
+		## Host has triggered many signatures on the same host.  The number of 
+		## signatures is defined by the
+		## :bro:id:`Signatures::vert_scan_thresholds` variable.
+		Multiple_Signatures,
+		## Host has triggered the same signature on multiple hosts as defined
+		## by the :bro:id:`Signatures::horiz_scan_thresholds` variable.
+		Multiple_Sig_Responders,
+		## The same signature has triggered multiple times for a host.  The
+		## number of times the signature has been triggered is defined by the 
+		## :bro:id:`Signatures::count_thresholds` variable. To generate this
+		## notice, the :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must
+		## bet set for the signature.
+		Count_Signature,
+		## Summarize the number of times a host triggered a signature.  The 
+		## interval between summaries is defined by the
+		## :bro:id:`Signatures::summary_interval` variable.
+		Signature_Summary,
+	};
+
+	## The signature logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## These are the default actions you can apply to signature matches.
+	## All of them write the signature record to the logging stream unless
+	## declared otherwise.
+	type Action: enum {
+		## Ignore this signature completely (even for scan detection).  Don't
+		## write to the signatures logging stream.
+		SIG_IGNORE,
+		## Process through the various aggregate techniques, but don't report 
+		## individually and don't write to the signatures logging stream.
+		SIG_QUIET,
+		## Generate a notice.
+		SIG_LOG,
+		## The same as :bro:enum:`Signatures::SIG_LOG`, but ignore for
+		## aggregate/scan processing.
+		SIG_FILE_BUT_NO_SCAN,
+		## Generate a notice and set it to be alarmed upon.
+		SIG_ALARM,
+		## Alarm once per originator.
+		SIG_ALARM_PER_ORIG,
+		## Alarm once and then never again.
+		SIG_ALARM_ONCE,
+		## Count signatures per responder host and alarm with the 
+		## :bro:enum:`Signatures::Count_Signature` notice if a threshold
+		## defined by :bro:id:`Signatures::count_thresholds` is reached.
+		SIG_COUNT_PER_RESP,
+		## Don't alarm, but generate per-orig summary.
+		SIG_SUMMARY,
+	};
+
+	## The record type which contains the column fields of the signature log.
+	type Info: record {
+		## The network time at which a signature matching type of event to
+		## be logged has occurred.
+		ts:         time         &log;
+		## The host which triggered the signature match event.
+		src_addr:   addr         &log &optional;
+		## The host port on which the signature-matching activity occurred.
+		src_port:   port         &log &optional;
+		## The destination host which was sent the payload that triggered the
+		## signature match.
+		dst_addr:   addr         &log &optional;
+		## The destination host port which was sent the payload that triggered
+		## the signature match.
+		dst_port:   port         &log &optional;
+		## Notice associated with signature event
+		note:       Notice::Type &log;
+		## The name of the signature that matched.
+		sig_id:     string       &log &optional;
+		## A more descriptive message of the signature-matching event.
+		event_msg:  string       &log &optional;
+		## Extracted payload data or extra message.
+		sub_msg:    string       &log &optional;
+		## Number of sigs, usually from summary count.
+		sig_count:  count        &log &optional;
+		## Number of hosts, from a summary count.
+		host_count: count        &log &optional;
+	};
+	
+	## Actions for a signature.  
+	const actions: table[string] of Action =  {
+		["unspecified"] = SIG_IGNORE, # place-holder
+	} &redef &default = SIG_ALARM;
+
+	## Signature IDs that should always be ignored.
+	const ignored_ids = /NO_DEFAULT_MATCHES/ &redef;
+	
+	## Generate a notice if, for a pair [orig, signature], the number of
+	## different responders has reached one of the thresholds.
+	const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
+
+	## Generate a notice if, for a pair [orig, resp], the number of different
+	## signature matches has reached one of the thresholds.
+	const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
+
+	## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP`
+	## signature is triggered as often as given by one of these thresholds.
+	const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
+	
+	## The interval between when :bro:enum:`Signatures::Signature_Summary`
+	## notice are generated.
+	const summary_interval = 1 day &redef;
+
+	## This event can be handled to access/alter data about to be logged
+	## to the signature logging stream.
+	##
+	## rec: The record of signature data about to be logged.
+	global log_signature: event(rec: Info);
+}
+
+global horiz_table: table[addr, string] of addr_set &read_expire = 1 hr;
+global vert_table: table[addr, addr] of string_set &read_expire = 1 hr;
+global last_hthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
+global last_vthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
+global count_per_resp: table[addr, string] of count
+					&default = 0 &read_expire = 1 hr;
+global count_per_orig: table[addr, string] of count
+					&default = 0 &read_expire = 1 hr;
+global did_sig_log: set[string] &read_expire = 1 hr;
+
+
+event bro_init()
+	{
+	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature]);
+	}
+		
+# Returns true if the given signature has already been triggered for the given
+# [orig, resp] pair.
+function has_signature_matched(id: string, orig: addr, resp: addr): bool
+	{
+	return [orig, resp] in vert_table ? id in vert_table[orig, resp] : F;
+	}
+
+event sig_summary(orig: addr, id: string, msg: string)
+	{
+	NOTICE([$note=Signature_Summary, $src=orig,
+	        $filename=id, $msg=fmt("%s: %s", orig, msg),
+	        $n=count_per_orig[orig,id] ]);
+	}
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	local sig_id = state$sig_id;
+	local action = actions[sig_id];
+
+	if ( action == SIG_IGNORE || ignored_ids in sig_id )
+		return;
+
+	# Trim the matched data down to something reasonable
+	if ( byte_len(data) > 140 )
+		data = fmt("%s...", sub_bytes(data, 0, 140));
+		
+	local src_addr: addr;
+	local src_port: port;
+	local dst_addr: addr;
+	local dst_port: port;
+
+	if ( state$is_orig )
+		{
+		src_addr = state$conn$id$orig_h;
+		src_port = state$conn$id$orig_p;
+		dst_addr = state$conn$id$resp_h;
+		dst_port = state$conn$id$resp_p;
+		}
+	else
+		{
+		src_addr = state$conn$id$resp_h;
+		src_port = state$conn$id$resp_p;
+		dst_addr = state$conn$id$orig_h;
+		dst_port = state$conn$id$orig_p;
+		}
+
+	if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
+		{
+		local info: Info = [$ts=network_time(),
+		                    $note=Sensitive_Signature,
+		                    $src_addr=src_addr,
+		                    $src_port=src_port,
+		                    $dst_addr=dst_addr,
+		                    $dst_port=dst_port,
+		                    $event_msg=fmt("%s: %s", src_addr, msg),
+		                    $sig_id=sig_id,
+		                    $sub_msg=data];
+		Log::write(Signatures::LOG, info);
+		}
+
+	local notice = F;
+	if ( action == SIG_ALARM )
+		notice = T;
+	
+	if ( action == SIG_COUNT_PER_RESP )
+		{
+		local dst = state$conn$id$resp_h;
+		if ( ++count_per_resp[dst,sig_id] in count_thresholds )
+			{
+			NOTICE([$note=Count_Signature, $conn=state$conn,
+				   $msg=msg,
+				   $filename=sig_id,
+				   $n=count_per_resp[dst,sig_id],
+				   $sub=fmt("%d matches of signature %s on host %s",
+						count_per_resp[dst,sig_id],
+						sig_id, dst)]);
+			}
+		}
+
+	if ( (action == SIG_ALARM_PER_ORIG || action == SIG_SUMMARY) &&
+	     ++count_per_orig[state$conn$id$orig_h, sig_id] == 1 )
+		{
+		if ( action == SIG_ALARM_PER_ORIG )
+			notice = T;
+		else
+			schedule summary_interval {
+				sig_summary(state$conn$id$orig_h, sig_id, msg)
+			};
+		}
+
+	if ( action == SIG_ALARM_ONCE )
+		{
+		if ( [sig_id] !in did_sig_log )
+			{
+			notice = T;
+			add did_sig_log[sig_id];
+			}
+		}
+
+	if ( notice )
+		NOTICE([$note=Sensitive_Signature,
+		        $conn=state$conn, $src=src_addr,
+		        $dst=dst_addr, $filename=sig_id, $msg=fmt("%s: %s", src_addr, msg),
+		        $sub=data]);
+	
+	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
+		return;
+
+	# Keep track of scans.
+	local orig = state$conn$id$orig_h;
+	local resp = state$conn$id$resp_h;
+
+	if ( [orig, sig_id] !in horiz_table )
+		horiz_table[orig, sig_id] = set();
+
+	add horiz_table[orig, sig_id][resp];
+
+	if ( [orig, resp] !in vert_table )
+		vert_table[orig, resp] = set();
+
+	add vert_table[orig, resp][sig_id];
+
+	local hcount = length(horiz_table[orig, sig_id]);
+	local vcount = length(vert_table[orig, resp]);
+
+	if ( hcount in horiz_scan_thresholds && hcount != last_hthresh[orig] )
+		{
+		local horz_scan_msg =
+			fmt("%s has triggered signature %s on %d hosts",
+				orig, sig_id, hcount);
+
+		Log::write(Signatures::LOG, 
+			[$note=Multiple_Sig_Responders,
+		     $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
+		     $host_count=hcount, $sub_msg=horz_scan_msg]);
+
+		NOTICE([$note=Multiple_Sig_Responders, $src=orig, $filename=sig_id,
+			$msg=msg, $n=hcount, $sub=horz_scan_msg]);
+
+		last_hthresh[orig] = hcount;
+		}
+
+	if ( vcount in vert_scan_thresholds && vcount != last_vthresh[orig] )
+		{
+		local vert_scan_msg =
+			fmt("%s has triggered %d different signatures on host %s",
+				orig, vcount, resp);
+
+		Log::write(Signatures::LOG, 
+			[$ts=network_time(),
+			 $note=Multiple_Signatures, 
+			 $src_addr=orig,
+			 $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
+			 $event_msg=fmt("%s different signatures triggered", vcount),
+			 $sub_msg=vert_scan_msg]);
+
+		NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
+			$filename=sig_id,
+			$msg=fmt("%s different signatures triggered", vcount),
+			$n=vcount, $sub=vert_scan_msg]);
+
+		last_vthresh[orig] = vcount;
+		}
+	}
+
diff --git a/scripts/base/frameworks/software/__load__.bro b/scripts/base/frameworks/software/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/frameworks/software/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
new file mode 100644
index 0000000000..7471076335
--- /dev/null
+++ b/scripts/base/frameworks/software/main.bro
@@ -0,0 +1,426 @@
+##! This script provides the framework for software version detection and
+##! parsing but doesn't actually do any detection on it's own.  It relys on
+##! other protocol specific scripts to parse out software from the protocols
+##! that they analyze.  The entry point for providing new software detections
+##! to this framework is through the :bro:id:`Software::found` function.
+
+@load base/utils/directions-and-hosts
+@load base/utils/numbers
+
+module Software;
+
+export {
+	## The software logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	## Scripts detecting new types of software need to redef this enum to add
+	## their own specific software types which would then be used when they 
+	## create :bro:type:`Software::Info` records.
+	type Type: enum {
+		## A placeholder type for when the type of software is not known.
+		UNKNOWN,
+	};
+	
+	## A structure to represent the numeric version of software.
+	type Version: record {
+		## Major version number
+		major:  count  &optional;
+		## Minor version number
+		minor:  count  &optional;
+		## Minor subversion number
+		minor2: count  &optional;
+		## Additional version string (e.g. "beta42")
+		addl:   string &optional;
+	} &log;
+	
+	## The record type that is used for representing and logging software.
+	type Info: record {
+		## The time at which the software was detected.
+		ts:               time &log &optional;
+		## The IP address detected running the software.
+		host:             addr &log;
+		## The Port on which the software is running. Only sensible for server software.
+		host_p:           port &log &optional;
+		## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`).
+		software_type:    Type &log &default=UNKNOWN;
+		## Name of the software (e.g. Apache).
+		name:             string &log &optional;
+		## Version of the software.
+		version:          Version &log &optional;
+		## The full unparsed version string found because the version parsing 
+		## doesn't always work reliably in all cases and this acts as a 
+		## fallback in the logs.
+		unparsed_version: string &log &optional;
+		
+		## This can indicate that this software being detected should
+		## definitely be sent onward to the logging framework.  By 
+		## default, only software that is "interesting" due to a change
+		## in version or it being currently unknown is sent to the
+		## logging framework.  This can be set to T to force the record
+		## to be sent to the logging framework if some amount of this tracking
+		## needs to happen in a specific way to the software.
+		force_log:        bool &default=F;
+	};
+	
+	## Hosts whose software should be detected and tracked.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const asset_tracking = LOCAL_HOSTS &redef;
+	
+	## Other scripts should call this function when they detect software.
+	## id: The connection id where the software was discovered.
+	##
+	## info: A record representing the software discovered.
+	## 
+	## Returns: T if the software was logged, F otherwise.
+	global found: function(id: conn_id, info: Info): bool;
+	
+	## Compare two version records.
+	## 
+	## Returns:  -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
+	##           If the numerical version numbers match, the addl string
+	##           is compared lexicographically.
+	global cmp_versions: function(v1: Version, v2: Version): int;
+	
+	## Type to represent a collection of :bro:type:`Software::Info` records.
+	## It's indexed with the name of a piece of software such as "Firefox" 
+	## and it yields a :bro:type:`Software::Info` record with more information
+	## about the  software.
+	type SoftwareSet: table[string] of Info;
+	
+	## The set of software associated with an address.  Data expires from
+	## this table after one day by default so that a detected piece of 
+	## software will be logged once each day.
+	global tracked: table[addr] of SoftwareSet 
+		&create_expire=1day 
+		&synchronized
+		&redef;
+	
+	## This event can be handled to access the :bro:type:`Software::Info`
+	## record as it is sent on to the logging framework.
+	global log_software: event(rec: Info);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software]);
+	}
+	
+type Description: record {
+	name:             string;
+	version:          Version;
+	unparsed_version: string;
+};
+
+# Defining this here because of a circular dependency between two functions.
+global parse_mozilla: function(unparsed_version: string): Description;
+
+# Don't even try to understand this now, just make sure the tests are 
+# working.
+function parse(unparsed_version: string): Description
+	{
+	local software_name = "<parse error>";
+	local v: Version;
+	
+	# Parse browser-alike versions separately
+	if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version )
+		{
+		return parse_mozilla(unparsed_version);
+		}
+	else
+		{
+		# The regular expression should match the complete version number
+		# and software name.
+		local version_parts = split_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1);
+		if ( 1 in version_parts )
+			{
+			if ( /^\(/ in version_parts[1] )
+				software_name = strip(sub(version_parts[1], /[\(]/, ""));
+			else
+				software_name = strip(version_parts[1]);
+			}
+		if ( |version_parts| >= 2 )
+			{
+			# Remove the name/version separator if it's left at the beginning
+			# of the version number from the previous split_all.
+			local sv = strip(version_parts[2]);
+			if ( /^[\/\-\._v\(]/ in sv )
+				sv = strip(sub(version_parts[2], /^\(?[\/\-\._v\(]/, ""));
+			local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 3);
+			if ( 4 in version_numbers && version_numbers[4] != "" )
+				v$addl = strip(version_numbers[4]);
+			else if ( 3 in version_parts && version_parts[3] != "" &&
+				  version_parts[3] != ")" )
+				{
+				if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] )
+					{
+					v$addl = split_n(version_parts[3], /[\(\)]/, F, 2)[2];
+					}
+				else
+					{
+					local vp = split_n(version_parts[3], /[\-\._,;\[\]\(\)\{\} ]/, F, 3);
+					if ( |vp| >= 1 && vp[1] != "" )
+						{
+						v$addl = strip(vp[1]);
+						}
+					else if ( |vp| >= 2 && vp[2] != "" )
+						{
+						v$addl = strip(vp[2]);
+						}
+					else if ( |vp| >= 3 && vp[3] != "" )
+						{
+						v$addl = strip(vp[3]);
+						}
+					else
+						{
+						v$addl = strip(version_parts[3]);
+						}
+						
+					}
+				}
+		
+			if ( 3 in version_numbers && version_numbers[3] != "" )
+				v$minor2 = extract_count(version_numbers[3]);
+			if ( 2 in version_numbers && version_numbers[2] != "" )
+				v$minor = extract_count(version_numbers[2]);
+			if ( 1 in version_numbers && version_numbers[1] != "" )
+				v$major = extract_count(version_numbers[1]);
+			}
+		}
+	
+	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+	}
+
+
+function parse_mozilla(unparsed_version: string): Description
+	{
+	local software_name = "<unknown browser>";
+	local v: Version;
+	local parts: table[count] of string;
+	
+	if ( /Opera [0-9\.]*$/ in unparsed_version )
+		{
+		software_name = "Opera";
+		parts = split_all(unparsed_version, /Opera [0-9\.]*$/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
+	else if ( / MSIE / in unparsed_version )
+		{
+		software_name = "MSIE";
+		if ( /Trident\/4\.0/ in unparsed_version )
+			v = [$major=8,$minor=0];
+		else if ( /Trident\/5\.0/ in unparsed_version )
+			v = [$major=9,$minor=0];
+		else if ( /Trident\/6\.0/ in unparsed_version )
+			v = [$major=10,$minor=0];
+		else
+			{
+			parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
+			if ( 2 in parts )
+				v = parse(parts[2])$version;
+			}
+		}
+	else if ( /Version\/.*Safari\// in unparsed_version )
+		{
+		software_name = "Safari";
+		parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
+		if ( 2 in parts )
+			{
+			v = parse(parts[2])$version;
+			if ( / Mobile\/?.* Safari/ in unparsed_version )
+				v$addl = "Mobile";
+			}
+		}
+	else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
+		{
+		parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
+		if ( 2 in parts )
+			{
+			local tmp_s = parse(parts[2]);
+			software_name = tmp_s$name;
+			v = tmp_s$version;
+			}
+		}
+	else if ( /Chrome\/.*Safari\// in unparsed_version )
+		{
+		software_name = "Chrome";
+		parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
+	else if ( /^Opera\// in unparsed_version )
+		{
+		if ( /Opera M(ini|obi)\// in unparsed_version )
+			{
+			parts = split_all(unparsed_version, /Opera M(ini|obi)/);
+			if ( 2 in parts )
+				software_name = parts[2];
+			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
+			if ( 2 in parts )
+				v = parse(parts[2])$version;
+			else
+				{
+				parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/);
+				if ( 2 in parts )
+					v = parse(parts[2])$version;
+				}
+			}
+		else
+			{
+			software_name = "Opera";
+			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
+			if ( 2 in parts )
+				v = parse(parts[2])$version;
+			}
+		}
+	else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
+		{
+		software_name = "Unspecified WebKit";
+		parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
+
+	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+	}
+
+
+function cmp_versions(v1: Version, v2: Version): int
+	{
+	if ( v1?$major && v2?$major )
+		{
+		if ( v1$major < v2$major )
+			return -1;
+		if ( v1$major > v2$major )
+			return 1;
+		}
+	else
+		{
+		if ( !v1?$major && !v2?$major )
+			{ }
+		else
+			return v1?$major ? 1 : -1;
+		}
+		
+	if ( v1?$minor && v2?$minor )
+		{
+		if ( v1$minor < v2$minor )
+			return -1;
+		if ( v1$minor > v2$minor )
+			return 1;
+		}
+	else
+		{
+		if ( !v1?$minor && !v2?$minor )
+			{ }
+		else
+			return v1?$minor ? 1 : -1;
+		}
+		
+	if ( v1?$minor2 && v2?$minor2 )
+		{
+		if ( v1$minor2 < v2$minor2 )
+			return -1;
+		if ( v1$minor2 > v2$minor2 )
+			return 1;
+		}
+	else
+		{
+		if ( !v1?$minor2 && !v2?$minor2 )
+			{ }
+		else
+			return v1?$minor2 ? 1 : -1;
+		}
+
+	if ( v1?$addl && v2?$addl )
+		return strcmp(v1$addl, v2$addl);
+	else
+		{
+		if ( !v1?$addl && !v2?$addl )
+			return 0;
+		else
+			return v1?$addl ? 1 : -1;
+		}
+	}
+
+function software_endpoint_name(id: conn_id, host: addr): string
+	{
+	return fmt("%s %s", host, (host == id$orig_h ? "client" : "server"));
+	}
+
+# Convert a version into a string "a.b.c-x".
+function software_fmt_version(v: Version): string
+	{
+	return fmt("%d.%d.%d%s", 
+	           v?$major ? v$major : 0,
+	           v?$minor ? v$minor : 0,
+	           v?$minor2 ? v$minor2 : 0,
+	           v?$addl ? fmt("-%s", v$addl) : "");
+	}
+
+# Convert a software into a string "name a.b.cx".
+function software_fmt(i: Info): string
+	{
+	return fmt("%s %s", i$name, software_fmt_version(i$version));
+	}
+
+# Insert a mapping into the table
+# Overides old entries for the same software and generates events if needed.
+event register(id: conn_id, info: Info)
+	{
+	# Host already known?
+	if ( info$host !in tracked )
+		tracked[info$host] = table();
+
+	local ts = tracked[info$host];
+	# Software already registered for this host?  We don't want to endlessly
+	# log the same thing.
+	if ( info$name in ts )
+		{
+		local old = ts[info$name];
+		
+		# If the version hasn't changed, then we're just redetecting the
+		# same thing, then we don't care.  This results in no extra logging.
+		# But if the $force_log value is set then we'll continue.
+		if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 )
+			return;
+		}
+	ts[info$name] = info;
+	
+	Log::write(Software::LOG, info);
+	}
+
+function found(id: conn_id, info: Info): bool
+	{
+	if ( info$force_log || addr_matches_host(info$host, asset_tracking) )
+		{
+		if ( !info?$ts ) 
+			info$ts=network_time();
+		
+		if ( info?$version ) # we have a version number and don't have to parse. check if the name is also set...
+			{
+				if ( ! info?$name ) 
+					{
+					Reporter::error("Required field name not present in Software::found");
+					return F;
+					}
+			}
+		else  # no version present, we have to parse...
+			{
+			if ( !info?$unparsed_version ) 
+				{
+				Reporter::error("No unparsed version string present in Info record with version in Software::found");
+				return F;
+				} 
+			local sw = parse(info$unparsed_version);
+			info$unparsed_version = sw$unparsed_version;
+			info$name = sw$name;
+			info$version = sw$version;
+			}
+		
+		event register(id, info);
+		return T;
+		}
+	else
+		return F;
+	}
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
new file mode 100644
index 0000000000..ced5871ec0
--- /dev/null
+++ b/scripts/base/init-bare.bro
@@ -0,0 +1,2342 @@
+@load base/const.bif
+@load base/types.bif
+
+# Type declarations
+
+## An ordered array of strings. The entries are indexed by succesive numbers. Note
+## that it depends on the usage whether the first index is zero or one.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type string_array: table[count] of string;
+
+## A set of strings.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type string_set: set[string];
+
+## A set of addresses.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type addr_set: set[addr];
+
+## A set of counts.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type count_set: set[count];
+
+## A vector of counts, used by some builtin functions to store a list of indices.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type index_vec: vector of count;
+
+## A vector of strings.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type string_vec: vector of string;
+
+## A table of strings indexed by strings.
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type table_string_of_string: table[string] of string;
+
+## A connection's transport-layer protocol. Note that Bro uses the term
+## "connection" broadly, using flow semantics for ICMP and UDP.
+type transport_proto: enum {
+    unknown_transport,	##< An unknown transport-layer protocol.
+    tcp,	##< TCP.
+    udp,	##< UDP.
+    icmp	##< ICMP.
+};
+
+## A connection's identifying 4-tuple of endpoints and ports.
+##
+## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
+##    part of the port values, `orig_p` and `resp_p`, and can be extracted from them
+##    with :bro:id:`get_port_transport_proto`.
+type conn_id: record {
+	orig_h: addr;	##< The originator's IP address.
+	orig_p: port;	##< The originator's port number.
+	resp_h: addr;	##< The responder's IP address.
+	resp_p: port;	##< The responder's port number.
+} &log;
+
+## Specifics about an ICMP conversation. ICMP events typically pass this in
+## addition to :bro:type:`conn_id`.
+##
+## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
+##    icmp_time_exceeded icmp_unreachable
+type icmp_conn: record {
+	orig_h: addr;	##< The originator's IP address.
+	resp_h: addr;	##< The responder's IP address.
+	itype: count;	##< The ICMP type of the packet that triggered the instantiation of the record.
+	icode: count;	##< The ICMP code of the packet that triggered the instantiation of the record.
+	len: count;	##< The length of the ICMP payload of the packet that triggered the instantiation of the record.
+
+	v6: bool;	##< True if it's an ICMPv6 packet.
+};
+
+## Packet context part of an ICMP message. The fields of this record reflect the
+## packet that is described by the context.
+##
+## .. bro:see:: icmp_time_exceeded icmp_unreachable
+type icmp_context: record {
+	id: conn_id;	##< The packet's 4-tuple.
+	len: count;	##< The lenght of the packet's IP header.
+	proto: count;	##< The packet's transport-layer protocol.
+	frag_offset: count;	##< The packet's fragementation offset.
+	## True if the packet's IP header is fully included in the context. If that is not
+	## the case, the other fields will all be set to null values.
+	bad_hdr_len: bool;
+	bad_checksum: bool;	##< True if the packet's IP checksum is not correct.
+	MF: bool;	##< True if the packets *more fragements* flag is set.
+	DF: bool;	##< True if the packets *don't fragment* flag is set.
+};
+
+# A DNS mapping between IP address and hostname resolved by Bro's internal
+# resolver.
+#
+# .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+#    dns_mapping_unverified dns_mapping_valid
+type dns_mapping: record {
+	## The time when the mapping was created, which corresponds to the when the DNS
+	## query was sent out.
+	creation_time: time;
+	## If the mapping is the result of a name lookup, the queried host name; otherwise
+	## empty.
+	req_host: string;
+	## If the mapping is the result of a pointer lookup, the queried address; otherwise
+	## null.
+	req_addr: addr;
+	## True if the lookup returned success. Only then, the result ields are valid.
+	valid: bool;
+	## If the mapping is the result of a pointer lookup, the resolved hostname;
+	## otherwise empty.
+	hostname: string;
+	## If the mapping is the result of an address lookup, the resolved address(es);
+	## otherwise empty.
+	addrs: addr_set;
+};
+
+## A parsed host/port combination describing server endpoint for an upcoming
+## data transfert.
+##
+## .. bro:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv
+##    parse_ftp_port
+type ftp_port: record {
+	h: addr;	##< The host's address.
+	p: port;	##< The host's port.
+	valid: bool;	##< True if format was right. Only then, *h* and *p* are valid.
+};
+
+## Statistics about what a TCP endpoint sent.
+##
+## .. bro:see:: conn_stats
+type endpoint_stats: record {
+	num_pkts: count;	##< Number of packets.
+	num_rxmit: count;	##< Number of retransmission.
+	num_rxmit_bytes: count;	##< Number of retransmitted bytes.
+	num_in_order: count;	##< Number of in-order packets.
+	num_OO: count;	##< Number out-of-order packets.
+	num_repl: count;	##< Number of replicated packets (last packet was sent again).
+	## Endian type used by the endpoint, if it it could be determined from the sequence
+	## numbers used. This is one of :bro:see:`ENDIAN_UNKNOWN`, :bro:see:`ENDIAN_BIG`,
+	## :bro:see:`ENDIAN_LITTLE`, and :bro:see:`ENDIAN_CONFUSED`.
+	endian_type: count;
+};
+
+## A unique analyzer instance ID. Each time instantiates a protocol analyzers
+## for a connection, it assigns it a unique ID that can be used to reference
+## that instance.
+##
+## .. bro:see:: analyzer_name disable_analyzer protocol_confirmation
+##    protocol_violation
+##
+## .. todo::While we declare an alias for the type here, the events/functions still
+##    use ``count``. That should be changed.
+type AnalyzerID: count;
+
+## Statistics about an endpoint.
+##
+## todo::Where is this used?
+type endpoint: record {
+	size: count;	##< Logical size of data sent (for TCP: derived from sequence numbers).
+	## Endpoint state. For TCP connection, one of the constants:
+	## :bro:see:`TCP_INACTIVE` :bro:see:`TCP_SYN_SENT` :bro:see:`TCP_SYN_ACK_SENT`
+	## :bro:see:`TCP_PARTIAL` :bro:see:`TCP_ESTABLISHED` :bro:see:`TCP_CLOSED`
+	## :bro:see:`TCP_RESET`. For UDP, one of :bro:see:`UDP_ACTIVE` and
+	## :bro:see:`UDP_INACTIVE`.
+	state: count;
+	## Number of packets sent. Only set if :bro:id:`use_conn_size_analyzer` is true.
+	num_pkts: count &optional;
+	## Number of IP-level bytes sent. Only set if :bro:id:`use_conn_size_analyzer` is
+	## true.
+	num_bytes_ip: count &optional;
+};
+
+# A connection. This is Bro's basic connection type describing IP- and
+# transport-layer information about the conversation. Note that Bro uses a
+# liberal interpreation of "connection" and associates instances of this type
+# also with UDP and ICMP flows.
+type connection: record {
+	id: conn_id;	##< The connection's identifying 4-tuple.
+	orig: endpoint;	##< Statistics about originator side.
+	resp: endpoint;	##< Statistics about responder side.
+	start_time: time;	##< The timestamp of the connection's first packet.
+	## The duration of the conversation. Roughly speaking, this is the interval between
+	## first and last data packet (low-level TCP details may adjust it somewhat in
+	## ambigious cases).
+	duration: interval;
+	## The set of services the connection is using as determined by Bro's dynamic
+	## protocol detection. Each entry is the label of an analyzer that confirmed that
+	## it could parse the connection payload.  While typically, there will be at
+	## most one entry for each connection, in principle it is possible that more than
+	## one protocol analyzer is able to parse the same data. If so, all will
+	## be recorded. Also note that the recorced services are independent of any
+	## transport-level protocols.
+        service: set[string];
+	addl: string;	##< Deprecated.
+	hot: count;	##< Deprecated.
+	history: string;	##< State history of TCP connections. See *history* in :bro:see:`Conn::Info`.
+	## A globally unique connection identifier. For each connection, Bro creates an ID
+	## that is very likely unique across independent Bro runs. These IDs can thus be
+	## used to tag and locate information  associated with that connection.
+	uid: string;
+};
+
+## Fields of a SYN packet.
+##
+## .. bro:see:: connection_SYN_packet
+type SYN_packet: record {
+	is_orig: bool;	##< True if the packet was sent the connection's originator.
+	DF: bool;	##< True if the *don't fragment* is set in the IP header.
+	ttl: count;	##< The IP header's time-to-live.
+	size: count;	##< The size of the packet's payload as specified in the IP header.
+	win_size: count;	##< The window size from the TCP header.
+	win_scale: int;	##< The window scale option if present, or -1 if not.
+	MSS: count;	##< The maximum segement size if present, or 0 if not.
+	SACK_OK: bool;	##< True if the *SACK* option is present.
+};
+
+## Packet capture statistics.  All counts are cumulative.
+##
+## .. bro:see:: net_stats
+type NetStats: record {
+	pkts_recvd:   count &default=0;	##< Packets received by Bro.
+	pkts_dropped: count &default=0;	##< Packets reported dropped by the system.
+	## Packets seen on the link. Note that this may differ
+	## from *pkts_recvd* because of a potential capture_filter. See
+	## :doc:`/scripts/base/frameworks/packet-filter/main`. Depending on the packet
+	## capture system, this value may not be available and will then be always set to
+	## zero.
+	pkts_link:    count &default=0;
+};
+
+## Statistics about Bro's resource consumption.
+##
+## .. bro:see:: resource_usage
+##
+## .. note:: All process-level values refer to Bro's main process only, not to
+##    the child process it spawns for doing communication.
+type bro_resources: record {
+	version: string;	##< Bro version string.
+	debug: bool;	##< True if compiled with --enable-debug.
+	start_time: time;	##< Start time of process.
+	real_time: interval;	##< Elapsed real time since Bro started running.
+	user_time: interval;	##< User CPU seconds.
+	system_time: interval;	##< System CPU seconds.
+	mem: count;		##< Maximum memory consumed, in KB.
+	minor_faults: count;	##< Page faults not requiring actual I/O.
+	major_faults: count;	##< Page faults requiring actual I/O.
+	num_swap: count;	##< Times swapped out.
+	blocking_input: count;	##< Blocking input operations.
+	blocking_output: count;	##< Blocking output operations.
+	num_context: count;	##< Number of involuntary context switches.
+
+	num_TCP_conns: count;	##< Current number of TCP connections in memory.
+	num_UDP_conns: count;	##< Current number of UDP flows in memory.
+	num_ICMP_conns: count;	##< Current number of ICMP flows in memory.
+	num_fragments: count;	##< Current number of fragments pending reassembly.
+	num_packets: count;	##< Total number packets processed to date.
+	num_timers: count;	##< Current number of pending timers.
+	num_events_queued: count;	##< Total number of events queued so far.
+	num_events_dispatched: count;	##< Total number of events dispatched so far.
+
+	max_TCP_conns: count;	##< Maximum number of concurrent TCP connections so far.
+	max_UDP_conns: count;	##< Maximum number of concurrent UDP connections so far.
+	max_ICMP_conns: count;	##< Maximum number of concurrent ICMP connections so far.
+	max_fragments: count;	##< Maximum number of concurrently buffered fragements so far.
+	max_timers: count;	##< Maximum number of concurrent timers pending so far.
+};
+
+## Summary statistics of all regular expression matchers.
+##
+## .. bro:see:: get_matcher_stats
+type matcher_stats: record {
+	matchers: count;	##< Number of distinct RE matchers.
+	dfa_states: count;	##< Number of DFA states across all matchers.
+	computed: count;	##< Number of computed DFA state transitions.
+	mem: count;		##< Number of bytes used by DFA states.
+	hits: count;		##< Number of cache hits.
+	misses: count;		##< Number of cache misses.
+	avg_nfa_states: count;	##< Average number of NFA states across all matchers.
+};
+
+## Statistics about number of gaps in TCP connections.
+##
+## .. bro:see:: gap_report get_gap_summary
+type gap_info: record {
+	ack_events: count;	##< How many ack events *could* have had gaps.
+	ack_bytes: count;	##< How many bytes those covered.
+	gap_events: count;	##< How many *did* have gaps.
+	gap_bytes: count;	##< How many bytes were missing in the gaps.
+};
+
+## Deprecated. 
+## 
+## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
+##    else.  
+type packet: record {
+	conn: connection;
+	is_orig: bool;
+	seq: count;	##< seq=k => it is the kth *packet* of the connection
+	timestamp: time;
+};
+
+## Table type used to map variable names to their memory allocation.
+##
+## .. bro:see:: global_sizes
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type var_sizes: table[string] of count;
+
+## Meta-information about a script-level identifier.
+##
+## .. bro:see:: global_ids id_table
+type script_id: record {
+	type_name: string;	##< The name of the identifier's type.
+	exported: bool;	##< True if the identifier is exported.
+	constant: bool;	##< True if the identifier is a constant.
+	enum_constant: bool;	##< True if the identifier is an enum value.
+	redefinable: bool;	##< True if the identifier is declared with the :bro:attr:`&redef` attribute.
+	value: any &optional;	##< The current value of the identifier.
+};
+
+## Table type used to map script-level identifiers to meta-information
+## describing them.
+##
+## .. bro:see:: global_ids script_id
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type id_table: table[string] of script_id;
+
+## Meta-information about a record-field.
+##
+## .. bro:see:: record_fields record_field_table
+type record_field: record {
+	type_name: string;	##< The name of the field's type.
+	log: bool;	##< True of the field is declared with :bro:attr:`&log` attribute.
+	## The current value of the field in the record instance passed into
+	## :bro:see:`record_fields` (if it has one).
+	value: any &optional;
+	default_val: any &optional;	##< The value of the :bro:attr:`&default` attribute if defined.
+};
+
+## Table type used to map record field declarations to meta-information describing
+## them.
+##
+## .. bro:see:: record_fields record_field
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type record_field_table: table[string] of record_field;
+
+# todo::Do we still needs these here? Can they move into the packet filter
+# framework?
+#
+# The following two variables are defined here until the core is not
+# dependent on the names remaining as they are now.
+
+## Set of BPF capture filters to use for capturing, indexed by a user-definable
+## ID (which must be unique). If Bro is *not* configured to examine
+## :bro:id:`PacketFilter::all_packets`, all packets matching at least
+## one of the filters in this table (and all in :bro:id:`restrict_filters`)
+## will be analyzed.
+##
+## .. bro:see:: PacketFilter PacketFilter::all_packets
+##    PacketFilter::unrestricted_filter restrict_filters
+global capture_filters: table[string] of string &redef;
+
+## Set of BPF filters to restrict capturing, indexed by a user-definable ID (which
+## must be unique). If Bro is *not* configured to examine
+## :bro:id:`PacketFilter::all_packets`, only packets matching *all* of the
+## filters in this table (and any in :bro:id:`capture_filters`) will be
+## analyzed.
+##
+## .. bro:see:: PacketFilter PacketFilter::all_packets
+##    PacketFilter::unrestricted_filter capture_filters
+global restrict_filters: table[string] of string &redef;
+
+## Enum type identifying dynamic BPF filters. These are used by
+## :bro:see:`precompile_pcap_filter`  and :bro:see:`precompile_pcap_filter`.
+type PcapFilterID: enum { None };
+
+## Deprecated.
+##
+## .. bro:see:: anonymize_addr
+type IPAddrAnonymization: enum {
+	KEEP_ORIG_ADDR,
+	SEQUENTIALLY_NUMBERED,
+	RANDOM_MD5,
+	PREFIX_PRESERVING_A50,
+	PREFIX_PRESERVING_MD5,
+};
+
+## Deprecated.
+##
+## .. bro:see:: anonymize_addr
+type IPAddrAnonymizationClass: enum {
+	ORIG_ADDR,
+	RESP_ADDR,
+	OTHER_ADDR,
+};
+
+## A locally unique ID identifying a communication peer. The ID is returned by
+## :bro:id:`connect`.
+##
+## .. bro:see:: connect Communication
+type peer_id: count;
+
+## A communication peer.
+##
+## .. bro:see:: complete_handshake disconnect finished_send_state
+##    get_event_peer get_local_event_peer remote_capture_filter
+##    remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log_peer remote_pong
+##    request_remote_events request_remote_logs request_remote_sync
+##    send_capture_filter send_current_packet send_id send_ping send_state
+##    set_accept_state set_compression_level
+##
+## .. todo::The type's name is to narrow these days, should rename.
+type event_peer: record {
+	id: peer_id;	##< Locally unique ID of peer (returned by :bro:id:`connect`).
+	host: addr;	##< The IP address of the peer.
+	## Either the port we connected to at the peer; or our port the peer
+	## connected to if the session is remotely initiated.
+	p: port;
+	is_local: bool;		##< True if this record describes the local process.
+	descr: string;		##< The peer's :bro:see:`peer_description`.
+	class: string &optional;	##< The self-assigned *class* of the peer. See :bro:see:`Communication::Node`.
+};
+
+## Deprecated.
+##
+## .. bro:see:: rotate_file rotate_file_by_name rotate_interval
+type rotate_info: record {
+	old_name: string;	##< Original filename.
+	new_name: string;	##< File name after rotation.
+	open: time;	##< Time when opened.
+	close: time;	##< Time when closed.
+};
+
+### The following aren't presently used, though they should be.
+# # Structures needed for subsequence computations (str_smith_waterman):
+# #
+# type sw_variant: enum {
+#	SW_SINGLE,
+#	SW_MULTIPLE,
+# };
+
+## Paramerts for the Smith-Waterman algorithm.
+##
+## .. bro:see:: str_smith_waterman
+type sw_params: record {
+	## Minimum size of a substring, minimum "granularity".
+	min_strlen: count &default = 3;
+
+	## Smith-Waterman flavor to use.
+	sw_variant: count &default = 0;
+};
+
+## Helper type for return value of Smith-Waterman algorithm.
+##
+## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params
+type sw_align: record {
+	str: string;	##< String a substring is part of.
+	index: count;	##< Offset substring is located.
+};
+
+## Helper type for return value of Smith-Waterman algorithm.
+##
+## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params
+type sw_align_vec: vector of sw_align;
+
+## Helper type for return value of Smith-Waterman algorithm.
+##
+## .. bro:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params
+##
+type sw_substring: record {
+	str: string;	##< A substring.
+	aligns: sw_align_vec;	##< All strings of which it's a substring.
+	new: bool;	##< True if start of new alignment.
+};
+
+## Return type for Smith-Waterman algorithm.
+##
+## .. bro:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params
+##
+## .. todo:: We need this type definition only for declaring builtin functions via
+##    ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
+##    then remove this alias.
+type sw_substring_vec: vector of sw_substring;
+
+## Policy-level representation of a packet passed on by libpcap. The data includes
+## the complete packet as returned by libpcap, including the link-layer header.
+##
+## .. bro:see:: dump_packet get_current_packet
+type pcap_packet: record {
+	ts_sec: count;	##< The non-fractional part of the packet's timestamp (i.e., full seconds since the epoch).
+	ts_usec: count;	##< The fractional part of the packet's timestamp.
+	caplen: count;	##< The number of bytes captured (<= *len*).
+	len: count;	##< The length of the packet in bytes, including <link-level header.
+	data: string;	##< The payload of the packet, including link-level header.
+};
+
+## GeoIP location information.
+##
+## .. bro:see:: lookup_location
+type geo_location: record {
+	country_code: string &optional;	##< The country code.
+	region: string &optional;	##< The region.
+	city: string &optional;	##< The city.
+	latitude: double &optional;	##< Latitude.
+	longitude: double &optional;	##< Longitude.
+} &log;
+
+## Computed entropy values. The record captures a number of measures that are
+## computed in parallel. See `A Pseudorandom Number Sequence Test Program
+## <http://www.fourmilab.ch/random>`_ for more information, Bro uses the same
+## code.
+##
+## .. bro:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
+type entropy_test_result: record {
+	entropy: double;	##< Information density.
+	chi_square: double;	##< Chi-Square value.
+	mean: double;	##< Arithmetic Mean.
+	monte_carlo_pi: double;	##< Monte-carlo value for pi.
+	serial_correlation: double;	##< Serial correlation coefficient.
+};
+
+# Prototypes of Bro built-in functions.
+@load base/strings.bif
+@load base/bro.bif
+@load base/reporter.bif
+
+## Deprecated. This is superseded by the new logging framework.
+global log_file_name: function(tag: string): string &redef;
+
+## Deprecated. This is superseded by the new logging framework.
+global open_log_file: function(tag: string): file &redef;
+
+## Specifies a directory for Bro store its persistent state. All globals can
+## be declared persistent via the :bro:attr:`&persistent` attribute.
+const state_dir = ".state" &redef;
+
+## Length of the delays inserted when storing state incrementally. To avoid
+## dropping packets when serializing larger volumes of persistent state to
+## disk, Bro interleaves the operation with continued packet processing.
+const state_write_delay = 0.01 secs &redef;
+
+global done_with_network = F;
+event net_done(t: time) { done_with_network = T; }
+
+function log_file_name(tag: string): string
+	{
+	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
+	return fmt("%s.%s", tag, suffix);
+	}
+
+function open_log_file(tag: string): file
+	{
+	return open(log_file_name(tag));
+	}
+
+## Internal function.
+function add_interface(iold: string, inew: string): string
+	{
+	if ( iold == "" )
+		return inew;
+	else
+		return fmt("%s %s", iold, inew);
+	}
+
+## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
+## extend.
+global interfaces = "" &add_func = add_interface;
+
+## Internal function.
+function add_signature_file(sold: string, snew: string): string
+	{
+	if ( sold == "" )
+		return snew;
+	else
+		return cat(sold, " ", snew);
+	}
+
+## Signature files to read. Use ``redef signature_files  += "foo.sig"`` to
+## extend. Signature files will be searched relative to ``BROPATH``.
+global signature_files = "" &add_func = add_signature_file;
+
+## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
+const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
+
+# todo::testing to see if I can remove these without causing problems.
+#const ftp = 21/tcp;
+#const ssh = 22/tcp;
+#const telnet = 23/tcp;
+#const smtp = 25/tcp;
+#const domain = 53/tcp;	# note, doesn't include UDP version
+#const gopher = 70/tcp;
+#const finger = 79/tcp;
+#const http = 80/tcp;
+#const ident = 113/tcp;
+#const bgp = 179/tcp;
+#const rlogin = 513/tcp;
+
+# TCP values for :bro:see:`endpoint` *state* field.
+# todo::these should go into an enum to make them autodoc'able.
+const TCP_INACTIVE = 0;	##< Endpoint is still inactive.
+const TCP_SYN_SENT = 1;	##< Endpoint has sent SYN.
+const TCP_SYN_ACK_SENT = 2;	##< Endpoint has sent SYN/ACK.
+const TCP_PARTIAL = 3;	##< Endpoint has sent data but no initial SYN.
+const TCP_ESTABLISHED = 4;	##< Endpoint has finished initial handshake regularly.
+const TCP_CLOSED = 5;	##< Endpoint has closed connection.
+const TCP_RESET = 6;	##< Endpoint has sent RST.
+
+# UDP values for :bro:see:`endpoint` *state* field.
+# todo::these should go into an enum to make them autodoc'able.
+const UDP_INACTIVE = 0;	##< Endpoint is still inactive.
+const UDP_ACTIVE = 1;	##< Endpoint has sent something.
+
+## If true, don't verify checksums.  Useful for running on altered trace
+## files, and for saving a few cycles, but at the risk of analyzing invalid
+## data. Note that the ``-C`` command-line option overrides the setting of this
+## variable.
+const ignore_checksums = F &redef;
+
+## If true, instantiate connection state when a partial connection
+## (one missing its initial establishment negotiation) is seen.
+const partial_connection_ok = T &redef;
+
+## If true, instantiate connection state when a SYN/ACK is seen but not the initial
+## SYN (even if :bro:see:`partial_connection_ok`  is false).
+const tcp_SYN_ack_ok = T &redef;
+
+## If true, pass any undelivered to the signature engine before flushing the state.
+## If a connection state is removed, there may still be some data waiting in the
+## reassembler.
+const tcp_match_undelivered = T &redef;
+
+## Check up on the result of an initial SYN after this much time.
+const tcp_SYN_timeout = 5 secs &redef;
+
+## After a connection has closed, wait this long for further activity
+## before checking whether to time out its state.
+const tcp_session_timer = 6 secs &redef;
+
+## When checking a closed connection for further activity, consider it
+## inactive if there hasn't been any for this long.  Complain if the
+## connection is reused before this much time has elapsed.
+const tcp_connection_linger = 5 secs &redef;
+
+## Wait this long upon seeing an initial SYN before timing out the
+## connection attempt.
+const tcp_attempt_delay = 5 secs &redef;
+
+## Upon seeing a normal connection close, flush state after this much time.
+const tcp_close_delay = 5 secs &redef;
+
+## Upon seeing a RST, flush state after this much time.
+const tcp_reset_delay = 5 secs &redef;
+
+## Generate a :bro:id:`connection_partial_close` event this much time after one half
+## of a partial connection closes, assuming there has been no subsequent
+## activity.
+const tcp_partial_close_delay = 3 secs &redef;
+
+## If a connection belongs to an application that we don't analyze,
+## time it out after this interval.  If 0 secs, then don't time it out (but
+## :bro:see:`tcp_inactivity_timeout`/:bro:see:`udp_inactivity_timeout`/:bro:see:`icmp_inactivity_timeout`
+## still apply).
+const non_analyzed_lifetime = 0 secs &redef;
+
+## If a TCP connection is inactive, time it out after this interval. If 0 secs,
+## then don't time it out.
+##
+## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+const tcp_inactivity_timeout = 5 min &redef;
+
+## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
+## don't time it out.
+##
+## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+const udp_inactivity_timeout = 1 min &redef;
+
+## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
+## don't time it out.
+##
+## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
+const icmp_inactivity_timeout = 1 min &redef;
+
+## Number of FINs/RSTs in a row that constitute a "storm". Storms are reported via
+## as ``weird`` via the notice framework, and they must also come within
+## intervals of at most :bro:see:`tcp_storm_interarrival_thresh`.
+##
+## .. bro:see:: tcp_storm_interarrival_thresh
+const tcp_storm_thresh = 1000 &redef;
+
+## FINs/RSTs must come with this much time or less between them to be
+## considered a "storm".
+##
+## .. bro:see:: tcp_storm_thresh
+const tcp_storm_interarrival_thresh = 1 sec &redef;
+
+## Maximum amount of data that might plausibly be sent in an initial flight (prior
+## to receiving any acks).  Used to determine whether we must not be seeing our
+## peer's ACKs.  Set to zero to turn off this determination.
+##
+## .. bro:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks
+const tcp_max_initial_window = 4096;
+
+## If we're not seeing our peer's ACKs, the maximum volume of data above a sequence
+## hole that we'll tolerate before assuming that there's been a packet drop and we
+## should give up on tracking a connection. If set to zero, then we don't ever give
+## up.
+##
+## .. bro:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks
+const tcp_max_above_hole_without_any_acks = 4096;
+
+## If we've seen this much data without any of it being acked, we give up
+## on that connection to avoid memory exhaustion due to buffering all that
+## stuff.  If set to zero, then we don't ever give up.  Ideally, Bro would
+## track the current window on a connection and use it to infer that data
+## has in fact gone too far, but for now we just make this quite beefy.
+##
+## .. bro:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks
+const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024;
+
+## For services without an a handler, these sets define originator-side ports that
+## still trigger reassembly.
+##
+## .. :bro:see:: tcp_reassembler_ports_resp
+const tcp_reassembler_ports_orig: set[port] = {} &redef;
+
+## For services without an a handler, these sets define responder-side ports that
+## still trigger reassembly.
+##
+## .. :bro:see:: tcp_reassembler_ports_orig
+const tcp_reassembler_ports_resp: set[port] = {} &redef;
+
+## Defines destination TCP ports for which the contents of the originator stream
+## should be delivered via :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+##    tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_content_deliver_all_resp  tcp_contents
+const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef;
+
+## Defines destination TCP ports for which the contents of the responder stream should
+## be delivered via :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig
+##    tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_content_deliver_all_resp tcp_contents
+const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef;
+
+## If true, all TCP originator-side  traffic is reported via
+## :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+##    tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_content_deliver_all_resp tcp_contents
+const tcp_content_deliver_all_orig = F &redef;
+
+## If true, all TCP responder-side  traffic is reported via
+## :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig
+##    tcp_content_delivery_ports_resp
+##    tcp_content_deliver_all_orig udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_content_deliver_all_resp tcp_contents
+const tcp_content_deliver_all_resp = F &redef;
+
+## Defines UDP destination ports for which the contents of the originator stream
+## should be delivered via :bro:see:`udp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig
+##    tcp_content_delivery_ports_resp
+##    tcp_content_deliver_all_orig tcp_content_deliver_all_resp
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_content_deliver_all_resp  udp_contents
+const udp_content_delivery_ports_orig: table[port] of bool = {} &redef;
+
+## Defines UDP destination ports for which the contents of the originator stream
+## should be delivered via :bro:see:`udp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig
+##    tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+##    tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+##    udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents
+const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
+
+## If true, all UDP originator-side  traffic is reported via
+## :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig
+##    tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
+##    tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_resp
+##    udp_contents
+const udp_content_deliver_all_orig = F &redef;
+
+## If true, all UDP responder-side traffic is reported via
+## :bro:see:`tcp_contents`.
+##
+## .. bro:see:: tcp_content_delivery_ports_orig
+##    tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
+##    tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
+##    udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+##    udp_contents
+const udp_content_deliver_all_resp = F &redef;
+
+## Check for expired table entries after this amount of time.
+##
+## .. bro:see:: table_incremental_step table_expire_delay
+const table_expire_interval = 10 secs &redef;
+
+## When expiring/serializing table entries, don't work on more than this many table
+## at a time.
+##
+## .. bro:see:: table_expire_interval table_expire_delay
+const table_incremental_step = 5000 &redef;
+
+## When expiring table entries, wait this amount of time before checking the next
+## chunk of entries.
+##
+## .. :bro:see:: table_expire_interval table_incremental_step
+const table_expire_delay = 0.01 secs &redef;
+
+## Time to wait before timing out a DNS request.
+const dns_session_timeout = 10 sec &redef;
+
+## Time to wait before timing out an NTP request.
+const ntp_session_timeout = 300 sec &redef;
+
+## Time to wait before timing out an RPC request.
+const rpc_timeout = 24 sec &redef;
+
+## How long to hold onto fragments for possible reassembly.  A value of 0.0 means
+## "forever", which resists evasion, but can lead to state accrual.
+const frag_timeout = 0.0 sec &redef;
+
+## Time window for reordering packets. This is used for dealing with timestamp
+## discrepency between multiple packet sources.
+##
+## .. note:: Setting this can have a major performance impact as now packets need
+##    to be potentially copied and buffered.
+const packet_sort_window = 0 usecs &redef;
+
+## If positive, indicates the encapsulation header size that should
+## be skipped. This either applies to all packets, or if
+## :bro:see:`tunnel_port` is set, only to packets on that port.
+##
+## .. :bro:see:: tunnel_port
+const encap_hdr_size = 0 &redef;
+
+## A UDP port that specifies which connections to apply :bro:see:`encap_hdr_size`
+## to.
+##
+## .. :bro:see:: encap_hdr_size
+const tunnel_port = 0/udp &redef;
+
+## Whether to use the ``ConnSize`` analyzer to count the number of packets and
+## IP-level bytes transfered by each endpoint. If true, these values are returned
+## in the connection's :bro:see:`endpoint`  record value.
+const use_conn_size_analyzer = T &redef;
+
+# todo::these should go into an enum to make them autodoc'able.
+const ENDIAN_UNKNOWN = 0;	##< Endian not yet determined.
+const ENDIAN_LITTLE = 1;	##< Little endian.
+const ENDIAN_BIG = 2;	##< Big endian.
+const ENDIAN_CONFUSED = 3;	##< Tried to determine endian, but failed.
+
+## Deprecated.
+function append_addl(c: connection, addl: string)
+	{
+	if ( c$addl == "" )
+		c$addl= addl;
+
+	else if ( addl !in c$addl )
+		c$addl = fmt("%s %s", c$addl, addl);
+	}
+
+## Deprecated.
+function append_addl_marker(c: connection, addl: string, marker: string)
+	{
+	if ( c$addl == "" )
+		c$addl= addl;
+
+	else if ( addl !in c$addl )
+		c$addl = fmt("%s%s%s", c$addl, marker, addl);
+	}
+
+
+# Values for :bro:see:`set_contents_file` *direction* argument.
+# todo::these should go into an enum to make them autodoc'able
+const CONTENTS_NONE = 0;	##< Turn off recording of contents.
+const CONTENTS_ORIG = 1;	##< Record originator contents.
+const CONTENTS_RESP = 2;	##< Record responder contents.
+const CONTENTS_BOTH = 3;	##< Record both originator and responder contents.
+
+# Values for code of ICMP *unreachable* messages. The list is not exhaustive.
+# todo::these should go into an enum to make them autodoc'able
+#
+# .. bro:see:: :bro:see:`icmp_unreachable `
+const ICMP_UNREACH_NET = 0;	##< Network unreachable.
+const ICMP_UNREACH_HOST = 1;	##< Host unreachable.
+const ICMP_UNREACH_PROTOCOL = 2;	##< Protocol unreachable.
+const ICMP_UNREACH_PORT = 3;	##< Port unreachable.
+const ICMP_UNREACH_NEEDFRAG = 4;	##< Fragement needed.
+const ICMP_UNREACH_ADMIN_PROHIB = 13;	##< Adminstratively prohibited.
+
+# Definitions for access to packet headers.  Currently only used for
+# discarders.
+# todo::these should go into an enum to make them autodoc'able
+const IPPROTO_IP = 0;			##< Dummy for IP.
+const IPPROTO_ICMP = 1;			##< Control message protocol.
+const IPPROTO_IGMP = 2;			##< Group management protocol.
+const IPPROTO_IPIP = 4;			##< IP encapsulation in IP.
+const IPPROTO_TCP = 6;			##< TCP.
+const IPPROTO_UDP = 17;			##< User datagram protocol.
+const IPPROTO_ICMPV6 = 58;		##< ICMP for IPv6.
+const IPPROTO_RAW = 255;		##< Raw IP packet.
+
+## Values extracted from an IP header.
+##
+## .. bro:see:: pkt_hdr discarder_check_ip
+type ip_hdr: record {
+	hl: count;		##< Header length in bytes.
+	tos: count;		##< Type of service.
+	len: count;		##< Total length.
+	id: count;		##< Identification.
+	ttl: count;		##< Time to live.
+	p: count;		##< Protocol.
+	src: addr;		##< Source address.
+	dst: addr;		##< Destination address.
+};
+
+# TCP flags.
+#
+# todo::these should go into an enum to make them autodoc'able
+const TH_FIN = 1;	##< FIN.
+const TH_SYN = 2;	##< SYN.
+const TH_RST = 4;	##< RST.
+const TH_PUSH = 8;	##< PUSH.
+const TH_ACK = 16;	##< ACK.
+const TH_URG = 32;	##< URG.
+const TH_FLAGS = 63;	##< Mask combining all flags.
+
+## Values extracted from a TCP header.
+##
+## .. bro:see:: pkt_hdr discarder_check_tcp
+type tcp_hdr: record {
+	sport: port;		##< source port.
+	dport: port;		##< destination port
+	seq: count;		##< sequence number
+	ack: count;		##< acknowledgement number
+	hl: count;		##< header length (in bytes)
+	dl: count;		##< data length (xxx: not in original tcphdr!)
+	flags: count;		##< flags
+	win: count;		##< window
+};
+
+## Values extracted from a UDP header.
+##
+## .. bro:see:: pkt_hdr discarder_check_udp
+type udp_hdr: record {
+	sport: port;		##< source port
+	dport: port;		##< destination port
+	ulen: count;		##< udp length
+};
+
+## Values extracted from an ICMP header.
+##
+## .. bro:see:: pkt_hdr discarder_check_icmp
+type icmp_hdr: record {
+	icmp_type: count;	##< type of message
+};
+
+## A packet header, consisting of an IP header and transport-layer header.
+##
+## .. bro:see:: new_packet
+type pkt_hdr: record {
+	ip: ip_hdr;	##< The IP header.
+	tcp: tcp_hdr &optional;	##< The TCP header if a TCP packet.
+	udp: udp_hdr &optional;	##< The UDP header if a UDP packet.
+	icmp: icmp_hdr &optional;	##< The ICMP header if an ICMP packet.
+};
+
+## Definition of "secondary filters". A secondary filter is a BPF filter given as
+## index in this table. For each such filter, the corresponding event is raised for
+## all matching packets.
+global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
+	&redef;
+
+## Maximum length of payload passed to discarder functions.
+##
+## .. :bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
+##    discarder_check_ip
+global discarder_maxlen = 128 &redef;
+
+## Function for skipping packets based on their IP header. If defined, this
+## function will be called for all IP packets before Bro performs any further
+## analysis. If the function signals to discard a packet, no further processing
+## will be performed on it.
+##
+## i: The IP header of the considered packet.
+##
+## Returns: True if the packet should not be analyzed any further.
+##
+## .. :bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
+##    discarder_maxlen
+##
+## .. note:: This is very low-level functionality and potentially expensive.
+##    Avoid using it.
+global discarder_check_ip: function(i: ip_hdr): bool;
+
+## Function for skipping packets based on their TCP header. If defined, this
+## function will be called for all TCP packets before Bro performs any further
+## analysis. If the function signals to discard a packet, no further processing
+## will be performed on it.
+##
+## i: The IP header of the considered packet.
+## t: The TCP header.
+## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
+##
+## Returns: True if the packet should not be analyzed any further.
+##
+## .. :bro:see:: discarder_check_ip discarder_check_udp discarder_check_icmp
+##    discarder_maxlen
+##
+## .. note:: This is very low-level functionality and potentially expensive.
+##    Avoid using it.
+global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
+
+## Function for skipping packets based on their UDP header. If defined, this
+## function will be called for all UDP packets before Bro performs any further
+## analysis. If the function signals to discard a packet, no further processing
+## will be performed on it.
+##
+## i: The IP header of the considered packet.
+## t: The UDP header.
+## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
+##
+## Returns: True if the packet should not be analyzed any further.
+##
+## .. :bro:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp
+##    discarder_maxlen
+##
+## .. note:: This is very low-level functionality and potentially expensive.
+##    Avoid using it.
+global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
+
+## Function for skipping packets based on their ICMP header. If defined, this
+## function will be called for all ICMP packets before Bro performs any further
+## analysis. If the function signals to discard a packet, no further processing
+## will be performed on it.
+##
+## i: The IP header of the considered packet.
+## ih: The ICMP header.
+##
+## Returns: True if the packet should not be analyzed any further.
+##
+## .. :bro:see:: discarder_check_ip discarder_check_tcp discarder_check_udp
+##    discarder_maxlen
+##
+## .. note:: This is very low-level functionality and potentially expensive.
+##    Avoid using it.
+global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
+
+## Bro's watchdog interval.
+const watchdog_interval = 10 sec &redef;
+
+## The maximum number of timers to expire after processing each new
+## packet.  The value trades off spreading out the timer expiration load
+## with possibly having to hold state longer.  A value of 0 means
+## "process all expired timers with each new packet".
+const max_timer_expires = 300 &redef;
+
+## With a similar trade-off, this gives the number of remote events
+## to process in a batch before interleaving other activity.
+const max_remote_events_processed = 10 &redef;
+
+# These need to match the definitions in Login.h.
+#
+# .. bro:see:: get_login_state
+#
+# todo::use enum to make them autodoc'able
+const LOGIN_STATE_AUTHENTICATE = 0;	# Trying to authenticate.
+const LOGIN_STATE_LOGGED_IN = 1;	# Successful authentication.
+const LOGIN_STATE_SKIP = 2;	# Skip any further processing.
+const LOGIN_STATE_CONFUSED = 3;	# We're confused.
+
+# It would be nice to replace these function definitions with some
+# form of parameterized types.
+
+## Returns minimum of two ``double`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The minimum of *a* and *b*.
+function min_double(a: double, b: double): double { return a < b ? a : b; }
+
+## Returns maximum of two ``double`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The maximum of *a* and *b*.
+function max_double(a: double, b: double): double { return a > b ? a : b; }
+
+## Returns minimum of two ``interval`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The minimum of *a* and *b*.
+function min_interval(a: interval, b: interval): interval { return a < b ? a : b; }
+
+## Returns maximum of two ``interval`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The maximum of *a* and *b*.
+function max_interval(a: interval, b: interval): interval { return a > b ? a : b; }
+
+## Returns minimum of two ``count`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The minimum of *a* and *b*.
+function min_count(a: count, b: count): count { return a < b ? a : b; }
+
+## Returns maximum of two ``count`` values.
+##
+## a: First value.
+## b: Second value.
+##
+## Returns: The maximum of *a* and *b*.
+function max_count(a: count, b: count): count { return a > b ? a : b; }
+
+## TODO.
+global skip_authentication: set[string] &redef;
+
+## TODO.
+global direct_login_prompts: set[string] &redef;
+
+## TODO.
+global login_prompts: set[string] &redef;
+
+## TODO.
+global login_non_failure_msgs: set[string] &redef;
+
+## TODO.
+global login_failure_msgs: set[string] &redef;
+
+## TODO.
+global login_success_msgs: set[string] &redef;
+
+## TODO.
+global login_timeouts: set[string] &redef;
+
+## A MIME header key/value pair.
+##
+## .. bro:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
+type mime_header_rec: record {
+	name: string;	##< The header name.
+	value: string;	##< The header value.
+};
+
+## A list of MIME headers.
+##
+## .. bro:see:: mime_header_rec http_all_headers mime_all_headers
+type mime_header_list: table[count] of mime_header_rec;
+
+## The length of MIME data segments delivered to handlers of
+## :bro:see:`mime_segment_data`.
+##
+## .. bro:see:: mime_segment_data mime_segment_overlap_length
+global mime_segment_length = 1024 &redef;
+
+## The number of bytes of overlap between successive segments passed to
+## :bro:see:`mime_segment_data`.
+global mime_segment_overlap_length = 0 &redef;
+
+## An RPC portmapper mapping.
+##
+## .. bro:see:: pm_mappings
+type pm_mapping: record {
+	program: count;	##< The RPC program.
+	version: count;	##< The program version.
+	p: port;	##< The port.
+};
+
+## Table of RPC portmapper mappings.
+##
+## .. bro:see:: pm_request_dump
+type pm_mappings: table[count] of pm_mapping;
+
+## An RPC portmapper request.
+##
+## .. bro:see:: pm_attempt_getport pm_request_getport
+type pm_port_request: record {
+	program: count;	##< The RPC program.
+	version: count;	##< The program version.
+	is_tcp: bool;	##< True if using TCP.
+};
+
+## An RPC portmapper *callit* request.
+##
+## .. bro:see:: pm_attempt_callit pm_request_callit
+type pm_callit_request: record {
+	program: count;	##< The RPC program.
+	version: count;	##< The program version.
+	proc: count;	##< The procedure being called.
+	arg_size: count;	##< The size of the argument.
+};
+
+# See const.bif
+# const RPC_SUCCESS = 0;
+# const RPC_PROG_UNAVAIL = 1;
+# const RPC_PROG_MISMATCH = 2;
+# const RPC_PROC_UNAVAIL = 3;
+# const RPC_GARBAGE_ARGS = 4;
+# const RPC_SYSTEM_ERR = 5;
+# const RPC_TIMEOUT = 6;
+# const RPC_AUTH_ERROR = 7;
+# const RPC_UNKNOWN_ERROR = 8;
+
+## Mapping of numerical RPC status codes to readable messages.
+##
+## .. bro:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset rpc_dialogue rpc_reply
+const RPC_status = {
+	[RPC_SUCCESS] = "ok",
+	[RPC_PROG_UNAVAIL] = "prog unavail",
+	[RPC_PROG_MISMATCH] = "mismatch",
+	[RPC_PROC_UNAVAIL] = "proc unavail",
+	[RPC_GARBAGE_ARGS] = "garbage args",
+	[RPC_SYSTEM_ERR] = "system err",
+	[RPC_TIMEOUT] = "timeout",
+	[RPC_AUTH_ERROR] = "auth error",
+	[RPC_UNKNOWN_ERROR] = "unknown"
+};
+
+module NFS3;
+
+export {
+	## If true, :bro:see:`nfs_proc_read` and :bro:see:`nfs_proc_write` events return
+	## the file data that has been read/written.
+	##
+	## .. .. bro:see:: return_data_max return_data_first_only
+	const return_data = F &redef;
+
+	## If bro:id:`NFS3::return_data` is true, how much data should be returned at
+	## most.
+	const return_data_max = 512 &redef;
+
+	## If bro:id:`NFS3::return_data` is true, whether to *only* return data if the read
+	## or write offset is 0, i.e., only return data for the beginning of the file.
+	const return_data_first_only = T &redef;
+
+	## Record summarizing the general results and status of NFSv3 request/reply pairs.
+	##
+	## Note that when *rpc_stats* or *nfs_stats* indicates not successful, the reply
+	## record passed to the correpsonding event will be empty and contain uninitialized
+	## fields, so don't use it. Also note  that time and duration values might not be
+	## fully accurate. For TCP, we record times when the corresponding chunk of data
+	## is delivered to the analyzer. Depending on the reassembler, this might be well
+	## after the first packet of the request was received.
+	##
+	## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+	##    nfs_proc_mkdir nfs_proc_not_implemented nfs_proc_null
+	##    nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+	##    nfs_proc_rmdir nfs_proc_write nfs_reply_status
+	type info_t: record {
+		## The RPC status.
+		rpc_stat: rpc_status;
+		## The NFS status.
+		nfs_stat: status_t;
+		## The start time of the request.
+		req_start: time;
+		## The duration of the request.
+		req_dur: interval;
+		## The length in bytes of the request.
+		req_len: count;
+		## The start time of the reply.
+		rep_start: time;
+		## The duration of the reply.
+		rep_dur: interval;
+		## The length in bytes of the reply.
+		rep_len: count;
+	};
+
+	## NFS file attributes. Field names are based on RFC 1813.
+	##
+	## .. bro:see:: nfs_proc_getattr 
+	type fattr_t: record {
+		ftype: file_type_t;	##< File type.
+		mode: count;	##< Mode
+		nlink: count;	##< Number of links.
+		uid: count;	##< User ID.
+		gid: count;	##< Group ID.
+		size: count;	##< Size.
+		used: count;	##< TODO.
+		rdev1: count;	##< TODO.
+		rdev2: count;	##< TODO.
+		fsid: count;	##< TODO.
+		fileid: count;	##< TODO.
+		atime: time;	##< Time of last access.
+		mtime: time;	##< Time of last modification.
+		ctime: time;	##< Time of creation.
+	};
+
+	## NFS *readdir* arguments.
+	## 
+	## .. bro:see:: nfs_proc_readdir 
+	type diropargs_t : record {
+		dirfh: string;	##< The file handle of the directory.
+		fname: string;	##< The name of the file we are interested in.
+	};
+
+	## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the lookup
+	## succeeded, *fh* is always set and *obj_attr* and *dir_attr* may be set.
+	##
+	## .. bro:see:: nfs_proc_lookup 
+	type lookup_reply_t: record {
+		fh: string &optional;	##< File handle of object looked up.
+		obj_attr: fattr_t &optional;	##< Optional attributes associated w/ file
+		dir_attr: fattr_t &optional;	##< Optional attributes associated w/ dir.
+	};
+
+	## NFS *read* arguments.
+	##
+	## .. bro:see:: nfs_proc_read
+	type readargs_t: record {
+		fh: string;	##< File handle to read from.
+		offset: count;	##< Offset in file.
+		size: count;	##< Number of bytes to read.
+	};
+
+	## NFS *read* reply. If the lookup fails, *attr* may be set. If the lookup succeeds,
+	## *attr* may be set and all other fields are set. 
+	type read_reply_t: record {
+		attr: fattr_t &optional;	##< Attributes.
+		size: count &optional;	##< Number of bytes read.
+		eof: bool &optional;	##< Sid the read end at EOF.
+		data: string &optional;	##< The actual data; not yet implemented.
+	};
+
+	## NFS *readline* reply. If the request fails, *attr* may be set. If the request
+	## succeeds, *attr* may be set and all other fields are set.  
+	##
+	## .. bro:see:: nfs_proc_readlink
+	type readlink_reply_t: record {
+		attr: fattr_t &optional;	##< Attributes.
+		nfspath: string &optional;	##< Contents of the symlink; in general a pathname as text.
+	};
+
+	## NFS *write* arguments.
+	##
+	## .. bro:see:: nfs_proc_write 
+	type writeargs_t: record {
+		fh: string;	##< File handle to write to.
+		offset: count;	##< Offset in file.
+		size: count;	##< Number of bytes to write.
+		stable: stable_how_t;	##< How and when data is commited.
+		data: string &optional;	##< The actual data; not implemented yet.
+	};
+
+	## NFS *wcc* attributes.
+	## 
+	## .. bro:see:: NFS3::write_reply_t
+	type wcc_attr_t: record {
+		size: count;	##< The dize. 
+		atime: time;	##< Access time.
+		mtime: time;	##< Modification time.
+	};
+
+	## NFS *write* reply. If the request fails, *pre|post* attr may be set. If the
+	## request succeeds, *pre|post* attr may be set and all other fields are set. 
+	##
+	## .. bro:see:: nfs_proc_write 
+	type write_reply_t: record {
+		preattr: wcc_attr_t &optional;	##< Pre operation attributes.
+		postattr: fattr_t &optional;	##< Post operation attributes.
+		size: count &optional;	##< Size.
+		commited: stable_how_t &optional;	##< TODO.
+		verf: count &optional;	##< Write verifier cookie.
+	};
+
+	## NFS reply for *create*, *mkdir*, and *symlink*. If the proc
+	## failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the *attr*'s
+	## may be set. Note: no guarantee that *fh* is set after success. 
+	##
+	## .. bro:see:: nfs_proc_create nfs_proc_mkdir 
+	type newobj_reply_t: record {
+		fh: string &optional;	##< File handle of object created.
+		obj_attr: fattr_t &optional;	##< Optional attributes associated w/ new object.
+		dir_pre_attr: wcc_attr_t &optional;	##< Optional attributes associated w/ dir.
+		dir_post_attr: fattr_t &optional;	##< Optional attributes associated w/ dir.
+	};
+
+	## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec. 
+	##
+	## .. bro:see:: nfs_proc_remove nfs_proc_rmdir 
+	type delobj_reply_t: record {
+		dir_pre_attr: wcc_attr_t &optional;	##< Optional attributes associated w/ dir.
+		dir_post_attr: fattr_t &optional;	##< Optional attributes associated w/ dir.
+	};
+
+	## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
+	## 
+	## .. bro:see:: nfs_proc_readdir 
+	type readdirargs_t: record {
+		isplus: bool;	##< Is this a readdirplus request?
+		dirfh: string;	##< The directory filehandle.
+		cookie: count;	##< Cookie / pos in dir; 0 for first call.
+		cookieverf: count;	##< The cookie verifier.
+		dircount: count;	##< "count" field for readdir; maxcount otherwise (in bytes).
+		maxcount: count &optional;	##< Only used for readdirplus. in bytes.
+	};
+
+	## NFS *direntry*.  *fh* and *attr* are used for *readdirplus*. However, even
+	## for *readdirplus* they may not be filled out.
+	##
+	## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t 
+	type direntry_t: record {
+		fileid: count;	##< E.g., inode number.
+		fname:  string;	##< Filename.
+		cookie: count;	##< Cookie value.
+		attr: fattr_t &optional;	##< *readdirplus*: the *fh* attributes for the entry.
+		fh: string &optional;	##< *readdirplus*: the *fh* for the entry
+	};
+
+	## Vector of NFS *direntry*.
+	##
+	## .. bro:see:: NFS3::readdir_reply_t 
+	type direntry_vec_t: vector of direntry_t;
+
+	## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is
+	## returned, *dir_attr* might be set. On success, *dir_attr* may be set, all others
+	## must be set.
+	type readdir_reply_t: record {
+		isplus: bool;	##< True if the reply for a *readdirplus* request.
+		dir_attr: fattr_t &optional;	##< Directory attributes.
+		cookieverf: count &optional;	##< TODO.
+		entries: direntry_vec_t &optional;	##< Returned directory entries.
+		eof: bool;	##< If true, no more entries in directory.
+	};
+
+	## NFS *fsstat*.
+	type fsstat_t: record {
+		attrs: fattr_t &optional;	##< Attributes.
+		tbytes: double;	##< TODO.
+		fbytes: double;	##< TODO.
+		abytes: double;	##< TODO.
+		tfiles: double;	##< TODO.
+		ffiles: double;	##< TODO.
+		afiles: double;	##< TODO.
+		invarsec: interval;	##< TODO.
+	};
+} # end export
+
+module GLOBAL;
+
+## An NTP message.
+##
+## .. bro:see:: ntp_message 
+type ntp_msg: record {
+	id: count;	##< Message ID.
+	code: count;	##< Message code.
+	stratum: count;	##< Stratum.
+	poll: count;	##< Poll.
+	precision: int;	##< Precision.
+	distance: interval;	##< Distance.
+	dispersion: interval;	##< Dispersion.
+	ref_t: time;	##< Reference time.
+	originate_t: time;	##< Originating time.
+	receive_t: time;	##< Receive time.
+	xmit_t: time;	##< Send time.
+};
+
+
+## Maps SMB command numbers to descriptive names.
+global samba_cmds: table[count] of string &redef
+			&default = function(c: count): string
+				{ return fmt("samba-unknown-%d", c); };
+
+## An SMB command header.
+## 
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+type smb_hdr : record {
+	command: count;	##< The command number (see :bro:see:`samba_cmds` ).
+	status: count;	##< The status code.
+	flags: count;	##< Flag set 1.
+	flags2: count;	##< Flag set 2.
+	tid: count;	##< TODO.
+	pid: count;	##< Process ID.
+	uid: count;	##< User ID.
+	mid: count;	##< TODO.
+};
+
+## An SMB transaction.
+## 
+## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 
+type smb_trans : record {
+	word_count: count;	##< TODO.
+	total_param_count: count;	##< TODO.
+	total_data_count: count;	##< TODO.
+	max_param_count: count;	##< TODO.
+	max_data_count: count;	##< TODO.
+	max_setup_count: count;	##< TODO.
+#	flags: count;
+#	timeout: count;
+	param_count: count;	##< TODO.
+	param_offset: count;	##< TODO.
+	data_count: count;	##< TODO.
+	data_offset: count;	##< TODO.
+	setup_count: count;	##< TODO. 
+	setup0: count;	##< TODO.
+	setup1: count;	##< TODO.
+	setup2: count;	##< TODO.
+	setup3: count;	##< TODO.
+	byte_count: count;	##< TODO.
+	parameters: string;	##< TODO.
+};
+
+
+## SMB transaction data.
+## 
+## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 
+##    
+## .. todo:: Should this really be a record type?
+type smb_trans_data : record {
+	data : string;	##< The transaction's data.
+};
+
+## Deprecated. 
+## 
+## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
+##    else.  
+type smb_tree_connect : record {
+	flags: count;
+	password: string;
+	path: string;
+	service: string;
+};
+
+## Deprecated. 
+## 
+## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
+##    else.  
+type smb_negotiate : table[count] of string;
+
+## A list of router addresses offered by a DHCP server.
+##
+## .. bro:see:: dhcp_ack dhcp_offer 
+type dhcp_router_list: table[count] of addr;
+
+## A DHCP message.
+##
+## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
+##    dhcp_offer dhcp_release dhcp_request 
+type dhcp_msg: record {
+	op: count;	##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+	m_type: count;	##< The type of DHCP message.
+	xid: count;	##< Transaction ID of a DHCP session.
+	h_addr: string;	##< Hardware address of the client.
+	ciaddr: addr;	##< Original IP address of the client.
+	yiaddr: addr;	##< IP address assigned to the client.
+};
+
+## A DNS message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_message
+##    dns_query_reply dns_rejected dns_request
+type dns_msg: record {
+	id: count;	##< Transaction ID.
+
+	opcode: count;	##< Operation code.
+	rcode: count;	##< Return code.
+
+	QR: bool;	##< Query response flag.
+	AA: bool;	##< Authoritative answer flag.
+	TC: bool;	##< Truncated packet flag.
+	RD: bool;	##< Recursion desired flag.
+	RA: bool;	##< Recursion available flag.
+	Z: count;	##< TODO.
+
+	num_queries: count;	##< Number of query records.
+	num_answers: count;	##< Number of answer records.
+	num_auth: count;	##< Number of authoritative records.
+	num_addl: count;	##< Number of additional records.
+};
+
+## A DNS SOA record.
+##
+## .. bro:see:: dns_SOA_reply 
+type dns_soa: record {
+	mname: string;	##< Primary source of data for zone.
+	rname: string;	##< Mailbox for responsible person.
+	serial: count;	##< Version number of zone.
+	refresh: interval;	##< Seconds before refreshing.
+	retry: interval;	##< How long before retrying failed refresh.
+	expire: interval;	##< When zone no longer authoritative.
+	minimum: interval;	##< Minimum TTL to use when exporting.
+};
+
+## An additional DNS EDNS record.
+##
+## .. bro:see:: dns_EDNS_addl 
+type dns_edns_additional: record {
+	query: string;	##< Query.
+	qtype: count;	##< Query type.
+	t: count;	##< TODO.
+	payload_size: count;	##< TODO.
+	extended_rcode: count;	##< Extended return code.
+	version: count;	##< Version.
+	z_field: count;	##< TODO.
+	TTL: interval;	##< Time-to-live.
+	is_query: count;	##< TODO.
+};
+
+## An additional DNS TSIG record.
+##
+## bro:see:: dns_TSIG_addl 
+type dns_tsig_additional: record {
+	query: string;	##< Query.
+	qtype: count;	##< Query type.
+	alg_name: string;	##< Algorithm name.
+	sig: string;	##< Signature.
+	time_signed: time;	##< Time when signed.
+	fudge: time;	##< TODO.
+	orig_id: count;	##< TODO.
+	rr_error: count;	##< TODO.
+	is_query: count;	##< TODO.
+};
+
+# DNS answer types.
+# 
+# .. .. bro:see:: dns_answerr
+# 
+# todo::use enum to make them autodoc'able
+const DNS_QUERY = 0;	##< A query. This shouldn't occur, just for completeness.
+const DNS_ANS = 1;	##< An answer record.
+const DNS_AUTH = 2;	##< An authorative record.
+const DNS_ADDL = 3;	##< An additional record.
+
+## The general part of a DNS reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply
+##    dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TXT_reply dns_WKS_reply
+type dns_answer: record {
+	## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`,
+	## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`. 
+	answer_type: count;
+	query: string;	##< Query.
+	qtype: count;	##< Query type.
+	qclass: count;	##< Query class.
+	TTL: interval;	##< Time-to-live.
+};
+
+## For DNS servers in these sets, omit processing the AUTH records they include in
+## their replies.
+##
+## .. bro:see:: dns_skip_all_auth dns_skip_addl
+global dns_skip_auth: set[addr] &redef;
+
+## For DNS servers in these sets, omit processing the ADDL records they include in
+## their replies.
+##
+## .. bro:see:: dns_skip_all_addl dns_skip_auth
+global dns_skip_addl: set[addr] &redef;
+
+## If true, all DNS AUTH records are skipped.  
+##
+## .. bro:see:: dns_skip_all_addl dns_skip_auth
+global dns_skip_all_auth = T &redef;
+
+## If true, all DNS ADDL records are skipped. 
+##
+## .. bro:see:: dns_skip_all_auth dns_skip_addl
+global dns_skip_all_addl = T &redef;
+
+## If a DNS request includes more than this many queries, assume it's non-DNS
+## traffic and do not process it.  Set to 0 to turn off this functionality. 
+global dns_max_queries = 5;
+
+## The maxiumum size in bytes for an SSL cipher specifcation.  If we see a packet
+## that has bigger cipherspecs, we won't do a comparisons of cipherspecs.
+const ssl_max_cipherspec_size = 68 &redef;
+
+# todo::Is this still used?
+# type X509_extensions: table[count] of string;
+
+## An X509 certificate.
+##
+## .. bro:see:: x509_certificate 
+type X509: record {
+	version: count;	##< Version number.
+	serial: string;	##< Serial number.
+	subject: string;	##< Subject. 
+	issuer: string;	##< Issuer.
+	not_valid_before: time;	##< Timestamp before when certificate is not valid.
+	not_valid_after: time;	##< Timestamp after when certificate is not valid.
+};
+
+# This is indexed with the CA's name and yields a DER (binary) encoded certificate.
+# todo::Is this still used?
+# const root_ca_certs: table[string] of string = {} &redef;
+
+## HTTP session statistics.
+##
+## .. bro:see:: http_stats 
+type http_stats_rec: record {
+	num_requests: count;	##< Number of requests.
+	num_replies: count;	##< Number of replies.
+	request_version: double;	##< HTTP version of the requests.
+	reply_version: double;	##< HTTP Version of the replies.
+};
+
+## HTTP message statistics.
+##
+## .. bro:see:: http_message_done 
+type http_message_stat: record {
+	## When the request/reply line was complete.
+	start: time;
+	## Whether the message was interrupted.
+	interrupted: bool;
+	## Reason phrase if interrupted.
+	finish_msg: string;
+	## Length of body processed (before finished/interrupted).
+	body_length: count;
+	## Total length of gaps within body_length.
+	content_gap_length: count;
+	## Length of headers (including the req/reply line, but not CR/LF's).
+	header_length: count;
+};
+
+## Maximum number of HTTP entity data delivered to events. The amount of data
+## can be limited for better performance, zero disables truncation.  
+## 
+## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data
+global http_entity_data_delivery_size = 1500 &redef;
+
+## Skip HTTP data for performance considerations. The skipped
+## portion will not go through TCP reassembly. 
+## 
+## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size
+const skip_http_data = F &redef;
+
+## Maximum length of HTTP URIs passed to events. Longer ones will be truncated
+## to prevent over-long URIs (usually sent by worms) from slowing down event
+## processing.  A value of -1 means "do not truncate".
+## 
+## .. bro:see:: http_request
+const truncate_http_URI = -1 &redef;
+
+## IRC join information. 
+## 
+## .. bro:see:: irc_join_list
+type irc_join_info: record {
+	nick: string;
+	channel: string;
+	password: string;
+	usermode: string;
+};
+
+## Set of IRC join information.
+##
+## .. bro:see:: irc_join_message 
+type irc_join_list: set[irc_join_info];
+
+## Deprecated. 
+## 
+## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
+##    else.  
+global irc_servers : set[addr] &redef;
+
+## Internal to the stepping stone detector.
+const stp_delta: interval &redef;
+
+## Internal to the stepping stone detector.
+const stp_idle_min: interval &redef;
+
+## Internal to the stepping stone detector.
+global stp_skip_src: set[addr] &redef;
+
+## Deprecated.
+const interconn_min_interarrival: interval &redef;
+
+## Deprecated.
+const interconn_max_interarrival: interval &redef;
+
+## Deprecated.
+const interconn_max_keystroke_pkt_size: count &redef;
+
+## Deprecated.
+const interconn_default_pkt_size: count &redef;
+
+## Deprecated.
+const interconn_stat_period: interval &redef;
+
+## Deprecated.
+const interconn_stat_backoff: double &redef;
+
+## Deprecated.
+type interconn_endp_stats: record {
+	num_pkts: count;
+	num_keystrokes_two_in_row: count;
+	num_normal_interarrivals: count;
+	num_8k0_pkts: count;
+	num_8k4_pkts: count;
+	is_partial: bool;
+	num_bytes: count;
+	num_7bit_ascii: count;
+	num_lines: count;
+	num_normal_lines: count;
+};
+
+## Deprecated.
+const backdoor_stat_period: interval &redef;
+
+## Deprecated.
+const backdoor_stat_backoff: double &redef;
+
+## Deprecated.
+type backdoor_endp_stats: record {
+	is_partial: bool;
+	num_pkts: count;
+	num_8k0_pkts: count;
+	num_8k4_pkts: count;
+	num_lines: count;
+	num_normal_lines: count;
+	num_bytes: count;
+	num_7bit_ascii: count;
+};
+
+## Description of a signature match.
+##
+## .. bro:see:: signature_match 
+type signature_state: record {
+	sig_id:       string;	##< ID of the matching signature.
+	conn:         connection;	##< Matching connection.
+	is_orig:      bool;	##< True if matching endpoint is originator.
+	payload_size: count;	##< Payload size of the first matching packet of current endpoint.
+};
+
+# Deprecated. 
+# 
+# .. todo:: This type is no longer used. Remove any reference of this from the
+#    core. 
+type software_version: record {
+	major: int;
+	minor: int;
+	minor2: int;
+	addl: string;
+};
+
+# Deprecated. 
+# 
+# .. todo:: This type is no longer used. Remove any reference of this from the
+#    core. 
+type software: record {
+	name: string;
+	version: software_version;
+};
+
+## Quality of passive fingerprinting matches.
+##
+## .. .. bro:see:: OS_version
+type OS_version_inference: enum {
+	direct_inference,	##< TODO.
+	generic_inference,	##< TODO.
+	fuzzy_inference,	##< TODO.
+};
+
+## Passive fingerprinting match.
+##
+## .. bro:see:: OS_version_found 
+type OS_version: record {
+	genre: string;	##< Linux, Windows, AIX, ...
+	detail: string;	##< Lernel version or such.
+	dist: count;	##< How far is the host away from the sensor (TTL)?.
+	match_type: OS_version_inference;	##< Quality of the match.
+};
+
+## Defines for which subnets we should do passive fingerprinting.
+##
+## .. bro:see:: OS_version_found 
+global generate_OS_version_event: set[subnet] &redef;
+
+# Type used to report load samples via :bro:see:`load_sample`. For now, it's a
+# set of names (event names, source file names, and perhaps ``<source file, line
+# number>``, which were seen during the sample. 
+type load_sample_info: set[string];
+
+## ID for NetFlow header. This is primarily a means to sort together NetFlow
+## headers and flow records at the script level.  
+type nfheader_id: record {
+	## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving socket address
+	## (e.g., ``127.0.0.1:5555``), or an explicit name if specified to
+	## ``-y`` or ``-Y``.  
+	rcvr_id: string;
+	## A serial number, ignoring any overflows.
+	pdu_id: count;
+};
+
+## A NetFlow v5 header.
+##
+## .. bro:see:: netflow_v5_header 
+type nf_v5_header: record {
+	h_id: nfheader_id;	##< ID for sorting.
+	cnt: count;	##< TODO.
+	sysuptime: interval;	##< Router's uptime.
+	exporttime: time;	##< When the data was exported.
+	flow_seq: count;	##< Sequence number.
+	eng_type: count;	##< Engine type.
+	eng_id: count;	##< Engine ID.
+	sample_int: count;	##< Sampling interval.
+	exporter: addr;	##< Exporter address.
+};
+
+## A NetFlow v5 record.
+##
+## .. bro:see:: netflow_v5_record
+type nf_v5_record: record {     
+	h_id: nfheader_id;	##< ID for sorting.
+	id: conn_id;	##< Connection ID.
+	nexthop: addr;	##< Address of next hop.
+	input: count;	##< Input interface.
+	output: count;	##< Output interface.
+	pkts: count;	##< Number of packets.
+	octets: count;	##< Number of bytes.
+	first: time;	##< Timestamp of first packet.
+	last: time;	##< Timestamp of last packet.
+	tcpflag_fin: bool;	##< FIN flag for TCP flows.
+	tcpflag_syn: bool;	##< SYN flag for TCP flows.
+	tcpflag_rst: bool;	##< RST flag for TCP flows.
+	tcpflag_psh: bool;	##< PSH flag for TCP flows.
+	tcpflag_ack: bool;	##< ACK flag for TCP flows.
+	tcpflag_urg: bool;	##< URG flag for TCP flows.
+	proto: count;	##< IP protocol.
+	tos: count;	##< Type of service.
+	src_as: count;	##< Source AS.
+	dst_as: count;	##< Destination AS.
+	src_mask: count;	##< Source mask.
+	dst_mask: count;	##< Destination mask.
+};
+
+
+## A BitTorrent peer.
+##
+## .. bro:see:: bittorrent_peer_set
+type bittorrent_peer: record {
+	h: addr;	##< The peer's address.
+	p: port;	##< The peer's port.
+};
+
+## A set of BitTorrent peers.
+##    
+## .. bro:see:: bt_tracker_response
+type bittorrent_peer_set: set[bittorrent_peer];
+
+## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per
+## http://en.wikipedia.org/wiki/Bencode.
+##
+## .. bro:see:: bittorrent_benc_dir
+type bittorrent_benc_value: record {
+	i: int &optional;	##< TODO.
+	s: string &optional;	##< TODO.
+	d: string &optional;	##< TODO.
+	l: string &optional;	##< TODO.
+};
+
+## A table of BitTorrent "benc" values.
+##
+## .. bro:see:: bt_tracker_response
+type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
+
+## Header table type used by BitTorrent analyzer.
+##
+## .. bro:see:: bt_tracker_request bt_tracker_response
+##    bt_tracker_response_not_ok 
+type bt_tracker_headers: table[string] of string;
+
+@load base/event.bif
+
+## BPF filter the user has set via the -f command line options. Empty if none.   
+const cmd_line_bpf_filter = "" &redef;
+
+## Deprecated.
+const log_rotate_interval = 0 sec &redef;
+
+## Deprecated.
+const log_rotate_base_time = "0:00" &redef;
+
+## Deprecated.
+const log_max_size = 0.0 &redef;
+
+## Deprecated.
+const log_encryption_key = "<undefined>" &redef;
+
+## Write profiling info into this file in regular intervals. The easiest way to
+## activate profiling is loading  :doc:`/scripts/policy/misc/profiling`.
+##
+## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling 
+global profiling_file: file &redef;
+
+## Update interval for profiling (0 disables).  The easiest way to activate
+## profiling is loading  :doc:`/scripts/policy/misc/profiling`.
+##
+## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling  
+const profiling_interval = 0 secs &redef;
+
+## Multiples of profiling_interval at which (more expensive) memory profiling is
+## done (0 disables).
+##
+## .. bro:see:: profiling_interval profiling_file segment_profiling 
+const expensive_profiling_multiple = 0 &redef;
+
+## If true, then write segment profiling information (very high volume!)
+## in addition to profiling statistics.
+## 
+## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file
+const segment_profiling = F &redef;
+
+## Output modes for packet profiling information.
+##
+## .. bro:see:: pkt_profile_mode pkt_profile_freq pkt_profile_mode pkt_profile_file
+type pkt_profile_modes: enum {
+	PKT_PROFILE_MODE_NONE,	##< No output.
+	PKT_PROFILE_MODE_SECS,	##< Output every :bro:see:`pkt_profile_freq` seconds.
+	PKT_PROFILE_MODE_PKTS,	##< Output every :bro:see:`pkt_profile_freq` packets.
+	PKT_PROFILE_MODE_BYTES,	##< Output every :bro:see:`pkt_profile_freq` bytes.
+};
+
+## Output modes for packet profiling information.
+##
+## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode pkt_profile_file
+const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef;
+
+## Frequency associated with packet profiling.
+##
+## .. bro:see:: pkt_profile_modes pkt_profile_mode pkt_profile_mode pkt_profile_file
+const pkt_profile_freq = 0.0 &redef;
+
+## File where packet profiles are logged.
+##
+## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode pkt_profile_mode
+global pkt_profile_file: file &redef;
+
+## Rate at which to generate :bro:see:`load_sample` events. As all
+## events, the event is only generated if you've also defined a
+## :bro:see:`load_sample`  handler.  Units are inverse number of packets; e.g., a
+## value of 20 means "roughly one in every 20 packets".
+##
+## .. bro:see:: load_sample
+global load_sample_freq = 20 &redef;
+
+## Rate at which to generate :bro:see:`gap_report`  events assessing to what degree
+## the measurement process appears to exhibit loss.
+## 
+## .. bro:see:: gap_report
+const gap_report_freq = 1.0 sec &redef;
+
+## Whether we want :bro:see:`content_gap`  and :bro:see:`gap_report`  for partial
+## connections. A connection is partial if it is missing a full handshake. Note
+## that gap reports for partial connections might not be reliable.
+## 
+## .. bro:see:: content_gap gap_report partial_connection
+const report_gaps_for_partial = F &redef;
+
+## The CA certificate file to authorize remote Bros/Broccolis.
+## 
+## .. bro:see:: ssl_private_key ssl_passphrase
+const ssl_ca_certificate = "<undefined>" &redef;
+
+## File containing our private key and our certificate.
+## 
+## .. bro:see:: ssl_ca_certificate ssl_passphrase
+const ssl_private_key = "<undefined>" &redef;
+
+## The passphrase for our private key. Keeping this undefined
+## causes Bro to prompt for the passphrase.
+## 
+## .. bro:see:: ssl_private_key ssl_ca_certificate
+const ssl_passphrase = "<undefined>" &redef;
+
+## Default mode for Bro's user-space dynamic packet filter. If true, packets that
+## aren't explicitly allowed through, are dropped from any further processing. 
+## 
+## .. note:: This is not the BPF packet filter but an additional dynamic filter
+##    that Bro optionally applies just before normal processing starts. 
+##    
+## .. bro:see:: install_dst_addr_filter install_dst_net_filter 
+##    install_src_addr_filter install_src_net_filter  uninstall_dst_addr_filter
+##    uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter 
+const packet_filter_default = F &redef;
+
+## Maximum size of regular expression groups for signature matching.
+const sig_max_group_size = 50 &redef;
+
+## Deprecated. No longer functional.
+const enable_syslog = F &redef;
+
+## Description transmitted to remote communication peers for identification.
+const peer_description = "bro" &redef;
+
+## If true, broadcast events received from one peer to all other peers.  
+## 
+## .. bro:see:: forward_remote_state_changes
+##
+## .. note:: This option is only temporary and  will disappear once we get a more
+##    sophisticated script-level communication framework.
+const forward_remote_events = F &redef;
+
+## If true, broadcast state updates received from one peer to all other peers.  
+## 
+## .. bro:see:: forward_remote_events 
+##
+## .. note:: This option is only temporary and  will disappear once we get a more
+##    sophisticated script-level communication framework.
+const forward_remote_state_changes = F &redef;
+
+## Place-holder constant indicating "no peer".
+const PEER_ID_NONE = 0;
+
+## Deprecated.
+## 
+## .. todo:: The connection compressor is scheduled to be removed from Bro.
+const use_connection_compressor = F &redef;
+
+## Deprecated.
+## 
+## .. todo:: The connection compressor is scheduled to be removed from Bro.
+const cc_handle_resets = F &redef;
+
+## Deprecated.
+## 
+## .. todo:: The connection compressor is scheduled to be removed from Bro.
+const cc_handle_only_syns = T &redef;
+
+## Deprecated.
+## 
+## .. todo:: The connection compressor is scheduled to be removed from Bro.
+const cc_instantiate_on_data = F &redef;
+
+# Signature payload pattern types.
+# todo::use enum to help autodoc
+# todo::Still used?
+#const SIG_PATTERN_PAYLOAD = 0;
+#const SIG_PATTERN_HTTP = 1;
+#const SIG_PATTERN_FTP = 2;
+#const SIG_PATTERN_FINGER = 3;
+
+# Deprecated.
+# todo::Should use the new logging framework directly.
+const REMOTE_LOG_INFO = 1;	##< Deprecated.
+const REMOTE_LOG_ERROR = 2;	##< Deprecated.
+
+# Source of logging messages from the communication framework.
+# todo::these should go into an enum to make them autodoc'able.
+const REMOTE_SRC_CHILD = 1;	##< Message from the child process.
+const REMOTE_SRC_PARENT = 2;	##< Message from the parent process.
+const REMOTE_SRC_SCRIPT = 3;	##< Message from a policy script.
+
+## Synchronize trace processing at a regular basis in pseudo-realtime mode.
+## 
+## .. bro:see:: remote_trace_sync_peers
+const remote_trace_sync_interval = 0 secs &redef;
+
+## Number of peers across which to synchronize trace processing in
+## pseudo-realtime mode. 
+## 
+## .. bro:see:: remote_trace_sync_interval
+const remote_trace_sync_peers = 0 &redef;
+
+## Whether for :bro:attr:`&synchronized` state to send the old value as a
+## consistency check. 
+const remote_check_sync_consistency = F &redef;
+
+## Analyzer tags. The core automatically defines constants
+## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
+## 
+## .. bro:see:: dpd_config
+##
+## .. todo::We should autodoc these automaticallty generated constants.
+type AnalyzerTag: count;
+
+## Set of ports activating a particular protocol analysis.
+##
+## .. bro:see:: dpd_config
+type dpd_protocol_config: record {
+	ports: set[port] &optional;	##< Set of ports.
+};
+
+## Port configuration for Bro's "dynamic protocol detection". Protocol
+## analyzers can be activated via either well-known ports or content analysis.
+## This table defines the ports.
+##
+## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning dpd_ignore_ports 
+const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
+
+## Reassemble the beginning of all TCP connections before doing
+## signature-matching. Enabling this provides more accurate matching at the
+## expensive of CPU cycles.
+##
+## .. bro:see:: dpd_config dpd_buffer_size
+##    dpd_match_only_beginning dpd_ignore_ports 
+## 
+## .. note:: Despite the name, this option affects *all* signature matching, not
+##    only signatures used for dynamic protocol detection. 
+const dpd_reassemble_first_packets = T &redef;
+
+## Size of per-connection buffer used for dynamic protocol detection. For each
+## connection, Bro buffers this initial amount of payload in memory so that
+## complete protocol analysis can start even after the initial packets have
+## already passed through (i.e., when a DPD signature matches only later).
+## However, once the buffer is full, data is deleted and lost to analyzers that are
+## activated afterwards. Then only analyzers that can deal with partial
+## connections will be able to analyze the session. 
+##
+## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
+##    dpd_ignore_ports 
+const dpd_buffer_size = 1024 &redef;
+
+## If true, stops signature matching if dpd_buffer_size has been reached.
+##
+## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_config dpd_ignore_ports 
+## 
+## .. note:: Despite the name, this option affects *all* signature matching, not
+##    only signatures used for dynamic protocol detection. 
+const dpd_match_only_beginning = T &redef;
+
+## If true, don't consider any ports for deciding which protocol analyzer to
+## use. If so, the value of :bro:see:`dpd_config` is ignored. 
+##
+## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning dpd_config
+const dpd_ignore_ports = F &redef;
+
+## Ports which the core considers being likely used by servers. For ports in
+## this set, is may heuristically decide to flip the direction of the
+## connection if it misses the initial handshake. 
+const likely_server_ports: set[port] &redef;
+
+## Deprated. Set of all ports for which we know an analyzer, built by
+## :doc:`/scripts/base/frameworks/dpd/main`. 
+##
+## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
+##    itself we still need it. 
+global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
+
+## Per-incident timer managers are drained after this amount of inactivity.
+const timer_mgr_inactivity_timeout = 1 min &redef;
+
+## If true, output profiling for time-machine queries.
+const time_machine_profiling = F &redef;
+
+## If true, warns about unused event handlers at startup.
+const check_for_unused_event_handlers = F &redef;
+
+# If true, dumps all invoked event handlers at startup.
+# todo::Still used? 
+# const dump_used_event_handlers = F &redef;
+
+## Deprecated.
+const suppress_local_output = F &redef;
+
+## Holds the filename of the trace file given with -w (empty if none).
+##
+## .. bro:see:: record_all_packets
+const trace_output_file = "";
+
+## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it. By
+## default, Bro applies (very few) heuristics to reduce the volume. A side effect
+## of setting this to true is that we can write the packets out before we actually
+## process them, which can be helpful for debugging in case the analysis triggers a
+## crash.
+## 
+## .. bro:see:: trace_output_file
+const record_all_packets = F &redef;
+
+## Ignore certain TCP retransmissions for :bro:see:`conn_stats`.  Some connections
+## (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive.
+## If *ignore_keep_alive_rexmit* is set to true, such retransmissions will be
+## excluded in the rexmit counter in :bro:see:`conn_stats`.
+##
+## .. bro:see:: conn_stats
+const ignore_keep_alive_rexmit = F &redef;
+
+## Whether the analysis engine parses IP packets encapsulated in
+## UDP tunnels. 
+##
+## .. bro:see:: tunnel_port
+const parse_udp_tunnels = F &redef;
+
+## Number of bytes per packet to capture from live interfaces.
+const snaplen = 8192 &redef;
+
+# Load the logging framework here because it uses fairly deep integration with 
+# BiFs and script-land defined types.
+@load base/frameworks/logging
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
new file mode 100644
index 0000000000..1cf125c3ab
--- /dev/null
+++ b/scripts/base/init-default.bro
@@ -0,0 +1,41 @@
+##! This script loads everything in the base/ script directory.  If you want
+##! to run Bro without all of these scripts loaded by default, you can use
+##! the -b (--bare-mode) command line argument.  You can also copy the "@load"
+##! lines from this script to your own script to load only the scripts that 
+##! you actually want.
+
+@load base/utils/site
+@load base/utils/addrs
+@load base/utils/conn-ids
+@load base/utils/directions-and-hosts
+@load base/utils/files
+@load base/utils/numbers
+@load base/utils/paths
+@load base/utils/patterns
+@load base/utils/strings
+@load base/utils/thresholds
+
+# This has some deep interplay between types and BiFs so it's 
+# loaded in base/init-bare.bro
+#@load base/frameworks/logging
+@load base/frameworks/notice
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/frameworks/packet-filter
+@load base/frameworks/software
+@load base/frameworks/communication
+@load base/frameworks/control
+@load base/frameworks/cluster
+@load base/frameworks/metrics
+@load base/frameworks/intel
+@load base/frameworks/reporter
+
+@load base/protocols/conn
+@load base/protocols/dns
+@load base/protocols/ftp
+@load base/protocols/http
+@load base/protocols/irc
+@load base/protocols/smtp
+@load base/protocols/ssh
+@load base/protocols/ssl
+@load base/protocols/syslog
diff --git a/policy/sigs/p0fsyn.osf b/scripts/base/misc/p0f.fp
similarity index 82%
rename from policy/sigs/p0fsyn.osf
rename to scripts/base/misc/p0f.fp
index 8767265819..0ee37b4e37 100644
--- a/policy/sigs/p0fsyn.osf
+++ b/scripts/base/misc/p0f.fp
@@ -11,7 +11,7 @@
 # | add new signatures.                                                     |
 # `-------------------------------------------------------------------------'
 #
-# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+# (C) Copyright 2000-2006 by Michal Zalewski <lcamtuf@coredump.cx>
 #
 # Each line in this file specifies a single fingerprint. Please read the
 # information below carefully before attempting to append any signatures
@@ -28,7 +28,7 @@
 #   cases, the value is just arbitrary.
 #
 #   NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
-#   appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
+#   appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' 
 #   means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
 #   value of nn is not fixed (unlikely), just copy the Snn or Tnn token
 #   literally. If you know this device has a simple stack and a fixed
@@ -40,7 +40,7 @@
 #   to be a multitude of variants and WSS selection algorithms, but it's
 #   rather difficult to find a pattern without having the source.
 #
-#   If WSS looks like a regular fixed value (for example is a power of two),
+#   If WSS looks like a regular fixed value (for example is a power of two), 
 #   or if you can confirm the value is fixed by looking at several
 #   fingerprints, please quote it literaly. If there's no apparent pattern
 #   in WSS chosen, you should consider wildcarding this value - but this
@@ -51,8 +51,8 @@
 #   the MTU of the NAT device, but WSS remains a multiple of the original
 #   MSS. Fortunately for us, the source device would almost always be
 #   hooked up to Ethernet. P0f handles it automatically for the original
-#   MSS of 1460, by adding "NAT!" tag to the result.
-#
+#   MSS of 1460, by adding "NAT!" tag to the result. 
+#   
 #   In certain configurations, Linux erratically (?) uses MTU from another
 #   interface on the default gw interface. This only happens on systems with
 #   two network interfaces. Thus, some Linux systems that do not go thru NAT,
@@ -79,7 +79,7 @@
 #
 # - Initial TTL - We check the actual TTL of a received packet. It can't
 #   be higher than the initial TTL, and also shouldn't be dramatically
-#   lower (maximum distance is defined in config.h as 40 hops).
+#   lower (maximum distance is defined in config.h as 40 hops). 
 #
 #   NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
 #   You need to determine the initial TTL. The best way to do it is to
@@ -117,7 +117,7 @@
 #
 # - Window scaling (WSCALE) - this feature is used to scale WSS.
 #   It extends the size of a TCP/IP window to 32 bits, of sorts. Some modern
-#   systems implement this feature.
+#   systems implement this feature. 
 #
 #   NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
 #   to zero or other low value. There's usually no need to wildcard this
@@ -128,7 +128,7 @@
 #
 #   NEW SIGNATURE: Copy T or T0 option literally.
 #
-# - Selective ACK permitted - a flag set by systems that implement
+# - Selective ACK permitted - a flag set by systems that implement 
 #   selective ACK functionality,
 #
 #   NEW SIGNATURE: copy S option literally.
@@ -155,7 +155,7 @@
 #   NEW SIGNATURE: Copy the sequence literally.
 #
 # - Quirks. Some buggy stacks set certain values that should be zeroed in a
-#   TCP packet to non-zero values. This has no effect as of today, but is
+#   TCP packet to non-zero values. This has no effect as of today, but is 
 #   a valuable source of information. Some systems actually seem to leak
 #   memory there. Other systems just exhibit harmful but very specific
 #   behavior. This section captures all unusual yes-no properties not
@@ -224,13 +224,13 @@
 #     because of a badly broken packet, it records this fact.
 #
 #   There are several other quirks valid only in RST+ mode, see p0fr.fp for
-#   more information. Those quirks are unheard of in SYN and SYN+ACK
+#   more information. Those quirks are unheard of in SYN and SYN+ACK 
 #   modes.
 #
 #   NEW SIGNATURE: Copy "quirks" section literally.
 #
 # We DO NOT use ToS for fingerprinting. While the original TCP/IP
-# fingerprinting research believed this value would be useful for this
+# fingerprinting research believed this value would be useful for this 
 # purpose, it is not. The setting is way too often tweaked by network
 # devices.
 #
@@ -244,7 +244,7 @@
 #
 # wwww     - window size (can be * or %nnn or Sxx or Txx)
 #	     "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
-# ttt      - initial TTL
+# ttt      - initial TTL 
 # D        - don't fragment bit (0 - not set, 1 - set)
 # ss       - overall SYN packet size (* has a special meaning)
 # OOO      - option value and order specification (see below)
@@ -258,7 +258,7 @@
 # bogus.
 #
 # If OS genre starts with @, it denotes an approximate hit for a group
-# of operating systems (signature reporting still enabled in this case).
+# of operating systems (signature reporting still enabled in this case). 
 # Use this feature at the end of this file to catch cases for which
 # you don't have a precise match, but can tell it's Windows or FreeBSD
 # or whatnot by looking at, say, flag layout alone.
@@ -310,7 +310,7 @@
 # -----------------------
 #
 # Do not add a system X as OS Y just because NMAP says so. It is often
-# the case that X is a NAT firewall. While nmap is talking to the
+# the case that X is a NAT firewall. While nmap is talking to the 
 # device itself, p0f is fingerprinting the guy behind the firewall
 # instead.
 #
@@ -363,6 +363,7 @@
 
 # ----------------- Linux -------------------
 
+S1:64:0:44:M*:A:Linux:1.2.x
 512:64:0:44:M*:.:Linux:2.0.3x (1)
 16384:64:0:44:M*:.:Linux:2.0.3x (2)
 
@@ -371,67 +372,73 @@
 64:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (2)
 
 S4:64:1:60:M1360,S,T,N,W0:.:Linux:2.4 (Google crawlbot)
+S4:64:1:60:M1430,S,T,N,W0:.:Linux:2.4-2.6 (Google crawlbot)
 
-# Linux 2.6.0-test has an identical footprint as 2.4. I
-# wouldn't put it here until 2.6 gets a bit more, err,
-# mature (and perhaps starts to differ ;-), but many
-# people keep submitting 2.6.0-tests.
+S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (large MTU?)
+S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (newer)
+S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4-2.6
 
-S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (big boy)
-S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4.18 and newer
-S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4/2.6
+S3:64:1:60:M*,S,T,N,W1:.:Linux:2.6, seldom 2.4 (older, 1)
+S4:64:1:60:M*,S,T,N,W1:.:Linux:2.6, seldom 2.4 (older, 2)
+S3:64:1:60:M*,S,T,N,W2:.:Linux:2.6, seldom 2.4 (older, 3)
+S4:64:1:60:M*,S,T,N,W2:.:Linux:2.6, seldom 2.4 (older, 4)
+T4:64:1:60:M*,S,T,N,W2:.:Linux:2.6 (older, 5)
 
-S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4) (1)
-S4:64:1:60:M*,S,T,N,W1:.:Linux:2.5/2.6 (sometimes 2.4) (2)
-S3:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (3)
-S4:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (4)
+S4:64:1:60:M*,S,T,N,W5:.:Linux:2.6 (newer, 1)
+S4:64:1:60:M*,S,T,N,W6:.:Linux:2.6 (newer, 2)
+S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 3)
+T4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 4)
 
-S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer
-S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1)
-S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2)
+
+S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1)
+S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2)
+S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (3)
 
 # Popular cluster config scripts disable timestamps and
 # selective ACK:
 
 S4:64:1:48:M1460,N,W0:.:Linux:2.4 in cluster
 
-# This needs to be investigated. On some systems, WSS
-# is selected as a multiple of MTU instead of MSS. I got
-# many submissions for this for many late versions of 2.4:
-
-T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (late, uncommon)
-
 # This happens only over loopback, but let's make folks happy:
-32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (local)
-S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (local)
+32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (loopback)
+32767:64:1:60:M16396,S,T,N,W2:.:Linux:2.6 (newer, loopback)
+S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (loopback)
 
 # Opera visitors:
 16384:64:1:60:M*,S,T,N,W0:.:-Linux:2.2 (Opera?)
 32767:64:1:60:M*,S,T,N,W0:.:-Linux:2.4 (Opera?)
 
-# Some fairly common mods:
-S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 w/o timestamps
-S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 w/o timestamps
+# Some fairly common mods & oddities:
+S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 (tstamp-)
+S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 (tstamp-)
+S4:64:1:52:M*,N,N,S,N,W2:.:Linux:2.6 (tstamp-)
+S4:64:1:44:M*:.:Linux:2.6? (barebone, rare!)
+T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (rare!)
 
 # ----------------- FreeBSD -----------------
 
-16384:64:1:44:M*:.:FreeBSD:2.0-4.1
+16384:64:1:44:M*:.:FreeBSD:2.0-4.2
 16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (1)
 
 1024:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (2)
 
-57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (no RFC1323)
-57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.8
+57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (RFC1323-)
+57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.9
 
 32768:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.8-5.1 (or MacOS X 10.2-10.3)
-65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (1)
-65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (2)
+65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.2 (or MacOS X 10.2-10.4) (1)
+65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.2 (or MacOS X 10.2-10.4) (2)
 
-65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-current (1)
-65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-current (2)
-65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-current (3)
+65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1 (1)
+65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1 (2)
+65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1 (3)
+65535:64:1:64:M*,N,N,S,N,W1,N,N,T:.:FreeBSD:5.3-5.4
+65535:64:1:64:M*,N,W1,N,N,T,S,E:P:FreeBSD:6.x (1)
+65535:64:1:64:M*,N,W0,N,N,T,S,E:P:FreeBSD:6.x (2)
 
-# 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (w/o timestamps)
+65535:64:1:44:M*:Z:FreeBSD:5.2 (RFC1323-)
+
+# 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (tstamp-)
 
 # ----------------- NetBSD ------------------
 
@@ -440,42 +447,51 @@ S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 w/o timestamps
 16384:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6
 65535:64:1:60:M*,N,W1,N,N,T0:.:NetBSD:1.6W-current (DF)
 65535:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6X (DF)
+32768:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6Z or 2.0 (DF)
+32768:64:1:64:M1416,N,W0,S,N,N,N,N,T0:.:NetBSD:2.0G (DF)
+32768:64:1:64:M*,N,W0,S,N,N,N,N,T0:.:NetBSD:3.0 (DF)
 
 # ----------------- OpenBSD -----------------
 
-16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
+16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.9
 57344:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.3-3.4
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 (scrub)
-65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera)
+65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera?)
+32768:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.7
 
 # ----------------- Solaris -----------------
 
 S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:.:Solaris:8 (RFC1323 on)
 S17:64:1:48:N,N,S,M*:.:Solaris:8 (1)
-S17:255:1:44:M*:.:Solaris:2.5 to 7
+S17:255:1:44:M*:.:Solaris:2.5-7 (1)
 
 # Sometimes, just sometimes, Solaris feels like coming up with
 # rather arbitrary MSS values ;-)
 
-S6:255:1:44:M*:.:Solaris:2.5-7
+S6:255:1:44:M*:.:Solaris:2.5-7 (2)
 S23:64:1:48:N,N,S,M*:.:Solaris:8 (2)
 S34:64:1:48:M*,N,N,S:.:Solaris:9
+S34:64:1:48:M*,N,N,N,N:.:Solaris:9 (no sack)
 S44:255:1:44:M*:.:Solaris:7
 
 4096:64:0:44:M1460:.:SunOS:4.1.x
 
 S34:64:1:52:M*,N,W0,N,N,S:.:Solaris:10 (beta)
+32850:64:1:64:M*,N,N,T,N,W1,N,N,S:.:Solaris:10 (1203?)
+32850:64:1:64:M*,N,W1,N,N,T,N,N,S:.:Solaris:9.1
 
 # ----------------- IRIX --------------------
 
 49152:60:0:44:M*:.:IRIX:6.2-6.4
 61440:60:0:44:M*:.:IRIX:6.2-6.5
-49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323) (1)
-49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323) (2)
+49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323+) (1)
+49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323+) (2)
 
 61440:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (1)
 49152:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (2)
 
+49152:60:0:64:M*,N,W2,N,N,T,N,N,S:.:IRIX:6.5 IP27
+
 # ----------------- Tru64 -------------------
 # Tru64 and OpenVMS share the same stack on occassions.
 # Relax.
@@ -497,8 +513,8 @@ S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
 16616:255:1:48:M*,N,N,N,E:.:MacOS:8.1-8.6 (OTTCP)
 32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
 
-32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (1) (OT 2.7.4)
-65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (2) (OT 2.7.4)
+32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (OT 2.7.4) (1)
+65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (OT 2.7.4) (2)
 
 # ----------------- Windows -----------------
 
@@ -528,7 +544,7 @@ S12:64:1:48:M*,N,N,S:.:Windows:98 (3
 T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:.:Windows:98 (16)
 32767:64:1:48:M*,N,N,S:.:Windows:98 (4)
 37300:64:1:48:M*,N,N,S:.:Windows:98 (5)
-46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323)
+46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323+)
 65535:64:1:44:M*:.:Windows:98 (no sack)
 S16:128:1:48:M*,N,N,S:.:Windows:98 (6)
 S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:98 (7)
@@ -547,17 +563,24 @@ T31:128:1:44:M1414:.:Windows:NT 4.0 SP6a (1)
 # either dubious or non-specific (no service pack data)
 # were deleted and replaced with generics at the end.
 
-65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1
-%8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1 (seldom 98 4.10.2222)
+65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+
+%8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1+ (seldom 98)
 S20:128:1:48:M*,N,N,S:.:Windows:SP3
-S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP 1 (2)
+S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+ (2)
 40320:128:1:48:M*,N,N,S:.:Windows:2000 SP4
 
 S6:128:1:48:M*,N,N,S:.:Windows:XP, 2000 SP2+
-S12:128:1:48:M*,N,N,S:.:Windows:XP SP1 (1)
-S44:128:1:48:M*,N,N,S:.:Windows:XP Pro SP1, 2000 SP3
-64512:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP3 (2)
-32767:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP4 (3)
+S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ (1)
+S44:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP3
+64512:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP3 (2)
+32767:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP4 (3)
+
+# Windows 2003 & Vista
+
+8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta)
+32768:32:1:52:M1460,N,W0,N,N,S:.:Windows:2003 AS
+65535:64:1:52:M1460,N,W2,N,N,S:.:Windows:2003 (1)
+65535:64:1:48:M1460,N,N,S:.:Windows:2003 (2)
 
 # Odds, ends, mods:
 
@@ -565,23 +588,28 @@ S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco
 65520:128:1:48:M*,N,N,S:.:Windows:XP bare-bone
 16384:128:1:52:M536,N,W0,N,N,S:.:Windows:2000 w/ZoneAlarm?
 2048:255:0:40:.:.:Windows:.NET Enterprise Server
+44620:64:0:48:M*,N,N,S:.:Windows:ME no SP (?)
+S6:255:1:48:M536,N,N,S:.:Windows:95 winsock 2
+32000:128:0:48:M*,N,N,S:.:Windows:XP w/Winroute?
+16384:64:1:48:M1452,N,N,S:.:Windows:XP w/Sygate? (1)
+17256:64:1:48:M1460,N,N,S:.:Windows:XP w/Sygate? (2)
 
 # No need to be more specific, it passes:
 *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!)
 
 # ----------------- HP/UX -------------------
 
-32768:64:1:44:M*:.:HP-UX:B.10.20
+32768:64:1:44:M*:.:HP-UX:B.10.20 
 32768:64:1:48:M*,W0,N:.:HP-UX:11.00-11.11
 
 # Whoa. Hardcore WSS.
-0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323)
+0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323+)
 
 # ----------------- RiscOS ------------------
 
 16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:.:RISC OS:3.70-4.36 (inet 5.04)
 12288:32:0:44:M536:.:RISC OS:3.70 inet 4.10
-4096:64:1:56:M1460,N,N,T:T:.:RISC OS:3.70 freenet 2.00
+4096:64:1:56:M1460,N,N,T:T:RISC OS:3.70 freenet 2.00
 
 # ----------------- BSD/OS ------------------
 
@@ -593,7 +621,8 @@ S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco
 
 # ---------------- NeXTSTEP -----------------
 
-S8:64:0:44:M512:.:NeXTSTEP:3.3
+S8:64:0:44:M512:.:NeXTSTEP:3.3 (1)
+S4:64:0:44:M1024:.:NeXTSTEP:3.3 (2)
 
 # ------------------ BeOS -------------------
 
@@ -615,6 +644,7 @@ S8:64:0:44:M512:.:NeXTSTEP:3.3
 # ------------------- QNX -------------------
 
 S16:64:0:44:M512:.:QNX:demodisk
+16384:64:0:60:M1460,N,W0,N,N,T0:.:QNX:6.x
 
 # ------------------ Novell -----------------
 
@@ -628,15 +658,19 @@ S16:64:0:44:M512:.:QNX:demodisk
 # -------------- SCO UnixWare ---------------
 
 S3:64:1:60:M1460,N,W0,N,N,T:.:SCO:UnixWare 7.1
+S17:64:1:60:M*,N,W0,N,N,T:.:SCO:UnixWare 7.1.x
 S23:64:1:44:M1380:.:SCO:OpenServer 5.0
 
 # ------------------- DOS -------------------
 
 2048:255:0:44:M536:.:DOS:Arachne via WATTCP/1.05
+T2:255:0:44:M984:.:DOS:Arachne via WATTCP/1.05 (eepro)
+16383:64:0:44:M536:.:DOS:Unknown via WATTCP (epppd)
 
 # ------------------ OS/2 -------------------
 
 S56:64:0:44:M512:.:OS/2:4
+28672:64:0:44:M1460:.:OS/2:Warp 4.0
 
 # ----------------- TOPS-20 -----------------
 
@@ -660,6 +694,10 @@ S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
 
 16384:64:1:48:M1560,N,N,S:.:AMIGAOS:3.9 BB2 MiamiDX
 
+# ----------------- FreeMiNT ----------------
+
+S44:255:0:44:M536:.:FreeMiNT:1 patch 16A (Atari)
+
 ###########################################
 # Appliance / embedded / other signatures #
 ###########################################
@@ -669,7 +707,6 @@ S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
 S12:64:1:44:M1460:.:@Checkpoint:(unknown 1)
 S12:64:1:48:N,N,S,M1460:.:@Checkpoint:(unknown 2)
 4096:32:0:44:M1460:.:ExtremeWare:4.x
-60352:64:0:52:M1460,N,W2,N,N,S:.:Clavister:firewall 7.x
 
 S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
 S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
@@ -680,17 +717,21 @@ S4:64:1:60:W0,N,S,T,M1460:.:FortiNet:FortiGate 50
 
 # ------- Switches and other stuff ----------
 
-4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, et
+4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, etc
 S8:255:0:44:M*:.:Cisco:12008
+S4:255:0:44:M536:Z:Cisco:IOS 11.0
 60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:.:Alteon:ACEswitch
 64512:128:1:44:M1370:.:Nortel:Contivity Client
 
 # ---------- Caches and whatnots ------------
 
+8190:255:0:44:M1428:.:Google:Wireless Transcoder (1)
+8190:255:0:44:M1460:.:Google:Wireless Transcoder (2)
 8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.2
 16384:64:1:64:M1460,N,N,S,N,W0,N:.:NetCache:5.3
-65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5
+65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5 (or FreeBSD 5.4)
 20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:4.1
+S44:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.5
 
 32850:64:1:64:N,W1,N,N,T,N,N,S,M*:.:NetCache:Data OnTap 5.x
 
@@ -706,17 +747,25 @@ S1:255:1:60:M1460,S,T,N,W0:.:LookSmart:ZyBorg
 
 16384:255:0:40:.:.:Proxyblocker:(what's this?)
 
+65535:255:0:48:M*,N,N,S:.:Redline: T|X 2200
+
 # ----------- Embedded systems --------------
 
-S9:255:0:44:M536:.:PalmOS:Tungsten C
+S9:255:0:44:M536:.:PalmOS:Tungsten T3/C
 S5:255:0:44:M536:.:PalmOS:3/4
 S4:255:0:44:M536:.:PalmOS:3.5
 2948:255:0:44:M536:.:PalmOS:3.5.3 (Handera)
 S29:255:0:44:M536:.:PalmOS:5.0
+16384:255:0:44:M1398:.:PalmOS:5.2 (Clie)
+S14:255:0:44:M1350:.:PalmOS:5.2.1 (Treo)
+16384:255:0:44:M1400:.:PalmOS:5.2 (Sony)
 
 S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:.:SymbianOS:7
-8192:255:0:44:M1460:.:SymbianOS:6048 (on Nokia 7650?)
-8192:255:0:44:M536:.:SymbianOS:(on Nokia 9210?)
+8192:255:0:44:M1460:.:SymbianOS:6048 (Nokia 7650?)
+8192:255:0:44:M536:.:SymbianOS:(Nokia 9210?)
+S22:64:1:56:M1460,T,S:.:SymbianOS:? (SE P800?)
+S36:64:1:56:M1360,T,S:.:SymbianOS:60xx (Nokia 6600?)
+S36:64:1:60:M1360,T,S,W0,E:.:SymbianOS:60xx
 
 32768:32:1:44:M1460:.:Windows:CE 3
 
@@ -733,6 +782,8 @@ S22:64:1:44:M1460:.:Sony:Playstation 2 (SOCOM?)
 
 S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64
 
+3100:32:1:44:M1460:.:Windows:CE 2.0
+
 ####################
 # Fancy signatures #
 ####################
@@ -742,6 +793,11 @@ S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64
 3072:64:0:40:.:.:-*NMAP:syn scan (3)
 4096:64:0:40:.:.:-*NMAP:syn scan (4)
 
+1024:64:0:40:.:A:-*NMAP:TCP sweep probe (1)
+2048:64:0:40:.:A:-*NMAP:TCP sweep probe (2)
+3072:64:0:40:.:A:-*NMAP:TCP sweep probe (3)
+4096:64:0:40:.:A:-*NMAP:TCP sweep probe (4)
+
 1024:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (1)
 2048:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (2)
 3072:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (3)
@@ -752,6 +808,8 @@ S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64
 3072:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (3)
 4096:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (4)
 
+32767:64:0:40:.:.:-*NAST:syn scan
+
 12345:255:0:40:.:A:-p0f:sendsyn utility
 
 # UFO - see tmp/*:
@@ -764,9 +822,12 @@ S23:64:1:64:N,W1,N,N,T,N,N,S,M1380:.:@Mysterious:GPRS gateway (?)
 # Generic signatures - just in case #
 #####################################
 
-*:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323 no tstamp)
-*:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323)
-*:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP (RFC1323, w+)
+*:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w, tstamp-)
+*:128:1:52:M*,N,W*,N,N,S:.:@Windows:XP/2000 (RFC1323+, w+, tstamp-)
+*:128:1:52:M*,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w-, tstamp+)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w, tstamp+)
+*:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w+, tstamp+)
+
 *:128:1:48:M536,N,N,S:.:@Windows:98
 *:128:1:48:M*,N,N,S:.:@Windows:XP/2000
 
diff --git a/scripts/base/protocols/conn/__load__.bro b/scripts/base/protocols/conn/__load__.bro
new file mode 100644
index 0000000000..8c673eca85
--- /dev/null
+++ b/scripts/base/protocols/conn/__load__.bro
@@ -0,0 +1,3 @@
+@load ./main
+@load ./contents
+@load ./inactivity
diff --git a/scripts/base/protocols/conn/contents.bro b/scripts/base/protocols/conn/contents.bro
new file mode 100644
index 0000000000..2e6b547ab1
--- /dev/null
+++ b/scripts/base/protocols/conn/contents.bro
@@ -0,0 +1,48 @@
+##! This script can be used to extract either the originator's data or the 
+##! responders data or both.  By default nothing is extracted, and in order 
+##! to actually extract data the ``c$extract_orig`` and/or the
+##! ``c$extract_resp`` variable must be set to ``T``.  One way to achieve this
+##! would be to handle the :bro:id:`connection_established` event elsewhere
+##! and set the ``extract_orig`` and ``extract_resp`` options there.
+##! However, there may be trouble with the timing due to event queue delay.
+##!
+##! .. note::
+##!
+##!    This script does not work well in a cluster context unless it has a
+##!    remotely mounted disk to write the content files to.
+
+@load base/utils/files
+
+module Conn;
+
+export {
+	## The prefix given to files containing extracted connections as they are
+	## opened on disk.
+	const extraction_prefix = "contents" &redef;
+	
+	## If this variable is set to ``T``, then all contents of all connections
+	## will be  extracted.
+	const default_extract = F &redef;
+}
+
+redef record connection += {
+	extract_orig: bool &default=default_extract;
+	extract_resp: bool &default=default_extract;
+};
+
+event connection_established(c: connection) &priority=-5
+	{
+	if ( c$extract_orig )
+		{
+		local orig_file = generate_extraction_filename(extraction_prefix, c, "orig.dat");
+		local orig_f = open(orig_file);
+		set_contents_file(c$id, CONTENTS_ORIG, orig_f);
+		}
+		
+	if ( c$extract_resp )
+		{
+		local resp_file = generate_extraction_filename(extraction_prefix, c, "resp.dat");
+		local resp_f = open(resp_file);
+		set_contents_file(c$id, CONTENTS_RESP, resp_f);
+		}
+	}
diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro
new file mode 100644
index 0000000000..28df192de3
--- /dev/null
+++ b/scripts/base/protocols/conn/inactivity.bro
@@ -0,0 +1,41 @@
+##! Adjust the inactivity timeouts for interactive services which could
+##! very possibly have long delays between packets.
+
+module Conn;
+
+export {
+	## Define inactivity timeouts by the service detected being used over
+	## the connection.
+	const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = {
+		# For interactive services, allow longer periods of inactivity.
+		[[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs,
+	} &redef;
+	
+	## Define inactivity timeouts based on common protocol ports.
+	const port_inactivity_timeouts: table[port] of interval = {
+		[[21/tcp, 22/tcp, 23/tcp, 513/tcp]] = 1 hrs,
+	} &redef;
+	
+}
+	
+event protocol_confirmation(c: connection, atype: count, aid: count)
+	{
+	if ( atype in analyzer_inactivity_timeouts )
+		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);
+	}
+
+event connection_established(c: connection)
+	{
+	local service_port = c$id$resp_p;
+	if ( c$orig$state == TCP_INACTIVE )
+		{
+		# We're seeing a half-established connection. Use the
+		# service of the originator if it's well-known and the
+		# responder isn't.
+		if ( service_port !in likely_server_ports && c$id$orig_p in likely_server_ports )
+			service_port = c$id$orig_p;
+		}
+
+	if ( service_port in port_inactivity_timeouts )
+		set_inactivity_timeout(c$id, port_inactivity_timeouts[service_port]);
+	}
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
new file mode 100644
index 0000000000..34ec12fa56
--- /dev/null
+++ b/scripts/base/protocols/conn/main.bro
@@ -0,0 +1,240 @@
+##! This script manages the tracking/logging of general information regarding
+##! TCP, UDP, and ICMP traffic.  For UDP and ICMP, "connections" are to
+##! be interpreted using flow semantics (sequence of packets from a source
+##! host/post to a destination host/port).  Further, ICMP "ports" are to
+##! be interpreted as the source port meaning the ICMP message type and
+##! the destination port being the ICMP message code.
+
+@load base/utils/site
+
+module Conn;
+
+export {
+	## The connection logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains column fields of the connection log.
+	type Info: record {
+		## This is the time of the first packet.
+		ts:           time            &log;
+		## A unique identifier of a connection.
+		uid:          string          &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:           conn_id         &log;
+		## The transport layer protocol of the connection.
+		proto:        transport_proto &log;
+		## An identification of an application protocol being sent over the
+		## the connection.
+		service:      string          &log &optional;
+		## How long the connection lasted.  For 3-way or 4-way connection
+		## tear-downs, this will not include the final ACK.
+		duration:     interval        &log &optional;
+		## The number of payload bytes the originator sent. For TCP
+		## this is taken from sequence numbers and might be inaccurate 
+		## (e.g., due to large connections)
+		orig_bytes:   count           &log &optional;
+		## The number of payload bytes the responder sent. See ``orig_bytes``.
+		resp_bytes:   count           &log &optional;
+
+		## ==========   ===============================================
+		## conn_state   Meaning
+		## ==========   ===============================================
+		## S0           Connection attempt seen, no reply.
+		## S1           Connection established, not terminated.
+		## SF           Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
+		## REJ          Connection attempt rejected.
+		## S2           Connection established and close attempt by originator seen (but no reply from responder).
+		## S3           Connection established and close attempt by responder seen (but no reply from originator).
+		## RSTO         Connection established, originator aborted (sent a RST).
+		## RSTR         Established, responder aborted.
+		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
+		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
+		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
+		## SHR          Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
+		## OTH          No SYN seen, just midstream traffic (a "partial connection" that was not later closed).
+		## ==========   ===============================================
+		conn_state:   string          &log &optional;
+		
+		## If the connection is originated locally, this value will be T.  If
+		## it was originated remotely it will be F.  In the case that the
+		## :bro:id:`Site::local_nets` variable is undefined, this field will 
+		## be left empty at all times.
+		local_orig:   bool            &log &optional;
+		
+		## Indicates the number of bytes missed in content gaps which is
+		## representative of packet loss.  A value other than zero will 
+		## normally cause protocol analysis to fail but some analysis may 
+		## have been completed prior to the packet loss.
+		missed_bytes: count           &log &default=0;
+
+		## Records the state history of connections as a string of letters.
+		## For TCP connections the meaning of those letters is:
+		##
+		## ======  ====================================================
+		## Letter  Meaning
+		## ======  ====================================================
+		## s       a SYN w/o the ACK bit set
+		## h       a SYN+ACK ("handshake")
+		## a       a pure ACK
+		## d       packet with payload ("data")
+		## f       packet with FIN bit set
+		## r       packet with RST bit set
+		## c       packet with a bad checksum
+		## i       inconsistent packet (e.g. SYN+RST bits both set)
+		## ======  ====================================================
+		##
+		## If the letter is in upper case it means the event comes from the
+		## originator and lower case then means the responder.
+		## Also, there is compression. We only record one "d" in each direction,
+		## for instance. I.e., we just record that data went in that direction.
+		## This history is not meant to encode how much data that happened to
+		## be.
+		history:      string          &log &optional;
+		## Number of packets the originator sent.
+		## Only set if :bro:id:`use_conn_size_analyzer` = T
+		orig_pkts:     count      &log &optional;
+		## Number IP level bytes the originator sent (as seen on the wire,
+		## taken from IP total_length header field).
+		## Only set if :bro:id:`use_conn_size_analyzer` = T
+		orig_ip_bytes: count      &log &optional;
+		## Number of packets the responder sent. See ``orig_pkts``.
+		resp_pkts:     count      &log &optional;
+		## Number IP level bytes the responder sent. See ``orig_pkts``.
+		resp_ip_bytes: count      &log &optional;
+	};
+
+	## Event that can be handled to access the :bro:type:`Conn::Info`
+	## record as it is sent on to the logging framework.
+	global log_conn: event(rec: Info);
+}
+
+redef record connection += {
+	conn: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn]);
+	}
+
+function conn_state(c: connection, trans: transport_proto): string
+	{
+	local os = c$orig$state;
+	local rs = c$resp$state;
+
+	local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
+	local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
+
+	if ( trans == tcp )
+		{
+		if ( rs == TCP_RESET )
+			{
+			if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
+			     (os == TCP_RESET &&
+			      c$orig$size == 0 && c$resp$size == 0) )
+				return "REJ";
+			else if ( o_inactive )
+				return "RSTRH";
+			else
+				return "RSTR";
+			}
+		else if ( os == TCP_RESET )
+			return r_inactive ? "RSTOS0" : "RSTO";
+		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
+			return "SF";
+		else if ( os == TCP_CLOSED )
+			return r_inactive ? "SH" : "S2";
+		else if ( rs == TCP_CLOSED )
+			return o_inactive ? "SHR" : "S3";
+		else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
+			return "S0";
+		else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
+			return "S1";
+		else
+			return "OTH";
+		}
+
+	else if ( trans == udp )
+		{
+		if ( os == UDP_ACTIVE )
+			return rs == UDP_ACTIVE ? "SF" : "S0";
+		else
+			return rs == UDP_ACTIVE ? "SHR" : "OTH";
+		}
+
+	else
+		return "OTH";
+	}
+
+function determine_service(c: connection): string
+	{
+	local service = "";
+	for ( s in c$service )
+		{
+		if ( sub_bytes(s, 0, 1) != "-" )
+			service = service == "" ? s : cat(service, ",", s);
+		}
+
+	return to_lower(service);
+	}
+
+## Fill out the c$conn record for logging
+function set_conn(c: connection, eoc: bool)
+	{
+	if ( ! c?$conn )
+		{
+		local tmp: Info;
+		c$conn = tmp;
+		}
+
+	c$conn$ts=c$start_time;
+	c$conn$uid=c$uid;
+	c$conn$id=c$id;
+	c$conn$proto=get_port_transport_proto(c$id$resp_p);
+	if( |Site::local_nets| > 0 )
+		c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
+	
+	if ( eoc )
+		{
+		if ( c$duration > 0secs ) 
+			{
+			c$conn$duration=c$duration;
+			c$conn$orig_bytes=c$orig$size;
+			c$conn$resp_bytes=c$resp$size;
+			}
+		if ( c$orig?$num_pkts )
+			{
+			# these are set if use_conn_size_analyzer=T
+			# we can have counts in here even without duration>0
+			c$conn$orig_pkts = c$orig$num_pkts;
+			c$conn$orig_ip_bytes = c$orig$num_bytes_ip;
+			c$conn$resp_pkts = c$resp$num_pkts;
+			c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
+			}
+		local service = determine_service(c);
+		if ( service != "" ) 
+			c$conn$service=service;
+		c$conn$conn_state=conn_state(c, get_port_transport_proto(c$id$resp_p));
+
+		if ( c$history != "" )
+			c$conn$history=c$history;
+		}
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
+	{
+	set_conn(c, F);
+	
+	c$conn$missed_bytes = c$conn$missed_bytes + length;
+	}
+	
+event connection_state_remove(c: connection) &priority=5
+	{
+	set_conn(c, T);
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	Log::write(Conn::LOG, c$conn);
+	}
+
diff --git a/scripts/base/protocols/dns/__load__.bro b/scripts/base/protocols/dns/__load__.bro
new file mode 100644
index 0000000000..1d47f6e0cd
--- /dev/null
+++ b/scripts/base/protocols/dns/__load__.bro
@@ -0,0 +1,2 @@
+@load ./consts
+@load ./main
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
new file mode 100644
index 0000000000..fbf4aba008
--- /dev/null
+++ b/scripts/base/protocols/dns/consts.bro
@@ -0,0 +1,77 @@
+##! Types, errors, and fields for analyzing DNS data.  A helper file
+##! for DNS analysis scripts.
+
+module DNS;
+
+export {
+	const PTR = 12;  ##< RR TYPE value for a domain name pointer.
+	const EDNS = 41; ##< An OPT RR TYPE value described by EDNS.
+	const ANY = 255; ##< A QTYPE value describing a request for all records.
+
+	## Mapping of DNS query type codes to human readable string representation.
+	const query_types = {
+		[1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
+		[5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
+		[9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR",
+		[13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT",
+		[17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN",
+		[21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG",
+		[25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA",
+		[29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
+		[33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
+		[37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
+	 	[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
+		[45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
+		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
+		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
+		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+		[32768] = "TA", [32769] = "DLV",
+		[ANY] = "*",
+	} &default = function(n: count): string { return fmt("query-%d", n); };
+
+	## Errors used for non-TSIG/EDNS types.
+	const base_errors = {
+		[0] = "NOERROR",        # No Error
+		[1] = "FORMERR",        # Format Error
+		[2] = "SERVFAIL",       # Server Failure
+		[3] = "NXDOMAIN",       # Non-Existent Domain
+		[4] = "NOTIMP",         # Not Implemented
+		[5] = "REFUSED",        # Query Refused
+		[6] = "YXDOMAIN",       # Name Exists when it should not
+		[7] = "YXRRSET",        # RR Set Exists when it should not
+		[8] = "NXRRSet",        # RR Set that should exist does not
+		[9] = "NOTAUTH",        # Server Not Authoritative for zone
+		[10] = "NOTZONE",       # Name not contained in zone
+		[11] = "unassigned-11", # available for assignment
+		[12] = "unassigned-12", # available for assignment
+		[13] = "unassigned-13", # available for assignment
+		[14] = "unassigned-14", # available for assignment
+		[15] = "unassigned-15", # available for assignment
+		[16] = "BADVERS",       # for EDNS, collision w/ TSIG
+		[17] = "BADKEY",        # Key not recognized
+		[18] = "BADTIME",       # Signature out of time window
+		[19] = "BADMODE",       # Bad TKEY Mode
+		[20] = "BADNAME",       # Duplicate key name
+		[21] = "BADALG",        # Algorithm not supported
+		[22] = "BADTRUNC",      # draft-ietf-dnsext-tsig-sha-05.txt
+		[3842] = "BADSIG",      # 16 <= number collision with EDNS(16);
+		                        # this is a translation from TSIG(16)
+	} &default = function(n: count): string { return fmt("rcode-%d", n); };
+
+	## This deciphers EDNS Z field values.
+	const edns_zfield = {
+		[0]     = "NOVALUE",    # regular entry
+		[32768] = "DNS_SEC_OK", # accepts DNS Sec RRs
+	} &default="?";
+
+	## Possible values of the CLASS field in resource records or QCLASS field
+	## in query messages.
+	const classes = {
+		[1]   = "C_INTERNET",
+		[2]   = "C_CSNET",
+		[3]   = "C_CHAOS",
+		[4]   = "C_HESOD",
+		[254] = "C_NONE",
+		[255] = "C_ANY",
+	} &default = function(n: count): string { return fmt("qclass-%d", n); };
+}
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
new file mode 100644
index 0000000000..56107fd02d
--- /dev/null
+++ b/scripts/base/protocols/dns/main.bro
@@ -0,0 +1,340 @@
+##! Base DNS analysis script which tracks and logs DNS queries along with
+##! their responses.
+
+@load ./consts
+
+module DNS;
+
+export {
+	## The DNS logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the column fields of the DNS log.
+	type Info: record {
+		## The earliest time at which a DNS protocol message over the
+		## associated connection is observed.
+		ts:            time               &log;
+		## A unique identifier of the connection over which DNS messages
+		## are being transferred.
+		uid:           string             &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:            conn_id            &log;
+		## The transport layer protocol of the connection.
+		proto:         transport_proto    &log;
+		## A 16 bit identifier assigned by the program that generated the
+		## DNS query.  Also used in responses to match up replies to
+		## outstanding queries.
+		trans_id:      count              &log &optional;
+		## The domain name that is the subject of the DNS query.
+		query:         string             &log &optional;
+		## The QCLASS value specifying the class of the query.
+		qclass:        count              &log &optional;
+		## A descriptive name for the class of the query.
+		qclass_name:   string             &log &optional;
+		## A QTYPE value specifying the type of the query.
+		qtype:         count              &log &optional;
+		## A descriptive name for the type of the query.
+		qtype_name:    string             &log &optional;
+		## The response code value in DNS response messages.
+		rcode:         count              &log &optional;
+		## A descriptive name for the response code value.
+		rcode_name:    string             &log &optional;
+		## Whether the message is a query (F) or response (T).
+		QR:            bool               &log &default=F;
+		## The Authoritative Answer bit for response messages specifies that
+		## the responding name server is an authority for the domain name
+		## in the question section.
+		AA:            bool               &log &default=F;
+		## The Truncation bit specifies that the message was truncated.
+		TC:            bool               &log &default=F;
+		## The Recursion Desired bit indicates to a name server to recursively
+		## purse the query.
+		RD:            bool               &log &default=F;
+		## The Recursion Available bit in a response message indicates if
+		## the name server supports recursive queries.
+		RA:            bool               &log &default=F;
+		## A reserved field that is currently supposed to be zero in all
+		## queries and responses.
+		Z:             count              &log &default=0;
+		## The set of resource descriptions in answer of the query.
+		answers:       vector of string   &log &optional;
+		## The caching intervals of the associated RRs described by the
+		## ``answers`` field.
+		TTLs:          vector of interval &log &optional;
+
+		## This value indicates if this request/response pair is ready to be
+		## logged.
+		ready:         bool            &default=F;
+		## The total number of resource records in a reply message's answer
+		## section.
+		total_answers: count           &optional;
+		## The total number of resource records in a reply message's answer,
+		## authority, and additional sections.
+		total_replies: count           &optional;
+	};
+
+	## A record type which tracks the status of DNS queries for a given
+	## :bro:type:`connection`.
+	type State: record {
+		## Indexed by query id, returns Info record corresponding to
+		## query/response which haven't completed yet.
+		pending: table[count] of Info &optional;
+
+		## This is the list of DNS responses that have completed based on the
+		## number of responses declared and the number received.  The contents
+		## of the set are transaction IDs.
+		finished_answers: set[count] &optional;
+	};
+
+	## An event that can be handled to access the :bro:type:`DNS::Info`
+	## record as it is sent to the logging framework.
+	global log_dns: event(rec: Info);
+
+	## This is called by the specific dns_*_reply events with a "reply" which
+	## may not represent the full data available from the resource record, but
+	## it's generally considered a summarization of the response(s).
+	##
+	## c: The connection record for which to fill in DNS reply data.
+	##
+	## msg: The DNS message header information for the response.
+	##
+	## ans: The general information of a RR response.
+	##
+	## reply: The specific response information according to RR type/class.
+	global do_reply: event(c: connection, msg: dns_msg, ans: dns_answer, reply: string);
+}
+
+redef record connection += {
+	dns:       Info  &optional;
+	dns_state: State &optional;
+};
+
+# DPD configuration.
+redef capture_filters += {
+	["dns"] = "port 53",
+	["mdns"] = "udp and port 5353",
+	["llmns"] = "udp and port 5355",
+	["netbios-ns"] = "udp port 137",
+};
+
+const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
+
+const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
+const dns_tcp_ports = { 53/tcp };
+redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
+redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
+
+redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
+	}
+
+function new_session(c: connection, trans_id: count): Info
+	{
+	if ( ! c?$dns_state )
+		{
+		local state: State;
+		state$pending=table();
+		state$finished_answers=set();
+		c$dns_state = state;
+		}
+
+	local info: Info;
+	info$ts       = network_time();
+	info$id       = c$id;
+	info$uid      = c$uid;
+	info$proto    = get_conn_transport_proto(c$id);
+	info$trans_id = trans_id;
+	return info;
+	}
+
+function set_session(c: connection, msg: dns_msg, is_query: bool)
+	{
+	if ( ! c?$dns_state || msg$id !in c$dns_state$pending )
+		{
+		c$dns_state$pending[msg$id] = new_session(c, msg$id);
+		# Try deleting this transaction id from the set of finished answers.
+		# Sometimes hosts will reuse ports and transaction ids and this should
+		# be considered to be a legit scenario (although bad practice).
+		delete c$dns_state$finished_answers[msg$id];
+		}
+
+	c$dns = c$dns_state$pending[msg$id];
+
+	c$dns$rcode = msg$rcode;
+	c$dns$rcode_name = base_errors[msg$rcode];
+
+	if ( ! is_query )
+		{
+		if ( ! c$dns?$total_answers )
+			c$dns$total_answers = msg$num_answers;
+
+		if ( c$dns?$total_replies &&
+		     c$dns$total_replies != msg$num_answers + msg$num_addl + msg$num_auth )
+			{
+			event conn_weird("dns_changed_number_of_responses", c,
+			                      fmt("The declared number of responses changed from %d to %d",
+			                          c$dns$total_replies,
+			                          msg$num_answers + msg$num_addl + msg$num_auth));
+			}
+		else
+			{
+			# Store the total number of responses expected from the first reply.
+			c$dns$total_replies = msg$num_answers + msg$num_addl + msg$num_auth;
+			}
+		}
+	}
+
+event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
+	{
+	set_session(c, msg, F);
+
+	if ( ans$answer_type == DNS_ANS )
+		{
+		c$dns$AA    = msg$AA;
+		c$dns$RA    = msg$RA;
+
+		if ( msg$id in c$dns_state$finished_answers )
+			event conn_weird("dns_reply_seen_after_done", c, "");
+
+		if ( reply != "" )
+			{
+			if ( ! c$dns?$answers )
+				c$dns$answers = vector();
+			c$dns$answers[|c$dns$answers|] = reply;
+
+			if ( ! c$dns?$TTLs )
+				c$dns$TTLs = vector();
+			c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
+			}
+
+		if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
+			{
+			add c$dns_state$finished_answers[c$dns$trans_id];
+			# Indicate this request/reply pair is ready to be logged.
+			c$dns$ready = T;
+			}
+		}
+	}
+
+event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=-5
+	{
+	if ( c$dns$ready )
+		{
+		Log::write(DNS::LOG, c$dns);
+		# This record is logged and no longer pending.
+		delete c$dns_state$pending[c$dns$trans_id];
+		}
+	}
+
+event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
+	{
+	set_session(c, msg, T);
+
+	c$dns$RD          = msg$RD;
+	c$dns$TC          = msg$TC;
+	c$dns$qclass      = qclass;
+	c$dns$qclass_name = classes[qclass];
+	c$dns$qtype       = qtype;
+	c$dns$qtype_name  = query_types[qtype];
+
+	# Decode netbios name queries
+	# Note: I'm ignoring the name type for now.  Not sure if this should be
+	#       worked into the query/response in some fashion.
+	if ( c$id$resp_p == 137/udp )
+		query = decode_netbios_name(query);
+	c$dns$query    = query;
+
+	c$dns$Z = msg$Z;
+	}
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, fmt("%s", a));
+	}
+
+event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, str: string) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, str);
+	}
+
+event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr,
+                     astr: string) &priority=5
+	{
+	# TODO: What should we do with astr?
+	event DNS::do_reply(c, msg, ans, fmt("%s", a));
+	}
+
+event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, name);
+	}
+
+event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, name);
+	}
+
+event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string,
+                   preference: count) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, name);
+	}
+
+event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, name);
+	}
+
+event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, soa$mname);
+	}
+
+event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, "");
+	}
+
+event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, "");
+	}
+
+# TODO: figure out how to handle these
+#event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer)
+#	{
+#
+#	}
+#
+#event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+#	{
+#
+#	}
+#
+#event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
+#	{
+#
+#	}
+
+
+event dns_rejected(c: connection, msg: dns_msg,
+                   query: string, qtype: count, qclass: count) &priority=5
+	{
+	set_session(c, msg, F);
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( ! c?$dns_state )
+		return;
+
+	# If Bro is expiring state, we should go ahead and log all unlogged
+	# request/response pairs now.
+	for ( trans_id in c$dns_state$pending )
+		Log::write(DNS::LOG, c$dns_state$pending[trans_id]);
+	}
+
diff --git a/scripts/base/protocols/ftp/__load__.bro b/scripts/base/protocols/ftp/__load__.bro
new file mode 100644
index 0000000000..0a399aef36
--- /dev/null
+++ b/scripts/base/protocols/ftp/__load__.bro
@@ -0,0 +1,3 @@
+@load ./utils-commands
+@load ./main
+@load ./file-extract
\ No newline at end of file
diff --git a/scripts/base/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro
new file mode 100644
index 0000000000..7cee4995ba
--- /dev/null
+++ b/scripts/base/protocols/ftp/file-extract.bro
@@ -0,0 +1,70 @@
+##! File extraction support for FTP.
+
+@load ./main
+@load base/utils/files
+
+module FTP;
+
+export {
+	## Pattern of file mime types to extract from FTP transfers.
+	const extract_file_types = /NO_DEFAULT/ &redef;
+
+	## The on-disk prefix for files to be extracted from FTP-data transfers.
+	const extraction_prefix = "ftp-item" &redef;
+}
+
+redef record Info += {
+	## On disk file where it was extracted to.
+	extraction_file:       file &log &optional;
+	
+	## Indicates if the current command/response pair should attempt to 
+	## extract the file if a file was transferred.
+	extract_file:          bool &default=F;
+	
+	## Internal tracking of the total number of files extracted during this 
+	## session.
+	num_extracted_files:   count &default=0;
+};
+
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string) &priority=3
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
+		return;
+		
+	local s = ftp_data_expected[id$resp_h, id$resp_p];
+
+	if ( extract_file_types in s$mime_type )
+		{
+		s$extract_file = T;
+		++s$num_extracted_files;
+		}
+	}
+
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string) &priority=-4
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
+		return;
+		
+	local s = ftp_data_expected[id$resp_h, id$resp_p];
+	
+	if ( s$extract_file )
+		{
+		local suffix = fmt("%d.dat", s$num_extracted_files);
+		local fname = generate_extraction_filename(extraction_prefix, c, suffix);
+		s$extraction_file = open(fname);
+		if ( s$passive )
+			set_contents_file(id, CONTENTS_RESP, s$extraction_file);
+		else
+			set_contents_file(id, CONTENTS_ORIG, s$extraction_file);
+		}
+	}
+
+event log_ftp(rec: Info) &priority=-10
+	{
+	delete rec$extraction_file;
+	delete rec$extract_file;
+	}
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
new file mode 100644
index 0000000000..9e16804a32
--- /dev/null
+++ b/scripts/base/protocols/ftp/main.bro
@@ -0,0 +1,345 @@
+##! The logging this script does is primarily focused on logging FTP commands
+##! along with metadata.  For example, if files are transferred, the argument
+##! will take on the full path that the client is at along with the requested 
+##! file name.
+
+@load ./utils-commands
+@load base/utils/paths
+@load base/utils/numbers
+
+module FTP;
+
+export {
+	## The FTP protocol logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	## List of commands that should have their command/response pairs logged.
+	const logged_commands = {
+		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT"
+	} &redef;
+	
+	## This setting changes if passwords used in FTP sessions are captured or not.
+	const default_capture_password = F &redef;
+	
+	## User IDs that can be considered "anonymous".
+	const guest_ids = { "anonymous", "ftp", "guest" } &redef;
+	
+	type Info: record {
+		## Time when the command was sent.
+		ts:               time        &log;
+		uid:              string      &log;
+		id:               conn_id     &log;
+		## User name for the current FTP session.
+		user:             string      &log &default="<unknown>";
+		## Password for the current FTP session if captured.
+		password:         string      &log &optional;
+		## Command given by the client.
+		command:          string      &log &optional;
+		## Argument for the command if one is given.
+		arg:              string      &log &optional;
+		
+		## Libmagic "sniffed" file type if the command indicates a file transfer.
+		mime_type:        string      &log &optional;
+		## Libmagic "sniffed" file description if the command indicates a file transfer.
+		mime_desc:        string      &log &optional;
+		## Size of the file if the command indicates a file transfer.
+		file_size:        count       &log &optional;
+		
+		## Reply code from the server in response to the command.
+		reply_code:       count       &log &optional;
+		## Reply message from the server in response to the command.
+		reply_msg:        string      &log &optional;
+		## Arbitrary tags that may indicate a particular attribute of this command.
+		tags:             set[string] &log &default=set();
+		
+		## Current working directory that this session is in.  By making
+		## the default value '/.', we can indicate that unless something
+		## more concrete is discovered that the existing but unknown
+		## directory is ok to use.
+		cwd:                string  &default="/.";
+		
+		## Command that is currently waiting for a response.
+		cmdarg:             CmdArg  &optional;
+		## Queue for commands that have been sent but not yet responded to 
+		## are tracked here.
+		pending_commands:   PendingCmds;
+		
+		## Indicates if the session is in active or passive mode.
+		passive:            bool &default=F;
+		
+		## Determines if the password will be captured for this request.
+		capture_password:   bool &default=default_capture_password;
+	};
+
+	## This record is to hold a parsed FTP reply code.  For example, for the 
+	## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
+	type ReplyCode: record {
+		x: count;
+		y: count;
+		z: count;
+	};
+	
+	## Parse FTP reply codes into the three constituent single digit values.
+	global parse_ftp_reply_code: function(code: count): ReplyCode;
+	
+	## Event that can be handled to access the :bro:type:`FTP::Info`
+	## record as it is sent on to the logging framework.
+	global log_ftp: event(rec: Info);
+}
+
+# Add the state tracking information variable to the connection record
+redef record connection += {
+	ftp: Info &optional;
+};
+
+# Configure DPD
+const ports = { 21/tcp } &redef;
+redef capture_filters += { ["ftp"] = "port 21" };
+redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
+
+redef likely_server_ports += { 21/tcp };
+
+# Establish the variable for tracking expected connections.
+global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
+	}
+
+## A set of commands where the argument can be expected to refer
+## to a file or directory.
+const file_cmds = {
+	"APPE", "CWD", "DELE", "MKD", "RETR", "RMD", "RNFR", "RNTO",
+	"STOR", "STOU", "REST", "SIZE", "MDTM",
+};
+
+## Commands that either display or change the current working directory along
+## with the response codes to indicate a successful command.
+const directory_cmds = {
+	["CWD",  250],
+	["CDUP", 200], # typo in RFC?
+	["CDUP", 250], # as found in traces
+	["PWD",  257],
+	["XPWD", 257],
+};
+
+function parse_ftp_reply_code(code: count): ReplyCode
+	{
+	local a: ReplyCode;
+
+	a$z = code % 10;
+
+	code = code / 10;
+	a$y = code % 10;
+
+	code = code / 10;
+	a$x = code % 10;
+
+	return a;
+	}
+
+function set_ftp_session(c: connection)
+	{
+	if ( ! c?$ftp )
+		{
+		local s: Info;
+		s$ts=network_time();
+		s$uid=c$uid;
+		s$id=c$id;
+		c$ftp=s;
+		
+		# Add a shim command so the server can respond with some init response.
+		add_pending_cmd(c$ftp$pending_commands, "<init>", "");
+		}
+	}
+
+function ftp_message(s: Info)
+	{
+	# If it either has a tag associated with it (something detected)
+	# or it's a deliberately logged command.
+	if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
+		{
+		if ( s?$password && to_lower(s$user) !in guest_ids )
+			s$password = "<hidden>";
+		
+		local arg = s$cmdarg$arg;
+		if ( s$cmdarg$cmd in file_cmds )
+			arg = fmt("ftp://%s%s", s$id$resp_h, build_path_compressed(s$cwd, arg));
+		
+		s$ts=s$cmdarg$ts;
+		s$command=s$cmdarg$cmd;
+		if ( arg == "" )
+			delete s$arg;
+		else
+			s$arg=arg;
+		
+		Log::write(FTP::LOG, s);
+		}
+	
+	# The MIME and file_size fields are specific to file transfer commands 
+	# and may not be used in all commands so they need reset to "blank" 
+	# values after logging.
+	delete s$mime_type;
+	delete s$mime_desc;
+	delete s$file_size;
+	# Tags are cleared everytime too.
+	delete s$tags;
+	}
+
+event ftp_request(c: connection, command: string, arg: string) &priority=5
+	{
+	# Write out the previous command when a new command is seen.
+	# The downside here is that commands definitely aren't logged until the
+	# next command is issued or the control session ends.  In practicality
+	# this isn't an issue, but I suppose it could be a delay tactic for
+	# attackers.
+	if ( c?$ftp && c$ftp?$cmdarg && c$ftp?$reply_code )
+		{
+		remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg);
+		ftp_message(c$ftp);
+		}
+	
+	local id = c$id;
+	set_ftp_session(c);
+		
+	# Queue up the new command and argument
+	add_pending_cmd(c$ftp$pending_commands, command, arg);
+	
+	if ( command == "USER" )
+		c$ftp$user = arg;
+	
+	else if ( command == "PASS" )
+		c$ftp$password = arg;
+	
+	else if ( command == "PORT" || command == "EPRT" )
+		{
+		local data = (command == "PORT") ?
+				parse_ftp_port(arg) : parse_eftp_port(arg);
+
+		if ( data$valid )
+			{
+			c$ftp$passive=F;
+			ftp_data_expected[data$h, data$p] = c$ftp;
+			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			}
+		else
+			{
+			# TODO: raise a notice?  does anyone care?
+			}
+		}
+	}
+
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=5
+	{
+	# TODO: figure out what to do with continued FTP response (not used much)
+	#if ( cont_resp ) return;
+
+	local id = c$id;
+	set_ftp_session(c);
+	
+	c$ftp$cmdarg = get_pending_cmd(c$ftp$pending_commands, code, msg);
+	
+	c$ftp$reply_code = code;
+	c$ftp$reply_msg = msg;
+	
+	# TODO: do some sort of generic clear text login processing here.
+	local response_xyz = parse_ftp_reply_code(code);
+	#if ( response_xyz$x == 2 &&  # successful
+	#     session$cmdarg$cmd == "PASS" )
+	#	do_ftp_login(c, session);
+
+	if ( (code == 150 && c$ftp$cmdarg$cmd == "RETR") ||
+	     (code == 213 && c$ftp$cmdarg$cmd == "SIZE") )
+		{
+		# NOTE: This isn't exactly the right thing to do for SIZE since the size
+		#       on a different file could be checked, but the file size will
+		#       be overwritten by the server response to the RETR command
+		#       if that's given as well which would be more correct.
+		c$ftp$file_size = extract_count(msg);
+		}
+		
+	# PASV and EPSV processing
+	else if ( (code == 227 || code == 229) &&
+	          (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") )
+		{
+		local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg);
+		
+		if ( data$valid )
+			{
+			c$ftp$passive=T;
+			
+			if ( code == 229 && data$h == 0.0.0.0 )
+				data$h = id$resp_h;
+			
+			ftp_data_expected[data$h, data$p] = c$ftp;
+			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			}
+		else
+			{
+			# TODO: do something if there was a problem parsing the PASV message?
+			}
+		}
+
+	if ( [c$ftp$cmdarg$cmd, code] in directory_cmds )
+		{
+		if ( c$ftp$cmdarg$cmd == "CWD" )
+			c$ftp$cwd = build_path(c$ftp$cwd, c$ftp$cmdarg$arg);
+
+		else if ( c$ftp$cmdarg$cmd == "CDUP" )
+			c$ftp$cwd = cat(c$ftp$cwd, "/..");
+
+		else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" )
+			c$ftp$cwd = extract_path(msg);
+		}
+	
+	# In case there are multiple commands queued, go ahead and remove the
+	# command here and log because we can't do the normal processing pipeline 
+	# to wait for a new command before logging the command/response pair.
+	if ( |c$ftp$pending_commands| > 1 )
+		{
+		remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg);
+		ftp_message(c$ftp);
+		}
+	}
+
+
+event expected_connection_seen(c: connection, a: count) &priority=10
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
+		add c$service["ftp-data"];
+	}
+
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string) &priority=5
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
+		{
+		local s = ftp_data_expected[id$resp_h, id$resp_p];
+		s$mime_type = split1(mime_type, /;/)[1];
+		s$mime_desc = descr;
+		}
+	}
+	
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string) &priority=-5
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
+		delete ftp_data_expected[id$resp_h, id$resp_p];
+	}
+	
+# Use state remove event to cover connections terminated by RST.
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( ! c?$ftp ) return;
+
+	for ( ca in c$ftp$pending_commands )
+		{
+		c$ftp$cmdarg = c$ftp$pending_commands[ca];
+		ftp_message(c$ftp);
+		}
+	}
diff --git a/scripts/base/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.bro
new file mode 100644
index 0000000000..ddfad3e08d
--- /dev/null
+++ b/scripts/base/protocols/ftp/utils-commands.bro
@@ -0,0 +1,142 @@
+module FTP;
+
+export {
+	type CmdArg: record {
+		## Time when the command was sent.
+		ts:   time;
+		## Command.
+		cmd:  string &default="<unknown>";
+		## Argument for the command if one was given.
+		arg:  string &default="";
+		## Counter to track how many commands have been executed.
+		seq:  count &default=0;
+	};
+	
+	## Structure for tracking pending commands in the event that the client
+	## sends a large number of commands before the server has a chance to 
+	## reply.
+	type PendingCmds: table[count] of CmdArg;
+	
+	## Possible response codes for a wide variety of FTP commands.
+	const cmd_reply_code: set[string, count] = {
+		# According to RFC 959
+		["<init>", [120, 220, 421]],
+		["USER", [230, 331, 332, 421, 530, 500, 501]],
+		["PASS", [230, 202, 332, 421, 530, 500, 501, 503]],
+		["ACCT", [230, 202, 421, 530, 500, 501, 503]],
+		["CWD",  [250, 421, 500, 501, 502, 530, 550]],
+		["CDUP", [200, 250, 421, 500, 501, 502, 530, 550]],
+		["SMNT", [202, 250, 421, 500, 501, 502, 530, 550]],
+		["REIN", [120, 220, 421, 500, 502]],
+		["QUIT", [221, 500]],
+		["PORT", [200, 421, 500, 501, 530]],
+		["PASV", [227, 421, 500, 501, 502, 530]],
+		["MODE", [200, 421, 500, 501, 502, 504, 530]],
+		["TYPE", [200, 421, 500, 501, 504, 530]],
+		["STRU", [200, 421, 500, 501, 504, 530]],
+		["ALLO", [200, 202, 421, 500, 501, 504, 530]],
+		["REST", [200, 350, 421, 500, 501, 502, 530]],
+		["STOR", [110, 125, 150, 226, 250, 421, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 530, 550]],
+		["STOU", [110, 125, 150, 226, 250, 421, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 530, 550]],
+		["RETR", [110, 125, 150, 226, 250, 421, 425, 426, 451, 450, 500, 501, 530, 550]],
+		["LIST", [125, 150, 226, 250, 421, 425, 426, 451, 450, 500, 501, 502, 530, 550]],
+		["NLST", [125, 150, 226, 250, 421, 425, 426, 451, 450, 500, 501, 502, 530, 550]],
+		["APPE", [125, 150, 226, 250, 421, 425, 426, 451, 551, 552, 532, 450, 550, 452, 553, 500, 501, 502, 530]],
+		["RNFR", [350, 421, 450, 550, 500, 501, 502, 530]],
+		["RNTO", [250, 421, 532, 553, 500, 501, 502, 503, 530]],
+		["DELE", [250, 421, 450, 550, 500, 501, 502, 530]],
+		["RMD",  [250, 421, 500, 501, 502, 530, 550]],
+		["MKD",  [257, 421, 500, 501, 502, 530, 550]],
+		["PWD",  [257, 421, 500, 501, 502, 550]],
+		["ABOR", [225, 226, 421, 500, 501, 502]],
+		["SYST", [215, 421, 500, 501, 502, 530]],
+		["STAT", [211, 212, 213, 421, 450, 500, 501, 502, 530]],
+		["HELP", [200, 211, 214, 421, 500, 501, 502]],
+		["SITE", [200, 202, 214, 500, 501, 502, 530]],
+		["NOOP", [200, 421, 500]],
+
+		# Extensions
+		["LPRT", [500, 501, 521]],                # RFC1639
+		["FEAT", [211, 500, 502]],                # RFC2389
+		["OPTS", [200, 451, 501]],                # RFC2389
+		["EPSV", [229, 500, 501]],                # RFC2428
+		["EPRT", [200, 500, 501, 522]],           # RFC2428
+		["SIZE", [213, 500, 501, 550]],           # RFC3659
+		["MDTM", [213, 500, 501, 550]],           # RFC3659
+		["MLST", [150, 226, 250, 500, 501, 550]], # RFC3659
+		["MLSD", [150, 226, 250, 500, 501, 550]], # RFC3659
+		
+		["CLNT", [200, 500]],           # No RFC (indicate client software)
+		["MACB", [200, 500, 550]],      # No RFC (test for MacBinary support)
+
+		["<init>", 0],    # unexpected command-reply pair
+		["<missing>", 0], # unexpected command-reply pair
+		["QUIT", 0],      # unexpected command-reply pair
+	} &redef;
+}
+
+function add_pending_cmd(pc: PendingCmds, cmd: string, arg: string): CmdArg
+	{
+	local ca = [$cmd = cmd, $arg = arg, $seq=|pc|+1, $ts=network_time()];
+	pc[ca$seq] = ca;
+	
+	return ca;
+	}
+
+# Determine which is the best command to match with based on the 
+# response code and message.
+function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): CmdArg
+	{
+	local best_match: CmdArg;
+	local best_seq = 0;
+	local best_score: int = -1;
+
+	for ( cmd_seq in pc )
+		{
+		local cmd = pc[cmd_seq];
+		local score: int = 0;
+		
+		# if the command is compatible with the reply code
+		# code 500 (syntax error) is compatible with all commands
+		if ( reply_code == 500 || [cmd$cmd, reply_code] in cmd_reply_code )
+			score = score + 100;
+		
+		# if the command or the command arg appears in the reply message
+		if ( strstr(reply_msg, cmd$cmd) > 0 )
+			score = score + 20;
+		if ( strstr(reply_msg, cmd$arg) > 0 )
+			score = score + 10;
+		
+		if ( score > best_score ||
+		     ( score == best_score && best_seq > cmd_seq ) ) # break tie with sequence number
+			{
+			best_score = score;
+			best_seq = cmd_seq;
+			best_match = cmd;
+			}
+		}
+
+	#if ( [best_match$cmd, reply_code] !in cmd_reply_code )
+	#	{
+	#	# TODO: maybe do something when best match doesn't have an expected response code?
+	#	}
+	return best_match;
+	}
+
+function remove_pending_cmd(pc: PendingCmds, ca: CmdArg): bool
+	{
+	if ( ca$seq in pc )
+		{
+		delete pc[ca$seq];
+		return T;
+		}
+	else
+		return F;
+	}
+	
+function pop_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): CmdArg
+	{
+	local ca = get_pending_cmd(pc, reply_code, reply_msg);
+	remove_pending_cmd(pc, ca);
+	return ca;
+	}
diff --git a/scripts/base/protocols/http/__load__.bro b/scripts/base/protocols/http/__load__.bro
new file mode 100644
index 0000000000..314f04b872
--- /dev/null
+++ b/scripts/base/protocols/http/__load__.bro
@@ -0,0 +1,5 @@
+@load ./main
+@load ./utils
+@load ./file-ident
+@load ./file-hash
+@load ./file-extract
diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro
new file mode 100644
index 0000000000..466d18c3b4
--- /dev/null
+++ b/scripts/base/protocols/http/file-extract.bro
@@ -0,0 +1,60 @@
+##! Extracts the items from HTTP traffic, one per file.  At this time only 
+##! the message body from the server can be extracted with this script.
+
+@load ./main
+@load ./file-ident
+@load base/utils/files
+
+module HTTP;
+
+export {
+	## Pattern of file mime types to extract from HTTP response entity bodies.
+	const extract_file_types = /NO_DEFAULT/ &redef;
+
+	## The on-disk prefix for files to be extracted from HTTP entity bodies.
+	const extraction_prefix = "http-item" &redef;
+
+	redef record Info += {
+		## On-disk file where the response body was extracted to.
+		extraction_file:  file &log &optional;
+		
+		## Indicates if the response body is to be extracted or not.  Must be 
+		## set before or by the first :bro:id:`http_entity_data` event for the
+		## content.
+		extract_file:     bool &default=F;
+	};
+}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=-5
+	{
+	# Client body extraction is not currently supported in this script.
+	if ( is_orig )
+		return;
+	
+	if ( c$http$first_chunk )
+		{
+		if ( c$http?$mime_type &&
+		     extract_file_types in c$http$mime_type )
+			{
+			c$http$extract_file = T;
+			}
+			
+		if ( c$http$extract_file )
+			{
+			local suffix = fmt("%s_%d.dat", is_orig ? "orig" : "resp", c$http_state$current_response);
+			local fname = generate_extraction_filename(extraction_prefix, c, suffix);
+			
+			c$http$extraction_file = open(fname);
+			enable_raw_output(c$http$extraction_file);
+			}
+		}
+
+	if ( c$http?$extraction_file )
+		print c$http$extraction_file, data;
+	}
+
+event http_end_entity(c: connection, is_orig: bool)
+	{
+	if ( c$http?$extraction_file )
+		close(c$http$extraction_file);
+	}
diff --git a/scripts/base/protocols/http/file-hash.bro b/scripts/base/protocols/http/file-hash.bro
new file mode 100644
index 0000000000..7e8e5cceaf
--- /dev/null
+++ b/scripts/base/protocols/http/file-hash.bro
@@ -0,0 +1,92 @@
+##! Calculate hashes for HTTP body transfers.
+
+@load ./file-ident
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that an MD5 sum was calculated for an HTTP response body.
+		MD5,
+	};
+
+	redef record Info += {
+		## MD5 sum for a file transferred over HTTP calculated from the 
+		## response body.
+		md5:             string   &log &optional;
+		
+		## This value can be set per-transfer to determine per request
+		## if a file should have an MD5 sum generated.  It must be
+		## set to T at the time of or before the first chunk of body data.
+		calc_md5:        bool     &default=F;
+		
+		## Indicates if an MD5 sum is being calculated for the current 
+		## request/response pair.
+		calculating_md5: bool     &default=F;
+	};
+	
+	## Generate MD5 sums for these filetypes.
+	const generate_md5 = /application\/x-dosexec/    # Windows and DOS executables
+	                   | /application\/x-executable/ # *NIX executable binary
+	                   &redef;
+}
+
+## Initialize and calculate the hash.
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
+	{
+	if ( is_orig || ! c?$http ) return;
+	
+	if ( c$http$first_chunk )
+		{
+		if ( c$http$calc_md5 || 
+		     (c$http?$mime_type && generate_md5 in c$http$mime_type) )
+			{
+			c$http$calculating_md5 = T;
+			md5_hash_init(c$id);
+			}
+		}
+	
+	if ( c$http$calculating_md5 )
+		md5_hash_update(c$id, data);
+	}
+	
+## In the event of a content gap during a file transfer, detect the state for
+## the MD5 sum calculation and stop calculating the MD5 since it would be 
+## incorrect anyway.
+event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
+	{
+	if ( is_orig || ! c?$http || ! c$http$calculating_md5 ) return;
+	
+	set_state(c, F, is_orig);
+	c$http$calculating_md5 = F;
+	md5_hash_finish(c$id);
+	}
+
+## When the file finishes downloading, finish the hash and generate a notice.
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=-3
+	{
+	if ( is_orig || ! c?$http ) return;
+	
+	if ( c$http$calculating_md5 )
+		{
+		local url = build_url_http(c$http);
+		c$http$calculating_md5 = F;
+		c$http$md5 = md5_hash_finish(c$id);
+		
+		NOTICE([$note=MD5, $msg=fmt("%s %s %s", c$id$orig_h, c$http$md5, url),
+		        $sub=c$http$md5, $conn=c, $URL=url]);
+		}
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$http_state && 
+	     c$http_state$current_response in c$http_state$pending &&
+	     c$http_state$pending[c$http_state$current_response]$calculating_md5 )
+		{
+		# The MD5 sum isn't going to be saved anywhere since the entire 
+		# body wouldn't have been seen anyway and we'd just be giving an
+		# incorrect MD5 sum.
+		md5_hash_finish(c$id);
+		}
+	}
diff --git a/scripts/base/protocols/http/file-ident.bro b/scripts/base/protocols/http/file-ident.bro
new file mode 100644
index 0000000000..f2cb9d19ac
--- /dev/null
+++ b/scripts/base/protocols/http/file-ident.bro
@@ -0,0 +1,86 @@
+##! Identification of file types in HTTP response bodies with file content sniffing.
+
+@load base/frameworks/signatures
+@load base/frameworks/notice
+@load ./main
+@load ./utils
+
+# Add the magic number signatures to the core signature set.
+redef signature_files += "base/protocols/http/file-ident.sig";
+# Ignore the signatures used to match files
+redef Signatures::ignored_ids += /^matchfile-/;
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates when the file extension doesn't seem to match the file contents.
+		Incorrect_File_Type,
+	};
+
+	redef record Info += {
+		## Mime type of response body identified by content sniffing.
+		mime_type:    string   &log &optional;
+		
+		## Indicates that no data of the current file transfer has been
+		## seen yet.  After the first :bro:id:`http_entity_data` event, it 
+		## will be set to F.
+		first_chunk:     bool &default=T;
+	};
+	
+	## Mapping between mime types and regular expressions for URLs
+	## The :bro:enum:`HTTP::Incorrect_File_Type` notice is generated if the pattern 
+	## doesn't match the mime type that was discovered.
+	const mime_types_extensions: table[string] of pattern = {
+		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
+	} &redef;
+	
+	## A pattern for filtering out :bro:enum:`HTTP::Incorrect_File_Type` urls
+	## that are not noteworthy before a notice is created.  Each
+	## pattern added should match the complete URL (the matched URLs include
+	## "http://" at the beginning).
+	const ignored_incorrect_file_type_urls = /^$/ &redef;
+}
+
+event signature_match(state: signature_state, msg: string, data: string) &priority=5
+	{
+	# Only signatures matching file types are dealt with here.
+	if ( /^matchfile-/ !in state$sig_id ) return;
+
+	local c = state$conn;
+	set_state(c, F, F);
+	
+	# Not much point in any of this if we don't know about the HTTP session.
+	if ( ! c?$http ) return;
+	
+	# Set the mime type that was detected.
+	c$http$mime_type = msg;
+	
+	if ( msg in mime_types_extensions && 
+	     c$http?$uri && mime_types_extensions[msg] !in c$http$uri )
+		{
+		local url = build_url_http(c$http);
+		
+		if ( url == ignored_incorrect_file_type_urls )
+			return;
+		
+		local message = fmt("%s %s %s", msg, c$http$method, url);
+		NOTICE([$note=Incorrect_File_Type,
+		        $msg=message,
+		        $conn=c,
+		        $method=c$http$method,
+		        $URL=url]);
+		}
+	}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
+	{
+	if ( c$http$first_chunk && ! c$http?$mime_type )
+			c$http$mime_type = split1(identify_data(data, T), /;/)[1];
+	}
+	
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=-10
+	{
+	if ( c$http$first_chunk )
+		c$http$first_chunk=F;
+	}
diff --git a/scripts/base/protocols/http/file-ident.sig b/scripts/base/protocols/http/file-ident.sig
new file mode 100644
index 0000000000..971a32bbfc
--- /dev/null
+++ b/scripts/base/protocols/http/file-ident.sig
@@ -0,0 +1,144 @@
+# These signatures are used as a replacement for libmagic.  The signature
+# name needs to start with "matchfile" and the "event" directive takes 
+# the mime type of the file matched by the http-reply-body pattern.
+#
+# Signatures from: http://www.garykessler.net/library/file_sigs.html
+
+signature matchfile-exe {
+	http-reply-body /\x4D\x5A/
+	event "application/x-dosexec"
+}
+
+signature matchfile-elf {
+	http-reply-body /\x7F\x45\x4C\x46/
+	event "application/x-executable"
+}
+
+signature matchfile-script {
+	# This is meant to match the interpreter declaration at the top of many 
+	# interpreted scripts.
+	http-reply-body /\#\![[:blank:]]?\//
+	event "application/x-script"
+}
+
+signature matchfile-wmv {
+	http-reply-body /\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C/
+	event "video/x-ms-wmv"
+}
+
+signature matchfile-flv {
+	http-reply-body /\x46\x4C\x56\x01/
+	event "video/x-flv"
+}
+
+signature matchfile-swf {
+	http-reply-body /[\x46\x43]\x57\x53/
+	event "application/x-shockwave-flash"
+}
+
+signature matchfile-jar {
+	http-reply-body /\x5F\x27\xA8\x89/
+	event "application/java-archive"
+}
+
+signature matchfile-class {
+	http-reply-body /\xCA\xFE\xBA\xBE/
+	event "application/java-byte-code"
+}
+
+signature matchfile-msoffice-2007 {
+	# MS Office 2007 XML documents
+	http-reply-body /\x50\x4B\x03\x04\x14\x00\x06\x00/
+	event "application/msoffice"
+}
+
+signature matchfile-msoffice {
+	# Older MS Office files
+	http-reply-body /\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1/
+	event "application/msoffice"
+}
+
+signature matchfile-rtf {
+	http-reply-body /\x7B\x5C\x72\x74\x66\x31/
+	event "application/rtf"
+}
+
+signature matchfile-lnk {
+	http-reply-body /\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
+	event "application/x-ms-shortcut"
+}
+
+signature matchfile-torrent {
+	http-reply-body /\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65/
+	event "application/x-bittorrent"
+}
+
+signature matchfile-pdf {
+	http-reply-body /\x25\x50\x44\x46/
+	event "application/pdf"
+}
+
+signature matchfile-html {
+	http-reply-body /<[hH][tT][mM][lL]/
+	event "text/html"
+}
+
+signature matchfile-html2 {
+	http-reply-body /<![dD][oO][cC][tT][yY][pP][eE][[:blank:]][hH][tT][mM][lL]/
+	event "text/html"
+}
+
+signature matchfile-xml {
+	http-reply-body /<\??[xX][mM][lL]/
+	event "text/xml"
+}
+
+signature matchfile-gif {
+	http-reply-body /\x47\x49\x46\x38[\x37\x39]\x61/
+	event "image/gif"
+}
+
+signature matchfile-jpg {
+	http-reply-body /\xFF\xD8\xFF[\xDB\xE0\xE1\xE2\xE3\xE8]..[\x4A\x45\x53][\x46\x78\x50][\x49\x69][\x46\x66]/
+	event "image/jpeg"
+}
+
+signature matchfile-tiff {
+	http-reply-body /\x4D\x4D\x00[\x2A\x2B]/
+	event "image/tiff"
+}
+
+signature matchfile-png {
+	http-reply-body /\x89\x50\x4e\x47/
+	event "image/png"
+}
+
+signature matchfile-zip {
+	http-reply-body /\x50\x4B\x03\x04/
+	event "application/zip"
+}
+
+signature matchfile-bzip {
+	http-reply-body /\x42\x5A\x68/
+	event "application/bzip2"
+}
+
+signature matchfile-gzip {
+	http-reply-body /\x1F\x8B\x08/
+	event "application/x-gzip"
+}
+
+signature matchfile-cab {
+	http-reply-body /\x4D\x53\x43\x46/
+	event "application/vnd.ms-cab-compressed"
+}
+
+signature matchfile-rar {
+	http-reply-body /\x52\x61\x72\x21\x1A\x07\x00/
+	event "application/x-rar-compressed"
+}
+
+signature matchfile-7z {
+	http-reply-body /\x37\x7A\xBC\xAF\x27\x1C/
+	event "application/x-7z-compressed"
+}
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
new file mode 100644
index 0000000000..6571548145
--- /dev/null
+++ b/scripts/base/protocols/http/main.bro
@@ -0,0 +1,299 @@
+##! Implements base functionality for HTTP analysis.  The logging model is 
+##! to log request/response pairs and all relevant metadata together in 
+##! a single record.
+
+@load base/utils/numbers
+@load base/utils/files
+
+module HTTP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## Indicate a type of attack or compromise in the record to be logged.
+	type Tags: enum {
+		## Placeholder.
+		EMPTY
+	};
+	
+	## This setting changes if passwords used in Basic-Auth are captured or not.
+	const default_capture_password = F &redef;
+	
+	type Info: record {
+		## Timestamp for when the request happened.
+		ts:                      time      &log;
+		uid:                     string    &log;
+		id:                      conn_id   &log;
+		## Represents the pipelined depth into the connection of this 
+		## request/response transaction.
+		trans_depth:             count     &log;
+		## Verb used in the HTTP request (GET, POST, HEAD, etc.).
+		method:                  string    &log &optional;
+		## Value of the HOST header.
+		host:                    string    &log &optional;
+		## URI used in the request.
+		uri:                     string    &log &optional;
+		## Value of the "referer" header.  The comment is deliberately
+		## misspelled like the standard declares, but the name used here is
+		## "referrer" spelled correctly.
+		referrer:                string    &log &optional;
+		## Value of the User-Agent header from the client.
+		user_agent:              string    &log &optional;
+		## Actual uncompressed content size of the data transferred from
+		## the client.
+		request_body_len:        count     &log &default=0;
+		## Actual uncompressed content size of the data transferred from
+		## the server.
+		response_body_len:       count     &log &default=0;
+		## Status code returned by the server.
+		status_code:             count     &log &optional;
+		## Status message returned by the server.
+		status_msg:              string    &log &optional;
+		## Last seen 1xx informational reply code returned by the server.
+		info_code:               count     &log &optional;
+		## Last seen 1xx informational reply message returned by the server.
+		info_msg:                string    &log &optional;
+		## Filename given in the Content-Disposition header sent by the server.
+		filename:                string    &log &optional;
+		## A set of indicators of various attributes discovered and
+		## related to a particular request/response pair.
+		tags:                    set[Tags] &log;
+		
+		## Username if basic-auth is performed for the request.
+		username:                string    &log &optional;
+		## Password if basic-auth is performed for the request.
+		password:                string    &log &optional;
+		
+		## Determines if the password will be captured for this request.
+		capture_password:        bool      &default=default_capture_password;
+		
+		## All of the headers that may indicate if the request was proxied.
+		proxied:                 set[string] &log &optional;
+	};
+	
+	## Structure to maintain state for an HTTP connection with multiple 
+	## requests and responses.
+	type State: record {
+		## Pending requests.
+		pending:          table[count] of Info;
+		## Current request in the pending queue.
+		current_request:  count                &default=0;
+		## Current response in the pending queue.
+		current_response: count                &default=0;
+	};
+		
+	## A list of HTTP headers typically used to indicate proxied requests.
+	const proxy_headers: set[string] = {
+		"FORWARDED",
+		"X-FORWARDED-FOR",
+		"X-FORWARDED-FROM",
+		"CLIENT-IP",
+		"VIA",
+		"XROXY-CONNECTION",
+		"PROXY-CONNECTION",
+	} &redef;
+	
+	## Event that can be handled to access the HTTP record as it is sent on 
+	## to the logging framework.
+	global log_http: event(rec: Info);
+}
+
+# Add the http state tracking fields to the connection record.
+redef record connection += {
+	http:        Info  &optional;
+	http_state:  State &optional;
+};
+
+# Initialize the HTTP logging stream.
+event bro_init() &priority=5
+	{
+	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
+	}
+
+# DPD configuration.
+const ports = {
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+	8000/tcp, 8080/tcp, 8888/tcp,
+};
+redef dpd_config += { 
+	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
+};
+redef capture_filters +=  {
+	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
+};
+
+redef likely_server_ports += { 
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+	8000/tcp, 8080/tcp, 8888/tcp,
+};
+
+function code_in_range(c: count, min: count, max: count) : bool
+	{
+	return c >= min && c <= max;
+	}
+
+function new_http_session(c: connection): Info
+	{
+	local tmp: Info;
+	tmp$ts=network_time();
+	tmp$uid=c$uid;
+	tmp$id=c$id;
+	# $current_request is set prior to the Info record creation so we 
+	# can use the value directly here.
+	tmp$trans_depth = c$http_state$current_request;
+	return tmp;
+	}
+	
+function set_state(c: connection, request: bool, is_orig: bool)
+	{
+	if ( ! c?$http_state )
+		{
+		local s: State;
+		c$http_state = s;
+		}
+		
+	# These deal with new requests and responses.
+	if ( request || c$http_state$current_request !in c$http_state$pending )
+		c$http_state$pending[c$http_state$current_request] = new_http_session(c);
+	if ( ! is_orig && c$http_state$current_response !in c$http_state$pending )
+		c$http_state$pending[c$http_state$current_response] = new_http_session(c);
+	
+	if ( is_orig )
+		c$http = c$http_state$pending[c$http_state$current_request];
+	else
+		c$http = c$http_state$pending[c$http_state$current_response];
+	}
+	
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) &priority=5
+	{
+	if ( ! c?$http_state )
+		{
+		local s: State;
+		c$http_state = s;
+		}
+	
+	++c$http_state$current_request;
+	set_state(c, T, T);
+	
+	c$http$method = method;
+	c$http$uri = unescaped_URI;
+	}
+	
+event http_reply(c: connection, version: string, code: count, reason: string) &priority=5
+	{
+	if ( ! c?$http_state )
+		{
+		local s: State;
+		c$http_state = s;
+		}
+	
+	# If the last response was an informational 1xx, we're still expecting
+	# the real response to the request, so don't create a new Info record yet.
+	if ( c$http_state$current_response !in c$http_state$pending ||
+	     (c$http_state$pending[c$http_state$current_response]?$status_code &&
+	       ! code_in_range(c$http_state$pending[c$http_state$current_response]$status_code, 100, 199)) )
+		++c$http_state$current_response;
+	set_state(c, F, F);
+	
+	c$http$status_code = code;
+	c$http$status_msg = reason;
+	if ( code_in_range(code, 100, 199) )
+		{
+		c$http$info_code = code;
+		c$http$info_msg = reason;
+		}
+	}
+	
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
+	{
+	set_state(c, F, is_orig);
+	
+	if ( is_orig ) # client headers
+		{
+		if ( name == "REFERER" )
+			c$http$referrer = value;
+		
+		else if ( name == "HOST" )
+			# The split is done to remove the occasional port value that shows up here.
+			c$http$host = split1(value, /:/)[1];
+		
+		else if ( name == "USER-AGENT" )
+			c$http$user_agent = value;
+		
+		else if ( name in proxy_headers )
+				{
+				if ( ! c$http?$proxied )
+					c$http$proxied = set();
+				add c$http$proxied[fmt("%s -> %s", name, value)];
+				}
+		
+		else if ( name == "AUTHORIZATION" )
+			{
+			if ( /^[bB][aA][sS][iI][cC] / in value )
+				{
+				local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, ""));
+				local up = split(userpass, /:/);
+				if ( |up| >= 2 )
+					{
+					c$http$username = up[1];
+					if ( c$http$capture_password )
+						c$http$password = up[2];
+					}
+				else
+					{
+					c$http$username = fmt("<problem-decoding> (%s)", value);
+					if ( c$http$capture_password )
+						c$http$password = userpass;
+					}
+				}
+			}
+		}
+	
+	else # server headers
+		{
+		if ( name == "CONTENT-DISPOSITION" &&
+		     /[fF][iI][lL][eE][nN][aA][mM][eE]/ in value )
+			c$http$filename = extract_filename_from_content_disposition(value);
+		}
+	}
+	
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5
+	{
+	set_state(c, F, is_orig);
+	
+	if ( is_orig )
+		c$http$request_body_len = stat$body_length;
+	else
+		c$http$response_body_len = stat$body_length;
+	}
+	
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = -5
+	{
+	# The reply body is done so we're ready to log.
+	if ( ! is_orig )
+		{
+		# If the response was an informational 1xx, we're still expecting
+		# the real response later, so we'll continue using the same record.
+		if ( ! (c$http?$status_code && code_in_range(c$http$status_code, 100, 199)) )
+			{
+			Log::write(HTTP::LOG, c$http);
+			delete c$http_state$pending[c$http_state$current_response];
+			}
+		}
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	# Flush all pending but incomplete request/response pairs.
+	if ( c?$http_state )
+		{
+		for ( r in c$http_state$pending )
+			{
+			# We don't use pending elements at index 0.
+			if ( r == 0 ) next;
+			Log::write(HTTP::LOG, c$http_state$pending[r]);
+			}
+		}
+	}
+	
diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro
new file mode 100644
index 0000000000..0f2666fade
--- /dev/null
+++ b/scripts/base/protocols/http/utils.bro
@@ -0,0 +1,63 @@
+##! Utilities specific for HTTP processing.
+
+@load ./main
+
+module HTTP;
+
+export {
+	## Given a string containing a series of key-value pairs separated by "=",
+	## this function can be used to parse out all of the key names.
+	##
+	## data: The raw data, such as a URL or cookie value.
+	##
+	## kv_splitter: A regular expression representing the separator between
+	##              key-value pairs.
+	##
+	## Returns: A vector of strings containing the keys.
+	global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
+	
+	## Creates a URL from an :bro:type:`HTTP::Info` record.  This should handle
+	## edge cases such as proxied requests appropriately.
+	##
+	## rec: An :bro:type:`HTTP::Info` record.
+	##
+	## Returns: A URL, not prefixed by "http://".
+	global build_url: function(rec: Info): string;
+	
+	## Creates a URL from an :bro:type:`HTTP::Info` record.  This should handle
+	## edge cases such as proxied requests appropriately.
+	##
+	## rec: An :bro:type:`HTTP::Info` record.
+	##
+	## Returns: A URL prefixed with "http://".
+	global build_url_http: function(rec: Info): string;
+}
+
+
+function extract_keys(data: string, kv_splitter: pattern): string_vec
+	{
+	local key_vec: vector of string = vector();
+	
+	local parts = split(data, kv_splitter);
+	for ( part_index in parts )
+		{
+		local key_val = split1(parts[part_index], /=/);
+		if ( 1 in key_val )
+			key_vec[|key_vec|] = key_val[1];
+		}
+	return key_vec;
+	}
+
+function build_url(rec: Info): string
+	{
+	local uri  = rec?$uri ? rec$uri : "/<missed_request>";
+	local host = rec?$host ? rec$host : fmt("%s", rec$id$resp_h);
+	if ( rec$id$resp_p != 80/tcp )
+		host = fmt("%s:%s", host, rec$id$resp_p);
+	return fmt("%s%s", host, uri);
+	}
+	
+function build_url_http(rec: Info): string
+	{
+	return fmt("http://%s", build_url(rec));
+	}
diff --git a/scripts/base/protocols/irc/__load__.bro b/scripts/base/protocols/irc/__load__.bro
new file mode 100644
index 0000000000..240e1487c3
--- /dev/null
+++ b/scripts/base/protocols/irc/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load ./dcc-send
\ No newline at end of file
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
new file mode 100644
index 0000000000..d07a0edf5a
--- /dev/null
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -0,0 +1,116 @@
+##! File extraction and introspection for DCC transfers over IRC.
+##!
+##! There is a major problem with this script in the cluster context because
+##! we might see A send B a message that a DCC connection is to be expected,
+##! but that connection will actually be between B and C which could be 
+##! analyzed on a different worker.
+##!
+
+# Example line from IRC server indicating that the DCC SEND is about to start:
+#    PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
+
+@load ./main
+@load base/utils/files
+
+module IRC;
+
+export {
+	## Pattern of file mime types to extract from IRC DCC file transfers.
+	const extract_file_types = /NO_DEFAULT/ &redef;
+
+	## On-disk prefix for files to be extracted from IRC DCC file transfers.
+	const extraction_prefix = "irc-dcc-item" &redef;
+
+	redef record Info += {
+		## DCC filename requested.
+		dcc_file_name:         string &log &optional;
+		## Size of the DCC transfer as indicated by the sender.
+		dcc_file_size:         count  &log &optional;
+		## Sniffed mime type of the file.
+		dcc_mime_type:         string &log &optional;
+		
+		## The file handle for the file to be extracted
+		extraction_file:       file &log &optional;
+		
+		## A boolean to indicate if the current file transfer should be extracted.
+		extract_file:          bool &default=F;
+		
+		## The count of the number of file that have been extracted during the session.
+		num_extracted_files:   count &default=0;
+	};
+}
+
+global dcc_expected_transfers: table[addr, port] of Info = table();
+
+event file_transferred(c: connection, prefix: string, descr: string,
+                       mime_type: string) &priority=3
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] !in dcc_expected_transfers )
+		return;
+		
+	local irc = dcc_expected_transfers[id$resp_h, id$resp_p];
+	
+	irc$dcc_mime_type = split1(mime_type, /;/)[1];
+
+	if ( extract_file_types == irc$dcc_mime_type )
+		{
+		irc$extract_file = T;
+		}
+		
+	if ( irc$extract_file )
+		{
+		local suffix = fmt("%d.dat", ++irc$num_extracted_files);
+		local fname = generate_extraction_filename(extraction_prefix, c, suffix);
+		irc$extraction_file = open(fname);
+		}
+	}
+
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string) &priority=-4
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] !in dcc_expected_transfers )
+		return;
+
+	local irc = dcc_expected_transfers[id$resp_h, id$resp_p];
+
+	local tmp = irc$command;
+	irc$command = "DCC";
+	Log::write(IRC::LOG, irc);
+	irc$command = tmp;
+
+	if ( irc?$extraction_file )
+		set_contents_file(id, CONTENTS_RESP, irc$extraction_file);
+
+	# Delete these values in case another DCC transfer 
+	# happens during the IRC session.
+	delete irc$extract_file;
+	delete irc$extraction_file;
+	delete irc$dcc_file_name;
+	delete irc$dcc_file_size;
+	delete irc$dcc_mime_type;
+	delete dcc_expected_transfers[id$resp_h, id$resp_p];
+	}
+
+event irc_dcc_message(c: connection, is_orig: bool,
+			prefix: string, target: string,
+			dcc_type: string, argument: string,
+			address: addr, dest_port: count, size: count) &priority=5
+	{
+	set_session(c);
+	if ( dcc_type != "SEND" )
+            return;
+	c$irc$dcc_file_name = argument;
+	c$irc$dcc_file_size = size;
+	local p = count_to_port(dest_port, tcp);
+	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
+	dcc_expected_transfers[address, p] = c$irc;
+	}
+
+event expected_connection_seen(c: connection, a: count) &priority=10
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in dcc_expected_transfers )
+		add c$service["irc-dcc-data"];
+	}
diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro
new file mode 100644
index 0000000000..2bf2a9bbb9
--- /dev/null
+++ b/scripts/base/protocols/irc/main.bro
@@ -0,0 +1,130 @@
+##! Implements the core IRC analysis support.  The logging model is to log
+##! IRC commands along with the associated response and some additional 
+##! metadata about the connection if it's available.
+
+module IRC;
+
+export {
+	
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp when the command was seen.
+		ts:       time        &log;
+		uid:      string      &log;
+		id:       conn_id     &log;
+		## Nick name given for the connection.
+		nick:     string      &log &optional;
+		## User name given for the connection.
+		user:     string      &log &optional;
+		
+		## Command given by the client.
+		command:  string      &log &optional;
+		## Value for the command given by the client.
+		value:    string      &log &optional;
+		## Any additional data for the command.
+		addl:     string      &log &optional;
+	};
+	
+	## Event that can be handled to access the IRC record as it is sent on 
+	## to the logging framework.
+	global irc_log: event(rec: Info);
+}
+
+redef record connection += {
+	## IRC session information.
+	irc:  Info &optional;
+};
+
+# Some common IRC ports.
+redef capture_filters += { ["irc-6666"] = "port 6666" };
+redef capture_filters += { ["irc-6667"] = "port 6667" };
+redef capture_filters += { ["irc-6668"] = "port 6668" };
+redef capture_filters += { ["irc-6669"] = "port 6669" };
+
+# DPD configuration.
+const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
+
+redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]);
+	}
+	
+function new_session(c: connection): Info
+	{
+	local info: Info;
+	info$ts = network_time();
+	info$uid = c$uid;
+	info$id = c$id;
+	return info;
+	}
+	
+function set_session(c: connection)
+	{
+	if ( ! c?$irc )
+		c$irc = new_session(c);
+		
+	c$irc$ts=network_time();
+	}
+
+event irc_nick_message(c: connection, is_orig: bool, who: string, newnick: string) &priority=5
+	{
+	set_session(c);
+	if ( is_orig )
+		{
+		c$irc$command = "NICK";
+		c$irc$value = newnick;
+		}
+	}
+
+event irc_nick_message(c: connection, is_orig: bool, who: string, newnick: string) &priority=-5
+	{
+	if ( is_orig )
+		{
+		Log::write(IRC::LOG, c$irc);
+		c$irc$nick  = newnick;
+		}
+	}
+
+event irc_user_message(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string) &priority=5
+	{
+	set_session(c);
+	if ( is_orig )
+		{
+		c$irc$command = "USER";
+		c$irc$value = user;
+		c$irc$addl=fmt("%s %s %s", host, server, real_name);
+		}
+	}
+
+event irc_user_message(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string) &priority=-5
+	{
+	if ( is_orig )
+		{
+		Log::write(IRC::LOG, c$irc);
+		c$irc$user = user;
+		}
+	}
+
+event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list) &priority=5
+	{
+	set_session(c);
+	if ( is_orig )
+		c$irc$command = "JOIN";
+	}
+
+event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list) &priority=-5
+	{
+	if ( is_orig )
+		{
+		for ( l in info_list )
+			{
+			c$irc$value = l$channel;
+			c$irc$addl = (l$password != "" ? fmt(" with channel key: '%s'", l$password) : "");
+			Log::write(IRC::LOG, c$irc);
+			}
+		}
+	}
diff --git a/scripts/base/protocols/smtp/__load__.bro b/scripts/base/protocols/smtp/__load__.bro
new file mode 100644
index 0000000000..b4f089eaf4
--- /dev/null
+++ b/scripts/base/protocols/smtp/__load__.bro
@@ -0,0 +1,3 @@
+@load ./main
+@load ./entities
+@load ./entities-excerpt
\ No newline at end of file
diff --git a/scripts/base/protocols/smtp/entities-excerpt.bro b/scripts/base/protocols/smtp/entities-excerpt.bro
new file mode 100644
index 0000000000..701ed76399
--- /dev/null
+++ b/scripts/base/protocols/smtp/entities-excerpt.bro
@@ -0,0 +1,52 @@
+##! This script is for optionally adding a body excerpt to the SMTP
+##! entities log.
+
+@load ./entities
+
+module SMTP;
+
+export {
+	redef record SMTP::EntityInfo += {
+		## The entity body excerpt.
+		excerpt:    string &log &default="";
+		
+		## Internal tracking to know how much of the body should be included
+		## in the excerpt.
+		excerpt_len: count &optional;
+	};
+	
+	## This is the default value for how much of the entity body should be
+	## included for all MIME entities.
+	const default_entity_excerpt_len = 0 &redef;
+	
+	## This table defines how much of various entity bodies should be 
+	## included in excerpts.
+	const entity_excerpt_len: table[string] of count = {} 
+		&redef
+		&default = default_entity_excerpt_len;
+}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=-1
+	{
+	if ( ! c?$smtp ) return;
+	
+	if ( c$smtp$current_entity$content_len == 0 )
+		c$smtp$current_entity$excerpt_len = entity_excerpt_len[c$smtp$current_entity$mime_type];
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=-2
+	{
+	if ( ! c?$smtp ) return;
+	
+	local ent = c$smtp$current_entity;
+	if ( ent$content_len < ent$excerpt_len )
+		{
+		if ( ent$content_len + length < ent$excerpt_len )
+			ent$excerpt = cat(ent$excerpt, data);
+		else
+			{
+			local x_bytes = ent$excerpt_len - ent$content_len;
+			ent$excerpt = cat(ent$excerpt, sub_bytes(data, 1, x_bytes));
+			}
+		}
+	}
diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro
new file mode 100644
index 0000000000..e158d045e0
--- /dev/null
+++ b/scripts/base/protocols/smtp/entities.bro
@@ -0,0 +1,239 @@
+##! Analysis and logging for MIME entities found in SMTP sessions.
+
+@load base/utils/strings
+@load base/utils/files
+@load ./main
+
+module SMTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that an MD5 sum was calculated for a MIME message.
+		MD5,
+	};
+
+	redef enum Log::ID += { ENTITIES_LOG };
+
+	type EntityInfo: record {
+		## This is the timestamp of when the MIME content transfer began.
+		ts:               time    &log;
+		uid:              string  &log;
+		id:               conn_id &log;
+		## A count to represent the depth of this message transaction in a 
+		## single connection where multiple messages were transferred.
+		trans_depth:      count  &log;
+		## The filename seen in the Content-Disposition header.
+		filename:         string  &log &optional;
+		## Track how many bytes of the MIME encoded file have been seen.
+		content_len:      count   &log &default=0;
+		## The mime type of the entity discovered through magic bytes identification.
+		mime_type:        string  &log &optional;
+		
+		## The calculated MD5 sum for the MIME entity.
+		md5:              string  &log &optional;
+		## Optionally calculate the file's MD5 sum.  Must be set prior to the 
+		## first data chunk being see in an event.
+		calc_md5:         bool    &default=F;
+		## This boolean value indicates if an MD5 sum is being calculated 
+		## for the current file transfer.
+		calculating_md5:  bool    &default=F;
+		
+		## Optionally write the file to disk.  Must be set prior to first 
+		## data chunk being seen in an event.
+		extract_file:     bool    &default=F;
+		## Store the file handle here for the file currently being extracted.
+		extraction_file:  file    &log &optional;
+	};
+
+	redef record Info += {
+		## The in-progress entity information.
+		current_entity:   EntityInfo &optional;
+	};
+
+	redef record State += {
+		## Store a count of the number of files that have been transferred in
+		## a conversation to create unique file names on disk.
+		num_extracted_files:  count   &default=0;
+		## Track the number of MIME encoded files transferred during a session.
+		mime_level:           count   &default=0;
+	};
+
+	## Generate MD5 sums for these filetypes.
+	const generate_md5 = /application\/x-dosexec/    # Windows and DOS executables
+	                   | /application\/x-executable/ # *NIX executable binary
+	                   &redef;
+
+	## Pattern of file mime types to extract from MIME bodies.
+	const extract_file_types = /NO_DEFAULT/ &redef;
+
+	## The on-disk prefix for files to be extracted from MIME entity bodies.
+	const extraction_prefix = "smtp-entity" &redef;
+
+	## If set, never generate MD5s. This is mainly for testing purposes to create
+	## reproducable output in the case that the decision whether to create
+	## checksums depends on environment specifics.
+	const never_calc_md5 = F &redef;
+
+	global log_mime: event(rec: EntityInfo);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(SMTP::ENTITIES_LOG, [$columns=EntityInfo, $ev=log_mime]);
+	}
+
+function set_session(c: connection, new_entity: bool)
+	{
+	if ( ! c$smtp?$current_entity || new_entity )
+		{
+		local info: EntityInfo;
+		info$ts=network_time();
+		info$uid=c$uid;
+		info$id=c$id;
+		info$trans_depth=c$smtp$trans_depth;
+		
+		c$smtp$current_entity = info;
+		++c$smtp_state$mime_level;
+		}
+	}
+
+event mime_begin_entity(c: connection) &priority=10
+	{
+	if ( ! c?$smtp ) return;
+	
+	set_session(c, T);
+	}
+
+# This has priority -10 because other handlers need to know the current
+# content_len before it's updated by this handler.
+event mime_segment_data(c: connection, length: count, data: string) &priority=-10
+	{
+	if ( ! c?$smtp ) return;
+	
+	c$smtp$current_entity$content_len = c$smtp$current_entity$content_len + length;
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=7
+    {
+	if ( ! c?$smtp ) return;
+	if ( c$smtp$current_entity$content_len == 0 )
+		c$smtp$current_entity$mime_type = split1(identify_data(data, T), /;/)[1];
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=-5
+	{
+	if ( ! c?$smtp ) return;
+
+	if ( c$smtp$current_entity$content_len == 0 )
+		{
+		if ( generate_md5 in c$smtp$current_entity$mime_type && ! never_calc_md5 )
+			c$smtp$current_entity$calc_md5 = T;
+
+		if ( c$smtp$current_entity$calc_md5 )
+			{
+			c$smtp$current_entity$calculating_md5 = T;
+			md5_hash_init(c$id);
+			}
+		}
+
+	if ( c$smtp$current_entity$calculating_md5 )
+		md5_hash_update(c$id, data);
+}
+
+## In the event of a content gap during the MIME transfer, detect the state for
+## the MD5 sum calculation and stop calculating the MD5 since it would be
+## incorrect anyway.
+event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
+	{
+	if ( is_orig || ! c?$smtp || ! c$smtp?$current_entity ) return;
+
+	if ( c$smtp$current_entity$calculating_md5 )
+		{
+		c$smtp$current_entity$calculating_md5 = F;
+		md5_hash_finish(c$id);
+		}
+	}
+
+event mime_end_entity(c: connection) &priority=-3
+    {
+	# TODO: this check is only due to a bug in mime_end_entity that
+	#       causes the event to be generated twice for the same real event.
+	if ( ! c?$smtp || ! c$smtp?$current_entity )
+		return;
+
+	if ( c$smtp$current_entity$calculating_md5 )
+		{
+		c$smtp$current_entity$md5 = md5_hash_finish(c$id);
+
+		NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h),
+				$sub=c$smtp$current_entity$md5, $conn=c]);
+		}
+	}
+
+event mime_one_header(c: connection, h: mime_header_rec)
+	{
+	if ( ! c?$smtp ) return;
+	
+	if ( h$name == "CONTENT-DISPOSITION" &&
+	     /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value )
+		c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
+	}
+
+event mime_end_entity(c: connection) &priority=-5
+	{
+	if ( ! c?$smtp ) return;
+
+	# This check and the delete below are just to cope with a bug where
+	# mime_end_entity can be generated multiple times for the same event.
+	if ( ! c$smtp?$current_entity )
+		return;
+
+	# Only log is there was some content.
+	if ( c$smtp$current_entity$content_len > 0 )
+		Log::write(SMTP::ENTITIES_LOG, c$smtp$current_entity);
+
+	delete c$smtp$current_entity;
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=5
+	{
+	if ( ! c?$smtp ) return;
+	
+	if ( extract_file_types in c$smtp$current_entity$mime_type )
+		c$smtp$current_entity$extract_file = T;
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=3
+	{
+	if ( ! c?$smtp ) return;
+	
+	if ( c$smtp$current_entity$extract_file && 
+	     c$smtp$current_entity$content_len == 0 )
+		{
+		local suffix = fmt("%d.dat", ++c$smtp_state$num_extracted_files);
+		local fname = generate_extraction_filename(extraction_prefix, c, suffix);
+		c$smtp$current_entity$extraction_file = open(fname);
+		enable_raw_output(c$smtp$current_entity$extraction_file);
+		}
+	}
+
+event mime_segment_data(c: connection, length: count, data: string) &priority=-5
+	{
+	if ( ! c?$smtp ) return;
+	
+	if ( c$smtp$current_entity$extract_file && c$smtp$current_entity?$extraction_file )
+		print c$smtp$current_entity$extraction_file, data;
+	}
+
+event mime_end_entity(c: connection) &priority=-3
+	{
+	if ( ! c?$smtp ) return;
+	
+	# TODO: this check is only due to a bug in mime_end_entity that
+	#       causes the event to be generated twice for the same real event.
+	if ( ! c$smtp?$current_entity )
+		return;
+
+	if ( c$smtp$current_entity?$extraction_file )
+		close(c$smtp$current_entity$extraction_file);
+	}
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
new file mode 100644
index 0000000000..513b85e342
--- /dev/null
+++ b/scripts/base/protocols/smtp/main.bro
@@ -0,0 +1,257 @@
+@load base/frameworks/notice
+@load base/utils/addrs
+@load base/utils/directions-and-hosts
+
+module SMTP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts:                time            &log;
+		uid:               string          &log;
+		id:                conn_id         &log;
+		## This is a number that indicates the number of messages deep into
+		## this connection where this particular message was transferred.
+		trans_depth:       count           &log;
+		helo:              string          &log &optional;
+		mailfrom:          string          &log &optional;
+		rcptto:            set[string]     &log &optional;
+		date:              string          &log &optional;
+		from:              string          &log &optional;
+		to:                set[string]     &log &optional;
+		reply_to:          string          &log &optional;
+		msg_id:            string          &log &optional;
+		in_reply_to:       string          &log &optional;
+		subject:           string          &log &optional;
+		x_originating_ip:  addr            &log &optional;
+		first_received:    string          &log &optional;
+		second_received:   string          &log &optional;
+		## The last message the server sent to the client.
+		last_reply:        string          &log &optional;
+		path:              vector of addr  &log &optional;
+		user_agent:        string          &log &optional;
+		
+		## Indicate if the "Received: from" headers should still be processed.
+		process_received_from: bool        &default=T;
+		## Indicates if client activity has been seen, but not yet logged
+		has_client_activity:  bool            &default=F;
+	};
+	
+	type State: record {
+		helo:                     string    &optional;
+		## Count the number of individual messages transmitted during this 
+		## SMTP session.  Note, this is not the number of recipients, but the
+		## number of message bodies transferred.
+		messages_transferred:     count     &default=0;
+		
+		pending_messages:         set[Info] &optional;
+	};
+	
+	## Direction to capture the full "Received from" path.
+	##    REMOTE_HOSTS - only capture the path until an internal host is found.
+	##    LOCAL_HOSTS - only capture the path until the external host is discovered.
+	##    ALL_HOSTS - always capture the entire path.
+	##    NO_HOSTS - never capture the path.
+	const mail_path_capture = ALL_HOSTS &redef;
+		
+	global log_smtp: event(rec: Info);
+	
+	## Configure the default ports for SMTP analysis.
+	const ports = { 25/tcp, 587/tcp } &redef;
+}
+
+redef record connection += { 
+	smtp:       Info  &optional;
+	smtp_state: State &optional;
+};
+
+# Configure DPD
+redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
+redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
+
+redef likely_server_ports += { 25/tcp, 587/tcp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
+	}
+	
+function find_address_in_smtp_header(header: string): string
+{
+	local ips = find_ip_addresses(header);
+	# If there are more than one IP address found, return the second.
+	if ( |ips| > 1 )
+		return ips[1];
+	# Otherwise, return the first.
+	else if ( |ips| > 0 )
+		return ips[0];
+	# Otherwise, there wasn't an IP address found.
+	else
+		return "";
+}
+
+function new_smtp_log(c: connection): Info
+	{
+	local l: Info;
+	l$ts=network_time();
+	l$uid=c$uid;
+	l$id=c$id;
+	# The messages_transferred count isn't incremented until the message is 
+	# finished so we need to increment the count by 1 here.
+	l$trans_depth = c$smtp_state$messages_transferred+1;
+	
+	if ( c$smtp_state?$helo )
+		l$helo = c$smtp_state$helo;
+	
+	# The path will always end with the hosts involved in this connection.
+	# The lower values in the vector are the end of the path.
+	l$path = vector(c$id$resp_h, c$id$orig_h);
+	
+	return l;
+	}
+
+function set_smtp_session(c: connection)
+	{
+	if ( ! c?$smtp_state )
+		c$smtp_state = [];
+	
+	if ( ! c?$smtp )
+		c$smtp = new_smtp_log(c);
+	}
+
+function smtp_message(c: connection)
+	{
+	if ( c$smtp$has_client_activity )
+		Log::write(SMTP::LOG, c$smtp);
+	}
+	
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
+	{
+	set_smtp_session(c);
+	local upper_command = to_upper(command);
+
+	if ( upper_command != "QUIT" )
+		c$smtp$has_client_activity = T;
+	
+	if ( upper_command == "HELO" || upper_command == "EHLO" )
+		{
+		c$smtp_state$helo = arg;
+		c$smtp$helo = arg;
+		}
+
+	else if ( upper_command == "RCPT" && /^[tT][oO]:/ in arg )
+		{
+		if ( ! c$smtp?$rcptto ) 
+			c$smtp$rcptto = set();
+		add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]];
+		}
+
+	else if ( upper_command == "MAIL" && /^[fF][rR][oO][mM]:/ in arg )
+		{
+		local partially_done = split1(arg, /:[[:blank:]]*/)[2];
+		c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1];
+		}
+	}
+	
+event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
+                 msg: string, cont_resp: bool) &priority=5
+	{
+	set_smtp_session(c);
+	
+	# This continually overwrites, but we want the last reply,
+	# so this actually works fine.
+	c$smtp$last_reply = fmt("%d %s", code, msg);
+	}
+
+event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
+                 msg: string, cont_resp: bool) &priority=-5
+	{
+	if ( cmd == "." )
+		{
+		# Track the number of messages seen in this session.
+		++c$smtp_state$messages_transferred;
+		smtp_message(c);
+		c$smtp = new_smtp_log(c);
+		}
+	}
+
+event mime_one_header(c: connection, h: mime_header_rec) &priority=5
+	{
+	if ( ! c?$smtp ) return;
+	c$smtp$has_client_activity = T;
+
+	if ( h$name == "MESSAGE-ID" )
+		c$smtp$msg_id = h$value;
+
+	else if ( h$name == "RECEIVED" )
+		{
+		if ( c$smtp?$first_received )
+			c$smtp$second_received = c$smtp$first_received;
+		c$smtp$first_received = h$value;
+		}
+
+	else if ( h$name == "IN-REPLY-TO" )
+		c$smtp$in_reply_to = h$value;
+
+	else if ( h$name == "SUBJECT" )
+		c$smtp$subject = h$value;
+
+	else if ( h$name == "FROM" )
+		c$smtp$from = h$value;
+
+	else if ( h$name == "REPLY-TO" )
+		c$smtp$reply_to = h$value;
+
+	else if ( h$name == "DATE" )
+		c$smtp$date = h$value;
+
+	else if ( h$name == "TO" )
+		{
+		if ( ! c$smtp?$to )
+			c$smtp$to = set();
+		add c$smtp$to[h$value];
+		}
+
+	else if ( h$name == "X-ORIGINATING-IP" )
+		{
+		local addresses = find_ip_addresses(h$value);
+		if ( 1 in addresses )
+			c$smtp$x_originating_ip = to_addr(addresses[1]);
+		}
+	
+	else if ( h$name == "X-MAILER" ||
+	          h$name == "USER-AGENT" ||
+	          h$name == "X-USER-AGENT" )
+		c$smtp$user_agent = h$value;
+	}
+	
+# This event handler builds the "Received From" path by reading the 
+# headers in the mail
+event mime_one_header(c: connection, h: mime_header_rec) &priority=3
+	{
+	# If we've decided that we're done watching the received headers for
+	# whatever reason, we're done.  Could be due to only watching until 
+	# local addresses are seen in the received from headers.
+	if ( ! c?$smtp || h$name != "RECEIVED" || ! c$smtp$process_received_from )
+		return;
+
+	local text_ip = find_address_in_smtp_header(h$value);
+	if ( text_ip == "" )
+		return;
+	local ip = to_addr(text_ip);
+
+	if ( ! addr_matches_host(ip, mail_path_capture) && 
+	     ! Site::is_private_addr(ip) )
+		{
+		c$smtp$process_received_from = F;
+		}
+	if ( c$smtp$path[|c$smtp$path|-1] != ip )
+		c$smtp$path[|c$smtp$path|] = ip;
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$smtp )
+		smtp_message(c);
+	}
diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/protocols/ssh/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
new file mode 100644
index 0000000000..0d3439bb1f
--- /dev/null
+++ b/scripts/base/protocols/ssh/main.bro
@@ -0,0 +1,208 @@
+##! Base SSH analysis script.  The heuristic to blindly determine success or 
+##! failure for SSH connections is implemented here.  At this time, it only
+##! uses the size of the data being returned from the server to make the
+##! heuristic determination about success of the connection.  
+##! Requires that :bro:id:`use_conn_size_analyzer` is set to T!  The heuristic
+##! is not attempted if the connection size analyzer isn't enabled.
+
+@load base/frameworks/notice
+@load base/utils/site
+@load base/utils/thresholds
+@load base/utils/conn-ids
+@load base/utils/directions-and-hosts
+
+module SSH;
+
+export {
+	## The SSH protocol logging stream identifier.
+	redef enum Log::ID += { LOG };
+	
+	redef enum Notice::Type += { 
+		## Indicates that a heuristically detected "successful" SSH 
+		## authentication occurred.
+		Login 
+	};
+
+	type Info: record {
+		## Time when the SSH connection began.
+		ts:              time         &log;
+		uid:             string       &log;
+		id:              conn_id      &log;
+		## Indicates if the login was heuristically guessed to be "success"
+		## or "failure".
+		status:          string       &log &optional;
+		## Direction of the connection.  If the client was a local host 
+		## logging into an external host, this would be OUTBOUD.  INBOUND
+		## would be set for the opposite situation.
+		# TODO: handle local-local and remote-remote better.
+		direction:       Direction    &log &optional;
+		## Software string given by the client.
+		client:          string       &log &optional;
+		## Software string given by the server.
+		server:          string       &log &optional;
+		## Amount of data returned from the server.  This is currently
+		## the only measure of the success heuristic and it is logged to 
+		## assist analysts looking at the logs to make their own determination
+		## about the success on a case-by-case basis.
+		resp_size:       count        &log &default=0;
+		
+		## Indicate if the SSH session is done being watched.
+		done:            bool         &default=F;
+	};
+	
+	## The size in bytes of data sent by the server at which the SSH 
+	## connection is presumed to be successful.
+	const authentication_data_size = 5500 &redef;
+	
+	## If true, we tell the event engine to not look at further data
+	## packets after the initial SSH handshake. Helps with performance
+	## (especially with large file transfers) but precludes some
+	## kinds of analyses (e.g., tracking connection size).
+	const skip_processing_after_detection = F &redef;
+	
+	## Event that is generated when the heuristic thinks that a login
+	## was successful.
+	global heuristic_successful_login: event(c: connection);
+	
+	## Event that is generated when the heuristic thinks that a login
+	## failed.
+	global heuristic_failed_login: event(c: connection);
+	
+	## Event that can be handled to access the :bro:type:`SSH::Info`
+	## record as it is sent on to the logging framework.
+	global log_ssh: event(rec: Info);
+}
+
+# Configure DPD and the packet filter
+redef capture_filters += { ["ssh"] = "tcp port 22" };
+redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
+
+redef likely_server_ports += { 22/tcp };
+
+redef record connection += {
+	ssh: Info &optional;
+};
+
+event bro_init() &priority=5
+{
+	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
+}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$ssh )
+		{
+		local info: Info;
+		info$ts=network_time();
+		info$uid=c$uid;
+		info$id=c$id;
+		c$ssh = info;
+		}
+	}
+
+function check_ssh_connection(c: connection, done: bool)
+	{
+	# If done watching this connection, just return.
+	if ( c$ssh$done )
+		return;
+	
+	# Make sure conn_size_analyzer is active by checking 
+	# resp$num_bytes_ip.  In general it should always be active though.
+	if ( ! c$resp?$num_bytes_ip )
+		return;
+	
+	# Remove the IP and TCP header length from the total size.
+	# TODO: Fix for IPv6.  This whole approach also seems to break in some 
+	#       cases where there are more header bytes than num_bytes_ip.
+	local header_bytes = c$resp$num_pkts*32 + c$resp$num_pkts*20;
+	local server_bytes = c$resp$num_bytes_ip;
+	if ( server_bytes >= header_bytes )
+		server_bytes = server_bytes - header_bytes;
+	else
+		server_bytes = c$resp$size;
+	
+	# If this is still a live connection and the byte count has not crossed 
+	# the threshold, just return and let the rescheduled check happen later.
+	if ( ! done && server_bytes < authentication_data_size )
+		return;
+
+	# Make sure the server has sent back more than 50 bytes to filter out
+	# hosts that are just port scanning.  Nothing is ever logged if the server
+	# doesn't send back at least 50 bytes.
+	if ( server_bytes < 50 )
+		return;
+
+	c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND;
+	c$ssh$resp_size = server_bytes;
+	
+	if ( server_bytes < authentication_data_size )
+		{
+		c$ssh$status  = "failure";
+		event SSH::heuristic_failed_login(c);
+		}
+	else
+		{ 
+		# presumed successful login
+		c$ssh$status = "success";
+		event SSH::heuristic_successful_login(c);
+		}
+	
+	# Set the "done" flag to prevent the watching event from rescheduling
+	# after detection is done.
+	c$ssh$done=T;
+	
+	if ( skip_processing_after_detection )
+		{
+		# Stop watching this connection, we don't care about it anymore.
+		skip_further_processing(c$id);
+		set_record_packets(c$id, F);
+		}
+	}
+
+event SSH::heuristic_successful_login(c: connection) &priority=-5
+	{
+	NOTICE([$note=Login, 
+	        $msg="Heuristically detected successful SSH login.",
+	        $conn=c]);
+	
+	Log::write(SSH::LOG, c$ssh);
+	}
+event SSH::heuristic_failed_login(c: connection) &priority=-5
+	{
+	Log::write(SSH::LOG, c$ssh);
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$ssh )
+		check_ssh_connection(c, T);
+	}
+
+event ssh_watcher(c: connection)
+	{
+	local id = c$id;
+	# don't go any further if this connection is gone already!
+	if ( ! connection_exists(id) )
+		return;
+
+	check_ssh_connection(c, F);
+	if ( ! c$ssh$done )
+		schedule +15secs { ssh_watcher(c) };
+	}
+
+event ssh_server_version(c: connection, version: string) &priority=5
+	{
+	set_session(c);
+	c$ssh$server = version;
+	}
+	
+event ssh_client_version(c: connection, version: string) &priority=5
+	{
+	set_session(c);
+	c$ssh$client = version;
+	
+	# The heuristic detection for SSH relies on the ConnSize analyzer.
+	# Don't do the heuristics if it's disabled.
+	if ( use_conn_size_analyzer )
+		schedule +15secs { ssh_watcher(c) };
+	}
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro
new file mode 100644
index 0000000000..eaaa13cd76
--- /dev/null
+++ b/scripts/base/protocols/ssl/__load__.bro
@@ -0,0 +1,3 @@
+@load ./consts
+@load ./main
+@load ./mozilla-ca-list
\ No newline at end of file
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
new file mode 100644
index 0000000000..9d16ab18ba
--- /dev/null
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -0,0 +1,578 @@
+module SSL;
+
+export {
+	const SSLv2  = 0x0002;
+	const SSLv3  = 0x0300;
+	const TLSv10 = 0x0301;
+	const TLSv11 = 0x0302;
+	const TLSv12 = 0x0303;
+	## Mapping between the constants and string values for SSL/TLS versions.
+	const version_strings: table[count] of string = {
+		[SSLv2] = "SSLv2",
+		[SSLv3] = "SSLv3",
+		[TLSv10] = "TLSv10",
+		[TLSv11] = "TLSv11",
+		[TLSv12] = "TLSv12",
+	} &default="UNKNOWN";
+	
+	## Mapping between numeric codes and human readable strings for alert 
+	## levels.
+	const alert_levels: table[count] of string = {
+		[1] = "warning",
+		[2] = "fatal",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+	
+	## Mapping between numeric codes and human readable strings for alert 
+	## descriptions..
+	const alert_descriptions: table[count] of string = {
+		[0] = "close_notify",
+		[10] = "unexpected_message",
+		[20] = "bad_record_mac",
+		[21] = "decryption_failed",
+		[22] = "record_overflow",
+		[30] = "decompression_failure",
+		[40] = "handshake_failure",
+		[41] = "no_certificate",
+		[42] = "bad_certificate",
+		[43] = "unsupported_certificate",
+		[44] = "certificate_revoked",
+		[45] = "certificate_expired",
+		[46] = "certificate_unknown",
+		[47] = "illegal_parameter",
+		[48] = "unknown_ca",
+		[49] = "access_denied",
+		[50] = "decode_error",
+		[51] = "decrypt_error",
+		[60] = "export_restriction",
+		[70] = "protocol_version",
+		[71] = "insufficient_security",
+		[80] = "internal_error",
+		[90] = "user_canceled",
+		[100] = "no_renegotiation",
+		[110] = "unsupported_extension",
+		[111] = "certificate_unobtainable",
+		[112] = "unrecognized_name",
+		[113] = "bad_certificate_status_response",
+		[114] = "bad_certificate_hash_value",
+		[115] = "unknown_psk_identity",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+	
+	## Mapping between numeric codes and human readable strings for SSL/TLS
+	## extensions.
+	# More information can be found here:
+	# http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
+	const extensions: table[count] of string = {
+		[0] = "server_name",
+		[1] = "max_fragment_length",
+		[2] = "client_certificate_url",
+		[3] = "trusted_ca_keys",
+		[4] = "truncated_hmac",
+		[5] = "status_request",
+		[6] = "user_mapping",
+		[7] = "client_authz",
+		[8] = "server_authz",
+		[9] = "cert_type",
+		[10] = "elliptic_curves",
+		[11] = "ec_point_formats",
+		[12] = "srp",
+		[13] = "signature_algorithms",
+		[14] = "use_srtp",
+		[35] = "SessionTicket TLS",
+		[13172] = "next_protocol_negotiation",
+		[65281] = "renegotiation_info"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+	
+	# SSLv2
+	const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
+	const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
+	const SSLv20_CK_RC2_128_CBC_WITH_MD5 = 0x030080;
+	const SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080;
+	const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080;
+	const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040;
+	const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0;
+
+	# TLS
+	const TLS_NULL_WITH_NULL_NULL = 0x0000;
+	const TLS_RSA_WITH_NULL_MD5 = 0x0001;
+	const TLS_RSA_WITH_NULL_SHA = 0x0002;
+	const TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
+	const TLS_RSA_WITH_RC4_128_MD5 = 0x0004;
+	const TLS_RSA_WITH_RC4_128_SHA = 0x0005;
+	const TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
+	const TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007;
+	const TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
+	const TLS_RSA_WITH_DES_CBC_SHA = 0x0009;
+	const TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
+	const TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
+	const TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
+	const TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
+	const TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
+	const TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
+	const TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+	const TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
+	const TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
+	const TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
+	const TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
+	const TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
+	const TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+	const TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
+	const TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
+	const TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
+	const TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A;
+	const TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B;
+	const SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
+	const SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
+	const TLS_KRB5_WITH_DES_CBC_SHA = 0x001E;
+	const TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F;
+	const TLS_KRB5_WITH_RC4_128_SHA = 0x0020;
+	const TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021;
+	const TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022;
+	const TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023;
+	const TLS_KRB5_WITH_RC4_128_MD5 = 0x0024;
+	const TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025;
+	const TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
+	const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
+	const TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028;
+	const TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
+	const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
+	const TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B;
+	const TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
+	const TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
+	const TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+	const TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
+	const TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
+	const TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
+	const TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
+	const TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
+	const TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
+	const TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
+	const TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
+	const TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
+	const TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+	const TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+	const TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
+	const TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E;
+	const TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F;
+	const TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040;
+	const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
+	const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
+	const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
+	const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
+	const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
+	const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
+	const TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;
+	const TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061;
+	const TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
+	const TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
+	const TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
+	const TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
+	const TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+	const TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+	const TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068;
+	const TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069;
+	const TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A;
+	const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
+	const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C;
+	const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D;
+	const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
+	const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
+	const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
+	const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
+	const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
+	const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+	const TLS_PSK_WITH_RC4_128_SHA = 0x008A;
+	const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B;
+	const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C;
+	const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D;
+	const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E;
+	const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F;
+	const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090;
+	const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091;
+	const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092;
+	const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093;
+	const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094;
+	const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095;
+	const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+	const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097;
+	const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098;
+	const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099;
+	const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A;
+	const TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B;
+	const TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
+	const TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D;
+	const TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
+	const TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F;
+	const TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0;
+	const TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1;
+	const TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+	const TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3;
+	const TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4;
+	const TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5;
+	const TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6;
+	const TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7;
+	const TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8;
+	const TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9;
+	const TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA;
+	const TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB;
+	const TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC;
+	const TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD;
+	const TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE;
+	const TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF;
+	const TLS_PSK_WITH_NULL_SHA256 = 0x00B0;
+	const TLS_PSK_WITH_NULL_SHA384 = 0x00B1;
+	const TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2;
+	const TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3;
+	const TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4;
+	const TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5;
+	const TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6;
+	const TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7;
+	const TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8;
+	const TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9;
+	const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA;
+	const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB;
+	const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC;
+	const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD;
+	const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE;
+	const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF;
+	const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0;
+	const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1;
+	const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2;
+	const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
+	const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
+	const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+	const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
+	const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
+	const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003;
+	const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004;
+	const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005;
+	const TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006;
+	const TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007;
+	const TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A;
+	const TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B;
+	const TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C;
+	const TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D;
+	const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E;
+	const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F;
+	const TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010;
+	const TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011;
+	const TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012;
+	const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013;
+	const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014;
+	const TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015;
+	const TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016;
+	const TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017;
+	const TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018;
+	const TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019;
+	const TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A;
+	const TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B;
+	const TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C;
+	const TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D;
+	const TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E;
+	const TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F;
+	const TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020;
+	const TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021;
+	const TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024;
+	const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025;
+	const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026;
+	const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027;
+	const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028;
+	const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029;
+	const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C;
+	const TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D;
+	const TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E;
+	const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F;
+	const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030;
+	const TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031;
+	const TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032;
+	const TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033;
+	const TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034;
+	const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035;
+	const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036;
+	const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037;
+	const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038;
+	const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039;
+	const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A;
+	const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B;
+	const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
+	const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
+	const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
+	const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0;
+	const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80;
+	const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81;
+	const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
+	const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
+	const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
+	
+	## This is a table of all known cipher specs.  It can be used for 
+	## detecting unknown ciphers and for converting the cipher spec constants 
+	## into a human readable format.
+	const cipher_desc: table[count] of string = {
+		[SSLv20_CK_RC4_128_EXPORT40_WITH_MD5] =
+			"SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
+		[SSLv20_CK_RC4_128_WITH_MD5] = "SSLv20_CK_RC4_128_WITH_MD5",
+		[SSLv20_CK_RC2_128_CBC_WITH_MD5] = "SSLv20_CK_RC2_128_CBC_WITH_MD5",
+		[SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5] =
+			"SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
+		[SSLv20_CK_IDEA_128_CBC_WITH_MD5] = "SSLv20_CK_IDEA_128_CBC_WITH_MD5",
+		[SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5] =
+			"SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
+		[SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
+
+		[TLS_NULL_WITH_NULL_NULL] = "TLS_NULL_WITH_NULL_NULL",
+		[TLS_RSA_WITH_NULL_MD5] = "TLS_RSA_WITH_NULL_MD5",
+		[TLS_RSA_WITH_NULL_SHA] = "TLS_RSA_WITH_NULL_SHA",
+		[TLS_RSA_EXPORT_WITH_RC4_40_MD5] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+		[TLS_RSA_WITH_RC4_128_MD5] = "TLS_RSA_WITH_RC4_128_MD5",
+		[TLS_RSA_WITH_RC4_128_SHA] = "TLS_RSA_WITH_RC4_128_SHA",
+		[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+		[TLS_RSA_WITH_IDEA_CBC_SHA] = "TLS_RSA_WITH_IDEA_CBC_SHA",
+		[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_RSA_WITH_DES_CBC_SHA] = "TLS_RSA_WITH_DES_CBC_SHA",
+		[TLS_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_DH_DSS_WITH_DES_CBC_SHA] = "TLS_DH_DSS_WITH_DES_CBC_SHA",
+		[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_DH_RSA_WITH_DES_CBC_SHA] = "TLS_DH_RSA_WITH_DES_CBC_SHA",
+		[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_DHE_DSS_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+		[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_DHE_RSA_WITH_DES_CBC_SHA] = "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+		[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5",
+		[TLS_DH_ANON_WITH_RC4_128_MD5] = "TLS_DH_ANON_WITH_RC4_128_MD5",
+		[TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
+		[TLS_DH_ANON_WITH_DES_CBC_SHA] = "TLS_DH_ANON_WITH_DES_CBC_SHA",
+		[TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA",
+		[SSL_FORTEZZA_KEA_WITH_NULL_SHA] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA",
+		[SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
+		[TLS_KRB5_WITH_DES_CBC_SHA] = "TLS_KRB5_WITH_DES_CBC_SHA",
+		[TLS_KRB5_WITH_3DES_EDE_CBC_SHA] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+		[TLS_KRB5_WITH_RC4_128_SHA] = "TLS_KRB5_WITH_RC4_128_SHA",
+		[TLS_KRB5_WITH_IDEA_CBC_SHA] = "TLS_KRB5_WITH_IDEA_CBC_SHA",
+		[TLS_KRB5_WITH_DES_CBC_MD5] = "TLS_KRB5_WITH_DES_CBC_MD5",
+		[TLS_KRB5_WITH_3DES_EDE_CBC_MD5] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+		[TLS_KRB5_WITH_RC4_128_MD5] = "TLS_KRB5_WITH_RC4_128_MD5",
+		[TLS_KRB5_WITH_IDEA_CBC_MD5] = "TLS_KRB5_WITH_IDEA_CBC_MD5",
+		[TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+		[TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+		[TLS_KRB5_EXPORT_WITH_RC4_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+		[TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+		[TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+		[TLS_KRB5_EXPORT_WITH_RC4_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+		[TLS_RSA_WITH_AES_128_CBC_SHA] = "TLS_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_DH_DSS_WITH_AES_128_CBC_SHA] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+		[TLS_DH_RSA_WITH_AES_128_CBC_SHA] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_DHE_DSS_WITH_AES_128_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+		[TLS_DHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_DH_ANON_WITH_AES_128_CBC_SHA] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA",
+		[TLS_RSA_WITH_AES_256_CBC_SHA] = "TLS_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_DH_DSS_WITH_AES_256_CBC_SHA] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+		[TLS_DH_RSA_WITH_AES_256_CBC_SHA] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_DHE_DSS_WITH_AES_256_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+		[TLS_DHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_DH_ANON_WITH_AES_256_CBC_SHA] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA",
+		[TLS_RSA_WITH_NULL_SHA256] = "TLS_RSA_WITH_NULL_SHA256",
+		[TLS_RSA_WITH_AES_128_CBC_SHA256] = "TLS_RSA_WITH_AES_128_CBC_SHA256",
+		[TLS_RSA_WITH_AES_256_CBC_SHA256] = "TLS_RSA_WITH_AES_256_CBC_SHA256",
+		[TLS_DH_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+		[TLS_DH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+		[TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA",
+		[TLS_RSA_EXPORT1024_WITH_RC4_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
+		[TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
+		[TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+		[TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+		[TLS_RSA_EXPORT1024_WITH_RC4_56_SHA] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
+		[TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+		[TLS_DHE_DSS_WITH_RC4_128_SHA] = "TLS_DHE_DSS_WITH_RC4_128_SHA",
+		[TLS_DHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+		[TLS_DH_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+		[TLS_DH_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+		[TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+		[TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
+		[TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
+		[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA",
+		[TLS_PSK_WITH_RC4_128_SHA] = "TLS_PSK_WITH_RC4_128_SHA",
+		[TLS_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+		[TLS_PSK_WITH_AES_128_CBC_SHA] = "TLS_PSK_WITH_AES_128_CBC_SHA",
+		[TLS_PSK_WITH_AES_256_CBC_SHA] = "TLS_PSK_WITH_AES_256_CBC_SHA",
+		[TLS_DHE_PSK_WITH_RC4_128_SHA] = "TLS_DHE_PSK_WITH_RC4_128_SHA",
+		[TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+		[TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+		[TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+		[TLS_RSA_PSK_WITH_RC4_128_SHA] = "TLS_RSA_PSK_WITH_RC4_128_SHA",
+		[TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+		[TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+		[TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+		[TLS_RSA_WITH_SEED_CBC_SHA] = "TLS_RSA_WITH_SEED_CBC_SHA",
+		[TLS_DH_DSS_WITH_SEED_CBC_SHA] = "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+		[TLS_DH_RSA_WITH_SEED_CBC_SHA] = "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+		[TLS_DHE_DSS_WITH_SEED_CBC_SHA] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+		[TLS_DHE_RSA_WITH_SEED_CBC_SHA] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+		[TLS_DH_ANON_WITH_SEED_CBC_SHA] = "TLS_DH_ANON_WITH_SEED_CBC_SHA",
+		[TLS_RSA_WITH_AES_128_GCM_SHA256] = "TLS_RSA_WITH_AES_128_GCM_SHA256",
+		[TLS_RSA_WITH_AES_256_GCM_SHA384] = "TLS_RSA_WITH_AES_256_GCM_SHA384",
+		[TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+		[TLS_DHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+		[TLS_DH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+		[TLS_DH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+		[TLS_DHE_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+		[TLS_DHE_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+		[TLS_DH_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+		[TLS_DH_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+		[TLS_DH_ANON_WITH_AES_128_GCM_SHA256] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256",
+		[TLS_DH_ANON_WITH_AES_256_GCM_SHA384] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384",
+		[TLS_PSK_WITH_AES_128_GCM_SHA256] = "TLS_PSK_WITH_AES_128_GCM_SHA256",
+		[TLS_PSK_WITH_AES_256_GCM_SHA384] = "TLS_PSK_WITH_AES_256_GCM_SHA384",
+		[TLS_DHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+		[TLS_DHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+		[TLS_RSA_PSK_WITH_AES_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+		[TLS_RSA_PSK_WITH_AES_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+		[TLS_PSK_WITH_AES_128_CBC_SHA256] = "TLS_PSK_WITH_AES_128_CBC_SHA256",
+		[TLS_PSK_WITH_AES_256_CBC_SHA384] = "TLS_PSK_WITH_AES_256_CBC_SHA384",
+		[TLS_PSK_WITH_NULL_SHA256] = "TLS_PSK_WITH_NULL_SHA256",
+		[TLS_PSK_WITH_NULL_SHA384] = "TLS_PSK_WITH_NULL_SHA384",
+		[TLS_DHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+		[TLS_DHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+		[TLS_DHE_PSK_WITH_NULL_SHA256] = "TLS_DHE_PSK_WITH_NULL_SHA256",
+		[TLS_DHE_PSK_WITH_NULL_SHA384] = "TLS_DHE_PSK_WITH_NULL_SHA384",
+		[TLS_RSA_PSK_WITH_AES_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+		[TLS_RSA_PSK_WITH_AES_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+		[TLS_RSA_PSK_WITH_NULL_SHA256] = "TLS_RSA_PSK_WITH_NULL_SHA256",
+		[TLS_RSA_PSK_WITH_NULL_SHA384] = "TLS_RSA_PSK_WITH_NULL_SHA384",
+		[TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+		[TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+		[TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+		[TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+		[TLS_ECDHE_ECDSA_WITH_NULL_SHA] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+		[TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+		[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+		[TLS_ECDH_RSA_WITH_NULL_SHA] = "TLS_ECDH_RSA_WITH_NULL_SHA",
+		[TLS_ECDH_RSA_WITH_RC4_128_SHA] = "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+		[TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDH_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_ECDH_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_ECDHE_RSA_WITH_NULL_SHA] = "TLS_ECDHE_RSA_WITH_NULL_SHA",
+		[TLS_ECDHE_RSA_WITH_RC4_128_SHA] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+		[TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_ECDH_ANON_WITH_NULL_SHA] = "TLS_ECDH_ANON_WITH_NULL_SHA",
+		[TLS_ECDH_ANON_WITH_RC4_128_SHA] = "TLS_ECDH_ANON_WITH_RC4_128_SHA",
+		[TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDH_ANON_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA",
+		[TLS_ECDH_ANON_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
+		[TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+		[TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+		[TLS_SRP_SHA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+		[TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+		[TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+		[TLS_SRP_SHA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+		[TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+		[TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+		[TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+		[TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+		[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+		[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+		[TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+		[TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+		[TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+		[TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+		[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+		[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+		[TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+		[TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+		[TLS_ECDHE_PSK_WITH_RC4_128_SHA] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+		[TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+		[TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+		[TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+		[TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+		[TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+		[TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
+		[TLS_ECDHE_PSK_WITH_NULL_SHA256] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+		[TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+		[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
+		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
+		[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
+		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
+	} &default="UNKNOWN";
+	
+	## Mapping between the constants and string values for SSL/TLS errors.
+	const x509_errors: table[count] of string = {
+		[0]  = "ok",
+		[1]  = "unable to get issuer cert",
+		[2]  = "unable to get crl",
+		[3]  = "unable to decrypt cert signature",
+		[4]  = "unable to decrypt crl signature",
+		[5]  = "unable to decode issuer public key",
+		[6]  = "cert signature failure",
+		[7]  = "crl signature failure",
+		[8]  = "cert not yet valid",
+		[9]  = "cert has expired",
+		[10] = "crl not yet valid",
+		[11] = "crl has expired",
+		[12] = "error in cert not before field",
+		[13] = "error in cert not after field",
+		[14] = "error in crl last update field",
+		[15] = "error in crl next update field",
+		[16] = "out of mem",
+		[17] = "depth zero self signed cert",
+		[18] = "self signed cert in chain",
+		[19] = "unable to get issuer cert locally",
+		[20] = "unable to verify leaf signature",
+		[21] = "cert chain too long",
+		[22] = "cert revoked",
+		[23] = "invalid ca",
+		[24] = "path length exceeded",
+		[25] = "invalid purpose",
+		[26] = "cert untrusted",
+		[27] = "cert rejected",
+		[28] = "subject issuer mismatch",
+		[29] = "akid skid mismatch",
+		[30] = "akid issuer serial mismatch",
+		[31] = "keyusage no certsign",
+		[32] = "unable to get crl issuer",
+		[33] = "unhandled critical extension",
+	};
+
+}
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
new file mode 100644
index 0000000000..0b280a6bcf
--- /dev/null
+++ b/scripts/base/protocols/ssl/main.bro
@@ -0,0 +1,196 @@
+##! Base SSL analysis script.  This script logs information about the SSL/TLS
+##! handshaking and encryption establishment process.
+
+@load ./consts
+
+module SSL;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Time when the SSL connection began.
+		ts:               time             &log;
+		uid:              string           &log;
+		id:               conn_id          &log;
+		## SSL/TLS version the server offered.
+		version:          string           &log &optional;
+		## SSL/TLS cipher suite the server chose.
+		cipher:           string           &log &optional;
+		## Value of the Server Name Indicator SSL/TLS extension.  It 
+		## indicates the server name that the client was requesting.
+		server_name:      string           &log &optional;
+		## Session ID offered by the client for session resumption.
+		session_id:       string           &log &optional;
+		## Subject of the X.509 certificate offered by the server.
+		subject:          string           &log &optional;
+		## NotValidBefore field value from the server certificate.
+		not_valid_before: time             &log &optional;
+		## NotValidAfter field value from the serve certificate.
+		not_valid_after:  time             &log &optional;
+		## Last alert that was seen during the connection.
+		last_alert:       string           &log &optional;
+		
+		## Full binary server certificate stored in DER format.
+		cert:             string           &optional;
+		## Chain of certificates offered by the server to validate its 
+		## complete signing chain.
+		cert_chain:       vector of string &optional;
+
+		## The analyzer ID used for the analyzer instance attached
+		## to each connection.  It is not used for logging since it's a
+		## meaningless arbitrary number.
+		analyzer_id:      count            &optional;
+	};
+	
+	## The default root CA bundle.  By loading the
+	## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
+	const root_certs: table[string] of string = {} &redef;
+	
+	## If true, detach the SSL analyzer from the connection to prevent
+	## continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
+	
+	## The openssl command line utility.  If it's in the path the default
+	## value will work, otherwise a full path string can be supplied for the
+	## utility.
+	const openssl_util = "openssl" &redef;
+	
+	## Event that can be handled to access the SSL
+	## record as it is sent on to the logging framework.
+	global log_ssl: event(rec: Info);
+}
+
+redef record connection += {
+	ssl: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
+	}
+
+redef capture_filters += {
+	["ssl"] = "tcp port 443",
+	["nntps"] = "tcp port 563",
+	["imap4-ssl"] = "tcp port 585",
+	["sshell"] = "tcp port 614",
+	["ldaps"] = "tcp port 636",
+	["ftps-data"] = "tcp port 989",
+	["ftps"] = "tcp port 990",
+	["telnets"] = "tcp port 992",
+	["imaps"] = "tcp port 993",
+	["ircs"] = "tcp port 994",
+	["pop3s"] = "tcp port 995",
+	["xmpps"] = "tcp port 5223",
+};
+
+const ports = {
+	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
+	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
+};
+
+redef dpd_config += {
+	[[ANALYZER_SSL]] = [$ports = ports]
+};
+
+redef likely_server_ports += {
+	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
+	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
+};
+
+function set_session(c: connection)
+	{
+	if ( ! c?$ssl )
+		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()];
+	}
+
+function finish(c: connection)
+	{
+	Log::write(SSL::LOG, c$ssl);
+	if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
+		disable_analyzer(c$id, c$ssl$analyzer_id);
+	delete c$ssl;
+	}
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
+	{
+	set_session(c);
+
+	# Save the session_id if there is one set.
+	if ( session_id != /^\x00{32}$/ )
+		c$ssl$session_id = bytestring_to_hexstr(session_id);
+	}
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
+	{
+	set_session(c);
+
+	c$ssl$version = version_strings[version];
+	c$ssl$cipher = cipher_desc[cipher];
+	}
+
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=5
+	{
+	set_session(c);
+
+	# We aren't doing anything with client certificates yet.
+	if ( is_orig )
+		return;
+
+	if ( chain_idx == 0 )
+		{
+		# Save the primary cert.
+		c$ssl$cert = der_cert;
+
+		# Also save other certificate information about the primary cert.
+		c$ssl$subject = cert$subject;
+		c$ssl$not_valid_before = cert$not_valid_before;
+		c$ssl$not_valid_after = cert$not_valid_after;
+		}
+	else
+		{
+		# Otherwise, add it to the cert validation chain.
+		c$ssl$cert_chain[|c$ssl$cert_chain|] = der_cert;
+		}
+	}
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+	{
+	set_session(c);
+
+	if ( is_orig && extensions[code] == "server_name" )
+		c$ssl$server_name = sub_bytes(val, 6, |val|);
+	}
+
+event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
+	{
+	set_session(c);
+
+	c$ssl$last_alert = alert_descriptions[desc];
+	}
+
+event ssl_established(c: connection) &priority=5
+	{
+	set_session(c);
+	}
+
+event ssl_established(c: connection) &priority=-5
+	{
+	finish(c);
+	}
+
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+	{
+	# Check by checking for existence of c$ssl record.
+	if ( c?$ssl && analyzer_name(atype) == "SSL" )
+		c$ssl$analyzer_id = aid;
+	}
+
+event protocol_violation(c: connection, atype: count, aid: count,
+                         reason: string) &priority=5
+	{
+	if ( c?$ssl )
+		finish(c);
+	}
diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro
new file mode 100644
index 0000000000..4c4dccb755
--- /dev/null
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro
@@ -0,0 +1,142 @@
+# Don't edit!  This file is automatically generated.
+# Generated at: 2011-10-25 11:03:20 -0500
+@load base/protocols/ssl
+module SSL;
+redef root_certs += {
+	["CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7\x79\xB4\x1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F",
+	["emailAddress=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"] = "\x30\x82\x03\x13\x30\x82\x02\x7C\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xC4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x54\x68\x61\x77\x74\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x73\x65\x72\x76\x65\x72\x2D\x63\x65\x72\x74\x73\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x36\x30\x38\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xC4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x54\x68\x61\x77\x74\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x73\x65\x72\x76\x65\x72\x2D\x63\x65\x72\x74\x73\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD3\xA4\x50\x6E\xC8\xFF\x56\x6B\xE6\xCF\x5D\xB6\xEA\x0C\x68\x75\x47\xA2\xAA\xC2\xDA\x84\x25\xFC\xA8\xF4\x47\x51\xDA\x85\xB5\x20\x74\x94\x86\x1E\x0F\x75\xC9\xE9\x08\x61\xF5\x06\x6D\x30\x6E\x15\x19\x02\xE9\x52\xC0\x62\xDB\x4D\x99\x9E\xE2\x6A\x0C\x44\x38\xCD\xFE\xBE\xE3\x64\x09\x70\xC5\xFE\xB1\x6B\x29\xB6\x2F\x49\xC8\x3B\xD4\x27\x04\x25\x10\x97\x2F\xE7\x90\x6D\xC0\x28\x42\x99\xD7\x4C\x43\xDE\xC3\xF5\x21\x6D\x54\x9F\x5D\xC3\x58\xE1\xC0\xE4\xD9\x5B\xB0\xB8\xDC\xB4\x7B\xDF\x36\x3A\xC2\xB5\x66\x22\x12\xD6\x87\x0D\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x07\xFA\x4C\x69\x5C\xFB\x95\xCC\x46\xEE\x85\x83\x4D\x21\x30\x8E\xCA\xD9\xA8\x6F\x49\x1A\xE6\xDA\x51\xE3\x60\x70\x6C\x84\x61\x11\xA1\x1A\xC8\x48\x3E\x59\x43\x7D\x4F\x95\x3D\xA1\x8B\xB7\x0B\x62\x98\x7A\x75\x8A\xDD\x88\x4E\x4E\x9E\x40\xDB\xA8\xCC\x32\x74\xB9\x6F\x0D\xC6\xE3\xB3\x44\x0B\xD9\x8A\x6F\x9A\x29\x9B\x99\x18\x28\x3B\xD1\xE3\x40\x28\x9A\x5A\x3C\xD5\xB5\xE7\x20\x1B\x8B\xCA\xA4\xAB\x8D\xE9\x51\xD9\xE2\x4C\x2C\x59\xA9\xDA\xB9\xB2\x75\x1B\xF6\x42\xF2\xEF\xC7\xF2\x18\xF9\x89\xBC\xA3\xFF\x8A\x23\x2E\x70\x47",
+	["emailAddress=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"] = "\x30\x82\x03\x27\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xCE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x54\x68\x61\x77\x74\x65\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x28\x30\x26\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x19\x70\x72\x65\x6D\x69\x75\x6D\x2D\x73\x65\x72\x76\x65\x72\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x36\x30\x38\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x54\x68\x61\x77\x74\x65\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x28\x30\x26\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x19\x70\x72\x65\x6D\x69\x75\x6D\x2D\x73\x65\x72\x76\x65\x72\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD2\x36\x36\x6A\x8B\xD7\xC2\x5B\x9E\xDA\x81\x41\x62\x8F\x38\xEE\x49\x04\x55\xD6\xD0\xEF\x1C\x1B\x95\x16\x47\xEF\x18\x48\x35\x3A\x52\xF4\x2B\x6A\x06\x8F\x3B\x2F\xEA\x56\xE3\xAF\x86\x8D\x9E\x17\xF7\x9E\xB4\x65\x75\x02\x4D\xEF\xCB\x09\xA2\x21\x51\xD8\x9B\xD0\x67\xD0\xBA\x0D\x92\x06\x14\x73\xD4\x93\xCB\x97\x2A\x00\x9C\x5C\x4E\x0C\xBC\xFA\x15\x52\xFC\xF2\x44\x6E\xDA\x11\x4A\x6E\x08\x9F\x2F\x2D\xE3\xF9\xAA\x3A\x86\x73\xB6\x46\x53\x58\xC8\x89\x05\xBD\x83\x11\xB8\x73\x3F\xAA\x07\x8D\xF4\x42\x4D\xE7\x40\x9D\x1C\x37\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x26\x48\x2C\x16\xC2\x58\xFA\xE8\x16\x74\x0C\xAA\xAA\x5F\x54\x3F\xF2\xD7\xC9\x78\x60\x5E\x5E\x6E\x37\x63\x22\x77\x36\x7E\xB2\x17\xC4\x34\xB9\xF5\x08\x85\xFC\xC9\x01\x38\xFF\x4D\xBE\xF2\x16\x42\x43\xE7\xBB\x5A\x46\xFB\xC1\xC6\x11\x1F\xF1\x4A\xB0\x28\x46\xC9\xC3\xC4\x42\x7D\xBC\xFA\xAB\x59\x6E\xD5\xB7\x51\x88\x11\xE3\xA4\x85\x19\x6B\x82\x4C\xA4\x0C\x12\xAD\xE9\xA4\xAE\x3F\xF1\xC3\x49\x65\x9A\x8C\xC5\xC8\x3E\x25\xB7\x94\x99\xBB\x92\x32\x71\x07\xF0\x86\x5E\xED\x50\x27\xA6\x0D\xA6\x23\xF9\xBB\xCB\xA6\x07\x14\x42",
+	["OU=Equifax Secure Certificate Authority,O=Equifax,C=US"] = "\x30\x82\x03\x20\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x04\x35\xDE\xF4\xCF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x17\x0D\x31\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC1\x5D\xB1\x58\x67\x08\x62\xEE\xA0\x9A\x2D\x1F\x08\x6D\x91\x14\x68\x98\x0A\x1E\xFE\xDA\x04\x6F\x13\x84\x62\x21\xC3\xD1\x7C\xCE\x9F\x05\xE0\xB8\x01\xF0\x4E\x34\xEC\xE2\x8A\x95\x04\x64\xAC\xF1\x6B\x53\x5F\x05\xB3\xCB\x67\x80\xBF\x42\x02\x8E\xFE\xDD\x01\x09\xEC\xE1\x00\x14\x4F\xFC\xFB\xF0\x0C\xDD\x43\xBA\x5B\x2B\xE1\x1F\x80\x70\x99\x15\x57\x93\x16\xF1\x0F\x97\x6A\xB7\xC2\x68\x23\x1C\xCC\x4D\x59\x30\xAC\x51\x1E\x3B\xAF\x2B\xD6\xEE\x63\x45\x7B\xC5\xD9\x5F\x50\xD2\xE3\x50\x0F\x3A\x88\xE7\xBF\x14\xFD\xE0\xC7\xB9\x02\x03\x01\x00\x01\xA3\x82\x01\x09\x30\x82\x01\x05\x30\x70\x06\x03\x55\x1D\x1F\x04\x69\x30\x67\x30\x65\xA0\x63\xA0\x61\xA4\x5F\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x1A\x06\x03\x55\x1D\x10\x04\x13\x30\x11\x81\x0F\x32\x30\x31\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x48\xE6\x68\xF9\x2B\xD2\xB2\x95\xD7\x47\xD8\x23\x20\x10\x4F\x33\x98\x90\x9F\xD4\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x48\xE6\x68\xF9\x2B\xD2\xB2\x95\xD7\x47\xD8\x23\x20\x10\x4F\x33\x98\x90\x9F\xD4\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x1A\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0D\x30\x0B\x1B\x05\x56\x33\x2E\x30\x63\x03\x02\x06\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x58\xCE\x29\xEA\xFC\xF7\xDE\xB5\xCE\x02\xB9\x17\xB5\x85\xD1\xB9\xE3\xE0\x95\xCC\x25\x31\x0D\x00\xA6\x92\x6E\x7F\xB6\x92\x63\x9E\x50\x95\xD1\x9A\x6F\xE4\x11\xDE\x63\x85\x6E\x98\xEE\xA8\xFF\x5A\xC8\xD3\x55\xB2\x66\x71\x57\xDE\xC0\x21\xEB\x3D\x2A\xA7\x23\x49\x01\x04\x86\x42\x7B\xFC\xEE\x7F\xA2\x16\x52\xB5\x67\x67\xD3\x40\xDB\x3B\x26\x58\xB2\x28\x77\x3D\xAE\x14\x77\x61\xD6\xFA\x2A\x66\x27\xA0\x0D\xFA\xA7\x73\x5C\xEA\x70\xF1\x94\x21\x65\x44\x5F\xFA\xFC\xEF\x29\x68\xA9\xA2\x87\x79\xEF\x79\xEF\x4F\xAC\x07\x77\x38",
+	["OU=DSTCA E1,O=Digital Signature Trust Co.,C=US"] = "\x30\x82\x03\x29\x30\x82\x02\x92\xA0\x03\x02\x01\x02\x02\x04\x36\x70\x15\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x31\x30\x1E\x17\x0D\x39\x38\x31\x32\x31\x30\x31\x38\x31\x30\x32\x33\x5A\x17\x0D\x31\x38\x31\x32\x31\x30\x31\x38\x34\x30\x32\x33\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x31\x30\x81\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8B\x00\x30\x81\x87\x02\x81\x81\x00\xA0\x6C\x81\xA9\xCF\x34\x1E\x24\xDD\xFE\x86\x28\xCC\xDE\x83\x2F\xF9\x5E\xD4\x42\xD2\xE8\x74\x60\x66\x13\x98\x06\x1C\xA9\x51\x12\x69\x6F\x31\x55\xB9\x49\x72\x00\x08\x7E\xD3\xA5\x62\x44\x37\x24\x99\x8F\xD9\x83\x48\x8F\x99\x6D\x95\x13\xBB\x43\x3B\x2E\x49\x4E\x88\x37\xC1\xBB\x58\x7F\xFE\xE1\xBD\xF8\xBB\x61\xCD\xF3\x47\xC0\x99\xA6\xF1\xF3\x91\xE8\x78\x7C\x00\xCB\x61\xC9\x44\x27\x71\x69\x55\x4A\x7E\x49\x4D\xED\xA2\xA3\xBE\x02\x4C\x00\xCA\x02\xA8\xEE\x01\x02\x31\x64\x0F\x52\x2D\x13\x74\x76\x36\xB5\x7A\xB4\x2D\x71\x02\x01\x03\xA3\x82\x01\x24\x30\x82\x01\x20\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x68\x06\x03\x55\x1D\x1F\x04\x61\x30\x5F\x30\x5D\xA0\x5B\xA0\x59\xA4\x57\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x31\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x31\x39\x39\x38\x31\x32\x31\x30\x31\x38\x31\x30\x32\x33\x5A\x81\x0F\x32\x30\x31\x38\x31\x32\x31\x30\x31\x38\x31\x30\x32\x33\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x6A\x79\x7E\x91\x69\x46\x18\x13\x0A\x02\x77\xA5\x59\x5B\x60\x98\x25\x0E\xA2\xF8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x79\x7E\x91\x69\x46\x18\x13\x0A\x02\x77\xA5\x59\x5B\x60\x98\x25\x0E\xA2\xF8\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x19\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0C\x30\x0A\x1B\x04\x56\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x22\x12\xD8\x7A\x1D\xDC\x81\x06\xB6\x09\x65\xB2\x87\xC8\x1F\x5E\xB4\x2F\xE9\xC4\x1E\xF2\x3C\xC1\xBB\x04\x90\x11\x4A\x83\x4E\x7E\x93\xB9\x4D\x42\xC7\x92\x26\xA0\x5C\x34\x9A\x38\x72\xF8\xFD\x6B\x16\x3E\x20\xEE\x82\x8B\x31\x2A\x93\x36\x85\x23\x88\x8A\x3C\x03\x68\xD3\xC9\x09\x0F\x4D\xFC\x6C\xA4\xDA\x28\x72\x93\x0E\x89\x80\xB0\x7D\xFE\x80\x6F\x65\x6D\x18\x33\x97\x8B\xC2\x6B\x89\xEE\x60\x3D\xC8\x9B\xEF\x7F\x2B\x32\x62\x73\x93\xCB\x3C\xE3\x7B\xE2\x76\x78\x45\xBC\xA1\x93\x04\xBB\x86\x9F\x3A\x5B\x43\x7A\xC3\x8A\x65",
+	["OU=DSTCA E2,O=Digital Signature Trust Co.,C=US"] = "\x30\x82\x03\x29\x30\x82\x02\x92\xA0\x03\x02\x01\x02\x02\x04\x36\x6E\xD3\xCE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x32\x30\x1E\x17\x0D\x39\x38\x31\x32\x30\x39\x31\x39\x31\x37\x32\x36\x5A\x17\x0D\x31\x38\x31\x32\x30\x39\x31\x39\x34\x37\x32\x36\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x32\x30\x81\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8B\x00\x30\x81\x87\x02\x81\x81\x00\xBF\x93\x8F\x17\x92\xEF\x33\x13\x18\xEB\x10\x7F\x4E\x16\xBF\xFF\x06\x8F\x2A\x85\xBC\x5E\xF9\x24\xA6\x24\x88\xB6\x03\xB7\xC1\xC3\x5F\x03\x5B\xD1\x6F\xAE\x7E\x42\xEA\x66\x23\xB8\x63\x83\x56\xFB\x28\x2D\xE1\x38\x8B\xB4\xEE\xA8\x01\xE1\xCE\x1C\xB6\x88\x2A\x22\x46\x85\xFB\x9F\xA7\x70\xA9\x47\x14\x3F\xCE\xDE\x65\xF0\xA8\x71\xF7\x4F\x26\x6C\x8C\xBC\xC6\xB5\xEF\xDE\x49\x27\xFF\x48\x2A\x7D\xE8\x4D\x03\xCC\xC7\xB2\x52\xC6\x17\x31\x13\x3B\xB5\x4D\xDB\xC8\xC4\xF6\xC3\x0F\x24\x2A\xDA\x0C\x9D\xE7\x91\x5B\x80\xCD\x94\x9D\x02\x01\x03\xA3\x82\x01\x24\x30\x82\x01\x20\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x68\x06\x03\x55\x1D\x1F\x04\x61\x30\x5F\x30\x5D\xA0\x5B\xA0\x59\xA4\x57\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x43\x41\x20\x45\x32\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x31\x39\x39\x38\x31\x32\x30\x39\x31\x39\x31\x37\x32\x36\x5A\x81\x0F\x32\x30\x31\x38\x31\x32\x30\x39\x31\x39\x31\x37\x32\x36\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x1E\x82\x4D\x28\x65\x80\x3C\xC9\x41\x6E\xAC\x35\x2E\x5A\xCB\xDE\xEE\xF8\x39\x5B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1E\x82\x4D\x28\x65\x80\x3C\xC9\x41\x6E\xAC\x35\x2E\x5A\xCB\xDE\xEE\xF8\x39\x5B\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x19\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0C\x30\x0A\x1B\x04\x56\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x47\x8D\x83\xAD\x62\xF2\xDB\xB0\x9E\x45\x22\x05\xB9\xA2\xD6\x03\x0E\x38\x72\xE7\x9E\xFC\x7B\xE6\x93\xB6\x9A\xA5\xA2\x94\xC8\x34\x1D\x91\xD1\xC5\xD7\xF4\x0A\x25\x0F\x3D\x78\x81\x9E\x0F\xB1\x67\xC4\x90\x4C\x63\xDD\x5E\xA7\xE2\xBA\x9F\xF5\xF7\x4D\xA5\x31\x7B\x9C\x29\x2D\x4C\xFE\x64\x3E\xEC\xB6\x53\xFE\xEA\x9B\xED\x82\xDB\x74\x75\x4B\x07\x79\x6E\x1E\xD8\x19\x83\x73\xDE\xF5\x3E\xD0\xB5\xDE\xE7\x4B\x68\x7D\x43\x2E\x2A\x20\xE1\x7E\xA0\x78\x44\x9E\x08\xF5\x98\xF9\xC7\x7F\x1B\x1B\xD6\x06\x20\x02\x58\xA1\xC3\xA2\x03",
+	["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64",
+	["OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x02\x30\x82\x02\x6B\x02\x10\x7D\xD9\xFE\x07\xCF\xA8\x1E\xB7\x10\x79\x67\xFB\xA7\x89\x34\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x1E\x17\x0D\x39\x38\x30\x35\x31\x38\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xCC\x5E\xD1\x11\x5D\x5C\x69\xD0\xAB\xD3\xB9\x6A\x4C\x99\x1F\x59\x98\x30\x8E\x16\x85\x20\x46\x6D\x47\x3F\xD4\x85\x20\x84\xE1\x6D\xB3\xF8\xA4\xED\x0C\xF1\x17\x0F\x3B\xF9\xA7\xF9\x25\xD7\xC1\xCF\x84\x63\xF2\x7C\x63\xCF\xA2\x47\xF2\xC6\x5B\x33\x8E\x64\x40\x04\x68\xC1\x80\xB9\x64\x1C\x45\x77\xC7\xD8\x6E\xF5\x95\x29\x3C\x50\xE8\x34\xD7\x78\x1F\xA8\xBA\x6D\x43\x91\x95\x8F\x45\x57\x5E\x7E\xC5\xFB\xCA\xA4\x04\xEB\xEA\x97\x37\x54\x30\x6F\xBB\x01\x47\x32\x33\xCD\xDC\x57\x9B\x64\x69\x61\xF8\x9B\x1D\x1C\x89\x4F\x5C\x67\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x51\x4D\xCD\xBE\x5C\xCB\x98\x19\x9C\x15\xB2\x01\x39\x78\x2E\x4D\x0F\x67\x70\x70\x99\xC6\x10\x5A\x94\xA4\x53\x4D\x54\x6D\x2B\xAF\x0D\x5D\x40\x8B\x64\xD3\xD7\xEE\xDE\x56\x61\x92\x5F\xA6\xC4\x1D\x10\x61\x36\xD3\x2C\x27\x3C\xE8\x29\x09\xB9\x11\x64\x74\xCC\xB5\x73\x9F\x1C\x48\xA9\xBC\x61\x01\xEE\xE2\x17\xA6\x0C\xE3\x40\x08\x3B\x0E\xE7\xEB\x44\x73\x2A\x9A\xF1\x69\x92\xEF\x71\x14\xC3\x39\xAC\x71\xA7\x91\x09\x6F\xE4\x71\x06\xB3\xBA\x59\x57\x26\x79\x00\xF6\xF8\x0D\xA2\x33\x30\x28\xD4\xAA\x58\xA0\x9D\x9D\x69\x91\xFD",
+	["OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 4 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x02\x30\x82\x02\x6B\x02\x10\x32\x88\x8E\x9A\xD2\xF5\xEB\x13\x47\xF8\x7F\xC4\x20\x37\x25\xF8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x1E\x17\x0D\x39\x38\x30\x35\x31\x38\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xBA\xF0\xE4\xCF\xF9\xC4\xAE\x85\x54\xB9\x07\x57\xF9\x8F\xC5\x7F\x68\x11\xF8\xC4\x17\xB0\x44\xDC\xE3\x30\x73\xD5\x2A\x62\x2A\xB8\xD0\xCC\x1C\xED\x28\x5B\x7E\xBD\x6A\xDC\xB3\x91\x24\xCA\x41\x62\x3C\xFC\x02\x01\xBF\x1C\x16\x31\x94\x05\x97\x76\x6E\xA2\xAD\xBD\x61\x17\x6C\x4E\x30\x86\xF0\x51\x37\x2A\x50\xC7\xA8\x62\x81\xDC\x5B\x4A\xAA\xC1\xA0\xB4\x6E\xEB\x2F\xE5\x57\xC5\xB1\x2B\x40\x70\xDB\x5A\x4D\xA1\x8E\x1F\xBD\x03\x1F\xD8\x03\xD4\x8F\x4C\x99\x71\xBC\xE2\x82\xCC\x58\xE8\x98\x3A\x86\xD3\x86\x38\xF3\x00\x29\x1F\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x85\x8C\x12\xC1\xA7\xB9\x50\x15\x7A\xCB\x3E\xAC\xB8\x43\x8A\xDC\xAA\xDD\x14\xBA\x89\x81\x7E\x01\x3C\x23\x71\x21\x88\x2F\x82\xDC\x63\xFA\x02\x45\xAC\x45\x59\xD7\x2A\x58\x44\x5B\xB7\x9F\x81\x3B\x92\x68\x3D\xE2\x37\x24\xF5\x7B\x6C\x8F\x76\x35\x96\x09\xA8\x59\x9D\xB9\xCE\x23\xAB\x74\xD6\x83\xFD\x32\x73\x27\xD8\x69\x3E\x43\x74\xF6\xAE\xC5\x89\x9A\xE7\x53\x7C\xE9\x7B\xF6\x4B\xF3\xC1\x65\x83\xDE\x8D\x8A\x9C\x3C\x88\x8D\x39\x59\xFC\xAA\x3F\x22\x8D\xA1\xC1\x66\x50\x81\x72\x4C\xED\x22\x64\x4F\x4F\xCA\x80\x91\xB6\x29",
+	["CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE"] = "\x30\x82\x03\x75\x30\x82\x02\x5D\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x15\x4B\x5A\xC3\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x39\x38\x30\x39\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x31\x32\x38\x31\x32\x30\x30\x30\x30\x5A\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\x0E\xE6\x99\x8D\xCE\xA3\xE3\x4F\x8A\x7E\xFB\xF1\x8B\x83\x25\x6B\xEA\x48\x1F\xF1\x2A\xB0\xB9\x95\x11\x04\xBD\xF0\x63\xD1\xE2\x67\x66\xCF\x1C\xDD\xCF\x1B\x48\x2B\xEE\x8D\x89\x8E\x9A\xAF\x29\x80\x65\xAB\xE9\xC7\x2D\x12\xCB\xAB\x1C\x4C\x70\x07\xA1\x3D\x0A\x30\xCD\x15\x8D\x4F\xF8\xDD\xD4\x8C\x50\x15\x1C\xEF\x50\xEE\xC4\x2E\xF7\xFC\xE9\x52\xF2\x91\x7D\xE0\x6D\xD5\x35\x30\x8E\x5E\x43\x73\xF2\x41\xE9\xD5\x6A\xE3\xB2\x89\x3A\x56\x39\x38\x6F\x06\x3C\x88\x69\x5B\x2A\x4D\xC5\xA7\x54\xB8\x6C\x89\xCC\x9B\xF9\x3C\xCA\xE5\xFD\x89\xF5\x12\x3C\x92\x78\x96\xD6\xDC\x74\x6E\x93\x44\x61\xD1\x8D\xC7\x46\xB2\x75\x0E\x86\xE8\x19\x8A\xD5\x6D\x6C\xD5\x78\x16\x95\xA2\xE9\xC8\x0A\x38\xEB\xF2\x24\x13\x4F\x73\x54\x93\x13\x85\x3A\x1B\xBC\x1E\x34\xB5\x8B\x05\x8C\xB9\x77\x8B\xB1\xDB\x1F\x20\x91\xAB\x09\x53\x6E\x90\xCE\x7B\x37\x74\xB9\x70\x47\x91\x22\x51\x63\x16\x79\xAE\xB1\xAE\x41\x26\x08\xC8\x19\x2B\xD1\x46\xAA\x48\xD6\x64\x2A\xD7\x83\x34\xFF\x2C\x2A\xC1\x6C\x19\x43\x4A\x07\x85\xE7\xD3\x7C\xF6\x21\x68\xEF\xEA\xF2\x52\x9F\x7F\x93\x90\xCF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x60\x7B\x66\x1A\x45\x0D\x97\xCA\x89\x50\x2F\x7D\x04\xCD\x34\xA8\xFF\xFC\xFD\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD6\x73\xE7\x7C\x4F\x76\xD0\x8D\xBF\xEC\xBA\xA2\xBE\x34\xC5\x28\x32\xB5\x7C\xFC\x6C\x9C\x2C\x2B\xBD\x09\x9E\x53\xBF\x6B\x5E\xAA\x11\x48\xB6\xE5\x08\xA3\xB3\xCA\x3D\x61\x4D\xD3\x46\x09\xB3\x3E\xC3\xA0\xE3\x63\x55\x1B\xF2\xBA\xEF\xAD\x39\xE1\x43\xB9\x38\xA3\xE6\x2F\x8A\x26\x3B\xEF\xA0\x50\x56\xF9\xC6\x0A\xFD\x38\xCD\xC4\x0B\x70\x51\x94\x97\x98\x04\xDF\xC3\x5F\x94\xD5\x15\xC9\x14\x41\x9C\xC4\x5D\x75\x64\x15\x0D\xFF\x55\x30\xEC\x86\x8F\xFF\x0D\xEF\x2C\xB9\x63\x46\xF6\xAA\xFC\xDF\xBC\x69\xFD\x2E\x12\x48\x64\x9A\xE0\x95\xF0\xA6\xEF\x29\x8F\x01\xB1\x15\xB5\x0C\x1D\xA5\xFE\x69\x2C\x69\x24\x78\x1E\xB3\xA7\x1C\x71\x62\xEE\xCA\xC8\x97\xAC\x17\x5D\x8A\xC2\xF8\x47\x86\x6E\x2A\xC4\x56\x31\x95\xD0\x67\x89\x85\x2B\xF9\x6C\xA6\x5D\x46\x9D\x0C\xAA\x82\xE4\x99\x51\xDD\x70\xB7\xDB\x56\x3D\x61\xE4\x6A\xE1\x5C\xD6\xF6\xFE\x3D\xDE\x41\xCC\x07\xAE\x63\x52\xBF\x53\x53\xF4\x2B\xE9\xC7\xFD\xB6\xF7\x82\x5F\x85\xD2\x41\x18\xDB\x81\xB3\x04\x1C\xC5\x1F\xA4\x80\x6F\x15\x20\xC9\xDE\x0C\x88\x0A\x1D\xD6\x66\x55\xE2\xFC\x48\xC9\x29\x26\x69\xE0",
+	["CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2"] = "\x30\x82\x03\xBA\x30\x82\x02\xA2\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x0F\x86\x26\xE6\x0D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x32\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x36\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x17\x0D\x32\x31\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x32\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA6\xCF\x24\x0E\xBE\x2E\x6F\x28\x99\x45\x42\xC4\xAB\x3E\x21\x54\x9B\x0B\xD3\x7F\x84\x70\xFA\x12\xB3\xCB\xBF\x87\x5F\xC6\x7F\x86\xD3\xB2\x30\x5C\xD6\xFD\xAD\xF1\x7B\xDC\xE5\xF8\x60\x96\x09\x92\x10\xF5\xD0\x53\xDE\xFB\x7B\x7E\x73\x88\xAC\x52\x88\x7B\x4A\xA6\xCA\x49\xA6\x5E\xA8\xA7\x8C\x5A\x11\xBC\x7A\x82\xEB\xBE\x8C\xE9\xB3\xAC\x96\x25\x07\x97\x4A\x99\x2A\x07\x2F\xB4\x1E\x77\xBF\x8A\x0F\xB5\x02\x7C\x1B\x96\xB8\xC5\xB9\x3A\x2C\xBC\xD6\x12\xB9\xEB\x59\x7D\xE2\xD0\x06\x86\x5F\x5E\x49\x6A\xB5\x39\x5E\x88\x34\xEC\xBC\x78\x0C\x08\x98\x84\x6C\xA8\xCD\x4B\xB4\xA0\x7D\x0C\x79\x4D\xF0\xB8\x2D\xCB\x21\xCA\xD5\x6C\x5B\x7D\xE1\xA0\x29\x84\xA1\xF9\xD3\x94\x49\xCB\x24\x62\x91\x20\xBC\xDD\x0B\xD5\xD9\xCC\xF9\xEA\x27\x0A\x2B\x73\x91\xC6\x9D\x1B\xAC\xC8\xCB\xE8\xE0\xA0\xF4\x2F\x90\x8B\x4D\xFB\xB0\x36\x1B\xF6\x19\x7A\x85\xE0\x6D\xF2\x61\x13\x88\x5C\x9F\xE0\x93\x0A\x51\x97\x8A\x5A\xCE\xAF\xAB\xD5\xF7\xAA\x09\xAA\x60\xBD\xDC\xD9\x5F\xDF\x72\xA9\x60\x13\x5E\x00\x01\xC9\x4A\xFA\x3F\xA4\xEA\x07\x03\x21\x02\x8E\x82\xCA\x03\xC2\x9B\x8F\x02\x03\x01\x00\x01\xA3\x81\x9C\x30\x81\x99\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9B\xE2\x07\x57\x67\x1C\x1E\xC0\x6A\x06\xDE\x59\xB4\x9A\x2D\xDF\xDC\x19\x86\x2E\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x67\x6C\x6F\x62\x61\x6C\x73\x69\x67\x6E\x2E\x6E\x65\x74\x2F\x72\x6F\x6F\x74\x2D\x72\x32\x2E\x63\x72\x6C\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x9B\xE2\x07\x57\x67\x1C\x1E\xC0\x6A\x06\xDE\x59\xB4\x9A\x2D\xDF\xDC\x19\x86\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x99\x81\x53\x87\x1C\x68\x97\x86\x91\xEC\xE0\x4A\xB8\x44\x0B\xAB\x81\xAC\x27\x4F\xD6\xC1\xB8\x1C\x43\x78\xB3\x0C\x9A\xFC\xEA\x2C\x3C\x6E\x61\x1B\x4D\x4B\x29\xF5\x9F\x05\x1D\x26\xC1\xB8\xE9\x83\x00\x62\x45\xB6\xA9\x08\x93\xB9\xA9\x33\x4B\x18\x9A\xC2\xF8\x87\x88\x4E\xDB\xDD\x71\x34\x1A\xC1\x54\xDA\x46\x3F\xE0\xD3\x2A\xAB\x6D\x54\x22\xF5\x3A\x62\xCD\x20\x6F\xBA\x29\x89\xD7\xDD\x91\xEE\xD3\x5C\xA2\x3E\xA1\x5B\x41\xF5\xDF\xE5\x64\x43\x2D\xE9\xD5\x39\xAB\xD2\xA2\xDF\xB7\x8B\xD0\xC0\x80\x19\x1C\x45\xC0\x2D\x8C\xE8\xF8\x2D\xA4\x74\x56\x49\xC5\x05\xB5\x4F\x15\xDE\x6E\x44\x78\x39\x87\xA8\x7E\xBB\xF3\x79\x18\x91\xBB\xF4\x6F\x9D\xC1\xF0\x8C\x35\x8C\x5D\x01\xFB\xC3\x6D\xB9\xEF\x44\x6D\x79\x46\x31\x7E\x0A\xFE\xA9\x82\xC1\xFF\xEF\xAB\x6E\x20\xC4\x50\xC9\x5F\x9D\x4D\x9B\x17\x8C\x0C\xE5\x01\xC9\xA0\x41\x6A\x73\x53\xFA\xA5\x50\xB4\x6E\x25\x0F\xFB\x4C\x18\xF4\xFD\x52\xD9\x8E\x69\xB1\xE8\x11\x0F\xDE\x88\xD8\xFB\x1D\x49\xF7\xAA\xDE\x95\xCF\x20\x78\xC2\x60\x12\xDB\x25\x40\x8C\x6A\xFC\x7E\x42\x38\x40\x64\x12\xF7\x9E\x81\xE1\x93\x2E",
+	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x35\x32\x32\x32\x33\x34\x38\x5A\x17\x0D\x31\x39\x30\x36\x32\x35\x32\x32\x32\x33\x34\x38\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD8\x59\x82\x7A\x89\xB8\x96\xBA\xA6\x2F\x68\x6F\x58\x2E\xA7\x54\x1C\x06\x6E\xF4\xEA\x8D\x48\xBC\x31\x94\x17\xF0\xF3\x4E\xBC\xB2\xB8\x35\x92\x76\xB0\xD0\xA5\xA5\x01\xD7\x00\x03\x12\x22\x19\x08\xF8\xFF\x11\x23\x9B\xCE\x07\xF5\xBF\x69\x1A\x26\xFE\x4E\xE9\xD1\x7F\x9D\x2C\x40\x1D\x59\x68\x6E\xA6\xF8\x58\xB0\x9D\x1A\x8F\xD3\x3F\xF1\xDC\x19\x06\x81\xA8\x0E\xE0\x3A\xDD\xC8\x53\x45\x09\x06\xE6\x0F\x70\xC3\xFA\x40\xA6\x0E\xE2\x56\x05\x0F\x18\x4D\xFC\x20\x82\xD1\x73\x55\x74\x8D\x76\x72\xA0\x1D\x9D\x1D\xC0\xDD\x3F\x71\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x50\x68\x3D\x49\xF4\x2C\x1C\x06\x94\xDF\x95\x60\x7F\x96\x7B\x17\xFE\x4F\x71\xAD\x64\xC8\xDD\x77\xD2\xEF\x59\x55\xE8\x3F\xE8\x8E\x05\x2A\x21\xF2\x07\xD2\xB5\xA7\x52\xFE\x9C\xB1\xB6\xE2\x5B\x77\x17\x40\xEA\x72\xD6\x23\xCB\x28\x81\x32\xC3\x00\x79\x18\xEC\x59\x17\x89\xC9\xC6\x6A\x1E\x71\xC9\xFD\xB7\x74\xA5\x25\x45\x69\xC5\x48\xAB\x19\xE1\x45\x8A\x25\x6B\x19\xEE\xE5\xBB\x12\xF5\x7F\xF7\xA6\x8D\x51\xC3\xF0\x9D\x74\xB7\xA9\x3E\xA0\xA5\xFF\xB6\x49\x03\x13\xDA\x22\xCC\xED\x71\x82\x2B\x99\xCF\x3A\xB7\xF5\x2D\x72\xC8",
+	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x36\x30\x30\x31\x39\x35\x34\x5A\x17\x0D\x31\x39\x30\x36\x32\x36\x30\x30\x31\x39\x35\x34\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xCE\x3A\x71\xCA\xE5\xAB\xC8\x59\x92\x55\xD7\xAB\xD8\x74\x0E\xF9\xEE\xD9\xF6\x55\x47\x59\x65\x47\x0E\x05\x55\xDC\xEB\x98\x36\x3C\x5C\x53\x5D\xD3\x30\xCF\x38\xEC\xBD\x41\x89\xED\x25\x42\x09\x24\x6B\x0A\x5E\xB3\x7C\xDD\x52\x2D\x4C\xE6\xD4\xD6\x7D\x5A\x59\xA9\x65\xD4\x49\x13\x2D\x24\x4D\x1C\x50\x6F\xB5\xC1\x85\x54\x3B\xFE\x71\xE4\xD3\x5C\x42\xF9\x80\xE0\x91\x1A\x0A\x5B\x39\x36\x67\xF3\x3F\x55\x7C\x1B\x3F\xB4\x5F\x64\x73\x34\xE3\xB4\x12\xBF\x87\x64\xF8\xDA\x12\xFF\x37\x27\xC1\xB3\x43\xBB\xEF\x7B\x6E\x2E\x69\xF7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x3B\x7F\x50\x6F\x6F\x50\x94\x99\x49\x62\x38\x38\x1F\x4B\xF8\xA5\xC8\x3E\xA7\x82\x81\xF6\x2B\xC7\xE8\xC5\xCE\xE8\x3A\x10\x82\xCB\x18\x00\x8E\x4D\xBD\xA8\x58\x7F\xA1\x79\x00\xB5\xBB\xE9\x8D\xAF\x41\xD9\x0F\x34\xEE\x21\x81\x19\xA0\x32\x49\x28\xF4\xC4\x8E\x56\xD5\x52\x33\xFD\x50\xD5\x7E\x99\x6C\x03\xE4\xC9\x4C\xFC\xCB\x6C\xAB\x66\xB3\x4A\x21\x8C\xE5\xB5\x0C\x32\x3E\x10\xB2\xCC\x6C\xA1\xDC\x9A\x98\x4C\x02\x5B\xF3\xCE\xB9\x9E\xA5\x72\x0E\x4A\xB7\x3F\x3C\xE6\x16\x68\xF8\xBE\xED\x74\x4C\xBC\x5B\xD5\x62\x1F\x43\xDD",
+	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x36\x30\x30\x32\x32\x33\x33\x5A\x17\x0D\x31\x39\x30\x36\x32\x36\x30\x30\x32\x32\x33\x33\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xE3\x98\x51\x96\x1C\xE8\xD5\xB1\x06\x81\x6A\x57\xC3\x72\x75\x93\xAB\xCF\x9E\xA6\xFC\xF3\x16\x52\xD6\x2D\x4D\x9F\x35\x44\xA8\x2E\x04\x4D\x07\x49\x8A\x38\x29\xF5\x77\x37\xE7\xB7\xAB\x5D\xDF\x36\x71\x14\x99\x8F\xDC\xC2\x92\xF1\xE7\x60\x92\x97\xEC\xD8\x48\xDC\xBF\xC1\x02\x20\xC6\x24\xA4\x28\x4C\x30\x5A\x76\x6D\xB1\x5C\xF3\xDD\xDE\x9E\x10\x71\xA1\x88\xC7\x5B\x9B\x41\x6D\xCA\xB0\xB8\x8E\x15\xEE\xAD\x33\x2B\xCF\x47\x04\x5C\x75\x71\x0A\x98\x24\x98\x29\xA7\x49\x59\xA5\xDD\xF8\xB7\x43\x62\x61\xF3\xD3\xE2\xD0\x55\x3F\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x56\xBB\x02\x58\x84\x67\x08\x2C\xDF\x1F\xDB\x7B\x49\x33\xF5\xD3\x67\x9D\xF4\xB4\x0A\x10\xB3\xC9\xC5\x2C\xE2\x92\x6A\x71\x78\x27\xF2\x70\x83\x42\xD3\x3E\xCF\xA9\x54\xF4\xF1\xD8\x92\x16\x8C\xD1\x04\xCB\x4B\xAB\xC9\x9F\x45\xAE\x3C\x8A\xA9\xB0\x71\x33\x5D\xC8\xC5\x57\xDF\xAF\xA8\x35\xB3\x7F\x89\x87\xE9\xE8\x25\x92\xB8\x7F\x85\x7A\xAE\xD6\xBC\x1E\x37\x58\x2A\x67\xC9\x91\xCF\x2A\x81\x3E\xED\xC6\x39\xDF\xC0\x3E\x19\x9C\x19\xCC\x13\x4D\x82\x41\xB5\x8C\xDE\xE0\x3D\x60\x08\x20\x0F\x45\x7E\x6B\xA2\x7F\xA3\x8C\x15\xEE",
+	["CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\x9B\x7E\x06\x49\xA3\x3E\x62\xB9\xD5\xEE\x90\x48\x71\x29\xEF\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\xBA\x9C\x52\xFC\x78\x1F\x1A\x1E\x6F\x1B\x37\x73\xBD\xF8\xC9\x6B\x94\x12\x30\x4F\xF0\x36\x47\xF5\xD0\x91\x0A\xF5\x17\xC8\xA5\x61\xC1\x16\x40\x4D\xFB\x8A\x61\x90\xE5\x76\x20\xC1\x11\x06\x7D\xAB\x2C\x6E\xA6\xF5\x11\x41\x8E\xFA\x2D\xAD\x2A\x61\x59\xA4\x67\x26\x4C\xD0\xE8\xBC\x52\x5B\x70\x20\x04\x58\xD1\x7A\xC9\xA4\x69\xBC\x83\x17\x64\xAD\x05\x8B\xBC\xD0\x58\xCE\x8D\x8C\xF5\xEB\xF0\x42\x49\x0B\x9D\x97\x27\x67\x32\x6E\xE1\xAE\x93\x15\x1C\x70\xBC\x20\x4D\x2F\x18\xDE\x92\x88\xE8\x6C\x85\x57\x11\x1A\xE9\x7E\xE3\x26\x11\x54\xA2\x45\x96\x55\x83\xCA\x30\x89\xE8\xDC\xD8\xA3\xED\x2A\x80\x3F\x7F\x79\x65\x57\x3E\x15\x20\x66\x08\x2F\x95\x93\xBF\xAA\x47\x2F\xA8\x46\x97\xF0\x12\xE2\xFE\xC2\x0A\x2B\x51\xE6\x76\xE6\xB7\x46\xB7\xE2\x0D\xA6\xCC\xA8\xC3\x4C\x59\x55\x89\xE6\xE8\x53\x5C\x1C\xEA\x9D\xF0\x62\x16\x0B\xA7\xC9\x5F\x0C\xF0\xDE\xC2\x76\xCE\xAF\xF7\x6A\xF2\xFA\x41\xA6\xA2\x33\x14\xC9\xE5\x7A\x63\xD3\x9E\x62\x37\xD5\x85\x65\x9E\x0E\xE6\x53\x24\x74\x1B\x5E\x1D\x12\x53\x5B\xC7\x2C\xE7\x83\x49\x3B\x15\xAE\x8A\x68\xB9\x57\x97\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x11\x14\x96\xC1\xAB\x92\x08\xF7\x3F\x2F\xC9\xB2\xFE\xE4\x5A\x9F\x64\xDE\xDB\x21\x4F\x86\x99\x34\x76\x36\x57\xDD\xD0\x15\x2F\xC5\xAD\x7F\x15\x1F\x37\x62\x73\x3E\xD4\xE7\x5F\xCE\x17\x03\xDB\x35\xFA\x2B\xDB\xAE\x60\x09\x5F\x1E\x5F\x8F\x6E\xBB\x0B\x3D\xEA\x5A\x13\x1E\x0C\x60\x6F\xB5\xC0\xB5\x23\x22\x2E\x07\x0B\xCB\xA9\x74\xCB\x47\xBB\x1D\xC1\xD7\xA5\x6B\xCC\x2F\xD2\x42\xFD\x49\xDD\xA7\x89\xCF\x53\xBA\xDA\x00\x5A\x28\xBF\x82\xDF\xF8\xBA\x13\x1D\x50\x86\x82\xFD\x8E\x30\x8F\x29\x46\xB0\x1E\x3D\x35\xDA\x38\x62\x16\x18\x4A\xAD\xE6\xB6\x51\x6C\xDE\xAF\x62\xEB\x01\xD0\x1E\x24\xFE\x7A\x8F\x12\x1A\x12\x68\xB8\xFB\x66\x99\x14\x14\x45\x5C\xAE\xE7\xAE\x69\x17\x81\x2B\x5A\x37\xC9\x5E\x2A\xF4\xC6\xE2\xA1\x5C\x54\x9B\xA6\x54\x00\xCF\xF0\xF1\xC1\xC7\x98\x30\x1A\x3B\x36\x16\xDB\xA3\x6E\xEA\xFD\xAD\xB2\xC2\xDA\xEF\x02\x47\x13\x8A\xC0\xF1\xB3\x31\xAD\x4F\x1C\xE1\x4F\x9C\xAF\x0F\x0C\x9D\xF7\x78\x0D\xD8\xF4\x35\x56\x80\xDA\xB7\x6D\x17\x8F\x9D\x1E\x81\x64\xE1\xFE\xC5\x45\xBA\xAD\x6B\xB9\x0A\x7A\x4E\x4F\x4B\x84\xEE\x4B\xF1\x7D\xDD\x11",
+	["CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\xEC\xA0\xA7\x8B\x6E\x75\x6A\x01\xCF\xC4\x7C\xCC\x2F\x94\x5E\xD7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\xCB\xA5\x11\x69\xC6\x59\xAB\xF1\x8F\xB5\x19\x0F\x56\xCE\xCC\xB5\x1F\x20\xE4\x9E\x26\x25\x4B\xE0\x73\x65\x89\x59\xDE\xD0\x83\xE4\xF5\x0F\xB5\xBB\xAD\xF1\x7C\xE8\x21\xFC\xE4\xE8\x0C\xEE\x7C\x45\x22\x19\x76\x92\xB4\x13\xB7\x20\x5B\x09\xFA\x61\xAE\xA8\xF2\xA5\x8D\x85\xC2\x2A\xD6\xDE\x66\x36\xD2\x9B\x02\xF4\xA8\x92\x60\x7C\x9C\x69\xB4\x8F\x24\x1E\xD0\x86\x52\xF6\x32\x9C\x41\x58\x1E\x22\xBD\xCD\x45\x62\x95\x08\x6E\xD0\x66\xDD\x53\xA2\xCC\xF0\x10\xDC\x54\x73\x8B\x04\xA1\x46\x33\x33\x5C\x17\x40\xB9\x9E\x4D\xD3\xF3\xBE\x55\x83\xE8\xB1\x89\x8E\x5A\x7C\x9A\x96\x22\x90\x3B\x88\x25\xF2\xD2\x53\x88\x02\x0C\x0B\x78\xF2\xE6\x37\x17\x4B\x30\x46\x07\xE4\x80\x6D\xA6\xD8\x96\x2E\xE8\x2C\xF8\x11\xB3\x38\x0D\x66\xA6\x9B\xEA\xC9\x23\x5B\xDB\x8E\xE2\xF3\x13\x8E\x1A\x59\x2D\xAA\x02\xF0\xEC\xA4\x87\x66\xDC\xC1\x3F\xF5\xD8\xB9\xF4\xEC\x82\xC6\xD2\x3D\x95\x1D\xE5\xC0\x4F\x84\xC9\xD9\xA3\x44\x28\x06\x6A\xD7\x45\xAC\xF0\x6B\x6A\xEF\x4E\x5F\xF8\x11\x82\x1E\x38\x63\x34\x66\x50\xD4\x3E\x93\x73\xFA\x30\xC3\x66\xAD\xFF\x93\x2D\x97\xEF\x03\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8F\xFA\x25\x6B\x4F\x5B\xE4\xA4\x4E\x27\x55\xAB\x22\x15\x59\x3C\xCA\xB5\x0A\xD4\x4A\xDB\xAB\xDD\xA1\x5F\x53\xC5\xA0\x57\x39\xC2\xCE\x47\x2B\xBE\x3A\xC8\x56\xBF\xC2\xD9\x27\x10\x3A\xB1\x05\x3C\xC0\x77\x31\xBB\x3A\xD3\x05\x7B\x6D\x9A\x1C\x30\x8C\x80\xCB\x93\x93\x2A\x83\xAB\x05\x51\x82\x02\x00\x11\x67\x6B\xF3\x88\x61\x47\x5F\x03\x93\xD5\x5B\x0D\xE0\xF1\xD4\xA1\x32\x35\x85\xB2\x3A\xDB\xB0\x82\xAB\xD1\xCB\x0A\xBC\x4F\x8C\x5B\xC5\x4B\x00\x3B\x1F\x2A\x82\xA6\x7E\x36\x85\xDC\x7E\x3C\x67\x00\xB5\xE4\x3B\x52\xE0\xA8\xEB\x5D\x15\xF9\xC6\x6D\xF0\xAD\x1D\x0E\x85\xB7\xA9\x9A\x73\x14\x5A\x5B\x8F\x41\x28\xC0\xD5\xE8\x2D\x4D\xA4\x5E\xCD\xAA\xD9\xED\xCE\xDC\xD8\xD5\x3C\x42\x1D\x17\xC1\x12\x5D\x45\x38\xC3\x38\xF3\xFC\x85\x2E\x83\x46\x48\xB2\xD7\x20\x5F\x92\x36\x8F\xE7\x79\x0F\x98\x5E\x99\xE8\xF0\xD0\xA4\xBB\xF5\x53\xBD\x2A\xCE\x59\xB0\xAF\x6E\x7F\x6C\xBB\xD2\x1E\x00\xB0\x21\xED\xF8\x41\x62\x82\xB9\xD8\xB2\xC4\xBB\x46\x50\xF3\x31\xC5\x8F\x01\xA8\x74\xEB\xF5\x78\x27\xDA\xE7\xF7\x66\x43\xF3\x9E\x83\x3E\x20\xAA\xC3\x35\x60\x91\xCE",
+	["CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US"] = "\x30\x82\x04\xD8\x30\x82\x04\x41\xA0\x03\x02\x01\x02\x02\x04\x37\x4A\xD2\x43\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xC3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x17\x0D\x31\x39\x30\x35\x32\x35\x31\x36\x33\x39\x34\x30\x5A\x30\x81\xC3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8B\x00\x30\x81\x87\x02\x81\x81\x00\xCD\x28\x83\x34\x54\x1B\x89\xF3\x0F\xAF\x37\x91\x31\xFF\xAF\x31\x60\xC9\xA8\xE8\xB2\x10\x68\xED\x9F\xE7\x93\x36\xF1\x0A\x64\xBB\x47\xF5\x04\x17\x3F\x23\x47\x4D\xC5\x27\x19\x81\x26\x0C\x54\x72\x0D\x88\x2D\xD9\x1F\x9A\x12\x9F\xBC\xB3\x71\xD3\x80\x19\x3F\x47\x66\x7B\x8C\x35\x28\xD2\xB9\x0A\xDF\x24\xDA\x9C\xD6\x50\x79\x81\x7A\x5A\xD3\x37\xF7\xC2\x4A\xD8\x29\x92\x26\x64\xD1\xE4\x98\x6C\x3A\x00\x8A\xF5\x34\x9B\x65\xF8\xED\xE3\x10\xFF\xFD\xB8\x49\x58\xDC\xA0\xDE\x82\x39\x6B\x81\xB1\x16\x19\x61\xB9\x54\xB6\xE6\x43\x02\x01\x03\xA3\x82\x01\xD7\x30\x82\x01\xD3\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x01\x19\x06\x03\x55\x1D\x1F\x04\x82\x01\x10\x30\x82\x01\x0C\x30\x81\xDE\xA0\x81\xDB\xA0\x81\xD8\xA4\x81\xD5\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x52\x4C\x2F\x6E\x65\x74\x31\x2E\x63\x72\x6C\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x31\x39\x39\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x81\x0F\x32\x30\x31\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xF0\x17\x62\x13\x55\x3D\xB3\xFF\x0A\x00\x6B\xFB\x50\x84\x97\xF3\xED\x62\xD0\x1A\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF0\x17\x62\x13\x55\x3D\xB3\xFF\x0A\x00\x6B\xFB\x50\x84\x97\xF3\xED\x62\xD0\x1A\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x19\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0C\x30\x0A\x1B\x04\x56\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x90\xDC\x30\x02\xFA\x64\x74\xC2\xA7\x0A\xA5\x7C\x21\x8D\x34\x17\xA8\xFB\x47\x0E\xFF\x25\x7C\x8D\x13\x0A\xFB\xE4\x98\xB5\xEF\x8C\xF8\xC5\x10\x0D\xF7\x92\xBE\xF1\xC3\xD5\xD5\x95\x6A\x04\xBB\x2C\xCE\x26\x36\x65\xC8\x31\xC6\xE7\xEE\x3F\xE3\x57\x75\x84\x7A\x11\xEF\x46\x4F\x18\xF4\xD3\x98\xBB\xA8\x87\x32\xBA\x72\xF6\x3C\xE2\x3D\x9F\xD7\x1D\xD9\xC3\x60\x43\x8C\x58\x0E\x22\x96\x2F\x62\xA3\x2C\x1F\xBA\xAD\x05\xEF\xAB\x32\x78\x87\xA0\x54\x73\x19\xB5\x5C\x05\xF9\x52\x3E\x6D\x2D\x45\x0B\xF7\x0A\x93\xEA\xED\x06\xF9\xB2",
+	["CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net"] = "\x30\x82\x04\x5C\x30\x82\x03\x44\xA0\x03\x02\x01\x02\x02\x04\x38\x63\xB9\x66\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x1E\x17\x0D\x39\x39\x31\x32\x32\x34\x31\x37\x35\x30\x35\x31\x5A\x17\x0D\x31\x39\x31\x32\x32\x34\x31\x38\x32\x30\x35\x31\x5A\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x4D\x4B\xA9\x12\x86\xB2\xEA\xA3\x20\x07\x15\x16\x64\x2A\x2B\x4B\xD1\xBF\x0B\x4A\x4D\x8E\xED\x80\x76\xA5\x67\xB7\x78\x40\xC0\x73\x42\xC8\x68\xC0\xDB\x53\x2B\xDD\x5E\xB8\x76\x98\x35\x93\x8B\x1A\x9D\x7C\x13\x3A\x0E\x1F\x5B\xB7\x1E\xCF\xE5\x24\x14\x1E\xB1\x81\xA9\x8D\x7D\xB8\xCC\x6B\x4B\x03\xF1\x02\x0C\xDC\xAB\xA5\x40\x24\x00\x7F\x74\x94\xA1\x9D\x08\x29\xB3\x88\x0B\xF5\x87\x77\x9D\x55\xCD\xE4\xC3\x7E\xD7\x6A\x64\xAB\x85\x14\x86\x95\x5B\x97\x32\x50\x6F\x3D\xC8\xBA\x66\x0C\xE3\xFC\xBD\xB8\x49\xC1\x76\x89\x49\x19\xFD\xC0\xA8\xBD\x89\xA3\x67\x2F\xC6\x9F\xBC\x71\x19\x60\xB8\x2D\xE9\x2C\xC9\x90\x76\x66\x7B\x94\xE2\xAF\x78\xD6\x65\x53\x5D\x3C\xD6\x9C\xB2\xCF\x29\x03\xF9\x2F\xA4\x50\xB2\xD4\x48\xCE\x05\x32\x55\x8A\xFD\xB2\x64\x4C\x0E\xE4\x98\x07\x75\xDB\x7F\xDF\xB9\x08\x55\x60\x85\x30\x29\xF9\x7B\x48\xA4\x69\x86\xE3\x35\x3F\x1E\x86\x5D\x7A\x7A\x15\xBD\xEF\x00\x8E\x15\x22\x54\x17\x00\x90\x26\x93\xBC\x0E\x49\x68\x91\xBF\xF8\x47\xD3\x9D\x95\x42\xC1\x0E\x4D\xDF\x6F\x26\xCF\xC3\x18\x21\x62\x66\x43\x70\xD6\xD5\xC0\x07\xE1\x02\x03\x01\x00\x01\xA3\x74\x30\x72\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x55\xE4\x81\xD1\x11\x80\xBE\xD8\x89\xB9\x08\xA3\x31\xF9\xA1\x24\x09\x16\xB9\x70\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x55\xE4\x81\xD1\x11\x80\xBE\xD8\x89\xB9\x08\xA3\x31\xF9\xA1\x24\x09\x16\xB9\x70\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x35\x2E\x30\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x59\x47\xAC\x21\x84\x8A\x17\xC9\x9C\x89\x53\x1E\xBA\x80\x85\x1A\xC6\x3C\x4E\x3E\xB1\x9C\xB6\x7C\xC6\x92\x5D\x18\x64\x02\xE3\xD3\x06\x08\x11\x61\x7C\x63\xE3\x2B\x9D\x31\x03\x70\x76\xD2\xA3\x28\xA0\xF4\xBB\x9A\x63\x73\xED\x6D\xE5\x2A\xDB\xED\x14\xA9\x2B\xC6\x36\x11\xD0\x2B\xEB\x07\x8B\xA5\xDA\x9E\x5C\x19\x9D\x56\x12\xF5\x54\x29\xC8\x05\xED\xB2\x12\x2A\x8D\xF4\x03\x1B\xFF\xE7\x92\x10\x87\xB0\x3A\xB5\xC3\x9D\x05\x37\x12\xA3\xC7\xF4\x15\xB9\xD5\xA4\x39\x16\x9B\x53\x3A\x23\x91\xF1\xA8\x82\xA2\x6A\x88\x68\xC1\x79\x02\x22\xBC\xAA\xA6\xD6\xAE\xDF\xB0\x14\x5F\xB8\x87\xD0\xDD\x7C\x7F\x7B\xFF\xAF\x1C\xCF\xE6\xDB\x07\xAD\x5E\xDB\x85\x9D\xD0\x2B\x0D\x33\xDB\x04\xD1\xE6\x49\x40\x13\x2B\x76\xFB\x3E\xE9\x9C\x89\x0F\x15\xCE\x18\xB0\x85\x78\x21\x4F\x6B\x4F\x0E\xFA\x36\x67\xCD\x07\xF2\xFF\x08\xD0\xE2\xDE\xD9\xBF\x2A\xAF\xB8\x87\x86\x21\x3C\x04\xCA\xB7\x94\x68\x7F\xCF\x3C\xE9\x98\xD7\x38\xFF\xEC\xC0\xD9\x50\xF0\x2E\x4B\x58\xAE\x46\x6F\xD0\x2E\xC3\x60\xDA\x72\x55\x72\xBD\x4C\x45\x9E\x61\xBA\xBF\x84\x81\x92\x03\xD1\xD2\x69\x7C\xC5",
+	["CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x04\x02\x00\x00\xB9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x31\x32\x31\x38\x34\x36\x30\x30\x5A\x17\x0D\x32\x35\x30\x35\x31\x32\x32\x33\x35\x39\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA3\x04\xBB\x22\xAB\x98\x3D\x57\xE8\x26\x72\x9A\xB5\x79\xD4\x29\xE2\xE1\xE8\x95\x80\xB1\xB0\xE3\x5B\x8E\x2B\x29\x9A\x64\xDF\xA1\x5D\xED\xB0\x09\x05\x6D\xDB\x28\x2E\xCE\x62\xA2\x62\xFE\xB4\x88\xDA\x12\xEB\x38\xEB\x21\x9D\xC0\x41\x2B\x01\x52\x7B\x88\x77\xD3\x1C\x8F\xC7\xBA\xB9\x88\xB5\x6A\x09\xE7\x73\xE8\x11\x40\xA7\xD1\xCC\xCA\x62\x8D\x2D\xE5\x8F\x0B\xA6\x50\xD2\xA8\x50\xC3\x28\xEA\xF5\xAB\x25\x87\x8A\x9A\x96\x1C\xA9\x67\xB8\x3F\x0C\xD5\xF7\xF9\x52\x13\x2F\xC2\x1B\xD5\x70\x70\xF0\x8F\xC0\x12\xCA\x06\xCB\x9A\xE1\xD9\xCA\x33\x7A\x77\xD6\xF8\xEC\xB9\xF1\x68\x44\x42\x48\x13\xD2\xC0\xC2\xA4\xAE\x5E\x60\xFE\xB6\xA6\x05\xFC\xB4\xDD\x07\x59\x02\xD4\x59\x18\x98\x63\xF5\xA5\x63\xE0\x90\x0C\x7D\x5D\xB2\x06\x7A\xF3\x85\xEA\xEB\xD4\x03\xAE\x5E\x84\x3E\x5F\xFF\x15\xED\x69\xBC\xF9\x39\x36\x72\x75\xCF\x77\x52\x4D\xF3\xC9\x90\x2C\xB9\x3D\xE5\xC9\x23\x53\x3F\x1F\x24\x98\x21\x5C\x07\x99\x29\xBD\xC6\x3A\xEC\xE7\x6E\x86\x3A\x6B\x97\x74\x63\x33\xBD\x68\x18\x31\xF0\x78\x8D\x76\xBF\xFC\x9E\x8E\x5D\x2A\x86\xA7\x4D\x90\xDC\x27\x1A\x39\x02\x03\x01\x00\x01\xA3\x45\x30\x43\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE5\x9D\x59\x30\x82\x47\x58\xCC\xAC\xFA\x08\x54\x36\x86\x7B\x3A\xB5\x04\x4D\xF0\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x0C\x5D\x8E\xE4\x6F\x51\x68\x42\x05\xA0\xDD\xBB\x4F\x27\x25\x84\x03\xBD\xF7\x64\xFD\x2D\xD7\x30\xE3\xA4\x10\x17\xEB\xDA\x29\x29\xB6\x79\x3F\x76\xF6\x19\x13\x23\xB8\x10\x0A\xF9\x58\xA4\xD4\x61\x70\xBD\x04\x61\x6A\x12\x8A\x17\xD5\x0A\xBD\xC5\xBC\x30\x7C\xD6\xE9\x0C\x25\x8D\x86\x40\x4F\xEC\xCC\xA3\x7E\x38\xC6\x37\x11\x4F\xED\xDD\x68\x31\x8E\x4C\xD2\xB3\x01\x74\xEE\xBE\x75\x5E\x07\x48\x1A\x7F\x70\xFF\x16\x5C\x84\xC0\x79\x85\xB8\x05\xFD\x7F\xBE\x65\x11\xA3\x0F\xC0\x02\xB4\xF8\x52\x37\x39\x04\xD5\xA9\x31\x7A\x18\xBF\xA0\x2A\xF4\x12\x99\xF7\xA3\x45\x82\xE3\x3C\x5E\xF5\x9D\x9E\xB5\xC8\x9E\x7C\x2E\xC8\xA4\x9E\x4E\x08\x14\x4B\x6D\xFD\x70\x6D\x6B\x1A\x63\xBD\x64\xE6\x1F\xB7\xCE\xF0\xF2\x9F\x2E\xBB\x1B\xB7\xF2\x50\x88\x73\x92\xC2\xE2\xE3\x16\x8D\x9A\x32\x02\xAB\x8E\x18\xDD\xE9\x10\x11\xEE\x7E\x35\xAB\x90\xAF\x3E\x30\x94\x7A\xD0\x33\x3D\xA7\x65\x0F\xF5\xFC\x8E\x9E\x62\xCF\x47\x44\x2C\x01\x5D\xBB\x1D\xB5\x32\xD2\x47\xD2\x38\x2E\xD0\xFE\x81\xDC\x32\x6A\x1E\xB5\xEE\x3C\xD5\xFC\xE7\x81\x1D\x19\xC3\x24\x42\xEA\x63\x39\xA9",
+	["CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US"] = "\x30\x82\x02\x90\x30\x82\x01\xF9\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xBA\xE7\x17\x90\x02\x65\xB1\x34\x55\x3C\x49\xC2\x51\xD5\xDF\xA7\xD1\x37\x8F\xD1\xE7\x81\x73\x41\x52\x60\x9B\x9D\xA1\x17\x26\x78\xAD\xC7\xB1\xE8\x26\x94\x32\xB5\xDE\x33\x8D\x3A\x2F\xDB\xF2\x9A\x7A\x5A\x73\x98\xA3\x5C\xE9\xFB\x8A\x73\x1B\x5C\xE7\xC3\xBF\x80\x6C\xCD\xA9\xF4\xD6\x2B\xC0\xF7\xF9\x99\xAA\x63\xA2\xB1\x47\x02\x0F\xD4\xE4\x51\x3A\x12\x3C\x6C\x8A\x5A\x54\x84\x70\xDB\xC1\xC5\x90\xCF\x72\x45\xCB\xA8\x59\xC0\xCD\x33\x9D\x3F\xA3\x96\xEB\x85\x33\x21\x1C\x3E\x1E\x3E\x60\x6E\x76\x9C\x67\x85\xC5\xC8\xC3\x61\x02\x03\x01\x00\x01\xA3\x66\x30\x64\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xBE\xA8\xA0\x74\x72\x50\x6B\x44\xB7\xC9\x23\xD8\xFB\xA8\xFF\xB3\x57\x6B\x68\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBE\xA8\xA0\x74\x72\x50\x6B\x44\xB7\xC9\x23\xD8\xFB\xA8\xFF\xB3\x57\x6B\x68\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x30\xE2\x01\x51\xAA\xC7\xEA\x5F\xDA\xB9\xD0\x65\x0F\x30\xD6\x3E\xDA\x0D\x14\x49\x6E\x91\x93\x27\x14\x31\xEF\xC4\xF7\x2D\x45\xF8\xEC\xC7\xBF\xA2\x41\x0D\x23\xB4\x92\xF9\x19\x00\x67\xBD\x01\xAF\xCD\xE0\x71\xFC\x5A\xCF\x64\xC4\xE0\x96\x98\xD0\xA3\x40\xE2\x01\x8A\xEF\x27\x07\xF1\x65\x01\x8A\x44\x2D\x06\x65\x75\x52\xC0\x86\x10\x20\x21\x5F\x6C\x6B\x0F\x6C\xAE\x09\x1C\xAF\xF2\xA2\x18\x34\xC4\x75\xA4\x73\x1C\xF1\x8D\xDC\xEF\xAD\xF9\xB3\x76\xB4\x92\xBF\xDC\x95\x10\x1E\xBE\xCB\xC8\x3B\x5A\x84\x60\x19\x56\x94\xA9\x55",
+	["CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US"] = "\x30\x82\x02\x82\x30\x82\x01\xEB\xA0\x03\x02\x01\x02\x02\x01\x04\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xCE\x2F\x19\xBC\x17\xB7\x77\xDE\x93\xA9\x5F\x5A\x0D\x17\x4F\x34\x1A\x0C\x98\xF4\x22\xD9\x59\xD4\xC4\x68\x46\xF0\xB4\x35\xC5\x85\x03\x20\xC6\xAF\x45\xA5\x21\x51\x45\x41\xEB\x16\x58\x36\x32\x6F\xE2\x50\x62\x64\xF9\xFD\x51\x9C\xAA\x24\xD9\xF4\x9D\x83\x2A\x87\x0A\x21\xD3\x12\x38\x34\x6C\x8D\x00\x6E\x5A\xA0\xD9\x42\xEE\x1A\x21\x95\xF9\x52\x4C\x55\x5A\xC5\x0F\x38\x4F\x46\xFA\x6D\xF8\x2E\x35\xD6\x1D\x7C\xEB\xE2\xF0\xB0\x75\x80\xC8\xA9\x13\xAC\xBE\x88\xEF\x3A\x6E\xAB\x5F\x2A\x38\x62\x02\xB0\x12\x7B\xFE\x8F\xA6\x03\x02\x03\x01\x00\x01\xA3\x66\x30\x64\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x4A\x78\x32\x52\x11\xDB\x59\x16\x36\x5E\xDF\xC1\x14\x36\x40\x6A\x47\x7C\x4C\xA1\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4A\x78\x32\x52\x11\xDB\x59\x16\x36\x5E\xDF\xC1\x14\x36\x40\x6A\x47\x7C\x4C\xA1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x75\x5B\xA8\x9B\x03\x11\xE6\xE9\x56\x4C\xCD\xF9\xA9\x4C\xC0\x0D\x9A\xF3\xCC\x65\x69\xE6\x25\x76\xCC\x59\xB7\xD6\x54\xC3\x1D\xCD\x99\xAC\x19\xDD\xB4\x85\xD5\xE0\x3D\xFC\x62\x20\xA7\x84\x4B\x58\x65\xF1\xE2\xF9\x95\x21\x3F\xF5\xD4\x7E\x58\x1E\x47\x87\x54\x3E\x58\xA1\xB5\xB5\xF8\x2A\xEF\x71\xE7\xBC\xC3\xF6\xB1\x49\x46\xE2\xD7\xA0\x6B\xE5\x56\x7A\x9A\x27\x98\x7C\x46\x62\x14\xE7\xC9\xFC\x6E\x03\x12\x79\x80\x38\x1D\x48\x82\x8D\xFC\x17\xFE\x2A\x96\x2B\xB5\x62\xA6\xA6\x3D\xBD\x7F\x92\x59\xCD\x5A\x2A\x82\xB2\x37\x79",
+	["OU=Equifax Secure eBusiness CA-2,O=Equifax Secure,C=US"] = "\x30\x82\x03\x20\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x04\x37\x70\xCF\xB5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x32\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x33\x31\x32\x31\x34\x34\x35\x5A\x17\x0D\x31\x39\x30\x36\x32\x33\x31\x32\x31\x34\x34\x35\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x32\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xE4\x39\x39\x93\x1E\x52\x06\x1B\x28\x36\xF8\xB2\xA3\x29\xC5\xED\x8E\xB2\x11\xBD\xFE\xEB\xE7\xB4\x74\xC2\x8F\xFF\x05\xE7\xD9\x9D\x06\xBF\x12\xC8\x3F\x0E\xF2\xD6\xD1\x24\xB2\x11\xDE\xD1\x73\x09\x8A\xD4\xB1\x2C\x98\x09\x0D\x1E\x50\x46\xB2\x83\xA6\x45\x8D\x62\x68\xBB\x85\x1B\x20\x70\x32\xAA\x40\xCD\xA6\x96\x5F\xC4\x71\x37\x3F\x04\xF3\xB7\x41\x24\x39\x07\x1A\x1E\x2E\x61\x58\xA0\x12\x0B\xE5\xA5\xDF\xC5\xAB\xEA\x37\x71\xCC\x1C\xC8\x37\x3A\xB9\x97\x52\xA7\xAC\xC5\x6A\x24\x94\x4E\x9C\x7B\xCF\xC0\x6A\xD6\xDF\x21\xBD\x02\x03\x01\x00\x01\xA3\x82\x01\x09\x30\x82\x01\x05\x30\x70\x06\x03\x55\x1D\x1F\x04\x69\x30\x67\x30\x65\xA0\x63\xA0\x61\xA4\x5F\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x32\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x1A\x06\x03\x55\x1D\x10\x04\x13\x30\x11\x81\x0F\x32\x30\x31\x39\x30\x36\x32\x33\x31\x32\x31\x34\x34\x35\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x50\x9E\x0B\xEA\xAF\x5E\xB9\x20\x48\xA6\x50\x6A\xCB\xFD\xD8\x20\x7A\xA7\x82\x76\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x50\x9E\x0B\xEA\xAF\x5E\xB9\x20\x48\xA6\x50\x6A\xCB\xFD\xD8\x20\x7A\xA7\x82\x76\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x1A\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0D\x30\x0B\x1B\x05\x56\x33\x2E\x30\x63\x03\x02\x06\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x0C\x86\x82\xAD\xE8\x4E\x1A\xF5\x8E\x89\x27\xE2\x35\x58\x3D\x29\xB4\x07\x8F\x36\x50\x95\xBF\x6E\xC1\x9E\xEB\xC4\x90\xB2\x85\xA8\xBB\xB7\x42\xE0\x0F\x07\x39\xDF\xFB\x9E\x90\xB2\xD1\xC1\x3E\x53\x9F\x03\x44\xB0\x7E\x4B\xF4\x6F\xE4\x7C\x1F\xE7\xE2\xB1\xE4\xB8\x9A\xEF\xC3\xBD\xCE\xDE\x0B\x32\x34\xD9\xDE\x28\xED\x33\x6B\xC4\xD4\xD7\x3D\x12\x58\xAB\x7D\x09\x2D\xCB\x70\xF5\x13\x8A\x94\xA1\x27\xA4\xD6\x70\xC5\x6D\x94\xB5\xC9\x7D\x9D\xA0\xD2\xC6\x08\x49\xD9\x66\x9B\xA6\xD3\xF4\x0B\xDC\xC5\x26\x57\xE1\x91\x30\xEA\xCD",
+	["CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x18\x30\x82\x03\x00\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x96\x96\xD4\x21\x49\x60\xE2\x6B\xE8\x41\x07\x0C\xDE\xC4\xE0\xDC\x13\x23\xCD\xC1\x35\xC7\xFB\xD6\x4E\x11\x0A\x67\x5E\xF5\x06\x5B\x6B\xA5\x08\x3B\x5B\x29\x16\x3A\xE7\x87\xB2\x34\x06\xC5\xBC\x05\xA5\x03\x7C\x82\xCB\x29\x10\xAE\xE1\x88\x81\xBD\xD6\x9E\xD3\xFE\x2D\x56\xC1\x15\xCE\xE3\x26\x9D\x15\x2E\x10\xFB\x06\x8F\x30\x04\xDE\xA7\xB4\x63\xB4\xFF\xB1\x9C\xAE\x3C\xAF\x77\xB6\x56\xC5\xB5\xAB\xA2\xE9\x69\x3A\x3D\x0E\x33\x79\x32\x3F\x70\x82\x92\x99\x61\x6D\x8D\x30\x08\x8F\x71\x3F\xA6\x48\x57\x19\xF8\x25\xDC\x4B\x66\x5C\xA5\x74\x8F\x98\xAE\xC8\xF9\xC0\x06\x22\xE7\xAC\x73\xDF\xA5\x2E\xFB\x52\xDC\xB1\x15\x65\x20\xFA\x35\x66\x69\xDE\xDF\x2C\xF1\x6E\xBC\x30\xDB\x2C\x24\x12\xDB\xEB\x35\x35\x68\x90\xCB\x00\xB0\x97\x21\x3D\x74\x21\x23\x65\x34\x2B\xBB\x78\x59\xA3\xD6\xE1\x76\x39\x9A\xA4\x49\x8E\x8C\x74\xAF\x6E\xA4\x9A\xA3\xD9\x9B\xD2\x38\x5C\x9B\xA2\x18\xCC\x75\x23\x84\xBE\xEB\xE2\x4D\x33\x71\x8E\x1A\xF0\xC2\xF8\xC7\x1D\xA2\xAD\x03\x97\x2C\xF8\xCF\x25\xC6\xF6\xB8\x24\x31\xB1\x63\x5D\x92\x7F\x63\xF0\x25\xC9\x53\x2E\x1F\xBF\x4D\x02\x03\x01\x00\x01\xA3\x81\xD2\x30\x81\xCF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8F\x06\x03\x55\x1D\x23\x04\x81\x87\x30\x81\x84\x80\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\xA1\x69\xA4\x67\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x2C\x6D\x64\x1B\x1F\xCD\x0D\xDD\xB9\x01\xFA\x96\x63\x34\x32\x48\x47\x99\xAE\x97\xED\xFD\x72\x16\xA6\x73\x47\x5A\xF4\xEB\xDD\xE9\xF5\xD6\xFB\x45\xCC\x29\x89\x44\x5D\xBF\x46\x39\x3D\xE8\xEE\xBC\x4D\x54\x86\x1E\x1D\x6C\xE3\x17\x27\x43\xE1\x89\x56\x2B\xA9\x6F\x72\x4E\x49\x33\xE3\x72\x7C\x2A\x23\x9A\xBC\x3E\xFF\x28\x2A\xED\xA3\xFF\x1C\x23\xBA\x43\x57\x09\x67\x4D\x4B\x62\x06\x2D\xF8\xFF\x6C\x9D\x60\x1E\xD8\x1C\x4B\x7D\xB5\x31\x2F\xD9\xD0\x7C\x5D\xF8\xDE\x6B\x83\x18\x78\x37\x57\x2F\xE8\x33\x07\x67\xDF\x1E\xC7\x6B\x2A\x95\x76\xAE\x8F\x57\xA3\xF0\xF4\x52\xB4\xA9\x53\x08\xCF\xE0\x4F\xD3\x7A\x53\x8B\xFD\xBB\x1C\x56\x36\xF2\xFE\xB2\xB6\xE5\x76\xBB\xD5\x22\x65\xA7\x3F\xFE\xD1\x66\xAD\x0B\xBC\x6B\x99\x86\xEF\x3F\x7D\xF3\x18\x32\xCA\x7B\xC6\xE3\xAB\x64\x46\x95\xF8\x26\x69\xD9\x55\x83\x7B\x2C\x96\x07\xFF\x59\x2C\x44\xA3\xC6\xE5\xE9\xA9\xDC\xA1\x63\x80\x5A\x21\x5E\x21\xCF\x53\x54\xF0\xBA\x6F\x89\xDB\xA8\xAA\x95\xCF\x8B\xE3\x71\xCC\x1E\x1B\x20\x44\x08\xC0\x7A\xB6\x40\xFD\xC4\xE4\x35\xE1\x1D\x16\x1C\xD0\xBC\x2B\x8E\xD6\x71\xD9",
+	["CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x36\x30\x82\x03\x1E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xF7\x1A\x33\xE6\xF2\x00\x04\x2D\x39\xE0\x4E\x5B\xED\x1F\xBC\x6C\x0F\xCD\xB5\xFA\x23\xB6\xCE\xDE\x9B\x11\x33\x97\xA4\x29\x4C\x7D\x93\x9F\xBD\x4A\xBC\x93\xED\x03\x1A\xE3\x8F\xCF\xE5\x6D\x50\x5A\xD6\x97\x29\x94\x5A\x80\xB0\x49\x7A\xDB\x2E\x95\xFD\xB8\xCA\xBF\x37\x38\x2D\x1E\x3E\x91\x41\xAD\x70\x56\xC7\xF0\x4F\x3F\xE8\x32\x9E\x74\xCA\xC8\x90\x54\xE9\xC6\x5F\x0F\x78\x9D\x9A\x40\x3C\x0E\xAC\x61\xAA\x5E\x14\x8F\x9E\x87\xA1\x6A\x50\xDC\xD7\x9A\x4E\xAF\x05\xB3\xA6\x71\x94\x9C\x71\xB3\x50\x60\x0A\xC7\x13\x9D\x38\x07\x86\x02\xA8\xE9\xA8\x69\x26\x18\x90\xAB\x4C\xB0\x4F\x23\xAB\x3A\x4F\x84\xD8\xDF\xCE\x9F\xE1\x69\x6F\xBB\xD7\x42\xD7\x6B\x44\xE4\xC7\xAD\xEE\x6D\x41\x5F\x72\x5A\x71\x08\x37\xB3\x79\x65\xA4\x59\xA0\x94\x37\xF7\x00\x2F\x0D\xC2\x92\x72\xDA\xD0\x38\x72\xDB\x14\xA8\x45\xC4\x5D\x2A\x7D\xB7\xB4\xD6\xC4\xEE\xAC\xCD\x13\x44\xB7\xC9\x2B\xDD\x43\x00\x25\xFA\x61\xB9\x69\x6A\x58\x23\x11\xB7\xA7\x33\x8F\x56\x75\x59\xF5\xCD\x29\xD7\x46\xB7\x0A\x2B\x65\xB6\xD3\x42\x6F\x15\xB2\xB8\x7B\xFB\xEF\xE9\x5D\x53\xD5\x34\x5A\x27\x02\x03\x01\x00\x01\xA3\x81\xDC\x30\x81\xD9\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x99\x06\x03\x55\x1D\x23\x04\x81\x91\x30\x81\x8E\x80\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\xA1\x73\xA4\x71\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB0\x9B\xE0\x85\x25\xC2\xD6\x23\xE2\x0F\x96\x06\x92\x9D\x41\x98\x9C\xD9\x84\x79\x81\xD9\x1E\x5B\x14\x07\x23\x36\x65\x8F\xB0\xD8\x77\xBB\xAC\x41\x6C\x47\x60\x83\x51\xB0\xF9\x32\x3D\xE7\xFC\xF6\x26\x13\xC7\x80\x16\xA5\xBF\x5A\xFC\x87\xCF\x78\x79\x89\x21\x9A\xE2\x4C\x07\x0A\x86\x35\xBC\xF2\xDE\x51\xC4\xD2\x96\xB7\xDC\x7E\x4E\xEE\x70\xFD\x1C\x39\xEB\x0C\x02\x51\x14\x2D\x8E\xBD\x16\xE0\xC1\xDF\x46\x75\xE7\x24\xAD\xEC\xF4\x42\xB4\x85\x93\x70\x10\x67\xBA\x9D\x06\x35\x4A\x18\xD3\x2B\x7A\xCC\x51\x42\xA1\x7A\x63\xD1\xE6\xBB\xA1\xC5\x2B\xC2\x36\xBE\x13\x0D\xE6\xBD\x63\x7E\x79\x7B\xA7\x09\x0D\x40\xAB\x6A\xDD\x8F\x8A\xC3\xF6\xF6\x8C\x1A\x42\x05\x51\xD4\x45\xF5\x9F\xA7\x62\x21\x68\x15\x20\x43\x3C\x99\xE7\x7C\xBD\x24\xD8\xA9\x91\x17\x73\x88\x3F\x56\x1B\x31\x38\x18\xB4\x71\x0F\x9A\xCD\xC8\x0E\x9E\x8E\x2E\x1B\xE1\x8C\x98\x83\xCB\x1F\x31\xF1\x44\x4C\xC6\x04\x73\x49\x76\x60\x0F\xC7\xF8\xBD\x17\x80\x6B\x2E\xE9\xCC\x4C\x0E\x5A\x9A\x79\x0F\x20\x0A\x2E\xD5\x9E\x63\x26\x1E\x55\x92\x94\xD8\x82\x17\x5A\x7B\xD0\xBC\xC7\x8F\x4E\x86\x04",
+	["CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\x1A\x30\x8F\x83\x88\x14\xC1\x20\xD8\x3C\x9B\x8F\x1B\x7E\x03\x74\xBB\xDA\x69\xD3\x46\xA5\xF8\x8E\xC2\x0C\x11\x90\x51\xA5\x2F\x66\x54\x40\x55\xEA\xDB\x1F\x4A\x56\xEE\x9F\x23\x6E\xF4\x39\xCB\xA1\xB9\x6F\xF2\x7E\xF9\x5D\x87\x26\x61\x9E\x1C\xF8\xE2\xEC\xA6\x81\xF8\x21\xC5\x24\xCC\x11\x0C\x3F\xDB\x26\x72\x7A\xC7\x01\x97\x07\x17\xF9\xD7\x18\x2C\x30\x7D\x0E\x7A\x1E\x62\x1E\xC6\x4B\xC0\xFD\x7D\x62\x77\xD3\x44\x1E\x27\xF6\x3F\x4B\x44\xB3\xB7\x38\xD9\x39\x1F\x60\xD5\x51\x92\x73\x03\xB4\x00\x69\xE3\xF3\x14\x4E\xEE\xD1\xDC\x09\xCF\x77\x34\x46\x50\xB0\xF8\x11\xF2\xFE\x38\x79\xF7\x07\x39\xFE\x51\x92\x97\x0B\x5B\x08\x5F\x34\x86\x01\xAD\x88\x97\xEB\x66\xCD\x5E\xD1\xFF\xDC\x7D\xF2\x84\xDA\xBA\x77\xAD\xDC\x80\x08\xC7\xA7\x87\xD6\x55\x9F\x97\x6A\xE8\xC8\x11\x64\xBA\xE7\x19\x29\x3F\x11\xB3\x78\x90\x84\x20\x52\x5B\x11\xEF\x78\xD0\x83\xF6\xD5\x48\x90\xD0\x30\x1C\xCF\x80\xF9\x60\xFE\x79\xE4\x88\xF2\xDD\x00\xEB\x94\x45\xEB\x65\x94\x69\x40\xBA\xC0\xD5\xB4\xB8\xBA\x7D\x04\x11\xA8\xEB\x31\x05\x96\x94\x4E\x58\x21\x8E\x9F\xD0\x60\xFD\x02\x03\x01\x00\x01\xA3\x81\xD1\x30\x81\xCE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8E\x06\x03\x55\x1D\x23\x04\x81\x86\x30\x81\x83\x80\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\xA1\x68\xA4\x66\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\x15\x4A\xF8\x24\xDA\x23\x56\x16\x93\x76\xDD\x36\x28\xB9\xAE\x1B\xB8\xC3\xF1\x64\xBA\x20\x18\x78\x95\x29\x27\x57\x05\xBC\x7C\x2A\xF4\xB9\x51\x55\xDA\x87\x02\xDE\x0F\x16\x17\x31\xF8\xAA\x79\x2E\x09\x13\xBB\xAF\xB2\x20\x19\x12\xE5\x93\xF9\x4B\xF9\x83\xE8\x44\xD5\xB2\x41\x25\xBF\x88\x75\x6F\xFF\x10\xFC\x4A\x54\xD0\x5F\xF0\xFA\xEF\x36\x73\x7D\x1B\x36\x45\xC6\x21\x6D\xB4\x15\xB8\x4E\xCF\x9C\x5C\xA5\x3D\x5A\x00\x8E\x06\xE3\x3C\x6B\x32\x7B\xF2\x9F\xF0\xB6\xFD\xDF\xF0\x28\x18\x48\xF0\xC6\xBC\xD0\xBF\x34\x80\x96\xC2\x4A\xB1\x6D\x8E\xC7\x90\x45\xDE\x2F\x67\xAC\x45\x04\xA3\x7A\xDC\x55\x92\xC9\x47\x66\xD8\x1A\x8C\xC7\xED\x9C\x4E\x9A\xE0\x12\xBB\xB5\x6A\x4C\x84\xE1\xE1\x22\x0D\x87\x00\x64\xFE\x8C\x7D\x62\x39\x65\xA6\xEF\x42\xB6\x80\x25\x12\x61\x01\xA8\x24\x13\x70\x00\x11\x26\x5F\xFA\x35\x50\xC5\x48\xCC\x06\x47\xE8\x27\xD8\x70\x8D\x5F\x64\xE6\xA1\x44\x26\x5E\x22\xEC\x92\xCD\xFF\x42\x9A\x44\x21\x6D\x5C\xC5\xE3\x22\x1D\x5F\x47\x12\xE7\xCE\x5F\x5D\xFA\xD8\xAA\xB1\x33\x2D\xD9\x76\xF2\x4E\x3A\x33\x0C\x2B\xB3\x2D\x90\x06",
+	["CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x1E\x30\x82\x03\x06\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\x1E\x9A\xFE\xDC\x09\x5A\x87\xA4\x9F\x47\xBE\x11\x5F\xAF\x84\x34\xDB\x62\x3C\x79\x78\xB7\xE9\x30\xB5\xEC\x0C\x1C\x2A\xC4\x16\xFF\xE0\xEC\x71\xEB\x8A\xF5\x11\x6E\xED\x4F\x0D\x91\xD2\x12\x18\x2D\x49\x15\x01\xC2\xA4\x22\x13\xC7\x11\x64\xFF\x22\x12\x9A\xB9\x8E\x5C\x2F\x08\xCF\x71\x6A\xB3\x67\x01\x59\xF1\x5D\x46\xF3\xB0\x78\xA5\xF6\x0E\x42\x7A\xE3\x7F\x1B\xCC\xD0\xF0\xB7\x28\xFD\x2A\xEA\x9E\xB3\xB0\xB9\x04\xAA\xFD\xF6\xC7\xB4\xB1\xB8\x2A\xA0\xFB\x58\xF1\x19\xA0\x6F\x70\x25\x7E\x3E\x69\x4A\x7F\x0F\x22\xD8\xEF\xAD\x08\x11\x9A\x29\x99\xE1\xAA\x44\x45\x9A\x12\x5E\x3E\x9D\x6D\x52\xFC\xE7\xA0\x3D\x68\x2F\xF0\x4B\x70\x7C\x13\x38\xAD\xBC\x15\x25\xF1\xD6\xCE\xAB\xA2\xC0\x31\xD6\x2F\x9F\xE0\xFF\x14\x59\xFC\x84\x93\xD9\x87\x7C\x4C\x54\x13\xEB\x9F\xD1\x2D\x11\xF8\x18\x3A\x3A\xDE\x25\xD9\xF7\xD3\x40\xED\xA4\x06\x12\xC4\x3B\xE1\x91\xC1\x56\x35\xF0\x14\xDC\x65\x36\x09\x6E\xAB\xA4\x07\xC7\x35\xD1\xC2\x03\x33\x36\x5B\x75\x26\x6D\x42\xF1\x12\x6B\x43\x6F\x4B\x71\x94\xFA\x34\x1D\xED\x13\x6E\xCA\x80\x7F\x98\x2F\x6C\xB9\x65\xD8\xE9\x02\x03\x01\x00\x01\xA3\x81\xD4\x30\x81\xD1\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x91\x06\x03\x55\x1D\x23\x04\x81\x89\x30\x81\x86\x80\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\xA1\x6B\xA4\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x19\xAB\x75\xEA\xF8\x8B\x65\x61\x95\x13\xBA\x69\x04\xEF\x86\xCA\x13\xA0\xC7\xAA\x4F\x64\x1B\x3F\x18\xF6\xA8\x2D\x2C\x55\x8F\x05\xB7\x30\xEA\x42\x6A\x1D\xC0\x25\x51\x2D\xA7\xBF\x0C\xB3\xED\xEF\x08\x7F\x6C\x3C\x46\x1A\xEA\x18\x43\xDF\x76\xCC\xF9\x66\x86\x9C\x2C\x68\xF5\xE9\x17\xF8\x31\xB3\x18\xC4\xD6\x48\x7D\x23\x4C\x68\xC1\x7E\xBB\x01\x14\x6F\xC5\xD9\x6E\xDE\xBB\x04\x42\x6A\xF8\xF6\x5C\x7D\xE5\xDA\xFA\x87\xEB\x0D\x35\x52\x67\xD0\x9E\x97\x76\x05\x93\x3F\x95\xC7\x01\xE6\x69\x55\x38\x7F\x10\x61\x99\xC9\xE3\x5F\xA6\xCA\x3E\x82\x63\x48\xAA\xE2\x08\x48\x3E\xAA\xF2\xB2\x85\x62\xA6\xB4\xA7\xD9\xBD\x37\x9C\x68\xB5\x2D\x56\x7D\xB0\xB7\x3F\xA0\xB1\x07\xD6\xE9\x4F\xDC\xDE\x45\x71\x30\x32\x7F\x1B\x2E\x09\xF9\xBF\x52\xA1\xEE\xC2\x80\x3E\x06\x5C\x2E\x55\x40\xC1\x1B\xF5\x70\x45\xB0\xDC\x5D\xFA\xF6\x72\x5A\x77\xD2\x63\xCD\xCF\x58\x89\x00\x42\x63\x3F\x79\x39\xD0\x44\xB0\x82\x6E\x41\x19\xE8\xDD\xE0\xC1\x88\x5A\xD1\x1E\x71\x93\x1F\x24\x30\x74\xE5\x1E\xA8\xDE\x3C\x27\x37\x7F\x83\xAE\x9E\x77\xCF\xF0\x30\xB1\xFF\x4B\x99\xE8\xC6\xA1",
+	["CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\, Inc.,C=US"] = "\x30\x82\x04\x91\x30\x82\x03\x79\xA0\x03\x02\x01\x02\x02\x04\x45\x6B\x50\x54\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x79\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x17\x0D\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x79\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB6\x95\xB6\x43\x42\xFA\xC6\x6D\x2A\x6F\x48\xDF\x94\x4C\x39\x57\x05\xEE\xC3\x79\x11\x41\x68\x36\xED\xEC\xFE\x9A\x01\x8F\xA1\x38\x28\xFC\xF7\x10\x46\x66\x2E\x4D\x1E\x1A\xB1\x1A\x4E\xC6\xD1\xC0\x95\x88\xB0\xC9\xFF\x31\x8B\x33\x03\xDB\xB7\x83\x7B\x3E\x20\x84\x5E\xED\xB2\x56\x28\xA7\xF8\xE0\xB9\x40\x71\x37\xC5\xCB\x47\x0E\x97\x2A\x68\xC0\x22\x95\x62\x15\xDB\x47\xD9\xF5\xD0\x2B\xFF\x82\x4B\xC9\xAD\x3E\xDE\x4C\xDB\x90\x80\x50\x3F\x09\x8A\x84\x00\xEC\x30\x0A\x3D\x18\xCD\xFB\xFD\x2A\x59\x9A\x23\x95\x17\x2C\x45\x9E\x1F\x6E\x43\x79\x6D\x0C\x5C\x98\xFE\x48\xA7\xC5\x23\x47\x5C\x5E\xFD\x6E\xE7\x1E\xB4\xF6\x68\x45\xD1\x86\x83\x5B\xA2\x8A\x8D\xB1\xE3\x29\x80\xFE\x25\x71\x88\xAD\xBE\xBC\x8F\xAC\x52\x96\x4B\xAA\x51\x8D\xE4\x13\x31\x19\xE8\x4E\x4D\x9F\xDB\xAC\xB3\x6A\xD5\xBC\x39\x54\x71\xCA\x7A\x7A\x7F\x90\xDD\x7D\x1D\x80\xD9\x81\xBB\x59\x26\xC2\x11\xFE\xE6\x93\xE2\xF7\x80\xE4\x65\xFB\x34\x37\x0E\x29\x80\x70\x4D\xAF\x38\x86\x2E\x9E\x7F\x57\xAF\x9E\x17\xAE\xEB\x1C\xCB\x28\x21\x5F\xB6\x1C\xD8\xE7\xA2\x04\x22\xF9\xD3\xDA\xD8\xCB\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x81\x0F\x32\x30\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xBD\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xBD\x6D\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x37\x2E\x31\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x93\xD4\x30\xB0\xD7\x03\x20\x2A\xD0\xF9\x63\xE8\x91\x0C\x05\x20\xA9\x5F\x19\xCA\x7B\x72\x4E\xD4\xB1\xDB\xD0\x96\xFB\x54\x5A\x19\x2C\x0C\x08\xF7\xB2\xBC\x85\xA8\x9D\x7F\x6D\x3B\x52\xB3\x2A\xDB\xE7\xD4\x84\x8C\x63\xF6\x0F\xCB\x26\x01\x91\x50\x6C\xF4\x5F\x14\xE2\x93\x74\xC0\x13\x9E\x30\x3A\x50\xE3\xB4\x60\xC5\x1C\xF0\x22\x44\x8D\x71\x47\xAC\xC8\x1A\xC9\xE9\x9B\x9A\x00\x60\x13\xFF\x70\x7E\x5F\x11\x4D\x49\x1B\xB3\x15\x52\x7B\xC9\x54\xDA\xBF\x9D\x95\xAF\x6B\x9A\xD8\x9E\xE9\xF1\xE4\x43\x8D\xE2\x11\x44\x3A\xBF\xAF\xBD\x83\x42\x73\x52\x8B\xAA\xBB\xA7\x29\xCF\xF5\x64\x1C\x0A\x4D\xD1\xBC\xAA\xAC\x9F\x2A\xD0\xFF\x7F\x7F\xDA\x7D\xEA\xB1\xED\x30\x25\xC1\x84\xDA\x34\xD2\x5B\x78\x83\x56\xEC\x9C\x36\xC3\x26\xE2\x11\xF6\x67\x49\x1D\x92\xAB\x8C\xFB\xEB\xFF\x7A\xEE\x85\x4A\xA7\x50\x80\xF0\xA7\x5C\x4A\x94\x2E\x5F\x05\x99\x3C\x52\x41\xE0\xCD\xB4\x63\xCF\x01\x43\xBA\x9C\x83\xDC\x8F\x60\x3B\xF3\x5A\xB4\xB4\x7B\xAE\xDA\x0B\x90\x38\x75\xEF\x81\x1D\x66\xD2\xF7\x57\x70\x36\xB3\xBF\xFC\x28\xAF\x71\x25\x85\x5B\x13\xFE\x1E\x7F\x5A\xB4\x3C",
+	["OU=RSA Security 2048 V3,O=RSA Security Inc"] = "\x30\x82\x03\x61\x30\x82\x02\x49\xA0\x03\x02\x01\x02\x02\x10\x0A\x01\x01\x01\x00\x00\x02\x7C\x00\x00\x00\x0A\x00\x00\x00\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x1E\x17\x0D\x30\x31\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x17\x0D\x32\x36\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x8F\x55\x71\xD2\x80\xDD\x7B\x69\x79\xA7\xF0\x18\x50\x32\x3C\x62\x67\xF6\x0A\x95\x07\xDD\xE6\x1B\xF3\x9E\xD9\xD2\x41\x54\x6B\xAD\x9F\x7C\xBE\x19\xCD\xFB\x46\xAB\x41\x68\x1E\x18\xEA\x55\xC8\x2F\x91\x78\x89\x28\xFB\x27\x29\x60\xFF\xDF\x8F\x8C\x3B\xC9\x49\x9B\xB5\xA4\x94\xCE\x01\xEA\x3E\xB5\x63\x7B\x7F\x26\xFD\x19\xDD\xC0\x21\xBD\x84\xD1\x2D\x4F\x46\xC3\x4E\xDC\xD8\x37\x39\x3B\x28\xAF\xCB\x9D\x1A\xEA\x2B\xAF\x21\xA5\xC1\x23\x22\xB8\xB8\x1B\x5A\x13\x87\x57\x83\xD1\xF0\x20\xE7\xE8\x4F\x23\x42\xB0\x00\xA5\x7D\x89\xE9\xE9\x61\x73\x94\x98\x71\x26\xBC\x2D\x6A\xE0\xF7\x4D\xF0\xF1\xB6\x2A\x38\x31\x81\x0D\x29\xE1\x00\xC1\x51\x0F\x4C\x52\xF8\x04\x5A\xAA\x7D\x72\xD3\xB8\x87\x2A\xBB\x63\x10\x03\x2A\xB3\xA1\x4F\x0D\x5A\x5E\x46\xB7\x3D\x0E\xF5\x74\xEC\x99\x9F\xF9\x3D\x24\x81\x88\xA6\xDD\x60\x54\xE8\x95\x36\x3D\xC6\x09\x93\x9A\xA3\x12\x80\x00\x55\x99\x19\x47\xBD\xD0\xA5\x7C\xC3\xBA\xFB\x1F\xF7\xF5\x0F\xF8\xAC\xB9\xB5\xF4\x37\x98\x13\x18\xDE\x85\x5B\xB7\x0C\x82\x3B\x87\x6F\x95\x39\x58\x30\xDA\x6E\x01\x68\x17\x22\xCC\xC0\x0B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\x3E\x86\x76\x6E\xB8\x35\x3C\x4E\x36\x1C\x1E\x79\x98\xBF\xFD\xD5\x12\x11\x79\x52\x0E\xEE\x31\x89\xBC\xDD\x7F\xF9\xD1\xC6\x15\x21\xE8\x8A\x01\x54\x0D\x3A\xFB\x54\xB9\xD6\x63\xD4\xB1\xAA\x96\x4D\xA2\x42\x4D\xD4\x53\x1F\x8B\x10\xDE\x7F\x65\xBE\x60\x13\x27\x71\x88\xA4\x73\xE3\x84\x63\xD1\xA4\x55\xE1\x50\x93\xE6\x1B\x0E\x79\xD0\x67\xBC\x46\xC8\xBF\x3F\x17\x0D\x95\xE6\xC6\x90\x69\xDE\xE7\xB4\x2F\xDE\x95\x7D\xD0\x12\x3F\x3D\x3E\x7F\x4D\x3F\x14\x68\xF5\x11\x50\xD5\xC1\xF4\x90\xA5\x08\x1D\x31\x60\xFF\x60\x8C\x23\x54\x0A\xAF\xFE\xA1\x6E\xC5\xD1\x7A\x2A\x68\x78\xCF\x1E\x82\x0A\x20\xB4\x1F\xAD\xE5\x85\xB2\x6A\x68\x75\x4E\xAD\x25\x37\x94\x85\xBE\xBD\xA1\xD4\xEA\xB7\x0C\x4B\x3C\x9D\xE8\x12\x00\xF0\x5F\xAC\x0D\xE1\xAC\x70\x63\x73\xF7\x7F\x79\x9F\x32\x25\x42\x74\x05\x80\x28\xBF\xBD\xC1\x24\x96\x58\x15\xB1\x17\x21\xE9\x89\x4B\xDB\x07\x88\x67\xF4\x15\xAD\x70\x3E\x2F\x4D\x85\x3B\xC2\xB7\xDB\xFE\x98\x68\x23\x89\xE1\x74\x0F\xDE\xF4\xC5\x84\x63\x29\x1B\xCC\xCB\x07\xC9\x00\xA4\xA9\xD7\xC2\x22\x4F\x67\xD7\x77\xEC\x20\x05\x61\xDE",
+	["CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\x54\x30\x82\x02\x3C\xA0\x03\x02\x01\x02\x02\x03\x02\x34\x56\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\xCC\x18\x63\x30\xFD\xF4\x17\x23\x1A\x56\x7E\x5B\xDF\x3C\x6C\x38\xE4\x71\xB7\x78\x91\xD4\xBC\xA1\xD8\x4C\xF8\xA8\x43\xB6\x03\xE9\x4D\x21\x07\x08\x88\xDA\x58\x2F\x66\x39\x29\xBD\x05\x78\x8B\x9D\x38\xE8\x05\xB7\x6A\x7E\x71\xA4\xE6\xC4\x60\xA6\xB0\xEF\x80\xE4\x89\x28\x0F\x9E\x25\xD6\xED\x83\xF3\xAD\xA6\x91\xC7\x98\xC9\x42\x18\x35\x14\x9D\xAD\x98\x46\x92\x2E\x4F\xCA\xF1\x87\x43\xC1\x16\x95\x57\x2D\x50\xEF\x89\x2D\x80\x7A\x57\xAD\xF2\xEE\x5F\x6B\xD2\x00\x8D\xB9\x14\xF8\x14\x15\x35\xD9\xC0\x46\xA3\x7B\x72\xC8\x91\xBF\xC9\x55\x2B\xCD\xD0\x97\x3E\x9C\x26\x64\xCC\xDF\xCE\x83\x19\x71\xCA\x4E\xE6\xD4\xD5\x7B\xA9\x19\xCD\x55\xDE\xC8\xEC\xD2\x5E\x38\x53\xE5\x5C\x4F\x8C\x2D\xFE\x50\x23\x36\xFC\x66\xE6\xCB\x8E\xA4\x39\x19\x00\xB7\x95\x02\x39\x91\x0B\x0E\xFE\x38\x2E\xD1\x1D\x05\x9A\xF6\x4D\x3E\x6F\x0F\x07\x1D\xAF\x2C\x1E\x8F\x60\x39\xE2\xFA\x36\x53\x13\x39\xD4\x5E\x26\x2B\xDB\x3D\xA8\x14\xBD\x32\xEB\x18\x03\x28\x52\x04\x71\xE5\xAB\x33\x3D\xE1\x38\xBB\x07\x36\x84\x62\x9C\x79\xEA\x16\x30\xF4\x5F\xC0\x2B\xE8\x71\x6B\xE4\xF9\x02\x03\x01\x00\x01\xA3\x53\x30\x51\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x35\xE3\x29\x6A\xE5\x2F\x5D\x54\x8E\x29\x50\x94\x9F\x99\x1A\x14\xE4\x8F\x78\x2A\x62\x94\xA2\x27\x67\x9E\xD0\xCF\x1A\x5E\x47\xE9\xC1\xB2\xA4\xCF\xDD\x41\x1A\x05\x4E\x9B\x4B\xEE\x4A\x6F\x55\x52\xB3\x24\xA1\x37\x0A\xEB\x64\x76\x2A\x2E\x2C\xF3\xFD\x3B\x75\x90\xBF\xFA\x71\xD8\xC7\x3D\x37\xD2\xB5\x05\x95\x62\xB9\xA6\xDE\x89\x3D\x36\x7B\x38\x77\x48\x97\xAC\xA6\x20\x8F\x2E\xA6\xC9\x0C\xC2\xB2\x99\x45\x00\xC7\xCE\x11\x51\x22\x22\xE0\xA5\xEA\xB6\x15\x48\x09\x64\xEA\x5E\x4F\x74\xF7\x05\x3E\xC7\x8A\x52\x0C\xDB\x15\xB4\xBD\x6D\x9B\xE5\xC6\xB1\x54\x68\xA9\xE3\x69\x90\xB6\x9A\xA5\x0F\xB8\xB9\x3F\x20\x7D\xAE\x4A\xB5\xB8\x9C\xE4\x1D\xB6\xAB\xE6\x94\xA5\xC1\xC7\x83\xAD\xDB\xF5\x27\x87\x0E\x04\x6C\xD5\xFF\xDD\xA0\x5D\xED\x87\x52\xB7\x2B\x15\x02\xAE\x39\xA6\x6A\x74\xE9\xDA\xC4\xE7\xBC\x4D\x34\x1E\xA9\x5C\x4D\x33\x5F\x92\x09\x2F\x88\x66\x5D\x77\x97\xC7\x1D\x76\x13\xA9\xD5\xE5\xF1\x16\x09\x11\x35\xD5\xAC\xDB\x24\x71\x70\x2C\x98\x56\x0B\xD9\x17\xB4\xD1\xE3\x51\x2B\x5E\x75\xE8\xD5\xD0\xDC\x4F\x34\xED\xC2\x05\x66\x80\xA1\xCB\xE6\x33",
+	["CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\x66\x30\x82\x02\x4E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEF\x3C\x4D\x40\x3D\x10\xDF\x3B\x53\x00\xE1\x67\xFE\x94\x60\x15\x3E\x85\x88\xF1\x89\x0D\x90\xC8\x28\x23\x99\x05\xE8\x2B\x20\x9D\xC6\xF3\x60\x46\xD8\xC1\xB2\xD5\x8C\x31\xD9\xDC\x20\x79\x24\x81\xBF\x35\x32\xFC\x63\x69\xDB\xB1\x2A\x6B\xEE\x21\x58\xF2\x08\xE9\x78\xCB\x6F\xCB\xFC\x16\x52\xC8\x91\xC4\xFF\x3D\x73\xDE\xB1\x3E\xA7\xC2\x7D\x66\xC1\xF5\x7E\x52\x24\x1A\xE2\xD5\x67\x91\xD0\x82\x10\xD7\x78\x4B\x4F\x2B\x42\x39\xBD\x64\x2D\x40\xA0\xB0\x10\xD3\x38\x48\x46\x88\xA1\x0C\xBB\x3A\x33\x2A\x62\x98\xFB\x00\x9D\x13\x59\x7F\x6F\x3B\x72\xAA\xEE\xA6\x0F\x86\xF9\x05\x61\xEA\x67\x7F\x0C\x37\x96\x8B\xE6\x69\x16\x47\x11\xC2\x27\x59\x03\xB3\xA6\x60\xC2\x21\x40\x56\xFA\xA0\xC7\x7D\x3A\x13\xE3\xEC\x57\xC7\xB3\xD6\xAE\x9D\x89\x80\xF7\x01\xE7\x2C\xF6\x96\x2B\x13\x0D\x79\x2C\xD9\xC0\xE4\x86\x7B\x4B\x8C\x0C\x72\x82\x8A\xFB\x17\xCD\x00\x6C\x3A\x13\x3C\xB0\x84\x87\x4B\x16\x7A\x29\xB2\x4F\xDB\x1D\xD4\x0B\xF3\x66\x37\xBD\xD8\xF6\x57\xBB\x5E\x24\x7A\xB8\x3C\x8B\xB9\xFA\x92\x1A\x1A\x84\x9E\xD8\x74\x8F\xAA\x1B\x7F\x5E\xF4\xFE\x45\x22\x21\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\xB5\x2B\xAB\x5D\x10\xFC\x7B\xB2\xB2\x5E\xAC\x9B\x0E\x7E\x53\x78\x59\x3E\x42\x04\xFE\x75\xA3\xAD\xAC\x81\x4E\xD7\x02\x8B\x5E\xC4\x2D\xC8\x52\x76\xC7\x2C\x1F\xFC\x81\x32\x98\xD1\x4B\xC6\x92\x93\x33\x35\x31\x2F\xFC\xD8\x1D\x44\xDD\xE0\x81\x7F\x9D\xE9\x8B\xE1\x64\x91\x62\x0B\x39\x08\x8C\xAC\x74\x9D\x59\xD9\x7A\x59\x52\x97\x11\xB9\x16\x7B\x6F\x45\xD3\x96\xD9\x31\x7D\x02\x36\x0F\x9C\x3B\x6E\xCF\x2C\x0D\x03\x46\x45\xEB\xA0\xF4\x7F\x48\x44\xC6\x08\x40\xCC\xDE\x1B\x70\xB5\x29\xAD\xBA\x8B\x3B\x34\x65\x75\x1B\x71\x21\x1D\x2C\x14\x0A\xB0\x96\x95\xB8\xD6\xEA\xF2\x65\xFB\x29\xBA\x4F\xEA\x91\x93\x74\x69\xB6\xF2\xFF\xE1\x1A\xD0\x0C\xD1\x76\x85\xCB\x8A\x25\xBD\x97\x5E\x2C\x6F\x15\x99\x26\xE7\xB6\x29\xFF\x22\xEC\xC9\x02\xC7\x56\x00\xCD\x49\xB9\xB3\x6C\x7B\x53\x04\x1A\xE2\xA8\xC9\xAA\x12\x05\x23\xC2\xCE\xE7\xBB\x04\x02\xCC\xC0\x47\xA2\xE4\xC4\x29\x2F\x5B\x45\x57\x89\x51\xEE\x3C\xEB\x52\x08\xFF\x07\x35\x1E\x9F\x35\x6A\x47\x4A\x56\x98\xD1\x5A\x85\x1F\x8C\xF5\x22\xBF\xAB\xCE\x83\xF3\xE2\x22\x29\xAE\x7D\x83\x40\xA8\xBA\x6C",
+	["CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US"] = "\x30\x82\x05\x68\x30\x82\x03\x50\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA6\x15\x55\xA0\xA3\xC6\xE0\x1F\x8C\x9D\x21\x50\xD7\xC1\xBE\x2B\x5B\xB5\xA4\x9E\xA1\xD9\x72\x58\xBD\x00\x1B\x4C\xBF\x61\xC9\x14\x1D\x45\x82\xAB\xC6\x1D\x80\xD6\x3D\xEB\x10\x9C\x3A\xAF\x6D\x24\xF8\xBC\x71\x01\x9E\x06\xF5\x7C\x5F\x1E\xC1\x0E\x55\xCA\x83\x9A\x59\x30\xAE\x19\xCB\x30\x48\x95\xED\x22\x37\x8D\xF4\x4A\x9A\x72\x66\x3E\xAD\x95\xC0\xE0\x16\x00\xE0\x10\x1F\x2B\x31\x0E\xD7\x94\x54\xD3\x42\x33\xA0\x34\x1D\x1E\x45\x76\xDD\x4F\xCA\x18\x37\xEC\x85\x15\x7A\x19\x08\xFC\xD5\xC7\x9C\xF0\xF2\xA9\x2E\x10\xA9\x92\xE6\x3D\x58\x3D\xA9\x16\x68\x3C\x2F\x75\x21\x18\x7F\x28\x77\xA5\xE1\x61\x17\xB7\xA6\xE9\xF8\x1E\x99\xDB\x73\x6E\xF4\x0A\xA2\x21\x6C\xEE\xDA\xAA\x85\x92\x66\xAF\xF6\x7A\x6B\x82\xDA\xBA\x22\x08\x35\x0F\xCF\x42\xF1\x35\xFA\x6A\xEE\x7E\x2B\x25\xCC\x3A\x11\xE4\x6D\xAF\x73\xB2\x76\x1D\xAD\xD0\xB2\x78\x67\x1A\xA4\x39\x1C\x51\x0B\x67\x56\x83\xFD\x38\x5D\x0D\xCE\xDD\xF0\xBB\x2B\x96\x1F\xDE\x7B\x32\x52\xFD\x1D\xBB\xB5\x06\xA1\xB2\x21\x5E\xA5\xD6\x95\x68\x7F\xF0\x99\x9E\xDC\x45\x08\x3E\xE7\xD2\x09\x0D\x35\x94\xDD\x80\x4E\x53\x97\xD7\xB5\x09\x44\x20\x64\x16\x17\x03\x02\x4C\x53\x0D\x68\xDE\xD5\xAA\x72\x4D\x93\x6D\x82\x0E\xDB\x9C\xBD\xCF\xB4\xF3\x5C\x5D\x54\x7A\x69\x09\x96\xD6\xDB\x11\xC1\x8D\x75\xA8\xB4\xCF\x39\xC8\xCE\x3C\xBC\x24\x7C\xE6\x62\xCA\xE1\xBD\x7D\xA7\xBD\x57\x65\x0B\xE4\xFE\x25\xED\xB6\x69\x10\xDC\x28\x1A\x46\xBD\x01\x1D\xD0\x97\xB5\xE1\x98\x3B\xC0\x37\x64\xD6\x3D\x94\xEE\x0B\xE1\xF5\x28\xAE\x0B\x56\xBF\x71\x8B\x23\x29\x41\x8E\x86\xC5\x4B\x52\x7B\xD8\x71\xAB\x1F\x8A\x15\xA6\x3B\x83\x5A\xD7\x58\x01\x51\xC6\x4C\x41\xD9\x7F\xD8\x41\x67\x72\xA2\x28\xDF\x60\x83\xA9\x9E\xC8\x7B\xFC\x53\x73\x72\x59\xF5\x93\x7A\x17\x76\x0E\xCE\xF7\xE5\x5C\xD9\x0B\x55\x34\xA2\xAA\x5B\xB5\x6A\x54\xE7\x13\xCA\x57\xEC\x97\x6D\xF4\x5E\x06\x2F\x45\x8B\x58\xD4\x23\x16\x92\xE4\x16\x6E\x28\x63\x59\x30\xDF\x50\x01\x9C\x63\x89\x1A\x9F\xDB\x17\x94\x82\x70\x37\xC3\x24\x9E\x9A\x47\xD6\x5A\xCA\x4E\xA8\x69\x89\x72\x1F\x91\x6C\xDB\x7E\x9E\x1B\xAD\xC7\x1F\x73\xDD\x2C\x4F\x19\x65\xFD\x7F\x93\x40\x10\x2E\xD2\xF0\xED\x3C\x9E\x2E\x28\x3E\x69\x26\x33\xC5\x7B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x31\x78\xE6\xC7\xB5\xDF\xB8\x94\x40\xC9\x71\xC4\xA8\x35\xEC\x46\x1D\xC2\x85\xF3\x28\x58\x86\xB0\x0B\xFC\x8E\xB2\x39\x8F\x44\x55\xAB\x64\x84\x5C\x69\xA9\xD0\x9A\x38\x3C\xFA\xE5\x1F\x35\xE5\x44\xE3\x80\x79\x94\x68\xA4\xBB\xC4\x9F\x3D\xE1\x34\xCD\x30\x46\x8B\x54\x2B\x95\xA5\xEF\xF7\x3F\x99\x84\xFD\x35\xE6\xCF\x31\xC6\xDC\x6A\xBF\xA7\xD7\x23\x08\xE1\x98\x5E\xC3\x5A\x08\x76\xA9\xA6\xAF\x77\x2F\xB7\x60\xBD\x44\x46\x6A\xEF\x97\xFF\x73\x95\xC1\x8E\xE8\x93\xFB\xFD\x31\xB7\xEC\x57\x11\x11\x45\x9B\x30\xF1\x1A\x88\x39\xC1\x4F\x3C\xA7\x00\xD5\xC7\xFC\xAB\x6D\x80\x22\x70\xA5\x0C\xE0\x5D\x04\x29\x02\xFB\xCB\xA0\x91\xD1\x7C\xD6\xC3\x7E\x50\xD5\x9D\x58\xBE\x41\x38\xEB\xB9\x75\x3C\x15\xD9\x9B\xC9\x4A\x83\x59\xC0\xDA\x53\xFD\x33\xBB\x36\x18\x9B\x85\x0F\x15\xDD\xEE\x2D\xAC\x76\x93\xB9\xD9\x01\x8D\x48\x10\xA8\xFB\xF5\x38\x86\xF1\xDB\x0A\xC6\xBD\x84\xA3\x23\x41\xDE\xD6\x77\x6F\x85\xD4\x85\x1C\x50\xE0\xAE\x51\x8A\xBA\x8D\x3E\x76\xE2\xB9\xCA\x27\xF2\x5F\x9F\xEF\x6E\x59\x0D\x06\xD8\x2B\x17\xA4\xD2\x7C\x6B\xBB\x5F\x14\x1A\x48\x8F\x1A\x4C\xE7\xB3\x47\x1C\x8E\x4C\x45\x2B\x20\xEE\x48\xDF\xE7\xDD\x09\x8E\x18\xA8\xDA\x40\x8D\x92\x26\x11\x53\x61\x73\x5D\xEB\xBD\xE7\xC4\x4D\x29\x37\x61\xEB\xAC\x39\x2D\x67\x2E\x16\xD6\xF5\x00\x83\x85\xA1\xCC\x7F\x76\xC4\x7D\xE4\xB7\x4B\x66\xEF\x03\x45\x60\x69\xB6\x0C\x52\x96\x92\x84\x5E\xA6\xA3\xB5\xA4\x3E\x2B\xD9\xCC\xD8\x1B\x47\xAA\xF2\x44\xDA\x4F\xF9\x03\xE8\xF0\x14\xCB\x3F\xF3\x83\xDE\xD0\xC1\x54\xE3\xB7\xE8\x0A\x37\x4D\x8B\x20\x59\x03\x30\x19\xA1\x2C\xC8\xBD\x11\x1F\xDF\xAE\xC9\x4A\xC5\xF3\x27\x66\x66\x86\xAC\x68\x91\xFF\xD9\xE6\x53\x1C\x0F\x8B\x5C\x69\x65\x0A\x26\xC8\x1E\x34\xC3\x5D\x51\x7B\xD7\xA9\x9C\x06\xA1\x36\xDD\xD5\x89\x94\xBC\xD9\xE4\x2D\x0C\x5E\x09\x6C\x08\x97\x7C\xA3\x3D\x7C\x93\xFF\x3F\xA1\x14\xA7\xCF\xB5\x5D\xEB\xDB\xDB\x1C\xC4\x76\xDF\x88\xB9\xBD\x45\x05\x95\x1B\xAE\xFC\x46\x6A\x4C\xAF\x48\xE3\xCE\xAE\x0F\xD2\x7E\xEB\xE6\x6C\x9C\x4F\x81\x6A\x7A\x64\xAC\xBB\x3E\xD5\xE7\xCB\x76\x2E\xC5\xA7\x48\xC1\x5C\x90\x0F\xCB\xC8\x3F\xFA\xE6\x32\xE1\x8D\x1B\x6F\xA4\xE6\x8E\xD8\xF9\x29\x48\x8A\xCE\x73\xFE\x2C",
+	["CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US"] = "\x30\x82\x05\x6C\x30\x82\x03\x54\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB3\x54\x52\xC1\xC9\x3E\xF2\xD9\xDC\xB1\x53\x1A\x59\x29\xE7\xB1\xC3\x45\x28\xE5\xD7\xD1\xED\xC5\xC5\x4B\xA1\xAA\x74\x7B\x57\xAF\x4A\x26\xFC\xD8\xF5\x5E\xA7\x6E\x19\xDB\x74\x0C\x4F\x35\x5B\x32\x0B\x01\xE3\xDB\xEB\x7A\x77\x35\xEA\xAA\x5A\xE0\xD6\xE8\xA1\x57\x94\xF0\x90\xA3\x74\x56\x94\x44\x30\x03\x1E\x5C\x4E\x2B\x85\x26\x74\x82\x7A\x0C\x76\xA0\x6F\x4D\xCE\x41\x2D\xA0\x15\x06\x14\x5F\xB7\x42\xCD\x7B\x8F\x58\x61\x34\xDC\x2A\x08\xF9\x2E\xC3\x01\xA6\x22\x44\x1C\x4C\x07\x82\xE6\x5B\xCE\xD0\x4A\x7C\x04\xD3\x19\x73\x27\xF0\xAA\x98\x7F\x2E\xAF\x4E\xEB\x87\x1E\x24\x77\x6A\x5D\xB6\xE8\x5B\x45\xBA\xDC\xC3\xA1\x05\x6F\x56\x8E\x8F\x10\x26\xA5\x49\xC3\x2E\xD7\x41\x87\x22\xE0\x4F\x86\xCA\x60\xB5\xEA\xA1\x63\xC0\x01\x97\x10\x79\xBD\x00\x3C\x12\x6D\x2B\x15\xB1\xAC\x4B\xB1\xEE\x18\xB9\x4E\x96\xDC\xDC\x76\xFF\x3B\xBE\xCF\x5F\x03\xC0\xFC\x3B\xE8\xBE\x46\x1B\xFF\xDA\x40\xC2\x52\xF7\xFE\xE3\x3A\xF7\x6A\x77\x35\xD0\xDA\x8D\xEB\x5E\x18\x6A\x31\xC7\x1E\xBA\x3C\x1B\x28\xD6\x6B\x54\xC6\xAA\x5B\xD7\xA2\x2C\x1B\x19\xCC\xA2\x02\xF6\x9B\x59\xBD\x37\x6B\x86\xB5\x6D\x82\xBA\xD8\xEA\xC9\x56\xBC\xA9\x36\x58\xFD\x3E\x19\xF3\xED\x0C\x26\xA9\x93\x38\xF8\x4F\xC1\x5D\x22\x06\xD0\x97\xEA\xE1\xAD\xC6\x55\xE0\x81\x2B\x28\x83\x3A\xFA\xF4\x7B\x21\x51\x00\xBE\x52\x38\xCE\xCD\x66\x79\xA8\xF4\x81\x56\xE2\xD0\x83\x09\x47\x51\x5B\x50\x6A\xCF\xDB\x48\x1A\x5D\x3E\xF7\xCB\xF6\x65\xF7\x6C\xF1\x95\xF8\x02\x3B\x32\x56\x82\x39\x7A\x5B\xBD\x2F\x89\x1B\xBF\xA1\xB4\xE8\xFF\x7F\x8D\x8C\xDF\x03\xF1\x60\x4E\x58\x11\x4C\xEB\xA3\x3F\x10\x2B\x83\x9A\x01\x73\xD9\x94\x6D\x84\x00\x27\x66\xAC\xF0\x70\x40\x09\x42\x92\xAD\x4F\x93\x0D\x61\x09\x51\x24\xD8\x92\xD5\x0B\x94\x61\xB2\x87\xB2\xED\xFF\x9A\x35\xFF\x85\x54\xCA\xED\x44\x43\xAC\x1B\x3C\x16\x6B\x48\x4A\x0A\x1C\x40\x88\x1F\x92\xC2\x0B\x00\x05\xFF\xF2\xC8\x02\x4A\xA4\xAA\xA9\xCC\x99\x96\x9C\x2F\x58\xE0\x7D\xE1\xBE\xBB\x07\xDC\x5F\x04\x72\x5C\x31\x34\xC3\xEC\x5F\x2D\xE0\x3D\x64\x90\x22\xE6\xD1\xEC\xB8\x2E\xDD\x59\xAE\xD9\xA1\x37\xBF\x54\x35\xDC\x73\x32\x4F\x8C\x04\x1E\x33\xB2\xC9\x46\xF1\xD8\x5C\xC8\x55\x50\xC9\x68\xBD\xA8\xBA\x36\x09\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x66\xC1\xC6\x23\xF3\xD9\xE0\x2E\x6E\x5F\xE8\xCF\xAE\xB0\xB0\x25\x4D\x2B\xF8\x3B\x58\x9B\x40\x24\x37\x5A\xCB\xAB\x16\x49\xFF\xB3\x75\x79\x33\xA1\x2F\x6D\x70\x17\x34\x91\xFE\x67\x7E\x8F\xEC\x9B\xE5\x5E\x82\xA9\x55\x1F\x2F\xDC\xD4\x51\x07\x12\xFE\xAC\x16\x3E\x2C\x35\xC6\x63\xFC\xDC\x10\xEB\x0D\xA3\xAA\xD0\x7C\xCC\xD1\xD0\x2F\x51\x2E\xC4\x14\x5A\xDE\xE8\x19\xE1\x3E\xC6\xCC\xA4\x29\xE7\x2E\x84\xAA\x06\x30\x78\x76\x54\x73\x28\x98\x59\x38\xE0\x00\x0D\x62\xD3\x42\x7D\x21\x9F\xAE\x3D\x3A\x8C\xD5\xFA\x77\x0D\x18\x2B\x16\x0E\x5F\x36\xE1\xFC\x2A\xB5\x30\x24\xCF\xE0\x63\x0C\x7B\x58\x1A\xFE\x99\xBA\x42\x12\xB1\x91\xF4\x7C\x68\xE2\xC8\xE8\xAF\x2C\xEA\xC9\x7E\xAE\xBB\x2A\x3D\x0D\x15\xDC\x34\x95\xB6\x18\x74\xA8\x6A\x0F\xC7\xB4\xF4\x13\xC4\xE4\x5B\xED\x0A\xD2\xA4\x97\x4C\x2A\xED\x2F\x6C\x12\x89\x3D\xF1\x27\x70\xAA\x6A\x03\x52\x21\x9F\x40\xA8\x67\x50\xF2\xF3\x5A\x1F\xDF\xDF\x23\xF6\xDC\x78\x4E\xE6\x98\x4F\x55\x3A\x53\xE3\xEF\xF2\xF4\x9F\xC7\x7C\xD8\x58\xAF\x29\x22\x97\xB8\xE0\xBD\x91\x2E\xB0\x76\xEC\x57\x11\xCF\xEF\x29\x44\xF3\xE9\x85\x7A\x60\x63\xE4\x5D\x33\x89\x17\xD9\x31\xAA\xDA\xD6\xF3\x18\x35\x72\xCF\x87\x2B\x2F\x63\x23\x84\x5D\x84\x8C\x3F\x57\xA0\x88\xFC\x99\x91\x28\x26\x69\x99\xD4\x8F\x97\x44\xBE\x8E\xD5\x48\xB1\xA4\x28\x29\xF1\x15\xB4\xE1\xE5\x9E\xDD\xF8\x8F\xA6\x6F\x26\xD7\x09\x3C\x3A\x1C\x11\x0E\xA6\x6C\x37\xF7\xAD\x44\x87\x2C\x28\xC7\xD8\x74\x82\xB3\xD0\x6F\x4A\x57\xBB\x35\x29\x27\xA0\x8B\xE8\x21\xA7\x87\x64\x36\x5D\xCC\xD8\x16\xAC\xC7\xB2\x27\x40\x92\x55\x38\x28\x8D\x51\x6E\xDD\x14\x67\x53\x6C\x71\x5C\x26\x84\x4D\x75\x5A\xB6\x7E\x60\x56\xA9\x4D\xAD\xFB\x9B\x1E\x97\xF3\x0D\xD9\xD2\x97\x54\x77\xDA\x3D\x12\xB7\xE0\x1E\xEF\x08\x06\xAC\xF9\x85\x87\xE9\xA2\xDC\xAF\x7E\x18\x12\x83\xFD\x56\x17\x41\x2E\xD5\x29\x82\x7D\x99\xF4\x31\xF6\x71\xA9\xCF\x2C\x01\x27\xA5\x05\xB9\xAA\xB2\x48\x4E\x2A\xEF\x9F\x93\x52\x51\x95\x3C\x52\x73\x8E\x56\x4C\x17\x40\xC0\x09\x28\xE4\x8B\x6A\x48\x53\xDB\xEC\xCD\x55\x55\xF1\xC6\xF8\xE9\xA2\x2C\x4C\xA6\xD1\x26\x5F\x7E\xAF\x5A\x4C\xDA\x1F\xA6\xF2\x1C\x2C\x7E\xAE\x02\x16\xD2\x56\xD0\x2F\x57\x53\x47\xE8\x92",
+	["CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US"] = "\x30\x82\x03\xA4\x30\x82\x02\x8C\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x49\x6E\x63\x2E\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x31\x30\x1E\x17\x0D\x30\x32\x30\x35\x32\x38\x30\x36\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x31\x31\x39\x32\x30\x34\x33\x30\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x49\x6E\x63\x2E\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA8\x2F\xE8\xA4\x69\x06\x03\x47\xC3\xE9\x2A\x98\xFF\x19\xA2\x70\x9A\xC6\x50\xB2\x7E\xA5\xDF\x68\x4D\x1B\x7C\x0F\xB6\x97\x68\x7D\x2D\xA6\x8B\x97\xE9\x64\x86\xC9\xA3\xEF\xA0\x86\xBF\x60\x65\x9C\x4B\x54\x88\xC2\x48\xC5\x4A\x39\xBF\x14\xE3\x59\x55\xE5\x19\xB4\x74\xC8\xB4\x05\x39\x5C\x16\xA5\xE2\x95\x05\xE0\x12\xAE\x59\x8B\xA2\x33\x68\x58\x1C\xA6\xD4\x15\xB7\xD8\x9F\xD7\xDC\x71\xAB\x7E\x9A\xBF\x9B\x8E\x33\x0F\x22\xFD\x1F\x2E\xE7\x07\x36\xEF\x62\x39\xC5\xDD\xCB\xBA\x25\x14\x23\xDE\x0C\xC6\x3D\x3C\xCE\x82\x08\xE6\x66\x3E\xDA\x51\x3B\x16\x3A\xA3\x05\x7F\xA0\xDC\x87\xD5\x9C\xFC\x72\xA9\xA0\x7D\x78\xE4\xB7\x31\x55\x1E\x65\xBB\xD4\x61\xB0\x21\x60\xED\x10\x32\x72\xC5\x92\x25\x1E\xF8\x90\x4A\x18\x78\x47\xDF\x7E\x30\x37\x3E\x50\x1B\xDB\x1C\xD3\x6B\x9A\x86\x53\x07\xB0\xEF\xAC\x06\x78\xF8\x84\x99\xFE\x21\x8D\x4C\x80\xB6\x0C\x82\xF6\x66\x70\x79\x1A\xD3\x4F\xA3\xCF\xF1\xCF\x46\xB0\x4B\x0F\x3E\xDD\x88\x62\xB8\x8C\xA9\x09\x28\x3B\x7A\xC7\x97\xE1\x1E\xE5\xF4\x9F\xC0\xC0\xAE\x24\xA0\xC8\xA1\xD9\x0F\xD6\x7B\x26\x82\x69\x32\x3D\xA7\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x00\xAD\xD9\xA3\xF6\x79\xF6\x6E\x74\xA9\x7F\x33\x3D\x81\x17\xD7\x4C\xCF\x33\xDE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x00\xAD\xD9\xA3\xF6\x79\xF6\x6E\x74\xA9\x7F\x33\x3D\x81\x17\xD7\x4C\xCF\x33\xDE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7C\x8A\xD1\x1F\x18\x37\x82\xE0\xB8\xB0\xA3\xED\x56\x95\xC8\x62\x61\x9C\x05\xA2\xCD\xC2\x62\x26\x61\xCD\x10\x16\xD7\xCC\xB4\x65\x34\xD0\x11\x8A\xAD\xA8\xA9\x05\x66\xEF\x74\xF3\x6D\x5F\x9D\x99\xAF\xF6\x8B\xFB\xEB\x52\xB2\x05\x98\xA2\x6F\x2A\xC5\x54\xBD\x25\xBD\x5F\xAE\xC8\x86\xEA\x46\x2C\xC1\xB3\xBD\xC1\xE9\x49\x70\x18\x16\x97\x08\x13\x8C\x20\xE0\x1B\x2E\x3A\x47\xCB\x1E\xE4\x00\x30\x95\x5B\xF4\x45\xA3\xC0\x1A\xB0\x01\x4E\xAB\xBD\xC0\x23\x6E\x63\x3F\x80\x4A\xC5\x07\xED\xDC\xE2\x6F\xC7\xC1\x62\xF1\xE3\x72\xD6\x04\xC8\x74\x67\x0B\xFA\x88\xAB\xA1\x01\xC8\x6F\xF0\x14\xAF\xD2\x99\xCD\x51\x93\x7E\xED\x2E\x38\xC7\xBD\xCE\x46\x50\x3D\x72\xE3\x79\x25\x9D\x9B\x88\x2B\x10\x20\xDD\xA5\xB8\x32\x9F\x8D\xE0\x29\xDF\x21\x74\x86\x82\xDB\x2F\x82\x30\xC6\xC7\x35\x86\xB3\xF9\x96\x5F\x46\xDB\x0C\x45\xFD\xF3\x50\xC3\x6F\xC6\xC3\x48\xAD\x46\xA6\xE1\x27\x47\x0A\x1D\x0E\x9B\xB6\xC2\x77\x7F\x63\xF2\xE0\x7D\x1A\xBE\xFC\xE0\xDF\xD7\xC7\xA7\x6C\xB0\xF9\xAE\xBA\x3C\xFD\x74\xB4\x11\xE8\x58\x0D\x80\xBC\xD3\xA8\x80\x3A\x99\xED\x75\xCC\x46\x7B",
+	["CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US"] = "\x30\x82\x05\xA4\x30\x82\x03\x8C\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x49\x6E\x63\x2E\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x32\x30\x1E\x17\x0D\x30\x32\x30\x35\x32\x38\x30\x36\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x30\x39\x32\x39\x31\x34\x30\x38\x30\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x49\x6E\x63\x2E\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x41\x6D\x65\x72\x69\x63\x61\x20\x4F\x6E\x6C\x69\x6E\x65\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\x41\x45\x1D\xE9\x3D\x4D\x10\xF6\x8C\xB1\x41\xC9\xE0\x5E\xCB\x0D\xB7\xBF\x47\x73\xD3\xF0\x55\x4D\xDD\xC6\x0C\xFA\xB1\x66\x05\x6A\xCD\x78\xB4\xDC\x02\xDB\x4E\x81\xF3\xD7\xA7\x7C\x71\xBC\x75\x63\xA0\x5D\xE3\x07\x0C\x48\xEC\x25\xC4\x03\x20\xF4\xFF\x0E\x3B\x12\xFF\x9B\x8D\xE1\xC6\xD5\x1B\xB4\x6D\x22\xE3\xB1\xDB\x7F\x21\x64\xAF\x86\xBC\x57\x22\x2A\xD6\x47\x81\x57\x44\x82\x56\x53\xBD\x86\x14\x01\x0B\xFC\x7F\x74\xA4\x5A\xAE\xF1\xBA\x11\xB5\x9B\x58\x5A\x80\xB4\x37\x78\x09\x33\x7C\x32\x47\x03\x5C\xC4\xA5\x83\x48\xF4\x57\x56\x6E\x81\x36\x27\x18\x4F\xEC\x9B\x28\xC2\xD4\xB4\xD7\x7C\x0C\x3E\x0C\x2B\xDF\xCA\x04\xD7\xC6\x8E\xEA\x58\x4E\xA8\xA4\xA5\x18\x1C\x6C\x45\x98\xA3\x41\xD1\x2D\xD2\xC7\x6D\x8D\x19\xF1\xAD\x79\xB7\x81\x3F\xBD\x06\x82\x27\x2D\x10\x58\x05\xB5\x78\x05\xB9\x2F\xDB\x0C\x6B\x90\x90\x7E\x14\x59\x38\xBB\x94\x24\x13\xE5\xD1\x9D\x14\xDF\xD3\x82\x4D\x46\xF0\x80\x39\x52\x32\x0F\xE3\x84\xB2\x7A\x43\xF2\x5E\xDE\x5F\x3F\x1D\xDD\xE3\xB2\x1B\xA0\xA1\x2A\x23\x03\x6E\x2E\x01\x15\x87\x5C\xA6\x75\x75\xC7\x97\x61\xBE\xDE\x86\xDC\xD4\x48\xDB\xBD\x2A\xBF\x4A\x55\xDA\xE8\x7D\x50\xFB\xB4\x80\x17\xB8\x94\xBF\x01\x3D\xEA\xDA\xBA\x7C\xE0\x58\x67\x17\xB9\x58\xE0\x88\x86\x46\x67\x6C\x9D\x10\x47\x58\x32\xD0\x35\x7C\x79\x2A\x90\xA2\x5A\x10\x11\x23\x35\xAD\x2F\xCC\xE4\x4A\x5B\xA7\xC8\x27\xF2\x83\xDE\x5E\xBB\x5E\x77\xE7\xE8\xA5\x6E\x63\xC2\x0D\x5D\x61\xD0\x8C\xD2\x6C\x5A\x21\x0E\xCA\x28\xA3\xCE\x2A\xE9\x95\xC7\x48\xCF\x96\x6F\x1D\x92\x25\xC8\xC6\xC6\xC1\xC1\x0C\x05\xAC\x26\xC4\xD2\x75\xD2\xE1\x2A\x67\xC0\x3D\x5B\xA5\x9A\xEB\xCF\x7B\x1A\xA8\x9D\x14\x45\xE5\x0F\xA0\x9A\x65\xDE\x2F\x28\xBD\xCE\x6F\x94\x66\x83\x48\x29\xD8\xEA\x65\x8C\xAF\x93\xD9\x64\x9F\x55\x57\x26\xBF\x6F\xCB\x37\x31\x99\xA3\x60\xBB\x1C\xAD\x89\x34\x32\x62\xB8\x43\x21\x06\x72\x0C\xA1\x5C\x6D\x46\xC5\xFA\x29\xCF\x30\xDE\x89\xDC\x71\x5B\xDD\xB6\x37\x3E\xDF\x50\xF5\xB8\x07\x25\x26\xE5\xBC\xB5\xFE\x3C\x02\xB3\xB7\xF8\xBE\x43\xC1\x87\x11\x94\x9E\x23\x6C\x17\x8A\xB8\x8A\x27\x0C\x54\x47\xF0\xA9\xB3\xC0\x80\x8C\xA0\x27\xEB\x1D\x19\xE3\x07\x8E\x77\x70\xCA\x2B\xF4\x7D\x76\xE0\x78\x67\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4D\x45\xC1\x68\x38\xBB\x73\xA9\x69\xA1\x20\xE7\xED\xF5\x22\xA1\x23\x14\xD7\x9E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x4D\x45\xC1\x68\x38\xBB\x73\xA9\x69\xA1\x20\xE7\xED\xF5\x22\xA1\x23\x14\xD7\x9E\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x67\x6B\x06\xB9\x5F\x45\x3B\x2A\x4B\x33\xB3\xE6\x1B\x6B\x59\x4E\x22\xCC\xB9\xB7\xA4\x25\xC9\xA7\xC4\xF0\x54\x96\x0B\x64\xF3\xB1\x58\x4F\x5E\x51\xFC\xB2\x97\x7B\x27\x65\xC2\xE5\xCA\xE7\x0D\x0C\x25\x7B\x62\xE3\xFA\x9F\xB4\x87\xB7\x45\x46\xAF\x83\xA5\x97\x48\x8C\xA5\xBD\xF1\x16\x2B\x9B\x76\x2C\x7A\x35\x60\x6C\x11\x80\x97\xCC\xA9\x92\x52\xE6\x2B\xE6\x69\xED\xA9\xF8\x36\x2D\x2C\x77\xBF\x61\x48\xD1\x63\x0B\xB9\x5B\x52\xED\x18\xB0\x43\x42\x22\xA6\xB1\x77\xAE\xDE\x69\xC5\xCD\xC7\x1C\xA1\xB1\xA5\x1C\x10\xFB\x18\xBE\x1A\x70\xDD\xC1\x92\x4B\xBE\x29\x5A\x9D\x3F\x35\xBE\xE5\x7D\x51\xF8\x55\xE0\x25\x75\x23\x87\x1E\x5C\xDC\xBA\x9D\xB0\xAC\xB3\x69\xDB\x17\x83\xC9\xF7\xDE\x0C\xBC\x08\xDC\x91\x9E\xA8\xD0\xD7\x15\x37\x73\xA5\x35\xB8\xFC\x7E\xC5\x44\x40\x06\xC3\xEB\xF8\x22\x80\x5C\x47\xCE\x02\xE3\x11\x9F\x44\xFF\xFD\x9A\x32\xCC\x7D\x64\x51\x0E\xEB\x57\x26\x76\x3A\xE3\x1E\x22\x3C\xC2\xA6\x36\xDD\x19\xEF\xA7\xFC\x12\xF3\x26\xC0\x59\x31\x85\x4C\x9C\xD8\xCF\xDF\xA4\xCC\xCC\x29\x93\xFF\x94\x6D\x76\x5C\x13\x08\x97\xF2\xED\xA5\x0B\x4D\xDD\xE8\xC9\x68\x0E\x66\xD3\x00\x0E\x33\x12\x5B\xBC\x95\xE5\x32\x90\xA8\xB3\xC6\x6C\x83\xAD\x77\xEE\x8B\x7E\x7E\xB1\xA9\xAB\xD3\xE1\xF1\xB6\xC0\xB1\xEA\x88\xC0\xE7\xD3\x90\xE9\x28\x92\x94\x7B\x68\x7B\x97\x2A\x0A\x67\x2D\x85\x02\x38\x10\xE4\x03\x61\xD4\xDA\x25\x36\xC7\x08\x58\x2D\xA1\xA7\x51\xAF\x30\x0A\x49\xF5\xA6\x69\x87\x07\x2D\x44\x46\x76\x8E\x2A\xE5\x9A\x3B\xD7\x18\xA2\xFC\x9C\x38\x10\xCC\xC6\x3B\xD2\xB5\x17\x3A\x6F\xFD\xAE\x25\xBD\xF5\x72\x59\x64\xB1\x74\x2A\x38\x5F\x18\x4C\xDF\xCF\x71\x04\x5A\x36\xD4\xBF\x2F\x99\x9C\xE8\xD9\xBA\xB1\x95\xE6\x02\x4B\x21\xA1\x5B\xD5\xC1\x4F\x8F\xAE\x69\x6D\x53\xDB\x01\x93\xB5\x5C\x1E\x18\xDD\x64\x5A\xCA\x18\x28\x3E\x63\x04\x11\xFD\x1C\x8D\x00\x0F\xB8\x37\xDF\x67\x8A\x9D\x66\xA9\x02\x6A\x91\xFF\x13\xCA\x2F\x5D\x83\xBC\x87\x93\x6C\xDC\x24\x51\x16\x04\x25\x66\xFA\xB3\xD9\xC2\xBA\x29\xBE\x9A\x48\x38\x82\x99\xF4\xBF\x3B\x4A\x31\x19\xF9\xBF\x8E\x21\x33\x14\xCA\x4F\x54\x5F\xFB\xCE\xFB\x8F\x71\x7F\xFD\x5E\x19\xA0\x0F\x4B\x91\xB8\xC4\x54\xBC\x06\xB0\x45\x8F\x26\x91\xA2\x8E\xFE\xA9",
+	["CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US"] = "\x30\x82\x03\xA2\x30\x82\x02\x8A\xA0\x03\x02\x01\x02\x02\x10\x13\x86\x35\x4D\x1D\x3F\x06\xF2\xC1\xF9\x65\x05\xD5\x90\x1C\x62\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x32\x30\x36\x32\x36\x30\x32\x31\x38\x33\x36\x5A\x17\x0D\x32\x32\x30\x36\x32\x34\x30\x30\x31\x36\x31\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x57\xDE\x56\x1E\x6E\xA1\xDA\x60\xB1\x94\x27\xCB\x17\xDB\x07\x3F\x80\x85\x4F\xC8\x9C\xB6\xD0\xF4\x6F\x4F\xCF\x99\xD8\xE1\xDB\xC2\x48\x5C\x3A\xAC\x39\x33\xC7\x1F\x6A\x8B\x26\x3D\x2B\x35\xF5\x48\xB1\x91\xC1\x02\x4E\x04\x96\x91\x7B\xB0\x33\xF0\xB1\x14\x4E\x11\x6F\xB5\x40\xAF\x1B\x45\xA5\x4A\xEF\x7E\xB6\xAC\xF2\xA0\x1F\x58\x3F\x12\x46\x60\x3C\x8D\xA1\xE0\x7D\xCF\x57\x3E\x33\x1E\xFB\x47\xF1\xAA\x15\x97\x07\x55\x66\xA5\xB5\x2D\x2E\xD8\x80\x59\xB2\xA7\x0D\xB7\x46\xEC\x21\x63\xFF\x35\xAB\xA5\x02\xCF\x2A\xF4\x4C\xFE\x7B\xF5\x94\x5D\x84\x4D\xA8\xF2\x60\x8F\xDB\x0E\x25\x3C\x9F\x73\x71\xCF\x94\xDF\x4A\xEA\xDB\xDF\x72\x38\x8C\xF3\x96\xBD\xF1\x17\xBC\xD2\xBA\x3B\x45\x5A\xC6\xA7\xF6\xC6\x17\x8B\x01\x9D\xFC\x19\xA8\x2A\x83\x16\xB8\x3A\x48\xFE\x4E\x3E\xA0\xAB\x06\x19\xE9\x53\xF3\x80\x13\x07\xED\x2D\xBF\x3F\x0A\x3C\x55\x20\x39\x2C\x2C\x00\x69\x74\x95\x4A\xBC\x20\xB2\xA9\x79\xE5\x18\x89\x91\xA8\xDC\x1C\x4D\xEF\xBB\x7E\x37\x0B\x5D\xFE\x39\xA5\x88\x52\x8C\x00\x6C\xEC\x18\x7C\x41\xBD\xF6\x8B\x75\x77\xBA\x60\x9D\x84\xE7\xFE\x2D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x15\x38\x83\x0F\x3F\x2C\x3F\x70\x33\x1E\xCD\x46\xFE\x07\x8C\x20\xE0\xD7\xC3\xB7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\xF1\x41\x7D\x7C\x5C\x08\xB9\x2B\xE0\xD5\x92\x47\xFA\x67\x5C\xA5\x13\xC3\x03\x21\x9B\x2B\x4C\x89\x46\xCF\x59\x4D\xC9\xFE\xA5\x40\xB6\x63\xCD\xDD\x71\x28\x95\x67\x11\xCC\x24\xAC\xD3\x44\x6C\x71\xAE\x01\x20\x6B\x03\xA2\x8F\x18\xB7\x29\x3A\x7D\xE5\x16\x60\x53\x78\x3C\xC0\xAF\x15\x83\xF7\x8F\x52\x33\x24\xBD\x64\x93\x97\xEE\x8B\xF7\xDB\x18\xA8\x6D\x71\xB3\xF7\x2C\x17\xD0\x74\x25\x69\xF7\xFE\x6B\x3C\x94\xBE\x4D\x4B\x41\x8C\x4E\xE2\x73\xD0\xE3\x90\x22\x73\x43\xCD\xF3\xEF\xEA\x73\xCE\x45\x8A\xB0\xA6\x49\xFF\x4C\x7D\x9D\x71\x88\xC4\x76\x1D\x90\x5B\x1D\xEE\xFD\xCC\xF7\xEE\xFD\x60\xA5\xB1\x7A\x16\x71\xD1\x16\xD0\x7C\x12\x3C\x6C\x69\x97\xDB\xAE\x5F\x39\x9A\x70\x2F\x05\x3C\x19\x46\x04\x99\x20\x36\xD0\x60\x6E\x61\x06\xBB\x16\x42\x8C\x70\xF7\x30\xFB\xE0\xDB\x66\xA3\x00\x01\xBD\xE6\x2C\xDA\x91\x5F\xA0\x46\x8B\x4D\x6A\x9C\x3D\x3D\xDD\x05\x46\xFE\x76\xBF\xA0\x0A\x3C\xE4\x00\xE6\x27\xB7\xFF\x84\x2D\xDE\xBA\x22\x27\x96\x10\x71\xEB\x22\xED\xDF\xDF\x33\x9C\xCF\xE3\xAD\xAE\x8E\xD4\x8E\xE6\x4F\x51\xAF\x16\x92\xE0\x5C\xF6\x07\x0F",
+	["emailAddress=certificate@trustcenter.de,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter for Security in Data Networks GmbH,L=Hamburg,ST=Hamburg,C=DE"] = "\x30\x82\x03\x5C\x30\x82\x02\xC5\xA0\x03\x02\x01\x02\x02\x02\x03\xEA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xBC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x3A\x30\x38\x06\x03\x55\x04\x0A\x13\x31\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x66\x6F\x72\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x69\x6E\x20\x44\x61\x74\x61\x20\x4E\x65\x74\x77\x6F\x72\x6B\x73\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x31\x29\x30\x27\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x1A\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x40\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x30\x1E\x17\x0D\x39\x38\x30\x33\x30\x39\x31\x31\x35\x39\x35\x39\x5A\x17\x0D\x31\x31\x30\x31\x30\x31\x31\x31\x35\x39\x35\x39\x5A\x30\x81\xBC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x3A\x30\x38\x06\x03\x55\x04\x0A\x13\x31\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x66\x6F\x72\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x69\x6E\x20\x44\x61\x74\x61\x20\x4E\x65\x74\x77\x6F\x72\x6B\x73\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x31\x29\x30\x27\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x1A\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x40\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xDA\x38\xE8\xED\x32\x00\x29\x71\x83\x01\x0D\xBF\x8C\x01\xDC\xDA\xC6\xAD\x39\xA4\xA9\x8A\x2F\xD5\x8B\x5C\x68\x5F\x50\xC6\x62\xF5\x66\xBD\xCA\x91\x22\xEC\xAA\x1D\x51\xD7\x3D\xB3\x51\xB2\x83\x4E\x5D\xCB\x49\xB0\xF0\x4C\x55\xE5\x6B\x2D\xC7\x85\x0B\x30\x1C\x92\x4E\x82\xD4\xCA\x02\xED\xF7\x6F\xBE\xDC\xE0\xE3\x14\xB8\x05\x53\xF2\x9A\xF4\x56\x8B\x5A\x9E\x85\x93\xD1\xB4\x82\x56\xAE\x4D\xBB\xA8\x4B\x57\x16\xBC\xFE\xF8\x58\x9E\xF8\x29\x8D\xB0\x7B\xCD\x78\xC9\x4F\xAC\x8B\x67\x0C\xF1\x9C\xFB\xFC\x57\x9B\x57\x5C\x4F\x0D\x02\x03\x01\x00\x01\xA3\x6B\x30\x69\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x33\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x08\x04\x26\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x67\x75\x69\x64\x65\x6C\x69\x6E\x65\x73\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x84\x52\xFB\x28\xDF\xFF\x1F\x75\x01\xBC\x01\xBE\x04\x56\x97\x6A\x74\x42\x24\x31\x83\xF9\x46\xB1\x06\x8A\x89\xCF\x96\x2C\x33\xBF\x8C\xB5\x5F\x7A\x72\xA1\x85\x06\xCE\x86\xF8\x05\x8E\xE8\xF9\x25\xCA\xDA\x83\x8C\x06\xAC\xEB\x36\x6D\x85\x91\x34\x04\x36\xF4\x42\xF0\xF8\x79\x2E\x0A\x48\x5C\xAB\xCC\x51\x4F\x78\x76\xA0\xD9\xAC\x19\xBD\x2A\xD1\x69\x04\x28\x91\xCA\x36\x10\x27\x80\x57\x5B\xD2\x5C\xF5\xC2\x5B\xAB\x64\x81\x63\x74\x51\xF4\x97\xBF\xCD\x12\x28\xF7\x4D\x66\x7F\xA7\xF0\x1C\x01\x26\x78\xB2\x66\x47\x70\x51\x64",
+	["emailAddress=certificate@trustcenter.de,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter for Security in Data Networks GmbH,L=Hamburg,ST=Hamburg,C=DE"] = "\x30\x82\x03\x5C\x30\x82\x02\xC5\xA0\x03\x02\x01\x02\x02\x02\x03\xEB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xBC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x3A\x30\x38\x06\x03\x55\x04\x0A\x13\x31\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x66\x6F\x72\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x69\x6E\x20\x44\x61\x74\x61\x20\x4E\x65\x74\x77\x6F\x72\x6B\x73\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x31\x29\x30\x27\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x1A\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x40\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x30\x1E\x17\x0D\x39\x38\x30\x33\x30\x39\x31\x31\x35\x39\x35\x39\x5A\x17\x0D\x31\x31\x30\x31\x30\x31\x31\x31\x35\x39\x35\x39\x5A\x30\x81\xBC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x48\x61\x6D\x62\x75\x72\x67\x31\x3A\x30\x38\x06\x03\x55\x04\x0A\x13\x31\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x66\x6F\x72\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x69\x6E\x20\x44\x61\x74\x61\x20\x4E\x65\x74\x77\x6F\x72\x6B\x73\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x31\x29\x30\x27\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x1A\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x40\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xB6\xB4\xC1\x35\x05\x2E\x0D\x8D\xEC\xA0\x40\x6A\x1C\x0E\x27\xA6\x50\x92\x6B\x50\x1B\x07\xDE\x2E\xE7\x76\xCC\xE0\xDA\xFC\x84\xA8\x5E\x8C\x63\x6A\x2B\x4D\xD9\x4E\x02\x76\x11\xC1\x0B\xF2\x8D\x79\xCA\x00\xB6\xF1\xB0\x0E\xD7\xFB\xA4\x17\x3D\xAF\xAB\x69\x7A\x96\x27\xBF\xAF\x33\xA1\x9A\x2A\x59\xAA\xC4\xB5\x37\x08\xF2\x12\xA5\x31\xB6\x43\xF5\x32\x96\x71\x28\x28\xAB\x8D\x28\x86\xDF\xBB\xEE\xE3\x0C\x7D\x30\xD6\xC3\x52\xAB\x8F\x5D\x27\x9C\x6B\xC0\xA3\xE7\x05\x6B\x57\x49\x44\xB3\x6E\xEA\x64\xCF\xD2\x8E\x7A\x50\x77\x77\x02\x03\x01\x00\x01\xA3\x6B\x30\x69\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x33\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x08\x04\x26\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x67\x75\x69\x64\x65\x6C\x69\x6E\x65\x73\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x16\x3D\xC6\xCD\xC1\xBB\x85\x71\x85\x46\x9F\x3E\x20\x8F\x51\x28\x99\xEC\x2D\x45\x21\x63\x23\x5B\x04\xBB\x4C\x90\xB8\x88\x92\x04\x4D\xBD\x7D\x01\xA3\x3F\xF6\xEC\xCE\xF1\xDE\xFE\x7D\xE5\xE1\x3E\xBB\xC6\xAB\x5E\x0B\xDD\x3D\x96\xC4\xCB\xA9\xD4\xF9\x26\xE6\x06\x4E\x9E\x0C\xA5\x7A\xBA\x6E\xC3\x7C\x82\x19\xD1\xC7\xB1\xB1\xC3\xDB\x0D\x8E\x9B\x40\x7C\x37\x0B\xF1\x5D\xE8\xFD\x1F\x90\x88\xA5\x0E\x4E\x37\x64\x21\xA8\x4E\x8D\xB4\x9F\xF1\xDE\x48\xAD\xD5\x56\x18\x52\x29\x8B\x47\x34\x12\x09\xD4\xBB\x92\x35\xEF\x0F\xDB\x34",
+	["CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL"] = "\x30\x82\x03\x0C\x30\x82\x01\xF4\xA0\x03\x02\x01\x02\x02\x03\x01\x00\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x17\x0D\x32\x37\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCE\xB1\xC1\x2E\xD3\x4F\x7C\xCD\x25\xCE\x18\x3E\x4F\xC4\x8C\x6F\x80\x6A\x73\xC8\x5B\x51\xF8\x9B\xD2\xDC\xBB\x00\x5C\xB1\xA0\xFC\x75\x03\xEE\x81\xF0\x88\xEE\x23\x52\xE9\xE6\x15\x33\x8D\xAC\x2D\x09\xC5\x76\xF9\x2B\x39\x80\x89\xE4\x97\x4B\x90\xA5\xA8\x78\xF8\x73\x43\x7B\xA4\x61\xB0\xD8\x58\xCC\xE1\x6C\x66\x7E\x9C\xF3\x09\x5E\x55\x63\x84\xD5\xA8\xEF\xF3\xB1\x2E\x30\x68\xB3\xC4\x3C\xD8\xAC\x6E\x8D\x99\x5A\x90\x4E\x34\xDC\x36\x9A\x8F\x81\x88\x50\xB7\x6D\x96\x42\x09\xF3\xD7\x95\x83\x0D\x41\x4B\xB0\x6A\x6B\xF8\xFC\x0F\x7E\x62\x9F\x67\xC4\xED\x26\x5F\x10\x26\x0F\x08\x4F\xF0\xA4\x57\x28\xCE\x8F\xB8\xED\x45\xF6\x6E\xEE\x25\x5D\xAA\x6E\x39\xBE\xE4\x93\x2F\xD9\x47\xA0\x72\xEB\xFA\xA6\x5B\xAF\xCA\x53\x3F\xE2\x0E\xC6\x96\x56\x11\x6E\xF7\xE9\x66\xA9\x26\xD8\x7F\x95\x53\xED\x0A\x85\x88\xBA\x4F\x29\xA5\x42\x8C\x5E\xB6\xFC\x85\x20\x00\xAA\x68\x0B\xA1\x1A\x85\x01\x9C\xC4\x46\x63\x82\x88\xB6\x22\xB1\xEE\xFE\xAA\x46\x59\x7E\xCF\x35\x2C\xD5\xB6\xDA\x5D\xF7\x48\x33\x14\x54\xB6\xEB\xD9\x6F\xCE\xCD\x88\xD6\xAB\x1B\xDA\x96\x3B\x1D\x59\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB8\x8D\xCE\xEF\xE7\x14\xBA\xCF\xEE\xB0\x44\x92\x6C\xB4\x39\x3E\xA2\x84\x6E\xAD\xB8\x21\x77\xD2\xD4\x77\x82\x87\xE6\x20\x41\x81\xEE\xE2\xF8\x11\xB7\x63\xD1\x17\x37\xBE\x19\x76\x24\x1C\x04\x1A\x4C\xEB\x3D\xAA\x67\x6F\x2D\xD4\xCD\xFE\x65\x31\x70\xC5\x1B\xA6\x02\x0A\xBA\x60\x7B\x6D\x58\xC2\x9A\x49\xFE\x63\x32\x0B\x6B\xE3\x3A\xC0\xAC\xAB\x3B\xB0\xE8\xD3\x09\x51\x8C\x10\x83\xC6\x34\xE0\xC5\x2B\xE0\x1A\xB6\x60\x14\x27\x6C\x32\x77\x8C\xBC\xB2\x72\x98\xCF\xCD\xCC\x3F\xB9\xC8\x24\x42\x14\xD6\x57\xFC\xE6\x26\x43\xA9\x1D\xE5\x80\x90\xCE\x03\x54\x28\x3E\xF7\x3F\xD3\xF8\x4D\xED\x6A\x0A\x3A\x93\x13\x9B\x3B\x14\x23\x13\x63\x9C\x3F\xD1\x87\x27\x79\xE5\x4C\x51\xE3\x01\xAD\x85\x5D\x1A\x3B\xB1\xD5\x73\x10\xA4\xD3\xF2\xBC\x6E\x64\xF5\x5A\x56\x90\xA8\xC7\x0E\x4C\x74\x0F\x2E\x71\x3B\xF7\xC8\x47\xF4\x69\x6F\x15\xF2\x11\x5E\x83\x1E\x9C\x7C\x52\xAE\xFD\x02\xDA\x12\xA8\x59\x67\x18\xDB\xBC\x70\xDD\x9B\xB1\x69\xED\x80\xCE\x89\x40\x48\x6A\x0E\x35\xCA\x29\x66\x15\x21\x94\x2C\xE8\x60\x2A\x9B\x85\x4A\x40\xF3\x6B\x8A\x24\xEC\x06\x16\x2C\x73",
+	["CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x32\x30\x82\x03\x1A\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\x40\x9D\xF4\x6E\xE1\xEA\x76\x87\x1C\x4D\x45\x44\x8E\xBE\x46\xC8\x83\x06\x9D\xC1\x2A\xFE\x18\x1F\x8E\xE4\x02\xFA\xF3\xAB\x5D\x50\x8A\x16\x31\x0B\x9A\x06\xD0\xC5\x70\x22\xCD\x49\x2D\x54\x63\xCC\xB6\x6E\x68\x46\x0B\x53\xEA\xCB\x4C\x24\xC0\xBC\x72\x4E\xEA\xF1\x15\xAE\xF4\x54\x9A\x12\x0A\xC3\x7A\xB2\x33\x60\xE2\xDA\x89\x55\xF3\x22\x58\xF3\xDE\xDC\xCF\xEF\x83\x86\xA2\x8C\x94\x4F\x9F\x68\xF2\x98\x90\x46\x84\x27\xC7\x76\xBF\xE3\xCC\x35\x2C\x8B\x5E\x07\x64\x65\x82\xC0\x48\xB0\xA8\x91\xF9\x61\x9F\x76\x20\x50\xA8\x91\xC7\x66\xB5\xEB\x78\x62\x03\x56\xF0\x8A\x1A\x13\xEA\x31\xA3\x1E\xA0\x99\xFD\x38\xF6\xF6\x27\x32\x58\x6F\x07\xF5\x6B\xB8\xFB\x14\x2B\xAF\xB7\xAA\xCC\xD6\x63\x5F\x73\x8C\xDA\x05\x99\xA8\x38\xA8\xCB\x17\x78\x36\x51\xAC\xE9\x9E\xF4\x78\x3A\x8D\xCF\x0F\xD9\x42\xE2\x98\x0C\xAB\x2F\x9F\x0E\x01\xDE\xEF\x9F\x99\x49\xF1\x2D\xDF\xAC\x74\x4D\x1B\x98\xB5\x47\xC5\xE5\x29\xD1\xF9\x90\x18\xC7\x62\x9C\xBE\x83\xC7\x26\x7B\x3E\x8A\x25\xC7\xC0\xDD\x9D\xE6\x35\x68\x10\x20\x9D\x8F\xD8\xDE\xD2\xC3\x84\x9C\x0D\x5E\xE8\x2F\xC9\x02\x03\x01\x00\x01\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x11\x0A\x23\x3E\x96\xF1\x07\xEC\xE2\xAF\x29\xEF\x82\xA5\x7F\xD0\x30\xA4\xB4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x7B\x06\x03\x55\x1D\x1F\x04\x74\x30\x72\x30\x38\xA0\x36\xA0\x34\x86\x32\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x36\xA0\x34\xA0\x32\x86\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x08\x56\xFC\x02\xF0\x9B\xE8\xFF\xA4\xFA\xD6\x7B\xC6\x44\x80\xCE\x4F\xC4\xC5\xF6\x00\x58\xCC\xA6\xB6\xBC\x14\x49\x68\x04\x76\xE8\xE6\xEE\x5D\xEC\x02\x0F\x60\xD6\x8D\x50\x18\x4F\x26\x4E\x01\xE3\xE6\xB0\xA5\xEE\xBF\xBC\x74\x54\x41\xBF\xFD\xFC\x12\xB8\xC7\x4F\x5A\xF4\x89\x60\x05\x7F\x60\xB7\x05\x4A\xF3\xF6\xF1\xC2\xBF\xC4\xB9\x74\x86\xB6\x2D\x7D\x6B\xCC\xD2\xF3\x46\xDD\x2F\xC6\xE0\x6A\xC3\xC3\x34\x03\x2C\x7D\x96\xDD\x5A\xC2\x0E\xA7\x0A\x99\xC1\x05\x8B\xAB\x0C\x2F\xF3\x5C\x3A\xCF\x6C\x37\x55\x09\x87\xDE\x53\x40\x6C\x58\xEF\xFC\xB6\xAB\x65\x6E\x04\xF6\x1B\xDC\x3C\xE0\x5A\x15\xC6\x9E\xD9\xF1\x59\x48\x30\x21\x65\x03\x6C\xEC\xE9\x21\x73\xEC\x9B\x03\xA1\xE0\x37\xAD\xA0\x15\x18\x8F\xFA\xBA\x02\xCE\xA7\x2C\xA9\x10\x13\x2C\xD4\xE5\x08\x26\xAB\x22\x97\x60\xF8\x90\x5E\x74\xD4\xA2\x9A\x53\xBD\xF2\xA9\x68\xE0\xA2\x6E\xC2\xD7\x6C\xB1\xA3\x0F\x9E\xBF\xEB\x68\xE7\x56\xF2\xAE\xF2\xE3\x2B\x38\x3A\x09\x81\xB5\x6B\x85\xD7\xBE\x2D\xED\x3F\x1A\xB7\xB2\x63\xE2\xF5\x62\x2C\x82\xD4\x6A\x00\x41\x50\xF1\x39\x83\x9F\x95\xE9\x36\x96\x98\x6E",
+	["CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x3F\x30\x82\x03\x27\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC0\x71\x33\x82\x8A\xD0\x70\xEB\x73\x87\x82\x40\xD5\x1D\xE4\xCB\xC9\x0E\x42\x90\xF9\xDE\x34\xB9\xA1\xBA\x11\xF4\x25\x85\xF3\xCC\x72\x6D\xF2\x7B\x97\x6B\xB3\x07\xF1\x77\x24\x91\x5F\x25\x8F\xF6\x74\x3D\xE4\x80\xC2\xF8\x3C\x0D\xF3\xBF\x40\xEA\xF7\xC8\x52\xD1\x72\x6F\xEF\xC8\xAB\x41\xB8\x6E\x2E\x17\x2A\x95\x69\x0C\xCD\xD2\x1E\x94\x7B\x2D\x94\x1D\xAA\x75\xD7\xB3\x98\xCB\xAC\xBC\x64\x53\x40\xBC\x8F\xAC\xAC\x36\xCB\x5C\xAD\xBB\xDD\xE0\x94\x17\xEC\xD1\x5C\xD0\xBF\xEF\xA5\x95\xC9\x90\xC5\xB0\xAC\xFB\x1B\x43\xDF\x7A\x08\x5D\xB7\xB8\xF2\x40\x1B\x2B\x27\x9E\x50\xCE\x5E\x65\x82\x88\x8C\x5E\xD3\x4E\x0C\x7A\xEA\x08\x91\xB6\x36\xAA\x2B\x42\xFB\xEA\xC2\xA3\x39\xE5\xDB\x26\x38\xAD\x8B\x0A\xEE\x19\x63\xC7\x1C\x24\xDF\x03\x78\xDA\xE6\xEA\xC1\x47\x1A\x0B\x0B\x46\x09\xDD\x02\xFC\xDE\xCB\x87\x5F\xD7\x30\x63\x68\xA1\xAE\xDC\x32\xA1\xBA\xBE\xFE\x44\xAB\x68\xB6\xA5\x17\x15\xFD\xBD\xD5\xA7\xA7\x9A\xE4\x44\x33\xE9\x88\x8E\xFC\xED\x51\xEB\x93\x71\x4E\xAD\x01\xE7\x44\x8E\xAB\x2D\xCB\xA8\xFE\x01\x49\x48\xF0\xC0\xDD\xC7\x68\xD8\x92\xFE\x3D\x02\x03\x01\x00\x01\xA3\x81\xC7\x30\x81\xC4\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3C\xD8\x93\x88\xC2\xC0\x82\x09\xCC\x01\x99\x06\x93\x20\xE9\x9E\x70\x09\x63\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x81\x06\x03\x55\x1D\x1F\x04\x7A\x30\x78\x30\x3B\xA0\x39\xA0\x37\x86\x35\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x87\x01\x6D\x23\x1D\x7E\x5B\x17\x7D\xC1\x61\x32\xCF\x8F\xE7\xF3\x8A\x94\x59\x66\xE0\x9E\x28\xA8\x5E\xD3\xB7\xF4\x34\xE6\xAA\x39\xB2\x97\x16\xC5\x82\x6F\x32\xA4\xE9\x8C\xE7\xAF\xFD\xEF\xC2\xE8\xB9\x4B\xAA\xA3\xF4\xE6\xDA\x8D\x65\x21\xFB\xBA\x80\xEB\x26\x28\x85\x1A\xFE\x39\x8C\xDE\x5B\x04\x04\xB4\x54\xF9\xA3\x67\x9E\x41\xFA\x09\x52\xCC\x05\x48\xA8\xC9\x3F\x21\x04\x1E\xCE\x48\x6B\xFC\x85\xE8\xC2\x7B\xAF\x7F\xB7\xCC\xF8\x5F\x3A\xFD\x35\xC6\x0D\xEF\x97\xDC\x4C\xAB\x11\xE1\x6B\xCB\x31\xD1\x6C\xFB\x48\x80\xAB\xDC\x9C\x37\xB8\x21\x14\x4B\x0D\x71\x3D\xEC\x83\x33\x6E\xD1\x6E\x32\x16\xEC\x98\xC7\x16\x8B\x59\xA6\x34\xAB\x05\x57\x2D\x93\xF7\xAA\x13\xCB\xD2\x13\xE2\xB7\x2E\x3B\xCD\x6B\x50\x17\x09\x68\x3E\xB5\x26\x57\xEE\xB6\xE0\xB6\xDD\xB9\x29\x80\x79\x7D\x8F\xA3\xF0\xA4\x28\xA4\x15\xC4\x85\xF4\x27\xD4\x6B\xBF\xE5\x5C\xE4\x65\x02\x76\x54\xB4\xE3\x37\x66\x24\xD3\x19\x61\xC8\x52\x10\xE5\x8B\x37\x9A\xB9\xA9\xF9\x1D\xBF\xEA\x99\x92\x61\x96\xFF\x01\xCD\xA1\x5F\x0D\xBC\x71\xBC\x0E\xAC\x0B\x1D\x47\x45\x1D\xC1\xEC\x7C\xEC\xFD\x29",
+	["CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\x71\x6F\x36\x58\x53\x5A\xF2\x36\x54\x57\x80\xC4\x74\x08\x20\xED\x18\x7F\x2A\x1D\xE6\x35\x9A\x1E\x25\xAC\x9C\xE5\x96\x7E\x72\x52\xA0\x15\x42\xDB\x59\xDD\x64\x7A\x1A\xD0\xB8\x7B\xDD\x39\x15\xBC\x55\x48\xC4\xED\x3A\x00\xEA\x31\x11\xBA\xF2\x71\x74\x1A\x67\xB8\xCF\x33\xCC\xA8\x31\xAF\xA3\xE3\xD7\x7F\xBF\x33\x2D\x4C\x6A\x3C\xEC\x8B\xC3\x92\xD2\x53\x77\x24\x74\x9C\x07\x6E\x70\xFC\xBD\x0B\x5B\x76\xBA\x5F\xF2\xFF\xD7\x37\x4B\x4A\x60\x78\xF7\xF0\xFA\xCA\x70\xB4\xEA\x59\xAA\xA3\xCE\x48\x2F\xA9\xC3\xB2\x0B\x7E\x17\x72\x16\x0C\xA6\x07\x0C\x1B\x38\xCF\xC9\x62\xB7\x3F\xA0\x93\xA5\x87\x41\xF2\xB7\x70\x40\x77\xD8\xBE\x14\x7C\xE3\xA8\xC0\x7A\x8E\xE9\x63\x6A\xD1\x0F\x9A\xC6\xD2\xF4\x8B\x3A\x14\x04\x56\xD4\xED\xB8\xCC\x6E\xF5\xFB\xE2\x2C\x58\xBD\x7F\x4F\x6B\x2B\xF7\x60\x24\x58\x24\xCE\x26\xEF\x34\x91\x3A\xD5\xE3\x81\xD0\xB2\xF0\x04\x02\xD7\x5B\xB7\x3E\x92\xAC\x6B\x12\x8A\xF9\xE4\x05\xB0\x3B\x91\x49\x5C\xB2\xEB\x53\xEA\xF8\x9F\x47\x86\xEE\xBF\x95\xC0\xC0\x06\x9F\xD2\x5B\x5E\x11\x1B\xF4\xC7\x04\x35\x29\xD2\x55\x5C\xE4\xED\xEB\x02\x03\x01\x00\x01\xA3\x81\xC9\x30\x81\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC5\x7B\x58\xBD\xED\xDA\x25\x69\xD2\xF7\x59\x16\xA8\xB3\x32\xC0\x7B\x27\x5B\xF4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x83\x06\x03\x55\x1D\x1F\x04\x7C\x30\x7A\x30\x3C\xA0\x3A\xA0\x38\x86\x36\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x3A\xA0\x38\xA0\x36\x86\x34\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xC8\x93\x81\x3B\x89\xB4\xAF\xB8\x84\x12\x4C\x8D\xD2\xF0\xDB\x70\xBA\x57\x86\x15\x34\x10\xB9\x2F\x7F\x1E\xB0\xA8\x89\x60\xA1\x8A\xC2\x77\x0C\x50\x4A\x9B\x00\x8B\xD8\x8B\xF4\x41\xE2\xD0\x83\x8A\x4A\x1C\x14\x06\xB0\xA3\x68\x05\x70\x31\x30\xA7\x53\x9B\x0E\xE9\x4A\xA0\x58\x69\x67\x0E\xAE\x9D\xF6\xA5\x2C\x41\xBF\x3C\x06\x6B\xE4\x59\xCC\x6D\x10\xF1\x96\x6F\x1F\xDF\xF4\x04\x02\xA4\x9F\x45\x3E\xC8\xD8\xFA\x36\x46\x44\x50\x3F\x82\x97\x91\x1F\x28\xDB\x18\x11\x8C\x2A\xE4\x65\x83\x57\x12\x12\x8C\x17\x3F\x94\x36\xFE\x5D\xB0\xC0\x04\x77\x13\xB8\xF4\x15\xD5\x3F\x38\xCC\x94\x3A\x55\xD0\xAC\x98\xF5\xBA\x00\x5F\xE0\x86\x19\x81\x78\x2F\x28\xC0\x7E\xD3\xCC\x42\x0A\xF5\xAE\x50\xA0\xD1\x3E\xC6\xA1\x71\xEC\x3F\xA0\x20\x8C\x66\x3A\x89\xB4\x8E\xD4\xD8\xB1\x4D\x25\x47\xEE\x2F\x88\xC8\xB5\xE1\x05\x45\xC0\xBE\x14\x71\xDE\x7A\xFD\x8E\x7B\x7D\x4D\x08\x96\xA5\x12\x73\xF0\x2D\xCA\x37\x27\x74\x12\x27\x4C\xCB\xB6\x97\xE9\xD9\xAE\x08\x6D\x5A\x39\x40\xDD\x05\x47\x75\x6A\x5A\x21\xB3\xA3\x18\xCF\x4E\xF7\x2E\x57\xB7\x98\x70\x5E\xC8\xC4\x78\xB0\x62",
+	["CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM"] = "\x30\x82\x05\xD0\x30\x82\x04\xB8\xA0\x03\x02\x01\x02\x02\x04\x3A\xB6\x50\x8B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x31\x30\x33\x31\x39\x31\x38\x33\x33\x33\x33\x5A\x17\x0D\x32\x31\x30\x33\x31\x37\x31\x38\x33\x33\x33\x33\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x61\xB5\x95\x53\xBA\x57\xFC\xFA\xF2\x67\x0B\x3A\x1A\xDF\x11\x80\x64\x95\xB4\xD1\xBC\xCD\x7A\xCF\xF6\x29\x96\x2E\x24\x54\x40\x24\x38\xF7\x1A\x85\xDC\x58\x4C\xCB\xA4\x27\x42\x97\xD0\x9F\x83\x8A\xC3\xE4\x06\x03\x5B\x00\xA5\x51\x1E\x70\x04\x74\xE2\xC1\xD4\x3A\xAB\xD7\xAD\x3B\x07\x18\x05\x8E\xFD\x83\xAC\xEA\x66\xD9\x18\x1B\x68\x8A\xF5\x57\x1A\x98\xBA\xF5\xED\x76\x3D\x7C\xD9\xDE\x94\x6A\x3B\x4B\x17\xC1\xD5\x8F\xBD\x65\x38\x3A\x95\xD0\x3D\x55\x36\x4E\xDF\x79\x57\x31\x2A\x1E\xD8\x59\x65\x49\x58\x20\x98\x7E\xAB\x5F\x7E\x9F\xE9\xD6\x4D\xEC\x83\x74\xA9\xC7\x6C\xD8\xEE\x29\x4A\x85\x2A\x06\x14\xF9\x54\xE6\xD3\xDA\x65\x07\x8B\x63\x37\x12\xD7\xD0\xEC\xC3\x7B\x20\x41\x44\xA3\xED\xCB\xA0\x17\xE1\x71\x65\xCE\x1D\x66\x31\xF7\x76\x01\x19\xC8\x7D\x03\x58\xB6\x95\x49\x1D\xA6\x12\x26\xE8\xC6\x0C\x76\xE0\xE3\x66\xCB\xEA\x5D\xA6\x26\xEE\xE5\xCC\x5F\xBD\x67\xA7\x01\x27\x0E\xA2\xCA\x54\xC5\xB1\x7A\x95\x1D\x71\x1E\x4A\x29\x8A\x03\xDC\x6A\x45\xC1\xA4\x19\x5E\x6F\x36\xCD\xC3\xA2\xB0\xB7\xFE\x5C\x38\xE2\x52\xBC\xF8\x44\x43\xE6\x90\xBB\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x31\x30\x2F\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x21\x68\x74\x74\x70\x73\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x6F\x66\x66\x73\x68\x6F\x72\x65\x2E\x63\x6F\x6D\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x1A\x06\x03\x55\x1D\x20\x04\x82\x01\x11\x30\x82\x01\x0D\x30\x82\x01\x09\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x01\x30\x81\xFB\x30\x81\xD4\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC7\x1A\x81\xC4\x52\x65\x6C\x69\x61\x6E\x63\x65\x20\x6F\x6E\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x62\x79\x20\x61\x6E\x79\x20\x70\x61\x72\x74\x79\x20\x61\x73\x73\x75\x6D\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x74\x68\x65\x6E\x20\x61\x70\x70\x6C\x69\x63\x61\x62\x6C\x65\x20\x73\x74\x61\x6E\x64\x61\x72\x64\x20\x74\x65\x72\x6D\x73\x20\x61\x6E\x64\x20\x63\x6F\x6E\x64\x69\x74\x69\x6F\x6E\x73\x20\x6F\x66\x20\x75\x73\x65\x2C\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x70\x72\x61\x63\x74\x69\x63\x65\x73\x2C\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x2E\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x16\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x2E\x62\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\x30\x81\xAE\x06\x03\x55\x1D\x23\x04\x81\xA6\x30\x81\xA3\x80\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\xA1\x81\x84\xA4\x81\x81\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x04\x3A\xB6\x50\x8B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8A\xD4\x14\xB5\xFE\xF4\x9A\x92\xA7\x19\xD4\xA4\x7E\x72\x18\x8F\xD9\x68\x7C\x52\x24\xDD\x67\x6F\x39\x7A\xC4\xAA\x5E\x3D\xE2\x58\xB0\x4D\x70\x98\x84\x61\xE8\x1B\xE3\x69\x18\x0E\xCE\xFB\x47\x50\xA0\x4E\xFF\xF0\x24\x1F\xBD\xB2\xCE\xF5\x27\xFC\xEC\x2F\x53\xAA\x73\x7B\x03\x3D\x74\x6E\xE6\x16\x9E\xEB\xA5\x2E\xC4\xBF\x56\x27\x50\x2B\x62\xBA\xBE\x4B\x1C\x3C\x55\x5C\x41\x1D\x24\xBE\x82\x20\x47\x5D\xD5\x44\x7E\x7A\x16\x68\xDF\x7D\x4D\x51\x70\x78\x57\x1D\x33\x1E\xFD\x02\x99\x9C\x0C\xCD\x0A\x05\x4F\xC7\xBB\x8E\xA4\x75\xFA\x4A\x6D\xB1\x80\x8E\x09\x56\xB9\x9C\x1A\x60\xFE\x5D\xC1\xD7\x7A\xDC\x11\x78\xD0\xD6\x5D\xC1\xB7\xD5\xAD\x32\x99\x03\x3A\x8A\xCC\x54\x25\x39\x31\x81\x7B\x13\x22\x51\xBA\x46\x6C\xA1\xBB\x9E\xFA\x04\x6C\x49\x26\x74\x8F\xD2\x73\xEB\xCC\x30\xA2\xE6\xEA\x59\x22\x87\xF8\x97\xF5\x0E\xFD\xEA\xCC\x92\xA4\x16\xC4\x52\x18\xEA\x21\xCE\xB1\xF1\xE6\x84\x81\xE5\xBA\xA9\x86\x28\xF2\x43\x5A\x5D\x12\x9D\xAC\x1E\xD9\xA8\xE5\x0A\x6A\xA7\x7F\xA0\x87\x29\xCF\xF2\x89\x4D\xD4\xEC\xC5\xE2\xE6\x7A\xD0\x36\x23\x8A\x4A\x74\x36\xF9",
+	["CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM"] = "\x30\x82\x05\xB7\x30\x82\x03\x9F\xA0\x03\x02\x01\x02\x02\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x38\x32\x37\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x38\x32\x33\x33\x33\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x18\xCA\x4B\x94\x0D\x00\x2D\xAF\x03\x29\x8A\xF0\x0F\x81\xC8\xAE\x4C\x19\x85\x1D\x08\x9F\xAB\x29\x44\x85\xF3\x2F\x81\xAD\x32\x1E\x90\x46\xBF\xA3\x86\x26\x1A\x1E\xFE\x7E\x1C\x18\x3A\x5C\x9C\x60\x17\x2A\x3A\x74\x83\x33\x30\x7D\x61\x54\x11\xCB\xED\xAB\xE0\xE6\xD2\xA2\x7E\xF5\x6B\x6F\x18\xB7\x0A\x0B\x2D\xFD\xE9\x3E\xEF\x0A\xC6\xB3\x10\xE9\xDC\xC2\x46\x17\xF8\x5D\xFD\xA4\xDA\xFF\x9E\x49\x5A\x9C\xE6\x33\xE6\x24\x96\xF7\x3F\xBA\x5B\x2B\x1C\x7A\x35\xC2\xD6\x67\xFE\xAB\x66\x50\x8B\x6D\x28\x60\x2B\xEF\xD7\x60\xC3\xC7\x93\xBC\x8D\x36\x91\xF3\x7F\xF8\xDB\x11\x13\xC4\x9C\x77\x76\xC1\xAE\xB7\x02\x6A\x81\x7A\xA9\x45\x83\xE2\x05\xE6\xB9\x56\xC1\x94\x37\x8F\x48\x71\x63\x22\xEC\x17\x65\x07\x95\x8A\x4B\xDF\x8F\xC6\x5A\x0A\xE5\xB0\xE3\x5F\x5E\x6B\x11\xAB\x0C\xF9\x85\xEB\x44\xE9\xF8\x04\x73\xF2\xE9\xFE\x5C\x98\x8C\xF5\x73\xAF\x6B\xB4\x7E\xCD\xD4\x5C\x02\x2B\x4C\x39\xE1\xB2\x95\x95\x2D\x42\x87\xD7\xD5\xB3\x90\x43\xB7\x6C\x13\xF1\xDE\xDD\xF6\xC4\xF8\x89\x3F\xD1\x75\xF5\x92\xC3\x91\xD5\x8A\x88\xD0\x90\xEC\xDC\x6D\xDE\x89\xC2\x65\x71\x96\x8B\x0D\x03\xFD\x9C\xBF\x5B\x16\xAC\x92\xDB\xEA\xFE\x79\x7C\xAD\xEB\xAF\xF7\x16\xCB\xDB\xCD\x25\x2B\xE5\x1F\xFB\x9A\x9F\xE2\x51\xCC\x3A\x53\x0C\x48\xE6\x0E\xBD\xC9\xB4\x76\x06\x52\xE6\x11\x13\x85\x72\x63\x03\x04\xE0\x04\x36\x2B\x20\x19\x02\xE8\x74\xA7\x1F\xB6\xC9\x56\x66\xF0\x75\x25\xDC\x67\xC1\x0E\x61\x60\x88\xB3\x3E\xD1\xA8\xFC\xA3\xDA\x1D\xB0\xD1\xB1\x23\x54\xDF\x44\x76\x6D\xED\x41\xD8\xC1\xB2\x22\xB6\x53\x1C\xDF\x35\x1D\xDC\xA1\x77\x2A\x31\xE4\x2D\xF5\xE5\xE5\xDB\xC8\xE0\xFF\xE5\x80\xD7\x0B\x63\xA0\xFF\x33\xA1\x0F\xBA\x2C\x15\x15\xEA\x97\xB3\xD2\xA2\xB5\xBE\xF2\x8C\x96\x1E\x1A\x8F\x1D\x6C\xA4\x61\x37\xB9\x86\x73\x33\xD7\x97\x96\x9E\x23\x7D\x82\xA4\x4C\x81\xE2\xA1\xD1\xBA\x67\x5F\x95\x07\xA3\x27\x11\xEE\x16\x10\x7B\xBC\x45\x4A\x4C\xB2\x04\xD2\xAB\xEF\xD5\xFD\x0C\x51\xCE\x50\x6A\x08\x31\xF9\x91\xDA\x0C\x8F\x64\x5C\x03\xC3\x3A\x8B\x20\x3F\x6E\x8D\x67\x3D\x3A\xD6\xFE\x7D\x5B\x88\xC9\x5E\xFB\xCC\x61\xDC\x8B\x33\x77\xD3\x44\x32\x35\x09\x62\x04\x92\x16\x10\xD8\x9E\x27\x47\xFB\x3B\x21\xE3\xF8\xEB\x1D\x5B\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x82\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x3E\x0A\x16\x4D\x9F\x06\x5B\xA8\xAE\x71\x5D\x2F\x05\x2F\x67\xE6\x13\x45\x83\xC4\x36\xF6\xF3\xC0\x26\x0C\x0D\xB5\x47\x64\x5D\xF8\xB4\x72\xC9\x46\xA5\x03\x18\x27\x55\x89\x78\x7D\x76\xEA\x96\x34\x80\x17\x20\xDC\xE7\x83\xF8\x8D\xFC\x07\xB8\xDA\x5F\x4D\x2E\x67\xB2\x84\xFD\xD9\x44\xFC\x77\x50\x81\xE6\x7C\xB4\xC9\x0D\x0B\x72\x53\xF8\x76\x07\x07\x41\x47\x96\x0C\xFB\xE0\x82\x26\x93\x55\x8C\xFE\x22\x1F\x60\x65\x7C\x5F\xE7\x26\xB3\xF7\x32\x90\x98\x50\xD4\x37\x71\x55\xF6\x92\x21\x78\xF7\x95\x79\xFA\xF8\x2D\x26\x87\x66\x56\x30\x77\xA6\x37\x78\x33\x52\x10\x58\xAE\x3F\x61\x8E\xF2\x6A\xB1\xEF\x18\x7E\x4A\x59\x63\xCA\x8D\xA2\x56\xD5\xA7\x2F\xBC\x56\x1F\xCF\x39\xC1\xE2\xFB\x0A\xA8\x15\x2C\x7D\x4D\x7A\x63\xC6\x6C\x97\x44\x3C\xD2\x6F\xC3\x4A\x17\x0A\xF8\x90\xD2\x57\xA2\x19\x51\xA5\x2D\x97\x41\xDA\x07\x4F\xA9\x50\xDA\x90\x8D\x94\x46\xE1\x3E\xF0\x94\xFD\x10\x00\x38\xF5\x3B\xE8\x40\xE1\xB4\x6E\x56\x1A\x20\xCC\x6F\x58\x8D\xED\x2E\x45\x8F\xD6\xE9\x93\x3F\xE7\xB1\x2C\xDF\x3A\xD6\x22\x8C\xDC\x84\xBB\x22\x6F\xD0\xF8\xE4\xC6\x39\xE9\x04\x88\x3C\xC3\xBA\xEB\x55\x7A\x6D\x80\x99\x24\xF5\x6C\x01\xFB\xF8\x97\xB0\x94\x5B\xEB\xFD\xD2\x6F\xF1\x77\x68\x0D\x35\x64\x23\xAC\xB8\x55\xA1\x03\xD1\x4D\x42\x19\xDC\xF8\x75\x59\x56\xA3\xF9\xA8\x49\x79\xF8\xAF\x0E\xB9\x11\xA0\x7C\xB7\x6A\xED\x34\xD0\xB6\x26\x62\x38\x1A\x87\x0C\xF8\xE8\xFD\x2E\xD3\x90\x7F\x07\x91\x2A\x1D\xD6\x7E\x5C\x85\x83\x99\xB0\x38\x08\x3F\xE9\x5E\xF9\x35\x07\xE4\xC9\x62\x6E\x57\x7F\xA7\x50\x95\xF7\xBA\xC8\x9B\xE6\x8E\xA2\x01\xC5\xD6\x66\xBF\x79\x61\xF3\x3C\x1C\xE1\xB9\x82\x5C\x5D\xA0\xC3\xE9\xD8\x48\xBD\x19\xA2\x11\x14\x19\x6E\xB2\x86\x1B\x68\x3E\x48\x37\x1A\x88\xB7\x5D\x96\x5E\x9C\xC7\xEF\x27\x62\x08\xE2\x91\x19\x5C\xD2\xF1\x21\xDD\xBA\x17\x42\x82\x97\x71\x81\x53\x31\xA9\x9F\xF6\x7D\x62\xBF\x72\xE1\xA3\x93\x1D\xCC\x8A\x26\x5A\x09\x38\xD0\xCE\xD7\x0D\x80\x16\xB4\x78\xA5\x3A\x87\x4C\x8D\x8A\xA5\xD5\x46\x97\xF2\x2C\x10\xB9\xBC\x54\x22\xC0\x01\x50\x69\x43\x9E\xF4\xB2\xEF\x6D\xF8\xEC\xDA\xF1\xE3\xB1\xEF\xDF\x91\x8F\x54\x2A\x0B\x25\xC1\x26\x19\xC4\x52\x10\x05\x65\xD5\x82\x10\xEA\xC2\x31\xCD\x2E",
+	["CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM"] = "\x30\x82\x06\x9D\x30\x82\x04\x85\xA0\x03\x02\x01\x02\x02\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x39\x31\x31\x32\x33\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x39\x30\x36\x34\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\x57\x42\x16\x54\x9C\xE6\x98\xD3\xD3\x4D\xEE\xFE\xED\xC7\x9F\x43\x39\x4A\x65\xB3\xE8\x16\x88\x34\xDB\x0D\x59\x91\x74\xCF\x92\xB8\x04\x40\xAD\x02\x4B\x31\xAB\xBC\x8D\x91\x68\xD8\x20\x0E\x1A\x01\xE2\x1A\x7B\x4E\x17\x5D\xE2\x8A\xB7\x3F\x99\x1A\xCD\xEB\x61\xAB\xC2\x65\xA6\x1F\xB7\xB7\xBD\xB7\x8F\xFC\xFD\x70\x8F\x0B\xA0\x67\xBE\x01\xA2\x59\xCF\x71\xE6\x0F\x29\x76\xFF\xB1\x56\x79\x45\x2B\x1F\x9E\x7A\x54\xE8\xA3\x29\x35\x68\xA4\x01\x4F\x0F\xA4\x2E\x37\xEF\x1B\xBF\xE3\x8F\x10\xA8\x72\xAB\x58\x57\xE7\x54\x86\xC8\xC9\xF3\x5B\xDA\x2C\xDA\x5D\x8E\x6E\x3C\xA3\x3E\xDA\xFB\x82\xE5\xDD\xF2\x5C\xB2\x05\x33\x6F\x8A\x36\xCE\xD0\x13\x4E\xFF\xBF\x4A\x0C\x34\x4C\xA6\xC3\x21\xBD\x50\x04\x55\xEB\xB1\xBB\x9D\xFB\x45\x1E\x64\x15\xDE\x55\x01\x8C\x02\x76\xB5\xCB\xA1\x3F\x42\x69\xBC\x2F\xBD\x68\x43\x16\x56\x89\x2A\x37\x61\x91\xFD\xA6\xAE\x4E\xC0\xCB\x14\x65\x94\x37\x4B\x92\x06\xEF\x04\xD0\xC8\x9C\x88\xDB\x0B\x7B\x81\xAF\xB1\x3D\x2A\xC4\x65\x3A\x78\xB6\xEE\xDC\x80\xB1\xD2\xD3\x99\x9C\x3A\xEE\x6B\x5A\x6B\xB3\x8D\xB7\xD5\xCE\x9C\xC2\xBE\xA5\x4B\x2F\x16\xB1\x9E\x68\x3B\x06\x6F\xAE\x7D\x9F\xF8\xDE\xEC\xCC\x29\xA7\x98\xA3\x25\x43\x2F\xEF\xF1\x5F\x26\xE1\x88\x4D\xF8\x5E\x6E\xD7\xD9\x14\x6E\x19\x33\x69\xA7\x3B\x84\x89\x93\xC4\x53\x55\x13\xA1\x51\x78\x40\xF8\xB8\xC9\xA2\xEE\x7B\xBA\x52\x42\x83\x9E\x14\xED\x05\x52\x5A\x59\x56\xA7\x97\xFC\x9D\x3F\x0A\x29\xD8\xDC\x4F\x91\x0E\x13\xBC\xDE\x95\xA4\xDF\x8B\x99\xBE\xAC\x9B\x33\x88\xEF\xB5\x81\xAF\x1B\xC6\x22\x53\xC8\xF6\xC7\xEE\x97\x14\xB0\xC5\x7C\x78\x52\xC8\xF0\xCE\x6E\x77\x60\x84\xA6\xE9\x2A\x76\x20\xED\x58\x01\x17\x30\x93\xE9\x1A\x8B\xE0\x73\x63\xD9\x6A\x92\x94\x49\x4E\xB4\xAD\x4A\x85\xC4\xA3\x22\x30\xFC\x09\xED\x68\x22\x73\xA6\x88\x0C\x55\x21\x58\xC5\xE1\x3A\x9F\x2A\xDD\xCA\xE1\x90\xE0\xD9\x73\xAB\x6C\x80\xB8\xE8\x0B\x64\x93\xA0\x9C\x8C\x19\xFF\xB3\xD2\x0C\xEC\x91\x26\x87\x8A\xB3\xA2\xE1\x70\x8F\x2C\x0A\xE5\xCD\x6D\x68\x51\xEB\xDA\x3F\x05\x7F\x8B\x32\xE6\x13\x5C\x6B\xFE\x5F\x40\xE2\x22\xC8\xB4\xB4\x64\x4F\xD6\xBA\x7D\x48\x3E\xA8\x69\x0C\xD7\xBB\x86\x71\xC9\x73\xB8\x3F\x3B\x9D\x25\x4B\xDA\xFF\x40\xEB\x02\x03\x01\x00\x01\xA3\x82\x01\x95\x30\x82\x01\x91\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\xE1\x06\x03\x55\x1D\x20\x04\x81\xD9\x30\x81\xD6\x30\x81\xD3\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x03\x30\x81\xC5\x30\x81\x93\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\x86\x1A\x81\x83\x41\x6E\x79\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x63\x6F\x6E\x73\x74\x69\x74\x75\x74\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x20\x2F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x50\x72\x61\x63\x74\x69\x63\x65\x20\x53\x74\x61\x74\x65\x6D\x65\x6E\x74\x2E\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x67\x6C\x6F\x62\x61\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x82\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x4F\xAD\xA0\x2C\x4C\xFA\xC0\xF2\x6F\xF7\x66\x55\xAB\x23\x34\xEE\xE7\x29\xDA\xC3\x5B\xB6\xB0\x83\xD9\xD0\xD0\xE2\x21\xFB\xF3\x60\xA7\x3B\x5D\x60\x53\x27\xA2\x9B\xF6\x08\x22\x2A\xE7\xBF\xA0\x72\xE5\x9C\x24\x6A\x31\xB1\x90\x7A\x27\xDB\x84\x11\x89\x27\xA6\x77\x5A\x38\xD7\xBF\xAC\x86\xFC\xEE\x5D\x83\xBC\x06\xC6\xD1\x77\x6B\x0F\x6D\x24\x2F\x4B\x7A\x6C\xA7\x07\x96\xCA\xE3\x84\x9F\xAD\x88\x8B\x1D\xAB\x16\x8D\x5B\x66\x17\xD9\x16\xF4\x8B\x80\xD2\xDD\xF8\xB2\x76\xC3\xFC\x38\x13\xAA\x0C\xDE\x42\x69\x2B\x6E\xF3\x3C\xEB\x80\x27\xDB\xF5\xA6\x44\x0D\x9F\x5A\x55\x59\x0B\xD5\x0D\x52\x48\xC5\xAE\x9F\xF2\x2F\x80\xC5\xEA\x32\x50\x35\x12\x97\x2E\xC1\xE1\xFF\xF1\x23\x88\x51\x38\x9F\xF2\x66\x56\x76\xE7\x0F\x51\x97\xA5\x52\x0C\x4D\x49\x51\x95\x36\x3D\xBF\xA2\x4B\x0C\x10\x1D\x86\x99\x4C\xAA\xF3\x72\x11\x93\xE4\xEA\xF6\x9B\xDA\xA8\x5D\xA7\x4D\xB7\x9E\x02\xAE\x73\x00\xC8\xDA\x23\x03\xE8\xF9\xEA\x19\x74\x62\x00\x94\xCB\x22\x20\xBE\x94\xA7\x59\xB5\x82\x6A\xBE\x99\x79\x7A\xA9\xF2\x4A\x24\x52\xF7\x74\xFD\xBA\x4E\xE6\xA8\x1D\x02\x6E\xB1\x0D\x80\x44\xC1\xAE\xD3\x23\x37\x5F\xBB\x85\x7C\x2B\x92\x2E\xE8\x7E\xA5\x8B\xDD\x99\xE1\xBF\x27\x6F\x2D\x5D\xAA\x7B\x87\xFE\x0A\xDD\x4B\xFC\x8E\xF5\x26\xE4\x6E\x70\x42\x6E\x33\xEC\x31\x9E\x7B\x93\xC1\xE4\xC9\x69\x1A\x3D\xC0\x6B\x4E\x22\x6D\xEE\xAB\x58\x4D\xC6\xD0\x41\xC1\x2B\xEA\x4F\x12\x87\x5E\xEB\x45\xD8\x6C\xF5\x98\x02\xD3\xA0\xD8\x55\x8A\x06\x99\x19\xA2\xA0\x77\xD1\x30\x9E\xAC\xCC\x75\xEE\x83\xF5\xB0\x62\x39\xCF\x6C\x57\xE2\x4C\xD2\x91\x0B\x0E\x75\x28\x1B\x9A\xBF\xFD\x1A\x43\xF1\xCA\x77\xFB\x3B\x8F\x61\xB8\x69\x28\x16\x42\x04\x5E\x70\x2A\x1C\x21\xD8\x8F\xE1\xBD\x23\x5B\x2D\x74\x40\x92\xD9\x63\x19\x0D\x73\xDD\x69\xBC\x62\x47\xBC\xE0\x74\x2B\xB2\xEB\x7D\xBE\x41\x1B\xB5\xC0\x46\xC5\xA1\x22\xCB\x5F\x4E\xC1\x28\x92\xDE\x18\xBA\xD5\x2A\x28\xBB\x11\x8B\x17\x93\x98\x99\x60\x94\x5C\x23\xCF\x5A\x27\x97\x5E\x0B\x05\x06\x93\x37\x1E\x3B\x69\x36\xEB\xA9\x9E\x61\x1D\x8F\x32\xDA\x8E\x0C\xD6\x74\x3E\x7B\x09\x24\xDA\x01\x77\x47\xC4\x3B\xCD\x34\x8C\x99\xF5\xCA\xE1\x25\x61\x33\xB2\x59\x1B\xE2\x6E\xD7\x37\x57\xB6\x0D\xA9\x12\xDA",
+	["OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP"] = "\x30\x82\x03\x5A\x30\x82\x02\x42\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x17\x0D\x32\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\xB3\xFE\x7F\xD3\x6D\xB1\xEF\x16\x7C\x57\xA5\x0C\x6D\x76\x8A\x2F\x4B\xBF\x64\xFB\x4C\xEE\x8A\xF0\xF3\x29\x7C\xF5\xFF\xEE\x2A\xE0\xE9\xE9\xBA\x5B\x64\x22\x9A\x9A\x6F\x2C\x3A\x26\x69\x51\x05\x99\x26\xDC\xD5\x1C\x6A\x71\xC6\x9A\x7D\x1E\x9D\xDD\x7C\x6C\xC6\x8C\x67\x67\x4A\x3E\xF8\x71\xB0\x19\x27\xA9\x09\x0C\xA6\x95\xBF\x4B\x8C\x0C\xFA\x55\x98\x3B\xD8\xE8\x22\xA1\x4B\x71\x38\x79\xAC\x97\x92\x69\xB3\x89\x7E\xEA\x21\x68\x06\x98\x14\x96\x87\xD2\x61\x36\xBC\x6D\x27\x56\x9E\x57\xEE\xC0\xC0\x56\xFD\x32\xCF\xA4\xD9\x8E\xC2\x23\xD7\x8D\xA8\xF3\xD8\x25\xAC\x97\xE4\x70\x38\xF4\xB6\x3A\xB4\x9D\x3B\x97\x26\x43\xA3\xA1\xBC\x49\x59\x72\x4C\x23\x30\x87\x01\x58\xF6\x4E\xBE\x1C\x68\x56\x66\xAF\xCD\x41\x5D\xC8\xB3\x4D\x2A\x55\x46\xAB\x1F\xDA\x1E\xE2\x40\x3D\xDB\xCD\x7D\xB9\x92\x80\x9C\x37\xDD\x0C\x96\x64\x9D\xDC\x22\xF7\x64\x8B\xDF\x61\xDE\x15\x94\x52\x15\xA0\x7D\x52\xC9\x4B\xA8\x21\xC9\xC6\xB1\xED\xCB\xC3\x95\x60\xD1\x0F\xF0\xAB\x70\xF8\xDF\xCB\x4D\x7E\xEC\xD6\xFA\xAB\xD9\xBD\x7F\x54\xF2\xA5\xE9\x79\xFA\xD9\xD6\x76\x24\x28\x73\x02\x03\x01\x00\x01\xA3\x3F\x30\x3D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x73\x49\x99\x68\xDC\x85\x5B\x65\xE3\x9B\x28\x2F\x57\x9F\xBD\x33\xBC\x07\x48\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x68\x40\xA9\xA8\xBB\xE4\x4F\x5D\x79\xB3\x05\xB5\x17\xB3\x60\x13\xEB\xC6\x92\x5D\xE0\xD1\xD3\x6A\xFE\xFB\xBE\x9B\x6D\xBF\xC7\x05\x6D\x59\x20\xC4\x1C\xF0\xB7\xDA\x84\x58\x02\x63\xFA\x48\x16\xEF\x4F\xA5\x0B\xF7\x4A\x98\xF2\x3F\x9E\x1B\xAD\x47\x6B\x63\xCE\x08\x47\xEB\x52\x3F\x78\x9C\xAF\x4D\xAE\xF8\xD5\x4F\xCF\x9A\x98\x2A\x10\x41\x39\x52\xC4\xDD\xD9\x9B\x0E\xEF\x93\x01\xAE\xB2\x2E\xCA\x68\x42\x24\x42\x6C\xB0\xB3\x3A\x3E\xCD\xE9\xDA\x48\xC4\x15\xCB\xE9\xF9\x07\x0F\x92\x50\x49\x8A\xDD\x31\x97\x5F\xC9\xE9\x37\xAA\x3B\x59\x65\x97\x94\x32\xC9\xB3\x9F\x3E\x3A\x62\x58\xC5\x49\xAD\x62\x0E\x71\xA5\x32\xAA\x2F\xC6\x89\x76\x43\x40\x13\x13\x67\x3D\xA2\x54\x25\x10\xCB\xF1\x3A\xF2\xD9\xFA\xDB\x49\x56\xBB\xA6\xFE\xA7\x41\x35\xC3\xE0\x88\x61\xC9\x88\xC7\xDF\x36\x10\x22\x98\x59\xEA\xB0\x4A\xFB\x56\x16\x73\x6E\xAC\x4D\xF7\x22\xA1\x4F\xAD\x1D\x7A\x2D\x45\x27\xE5\x30\xC1\x5E\xF2\xDA\x13\xCB\x25\x42\x51\x95\x47\x03\x8C\x6C\x21\xCC\x74\x42\xED\x53\xFF\x33\x8B\x8F\x0F\x57\x01\x16\x2F\xCF\xA6\xEE\xC9\x70\x22\x14\xBD\xFD\xBE\x6C\x0B\x03",
+	["CN=Sonera Class2 CA,O=Sonera,C=FI"] = "\x30\x82\x03\x20\x30\x82\x02\x08\xA0\x03\x02\x01\x02\x02\x01\x1D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x1E\x17\x0D\x30\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x17\x0D\x32\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x90\x17\x4A\x35\x9D\xCA\xF0\x0D\x96\xC7\x44\xFA\x16\x37\xFC\x48\xBD\xBD\x7F\x80\x2D\x35\x3B\xE1\x6F\xA8\x67\xA9\xBF\x03\x1C\x4D\x8C\x6F\x32\x47\xD5\x41\x68\xA4\x13\x04\xC1\x35\x0C\x9A\x84\x43\xFC\x5C\x1D\xFF\x89\xB3\xE8\x17\x18\xCD\x91\x5F\xFB\x89\xE3\xEA\xBF\x4E\x5D\x7C\x1B\x26\xD3\x75\x79\xED\xE6\x84\xE3\x57\xE5\xAD\x29\xC4\xF4\x3A\x28\xE7\xA5\x7B\x84\x36\x69\xB3\xFD\x5E\x76\xBD\xA3\x2D\x99\xD3\x90\x4E\x23\x28\x7D\x18\x63\xF1\x54\x3B\x26\x9D\x76\x5B\x97\x42\xB2\xFF\xAE\xF0\x4E\xEC\xDD\x39\x95\x4E\x83\x06\x7F\xE7\x49\x40\xC8\xC5\x01\xB2\x54\x5A\x66\x1D\x3D\xFC\xF9\xE9\x3C\x0A\x9E\x81\xB8\x70\xF0\x01\x8B\xE4\x23\x54\x7C\xC8\xAE\xF8\x90\x1E\x00\x96\x72\xD4\x54\xCF\x61\x23\xBC\xEA\xFB\x9D\x02\x95\xD1\xB6\xB9\x71\x3A\x69\x08\x3F\x0F\xB4\xE1\x42\xC7\x88\xF5\x3F\x98\xA8\xA7\xBA\x1C\xE0\x71\x71\xEF\x58\x57\x81\x50\x7A\x5C\x6B\x74\x46\x0E\x83\x03\x98\xC3\x8E\xA8\x6E\xF2\x76\x32\x6E\x27\x83\xC2\x73\xF3\xDC\x18\xE8\xB4\x93\xEA\x75\x44\x6B\x04\x60\x20\x71\x57\x87\x9D\xF3\xBE\xA0\x90\x23\x3D\x8A\x24\xE1\xDA\x21\xDB\xC3\x02\x03\x01\x00\x01\xA3\x33\x30\x31\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x11\x06\x03\x55\x1D\x0E\x04\x0A\x04\x08\x4A\xA0\xAA\x58\x84\xD3\x5E\x3C\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\xCE\x87\xF9\x16\x72\x15\x57\x4B\x1D\xD9\x9B\xE7\xA2\x26\x30\xEC\x93\x67\xDF\xD6\x2D\xD2\x34\xAF\xF7\x38\xA5\xCE\xAB\x16\xB9\xAB\x2F\x7C\x35\xCB\xAC\xD0\x0F\xB4\x4C\x2B\xFC\x80\xEF\x6B\x8C\x91\x5F\x36\x76\xF7\xDB\xB3\x1B\x19\xEA\xF4\xB2\x11\xFD\x61\x71\x44\xBF\x28\xB3\x3A\x1D\xBF\xB3\x43\xE8\x9F\xBF\xDC\x31\x08\x71\xB0\x9D\x8D\xD6\x34\x47\x32\x90\xC6\x65\x24\xF7\xA0\x4A\x7C\x04\x73\x8F\x39\x6F\x17\x8C\x72\xB5\xBD\x4B\xC8\x7A\xF8\x7B\x83\xC3\x28\x4E\x9C\x09\xEA\x67\x3F\xB2\x67\x04\x1B\xC3\x14\xDA\xF8\xE7\x49\x24\x91\xD0\x1D\x6A\xFA\x61\x39\xEF\x6B\xE7\x21\x75\x06\x07\xD8\x12\xB4\x21\x20\x70\x42\x71\x81\xDA\x3C\x9A\x36\xBE\xA6\x5B\x0D\x6A\x6C\x9A\x1F\x91\x7B\xF9\xF9\xEF\x42\xBA\x4E\x4E\x9E\xCC\x0C\x8D\x94\xDC\xD9\x45\x9C\x5E\xEC\x42\x50\x63\xAE\xF4\x5D\xC4\xB1\x12\xDC\xCA\x3B\xA8\x2E\x9D\x14\x5A\x05\x75\xB7\xEC\xD7\x63\xE2\xBA\x35\xB6\x04\x08\x91\xE8\xDA\x9D\x9C\xF6\x66\xB5\x18\xAC\x0A\xA6\x54\x26\x34\x33\xD2\x1B\xC1\xD4\x7F\x1A\x3A\x8E\x0B\xAA\x32\x6E\xDB\xFC\x4F\x25\x9F\xD9\x32\xC7\x96\x5A\x70\xAC\xDF\x4C",
+	["CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"] = "\x30\x82\x03\xBA\x30\x82\x02\xA2\xA0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x31\x32\x31\x37\x30\x39\x32\x33\x34\x39\x5A\x17\x0D\x31\x35\x31\x32\x31\x36\x30\x39\x31\x35\x33\x38\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x98\xD2\xB5\x51\x11\x7A\x81\xA6\x14\x98\x71\x6D\xBE\xCC\xE7\x13\x1B\xD6\x27\x0E\x7A\xB3\x6A\x18\x1C\xB6\x61\x5A\xD5\x61\x09\xBF\xDE\x90\x13\xC7\x67\xEE\xDD\xF3\xDA\xC5\x0C\x12\x9E\x35\x55\x3E\x2C\x27\x88\x40\x6B\xF7\xDC\xDD\x22\x61\xF5\xC2\xC7\x0E\xF5\xF6\xD5\x76\x53\x4D\x8F\x8C\xBC\x18\x76\x37\x85\x9D\xE8\xCA\x49\xC7\xD2\x4F\x98\x13\x09\xA2\x3E\x22\x88\x9C\x7F\xD6\xF2\x10\x65\xB4\xEE\x5F\x18\xD5\x17\xE3\xF8\xC5\xFD\xE2\x9D\xA2\xEF\x53\x0E\x85\x77\xA2\x0F\xE1\x30\x47\xEE\x00\xE7\x33\x7D\x44\x67\x1A\x0B\x51\xE8\x8B\xA0\x9E\x50\x98\x68\x34\x52\x1F\x2E\x6D\x01\xF2\x60\x45\xF2\x31\xEB\xA9\x31\x68\x29\xBB\x7A\x41\x9E\xC6\x19\x7F\x94\xB4\x51\x39\x03\x7F\xB2\xDE\xA7\x32\x9B\xB4\x47\x8E\x6F\xB4\x4A\xAE\xE5\xAF\xB1\xDC\xB0\x1B\x61\xBC\x99\x72\xDE\xE4\x89\xB7\x7A\x26\x5D\xDA\x33\x49\x5B\x52\x9C\x0E\xF5\x8A\xAD\xC3\xB8\x3D\xE8\x06\x6A\xC2\xD5\x2A\x0B\x6C\x7B\x84\xBD\x56\x05\xCB\x86\x65\x92\xEC\x44\x2B\xB0\x8E\xB9\xDC\x70\x0B\x46\xDA\xAD\xBC\x63\x88\x39\xFA\xDB\x6A\xFE\x23\xFA\xBC\xE4\x48\xF4\x67\x2B\x6A\x11\x10\x21\x49\x02\x03\x01\x00\x01\xA3\x81\x91\x30\x81\x8E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x4F\x06\x03\x55\x1D\x20\x04\x48\x30\x46\x30\x44\x06\x04\x55\x1D\x20\x00\x30\x3C\x30\x3A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x6F\x76\x65\x72\x68\x65\x69\x64\x2E\x6E\x6C\x2F\x70\x6F\x6C\x69\x63\x69\x65\x73\x2F\x72\x6F\x6F\x74\x2D\x70\x6F\x6C\x69\x63\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA8\x7D\xEB\xBC\x63\xA4\x74\x13\x74\x00\xEC\x96\xE0\xD3\x34\xC1\x2C\xBF\x6C\xF8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\x84\x87\x55\x74\x36\x61\xC1\xBB\xD1\xD4\xC6\x15\xA8\x13\xB4\x9F\xA4\xFE\xBB\xEE\x15\xB4\x2F\x06\x0C\x29\xF2\xA8\x92\xA4\x61\x0D\xFC\xAB\x5C\x08\x5B\x51\x13\x2B\x4D\xC2\x2A\x61\xC8\xF8\x09\x58\xFC\x2D\x02\xB2\x39\x7D\x99\x66\x81\xBF\x6E\x5C\x95\x45\x20\x6C\xE6\x79\xA7\xD1\xD8\x1C\x29\xFC\xC2\x20\x27\x51\xC8\xF1\x7C\x5D\x34\x67\x69\x85\x11\x30\xC6\x00\xD2\xD7\xF3\xD3\x7C\xB6\xF0\x31\x57\x28\x12\x82\x73\xE9\x33\x2F\xA6\x55\xB4\x0B\x91\x94\x47\x9C\xFA\xBB\x7A\x42\x32\xE8\xAE\x7E\x2D\xC8\xBC\xAC\x14\xBF\xD9\x0F\xD9\x5B\xFC\xC1\xF9\x7A\x95\xE1\x7D\x7E\x96\xFC\x71\xB0\xC2\x4C\xC8\xDF\x45\x34\xC9\xCE\x0D\xF2\x9C\x64\x08\xD0\x3B\xC3\x29\xC5\xB2\xED\x90\x04\xC1\xB1\x29\x91\xC5\x30\x6F\xC1\xA9\x72\x33\xCC\xFE\x5D\x16\x17\x2C\x11\x69\xE7\x7E\xFE\xC5\x83\x08\xDF\xBC\xDC\x22\x3A\x2E\x20\x69\x23\x39\x56\x60\x67\x90\x8B\x2E\x76\x39\xFB\x11\x88\x97\xF6\x7C\xBD\x4B\xB8\x20\x16\x67\x05\x8D\xE2\x3B\xC1\x72\x3F\x94\x95\x37\xC7\x5D\xB9\x9E\xD8\x93\xA1\x17\x8F\xFF\x0C\x66\x15\xC1\x24\x7C\x32\x7C\x03\x1D\x3B\xA1\x58\x45\x32\x93",
+	["OU=TDC Internet Root CA,O=TDC Internet,C=DK"] = "\x30\x82\x04\x2B\x30\x82\x03\x13\xA0\x03\x02\x01\x02\x02\x04\x3A\xCC\xA5\x4C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x31\x30\x34\x30\x35\x31\x36\x33\x33\x31\x37\x5A\x17\x0D\x32\x31\x30\x34\x30\x35\x31\x37\x30\x33\x31\x37\x5A\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC4\xB8\x40\xBC\x91\xD5\x63\x1F\xD7\x99\xA0\x8B\x0C\x40\x1E\x74\xB7\x48\x9D\x46\x8C\x02\xB2\xE0\x24\x5F\xF0\x19\x13\xA7\x37\x83\x6B\x5D\xC7\x8E\xF9\x84\x30\xCE\x1A\x3B\xFA\xFB\xCE\x8B\x6D\x23\xC6\xC3\x6E\x66\x9F\x89\xA5\xDF\xE0\x42\x50\x67\xFA\x1F\x6C\x1E\xF4\xD0\x05\xD6\xBF\xCA\xD6\x4E\xE4\x68\x60\x6C\x46\xAA\x1C\x5D\x63\xE1\x07\x86\x0E\x65\x00\xA7\x2E\xA6\x71\xC6\xBC\xB9\x81\xA8\x3A\x7D\x1A\xD2\xF9\xD1\xAC\x4B\xCB\xCE\x75\xAF\xDC\x7B\xFA\x81\x73\xD4\xFC\xBA\xBD\x41\x88\xD4\x74\xB3\xF9\x5E\x38\x3A\x3C\x43\xA8\xD2\x95\x4E\x77\x6D\x13\x0C\x9D\x8F\x78\x01\xB7\x5A\x20\x1F\x03\x37\x35\xE2\x2C\xDB\x4B\x2B\x2C\x78\xB9\x49\xDB\xC4\xD0\xC7\x9C\x9C\xE4\x8A\x20\x09\x21\x16\x56\x66\xFF\x05\xEC\x5B\xE3\xF0\xCF\xAB\x24\x24\x5E\xC3\x7F\x70\x7A\x12\xC4\xD2\xB5\x10\xA0\xB6\x21\xE1\x8D\x78\x69\x55\x44\x69\xF5\xCA\x96\x1C\x34\x85\x17\x25\x77\xE2\xF6\x2F\x27\x98\x78\xFD\x79\x06\x3A\xA2\xD6\x5A\x43\xC1\xFF\xEC\x04\x3B\xEE\x13\xEF\xD3\x58\x5A\xFF\x92\xEB\xEC\xAE\xDA\xF2\x37\x03\x47\x41\xB6\x97\xC9\x2D\x0A\x41\x22\xBB\xBB\xE6\xA7\x02\x03\x01\x00\x01\xA3\x82\x01\x25\x30\x82\x01\x21\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x65\x06\x03\x55\x1D\x1F\x04\x5E\x30\x5C\x30\x5A\xA0\x58\xA0\x56\xA4\x54\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x54\x44\x43\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x31\x30\x34\x30\x35\x31\x36\x33\x33\x31\x37\x5A\x81\x0F\x32\x30\x32\x31\x30\x34\x30\x35\x31\x37\x30\x33\x31\x37\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x6C\x64\x01\xC7\xFD\x85\x6D\xAC\xC8\xDA\x9E\x50\x08\x85\x08\xB5\x3C\x56\xA8\x50\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6C\x64\x01\xC7\xFD\x85\x6D\xAC\xC8\xDA\x9E\x50\x08\x85\x08\xB5\x3C\x56\xA8\x50\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x35\x2E\x30\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\x43\xCC\xD1\xDD\x1D\x10\x1B\x06\x7F\xB7\xA4\xFA\xD3\xD9\x4D\xFB\x23\x9F\x23\x54\x5B\xE6\x8B\x2F\x04\x28\x8B\xB5\x27\x6D\x89\xA1\xEC\x98\x69\xDC\xE7\x8D\x26\x83\x05\x79\x74\xEC\xB4\xB9\xA3\x97\xC1\x35\x00\xFD\x15\xDA\x39\x81\x3A\x95\x31\x90\xDE\x97\xE9\x86\xA8\x99\x77\x0C\xE5\x5A\xA0\x84\xFF\x12\x16\xAC\x6E\xB8\x8D\xC3\x7B\x92\xC2\xAC\x2E\xD0\x7D\x28\xEC\xB6\xF3\x60\x38\x69\x6F\x3E\xD8\x04\x55\x3E\x9E\xCC\x55\xD2\xBA\xFE\xBB\x47\x04\xD7\x0A\xD9\x16\x0A\x34\x29\xF5\x58\x13\xD5\x4F\xCF\x8F\x56\x4B\xB3\x1E\xEE\xD3\x98\x79\xDA\x08\x1E\x0C\x6F\xB8\xF8\x16\x27\xEF\xC2\x6F\x3D\xF6\xA3\x4B\x3E\x0E\xE4\x6D\x6C\xDB\x3B\x41\x12\x9B\xBD\x0D\x47\x23\x7F\x3C\x4A\xD0\xAF\xC0\xAF\xF6\xEF\x1B\xB5\x15\xC4\xEB\x83\xC4\x09\x5F\x74\x8B\xD9\x11\xFB\xC2\x56\xB1\x3C\xF8\x70\xCA\x34\x8D\x43\x40\x13\x8C\xFD\x99\x03\x54\x79\xC6\x2E\xEA\x86\xA1\xF6\x3A\xD4\x09\xBC\xF4\xBC\x66\xCC\x3D\x58\xD0\x57\x49\x0A\xEE\x25\xE2\x41\xEE\x13\xF9\x9B\x38\x34\xD1\x00\xF5\x7E\xE7\x94\x1D\xFC\x69\x03\x62\xB8\x99\x05\x05\x3D\x6B\x78\x12\xBD\xB0\x6F\x65",
+	["CN=TDC OCES CA,O=TDC,C=DK"] = "\x30\x82\x05\x19\x30\x82\x04\x01\xA0\x03\x02\x01\x02\x02\x04\x3E\x48\xBD\xC4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x31\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x13\x03\x54\x44\x43\x31\x14\x30\x12\x06\x03\x55\x04\x03\x13\x0B\x54\x44\x43\x20\x4F\x43\x45\x53\x20\x43\x41\x30\x1E\x17\x0D\x30\x33\x30\x32\x31\x31\x30\x38\x33\x39\x33\x30\x5A\x17\x0D\x33\x37\x30\x32\x31\x31\x30\x39\x30\x39\x33\x30\x5A\x30\x31\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x13\x03\x54\x44\x43\x31\x14\x30\x12\x06\x03\x55\x04\x03\x13\x0B\x54\x44\x43\x20\x4F\x43\x45\x53\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAC\x62\xF6\x61\x20\xB2\xCF\xC0\xC6\x85\xD7\xE3\x79\xE6\xCC\xED\xF2\x39\x92\xA4\x97\x2E\x64\xA3\x84\x5B\x87\x9C\x4C\xFD\xA4\xF3\xC4\x5F\x21\xBD\x56\x10\xEB\xDB\x2E\x61\xEC\x93\x69\xE3\xA3\xCC\xBD\x99\xC3\x05\xFC\x06\xB8\xCA\x36\x1C\xFE\x90\x8E\x49\x4C\xC4\x56\x9A\x2F\x56\xBC\xCF\x7B\x0C\xF1\x6F\x47\xA6\x0D\x43\x4D\xE2\xE9\x1D\x39\x34\xCD\x8D\x2C\xD9\x12\x98\xF9\xE3\xE1\xC1\x4A\x7C\x86\x38\xC4\xA9\xC4\x61\x88\xD2\x5E\xAF\x1A\x26\x4D\xD5\xE4\xA0\x22\x47\x84\xD9\x64\xB7\x19\x96\xFC\xEC\x19\xE4\xB2\x97\x26\x4E\x4A\x4C\xCB\x8F\x24\x8B\x54\x18\x1C\x48\x61\x7B\xD5\x88\x68\xDA\x5D\xB5\xEA\xCD\x1A\x30\xC1\x80\x83\x76\x50\xAA\x4F\xD1\xD4\xDD\x38\xF0\xEF\x16\xF4\xE1\x0C\x50\x06\xBF\xEA\xFB\x7A\x49\xA1\x28\x2B\x1C\xF6\xFC\x15\x32\xA3\x74\x6A\x8F\xA9\xC3\x62\x29\x71\x31\xE5\x3B\xA4\x60\x17\x5E\x74\xE6\xDA\x13\xED\xE9\x1F\x1F\x1B\xD1\xB2\x68\x73\xC6\x10\x34\x75\x46\x10\x10\xE3\x90\x00\x76\x40\xCB\x8B\xB7\x43\x09\x21\xFF\xAB\x4E\x93\xC6\x58\xE9\xA5\x82\xDB\x77\xC4\x3A\x99\xB1\x72\x95\x49\x04\xF0\xB7\x2B\xFA\x7B\x59\x8E\xDD\x02\x03\x01\x00\x01\xA3\x82\x02\x37\x30\x82\x02\x33\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xEC\x06\x03\x55\x1D\x20\x04\x81\xE4\x30\x81\xE1\x30\x81\xDE\x06\x08\x2A\x81\x50\x81\x29\x01\x01\x01\x30\x81\xD1\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x69\x66\x69\x6B\x61\x74\x2E\x64\x6B\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x30\x81\x9D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\x90\x30\x0A\x16\x03\x54\x44\x43\x30\x03\x02\x01\x01\x1A\x81\x81\x43\x65\x72\x74\x69\x66\x69\x6B\x61\x74\x65\x72\x20\x66\x72\x61\x20\x64\x65\x6E\x6E\x65\x20\x43\x41\x20\x75\x64\x73\x74\x65\x64\x65\x73\x20\x75\x6E\x64\x65\x72\x20\x4F\x49\x44\x20\x31\x2E\x32\x2E\x32\x30\x38\x2E\x31\x36\x39\x2E\x31\x2E\x31\x2E\x31\x2E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x66\x72\x6F\x6D\x20\x74\x68\x69\x73\x20\x43\x41\x20\x61\x72\x65\x20\x69\x73\x73\x75\x65\x64\x20\x75\x6E\x64\x65\x72\x20\x4F\x49\x44\x20\x31\x2E\x32\x2E\x32\x30\x38\x2E\x31\x36\x39\x2E\x31\x2E\x31\x2E\x31\x2E\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x81\x81\x06\x03\x55\x1D\x1F\x04\x7A\x30\x78\x30\x48\xA0\x46\xA0\x44\xA4\x42\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x4B\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x13\x03\x54\x44\x43\x31\x14\x30\x12\x06\x03\x55\x04\x03\x13\x0B\x54\x44\x43\x20\x4F\x43\x45\x53\x20\x43\x41\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6F\x63\x65\x73\x2E\x63\x65\x72\x74\x69\x66\x69\x6B\x61\x74\x2E\x64\x6B\x2F\x6F\x63\x65\x73\x2E\x63\x72\x6C\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x33\x30\x32\x31\x31\x30\x38\x33\x39\x33\x30\x5A\x81\x0F\x32\x30\x33\x37\x30\x32\x31\x31\x30\x39\x30\x39\x33\x30\x5A\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x60\xB5\x85\xEC\x56\x64\x7E\x12\x19\x27\x67\x1D\x50\x15\x4B\x73\xAE\x3B\xF9\x12\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x60\xB5\x85\xEC\x56\x64\x7E\x12\x19\x27\x67\x1D\x50\x15\x4B\x73\xAE\x3B\xF9\x12\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x36\x2E\x30\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0A\xBA\x26\x26\x46\xD3\x73\xA8\x09\xF3\x6B\x0B\x30\x99\xFD\x8A\xE1\x57\x7A\x11\xD3\xB8\x94\xD7\x09\x10\x6E\xA3\xB1\x38\x03\xD1\xB6\xF2\x43\x41\x29\x62\xA7\x72\xD8\xFB\x7C\x05\xE6\x31\x70\x27\x54\x18\x4E\x8A\x7C\x4E\xE5\xD1\xCA\x8C\x78\x88\xCF\x1B\xD3\x90\x8B\xE6\x23\xF8\x0B\x0E\x33\x43\x7D\x9C\xE2\x0A\x19\x8F\xC9\x01\x3E\x74\x5D\x74\xC9\x8B\x1C\x03\xE5\x18\xC8\x01\x4C\x3F\xCB\x97\x05\x5D\x98\x71\xA6\x98\x6F\xB6\x7C\xBD\x37\x7F\xBE\xE1\x93\x25\x6D\x6F\xF0\x0A\xAD\x17\x18\xE1\x03\xBC\x07\x29\xC8\xAD\x26\xE8\xF8\x61\xF0\xFD\x21\x09\x7E\x9A\x8E\xA9\x68\x7D\x48\x62\x72\xBD\x00\xEA\x01\x99\xB8\x06\x82\x51\x81\x4E\xF1\xF5\xB4\x91\x54\xB9\x23\x7A\x00\x9A\x9F\x5D\x8D\xE0\x3C\x64\xB9\x1A\x12\x92\x2A\xC7\x82\x44\x72\x39\xDC\xE2\x3C\xC6\xD8\x55\xF5\x15\x4E\xC8\x05\x0E\xDB\xC6\xD0\x62\xA6\xEC\x15\xB4\xB5\x02\x82\xDB\xAC\x8C\xA2\x81\xF0\x9B\x99\x31\xF5\x20\x20\xA8\x88\x61\x0A\x07\x9F\x94\xFC\xD0\xD7\x1B\xCC\x2E\x17\xF3\x04\x27\x76\x67\xEB\x54\x83\xFD\xA4\x90\x7E\x06\x3D\x04\xA3\x43\x2D\xDA\xFC\x0B\x62\xEA\x2F\x5F\x62\x53",
+	["CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US"] = "\x30\x82\x04\x5E\x30\x82\x03\x46\xA0\x03\x02\x01\x02\x02\x10\x44\xBE\x0C\x8B\x50\x00\x21\xB4\x11\xD3\x2A\x68\x06\xA9\xAD\x69\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x93\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x55\x54\x4E\x20\x2D\x20\x44\x41\x54\x41\x43\x6F\x72\x70\x20\x53\x47\x43\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x34\x31\x38\x35\x37\x32\x31\x5A\x17\x0D\x31\x39\x30\x36\x32\x34\x31\x39\x30\x36\x33\x30\x5A\x30\x81\x93\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x55\x54\x4E\x20\x2D\x20\x44\x41\x54\x41\x43\x6F\x72\x70\x20\x53\x47\x43\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\xEE\x58\x10\xA2\x2B\x6E\x55\xC4\x8E\xBF\x2E\x46\x09\xE7\xE0\x08\x0F\x2E\x2B\x7A\x13\x94\x1B\xBD\xF6\xB6\x80\x8E\x65\x05\x93\x00\x1E\xBC\xAF\xE2\x0F\x8E\x19\x0D\x12\x47\xEC\xAC\xAD\xA3\xFA\x2E\x70\xF8\xDE\x6E\xFB\x56\x42\x15\x9E\x2E\x5C\xEF\x23\xDE\x21\xB9\x05\x76\x27\x19\x0F\x4F\xD6\xC3\x9C\xB4\xBE\x94\x19\x63\xF2\xA6\x11\x0A\xEB\x53\x48\x9C\xBE\xF2\x29\x3B\x16\xE8\x1A\xA0\x4C\xA6\xC9\xF4\x18\x59\x68\xC0\x70\xF2\x53\x00\xC0\x5E\x50\x82\xA5\x56\x6F\x36\xF9\x4A\xE0\x44\x86\xA0\x4D\x4E\xD6\x47\x6E\x49\x4A\xCB\x67\xD7\xA6\xC4\x05\xB9\x8E\x1E\xF4\xFC\xFF\xCD\xE7\x36\xE0\x9C\x05\x6C\xB2\x33\x22\x15\xD0\xB4\xE0\xCC\x17\xC0\xB2\xC0\xF4\xFE\x32\x3F\x29\x2A\x95\x7B\xD8\xF2\xA7\x4E\x0F\x54\x7C\xA1\x0D\x80\xB3\x09\x03\xC1\xFF\x5C\xDD\x5E\x9A\x3E\xBC\xAE\xBC\x47\x8A\x6A\xAE\x71\xCA\x1F\xB1\x2A\xB8\x5F\x42\x05\x0B\xEC\x46\x30\xD1\x72\x0B\xCA\xE9\x56\x6D\xF5\xEF\xDF\x78\xBE\x61\xBA\xB2\xA5\xAE\x04\x4C\xBC\xA8\xAC\x69\x15\x97\xBD\xEF\xEB\xB4\x8C\xBF\x35\xF8\xD4\xC3\xD1\x28\x0E\x5C\x3A\x9F\x70\x18\x33\x20\x77\xC4\xA2\xAF\x02\x03\x01\x00\x01\xA3\x81\xAB\x30\x81\xA8\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xC6\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x53\x32\xD1\xB3\xCF\x7F\xFA\xE0\xF1\xA0\x5D\x85\x4E\x92\xD2\x9E\x45\x1D\xB4\x4F\x30\x3D\x06\x03\x55\x1D\x1F\x04\x36\x30\x34\x30\x32\xA0\x30\xA0\x2E\x86\x2C\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x55\x54\x4E\x2D\x44\x41\x54\x41\x43\x6F\x72\x70\x53\x47\x43\x2E\x63\x72\x6C\x30\x2A\x06\x03\x55\x1D\x25\x04\x23\x30\x21\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x0A\x03\x03\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x04\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x27\x35\x97\x00\x8A\x8B\x28\xBD\xC6\x33\x30\x1E\x29\xFC\xE2\xF7\xD5\x98\xD4\x40\xBB\x60\xCA\xBF\xAB\x17\x2C\x09\x36\x7F\x50\xFA\x41\xDC\xAE\x96\x3A\x0A\x23\x3E\x89\x59\xC9\xA3\x07\xED\x1B\x37\xAD\xFC\x7C\xBE\x51\x49\x5A\xDE\x3A\x0A\x54\x08\x16\x45\xC2\x99\xB1\x87\xCD\x8C\x68\xE0\x69\x03\xE9\xC4\x4E\x98\xB2\x3B\x8C\x16\xB3\x0E\xA0\x0C\x98\x50\x9B\x93\xA9\x70\x09\xC8\x2C\xA3\x8F\xDF\x02\xE4\xE0\x71\x3A\xF1\xB4\x23\x72\xA0\xAA\x01\xDF\xDF\x98\x3E\x14\x50\xA0\x31\x26\xBD\x28\xE9\x5A\x30\x26\x75\xF9\x7B\x60\x1C\x8D\xF3\xCD\x50\x26\x6D\x04\x27\x9A\xDF\xD5\x0D\x45\x47\x29\x6B\x2C\xE6\x76\xD9\xA9\x29\x7D\x32\xDD\xC9\x36\x3C\xBD\xAE\x35\xF1\x11\x9E\x1D\xBB\x90\x3F\x12\x47\x4E\x8E\xD7\x7E\x0F\x62\x73\x1D\x52\x26\x38\x1C\x18\x49\xFD\x30\x74\x9A\xC4\xE5\x22\x2F\xD8\xC0\x8D\xED\x91\x7A\x4C\x00\x8F\x72\x7F\x5D\xDA\xDD\x1B\x8B\x45\x6B\xE7\xDD\x69\x97\xA8\xC5\x56\x4C\x0F\x0C\xF6\x9F\x7A\x91\x37\xF6\x97\x82\xE0\xDD\x71\x69\xFF\x76\x3F\x60\x4D\x3C\xCF\xF7\x99\xF9\xC6\x57\xF4\xC9\x55\x39\x78\xBA\x2C\x79\xC9\xA6\x88\x2B\xF4\x08",
+	["CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US"] = "\x30\x82\x04\x74\x30\x82\x03\x5C\xA0\x03\x02\x01\x02\x02\x10\x44\xBE\x0C\x8B\x50\x00\x24\xB4\x11\xD3\x36\x2A\xFE\x65\x0A\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x38\x31\x30\x34\x32\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x31\x38\x31\x39\x32\x32\x5A\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB1\xF7\xC3\x38\x3F\xB4\xA8\x7F\xCF\x39\x82\x51\x67\xD0\x6D\x9F\xD2\xFF\x58\xF3\xE7\x9F\x2B\xEC\x0D\x89\x54\x99\xB9\x38\x99\x16\xF7\xE0\x21\x79\x48\xC2\xBB\x61\x74\x12\x96\x1D\x3C\x6A\x72\xD5\x3C\x10\x67\x3A\x39\xED\x2B\x13\xCD\x66\xEB\x95\x09\x33\xA4\x6C\x97\xB1\xE8\xC6\xEC\xC1\x75\x79\x9C\x46\x5E\x8D\xAB\xD0\x6A\xFD\xB9\x2A\x55\x17\x10\x54\xB3\x19\xF0\x9A\xF6\xF1\xB1\x5D\xB6\xA7\x6D\xFB\xE0\x71\x17\x6B\xA2\x88\xFB\x00\xDF\xFE\x1A\x31\x77\x0C\x9A\x01\x7A\xB1\x32\xE3\x2B\x01\x07\x38\x6E\xC3\xA5\x5E\x23\xBC\x45\x9B\x7B\x50\xC1\xC9\x30\x8F\xDB\xE5\x2B\x7A\xD3\x5B\xFB\x33\x40\x1E\xA0\xD5\x98\x17\xBC\x8B\x87\xC3\x89\xD3\x5D\xA0\x8E\xB2\xAA\xAA\xF6\x8E\x69\x88\x06\xC5\xFA\x89\x21\xF3\x08\x9D\x69\x2E\x09\x33\x9B\x29\x0D\x46\x0F\x8C\xCC\x49\x34\xB0\x69\x51\xBD\xF9\x06\xCD\x68\xAD\x66\x4C\xBC\x3E\xAC\x61\xBD\x0A\x88\x0E\xC8\xDF\x3D\xEE\x7C\x04\x4C\x9D\x0A\x5E\x6B\x91\xD6\xEE\xC7\xED\x28\x8D\xAB\x4D\x87\x89\x73\xD0\x6E\xA4\xD0\x1E\x16\x8B\x14\xE1\x76\x44\x03\x7F\x63\xAC\xE4\xCD\x49\x9C\xC5\x92\xF4\xAB\x32\xA1\x48\x5B\x02\x03\x01\x00\x01\xA3\x81\xB9\x30\x81\xB6\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xC6\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA1\x72\x5F\x26\x1B\x28\x98\x43\x95\x5D\x07\x37\xD5\x85\x96\x9D\x4B\xD2\xC3\x45\x30\x44\x06\x03\x55\x1D\x1F\x04\x3D\x30\x3B\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x2E\x63\x72\x6C\x30\x31\x06\x03\x55\x1D\x25\x04\x2A\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x05\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x06\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x47\x19\x0F\xDE\x74\xC6\x99\x97\xAF\xFC\xAD\x28\x5E\x75\x8E\xEB\x2D\x67\xEE\x4E\x7B\x2B\xD7\x0C\xFF\xF6\xDE\xCB\x55\xA2\x0A\xE1\x4C\x54\x65\x93\x60\x6B\x9F\x12\x9C\xAD\x5E\x83\x2C\xEB\x5A\xAE\xC0\xE4\x2D\xF4\x00\x63\x1D\xB8\xC0\x6C\xF2\xCF\x49\xBB\x4D\x93\x6F\x06\xA6\x0A\x22\xB2\x49\x62\x08\x4E\xFF\xC8\xC8\x14\xB2\x88\x16\x5D\xE7\x01\xE4\x12\x95\xE5\x45\x34\xB3\x8B\x69\xBD\xCF\xB4\x85\x8F\x75\x51\x9E\x7D\x3A\x38\x3A\x14\x48\x12\xC6\xFB\xA7\x3B\x1A\x8D\x0D\x82\x40\x07\xE8\x04\x08\x90\xA1\x89\xCB\x19\x50\xDF\xCA\x1C\x01\xBC\x1D\x04\x19\x7B\x10\x76\x97\x3B\xEE\x90\x90\xCA\xC4\x0E\x1F\x16\x6E\x75\xEF\x33\xF8\xD3\x6F\x5B\x1E\x96\xE3\xE0\x74\x77\x74\x7B\x8A\xA2\x6E\x2D\xDD\x76\xD6\x39\x30\x82\xF0\xAB\x9C\x52\xF2\x2A\xC7\xAF\x49\x5E\x7E\xC7\x68\xE5\x82\x81\xC8\x6A\x27\xF9\x27\x88\x2A\xD5\x58\x50\x95\x1F\xF0\x3B\x1C\x57\xBB\x7D\x14\x39\x62\x2B\x9A\xC9\x94\x92\x2A\xA3\x22\x0C\xFF\x89\x26\x7D\x5F\x23\x2B\x47\xD7\x15\x1D\xA9\x6A\x9E\x51\x0D\x2A\x51\x9E\x81\xF9\xD4\x3B\x5E\x70\x12\x7F\x10\x32\x9C\x1E\xBB\x9D\xF8\x66\xA8",
+	["CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x33\x34\x33\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x33\x34\x34\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x36\x55\xE5\xA5\x5D\x18\x30\xE0\xDA\x89\x54\x91\xFC\xC8\xC7\x52\xF8\x2F\x50\xD9\xEF\xB1\x75\x73\x65\x47\x7D\x1B\x5B\xBA\x75\xC5\xFC\xA1\x88\x24\xFA\x2F\xED\xCA\x08\x4A\x39\x54\xC4\x51\x7A\xB5\xDA\x60\xEA\x38\x3C\x81\xB2\xCB\xF1\xBB\xD9\x91\x23\x3F\x48\x01\x70\x75\xA9\x05\x2A\xAD\x1F\x71\xF3\xC9\x54\x3D\x1D\x06\x6A\x40\x3E\xB3\x0C\x85\xEE\x5C\x1B\x79\xC2\x62\xC4\xB8\x36\x8E\x35\x5D\x01\x0C\x23\x04\x47\x35\xAA\x9B\x60\x4E\xA0\x66\x3D\xCB\x26\x0A\x9C\x40\xA1\xF4\x5D\x98\xBF\x71\xAB\xA5\x00\x68\x2A\xED\x83\x7A\x0F\xA2\x14\xB5\xD4\x22\xB3\x80\xB0\x3C\x0C\x5A\x51\x69\x2D\x58\x18\x8F\xED\x99\x9E\xF1\xAE\xE2\x95\xE6\xF6\x47\xA8\xD6\x0C\x0F\xB0\x58\x58\xDB\xC3\x66\x37\x9E\x9B\x91\x54\x33\x37\xD2\x94\x1C\x6A\x48\xC9\xC9\xF2\xA5\xDA\xA5\x0C\x23\xF7\x23\x0E\x9C\x32\x55\x5E\x71\x9C\x84\x05\x51\x9A\x2D\xFD\xE6\x4E\x2A\x34\x5A\xDE\xCA\x40\x37\x67\x0C\x54\x21\x55\x77\xDA\x0A\x0C\xCC\x97\xAE\x80\xDC\x94\x36\x4A\xF4\x3E\xCE\x36\x13\x1E\x53\xE4\xAC\x4E\x3A\x05\xEC\xDB\xAE\x72\x9C\x38\x8B\xD0\x39\x3B\x89\x0A\x3E\x77\xFE\x75\x02\x01\x03\xA3\x82\x01\x44\x30\x82\x01\x40\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3C\x06\x03\x55\x1D\x1F\x04\x35\x30\x33\x30\x31\xA0\x2F\xA0\x2D\x86\x2B\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x94\xF5\xB1\x4D\xE9\xDB\xA1\x29\x5B\x57\x8B\x4D\x76\x06\x76\xE1\xD1\xA2\x8A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x27\x06\x03\x55\x1D\x11\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x27\x06\x03\x55\x1D\x12\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x58\x06\x03\x55\x1D\x20\x04\x51\x30\x4F\x30\x4D\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x03\x01\x30\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0C\x41\x97\xC2\x1A\x86\xC0\x22\x7C\x9F\xFB\x90\xF3\x1A\xD1\x03\xB1\xEF\x13\xF9\x21\x5F\x04\x9C\xDA\xC9\xA5\x8D\x27\x6C\x96\x87\x91\xBE\x41\x90\x01\x72\x93\xE7\x1E\x7D\x5F\xF6\x89\xC6\x5D\xA7\x40\x09\x3D\xAC\x49\x45\x45\xDC\x2E\x8D\x30\x68\xB2\x09\xBA\xFB\xC3\x2F\xCC\xBA\x0B\xDF\x3F\x77\x7B\x46\x7D\x3A\x12\x24\x8E\x96\x8F\x3C\x05\x0A\x6F\xD2\x94\x28\x1D\x6D\x0C\xC0\x2E\x88\x22\xD5\xD8\xCF\x1D\x13\xC7\xF0\x48\xD7\xD7\x05\xA7\xCF\xC7\x47\x9E\x3B\x3C\x34\xC8\x80\x4F\xD4\x14\xBB\xFC\x0D\x50\xF7\xFA\xB3\xEC\x42\x5F\xA9\xDD\x6D\xC8\xF4\x75\xCF\x7B\xC1\x72\x26\xB1\x01\x1C\x5C\x2C\xFD\x7A\x4E\xB4\x01\xC5\x05\x57\xB9\xE7\x3C\xAA\x05\xD9\x88\xE9\x07\x46\x41\xCE\xEF\x41\x81\xAE\x58\xDF\x83\xA2\xAE\xCA\xD7\x77\x1F\xE7\x00\x3C\x9D\x6F\x8E\xE4\x32\x09\x1D\x4D\x78\x34\x78\x34\x3C\x94\x9B\x26\xED\x4F\x71\xC6\x19\x7A\xBD\x20\x22\x48\x5A\xFE\x4B\x7D\x03\xB7\xE7\x58\xBE\xC6\x32\x4E\x74\x1E\x68\xDD\xA8\x68\x5B\xB3\x3E\xEE\x62\x7D\xD9\x80\xE8\x0A\x75\x7A\xB7\xEE\xB4\x65\x9A\x21\x90\xE0\xAA\xD0\x98\xBC\x38\xB5\x73\x3C\x8B\xF8\xDC",
+	["CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xC5\x30\x82\x03\xAD\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xA2\x70\xA2\xD0\x9F\x42\xAE\x5B\x17\xC7\xD8\x7D\xCF\x14\x83\xFC\x4F\xC9\xA1\xB7\x13\xAF\x8A\xD7\x9E\x3E\x04\x0A\x92\x8B\x60\x56\xFA\xB4\x32\x2F\x88\x4D\xA1\x60\x08\xF4\xB7\x09\x4E\xA0\x49\x2F\x49\xD6\xD3\xDF\x9D\x97\x5A\x9F\x94\x04\x70\xEC\x3F\x59\xD9\xB7\xCC\x66\x8B\x98\x52\x28\x09\x02\xDF\xC5\x2F\x84\x8D\x7A\x97\x77\xBF\xEC\x40\x9D\x25\x72\xAB\xB5\x3F\x32\x98\xFB\xB7\xB7\xFC\x72\x84\xE5\x35\x87\xF9\x55\xFA\xA3\x1F\x0E\x6F\x2E\x28\xDD\x69\xA0\xD9\x42\x10\xC6\xF8\xB5\x44\xC2\xD0\x43\x7F\xDB\xBC\xE4\xA2\x3C\x6A\x55\x78\x0A\x77\xA9\xD8\xEA\x19\x32\xB7\x2F\xFE\x5C\x3F\x1B\xEE\xB1\x98\xEC\xCA\xAD\x7A\x69\x45\xE3\x96\x0F\x55\xF6\xE6\xED\x75\xEA\x65\xE8\x32\x56\x93\x46\x89\xA8\x25\x8A\x65\x06\xEE\x6B\xBF\x79\x07\xD0\xF1\xB7\xAF\xED\x2C\x4D\x92\xBB\xC0\xA8\x5F\xA7\x67\x7D\x04\xF2\x15\x08\x70\xAC\x92\xD6\x7D\x04\xD2\x33\xFB\x4C\xB6\x0B\x0B\xFB\x1A\xC9\xC4\x8D\x03\xA9\x7E\x5C\xF2\x50\xAB\x12\xA5\xA1\xCF\x48\x50\xA5\xEF\xD2\xC8\x1A\x13\xFA\xB0\x7F\xB1\x82\x1C\x77\x6A\x0F\x5F\xDC\x0B\x95\x8F\xEF\x43\x7E\xE6\x45\x09\x25\x02\x01\x03\xA3\x82\x01\x50\x30\x82\x01\x4C\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x43\x9C\x36\x9F\xB0\x9E\x30\x4D\xC6\xCE\x5F\xAD\x10\xAB\xE5\x03\xA5\xFA\xA9\x14\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x2A\x06\x03\x55\x1D\x12\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x5B\x06\x03\x55\x1D\x20\x04\x54\x30\x52\x30\x50\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x01\x01\x30\x41\x30\x3F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\x3B\x70\x91\xF9\x04\x54\x27\x91\xE1\xED\xED\xFE\x68\x7F\x61\x5D\xE5\x41\x65\x4F\x32\xF1\x18\x05\x94\x6A\x1C\xDE\x1F\x70\xDB\x3E\x7B\x32\x02\x34\xB5\x0C\x6C\xA1\x8A\x7C\xA5\xF4\x8F\xFF\xD4\xD8\xAD\x17\xD5\x2D\x04\xD1\x3F\x58\x80\xE2\x81\x59\x88\xBE\xC0\xE3\x46\x93\x24\xFE\x90\xBD\x26\xA2\x30\x2D\xE8\x97\x26\x57\x35\x89\x74\x96\x18\xF6\x15\xE2\xAF\x24\x19\x56\x02\x02\xB2\xBA\x0F\x14\xEA\xC6\x8A\x66\xC1\x86\x45\x55\x8B\xBE\x92\xBE\x9C\xA4\x04\xC7\x49\x3C\x9E\xE8\x29\x7A\x89\xD7\xFE\xAF\xFF\x68\xF5\xA5\x17\x90\xBD\xAC\x99\xCC\xA5\x86\x57\x09\x67\x46\xDB\xD6\x16\xC2\x46\xF1\xE4\xA9\x50\xF5\x8F\xD1\x92\x15\xD3\x5F\x3E\xC6\x00\x49\x3A\x6E\x58\xB2\xD1\xD1\x27\x0D\x25\xC8\x32\xF8\x20\x11\xCD\x7D\x32\x33\x48\x94\x54\x4C\xDD\xDC\x79\xC4\x30\x9F\xEB\x8E\xB8\x55\xB5\xD7\x88\x5C\xC5\x6A\x24\x3D\xB2\xD3\x05\x03\x51\xC6\x07\xEF\xCC\x14\x72\x74\x3D\x6E\x72\xCE\x18\x28\x8C\x4A\xA0\x77\xE5\x09\x2B\x45\x44\x47\xAC\xB7\x67\x7F\x01\x8A\x05\x5A\x93\xBE\xA1\xC1\xFF\xF8\xE7\x0E\x67\xA4\x47\x49\x76\x5D\x75\x90\x1A\xF5\x26\x8F\xF0",
+	["CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU"] = "\x30\x82\x06\x7D\x30\x82\x05\x65\xA0\x03\x02\x01\x02\x02\x02\x01\x03\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xAF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x75\x6E\x67\x61\x72\x79\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x6F\x7A\x6A\x65\x67\x79\x7A\x6F\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x41\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x34\x32\x33\x31\x34\x34\x37\x5A\x17\x0D\x31\x39\x30\x32\x31\x39\x32\x33\x31\x34\x34\x37\x5A\x30\x81\xAF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x75\x6E\x67\x61\x72\x79\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x6F\x7A\x6A\x65\x67\x79\x7A\x6F\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x41\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x74\x8C\x0F\xBB\x4C\xF4\x37\x1E\xA9\x05\x82\xD8\xE6\xE1\x6C\x70\xEA\x78\xB5\x6E\xD1\x38\x44\x0D\xA8\x83\xCE\x5D\xD2\xD6\xD5\x81\xC5\xD4\x4B\xE7\x5B\x94\x70\x26\xDB\x3B\x9D\x6A\x4C\x62\xF7\x71\xF3\x64\xD6\x61\x3B\x3D\xEB\x73\xA3\x37\xD9\xCF\xEA\x8C\x92\x3B\xCD\xF7\x07\xDC\x66\x74\x97\xF4\x45\x22\xDD\xF4\x5C\xE0\xBF\x6D\xF3\xBE\x65\x33\xE4\x15\x3A\xBF\xDB\x98\x90\x55\x38\xC4\xED\xA6\x55\x63\x0B\xB0\x78\x04\xF4\xE3\x6E\xC1\x3F\x8E\xFC\x51\x78\x1F\x92\x9E\x83\xC2\xFE\xD9\xB0\xA9\xC9\xBC\x5A\x00\xFF\xA9\xA8\x98\x74\xFB\xF6\x2C\x3E\x15\x39\x0D\xB6\x04\x55\xA8\x0E\x98\x20\x42\xB3\xB1\x25\xAD\x7E\x9A\x6F\x5D\x53\xB1\xAB\x0C\xFC\xEB\xE0\xF3\x7A\xB3\xA8\xB3\xFF\x46\xF6\x63\xA2\xD8\x3A\x98\x7B\xB6\xAC\x85\xFF\xB0\x25\x4F\x74\x63\xE7\x13\x07\xA5\x0A\x8F\x05\xF7\xC0\x64\x6F\x7E\xA7\x27\x80\x96\xDE\xD4\x2E\x86\x60\xC7\x6B\x2B\x5E\x73\x7B\x17\xE7\x91\x3F\x64\x0C\xD8\x4B\x22\x34\x2B\x9B\x32\xF2\x48\x1F\x9F\xA1\x0A\x84\x7A\xE2\xC2\xAD\x97\x3D\x8E\xD5\xC1\xF9\x56\xA3\x50\xE9\xC6\xB4\xFA\x98\xA2\xEE\x95\xE6\x2A\x03\x8C\xDF\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x82\x01\x01\x00\x48\x24\x46\xF7\xBA\x56\x6F\xFA\xC8\x28\x03\x40\x4E\xE5\x31\x39\x6B\x26\x6B\x53\x7F\xDB\xDF\xDF\xF3\x71\x3D\x26\xC0\x14\x0E\xC6\x67\x7B\x23\xA8\x0C\x73\xDD\x01\xBB\xC6\xCA\x6E\x37\x39\x55\xD5\xC7\x8C\x56\x20\x0E\x28\x0A\x0E\xD2\x2A\xA4\xB0\x49\x52\xC6\x38\x07\xFE\xBE\x0A\x09\x8C\xD1\x98\xCF\xCA\xDA\x14\x31\xA1\x4F\xD2\x39\xFC\x0F\x11\x2C\x43\xC3\xDD\xAB\x93\xC7\x55\x3E\x47\x7C\x18\x1A\x00\xDC\xF3\x7B\xD8\xF2\x7F\x52\x6C\x20\xF4\x0B\x5F\x69\x52\xF4\xEE\xF8\xB2\x29\x60\xEB\xE3\x49\x31\x21\x0D\xD6\xB5\x10\x41\xE2\x41\x09\x6C\xE2\x1A\x9A\x56\x4B\x77\x02\xF6\xA0\x9B\x9A\x27\x87\xE8\x55\x29\x71\xC2\x90\x9F\x45\x78\x1A\xE1\x15\x64\x3D\xD0\x0E\xD8\xA0\x76\x9F\xAE\xC5\xD0\x2E\xEA\xD6\x0F\x56\xEC\x64\x7F\x5A\x9B\x14\x58\x01\x27\x7E\x13\x50\xC7\x6B\x2A\xE6\x68\x3C\xBF\x5C\xA0\x0A\x1B\xE1\x0E\x7A\xE9\xE2\x80\xC3\xE9\xE9\xF6\xFD\x6C\x11\x9E\xD0\xE5\x28\x27\x2B\x54\x32\x42\x14\x82\x75\xE6\x4A\xF0\x2B\x66\x75\x63\x8C\xA2\xFB\x04\x3E\x83\x0E\x9B\x36\xF0\x18\xE4\x26\x20\xC3\x8C\xF0\x28\x07\xAD\x3C\x17\x66\x88\xB5\xFD\xB6\x88",
+	["CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU"] = "\x30\x82\x05\x4B\x30\x82\x04\xB4\xA0\x03\x02\x01\x02\x02\x01\x69\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\x99\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x55\x7A\x6C\x65\x74\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x42\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x35\x31\x34\x31\x30\x32\x32\x5A\x17\x0D\x31\x39\x30\x32\x32\x30\x31\x34\x31\x30\x32\x32\x5A\x30\x81\x99\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x55\x7A\x6C\x65\x74\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x42\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xB1\xEA\x04\xEC\x20\xA0\x23\xC2\x8F\x38\x60\xCF\xC7\x46\xB3\xD5\x1B\xFE\xFB\xB9\x99\x9E\x04\xDC\x1C\x7F\x8C\x4A\x81\x98\xEE\xA4\xD4\xCA\x8A\x17\xB9\x22\x7F\x83\x0A\x75\x4C\x9B\xC0\x69\xD8\x64\x39\xA3\xED\x92\xA3\xFD\x5B\x5C\x74\x1A\xC0\x47\xCA\x3A\x69\x76\x9A\xBA\xE2\x44\x17\xFC\x4C\xA3\xD5\xFE\xB8\x97\x88\xAF\x88\x03\x89\x1F\xA4\xF2\x04\x3E\xC8\x07\x0B\xE6\xF9\xB3\x2F\x7A\x62\x14\x09\x46\x14\xCA\x64\xF5\x8B\x80\xB5\x62\xA8\xD8\x6B\xD6\x71\x93\x2D\xB3\xBF\x09\x54\x58\xED\x06\xEB\xA8\x7B\xDC\x43\xB1\xA1\x69\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x04\xDB\xAE\x8C\x17\xAF\xF8\x0E\x90\x31\x4E\xCD\x3E\x09\xC0\x6D\x3A\xB0\xF8\x33\x4C\x47\x4C\xE3\x75\x88\x10\x97\xAC\xB0\x38\x15\x91\xC6\x29\x96\xCC\x21\xC0\x6D\x3C\xA5\x74\xCF\xD8\x82\xA5\x39\xC3\x65\xE3\x42\x70\xBB\x22\x90\xE3\x7D\xDB\x35\x76\xE1\xA0\xB5\xDA\x9F\x70\x6E\x93\x1A\x30\x39\x1D\x30\xDB\x2E\xE3\x7C\xB2\x91\xB2\xD1\x37\x29\xFA\xB9\xD6\x17\x5C\x47\x4F\xE3\x1D\x38\xEB\x9F\xD5\x7B\x95\xA8\x28\x9E\x15\x4A\xD1\xD1\xD0\x2B\x00\x97\xA0\xE2\x92\x36\x2B\x63\xAC\x58\x01\x6B\x33\x29\x50\x86\x83\xF1\x01\x48",
+	["CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU"] = "\x30\x82\x05\x4F\x30\x82\x04\xB8\xA0\x03\x02\x01\x02\x02\x01\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\x9B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x34\x30\x32\x06\x03\x55\x04\x03\x13\x2B\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x45\x78\x70\x72\x65\x73\x73\x7A\x20\x28\x43\x6C\x61\x73\x73\x20\x43\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x35\x31\x34\x30\x38\x31\x31\x5A\x17\x0D\x31\x39\x30\x32\x32\x30\x31\x34\x30\x38\x31\x31\x5A\x30\x81\x9B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x34\x30\x32\x06\x03\x55\x04\x03\x13\x2B\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x45\x78\x70\x72\x65\x73\x73\x7A\x20\x28\x43\x6C\x61\x73\x73\x20\x43\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xEB\xEC\xB0\x6C\x61\x8A\x23\x25\xAF\x60\x20\xE3\xD9\x9F\xFC\x93\x0B\xDB\x5D\x8D\xB0\xA1\xB3\x40\x3A\x82\xCE\xFD\x75\xE0\x78\x32\x03\x86\x5A\x86\x95\x91\xED\x53\xFA\x9D\x40\xFC\xE6\xE8\xDD\xD9\x5B\x7A\x03\xBD\x5D\xF3\x3B\x0C\xC3\x51\x79\x9B\xAD\x55\xA0\xE9\xD0\x03\x10\xAF\x0A\xBA\x14\x42\xD9\x52\x26\x11\x22\xC7\xD2\x20\xCC\x82\xA4\x9A\xA9\xFE\xB8\x81\x76\x9D\x6A\xB7\xD2\x36\x75\x3E\xB1\x86\x09\xF6\x6E\x6D\x7E\x4E\xB7\x7A\xEC\xAE\x71\x84\xF6\x04\x33\x08\x25\x32\xEB\x74\xAC\x16\x44\xC6\xE4\x40\x93\x1D\x7F\xAD\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x10\xAD\x7F\xD7\x0C\x32\x80\x0A\xD8\x86\xF1\x79\x98\xB5\xAD\xD4\xCD\xB3\x36\xC4\x96\x48\xC1\x5C\xCD\x9A\xD9\x05\x2E\x9F\xBE\x50\xEB\xF4\x26\x14\x10\x2D\xD4\x66\x17\xF8\x9E\xC1\x27\xFD\xF1\xED\xE4\x7B\x4B\xA0\x6C\xB5\xAB\x9A\x57\x70\xA6\xED\xA0\xA4\xED\x2E\xF5\xFD\xFC\xBD\xFE\x4D\x37\x08\x0C\xBC\xE3\x96\x83\x22\xF5\x49\x1B\x7F\x4B\x2B\xB4\x54\xC1\x80\x7C\x99\x4E\x1D\xD0\x8C\xEE\xD0\xAC\xE5\x92\xFA\x75\x56\xFE\x64\xA0\x13\x8F\xB8\xB8\x16\x9D\x61\x05\x67\x80\xC8\xD0\xD8\xA5\x07\x02\x34\x98\x04\x8D\x33\x04\xD4",
+	["CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US"] = "\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x10\x50\x94\x6C\xEC\x18\xEA\xD5\x9C\x4D\xD5\x97\xEF\x75\x8F\xA0\xAD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x31\x30\x31\x31\x37\x31\x34\x30\x34\x5A\x17\x0D\x33\x35\x30\x31\x30\x31\x30\x35\x33\x37\x31\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x98\x24\x1E\xBD\x15\xB4\xBA\xDF\xC7\x8C\xA5\x27\xB6\x38\x0B\x69\xF3\xB6\x4E\xA8\x2C\x2E\x21\x1D\x5C\x44\xDF\x21\x5D\x7E\x23\x74\xFE\x5E\x7E\xB4\x4A\xB7\xA6\xAD\x1F\xAE\xE0\x06\x16\xE2\x9B\x5B\xD9\x67\x74\x6B\x5D\x80\x8F\x29\x9D\x86\x1B\xD9\x9C\x0D\x98\x6D\x76\x10\x28\x58\xE4\x65\xB0\x7F\x4A\x98\x79\x9F\xE0\xC3\x31\x7E\x80\x2B\xB5\x8C\xC0\x40\x3B\x11\x86\xD0\xCB\xA2\x86\x36\x60\xA4\xD5\x30\x82\x6D\xD9\x6E\xD0\x0F\x12\x04\x33\x97\x5F\x4F\x61\x5A\xF0\xE4\xF9\x91\xAB\xE7\x1D\x3B\xBC\xE8\xCF\xF4\x6B\x2D\x34\x7C\xE2\x48\x61\x1C\x8E\xF3\x61\x44\xCC\x6F\xA0\x4A\xA9\x94\xB0\x4D\xDA\xE7\xA9\x34\x7A\x72\x38\xA8\x41\xCC\x3C\x94\x11\x7D\xEB\xC8\xA6\x8C\xB7\x86\xCB\xCA\x33\x3B\xD9\x3D\x37\x8B\xFB\x7A\x3E\x86\x2C\xE7\x73\xD7\x0A\x57\xAC\x64\x9B\x19\xEB\xF4\x0F\x04\x08\x8A\xAC\x03\x17\x19\x64\xF4\x5A\x25\x22\x8D\x34\x2C\xB2\xF6\x68\x1D\x12\x6D\xD3\x8A\x1E\x14\xDA\xC4\x8F\xA6\xE2\x23\x85\xD5\x7A\x0D\xBD\x6A\xE0\xE9\xEC\xEC\x17\xBB\x42\x1B\x67\xAA\x25\xED\x45\x83\x21\xFC\xC1\xC9\x7C\xD5\x62\x3E\xFA\xF2\xC5\x2D\xD3\xFD\xD4\x65\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC6\x4F\xA2\x3D\x06\x63\x84\x09\x9C\xCE\x62\xE4\x04\xAC\x8D\x5C\xB5\xE9\xB6\x1B\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x2F\x58\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x91\x15\x39\x03\x01\x1B\x67\xFB\x4A\x1C\xF9\x0A\x60\x5B\xA1\xDA\x4D\x97\x62\xF9\x24\x53\x27\xD7\x82\x64\x4E\x90\x2E\xC3\x49\x1B\x2B\x9A\xDC\xFC\xA8\x78\x67\x35\xF1\x1D\xF0\x11\xBD\xB7\x48\xE3\x10\xF6\x0D\xDF\x3F\xD2\xC9\xB6\xAA\x55\xA4\x48\xBA\x02\xDB\xDE\x59\x2E\x15\x5B\x3B\x9D\x16\x7D\x47\xD7\x37\xEA\x5F\x4D\x76\x12\x36\xBB\x1F\xD7\xA1\x81\x04\x46\x20\xA3\x2C\x6D\xA9\x9E\x01\x7E\x3F\x29\xCE\x00\x93\xDF\xFD\xC9\x92\x73\x89\x89\x64\x9E\xE7\x2B\xE4\x1C\x91\x2C\xD2\xB9\xCE\x7D\xCE\x6F\x31\x99\xD3\xE6\xBE\xD2\x1E\x90\xF0\x09\x14\x79\x5C\x23\xAB\x4D\xD2\xDA\x21\x1F\x4D\x99\x79\x9D\xE1\xCF\x27\x9F\x10\x9B\x1C\x88\x0D\xB0\x8A\x64\x41\x31\xB8\x0E\x6C\x90\x24\xA4\x9B\x5C\x71\x8F\xBA\xBB\x7E\x1C\x1B\xDB\x6A\x80\x0F\x21\xBC\xE9\xDB\xA6\xB7\x40\xF4\xB2\x8B\xA9\xB1\xE4\xEF\x9A\x1A\xD0\x3D\x69\x99\xEE\xA8\x28\xA3\xE1\x3C\xB3\xF0\xB2\x11\x9C\xCF\x7C\x40\xE6\xDD\xE7\x43\x7D\xA2\xD8\x3A\xB5\xA9\x8D\xF2\x34\x99\xC4\xD4\x10\xE1\x06\xFD\x09\x84\x10\x3B\xEE\xC4\x4C\xF4\xEC\x27\x7C\x42\xC2\x74\x7C\x82\x8A\x09\xC9\xB4\x03\x25\xBC",
+	["OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US"] = "\x30\x82\x04\x00\x30\x82\x02\xE8\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xDE\x9D\xD7\xEA\x57\x18\x49\xA1\x5B\xEB\xD7\x5F\x48\x86\xEA\xBE\xDD\xFF\xE4\xEF\x67\x1C\xF4\x65\x68\xB3\x57\x71\xA0\x5E\x77\xBB\xED\x9B\x49\xE9\x70\x80\x3D\x56\x18\x63\x08\x6F\xDA\xF2\xCC\xD0\x3F\x7F\x02\x54\x22\x54\x10\xD8\xB2\x81\xD4\xC0\x75\x3D\x4B\x7F\xC7\x77\xC3\x3E\x78\xAB\x1A\x03\xB5\x20\x6B\x2F\x6A\x2B\xB1\xC5\x88\x7E\xC4\xBB\x1E\xB0\xC1\xD8\x45\x27\x6F\xAA\x37\x58\xF7\x87\x26\xD7\xD8\x2D\xF6\xA9\x17\xB7\x1F\x72\x36\x4E\xA6\x17\x3F\x65\x98\x92\xDB\x2A\x6E\x5D\xA2\xFE\x88\xE0\x0B\xDE\x7F\xE5\x8D\x15\xE1\xEB\xCB\x3A\xD5\xE2\x12\xA2\x13\x2D\xD8\x8E\xAF\x5F\x12\x3D\xA0\x08\x05\x08\xB6\x5C\xA5\x65\x38\x04\x45\x99\x1E\xA3\x60\x60\x74\xC5\x41\xA5\x72\x62\x1B\x62\xC5\x1F\x6F\x5F\x1A\x42\xBE\x02\x51\x65\xA8\xAE\x23\x18\x6A\xFC\x78\x03\xA9\x4D\x7F\x80\xC3\xFA\xAB\x5A\xFC\xA1\x40\xA4\xCA\x19\x16\xFE\xB2\xC8\xEF\x5E\x73\x0D\xEE\x77\xBD\x9A\xF6\x79\x98\xBC\xB1\x07\x67\xA2\x15\x0D\xDD\xA0\x58\xC6\x44\x7B\x0A\x3E\x62\x28\x5F\xBA\x41\x07\x53\x58\xCF\x11\x7E\x38\x74\xC5\xF8\xFF\xB5\x69\x90\x8F\x84\x74\xEA\x97\x1B\xAF\x02\x01\x03\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\x30\x81\x8D\x06\x03\x55\x1D\x23\x04\x81\x85\x30\x81\x82\x80\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\xA1\x67\xA4\x65\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x32\x4B\xF3\xB2\xCA\x3E\x91\xFC\x12\xC6\xA1\x07\x8C\x8E\x77\xA0\x33\x06\x14\x5C\x90\x1E\x18\xF7\x08\xA6\x3D\x0A\x19\xF9\x87\x80\x11\x6E\x69\xE4\x96\x17\x30\xFF\x34\x91\x63\x72\x38\xEE\xCC\x1C\x01\xA3\x1D\x94\x28\xA4\x31\xF6\x7A\xC4\x54\xD7\xF6\xE5\x31\x58\x03\xA2\xCC\xCE\x62\xDB\x94\x45\x73\xB5\xBF\x45\xC9\x24\xB5\xD5\x82\x02\xAD\x23\x79\x69\x8D\xB8\xB6\x4D\xCE\xCF\x4C\xCA\x33\x23\xE8\x1C\x88\xAA\x9D\x8B\x41\x6E\x16\xC9\x20\xE5\x89\x9E\xCD\x3B\xDA\x70\xF7\x7E\x99\x26\x20\x14\x54\x25\xAB\x6E\x73\x85\xE6\x9B\x21\x9D\x0A\x6C\x82\x0E\xA8\xF8\xC2\x0C\xFA\x10\x1E\x6C\x96\xEF\x87\x0D\xC4\x0F\x61\x8B\xAD\xEE\x83\x2B\x95\xF8\x8E\x92\x84\x72\x39\xEB\x20\xEA\x83\xED\x83\xCD\x97\x6E\x08\xBC\xEB\x4E\x26\xB6\x73\x2B\xE4\xD3\xF6\x4C\xFE\x26\x71\xE2\x61\x11\x74\x4A\xFF\x57\x1A\x87\x0F\x75\x48\x2E\xCF\x51\x69\x17\xA0\x02\x12\x61\x95\xD5\xD1\x40\xB2\x10\x4C\xEE\xC4\xAC\x10\x43\xA6\xA5\x9E\x0A\xD5\x95\x62\x9A\x0D\xCF\x88\x82\xC5\x32\x0C\xE4\x2B\x9F\x45\xE6\x0D\x9F\x28\x9C\xB1\xB9\x2A\x5A\x57\xAD\x37\x0F\xAF\x1D\x7F\xDB\xBD\x9F",
+	["OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US"] = "\x30\x82\x04\x0F\x30\x82\x02\xF7\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x32\xC8\xFE\xE9\x71\xA6\x04\x85\xAD\x0C\x11\x64\xDF\xCE\x4D\xEF\xC8\x03\x18\x87\x3F\xA1\xAB\xFB\x3C\xA6\x9F\xF0\xC3\xA1\xDA\xD4\xD8\x6E\x2B\x53\x90\xFB\x24\xA4\x3E\x84\xF0\x9E\xE8\x5F\xEC\xE5\x27\x44\xF5\x28\xA6\x3F\x7B\xDE\xE0\x2A\xF0\xC8\xAF\x53\x2F\x9E\xCA\x05\x01\x93\x1E\x8F\x66\x1C\x39\xA7\x4D\xFA\x5A\xB6\x73\x04\x25\x66\xEB\x77\x7F\xE7\x59\xC6\x4A\x99\x25\x14\x54\xEB\x26\xC7\xF3\x7F\x19\xD5\x30\x70\x8F\xAF\xB0\x46\x2A\xFF\xAD\xEB\x29\xED\xD7\x9F\xAA\x04\x87\xA3\xD4\xF9\x89\xA5\x34\x5F\xDB\x43\x91\x82\x36\xD9\x66\x3C\xB1\xB8\xB9\x82\xFD\x9C\x3A\x3E\x10\xC8\x3B\xEF\x06\x65\x66\x7A\x9B\x19\x18\x3D\xFF\x71\x51\x3C\x30\x2E\x5F\xBE\x3D\x77\x73\xB2\x5D\x06\x6C\xC3\x23\x56\x9A\x2B\x85\x26\x92\x1C\xA7\x02\xB3\xE4\x3F\x0D\xAF\x08\x79\x82\xB8\x36\x3D\xEA\x9C\xD3\x35\xB3\xBC\x69\xCA\xF5\xCC\x9D\xE8\xFD\x64\x8D\x17\x80\x33\x6E\x5E\x4A\x5D\x99\xC9\x1E\x87\xB4\x9D\x1A\xC0\xD5\x6E\x13\x35\x23\x5E\xDF\x9B\x5F\x3D\xEF\xD6\xF7\x76\xC2\xEA\x3E\xBB\x78\x0D\x1C\x42\x67\x6B\x04\xD8\xF8\xD6\xDA\x6F\x8B\xF2\x44\xA0\x01\xAB\x02\x01\x03\xA3\x81\xC5\x30\x81\xC2\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\x30\x81\x92\x06\x03\x55\x1D\x23\x04\x81\x8A\x30\x81\x87\x80\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\x9D\x3F\x88\x9D\xD1\xC9\x1A\x55\xA1\xAC\x69\xF3\xF3\x59\xDA\x9B\x01\x87\x1A\x4F\x57\xA9\xA1\x79\x09\x2A\xDB\xF7\x2F\xB2\x1E\xCC\xC7\x5E\x6A\xD8\x83\x87\xA1\x97\xEF\x49\x35\x3E\x77\x06\x41\x58\x62\xBF\x8E\x58\xB8\x0A\x67\x3F\xEC\xB3\xDD\x21\x66\x1F\xC9\x54\xFA\x72\xCC\x3D\x4C\x40\xD8\x81\xAF\x77\x9E\x83\x7A\xBB\xA2\xC7\xF5\x34\x17\x8E\xD9\x11\x40\xF4\xFC\x2C\x2A\x4D\x15\x7F\xA7\x62\x5D\x2E\x25\xD3\x00\x0B\x20\x1A\x1D\x68\xF9\x17\xB8\xF4\xBD\x8B\xED\x28\x59\xDD\x4D\x16\x8B\x17\x83\xC8\xB2\x65\xC7\x2D\x7A\xA5\xAA\xBC\x53\x86\x6D\xDD\x57\xA4\xCA\xF8\x20\x41\x0B\x68\xF0\xF4\xFB\x74\xBE\x56\x5D\x7A\x79\xF5\xF9\x1D\x85\xE3\x2D\x95\xBE\xF5\x71\x90\x43\xCC\x8D\x1F\x9A\x00\x0A\x87\x29\xE9\x55\x22\x58\x00\x23\xEA\xE3\x12\x43\x29\x5B\x47\x08\xDD\x8C\x41\x6A\x65\x06\xA8\xE5\x21\xAA\x41\xB4\x95\x21\x95\xB9\x7D\xD1\x34\xAB\x13\xD6\xAD\xBC\xDC\xE2\x3D\x39\xCD\xBD\x3E\x75\x70\xA1\x18\x59\x03\xC9\x22\xB4\x8F\x9C\xD5\x5E\x2A\xD7\xA5\xB6\xD4\x0A\x6D\xF8\xB7\x40\x11\x46\x9A\x1F\x79\x0E\x62\xBF\x0F\x97\xEC\xE0\x2F\x1F\x17\x94",
+	["CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL"] = "\x30\x82\x07\xC9\x30\x82\x05\xB1\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x17\x0D\x33\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC1\x88\xDB\x09\xBC\x6C\x46\x7C\x78\x9F\x95\x7B\xB5\x33\x90\xF2\x72\x62\xD6\xC1\x36\x20\x22\x24\x5E\xCE\xE9\x77\xF2\x43\x0A\xA2\x06\x64\xA4\xCC\x8E\x36\xF8\x38\xE6\x23\xF0\x6E\x6D\xB1\x3C\xDD\x72\xA3\x85\x1C\xA1\xD3\x3D\xB4\x33\x2B\xD3\x2F\xAF\xFE\xEA\xB0\x41\x59\x67\xB6\xC4\x06\x7D\x0A\x9E\x74\x85\xD6\x79\x4C\x80\x37\x7A\xDF\x39\x05\x52\x59\xF7\xF4\x1B\x46\x43\xA4\xD2\x85\x85\xD2\xC3\x71\xF3\x75\x62\x34\xBA\x2C\x8A\x7F\x1E\x8F\xEE\xED\x34\xD0\x11\xC7\x96\xCD\x52\x3D\xBA\x33\xD6\xDD\x4D\xDE\x0B\x3B\x4A\x4B\x9F\xC2\x26\x2F\xFA\xB5\x16\x1C\x72\x35\x77\xCA\x3C\x5D\xE6\xCA\xE1\x26\x8B\x1A\x36\x76\x5C\x01\xDB\x74\x14\x25\xFE\xED\xB5\xA0\x88\x0F\xDD\x78\xCA\x2D\x1F\x07\x97\x30\x01\x2D\x72\x79\xFA\x46\xD6\x13\x2A\xA8\xB9\xA6\xAB\x83\x49\x1D\xE5\xF2\xEF\xDD\xE4\x01\x8E\x18\x0A\x8F\x63\x53\x16\x85\x62\xA9\x0E\x19\x3A\xCC\xB5\x66\xA6\xC2\x6B\x74\x07\xE4\x2B\xE1\x76\x3E\xB4\x6D\xD8\xF6\x44\xE1\x73\x62\x1F\x3B\xC4\xBE\xA0\x53\x56\x25\x6C\x51\x09\xF7\xAA\xAB\xCA\xBF\x76\xFD\x6D\x9B\xF3\x9D\xDB\xBF\x3D\x66\xBC\x0C\x56\xAA\xAF\x98\x48\x95\x3A\x4B\xDF\xA7\x58\x50\xD9\x38\x75\xA9\x5B\xEA\x43\x0C\x02\xFF\x99\xEB\xE8\x6C\x4D\x70\x5B\x29\x65\x9C\xDD\xAA\x5D\xCC\xAF\x01\x31\xEC\x0C\xEB\xD2\x8D\xE8\xEA\x9C\x7B\xE6\x6E\xF7\x27\x66\x0C\x1A\x48\xD7\x6E\x42\xE3\x3F\xDE\x21\x3E\x7B\xE1\x0D\x70\xFB\x63\xAA\xA8\x6C\x1A\x54\xB4\x5C\x25\x7A\xC9\xA2\xC9\x8B\x16\xA6\xBB\x2C\x7E\x17\x5E\x05\x4D\x58\x6E\x12\x1D\x01\xEE\x12\x10\x0D\xC6\x32\x7F\x18\xFF\xFC\xF4\xFA\xCD\x6E\x91\xE8\x36\x49\xBE\x1A\x48\x69\x8B\xC2\x96\x4D\x1A\x12\xB2\x69\x17\xC1\x0A\x90\xD6\xFA\x79\x22\x48\xBF\xBA\x7B\x69\xF8\x70\xC7\xFA\x7A\x37\xD8\xD8\x0D\xD2\x76\x4F\x57\xFF\x90\xB7\xE3\x91\xD2\xDD\xEF\xC2\x60\xB7\x67\x3A\xDD\xFE\xAA\x9C\xF0\xD4\x8B\x7F\x72\x22\xCE\xC6\x9F\x97\xB6\xF8\xAF\x8A\xA0\x10\xA8\xD9\xFB\x18\xC6\xB6\xB5\x5C\x52\x3C\x89\xB6\x19\x2A\x73\x01\x0A\x0F\x03\xB3\x12\x60\xF2\x7A\x2F\x81\xDB\xA3\x6E\xFF\x26\x30\x97\xF5\x8B\xDD\x89\x57\xB6\xAD\x3D\xB3\xAF\x2B\xC5\xB7\x76\x02\xF0\xA5\xD6\x2B\x9A\x86\x14\x2A\x72\xF6\xE3\x33\x8C\x5D\x09\x4B\x13\xDF\xBB\x8C\x74\x13\x52\x4B\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xAE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x0B\xEF\x1A\xA4\x40\x5B\xA5\x17\x69\x87\x30\xCA\x34\x68\x43\xD0\x41\xAE\xF2\x30\x64\x06\x03\x55\x1D\x1F\x04\x5D\x30\x5B\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x82\x01\x5D\x06\x03\x55\x1D\x20\x04\x82\x01\x54\x30\x82\x01\x50\x30\x82\x01\x4C\x06\x0B\x2B\x06\x01\x04\x01\x81\xB5\x37\x01\x01\x01\x30\x82\x01\x3B\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x29\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x69\x6E\x74\x65\x72\x6D\x65\x64\x69\x61\x74\x65\x2E\x70\x64\x66\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x30\x27\x16\x20\x53\x74\x61\x72\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x28\x53\x74\x61\x72\x74\x43\x6F\x6D\x29\x20\x4C\x74\x64\x2E\x30\x03\x02\x01\x01\x1A\x81\x97\x4C\x69\x6D\x69\x74\x65\x64\x20\x4C\x69\x61\x62\x69\x6C\x69\x74\x79\x2C\x20\x72\x65\x61\x64\x20\x74\x68\x65\x20\x73\x65\x63\x74\x69\x6F\x6E\x20\x2A\x4C\x65\x67\x61\x6C\x20\x4C\x69\x6D\x69\x74\x61\x74\x69\x6F\x6E\x73\x2A\x20\x6F\x66\x20\x74\x68\x65\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x50\x6F\x6C\x69\x63\x79\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x38\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x2B\x16\x29\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x46\x72\x65\x65\x20\x53\x53\x4C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x16\x6C\x99\xF4\x66\x0C\x34\xF5\xD0\x85\x5E\x7D\x0A\xEC\xDA\x10\x4E\x38\x1C\x5E\xDF\xA6\x25\x05\x4B\x91\x32\xC1\xE8\x3B\xF1\x3D\xDD\x44\x09\x5B\x07\x49\x8A\x29\xCB\x66\x02\xB7\xB1\x9A\xF7\x25\x98\x09\x3C\x8E\x1B\xE1\xDD\x36\x87\x2B\x4B\xBB\x68\xD3\x39\x66\x3D\xA0\x26\xC7\xF2\x39\x91\x1D\x51\xAB\x82\x7B\x7E\xD5\xCE\x5A\xE4\xE2\x03\x57\x70\x69\x97\x08\xF9\x5E\x58\xA6\x0A\xDF\x8C\x06\x9A\x45\x16\x16\x38\x0A\x5E\x57\xF6\x62\xC7\x7A\x02\x05\xE6\xBC\x1E\xB5\xF2\x9E\xF4\xA9\x29\x83\xF8\xB2\x14\xE3\x6E\x28\x87\x44\xC3\x90\x1A\xDE\x38\xA9\x3C\xAC\x43\x4D\x64\x45\xCE\xDD\x28\xA9\x5C\xF2\x73\x7B\x04\xF8\x17\xE8\xAB\xB1\xF3\x2E\x5C\x64\x6E\x73\x31\x3A\x12\xB8\xBC\xB3\x11\xE4\x7D\x8F\x81\x51\x9A\x3B\x8D\x89\xF4\x4D\x93\x66\x7B\x3C\x03\xED\xD3\x9A\x1D\x9A\xF3\x65\x50\xF5\xA0\xD0\x75\x9F\x2F\xAF\xF0\xEA\x82\x43\x98\xF8\x69\x9C\x89\x79\xC4\x43\x8E\x46\x72\xE3\x64\x36\x12\xAF\xF7\x25\x1E\x38\x89\x90\x77\x7E\xC3\x6B\x6A\xB9\xC3\xCB\x44\x4B\xAC\x78\x90\x8B\xE7\xC7\x2C\x1E\x4B\x11\x44\xC8\x34\x52\x27\xCD\x0A\x5D\x9F\x85\xC1\x89\xD5\x1A\x78\xF2\x95\x10\x53\x32\xDD\x80\x84\x66\x75\xD9\xB5\x68\x28\xFB\x61\x2E\xBE\x84\xA8\x38\xC0\x99\x12\x86\xA5\x1E\x67\x64\xAD\x06\x2E\x2F\xA9\x70\x85\xC7\x96\x0F\x7C\x89\x65\xF5\x8E\x43\x54\x0E\xAB\xDD\xA5\x80\x39\x94\x60\xC0\x34\xC9\x96\x70\x2C\xA3\x12\xF5\x1F\x48\x7B\xBD\x1C\x7E\x6B\xB7\x9D\x90\xF4\x22\x3B\xAE\xF8\xFC\x2A\xCA\xFA\x82\x52\xA0\xEF\xAF\x4B\x55\x93\xEB\xC1\xB5\xF0\x22\x8B\xAC\x34\x4E\x26\x22\x04\xA1\x87\x2C\x75\x4A\xB7\xE5\x7D\x13\xD7\xB8\x0C\x64\xC0\x36\xD2\xC9\x2F\x86\x12\x8C\x23\x09\xC1\x1B\x82\x3B\x73\x49\xA3\x6A\x57\x87\x94\xE5\xD6\x78\xC5\x99\x43\x63\xE3\x4D\xE0\x77\x2D\xE1\x65\x99\x72\x69\x04\x1A\x47\x09\xE6\x0F\x01\x56\x24\xFB\x1F\xBF\x0E\x79\xA9\x58\x2E\xB9\xC4\x09\x01\x7E\x95\xBA\x6D\x00\x06\x3E\xB2\xEA\x4A\x10\x39\xD8\xD0\x2B\xF5\xBF\xEC\x75\xBF\x97\x02\xC5\x09\x1B\x08\xDC\x55\x37\xE2\x81\xFB\x37\x84\x43\x62\x20\xCA\xE7\x56\x4B\x65\xEA\xFE\x6C\xC1\x24\x93\x24\xA1\x34\xEB\x05\xFF\x9A\x22\xAE\x9B\x7D\x3F\xF1\x65\x51\x0A\xA6\x30\x6A\xB3\xF4\x88\x1C\x80\x0D\xFC\x72\x8A\xE8\x83\x5E",
+	["O=Government Root Certification Authority,C=TW"] = "\x30\x82\x05\x72\x30\x82\x03\x5A\xA0\x03\x02\x01\x02\x02\x10\x1F\x9D\x59\x5A\xD7\x2F\xC2\x06\x44\xA5\x80\x08\x69\xE3\x5E\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x17\x0D\x33\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x25\xB8\xEC\xCC\xA2\x75\xA8\x7B\xF7\xCE\x5B\x59\x8A\xC9\xD1\x86\x12\x08\x54\xEC\x9C\xF2\xE7\x46\xF6\x88\xF3\x7C\xE9\xA5\xDF\x4C\x47\x36\xA4\x1B\x01\x1C\x7F\x1E\x57\x8A\x8D\xC3\xC5\xD1\x21\xE3\xDA\x24\x3F\x48\x2B\xFB\x9F\x2E\xA1\x94\xE7\x2C\x1C\x93\xD1\xBF\x1B\x01\x87\x53\x99\xCE\xA7\xF5\x0A\x21\x76\x77\xFF\xA9\xB7\xC6\x73\x94\x4F\x46\xF7\x10\x49\x37\xFA\xA8\x59\x49\x5D\x6A\x81\x07\x56\xF2\x8A\xF9\x06\xD0\xF7\x70\x22\x4D\xB4\xB7\x41\xB9\x32\xB8\xB1\xF0\xB1\xC3\x9C\x3F\x70\xFD\x53\xDD\x81\xAA\xD8\x63\x78\xF6\xD8\x53\x6E\xA1\xAC\x6A\x84\x24\x72\x54\x86\xC6\xD2\xB2\xCA\x1C\x0E\x79\x81\xD6\xB5\x70\x62\x08\x01\x2E\x4E\x4F\x0E\xD5\x11\xAF\xA9\xAF\xE5\x9A\xBF\xDC\xCC\x87\x6D\x26\xE4\xC9\x57\xA2\xFB\x96\xF9\xCC\xE1\x3F\x53\x8C\x6C\x4C\x7E\x9B\x53\x08\x0B\x6C\x17\xFB\x67\xC8\xC2\xAD\xB1\xCD\x80\xB4\x97\xDC\x76\x01\x16\x15\xE9\x6A\xD7\xA4\xE1\x78\x47\xCE\x86\xD5\xFB\x31\xF3\xFA\x31\xBE\x34\xAA\x28\xFB\x70\x4C\x1D\x49\xC7\xAF\x2C\x9D\x6D\x66\xA6\xB6\x8D\x64\x7E\xB5\x20\x6A\x9D\x3B\x81\xB6\x8F\x40\x00\x67\x4B\x89\x86\xB8\xCC\x65\xFE\x15\x53\xE9\x04\xC1\xD6\x5F\x1D\x44\xD7\x0A\x2F\x27\x9A\x46\x7D\xA1\x0D\x75\xAD\x54\x86\x15\xDC\x49\x3B\xF1\x96\xCE\x0F\x9B\xA0\xEC\xA3\x7A\x5D\xBE\xD5\x2A\x75\x42\xE5\x7B\xDE\xA5\xB6\xAA\xAF\x28\xAC\xAC\x90\xAC\x38\xB7\xD5\x68\x35\x26\x7A\xDC\xF7\x3B\xF3\xFD\x45\x9B\xD1\xBB\x43\x78\x6E\x6F\xF1\x42\x54\x6A\x98\xF0\x0D\xAD\x97\xE9\x52\x5E\xE9\xD5\x6A\x72\xDE\x6A\xF7\x1B\x60\x14\xF4\xA5\xE4\xB6\x71\x67\xAA\x1F\xEA\xE2\x4D\xC1\x42\x40\xFE\x67\x46\x17\x38\x2F\x47\x3F\x71\x9C\xAE\xE5\x21\xCA\x61\x2D\x6D\x07\xA8\x84\x7C\x2D\xEE\x51\x25\xF1\x63\x90\x9E\xFD\xE1\x57\x88\x6B\xEF\x8A\x23\x6D\xB1\xE6\xBD\x3F\xAD\xD1\x3D\x96\x0B\x85\x8D\xCD\x6B\x27\xBB\xB7\x05\x9B\xEC\xBB\x91\xA9\x0A\x07\x12\x02\x97\x4E\x20\x90\xF0\xFF\x0D\x1E\xE2\x41\x3B\xD3\x40\x3A\xE7\x8D\x5D\xDA\x66\xE4\x02\xB0\x07\x52\x98\x5C\x0E\x8E\x33\x9C\xC2\xA6\x95\xFB\x55\x19\x6E\x4C\x8E\xAE\x4B\x0F\xBD\xC1\x38\x4D\x5E\x8F\x84\x1D\x66\xCD\xC5\x60\x96\xB4\x52\x5A\x05\x89\x8E\x95\x7A\x98\xC1\x91\x3C\x95\x23\xB2\x0E\xF4\x79\xB4\xC9\x7C\xC1\x4A\x21\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCC\xCC\xEF\xCC\x29\x60\xA4\x3B\xB1\x92\xB6\x3C\xFA\x32\x62\x8F\xAC\x25\x15\x3B\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x03\x9B\xF0\x22\x13\xFF\x95\x28\x36\xD3\xDC\x9E\xC0\x32\xFB\x31\x3A\x8A\x51\x65\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x40\x80\x4A\xFA\x26\xC9\xCE\x5E\x30\xDD\x4F\x86\x74\x76\x58\xF5\xAE\xB3\x83\x33\x78\xA4\x7A\x74\x17\x19\x4E\xE9\x52\xB5\xB9\xE0\x0A\x74\x62\xAA\x68\xCA\x78\xA0\x4C\x9A\x8E\x2C\x23\x2E\xD5\x6A\x12\x24\xBF\xD4\x68\xD3\x8A\xD0\xD8\x9C\x9F\xB4\x1F\x0C\xDE\x38\x7E\x57\x38\xFC\x8D\xE2\x4F\x5E\x0C\x9F\xAB\x3B\xD2\xFF\x75\x97\xCB\xA4\xE3\x67\x08\xFF\xE5\xC0\x16\xB5\x48\x01\x7D\xE9\xF9\x0A\xFF\x1B\xE5\x6A\x69\xBF\x78\x21\xA8\xC2\xA7\x23\xA9\x86\xAB\x76\x56\xE8\x0E\x0C\xF6\x13\xDD\x2A\x66\x8A\x64\x49\x3D\x1A\x18\x87\x90\x04\x9F\x42\x52\xB7\x4F\xCB\xFE\x47\x41\x76\x35\xEF\xFF\x00\x76\x36\x45\x32\x9B\xC6\x46\x85\x5D\xE2\x24\xB0\x1E\xE3\x48\x96\x98\x57\x47\x94\x55\x7A\x0F\x41\xB1\x44\x24\xF3\xC1\xFE\x1A\x6B\xBF\x88\xFD\xC1\xA6\xDA\x93\x60\x5E\x81\x4A\x99\x20\x9C\x48\x66\x19\xB5\x00\x79\x54\x0F\xB8\x2C\x2F\x4B\xBC\xA9\x5D\x5B\x60\x7F\x8C\x87\xA5\xE0\x52\x63\x2A\xBE\xD8\x3B\x85\x40\x15\xFE\x1E\xB6\x65\x3F\xC5\x4B\xDA\x7E\xB5\x7A\x35\x29\xA3\x2E\x7A\x98\x60\x22\xA3\xF4\x7D\x27\x4E\x2D\xEA\xB4\x74\x3C\xE9\x0F\xA4\x33\x0F\x10\x11\xBC\x13\x01\xD6\xE5\x0E\xD3\xBF\xB5\x12\xA2\xE1\x45\x23\xC0\xCC\x08\x6E\x61\xB7\x89\xAB\x83\xE3\x24\x1E\xE6\x5D\x07\xE7\x1F\x20\x3E\xCF\x67\xC8\xE7\xAC\x30\x6D\x27\x4B\x68\x6E\x4B\x2A\x5C\x02\x08\x34\xDB\xF8\x76\xE4\x67\xA3\x26\x9C\x3F\xA2\x32\xC2\x4A\xC5\x81\x18\x31\x10\x56\xAA\x84\xEF\x2D\x0A\xFF\xB8\x1F\x77\xD2\xBF\xA5\x58\xA0\x62\xE4\xD7\x4B\x91\x75\x8D\x89\x80\x98\x7E\x6D\xCB\x53\x4E\x5E\xAF\xF6\xB2\x97\x85\x97\xB9\xDA\x55\x06\xB9\x24\xEE\xD7\xC6\x38\x1E\x63\x1B\x12\x3B\x95\xE1\x58\xAC\xF2\xDF\x84\xD5\x5F\x99\x2F\x0D\x55\x5B\xE6\x38\xDB\x2E\x3F\x72\xE9\x48\x85\xCB\xBB\x29\x13\x8F\x1E\x38\x55\xB9\xF3\xB2\xC4\x30\x99\x23\x4E\x5D\xF2\x48\xA1\x12\x0C\xDC\x12\x90\x09\x90\x54\x91\x03\x3C\x47\xE5\xD5\xC9\x65\xE0\xB7\x4B\x7D\xEC\x47\xD3\xB3\x0B\x3E\xAD\x9E\xD0\x74\x00\x0E\xEB\xBD\x51\xAD\xC0\xDE\x2C\xC0\xC3\x6A\xFE\xEF\xDC\x0B\xA7\xFA\x46\xDF\x60\xDB\x9C\xA6\x59\x50\x75\x23\x69\x73\x93\xB2\xF9\xFC\x02\xD3\x47\xE6\x71\xCE\x10\x02\xEE\x27\x8C\x84\xFF\xAC\x45\x0D\x13\x5C\x83\x32\xE0\x25\xA5\x86\x2C\x7C\xF4\x12",
+	["emailAddress=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES"] = "\x30\x82\x04\x57\x30\x82\x03\x3F\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x9D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x22\x30\x20\x06\x03\x55\x04\x07\x13\x19\x43\x2F\x20\x4D\x75\x6E\x74\x61\x6E\x65\x72\x20\x32\x34\x34\x20\x42\x61\x72\x63\x65\x6C\x6F\x6E\x61\x31\x42\x30\x40\x06\x03\x55\x04\x03\x13\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x61\x40\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x30\x31\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x17\x0D\x31\x33\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x30\x81\x9D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x22\x30\x20\x06\x03\x55\x04\x07\x13\x19\x43\x2F\x20\x4D\x75\x6E\x74\x61\x6E\x65\x72\x20\x32\x34\x34\x20\x42\x61\x72\x63\x65\x6C\x6F\x6E\x61\x31\x42\x30\x40\x06\x03\x55\x04\x03\x13\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x61\x40\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE7\x23\x03\x6F\x6F\x23\xA5\x5E\x78\xCE\x95\x2C\xED\x94\x1E\x6E\x0A\x9E\x01\xC7\xEA\x30\xD1\x2C\x9D\xDD\x37\xE8\x9B\x98\x79\x56\xD3\xFC\x73\xDF\xD0\x8A\xDE\x55\x8F\x51\xF9\x5A\xEA\xDE\xB5\x70\xC4\xED\xA4\xED\xFF\xA3\x0D\x6E\x0F\x64\x50\x31\xAF\x01\x27\x58\xAE\xFE\x6C\xA7\x4A\x2F\x17\x2D\xD3\x73\xD5\x13\x1C\x8F\x59\xA5\x34\x2C\x1D\x54\x04\x45\xCD\x68\xB8\xA0\xC0\x03\xA5\xCF\x85\x42\x47\x95\x28\x5B\xCF\xEF\x80\x6C\xE0\x90\x97\x8A\x01\x3C\x1D\xF3\x87\x10\x30\x26\x48\x7D\xD7\xFC\xE9\x9D\x91\x71\xFF\x41\x9A\xA9\x40\xB5\x37\x9C\x29\x20\x4F\x1F\x52\xE3\xA0\x7D\x13\x6D\x54\xB7\x0A\xDE\xE9\x6A\x4E\x07\xAC\xAC\x19\x5F\xDC\x7E\x62\x74\xF6\xB2\x05\x00\xBA\x85\xA0\xFD\x1D\x38\x6E\xCB\x5A\xBB\x86\xBC\x94\x67\x33\x35\x83\x2C\x1F\x23\xCD\xF8\xC8\x91\x71\xCC\x97\x8B\xEF\xAE\x0F\xDC\x29\x03\x1B\xC0\x39\xEB\x70\xED\xC1\x6E\x0E\xD8\x67\x0B\x89\xA9\xBC\x35\xE4\xEF\xB6\x34\xB4\xA5\xB6\xC4\x2D\xA5\xBE\xD0\xC3\x94\x24\x48\xDB\xDF\x96\xD3\x00\xB5\x66\x1A\x8B\x66\x05\x0F\xDD\x3F\x3F\xCB\x3F\xAA\x5E\x9A\x4A\xF8\xB4\x4A\xEF\x95\x37\x1B\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x86\x1F\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x31\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x81\x0F\x32\x30\x31\x33\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x33\x0B\xA0\x66\xD1\xEA\xDA\xCE\xDE\x62\x93\x04\x28\x52\xB5\x14\x7F\x38\x68\xB7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x47\x73\xFE\x8D\x27\x54\xF0\xF5\xD4\x77\x9C\x27\x79\x57\x57\xB7\x15\x56\xEC\xC7\xD8\x58\xB7\x01\x02\xF4\x33\xED\x93\x50\x88\x9E\x7C\x46\xB1\xBD\x3F\x14\x6F\xF1\xB3\x47\x48\x8B\x8C\x97\x06\xD7\xEA\x7E\xA3\x5C\x2A\xBB\x4D\x2F\x47\xE2\xF8\x39\x06\xC9\x9C\x2E\x31\x1A\x03\x78\xF4\xBC\x38\xC6\x22\x8B\x33\x31\xF0\x16\x04\x04\x7D\xF9\x76\xE4\x4B\xD7\xC0\xE6\x83\xEC\x59\xCC\x3F\xDE\xFF\x4F\x6B\xB7\x67\x7E\xA6\x86\x81\x32\x23\x03\x9D\xC8\xF7\x5F\xC1\x4A\x60\xA5\x92\xA9\xB1\xA4\xA0\x60\xC3\x78\x87\xB3\x22\xF3\x2A\xEB\x5B\xA9\xED\x05\xAB\x37\x0F\xB1\xE2\xD3\x95\x76\x63\x56\x74\x8C\x58\x72\x1B\x37\xE5\x64\xA1\xBE\x4D\x0C\x93\x98\x0C\x97\xF6\x87\x6D\xB3\x3F\xE7\xCB\x80\xA6\xED\x88\xC7\x5F\x50\x62\x02\xE8\x99\x74\x16\xD0\xE6\xB4\x39\xF1\x27\xCB\xC8\x40\xD6\xE3\x86\x10\xA9\x23\x12\x92\xE0\x69\x41\x63\xA7\xAF\x25\x0B\xC0\xC5\x92\xCB\x1E\x98\xA3\x5A\xBA\xC5\x33\x0F\xA0\x97\x01\xDD\x7F\xE0\x7B\xD6\x06\x54\xCF\xA1\xE2\x4D\x38\xEB\x4B\x50\xB5\xCB\x26\xF4\xCA\xDA\x70\x4A\x6A\xA1\xE2\x79\xAA\xE1\xA7\x33\xF6\xFD\x4A\x1F\xF6\xD9\x60",
+	["CN=Wells Fargo Root Certificate Authority,OU=Wells Fargo Certification Authority,O=Wells Fargo,C=US"] = "\x30\x82\x03\xE5\x30\x82\x02\xCD\xA0\x03\x02\x01\x02\x02\x04\x39\xE4\x97\x9E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x31\x2C\x30\x2A\x06\x03\x55\x04\x0B\x13\x23\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2F\x30\x2D\x06\x03\x55\x04\x03\x13\x26\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x30\x31\x30\x31\x31\x31\x36\x34\x31\x32\x38\x5A\x17\x0D\x32\x31\x30\x31\x31\x34\x31\x36\x34\x31\x32\x38\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x31\x2C\x30\x2A\x06\x03\x55\x04\x0B\x13\x23\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2F\x30\x2D\x06\x03\x55\x04\x03\x13\x26\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD5\xA8\x33\x3B\x26\xF9\x34\xFF\xCD\x9B\x7E\xE5\x04\x47\xCE\x00\xE2\x7D\x77\xE7\x31\xC2\x2E\x27\xA5\x4D\x68\xB9\x31\xBA\x8D\x43\x59\x97\xC7\x73\xAA\x7F\x3D\x5C\x40\x9E\x05\xE5\xA1\xE2\x89\xD9\x4C\xB8\x3F\x9B\xF9\x0C\xB4\xC8\x62\x19\x2C\x45\xAE\x91\x1E\x73\x71\x41\xC4\x4B\x13\xFD\x70\xC2\x25\xAC\x22\xF5\x75\x0B\xB7\x53\xE4\xA5\x2B\xDD\xCE\xBD\x1C\x3A\x7A\xC3\xF7\x13\x8F\x26\x54\x9C\x16\x6B\x6B\xAF\xFB\xD8\x96\xB1\x60\x9A\x48\xE0\x25\x22\x24\x79\x34\xCE\x0E\x26\x00\x0B\x4E\xAB\xFD\x8B\xCE\x82\xD7\x2F\x08\x70\x68\xC1\xA8\x0A\xF9\x74\x4F\x07\xAB\xA4\xF9\xE2\x83\x7E\x27\x73\x74\x3E\xB8\xF9\x38\x42\xFC\xA5\xA8\x5B\x48\x23\xB3\xEB\xE3\x25\xB2\x80\xAE\x96\xD4\x0A\x9C\xC2\x78\x9A\xC6\x68\x18\xAE\x37\x62\x37\x5E\x51\x75\xA8\x58\x63\xC0\x51\xEE\x40\x78\x7E\xA8\xAF\x1A\xA0\xE1\xB0\x78\x9D\x50\x8C\x7B\xE7\xB3\xFC\x8E\x23\xB0\xDB\x65\x00\x70\x84\x01\x08\x00\x14\x6E\x54\x86\x9A\xBA\xCC\xF9\x37\x10\xF6\xE0\xDE\x84\x2D\x9D\xA4\x85\x37\xD3\x87\xE3\x15\xD0\xC1\x17\x90\x7E\x19\x21\x6A\x12\xA9\x76\xFD\x12\x02\xE9\x4F\x21\x5E\x17\x02\x03\x01\x00\x01\xA3\x61\x30\x5F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x4C\x06\x03\x55\x1D\x20\x04\x45\x30\x43\x30\x41\x06\x0B\x60\x86\x48\x01\x86\xFB\x7B\x87\x07\x01\x0B\x30\x32\x30\x30\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x63\x65\x72\x74\x70\x6F\x6C\x69\x63\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD2\x27\xDD\x9C\x0A\x77\x2B\xBB\x22\xF2\x02\xB5\x4A\x4A\x91\xF9\xD1\x2D\xBE\xE4\xBB\x1A\x68\xEF\x0E\xA4\x00\xE9\xEE\xE7\xEF\xEE\xF6\xF9\xE5\x74\xA4\xC2\xD8\x52\x58\xC4\x74\xFB\xCE\x6B\xB5\x3B\x29\x79\x18\x5A\xEF\x9B\xED\x1F\x6B\x36\xEE\x48\x25\x25\x14\xB6\x56\xA2\x10\xE8\xEE\xA7\x7F\xD0\x3F\xA3\xD0\xC3\x5D\x26\xEE\x07\xCC\xC3\xC1\x24\x21\x87\x1E\xDF\x2A\x12\x53\x6F\x41\x16\xE7\xED\xAE\x94\xFA\x8C\x72\xFA\x13\x47\xF0\x3C\x7E\xAE\x7D\x11\x3A\x13\xEC\xED\xFA\x6F\x72\x64\x7B\x9D\x7D\x7F\x26\xFD\x7A\xFB\x25\xAD\xEA\x3E\x29\x7F\x4C\xE3\x00\x57\x32\xB0\xB3\xE9\xED\x53\x17\xD9\x8B\xB2\x14\x0E\x30\xE8\xE5\xD5\x13\xC6\x64\xAF\xC4\x00\xD5\xD8\x58\x24\xFC\xF5\x8F\xEC\xF1\xC7\x7D\xA5\xDB\x0F\x27\xD1\xC6\xF2\x40\x88\xE6\x1F\xF6\x61\xA8\xF4\x42\xC8\xB9\x37\xD3\xA9\xBE\x2C\x56\x78\xC2\x72\x9B\x59\x5D\x35\x40\x8A\xE8\x4E\x63\x1A\xB6\xE9\x20\x6A\x51\xE2\xCE\xA4\x90\xDF\x76\x70\x99\x5C\x70\x43\x4D\xB7\xB6\xA7\x19\x64\x4E\x92\xB7\xC5\x91\x3C\x7F\x48\x16\x65\x7B\x16\xFD\xCB\xFC\xFB\xD9\xD5\xD6\x4F\x21\x65\x3B\x4A\x7F\x47\xA3\xFB",
+	["CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x5C\x0B\x85\x5C\x0B\xE7\x59\x41\xDF\x57\xCC\x3F\x7F\x9D\xA8\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x38\x31\x32\x30\x36\x32\x30\x5A\x17\x0D\x32\x35\x30\x38\x31\x38\x32\x32\x30\x36\x32\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\xB9\xB0\xA8\x0C\xD9\xBB\x3F\x21\xF8\x1B\xD5\x33\x93\x80\x16\x65\x20\x75\xB2\x3D\x9B\x60\x6D\x46\xC8\x8C\x31\x6F\x17\xC3\xFA\x9A\x6C\x56\xED\x3C\xC5\x91\x57\xC3\xCD\xAB\x96\x49\x90\x2A\x19\x4B\x1E\xA3\x6D\x57\xDD\xF1\x2B\x62\x28\x75\x45\x5E\xAA\xD6\x5B\xFA\x0B\x25\xD8\xA1\x16\xF9\x1C\xC4\x2E\xE6\x95\x2A\x67\xCC\xD0\x29\x6E\x3C\x85\x34\x38\x61\x49\xB1\x00\x9F\xD6\x3A\x71\x5F\x4D\x6D\xCE\x5F\xB9\xA9\xE4\x89\x7F\x6A\x52\xFA\xCA\x9B\xF2\xDC\xA9\xF9\x9D\x99\x47\x3F\x4E\x29\x5F\xB4\xA6\x8D\x5D\x7B\x0B\x99\x11\x03\x03\xFE\xE7\xDB\xDB\xA3\xFF\x1D\xA5\xCD\x90\x1E\x01\x1F\x35\xB0\x7F\x00\xDB\x90\x6F\xC6\x7E\x7B\xD1\xEE\x7A\x7A\xA7\xAA\x0C\x57\x6F\xA4\x6D\xC5\x13\x3B\xB0\xA5\xD9\xED\x32\x1C\xB4\x5E\x67\x8B\x54\xDC\x73\x87\xE5\xD3\x17\x7C\x66\x50\x72\x5D\xD4\x1A\x58\xC1\xD9\xCF\xD8\x89\x02\x6F\xA7\x49\xB4\x36\x5D\xD0\xA4\xDE\x07\x2C\xB6\x75\xB7\x28\x91\xD6\x97\xBE\x28\xF5\x98\x1E\xEA\x5B\x26\xC9\xBD\xB0\x97\x73\xDA\xAE\x91\x26\xEB\x68\xC1\xF9\x39\x15\xD6\x67\x4B\x0A\x6D\x4F\xCB\xCF\xB0\xE4\x42\x71\x8C\x53\x79\xE7\xEE\xE1\xDB\x1D\xA0\x6E\x1D\x8C\x1A\x77\x35\x5C\x16\x1E\x2B\x53\x1F\x34\x8B\xD1\x6C\xFC\xF2\x67\x07\x7A\xF5\xAD\xED\xD6\x9A\xAB\xA1\xB1\x4B\xE1\xCC\x37\x5F\xFD\x7F\xCD\x4D\xAE\xB8\x1F\x9C\x43\xF9\x2A\x58\x55\x43\x45\xBC\x96\xCD\x70\x0E\xFC\xC9\xE3\x66\xBA\x4E\x8D\x3B\x81\xCB\x15\x64\x7B\xB9\x94\xE8\x5D\x33\x52\x85\x71\x2E\x4F\x8E\xA2\x06\x11\x51\xC9\xE3\xCB\xA1\x6E\x31\x08\x64\x0C\xC2\xD2\x3C\xF5\x36\xE8\xD7\xD0\x0E\x78\x23\x20\x91\xC9\x24\x2A\x65\x29\x5B\x22\xF7\x21\xCE\x83\x5E\xA4\xF3\xDE\x4B\xD3\x68\x8F\x46\x75\x5C\x83\x09\x6E\x29\x6B\xC4\x70\x8C\xF5\x9D\xD7\x20\x2F\xFF\x46\xD2\x2B\x38\xC2\x2F\x75\x1C\x3D\x7E\xDA\xA5\xEF\x1E\x60\x85\x69\x42\xD3\xCC\xF8\x63\xFE\x1E\x43\x39\x85\xA6\xB6\x63\x41\x10\xB3\x73\x1E\xBC\xD3\xFA\xCA\x7D\x16\x47\xE2\xA7\xD5\xD0\xA3\x8A\x0A\x08\x96\x62\x56\x6E\x34\xDB\xD9\x02\xB9\x30\x75\xE3\x04\xD2\xE7\x8F\xC2\xB0\x11\x40\x0A\xAC\xD5\x71\x02\x62\x8B\x31\xBE\xDD\xC6\x23\x58\x31\x42\x43\x2D\x74\xF9\xC6\x9E\xA6\x8A\x0F\xE9\xFE\xBF\x83\xE6\x43\x57\x24\xBA\xEF\x46\x34\xAA\xD7\x12\x01\x38\xED\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x00\x01\x06\x07\x60\x85\x74\x01\x53\x00\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x35\x10\xCB\xEC\xA6\x04\x0D\x0D\x0F\xCD\xC0\xDB\xAB\xA8\xF2\x88\x97\x0C\xDF\x93\x2F\x4D\x7C\x40\x56\x31\x7A\xEB\xA4\x0F\x60\xCD\x7A\xF3\xBE\xC3\x27\x8E\x03\x3E\xA4\xDD\x12\xEF\x7E\x1E\x74\x06\x3C\x3F\x31\xF2\x1C\x7B\x91\x31\x21\xB4\xF0\xD0\x6C\x97\xD4\xE9\x97\xB2\x24\x56\x1E\x56\xC3\x35\xBD\x88\x05\x0F\x5B\x10\x1A\x64\xE1\xC7\x82\x30\xF9\x32\xAD\x9E\x50\x2C\xE7\x78\x05\xD0\x31\xB1\x5A\x98\x8A\x75\x4E\x90\x5C\x6A\x14\x2A\xE0\x52\x47\x82\x60\xE6\x1E\xDA\x81\xB1\xFB\x14\x0B\x5A\xF1\x9F\xD2\x95\xBA\x3E\xD0\x1B\xD6\x15\x1D\xA3\xBE\x86\xD5\xDB\x0F\xC0\x49\x64\xBB\x2E\x50\x19\x4B\xD2\x24\xF8\xDD\x1E\x07\x56\xD0\x38\xA0\x95\x70\x20\x76\x8C\xD7\xDD\x1E\xDE\x9F\x71\xC4\x23\xEF\x83\x13\x5C\xA3\x24\x15\x4D\x29\x40\x3C\x6A\xC4\xA9\xD8\xB7\xA6\x44\xA5\x0D\xF4\xE0\x9D\x77\x1E\x40\x70\x26\xFC\xDA\xD9\x36\xE4\x79\xE4\xB5\x3F\xBC\x9B\x65\xBE\xBB\x11\x96\xCF\xDB\xC6\x28\x39\x3A\x08\xCE\x47\x5B\x53\x5A\xC5\x99\xFE\x5D\xA9\xDD\xEF\x4C\xD4\xC6\xA5\xAD\x02\xE6\x8C\x07\x12\x1E\x6F\x03\xD1\x6F\xA0\xA3\xF3\x29\xBD\x12\xC7\x50\xA2\xB0\x7F\x88\xA9\x99\x77\x9A\xB1\xC0\xA5\x39\x2E\x5C\x7C\x69\xE2\x2C\xB0\xEA\x37\x6A\xA4\xE1\x5A\xE1\xF5\x50\xE5\x83\xEF\xA5\xBB\x2A\x88\xE7\x8C\xDB\xFD\x6D\x5E\x97\x19\xA8\x7E\x66\x75\x6B\x71\xEA\xBF\xB1\xC7\x6F\xA0\xF4\x8E\xA4\xEC\x34\x51\x5B\x8C\x26\x03\x70\xA1\x77\xD5\x01\x12\x57\x00\x35\xDB\x23\xDE\x0E\x8A\x28\x99\xFD\xB1\x10\x6F\x4B\xFF\x38\x2D\x60\x4E\x2C\x9C\xEB\x67\xB5\xAD\x49\xEE\x4B\x1F\xAC\xAF\xFB\x0D\x90\x5A\x66\x60\x70\x5D\xAA\xCD\x78\xD4\x24\xEE\xC8\x41\xA0\x93\x01\x92\x9C\x6A\x9E\xFC\xB9\x24\xC5\xB3\x15\x82\x7E\xBE\xAE\x95\x2B\xEB\xB1\xC0\xDA\xE3\x01\x60\x0B\x5E\x69\xAC\x84\x56\x61\xBE\x71\x17\xFE\x1D\x13\x0F\xFE\xC6\x87\x45\xE9\xFE\x32\xA0\x1A\x0D\x13\xA4\x94\x55\x71\xA5\x16\x8B\xBA\xCA\x89\xB0\xB2\xC7\xFC\x8F\xD8\x54\xB5\x93\x62\x9D\xCE\xCF\x59\xFB\x3D\x18\xCE\x2A\xCB\x35\x15\x82\x5D\xFF\x54\x22\x5B\x71\x52\xFB\xB7\xC9\xFE\x60\x9B\x00\x41\x64\xF0\xAA\x2A\xEC\xB6\x42\x43\xCE\x89\x66\x81\xC8\x8B\x9F\x39\x54\x03\x25\xD3\x16\x35\x8E\x84\xD0\x5F\xFA\x30\x1A\xF5\x9A\x6C\xF4\x0E\x53\xF9\x3A\x5B\xD1\x1C",
+	["CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xB7\x30\x82\x02\x9F\xA0\x03\x02\x01\x02\x02\x10\x0C\xE7\xE0\xE5\x17\xD8\x46\xFE\x8F\xE5\x60\xFC\x1B\xF0\x30\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x0E\x15\xCE\xE4\x43\x80\x5C\xB1\x87\xF3\xB7\x60\xF9\x71\x12\xA5\xAE\xDC\x26\x94\x88\xAA\xF4\xCE\xF5\x20\x39\x28\x58\x60\x0C\xF8\x80\xDA\xA9\x15\x95\x32\x61\x3C\xB5\xB1\x28\x84\x8A\x8A\xDC\x9F\x0A\x0C\x83\x17\x7A\x8F\x90\xAC\x8A\xE7\x79\x53\x5C\x31\x84\x2A\xF6\x0F\x98\x32\x36\x76\xCC\xDE\xDD\x3C\xA8\xA2\xEF\x6A\xFB\x21\xF2\x52\x61\xDF\x9F\x20\xD7\x1F\xE2\xB1\xD9\xFE\x18\x64\xD2\x12\x5B\x5F\xF9\x58\x18\x35\xBC\x47\xCD\xA1\x36\xF9\x6B\x7F\xD4\xB0\x38\x3E\xC1\x1B\xC3\x8C\x33\xD9\xD8\x2F\x18\xFE\x28\x0F\xB3\xA7\x83\xD6\xC3\x6E\x44\xC0\x61\x35\x96\x16\xFE\x59\x9C\x8B\x76\x6D\xD7\xF1\xA2\x4B\x0D\x2B\xFF\x0B\x72\xDA\x9E\x60\xD0\x8E\x90\x35\xC6\x78\x55\x87\x20\xA1\xCF\xE5\x6D\x0A\xC8\x49\x7C\x31\x98\x33\x6C\x22\xE9\x87\xD0\x32\x5A\xA2\xBA\x13\x82\x11\xED\x39\x17\x9D\x99\x3A\x72\xA1\xE6\xFA\xA4\xD9\xD5\x17\x31\x75\xAE\x85\x7D\x22\xAE\x3F\x01\x46\x86\xF6\x28\x79\xC8\xB1\xDA\xE4\x57\x17\xC4\x7E\x1C\x0E\xB0\xB4\x92\xA6\x56\xB3\xBD\xB2\x97\xED\xAA\xA7\xF0\xB7\xC5\xA8\x3F\x95\x16\xD0\xFF\xA1\x96\xEB\x08\x5F\x18\x77\x4F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA2\x0E\xBC\xDF\xE2\xED\xF0\xE3\x72\x73\x7A\x64\x94\xBF\xF7\x72\x66\xD8\x32\xE4\x42\x75\x62\xAE\x87\xEB\xF2\xD5\xD9\xDE\x56\xB3\x9F\xCC\xCE\x14\x28\xB9\x0D\x97\x60\x5C\x12\x4C\x58\xE4\xD3\x3D\x83\x49\x45\x58\x97\x35\x69\x1A\xA8\x47\xEA\x56\xC6\x79\xAB\x12\xD8\x67\x81\x84\xDF\x7F\x09\x3C\x94\xE6\xB8\x26\x2C\x20\xBD\x3D\xB3\x28\x89\xF7\x5F\xFF\x22\xE2\x97\x84\x1F\xE9\x65\xEF\x87\xE0\xDF\xC1\x67\x49\xB3\x5D\xEB\xB2\x09\x2A\xEB\x26\xED\x78\xBE\x7D\x3F\x2B\xF3\xB7\x26\x35\x6D\x5F\x89\x01\xB6\x49\x5B\x9F\x01\x05\x9B\xAB\x3D\x25\xC1\xCC\xB6\x7F\xC2\xF1\x6F\x86\xC6\xFA\x64\x68\xEB\x81\x2D\x94\xEB\x42\xB7\xFA\x8C\x1E\xDD\x62\xF1\xBE\x50\x67\xB7\x6C\xBD\xF3\xF1\x1F\x6B\x0C\x36\x07\x16\x7F\x37\x7C\xA9\x5B\x6D\x7A\xF1\x12\x46\x60\x83\xD7\x27\x04\xBE\x4B\xCE\x97\xBE\xC3\x67\x2A\x68\x11\xDF\x80\xE7\x0C\x33\x66\xBF\x13\x0D\x14\x6E\xF3\x7F\x1F\x63\x10\x1E\xFA\x8D\x1B\x25\x6D\x6C\x8F\xA5\xB7\x61\x01\xB1\xD2\xA3\x26\xA1\x10\x71\x9D\xAD\xE2\xC3\xF9\xC3\x99\x51\xB7\x2B\x07\x08\xCE\x2E\xE6\x50\xB2\xA7\xFA\x0A\x45\x2F\xA2\xF0\xF2",
+	["CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xAF\x30\x82\x02\x97\xA0\x03\x02\x01\x02\x02\x10\x08\x3B\xE0\x56\x90\x42\x46\xB1\xA1\x75\x6A\xC9\x59\x91\xC7\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE2\x3B\xE1\x11\x72\xDE\xA8\xA4\xD3\xA3\x57\xAA\x50\xA2\x8F\x0B\x77\x90\xC9\xA2\xA5\xEE\x12\xCE\x96\x5B\x01\x09\x20\xCC\x01\x93\xA7\x4E\x30\xB7\x53\xF7\x43\xC4\x69\x00\x57\x9D\xE2\x8D\x22\xDD\x87\x06\x40\x00\x81\x09\xCE\xCE\x1B\x83\xBF\xDF\xCD\x3B\x71\x46\xE2\xD6\x66\xC7\x05\xB3\x76\x27\x16\x8F\x7B\x9E\x1E\x95\x7D\xEE\xB7\x48\xA3\x08\xDA\xD6\xAF\x7A\x0C\x39\x06\x65\x7F\x4A\x5D\x1F\xBC\x17\xF8\xAB\xBE\xEE\x28\xD7\x74\x7F\x7A\x78\x99\x59\x85\x68\x6E\x5C\x23\x32\x4B\xBF\x4E\xC0\xE8\x5A\x6D\xE3\x70\xBF\x77\x10\xBF\xFC\x01\xF6\x85\xD9\xA8\x44\x10\x58\x32\xA9\x75\x18\xD5\xD1\xA2\xBE\x47\xE2\x27\x6A\xF4\x9A\x33\xF8\x49\x08\x60\x8B\xD4\x5F\xB4\x3A\x84\xBF\xA1\xAA\x4A\x4C\x7D\x3E\xCF\x4F\x5F\x6C\x76\x5E\xA0\x4B\x37\x91\x9E\xDC\x22\xE6\x6D\xCE\x14\x1A\x8E\x6A\xCB\xFE\xCD\xB3\x14\x64\x17\xC7\x5B\x29\x9E\x32\xBF\xF2\xEE\xFA\xD3\x0B\x42\xD4\xAB\xB7\x41\x32\xDA\x0C\xD4\xEF\xF8\x81\xD5\xBB\x8D\x58\x3F\xB5\x1B\xE8\x49\x28\xA2\x70\xDA\x31\x04\xDD\xF7\xB2\x16\xF2\x4C\x0A\x4E\x07\xA8\xED\x4A\x3D\x5E\xB5\x7F\xA3\x90\xC3\xAF\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xCB\x9C\x37\xAA\x48\x13\x12\x0A\xFA\xDD\x44\x9C\x4F\x52\xB0\xF4\xDF\xAE\x04\xF5\x79\x79\x08\xA3\x24\x18\xFC\x4B\x2B\x84\xC0\x2D\xB9\xD5\xC7\xFE\xF4\xC1\x1F\x58\xCB\xB8\x6D\x9C\x7A\x74\xE7\x98\x29\xAB\x11\xB5\xE3\x70\xA0\xA1\xCD\x4C\x88\x99\x93\x8C\x91\x70\xE2\xAB\x0F\x1C\xBE\x93\xA9\xFF\x63\xD5\xE4\x07\x60\xD3\xA3\xBF\x9D\x5B\x09\xF1\xD5\x8E\xE3\x53\xF4\x8E\x63\xFA\x3F\xA7\xDB\xB4\x66\xDF\x62\x66\xD6\xD1\x6E\x41\x8D\xF2\x2D\xB5\xEA\x77\x4A\x9F\x9D\x58\xE2\x2B\x59\xC0\x40\x23\xED\x2D\x28\x82\x45\x3E\x79\x54\x92\x26\x98\xE0\x80\x48\xA8\x37\xEF\xF0\xD6\x79\x60\x16\xDE\xAC\xE8\x0E\xCD\x6E\xAC\x44\x17\x38\x2F\x49\xDA\xE1\x45\x3E\x2A\xB9\x36\x53\xCF\x3A\x50\x06\xF7\x2E\xE8\xC4\x57\x49\x6C\x61\x21\x18\xD5\x04\xAD\x78\x3C\x2C\x3A\x80\x6B\xA7\xEB\xAF\x15\x14\xE9\xD8\x89\xC1\xB9\x38\x6C\xE2\x91\x6C\x8A\xFF\x64\xB9\x77\x25\x57\x30\xC0\x1B\x24\xA3\xE1\xDC\xE9\xDF\x47\x7C\xB5\xB4\x24\x08\x05\x30\xEC\x2D\xBD\x0B\xBF\x45\xBF\x50\xB9\xA9\xF3\xEB\x98\x01\x12\xAD\xC8\x88\xC6\x98\x34\x5F\x8D\x0A\x3C\xC6\xE9\xD5\x95\x95\x6D\xDE",
+	["CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xC5\x30\x82\x02\xAD\xA0\x03\x02\x01\x02\x02\x10\x02\xAC\x5C\x26\x6A\x0B\x40\x9B\x8F\x0B\x79\xF2\xAE\x46\x25\x77\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\xCC\xE5\x73\xE6\xFB\xD4\xBB\xE5\x2D\x2D\x32\xA6\xDF\xE5\x81\x3F\xC9\xCD\x25\x49\xB6\x71\x2A\xC3\xD5\x94\x34\x67\xA2\x0A\x1C\xB0\x5F\x69\xA6\x40\xB1\xC4\xB7\xB2\x8F\xD0\x98\xA4\xA9\x41\x59\x3A\xD3\xDC\x94\xD6\x3C\xDB\x74\x38\xA4\x4A\xCC\x4D\x25\x82\xF7\x4A\xA5\x53\x12\x38\xEE\xF3\x49\x6D\x71\x91\x7E\x63\xB6\xAB\xA6\x5F\xC3\xA4\x84\xF8\x4F\x62\x51\xBE\xF8\xC5\xEC\xDB\x38\x92\xE3\x06\xE5\x08\x91\x0C\xC4\x28\x41\x55\xFB\xCB\x5A\x89\x15\x7E\x71\xE8\x35\xBF\x4D\x72\x09\x3D\xBE\x3A\x38\x50\x5B\x77\x31\x1B\x8D\xB3\xC7\x24\x45\x9A\xA7\xAC\x6D\x00\x14\x5A\x04\xB7\xBA\x13\xEB\x51\x0A\x98\x41\x41\x22\x4E\x65\x61\x87\x81\x41\x50\xA6\x79\x5C\x89\xDE\x19\x4A\x57\xD5\x2E\xE6\x5D\x1C\x53\x2C\x7E\x98\xCD\x1A\x06\x16\xA4\x68\x73\xD0\x34\x04\x13\x5C\xA1\x71\xD3\x5A\x7C\x55\xDB\x5E\x64\xE1\x37\x87\x30\x56\x04\xE5\x11\xB4\x29\x80\x12\xF1\x79\x39\x88\xA2\x02\x11\x7C\x27\x66\xB7\x88\xB7\x78\xF2\xCA\x0A\xA8\x38\xAB\x0A\x64\xC2\xBF\x66\x5D\x95\x84\xC1\xA1\x25\x1E\x87\x5D\x1A\x50\x0B\x20\x12\xCC\x41\xBB\x6E\x0B\x51\x38\xB8\x4B\xCB\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1C\x1A\x06\x97\xDC\xD7\x9C\x9F\x3C\x88\x66\x06\x08\x57\x21\xDB\x21\x47\xF8\x2A\x67\xAA\xBF\x18\x32\x76\x40\x10\x57\xC1\x8A\xF3\x7A\xD9\x11\x65\x8E\x35\xFA\x9E\xFC\x45\xB5\x9E\xD9\x4C\x31\x4B\xB8\x91\xE8\x43\x2C\x8E\xB3\x78\xCE\xDB\xE3\x53\x79\x71\xD6\xE5\x21\x94\x01\xDA\x55\x87\x9A\x24\x64\xF6\x8A\x66\xCC\xDE\x9C\x37\xCD\xA8\x34\xB1\x69\x9B\x23\xC8\x9E\x78\x22\x2B\x70\x43\xE3\x55\x47\x31\x61\x19\xEF\x58\xC5\x85\x2F\x4E\x30\xF6\xA0\x31\x16\x23\xC8\xE7\xE2\x65\x16\x33\xCB\xBF\x1A\x1B\xA0\x3D\xF8\xCA\x5E\x8B\x31\x8B\x60\x08\x89\x2D\x0C\x06\x5C\x52\xB7\xC4\xF9\x0A\x98\xD1\x15\x5F\x9F\x12\xBE\x7C\x36\x63\x38\xBD\x44\xA4\x7F\xE4\x26\x2B\x0A\xC4\x97\x69\x0D\xE9\x8C\xE2\xC0\x10\x57\xB8\xC8\x76\x12\x91\x55\xF2\x48\x69\xD8\xBC\x2A\x02\x5B\x0F\x44\xD4\x20\x31\xDB\xF4\xBA\x70\x26\x5D\x90\x60\x9E\xBC\x4B\x17\x09\x2F\xB4\xCB\x1E\x43\x68\xC9\x07\x27\xC1\xD2\x5C\xF7\xEA\x21\xB9\x68\x12\x9C\x3C\x9C\xBF\x9E\xFC\x80\x5C\x9B\x63\xCD\xEC\x47\xAA\x25\x27\x67\xA0\x37\xF3\x00\x82\x7D\x54\xD7\xA9\xF8\xE9\x2E\x13\xA3\x77\xE8\x1F\x4A",
+	["CN=Class 2 Primary CA,O=Certplus,C=FR"] = "\x30\x82\x03\x92\x30\x82\x02\x7A\xA0\x03\x02\x01\x02\x02\x11\x00\x85\xBD\x4B\xF3\xD8\xDA\xE3\x69\xF6\x94\xD7\x5F\xC3\xA5\x44\x23\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x37\x31\x37\x30\x35\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\x50\x96\xD0\x12\xF8\x35\xD2\x08\x78\x7A\xB6\x52\x70\xFD\x6F\xEE\xCF\xB9\x11\xCB\x5D\x77\xE1\xEC\xE9\x7E\x04\x8D\xD6\xCC\x6F\x73\x43\x57\x60\xAC\x33\x0A\x44\xEC\x03\x5F\x1C\x80\x24\x91\xE5\xA8\x91\x56\x12\x82\xF7\xE0\x2B\xF4\xDB\xAE\x61\x2E\x89\x10\x8D\x6B\x6C\xBA\xB3\x02\xBD\xD5\x36\xC5\x48\x37\x23\xE2\xF0\x5A\x37\x52\x33\x17\x12\xE2\xD1\x60\x4D\xBE\x2F\x41\x11\xE3\xF6\x17\x25\x0C\x8B\x91\xC0\x1B\x99\x7B\x99\x56\x0D\xAF\xEE\xD2\xBC\x47\x57\xE3\x79\x49\x7B\x34\x89\x27\x24\x84\xDE\xB1\xEC\xE9\x58\x4E\xFE\x4E\xDF\x5A\xBE\x41\xAD\xAC\x08\xC5\x18\x0E\xEF\xD2\x53\xEE\x6C\xD0\x9D\x12\x01\x13\x8D\xDC\x80\x62\xF7\x95\xA9\x44\x88\x4A\x71\x4E\x60\x55\x9E\xDB\x23\x19\x79\x56\x07\x0C\x3F\x63\x0B\x5C\xB0\xE2\xBE\x7E\x15\xFC\x94\x33\x58\x41\x38\x74\xC4\xE1\x8F\x8B\xDF\x26\xAC\x1F\xB5\x8B\x3B\xB7\x43\x59\x6B\xB0\x24\xA6\x6D\x90\x8B\xC4\x72\xEA\x5D\x33\x98\xB7\xCB\xDE\x5E\x7B\xEF\x94\xF1\x1B\x3E\xCA\xC9\x21\xC1\xC5\x98\x02\xAA\xA2\xF6\x5B\x77\x9B\xF5\x7E\x96\x55\x34\x1C\x67\x69\xC0\xF1\x42\xE3\x47\xAC\xFC\x28\x1C\x66\x55\x02\x03\x01\x00\x01\xA3\x81\x8C\x30\x81\x89\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x73\x2D\xDF\xCB\x0E\x28\x0C\xDE\xDD\xB3\xA4\xCA\x79\xB8\x8E\xBB\xE8\x30\x89\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x01\x06\x30\x37\x06\x03\x55\x1D\x1F\x04\x30\x30\x2E\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x70\x6C\x75\x73\x2E\x63\x6F\x6D\x2F\x43\x52\x4C\x2F\x63\x6C\x61\x73\x73\x32\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA7\x54\xCF\x88\x44\x19\xCB\xDF\xD4\x7F\x00\xDF\x56\x33\x62\xB5\xF7\x51\x01\x90\xEB\xC3\x3F\xD1\x88\x44\xE9\x24\x5D\xEF\xE7\x14\xBD\x20\xB7\x9A\x3C\x00\xFE\x6D\x9F\xDB\x90\xDC\xD7\xF4\x62\xD6\x8B\x70\x5D\xE7\xE5\x04\x48\xA9\x68\x7C\xC9\xF1\x42\xF3\x6C\x7F\xC5\x7A\x7C\x1D\x51\x88\xBA\xD2\x0A\x3E\x27\x5D\xDE\x2D\x51\x4E\xD3\x13\x64\x69\xE4\x2E\xE3\xD3\xE7\x9B\x09\x99\xA6\xE0\x95\x9B\xCE\x1A\xD7\x7F\xBE\x3C\xCE\x52\xB3\x11\x15\xC1\x0F\x17\xCD\x03\xBB\x9C\x25\x15\xBA\xA2\x76\x89\xFC\x06\xF1\x18\xD0\x93\x4B\x0E\x7C\x82\xB7\xA5\xF4\xF6\x5F\xFE\xED\x40\xA6\x9D\x84\x74\x39\xB9\xDC\x1E\x85\x16\xDA\x29\x1B\x86\x23\x00\xC9\xBB\x89\x7E\x6E\x80\x88\x1E\x2F\x14\xB4\x03\x24\xA8\x32\x6F\x03\x9A\x47\x2C\x30\xBE\x56\xC6\xA7\x42\x02\x70\x1B\xEA\x40\xD8\xBA\x05\x03\x70\x07\xA4\x96\xFF\xFD\x48\x33\x0A\xE1\xDC\xA5\x81\x90\x9B\x4D\xDD\x7D\xE7\xE7\xB2\xCD\x5C\xC8\x6A\x95\xF8\xA5\xF6\x8D\xC4\x5D\x78\x08\xBE\x7B\x06\xD6\x49\xCF\x19\x36\x50\x23\x2E\x08\xE6\x9E\x05\x4D\x47\x18\xD5\x16\xE9\xB1\xD6\xB6\x10\xD5\xBB\x97\xBF\xA2\x8E\xB4\x54",
+	["CN=DST Root CA X3,O=Digital Signature Trust Co."] = "\x30\x82\x03\x4A\x30\x82\x02\x32\xA0\x03\x02\x01\x02\x02\x10\x44\xAF\xB0\x80\xD6\xA3\x27\xBA\x89\x30\x39\x86\x2E\xF8\x40\x6B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x1E\x17\x0D\x30\x30\x30\x39\x33\x30\x32\x31\x31\x32\x31\x39\x5A\x17\x0D\x32\x31\x30\x39\x33\x30\x31\x34\x30\x31\x31\x35\x5A\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\xAF\xE9\x97\x50\x08\x83\x57\xB4\xCC\x62\x65\xF6\x90\x82\xEC\xC7\xD3\x2C\x6B\x30\xCA\x5B\xEC\xD9\xC3\x7D\xC7\x40\xC1\x18\x14\x8B\xE0\xE8\x33\x76\x49\x2A\xE3\x3F\x21\x49\x93\xAC\x4E\x0E\xAF\x3E\x48\xCB\x65\xEE\xFC\xD3\x21\x0F\x65\xD2\x2A\xD9\x32\x8F\x8C\xE5\xF7\x77\xB0\x12\x7B\xB5\x95\xC0\x89\xA3\xA9\xBA\xED\x73\x2E\x7A\x0C\x06\x32\x83\xA2\x7E\x8A\x14\x30\xCD\x11\xA0\xE1\x2A\x38\xB9\x79\x0A\x31\xFD\x50\xBD\x80\x65\xDF\xB7\x51\x63\x83\xC8\xE2\x88\x61\xEA\x4B\x61\x81\xEC\x52\x6B\xB9\xA2\xE2\x4B\x1A\x28\x9F\x48\xA3\x9E\x0C\xDA\x09\x8E\x3E\x17\x2E\x1E\xDD\x20\xDF\x5B\xC6\x2A\x8A\xAB\x2E\xBD\x70\xAD\xC5\x0B\x1A\x25\x90\x74\x72\xC5\x7B\x6A\xAB\x34\xD6\x30\x89\xFF\xE5\x68\x13\x7B\x54\x0B\xC8\xD6\xAE\xEC\x5A\x9C\x92\x1E\x3D\x64\xB3\x8C\xC6\xDF\xBF\xC9\x41\x70\xEC\x16\x72\xD5\x26\xEC\x38\x55\x39\x43\xD0\xFC\xFD\x18\x5C\x40\xF1\x97\xEB\xD5\x9A\x9B\x8D\x1D\xBA\xDA\x25\xB9\xC6\xD8\xDF\xC1\x15\x02\x3A\xAB\xDA\x6E\xF1\x3E\x2E\xF5\x5C\x08\x9C\x3C\xD6\x83\x69\xE4\x10\x9B\x19\x2A\xB6\x29\x57\xE3\xE5\x3D\x9B\x9F\xF0\x02\x5D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\xA7\xB1\xA4\x7B\x2C\x71\xFA\xDB\xE1\x4B\x90\x75\xFF\xC4\x15\x60\x85\x89\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\x1A\x2C\x9B\x17\x00\x5C\xA9\x1E\xEE\x28\x66\x37\x3A\xBF\x83\xC7\x3F\x4B\xC3\x09\xA0\x95\x20\x5D\xE3\xD9\x59\x44\xD2\x3E\x0D\x3E\xBD\x8A\x4B\xA0\x74\x1F\xCE\x10\x82\x9C\x74\x1A\x1D\x7E\x98\x1A\xDD\xCB\x13\x4B\xB3\x20\x44\xE4\x91\xE9\xCC\xFC\x7D\xA5\xDB\x6A\xE5\xFE\xE6\xFD\xE0\x4E\xDD\xB7\x00\x3A\xB5\x70\x49\xAF\xF2\xE5\xEB\x02\xF1\xD1\x02\x8B\x19\xCB\x94\x3A\x5E\x48\xC4\x18\x1E\x58\x19\x5F\x1E\x02\x5A\xF0\x0C\xF1\xB1\xAD\xA9\xDC\x59\x86\x8B\x6E\xE9\x91\xF5\x86\xCA\xFA\xB9\x66\x33\xAA\x59\x5B\xCE\xE2\xA7\x16\x73\x47\xCB\x2B\xCC\x99\xB0\x37\x48\xCF\xE3\x56\x4B\xF5\xCF\x0F\x0C\x72\x32\x87\xC6\xF0\x44\xBB\x53\x72\x6D\x43\xF5\x26\x48\x9A\x52\x67\xB7\x58\xAB\xFE\x67\x76\x71\x78\xDB\x0D\xA2\x56\x14\x13\x39\x24\x31\x85\xA2\xA8\x02\x5A\x30\x47\xE1\xDD\x50\x07\xBC\x02\x09\x90\x00\xEB\x64\x63\x60\x9B\x16\xBC\x88\xC9\x12\xE6\xD2\x7D\x91\x8B\xF9\x3D\x32\x8D\x65\xB4\xE9\x7C\xB1\x57\x76\xEA\xC5\xB6\x28\x39\xBF\x15\x65\x1C\xC8\xF6\x77\x96\x6A\x0A\x8D\x77\x0B\xD8\x91\x0B\x04\x8E\x07\xDB\x29\xB6\x0A\xEE\x9D\x82\x35\x35\x10",
+	["CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US"] = "\x30\x82\x04\x09\x30\x82\x02\xF1\xA0\x03\x02\x01\x02\x02\x10\x0D\x5E\x99\x0A\xD6\x9D\xB7\x78\xEC\xD8\x07\x56\x3B\x86\x15\xD9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x1E\x17\x0D\x30\x33\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x17\x0D\x31\x37\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB9\x3D\xF5\x2C\xC9\x94\xDC\x75\x8A\x95\x5D\x63\xE8\x84\x77\x76\x66\xB9\x59\x91\x5C\x46\xDD\x92\x3E\x9F\xF9\x0E\x03\xB4\x3D\x61\x92\xBD\x23\x26\xB5\x63\xEE\x92\xD2\x9E\xD6\x3C\xC8\x0D\x90\x5F\x64\x81\xB1\xA8\x08\x0D\x4C\xD8\xF9\xD3\x05\x28\x52\xB4\x01\x25\xC5\x95\x1C\x0C\x7E\x3E\x10\x84\x75\xCF\xC1\x19\x91\x63\xCF\xE8\xA8\x91\x88\xB9\x43\x52\xBB\x80\xB1\x55\x89\x8B\x31\xFA\xD0\xB7\x76\xBE\x41\x3D\x30\x9A\xA4\x22\x25\x17\x73\xE8\x1E\xE2\xD3\xAC\x2A\xBD\x5B\x38\x21\xD5\x2A\x4B\xD7\x55\x7D\xE3\x3A\x55\xBD\xD7\x6D\x6B\x02\x57\x6B\xE6\x47\x7C\x08\xC8\x82\xBA\xDE\xA7\x87\x3D\xA1\x6D\xB8\x30\x56\xC2\xB3\x02\x81\x5F\x2D\xF5\xE2\x9A\x30\x18\x28\xB8\x66\xD3\xCB\x01\x96\x6F\xEA\x8A\x45\x55\xD6\xE0\x9D\xFF\x67\x2B\x17\x02\xA6\x4E\x1A\x6A\x11\x0B\x7E\xB7\x7B\xE7\x98\xD6\x8C\x76\x6F\xC1\x3B\xDB\x50\x93\x7E\xE5\xD0\x8E\x1F\x37\xB8\xBD\xBA\xC6\x9F\x6C\xE9\x7C\x33\xF2\x32\x3C\x26\x47\xFA\x27\x24\x02\xC9\x7E\x1D\x5B\x88\x42\x13\x6A\x35\x7C\x7D\x35\xE9\x2E\x66\x91\x72\x93\xD5\x32\x26\xC4\x74\xF5\x53\xA3\xB3\x5D\x9A\xF6\x09\xCB\x02\x03\x01\x00\x01\xA3\x81\xC8\x30\x81\xC5\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1F\x06\x03\x55\x1D\x11\x04\x18\x30\x16\x81\x14\x70\x6B\x69\x2D\x6F\x70\x73\x40\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x30\x62\x06\x03\x55\x1D\x20\x04\x5B\x30\x59\x30\x57\x06\x0A\x60\x86\x48\x01\x65\x03\x02\x01\x01\x01\x30\x49\x30\x47\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x3B\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x2F\x70\x6F\x6C\x69\x63\x79\x2F\x41\x43\x45\x53\x2D\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x09\x72\x06\x4E\x18\x43\x0F\xE5\xD6\xCC\xC3\x6A\x8B\x31\x7B\x78\x8F\xA8\x83\xB8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\xD8\x8E\xD6\xB2\xDB\xCE\x05\xE7\x32\xCD\x01\xD3\x04\x03\xE5\x76\xE4\x56\x2B\x9C\x99\x90\xE8\x08\x30\x6C\xDF\x7D\x3D\xEE\xE5\xBF\xB5\x24\x40\x84\x49\xE1\xD1\x28\xAE\xC4\xC2\x3A\x53\x30\x88\xF1\xF5\x77\x6E\x51\xCA\xFA\xFF\x99\xAF\x24\x5F\x1B\xA0\xFD\xF2\xAC\x84\xCA\xDF\xA9\xF0\x5F\x04\x2E\xAD\x16\xBF\x21\x97\x10\x81\x3D\xE3\xFF\x87\x8D\x32\xDC\x94\xE5\x47\x8A\x5E\x6A\x13\xC9\x94\x95\x3D\xD2\xEE\xC8\x34\x95\xD0\x80\xD4\xAD\x32\x08\x80\x54\x3C\xE0\xBD\x52\x53\xD7\x52\x7C\xB2\x69\x3F\x7F\x7A\xCF\x6A\x74\xCA\xFA\x04\x2A\x9C\x4C\x5A\x06\xA5\xE9\x20\xAD\x45\x66\x0F\x69\xF1\xDD\xBF\xE9\xE3\x32\x8B\xFA\xE0\xC1\x86\x4D\x72\x3C\x2E\xD8\x93\x78\x0A\x2A\xF8\xD8\xD2\x27\x3D\x19\x89\x5F\x5A\x7B\x8A\x3B\xCC\x0C\xDA\x51\xAE\xC7\x0B\xF7\x2B\xB0\x37\x05\xEC\xBC\x57\x23\xE2\x38\xD2\x9B\x68\xF3\x56\x12\x88\x4F\x42\x7C\xB8\x31\xC4\xB5\xDB\xE4\xC8\x21\x34\xE9\x48\x11\x35\xEE\xFA\xC7\x92\x57\xC5\x9F\x34\xE4\xC7\xF6\xF7\x0E\x0B\x4C\x9C\x68\x78\x7B\x71\x31\xC7\xEB\x1E\xE0\x67\x41\xF3\xB7\xA0\xA7\xCD\xE5\x7A\x33\x36\x6A\xFA\x9A\x2B",
+	["O=(c) 2005 T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E.,L=ANKARA,C=TR,CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = "\x30\x82\x03\xFB\x30\x82\x02\xE3\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB7\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x0C\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x4E\x4B\x41\x52\x41\x31\x56\x30\x54\x06\x03\x55\x04\x0A\x0C\x4D\x28\x63\x29\x20\x32\x30\x30\x35\x20\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x30\x1E\x17\x0D\x30\x35\x30\x35\x31\x33\x31\x30\x32\x37\x31\x37\x5A\x17\x0D\x31\x35\x30\x33\x32\x32\x31\x30\x32\x37\x31\x37\x5A\x30\x81\xB7\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x0C\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x4E\x4B\x41\x52\x41\x31\x56\x30\x54\x06\x03\x55\x04\x0A\x0C\x4D\x28\x63\x29\x20\x32\x30\x30\x35\x20\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCA\x52\x05\xD6\x63\x03\xD8\x1C\x5F\xDD\xD2\x7B\x5D\xF2\x0C\x60\x61\x5B\x6B\x3B\x74\x2B\x78\x0D\x7D\x45\xBD\x22\x74\xE8\x8C\x03\xC1\xC6\x11\x2A\x3D\x95\xBC\xA9\x94\xB0\xBB\x91\x97\xC8\x69\x7C\x84\xC5\xB4\x91\x6C\x6C\x13\x6A\xA4\x55\xAD\xA4\x85\xE8\x95\x7E\xB3\x00\xAF\x00\xC2\x05\x18\xF5\x70\x9D\x36\x8B\xAE\xCB\xE4\x1B\x81\x7F\x93\x88\xFB\x6A\x55\xBB\x7D\x85\x92\xCE\xBA\x58\x9F\xDB\x32\xC5\xBD\x5D\xEF\x22\x4A\x2F\x41\x07\x7E\x49\x61\xB3\x86\xEC\x4E\xA6\x41\x6E\x84\xBC\x03\xEC\xF5\x3B\x1C\xC8\x1F\xC2\xEE\xA8\xEE\xEA\x12\x4A\x8D\x14\xCF\xF3\x0A\xE0\x50\x39\xF9\x08\x35\xF8\x11\x59\xAD\xE7\x22\xEA\x4B\xCA\x14\x06\xDE\x42\xBA\xB2\x99\xF3\x2D\x54\x88\x10\x06\xEA\xE1\x1A\x3E\x3D\x67\x1F\xFB\xCE\xFB\x7C\x82\xE8\x11\x5D\x4A\xC1\xB9\x14\xEA\x54\xD9\x66\x9B\x7C\x89\x7D\x04\x9A\x62\xC9\xE9\x52\x3C\x9E\x9C\xEF\xD2\xF5\x26\xE4\xE6\xE5\x18\x7C\x8B\x6E\xDF\x6C\xCC\x78\x5B\x4F\x72\xB2\xCB\x5C\x3F\x8C\x05\x8D\xD1\x4C\x8C\xAD\x92\xC7\xE1\x78\x7F\x65\x6C\x49\x06\x50\x2C\x9E\x32\xC2\xD7\x4A\xC6\x75\x8A\x59\x4E\x75\x6F\x47\x5E\xC1\x02\x03\x01\x00\x01\xA3\x10\x30\x0E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x15\xF5\x55\xFF\x37\x96\x80\x59\x21\xA4\xFC\xA1\x15\x4C\x20\xF6\xD4\x5F\xDA\x03\x24\xFC\xCF\x90\x1A\xF4\x21\x0A\x9A\xEE\x3A\xB1\x6A\xEF\xEF\xF8\x60\xD1\x4C\x36\x66\x45\x1D\xF3\x66\x02\x74\x04\x7B\x92\x30\xA8\xDE\x0A\x76\x0F\xEF\x95\x6E\xBD\xC9\x37\xE6\x1A\x0D\xAC\x89\x48\x5B\xCC\x83\x36\xC2\xF5\x46\x5C\x59\x82\x56\xB4\xD5\xFE\x23\xB4\xD8\x54\x1C\x44\xAB\xC4\xA7\xE5\x14\xCE\x3C\x41\x61\x7C\x43\xE6\xCD\xC4\x81\x09\x8B\x24\xFB\x54\x25\xD6\x16\xA8\x96\x0C\x67\x07\x6F\xB3\x50\x47\xE3\x1C\x24\x28\xDD\x2A\x98\xA4\x61\xFE\xDB\xEA\x12\x37\xBC\x01\x1A\x34\x85\xBD\x6E\x4F\xE7\x91\x72\x07\x44\x85\x1E\x58\xCA\x54\x44\xDD\xF7\xAC\xB9\xCB\x89\x21\x72\xDB\x8F\xC0\x69\x29\x97\x2A\xA3\xAE\x18\x23\x97\x1C\x41\x2A\x8B\x7C\x2A\xC1\x7C\x90\xE8\xA9\x28\xC0\xD3\x91\xC6\xAD\x28\x87\x40\x68\xB5\xFF\xEC\xA7\xD2\xD3\x38\x18\x9C\xD3\x7D\x69\x5D\xF0\xC6\xA5\x1E\x24\x1B\xA3\x47\xFC\x69\x07\x68\xE7\xE4\x9A\xB4\xED\x0F\xA1\x87\x87\x02\xCE\x87\xD2\x48\x4E\xE1\xBC\xFF\xCB\xF1\x72\x92\x44\x64\x03\x25\xEA\xDE\x5B\x6E\x9F\xC9\xF2\x4E\xAC\xDD\xC7",
+	["O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E. (c) Kas\C4\B1m 2005,L=Ankara,C=TR,CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = "\x30\x82\x04\x3C\x30\x82\x03\x24\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBE\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5D\x30\x5B\x06\x03\x55\x04\x0A\x0C\x54\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x4B\x61\x73\xC4\xB1\x6D\x20\x32\x30\x30\x35\x30\x1E\x17\x0D\x30\x35\x31\x31\x30\x37\x31\x30\x30\x37\x35\x37\x5A\x17\x0D\x31\x35\x30\x39\x31\x36\x31\x30\x30\x37\x35\x37\x5A\x30\x81\xBE\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5D\x30\x5B\x06\x03\x55\x04\x0A\x0C\x54\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x4B\x61\x73\xC4\xB1\x6D\x20\x32\x30\x30\x35\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA9\x36\x7E\xC3\x91\x43\x4C\xC3\x19\x98\x08\xC8\xC7\x58\x7B\x4F\x16\x8C\xA5\xCE\x49\x01\x1F\x73\x0E\xAC\x75\x13\xA6\xFA\x9E\x2C\x20\xDE\xD8\x90\x0E\x0A\xD1\x69\xD2\x27\xFB\xAA\x77\x9F\x27\x52\x25\xE2\xCB\x5D\xD8\xD8\x83\x50\x17\x7D\x8A\xB5\x82\x3F\x04\x8E\xB4\xD5\xF0\x49\xA7\x64\xB7\x1E\x2E\x5F\x20\x9C\x50\x75\x4F\xAF\xE1\xB5\x41\x14\xF4\x98\x92\x88\xC7\xE5\xE5\x64\x47\x61\x47\x79\xFD\xC0\x51\xF1\xC1\x99\xE7\xDC\xCE\x6A\xFB\xAF\xB5\x01\x30\xDC\x46\x1C\xEF\x8A\xEC\x95\xEF\xDC\xFF\xAF\x10\x1C\xEB\x9D\xD8\xB0\xAA\x6A\x85\x18\x0D\x17\xC9\x3E\xBF\xF1\x9B\xD0\x09\x89\x42\xFD\xA0\x42\xB4\x9D\x89\x51\x55\x29\xCF\x1B\x70\xBC\x84\x54\xAD\xC1\x13\x1F\x98\xF4\x2E\x76\x60\x8B\x5D\x3F\x9A\xAD\xCA\x0C\xBF\xA7\x56\x5B\x8F\x77\xB8\xD5\x9E\x79\x49\x92\x3F\xE0\xF1\x97\x24\x7A\x6C\x9B\x17\x0F\x6D\xEF\x53\x98\x91\x2B\xE4\x0F\xBE\x59\x79\x07\x78\xBB\x97\x95\xF4\x9F\x69\xD4\x58\x87\x0A\xA9\xE3\xCC\xB6\x58\x19\x9F\x26\x21\xB1\xC4\x59\x8D\xB2\x41\x75\xC0\xAD\x69\xCE\x9C\x00\x08\xF2\x36\xFF\x3E\xF0\xA1\x0F\x1A\xAC\x14\xFD\xA6\x60\x0F\x02\x03\x01\x00\x01\xA3\x43\x30\x41\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD9\x37\xB3\x4E\x05\xFD\xD9\xCF\x9F\x12\x16\xAE\xB6\x89\x2F\xEB\x25\x3A\x88\x1C\x30\x0F\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x05\x03\x03\x07\x06\x00\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x72\x60\x96\xB7\xC9\xDC\xD8\x29\x5E\x23\x85\x5F\xB2\xB3\x2D\x76\xFB\x88\xD7\x17\xFE\x7B\x6D\x45\xB8\xF6\x85\x6C\x9F\x22\xFC\x2A\x10\x22\xEC\xAA\xB9\x30\xF6\xAB\x58\xD6\x39\x10\x31\x99\x29\x00\xBD\x89\x66\x41\xFB\x74\xDE\x91\xC1\x18\x0B\x9F\xB5\x61\xCB\x9D\x3A\xBE\xF5\xA8\x94\xA3\x22\x55\x6E\x17\x49\xFF\xD2\x29\xF1\x38\x26\x5D\xEF\xA5\xAA\x3A\xF9\x71\x7B\xE6\xDA\x58\x1D\xD3\x74\xC2\x01\xFA\x3E\x69\x58\x5F\xAD\xCB\x68\xBE\x14\x2E\x9B\x6C\xC0\xB6\xDC\xA0\x26\xFA\x77\x1A\xE2\x24\xDA\x1A\x37\xE0\x67\xAD\xD1\x73\x83\x0D\xA5\x1A\x1D\x6E\x12\x92\x7E\x84\x62\x00\x17\xBD\xBC\x25\x18\x57\xF2\xD7\xA9\x6F\x59\x88\xBC\x34\xB7\x2E\x85\x78\x9D\x96\xDC\x14\xC3\x2C\x8A\x52\x9B\x96\x8C\x52\x66\x3D\x86\x16\x8B\x47\xB8\x51\x09\x8C\xEA\x7D\xCD\x88\x72\xB3\x60\x33\xB1\xF0\x0A\x44\xEF\x0F\xF5\x09\x37\x88\x24\x0E\x2C\x6B\x20\x3A\xA2\xFA\x11\xF2\x40\x35\x9C\x44\x68\x63\x3B\xAC\x33\x6F\x63\xBC\x2C\xBB\xF2\xD2\xCB\x76\x7D\x7D\x88\xD8\x1D\xC8\x05\x1D\x6E\xBC\x94\xA9\x66\x8C\x77\x71\xC7\xFA\x91\xFA\x2F\x51\x9E\xE9\x39\x52\xB6\xE7\x04\x42",
+	["CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBA\x30\x82\x03\xA2\xA0\x03\x02\x01\x02\x02\x09\x00\xBB\x40\x1C\x43\xF5\x5E\x4F\xB0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAF\xE4\xEE\x7E\x8B\x24\x0E\x12\x6E\xA9\x50\x2D\x16\x44\x3B\x92\x92\x5C\xCA\xB8\x5D\x84\x92\x42\x13\x2A\xBC\x65\x57\x82\x40\x3E\x57\x24\xCD\x50\x8B\x25\x2A\xB7\x6F\xFC\xEF\xA2\xD0\xC0\x1F\x02\x24\x4A\x13\x96\x8F\x23\x13\xE6\x28\x58\x00\xA3\x47\xC7\x06\xA7\x84\x23\x2B\xBB\xBD\x96\x2B\x7F\x55\xCC\x8B\xC1\x57\x1F\x0E\x62\x65\x0F\xDD\x3D\x56\x8A\x73\xDA\xAE\x7E\x6D\xBA\x81\x1C\x7E\x42\x8C\x20\x35\xD9\x43\x4D\x84\xFA\x84\xDB\x52\x2C\xF3\x0E\x27\x77\x0B\x6B\xBF\x11\x2F\x72\x78\x9F\x2E\xD8\x3E\xE6\x18\x37\x5A\x2A\x72\xF9\xDA\x62\x90\x92\x95\xCA\x1F\x9C\xE9\xB3\x3C\x2B\xCB\xF3\x01\x13\xBF\x5A\xCF\xC1\xB5\x0A\x60\xBD\xDD\xB5\x99\x64\x53\xB8\xA0\x96\xB3\x6F\xE2\x26\x77\x91\x8C\xE0\x62\x10\x02\x9F\x34\x0F\xA4\xD5\x92\x33\x51\xDE\xBE\x8D\xBA\x84\x7A\x60\x3C\x6A\xDB\x9F\x2B\xEC\xDE\xDE\x01\x3F\x6E\x4D\xE5\x50\x86\xCB\xB4\xAF\xED\x44\x40\xC5\xCA\x5A\x8C\xDA\xD2\x2B\x7C\xA8\xEE\xBE\xA6\xE5\x0A\xAA\x0E\xA5\xDF\x05\x52\xB7\x55\xC7\x22\x5D\x32\x6A\x97\x97\x63\x13\xDB\xC9\xDB\x79\x36\x7B\x85\x3A\x4A\xC5\x52\x89\xF9\x24\xE7\x9D\x77\xA9\x82\xFF\x55\x1C\xA5\x71\x69\x2B\xD1\x02\x24\xF2\xB3\x26\xD4\x6B\xDA\x04\x55\xE5\xC1\x0A\xC7\x6D\x30\x37\x90\x2A\xE4\x9E\x14\x33\x5E\x16\x17\x55\xC5\x5B\xB5\xCB\x34\x89\x92\xF1\x9D\x26\x8F\xA1\x07\xD4\xC6\xB2\x78\x50\xDB\x0C\x0C\x0B\x7C\x0B\x8C\x41\xD7\xB9\xE9\xDD\x8C\x88\xF7\xA3\x4D\xB2\x32\xCC\xD8\x17\xDA\xCD\xB7\xCE\x66\x9D\xD4\xFD\x5E\xFF\xBD\x97\x3E\x29\x75\xE7\x7E\xA7\x62\x58\xAF\x25\x34\xA5\x41\xC7\x3D\xBC\x0D\x50\xCA\x03\x03\x0F\x08\x5A\x1F\x95\x73\x78\x62\xBF\xAF\x72\x14\x69\x0E\xA5\xE5\x03\x0E\x78\x8E\x26\x28\x42\xF0\x07\x0B\x62\x20\x10\x67\x39\x46\xFA\xA9\x03\xCC\x04\x38\x7A\x66\xEF\x20\x83\xB5\x8C\x4A\x56\x8E\x91\x00\xFC\x8E\x5C\x82\xDE\x88\xA0\xC3\xE2\x68\x6E\x7D\x8D\xEF\x3C\xDD\x65\xF4\x5D\xAC\x51\xEF\x24\x80\xAE\xAA\x56\x97\x6F\xF9\xAD\x7D\xDA\x61\x3F\x98\x77\x3C\xA5\x91\xB6\x1C\x8C\x26\xDA\x65\xA2\x09\x6D\xC1\xE2\x54\xE3\xB9\xCA\x4C\x4C\x80\x8F\x77\x7B\x60\x9A\x1E\xDF\xB6\xF2\x48\x1E\x0E\xBA\x4E\x54\x6D\x98\xE0\xE1\xA2\x1A\xA2\x77\x50\xCF\xC4\x63\x92\xEC\x47\x19\x9D\xEB\xE6\x6B\xCE\xC1\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x02\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x27\xBA\xE3\x94\x7C\xF1\xAE\xC0\xDE\x17\xE6\xE5\xD8\xD5\xF5\x54\xB0\x83\xF4\xBB\xCD\x5E\x05\x7B\x4F\x9F\x75\x66\xAF\x3C\xE8\x56\x7E\xFC\x72\x78\x38\x03\xD9\x2B\x62\x1B\x00\xB9\xF8\xE9\x60\xCD\xCC\xCE\x51\x8A\xC7\x50\x31\x6E\xE1\x4A\x7E\x18\x2F\x69\x59\xB6\x3D\x64\x81\x2B\xE3\x83\x84\xE6\x22\x87\x8E\x7D\xE0\xEE\x02\x99\x61\xB8\x1E\xF4\xB8\x2B\x88\x12\x16\x84\xC2\x31\x93\x38\x96\x31\xA6\xB9\x3B\x53\x3F\xC3\x24\x93\x56\x5B\x69\x92\xEC\xC5\xC1\xBB\x38\x00\xE3\xEC\x17\xA9\xB8\xDC\xC7\x7C\x01\x83\x9F\x32\x47\xBA\x52\x22\x34\x1D\x32\x7A\x09\x56\xA7\x7C\x25\x36\xA9\x3D\x4B\xDA\xC0\x82\x6F\x0A\xBB\x12\xC8\x87\x4B\x27\x11\xF9\x1E\x2D\xC7\x93\x3F\x9E\xDB\x5F\x26\x6B\x52\xD9\x2E\x8A\xF1\x14\xC6\x44\x8D\x15\xA9\xB7\xBF\xBD\xDE\xA6\x1A\xEE\xAE\x2D\xFB\x48\x77\x17\xFE\xBB\xEC\xAF\x18\xF5\x2A\x51\xF0\x39\x84\x97\x95\x6C\x6E\x1B\xC3\x2B\xC4\x74\x60\x79\x25\xB0\x0A\x27\xDF\xDF\x5E\xD2\x39\xCF\x45\x7D\x42\x4B\xDF\xB3\x2C\x1E\xC5\xC6\x5D\xCA\x55\x3A\xA0\x9C\x69\x9A\x8F\xDA\xEF\xB2\xB0\x3C\x9F\x87\x6C\x12\x2B\x65\x70\x15\x52\x31\x1A\x24\xCF\x6F\x31\x23\x50\x1F\x8C\x4F\x8F\x23\xC3\x74\x41\x63\x1C\x55\xA8\x14\xDD\x3E\xE0\x51\x50\xCF\xF1\x1B\x30\x56\x0E\x92\xB0\x82\x85\xD8\x83\xCB\x22\x64\xBC\x2D\xB8\x25\xD5\x54\xA2\xB8\x06\xEA\xAD\x92\xA4\x24\xA0\xC1\x86\xB5\x4A\x13\x6A\x47\xCF\x2E\x0B\x56\x95\x54\xCB\xCE\x9A\xDB\x6A\xB4\xA6\xB2\xDB\x41\x08\x86\x27\x77\xF7\x6A\xA0\x42\x6C\x0B\x38\xCE\xD7\x75\x50\x32\x92\xC2\xDF\x2B\x30\x22\x48\xD0\xD5\x41\x38\x25\x5D\xA4\xE9\x5D\x9F\xC6\x94\x75\xD0\x45\xFD\x30\x97\x43\x8F\x90\xAB\x0A\xC7\x86\x73\x60\x4A\x69\x2D\xDE\xA5\x78\xD7\x06\xDA\x6A\x9E\x4B\x3E\x77\x3A\x20\x13\x22\x01\xD0\xBF\x68\x9E\x63\x60\x6B\x35\x4D\x0B\x6D\xBA\xA1\x3D\xC0\x93\xE0\x7F\x23\xB3\x55\xAD\x72\x25\x4E\x46\xF9\xD2\x16\xEF\xB0\x64\xC1\x01\x9E\xE9\xCA\xA0\x6A\x98\x0E\xCF\xD8\x60\xF2\x2F\x49\xB8\xE4\x42\xE1\x38\x35\x16\xF4\xC8\x6E\x4F\xF7\x81\x56\xE8\xBA\xA3\xBE\x23\xAF\xAE\xFD\x6F\x03\xE0\x02\x3B\x30\x76\xFA\x1B\x6D\x41\xCF\x01\xB1\xE9\xB8\xC9\x66\xF4\xDB\x26\xF3\x3A\xA4\x74\xF2\x49\x24\x5B\xC9\xB0\xD0\x57\xC1\xFA\x3E\x7A\xE1\x97\xC9",
+	["CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x08\x4F\x1B\xD4\x2F\x54\xBB\x2F\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF1\x87\x7F\xD3\x78\x31\xF7\x38\xC9\xF8\xC3\x99\x43\xBC\xC7\xF7\xBC\x37\xE7\x4E\x71\xBA\x4B\x8F\xA5\x73\x1D\x5C\x6E\x98\xAE\x03\x57\xAE\x38\x37\x43\x2F\x17\x3D\x1F\xC8\xCE\x68\x10\xC1\x78\xAE\x19\x03\x2B\x10\xFA\x2C\x79\x83\xF6\xE8\xB9\x68\xB9\x55\xF2\x04\x44\xA7\x39\xF9\xFC\x04\x8B\x1E\xF1\xA2\x4D\x27\xF9\x61\x7B\xBA\xB7\xE5\xA2\x13\xB6\xEB\x61\x3E\xD0\x6C\xD1\xE6\xFB\xFA\x5E\xED\x1D\xB4\x9E\xA0\x35\x5B\xA1\x92\xCB\xF0\x49\x92\xFE\x85\x0A\x05\x3E\xE6\xD9\x0B\xE2\x4F\xBB\xDC\x95\x37\xFC\x91\xE9\x32\x35\x22\xD1\x1F\x3A\x4E\x27\x85\x9D\xB0\x15\x94\x32\xDA\x61\x0D\x47\x4D\x60\x42\xAE\x92\x47\xE8\x83\x5A\x50\x58\xE9\x8A\x8B\xB9\x5D\xA1\xDC\xDD\x99\x4A\x1F\x36\x67\xBB\x48\xE4\x83\xB6\x37\xEB\x48\x3A\xAF\x0F\x67\x8F\x17\x07\xE8\x04\xCA\xEF\x6A\x31\x87\xD4\xC0\xB6\xF9\x94\x71\x7B\x67\x64\xB8\xB6\x91\x4A\x42\x7B\x65\x2E\x30\x6A\x0C\xF5\x90\xEE\x95\xE6\xF2\xCD\x82\xEC\xD9\xA1\x4A\xEC\xF6\xB2\x4B\xE5\x45\x85\xE6\x6D\x78\x93\x04\x2E\x9C\x82\x6D\x36\xA9\xC4\x31\x64\x1F\x86\x83\x0B\x2A\xF4\x35\x0A\x78\xC9\x55\xCF\x41\xB0\x47\xE9\x30\x9F\x99\xBE\x61\xA8\x06\x84\xB9\x28\x7A\x5F\x38\xD9\x1B\xA9\x38\xB0\x83\x7F\x73\xC1\xC3\x3B\x48\x2A\x82\x0F\x21\x9B\xB8\xCC\xA8\x35\xC3\x84\x1B\x83\xB3\x3E\xBE\xA4\x95\x69\x01\x3A\x89\x00\x78\x04\xD9\xC9\xF4\x99\x19\xAB\x56\x7E\x5B\x8B\x86\x39\x15\x91\xA4\x10\x2C\x09\x32\x80\x60\xB3\x93\xC0\x2A\xB6\x18\x0B\x9D\x7E\x8D\x49\xF2\x10\x4A\x7F\xF9\xD5\x46\x2F\x19\x92\xA3\x99\xA7\x26\xAC\xBB\x8C\x3C\xE6\x0E\xBC\x47\x07\xDC\x73\x51\xF1\x70\x64\x2F\x08\xF9\xB4\x47\x1D\x30\x6C\x44\xEA\x29\x37\x85\x92\x68\x66\xBC\x83\x38\xFE\x7B\x39\x2E\xD3\x50\xF0\x1F\xFB\x5E\x60\xB6\xA9\xA6\xFA\x27\x41\xF1\x9B\x18\x72\xF2\xF5\x84\x74\x4A\xC9\x67\xC4\x54\xAE\x48\x64\xDF\x8C\xD1\x6E\xB0\x1D\xE1\x07\x8F\x08\x1E\x99\x9C\x71\xE9\x4C\xD8\xA5\xF7\x47\x12\x1F\x74\xD1\x51\x9E\x86\xF3\xC2\xA2\x23\x40\x0B\x73\xDB\x4B\xA6\xE7\x73\x06\x8C\xC1\xA0\xE9\xC1\x59\xAC\x46\xFA\xE6\x2F\xF8\xCF\x71\x9C\x46\x6D\xB9\xC4\x15\x8D\x38\x79\x03\x45\x48\xEF\xC4\x5D\xD7\x08\xEE\x87\x39\x22\x86\xB2\x0D\x0F\x58\x43\xF7\x71\xA9\x48\x2E\xFD\xEA\xD6\x1F\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x03\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x73\xC6\x81\xE0\x27\xD2\x2D\x0F\xE0\x95\x30\xE2\x9A\x41\x7F\x50\x2C\x5F\x5F\x62\x61\xA9\x86\x6A\x69\x18\x0C\x74\x49\xD6\x5D\x84\xEA\x41\x52\x18\x6F\x58\xAD\x50\x56\x20\x6A\xC6\xBD\x28\x69\x58\x91\xDC\x91\x11\x35\xA9\x3A\x1D\xBC\x1A\xA5\x60\x9E\xD8\x1F\x7F\x45\x91\x69\xD9\x7E\xBB\x78\x72\xC1\x06\x0F\x2A\xCE\x8F\x85\x70\x61\xAC\xA0\xCD\x0B\xB8\x39\x29\x56\x84\x32\x4E\x86\xBB\x3D\xC4\x2A\xD9\xD7\x1F\x72\xEE\xFE\x51\xA1\x22\x41\xB1\x71\x02\x63\x1A\x82\xB0\x62\xAB\x5E\x57\x12\x1F\xDF\xCB\xDD\x75\xA0\xC0\x5D\x79\x90\x8C\x1B\xE0\x50\xE6\xDE\x31\xFE\x98\x7B\x70\x5F\xA5\x90\xD8\xAD\xF8\x02\xB6\x6F\xD3\x60\xDD\x40\x4B\x22\xC5\x3D\xAD\x3A\x7A\x9F\x1A\x1A\x47\x91\x79\x33\xBA\x82\xDC\x32\x69\x03\x96\x6E\x1F\x4B\xF0\x71\xFE\xE3\x67\x72\xA0\xB1\xBF\x5C\x8B\xE4\xFA\x99\x22\xC7\x84\xB9\x1B\x8D\x23\x97\x3F\xED\x25\xE0\xCF\x65\xBB\xF5\x61\x04\xEF\xDD\x1E\xB2\x5A\x41\x22\x5A\xA1\x9F\x5D\x2C\xE8\x5B\xC9\x6D\xA9\x0C\x0C\x78\xAA\x60\xC6\x56\x8F\x01\x5A\x0C\x68\xBC\x69\x19\x79\xC4\x1F\x7E\x97\x05\xBF\xC5\xE9\x24\x51\x5E\xD4\xD5\x4B\x53\xED\xD9\x23\x5A\x36\x03\x65\xA3\xC1\x03\xAD\x41\x30\xF3\x46\x1B\x85\x90\xAF\x65\xB5\xD5\xB1\xE4\x16\x5B\x78\x75\x1D\x97\x7A\x6D\x59\xA9\x2A\x8F\x7B\xDE\xC3\x87\x89\x10\x99\x49\x73\x78\xC8\x3D\xBD\x51\x35\x74\x2A\xD5\xF1\x7E\x69\x1B\x2A\xBB\x3B\xBD\x25\xB8\x9A\x5A\x3D\x72\x61\x90\x66\x87\xEE\x0C\xD6\x4D\xD4\x11\x74\x0B\x6A\xFE\x0B\x03\xFC\xA3\x55\x57\x89\xFE\x4A\xCB\xAE\x5B\x17\x05\xC8\xF2\x8D\x23\x31\x53\x38\xD2\x2D\x6A\x3F\x82\xB9\x8D\x08\x6A\xF7\x5E\x41\x74\x6E\xC3\x11\x7E\x07\xAC\x29\x60\x91\x3F\x38\xCA\x57\x10\x0D\xBD\x30\x2F\xC7\xA5\xE6\x41\xA0\xDA\xAE\x05\x87\x9A\xA0\xA4\x65\x6C\x4C\x09\x0C\x89\xBA\xB8\xD3\xB9\xC0\x93\x8A\x30\xFA\x8D\xE5\x9A\x6B\x15\x01\x4E\x67\xAA\xDA\x62\x56\x3E\x84\x08\x66\xD2\xC4\x36\x7D\xA7\x3E\x10\xFC\x88\xE0\xD4\x80\xE5\x00\xBD\xAA\xF3\x4E\x06\xA3\x7A\x6A\xF9\x62\x72\xE3\x09\x4F\xEB\x9B\x0E\x01\x23\xF1\x9F\xBB\x7C\xDC\xDC\x6C\x11\x97\x25\xB2\xF2\xB4\x63\x14\xD2\x06\x2A\x67\x8C\x83\xF5\xCE\xEA\x07\xD8\x9A\x6A\x1E\xEC\xE4\x0A\xBB\x2A\x4C\xEB\x09\x60\x39\xCE\xCA\x62\xD8\x2E\x6E",
+	["CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\x7C\x30\x82\x02\x64\xA0\x03\x02\x01\x02\x02\x10\x18\xAC\xB5\x6A\xFD\x69\xB6\x15\x3A\x63\x6C\xAF\xDA\xFA\xC4\xA1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\xB8\x15\x7B\xFF\xD4\x7C\x7D\x67\xAD\x83\x64\x7B\xC8\x42\x53\x2D\xDF\xF6\x84\x08\x20\x61\xD6\x01\x59\x6A\x9C\x44\x11\xAF\xEF\x76\xFD\x95\x7E\xCE\x61\x30\xBB\x7A\x83\x5F\x02\xBD\x01\x66\xCA\xEE\x15\x8D\x6F\xA1\x30\x9C\xBD\xA1\x85\x9E\x94\x3A\xF3\x56\x88\x00\x31\xCF\xD8\xEE\x6A\x96\x02\xD9\xED\x03\x8C\xFB\x75\x6D\xE7\xEA\xB8\x55\x16\x05\x16\x9A\xF4\xE0\x5E\xB1\x88\xC0\x64\x85\x5C\x15\x4D\x88\xC7\xB7\xBA\xE0\x75\xE9\xAD\x05\x3D\x9D\xC7\x89\x48\xE0\xBB\x28\xC8\x03\xE1\x30\x93\x64\x5E\x52\xC0\x59\x70\x22\x35\x57\x88\x8A\xF1\x95\x0A\x83\xD7\xBC\x31\x73\x01\x34\xED\xEF\x46\x71\xE0\x6B\x02\xA8\x35\x72\x6B\x97\x9B\x66\xE0\xCB\x1C\x79\x5F\xD8\x1A\x04\x68\x1E\x47\x02\xE6\x9D\x60\xE2\x36\x97\x01\xDF\xCE\x35\x92\xDF\xBE\x67\xC7\x6D\x77\x59\x3B\x8F\x9D\xD6\x90\x15\x94\xBC\x42\x34\x10\xC1\x39\xF9\xB1\x27\x3E\x7E\xD6\x8A\x75\xC5\xB2\xAF\x96\xD3\xA2\xDE\x9B\xE4\x98\xBE\x7D\xE1\xE9\x81\xAD\xB6\x6F\xFC\xD7\x0E\xDA\xE0\x34\xB0\x0D\x1A\x77\xE7\xE3\x08\x98\xEF\x58\xFA\x9C\x84\xB7\x36\xAF\xC2\xDF\xAC\xD2\xF4\x10\x06\x70\x71\x35\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2C\xD5\x50\x41\x97\x15\x8B\xF0\x8F\x36\x61\x5B\x4A\xFB\x6B\xD9\x99\xC9\x33\x92\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\x70\x7F\x2C\xDD\xB7\x34\x4F\xF5\x86\x51\xA9\x26\xBE\x4B\xB8\xAA\xF1\x71\x0D\xDC\x61\xC7\xA0\xEA\x34\x1E\x7A\x77\x0F\x04\x35\xE8\x27\x8F\x6C\x90\xBF\x91\x16\x24\x46\x3E\x4A\x4E\xCE\x2B\x16\xD5\x0B\x52\x1D\xFC\x1F\x67\xA2\x02\x45\x31\x4F\xCE\xF3\xFA\x03\xA7\x79\x9D\x53\x6A\xD9\xDA\x63\x3A\xF8\x80\xD7\xD3\x99\xE1\xA5\xE1\xBE\xD4\x55\x71\x98\x35\x3A\xBE\x93\xEA\xAE\xAD\x42\xB2\x90\x6F\xE0\xFC\x21\x4D\x35\x63\x33\x89\x49\xD6\x9B\x4E\xCA\xC7\xE7\x4E\x09\x00\xF7\xDA\xC7\xEF\x99\x62\x99\x77\xB6\x95\x22\x5E\x8A\xA0\xAB\xF4\xB8\x78\x98\xCA\x38\x19\x99\xC9\x72\x9E\x78\xCD\x4B\xAC\xAF\x19\xA0\x73\x12\x2D\xFC\xC2\x41\xBA\x81\x91\xDA\x16\x5A\x31\xB7\xF9\xB4\x71\x80\x12\x48\x99\x72\x73\x5A\x59\x53\xC1\x63\x52\x33\xED\xA7\xC9\xD2\x39\x02\x70\xFA\xE0\xB1\x42\x66\x29\xAA\x9B\x51\xED\x30\x54\x22\x14\x5F\xD9\xAB\x1D\xC1\xE4\x94\xF0\xF8\xF5\x2B\xF7\xEA\xCA\x78\x46\xD6\xB8\x91\xFD\xA6\x0D\x2B\x1A\x14\x01\x3E\x80\xF0\x42\xA0\x95\x07\x5E\x6D\xCD\xCC\x4B\xA4\x45\x8D\xAB\x12\xE8\xB3\xDE\x5A\xE5\xA0\x7C\xE8\x0F\x22\x1D\x5A\xE9\x59",
+	["CN=thawte Primary Root CA,OU=(c) 2006 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US"] = "\x30\x82\x04\x20\x30\x82\x03\x08\xA0\x03\x02\x01\x02\x02\x10\x34\x4E\xD5\x57\x20\xD5\xED\xEC\x49\xF4\x2F\xCE\x37\xDB\x2B\x6D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xA9\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x36\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x37\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xA9\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x36\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAC\xA0\xF0\xFB\x80\x59\xD4\x9C\xC7\xA4\xCF\x9D\xA1\x59\x73\x09\x10\x45\x0C\x0D\x2C\x6E\x68\xF1\x6C\x5B\x48\x68\x49\x59\x37\xFC\x0B\x33\x19\xC2\x77\x7F\xCC\x10\x2D\x95\x34\x1C\xE6\xEB\x4D\x09\xA7\x1C\xD2\xB8\xC9\x97\x36\x02\xB7\x89\xD4\x24\x5F\x06\xC0\xCC\x44\x94\x94\x8D\x02\x62\x6F\xEB\x5A\xDD\x11\x8D\x28\x9A\x5C\x84\x90\x10\x7A\x0D\xBD\x74\x66\x2F\x6A\x38\xA0\xE2\xD5\x54\x44\xEB\x1D\x07\x9F\x07\xBA\x6F\xEE\xE9\xFD\x4E\x0B\x29\xF5\x3E\x84\xA0\x01\xF1\x9C\xAB\xF8\x1C\x7E\x89\xA4\xE8\xA1\xD8\x71\x65\x0D\xA3\x51\x7B\xEE\xBC\xD2\x22\x60\x0D\xB9\x5B\x9D\xDF\xBA\xFC\x51\x5B\x0B\xAF\x98\xB2\xE9\x2E\xE9\x04\xE8\x62\x87\xDE\x2B\xC8\xD7\x4E\xC1\x4C\x64\x1E\xDD\xCF\x87\x58\xBA\x4A\x4F\xCA\x68\x07\x1D\x1C\x9D\x4A\xC6\xD5\x2F\x91\xCC\x7C\x71\x72\x1C\xC5\xC0\x67\xEB\x32\xFD\xC9\x92\x5C\x94\xDA\x85\xC0\x9B\xBF\x53\x7D\x2B\x09\xF4\x8C\x9D\x91\x1F\x97\x6A\x52\xCB\xDE\x09\x36\xA4\x77\xD8\x7B\x87\x50\x44\xD5\x3E\x6E\x29\x69\xFB\x39\x49\x26\x1E\x09\xA5\x80\x7B\x40\x2D\xEB\xE8\x27\x85\xC9\xFE\x61\xFD\x7E\xE6\x7C\x97\x1D\xD5\x9D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7B\x5B\x45\xCF\xAF\xCE\xCB\x7A\xFD\x31\x92\x1A\x6A\xB6\xF3\x46\xEB\x57\x48\x50\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x79\x11\xC0\x4B\xB3\x91\xB6\xFC\xF0\xE9\x67\xD4\x0D\x6E\x45\xBE\x55\xE8\x93\xD2\xCE\x03\x3F\xED\xDA\x25\xB0\x1D\x57\xCB\x1E\x3A\x76\xA0\x4C\xEC\x50\x76\xE8\x64\x72\x0C\xA4\xA9\xF1\xB8\x8B\xD6\xD6\x87\x84\xBB\x32\xE5\x41\x11\xC0\x77\xD9\xB3\x60\x9D\xEB\x1B\xD5\xD1\x6E\x44\x44\xA9\xA6\x01\xEC\x55\x62\x1D\x77\xB8\x5C\x8E\x48\x49\x7C\x9C\x3B\x57\x11\xAC\xAD\x73\x37\x8E\x2F\x78\x5C\x90\x68\x47\xD9\x60\x60\xE6\xFC\x07\x3D\x22\x20\x17\xC4\xF7\x16\xE9\xC4\xD8\x72\xF9\xC8\x73\x7C\xDF\x16\x2F\x15\xA9\x3E\xFD\x6A\x27\xB6\xA1\xEB\x5A\xBA\x98\x1F\xD5\xE3\x4D\x64\x0A\x9D\x13\xC8\x61\xBA\xF5\x39\x1C\x87\xBA\xB8\xBD\x7B\x22\x7F\xF6\xFE\xAC\x40\x79\xE5\xAC\x10\x6F\x3D\x8F\x1B\x79\x76\x8B\xC4\x37\xB3\x21\x18\x84\xE5\x36\x00\xEB\x63\x20\x99\xB9\xE9\xFE\x33\x04\xBB\x41\xC8\xC1\x02\xF9\x44\x63\x20\x9E\x81\xCE\x42\xD3\xD6\x3F\x2C\x76\xD3\x63\x9C\x59\xDD\x8F\xA6\xE1\x0E\xA0\x2E\x41\xF7\x2E\x95\x47\xCF\xBC\xFD\x33\xF3\xF6\x0B\x61\x7E\x7E\x91\x2B\x81\x47\xC2\x27\x30\xEE\xA7\x10\x5D\x37\x8F\x5C\x39\x2B\xE4\x04\xF0\x7B\x8D\x56\x8C\x68",
+	["CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\xD3\x30\x82\x03\xBB\xA0\x03\x02\x01\x02\x02\x10\x18\xDA\xD1\x9E\x26\x7D\xE8\xBB\x4A\x21\x58\xCD\xCC\x6B\x3B\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x36\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x35\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x38\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x36\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x35\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x24\x08\x08\x29\x7A\x35\x9E\x60\x0C\xAA\xE7\x4B\x3B\x4E\xDC\x7C\xBC\x3C\x45\x1C\xBB\x2B\xE0\xFE\x29\x02\xF9\x57\x08\xA3\x64\x85\x15\x27\xF5\xF1\xAD\xC8\x31\x89\x5D\x22\xE8\x2A\xAA\xA6\x42\xB3\x8F\xF8\xB9\x55\xB7\xB1\xB7\x4B\xB3\xFE\x8F\x7E\x07\x57\xEC\xEF\x43\xDB\x66\x62\x15\x61\xCF\x60\x0D\xA4\xD8\xDE\xF8\xE0\xC3\x62\x08\x3D\x54\x13\xEB\x49\xCA\x59\x54\x85\x26\xE5\x2B\x8F\x1B\x9F\xEB\xF5\xA1\x91\xC2\x33\x49\xD8\x43\x63\x6A\x52\x4B\xD2\x8F\xE8\x70\x51\x4D\xD1\x89\x69\x7B\xC7\x70\xF6\xB3\xDC\x12\x74\xDB\x7B\x5D\x4B\x56\xD3\x96\xBF\x15\x77\xA1\xB0\xF4\xA2\x25\xF2\xAF\x1C\x92\x67\x18\xE5\xF4\x06\x04\xEF\x90\xB9\xE4\x00\xE4\xDD\x3A\xB5\x19\xFF\x02\xBA\xF4\x3C\xEE\xE0\x8B\xEB\x37\x8B\xEC\xF4\xD7\xAC\xF2\xF6\xF0\x3D\xAF\xDD\x75\x91\x33\x19\x1D\x1C\x40\xCB\x74\x24\x19\x21\x93\xD9\x14\xFE\xAC\x2A\x52\xC7\x8F\xD5\x04\x49\xE4\x8D\x63\x47\x88\x3C\x69\x83\xCB\xFE\x47\xBD\x2B\x7E\x4F\xC5\x95\xAE\x0E\x9D\xD4\xD1\x43\xC0\x67\x73\xE3\x14\x08\x7E\xE5\x3F\x9F\x73\xB8\x33\x0A\xCF\x5D\x3F\x34\x87\x96\x8A\xEE\x53\xE8\x25\x15\x02\x03\x01\x00\x01\xA3\x81\xB2\x30\x81\xAF\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x6D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x0C\x04\x61\x30\x5F\xA1\x5D\xA0\x5B\x30\x59\x30\x57\x30\x55\x16\x09\x69\x6D\x61\x67\x65\x2F\x67\x69\x66\x30\x21\x30\x1F\x30\x07\x06\x05\x2B\x0E\x03\x02\x1A\x04\x14\x8F\xE5\xD3\x1A\x86\xAC\x8D\x8E\x6B\xC3\xCF\x80\x6A\xD4\x48\x18\x2C\x7B\x19\x2E\x30\x25\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x6F\x2E\x76\x65\x72\x69\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x76\x73\x6C\x6F\x67\x6F\x2E\x67\x69\x66\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7F\xD3\x65\xA7\xC2\xDD\xEC\xBB\xF0\x30\x09\xF3\x43\x39\xFA\x02\xAF\x33\x31\x33\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x93\x24\x4A\x30\x5F\x62\xCF\xD8\x1A\x98\x2F\x3D\xEA\xDC\x99\x2D\xBD\x77\xF6\xA5\x79\x22\x38\xEC\xC4\xA7\xA0\x78\x12\xAD\x62\x0E\x45\x70\x64\xC5\xE7\x97\x66\x2D\x98\x09\x7E\x5F\xAF\xD6\xCC\x28\x65\xF2\x01\xAA\x08\x1A\x47\xDE\xF9\xF9\x7C\x92\x5A\x08\x69\x20\x0D\xD9\x3E\x6D\x6E\x3C\x0D\x6E\xD8\xE6\x06\x91\x40\x18\xB9\xF8\xC1\xED\xDF\xDB\x41\xAA\xE0\x96\x20\xC9\xCD\x64\x15\x38\x81\xC9\x94\xEE\xA2\x84\x29\x0B\x13\x6F\x8E\xDB\x0C\xDD\x25\x02\xDB\xA4\x8B\x19\x44\xD2\x41\x7A\x05\x69\x4A\x58\x4F\x60\xCA\x7E\x82\x6A\x0B\x02\xAA\x25\x17\x39\xB5\xDB\x7F\xE7\x84\x65\x2A\x95\x8A\xBD\x86\xDE\x5E\x81\x16\x83\x2D\x10\xCC\xDE\xFD\xA8\x82\x2A\x6D\x28\x1F\x0D\x0B\xC4\xE5\xE7\x1A\x26\x19\xE1\xF4\x11\x6F\x10\xB5\x95\xFC\xE7\x42\x05\x32\xDB\xCE\x9D\x51\x5E\x28\xB6\x9E\x85\xD3\x5B\xEF\xA5\x7D\x45\x40\x72\x8E\xB7\x0E\x6B\x0E\x06\xFB\x33\x35\x48\x71\xB8\x9D\x27\x8B\xC4\x65\x5F\x0D\x86\x76\x9C\x44\x7A\xF6\x95\x5C\xF6\x5D\x32\x08\x33\xA4\x54\xB6\x18\x3F\x68\x5C\xF2\x42\x4A\x85\x38\x54\x83\x5F\xD1\xE8\x2C\xF2\xAC\x11\xD6\xA8\xED\x63\x6A",
+	["CN=SecureTrust CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xB8\x30\x82\x02\xA0\xA0\x03\x02\x01\x02\x02\x10\x0C\xF0\x8E\x5C\x08\x16\xA5\xAD\x42\x7F\xF0\xEB\x27\x18\x59\xD0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x33\x31\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x34\x30\x35\x35\x5A\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\xA4\x81\xE5\x95\xCD\xF5\xF6\x14\x8E\xC2\x4F\xCA\xD4\xE2\x78\x95\x58\x9C\x41\xE1\x0D\x99\x40\x24\x17\x39\x91\x33\x66\xE9\xBE\xE1\x83\xAF\x62\x5C\x89\xD1\xFC\x24\x5B\x61\xB3\xE0\x11\x11\x41\x1C\x1D\x6E\xF0\xB8\xBB\xF8\xDE\xA7\x81\xBA\xA6\x48\xC6\x9F\x1D\xBD\xBE\x8E\xA9\x41\x3E\xB8\x94\xED\x29\x1A\xD4\x8E\xD2\x03\x1D\x03\xEF\x6D\x0D\x67\x1C\x57\xD7\x06\xAD\xCA\xC8\xF5\xFE\x0E\xAF\x66\x25\x48\x04\x96\x0B\x5D\xA3\xBA\x16\xC3\x08\x4F\xD1\x46\xF8\x14\x5C\xF2\xC8\x5E\x01\x99\x6D\xFD\x88\xCC\x86\xA8\xC1\x6F\x31\x42\x6C\x52\x3E\x68\xCB\xF3\x19\x34\xDF\xBB\x87\x18\x56\x80\x26\xC4\xD0\xDC\xC0\x6F\xDF\xDE\xA0\xC2\x91\x16\xA0\x64\x11\x4B\x44\xBC\x1E\xF6\xE7\xFA\x63\xDE\x66\xAC\x76\xA4\x71\xA3\xEC\x36\x94\x68\x7A\x77\xA4\xB1\xE7\x0E\x2F\x81\x7A\xE2\xB5\x72\x86\xEF\xA2\x6B\x8B\xF0\x0F\xDB\xD3\x59\x3F\xBA\x72\xBC\x44\x24\x9C\xE3\x73\xB3\xF7\xAF\x57\x2F\x42\x26\x9D\xA9\x74\xBA\x00\x52\xF2\x4B\xCD\x53\x7C\x47\x0B\x36\x85\x0E\x66\xA9\x08\x97\x16\x34\x57\xC1\x66\xF7\x80\xE3\xED\x70\x54\xC7\x93\xE0\x2E\x28\x15\x59\x87\xBA\xBB\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x42\x32\xB6\x16\xFA\x04\xFD\xFE\x5D\x4B\x7A\xC3\xFD\xF7\x4C\x40\x1D\x5A\x43\xAF\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x54\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x30\xED\x4F\x4A\xE1\x58\x3A\x52\x72\x5B\xB5\xA6\xA3\x65\x18\xA6\xBB\x51\x3B\x77\xE9\x9D\xEA\xD3\x9F\x5C\xE0\x45\x65\x7B\x0D\xCA\x5B\xE2\x70\x50\xB2\x94\x05\x14\xAE\x49\xC7\x8D\x41\x07\x12\x73\x94\x7E\x0C\x23\x21\xFD\xBC\x10\x7F\x60\x10\x5A\x72\xF5\x98\x0E\xAC\xEC\xB9\x7F\xDD\x7A\x6F\x5D\xD3\x1C\xF4\xFF\x88\x05\x69\x42\xA9\x05\x71\xC8\xB7\xAC\x26\xE8\x2E\xB4\x8C\x6A\xFF\x71\xDC\xB8\xB1\xDF\x99\xBC\x7C\x21\x54\x2B\xE4\x58\xA2\xBB\x57\x29\xAE\x9E\xA9\xA3\x19\x26\x0F\x99\x2E\x08\xB0\xEF\xFD\x69\xCF\x99\x1A\x09\x8D\xE3\xA7\x9F\x2B\xC9\x36\x34\x7B\x24\xB3\x78\x4C\x95\x17\xA4\x06\x26\x1E\xB6\x64\x52\x36\x5F\x60\x67\xD9\x9C\xC5\x05\x74\x0B\xE7\x67\x23\xD2\x08\xFC\x88\xE9\xAE\x8B\x7F\xE1\x30\xF4\x37\x7E\xFD\xC6\x32\xDA\x2D\x9E\x44\x30\x30\x6C\xEE\x07\xDE\xD2\x34\xFC\xD2\xFF\x40\xF6\x4B\xF4\x66\x46\x06\x54\xA6\xF2\x32\x0A\x63\x26\x30\x6B\x9B\xD1\xDC\x8B\x47\xBA\xE1\xB9\xD5\x62\xD0\xA2\xA0\xF4\x67\x05\x78\x29\x63\x1A\x6F\x04\xD6\xF8\xC6\x4C\xA3\x9A\xB1\x37\xB4\x8D\xE5\x28\x4B\x1D\x9E\x2C\xC2\xB8\x68\xBC\xED\x02\xEE\x31",
+	["CN=Secure Global CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xBC\x30\x82\x02\xA4\xA0\x03\x02\x01\x02\x02\x10\x07\x56\x22\xA4\xE8\xD4\x8A\x89\x4D\xF4\x13\xC8\xF0\xF8\xEA\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x34\x32\x32\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x35\x32\x30\x36\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x35\x2E\xD8\xAC\x6C\x55\x69\x06\x71\xE5\x13\x68\x24\xB3\x4F\xD8\xCC\x21\x47\xF8\xF1\x60\x38\x89\x89\x03\xE9\xBD\xEA\x5E\x46\x53\x09\xDC\x5C\xF5\x5A\xE8\xF7\x45\x2A\x02\xEB\x31\x61\xD7\x29\x33\x4C\xCE\xC7\x7C\x0A\x37\x7E\x0F\xBA\x32\x98\xE1\x1D\x97\xAF\x8F\xC7\xDC\xC9\x38\x96\xF3\xDB\x1A\xFC\x51\xED\x68\xC6\xD0\x6E\xA4\x7C\x24\xD1\xAE\x42\xC8\x96\x50\x63\x2E\xE0\xFE\x75\xFE\x98\xA7\x5F\x49\x2E\x95\xE3\x39\x33\x64\x8E\x1E\xA4\x5F\x90\xD2\x67\x3C\xB2\xD9\xFE\x41\xB9\x55\xA7\x09\x8E\x72\x05\x1E\x8B\xDD\x44\x85\x82\x42\xD0\x49\xC0\x1D\x60\xF0\xD1\x17\x2C\x95\xEB\xF6\xA5\xC1\x92\xA3\xC5\xC2\xA7\x08\x60\x0D\x60\x04\x10\x96\x79\x9E\x16\x34\xE6\xA9\xB6\xFA\x25\x45\x39\xC8\x1E\x65\xF9\x93\xF5\xAA\xF1\x52\xDC\x99\x98\x3D\xA5\x86\x1A\x0C\x35\x33\xFA\x4B\xA5\x04\x06\x15\x1C\x31\x80\xEF\xAA\x18\x6B\xC2\x7B\xD7\xDA\xCE\xF9\x33\x20\xD5\xF5\xBD\x6A\x33\x2D\x81\x04\xFB\xB0\x5C\xD4\x9C\xA3\xE2\x5C\x1D\xE3\xA9\x42\x75\x5E\x7B\xD4\x77\xEF\x39\x54\xBA\xC9\x0A\x18\x1B\x12\x99\x49\x2F\x88\x4B\xFD\x50\x62\xD1\x73\xE7\x8F\x7A\x43\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAF\x44\x04\xC2\x41\x7E\x48\x83\xDB\x4E\x39\x02\xEC\xEC\x84\x7A\xE6\xCE\xC9\xA4\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x63\x1A\x08\x40\x7D\xA4\x5E\x53\x0D\x77\xD8\x7A\xAE\x1F\x0D\x0B\x51\x16\x03\xEF\x18\x7C\xC8\xE3\xAF\x6A\x58\x93\x14\x60\x91\xB2\x84\xDC\x88\x4E\xBE\x39\x8A\x3A\xF3\xE6\x82\x89\x5D\x01\x37\xB3\xAB\x24\xA4\x15\x0E\x92\x35\x5A\x4A\x44\x5E\x4E\x57\xFA\x75\xCE\x1F\x48\xCE\x66\xF4\x3C\x40\x26\x92\x98\x6C\x1B\xEE\x24\x46\x0C\x17\xB3\x52\xA5\xDB\xA5\x91\x91\xCF\x37\xD3\x6F\xE7\x27\x08\x3A\x4E\x19\x1F\x3A\xA7\x58\x5C\x17\xCF\x79\x3F\x8B\xE4\xA7\xD3\x26\x23\x9D\x26\x0F\x58\x69\xFC\x47\x7E\xB2\xD0\x8D\x8B\x93\xBF\x29\x4F\x43\x69\x74\x76\x67\x4B\xCF\x07\x8C\xE6\x02\xF7\xB5\xE1\xB4\x43\xB5\x4B\x2D\x14\x9F\xF9\xDC\x26\x0D\xBF\xA6\x47\x74\x06\xD8\x88\xD1\x3A\x29\x30\x84\xCE\xD2\x39\x80\x62\x1B\xA8\xC7\x57\x49\xBC\x6A\x55\x51\x67\x15\x4A\xBE\x35\x07\xE4\xD5\x75\x98\x37\x79\x30\x14\xDB\x29\x9D\x6C\xC5\x69\xCC\x47\x55\xA2\x30\xF7\xCC\x5C\x7F\xC2\xC3\x98\x1C\x6B\x4E\x16\x80\xEB\x7A\x78\x65\x45\xA2\x00\x1A\xAF\x0C\x0D\x55\x64\x34\x48\xB8\x92\xB9\xF1\xB4\x50\x29\xF2\x4F\x23\x1F\xDA\x6C\xAC\x1F\x44\xE1\xDD\x23\x78\x51\x5B\xC7\x16",
+	["CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x1D\x30\x82\x03\x05\xA0\x03\x02\x01\x02\x02\x10\x4E\x81\x2D\x8A\x82\x65\xE0\x0B\x02\xEE\x3E\x35\x02\x46\xE5\x3D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x40\x8B\x8B\x72\xE3\x91\x1B\xF7\x51\xC1\x1B\x54\x04\x98\xD3\xA9\xBF\xC1\xE6\x8A\x5D\x3B\x87\xFB\xBB\x88\xCE\x0D\xE3\x2F\x3F\x06\x96\xF0\xA2\x29\x50\x99\xAE\xDB\x3B\xA1\x57\xB0\x74\x51\x71\xCD\xED\x42\x91\x4D\x41\xFE\xA9\xC8\xD8\x6A\x86\x77\x44\xBB\x59\x66\x97\x50\x5E\xB4\xD4\x2C\x70\x44\xCF\xDA\x37\x95\x42\x69\x3C\x30\xC4\x71\xB3\x52\xF0\x21\x4D\xA1\xD8\xBA\x39\x7C\x1C\x9E\xA3\x24\x9D\xF2\x83\x16\x98\xAA\x16\x7C\x43\x9B\x15\x5B\xB7\xAE\x34\x91\xFE\xD4\x62\x26\x18\x46\x9A\x3F\xEB\xC1\xF9\xF1\x90\x57\xEB\xAC\x7A\x0D\x8B\xDB\x72\x30\x6A\x66\xD5\xE0\x46\xA3\x70\xDC\x68\xD9\xFF\x04\x48\x89\x77\xDE\xB5\xE9\xFB\x67\x6D\x41\xE9\xBC\x39\xBD\x32\xD9\x62\x02\xF1\xB1\xA8\x3D\x6E\x37\x9C\xE2\x2F\xE2\xD3\xA2\x26\x8B\xC6\xB8\x55\x43\x88\xE1\x23\x3E\xA5\xD2\x24\x39\x6A\x47\xAB\x00\xD4\xA1\xB3\xA9\x25\xFE\x0D\x3F\xA7\x1D\xBA\xD3\x51\xC1\x0B\xA4\xDA\xAC\x38\xEF\x55\x50\x24\x05\x65\x46\x93\x34\x4F\x2D\x8D\xAD\xC6\xD4\x21\x19\xD2\x8E\xCA\x05\x61\x71\x07\x73\x47\xE5\x8A\x19\x12\xBD\x04\x4D\xCE\x4E\x9C\xA5\x48\xAC\xBB\x26\xF7\x02\x03\x01\x00\x01\xA3\x81\x8E\x30\x81\x8B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0B\x58\xE5\x8B\xC6\x4C\x15\x37\xA4\x40\xA9\x30\xA9\x21\xBE\x47\x36\x5A\x56\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x49\x06\x03\x55\x1D\x1F\x04\x42\x30\x40\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x43\x4F\x4D\x4F\x44\x4F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\x98\x9E\x9B\xF6\x1B\xE9\xD7\x39\xB7\x78\xAE\x1D\x72\x18\x49\xD3\x87\xE4\x43\x82\xEB\x3F\xC9\xAA\xF5\xA8\xB5\xEF\x55\x7C\x21\x52\x65\xF9\xD5\x0D\xE1\x6C\xF4\x3E\x8C\x93\x73\x91\x2E\x02\xC4\x4E\x07\x71\x6F\xC0\x8F\x38\x61\x08\xA8\x1E\x81\x0A\xC0\x2F\x20\x2F\x41\x8B\x91\xDC\x48\x45\xBC\xF1\xC6\xDE\xBA\x76\x6B\x33\xC8\x00\x2D\x31\x46\x4C\xED\xE7\x9D\xCF\x88\x94\xFF\x33\xC0\x56\xE8\x24\x86\x26\xB8\xD8\x38\x38\xDF\x2A\x6B\xDD\x12\xCC\xC7\x3F\x47\x17\x4C\xA2\xC2\x06\x96\x09\xD6\xDB\xFE\x3F\x3C\x46\x41\xDF\x58\xE2\x56\x0F\x3C\x3B\xC1\x1C\x93\x35\xD9\x38\x52\xAC\xEE\xC8\xEC\x2E\x30\x4E\x94\x35\xB4\x24\x1F\x4B\x78\x69\xDA\xF2\x02\x38\xCC\x95\x52\x93\xF0\x70\x25\x59\x9C\x20\x67\xC4\xEE\xF9\x8B\x57\x61\xF4\x92\x76\x7D\x3F\x84\x8D\x55\xB7\xE8\xE5\xAC\xD5\xF1\xF5\x19\x56\xA6\x5A\xFB\x90\x1C\xAF\x93\xEB\xE5\x1C\xD4\x67\x97\x5D\x04\x0E\xBE\x0B\x83\xA6\x17\x83\xB9\x30\x12\xA0\xC5\x33\x15\x05\xB9\x0D\xFB\xC7\x05\x76\xE3\xD8\x4A\x8D\xFC\x34\x17\xA3\xC6\x21\x28\xBE\x30\x45\x31\x1E\xC7\x78\xBE\x58\x61\x38\xAC\x3B\xE2\x01\x65",
+	["CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US"] = "\x30\x82\x03\xE6\x30\x82\x02\xCE\xA0\x03\x02\x01\x02\x02\x10\x57\xCB\x33\x6F\xC2\x5C\x16\xE6\x47\x16\x17\xE3\x90\x31\x68\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\xBC\x7E\x92\x30\x6D\xC6\xD8\x8E\x2B\x0B\xBC\x46\xCE\xE0\x27\x96\xDE\xDE\xF9\xFA\x12\xD3\x3C\x33\x73\xB3\x04\x2F\xBC\x71\x8C\xE5\x9F\xB6\x22\x60\x3E\x5F\x5D\xCE\x09\xFF\x82\x0C\x1B\x9A\x51\x50\x1A\x26\x89\xDD\xD5\x61\x5D\x19\xDC\x12\x0F\x2D\x0A\xA2\x43\x5D\x17\xD0\x34\x92\x20\xEA\x73\xCF\x38\x2C\x06\x26\x09\x7A\x72\xF7\xFA\x50\x32\xF8\xC2\x93\xD3\x69\xA2\x23\xCE\x41\xB1\xCC\xE4\xD5\x1F\x36\xD1\x8A\x3A\xF8\x8C\x63\xE2\x14\x59\x69\xED\x0D\xD3\x7F\x6B\xE8\xB8\x03\xE5\x4F\x6A\xE5\x98\x63\x69\x48\x05\xBE\x2E\xFF\x33\xB6\xE9\x97\x59\x69\xF8\x67\x19\xAE\x93\x61\x96\x44\x15\xD3\x72\xB0\x3F\xBC\x6A\x7D\xEC\x48\x7F\x8D\xC3\xAB\xAA\x71\x2B\x53\x69\x41\x53\x34\xB5\xB0\xB9\xC5\x06\x0A\xC4\xB0\x45\xF5\x41\x5D\x6E\x89\x45\x7B\x3D\x3B\x26\x8C\x74\xC2\xE5\xD2\xD1\x7D\xB2\x11\xD4\xFB\x58\x32\x22\x9A\x80\xC9\xDC\xFD\x0C\xE9\x7F\x5E\x03\x97\xCE\x3B\x00\x14\x87\x27\x70\x38\xA9\x8E\x6E\xB3\x27\x76\x98\x51\xE0\x05\xE3\x21\xAB\x1A\xD5\x85\x22\x3C\x29\xB5\x9A\x16\xC5\x80\xA8\xF4\xBB\x6B\x30\x8F\x2F\x46\x02\xA2\xB1\x0C\x22\xE0\xD3\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x21\x30\xC9\xFB\x00\xD7\x4E\x98\xDA\x87\xAA\x2A\xD0\xA7\x2E\xB1\x40\x31\xA7\x4C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x1F\x04\x4B\x30\x49\x30\x47\xA0\x45\xA0\x43\x86\x41\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6E\x65\x74\x73\x6F\x6C\x73\x73\x6C\x2E\x63\x6F\x6D\x2F\x4E\x65\x74\x77\x6F\x72\x6B\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xBB\xAE\x4B\xE7\xB7\x57\xEB\x7F\xAA\x2D\xB7\x73\x47\x85\x6A\xC1\xE4\xA5\x1D\xE4\xE7\x3C\xE9\xF4\x59\x65\x77\xB5\x7A\x5B\x5A\x8D\x25\x36\xE0\x7A\x97\x2E\x38\xC0\x57\x60\x83\x98\x06\x83\x9F\xB9\x76\x7A\x6E\x50\xE0\xBA\x88\x2C\xFC\x45\xCC\x18\xB0\x99\x95\x51\x0E\xEC\x1D\xB8\x88\xFF\x87\x50\x1C\x82\xC2\xE3\xE0\x32\x80\xBF\xA0\x0B\x47\xC8\xC3\x31\xEF\x99\x67\x32\x80\x4F\x17\x21\x79\x0C\x69\x5C\xDE\x5E\x34\xAE\x02\xB5\x26\xEA\x50\xDF\x7F\x18\x65\x2C\xC9\xF2\x63\xE1\xA9\x07\xFE\x7C\x71\x1F\x6B\x33\x24\x6A\x1E\x05\xF7\x05\x68\xC0\x6A\x12\xCB\x2E\x5E\x61\xCB\xAE\x28\xD3\x7E\xC2\xB4\x66\x91\x26\x5F\x3C\x2E\x24\x5F\xCB\x58\x0F\xEB\x28\xEC\xAF\x11\x96\xF3\xDC\x7B\x6F\xC0\xA7\x88\xF2\x53\x77\xB3\x60\x5E\xAE\xAE\x28\xDA\x35\x2C\x6F\x34\x45\xD3\x26\xE1\xDE\xEC\x5B\x4F\x27\x6B\x16\x7C\xBD\x44\x04\x18\x82\xB3\x89\x79\x17\x10\x71\x3D\x7A\xA2\x16\x4E\xF5\x01\xCD\xA4\x6C\x65\x68\xA1\x49\x76\x5C\x43\xC9\xD8\xBC\x36\x67\x6C\xA5\x94\xB5\xD4\xCC\xB9\xBD\x6A\x35\x56\x21\xDE\xD8\xC3\xEB\xFB\xCB\xA4\x60\x4C\xB0\x55\xA0\xA0\x7B\x57\xB2",
+	["CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x33\x31\x37\x30\x37\x35\x34\x5A\x17\x0D\x32\x32\x31\x32\x31\x34\x30\x30\x30\x37\x35\x34\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEE\x6F\xB4\xBD\x79\xE2\x8F\x08\x21\x9E\x38\x04\x41\x25\xEF\xAB\x5B\x1C\x53\x92\xAC\x6D\x9E\xDD\xC2\xC4\x2E\x45\x94\x03\x35\x88\x67\x74\x57\xE3\xDF\x8C\xB8\xA7\x76\x8F\x3B\xF7\xA8\xC4\xDB\x29\x63\x0E\x91\x68\x36\x8A\x97\x8E\x8A\x71\x68\x09\x07\xE4\xE8\xD4\x0E\x4F\xF8\xD6\x2B\x4C\xA4\x16\xF9\xEF\x43\x98\x8F\xB3\x9E\x52\xDF\x6D\x91\x39\x8F\x38\xBD\x77\x8B\x43\x63\xEB\xB7\x93\xFC\x30\x4C\x1C\x01\x93\xB6\x13\xFB\xF7\xA1\x1F\xBF\x25\xE1\x74\x37\x2C\x1E\xA4\x5E\x3C\x68\xF8\x4B\xBF\x0D\xB9\x1E\x2E\x36\xE8\xA9\xE4\xA7\xF8\x0F\xCB\x82\x75\x7C\x35\x2D\x22\xD6\xC2\xBF\x0B\xF3\xB4\xFC\x6C\x95\x61\x1E\x57\xD7\x04\x81\x32\x83\x52\x79\xE6\x83\x63\xCF\xB7\xCB\x63\x8B\x11\xE2\xBD\x5E\xEB\xF6\x8D\xED\x95\x72\x28\xB4\xAC\x12\x62\xE9\x4A\x33\xE6\x83\x32\xAE\x05\x75\x95\xBD\x84\x95\xDB\x2A\x5C\x9B\x8E\x2E\x0C\xB8\x81\x2B\x41\xE6\x38\x56\x9F\x49\x9B\x6C\x76\xFA\x8A\x5D\xF7\x01\x79\x81\x7C\xC1\x83\x40\x05\xFE\x71\xFD\x0C\x3F\xCC\x4E\x60\x09\x0E\x65\x47\x10\x2F\x01\xC0\x05\x3F\x8F\xF8\xB3\x41\xEF\x5A\x42\x7E\x59\xEF\xD2\x97\x0C\x65\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x70\x6B\x69\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x77\x73\x70\x72\x63\x61\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\x30\x81\xB2\x06\x03\x55\x1D\x23\x04\x81\xAA\x30\x81\xA7\x80\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\xA1\x81\x8B\xA4\x81\x88\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB9\x15\xB1\x44\x91\xCC\x23\xC8\x2B\x4D\x77\xE3\xF8\x9A\x7B\x27\x0D\xCD\x72\xBB\x99\x00\xCA\x7C\x66\x19\x50\xC6\xD5\x98\xED\xAB\xBF\x03\x5A\xE5\x4D\xE5\x1E\xC8\x4F\x71\x97\x86\xD5\xE3\x1D\xFD\x90\xC9\x3C\x75\x77\x57\x7A\x7D\xF8\xDE\xF4\xD4\xD5\xF7\x95\xE6\x74\x6E\x1D\x3C\xAE\x7C\x9D\xDB\x02\x03\x05\x2C\x71\x4B\x25\x3E\x07\xE3\x5E\x9A\xF5\x66\x17\x29\x88\x1A\x38\x9F\xCF\xAA\x41\x03\x84\x97\x6B\x93\x38\x7A\xCA\x30\x44\x1B\x24\x44\x33\xD0\xE4\xD1\xDC\x28\x38\xF4\x13\x43\x35\x35\x29\x63\xA8\x7C\xA2\xB5\xAD\x38\xA4\xED\xAD\xFD\xC6\x9A\x1F\xFF\x97\x73\xFE\xFB\xB3\x35\xA7\x93\x86\xC6\x76\x91\x00\xE6\xAC\x51\x16\xC4\x27\x32\x5C\xDB\x73\xDA\xA5\x93\x57\x8E\x3E\x6D\x35\x26\x08\x59\xD5\xE7\x44\xD7\x76\x20\x63\xE7\xAC\x13\x67\xC3\x6D\xB1\x70\x46\x7C\xD5\x96\x11\x3D\x89\x6F\x5D\xA8\xA1\xEB\x8D\x0A\xDA\xC3\x1D\x33\x6C\xA3\xEA\x67\x19\x9A\x99\x7F\x4B\x3D\x83\x51\x2A\x1D\xCA\x2F\x86\x0C\xA2\x7E\x10\x2D\x2B\xD4\x16\x95\x0B\x07\xAA\x2E\x14\x92\x49\xB7\x29\x6F\xD8\x6D\x31\x7D\xF5\xFC\xA1\x10\x07\x87\xCE\x2F\x59\xDC\x3E\x58\xDB",
+	["CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x02\x89\x30\x82\x02\x0F\xA0\x03\x02\x01\x02\x02\x10\x1F\x47\xAF\xAA\x62\x00\x70\x50\x54\x4C\x01\x9E\x9B\x63\x99\x2A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x33\x30\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x03\x47\x7B\x2F\x75\xC9\x82\x15\x85\xFB\x75\xE4\x91\x16\xD4\xAB\x62\x99\xF5\x3E\x52\x0B\x06\xCE\x41\x00\x7F\x97\xE1\x0A\x24\x3C\x1D\x01\x04\xEE\x3D\xD2\x8D\x09\x97\x0C\xE0\x75\xE4\xFA\xFB\x77\x8A\x2A\xF5\x03\x60\x4B\x36\x8B\x16\x23\x16\xAD\x09\x71\xF4\x4A\xF4\x28\x50\xB4\xFE\x88\x1C\x6E\x3F\x6C\x2F\x2F\x09\x59\x5B\xA5\x5B\x0B\x33\x99\xE2\xC3\x3D\x89\xF9\x6A\x2C\xEF\xB2\xD3\x06\xE9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x75\x71\xA7\x19\x48\x19\xBC\x9D\x9D\xEA\x41\x47\xDF\x94\xC4\x48\x77\x99\xD3\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xEF\x03\x5B\x7A\xAC\xB7\x78\x0A\x72\xB7\x88\xDF\xFF\xB5\x46\x14\x09\x0A\xFA\xA0\xE6\x7D\x08\xC6\x1A\x87\xBD\x18\xA8\x73\xBD\x26\xCA\x60\x0C\x9D\xCE\x99\x9F\xCF\x5C\x0F\x30\xE1\xBE\x14\x31\xEA\x02\x30\x14\xF4\x93\x3C\x49\xA7\x33\x7A\x90\x46\x47\xB3\x63\x7D\x13\x9B\x4E\xB7\x6F\x18\x37\x80\x53\xFE\xDD\x20\xE0\x35\x9A\x36\xD1\xC7\x01\xB9\xE6\xDC\xDD\xF3\xFF\x1D\x2C\x3A\x16\x57\xD9\x92\x39\xD6",
+	["emailAddress=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR"] = "\x30\x82\x04\x02\x30\x82\x02\xEA\xA0\x03\x02\x01\x02\x02\x05\x39\x11\x45\x10\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x1E\x17\x0D\x30\x32\x31\x32\x31\x33\x31\x34\x32\x39\x32\x33\x5A\x17\x0D\x32\x30\x31\x30\x31\x37\x31\x34\x32\x39\x32\x32\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\x1F\xD1\xD0\x62\xC5\x33\x3B\xC0\x04\x86\x88\xB3\xDC\xF8\x88\xF7\xFD\xDF\x43\xDF\x7A\x8D\x9A\x49\x5C\xF6\x4E\xAA\xCC\x1C\xB9\xA1\xEB\x27\x89\xF2\x46\xE9\x3B\x4A\x71\xD5\x1D\x8E\x2D\xCF\xE6\xAD\xAB\x63\x50\xC7\x54\x0B\x6E\x12\xC9\x90\x36\xC6\xD8\x2F\xDA\x91\xAA\x68\xC5\x72\xFE\x17\x0A\xB2\x17\x7E\x79\xB5\x32\x88\x70\xCA\x70\xC0\x96\x4A\x8E\xE4\x55\xCD\x1D\x27\x94\xBF\xCE\x72\x2A\xEC\x5C\xF9\x73\x20\xFE\xBD\xF7\x2E\x89\x67\xB8\xBB\x47\x73\x12\xF7\xD1\x35\x69\x3A\xF2\x0A\xB9\xAE\xFF\x46\x42\x46\xA2\xBF\xA1\x85\x1A\xF9\xBF\xE4\xFF\x49\x85\xF7\xA3\x70\x86\x32\x1C\x5D\x9F\x60\xF7\xA9\xAD\xA5\xFF\xCF\xD1\x34\xF9\x7D\x5B\x17\xC6\xDC\xD6\x0E\x28\x6B\xC2\xDD\xF1\xF5\x33\x68\x9D\x4E\xFC\x87\x7C\x36\x12\xD6\xA3\x80\xE8\x43\x0D\x55\x61\x94\xEA\x64\x37\x47\xEA\x77\xCA\xD0\xB2\x58\x05\xC3\x5D\x7E\xB1\xA8\x46\x90\x31\x56\xCE\x70\x2A\x96\xB2\x30\xB8\x77\xE6\x79\xC0\xBD\x29\x3B\xFD\x94\x77\x4C\xBD\x20\xCD\x41\x25\xE0\x2E\xC7\x1B\xBB\xEE\xA4\x04\x41\xD2\x5D\xAD\x12\x6A\x8A\x9B\x47\xFB\xC9\xDD\x46\x40\xE1\x9D\x3C\x33\xD0\xB5\x02\x03\x01\x00\x01\xA3\x77\x30\x75\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x46\x30\x15\x06\x03\x55\x1D\x20\x04\x0E\x30\x0C\x30\x0A\x06\x08\x2A\x81\x7A\x01\x79\x01\x01\x01\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\xDC\x26\xD8\xFA\x77\x15\x44\x68\xFC\x2F\x66\x3A\x74\xE0\x5D\xE4\x29\xFF\x06\x07\x13\x84\x4A\xAB\xCF\x6D\xA0\x1F\x51\x94\xF8\x49\xCB\x74\x36\x14\xBC\x15\xDD\xDB\x89\x2F\xDD\x8F\xA0\x5D\x7C\xF5\x12\xEB\x9F\x9E\x38\xA4\x47\xCC\xB3\x96\xD9\xBE\x9C\x25\xAB\x03\x7E\x33\x0F\x95\x81\x0D\xFD\x16\xE0\x88\xBE\x37\xF0\x6C\x5D\xD0\x31\x9B\x32\x2B\x5D\x17\x65\x93\x98\x60\xBC\x6E\x8F\xB1\xA8\x3C\x1E\xD9\x1C\xF3\xA9\x26\x42\xF9\x64\x1D\xC2\xE7\x92\xF6\xF4\x1E\x5A\xAA\x19\x52\x5D\xAF\xE8\xA2\xF7\x60\xA0\xF6\x8D\xF0\x89\xF5\x6E\xE0\x0A\x05\x01\x95\xC9\x8B\x20\x0A\xBA\x5A\xFC\x9A\x2C\x3C\xBD\xC3\xB7\xC9\x5D\x78\x25\x05\x3F\x56\x14\x9B\x0C\xDA\xFB\x3A\x48\xFE\x97\x69\x5E\xCA\x10\x86\xF7\x4E\x96\x04\x08\x4D\xEC\xB0\xBE\x5D\xDC\x3B\x8E\x4F\xC1\xFD\x9A\x36\x34\x9A\x4C\x54\x7E\x17\x03\x48\x95\x08\x11\x1C\x07\x6F\x85\x08\x7E\x5D\x4D\xC4\x9D\xDB\xFB\xAE\xCE\xB2\xD1\xB3\xB8\x83\x6C\x1D\xB2\xB3\x79\xF1\xD8\x70\x99\x7E\xF0\x13\x02\xCE\x5E\xDD\x51\xD3\xDF\x36\x81\xA1\x1B\x78\x2F\x71\xB3\xF1\x59\x4C\x46\x18\x28\xAB\x85\xD2\x60\x56\x5A",
+	["OU=Security Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x7D\x30\x82\x02\x65\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x17\x0D\x33\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x7F\xEC\x57\x9B\x24\xE0\xFE\x9C\xBA\x42\x79\xA9\x88\x8A\xFA\x80\xE0\xF5\x07\x29\x43\xEA\x8E\x0A\x34\x36\x8D\x1C\xFA\xA7\xB5\x39\x78\xFF\x97\x75\xF7\x2F\xE4\xAA\x6B\x04\x84\x44\xCA\xA6\xE2\x68\x8E\xFD\x55\x50\x62\x0F\xA4\x71\x0E\xCE\x07\x38\x2D\x42\x85\x50\xAD\x3C\x96\x6F\x8B\xD5\xA2\x0E\xCF\xDE\x49\x89\x3D\xD6\x64\x2E\x38\xE5\x1E\x6C\xB5\x57\x8A\x9E\xEF\x48\x0E\xCD\x7A\x69\x16\x87\x44\xB5\x90\xE4\x06\x9D\xAE\xA1\x04\x97\x58\x79\xEF\x20\x4A\x82\x6B\x8C\x22\xBF\xEC\x1F\x0F\xE9\x84\x71\xED\xF1\x0E\xE4\xB8\x18\x13\xCC\x56\x36\x5D\xD1\x9A\x1E\x51\x6B\x39\x6E\x60\x76\x88\x34\x0B\xF3\xB3\xD1\xB0\x9D\xCA\x61\xE2\x64\x1D\xC1\x46\x07\xB8\x63\xDD\x1E\x33\x65\xB3\x8E\x09\x55\x52\x3D\xB5\xBD\xFF\x07\xEB\xAD\x61\x55\x18\x2C\xA9\x69\x98\x4A\xAA\x40\xC5\x33\x14\x65\x74\x00\xF9\x91\xDE\xAF\x03\x48\xC5\x40\x54\xDC\x0F\x84\x90\x68\x20\xC5\x92\x96\xDC\x2E\xE5\x02\x45\xAA\xC0\x5F\x54\xF8\x6D\xEA\x49\xCF\x5D\x6C\x4B\xAF\xEF\x9A\xC2\x56\x5C\xC6\x35\x56\x42\x6A\x30\x5F\xC2\xAB\xF6\xE2\x3D\x3F\xB3\xC9\x11\x8F\x31\x4C\xD7\x9F\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x35\x4A\xF5\x4D\xAF\x3F\xD7\x82\x38\xAC\xAB\x71\x65\x17\x75\x8C\x9D\x55\x93\xE6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA8\x87\xE9\xEC\xF8\x40\x67\x5D\xC3\xC1\x66\xC7\x40\x4B\x97\xFC\x87\x13\x90\x5A\xC4\xEF\xA0\xCA\x5F\x8B\xB7\xA7\xB7\xF1\xD6\xB5\x64\xB7\x8A\xB3\xB8\x1B\xCC\xDA\xFB\xAC\x66\x88\x41\xCE\xE8\xFC\xE4\xDB\x1E\x88\xA6\xED\x27\x50\x1B\x02\x30\x24\x46\x79\xFE\x04\x87\x70\x97\x40\x73\xD1\xC0\xC1\x57\x19\x9A\x69\xA5\x27\x99\xAB\x9D\x62\x84\xF6\x51\xC1\x2C\xC9\x23\x15\xD8\x28\xB7\xAB\x25\x13\xB5\x46\xE1\x86\x02\xFF\x26\x8C\xC4\x88\x92\x1D\x56\xFE\x19\x67\xF2\x55\xE4\x80\xA3\x6B\x9C\xAB\x77\xE1\x51\x71\x0D\x20\xDB\x10\x9A\xDB\xBD\x76\x79\x07\x77\x99\x28\xAD\x9A\x5E\xDA\xB1\x4F\x44\x2C\x35\x8E\xA5\x96\xC7\xFD\x83\xF0\x58\xC6\x79\xD6\x98\x7C\xA8\x8D\xFE\x86\x3E\x07\x16\x92\xE1\x7B\xE7\x1D\xEC\x33\x76\x7E\x42\x2E\x4A\x85\xF9\x91\x89\x68\x84\x03\x81\xA5\x9B\x9A\xBE\xE3\x37\xC5\x54\xAB\x56\x3B\x18\x2D\x41\xA4\x0C\xF8\x42\xDB\x99\xA0\xE0\x72\x6F\xBB\x5D\xE1\x16\x4F\x53\x0A\x64\xF9\x4E\xF4\xBF\x4E\x54\xBD\x78\x6C\x88\xEA\xBF\x9C\x13\x24\xC2\x70\x69\xA2\x7F\x0F\xC8\x3C\xAD\x08\xC9\xB0\x98\x40\xA3\x2A\xE7\x88\x83\xED\x77\x8F\x74",
+	["CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH"] = "\x30\x82\x03\xF1\x30\x82\x02\xD9\xA0\x03\x02\x01\x02\x02\x10\x41\x3D\x72\xC7\xF4\x6B\x1F\x81\x43\x7D\xF1\xD2\x28\x54\xDF\x9A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x31\x32\x31\x31\x31\x36\x30\x33\x34\x34\x5A\x17\x0D\x33\x37\x31\x32\x31\x31\x31\x36\x30\x39\x35\x31\x5A\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\x4F\xB3\x00\x9B\x3D\x36\xDD\xF9\xD1\x49\x6A\x6B\x10\x49\x1F\xEC\xD8\x2B\xB2\xC6\xF8\x32\x81\x29\x43\x95\x4C\x9A\x19\x23\x21\x15\x45\xDE\xE3\xC8\x1C\x51\x55\x5B\xAE\x93\xE8\x37\xFF\x2B\x6B\xE9\xD4\xEA\xBE\x2A\xDD\xA8\x51\x2B\xD7\x66\xC3\x61\x5C\x60\x02\xC8\xF5\xCE\x72\x7B\x3B\xB8\xF2\x4E\x65\x08\x9A\xCD\xA4\x6A\x19\xC1\x01\xBB\x73\xA6\xD7\xF6\xC3\xDD\xCD\xBC\xA4\x8B\xB5\x99\x61\xB8\x01\xA2\xA3\xD4\x4D\xD4\x05\x3D\x91\xAD\xF8\xB4\x08\x71\x64\xAF\x70\xF1\x1C\x6B\x7E\xF6\xC3\x77\x9D\x24\x73\x7B\xE4\x0C\x8C\xE1\xD9\x36\xE1\x99\x8B\x05\x99\x0B\xED\x45\x31\x09\xCA\xC2\x00\xDB\xF7\x72\xA0\x96\xAA\x95\x87\xD0\x8E\xC7\xB6\x61\x73\x0D\x76\x66\x8C\xDC\x1B\xB4\x63\xA2\x9F\x7F\x93\x13\x30\xF1\xA1\x27\xDB\xD9\xFF\x2C\x55\x88\x91\xA0\xE0\x4F\x07\xB0\x28\x56\x8C\x18\x1B\x97\x44\x8E\x89\xDD\xE0\x17\x6E\xE7\x2A\xEF\x8F\x39\x0A\x31\x84\x82\xD8\x40\x14\x49\x2E\x7A\x41\xE4\xA7\xFE\xE3\x64\xCC\xC1\x59\x71\x4B\x2C\x21\xA7\x5B\x7D\xE0\x1D\xD1\x2E\x81\x9B\xC3\xD8\x68\xF7\xBD\x96\x1B\xAC\x70\xB1\x16\x14\x0B\xDB\x60\xB9\x26\x01\x05\x02\x03\x01\x00\x01\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x03\x7E\xAE\x36\xBC\xB0\x79\xD1\xDC\x94\x26\xB6\x11\xBE\x21\xB2\x69\x86\x94\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\xA1\xFF\x0B\x87\x6E\xB3\xF9\xC1\x43\xB1\x48\xF3\x28\xC0\x1D\x2E\xC9\x09\x41\xFA\x94\x00\x1C\xA4\xA4\xAB\x49\x4F\x8F\x3D\x1E\xEF\x4D\x6F\xBD\xBC\xA4\xF6\xF2\x26\x30\xC9\x10\xCA\x1D\x88\xFB\x74\x19\x1F\x85\x45\xBD\xB0\x6C\x51\xF9\x36\x7E\xDB\xF5\x4C\x32\x3A\x41\x4F\x5B\x47\xCF\xE8\x0B\x2D\xB6\xC4\x19\x9D\x74\xC5\x47\xC6\x3B\x6A\x0F\xAC\x14\xDB\x3C\xF4\x73\x9C\xA9\x05\xDF\x00\xDC\x74\x78\xFA\xF8\x35\x60\x59\x02\x13\x18\x7C\xBC\xFB\x4D\xB0\x20\x6D\x43\xBB\x60\x30\x7A\x67\x33\x5C\xC5\x99\xD1\xF8\x2D\x39\x52\x73\xFB\x8C\xAA\x97\x25\x5C\x72\xD9\x08\x1E\xAB\x4E\x3C\xE3\x81\x31\x9F\x03\xA6\xFB\xC0\xFE\x29\x88\x55\xDA\x84\xD5\x50\x03\xB6\xE2\x84\xA3\xA6\x36\xAA\x11\x3A\x01\xE1\x18\x4B\xD6\x44\x68\xB3\x3D\xF9\x53\x74\x84\xB3\x46\x91\x46\x96\x00\xB7\x80\x2C\xB6\xE1\xE3\x10\xE2\xDB\xA2\xE7\x28\x8F\x01\x96\x62\x16\x3E\x00\xE3\x1C\xA5\x36\x81\x18\xA2\x4C\x52\x76\xC0\x11\xA3\x6E\xE6\x1D\xBA\xE3\x5A\xBE\x36\x53\xC5\x3E\x75\x8F\x86\x69\x29\x58\x53\xB5\x9C\xBB\x6F\x9F\x5C\xC5\x18\xEC\xDD\x2F\xE1\x98\xC9\xFC\xBE\xDF\x0A\x0D",
+	["CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU"] = "\x30\x82\x07\xA8\x30\x82\x06\x90\xA0\x03\x02\x01\x02\x02\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x17\x0D\x31\x37\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xED\xC8\x00\xD5\x81\x7B\xCD\x38\x00\x47\xCC\xDB\x84\xC1\x21\x69\x2C\x74\x90\x0C\x21\xD9\x53\x87\xED\x3E\x43\x44\x53\xAF\xAB\xF8\x80\x9B\x3C\x78\x8D\xD4\x8D\xAE\xB8\xEF\xD3\x11\xDC\x81\xE6\xCF\x3B\x96\x8C\xD6\x6F\x15\xC6\x77\x7E\xA1\x2F\xE0\x5F\x92\xB6\x27\xD7\x76\x9A\x1D\x43\x3C\xEA\xD9\xEC\x2F\xEE\x39\xF3\x6A\x67\x4B\x8B\x82\xCF\x22\xF8\x65\x55\xFE\x2C\xCB\x2F\x7D\x48\x7A\x3D\x75\xF9\xAA\xA0\x27\xBB\x78\xC2\x06\xCA\x51\xC2\x7E\x66\x4B\xAF\xCD\xA2\xA7\x4D\x02\x82\x3F\x82\xAC\x85\xC6\xE1\x0F\x90\x47\x99\x94\x0A\x71\x72\x93\x2A\xC9\xA6\xC0\xBE\x3C\x56\x4C\x73\x92\x27\xF1\x6B\xB5\xF5\xFD\xFC\x30\x05\x60\x92\xC6\xEB\x96\x7E\x01\x91\xC2\x69\xB1\x1E\x1D\x7B\x53\x45\xB8\xDC\x41\x1F\xC9\x8B\x71\xD6\x54\x14\xE3\x8B\x54\x78\x3F\xBE\xF4\x62\x3B\x5B\xF5\xA3\xEC\xD5\x92\x74\xE2\x74\x30\xEF\x01\xDB\xE1\xD4\xAB\x99\x9B\x2A\x6B\xF8\xBD\xA6\x1C\x86\x23\x42\x5F\xEC\x49\xDE\x9A\x8B\x5B\xF4\x72\x3A\x40\xC5\x49\x3E\xA5\xBE\x8E\xAA\x71\xEB\x6C\xFA\xF5\x1A\xE4\x6A\xFD\x7B\x7D\x55\x40\xEF\x58\x6E\xE6\xD9\xD5\xBC\x24\xAB\xC1\xEF\xB7\x02\x03\x01\x00\x01\xA3\x82\x04\x37\x30\x82\x04\x33\x30\x67\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x5B\x30\x59\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x1C\x68\x74\x74\x70\x73\x3A\x2F\x2F\x72\x63\x61\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x6F\x63\x73\x70\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\x30\x82\x01\x62\x06\x0C\x2B\x06\x01\x04\x01\x81\xA8\x18\x02\x01\x01\x01\x30\x82\x01\x50\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1C\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x53\x5A\x53\x5A\x2F\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x20\x00\x74\x00\x61\x00\x6E\x00\xFA\x00\x73\x00\xED\x00\x74\x00\x76\x00\xE1\x00\x6E\x00\x79\x00\x20\x00\xE9\x00\x72\x00\x74\x00\x65\x00\x6C\x00\x6D\x00\x65\x00\x7A\x00\xE9\x00\x73\x00\xE9\x00\x68\x00\x65\x00\x7A\x00\x20\x00\xE9\x00\x73\x00\x20\x00\x65\x00\x6C\x00\x66\x00\x6F\x00\x67\x00\x61\x00\x64\x00\xE1\x00\x73\x00\xE1\x00\x68\x00\x6F\x00\x7A\x00\x20\x00\x61\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xF3\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xE1\x00\x73\x00\x69\x00\x20\x00\x53\x00\x7A\x00\x61\x00\x62\x00\xE1\x00\x6C\x00\x79\x00\x7A\x00\x61\x00\x74\x00\x61\x00\x20\x00\x73\x00\x7A\x00\x65\x00\x72\x00\x69\x00\x6E\x00\x74\x00\x20\x00\x6B\x00\x65\x00\x6C\x00\x6C\x00\x20\x00\x65\x00\x6C\x00\x6A\x00\xE1\x00\x72\x00\x6E\x00\x69\x00\x3A\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x65\x00\x2D\x00\x73\x00\x7A\x00\x69\x00\x67\x00\x6E\x00\x6F\x00\x2E\x00\x68\x00\x75\x00\x2F\x00\x53\x00\x5A\x00\x53\x00\x5A\x00\x2F\x30\x81\xC8\x06\x03\x55\x1D\x1F\x04\x81\xC0\x30\x81\xBD\x30\x81\xBA\xA0\x81\xB7\xA0\x81\xB4\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x6C\x86\x81\x8E\x6C\x64\x61\x70\x3A\x2F\x2F\x6C\x64\x61\x70\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x43\x4E\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x41\x2C\x4F\x55\x3D\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x43\x41\x2C\x4F\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x4C\x74\x64\x2E\x2C\x4C\x3D\x42\x75\x64\x61\x70\x65\x73\x74\x2C\x43\x3D\x48\x55\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x52\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x4C\x69\x73\x74\x3B\x62\x69\x6E\x61\x72\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\x96\x06\x03\x55\x1D\x11\x04\x81\x8E\x30\x81\x8B\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\xA4\x77\x30\x75\x31\x23\x30\x21\x06\x03\x55\x04\x03\x0C\x1A\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x0C\x0D\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x48\x53\x5A\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4B\x66\x74\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x30\x81\xAC\x06\x03\x55\x1D\x23\x04\x81\xA4\x30\x81\xA1\x80\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\xA1\x76\xA4\x74\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD3\x13\x9C\x66\x63\x59\x2E\xCA\x5C\x70\x0C\xFC\x83\xBC\x55\xB1\xF4\x8E\x07\x6C\x66\x27\xCE\xC1\x3B\x20\xA9\x1C\xBB\x46\x54\x70\xEE\x5A\xCC\xA0\x77\xEA\x68\x44\x27\xEB\xF2\x29\xDD\x77\xA9\xD5\xFB\xE3\xD4\xA7\x04\xC4\x95\xB8\x0B\xE1\x44\x68\x60\x07\x43\x30\x31\x42\x61\xE5\xEE\xD9\xE5\x24\xD5\x1B\xDF\xE1\x4A\x1B\xAA\x9F\xC7\x5F\xF8\x7A\x11\xEA\x13\x93\x00\xCA\x8A\x58\xB1\xEE\xED\x0E\x4D\xB4\xD7\xA8\x36\x26\x7C\xE0\x3A\xC1\xD5\x57\x82\xF1\x75\xB6\xFD\x89\x5F\xDA\xF3\xA8\x38\x9F\x35\x06\x08\xCE\x22\x95\xBE\xCD\xD5\xFC\xBE\x5B\xDE\x79\x6B\xDC\x7A\xA9\x65\x66\xBE\xB1\x25\x5A\x5F\xED\x7E\xD3\xAC\x46\x6D\x4C\xF4\x32\x87\xB4\x20\x04\xE0\x6C\x78\xB0\x77\xD1\x85\x46\x4B\xA6\x12\xB7\x75\xE8\x4A\xC9\x56\x6C\xD7\x92\xAB\x9D\xF5\x49\x38\xD2\x4F\x53\xE3\x55\x90\x11\xDB\x98\x96\xC6\x49\xF2\x3E\xF4\x9F\x1B\xE0\xF7\x88\xDC\x25\x62\x99\x44\xD8\x73\xBF\x3F\x30\xF3\x0C\x37\x3E\xD4\xC2\x28\x80\x73\xB1\x01\xB7\x9D\x5A\x96\x14\x01\x4B\xA9\x11\x9D\x29\x6A\x2E\xD0\x5D\x81\xC0\xCF\xB2\x20\x43\xC7\x03\xE0\x37\x4E\x5D\x0A\xDC\x59\x20\x25",
+	["CN=Certigna,O=Dhimyotis,C=FR"] = "\x30\x82\x03\xA8\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x1E\x17\x0D\x30\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x17\x0D\x32\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x68\xF1\xC9\xD6\xD6\xB3\x34\x75\x26\x82\x1E\xEC\xB4\xBE\xEA\x5C\xE1\x26\xED\x11\x47\x61\xE1\xA2\x7C\x16\x78\x40\x21\xE4\x60\x9E\x5A\xC8\x63\xE1\xC4\xB1\x96\x92\xFF\x18\x6D\x69\x23\xE1\x2B\x62\xF7\xDD\xE2\x36\x2F\x91\x07\xB9\x48\xCF\x0E\xEC\x79\xB6\x2C\xE7\x34\x4B\x70\x08\x25\xA3\x3C\x87\x1B\x19\xF2\x81\x07\x0F\x38\x90\x19\xD3\x11\xFE\x86\xB4\xF2\xD1\x5E\x1E\x1E\x96\xCD\x80\x6C\xCE\x3B\x31\x93\xB6\xF2\xA0\xD0\xA9\x95\x12\x7D\xA5\x9A\xCC\x6B\xC8\x84\x56\x8A\x33\xA9\xE7\x22\x15\x53\x16\xF0\xCC\x17\xEC\x57\x5F\xE9\xA2\x0A\x98\x09\xDE\xE3\x5F\x9C\x6F\xDC\x48\xE3\x85\x0B\x15\x5A\xA6\xBA\x9F\xAC\x48\xE3\x09\xB2\xF7\xF4\x32\xDE\x5E\x34\xBE\x1C\x78\x5D\x42\x5B\xCE\x0E\x22\x8F\x4D\x90\xD7\x7D\x32\x18\xB3\x0B\x2C\x6A\xBF\x8E\x3F\x14\x11\x89\x20\x0E\x77\x14\xB5\x3D\x94\x08\x87\xF7\x25\x1E\xD5\xB2\x60\x00\xEC\x6F\x2A\x28\x25\x6E\x2A\x3E\x18\x63\x17\x25\x3F\x3E\x44\x20\x16\xF6\x26\xC8\x25\xAE\x05\x4A\xB4\xE7\x63\x2C\xF3\x8C\x16\x53\x7E\x5C\xFB\x11\x1A\x08\xC1\x46\x62\x9F\x22\xB8\xF1\xC2\x8D\x69\xDC\xFA\x3A\x58\x06\xDF\x02\x03\x01\x00\x01\xA3\x81\xBC\x30\x81\xB9\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\x30\x64\x06\x03\x55\x1D\x23\x04\x5D\x30\x5B\x80\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\xA1\x38\xA4\x36\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x82\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x03\x1E\x92\x71\xF6\x42\xAF\xE1\xA3\x61\x9E\xEB\xF3\xC0\x0F\xF2\xA5\xD4\xDA\x95\xE6\xD6\xBE\x68\x36\x3D\x7E\x6E\x1F\x4C\x8A\xEF\xD1\x0F\x21\x6D\x5E\xA5\x52\x63\xCE\x12\xF8\xEF\x2A\xDA\x6F\xEB\x37\xFE\x13\x02\xC7\xCB\x3B\x3E\x22\x6B\xDA\x61\x2E\x7F\xD4\x72\x3D\xDD\x30\xE1\x1E\x4C\x40\x19\x8C\x0F\xD7\x9C\xD1\x83\x30\x7B\x98\x59\xDC\x7D\xC6\xB9\x0C\x29\x4C\xA1\x33\xA2\xEB\x67\x3A\x65\x84\xD3\x96\xE2\xED\x76\x45\x70\x8F\xB5\x2B\xDE\xF9\x23\xD6\x49\x6E\x3C\x14\xB5\xC6\x9F\x35\x1E\x50\xD0\xC1\x8F\x6A\x70\x44\x02\x62\xCB\xAE\x1D\x68\x41\xA7\xAA\x57\xE8\x53\xAA\x07\xD2\x06\xF6\xD5\x14\x06\x0B\x91\x03\x75\x2C\x6C\x72\xB5\x61\x95\x9A\x0D\x8B\xB9\x0D\xE7\xF5\xDF\x54\xCD\xDE\xE6\xD8\xD6\x09\x08\x97\x63\xE5\xC1\x2E\xB0\xB7\x44\x26\xC0\x26\xC0\xAF\x55\x30\x9E\x3B\xD5\x36\x2A\x19\x04\xF4\x5C\x1E\xFF\xCF\x2C\xB7\xFF\xD0\xFD\x87\x40\x11\xD5\x11\x23\xBB\x48\xC0\x21\xA9\xA4\x28\x2D\xFD\x15\xF8\xB0\x4E\x2B\xF4\x30\x5B\x21\xFC\x11\x91\x34\xBE\x41\xEF\x7B\x9D\x97\x75\xFF\x97\x95\xC0\x96\x58\x2F\xEA\xBB\x46\xD7\xBB\xE4\xD9\x2E",
+	["CN=AC Ra\C3\ADz Certic\C3\A1mara S.A.,O=Sociedad Cameral de Certificaci\C3\B3n Digital - Certic\C3\A1mara S.A.,C=CO"] = "\x30\x82\x06\x66\x30\x82\x04\x4E\xA0\x03\x02\x01\x02\x02\x0F\x07\x7E\x52\x93\x7B\xE0\x15\xE3\x57\xF0\x69\x8C\xCB\xEC\x0C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4F\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x53\x6F\x63\x69\x65\x64\x61\x64\x20\x43\x61\x6D\x65\x72\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\xC3\xB3\x6E\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x2D\x20\x43\x65\x72\x74\x69\x63\xC3\xA1\x6D\x61\x72\x61\x20\x53\x2E\x41\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x0C\x1A\x41\x43\x20\x52\x61\xC3\xAD\x7A\x20\x43\x65\x72\x74\x69\x63\xC3\xA1\x6D\x61\x72\x61\x20\x53\x2E\x41\x2E\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x32\x30\x34\x36\x32\x39\x5A\x17\x0D\x33\x30\x30\x34\x30\x32\x32\x31\x34\x32\x30\x32\x5A\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4F\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x53\x6F\x63\x69\x65\x64\x61\x64\x20\x43\x61\x6D\x65\x72\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\xC3\xB3\x6E\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x2D\x20\x43\x65\x72\x74\x69\x63\xC3\xA1\x6D\x61\x72\x61\x20\x53\x2E\x41\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x0C\x1A\x41\x43\x20\x52\x61\xC3\xAD\x7A\x20\x43\x65\x72\x74\x69\x63\xC3\xA1\x6D\x61\x72\x61\x20\x53\x2E\x41\x2E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAB\x6B\x89\xA3\x53\xCC\x48\x23\x08\xFB\xC3\xCF\x51\x96\x08\x2E\xB8\x08\x7A\x6D\x3C\x90\x17\x86\xA9\xE9\xED\x2E\x13\x34\x47\xB2\xD0\x70\xDC\xC9\x3C\xD0\x8D\xCA\xEE\x4B\x17\xAB\xD0\x85\xB0\xA7\x23\x04\xCB\xA8\xA2\xFC\xE5\x75\xDB\x40\xCA\x62\x89\x8F\x50\x9E\x01\x3D\x26\x5B\x18\x84\x1C\xCB\x7C\x37\xB7\x7D\xEC\xD3\x7F\x73\x19\xB0\x6A\xB2\xD8\x88\x8A\x2D\x45\x74\xA8\xF7\xB3\xB8\xC0\xD4\xDA\xCD\x22\x89\x74\x4D\x5A\x15\x39\x73\x18\x74\x4F\xB5\xEB\x99\xA7\xC1\x1E\x88\xB4\xC2\x93\x90\x63\x97\xF3\xA7\xA7\x12\xB2\x09\x22\x07\x33\xD9\x91\xCD\x0E\x9C\x1F\x0E\x20\xC7\xEE\xBB\x33\x8D\x8F\xC2\xD2\x58\xA7\x5F\xFD\x65\x37\xE2\x88\xC2\xD8\x8F\x86\x75\x5E\xF9\x2D\xA7\x87\x33\xF2\x78\x37\x2F\x8B\xBC\x1D\x86\x37\x39\xB1\x94\xF2\xD8\xBC\x4A\x9C\x83\x18\x5A\x06\xFC\xF3\xD4\xD4\xBA\x8C\x15\x09\x25\xF0\xF9\xB6\x8D\x04\x7E\x17\x12\x33\x6B\x57\x48\x4C\x4F\xDB\x26\x1E\xEB\xCC\x90\xE7\x8B\xF9\x68\x7C\x70\x0F\xA3\x2A\xD0\x3A\x38\xDF\x37\x97\xE2\x5B\xDE\x80\x61\xD3\x80\xD8\x91\x83\x42\x5A\x4C\x04\x89\x68\x11\x3C\xAC\x5F\x68\x80\x41\xCC\x60\x42\xCE\x0D\x5A\x2A\x0C\x0F\x9B\x30\xC0\xA6\xF0\x86\xDB\xAB\x49\xD7\x97\x6D\x48\x8B\xF9\x03\xC0\x52\x67\x9B\x12\xF7\xC2\xF2\x2E\x98\x65\x42\xD9\xD6\x9A\xE3\xD0\x19\x31\x0C\xAD\x87\xD5\x57\x02\x7A\x30\xE8\x86\x26\xFB\x8F\x23\x8A\x54\x87\xE4\xBF\x3C\xEE\xEB\xC3\x75\x48\x5F\x1E\x39\x6F\x81\x62\x6C\xC5\x2D\xC4\x17\x54\x19\xB7\x37\x8D\x9C\x37\x91\xC8\xF6\x0B\xD5\xEA\x63\x6F\x83\xAC\x38\xC2\xF3\x3F\xDE\x9A\xFB\xE1\x23\x61\xF0\xC8\x26\xCB\x36\xC8\xA1\xF3\x30\x8F\xA4\xA3\xA2\xA1\xDD\x53\xB3\xDE\xF0\x9A\x32\x1F\x83\x91\x79\x30\xC1\xA9\x1F\x53\x9B\x53\xA2\x15\x53\x3F\xDD\x9D\xB3\x10\x3B\x48\x7D\x89\x0F\xFC\xED\x03\xF5\xFB\x25\x64\x75\x0E\x17\x19\x0D\x8F\x00\x16\x67\x79\x7A\x40\xFC\x2D\x59\x07\xD9\x90\xFA\x9A\xAD\x3D\xDC\x80\x8A\xE6\x5C\x35\xA2\x67\x4C\x11\x6B\xB1\xF8\x80\x64\x00\x2D\x6F\x22\x61\xC5\xAC\x4B\x26\xE5\x5A\x10\x82\x9B\xA4\x83\x7B\x34\xF7\x9E\x89\x91\x20\x97\x8E\xB7\x42\xC7\x66\xC3\xD0\xE9\xA4\xD6\xF5\x20\x8D\xC4\xC3\x95\xAC\x44\x0A\x9D\x5B\x73\x3C\x26\x3D\x2F\x4A\xBE\xA7\xC9\xA7\x10\x1E\xFB\x9F\x50\x69\xF3\x02\x03\x01\x00\x01\xA3\x81\xE6\x30\x81\xE3\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD1\x09\xD0\xE9\xD7\xCE\x79\x74\x54\xF9\x3A\x30\xB3\xF4\x6D\x2C\x03\x03\x1B\x68\x30\x81\xA0\x06\x03\x55\x1D\x20\x04\x81\x98\x30\x81\x95\x30\x81\x92\x06\x04\x55\x1D\x20\x00\x30\x81\x89\x30\x2B\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1F\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x69\x63\x61\x6D\x61\x72\x61\x2E\x63\x6F\x6D\x2F\x64\x70\x63\x2F\x30\x5A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x4E\x1A\x4C\x4C\x69\x6D\x69\x74\x61\x63\x69\x6F\x6E\x65\x73\x20\x64\x65\x20\x67\x61\x72\x61\x6E\x74\xED\x61\x73\x20\x64\x65\x20\x65\x73\x74\x65\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x20\x73\x65\x20\x70\x75\x65\x64\x65\x6E\x20\x65\x6E\x63\x6F\x6E\x74\x72\x61\x72\x20\x65\x6E\x20\x6C\x61\x20\x44\x50\x43\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x5C\x94\xB5\xB8\x45\x91\x4D\x8E\x61\x1F\x03\x28\x0F\x53\x7C\xE6\xA4\x59\xA9\xB3\x8A\x7A\xC5\xB0\xFF\x08\x7C\x2C\xA3\x71\x1C\x21\x13\x67\xA1\x95\x12\x40\x35\x83\x83\x8F\x74\xDB\x33\x5C\xF0\x49\x76\x0A\x81\x52\xDD\x49\xD4\x9A\x32\x33\xEF\x9B\xA7\xCB\x75\xE5\x7A\xCB\x97\x12\x90\x5C\xBA\x7B\xC5\x9B\xDF\xBB\x39\x23\xC8\xFF\x98\xCE\x0A\x4D\x22\x01\x48\x07\x7E\x8A\xC0\xD5\x20\x42\x94\x44\xEF\xBF\x77\xA2\x89\x67\x48\x1B\x40\x03\x05\xA1\x89\xEC\xCF\x62\xE3\x3D\x25\x76\x66\xBF\x26\xB7\xBB\x22\xBE\x6F\xFF\x39\x57\x74\xBA\x7A\xC9\x01\x95\xC1\x95\x51\xE8\xAB\x2C\xF8\xB1\x86\x20\xE9\x3F\xCB\x35\x5B\xD2\x17\xE9\x2A\xFE\x83\x13\x17\x40\xEE\x88\x62\x65\x5B\xD5\x3B\x60\xE9\x7B\x3C\xB8\xC9\xD5\x7F\x36\x02\x25\xAA\x68\xC2\x31\x15\xB7\x30\x65\xEB\x7F\x1D\x48\x79\xB1\xCF\x39\xE2\x42\x80\x16\xD3\xF5\x93\x23\xFC\x4C\x97\xC9\x5A\x37\x6C\x7C\x22\xD8\x4A\xCD\xD2\x8E\x36\x83\x39\x91\x90\x10\xC8\xF1\xC9\x35\x7E\x3F\xB8\xD3\x81\xC6\x20\x64\x1A\xB6\x50\xC2\x21\xA4\x78\xDC\xD0\x2F\x3B\x64\x93\x74\xF0\x96\x90\xF1\xEF\xFB\x09\x5A\x34\x40\x96\xF0\x36\x12\xC1\xA3\x74\x8C\x93\x7E\x41\xDE\x77\x8B\xEC\x86\xD9\xD2\x0F\x3F\x2D\xD1\xCC\x40\xA2\x89\x66\x48\x1E\x20\xB3\x9C\x23\x59\x73\xA9\x44\x73\xBC\x24\x79\x90\x56\x37\xB3\xC6\x29\x7E\xA3\x0F\xF1\x29\x39\xEF\x7E\x5C\x28\x32\x70\x35\xAC\xDA\xB8\xC8\x75\x66\xFC\x9B\x4C\x39\x47\x8E\x1B\x6F\x9B\x4D\x02\x54\x22\x33\xEF\x61\xBA\x9E\x29\x84\xEF\x4E\x4B\x33\x47\x76\x97\x6A\xCB\x7E\x5F\xFD\x15\xA6\x9E\x42\x43\x5B\x66\x5A\x8A\x88\x0D\xF7\x16\xB9\x3F\x51\x65\x2B\x66\x6A\x8B\xD1\x38\x52\xA2\xD6\x46\x11\xFA\xFC\x9A\x1C\x74\x9E\x8F\x97\x0B\x02\x4F\x64\xC6\xF5\x68\xD3\x4B\x2D\xFF\xA4\x37\x1E\x8B\x3F\xBF\x44\xBE\x61\x46\xA1\x84\x3D\x08\x27\x4C\x81\x20\x77\x89\x08\xEA\x67\x40\x5E\x6C\x08\x51\x5F\x34\x5A\x8C\x96\x68\xCD\xD7\xF7\x89\xC2\x1C\xD3\x32\x00\xAF\x52\xCB\xD3\x60\x5B\x2A\x3A\x47\x7E\x6B\x30\x33\xA1\x62\x29\x7F\x4A\xB9\xE1\x2D\xE7\x14\x23\x0E\x0E\x18\x47\xE1\x79\xFC\x15\x55\xD0\xB1\xFC\x25\x71\x63\x75\x33\x1C\x23\x2B\xAF\x5C\xD9\xED\x47\x77\x60\x0E\x3B\x0F\x1E\xD2\xC0\xDC\x64\x05\x89\xFC\x78\xD6\x5C\x2C\x26\x43\xA9",
+	["CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE"] = "\x30\x82\x04\xAA\x30\x82\x03\x92\xA0\x03\x02\x01\x02\x02\x0E\x2E\x6A\x00\x01\x00\x02\x1F\xD7\x52\x21\x2C\x11\x5C\x3B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x76\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x49\x49\x30\x1E\x17\x0D\x30\x36\x30\x31\x31\x32\x31\x34\x33\x38\x34\x33\x5A\x17\x0D\x32\x35\x31\x32\x33\x31\x32\x32\x35\x39\x35\x39\x5A\x30\x76\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x49\x49\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x80\x87\x9B\x8E\xF0\xC3\x7C\x87\xD7\xE8\x24\x82\x11\xB3\x3C\xDD\x43\x62\xEE\xF8\xC3\x45\xDA\xE8\xE1\xA0\x5F\xD1\x2A\xB2\xEA\x93\x68\xDF\xB4\xC8\xD6\x43\xE9\xC4\x75\x59\x7F\xFC\xE1\x1D\xF8\x31\x70\x23\x1B\x88\x9E\x27\xB9\x7B\xFD\x3A\xD2\xC9\xA9\xE9\x14\x2F\x90\xBE\x03\x52\xC1\x49\xCD\xF6\xFD\xE4\x08\x66\x0B\x57\x8A\xA2\x42\xA0\xB8\xD5\x7F\x69\x5C\x90\x32\xB2\x97\x0D\xCA\x4A\xDC\x46\x3E\x02\x55\x89\x53\xE3\x1A\x5A\xCB\x36\xC6\x07\x56\xF7\x8C\xCF\x11\xF4\x4C\xBB\x30\x70\x04\x95\xA5\xF6\x39\x8C\xFD\x73\x81\x08\x7D\x89\x5E\x32\x1E\x22\xA9\x22\x45\x4B\xB0\x66\x2E\x30\xCC\x9F\x65\xFD\xFC\xCB\x81\xA9\xF1\xE0\x3B\xAF\xA3\x86\xD1\x89\xEA\xC4\x45\x79\x50\x5D\xAE\xE9\x21\x74\x92\x4D\x8B\x59\x82\x8F\x94\xE3\xE9\x4A\xF1\xE7\x49\xB0\x14\xE3\xF5\x62\xCB\xD5\x72\xBD\x1F\xB9\xD2\x9F\xA0\xCD\xA8\xFA\x01\xC8\xD9\x0D\xDF\xDA\xFC\x47\x9D\xB3\xC8\x54\xDF\x49\x4A\xF1\x21\xA9\xFE\x18\x4E\xEE\x48\xD4\x19\xBB\xEF\x7D\xE4\xE2\x9D\xCB\x5B\xB6\x6E\xFF\xE3\xCD\x5A\xE7\x74\x82\x05\xBA\x80\x25\x38\xCB\xE4\x69\x9E\xAF\x41\xAA\x1A\x84\xF5\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\xAB\x54\x4C\x80\xA1\xDB\x56\x43\xB7\x91\x4A\xCB\xF3\x82\x7A\x13\x5C\x08\xAB\x30\x81\xED\x06\x03\x55\x1D\x1F\x04\x81\xE5\x30\x81\xE2\x30\x81\xDF\xA0\x81\xDC\xA0\x81\xD9\x86\x35\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x63\x72\x6C\x2F\x76\x32\x2F\x74\x63\x5F\x63\x6C\x61\x73\x73\x5F\x32\x5F\x63\x61\x5F\x49\x49\x2E\x63\x72\x6C\x86\x81\x9F\x6C\x64\x61\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x43\x4E\x3D\x54\x43\x25\x32\x30\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x32\x25\x32\x30\x43\x41\x25\x32\x30\x49\x49\x2C\x4F\x3D\x54\x43\x25\x32\x30\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x25\x32\x30\x47\x6D\x62\x48\x2C\x4F\x55\x3D\x72\x6F\x6F\x74\x63\x65\x72\x74\x73\x2C\x44\x43\x3D\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2C\x44\x43\x3D\x64\x65\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x52\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x4C\x69\x73\x74\x3F\x62\x61\x73\x65\x3F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8C\xD7\xDF\x7E\xEE\x1B\x80\x10\xB3\x83\xF5\xDB\x11\xEA\x6B\x4B\xA8\x92\x18\xD9\xF7\x07\x39\xF5\x2C\xBE\x06\x75\x7A\x68\x53\x15\x1C\xEA\x4A\xED\x5E\xFC\x23\xB2\x13\xA0\xD3\x09\xFF\xF6\xF6\x2E\x6B\x41\x71\x79\xCD\xE2\x6D\xFD\xAE\x59\x6B\x85\x1D\xB8\x4E\x22\x9A\xED\x66\x39\x6E\x4B\x94\xE6\x55\xFC\x0B\x1B\x8B\x77\xC1\x53\x13\x66\x89\xD9\x28\xD6\x8B\xF3\x45\x4A\x63\xB7\xFD\x7B\x0B\x61\x5D\xB8\x6D\xBE\xC3\xDC\x5B\x79\xD2\xED\x86\xE5\xA2\x4D\xBE\x5E\x74\x7C\x6A\xED\x16\x38\x1F\x7F\x58\x81\x5A\x1A\xEB\x32\x88\x2D\xB2\xF3\x39\x77\x80\xAF\x5E\xB6\x61\x75\x29\xDB\x23\x4D\x88\xCA\x50\x28\xCB\x85\xD2\xD3\x10\xA2\x59\x6E\xD3\x93\x54\x00\x7A\xA2\x46\x95\x86\x05\x9C\xA9\x19\x98\xE5\x31\x72\x0C\x00\xE2\x67\xD9\x40\xE0\x24\x33\x7B\x6F\x2C\xB9\x5C\xAB\x65\x9D\x2C\xAC\x76\xEA\x35\x99\xF5\x97\xB9\x0F\x24\xEC\xC7\x76\x21\x28\x65\xAE\x57\xE8\x07\x88\x75\x4A\x56\xA0\xD2\x05\x3A\xA4\xE6\x8D\x92\x88\x2C\xF3\xF2\xE1\xC1\xC6\x61\xDB\x41\xC5\xC7\x9B\xF7\x0E\x1A\x51\x45\xC2\x61\x6B\xDC\x64\x27\x17\x8C\x5A\xB7\xDA\x74\x28\xCD\x97\xE4\xBD",
+	["CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE"] = "\x30\x82\x04\xAA\x30\x82\x03\x92\xA0\x03\x02\x01\x02\x02\x0E\x4A\x47\x00\x01\x00\x02\xE5\xA0\x5D\xD6\x3F\x00\x51\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x76\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x49\x49\x30\x1E\x17\x0D\x30\x36\x30\x31\x31\x32\x31\x34\x34\x31\x35\x37\x5A\x17\x0D\x32\x35\x31\x32\x33\x31\x32\x32\x35\x39\x35\x39\x5A\x30\x76\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x49\x49\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB4\xE0\xBB\x51\xBB\x39\x5C\x8B\x04\xC5\x4C\x79\x1C\x23\x86\x31\x10\x63\x43\x55\x27\x3F\xC6\x45\xC7\xA4\x3D\xEC\x09\x0D\x1A\x1E\x20\xC2\x56\x1E\xDE\x1B\x37\x07\x30\x22\x2F\x6F\xF1\x06\xF1\xAB\xAD\xD6\xC8\xAB\x61\xA3\x2F\x43\xC4\xB0\xB2\x2D\xFC\xC3\x96\x69\x7B\x7E\x8A\xE4\xCC\xC0\x39\x12\x90\x42\x60\xC9\xCC\x35\x68\xEE\xDA\x5F\x90\x56\x5F\xCD\x1C\x4D\x5B\x58\x49\xEB\x0E\x01\x4F\x64\xFA\x2C\x3C\x89\x58\xD8\x2F\x2E\xE2\xB0\x68\xE9\x22\x3B\x75\x89\xD6\x44\x1A\x65\xF2\x1B\x97\x26\x1D\x28\x6D\xAC\xE8\xBD\x59\x1D\x2B\x24\xF6\xD6\x84\x03\x66\x88\x24\x00\x78\x60\xF1\xF8\xAB\xFE\x02\xB2\x6B\xFB\x22\xFB\x35\xE6\x16\xD1\xAD\xF6\x2E\x12\xE4\xFA\x35\x6A\xE5\x19\xB9\x5D\xDB\x3B\x1E\x1A\xFB\xD3\xFF\x15\x14\x08\xD8\x09\x6A\xBA\x45\x9D\x14\x79\x60\x7D\xAF\x40\x8A\x07\x73\xB3\x93\x96\xD3\x74\x34\x8D\x3A\x37\x29\xDE\x5C\xEC\xF5\xEE\x2E\x31\xC2\x20\xDC\xBE\xF1\x4F\x7F\x23\x52\xD9\x5B\xE2\x64\xD9\x9C\xAA\x07\x08\xB5\x45\xBD\xD1\xD0\x31\xC1\xAB\x54\x9F\xA9\xD2\xC3\x62\x60\x03\xF1\xBB\x39\x4A\x92\x4A\x3D\x0A\xB9\x9D\xC5\xA0\xFE\x37\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD4\xA2\xFC\x9F\xB3\xC3\xD8\x03\xD3\x57\x5C\x07\xA4\xD0\x24\xA7\xC0\xF2\x00\xD4\x30\x81\xED\x06\x03\x55\x1D\x1F\x04\x81\xE5\x30\x81\xE2\x30\x81\xDF\xA0\x81\xDC\xA0\x81\xD9\x86\x35\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x63\x72\x6C\x2F\x76\x32\x2F\x74\x63\x5F\x63\x6C\x61\x73\x73\x5F\x33\x5F\x63\x61\x5F\x49\x49\x2E\x63\x72\x6C\x86\x81\x9F\x6C\x64\x61\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2E\x64\x65\x2F\x43\x4E\x3D\x54\x43\x25\x32\x30\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x33\x25\x32\x30\x43\x41\x25\x32\x30\x49\x49\x2C\x4F\x3D\x54\x43\x25\x32\x30\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x25\x32\x30\x47\x6D\x62\x48\x2C\x4F\x55\x3D\x72\x6F\x6F\x74\x63\x65\x72\x74\x73\x2C\x44\x43\x3D\x74\x72\x75\x73\x74\x63\x65\x6E\x74\x65\x72\x2C\x44\x43\x3D\x64\x65\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x52\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x4C\x69\x73\x74\x3F\x62\x61\x73\x65\x3F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x36\x60\xE4\x70\xF7\x06\x20\x43\xD9\x23\x1A\x42\xF2\xF8\xA3\xB2\xB9\x4D\x8A\xB4\xF3\xC2\x9A\x55\x31\x7C\xC4\x3B\x67\x9A\xB4\xDF\x4D\x0E\x8A\x93\x4A\x17\x8B\x1B\x8D\xCA\x89\xE1\xCF\x3A\x1E\xAC\x1D\xF1\x9C\x32\xB4\x8E\x59\x76\xA2\x41\x85\x25\x37\xA0\x13\xD0\xF5\x7C\x4E\xD5\xEA\x96\xE2\x6E\x72\xC1\xBB\x2A\xFE\x6C\x6E\xF8\x91\x98\x46\xFC\xC9\x1B\x57\x5B\xEA\xC8\x1A\x3B\x3F\xB0\x51\x98\x3C\x07\xDA\x2C\x59\x01\xDA\x8B\x44\xE8\xE1\x74\xFD\xA7\x68\xDD\x54\xBA\x83\x46\xEC\xC8\x46\xB5\xF8\xAF\x97\xC0\x3B\x09\x1C\x8F\xCE\x72\x96\x3D\x33\x56\x70\xBC\x96\xCB\xD8\xD5\x7D\x20\x9A\x83\x9F\x1A\xDC\x39\xF1\xC5\x72\xA3\x11\x03\xFD\x3B\x42\x52\x29\xDB\xE8\x01\xF7\x9B\x5E\x8C\xD6\x8D\x86\x4E\x19\xFA\xBC\x1C\xBE\xC5\x21\xA5\x87\x9E\x78\x2E\x36\xDB\x09\x71\xA3\x72\x34\xF8\x6C\xE3\x06\x09\xF2\x5E\x56\xA5\xD3\xDD\x98\xFA\xD4\xE6\x06\xF4\xF0\xB6\x20\x63\x4B\xEA\x29\xBD\xAA\x82\x66\x1E\xFB\x81\xAA\xA7\x37\xAD\x13\x18\xE6\x92\xC3\x81\xC1\x33\xBB\x88\x1E\xA1\xE7\xE2\xB4\xBD\x31\x6C\x0E\x51\x3D\x6F\xFB\x96\x56\x80\xE2\x36\x17\xD1\xDC\xE4",
+	["CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE"] = "\x30\x82\x03\xDD\x30\x82\x02\xC5\xA0\x03\x02\x01\x02\x02\x0E\x1D\xA2\x00\x01\x00\x02\xEC\xB7\x60\x80\x78\x8D\xB6\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x79\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x49\x30\x1E\x17\x0D\x30\x36\x30\x33\x32\x32\x31\x35\x35\x34\x32\x38\x5A\x17\x0D\x32\x35\x31\x32\x33\x31\x32\x32\x35\x39\x35\x39\x5A\x30\x79\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x49\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA4\x77\x23\x96\x44\xAF\x90\xF4\x31\xA7\x10\xF4\x26\x87\x9C\xF3\x38\xD9\x0F\x5E\xDE\xCF\x41\xE8\x31\xAD\xC6\x74\x91\x24\x96\x78\x1E\x09\xA0\x9B\x9A\x95\x4A\x4A\xF5\x62\x7C\x02\xA8\xCA\xAC\xFB\x5A\x04\x76\x39\xDE\x5F\xF1\xF9\xB3\xBF\xF3\x03\x58\x55\xD2\xAA\xB7\xE3\x04\x22\xD1\xF8\x94\xDA\x22\x08\x00\x8D\xD3\x7C\x26\x5D\xCC\x77\x79\xE7\x2C\x78\x39\xA8\x26\x73\x0E\xA2\x5D\x25\x69\x85\x4F\x55\x0E\x9A\xEF\xC6\xB9\x44\xE1\x57\x3D\xDF\x1F\x54\x22\xE5\x6F\x65\xAA\x33\x84\x3A\xF3\xCE\x7A\xBE\x55\x97\xAE\x8D\x12\x0F\x14\x33\xE2\x50\x70\xC3\x49\x87\x13\xBC\x51\xDE\xD7\x98\x12\x5A\xEF\x3A\x83\x33\x92\x06\x75\x8B\x92\x7C\x12\x68\x7B\x70\x6A\x0F\xB5\x9B\xB6\x77\x5B\x48\x59\x9D\xE4\xEF\x5A\xAD\xF3\xC1\x9E\xD4\xD7\x45\x4E\xCA\x56\x34\x21\xBC\x3E\x17\x5B\x6F\x77\x0C\x48\x01\x43\x29\xB0\xDD\x3F\x96\x6E\xE6\x95\xAA\x0C\xC0\x20\xB6\xFD\x3E\x36\x27\x9C\xE3\x5C\xCF\x4E\x81\xDC\x19\xBB\x91\x90\x7D\xEC\xE6\x97\x04\x1E\x93\xCC\x22\x49\xD7\x97\x86\xB6\x13\x0A\x3C\x43\x23\x77\x7E\xF0\xDC\xE6\xCD\x24\x1F\x3B\x83\x9B\x34\x3A\x83\x34\xE3\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x92\xA4\x75\x2C\xA4\x9E\xBE\x81\x44\xEB\x79\xFC\x8A\xC5\x95\xA5\xEB\x10\x75\x73\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x92\xA4\x75\x2C\xA4\x9E\xBE\x81\x44\xEB\x79\xFC\x8A\xC5\x95\xA5\xEB\x10\x75\x73\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x28\xD2\xE0\x86\xD5\xE6\xF8\x7B\xF0\x97\xDC\x22\x6B\x3B\x95\x14\x56\x0F\x11\x30\xA5\x9A\x4F\x3A\xB0\x3A\xE0\x06\xCB\x65\xF5\xED\xC6\x97\x27\xFE\x25\xF2\x57\xE6\x5E\x95\x8C\x3E\x64\x60\x15\x5A\x7F\x2F\x0D\x01\xC5\xB1\x60\xFD\x45\x35\xCF\xF0\xB2\xBF\x06\xD9\xEF\x5A\xBE\xB3\x62\x21\xB4\xD7\xAB\x35\x7C\x53\x3E\xA6\x27\xF1\xA1\x2D\xDA\x1A\x23\x9D\xCC\xDD\xEC\x3C\x2D\x9E\x27\x34\x5D\x0F\xC2\x36\x79\xBC\xC9\x4A\x62\x2D\xED\x6B\xD9\x7D\x41\x43\x7C\xB6\xAA\xCA\xED\x61\xB1\x37\x82\x15\x09\x1A\x8A\x16\x30\xD8\xEC\xC9\xD6\x47\x72\x78\x4B\x10\x46\x14\x8E\x5F\x0E\xAF\xEC\xC7\x2F\xAB\x10\xD7\xB6\xF1\x6E\xEC\x86\xB2\xC2\xE8\x0D\x92\x73\xDC\xA2\xF4\x0F\x3A\xBF\x61\x23\x10\x89\x9C\x48\x40\x6E\x70\x00\xB3\xD3\xBA\x37\x44\x58\x11\x7A\x02\x6A\x88\xF0\x37\x34\xF0\x19\xE9\xAC\xD4\x65\x73\xF6\x69\x8C\x64\x94\x3A\x79\x85\x29\xB0\x16\x2B\x0C\x82\x3F\x06\x9C\xC7\xFD\x10\x2B\x9E\x0F\x2C\xB6\x9E\xE3\x15\xBF\xD9\x36\x1C\xBA\x25\x1A\x52\x3D\x1A\xEC\x22\x0C\x1C\xE0\xA4\xA2\x3D\xF0\xE8\x39\xCF\x81\xC0\x7B\xED\x5D\x1F\x6F\xC5\xD0\x0B\xD7\x98",
+	["CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE"] = "\x30\x82\x03\x9F\x30\x82\x02\x87\xA0\x03\x02\x01\x02\x02\x01\x26\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x32\x31\x31\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x32\x33\x35\x39\x30\x30\x5A\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x0B\xA3\x35\xE0\x8B\x29\x14\xB1\x14\x85\xAF\x3C\x10\xE4\x39\x6F\x35\x5D\x4A\xAE\xDD\xEA\x61\x8D\x95\x49\xF4\x6F\x64\xA3\x1A\x60\x66\xA4\xA9\x40\x22\x84\xD9\xD4\xA5\xE5\x78\x93\x0E\x68\x01\xAD\xB9\x4D\x5C\x3A\xCE\xD3\xB8\xA8\x42\x40\xDF\xCF\xA3\xBA\x82\x59\x6A\x92\x1B\xAC\x1C\x9A\xDA\x08\x2B\x25\x27\xF9\x69\x23\x47\xF1\xE0\xEB\x2C\x7A\x9B\xF5\x13\x02\xD0\x7E\x34\x7C\xC2\x9E\x3C\x00\x59\xAB\xF5\xDA\x0C\xF5\x32\x3C\x2B\xAC\x50\xDA\xD6\xC3\xDE\x83\x94\xCA\xA8\x0C\x99\x32\x0E\x08\x48\x56\x5B\x6A\xFB\xDA\xE1\x58\x58\x01\x49\x5F\x72\x41\x3C\x15\x06\x01\x8E\x5D\xAD\xAA\xB8\x93\xB4\xCD\x9E\xEB\xA7\xE8\x6A\x2D\x52\x34\xDB\x3A\xEF\x5C\x75\x51\xDA\xDB\xF3\x31\xF9\xEE\x71\x98\x32\xC4\x54\x15\x44\x0C\xF9\x9B\x55\xED\xAD\xDF\x18\x08\xA0\xA3\x86\x8A\x49\xEE\x53\x05\x8F\x19\x4C\xD5\xDE\x58\x79\x9B\xD2\x6A\x1C\x42\xAB\xC5\xD5\xA7\xCF\x68\x0F\x96\xE4\xE1\x61\x98\x76\x61\xC8\x91\x7C\xD6\x3E\x00\xE2\x91\x50\x87\xE1\x9D\x0A\xE6\xAD\x97\xD2\x1D\xC6\x3A\x7D\xCB\xBC\xDA\x03\x34\xD5\x8E\x5B\x01\xF5\x6A\x07\xB7\x16\xB6\x6E\x4A\x7F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x31\xC3\x79\x1B\xBA\xF5\x53\xD7\x17\xE0\x89\x7A\x2D\x17\x6C\x0A\xB3\x2B\x9D\x33\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x05\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x94\x64\x59\xAD\x39\x64\xE7\x29\xEB\x13\xFE\x5A\xC3\x8B\x13\x57\xC8\x04\x24\xF0\x74\x77\xC0\x60\xE3\x67\xFB\xE9\x89\xA6\x83\xBF\x96\x82\x7C\x6E\xD4\xC3\x3D\xEF\x9E\x80\x6E\xBB\x29\xB4\x98\x7A\xB1\x3B\x54\xEB\x39\x17\x47\x7E\x1A\x8E\x0B\xFC\x1F\x31\x59\x31\x04\xB2\xCE\x17\xF3\x2C\xC7\x62\x36\x55\xE2\x22\xD8\x89\x55\xB4\x98\x48\xAA\x64\xFA\xD6\x1C\x36\xD8\x44\x78\x5A\x5A\x23\x3A\x57\x97\xF5\x7A\x30\x4F\xAE\x9F\x6A\x4C\x4B\x2B\x8E\xA0\x03\xE3\x3E\xE0\xA9\xD4\xD2\x7B\xD2\xB3\xA8\xE2\x72\x3C\xAD\x9E\xFF\x80\x59\xE4\x9B\x45\xB4\xF6\x3B\xB0\xCD\x39\x19\x98\x32\xE5\xEA\x21\x61\x90\xE4\x31\x21\x8E\x34\xB1\xF7\x2F\x35\x4A\x85\x10\xDA\xE7\x8A\x37\x21\xBE\x59\x63\xE0\xF2\x85\x88\x31\x53\xD4\x54\x14\x85\x70\x79\xF4\x2E\x06\x77\x27\x75\x2F\x1F\xB8\x8A\xF9\xFE\xC5\xBA\xD8\x36\xE4\x83\xEC\xE7\x65\xB7\xBF\x63\x5A\xF3\x46\xAF\x81\x94\x37\xD4\x41\x8C\xD6\x23\xD6\x1E\xCF\xF5\x68\x1B\x44\x63\xA2\x5A\xBA\xA7\x35\x59\xA1\xE5\x70\x05\x9B\x0E\x23\x57\x99\x94\x0A\x6D\xBA\x39\x63\x28\x86\x92\xF3\x18\x84\xD8\xFB\xD1\xCF\x05\x56\x64\x57",
+	["C=IL,O=ComSign,CN=ComSign Secured CA"] = "\x30\x82\x03\xAB\x30\x82\x02\x93\xA0\x03\x02\x01\x02\x02\x11\x00\xC7\x28\x47\x09\xB3\xB8\x6C\x45\x8C\x1D\xFA\x24\xF5\x36\x4E\xE9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3C\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6F\x6D\x53\x69\x67\x6E\x20\x53\x65\x63\x75\x72\x65\x64\x20\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x43\x6F\x6D\x53\x69\x67\x6E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x30\x1E\x17\x0D\x30\x34\x30\x33\x32\x34\x31\x31\x33\x37\x32\x30\x5A\x17\x0D\x32\x39\x30\x33\x31\x36\x31\x35\x30\x34\x35\x36\x5A\x30\x3C\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6F\x6D\x53\x69\x67\x6E\x20\x53\x65\x63\x75\x72\x65\x64\x20\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x43\x6F\x6D\x53\x69\x67\x6E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\xB5\x68\x5F\x1D\x94\x15\xC3\xA4\x08\x55\x2D\xE3\xA0\x57\x7A\xEF\xE9\x74\x2A\xBB\xB9\x7C\x57\x49\x1A\x11\x5E\x4F\x29\x87\x0C\x48\xD6\x6A\xE7\x8F\xD4\x7E\x57\x24\xB9\x06\x89\xE4\x1C\x3C\xEA\xAC\xE3\xDA\x21\x80\x73\x21\x0A\xEF\x79\x98\x6C\x1F\x08\xFF\xA1\x50\x7D\xF2\x98\x1B\xC9\x54\x6F\x3E\xA5\x28\xEC\x21\x04\x0F\x45\xBB\x07\x3D\xA1\xC0\xFA\x2A\x98\x1D\x4E\x06\x93\xFB\xF5\x88\x3B\xAB\x5F\xCB\x16\xBF\xE6\xF3\x9E\x4A\x87\xED\x19\xEA\xC2\x9F\x43\xE4\xF1\x81\xA5\x7F\x10\x4F\x3E\xD1\x4A\x62\xAD\x53\x1B\xCB\x83\xFF\x07\x65\xA5\x92\x2D\x66\xA9\x5B\xB8\x5A\xF4\x1D\xB4\x21\x91\x4A\x17\x7B\x9E\x32\xFE\x56\x24\x39\xB2\x54\x84\x43\xF5\x84\xC2\xD8\xBC\x41\x90\xCC\x9D\xD6\x68\xDA\xE9\x82\x50\xA9\x3B\x68\xCF\xB5\x5D\x02\x94\x60\x16\xB1\x43\xD9\x43\x5D\xDD\x5D\x87\x6E\xEA\xBB\xB3\xC9\x6B\xF6\x03\x94\x09\x70\xDE\x16\x11\x7A\x2B\xE8\x76\x8F\x49\x10\x98\x77\xB9\x63\x5C\x8B\x33\x97\x75\xF6\x0B\x8C\xB2\xAB\x5B\xDE\x74\x20\x25\x3F\xE3\xF3\x11\xF9\x87\x68\x86\x35\x71\xC3\x1D\x8C\x2D\xEB\xE5\x1A\xAC\x0F\x73\xD5\x82\x59\x40\x80\xD3\x02\x03\x01\x00\x01\xA3\x81\xA7\x30\x81\xA4\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x44\x06\x03\x55\x1D\x1F\x04\x3D\x30\x3B\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x66\x65\x64\x69\x72\x2E\x63\x6F\x6D\x73\x69\x67\x6E\x2E\x63\x6F\x2E\x69\x6C\x2F\x63\x72\x6C\x2F\x43\x6F\x6D\x53\x69\x67\x6E\x53\x65\x63\x75\x72\x65\x64\x43\x41\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xC1\x4B\xED\x70\xB6\xF7\x3E\x7C\x00\x3B\x00\x8F\xC7\x3E\x0E\x45\x9F\x1E\x5D\xEC\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC1\x4B\xED\x70\xB6\xF7\x3E\x7C\x00\x3B\x00\x8F\xC7\x3E\x0E\x45\x9F\x1E\x5D\xEC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x16\xCF\xEE\x92\x13\x50\xAB\x7B\x14\x9E\x33\xB6\x42\x20\x6A\xD4\x15\xBD\x09\xAB\xFC\x72\xE8\xEF\x47\x7A\x90\xAC\x51\xC1\x64\x4E\xE9\x88\xBD\x43\x45\x81\xE3\x66\x23\x3F\x12\x86\x4D\x19\xE4\x05\xB0\xE6\x37\xC2\x8D\xDA\x06\x28\xC9\x0F\x89\xA4\x53\xA9\x75\x3F\xB0\x96\xFB\xAB\x4C\x33\x55\xF9\x78\x26\x46\x6F\x1B\x36\x98\xFB\x42\x76\xC1\x82\xB9\x8E\xDE\xFB\x45\xF9\x63\x1B\x62\x3B\x39\x06\xCA\x77\x7A\xA8\x3C\x09\xCF\x6C\x36\x3D\x0F\x0A\x45\x4B\x69\x16\x1A\x45\x7D\x33\x03\x65\xF9\x52\x71\x90\x26\x95\xAC\x4C\x0C\xF5\x8B\x93\x3F\xCC\x75\x74\x85\x98\xBA\xFF\x62\x7A\x4D\x1F\x89\xFE\xAE\xBD\x94\x00\x99\xBF\x11\xA5\xDC\xE0\x79\xC5\x16\x0B\x7D\x02\x61\x1D\xEA\x85\xF9\x02\x15\x4F\xE7\x5A\x89\x4E\x14\x6F\xE3\x37\x4B\x85\xF5\xC1\x3C\x61\xE0\xFD\x05\x41\xB2\x92\x7F\xC3\x1D\xA0\xD0\xAE\x52\x64\x60\x6B\x18\xC6\x26\x9C\xD8\xF5\x64\xE4\x36\x1A\x62\x9F\x8A\x0F\x3E\xFF\x6D\x4E\x19\x56\x4E\x20\x91\x6C\x9F\x34\x33\x3A\x34\x57\x50\x3A\x6F\x81\x5E\x06\xC6\xF5\x3E\x7C\x4E\x8E\x2B\xCE\x65\x06\x2E\x5D\xD2\x2A\x53\x74\x5E\xD3\x6E\x27\x9E\x8F",
+	["CN=Cybertrust Global Root,O=Cybertrust\, Inc"] = "\x30\x82\x03\xA1\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x0F\x85\xAA\x2D\x48\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x36\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x17\x0D\x32\x31\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xF8\xC8\xBC\xBD\x14\x50\x66\x13\xFF\xF0\xD3\x79\xEC\x23\xF2\xB7\x1A\xC7\x8E\x85\xF1\x12\x73\xA6\x19\xAA\x10\xDB\x9C\xA2\x65\x74\x5A\x77\x3E\x51\x7D\x56\xF6\xDC\x23\xB6\xD4\xED\x5F\x58\xB1\x37\x4D\xD5\x49\x0E\x6E\xF5\x6A\x87\xD6\xD2\x8C\xD2\x27\xC6\xE2\xFF\x36\x9F\x98\x65\xA0\x13\x4E\xC6\x2A\x64\x9B\xD5\x90\x12\xCF\x14\x06\xF4\x3B\xE3\xD4\x28\xBE\xE8\x0E\xF8\xAB\x4E\x48\x94\x6D\x8E\x95\x31\x10\x5C\xED\xA2\x2D\xBD\xD5\x3A\x6D\xB2\x1C\xBB\x60\xC0\x46\x4B\x01\xF5\x49\xAE\x7E\x46\x8A\xD0\x74\x8D\xA1\x0C\x02\xCE\xEE\xFC\xE7\x8F\xB8\x6B\x66\xF3\x7F\x44\x00\xBF\x66\x25\x14\x2B\xDD\x10\x30\x1D\x07\x96\x3F\x4D\xF6\x6B\xB8\x8F\xB7\x7B\x0C\xA5\x38\xEB\xDE\x47\xDB\xD5\x5D\x39\xFC\x88\xA7\xF3\xD7\x2A\x74\xF1\xE8\x5A\xA2\x3B\x9F\x50\xBA\xA6\x8C\x45\x35\xC2\x50\x65\x95\xDC\x63\x82\xEF\xDD\xBF\x77\x4D\x9C\x62\xC9\x63\x73\x16\xD0\x29\x0F\x49\xA9\x48\xF0\xB3\xAA\xB7\x6C\xC5\xA7\x30\x39\x40\x5D\xAE\xC4\xE2\x5D\x26\x53\xF0\xCE\x1C\x23\x08\x61\xA8\x94\x19\xBA\x04\x62\x40\xEC\x1F\x38\x70\x77\x12\x06\x71\xA7\x30\x18\x5D\x25\x27\xA5\x02\x03\x01\x00\x01\xA3\x81\xA5\x30\x81\xA2\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x32\x2E\x70\x75\x62\x6C\x69\x63\x2D\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x72\x6C\x2F\x63\x74\x2F\x63\x74\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x56\xEF\x0A\x23\xA0\x54\x4E\x95\x97\xC9\xF8\x89\xDA\x45\xC1\xD4\xA3\x00\x25\xF4\x1F\x13\xAB\xB7\xA3\x85\x58\x69\xC2\x30\xAD\xD8\x15\x8A\x2D\xE3\xC9\xCD\x81\x5A\xF8\x73\x23\x5A\xA7\x7C\x05\xF3\xFD\x22\x3B\x0E\xD1\x06\xC4\xDB\x36\x4C\x73\x04\x8E\xE5\xB0\x22\xE4\xC5\xF3\x2E\xA5\xD9\x23\xE3\xB8\x4E\x4A\x20\xA7\x6E\x02\x24\x9F\x22\x60\x67\x7B\x8B\x1D\x72\x09\xC5\x31\x5C\xE9\x79\x9F\x80\x47\x3D\xAD\xA1\x0B\x07\x14\x3D\x47\xFF\x03\x69\x1A\x0C\x0B\x44\xE7\x63\x25\xA7\x7F\xB2\xC9\xB8\x76\x84\xED\x23\xF6\x7D\x07\xAB\x45\x7E\xD3\xDF\xB3\xBF\xE9\x8A\xB6\xCD\xA8\xA2\x67\x2B\x52\xD5\xB7\x65\xF0\x39\x4C\x63\xA0\x91\x79\x93\x52\x0F\x54\xDD\x83\xBB\x9F\xD1\x8F\xA7\x53\x73\xC3\xCB\xFF\x30\xEC\x7C\x04\xB8\xD8\x44\x1F\x93\x5F\x71\x09\x22\xB7\x6E\x3E\xEA\x1C\x03\x4E\x9D\x1A\x20\x61\xFB\x81\x37\xEC\x5E\xFC\x0A\x45\xAB\xD7\xE7\x17\x55\xD0\xA0\xEA\x60\x9B\xA6\xF6\xE3\x8C\x5B\x29\xC2\x06\x60\x14\x9D\x2D\x97\x4C\xA9\x93\x15\x9D\x61\xC4\x01\x5F\x48\xD6\x58\xBD\x56\x31\x12\x4E\x11\xC8\x21\xE0\xB3\x11\x91\x65\xDB\xB4\xA6\x88\x38\xCE\x55",
+	["OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\, Ltd.,C=TW"] = "\x30\x82\x05\xB0\x30\x82\x03\x98\xA0\x03\x02\x01\x02\x02\x10\x15\xC8\xBD\x65\x47\x5C\xAF\xB8\x97\x00\x5E\xE4\x06\xD2\xBC\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x17\x0D\x33\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE1\x25\x0F\xEE\x8D\xDB\x88\x33\x75\x67\xCD\xAD\x1F\x7D\x3A\x4E\x6D\x9D\xD3\x2F\x14\xF3\x63\x74\xCB\x01\x21\x6A\x37\xEA\x84\x50\x07\x4B\x26\x5B\x09\x43\x6C\x21\x9E\x6A\xC8\xD5\x03\xF5\x60\x69\x8F\xCC\xF0\x22\xE4\x1F\xE7\xF7\x6A\x22\x31\xB7\x2C\x15\xF2\xE0\xFE\x00\x6A\x43\xFF\x87\x65\xC6\xB5\x1A\xC1\xA7\x4C\x6D\x22\x70\x21\x8A\x31\xF2\x97\x74\x89\x09\x12\x26\x1C\x9E\xCA\xD9\x12\xA2\x95\x3C\xDA\xE9\x67\xBF\x08\xA0\x64\xE3\xD6\x42\xB7\x45\xEF\x97\xF4\xF6\xF5\xD7\xB5\x4A\x15\x02\x58\x7D\x98\x58\x4B\x60\xBC\xCD\xD7\x0D\x9A\x13\x33\x53\xD1\x61\xF9\x7A\xD5\xD7\x78\xB3\x9A\x33\xF7\x00\x86\xCE\x1D\x4D\x94\x38\xAF\xA8\xEC\x78\x51\x70\x8A\x5C\x10\x83\x51\x21\xF7\x11\x3D\x34\x86\x5E\xE5\x48\xCD\x97\x81\x82\x35\x4C\x19\xEC\x65\xF6\x6B\xC5\x05\xA1\xEE\x47\x13\xD6\xB3\x21\x27\x94\x10\x0A\xD9\x24\x3B\xBA\xBE\x44\x13\x46\x30\x3F\x97\x3C\xD8\xD7\xD7\x6A\xEE\x3B\x38\xE3\x2B\xD4\x97\x0E\xB9\x1B\xE7\x07\x49\x7F\x37\x2A\xF9\x77\x78\xCF\x54\xED\x5B\x46\x9D\xA3\x80\x0E\x91\x43\xC1\xD6\x5B\x5F\x14\xBA\x9F\xA6\x8D\x24\x47\x40\x59\xBF\x72\x38\xB2\x36\x6C\x37\xFF\x99\xD1\x5D\x0E\x59\x0A\xAB\x69\xF7\xC0\xB2\x04\x45\x7A\x54\x00\xAE\xBE\x53\xF6\xB5\xE7\xE1\xF8\x3C\xA3\x31\xD2\xA9\xFE\x21\x52\x64\xC5\xA6\x67\xF0\x75\x07\x06\x94\x14\x81\x55\xC6\x27\xE4\x01\x8F\x17\xC1\x6A\x71\xD7\xBE\x4B\xFB\x94\x58\x7D\x7E\x11\x33\xB1\x42\xF7\x62\x6C\x18\xD6\xCF\x09\x68\x3E\x7F\x6C\xF6\x1E\x8F\x62\xAD\xA5\x63\xDB\x09\xA7\x1F\x22\x42\x41\x1E\x6F\x99\x8A\x3E\xD7\xF9\x3F\x40\x7A\x79\xB0\xA5\x01\x92\xD2\x9D\x3D\x08\x15\xA5\x10\x01\x2D\xB3\x32\x76\xA8\x95\x0D\xB3\x7A\x9A\xFB\x07\x10\x78\x11\x6F\xE1\x8F\xC7\xBA\x0F\x25\x1A\x74\x2A\xE5\x1C\x98\x41\x99\xDF\x21\x87\xE8\x95\x06\x6A\x0A\xB3\x6A\x47\x76\x65\xF6\x3A\xCF\x8F\x62\x17\x19\x7B\x0A\x28\xCD\x1A\xD2\x83\x1E\x21\xC7\x2C\xBF\xBE\xFF\x61\x68\xB7\x67\x1B\xBB\x78\x4D\x8D\xCE\x67\xE5\xE4\xC1\x8E\xB7\x23\x66\xE2\x9D\x90\x75\x34\x98\xA9\x36\x2B\x8A\x9A\x94\xB9\x9D\xEC\xCC\x8A\xB1\xF8\x25\x89\x5C\x5A\xB6\x2F\x8C\x1F\x6D\x79\x24\xA7\x52\x68\xC3\x84\x35\xE2\x66\x8D\x63\x0E\x25\x4D\xD5\x19\xB2\xE6\x79\x37\xA7\x22\x9D\x54\x31\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1E\x0C\xF7\xB6\x67\xF2\xE1\x92\x26\x09\x45\xC0\x55\x39\x2E\x77\x3F\x42\x4A\xA2\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x45\xB0\xC2\xC7\x0A\x56\x7C\xEE\x5B\x78\x0C\x95\xF9\x18\x53\xC1\xA6\x1C\xD8\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x09\xB3\x83\x53\x59\x01\x3E\x95\x49\xB9\xF1\x81\xBA\xF9\x76\x20\x23\xB5\x27\x60\x74\xD4\x6A\x99\x34\x5E\x6C\x00\x53\xD9\x9F\xF2\xA6\xB1\x24\x07\x44\x6A\x2A\xC6\xA5\x8E\x78\x12\xE8\x47\xD9\x58\x1B\x13\x2A\x5E\x79\x9B\x9F\x0A\x2A\x67\xA6\x25\x3F\x06\x69\x56\x73\xC3\x8A\x66\x48\xFB\x29\x81\x57\x74\x06\xCA\x9C\xEA\x28\xE8\x38\x67\x26\x2B\xF1\xD5\xB5\x3F\x65\x93\xF8\x36\x5D\x8E\x8D\x8D\x40\x20\x87\x19\xEA\xEF\x27\xC0\x3D\xB4\x39\x0F\x25\x7B\x68\x50\x74\x55\x9C\x0C\x59\x7D\x5A\x3D\x41\x94\x25\x52\x08\xE0\x47\x2C\x15\x31\x19\xD5\xBF\x07\x55\xC6\xBB\x12\xB5\x97\xF4\x5F\x83\x85\xBA\x71\xC1\xD9\x6C\x81\x11\x76\x0A\x0A\xB0\xBF\x82\x97\xF7\xEA\x3D\xFA\xFA\xEC\x2D\xA9\x28\x94\x3B\x56\xDD\xD2\x51\x2E\xAE\xC0\xBD\x08\x15\x8C\x77\x52\x34\x96\xD6\x9B\xAC\xD3\x1D\x8E\x61\x0F\x35\x7B\x9B\xAE\x39\x69\x0B\x62\x60\x40\x20\x36\x8F\xAF\xFB\x36\xEE\x2D\x08\x4A\x1D\xB8\xBF\x9B\x5C\xF8\xEA\xA5\x1B\xA0\x73\xA6\xD8\xF8\x6E\xE0\x33\x04\x5F\x68\xAA\x27\x87\xED\xD9\xC1\x90\x9C\xED\xBD\xE3\x6A\x35\xAF\x63\xDF\xAB\x18\xD9\xBA\xE6\xE9\x4A\xEA\x50\x8A\x0F\x61\x93\x1E\xE2\x2D\x19\xE2\x30\x94\x35\x92\x5D\x0E\xB6\x07\xAF\x19\x80\x8F\x47\x90\x51\x4B\x2E\x4D\xDD\x85\xE2\xD2\x0A\x52\x0A\x17\x9A\xFC\x1A\xB0\x50\x02\xE5\x01\xA3\x63\x37\x21\x4C\x44\xC4\x9B\x51\x99\x11\x0E\x73\x9C\x06\x8F\x54\x2E\xA7\x28\x5E\x44\x39\x87\x56\x2D\x37\xBD\x85\x44\x94\xE1\x0C\x4B\x2C\x9C\xC3\x92\x85\x34\x61\xCB\x0F\xB8\x9B\x4A\x43\x52\xFE\x34\x3A\x7D\xB8\xE9\x29\xDC\x76\xA9\xC8\x30\xF8\x14\x71\x80\xC6\x1E\x36\x48\x74\x22\x41\x5C\x87\x82\xE8\x18\x71\x8B\x41\x89\x44\xE7\x7E\x58\x5B\xA8\xB8\x8D\x13\xE9\xA7\x6C\xC3\x47\xED\xB3\x1A\x9D\x62\xAE\x8D\x82\xEA\x94\x9E\xDD\x59\x10\xC3\xAD\xDD\xE2\x4D\xE3\x31\xD5\xC7\xEC\xE8\xF2\xB0\xFE\x92\x1E\x16\x0A\x1A\xFC\xD9\xF3\xF8\x27\xB6\xC9\xBE\x1D\xB4\x6C\x64\x90\x7F\xF4\xE4\xC4\x5B\xD7\x37\xAE\x42\x0E\xDD\xA4\x1A\x6F\x7C\x88\x54\xC5\x16\x6E\xE1\x7A\x68\x2E\xF8\x3A\xBF\x0D\xA4\x3C\x89\x3B\x78\xA7\x4E\x63\x83\x04\x21\x08\x67\x8D\xF2\x82\x49\xD0\x5B\xFD\xB1\xCD\x0F\x83\x84\xD4\x3E\x20\x85\xF7\x4A\x3D\x2B\x9C\xFD\x2A\x0A\x09\x4D\xEA\x81\xF8\x11\x9C",
+	["CN=T\C3\9CB\C4\B0TAK UEKAE K\C3\B6k Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 - S\C3\BCr\C3\BCm 3,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara\C5\9Ft\C4\B1rma Enstit\C3\BCs\C3\BC - UEKAE,O=T\C3\BCrkiye Bilimsel ve Teknolojik Ara\C5\9Ft\C4\B1rma Kurumu - T\C3\9CB\C4\B0TAK,L=Gebze - Kocaeli,C=TR"] = "\x30\x82\x05\x17\x30\x82\x03\xFF\xA0\x03\x02\x01\x02\x02\x01\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x1E\x17\x0D\x30\x37\x30\x38\x32\x34\x31\x31\x33\x37\x30\x37\x5A\x17\x0D\x31\x37\x30\x38\x32\x31\x31\x31\x33\x37\x30\x37\x5A\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8A\x6D\x4B\xFF\x10\x88\x3A\xC3\xF6\x7E\x94\xE8\xEA\x20\x64\x70\xAE\x21\x81\xBE\x3A\x7B\x3C\xDB\xF1\x1D\x52\x7F\x59\xFA\xF3\x22\x4C\x95\xA0\x90\xBC\x48\x4E\x11\xAB\xFB\xB7\xB5\x8D\x7A\x83\x28\x8C\x26\x46\xD8\x4E\x95\x40\x87\x61\x9F\xC5\x9E\x6D\x81\x87\x57\x6C\x8A\x3B\xB4\x66\xEA\xCC\x40\xFC\xE3\xAA\x6C\xB2\xCB\x01\xDB\x32\xBF\xD2\xEB\x85\xCF\xA1\x0D\x55\xC3\x5B\x38\x57\x70\xB8\x75\xC6\x79\xD1\x14\x30\xED\x1B\x58\x5B\x6B\xEF\x35\xF2\xA1\x21\x4E\xC5\xCE\x7C\x99\x5F\x6C\xB9\xB8\x22\x93\x50\xA7\xCD\x4C\x70\x6A\xBE\x6A\x05\x7F\x13\x9C\x2B\x1E\xEA\xFE\x47\xCE\x04\xA5\x6F\xAC\x93\x2E\x7C\x2B\x9F\x9E\x79\x13\x91\xE8\xEA\x9E\xCA\x38\x75\x8E\x62\xB0\x95\x93\x2A\xE5\xDF\xE9\x5E\x97\x6E\x20\x5F\x5F\x84\x7A\x44\x39\x19\x40\x1C\xBA\x55\x2B\xFB\x30\xB2\x81\xEF\x84\xE3\xDC\xEC\x98\x38\x39\x03\x85\x08\xA9\x54\x03\x05\x29\xF0\xC9\x8F\x8B\xEA\x0B\x86\x65\x19\x11\xD3\xE9\x09\x23\xDE\x68\x93\x03\xC9\x36\x1C\x21\x6E\xCE\x8C\x66\xF1\x99\x30\xD8\xD7\xB3\xC3\x1D\xF8\x81\x2E\xA8\xBD\x82\x0B\x66\xFE\x82\xCB\xE1\xE0\x1A\x82\xC3\x40\x81\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBD\x88\x87\xC9\x8F\xF6\xA4\x0A\x0B\xAA\xEB\xC5\xFE\x91\x23\x9D\xAB\x4A\x8A\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1D\x7C\xFA\x49\x8F\x34\xE9\xB7\x26\x92\x16\x9A\x05\x74\xE7\x4B\xD0\x6D\x39\x6C\xC3\x26\xF6\xCE\xB8\x31\xBC\xC4\xDF\xBC\x2A\xF8\x37\x91\x18\xDC\x04\xC8\x64\x99\x2B\x18\x6D\x80\x03\x59\xC9\xAE\xF8\x58\xD0\x3E\xED\xC3\x23\x9F\x69\x3C\x86\x38\x1C\x9E\xEF\xDA\x27\x78\xD1\x84\x37\x71\x8A\x3C\x4B\x39\xCF\x7E\x45\x06\xD6\x2D\xD8\x8A\x4D\x78\x12\xD6\xAD\xC2\xD3\xCB\xD2\xD0\x41\xF3\x26\x36\x4A\x9B\x95\x6C\x0C\xEE\xE5\xD1\x43\x27\x66\xC1\x88\xF7\x7A\xB3\x20\x6C\xEA\xB0\x69\x2B\xC7\x20\xE8\x0C\x03\xC4\x41\x05\x99\xE2\x3F\xE4\x6B\xF8\xA0\x86\x81\xC7\x84\xC6\x1F\xD5\x4B\x81\x12\xB2\x16\x21\x2C\x13\xA1\x80\xB2\x5E\x0C\x4A\x13\x9E\x20\xD8\x62\x40\xAB\x90\xEA\x64\x4A\x2F\xAC\x0D\x01\x12\x79\x45\xA8\x2F\x87\x19\x68\xC8\xE2\x85\xC7\x30\xB2\x75\xF9\x38\x3F\xB2\xC0\x93\xB4\x6B\xE2\x03\x44\xCE\x67\xA0\xDF\x89\xD6\xAD\x8C\x76\xA3\x13\xC3\x94\x61\x2B\x6B\xD9\x6C\xC1\x07\x0A\x22\x07\x85\x6C\x85\x24\x46\xA9\xBE\x3F\x8B\x78\x84\x82\x7E\x24\x0C\x9D\xFD\x81\x37\xE3\x25\xA8\xED\x36\x4E\x95\x2C\xC9\x9C\x90\xDA\xEC\xA9\x42\x3C\xAD\xB6\x02",
+	["CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO"] = "\x30\x82\x03\x53\x30\x82\x02\x3B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x17\x0D\x31\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8B\x3C\x07\x45\xD8\xF6\xDF\xE6\xC7\xCA\xBA\x8D\x43\xC5\x47\x8D\xB0\x5A\xC1\x38\xDB\x92\x84\x1C\xAF\x13\xD4\x0F\x6F\x36\x46\x20\xC4\x2E\xCC\x71\x70\x34\xA2\x34\xD3\x37\x2E\xD8\xDD\x3A\x77\x2F\xC0\xEB\x29\xE8\x5C\xD2\xB5\xA9\x91\x34\x87\x22\x59\xFE\xCC\xDB\xE7\x99\xAF\x96\xC1\xA8\xC7\x40\xDD\xA5\x15\x8C\x6E\xC8\x7C\x97\x03\xCB\xE6\x20\xF2\xD7\x97\x5F\x31\xA1\x2F\x37\xD2\xBE\xEE\xBE\xA9\xAD\xA8\x4C\x9E\x21\x66\x43\x3B\xA8\xBC\xF3\x09\xA3\x38\xD5\x59\x24\xC1\xC2\x47\x76\xB1\x88\x5C\x82\x3B\xBB\x2B\xA6\x04\xD7\x8C\x07\x8F\xCD\xD5\x41\x1D\xF0\xAE\xB8\x29\x2C\x94\x52\x60\x34\x94\x3B\xDA\xE0\x38\xD1\x9D\x33\x3E\x15\xF4\x93\x32\xC5\x00\xDA\xB5\x29\x66\x0E\x3A\x78\x0F\x21\x52\x5F\x02\xE5\x92\x7B\x25\xD3\x92\x1E\x2F\x15\x9D\x81\xE4\x9D\x8E\xE8\xEF\x89\xCE\x14\x4C\x54\x1D\x1C\x81\x12\x4D\x70\xA8\xBE\x10\x05\x17\x7E\x1F\xD1\xB8\x57\x55\xED\xCD\xBB\x52\xC2\xB0\x1E\x78\xC2\x4D\x36\x68\xCB\x56\x26\xC1\x52\xC1\xBD\x76\xF7\x58\xD5\x72\x7E\x1F\x44\x76\xBB\x00\x89\x1D\x16\x9D\x51\x35\xEF\x4D\xC2\x56\xEF\x6B\xE0\x8C\x3B\x0D\xE9\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3F\x8D\x9A\x59\x8B\xFC\x7B\x7B\x9C\xA3\xAF\x38\xB0\x39\xED\x90\x71\x80\xD6\xC8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x15\x1A\x7E\x13\x8A\xB9\xE8\x07\xA3\x4B\x27\x32\xB2\x40\x91\xF2\x21\xD1\x64\x85\xBE\x63\x6A\xD2\xCF\x81\xC2\x15\xD5\x7A\x7E\x0C\x29\xAC\x37\x1E\x1C\x7C\x76\x52\x95\xDA\xB5\x7F\x23\xA1\x29\x77\x65\xC9\x32\x9D\xA8\x2E\x56\xAB\x60\x76\xCE\x16\xB4\x8D\x7F\x78\xC0\xD5\x99\x51\x83\x7F\x5E\xD9\xBE\x0C\xA8\x50\xED\x22\xC7\xAD\x05\x4C\x76\xFB\xED\xEE\x1E\x47\x64\xF6\xF7\x27\x7D\x5C\x28\x0F\x45\xC5\x5C\x62\x5E\xA6\x9A\x91\x91\xB7\x53\x17\x2E\xDC\xAD\x60\x9D\x96\x64\x39\xBD\x67\x68\xB2\xAE\x05\xCB\x4D\xE7\x5F\x1F\x57\x86\xD5\x20\x9C\x28\xFB\x6F\x13\x38\xF5\xF6\x11\x92\xF6\x7D\x99\x5E\x1F\x0C\xE8\xAB\x44\x24\x29\x72\x40\x3D\x36\x52\xAF\x8C\x58\x90\x73\xC1\xEC\x61\x2C\x79\xA1\xEC\x87\xB5\x3F\xDA\x4D\xD9\x21\x00\x30\xDE\x90\xDA\x0E\xD3\x1A\x48\xA9\x3E\x85\x0B\x14\x8B\x8C\xBC\x41\x9E\x6A\xF7\x0E\x70\xC0\x35\xF7\x39\xA2\x5D\x66\xD0\x7B\x59\x9F\xA8\x47\x12\x9A\x27\x23\xA4\x2D\x8E\x27\x83\x92\x20\xA1\xD7\x15\x7F\xF1\x2E\x18\xEE\xF4\x48\x7F\x2F\x7F\xF1\xA1\x18\xB5\xA1\x0B\x94\xA0\x62\x20\x32\x9C\x1D\xF6\xD4\xEF\xBF\x4C\x88\x68",
+	["CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO"] = "\x30\x82\x03\x53\x30\x82\x02\x3B\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x35\x30\x35\x30\x39\x31\x34\x31\x33\x30\x33\x5A\x17\x0D\x31\x35\x30\x35\x30\x39\x31\x34\x31\x33\x30\x33\x5A\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA4\x8E\xD7\x74\xD9\x29\x64\xDE\x5F\x1F\x87\x80\x91\xEA\x4E\x39\xE6\x19\xC6\x44\x0B\x80\xD5\x0B\xAF\x53\x07\x8B\x12\xBD\xE6\x67\xF0\x02\xB1\x89\xF6\x60\x8A\xC4\x5B\xB0\x42\xD1\xC0\x21\xA8\xCB\xE1\x9B\xEF\x64\x51\xB6\xA7\xCF\x15\xF5\x74\x80\x68\x04\x90\xA0\x58\xA2\xE6\x74\xA6\x53\x53\x55\x48\x63\x3F\x92\x56\xDD\x24\x4E\x8E\xF8\xBA\x2B\xFF\xF3\x34\x8A\x9E\x28\xD7\x34\x9F\xAC\x2F\xD6\x0F\xF1\xA4\x2F\xBD\x52\xB2\x49\x85\x6D\x39\x35\xF0\x44\x30\x93\x46\x24\xF3\xB6\xE7\x53\xFB\xBC\x61\xAF\xA9\xA3\x14\xFB\xC2\x17\x17\x84\x6C\xE0\x7C\x88\xF8\xC9\x1C\x57\x2C\xF0\x3D\x7E\x94\xBC\x25\x93\x84\xE8\x9A\x00\x9A\x45\x05\x42\x57\x80\xF4\x4E\xCE\xD9\xAE\x39\xF6\xC8\x53\x10\x0C\x65\x3A\x47\x7B\x60\xC2\xD6\xFA\x91\xC9\xC6\x71\x6C\xBD\x91\x87\x3C\x91\x86\x49\xAB\xF3\x0F\xA0\x6C\x26\x76\x5E\x1C\xAC\x9B\x71\xE5\x8D\xBC\x9B\x21\x1E\x9C\xD6\x38\x7E\x24\x80\x15\x31\x82\x96\xB1\x49\xD3\x62\x37\x5B\x88\x0C\x0A\x62\x34\xFE\xA7\x48\x7E\x99\xB1\x30\x8B\x90\x37\x95\x1C\xA8\x1F\xA5\x2C\x8D\xF4\x55\xC8\xDB\xDD\x59\x0A\xC2\xAD\x78\xA0\xF4\x8B\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x38\x14\xE6\xC8\xF0\xA9\xA4\x03\xF4\x4E\x3E\x22\xA3\x5B\xF2\xD6\xE0\xAD\x40\x74\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x01\x67\xA3\x8C\xC9\x25\x3D\x13\x63\x5D\x16\x6F\xEC\xA1\x3E\x09\x5C\x91\x15\x2A\x2A\xD9\x80\x21\x4F\x05\xDC\xBB\xA5\x89\xAB\x13\x33\x2A\x9E\x38\xB7\x8C\x6F\x02\x72\x63\xC7\x73\x77\x1E\x09\x06\xBA\x3B\x28\x7B\xA4\x47\xC9\x61\x6B\x08\x08\x20\xFC\x8A\x05\x8A\x1F\xBC\xBA\xC6\xC2\xFE\xCF\x6E\xEC\x13\x33\x71\x67\x2E\x69\xFA\xA9\x2C\x3F\x66\xC0\x12\x59\x4D\x0B\x54\x02\x92\x84\xBB\xDB\x12\xEF\x83\x70\x70\x78\xC8\x53\xFA\xDF\xC6\xC6\xFF\xDC\x88\x2F\x07\xC0\x49\x9D\x32\x57\x60\xD3\xF2\xF6\x99\x29\x5F\xE7\xAA\x01\xCC\xAC\x33\xA8\x1C\x0A\xBB\x91\xC4\x03\xA0\x6F\xB6\x34\xF9\x86\xD3\xB3\x76\x54\x98\xF4\x4A\x81\xB3\x53\x9D\x4D\x40\xEC\xE5\x77\x13\x45\xAF\x5B\xAA\x1F\xD8\x2F\x4C\x82\x7B\xFE\x2A\xC4\x58\xBB\x4F\xFC\x9E\xFD\x03\x65\x1A\x2A\x0E\xC3\xA5\x20\x16\x94\x6B\x79\xA6\xA2\x12\xB4\xBB\x1A\xA4\x23\x7A\x5F\xF0\xAE\x84\x24\xE4\xF3\x2B\xFB\x8A\x24\xA3\x27\x98\x65\xDA\x30\x75\x76\xFC\x19\x91\xE8\xDB\xEB\x9B\x3F\x32\xBF\x40\x97\x07\x26\xBA\xCC\xF3\x94\x85\x4A\x7A\x27\x93\xCF\x90\x42\xD4\xB8\x5B\x16\xA6\xE7\xCB\x40\x03\xDD\x79",
+	["C=TR,O=EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E.,CN=EBG Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = "\x30\x82\x05\xE7\x30\x82\x03\xCF\xA0\x03\x02\x01\x02\x02\x08\x4C\xAF\x73\x42\x1C\x8E\x74\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x1E\x17\x0D\x30\x36\x30\x38\x31\x37\x30\x30\x32\x31\x30\x39\x5A\x17\x0D\x31\x36\x30\x38\x31\x34\x30\x30\x33\x31\x30\x39\x5A\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xEE\xA0\x84\x61\xD0\x3A\x6A\x66\x10\x32\xD8\x31\x38\x7F\xA7\xA7\xE5\xFD\xA1\xE1\xFB\x97\x77\xB8\x71\x96\xE8\x13\x96\x46\x83\x4F\xB6\xF2\x5F\x72\x56\x6E\x13\x60\xA5\x01\x91\xE2\x5B\xC5\xCD\x57\x1F\x77\x63\x51\xFF\x2F\x3D\xDB\xB9\x3F\xAA\xA9\x35\xE7\x79\xD0\xF5\xD0\x24\xB6\x21\xEA\xEB\x23\x94\xFE\x29\xBF\xFB\x89\x91\x0C\x64\x9A\x05\x4A\x2B\xCC\x0C\xEE\xF1\x3D\x9B\x82\x69\xA4\x4C\xF8\x9A\x6F\xE7\x22\xDA\x10\xBA\x5F\x92\xFC\x18\x27\x0A\xA8\xAA\x44\xFA\x2E\x2C\xB4\xFB\x46\x9A\x08\x03\x83\x72\xAB\x88\xE4\x6A\x72\xC9\xE5\x65\x1F\x6E\x2A\x0F\x9D\xB3\xE8\x3B\xE4\x0C\x6E\x7A\xDA\x57\xFD\xD7\xEB\x79\x8B\x5E\x20\x06\xD3\x76\x0B\x6C\x02\x95\xA3\x96\xE4\xCB\x76\x51\xD1\x28\x9D\xA1\x1A\xFC\x44\xA2\x4D\xCC\x7A\x76\xA8\x0D\x3D\xBF\x17\x4F\x22\x88\x50\xFD\xAE\xB6\xEC\x90\x50\x4A\x5B\x9F\x95\x41\xAA\xCA\x0F\xB2\x4A\xFE\x80\x99\x4E\xA3\x46\x15\xAB\xF8\x73\x42\x6A\xC2\x66\x76\xB1\x0A\x26\x15\xDD\x93\x92\xEC\xDB\xA9\x5F\x54\x22\x52\x91\x70\x5D\x13\xEA\x48\xEC\x6E\x03\x6C\xD9\xDD\x6C\xFC\xEB\x0D\x03\xFF\xA6\x83\x12\x9B\xF1\xA9\x93\x0F\xC5\x26\x4C\x31\xB2\x63\x99\x61\x72\xE7\x2A\x64\x99\xD2\xB8\xE9\x75\xE2\x7C\xA9\xA9\x9A\x1A\xAA\xC3\x56\xDB\x10\x9A\x3C\x83\x52\xB6\x7B\x96\xB7\xAC\x87\x77\xA8\xB9\xF2\x67\x0B\x94\x43\xB3\xAF\x3E\x73\xFA\x42\x36\xB1\x25\xC5\x0A\x31\x26\x37\x56\x67\xBA\xA3\x0B\x7D\xD6\xF7\x89\xCD\x67\xA1\xB7\x3A\x1E\x66\x4F\xF6\xA0\x55\x14\x25\x4C\x2C\x33\x0D\xA6\x41\x8C\xBD\x04\x31\x6A\x10\x72\x0A\x9D\x0E\x2E\x76\xBD\x5E\xF3\x51\x89\x8B\xA8\x3F\x55\x73\xBF\xDB\x3A\xC6\x24\x05\x96\x92\x48\xAA\x4B\x8D\x2A\x03\xE5\x57\x91\x10\xF4\x6A\x28\x15\x6E\x47\x77\x84\x5C\x51\x74\x9F\x19\xE9\xE6\x1E\x63\x16\x39\xE3\x11\x15\xE3\x58\x1A\x44\xBD\xCB\xC4\x6C\x66\xD7\x84\x06\xDF\x30\xF4\x37\xA2\x43\x22\x79\xD2\x10\x6C\xDF\xBB\xE6\x13\x11\xFC\x9D\x84\x0A\x13\x7B\xF0\x3B\xD0\xFC\xA3\x0A\xD7\x89\xEA\x96\x7E\x8D\x48\x85\x1E\x64\x5F\xDB\x54\xA2\xAC\xD5\x7A\x02\x79\x6B\xD2\x8A\xF0\x67\xDA\x65\x72\x0D\x14\x70\xE4\xE9\x8E\x78\x8F\x32\x74\x7C\x57\xF2\xD6\xD6\xF4\x36\x89\x1B\xF8\x29\x6C\x8B\xB9\xF6\x97\xD1\xA4\x2E\xAA\xBE\x0B\x19\xC2\x45\xE9\x70\x5D\x02\x03\x00\x9D\xD9\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x9B\x98\x9A\x5D\xBE\xF3\x28\x23\x76\xC6\x6C\xF7\x7F\xE6\x40\x9E\xC0\x36\xDC\x95\x0D\x1D\xAD\x15\xC5\x36\xD8\xD5\x39\xEF\xF2\x1E\x22\x5E\xB3\x82\xB4\x5D\xBB\x4C\x1A\xCA\x92\x0D\xDF\x47\x24\x1E\xB3\x24\xDA\x91\x88\xE9\x83\x70\xDD\x93\xD7\xE9\xBA\xB3\xDF\x16\x5A\x3E\xDE\xE0\xC8\xFB\xD3\xFD\x6C\x29\xF8\x15\x46\xA0\x68\x26\xCC\x93\x52\xAE\x82\x01\x93\x90\xCA\x77\xCA\x4D\x49\xEF\xE2\x5A\xD9\x2A\xBD\x30\xCE\x4C\xB2\x81\xB6\x30\xCE\x59\x4F\xDA\x59\x1D\x6A\x7A\xA4\x45\xB0\x82\x26\x81\x86\x76\xF5\xF5\x10\x00\xB8\xEE\xB3\x09\xE8\x4F\x87\x02\x07\xAE\x24\x5C\xF0\x5F\xAC\x0A\x30\xCC\x8A\x40\xA0\x73\x04\xC1\xFB\x89\x24\xF6\x9A\x1C\x5C\xB7\x3C\x0A\x67\x36\x05\x08\x31\xB3\xAF\xD8\x01\x68\x2A\xE0\x78\x8F\x74\xDE\xB8\x51\xA4\x8C\x6C\x20\x3D\xA2\xFB\xB3\xD4\x09\xFD\x7B\xC2\x80\xAA\x93\x6C\x29\x98\x21\xA8\xBB\x16\xF3\xA9\x12\x5F\x74\xB5\x87\x98\xF2\x95\x26\xDF\x34\xEF\x8A\x53\x91\x88\x5D\x1A\x94\xA3\x3F\x7C\x22\xF8\xD7\x88\xBA\xA6\x8C\x96\xA8\x3D\x52\x34\x62\x9F\x00\x1E\x54\x55\x42\x67\xC6\x4D\x46\x8F\xBB\x14\x45\x3D\x0A\x96\x16\x8E\x10\xA1\x97\x99\xD5\xD3\x30\x85\xCC\xDE\xB4\x72\xB7\xBC\x8A\x3C\x18\x29\x68\xFD\xDC\x71\x07\xEE\x24\x39\x6A\xFA\xED\xA5\xAC\x38\x2F\xF9\x1E\x10\x0E\x06\x71\x1A\x10\x4C\xFE\x75\x7E\xFF\x1E\x57\x39\x42\xCA\xD7\xE1\x15\xA1\x56\x55\x59\x1B\xD1\xA3\xAF\x11\xD8\x4E\xC3\xA5\x2B\xEF\x90\xBF\xC0\xEC\x82\x13\x5B\x8D\xD6\x72\x2C\x93\x4E\x8F\x6A\x29\xDF\x85\x3C\xD3\x0D\xE0\xA2\x18\x12\xCC\x55\x2F\x47\xB7\xA7\x9B\x02\xFE\x41\xF6\x88\x4C\x6D\xDA\xA9\x01\x47\x83\x64\x27\x62\x10\x82\xD6\x12\x7B\x5E\x03\x1F\x34\xA9\xC9\x91\xFE\xAF\x5D\x6D\x86\x27\xB7\x23\xAA\x75\x18\xCA\x20\xE7\xB0\x0F\xD7\x89\x0E\xA6\x67\x22\x63\xF4\x83\x41\x2B\x06\x4B\xBB\x58\xD5\xD1\xD7\xB7\xB9\x10\x63\xD8\x89\x4A\xB4\xAA\xDD\x16\x63\xF5\x6E\xBE\x60\xA1\xF8\xED\xE8\xD6\x90\x4F\x1A\xC6\xC5\xA0\x29\xD3\xA7\x21\xA8\xF5\x5A\x3C\xF7\xC7\x49\xA2\x21\x9A\x4A\x95\x52\x20\x96\x72\x9A\x66\xCB\xF7\xD2\x86\x43\x7C\x22\xBE\x96\xF9\xBD\x01\xA8\x47\xDD\xE5\x3B\x40\xF9\x75\x2B\x9B\x2B\x46\x64\x86\x8D\x1E\xF4\x8F\xFB\x07\x77\xD0\xEA\x49\xA2\x1C\x8D\x52\x14\xA6\x0A\x93",
+	["OU=certSIGN ROOT CA,O=certSIGN,C=RO"] = "\x30\x82\x03\x38\x30\x82\x02\x20\xA0\x03\x02\x01\x02\x02\x06\x20\x06\x05\x16\x70\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x17\x0D\x33\x31\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x33\xB9\x7E\xC8\x25\x4A\x8E\xB5\xDB\xB4\x28\x1B\xAA\x57\x90\xE8\xD1\x22\xD3\x64\xBA\xD3\x93\xE8\xD4\xAC\x86\x61\x40\x6A\x60\x57\x68\x54\x84\x4D\xBC\x6A\x54\x02\x05\xFF\xDF\x9B\x9A\x2A\xAE\x5D\x07\x8F\x4A\xC3\x28\x7F\xEF\xFB\x2B\xFA\x79\xF1\xC7\xAD\xF0\x10\x53\x24\x90\x8B\x66\xC9\xA8\x88\xAB\xAF\x5A\xA3\x00\xE9\xBE\xBA\x46\xEE\x5B\x73\x7B\x2C\x17\x82\x81\x5E\x62\x2C\xA1\x02\x65\xB3\xBD\xC5\x2B\x00\x7E\xC4\xFC\x03\x33\x57\x0D\xED\xE2\xFA\xCE\x5D\x45\xD6\x38\xCD\x35\xB6\xB2\xC1\xD0\x9C\x81\x4A\xAA\xE4\xB2\x01\x5C\x1D\x8F\x5F\x99\xC4\xB1\xAD\xDB\x88\x21\xEB\x90\x08\x82\x80\xF3\x30\xA3\x43\xE6\x90\x82\xAE\x55\x28\x49\xED\x5B\xD7\xA9\x10\x38\x0E\xFE\x8F\x4C\x5B\x9B\x46\xEA\x41\xF5\xB0\x08\x74\xC3\xD0\x88\x33\xB6\x7C\xD7\x74\xDF\xDC\x84\xD1\x43\x0E\x75\x39\xA1\x25\x40\x28\xEA\x78\xCB\x0E\x2C\x2E\x39\x9D\x8C\x8B\x6E\x16\x1C\x2F\x26\x82\x10\xE2\xE3\x65\x94\x0A\x04\xC0\x5E\xF7\x5D\x5B\xF8\x10\xE2\xD0\xBA\x7A\x4B\xFB\xDE\x37\x00\x00\x1A\x5B\x28\xE3\xD2\x9C\x73\x3E\x32\x87\x98\xA1\xC9\x51\x2F\xD7\xDE\xAC\x33\xB3\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\x8C\x9B\xDB\x25\x49\xB3\xF1\x7C\x86\xD6\xB2\x42\x87\x0B\xD0\x6B\xA0\xD9\xE4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\xD2\x1C\x89\x2E\x35\xFC\xF8\x75\xDD\xE6\x7F\x65\x88\xF4\x72\x4C\xC9\x2C\xD7\x32\x4E\xF3\xDD\x19\x79\x47\xBD\x8E\x3B\x5B\x93\x0F\x50\x49\x24\x13\x6B\x14\x06\x72\xEF\x09\xD3\xA1\xA1\xE3\x40\x84\xC9\xE7\x18\x32\x74\x3C\x48\x6E\x0F\x9F\x4B\xD4\xF7\x1E\xD3\x93\x86\x64\x54\x97\x63\x72\x50\xD5\x55\xCF\xFA\x20\x93\x02\xA2\x9B\xC3\x23\x93\x4E\x16\x55\x76\xA0\x70\x79\x6D\xCD\x21\x1F\xCF\x2F\x2D\xBC\x19\xE3\x88\x31\xF8\x59\x1A\x81\x09\xC8\x97\xA6\x74\xC7\x60\xC4\x5B\xCC\x57\x8E\xB2\x75\xFD\x1B\x02\x09\xDB\x59\x6F\x72\x93\x69\xF7\x31\x41\xD6\x88\x38\xBF\x87\xB2\xBD\x16\x79\xF9\xAA\xE4\xBE\x88\x25\xDD\x61\x27\x23\x1C\xB5\x31\x07\x04\x36\xB4\x1A\x90\xBD\xA0\x74\x71\x50\x89\x6D\xBC\x14\xE3\x0F\x86\xAE\xF1\xAB\x3E\xC7\xA0\x09\xCC\xA3\x48\xD1\xE0\xDB\x64\xE7\x92\xB5\xCF\xAF\x72\x43\x70\x8B\xF9\xC3\x84\x3C\x13\xAA\x7E\x92\x9B\x57\x53\x93\xFA\x70\xC2\x91\x0E\x31\xF9\x9B\x67\x5D\xE9\x96\x38\x5E\x5F\xB3\x73\x4E\x88\x15\x67\xDE\x9E\x76\x10\x62\x20\xBE\x55\x69\x95\x43\x00\x39\x4D\xF6\xEE\xB0\x5A\x4E\x49\x44\x54\x58\x5F\x42\x83",
+	["CN=CNNIC ROOT,O=CNNIC,C=CN"] = "\x30\x82\x03\x55\x30\x82\x02\x3D\xA0\x03\x02\x01\x02\x02\x04\x49\x33\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x30\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x17\x0D\x32\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD3\x35\xF7\x3F\x73\x77\xAD\xE8\x5B\x73\x17\xC2\xD1\x6F\xED\x55\xBC\x6E\xEA\xE8\xA4\x79\xB2\x6C\xC3\xA3\xEF\xE1\x9F\xB1\x3B\x48\x85\xF5\x9A\x5C\x21\x22\x10\x2C\xC5\x82\xCE\xDA\xE3\x9A\x6E\x37\xE1\x87\x2C\xDC\xB9\x0C\x5A\xBA\x88\x55\xDF\xFD\xAA\xDB\x1F\x31\xEA\x01\xF1\xDF\x39\x01\xC1\x13\xFD\x48\x52\x21\xC4\x55\xDF\xDA\xD8\xB3\x54\x76\xBA\x74\xB1\xB7\x7D\xD7\xC0\xE8\xF6\x59\xC5\x4D\xC8\xBD\xAD\x1F\x14\xDA\xDF\x58\x44\x25\x32\x19\x2A\xC7\x7E\x7E\x8E\xAE\x38\xB0\x30\x7B\x47\x72\x09\x31\xF0\x30\xDB\xC3\x1B\x76\x29\xBB\x69\x76\x4E\x57\xF9\x1B\x64\xA2\x93\x56\xB7\x6F\x99\x6E\xDB\x0A\x04\x9C\x11\xE3\x80\x1F\xCB\x63\x94\x10\x0A\xA9\xE1\x64\x82\x31\xF9\x8C\x27\xED\xA6\x99\x00\xF6\x70\x93\x18\xF8\xA1\x34\x86\xA3\xDD\x7A\xC2\x18\x79\xF6\x7A\x65\x35\xCF\x90\xEB\xBD\x33\x93\x9F\x53\xAB\x73\x3B\xE6\x9B\x34\x20\x2F\x1D\xEF\xA9\x1D\x63\x1A\xA0\x80\xDB\x03\x2F\xF9\x26\x1A\x86\xD2\x8D\xBB\xA9\xBE\x52\x3A\x87\x67\x48\x0D\xBF\xB4\xA0\xD8\x26\xBE\x23\x5F\x73\x37\x7F\x26\xE6\x92\x04\xA3\x7F\xCF\x20\xA7\xB7\xF3\x3A\xCA\xCB\x99\xCB\x02\x03\x01\x00\x01\xA3\x73\x30\x71\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xFE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\x35\xEE\xCC\xE4\xAE\xBF\xC3\x6E\xAD\x9F\x95\x3B\x4B\x3F\x5B\x1E\xDF\x57\x29\xA2\x59\xCA\x38\xE2\xB9\x1A\xFF\x9E\xE6\x6E\x32\xDD\x1E\xAE\xEA\x35\xB7\xF5\x93\x91\x4E\xDA\x42\xE1\xC3\x17\x60\x50\xF2\xD1\x5C\x26\xB9\x82\xB7\xEA\x6D\xE4\x9C\x84\xE7\x03\x79\x17\xAF\x98\x3D\x94\xDB\xC7\xBA\x00\xE7\xB8\xBF\x01\x57\xC1\x77\x45\x32\x0C\x3B\xF1\xB4\x1C\x08\xB0\xFD\x51\xA0\xA1\xDD\x9A\x1D\x13\x36\x9A\x6D\xB7\xC7\x3C\xB9\xE1\xC5\xD9\x17\xFA\x83\xD5\x3D\x15\xA0\x3C\xBB\x1E\x0B\xE2\xC8\x90\x3F\xA8\x86\x0C\xFC\xF9\x8B\x5E\x85\xCB\x4F\x5B\x4B\x62\x11\x47\xC5\x45\x7C\x05\x2F\x41\xB1\x9E\x10\x69\x1B\x99\x96\xE0\x55\x79\xFB\x4E\x86\x99\xB8\x94\xDA\x86\x38\x6A\x93\xA3\xE7\xCB\x6E\xE5\xDF\xEA\x21\x55\x89\x9C\x7D\x7D\x7F\x98\xF5\x00\x89\xEE\xE3\x84\xC0\x5C\x96\xB5\xC5\x46\xEA\x46\xE0\x85\x55\xB6\x1B\xC9\x12\xD6\xC1\xCD\xCD\x80\xF3\x02\x01\x3C\xC8\x69\xCB\x45\x48\x63\xD8\x94\xD0\xEC\x85\x0E\x3B\x4E\x11\x65\xF4\x82\x8C\xA6\x3D\xAE\x2E\x22\x94\x09\xC8\x5C\xEA\x3C\x81\x5D\x16\x2A\x03\x97\x16\x55\x09\xDB\x8A\x41\x82\x9E\x66\x9B\x11",
+	["OU=ApplicationCA,O=Japanese Government,C=JP"] = "\x30\x82\x03\xA0\x30\x82\x02\x88\xA0\x03\x02\x01\x02\x02\x01\x31\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA7\x6D\xE0\x74\x4E\x87\x8F\xA5\x06\xDE\x68\xA2\xDB\x86\x99\x4B\x64\x0D\x71\xF0\x0A\x05\x9B\x8E\xAA\xE1\xCC\x2E\xD2\x6A\x3B\xC1\x7A\xB4\x97\x61\x8D\x8A\xBE\xC6\x9A\x9C\x06\xB4\x86\x51\xE4\x37\x0E\x74\x78\x7E\x5F\x8A\x7F\x94\xA4\xD7\x47\x08\xFD\x50\x5A\x56\xE4\x68\xAC\x28\x73\xA0\x7B\xE9\x7F\x18\x92\x40\x4F\x2D\x9D\xF5\xAE\x44\x48\x73\x36\x06\x9E\x64\x2C\x3B\x34\x23\xDB\x5C\x26\xE4\x71\x79\x8F\xD4\x6E\x79\x22\xB9\x93\xC1\xCA\xCD\xC1\x56\xED\x88\x6A\xD7\xA0\x39\x21\x04\x57\x2C\xA2\xF5\xBC\x47\x41\x4F\x5E\x34\x22\x95\xB5\x1F\x29\x6D\x5E\x4A\xF3\x4D\x72\xBE\x41\x56\x20\x87\xFC\xE9\x50\x47\xD7\x30\x14\xEE\x5C\x8C\x55\xBA\x59\x8D\x87\xFC\x23\xDE\x93\xD0\x04\x8C\xFD\xEF\x6D\xBD\xD0\x7A\xC9\xA5\x3A\x6A\x72\x33\xC6\x4A\x0D\x05\x17\x2A\x2D\x7B\xB1\xA7\xD8\xD6\xF0\xBE\xF4\x3F\xEA\x0E\x28\x6D\x41\x61\x23\x76\x78\xC3\xB8\x65\xA4\xF3\x5A\xAE\xCC\xC2\xAA\xD9\xE7\x58\xDE\xB6\x7E\x9D\x85\x6E\x9F\x2A\x0A\x6F\x9F\x03\x29\x30\x97\x28\x1D\xBC\xB7\xCF\x54\x29\x4E\x51\x31\xF9\x27\xB6\x28\x26\xFE\xA2\x63\xE6\x41\x16\xF0\x33\x98\x47\x02\x03\x01\x00\x01\xA3\x81\x9E\x30\x81\x9B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x54\x5A\xCB\x26\x3F\x71\xCC\x94\x46\x0D\x96\x53\xEA\x6B\x48\xD0\x93\xFE\x42\x75\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x59\x06\x03\x55\x1D\x11\x04\x52\x30\x50\xA4\x4E\x30\x4C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\xE6\x97\xA5\xE6\x9C\xAC\xE5\x9B\xBD\xE6\x94\xBF\xE5\xBA\x9C\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\xE3\x82\xA2\xE3\x83\x97\xE3\x83\xAA\xE3\x82\xB1\xE3\x83\xBC\xE3\x82\xB7\xE3\x83\xA7\xE3\x83\xB3\x43\x41\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x39\x6A\x44\x76\x77\x38\x3A\xEC\xA3\x67\x46\x0F\xF9\x8B\x06\xA8\xFB\x6A\x90\x31\xCE\x7E\xEC\xDA\xD1\x89\x7C\x7A\xEB\x2E\x0C\xBD\x99\x32\xE7\xB0\x24\xD6\xC3\xFF\xF5\xB2\x88\x09\x87\x2C\xE3\x54\xE1\xA3\xA6\xB2\x08\x0B\xC0\x85\xA8\xC8\xD2\x9C\x71\xF6\x1D\x9F\x60\xFC\x38\x33\x13\xE1\x9E\xDC\x0B\x5F\xDA\x16\x50\x29\x7B\x2F\x70\x91\x0F\x99\xBA\x34\x34\x8D\x95\x74\xC5\x7E\x78\xA9\x66\x5D\xBD\xCA\x21\x77\x42\x10\xAC\x66\x26\x3D\xDE\x91\xAB\xFD\x15\xF0\x6F\xED\x6C\x5F\x10\xF8\xF3\x16\xF6\x03\x8A\x8F\xA7\x12\x11\x0C\xCB\xFD\x3F\x79\xC1\x9C\xFD\x62\xEE\xA3\xCF\x54\x0C\xD1\x2B\x5F\x17\x3E\xE3\x3E\xBF\xC0\x2B\x3E\x09\x9B\xFE\x88\xA6\x7E\xB4\x92\x17\xFC\x23\x94\x81\xBD\x6E\xA7\xC5\x8C\xC2\xEB\x11\x45\xDB\xF8\x41\xC9\x96\x76\xEA\x70\x5F\x79\x12\x6B\xE4\xA3\x07\x5A\x05\xEF\x27\x49\xCF\x21\x9F\x8A\x4C\x09\x70\x66\xA9\x26\xC1\x2B\x11\x4E\x33\xD2\x0E\xFC\xD6\x6C\xD2\x0E\x32\x64\x68\xFF\xAD\x05\x78\x5F\x03\x1D\xA8\xE3\x90\xAC\x24\xE0\x0F\x40\xA7\x4B\xAE\x8B\x28\xB7\x82\xCA\x18\x07\xE6\xB7\x5B\x74\xE9\x20\x19\x7F\xB2\x1B\x89\x54",
+	["CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\xFE\x30\x82\x02\xE6\xA0\x03\x02\x01\x02\x02\x10\x15\xAC\x6E\x94\x19\xB2\x79\x4B\x41\xF6\x27\xA9\xC3\x18\x0F\x1F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\xE2\x5E\x62\x58\x1D\x33\x57\x39\x32\x33\xFA\xEB\xCB\x87\x8C\xA7\xD4\x4A\xDD\x06\x88\xEA\x64\x8E\x31\x98\xA5\x38\x90\x1E\x98\xCF\x2E\x63\x2B\xF0\x46\xBC\x44\xB2\x89\xA1\xC0\x28\x0C\x49\x70\x21\x95\x9F\x64\xC0\xA6\x93\x12\x02\x65\x26\x86\xC6\xA5\x89\xF0\xFA\xD7\x84\xA0\x70\xAF\x4F\x1A\x97\x3F\x06\x44\xD5\xC9\xEB\x72\x10\x7D\xE4\x31\x28\xFB\x1C\x61\xE6\x28\x07\x44\x73\x92\x22\x69\xA7\x03\x88\x6C\x9D\x63\xC8\x52\xDA\x98\x27\xE7\x08\x4C\x70\x3E\xB4\xC9\x12\xC1\xC5\x67\x83\x5D\x33\xF3\x03\x11\xEC\x6A\xD0\x53\xE2\xD1\xBA\x36\x60\x94\x80\xBB\x61\x63\x6C\x5B\x17\x7E\xDF\x40\x94\x1E\xAB\x0D\xC2\x21\x28\x70\x88\xFF\xD6\x26\x6C\x6C\x60\x04\x25\x4E\x55\x7E\x7D\xEF\xBF\x94\x48\xDE\xB7\x1D\xDD\x70\x8D\x05\x5F\x88\xA5\x9B\xF2\xC2\xEE\xEA\xD1\x40\x41\x6D\x62\x38\x1D\x56\x06\xC5\x03\x47\x51\x20\x19\xFC\x7B\x10\x0B\x0E\x62\xAE\x76\x55\xBF\x5F\x77\xBE\x3E\x49\x01\x53\x3D\x98\x25\x03\x76\x24\x5A\x1D\xB4\xDB\x89\xEA\x79\xE5\xB6\xB3\x3B\x3F\xBA\x4C\x28\x41\x7F\x06\xAC\x6A\x8E\xC1\xD0\xF6\x05\x1D\x7D\xE6\x42\x86\xE3\xA5\xD5\x47\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\x79\xCA\x8E\xA1\x4E\x03\x1D\x1C\xDC\x6B\xDB\x31\x5B\x94\x3E\x3F\x30\x7F\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x2D\xC5\x13\xCF\x56\x80\x7B\x7A\x78\xBD\x9F\xAE\x2C\x99\xE7\xEF\xDA\xDF\x94\x5E\x09\x69\xA7\xE7\x6E\x68\x8C\xBD\x72\xBE\x47\xA9\x0E\x97\x12\xB8\x4A\xF1\x64\xD3\x39\xDF\x25\x34\xD4\xC1\xCD\x4E\x81\xF0\x0F\x04\xC4\x24\xB3\x34\x96\xC6\xA6\xAA\x30\xDF\x68\x61\x73\xD7\xF9\x8E\x85\x89\xEF\x0E\x5E\x95\x28\x4A\x2A\x27\x8F\x10\x8E\x2E\x7C\x86\xC4\x02\x9E\xDA\x0C\x77\x65\x0E\x44\x0D\x92\xFD\xFD\xB3\x16\x36\xFA\x11\x0D\x1D\x8C\x0E\x07\x89\x6A\x29\x56\xF7\x72\xF4\xDD\x15\x9C\x77\x35\x66\x57\xAB\x13\x53\xD8\x8E\xC1\x40\xC5\xD7\x13\x16\x5A\x72\xC7\xB7\x69\x01\xC4\x7A\xB1\x83\x01\x68\x7D\x8D\x41\xA1\x94\x18\xC1\x25\x5C\xFC\xF0\xFE\x83\x02\x87\x7C\x0D\x0D\xCF\x2E\x08\x5C\x4A\x40\x0D\x3E\xEC\x81\x61\xE6\x24\xDB\xCA\xE0\x0E\x2D\x07\xB2\x3E\x56\xDC\x8D\xF5\x41\x85\x07\x48\x9B\x0C\x0B\xCB\x49\x3F\x7D\xEC\xB7\xFD\xCB\x8D\x67\x89\x1A\xAB\xED\xBB\x1E\xA3\x00\x08\x08\x17\x2A\x82\x5C\x31\x5D\x46\x8A\x2D\x0F\x86\x9B\x74\xD9\x45\xFB\xD4\x40\xB1\x7A\xAA\x68\x2D\x86\xB2\x99\x22\xE1\xC1\x2B\xC7\x9C\xF8\xF3\x5F\xA8\x82\x12\xEB\x19\x11\x2D",
+	["CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US"] = "\x30\x82\x02\x88\x30\x82\x02\x0D\xA0\x03\x02\x01\x02\x02\x10\x35\xFC\x26\x5C\xD9\x84\x4F\xC9\x3D\x26\x3D\x57\x9B\xAE\xD7\x56\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA2\xD5\x9C\x82\x7B\x95\x9D\xF1\x52\x78\x87\xFE\x8A\x16\xBF\x05\xE6\xDF\xA3\x02\x4F\x0D\x07\xC6\x00\x51\xBA\x0C\x02\x52\x2D\x22\xA4\x42\x39\xC4\xFE\x8F\xEA\xC9\xC1\xBE\xD4\x4D\xFF\x9F\x7A\x9E\xE2\xB1\x7C\x9A\xAD\xA7\x86\x09\x73\x87\xD1\xE7\x9A\xE3\x7A\xA5\xAA\x6E\xFB\xBA\xB3\x70\xC0\x67\x88\xA2\x35\xD4\xA3\x9A\xB1\xFD\xAD\xC2\xEF\x31\xFA\xA8\xB9\xF3\xFB\x08\xC6\x91\xD1\xFB\x29\x95\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xD8\x00\x30\x00\xE7\x6B\x7F\x85\x18\xEE\x8B\xB6\xCE\x8A\x0C\xF8\x11\xE1\xBB\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\xDD\xF8\xE0\x57\x47\x5B\xA7\xE6\x0A\xC3\xBD\xF5\x80\x8A\x97\x35\x0D\x1B\x89\x3C\x54\x86\x77\x28\xCA\xA1\xF4\x79\xDE\xB5\xE6\x38\xB0\xF0\x65\x70\x8C\x7F\x02\x54\xC2\xBF\xFF\xD8\xA1\x3E\xD9\xCF\x02\x31\x00\xC4\x8D\x94\xFC\xDC\x53\xD2\xDC\x9D\x78\x16\x1F\x15\x33\x23\x53\x52\xE3\x5A\x31\x5D\x9D\xCA\xAE\xBD\x13\x29\x44\x0D\x27\x5B\xA8\xE7\x68\x9C\x12\xF7\x58\x3F\x2E\x72\x02\x57\xA3\x8F\xA1\x14\x2E",
+	["CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US"] = "\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x10\x60\x01\x97\xB7\x46\xA7\xEA\xB4\xB4\x9A\xD6\x4B\x2F\xF7\x90\xFB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\xBF\x27\x2C\xFB\xDB\xD8\x5B\xDD\x78\x7B\x1B\x9E\x77\x66\x81\xCB\x3E\xBC\x7C\xAE\xF3\xA6\x27\x9A\x34\xA3\x68\x31\x71\x38\x33\x62\xE4\xF3\x71\x66\x79\xB1\xA9\x65\xA3\xA5\x8B\xD5\x8F\x60\x2D\x3F\x42\xCC\xAA\x6B\x32\xC0\x23\xCB\x2C\x41\xDD\xE4\xDF\xFC\x61\x9C\xE2\x73\xB2\x22\x95\x11\x43\x18\x5F\xC4\xB6\x1F\x57\x6C\x0A\x05\x58\x22\xC8\x36\x4C\x3A\x7C\xA5\xD1\xCF\x86\xAF\x88\xA7\x44\x02\x13\x74\x71\x73\x0A\x42\x59\x02\xF8\x1B\x14\x6B\x42\xDF\x6F\x5F\xBA\x6B\x82\xA2\x9D\x5B\xE7\x4A\xBD\x1E\x01\x72\xDB\x4B\x74\xE8\x3B\x7F\x7F\x7D\x1F\x04\xB4\x26\x9B\xE0\xB4\x5A\xAC\x47\x3D\x55\xB8\xD7\xB0\x26\x52\x28\x01\x31\x40\x66\xD8\xD9\x24\xBD\xF6\x2A\xD8\xEC\x21\x49\x5C\x9B\xF6\x7A\xE9\x7F\x55\x35\x7E\x96\x6B\x8D\x93\x93\x27\xCB\x92\xBB\xEA\xAC\x40\xC0\x9F\xC2\xF8\x80\xCF\x5D\xF4\x5A\xDC\xCE\x74\x86\xA6\x3E\x6C\x0B\x53\xCA\xBD\x92\xCE\x19\x06\x72\xE6\x0C\x5C\x38\x69\xC7\x04\xD6\xBC\x6C\xCE\x5B\xF6\xF7\x68\x9C\xDC\x25\x15\x48\x88\xA1\xE9\xA9\xF8\x98\x9C\xE0\xF3\xD5\x31\x28\x61\x11\x6C\x67\x96\x8D\x39\x99\xCB\xC2\x45\x24\x39\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\x6C\xAA\x94\x60\x9C\xED\xE4\xFF\xFA\x3E\x0A\x74\x2B\x63\x03\xF7\xB6\x59\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x1A\x40\xD8\x95\x65\xAC\x09\x92\x89\xC6\x39\xF4\x10\xE5\xA9\x0E\x66\x53\x5D\x78\xDE\xFA\x24\x91\xBB\xE7\x44\x51\xDF\xC6\x16\x34\x0A\xEF\x6A\x44\x51\xEA\x2B\x07\x8A\x03\x7A\xC3\xEB\x3F\x0A\x2C\x52\x16\xA0\x2B\x43\xB9\x25\x90\x3F\x70\xA9\x33\x25\x6D\x45\x1A\x28\x3B\x27\xCF\xAA\xC3\x29\x42\x1B\xDF\x3B\x4C\xC0\x33\x34\x5B\x41\x88\xBF\x6B\x2B\x65\xAF\x28\xEF\xB2\xF5\xC3\xAA\x66\xCE\x7B\x56\xEE\xB7\xC8\xCB\x67\xC1\xC9\x9C\x1A\x18\xB8\xC4\xC3\x49\x03\xF1\x60\x0E\x50\xCD\x46\xC5\xF3\x77\x79\xF7\xB6\x15\xE0\x38\xDB\xC7\x2F\x28\xA0\x0C\x3F\x77\x26\x74\xD9\x25\x12\xDA\x31\xDA\x1A\x1E\xDC\x29\x41\x91\x22\x3C\x69\xA7\xBB\x02\xF2\xB6\x5C\x27\x03\x89\xF4\x06\xEA\x9B\xE4\x72\x82\xE3\xA1\x09\xC1\xE9\x00\x19\xD3\x3E\xD4\x70\x6B\xBA\x71\xA6\xAA\x58\xAE\xF4\xBB\xE9\x6C\xB6\xEF\x87\xCC\x9B\xBB\xFF\x39\xE6\x56\x61\xD3\x0A\xA7\xC4\x5C\x4C\x60\x7B\x05\x77\x26\x7A\xBF\xD8\x07\x52\x2C\x62\xF7\x70\x63\xD9\x39\xBC\x6F\x1C\xC2\x79\xDC\x76\x29\xAF\xCE\xC5\x2C\x64\x04\x5E\x88\x36\x6E\x31\xD4\x40\x1A\x62\x34\x36\x3F\x35\x01\xAE\xAC\x63\xA0",
+	["CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US"] = "\x30\x82\x02\xAE\x30\x82\x02\x35\xA0\x03\x02\x01\x02\x02\x10\x3C\xB2\xF4\x48\x0A\x00\xE2\xFE\xEB\x24\x3B\x5E\x60\x3E\xC3\x6B\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x37\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x37\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x15\xB1\xE8\xFD\x03\x15\x43\xE5\xAC\xEB\x87\x37\x11\x62\xEF\xD2\x83\x36\x52\x7D\x45\x57\x0B\x4A\x8D\x7B\x54\x3B\x3A\x6E\x5F\x15\x02\xC0\x50\xA6\xCF\x25\x2F\x7D\xCA\x48\xB8\xC7\x50\x63\x1C\x2A\x21\x08\x7C\x9A\x36\xD8\x0B\xFE\xD1\x26\xC5\x58\x31\x30\x28\x25\xF3\x5D\x5D\xA3\xB8\xB6\xA5\xB4\x92\xED\x6C\x2C\x9F\xEB\xDD\x43\x89\xA2\x3C\x4B\x48\x91\x1D\x50\xEC\x26\xDF\xD6\x60\x2E\xBD\x21\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x15\x5F\x35\x57\x51\x55\xFB\x25\xB2\xAD\x03\x69\xFC\x01\xA3\xFA\xBE\x11\x55\xD5\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x64\x96\x59\xA6\xE8\x09\xDE\x8B\xBA\xFA\x5A\x88\x88\xF0\x1F\x91\xD3\x46\xA8\xF2\x4A\x4C\x02\x63\xFB\x6C\x5F\x38\xDB\x2E\x41\x93\xA9\x0E\xE6\x9D\xDC\x31\x1C\xB2\xA0\xA7\x18\x1C\x79\xE1\xC7\x36\x02\x30\x3A\x56\xAF\x9A\x74\x6C\xF6\xFB\x83\xE0\x33\xD3\x08\x5F\xA1\x9C\xC2\x5B\x9F\x46\xD6\xB6\xCB\x91\x06\x63\xA2\x06\xE7\x33\xAC\x3E\xA8\x81\x12\xD0\xCB\xBA\xD0\x92\x0B\xB6\x9E\x96\xAA\x04\x0F\x8A",
+	["CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\xB9\x30\x82\x03\xA1\xA0\x03\x02\x01\x02\x02\x10\x40\x1A\xC4\x64\x21\xB3\x13\x21\x03\x0E\xBB\xE4\x12\x1A\xC5\x1D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xBD\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x38\x30\x36\x06\x03\x55\x04\x03\x13\x2F\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xBD\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x38\x30\x36\x06\x03\x55\x04\x03\x13\x2F\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC7\x61\x37\x5E\xB1\x01\x34\xDB\x62\xD7\x15\x9B\xFF\x58\x5A\x8C\x23\x23\xD6\x60\x8E\x91\xD7\x90\x98\x83\x7A\xE6\x58\x19\x38\x8C\xC5\xF6\xE5\x64\x85\xB4\xA2\x71\xFB\xED\xBD\xB9\xDA\xCD\x4D\x00\xB4\xC8\x2D\x73\xA5\xC7\x69\x71\x95\x1F\x39\x3C\xB2\x44\x07\x9C\xE8\x0E\xFA\x4D\x4A\xC4\x21\xDF\x29\x61\x8F\x32\x22\x61\x82\xC5\x87\x1F\x6E\x8C\x7C\x5F\x16\x20\x51\x44\xD1\x70\x4F\x57\xEA\xE3\x1C\xE3\xCC\x79\xEE\x58\xD8\x0E\xC2\xB3\x45\x93\xC0\x2C\xE7\x9A\x17\x2B\x7B\x00\x37\x7A\x41\x33\x78\xE1\x33\xE2\xF3\x10\x1A\x7F\x87\x2C\xBE\xF6\xF5\xF7\x42\xE2\xE5\xBF\x87\x62\x89\x5F\x00\x4B\xDF\xC5\xDD\xE4\x75\x44\x32\x41\x3A\x1E\x71\x6E\x69\xCB\x0B\x75\x46\x08\xD1\xCA\xD2\x2B\x95\xD0\xCF\xFB\xB9\x40\x6B\x64\x8C\x57\x4D\xFC\x13\x11\x79\x84\xED\x5E\x54\xF6\x34\x9F\x08\x01\xF3\x10\x25\x06\x17\x4A\xDA\xF1\x1D\x7A\x66\x6B\x98\x60\x66\xA4\xD9\xEF\xD2\x2E\x82\xF1\xF0\xEF\x09\xEA\x44\xC9\x15\x6A\xE2\x03\x6E\x33\xD3\xAC\x9F\x55\x00\xC7\xF6\x08\x6A\x94\xB9\x5F\xDC\xE0\x33\xF1\x84\x60\xF9\x5B\x27\x11\xB4\xFC\x16\xF2\xBB\x56\x6A\x80\x25\x8D\x02\x03\x01\x00\x01\xA3\x81\xB2\x30\x81\xAF\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x6D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x0C\x04\x61\x30\x5F\xA1\x5D\xA0\x5B\x30\x59\x30\x57\x30\x55\x16\x09\x69\x6D\x61\x67\x65\x2F\x67\x69\x66\x30\x21\x30\x1F\x30\x07\x06\x05\x2B\x0E\x03\x02\x1A\x04\x14\x8F\xE5\xD3\x1A\x86\xAC\x8D\x8E\x6B\xC3\xCF\x80\x6A\xD4\x48\x18\x2C\x7B\x19\x2E\x30\x25\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x6F\x2E\x76\x65\x72\x69\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x76\x73\x6C\x6F\x67\x6F\x2E\x67\x69\x66\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\x77\xFA\x69\x48\x47\x9F\x53\x12\xD5\xC2\xEA\x07\x32\x76\x07\xD1\x97\x07\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4A\xF8\xF8\xB0\x03\xE6\x2C\x67\x7B\xE4\x94\x77\x63\xCC\x6E\x4C\xF9\x7D\x0E\x0D\xDC\xC8\xB9\x35\xB9\x70\x4F\x63\xFA\x24\xFA\x6C\x83\x8C\x47\x9D\x3B\x63\xF3\x9A\xF9\x76\x32\x95\x91\xB1\x77\xBC\xAC\x9A\xBE\xB1\xE4\x31\x21\xC6\x81\x95\x56\x5A\x0E\xB1\xC2\xD4\xB1\xA6\x59\xAC\xF1\x63\xCB\xB8\x4C\x1D\x59\x90\x4A\xEF\x90\x16\x28\x1F\x5A\xAE\x10\xFB\x81\x50\x38\x0C\x6C\xCC\xF1\x3D\xC3\xF5\x63\xE3\xB3\xE3\x21\xC9\x24\x39\xE9\xFD\x15\x66\x46\xF4\x1B\x11\xD0\x4D\x73\xA3\x7D\x46\xF9\x3D\xED\xA8\x5F\x62\xD4\xF1\x3F\xF8\xE0\x74\x57\x2B\x18\x9D\x81\xB4\xC4\x28\xDA\x94\x97\xA5\x70\xEB\xAC\x1D\xBE\x07\x11\xF0\xD5\xDB\xDD\xE5\x8C\xF0\xD5\x32\xB0\x83\xE6\x57\xE2\x8F\xBF\xBE\xA1\xAA\xBF\x3D\x1D\xB5\xD4\x38\xEA\xD7\xB0\x5C\x3A\x4F\x6A\x3F\x8F\xC0\x66\x6C\x63\xAA\xE9\xD9\xA4\x16\xF4\x81\xD1\x95\x14\x0E\x7D\xCD\x95\x34\xD9\xD2\x8F\x70\x73\x81\x7B\x9C\x7E\xBD\x98\x61\xD8\x45\x87\x98\x90\xC5\xEB\x86\x30\xC6\x35\xBF\xF0\xFF\xC3\x55\x88\x83\x4B\xEF\x05\x92\x06\x71\xF2\xB8\x98\x93\xB7\xEC\xCD\x82\x61\xF1\x38\xE6\x4F\x97\x98\x2A\x5A\x8D",
+	["CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x84\x30\x82\x03\x0A\xA0\x03\x02\x01\x02\x02\x10\x2F\x80\xFE\x23\x8C\x0E\x22\x0F\x48\x67\x12\x28\x91\x87\xAC\xB3\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA7\x56\x7A\x7C\x52\xDA\x64\x9B\x0E\x2D\x5C\xD8\x5E\xAC\x92\x3D\xFE\x01\xE6\x19\x4A\x3D\x14\x03\x4B\xFA\x60\x27\x20\xD9\x83\x89\x69\xFA\x54\xC6\x9A\x18\x5E\x55\x2A\x64\xDE\x06\xF6\x8D\x4A\x3B\xAD\x10\x3C\x65\x3D\x90\x88\x04\x89\xE0\x30\x61\xB3\xAE\x5D\x01\xA7\x7B\xDE\x7C\xB2\xBE\xCA\x65\x61\x00\x86\xAE\xDA\x8F\x7B\xD0\x89\xAD\x4D\x1D\x59\x9A\x41\xB1\xBC\x47\x80\xDC\x9E\x62\xC3\xF9\xA3\x81\xB2\x30\x81\xAF\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x6D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x0C\x04\x61\x30\x5F\xA1\x5D\xA0\x5B\x30\x59\x30\x57\x30\x55\x16\x09\x69\x6D\x61\x67\x65\x2F\x67\x69\x66\x30\x21\x30\x1F\x30\x07\x06\x05\x2B\x0E\x03\x02\x1A\x04\x14\x8F\xE5\xD3\x1A\x86\xAC\x8D\x8E\x6B\xC3\xCF\x80\x6A\xD4\x48\x18\x2C\x7B\x19\x2E\x30\x25\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x6F\x2E\x76\x65\x72\x69\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x76\x73\x6C\x6F\x67\x6F\x2E\x67\x69\x66\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x16\x91\xFD\xEE\xA6\x6E\xE4\xB5\x2E\x49\x8F\x87\x78\x81\x80\xEC\xE5\xB1\xB5\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x66\x21\x0C\x18\x26\x60\x5A\x38\x7B\x56\x42\xE0\xA7\xFC\x36\x84\x51\x91\x20\x2C\x76\x4D\x43\x3D\xC4\x1D\x84\x23\xD0\xAC\xD6\x7C\x35\x06\xCE\xCD\x69\xBD\x90\x0D\xDB\x6C\x48\x42\x1D\x0E\xAA\x42\x02\x31\x00\x9C\x3D\x48\x39\x23\x39\x58\x1A\x15\x12\x59\x6A\x9E\xEF\xD5\x59\xB2\x1D\x52\x2C\x99\x71\xCD\xC7\x29\xDF\x1B\x2A\x61\x7B\x71\xD1\xDE\xF3\xC0\xE5\x0D\x3A\x4A\xAA\x2D\xA7\xD8\x86\x2A\xDD\x2E\x10",
+	["CN=NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny,OU=Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU"] = "\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x06\x49\x41\x2C\xE4\x00\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x1E\x17\x0D\x30\x38\x31\x32\x31\x31\x31\x35\x30\x38\x32\x31\x5A\x17\x0D\x32\x38\x31\x32\x30\x36\x31\x35\x30\x38\x32\x31\x5A\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC4\x24\x5E\x73\xBE\x4B\x6D\x14\xC3\xA1\xF4\xE3\x97\x90\x6E\xD2\x30\x45\x1E\x3C\xEE\x67\xD9\x64\xE0\x1A\x8A\x7F\xCA\x30\xCA\x83\xE3\x20\xC1\xE3\xF4\x3A\xD3\x94\x5F\x1A\x7C\x5B\x6D\xBF\x30\x4F\x84\x27\xF6\x9F\x1F\x49\xBC\xC6\x99\x0A\x90\xF2\x0F\xF5\x7F\x43\x84\x37\x63\x51\x8B\x7A\xA5\x70\xFC\x7A\x58\xCD\x8E\x9B\xED\xC3\x46\x6C\x84\x70\x5D\xDA\xF3\x01\x90\x23\xFC\x4E\x30\xA9\x7E\xE1\x27\x63\xE7\xED\x64\x3C\xA0\xB8\xC9\x33\x63\xFE\x16\x90\xFF\xB0\xB8\xFD\xD7\xA8\xC0\xC0\x94\x43\x0B\xB6\xD5\x59\xA6\x9E\x56\xD0\x24\x1F\x70\x79\xAF\xDB\x39\x54\x0D\x65\x75\xD9\x15\x41\x94\x01\xAF\x5E\xEC\xF6\x8D\xF1\xFF\xAD\x64\xFE\x20\x9A\xD7\x5C\xEB\xFE\xA6\x1F\x08\x64\xA3\x8B\x76\x55\xAD\x1E\x3B\x28\x60\x2E\x87\x25\xE8\xAA\xAF\x1F\xC6\x64\x46\x20\xB7\x70\x7F\x3C\xDE\x48\xDB\x96\x53\xB7\x39\x77\xE4\x1A\xE2\xC7\x16\x84\x76\x97\x5B\x2F\xBB\x19\x15\x85\xF8\x69\x85\xF5\x99\xA7\xA9\xF2\x34\xA7\xA9\xB6\xA6\x03\xFC\x6F\x86\x3D\x54\x7C\x76\x04\x9B\x6B\xF9\x40\x5D\x00\x34\xC7\x2E\x99\x75\x9D\xE5\x88\x03\xAA\x4D\xF8\x03\xD2\x42\x76\xC0\x1B\x02\x03\x00\xA8\x8B\xA3\x45\x30\x43\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCC\xFA\x67\x93\xF0\xB6\xB8\xD0\xA5\xC0\x1E\xF3\x53\xFD\x8C\x53\xDF\x83\xD7\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xAB\x7F\xEE\x1C\x16\xA9\x9C\x3C\x51\x00\xA0\xC0\x11\x08\x05\xA7\x99\xE6\x6F\x01\x88\x54\x61\x6E\xF1\xB9\x18\xAD\x4A\xAD\xFE\x81\x40\x23\x94\x2F\xFB\x75\x7C\x2F\x28\x4B\x62\x24\x81\x82\x0B\xF5\x61\xF1\x1C\x6E\xB8\x61\x38\xEB\x81\xFA\x62\xA1\x3B\x5A\x62\xD3\x94\x65\xC4\xE1\xE6\x6D\x82\xF8\x2F\x25\x70\xB2\x21\x26\xC1\x72\x51\x1F\x8C\x2C\xC3\x84\x90\xC3\x5A\x8F\xBA\xCF\xF4\xA7\x65\xA5\xEB\x98\xD1\xFB\x05\xB2\x46\x75\x15\x23\x6A\x6F\x85\x63\x30\x80\xF0\xD5\x9E\x1F\x29\x1C\xC2\x6C\xB0\x50\x59\x5D\x90\x5B\x3B\xA8\x0D\x30\xCF\xBF\x7D\x7F\xCE\xF1\x9D\x83\xBD\xC9\x46\x6E\x20\xA6\xF9\x61\x51\xBA\x21\x2F\x7B\xBE\xA5\x15\x63\xA1\xD4\x95\x87\xF1\x9E\xB9\xF3\x89\xF3\x3D\x85\xB8\xB8\xDB\xBE\xB5\xB9\x29\xF9\xDA\x37\x05\x00\x49\x94\x03\x84\x44\xE7\xBF\x43\x31\xCF\x75\x8B\x25\xD1\xF4\xA6\x64\xF5\x92\xF6\xAB\x05\xEB\x3D\xE9\xA5\x0B\x36\x62\xDA\xCC\x06\x5F\x36\x8B\xB6\x5E\x31\xB8\x2A\xFB\x5E\xF6\x71\xDF\x44\x26\x9E\xC4\xE6\x0D\x91\xB4\x2E\x75\x95\x80\x51\x6A\x4B\x30\xA6\xB0\x62\xA1\x93\xF1\x9B\xD8\xCE\xC4\x63\x75\x3F\x59\x47\xB1",
+	["CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"] = "\x30\x82\x05\xCA\x30\x82\x03\xB2\xA0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x38\x30\x33\x32\x36\x31\x31\x31\x38\x31\x37\x5A\x17\x0D\x32\x30\x30\x33\x32\x35\x31\x31\x30\x33\x31\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC5\x59\xE7\x6F\x75\xAA\x3E\x4B\x9C\xB5\xB8\xAC\x9E\x0B\xE4\xF9\xD9\xCA\xAB\x5D\x8F\xB5\x39\x10\x82\xD7\xAF\x51\xE0\x3B\xE1\x00\x48\x6A\xCF\xDA\xE1\x06\x43\x11\x99\xAA\x14\x25\x12\xAD\x22\xE8\x00\x6D\x43\xC4\xA9\xB8\xE5\x1F\x89\x4B\x67\xBD\x61\x48\xEF\xFD\xD2\xE0\x60\x88\xE5\xB9\x18\x60\x28\xC3\x77\x2B\xAD\xB0\x37\xAA\x37\xDE\x64\x59\x2A\x46\x57\xE4\x4B\xB9\xF8\x37\x7C\xD5\x36\xE7\x80\xC1\xB6\xF3\xD4\x67\x9B\x96\xE8\xCE\xD7\xC6\x0A\x53\xD0\x6B\x49\x96\xF3\xA3\x0B\x05\x77\x48\xF7\x25\xE5\x70\xAC\x30\x14\x20\x25\xE3\x7F\x75\x5A\xE5\x48\xF8\x4E\x7B\x03\x07\x04\xFA\x82\x61\x87\x6E\xF0\x3B\xC4\xA4\xC7\xD0\xF5\x74\x3E\xA5\x5D\x1A\x08\xF2\x9B\x25\xD2\xF6\xAC\x04\x26\x3E\x55\x3A\x62\x28\xA5\x7B\xB2\x30\xAF\xF8\x37\xC2\xD1\xBA\xD6\x38\xFD\xF4\xEF\x49\x30\x37\x99\x26\x21\x48\x85\x01\xA9\xE5\x16\xE7\xDC\x90\x55\xDF\x0F\xE8\x38\xCD\x99\x37\x21\x4F\x5D\xF5\x22\x6F\x6A\xC5\x12\x16\x60\x17\x55\xF2\x65\x66\xA6\xA7\x30\x91\x38\xC1\x38\x1D\x86\x04\x84\xBA\x1A\x25\x78\x5E\x9D\xAF\xCC\x50\x60\xD6\x13\x87\x52\xED\x63\x1F\x6D\x65\x7D\xC2\x15\x18\x74\xCA\xE1\x7E\x64\x29\x8C\x72\xD8\x16\x13\x7D\x0B\x49\x4A\xF1\x28\x1B\x20\x74\x6B\xC5\x3D\xDD\xB0\xAA\x48\x09\x3D\x2E\x82\x94\xCD\x1A\x65\xD9\x2B\x88\x9A\x99\xBC\x18\x7E\x9F\xEE\x7D\x66\x7C\x3E\xBD\x94\xB8\x81\xCE\xCD\x98\x30\x78\xC1\x6F\x67\xD0\xBE\x5F\xE0\x68\xED\xDE\xE2\xB1\xC9\x2C\x59\x78\x92\xAA\xDF\x2B\x60\x63\xF2\xE5\x5E\xB9\xE3\xCA\xFA\x7F\x50\x86\x3E\xA2\x34\x18\x0C\x09\x68\x28\x11\x1C\xE4\xE1\xB9\x5C\x3E\x47\xBA\x32\x3F\x18\xCC\x5B\x84\xF5\xF3\x6B\x74\xC4\x72\x74\xE1\xE3\x8B\xA0\x4A\xBD\x8D\x66\x2F\xEA\xAD\x35\xDA\x20\xD3\x88\x82\x61\xF0\x12\x22\xB6\xBC\xD0\xD5\xA4\xEC\xAF\x54\x88\x25\x24\x3C\xA7\x6D\xB1\x72\x29\x3F\x3E\x57\xA6\x7F\x55\xAF\x6E\x26\xC6\xFE\xE7\xCC\x40\x5C\x51\x44\x81\x0A\x78\xDE\x4A\xCE\x55\xBF\x1D\xD5\xD9\xB7\x56\xEF\xF0\x76\xFF\x0B\x79\xB5\xAF\xBD\xFB\xA9\x69\x91\x46\x97\x68\x80\x14\x36\x1D\xB3\x7F\xBB\x29\x98\x36\xA5\x20\xFA\x82\x60\x62\x33\xA4\xEC\xD6\xBA\x07\xA7\x6E\xC5\xCF\x14\xA6\xE7\xD6\x92\x34\xD8\x81\xF5\xFC\x1D\x5D\xAA\x5C\x1E\xF6\xA3\x4D\x3B\xB8\xF7\x39\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x20\x04\x4B\x30\x49\x30\x47\x06\x04\x55\x1D\x20\x00\x30\x3F\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x31\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x6F\x76\x65\x72\x68\x65\x69\x64\x2E\x6E\x6C\x2F\x70\x6F\x6C\x69\x63\x69\x65\x73\x2F\x72\x6F\x6F\x74\x2D\x70\x6F\x6C\x69\x63\x79\x2D\x47\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x91\x68\x32\x87\x15\x1D\x89\xE2\xB5\xF1\xAC\x36\x28\x34\x8D\x0B\x7C\x62\x88\xEB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xA8\x41\x4A\x67\x2A\x92\x81\x82\x50\x6E\xE1\xD7\xD8\xB3\x39\x3B\xF3\x02\x15\x09\x50\x51\xEF\x2D\xBD\x24\x7B\x88\x86\x3B\xF9\xB4\xBC\x92\x09\x96\xB9\xF6\xC0\xAB\x23\x60\x06\x79\x8C\x11\x4E\x51\xD2\x79\x80\x33\xFB\x9D\x48\xBE\xEC\x41\x43\x81\x1F\x7E\x47\x40\x1C\xE5\x7A\x08\xCA\xAA\x8B\x75\xAD\x14\xC4\xC2\xE8\x66\x3C\x82\x07\xA7\xE6\x27\x82\x5B\x18\xE6\x0F\x6E\xD9\x50\x3E\x8A\x42\x18\x29\xC6\xB4\x56\xFC\x56\x10\xA0\x05\x17\xBD\x0C\x23\x7F\xF4\x93\xED\x9C\x1A\x51\xBE\xDD\x45\x41\xBF\x91\x24\xB4\x1F\x8C\xE9\x5F\xCF\x7B\x21\x99\x9F\x95\x9F\x39\x3A\x46\x1C\x6C\xF9\xCD\x7B\x9C\x90\xCD\x28\xA9\xC7\xA9\x55\xBB\xAC\x62\x34\x62\x35\x13\x4B\x14\x3A\x55\x83\xB9\x86\x8D\x92\xA6\xC6\xF4\x07\x25\x54\xCC\x16\x57\x12\x4A\x82\x78\xC8\x14\xD9\x17\x82\x26\x2D\x5D\x20\x1F\x79\xAE\xFE\xD4\x70\x16\x16\x95\x83\xD8\x35\x39\xFF\x52\x5D\x75\x1C\x16\xC5\x13\x55\xCF\x47\xCC\x75\x65\x52\x4A\xDE\xF0\xB0\xA7\xE4\x0A\x96\x0B\xFB\xAD\xC2\xE2\x25\x84\xB2\xDD\xE4\xBD\x7E\x59\x6C\x9B\xF0\xF0\xD8\xE7\xCA\xF2\xE9\x97\x38\x7E\x89\xBE\xCC\xFB\x39\x17\x61\x3F\x72\xDB\x3A\x91\xD8\x65\x01\x19\x1D\xAD\x50\xA4\x57\x0A\x7C\x4B\xBC\x9C\x71\x73\x2A\x45\x51\x19\x85\xCC\x8E\xFD\x47\xA7\x74\x95\x1D\xA8\xD1\xAF\x4E\x17\xB1\x69\x26\xC2\xAA\x78\x57\x5B\xC5\x4D\xA7\xE5\x9E\x05\x17\x94\xCA\xB2\x5F\xA0\x49\x18\x8D\x34\xE9\x26\x6C\x48\x1E\xAA\x68\x92\x05\xE1\x82\x73\x5A\x9B\xDC\x07\x5B\x08\x6D\x7D\x9D\xD7\x8D\x21\xD9\xFC\x14\x20\xAA\xC2\x45\xDF\x3F\xE7\x00\xB2\x51\xE4\xC2\xF8\x05\xB9\x79\x1A\x8C\x34\xF3\x9E\x5B\xE4\x37\x5B\x6B\x4A\xDF\x2C\x57\x8A\x40\x5A\x36\xBA\xDD\x75\x44\x08\x37\x42\x70\x0C\xFE\xDC\x5E\x21\xA0\xA3\x8A\xC0\x90\x9C\x68\xDA\x50\xE6\x45\x10\x47\x78\xB6\x4E\xD2\x65\xC9\xC3\x37\xDF\xE1\x42\x63\xB0\x57\x37\x45\x2D\x7B\x8A\x9C\xBF\x05\xEA\x65\x55\x33\xF7\x39\x10\xC5\x28\x2A\x21\x7A\x1B\x8A\xC4\x24\xF9\x3F\x15\xC8\x9A\x15\x20\xF5\x55\x62\x96\xED\x6D\x93\x50\xBC\xE4\xAA\x78\xAD\xD9\xCB\x0A\x65\x87\xA6\x66\xC1\xC4\x81\xA3\x77\x3A\x58\x1E\x0B\xEE\x83\x8B\x9D\x1E\xD2\x52\xA4\xCC\x1D\x6F\xB0\x98\x6D\x94\x31\xB5\xF8\x71\x0A\xDC\xB9\xFC\x7D\x32\x60\xE6\xEB\xAF\x8A\x01",
+	["CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x04\x0F\x30\x82\x02\xF7\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x13\x08\x43\x41\x20\x44\x69\x73\x69\x67\x30\x1E\x17\x0D\x30\x36\x30\x33\x32\x32\x30\x31\x33\x39\x33\x34\x5A\x17\x0D\x31\x36\x30\x33\x32\x32\x30\x31\x33\x39\x33\x34\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x13\x08\x43\x41\x20\x44\x69\x73\x69\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x92\xF6\x31\xC1\x7D\x88\xFD\x99\x01\xA9\xD8\x7B\xF2\x71\x75\xF1\x31\xC6\xF3\x75\x66\xFA\x51\x28\x46\x84\x97\x78\x34\xBC\x6C\xFC\xBC\x45\x59\x88\x26\x18\x4A\xC4\x37\x1F\xA1\x4A\x44\xBD\xE3\x71\x04\xF5\x44\x17\xE2\x3F\xFC\x48\x58\x6F\x5C\x9E\x7A\x09\xBA\x51\x37\x22\x23\x66\x43\x21\xB0\x3C\x64\xA2\xF8\x6A\x15\x0E\x3F\xEB\x51\xE1\x54\xA9\xDD\x06\x99\xD7\x9A\x3C\x54\x8B\x39\x03\x3F\x0F\xC5\xCE\xC6\xEB\x83\x72\x02\xA8\x1F\x71\xF3\x2D\xF8\x75\x08\xDB\x62\x4C\xE8\xFA\xCE\xF9\xE7\x6A\x1F\xB6\x6B\x35\x82\xBA\xE2\x8F\x16\x92\x7D\x05\x0C\x6C\x46\x03\x5D\xC0\xED\x69\xBF\x3A\xC1\x8A\xA0\xE8\x8E\xD9\xB9\x45\x28\x87\x08\xEC\xB4\xCA\x15\xBE\x82\xDD\xB5\x44\x8B\x2D\xAD\x86\x0C\x68\x62\x6D\x85\x56\xF2\xAC\x14\x63\x3A\xC6\xD1\x99\xAC\x34\x78\x56\x4B\xCF\xB6\xAD\x3F\x8C\x8A\xD7\x04\xE5\xE3\x78\x4C\xF5\x86\xAA\xF5\x8F\xFA\x3D\x6C\x71\xA3\x2D\xCA\x67\xEB\x68\x7B\x6E\x33\xA9\x0C\x82\x28\xA8\x4C\x6A\x21\x40\x15\x20\x0C\x26\x5B\x83\xC2\xA9\x16\x15\xC0\x24\x82\x5D\x2B\x16\xAD\xCA\x63\xF6\x74\x00\xB0\xDF\x43\xC4\x10\x60\x56\x67\x63\x45\x02\x03\x01\x00\x01\xA3\x81\xFF\x30\x81\xFC\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x8D\xB2\x49\x68\x9D\x72\x08\x25\xB9\xC0\x27\xF5\x50\x93\x56\x48\x46\x71\xF9\x8F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x36\x06\x03\x55\x1D\x11\x04\x2F\x30\x2D\x81\x13\x63\x61\x6F\x70\x65\x72\x61\x74\x6F\x72\x40\x64\x69\x73\x69\x67\x2E\x73\x6B\x86\x16\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x69\x73\x69\x67\x2E\x73\x6B\x2F\x63\x61\x30\x66\x06\x03\x55\x1D\x1F\x04\x5F\x30\x5D\x30\x2D\xA0\x2B\xA0\x29\x86\x27\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x69\x73\x69\x67\x2E\x73\x6B\x2F\x63\x61\x2F\x63\x72\x6C\x2F\x63\x61\x5F\x64\x69\x73\x69\x67\x2E\x63\x72\x6C\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x61\x2E\x64\x69\x73\x69\x67\x2E\x73\x6B\x2F\x63\x61\x2F\x63\x72\x6C\x2F\x63\x61\x5F\x64\x69\x73\x69\x67\x2E\x63\x72\x6C\x30\x1A\x06\x03\x55\x1D\x20\x04\x13\x30\x11\x30\x0F\x06\x0D\x2B\x81\x1E\x91\x93\xE6\x0A\x00\x00\x00\x01\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5D\x34\x74\x61\x4C\xAF\x3B\xD8\xFF\x9F\x6D\x58\x36\x1C\x3D\x0B\x81\x0D\x12\x2B\x46\x10\x80\xFD\xE7\x3C\x27\xD0\x7A\xC8\xA9\xB6\x7E\x74\x30\x33\xA3\x3A\x8A\x7B\x74\xC0\x79\x79\x42\x93\x6D\xFF\xB1\x29\x14\x82\xAB\x21\x8C\x2F\x17\xF9\x3F\x26\x2F\xF5\x59\xC6\xEF\x80\x06\xB7\x9A\x49\x29\xEC\xCE\x7E\x71\x3C\x6A\x10\x41\xC0\xF6\xD3\x9A\xB2\x7C\x5A\x91\x9C\xC0\xAC\x5B\xC8\x4D\x5E\xF7\xE1\x53\xFF\x43\x77\xFC\x9E\x4B\x67\x6C\xD7\xF3\x83\xD1\xA0\xE0\x7F\x25\xDF\xB8\x98\x0B\x9A\x32\x38\x6C\x30\xA0\xF3\xFF\x08\x15\x33\xF7\x50\x4A\x7B\x3E\xA3\x3E\x20\xA9\xDC\x2F\x56\x80\x0A\xED\x41\x50\xB0\xC9\xF4\xEC\xB2\xE3\x26\x44\x00\x0E\x6F\x9E\x06\xBC\x22\x96\x53\x70\x65\xC4\x50\x0A\x46\x6B\xA4\x2F\x27\x81\x12\x27\x13\x5F\x10\xA1\x76\xCE\x8A\x7B\x37\xEA\xC3\x39\x61\x03\x95\x98\x3A\xE7\x6C\x88\x25\x08\xFC\x79\x68\x0D\x87\x7D\x62\xF8\xB4\x5F\xFB\xC5\xD8\x4C\xBD\x58\xBC\x3F\x43\x5B\xD4\x1E\x01\x4D\x3C\x63\xBE\x23\xEF\x8C\xCD\x5A\x50\xB8\x68\x54\xF9\x0A\x99\x33\x11\x00\xE1\x9E\xC2\x46\x77\x82\xF5\x59\x06\x8C\x21\x4C\x87\x09\xCD\xE5\xA8",
+	["CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,emailAddress=pki@sk.ee"] = "\x30\x82\x04\xE6\x30\x82\x03\xCE\xA0\x03\x02\x01\x02\x02\x04\x3B\x8E\x4B\xFC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x1E\x17\x0D\x30\x31\x30\x38\x33\x30\x31\x34\x32\x33\x30\x31\x5A\x17\x0D\x31\x36\x30\x38\x32\x36\x31\x34\x32\x33\x30\x31\x5A\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x81\x71\x36\x3E\x33\x07\xD6\xE3\x30\x8D\x13\x7E\x77\x32\x46\xCB\xCF\x19\xB2\x60\x31\x46\x97\x86\xF4\x98\x46\xA4\xC2\x65\x45\xCF\xD3\x40\x7C\xE3\x5A\x22\xA8\x10\x78\x33\xCC\x88\xB1\xD3\x81\x4A\xF6\x62\x17\x7B\x5F\x4D\x0A\x2E\xD0\xCF\x8B\x23\xEE\x4F\x02\x4E\xBB\xEB\x0E\xCA\xBD\x18\x63\xE8\x80\x1C\x8D\xE1\x1C\x8D\x3D\xE0\xFF\x5B\x5F\xEA\x64\xE5\x97\xE8\x3F\x99\x7F\x0C\x0A\x09\x33\x00\x1A\x53\xA7\x21\xE1\x38\x4B\xD6\x83\x1B\xAD\xAF\x64\xC2\xF9\x1C\x7A\x8C\x66\x48\x4D\x66\x1F\x18\x0A\xE2\x3E\xBB\x1F\x07\x65\x93\x85\xB9\x1A\xB0\xB9\xC4\xFB\x0D\x11\xF6\xF5\xD6\xF9\x1B\xC7\x2C\x2B\xB7\x18\x51\xFE\xE0\x7B\xF6\xA8\x48\xAF\x6C\x3B\x4F\x2F\xEF\xF8\xD1\x47\x1E\x26\x57\xF0\x51\x1D\x33\x96\xFF\xEF\x59\x3D\xDA\x4D\xD1\x15\x34\xC7\xEA\x3F\x16\x48\x7B\x91\x1C\x80\x43\x0F\x3D\xB8\x05\x3E\xD1\xB3\x95\xCD\xD8\xCA\x0F\xC2\x43\x67\xDB\xB7\x93\xE0\x22\x82\x2E\xBE\xF5\x68\x28\x83\xB9\xC1\x3B\x69\x7B\x20\xDA\x4E\x9C\x6D\xE1\xBA\xCD\x8F\x7A\x6C\xB0\x09\x22\xD7\x8B\x0B\xDB\x1C\xD5\x5A\x26\x5B\x0D\xC0\xEA\xE5\x60\xD0\x9F\xFE\x35\xDF\x3F\x02\x03\x01\x00\x01\xA3\x82\x01\xAC\x30\x82\x01\xA8\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x16\x06\x03\x55\x1D\x20\x04\x82\x01\x0D\x30\x82\x01\x09\x30\x82\x01\x05\x06\x0A\x2B\x06\x01\x04\x01\xCE\x1F\x01\x01\x01\x30\x81\xF6\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x1E\x81\xC0\x00\x53\x00\x65\x00\x65\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x20\x00\x6F\x00\x6E\x00\x20\x00\x76\x00\xE4\x00\x6C\x00\x6A\x00\x61\x00\x73\x00\x74\x00\x61\x00\x74\x00\x75\x00\x64\x00\x20\x00\x41\x00\x53\x00\x2D\x00\x69\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x74\x00\x73\x00\x65\x00\x65\x00\x72\x00\x69\x00\x6D\x00\x69\x00\x73\x00\x6B\x00\x65\x00\x73\x00\x6B\x00\x75\x00\x73\x00\x20\x00\x61\x00\x6C\x00\x61\x00\x6D\x00\x2D\x00\x53\x00\x4B\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x69\x00\x64\x00\x65\x00\x20\x00\x6B\x00\x69\x00\x6E\x00\x6E\x00\x69\x00\x74\x00\x61\x00\x6D\x00\x69\x00\x73\x00\x65\x00\x6B\x00\x73\x30\x21\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x15\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x63\x70\x73\x2F\x30\x2B\x06\x03\x55\x1D\x1F\x04\x24\x30\x22\x30\x20\xA0\x1E\xA0\x1C\x86\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x6A\x75\x75\x72\x2F\x63\x72\x6C\x2F\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xE6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7B\xC1\x18\x94\x53\xA2\x09\xF3\xFE\x26\x67\x9A\x50\xE4\xC3\x05\x2F\x2B\x35\x78\x91\x4C\x7C\xA8\x11\x11\x79\x4C\x49\x59\xAC\xC8\xF7\x85\x65\x5C\x46\xBB\x3B\x10\xA0\x02\xAF\xCD\x4F\xB5\xCC\x36\x2A\xEC\x5D\xFE\xEF\xA0\x91\xC9\xB6\x93\x6F\x7C\x80\x54\xEC\xC7\x08\x70\x0D\x8E\xFB\x82\xEC\x2A\x60\x78\x69\x36\x36\xD1\xC5\x9C\x8B\x69\xB5\x40\xC8\x94\x65\x77\xF2\x57\x21\x66\x3B\xCE\x85\x40\xB6\x33\x63\x1A\xBF\x79\x1E\xFC\x5C\x1D\xD3\x1D\x93\x1B\x8B\x0C\x5D\x85\xBD\x99\x30\x32\x18\x09\x91\x52\xE9\x7C\xA1\xBA\xFF\x64\x92\x9A\xEC\xFE\x35\xEE\x8C\x2F\xAE\xFC\x20\x86\xEC\x4A\xDE\x1B\x78\x32\x37\xA6\x81\xD2\x9D\xAF\x5A\x12\x16\xCA\x99\x5B\xFC\x6F\x6D\x0E\xC5\xA0\x1E\x86\xC9\x91\xD0\x5C\x98\x82\x5F\x63\x0C\x8A\x5A\xAB\xD8\x95\xA6\xCC\xCB\x8A\xD6\xBF\x64\x4B\x8E\xCA\x8A\xB2\xB0\xE9\x21\x32\x9E\xAA\xA8\x85\x98\x34\x81\x39\x21\x3B\xA8\x3A\x52\x32\x3D\xF6\x6B\x37\x86\x06\x5A\x15\x98\xDC\xF0\x11\x66\xFE\x34\x20\xB7\x03\xF4\x41\x10\x7D\x39\x84\x79\x96\x72\x63\xB6\x96\x02\xE5\x6B\xB9\xAD\x19\x4D\xBB\xC6\x44\xDB\x36\xCB\x2A\x9C\x8E",
+	["CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK"] = "\x30\x82\x03\x30\x30\x82\x02\x18\xA0\x03\x02\x01\x02\x02\x02\x03\xE8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x33\x30\x35\x31\x35\x30\x35\x31\x33\x31\x34\x5A\x17\x0D\x32\x33\x30\x35\x31\x35\x30\x34\x35\x32\x32\x39\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAC\xFF\x38\xB6\xE9\x66\x02\x49\xE3\xA2\xB4\xE1\x90\xF9\x40\x8F\x79\xF9\xE2\xBD\x79\xFE\x02\xBD\xEE\x24\x92\x1D\x22\xF6\xDA\x85\x72\x69\xFE\xD7\x3F\x09\xD4\xDD\x91\xB5\x02\x9C\xD0\x8D\x5A\xE1\x55\xC3\x50\x86\xB9\x29\x26\xC2\xE3\xD9\xA0\xF1\x69\x03\x28\x20\x80\x45\x22\x2D\x56\xA7\x3B\x54\x95\x56\x22\x59\x1F\x28\xDF\x1F\x20\x3D\x6D\xA2\x36\xBE\x23\xA0\xB1\x6E\xB5\xB1\x27\x3F\x39\x53\x09\xEA\xAB\x6A\xE8\x74\xB2\xC2\x65\x5C\x8E\xBF\x7C\xC3\x78\x84\xCD\x9E\x16\xFC\xF5\x2E\x4F\x20\x2A\x08\x9F\x77\xF3\xC5\x1E\xC4\x9A\x52\x66\x1E\x48\x5E\xE3\x10\x06\x8F\x22\x98\xE1\x65\x8E\x1B\x5D\x23\x66\x3B\xB8\xA5\x32\x51\xC8\x86\xAA\xA1\xA9\x9E\x7F\x76\x94\xC2\xA6\x6C\xB7\x41\xF0\xD5\xC8\x06\x38\xE6\xD4\x0C\xE2\xF3\x3B\x4C\x6D\x50\x8C\xC4\x83\x27\xC1\x13\x84\x59\x3D\x9E\x75\x74\xB6\xD8\x02\x5E\x3A\x90\x7A\xC0\x42\x36\x72\xEC\x6A\x4D\xDC\xEF\xC4\x00\xDF\x13\x18\x57\x5F\x26\x78\xC8\xD6\x0A\x79\x77\xBF\xF7\xAF\xB7\x76\xB9\xA5\x0B\x84\x17\x5D\x10\xEA\x6F\xE1\xAB\x95\x11\x5F\x6D\x3C\xA3\x5C\x4D\x83\x5B\xF2\xB3\x19\x8A\x80\x8B\x0B\x87\x02\x03\x01\x00\x01\xA3\x26\x30\x24\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0E\x46\xD5\x3C\xAE\xE2\x87\xD9\x5E\x81\x8B\x02\x98\x41\x08\x8C\x4C\xBC\xDA\xDB\xEE\x27\x1B\x82\xE7\x6A\x45\xEC\x16\x8B\x4F\x85\xA0\xF3\xB2\x70\xBD\x5A\x96\xBA\xCA\x6E\x6D\xEE\x46\x8B\x6E\xE7\x2A\x2E\x96\xB3\x19\x33\xEB\xB4\x9F\xA8\xB2\x37\xEE\x98\xA8\x97\xB6\x2E\xB6\x67\x27\xD4\xA6\x49\xFD\x1C\x93\x65\x76\x9E\x42\x2F\xDC\x22\x6C\x9A\x4F\xF2\x5A\x15\x39\xB1\x71\xD7\x2B\x51\xE8\x6D\x1C\x98\xC0\xD9\x2A\xF4\xA1\x82\x7B\xD5\xC9\x41\xA2\x23\x01\x74\x38\x55\x8B\x0F\xB9\x2E\x67\xA2\x20\x04\x37\xDA\x9C\x0B\xD3\x17\x21\xE0\x8F\x97\x79\x34\x6F\x84\x48\x02\x20\x33\x1B\xE6\x34\x44\x9F\x91\x70\xF4\x80\x5E\x84\x43\xC2\x29\xD2\x6C\x12\x14\xE4\x61\x8D\xAC\x10\x90\x9E\x84\x50\xBB\xF0\x96\x6F\x45\x9F\x8A\xF3\xCA\x6C\x4F\xFA\x11\x3A\x15\x15\x46\xC3\xCD\x1F\x83\x5B\x2D\x41\x12\xED\x50\x67\x41\x13\x3D\x21\xAB\x94\x8A\xAA\x4E\x7C\xC1\xB1\xFB\xA7\xD6\xB5\x27\x2F\x97\xAB\x6E\xE0\x1D\xE2\xD1\x1C\x2C\x1F\x44\xE2\xFC\xBE\x91\xA1\x9C\xFB\xD6\x29\x53\x73\x86\x9F\x53\xD8\x43\x0E\x5D\xD6\x63\x82\x71\x1D\x80\x74\xCA\xF6\xE2\x02\x6B\xD9\x5A",
+	["CN=SecureSign RootCA11,O=Japan Certification Services\, Inc.,C=JP"] = "\x30\x82\x03\x6D\x30\x82\x02\x55\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x1E\x17\x0D\x30\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x17\x0D\x32\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xFD\x77\xAA\xA5\x1C\x90\x05\x3B\xCB\x4C\x9B\x33\x8B\x5A\x14\x45\xA4\xE7\x90\x16\xD1\xDF\x57\xD2\x21\x10\xA4\x17\xFD\xDF\xAC\xD6\x1F\xA7\xE4\xDB\x7C\xF7\xEC\xDF\xB8\x03\xDA\x94\x58\xFD\x5D\x72\x7C\x8C\x3F\x5F\x01\x67\x74\x15\x96\xE3\x02\x3C\x87\xDB\xAE\xCB\x01\x8E\xC2\xF3\x66\xC6\x85\x45\xF4\x02\xC6\x3A\xB5\x62\xB2\xAF\xFA\x9C\xBF\xA4\xE6\xD4\x80\x30\x98\xF3\x0D\xB6\x93\x8F\xA9\xD4\xD8\x36\xF2\xB0\xFC\x8A\xCA\x2C\xA1\x15\x33\x95\x31\xDA\xC0\x1B\xF2\xEE\x62\x99\x86\x63\x3F\xBF\xDD\x93\x2A\x83\xA8\x76\xB9\x13\x1F\xB7\xCE\x4E\x42\x85\x8F\x22\xE7\x2E\x1A\xF2\x95\x09\xB2\x05\xB5\x44\x4E\x77\xA1\x20\xBD\xA9\xF2\x4E\x0A\x7D\x50\xAD\xF5\x05\x0D\x45\x4F\x46\x71\xFD\x28\x3E\x53\xFB\x04\xD8\x2D\xD7\x65\x1D\x4A\x1B\xFA\xCF\x3B\xB0\x31\x9A\x35\x6E\xC8\x8B\x06\xD3\x00\x91\xF2\x94\x08\x65\x4C\xB1\x34\x06\x00\x7A\x89\xE2\xF0\xC7\x03\x59\xCF\xD5\xD6\xE8\xA7\x32\xB3\xE6\x98\x40\x86\xC5\xCD\x27\x12\x8B\xCC\x7B\xCE\xB7\x11\x3C\x62\x60\x07\x23\x3E\x2B\x40\x6E\x94\x80\x09\x6D\xB6\xB3\x6F\x77\x6F\x35\x08\x50\xFB\x02\x87\xC5\x3E\x89\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\xF8\x4D\x4F\xB2\xA5\x86\xD4\x3A\xD2\xF1\x63\x9A\xA0\xBE\x09\xF6\x57\xB7\xDE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\xA1\x38\x16\x66\x2E\xA7\x56\x1F\x21\x9C\x06\xFA\x1D\xED\xB9\x22\xC5\x38\x26\xD8\x4E\x4F\xEC\xA3\x7F\x79\xDE\x46\x21\xA1\x87\x77\x8F\x07\x08\x9A\xB2\xA4\xC5\xAF\x0F\x32\x98\x0B\x7C\x66\x29\xB6\x9B\x7D\x25\x52\x49\x43\xAB\x4C\x2E\x2B\x6E\x7A\x70\xAF\x16\x0E\xE3\x02\x6C\xFB\x42\xE6\x18\x9D\x45\xD8\x55\xC8\xE8\x3B\xDD\xE7\xE1\xF4\x2E\x0B\x1C\x34\x5C\x6C\x58\x4A\xFB\x8C\x88\x50\x5F\x95\x1C\xBF\xED\xAB\x22\xB5\x65\xB3\x85\xBA\x9E\x0F\xB8\xAD\xE5\x7A\x1B\x8A\x50\x3A\x1D\xBD\x0D\xBC\x7B\x54\x50\x0B\xB9\x42\xAF\x55\xA0\x18\x81\xAD\x65\x99\xEF\xBE\xE4\x9C\xBF\xC4\x85\xAB\x41\xB2\x54\x6F\xDC\x25\xCD\xED\x78\xE2\x8E\x0C\x8D\x09\x49\xDD\x63\x7B\x5A\x69\x96\x02\x21\xA8\xBD\x52\x59\xE9\x7D\x35\xCB\xC8\x52\xCA\x7F\x81\xFE\xD9\x6B\xD3\xF7\x11\xED\x25\xDF\xF8\xE7\xF9\xA4\xFA\x72\x97\x84\x53\x0D\xA5\xD0\x32\x18\x51\x76\x59\x14\x6C\x0F\xEB\xEC\x5F\x80\x8C\x75\x43\x83\xC3\x85\x98\xFF\x4C\x9E\x2D\x0D\xE4\x77\x83\x93\x4E\xB5\x96\x07\x8B\x28\x13\x9B\x8C\x19\x8D\x41\x27\x49\x40\xEE\xDE\xE6\x23\x44\x39\xDC\xA1\x22\xD6\xBA\x03\xF2",
+	["C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root"] = "\x30\x82\x05\xB5\x30\x82\x03\x9D\xA0\x03\x02\x01\x02\x02\x08\x61\x8D\xC7\x86\x3B\x01\x82\x05\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x30\x38\x30\x34\x31\x38\x31\x36\x32\x34\x32\x32\x5A\x17\x0D\x32\x38\x30\x34\x31\x33\x31\x36\x32\x34\x32\x32\x5A\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xFF\x92\x95\xE1\x68\x06\x76\xB4\x2C\xC8\x58\x48\xCA\xFD\x80\x54\x29\x55\x63\x24\xFF\x90\x65\x9B\x10\x75\x7B\xC3\x6A\xDB\x62\x02\x01\xF2\x18\x86\xB5\x7C\x5A\x38\xB1\xE4\x58\xB9\xFB\xD3\xD8\x2D\x9F\xBD\x32\x37\xBF\x2C\x15\x6D\xBE\xB5\xF4\x21\xD2\x13\x91\xD9\x07\xAD\x01\x05\xD6\xF3\xBD\x77\xCE\x5F\x42\x81\x0A\xF9\x6A\xE3\x83\x00\xA8\x2B\x2E\x55\x13\x63\x81\xCA\x47\x1C\x7B\x5C\x16\x57\x7A\x1B\x83\x60\x04\x3A\x3E\x65\xC3\xCD\x01\xDE\xDE\xA4\xD6\x0C\xBA\x8E\xDE\xD9\x04\xEE\x17\x56\x22\x9B\x8F\x63\xFD\x4D\x16\x0B\xB7\x7B\x77\x8C\xF9\x25\xB5\xD1\x6D\x99\x12\x2E\x4F\x1A\xB8\xE6\xEA\x04\x92\xAE\x3D\x11\xB9\x51\x42\x3D\x87\xB0\x31\x85\xAF\x79\x5A\x9C\xFE\xE7\x4E\x5E\x92\x4F\x43\xFC\xAB\x3A\xAD\xA5\x12\x26\x66\xB9\xE2\x0C\xD7\x98\xCE\xD4\x58\xA5\x95\x40\x0A\xB7\x44\x9D\x13\x74\x2B\xC2\xA5\xEB\x22\x15\x98\x10\xD8\x8B\xC5\x04\x9F\x1D\x8F\x60\xE5\x06\x1B\x9B\xCF\xB9\x79\xA0\x3D\xA2\x23\x3F\x42\x3F\x6B\xFA\x1C\x03\x7B\x30\x8D\xCE\x6C\xC0\xBF\xE6\x1B\x5F\xBF\x67\xB8\x84\x19\xD5\x15\xEF\x7B\xCB\x90\x36\x31\x62\xC9\xBC\x02\xAB\x46\x5F\x9B\xFE\x1A\x68\x94\x34\x3D\x90\x8E\xAD\xF6\xE4\x1D\x09\x7F\x4A\x88\x38\x3F\xBE\x67\xFD\x34\x96\xF5\x1D\xBC\x30\x74\xCB\x38\xEE\xD5\x6C\xAB\xD4\xFC\xF4\x00\xB7\x00\x5B\x85\x32\x16\x76\x33\xE9\xD8\xA3\x99\x9D\x05\x00\xAA\x16\xE6\xF3\x81\x7D\x6F\x7D\xAA\x86\x6D\xAD\x15\x74\xD3\xC4\xA2\x71\xAA\xF4\x14\x7D\xE7\x32\xB8\x1F\xBC\xD5\xF1\x4E\xBD\x6F\x17\x02\x39\xD7\x0E\x95\x42\x3A\xC7\x00\x3E\xE9\x26\x63\x11\xEA\x0B\xD1\x4A\xFF\x18\x9D\xB2\xD7\x7B\x2F\x3A\xD9\x96\xFB\xE8\x1E\x92\xAE\x13\x55\xC8\xD9\x27\xF6\xDC\x48\x1B\xB0\x24\xC1\x85\xE3\x77\x9D\x9A\xA4\xF3\x0C\x11\x1D\x0D\xC8\xB4\x14\xEE\xB5\x82\x57\x09\xBF\x20\x58\x7F\x2F\x22\x23\xD8\x70\xCB\x79\x6C\xC9\x4B\xF2\xA9\x2A\xC8\xFC\x87\x2B\xD7\x1A\x50\xF8\x27\xE8\x2F\x43\xE3\x3A\xBD\xD8\x57\x71\xFD\xCE\xA6\x52\x5B\xF9\xDD\x4D\xED\xE5\xF6\x6F\x89\xED\xBB\x93\x9C\x76\x21\x75\xF0\x92\x4C\x29\xF7\x2F\x9C\x01\x2E\xFE\x50\x46\x9E\x64\x0C\x14\xB3\x07\x5B\xC5\xC2\x73\x6C\xF1\x07\x5C\x45\x24\x14\x35\xAE\x83\xF1\x6A\x4D\x89\x7A\xFA\xB3\xD8\x2D\x66\xF0\x36\x87\xF5\x2B\x53\x02\x03\x01\x00\x01\xA3\x81\xAA\x30\x81\xA7\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x44\x06\x03\x55\x1D\x20\x04\x3D\x30\x3B\x30\x39\x06\x04\x55\x1D\x20\x00\x30\x31\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x61\x63\x65\x64\x69\x63\x6F\x6D\x2E\x65\x64\x69\x63\x6F\x6D\x67\x72\x6F\x75\x70\x2E\x63\x6F\x6D\x2F\x64\x6F\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xCE\x2C\x0B\x52\x51\x62\x26\x7D\x0C\x27\x83\x8F\xC5\xF6\xDA\xA0\x68\x7B\x4F\x92\x5E\xEA\xA4\x73\x32\x11\x53\x44\xB2\x44\xCB\x9D\xEC\x0F\x79\x42\xB3\x10\xA6\xC7\x0D\x9D\xCB\xB6\xFA\x3F\x3A\x7C\xEA\xBF\x88\x53\x1B\x3C\xF7\x82\xFA\x05\x35\x33\xE1\x35\xA8\x57\xC0\xE7\xFD\x8D\x4F\x3F\x93\x32\x4F\x78\x66\x03\x77\x07\x58\xE9\x95\xC8\x7E\x3E\xD0\x79\x00\x8C\xF2\x1B\x51\x33\x9B\xBC\x94\xE9\x3A\x7B\x6E\x52\x2D\x32\x9E\x23\xA4\x45\xFB\xB6\x2E\x13\xB0\x8B\x18\xB1\xDD\xCE\xD5\x1D\xA7\x42\x7F\x55\xBE\xFB\x5B\xBB\x47\xD4\xFC\x24\xCD\x04\xAE\x96\x05\x15\xD6\xAC\xCE\x30\xF3\xCA\x0B\xC5\xBA\xE2\x22\xE0\xA6\xAD\x22\xE4\x02\xEE\x74\x11\x7F\x4C\xFF\x78\x1D\x35\xDA\xE6\x02\x34\xEB\x18\x12\x61\x77\x06\x09\x16\x63\xEA\x18\xAD\xA2\x87\x1F\xF2\xC7\x80\x09\x09\x75\x4E\x10\xA8\x8F\x3D\x86\xB8\x75\x11\xC0\x24\x62\x8A\x96\x7B\x4A\x45\xE9\xEC\x59\xC5\xBE\x6B\x83\xE6\xE1\xE8\xAC\xB5\x30\x1E\xFE\x05\x07\x80\xF9\xE1\x23\x0D\x50\x8F\x05\x98\xFF\x2C\x5F\xE8\x3B\xB6\xAD\xCF\x81\xB5\x21\x87\xCA\x08\x2A\x23\x27\x30\x20\x2B\xCF\xED\x94\x5B\xAC\xB2\x7A\xD2\xC7\x28\xA1\x8A\x0B\x9B\x4D\x4A\x2C\x6D\x85\x3F\x09\x72\x3C\x67\xE2\xD9\xDC\x07\xBA\xEB\x65\x7B\x5A\x01\x63\xD6\x90\x5B\x4F\x17\x66\x3D\x7F\x0B\x19\xA3\x93\x63\x10\x52\x2A\x9F\x14\x16\x58\xE2\xDC\xA5\xF4\xA1\x16\x8B\x0E\x91\x8B\x81\xCA\x9B\x59\xFA\xD8\x6B\x91\x07\x65\x55\x5F\x52\x1F\xAF\x3A\xFB\x90\xDD\x69\xA5\x5B\x9C\x6D\x0E\x2C\xB6\xFA\xCE\xAC\xA5\x7C\x32\x4A\x67\x40\xDC\x30\x34\x23\xDD\xD7\x04\x23\x66\xF0\xFC\x55\x80\xA7\xFB\x66\x19\x82\x35\x67\x62\x70\x39\x5E\x6F\xC7\xEA\x90\x40\x44\x08\x1E\xB8\xB2\xD6\xDB\xEE\x59\xA7\x0D\x18\x79\x34\xBC\x54\x18\x5E\x53\xCA\x34\x51\xED\x45\x0A\xE6\x8E\xC7\x82\x36\x3E\xA7\x38\x63\xA9\x30\x2C\x17\x10\x60\x92\x9F\x55\x87\x12\x59\x10\xC2\x0F\x67\x69\x11\xCC\x4E\x1E\x7E\x4A\x9A\xAD\xAF\x40\xA8\x75\xAC\x56\x90\x74\xB8\xA0\x9C\xA5\x79\x6F\xDC\xE9\x1A\xC8\x69\x05\xE9\xBA\xFA\x03\xB3\x7C\xE4\xE0\x4E\xC2\xCE\x9D\xE8\xB6\x46\x0D\x6E\x7E\x57\x3A\x67\x94\xC2\xCB\x1F\x9C\x77\x4A\x67\x4E\x69\x86\x43\x93\x38\xFB\xB6\xDB\x4F\x83\x91\xD4\x60\x7E\x4B\x3E\x2B\x38\x07\x55\x98\x5E\xA4",
+	["emailAddress=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU"] = "\x30\x82\x04\x0A\x30\x82\x02\xF2\xA0\x03\x02\x01\x02\x02\x09\x00\xC2\x7E\x43\x04\x4E\x47\x3F\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x1E\x17\x0D\x30\x39\x30\x36\x31\x36\x31\x31\x33\x30\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x30\x31\x31\x33\x30\x31\x38\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\xF8\x8F\xF3\x63\xAD\xDA\x86\xD8\xA7\xE0\x42\xFB\xCF\x91\xDE\xA6\x26\xF8\x99\xA5\x63\x70\xAD\x9B\xAE\xCA\x33\x40\x7D\x6D\x96\x6E\xA1\x0E\x44\xEE\xE1\x13\x9D\x94\x42\x52\x9A\xBD\x75\x85\x74\x2C\xA8\x0E\x1D\x93\xB6\x18\xB7\x8C\x2C\xA8\xCF\xFB\x5C\x71\xB9\xDA\xEC\xFE\xE8\x7E\x8F\xE4\x2F\x1D\xB2\xA8\x75\x87\xD8\xB7\xA1\xE5\x3B\xCF\x99\x4A\x46\xD0\x83\x19\x7D\xC0\xA1\x12\x1C\x95\x6D\x4A\xF4\xD8\xC7\xA5\x4D\x33\x2E\x85\x39\x40\x75\x7E\x14\x7C\x80\x12\x98\x50\xC7\x41\x67\xB8\xA0\x80\x61\x54\xA6\x6C\x4E\x1F\xE0\x9D\x0E\x07\xE9\xC9\xBA\x33\xE7\xFE\xC0\x55\x28\x2C\x02\x80\xA7\x19\xF5\x9E\xDC\x55\x53\x03\x97\x7B\x07\x48\xFF\x99\xFB\x37\x8A\x24\xC4\x59\xCC\x50\x10\x63\x8E\xAA\xA9\x1A\xB0\x84\x1A\x86\xF9\x5F\xBB\xB1\x50\x6E\xA4\xD1\x0A\xCC\xD5\x71\x7E\x1F\xA7\x1B\x7C\xF5\x53\x6E\x22\x5F\xCB\x2B\xE6\xD4\x7C\x5D\xAE\xD6\xC2\xC6\x4C\xE5\x05\x01\xD9\xED\x57\xFC\xC1\x23\x79\xFC\xFA\xC8\x24\x83\x95\xF3\xB5\x6A\x51\x01\xD0\x77\xD6\xE9\x12\xA1\xF9\x1A\x83\xFB\x82\x1B\xB9\xB0\x97\xF4\x76\x06\x33\x43\x49\xA0\xFF\x0B\xB5\xFA\xB5\x02\x03\x01\x00\x01\xA3\x81\x80\x30\x7E\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1B\x06\x03\x55\x1D\x11\x04\x14\x30\x12\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xC9\xD1\x0E\x5E\x2E\xD5\xCC\xB3\x7C\x3E\xCB\xFC\x3D\xFF\x0D\x28\x95\x93\x04\xC8\xBF\xDA\xCD\x79\xB8\x43\x90\xF0\xA4\xBE\xEF\xF2\xEF\x21\x98\xBC\xD4\xD4\x5D\x06\xF6\xEE\x42\xEC\x30\x6C\xA0\xAA\xA9\xCA\xF1\xAF\x8A\xFA\x3F\x0B\x73\x6A\x3E\xEA\x2E\x40\x7E\x1F\xAE\x54\x61\x79\xEB\x2E\x08\x37\xD7\x23\xF3\x8C\x9F\xBE\x1D\xB1\xE1\xA4\x75\xDB\xA0\xE2\x54\x14\xB1\xBA\x1C\x29\xA4\x18\xF6\x12\xBA\xA2\x14\x14\xE3\x31\x35\xC8\x40\xFF\xB7\xE0\x05\x76\x57\xC1\x1C\x59\xF2\xF8\xBF\xE4\xED\x25\x62\x5C\x84\xF0\x7E\x7E\x1F\xB3\xBE\xF9\xB7\x21\x11\xCC\x03\x01\x56\x70\xA7\x10\x92\x1E\x1B\x34\x81\x1E\xAD\x9C\x1A\xC3\x04\x3C\xED\x02\x61\xD6\x1E\x06\xF3\x5F\x3A\x87\xF2\x2B\xF1\x45\x87\xE5\x3D\xAC\xD1\xC7\x57\x84\xBD\x6B\xAE\xDC\xD8\xF9\xB6\x1B\x62\x70\x0B\x3D\x36\xC9\x42\xF2\x32\xD7\x7A\x61\xE6\xD2\xDB\x3D\xCF\xC8\xA9\xC9\x9B\xDC\xDB\x58\x44\xD7\x6F\x38\xAF\x7F\x78\xD3\xA3\xAD\x1A\x75\xBA\x1C\xC1\x36\x7C\x8F\x1E\x6D\x1C\xC3\x75\x46\xAE\x35\x05\xA6\xF6\x5C\x3D\x21\xEE\x56\xF0\xC9\x82\x22\x2D\x7A\x54\xAB\x70\xC3\x7D\x22\x65\x82\x70\x96",
+	["CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR"] = "\x30\x82\x03\xB6\x30\x82\x02\x9E\xA0\x03\x02\x01\x02\x02\x10\x44\x99\x8D\x3C\xC0\x03\x27\xBD\x9C\x76\x95\xB9\xEA\xDB\xAC\xB5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x13\x1F\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x42\x69\x6C\x67\x69\x20\x47\x75\x76\x65\x6E\x6C\x69\x67\x69\x20\x41\x2E\x53\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x03\x13\x33\x65\x2D\x47\x75\x76\x65\x6E\x20\x4B\x6F\x6B\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\x67\x6C\x61\x79\x69\x63\x69\x73\x69\x30\x1E\x17\x0D\x30\x37\x30\x31\x30\x34\x31\x31\x33\x32\x34\x38\x5A\x17\x0D\x31\x37\x30\x31\x30\x34\x31\x31\x33\x32\x34\x38\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x13\x1F\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x42\x69\x6C\x67\x69\x20\x47\x75\x76\x65\x6E\x6C\x69\x67\x69\x20\x41\x2E\x53\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x03\x13\x33\x65\x2D\x47\x75\x76\x65\x6E\x20\x4B\x6F\x6B\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\x67\x6C\x61\x79\x69\x63\x69\x73\x69\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC3\x12\x20\x9E\xB0\x5E\x00\x65\x8D\x4E\x46\xBB\x80\x5C\xE9\x2C\x06\x97\xD5\xF3\x72\xC9\x70\xB9\xE7\x4B\x65\x80\xC1\x4B\xBE\x7E\x3C\xD7\x54\x31\x94\xDE\xD5\x12\xBA\x53\x16\x02\xEA\x58\x63\xEF\x5B\xD8\xF3\xED\x2A\x1A\xAA\x71\x48\xA3\xDC\x10\x2D\x5F\x5F\xEB\x5C\x4B\x9C\x96\x08\x42\x25\x28\x11\xCC\x8A\x5A\x62\x01\x50\xD5\xEB\x09\x53\x2F\xF8\xC3\x8F\xFE\xB3\xFC\xFD\x9D\xA2\xE3\x5F\x7D\xBE\xED\x0B\xE0\x60\xEB\x69\xEC\x33\xED\xD8\x8D\xFB\x12\x49\x83\x00\xC9\x8B\x97\x8C\x3B\x73\x2A\x32\xB3\x12\xF7\xB9\x4D\xF2\xF4\x4D\x6D\xC7\xE6\xD6\x26\x37\x08\xF2\xD9\xFD\x6B\x5C\xA3\xE5\x48\x5C\x58\xBC\x42\xBE\x03\x5A\x81\xBA\x1C\x35\x0C\x00\xD3\xF5\x23\x7E\x71\x30\x08\x26\x38\xDC\x25\x11\x47\x2D\xF3\xBA\x23\x10\xA5\xBF\xBC\x02\xF7\x43\x5E\xC7\xFE\xB0\x37\x50\x99\x7B\x0F\x93\xCE\xE6\x43\x2C\xC3\x7E\x0D\xF2\x1C\x43\x66\x60\xCB\x61\x31\x47\x87\xA3\x4F\xAE\xBD\x56\x6C\x4C\xBC\xBC\xF8\x05\xCA\x64\xF4\xE9\x34\xA1\x2C\xB5\x73\xE1\xC2\x3E\xE8\xC8\xC9\x34\x25\x08\x5C\xF3\xED\xA6\xC7\x94\x9F\xAD\x88\x43\x25\xD7\xE1\x39\x60\xFE\xAC\x39\x59\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9F\xEE\x44\xB3\x94\xD5\xFA\x91\x4F\x2E\xD9\x55\x9A\x04\x56\xDB\x2D\xC4\xDB\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7F\x5F\xB9\x53\x5B\x63\x3D\x75\x32\xE7\xFA\xC4\x74\x1A\xCB\x46\xDF\x46\x69\x1C\x52\xCF\xAA\x4F\xC2\x68\xEB\xFF\x80\xA9\x51\xE8\x3D\x62\x77\x89\x3D\x0A\x75\x39\xF1\x6E\x5D\x17\x87\x6F\x68\x05\xC1\x94\x6C\xD9\x5D\xDF\xDA\xB2\x59\xCB\xA5\x10\x8A\xCA\xCC\x39\xCD\x9F\xEB\x4E\xDE\x52\xFF\x0C\xF0\xF4\x92\xA9\xF2\x6C\x53\xAB\x9B\xD2\x47\xA0\x1F\x74\xF7\x9B\x9A\xF1\x2F\x15\x9F\x7A\x64\x30\x18\x07\x3C\x2A\x0F\x67\xCA\xFC\x0F\x89\x61\x9D\x65\xA5\x3C\xE5\xBC\x13\x5B\x08\xDB\xE3\xFF\xED\xBB\x06\xBB\x6A\x06\xB1\x7A\x4F\x65\xC6\x82\xFD\x1E\x9C\x8B\xB5\x0D\xEE\x48\xBB\xB8\xBD\xAA\x08\xB4\xFB\xA3\x7C\xCB\x9F\xCD\x90\x76\x5C\x86\x96\x78\x57\x0A\x66\xF9\x58\x1A\x9D\xFD\x97\x29\x60\xDE\x11\xA6\x90\x1C\x19\x1C\xEE\x01\x96\x22\x34\x34\x2E\x91\xF9\xB7\xC4\x27\xD1\x7B\xE6\xBF\xFB\x80\x44\x5A\x16\xE5\xEB\xE0\xD4\x0A\x38\xBC\xE4\x91\xE3\xD5\xEB\x5C\xC1\xAC\xDF\x1B\x6A\x7C\x9E\xE5\x75\xD2\xB6\x97\x87\xDB\xCC\x87\x2B\x43\x3A\x84\x08\xAF\xAB\x3C\xDB\xF7\x3C\x66\x31\x86\xB0\x9D\x53\x79\xED\xF8\x23\xDE\x42\xE3\x2D\x82\xF1\x0F\xE5\xFA\x97",
+	["CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3"] = "\x30\x82\x03\x5F\x30\x82\x02\x47\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x21\x58\x53\x08\xA2\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCC\x25\x76\x90\x79\x06\x78\x22\x16\xF5\xC0\x83\xB6\x84\xCA\x28\x9E\xFD\x05\x76\x11\xC5\xAD\x88\x72\xFC\x46\x02\x43\xC7\xB2\x8A\x9D\x04\x5F\x24\xCB\x2E\x4B\xE1\x60\x82\x46\xE1\x52\xAB\x0C\x81\x47\x70\x6C\xDD\x64\xD1\xEB\xF5\x2C\xA3\x0F\x82\x3D\x0C\x2B\xAE\x97\xD7\xB6\x14\x86\x10\x79\xBB\x3B\x13\x80\x77\x8C\x08\xE1\x49\xD2\x6A\x62\x2F\x1F\x5E\xFA\x96\x68\xDF\x89\x27\x95\x38\x9F\x06\xD7\x3E\xC9\xCB\x26\x59\x0D\x73\xDE\xB0\xC8\xE9\x26\x0E\x83\x15\xC6\xEF\x5B\x8B\xD2\x04\x60\xCA\x49\xA6\x28\xF6\x69\x3B\xF6\xCB\xC8\x28\x91\xE5\x9D\x8A\x61\x57\x37\xAC\x74\x14\xDC\x74\xE0\x3A\xEE\x72\x2F\x2E\x9C\xFB\xD0\xBB\xBF\xF5\x3D\x00\xE1\x06\x33\xE8\x82\x2B\xAE\x53\xA6\x3A\x16\x73\x8C\xDD\x41\x0E\x20\x3A\xC0\xB4\xA7\xA1\xE9\xB2\x4F\x90\x2E\x32\x60\xE9\x57\xCB\xB9\x04\x92\x68\x68\xE5\x38\x26\x60\x75\xB2\x9F\x77\xFF\x91\x14\xEF\xAE\x20\x49\xFC\xAD\x40\x15\x48\xD1\x02\x31\x61\x19\x5E\xB8\x97\xEF\xAD\x77\xB7\x64\x9A\x7A\xBF\x5F\xC1\x13\xEF\x9B\x62\xFB\x0D\x6C\xE0\x54\x69\x16\xA9\x03\xDA\x6E\xE9\x83\x93\x71\x76\xC6\x69\x85\x82\x17\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x8F\xF0\x4B\x7F\xA8\x2E\x45\x24\xAE\x4D\x50\xFA\x63\x9A\x8B\xDE\xE2\xDD\x1B\xBC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4B\x40\xDB\xC0\x50\xAA\xFE\xC8\x0C\xEF\xF7\x96\x54\x45\x49\xBB\x96\x00\x09\x41\xAC\xB3\x13\x86\x86\x28\x07\x33\xCA\x6B\xE6\x74\xB9\xBA\x00\x2D\xAE\xA4\x0A\xD3\xF5\xF1\xF1\x0F\x8A\xBF\x73\x67\x4A\x83\xC7\x44\x7B\x78\xE0\xAF\x6E\x6C\x6F\x03\x29\x8E\x33\x39\x45\xC3\x8E\xE4\xB9\x57\x6C\xAA\xFC\x12\x96\xEC\x53\xC6\x2D\xE4\x24\x6C\xB9\x94\x63\xFB\xDC\x53\x68\x67\x56\x3E\x83\xB8\xCF\x35\x21\xC3\xC9\x68\xFE\xCE\xDA\xC2\x53\xAA\xCC\x90\x8A\xE9\xF0\x5D\x46\x8C\x95\xDD\x7A\x58\x28\x1A\x2F\x1D\xDE\xCD\x00\x37\x41\x8F\xED\x44\x6D\xD7\x53\x28\x97\x7E\xF3\x67\x04\x1E\x15\xD7\x8A\x96\xB4\xD3\xDE\x4C\x27\xA4\x4C\x1B\x73\x73\x76\xF4\x17\x99\xC2\x1F\x7A\x0E\xE3\x2D\x08\xAD\x0A\x1C\x2C\xFF\x3C\xAB\x55\x0E\x0F\x91\x7E\x36\xEB\xC3\x57\x49\xBE\xE1\x2E\x2D\x7C\x60\x8B\xC3\x41\x51\x13\x23\x9D\xCE\xF7\x32\x6B\x94\x01\xA8\x99\xE7\x2C\x33\x1F\x3A\x3B\x25\xD2\x86\x40\xCE\x3B\x2C\x86\x78\xC9\x61\x2F\x14\xBA\xEE\xDB\x55\x6F\xDF\x84\xEE\x05\x09\x4D\xBD\x28\xD8\x72\xCE\xD3\x62\x50\x65\x1E\xEB\x92\x97\x83\x31\xD9\xB3\xB5\xCA\x47\x58\x3F\x5F",
+	["CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE"] = "\x30\x82\x03\xE1\x30\x82\x02\xC9\xA0\x03\x02\x01\x02\x02\x0E\x63\x25\x00\x01\x00\x02\x14\x8D\x33\x15\x02\xE4\x6C\xF4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x49\x49\x49\x30\x1E\x17\x0D\x30\x39\x30\x39\x30\x39\x30\x38\x31\x35\x32\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x47\x6D\x62\x48\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x54\x43\x20\x54\x72\x75\x73\x74\x43\x65\x6E\x74\x65\x72\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x49\x49\x49\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC2\xDA\x9C\x62\xB0\xB9\x71\x12\xB0\x0B\xC8\x1A\x57\xB2\xAE\x83\x14\x99\xB3\x34\x4B\x9B\x90\xA2\xC5\xE7\xE7\x2F\x02\xA0\x4D\x2D\xA4\xFA\x85\xDA\x9B\x25\x85\x2D\x40\x28\x20\x6D\xEA\xE0\xBD\xB1\x48\x83\x22\x29\x44\x9F\x4E\x83\xEE\x35\x51\x13\x73\x74\xD5\xBC\xF2\x30\x66\x94\x53\xC0\x40\x36\x2F\x0C\x84\x65\xCE\x0F\x6E\xC2\x58\x93\xE8\x2C\x0B\x3A\xE9\xC1\x8E\xFB\xF2\x6B\xCA\x3C\xE2\x9C\x4E\x8E\xE4\xF9\x7D\xD3\x27\x9F\x1B\xD5\x67\x78\x87\x2D\x7F\x0B\x47\xB3\xC7\xE8\xC9\x48\x7C\xAF\x2F\xCC\x0A\xD9\x41\xEF\x9F\xFE\x9A\xE1\xB2\xAE\xF9\x53\xB5\xE5\xE9\x46\x9F\x60\xE3\xDF\x8D\xD3\x7F\xFB\x96\x7E\xB3\xB5\x72\xF8\x4B\xAD\x08\x79\xCD\x69\x89\x40\x27\xF5\x2A\xC1\xAD\x43\xEC\xA4\x53\xC8\x61\xB6\xF7\xD2\x79\x2A\x67\x18\x76\x48\x6D\x5B\x25\x01\xD1\x26\xC5\xB7\x57\x69\x23\x15\x5B\x61\x8A\xAD\xF0\x1B\x2D\xD9\xAF\x5C\xF1\x26\x90\x69\xA9\xD5\x0C\x40\xF5\x33\x80\x43\x8F\x9C\xA3\x76\x2A\x45\xB4\xAF\xBF\x7F\x3E\x87\x3F\x76\xC5\xCD\x2A\xDE\x20\xC5\x16\x58\xCB\xF9\x1B\xF5\x0F\xCB\x0D\x11\x52\x64\xB8\xD2\x76\x62\x77\x83\xF1\x58\x9F\xFF\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x56\xE7\xE1\x5B\x25\x43\x80\xE0\xF6\x8C\xE1\x71\xBC\x8E\xE5\x80\x2F\xC4\x48\xE2\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x56\xE7\xE1\x5B\x25\x43\x80\xE0\xF6\x8C\xE1\x71\xBC\x8E\xE5\x80\x2F\xC4\x48\xE2\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x83\xC7\xAF\xEA\x7F\x4D\x0A\x3C\x39\xB1\x68\xBE\x7B\x6D\x89\x2E\xE9\xB3\x09\xE7\x18\x57\x8D\x85\x9A\x17\xF3\x76\x42\x50\x13\x0F\xC7\x90\x6F\x33\xAD\xC5\x49\x60\x2B\x6C\x49\x58\x19\xD4\xE2\xBE\xB7\xBF\xAB\x49\xBC\x94\xC8\xAB\xBE\x28\x6C\x16\x68\xE0\xC8\x97\x46\x20\xA0\x68\x67\x60\x88\x39\x20\x51\xD8\x68\x01\x11\xCE\xA7\xF6\x11\x07\xF6\xEC\xEC\xAC\x1A\x1F\xB2\x66\x6E\x56\x67\x60\x7A\x74\x5E\xC0\x6D\x97\x36\xAE\xB5\x0D\x5D\x66\x73\xC0\x25\x32\x45\xD8\x4A\x06\x07\x8F\xC4\xB7\x07\xB1\x4D\x06\x0D\xE1\xA5\xEB\xF4\x75\xCA\xBA\x9C\xD0\xBD\xB3\xD3\x32\x24\x4C\xEE\x7E\xE2\x76\x04\x4B\x49\x53\xD8\xF2\xE9\x54\x33\xFC\xE5\x71\x1F\x3D\x14\x5C\x96\x4B\xF1\x3A\xF2\x00\xBB\x6C\xB4\xFA\x96\x55\x08\x88\x09\xC1\xCC\x91\x19\x29\xB0\x20\x2D\xFF\xCB\x38\xA4\x40\xE1\x17\xBE\x79\x61\x80\xFF\x07\x03\x86\x4C\x4E\x7B\x06\x9F\x11\x86\x8D\x89\xEE\x27\xC4\xDB\xE2\xBC\x19\x8E\x0B\xC3\xC3\x13\xC7\x2D\x03\x63\x3B\xD3\xE8\xE4\xA2\x2A\xC2\x82\x08\x94\x16\x54\xF0\xEF\x1F\x27\x90\x25\xB8\x0D\x0E\x28\x1B\x47\x77\x47\xBD\x1C\xA8\x25\xF1\x94\xB4\x66",
+	["CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES"] = "\x30\x82\x06\x14\x30\x82\x03\xFC\xA0\x03\x02\x01\x02\x02\x08\x53\xEC\x3B\xEE\xFB\xB2\x48\x5F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x30\x30\x38\x33\x38\x31\x35\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x38\x33\x38\x31\x35\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCA\x96\x6B\x8E\xEA\xF8\xFB\xF1\xA2\x35\xE0\x7F\x4C\xDA\xE0\xC3\x52\xD7\x7D\xB6\x10\xC8\x02\x5E\xB3\x43\x2A\xC4\x4F\x6A\xB2\xCA\x1C\x5D\x28\x9A\x78\x11\x1A\x69\x59\x57\xAF\xB5\x20\x42\xE4\x8B\x0F\xE6\xDF\x5B\xA6\x03\x92\x2F\xF5\x11\xE4\x62\xD7\x32\x71\x38\xD9\x04\x0C\x71\xAB\x3D\x51\x7E\x0F\x07\xDF\x63\x05\x5C\xE9\xBF\x94\x6F\xC1\x29\x82\xC0\xB4\xDA\x51\xB0\xC1\x3C\xBB\xAD\x37\x4A\x5C\xCA\xF1\x4B\x36\x0E\x24\xAB\xBF\xC3\x84\x77\xFD\xA8\x50\xF4\xB1\xE7\xC6\x2F\xD2\x2D\x59\x8D\x7A\x0A\x4E\x96\x69\x52\x02\xAA\x36\x98\xEC\xFC\xFA\x14\x83\x0C\x37\x1F\xC9\x92\x37\x7F\xD7\x81\x2D\xE5\xC4\xB9\xE0\x3E\x34\xFE\x67\xF4\x3E\x66\xD1\xD3\xF4\x40\xCF\x5E\x62\x34\x0F\x70\x06\x3E\x20\x18\x5A\xCE\xF7\x72\x1B\x25\x6C\x93\x74\x14\x93\xA3\x73\xB1\x0E\xAA\x87\x10\x23\x59\x5F\x20\x05\x19\x47\xED\x68\x8E\x92\x12\xCA\x5D\xFC\xD6\x2B\xB2\x92\x3C\x20\xCF\xE1\x5F\xAF\x20\xBE\xA0\x76\x7F\x76\xE5\xEC\x1A\x86\x61\x33\x3E\xE7\x7B\xB4\x3F\xA0\x0F\x8E\xA2\xB9\x6A\x6F\xB9\x87\x26\x6F\x41\x6C\x88\xA6\x50\xFD\x6A\x63\x0B\xF5\x93\x16\x1B\x19\x8F\xB2\xED\x9B\x9B\xC9\x90\xF5\x01\x0C\xDF\x19\x3D\x0F\x3E\x38\x23\xC9\x2F\x8F\x0C\xD1\x02\xFE\x1B\x55\xD6\x4E\xD0\x8D\x3C\xAF\x4F\xA4\xF3\xFE\xAF\x2A\xD3\x05\x9D\x79\x08\xA1\xCB\x57\x31\xB4\x9C\xC8\x90\xB2\x67\xF4\x18\x16\x93\x3A\xFC\x47\xD8\xD1\x78\x96\x31\x1F\xBA\x2B\x0C\x5F\x5D\x99\xAD\x63\x89\x5A\x24\x20\x76\xD8\xDF\xFD\xAB\x4E\xA6\x22\xAA\x9D\x5E\xE6\x27\x8A\x7D\x68\x29\xA3\xE7\x8A\xB8\xDA\x11\xBB\x17\x2D\x99\x9D\x13\x24\x46\xF7\xC5\xE2\xD8\x9F\x8E\x7F\xC7\x8F\x74\x6D\x5A\xB2\xE8\x72\xF5\xAC\xEE\x24\x10\xAD\x2F\x14\xDA\xFF\x2D\x9A\x46\x71\x47\xBE\x42\xDF\xBB\x01\xDB\xF4\x7F\xD3\x28\x8F\x31\x59\x5B\xD3\xC9\x02\xA6\xB4\x52\xCA\x6E\x97\xFB\x43\xC5\x08\x26\x6F\x8A\xF4\xBB\xFD\x9F\x28\xAA\x0D\xD5\x45\xF3\x13\x3A\x1D\xD8\xC0\x78\x8F\x41\x67\x3C\x1E\x94\x64\xAE\x7B\x0B\xC5\xE8\xD9\x01\x88\x39\x1A\x97\x86\x64\x41\xD5\x3B\x87\x0C\x6E\xFA\x0F\xC6\xBD\x48\x14\xBF\x39\x4D\xD4\x9E\x41\xB6\x8F\x96\x1D\x63\x96\x93\xD9\x95\x06\x78\x31\x68\x9E\x37\x06\x3B\x80\x89\x45\x61\x39\x23\xC7\x1B\x44\xA3\x15\xE5\x1C\xF8\x92\x30\xBB\x02\x03\x01\x00\x01\xA3\x81\xEF\x30\x81\xEC\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xCD\xEB\xAB\x35\x1E\x00\x3E\x7E\xD5\x74\xC0\x1C\xB4\x73\x47\x0E\x1A\x64\x2F\x30\x81\xA6\x06\x03\x55\x1D\x20\x04\x81\x9E\x30\x81\x9B\x30\x81\x98\x06\x04\x55\x1D\x20\x00\x30\x81\x8F\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x5C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x50\x1E\x4E\x00\x50\x00\x61\x00\x73\x00\x65\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x42\x00\x6F\x00\x6E\x00\x61\x00\x6E\x00\x6F\x00\x76\x00\x61\x00\x20\x00\x34\x00\x37\x00\x20\x00\x42\x00\x61\x00\x72\x00\x63\x00\x65\x00\x6C\x00\x6F\x00\x6E\x00\x61\x00\x20\x00\x30\x00\x38\x00\x30\x00\x31\x00\x37\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x17\x7D\xA0\xF9\xB4\xDD\xC5\xC5\xEB\xAD\x4B\x24\xB5\xA1\x02\xAB\xDD\xA5\x88\x4A\xB2\x0F\x55\x4B\x2B\x57\x8C\x3B\xE5\x31\xDD\xFE\xC4\x32\xF1\xE7\x5B\x64\x96\x36\x32\x18\xEC\xA5\x32\x77\xD7\xE3\x44\xB6\xC0\x11\x2A\x80\xB9\x3D\x6A\x6E\x7C\x9B\xD3\xAD\xFC\xC3\xD6\xA3\xE6\x64\x29\x7C\xD1\xE1\x38\x1E\x82\x2B\xFF\x27\x65\xAF\xFB\x16\x15\xC4\x2E\x71\x84\xE5\xB5\xFF\xFA\xA4\x47\xBD\x64\x32\xBB\xF6\x25\x84\xA2\x27\x42\xF5\x20\xB0\xC2\x13\x10\x11\xCD\x10\x15\xBA\x42\x90\x2A\xD2\x44\xE1\x96\x26\xEB\x31\x48\x12\xFD\x2A\xDA\xC9\x06\xCF\x74\x1E\xA9\x4B\xD5\x87\x28\xF9\x79\x34\x92\x3E\x2E\x44\xE8\xF6\x8F\x4F\x8F\x35\x3F\x25\xB3\x39\xDC\x63\x2A\x90\x6B\x20\x5F\xC4\x52\x12\x4E\x97\x2C\x2A\xAC\x9D\x97\xDE\x48\xF2\xA3\x66\xDB\xC2\xD2\x83\x95\xA6\x66\xA7\x9E\x25\x0F\xE9\x0B\x33\x91\x65\x0A\x5A\xC3\xD9\x54\x12\xDD\xAF\xC3\x4E\x0E\x1F\x26\x5E\x0D\xDC\xB3\x8D\xEC\xD5\x81\x70\xDE\xD2\x4F\x24\x05\xF3\x6C\x4E\xF5\x4C\x49\x66\x8D\xD1\xFF\xD2\x0B\x25\x41\x48\xFE\x51\x84\xC6\x42\xAF\x80\x04\xCF\xD0\x7E\x64\x49\xE4\xF2\xDF\xA2\xEC\xB1\x4C\xC0\x2A\x1D\xE7\xB4\xB1\x65\xA2\xC4\xBC\xF1\x98\xF4\xAA\x70\x07\x63\xB4\xB8\xDA\x3B\x4C\xFA\x40\x22\x30\x5B\x11\xA6\xF0\x05\x0E\xC6\x02\x03\x48\xAB\x86\x9B\x85\xDD\xDB\xDD\xEA\xA2\x76\x80\x73\x7D\xF5\x9C\x04\xC4\x45\x8D\xE7\xB9\x1C\x8B\x9E\xEA\xD7\x75\xD1\x72\xB1\xDE\x75\x44\xE7\x42\x7D\xE2\x57\x6B\x7D\xDC\x99\xBC\x3D\x83\x28\xEA\x80\x93\x8D\xC5\x4C\x65\xC1\x70\x81\xB8\x38\xFC\x43\x31\xB2\xF6\x03\x34\x47\xB2\xAC\xFB\x22\x06\xCB\x1E\xDD\x17\x47\x1C\x5F\x66\xB9\xD3\x1A\xA2\xDA\x11\xB1\xA4\xBC\x23\xC9\xE4\xBE\x87\xFF\xB9\x94\xB6\xF8\x5D\x20\x4A\xD4\x5F\xE7\xBD\x68\x7B\x65\xF2\x15\x1E\xD2\x3A\xA9\x2D\xE9\xD8\x6B\x24\xAC\x97\x58\x44\x47\xAD\x59\x18\xF1\x21\x65\x70\xDE\xCE\x34\x60\xA8\x40\xF1\xF3\x3C\xA4\xC3\x28\x23\x8C\xFE\x27\x33\x43\x40\xA0\x17\x3C\xEB\xEA\x3B\xB0\x72\xA6\xA3\xB9\x4A\x4B\x5E\x16\x48\xF4\xB2\xBC\xC8\x8C\x92\xC5\x9D\x9F\xAC\x72\x36\xBC\x34\x80\x34\x6B\xA9\x8B\x92\xC0\xB8\x17\xED\xEC\x76\x53\xF5\x24\x01\x8C\xB3\x22\xE8\x4B\x7C\x55\xC6\x9D\xFA\xA3\x14\xBB\x65\x85\x6E\x6E\x4F\x12\x7E\x0A\x3C\x9D\x95",
+	["CN=Izenpe.com,O=IZENPE S.A.,C=ES"] = "\x30\x82\x05\xF1\x30\x82\x03\xD9\xA0\x03\x02\x01\x02\x02\x10\x00\xB0\xB7\x5A\x16\x48\x5F\xBF\xE1\xCB\xF5\x8B\xD7\x19\xE6\x7D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x38\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x49\x5A\x45\x4E\x50\x45\x20\x53\x2E\x41\x2E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x0C\x0A\x49\x7A\x65\x6E\x70\x65\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x33\x31\x33\x30\x38\x32\x38\x5A\x17\x0D\x33\x37\x31\x32\x31\x33\x30\x38\x32\x37\x32\x35\x5A\x30\x38\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x49\x5A\x45\x4E\x50\x45\x20\x53\x2E\x41\x2E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x0C\x0A\x49\x7A\x65\x6E\x70\x65\x2E\x63\x6F\x6D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC9\xD3\x7A\xCA\x0F\x1E\xAC\xA7\x86\xE8\x16\x65\x6A\xB1\xC2\x1B\x45\x32\x71\x95\xD9\xFE\x10\x5B\xCC\xAF\xE7\xA5\x79\x01\x8F\x89\xC3\xCA\xF2\x55\x71\xF7\x77\xBE\x77\x94\xF3\x72\xA4\x2C\x44\xD8\x9E\x92\x9B\x14\x3A\xA1\xE7\x24\x90\x0A\x0A\x56\x8E\xC5\xD8\x26\x94\xE1\xD9\x48\xE1\x2D\x3E\xDA\x0A\x72\xDD\xA3\x99\x15\xDA\x81\xA2\x87\xF4\x7B\x6E\x26\x77\x89\x58\xAD\xD6\xEB\x0C\xB2\x41\x7A\x73\x6E\x6D\xDB\x7A\x78\x41\xE9\x08\x88\x12\x7E\x87\x2E\x66\x11\x63\x6C\x54\xFB\x3C\x9D\x72\xC0\xBC\x2E\xFF\xC2\xB7\xDD\x0D\x76\xE3\x3A\xD7\xF7\xB4\x68\xBE\xA2\xF5\xE3\x81\x6E\xC1\x46\x6F\x5D\x8D\xE0\x4D\xC6\x54\x55\x89\x1A\x33\x31\x0A\xB1\x57\xB9\xA3\x8A\x98\xC3\xEC\x3B\x34\xC5\x95\x41\x69\x7E\x75\xC2\x3C\x20\xC5\x61\xBA\x51\x47\xA0\x20\x90\x93\xA1\x90\x4B\xF3\x4E\x7C\x85\x45\x54\x9A\xD1\x05\x26\x41\xB0\xB5\x4D\x1D\x33\xBE\xC4\x03\xC8\x25\x7C\xC1\x70\xDB\x3B\xF4\x09\x2D\x54\x27\x48\xAC\x2F\xE1\xC4\xAC\x3E\xC8\xCB\x92\x4C\x53\x39\x37\x23\xEC\xD3\x01\xF9\xE0\x09\x44\x4D\x4D\x64\xC0\xE1\x0D\x5A\x87\x22\xBC\xAD\x1B\xA3\xFE\x26\xB5\x15\xF3\xA7\xFC\x84\x19\xE9\xEC\xA1\x88\xB4\x44\x69\x84\x83\xF3\x89\xD1\x74\x06\xA9\xCC\x0B\xD6\xC2\xDE\x27\x85\x50\x26\xCA\x17\xB8\xC9\x7A\x87\x56\x2C\x1A\x01\x1E\x6C\xBE\x13\xAD\x10\xAC\xB5\x24\xF5\x38\x91\xA1\xD6\x4B\xDA\xF1\xBB\xD2\xDE\x47\xB5\xF1\xBC\x81\xF6\x59\x6B\xCF\x19\x53\xE9\x8D\x15\xCB\x4A\xCB\xA9\x6F\x44\xE5\x1B\x41\xCF\xE1\x86\xA7\xCA\xD0\x6A\x9F\xBC\x4C\x8D\x06\x33\x5A\xA2\x85\xE5\x90\x35\xA0\x62\x5C\x16\x4E\xF0\xE3\xA2\xFA\x03\x1A\xB4\x2C\x71\xB3\x58\x2C\xDE\x7B\x0B\xDB\x1A\x0F\xEB\xDE\x21\x1F\x06\x77\x06\x03\xB0\xC9\xEF\x99\xFC\xC0\xB9\x4F\x0B\x86\x28\xFE\xD2\xB9\xEA\xE3\xDA\xA5\xC3\x47\x69\x12\xE0\xDB\xF0\xF6\x19\x8B\xED\x7B\x70\xD7\x02\xD6\xED\x87\x18\x28\x2C\x04\x24\x4C\x77\xE4\x48\x8A\x1A\xC6\x3B\x9A\xD4\x0F\xCA\xFA\x75\xD2\x01\x40\x5A\x8D\x79\xBF\x8B\xCF\x4B\xCF\xAA\x16\xC1\x95\xE4\xAD\x4C\x8A\x3E\x17\x91\xD4\xB1\x62\xE5\x82\xE5\x80\x04\xA4\x03\x7E\x8D\xBF\xDA\x7F\xA2\x0F\x97\x4F\x0C\xD3\x0D\xFB\xD7\xD1\xE5\x72\x7E\x1C\xC8\x77\xFF\x5B\x9A\x0F\xB7\xAE\x05\x46\xE5\xF1\xA8\x16\xEC\x47\xA4\x17\x02\x03\x01\x00\x01\xA3\x81\xF6\x30\x81\xF3\x30\x81\xB0\x06\x03\x55\x1D\x11\x04\x81\xA8\x30\x81\xA5\x81\x0F\x69\x6E\x66\x6F\x40\x69\x7A\x65\x6E\x70\x65\x2E\x63\x6F\x6D\xA4\x81\x91\x30\x81\x8E\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x49\x5A\x45\x4E\x50\x45\x20\x53\x2E\x41\x2E\x20\x2D\x20\x43\x49\x46\x20\x41\x30\x31\x33\x33\x37\x32\x36\x30\x2D\x52\x4D\x65\x72\x63\x2E\x56\x69\x74\x6F\x72\x69\x61\x2D\x47\x61\x73\x74\x65\x69\x7A\x20\x54\x31\x30\x35\x35\x20\x46\x36\x32\x20\x53\x38\x31\x43\x30\x41\x06\x03\x55\x04\x09\x0C\x3A\x41\x76\x64\x61\x20\x64\x65\x6C\x20\x4D\x65\x64\x69\x74\x65\x72\x72\x61\x6E\x65\x6F\x20\x45\x74\x6F\x72\x62\x69\x64\x65\x61\x20\x31\x34\x20\x2D\x20\x30\x31\x30\x31\x30\x20\x56\x69\x74\x6F\x72\x69\x61\x2D\x47\x61\x73\x74\x65\x69\x7A\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1D\x1C\x65\x0E\xA8\xF2\x25\x7B\xB4\x91\xCF\xE4\xB1\xB1\xE6\xBD\x55\x74\x6C\x05\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x78\xA6\x0C\x16\x4A\x9F\x4C\x88\x3A\xC0\xCB\x0E\xA5\x16\x7D\x9F\xB9\x48\x5F\x18\x8F\x0D\x62\x36\xF6\xCD\x19\x6B\xAC\xAB\xD5\xF6\x91\x7D\xAE\x71\xF3\x3F\xB3\x0E\x78\x85\x9B\x95\xA4\x27\x21\x47\x42\x4A\x7C\x48\x3A\xF5\x45\x7C\xB3\x0C\x8E\x51\x78\xAC\x95\x13\xDE\xC6\xFD\x7D\xB8\x1A\x90\x4C\xAB\x92\x03\xC7\xED\x42\x01\xCE\x0F\xD8\xB1\xFA\xA2\x92\xE1\x60\x6D\xAE\x7A\x6B\x09\xAA\xC6\x29\xEE\x68\x49\x67\x30\x80\x24\x7A\x31\x16\x39\x5B\x7E\xF1\x1C\x2E\xDD\x6C\x09\xAD\xF2\x31\xC1\x82\x4E\xB9\xBB\xF9\xBE\xBF\x2A\x85\x3F\xC0\x40\xA3\x3A\x59\xFC\x59\x4B\x3C\x28\x24\xDB\xB4\x15\x75\xAE\x0D\x88\xBA\x2E\x73\xC0\xBD\x58\x87\xE5\x42\xF2\xEB\x5E\xEE\x1E\x30\x22\x99\xCB\x37\xD1\xC4\x21\x6C\x81\xEC\xBE\x6D\x26\xE6\x1C\xE4\x42\x20\x9E\x47\xB0\xAC\x83\x59\x70\x2C\x35\xD6\xAF\x36\x34\xB4\xCD\x3B\xF8\x32\xA8\xEF\xE3\x78\x89\xFB\x8D\x45\x2C\xDA\x9C\xB8\x7E\x40\x1C\x61\xE7\x3E\xA2\x92\x2C\x4B\xF2\xCD\xFA\x98\xB6\x29\xFF\xF3\xF2\x7B\xA9\x1F\x2E\xA0\x93\x57\x2B\xDE\x85\x03\xF9\x69\x37\xCB\x9E\x78\x6A\x05\xB4\xC5\x31\x78\x89\xEC\x7A\xA7\x85\xE1\xB9\x7B\x3C\xDE\xBE\x1E\x79\x84\xCE\x9F\x70\x0E\x59\xC2\x35\x2E\x90\x2A\x31\xD9\xE4\x45\x7A\x41\xA4\x2E\x13\x9B\x34\x0E\x66\x7B\x49\xAB\x64\x97\xD0\x46\xC3\x79\x9D\x72\x50\x63\xA6\x98\x5B\x06\xBD\x48\x6D\xD8\x39\x83\x70\xE8\x35\xF0\x05\xD1\xAA\xBC\xE3\xDB\xC8\x02\xEA\x7C\xFD\x82\xDA\xC2\x5B\x52\x35\xAE\x98\x3A\xAD\xBA\x35\x93\x23\xA7\x1F\x48\xDD\x35\x46\x98\xB2\x10\x68\xE4\xA5\x31\xC2\x0A\x58\x2E\x19\x81\x10\xC9\x50\x75\xFC\xEA\x5A\x16\xCE\x11\xD7\xEE\xEF\x50\x88\x2D\x61\xFF\x3F\x42\x73\x05\x94\x43\xD5\x8E\x3C\x4E\x01\x3A\x19\xA5\x1F\x46\x4E\x77\xD0\x5D\xE5\x81\x22\x21\x87\xFE\x94\x7D\x84\xD8\x93\xAD\xD6\x68\x43\x48\xB2\xDB\xEB\x73\x24\xE7\x91\x7F\x54\xA4\xB6\x80\x3E\x9D\xA3\x3C\x4C\x72\xC2\x57\xC4\xA0\xD4\xCC\x38\x27\xCE\xD5\x06\x9E\xA2\x48\xD9\xE9\x9F\xCE\x82\x70\x36\x93\x9A\x3B\xDF\x96\x21\xE3\x59\xB7\x0C\xDA\x91\x37\xF0\xFD\x59\x5A\xB3\x99\xC8\x69\x6C\x43\x26\x01\x35\x63\x60\x55\x89\x03\x3A\x75\xD8\xBA\x4A\xD9\x54\xFF\xEE\xDE\x80\xD8\x2D\xD1\x38\xD5\x5E\x2D\x0B\x98\x7D\x3E\x6C\xDB\xFC\x26\x88\xC7",
+	["CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU"] = "\x30\x82\x07\x4F\x30\x82\x05\x37\xA0\x03\x02\x01\x02\x02\x09\x00\xA3\xDA\x42\x7E\xA4\xB1\xAE\xDA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x30\x1E\x17\x0D\x30\x38\x30\x38\x30\x31\x31\x32\x32\x39\x35\x30\x5A\x17\x0D\x33\x38\x30\x37\x33\x31\x31\x32\x32\x39\x35\x30\x5A\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAF\x00\xCB\x70\x37\x2B\x80\x5A\x4A\x3A\x6C\x78\x94\x7D\xA3\x7F\x1A\x1F\xF6\x35\xD5\xBD\xDB\xCB\x0D\x44\x72\x3E\x26\xB2\x90\x52\xBA\x63\x3B\x28\x58\x6F\xA5\xB3\x6D\x94\xA6\xF3\xDD\x64\x0C\x55\xF6\xF6\xE7\xF2\x22\x22\x80\x5E\xE1\x62\xC6\xB6\x29\xE1\x81\x6C\xF2\xBF\xE5\x7D\x32\x6A\x54\xA0\x32\x19\x59\xFE\x1F\x8B\xD7\x3D\x60\x86\x85\x24\x6F\xE3\x11\xB3\x77\x3E\x20\x96\x35\x21\x6B\xB3\x08\xD9\x70\x2E\x64\xF7\x84\x92\x53\xD6\x0E\xB0\x90\x8A\x8A\xE3\x87\x8D\x06\xD3\xBD\x90\x0E\xE2\x99\xA1\x1B\x86\x0E\xDA\x9A\x0A\xBB\x0B\x61\x50\x06\x52\xF1\x9E\x7F\x76\xEC\xCB\x0F\xD0\x1E\x0D\xCF\x99\x30\x3D\x1C\xC4\x45\x10\x58\xAC\xD6\xD3\xE8\xD7\xE5\xEA\xC5\x01\x07\x77\xD6\x51\xE6\x03\x7F\x8A\x48\xA5\x4D\x68\x75\xB9\xE9\xBC\x9E\x4E\x19\x71\xF5\x32\x4B\x9C\x6D\x60\x19\x0B\xFB\xCC\x9D\x75\xDC\xBF\x26\xCD\x8F\x93\x78\x39\x79\x73\x5E\x25\x0E\xCA\x5C\xEB\x77\x12\x07\xCB\x64\x41\x47\x72\x93\xAB\x50\xC3\xEB\x09\x76\x64\x34\xD2\x39\xB7\x76\x11\x09\x0D\x76\x45\xC4\xA9\xAE\x3D\x6A\xAF\xB5\x7D\x65\x2F\x94\x58\x10\xEC\x5C\x7C\xAF\x7E\xE2\xB6\x18\xD9\xD0\x9B\x4E\x5A\x49\xDF\xA9\x66\x0B\xCC\x3C\xC6\x78\x7C\xA7\x9C\x1D\xE3\xCE\x8E\x53\xBE\x05\xDE\x60\x0F\x6B\xE5\x1A\xDB\x3F\xE3\xE1\x21\xC9\x29\xC1\xF1\xEB\x07\x9C\x52\x1B\x01\x44\x51\x3C\x7B\x25\xD7\xC4\xE5\x52\x54\x5D\x25\x07\xCA\x16\x20\xB8\xAD\xE4\x41\xEE\x7A\x08\xFE\x99\x6F\x83\xA6\x91\x02\xB0\x6C\x36\x55\x6A\xE7\x7D\xF5\x96\xE6\xCA\x81\xD6\x97\xF1\x94\x83\xE9\xED\xB0\xB1\x6B\x12\x69\x1E\xAC\xFB\x5D\xA9\xC5\x98\xE9\xB4\x5B\x58\x7A\xBE\x3D\xA2\x44\x3A\x63\x59\xD4\x0B\x25\xDE\x1B\x4F\xBD\xE5\x01\x9E\xCD\xD2\x29\xD5\x9F\x17\x19\x0A\x6F\xBF\x0C\x90\xD3\x09\x5F\xD9\xE3\x8A\x35\xCC\x79\x5A\x4D\x19\x37\x92\xB7\xC4\xC1\xAD\xAF\xF4\x79\x24\x9A\xB2\x01\x0B\xB1\xAF\x5C\x96\xF3\x80\x32\xFB\x5C\x3D\x98\xF1\xA0\x3F\x4A\xDE\xBE\xAF\x94\x2E\xD9\x55\x9A\x17\x6E\x60\x9D\x63\x6C\xB8\x63\xC9\xAE\x81\x5C\x18\x35\xE0\x90\xBB\xBE\x3C\x4F\x37\x22\xB9\x7E\xEB\xCF\x9E\x77\x21\xA6\x3D\x38\x81\xFB\x48\xDA\x31\x3D\x2B\xE3\x89\xF5\xD0\xB5\xBD\x7E\xE0\x50\xC4\x12\x89\xB3\x23\x9A\x10\x31\x85\xDB\xAE\x6F\xEF\x38\x33\x18\x76\x11\x02\x03\x01\x00\x01\xA3\x82\x01\x6C\x30\x82\x01\x68\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF9\x24\xAC\x0F\xB2\xB5\xF8\x79\xC0\xFA\x60\x88\x1B\xC4\xD9\x4D\x02\x9E\x17\x19\x30\x81\xE3\x06\x03\x55\x1D\x23\x04\x81\xDB\x30\x81\xD8\x80\x14\xF9\x24\xAC\x0F\xB2\xB5\xF8\x79\xC0\xFA\x60\x88\x1B\xC4\xD9\x4D\x02\x9E\x17\x19\xA1\x81\xB4\xA4\x81\xB1\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x82\x09\x00\xA3\xDA\x42\x7E\xA4\xB1\xAE\xDA\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x3D\x06\x03\x55\x1D\x20\x04\x36\x30\x34\x30\x32\x06\x04\x55\x1D\x20\x00\x30\x2A\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1C\x68\x74\x74\x70\x3A\x2F\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x90\x12\xAF\x22\x35\xC2\xA3\x39\xF0\x2E\xDE\xE9\xB5\xE9\x78\x7C\x48\xBE\x3F\x7D\x45\x92\x5E\xE9\xDA\xB1\x19\xFC\x16\x3C\x9F\xB4\x5B\x66\x9E\x6A\xE7\xC3\xB9\x5D\x88\xE8\x0F\xAD\xCF\x23\x0F\xDE\x25\x3A\x5E\xCC\x4F\xA5\xC1\xB5\x2D\xAC\x24\xD2\x58\x07\xDE\xA2\xCF\x69\x84\x60\x33\xE8\x10\x0D\x13\xA9\x23\xD0\x85\xE5\x8E\x7B\xA6\x9E\x3D\x72\x13\x72\x33\xF5\xAA\x7D\xC6\x63\x1F\x08\xF4\xFE\x01\x7F\x24\xCF\x2B\x2C\x54\x09\xDE\xE2\x2B\x6D\x92\xC6\x39\x4F\x16\xEA\x3C\x7E\x7A\x46\xD4\x45\x6A\x46\xA8\xEB\x75\x82\x56\xA7\xAB\xA0\x7C\x68\x13\x33\xF6\x9D\x30\xF0\x6F\x27\x39\x24\x23\x2A\x90\xFD\x90\x29\x35\xF2\x93\xDF\x34\xA5\xC6\xF7\xF8\xEF\x8C\x0F\x62\x4A\x7C\xAE\xD3\xF5\x54\xF8\x8D\xB6\x9A\x56\x87\x16\x82\x3A\x33\xAB\x5A\x22\x08\xF7\x82\xBA\xEA\x2E\xE0\x47\x9A\xB4\xB5\x45\xA3\x05\x3B\xD9\xDC\x2E\x45\x40\x3B\xEA\xDC\x7F\xE8\x3B\xEB\xD1\xEC\x26\xD8\x35\xA4\x30\xC5\x3A\xAC\x57\x9E\xB3\x76\xA5\x20\x7B\xF9\x1E\x4A\x05\x62\x01\xA6\x28\x75\x60\x97\x92\x0D\x6E\x3E\x4D\x37\x43\x0D\x92\x15\x9C\x18\x22\xCD\x51\x99\xA0\x29\x1A\x3C\x5F\x8A\x32\x33\x5B\x30\xC7\x89\x2F\x47\x98\x0F\xA3\x03\xC6\xF6\xF1\xAC\xDF\x32\xF0\xD9\x81\x1A\xE4\x9C\xBD\xF6\x80\x14\xF0\xD1\x2C\xB9\x85\xF5\xD8\xA3\xB1\xC8\xA5\x21\xE5\x1C\x13\x97\xEE\x0E\xBD\xDF\x29\xA9\xEF\x34\x53\x5B\xD3\xE4\x6A\x13\x84\x06\xB6\x32\x02\xC4\x52\xAE\x22\xD2\xDC\xB2\x21\x42\x1A\xDA\x40\xF0\x29\xC9\xEC\x0A\x0C\x5C\xE2\xD0\xBA\xCC\x48\xD3\x37\x0A\xCC\x12\x0A\x8A\x79\xB0\x3D\x03\x7F\x69\x4B\xF4\x34\x20\x7D\xB3\x34\xEA\x8E\x4B\x64\xF5\x3E\xFD\xB3\x23\x67\x15\x0D\x04\xB8\xF0\x2D\xC1\x09\x51\x3C\xB2\x6C\x15\xF0\xA5\x23\xD7\x83\x74\xE4\xE5\x2E\xC9\xFE\x98\x27\x42\xC6\xAB\xC6\x9E\xB0\xD0\x5B\x38\xA5\x9B\x50\xDE\x7E\x18\x98\xB5\x45\x3B\xF6\x79\xB4\xE8\xF7\x1A\x7B\x06\x83\xFB\xD0\x8B\xDA\xBB\xC7\xBD\x18\xAB\x08\x6F\x3C\x80\x6B\x40\x3F\x19\x19\xBA\x65\x8A\xE6\xBE\xD5\x5C\xD3\x36\xD7\xEF\x40\x52\x24\x60\x38\x67\x04\x31\xEC\x8F\xF3\x82\xC6\xDE\xB9\x55\xF3\x3B\x31\x91\x5A\xDC\xB5\x08\x15\xAD\x76\x25\x0A\x0D\x7B\x2E\x87\xE2\x0C\xA6\x06\xBC\x26\x10\x6D\x37\x9D\xEC\xDD\x78\x8C\x7C\x80\xC5\xF0\xD9\x77\x48\xD0",
+	["CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU"] = "\x30\x82\x07\x49\x30\x82\x05\x31\xA0\x03\x02\x01\x02\x02\x09\x00\xC9\xCD\xD3\xE9\xD5\x7D\x23\xCE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xAC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x30\x1E\x17\x0D\x30\x38\x30\x38\x30\x31\x31\x32\x33\x31\x34\x30\x5A\x17\x0D\x33\x38\x30\x37\x33\x31\x31\x32\x33\x31\x34\x30\x5A\x30\x81\xAC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC0\xDF\x56\xD3\xE4\x3A\x9B\x76\x45\xB4\x13\xDB\xFF\xC1\xB6\x19\x8B\x37\x41\x18\x95\x52\x47\xEB\x17\x9D\x29\x88\x8E\x35\x6C\x06\x32\x2E\x47\x62\xF3\x49\x04\xBF\x7D\x44\x36\xB1\x71\xCC\xBD\x5A\x09\x73\xD5\xD9\x85\x44\xFF\x91\x57\x25\xDF\x5E\x36\x8E\x70\xD1\x5C\x71\x43\x1D\xD9\xDA\xEF\x5C\xD2\xFB\x1B\xBD\x3A\xB5\xCB\xAD\xA3\xCC\x44\xA7\x0D\xAE\x21\x15\x3F\xB9\x7A\x5B\x92\x75\xD8\xA4\x12\x38\x89\x19\x8A\xB7\x80\xD2\xE2\x32\x6F\x56\x9C\x91\xD6\x88\x10\x0B\xB3\x74\x64\x92\x74\x60\xF3\xF6\xCF\x18\x4F\x60\xB2\x23\xD0\xC7\x3B\xCE\x61\x4B\x99\x8F\xC2\x0C\xD0\x40\xB2\x98\xDC\x0D\xA8\x4E\xA3\xB9\x0A\xAE\x60\xA0\xAD\x45\x52\x63\xBA\x66\xBD\x68\xE0\xF9\xBE\x1A\xA8\x81\xBB\x1E\x41\x78\x75\xD3\xC1\xFE\x00\x55\xB0\x87\x54\xE8\x27\x90\x35\x1D\x4C\x33\xAD\x97\xFC\x97\x2E\x98\x84\xBF\x2C\xC9\xA3\xBF\xD1\x98\x11\x14\xED\x63\xF8\xCA\x98\x88\x58\x17\x99\xED\x45\x03\x97\x7E\x3C\x86\x1E\x88\x8C\xBE\xF2\x91\x84\x8F\x65\x34\xD8\x00\x4C\x7D\xB7\x31\x17\x5A\x29\x7A\x0A\x18\x24\x30\xA3\x37\xB5\x7A\xA9\x01\x7D\x26\xD6\xF9\x0E\x8E\x59\xF1\xFD\x1B\x33\xB5\x29\x3B\x17\x3B\x41\xB6\x21\xDD\xD4\xC0\x3D\xA5\x9F\x9F\x1F\x43\x50\xC9\xBB\xBC\x6C\x7A\x97\x98\xEE\xCD\x8C\x1F\xFB\x9C\x51\xAE\x8B\x70\xBD\x27\x9F\x71\xC0\x6B\xAC\x7D\x90\x66\xE8\xD7\x5D\x3A\x0D\xB0\xD5\xC2\x8D\xD5\xC8\x9D\x9D\xC1\x6D\xD0\xD0\xBF\x51\xE4\xE3\xF8\xC3\x38\x36\xAE\xD6\xA7\x75\xE6\xAF\x84\x43\x5D\x93\x92\x0C\x6A\x07\xDE\x3B\x1D\x98\x22\xD6\xAC\xC1\x35\xDB\xA3\xA0\x25\xFF\x72\xB5\x76\x1D\xDE\x6D\xE9\x2C\x66\x2C\x52\x84\xD0\x45\x92\xCE\x1C\xE5\xE5\x33\x1D\xDC\x07\x53\x54\xA3\xAA\x82\x3B\x9A\x37\x2F\xDC\xDD\xA0\x64\xE9\xE6\xDD\xBD\xAE\xFC\x64\x85\x1D\x3C\xA7\xC9\x06\xDE\x84\xFF\x6B\xE8\x6B\x1A\x3C\xC5\xA2\xB3\x42\xFB\x8B\x09\x3E\x5F\x08\x52\xC7\x62\xC4\xD4\x05\x71\xBF\xC4\x64\xE4\xF8\xA1\x83\xE8\x3E\x12\x9B\xA8\x1E\xD4\x36\x4D\x2F\x71\xF6\x8D\x28\xF6\x83\xA9\x13\xD2\x61\xC1\x91\xBB\x48\xC0\x34\x8F\x41\x8C\x4B\x4C\xDB\x69\x12\xFF\x50\x94\x9C\x20\x83\x59\x73\xED\x7C\xA1\xF2\xF1\xFD\xDD\xF7\x49\xD3\x43\x58\xA0\x56\x63\xCA\x3D\x3D\xE5\x35\x56\x59\xE9\x0E\xCA\x20\xCC\x2B\x4B\x93\x29\x0F\x02\x03\x01\x00\x01\xA3\x82\x01\x6A\x30\x82\x01\x66\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB9\x09\xCA\x9C\x1E\xDB\xD3\x6C\x3A\x6B\xAE\xED\x54\xF1\x5B\x93\x06\x35\x2E\x5E\x30\x81\xE1\x06\x03\x55\x1D\x23\x04\x81\xD9\x30\x81\xD6\x80\x14\xB9\x09\xCA\x9C\x1E\xDB\xD3\x6C\x3A\x6B\xAE\xED\x54\xF1\x5B\x93\x06\x35\x2E\x5E\xA1\x81\xB2\xA4\x81\xAF\x30\x81\xAC\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x43\x30\x41\x06\x03\x55\x04\x07\x13\x3A\x4D\x61\x64\x72\x69\x64\x20\x28\x73\x65\x65\x20\x63\x75\x72\x72\x65\x6E\x74\x20\x61\x64\x64\x72\x65\x73\x73\x20\x61\x74\x20\x77\x77\x77\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x2F\x61\x64\x64\x72\x65\x73\x73\x29\x31\x12\x30\x10\x06\x03\x55\x04\x05\x13\x09\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x2D\x20\x32\x30\x30\x38\x82\x09\x00\xC9\xCD\xD3\xE9\xD5\x7D\x23\xCE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x3D\x06\x03\x55\x1D\x20\x04\x36\x30\x34\x30\x32\x06\x04\x55\x1D\x20\x00\x30\x2A\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1C\x68\x74\x74\x70\x3A\x2F\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x63\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x2E\x63\x6F\x6D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x80\x88\x7F\x70\xDE\x92\x28\xD9\x05\x94\x46\xFF\x90\x57\xA9\xF1\x2F\xDF\x1A\x0D\x6B\xFA\x7C\x0E\x1C\x49\x24\x79\x27\xD8\x46\xAA\x6F\x29\x59\x52\x88\x70\x12\xEA\xDD\x3D\xF5\x9B\x53\x54\x6F\xE1\x60\xA2\xA8\x09\xB9\xEC\xEB\x59\x7C\xC6\x35\xF1\xDC\x18\xE9\xF1\x67\xE5\xAF\xBA\x45\xE0\x09\xDE\xCA\x44\x0F\xC2\x17\x0E\x77\x91\x45\x7A\x33\x5F\x5F\x96\x2C\x68\x8B\xC1\x47\x8F\x98\x9B\x3D\xC0\xEC\xCB\xF5\xD5\x82\x92\x84\x35\xD1\xBE\x36\x38\x56\x72\x31\x5B\x47\x2D\xAA\x17\xA4\x63\x51\xEB\x0A\x01\xAD\x7F\xEC\x75\x9E\xCB\xA1\x1F\xF1\x7F\x12\xB1\xB9\xE4\x64\x7F\x67\xD6\x23\x2A\xF4\xB8\x39\x5D\x98\xE8\x21\xA7\xE1\xBD\x3D\x42\x1A\x74\x9A\x70\xAF\x68\x6C\x50\x5D\x49\xCF\xFF\xFB\x0E\x5D\xE6\x2C\x47\xD7\x81\x3A\x59\x00\xB5\x73\x6B\x63\x20\xF6\x31\x45\x08\x39\x0E\xF4\x70\x7E\x40\x70\x5A\x3F\xD0\x6B\x42\xA9\x74\x3D\x28\x2F\x02\x6D\x75\x72\x95\x09\x8D\x48\x63\xC6\xC6\x23\x57\x92\x93\x5E\x35\xC1\x8D\xF9\x0A\xF7\x2C\x9D\x62\x1C\xF6\xAD\x7C\xDD\xA6\x31\x1E\xB6\xB1\xC7\x7E\x85\x26\xFA\xA4\x6A\xB5\xDA\x63\x30\xD1\xEF\x93\x37\xB2\x66\x2F\x7D\x05\xF7\xE7\xB7\x4B\x98\x94\x35\xC0\xD9\x3A\x29\xC1\x9D\xB2\x50\x33\x1D\x4A\xA9\x5A\xA6\xC9\x03\xEF\xED\xF4\xE7\xA8\x6E\x8A\xB4\x57\x84\xEB\xA4\x3F\xD0\xEE\xAA\xAA\x87\x5B\x63\xE8\x93\xE2\x6B\xA8\xD4\xB8\x72\x78\x6B\x1B\xED\x39\xE4\x5D\xCB\x9B\xAA\x87\xD5\x4F\x4E\x00\xFE\xD9\x6A\x9F\x3C\x31\x0F\x28\x02\x01\x7D\x98\xE8\xA7\xB0\xA2\x64\x9E\x79\xF8\x48\xF2\x15\xA9\xCC\xE6\xC8\x44\xEB\x3F\x78\x99\xF2\x7B\x71\x3E\x3C\xF1\x98\xA7\xC5\x18\x12\x3F\xE6\xBB\x28\x33\x42\xE9\x45\x0A\x7C\x6D\xF2\x86\x79\x2F\xC5\x82\x19\x7D\x09\x89\x7C\xB2\x54\x76\x88\xAE\xDE\xC1\xF3\xCC\xE1\x6E\xDB\x31\xD6\x93\xAE\x99\xA0\xEF\x25\x6A\x73\x98\x89\x5B\x3A\x2E\x13\x88\x1E\xBF\xC0\x92\x94\x34\x1B\xE3\x27\xB7\x8B\x1E\x6F\x42\xFF\xE7\xE9\x37\x9B\x50\x1D\x2D\xA2\xF9\x02\xEE\xCB\x58\x58\x3A\x71\xBC\x68\xE3\xAA\xC1\xAF\x1C\x28\x1F\xA2\xDC\x23\x65\x3F\x81\xEA\xAE\x99\xD3\xD8\x30\xCF\x13\x0D\x4F\x15\xC9\x84\xBC\xA7\x48\x2D\xF8\x30\x23\x77\xD8\x46\x4B\x79\x6D\xF6\x8C\xED\x3A\x7F\x60\x11\x78\xF4\xE9\x9B\xAE\xD5\x54\xC0\x74\x80\xD1\x0B\x42\x9F\xC1",
+	["CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US"] = "\x30\x82\x03\xC5\x30\x82\x02\xAD\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x83\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x47\x6F\x44\x61\x64\x64\x79\x2E\x63\x6F\x6D\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x39\x30\x39\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x83\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x47\x6F\x44\x61\x64\x64\x79\x2E\x63\x6F\x6D\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x71\x62\x08\xF1\xFA\x59\x34\xF7\x1B\xC9\x18\xA3\xF7\x80\x49\x58\xE9\x22\x83\x13\xA6\xC5\x20\x43\x01\x3B\x84\xF1\xE6\x85\x49\x9F\x27\xEA\xF6\x84\x1B\x4E\xA0\xB4\xDB\x70\x98\xC7\x32\x01\xB1\x05\x3E\x07\x4E\xEE\xF4\xFA\x4F\x2F\x59\x30\x22\xE7\xAB\x19\x56\x6B\xE2\x80\x07\xFC\xF3\x16\x75\x80\x39\x51\x7B\xE5\xF9\x35\xB6\x74\x4E\xA9\x8D\x82\x13\xE4\xB6\x3F\xA9\x03\x83\xFA\xA2\xBE\x8A\x15\x6A\x7F\xDE\x0B\xC3\xB6\x19\x14\x05\xCA\xEA\xC3\xA8\x04\x94\x3B\x46\x7C\x32\x0D\xF3\x00\x66\x22\xC8\x8D\x69\x6D\x36\x8C\x11\x18\xB7\xD3\xB2\x1C\x60\xB4\x38\xFA\x02\x8C\xCE\xD3\xDD\x46\x07\xDE\x0A\x3E\xEB\x5D\x7C\xC8\x7C\xFB\xB0\x2B\x53\xA4\x92\x62\x69\x51\x25\x05\x61\x1A\x44\x81\x8C\x2C\xA9\x43\x96\x23\xDF\xAC\x3A\x81\x9A\x0E\x29\xC5\x1C\xA9\xE9\x5D\x1E\xB6\x9E\x9E\x30\x0A\x39\xCE\xF1\x88\x80\xFB\x4B\x5D\xCC\x32\xEC\x85\x62\x43\x25\x34\x02\x56\x27\x01\x91\xB4\x3B\x70\x2A\x3F\x6E\xB1\xE8\x9C\x88\x01\x7D\x9F\xD4\xF9\xDB\x53\x6D\x60\x9D\xBF\x2C\xE7\x58\xAB\xB8\x5F\x46\xFC\xCE\xC4\x1B\x03\x3C\x09\xEB\x49\x31\x5C\x69\x46\xB3\xE0\x47\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3A\x9A\x85\x07\x10\x67\x28\xB6\xEF\xF6\xBD\x05\x41\x6E\x20\xC1\x94\xDA\x0F\xDE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x99\xDB\x5D\x79\xD5\xF9\x97\x59\x67\x03\x61\xF1\x7E\x3B\x06\x31\x75\x2D\xA1\x20\x8E\x4F\x65\x87\xB4\xF7\xA6\x9C\xBC\xD8\xE9\x2F\xD0\xDB\x5A\xEE\xCF\x74\x8C\x73\xB4\x38\x42\xDA\x05\x7B\xF8\x02\x75\xB8\xFD\xA5\xB1\xD7\xAE\xF6\xD7\xDE\x13\xCB\x53\x10\x7E\x8A\x46\xD1\x97\xFA\xB7\x2E\x2B\x11\xAB\x90\xB0\x27\x80\xF9\xE8\x9F\x5A\xE9\x37\x9F\xAB\xE4\xDF\x6C\xB3\x85\x17\x9D\x3D\xD9\x24\x4F\x79\x91\x35\xD6\x5F\x04\xEB\x80\x83\xAB\x9A\x02\x2D\xB5\x10\xF4\xD8\x90\xC7\x04\x73\x40\xED\x72\x25\xA0\xA9\x9F\xEC\x9E\xAB\x68\x12\x99\x57\xC6\x8F\x12\x3A\x09\xA4\xBD\x44\xFD\x06\x15\x37\xC1\x9B\xE4\x32\xA3\xED\x38\xE8\xD8\x64\xF3\x2C\x7E\x14\xFC\x02\xEA\x9F\xCD\xFF\x07\x68\x17\xDB\x22\x90\x38\x2D\x7A\x8D\xD1\x54\xF1\x69\xE3\x5F\x33\xCA\x7A\x3D\x7B\x0A\xE3\xCA\x7F\x5F\x39\xE5\xE2\x75\xBA\xC5\x76\x18\x33\xCE\x2C\xF0\x2F\x4C\xAD\xF7\xB1\xE7\xCE\x4F\xA8\xC4\x9B\x4A\x54\x06\xC5\x7F\x7D\xD5\x08\x0F\xE2\x1C\xFE\x7E\x17\xB8\xAC\x5E\xF6\xD4\x16\xB2\x43\x09\x0C\x4D\xF6\xA7\x6B\xB4\x99\x84\x65\xCA\x7A\x88\xE2\xE2\x44\xBE\x5C\xF7\xEA\x1C\xF5",
+	["CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US"] = "\x30\x82\x03\xDD\x30\x82\x02\xC5\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x8F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x39\x30\x39\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x8F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBD\xED\xC1\x03\xFC\xF6\x8F\xFC\x02\xB1\x6F\x5B\x9F\x48\xD9\x9D\x79\xE2\xA2\xB7\x03\x61\x56\x18\xC3\x47\xB6\xD7\xCA\x3D\x35\x2E\x89\x43\xF7\xA1\x69\x9B\xDE\x8A\x1A\xFD\x13\x20\x9C\xB4\x49\x77\x32\x29\x56\xFD\xB9\xEC\x8C\xDD\x22\xFA\x72\xDC\x27\x61\x97\xEE\xF6\x5A\x84\xEC\x6E\x19\xB9\x89\x2C\xDC\x84\x5B\xD5\x74\xFB\x6B\x5F\xC5\x89\xA5\x10\x52\x89\x46\x55\xF4\xB8\x75\x1C\xE6\x7F\xE4\x54\xAE\x4B\xF8\x55\x72\x57\x02\x19\xF8\x17\x71\x59\xEB\x1E\x28\x07\x74\xC5\x9D\x48\xBE\x6C\xB4\xF4\xA4\xB0\xF3\x64\x37\x79\x92\xC0\xEC\x46\x5E\x7F\xE1\x6D\x53\x4C\x62\xAF\xCD\x1F\x0B\x63\xBB\x3A\x9D\xFB\xFC\x79\x00\x98\x61\x74\xCF\x26\x82\x40\x63\xF3\xB2\x72\x6A\x19\x0D\x99\xCA\xD4\x0E\x75\xCC\x37\xFB\x8B\x89\xC1\x59\xF1\x62\x7F\x5F\xB3\x5F\x65\x30\xF8\xA7\xB7\x4D\x76\x5A\x1E\x76\x5E\x34\xC0\xE8\x96\x56\x99\x8A\xB3\xF0\x7F\xA4\xCD\xBD\xDC\x32\x31\x7C\x91\xCF\xE0\x5F\x11\xF8\x6B\xAA\x49\x5C\xD1\x99\x94\xD1\xA2\xE3\x63\x5B\x09\x76\xB5\x56\x62\xE1\x4B\x74\x1D\x96\xD4\x26\xD4\x08\x04\x59\xD0\x98\x0E\x0E\xE6\xDE\xFC\xC3\xEC\x1F\x90\xF1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7C\x0C\x32\x1F\xA7\xD9\x30\x7F\xC4\x7D\x68\xA3\x62\xA8\xA1\xCE\xAB\x07\x5B\x27\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x11\x59\xFA\x25\x4F\x03\x6F\x94\x99\x3B\x9A\x1F\x82\x85\x39\xD4\x76\x05\x94\x5E\xE1\x28\x93\x6D\x62\x5D\x09\xC2\xA0\xA8\xD4\xB0\x75\x38\xF1\x34\x6A\x9D\xE4\x9F\x8A\x86\x26\x51\xE6\x2C\xD1\xC6\x2D\x6E\x95\x20\x4A\x92\x01\xEC\xB8\x8A\x67\x7B\x31\xE2\x67\x2E\x8C\x95\x03\x26\x2E\x43\x9D\x4A\x31\xF6\x0E\xB5\x0C\xBB\xB7\xE2\x37\x7F\x22\xBA\x00\xA3\x0E\x7B\x52\xFB\x6B\xBB\x3B\xC4\xD3\x79\x51\x4E\xCD\x90\xF4\x67\x07\x19\xC8\x3C\x46\x7A\x0D\x01\x7D\xC5\x58\xE7\x6D\xE6\x85\x30\x17\x9A\x24\xC4\x10\xE0\x04\xF7\xE0\xF2\x7F\xD4\xAA\x0A\xFF\x42\x1D\x37\xED\x94\xE5\x64\x59\x12\x20\x77\x38\xD3\x32\x3E\x38\x81\x75\x96\x73\xFA\x68\x8F\xB1\xCB\xCE\x1F\xC5\xEC\xFA\x9C\x7E\xCF\x7E\xB1\xF1\x07\x2D\xB6\xFC\xBF\xCA\xA4\xBF\xD0\x97\x05\x4A\xBC\xEA\x18\x28\x02\x90\xBD\x54\x78\x09\x21\x71\xD3\xD1\x7D\x1D\xD9\x16\xB0\xA9\x61\x3D\xD0\x0A\x00\x22\xFC\xC7\x7B\xCB\x09\x64\x45\x0B\x3B\x40\x81\xF7\x7D\x7C\x32\xF5\x98\xCA\x58\x8E\x7D\x2A\xEE\x90\x59\x73\x64\xF9\x36\x74\x5E\x25\xA1\xF5\x66\x05\x2E\x7F\x39\x15\xA9\x2A\xFB\x50\x8B\x8E\x85\x69\xF4",
+	["CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US"] = "\x30\x82\x03\xEF\x30\x82\x02\xD7\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x3B\x30\x39\x06\x03\x55\x04\x03\x13\x32\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x39\x30\x39\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x41\x72\x69\x7A\x6F\x6E\x61\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x53\x63\x6F\x74\x74\x73\x64\x61\x6C\x65\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x3B\x30\x39\x06\x03\x55\x04\x03\x13\x32\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD5\x0C\x3A\xC4\x2A\xF9\x4E\xE2\xF5\xBE\x19\x97\x5F\x8E\x88\x53\xB1\x1F\x3F\xCB\xCF\x9F\x20\x13\x6D\x29\x3A\xC8\x0F\x7D\x3C\xF7\x6B\x76\x38\x63\xD9\x36\x60\xA8\x9B\x5E\x5C\x00\x80\xB2\x2F\x59\x7F\xF6\x87\xF9\x25\x43\x86\xE7\x69\x1B\x52\x9A\x90\xE1\x71\xE3\xD8\x2D\x0D\x4E\x6F\xF6\xC8\x49\xD9\xB6\xF3\x1A\x56\xAE\x2B\xB6\x74\x14\xEB\xCF\xFB\x26\xE3\x1A\xBA\x1D\x96\x2E\x6A\x3B\x58\x94\x89\x47\x56\xFF\x25\xA0\x93\x70\x53\x83\xDA\x84\x74\x14\xC3\x67\x9E\x04\x68\x3A\xDF\x8E\x40\x5A\x1D\x4A\x4E\xCF\x43\x91\x3B\xE7\x56\xD6\x00\x70\xCB\x52\xEE\x7B\x7D\xAE\x3A\xE7\xBC\x31\xF9\x45\xF6\xC2\x60\xCF\x13\x59\x02\x2B\x80\xCC\x34\x47\xDF\xB9\xDE\x90\x65\x6D\x02\xCF\x2C\x91\xA6\xA6\xE7\xDE\x85\x18\x49\x7C\x66\x4E\xA3\x3A\x6D\xA9\xB5\xEE\x34\x2E\xBA\x0D\x03\xB8\x33\xDF\x47\xEB\xB1\x6B\x8D\x25\xD9\x9B\xCE\x81\xD1\x45\x46\x32\x96\x70\x87\xDE\x02\x0E\x49\x43\x85\xB6\x6C\x73\xBB\x64\xEA\x61\x41\xAC\xC9\xD4\x54\xDF\x87\x2F\xC7\x22\xB2\x26\xCC\x9F\x59\x54\x68\x9F\xFC\xBE\x2A\x2F\xC4\x55\x1C\x75\x40\x60\x17\x85\x02\x55\x39\x8B\x7F\x05\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9C\x5F\x00\xDF\xAA\x01\xD7\x30\x2B\x38\x88\xA2\xB8\x6D\x4A\x9C\xF2\x11\x91\x83\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4B\x36\xA6\x84\x77\x69\xDD\x3B\x19\x9F\x67\x23\x08\x6F\x0E\x61\xC9\xFD\x84\xDC\x5F\xD8\x36\x81\xCD\xD8\x1B\x41\x2D\x9F\x60\xDD\xC7\x1A\x68\xD9\xD1\x6E\x86\xE1\x88\x23\xCF\x13\xDE\x43\xCF\xE2\x34\xB3\x04\x9D\x1F\x29\xD5\xBF\xF8\x5E\xC8\xD5\xC1\xBD\xEE\x92\x6F\x32\x74\xF2\x91\x82\x2F\xBD\x82\x42\x7A\xAD\x2A\xB7\x20\x7D\x4D\xBC\x7A\x55\x12\xC2\x15\xEA\xBD\xF7\x6A\x95\x2E\x6C\x74\x9F\xCF\x1C\xB4\xF2\xC5\x01\xA3\x85\xD0\x72\x3E\xAD\x73\xAB\x0B\x9B\x75\x0C\x6D\x45\xB7\x8E\x94\xAC\x96\x37\xB5\xA0\xD0\x8F\x15\x47\x0E\xE3\xE8\x83\xDD\x8F\xFD\xEF\x41\x01\x77\xCC\x27\xA9\x62\x85\x33\xF2\x37\x08\xEF\x71\xCF\x77\x06\xDE\xC8\x19\x1D\x88\x40\xCF\x7D\x46\x1D\xFF\x1E\xC7\xE1\xCE\xFF\x23\xDB\xC6\xFA\x8D\x55\x4E\xA9\x02\xE7\x47\x11\x46\x3E\xF4\xFD\xBD\x7B\x29\x26\xBB\xA9\x61\x62\x37\x28\xB6\x2D\x2A\xF6\x10\x86\x64\xC9\x70\xA7\xD2\xAD\xB7\x29\x70\x79\xEA\x3C\xDA\x63\x25\x9F\xFD\x68\xB7\x30\xEC\x70\xFB\x75\x8A\xB7\x6D\x60\x67\xB2\x1E\xC8\xB9\xE9\xD8\xA8\x6F\x02\x8B\x67\x0D\x4D\x26\x57\x71\xDA\x20\xFC\xC1\x4A\x50\x8D\xB1\x28\xBA",
+	["CN=AffirmTrust Commercial,O=AffirmTrust,C=US"] = "\x30\x82\x03\x4C\x30\x82\x02\x34\xA0\x03\x02\x01\x02\x02\x08\x77\x77\x06\x27\x26\xA9\xB1\x7C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x30\x36\x30\x36\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x34\x30\x36\x30\x36\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xF6\x1B\x4F\x67\x07\x2B\xA1\x15\xF5\x06\x22\xCB\x1F\x01\xB2\xE3\x73\x45\x06\x44\x49\x2C\xBB\x49\x25\x14\xD6\xCE\xC3\xB7\xAB\x2C\x4F\xC6\x41\x32\x94\x57\xFA\x12\xA7\x5B\x0E\xE2\x8F\x1F\x1E\x86\x19\xA7\xAA\xB5\x2D\xB9\x5F\x0D\x8A\xC2\xAF\x85\x35\x79\x32\x2D\xBB\x1C\x62\x37\xF2\xB1\x5B\x4A\x3D\xCA\xCD\x71\x5F\xE9\x42\xBE\x94\xE8\xC8\xDE\xF9\x22\x48\x64\xC6\xE5\xAB\xC6\x2B\x6D\xAD\x05\xF0\xFA\xD5\x0B\xCF\x9A\xE5\xF0\x50\xA4\x8B\x3B\x47\xA5\x23\x5B\x7A\x7A\xF8\x33\x3F\xB8\xEF\x99\x97\xE3\x20\xC1\xD6\x28\x89\xCF\x94\xFB\xB9\x45\xED\xE3\x40\x17\x11\xD4\x74\xF0\x0B\x31\xE2\x2B\x26\x6A\x9B\x4C\x57\xAE\xAC\x20\x3E\xBA\x45\x7A\x05\xF3\xBD\x9B\x69\x15\xAE\x7D\x4E\x20\x63\xC4\x35\x76\x3A\x07\x02\xC9\x37\xFD\xC7\x47\xEE\xE8\xF1\x76\x1D\x73\x15\xF2\x97\xA4\xB5\xC8\x7A\x79\xD9\x42\xAA\x2B\x7F\x5C\xFE\xCE\x26\x4F\xA3\x66\x81\x35\xAF\x44\xBA\x54\x1E\x1C\x30\x32\x65\x9D\xE6\x3C\x93\x5E\x50\x4E\x7A\xE3\x3A\xD4\x6E\xCC\x1A\xFB\xF9\xD2\x37\xAE\x24\x2A\xAB\x57\x03\x22\x28\x0D\x49\x75\x7F\xB7\x28\xDA\x75\xBF\x8E\xE3\xDC\x0E\x79\x31\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9D\x93\xC6\x53\x8B\x5E\xCA\xAF\x3F\x9F\x1E\x0F\xE5\x99\x95\xBC\x24\xF6\x94\x8F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x58\xAC\xF4\x04\x0E\xCD\xC0\x0D\xFF\x0A\xFD\xD4\xBA\x16\x5F\x29\xBD\x7B\x68\x99\x58\x49\xD2\xB4\x1D\x37\x4D\x7F\x27\x7D\x46\x06\x5D\x43\xC6\x86\x2E\x3E\x73\xB2\x26\x7D\x4F\x93\xA9\xB6\xC4\x2A\x9A\xAB\x21\x97\x14\xB1\xDE\x8C\xD3\xAB\x89\x15\xD8\x6B\x24\xD4\xF1\x16\xAE\xD8\xA4\x5C\xD4\x7F\x51\x8E\xED\x18\x01\xB1\x93\x63\xBD\xBC\xF8\x61\x80\x9A\x9E\xB1\xCE\x42\x70\xE2\xA9\x7D\x06\x25\x7D\x27\xA1\xFE\x6F\xEC\xB3\x1E\x24\xDA\xE3\x4B\x55\x1A\x00\x3B\x35\xB4\x3B\xD9\xD7\x5D\x30\xFD\x81\x13\x89\xF2\xC2\x06\x2B\xED\x67\xC4\x8E\xC9\x43\xB2\x5C\x6B\x15\x89\x02\xBC\x62\xFC\x4E\xF2\xB5\x33\xAA\xB2\x6F\xD3\x0A\xA2\x50\xE3\xF6\x3B\xE8\x2E\x44\xC2\xDB\x66\x38\xA9\x33\x56\x48\xF1\x6D\x1B\x33\x8D\x0D\x8C\x3F\x60\x37\x9D\xD3\xCA\x6D\x7E\x34\x7E\x0D\x9F\x72\x76\x8B\x1B\x9F\x72\xFD\x52\x35\x41\x45\x02\x96\x2F\x1C\xB2\x9A\x73\x49\x21\xB1\x49\x47\x45\x47\xB4\xEF\x6A\x34\x11\xC9\x4D\x9A\xCC\x59\xB7\xD6\x02\x9E\x5A\x4E\x65\xB5\x94\xAE\x1B\xDF\x29\xB0\x16\xF1\xBF\x00\x9E\x07\x3A\x17\x64\xB5\x04\xB5\x23\x21\x99\x0A\x95\x3B\x97\x7C\xEF",
+	["CN=AffirmTrust Networking,O=AffirmTrust,C=US"] = "\x30\x82\x03\x4C\x30\x82\x02\x34\xA0\x03\x02\x01\x02\x02\x08\x7C\x4F\x04\x39\x1C\xD4\x99\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x69\x6E\x67\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x30\x38\x32\x34\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x34\x30\x38\x32\x34\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x69\x6E\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB4\x84\xCC\x33\x17\x2E\x6B\x94\x6C\x6B\x61\x52\xA0\xEB\xA3\xCF\x79\x94\x4C\xE5\x94\x80\x99\xCB\x55\x64\x44\x65\x8F\x67\x64\xE2\x06\xE3\x5C\x37\x49\xF6\x2F\x9B\x84\x84\x1E\x2D\xF2\x60\x9D\x30\x4E\xCC\x84\x85\xE2\x2C\xCF\x1E\x9E\xFE\x36\xAB\x33\x77\x35\x44\xD8\x35\x96\x1A\x3D\x36\xE8\x7A\x0E\xD8\xD5\x47\xA1\x6A\x69\x8B\xD9\xFC\xBB\x3A\xAE\x79\x5A\xD5\xF4\xD6\x71\xBB\x9A\x90\x23\x6B\x9A\xB7\x88\x74\x87\x0C\x1E\x5F\xB9\x9E\x2D\xFA\xAB\x53\x2B\xDC\xBB\x76\x3E\x93\x4C\x08\x08\x8C\x1E\xA2\x23\x1C\xD4\x6A\xAD\x22\xBA\x99\x01\x2E\x6D\x65\xCB\xBE\x24\x66\x55\x24\x4B\x40\x44\xB1\x1B\xD7\xE1\xC2\x85\xC0\xDE\x10\x3F\x3D\xED\xB8\xFC\xF1\xF1\x23\x53\xDC\xBF\x65\x97\x6F\xD9\xF9\x40\x71\x8D\x7D\xBD\x95\xD4\xCE\xBE\xA0\x5E\x27\x23\xDE\xFD\xA6\xD0\x26\x0E\x00\x29\xEB\x3C\x46\xF0\x3D\x60\xBF\x3F\x50\xD2\xDC\x26\x41\x51\x9E\x14\x37\x42\x04\xA3\x70\x57\xA8\x1B\x87\xED\x2D\xFA\x7B\xEE\x8C\x0A\xE3\xA9\x66\x89\x19\xCB\x41\xF9\xDD\x44\x36\x61\xCF\xE2\x77\x46\xC8\x7D\xF6\xF4\x92\x81\x36\xFD\xDB\x34\xF1\x72\x7E\xF3\x0C\x16\xBD\xB4\x15\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x07\x1F\xD2\xE7\x9C\xDA\xC2\x6E\xA2\x40\xB4\xB0\x7A\x50\x10\x50\x74\xC4\xC8\xBD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x89\x57\xB2\x16\x7A\xA8\xC2\xFD\xD6\xD9\x9B\x9B\x34\xC2\x9C\xB4\x32\x14\x4D\xA7\xA4\xDF\xEC\xBE\xA7\xBE\xF8\x43\xDB\x91\x37\xCE\xB4\x32\x2E\x50\x55\x1A\x35\x4E\x76\x43\x71\x20\xEF\x93\x77\x4E\x15\x70\x2E\x87\xC3\xC1\x1D\x6D\xDC\xCB\xB5\x27\xD4\x2C\x56\xD1\x52\x53\x3A\x44\xD2\x73\xC8\xC4\x1B\x05\x65\x5A\x62\x92\x9C\xEE\x41\x8D\x31\xDB\xE7\x34\xEA\x59\x21\xD5\x01\x7A\xD7\x64\xB8\x64\x39\xCD\xC9\xED\xAF\xED\x4B\x03\x48\xA7\xA0\x99\x01\x80\xDC\x65\xA3\x36\xAE\x65\x59\x48\x4F\x82\x4B\xC8\x65\xF1\x57\x1D\xE5\x59\x2E\x0A\x3F\x6C\xD8\xD1\xF5\xE5\x09\xB4\x6C\x54\x00\x0A\xE0\x15\x4D\x87\x75\x6D\xB7\x58\x96\x5A\xDD\x6D\xD2\x00\xA0\xF4\x9B\x48\xBE\xC3\x37\xA4\xBA\x36\xE0\x7C\x87\x85\x97\x1A\x15\xA2\xDE\x2E\xA2\x5B\xBD\xAF\x18\xF9\x90\x50\xCD\x70\x59\xF8\x27\x67\x47\xCB\xC7\xA0\x07\x3A\x7D\xD1\x2C\x5D\x6C\x19\x3A\x66\xB5\x7D\xFD\x91\x6F\x82\xB1\xBE\x08\x93\xDB\x14\x47\xF1\xA2\x37\xC7\x45\x9E\x3C\xC7\x77\xAF\x64\xA8\x93\xDF\xF6\x69\x83\x82\x60\xF2\x49\x42\x34\xED\x5A\x00\x54\x85\x1C\x16\x36\x92\x0C\x5C\xFA\xA6\xAD\xBF\xDB",
+	["CN=AffirmTrust Premium,O=AffirmTrust,C=US"] = "\x30\x82\x05\x46\x30\x82\x03\x2E\xA0\x03\x02\x01\x02\x02\x08\x6D\x8C\x14\x46\xB1\xA6\x0A\xEE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x31\x30\x33\x36\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x31\x30\x33\x36\x5A\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\x12\xDF\xA9\x5F\xFE\x41\xDD\xDD\xF5\x9F\x8A\xE3\xF6\xAC\xE1\x3C\x78\x9A\xBC\xD8\xF0\x7F\x7A\xA0\x33\x2A\xDC\x8D\x20\x5B\xAE\x2D\x6F\xE7\x93\xD9\x36\x70\x6A\x68\xCF\x8E\x51\xA3\x85\x5B\x67\x04\xA0\x10\x24\x6F\x5D\x28\x82\xC1\x97\x57\xD8\x48\x29\x13\xB6\xE1\xBE\x91\x4D\xDF\x85\x0C\x53\x18\x9A\x1E\x24\xA2\x4F\x8F\xF0\xA2\x85\x0B\xCB\xF4\x29\x7F\xD2\xA4\x58\xEE\x26\x4D\xC9\xAA\xA8\x7B\x9A\xD9\xFA\x38\xDE\x44\x57\x15\xE5\xF8\x8C\xC8\xD9\x48\xE2\x0D\x16\x27\x1D\x1E\xC8\x83\x85\x25\xB7\xBA\xAA\x55\x41\xCC\x03\x22\x4B\x2D\x91\x8D\x8B\xE6\x89\xAF\x66\xC7\xE9\xFF\x2B\xE9\x3C\xAC\xDA\xD2\xB3\xC3\xE1\x68\x9C\x89\xF8\x7A\x00\x56\xDE\xF4\x55\x95\x6C\xFB\xBA\x64\xDD\x62\x8B\xDF\x0B\x77\x32\xEB\x62\xCC\x26\x9A\x9B\xBB\xAA\x62\x83\x4C\xB4\x06\x7A\x30\xC8\x29\xBF\xED\x06\x4D\x97\xB9\x1C\xC4\x31\x2B\xD5\x5F\xBC\x53\x12\x17\x9C\x99\x57\x29\x66\x77\x61\x21\x31\x07\x2E\x25\x49\x9D\x18\xF2\xEE\xF3\x2B\x71\x8C\xB5\xBA\x39\x07\x49\x77\xFC\xEF\x2E\x92\x90\x05\x8D\x2D\x2F\x77\x7B\xEF\x43\xBF\x35\xBB\x9A\xD8\xF9\x73\xA7\x2C\xF2\xD0\x57\xEE\x28\x4E\x26\x5F\x8F\x90\x68\x09\x2F\xB8\xF8\xDC\x06\xE9\x2E\x9A\x3E\x51\xA7\xD1\x22\xC4\x0A\xA7\x38\x48\x6C\xB3\xF9\xFF\x7D\xAB\x86\x57\xE3\xBA\xD6\x85\x78\x77\xBA\x43\xEA\x48\x7F\xF6\xD8\xBE\x23\x6D\x1E\xBF\xD1\x36\x6C\x58\x5C\xF1\xEE\xA4\x19\x54\x1A\xF5\x03\xD2\x76\xE6\xE1\x8C\xBD\x3C\xB3\xD3\x48\x4B\xE2\xC8\xF8\x7F\x92\xA8\x76\x46\x9C\x42\x65\x3E\xA4\x1E\xC1\x07\x03\x5A\x46\x2D\xB8\x97\xF3\xB7\xD5\xB2\x55\x21\xEF\xBA\xDC\x4C\x00\x97\xFB\x14\x95\x27\x33\xBF\xE8\x43\x47\x46\xD2\x08\x99\x16\x60\x3B\x9A\x7E\xD2\xE6\xED\x38\xEA\xEC\x01\x1E\x3C\x48\x56\x49\x09\xC7\x4C\x37\x00\x9E\x88\x0E\xC0\x73\xE1\x6F\x66\xE9\x72\x47\x30\x3E\x10\xE5\x0B\x03\xC9\x9A\x42\x00\x6C\xC5\x94\x7E\x61\xC4\x8A\xDF\x7F\x82\x1A\x0B\x59\xC4\x59\x32\x77\xB3\xBC\x60\x69\x56\x39\xFD\xB4\x06\x7B\x2C\xD6\x64\x36\xD9\xBD\x48\xED\x84\x1F\x7E\xA5\x22\x8F\x2A\xB8\x42\xF4\x82\xB7\xD4\x53\x90\x78\x4E\x2D\x1A\xFD\x81\x6F\x44\xD7\x3B\x01\x74\x96\x42\xE0\x00\xE2\x2E\x6B\xEA\xC5\xEE\x72\xAC\xBB\xBF\xFE\xEA\xAA\xA8\xF8\xDC\xF6\xB2\x79\x8A\xB6\x67\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9D\xC0\x67\xA6\x0C\x22\xD9\x26\xF5\x45\xAB\xA6\x65\x52\x11\x27\xD8\x45\xAC\x63\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xB3\x57\x4D\x10\x62\x4E\x3A\xE4\xAC\xEA\xB8\x1C\xAF\x32\x23\xC8\xB3\x49\x5A\x51\x9C\x76\x28\x8D\x79\xAA\x57\x46\x17\xD5\xF5\x52\xF6\xB7\x44\xE8\x08\x44\xBF\x18\x84\xD2\x0B\x80\xCD\xC5\x12\xFD\x00\x55\x05\x61\x87\x41\xDC\xB5\x24\x9E\x3C\xC4\xD8\xC8\xFB\x70\x9E\x2F\x78\x96\x83\x20\x36\xDE\x7C\x0F\x69\x13\x88\xA5\x75\x36\x98\x08\xA6\xC6\xDF\xAC\xCE\xE3\x58\xD6\xB7\x3E\xDE\xBA\xF3\xEB\x34\x40\xD8\xA2\x81\xF5\x78\x3F\x2F\xD5\xA5\xFC\xD9\xA2\xD4\x5E\x04\x0E\x17\xAD\xFE\x41\xF0\xE5\xB2\x72\xFA\x44\x82\x33\x42\xE8\x2D\x58\xF7\x56\x8C\x62\x3F\xBA\x42\xB0\x9C\x0C\x5C\x7E\x2E\x65\x26\x5C\x53\x4F\x00\xB2\x78\x7E\xA1\x0D\x99\x2D\x8D\xB8\x1D\x8E\xA2\xC4\xB0\xFD\x60\xD0\x30\xA4\x8E\xC8\x04\x62\xA9\xC4\xED\x35\xDE\x7A\x97\xED\x0E\x38\x5E\x92\x2F\x93\x70\xA5\xA9\x9C\x6F\xA7\x7D\x13\x1D\x7E\xC6\x08\x48\xB1\x5E\x67\xEB\x51\x08\x25\xE9\xE6\x25\x6B\x52\x29\x91\x9C\xD2\x39\x73\x08\x57\xDE\x99\x06\xB4\x5B\x9D\x10\x06\xE1\xC2\x00\xA8\xB8\x1C\x4A\x02\x0A\x14\xD0\xC1\x41\xCA\xFB\x8C\x35\x21\x7D\x82\x38\xF2\xA9\x54\x91\x19\x35\x93\x94\x6D\x6A\x3A\xC5\xB2\xD0\xBB\x89\x86\x93\xE8\x9B\xC9\x0F\x3A\xA7\x7A\xB8\xA1\xF0\x78\x46\xFA\xFC\x37\x2F\xE5\x8A\x84\xF3\xDF\xFE\x04\xD9\xA1\x68\xA0\x2F\x24\xE2\x09\x95\x06\xD5\x95\xCA\xE1\x24\x96\xEB\x7C\xF6\x93\x05\xBB\xED\x73\xE9\x2D\xD1\x75\x39\xD7\xE7\x24\xDB\xD8\x4E\x5F\x43\x8F\x9E\xD0\x14\x39\xBF\x55\x70\x48\x99\x57\x31\xB4\x9C\xEE\x4A\x98\x03\x96\x30\x1F\x60\x06\xEE\x1B\x23\xFE\x81\x60\x23\x1A\x47\x62\x85\xA5\xCC\x19\x34\x80\x6F\xB3\xAC\x1A\xE3\x9F\xF0\x7B\x48\xAD\xD5\x01\xD9\x67\xB6\xA9\x72\x93\xEA\x2D\x66\xB5\xB2\xB8\xE4\x3D\x3C\xB2\xEF\x4C\x8C\xEA\xEB\x07\xBF\xAB\x35\x9A\x55\x86\xBC\x18\xA6\xB5\xA8\x5E\xB4\x83\x6C\x6B\x69\x40\xD3\x9F\xDC\xF1\xC3\x69\x6B\xB9\xE1\x6D\x09\xF4\xF1\xAA\x50\x76\x0A\x7A\x7D\x7A\x17\xA1\x55\x96\x42\x99\x31\x09\xDD\x60\x11\x8D\x05\x30\x7E\xE6\x8E\x46\xD1\x9D\x14\xDA\xC7\x17\xE4\x05\x96\x8C\xC4\x24\xB5\x1B\xCF\x14\x07\xB2\x40\xF8\xA3\x9E\x41\x86\xBC\x04\xD0\x6B\x96\xC8\x2A\x80\x34\xFD\xBF\xEF\x06\xA3\xDD\x58\xC5\x85\x3D\x3E\x8F\xFE\x9E\x29\xE0\xB6\xB8\x09\x68\x19\x1C\x18\x43",
+	["CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US"] = "\x30\x82\x01\xFE\x30\x82\x01\x85\xA0\x03\x02\x01\x02\x02\x08\x74\x97\x25\x8A\xC7\x3F\x7A\x54\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x32\x30\x32\x34\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x32\x30\x32\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x0D\x30\x5E\x1B\x15\x9D\x03\xD0\xA1\x79\x35\xB7\x3A\x3C\x92\x7A\xCA\x15\x1C\xCD\x62\xF3\x9C\x26\x5C\x07\x3D\xE5\x54\xFA\xA3\xD6\xCC\x12\xEA\xF4\x14\x5F\xE8\x8E\x19\xAB\x2F\x2E\x48\xE6\xAC\x18\x43\x78\xAC\xD0\x37\xC3\xBD\xB2\xCD\x2C\xE6\x47\xE2\x1A\xE6\x63\xB8\x3D\x2E\x2F\x78\xC4\x4F\xDB\xF4\x0F\xA4\x68\x4C\x55\x72\x6B\x95\x1D\x4E\x18\x42\x95\x78\xCC\x37\x3C\x91\xE2\x9B\x65\x2B\x29\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xAF\x29\x7A\xC0\x11\x35\x35\x26\x51\x30\x00\xC3\x6A\xFE\x40\xD5\xAE\xD6\x3C\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x17\x09\xF3\x87\x88\x50\x5A\xAF\xC8\xC0\x42\xBF\x47\x5F\xF5\x6C\x6A\x86\xE0\xC4\x27\x74\xE4\x38\x53\xD7\x05\x7F\x1B\x34\xE3\xC6\x2F\xB3\xCA\x09\x3C\x37\x9D\xD7\xE7\xB8\x46\xF1\xFD\xA1\xE2\x71\x02\x30\x42\x59\x87\x43\xD4\x51\xDF\xBA\xD3\x09\x32\x5A\xCE\x88\x7E\x57\x3D\x9C\x5F\x42\x6B\xF5\x07\x2D\xB5\xF0\x82\x93\xF9\x59\x6F\xAE\x64\xFA\x58\xE5\x8B\x1E\xE3\x63\xBE\xB5\x81\xCD\x6F\x02\x8C\x79",
+	["CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = "\x30\x82\x03\xBB\x30\x82\x02\xA3\xA0\x03\x02\x01\x02\x02\x03\x04\x44\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x32\x31\x32\x30\x37\x33\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x32\x30\x37\x33\x37\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE3\xFB\x7D\xA3\x72\xBA\xC2\xF0\xC9\x14\x87\xF5\x6B\x01\x4E\xE1\x6E\x40\x07\xBA\x6D\x27\x5D\x7F\xF7\x5B\x2D\xB3\x5A\xC7\x51\x5F\xAB\xA4\x32\xA6\x61\x87\xB6\x6E\x0F\x86\xD2\x30\x02\x97\xF8\xD7\x69\x57\xA1\x18\x39\x5D\x6A\x64\x79\xC6\x01\x59\xAC\x3C\x31\x4A\x38\x7C\xD2\x04\xD2\x4B\x28\xE8\x20\x5F\x3B\x07\xA2\xCC\x4D\x73\xDB\xF3\xAE\x4F\xC7\x56\xD5\x5A\xA7\x96\x89\xFA\xF3\xAB\x68\xD4\x23\x86\x59\x27\xCF\x09\x27\xBC\xAC\x6E\x72\x83\x1C\x30\x72\xDF\xE0\xA2\xE9\xD2\xE1\x74\x75\x19\xBD\x2A\x9E\x7B\x15\x54\x04\x1B\xD7\x43\x39\xAD\x55\x28\xC5\xE2\x1A\xBB\xF4\xC0\xE4\xAE\x38\x49\x33\xCC\x76\x85\x9F\x39\x45\xD2\xA4\x9E\xF2\x12\x8C\x51\xF8\x7C\xE4\x2D\x7F\xF5\xAC\x5F\xEB\x16\x9F\xB1\x2D\xD1\xBA\xCC\x91\x42\x77\x4C\x25\xC9\x90\x38\x6F\xDB\xF0\xCC\xFB\x8E\x1E\x97\x59\x3E\xD5\x60\x4E\xE6\x05\x28\xED\x49\x79\x13\x4B\xBA\x48\xDB\x2F\xF9\x72\xD3\x39\xCA\xFE\x1F\xD8\x34\x72\xF5\xB4\x40\xCF\x31\x01\xC3\xEC\xDE\x11\x2D\x17\x5D\x1F\xB8\x50\xD1\x5E\x19\xA7\x69\xDE\x07\x33\x28\xCA\x50\x95\xF9\xA7\x54\xCB\x54\x86\x50\x45\xA9\xF9\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x08\x76\xCD\xCB\x07\xFF\x24\xF6\xC5\xCD\xED\xBB\x90\xBC\xE2\x84\x37\x46\x75\xF7\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA6\xA8\xAD\x22\xCE\x01\x3D\xA6\xA3\xFF\x62\xD0\x48\x9D\x8B\x5E\x72\xB0\x78\x44\xE3\xDC\x1C\xAF\x09\xFD\x23\x48\xFA\xBD\x2A\xC4\xB9\x55\x04\xB5\x10\xA3\x8D\x27\xDE\x0B\x82\x63\xD0\xEE\xDE\x0C\x37\x79\x41\x5B\x22\xB2\xB0\x9A\x41\x5C\xA6\x70\xE0\xD4\xD0\x77\xCB\x23\xD3\x00\xE0\x6C\x56\x2F\xE1\x69\x0D\x0D\xD9\xAA\xBF\x21\x81\x50\xD9\x06\xA5\xA8\xFF\x95\x37\xD0\xAA\xFE\xE2\xB3\xF5\x99\x2D\x45\x84\x8A\xE5\x42\x09\xD7\x74\x02\x2F\xF7\x89\xD8\x99\xE9\xBC\x27\xD4\x47\x8D\xBA\x0D\x46\x1C\x77\xCF\x14\xA4\x1C\xB9\xA4\x31\xC4\x9C\x28\x74\x03\x34\xFF\x33\x19\x26\xA5\xE9\x0D\x74\xB7\x3E\x97\xC6\x76\xE8\x27\x96\xA3\x66\xDD\xE1\xAE\xF2\x41\x5B\xCA\x98\x56\x83\x73\x70\xE4\x86\x1A\xD2\x31\x41\xBA\x2F\xBE\x2D\x13\x5A\x76\x6F\x4E\xE8\x4E\x81\x0E\x3F\x5B\x03\x22\xA0\x12\xBE\x66\x58\x11\x4A\xCB\x03\xC4\xB4\x2A\x2A\x2D\x96\x17\xE0\x39\x54\xBC\x48\xD3\x76\x27\x9D\x9A\x2D\x06\xA6\xC9\xEC\x39\xD2\xAB\xDB\x9F\x9A\x0B\x27\x02\x35\x29\xB1\x40\x95\xE7\xF9\xE8\x9C\x55\x88\x19\x46\xD6\xB7\x34\xF5\x7E\xCE\x39\x9A\xD9\x38\xF1\x51\xF7\x4F\x2C",
+	["CN=Certinomis - Autorit\C3\A9 Racine,OU=0002 433998903,O=Certinomis,C=FR"] = "\x30\x82\x05\x9C\x30\x82\x03\x84\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x1E\x17\x0D\x30\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x17\x0D\x32\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9D\x85\x9F\x86\xD3\xE3\xAF\xC7\xB2\x6B\x6E\x33\xE0\x9E\xB7\x42\x34\x55\x9D\xF9\x81\xBE\x63\xD8\x23\x76\x0E\x97\x54\xCD\x99\x4C\x1A\xF1\x39\xC7\x88\xD8\x17\x50\x0C\x9E\x61\xDA\xC0\x4E\x55\xDE\xE7\x5A\xB8\x7A\x4E\x77\x87\x0D\xE5\xB8\xEB\xFA\x9E\x5E\x7B\x1E\xC4\xCF\x28\x74\xC7\x93\xF5\x14\xC6\x22\x28\x04\xF9\x91\xC3\xAB\x27\x73\x6A\x0E\x2E\x4D\xF3\x2E\x28\x1F\x70\xDF\x55\x2F\x4E\xED\xC7\x71\x6F\x09\x72\x2E\xED\xD5\x32\x97\xD0\xF1\x58\x77\xD1\x60\xBC\x4E\x5E\xDB\x9A\x84\xF6\x47\x61\x45\x2B\xF6\x50\xA6\x7F\x6A\x71\x27\x48\x84\x35\x9E\xAC\xFE\x69\xA9\x9E\x7A\x5E\x35\x25\xFA\xB4\xA7\x49\x35\x77\x96\xA7\x36\x5B\xE1\xCD\xDF\x23\x70\xD8\x5D\x4C\xA5\x08\x83\xF1\xA6\x24\x38\x13\xA8\xEC\x2F\xA8\xA1\x67\xC7\xA6\x2D\x86\x47\xEE\x8A\xFC\xEC\x9B\x0E\x74\xF4\x2B\x49\x02\x7B\x90\x75\x8C\xFC\x99\x39\x01\x39\xD6\x4A\x89\xE5\x9E\x76\xAB\x3E\x96\x28\x38\x26\x8B\xDD\x8D\x8C\xC0\xF6\x01\x1E\x6F\xA5\x31\x12\x38\x7D\x95\xC2\x71\xEE\xED\x74\xAE\xE4\x36\xA2\x43\x75\xD5\xF1\x00\x9B\xE2\xE4\xD7\xCC\x42\x03\x4B\x78\x7A\xE5\x7D\xBB\xB8\xAE\x2E\x20\x93\xD3\xE4\x61\xDF\x71\xE1\x76\x67\x97\x3F\xB6\xDF\x6A\x73\x5A\x64\x22\xE5\x42\xDB\xCF\x81\x03\x93\xD8\xF4\xE3\x10\xE0\x72\xF6\x00\x70\xAC\xF0\xC1\x7A\x0F\x05\x7F\xCF\x34\x69\x45\xB5\x93\xE4\x19\xDB\x52\x16\x23\x05\x89\x0E\x8D\x48\xE4\x25\x6F\xB3\x78\xBF\x62\xF5\x07\xFA\x95\x24\xC2\x96\xB2\xE8\xA3\x23\xC2\x5D\x03\xFC\xC3\xD3\xE5\x7C\xC9\x75\x23\xD7\xF4\xF5\xBC\xDE\xE4\xDF\xCD\x80\xBF\x91\x88\x7D\xA7\x13\xB4\x39\xBA\x2C\xBA\xBD\xD1\x6B\xCC\xF3\xA5\x28\xED\x44\x9E\x7D\x52\xA3\x6F\x96\x2E\x19\x7E\x1C\xF3\x5B\xC7\x16\x8E\xBB\x60\x7D\x77\x66\x47\x54\x82\x00\x11\x60\x6C\x32\xC1\xA8\x38\x1B\xEB\x6E\x98\x13\xD6\xEE\x38\xF5\xF0\x9F\x0E\xEF\xFE\x31\x81\xC1\xD2\x24\x95\x2F\x53\x7A\x69\xA2\xF0\x0F\x86\x45\x8E\x58\x82\x2B\x4C\x22\xD4\x5E\xA0\xE7\x7D\x26\x27\x48\xDF\x25\x46\x8D\x4A\x28\x7C\x86\x9E\xF9\x9B\x1A\x59\xB9\x65\xBF\x05\xDD\xB6\x42\x5D\x3D\xE6\x00\x48\x82\x5E\x20\xF7\x11\x82\xDE\xCA\xD8\x9F\xE6\x37\x47\x26\x1E\xEB\x78\xF7\x61\xC3\x41\x64\x58\x02\x41\xF9\xDA\xE0\xD1\xF8\xF9\xE8\xFD\x52\x38\xB6\xF5\x89\xDF\x02\x03\x01\x00\x01\xA3\x5B\x30\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0D\x8C\xB6\x61\xDA\x44\xB8\xD1\x14\x7D\xC3\xBE\x7D\x5E\x48\xF0\xCE\xCA\x6A\xB0\x30\x17\x06\x03\x55\x1D\x20\x04\x10\x30\x0E\x30\x0C\x06\x0A\x2A\x81\x7A\x01\x56\x02\x02\x00\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x24\x3E\x60\x06\x7E\x1D\xEF\x3A\x3E\xDB\xEA\xAF\x1C\x9A\x2C\x01\x0B\xF4\xC5\xB5\xD9\x49\x31\xF4\x5D\x41\x8D\x89\x0C\x4E\xFF\x6C\xA2\xFD\xFF\xE2\x06\xC8\x39\x9F\xF1\x5A\xA9\xDD\x22\x58\x15\xA8\x8A\xD3\xB1\xE6\x32\x09\x82\x03\x6C\xD7\x3F\x08\xC7\xF8\xB9\xBA\x00\x6D\xB9\xD6\xFC\x52\x32\x5D\xA4\x7F\xA4\x31\x94\xBB\xB6\x4C\x38\x7F\x28\x30\x35\xFF\x9F\x23\x53\xB7\xB6\xEE\x14\x70\x00\x40\x2B\xDA\x47\xAB\x34\x7E\x5E\xA7\x56\x30\x61\x2B\x8B\x43\xAC\xFD\xB6\x88\x28\xF5\x6B\xB6\x3E\x60\x4A\xBA\x42\x90\x34\x67\x8D\xEA\xEB\x5F\x45\x54\x3B\x17\xAC\x8B\xE4\xC6\x65\x0F\xEE\xD0\x8C\x5D\x66\x39\xCE\x32\xA7\xD8\x10\x97\xC0\x7E\x34\x9C\x9F\x94\xF3\xF6\x86\x1F\xCF\x1B\x73\xAD\x94\x79\x87\x68\x70\xC3\x33\xA5\x70\xE7\xD8\xD5\x38\x94\x6F\x63\x79\xEB\xBF\x0A\x0E\x08\xE7\xC5\x2F\x0F\x42\xA0\x2B\x14\x40\xFF\x21\xE0\x05\xC5\x27\xE1\x84\x11\x13\xBA\xD6\x86\x1D\x41\x0B\x13\x23\x89\xD3\xC9\x0B\xE8\x8A\xBA\x7A\xA3\xA3\x73\x37\x35\x80\x7D\x12\xB8\x33\x77\x40\x38\xC0\xFA\x5E\x30\xD2\xF2\xB6\xA3\xB1\xD6\xA2\x95\x97\x81\x9B\x52\xED\x69\x4C\xFF\x80\xE4\x53\xDB\x54\x5B\x03\x6D\x54\x5F\xB1\xB8\xEF\x24\xBD\x6F\x9F\x11\xC3\xC7\x64\xC2\x0F\x28\x62\x85\x66\x5E\x1A\x7B\xB2\xB7\xEF\xAE\x35\xC9\x19\x33\xA8\xB8\x27\xDB\x33\x55\xBF\x68\xE1\x75\x48\x44\x56\xFB\xCD\xD3\x48\xBB\x47\x89\x3A\xAC\x69\xF5\x80\xC6\xE4\x44\x50\x2F\x54\xC4\xAA\x43\xC5\x31\x31\x58\xBD\x96\xC5\xEA\x75\x6C\x9A\x75\xB1\x4D\xF8\xF7\x97\xFF\x96\x16\xF2\x97\x4D\xE8\xF6\xF3\x11\xF9\x3A\x7D\x8A\x38\x6E\x04\xCB\xE1\xD3\x45\x15\xAA\xA5\xD1\x1D\x9D\x5D\x63\xE8\x24\xE6\x36\x14\xE2\x87\xAD\x1B\x59\xF5\x44\x9B\xFB\xD7\x77\x7C\x1F\x01\x70\x62\xA1\x20\x1A\xA2\xC5\x1A\x28\xF4\x21\x03\xEE\x2E\xD9\xC1\x80\xEA\xB9\xD9\x82\xD6\x5B\x76\xC2\xCB\x3B\xB5\xD2\x00\xF0\xA3\x0E\xE1\xAD\x6E\x40\xF7\xDB\xA0\xB4\xD0\x46\xAE\x15\xD7\x44\xC2\x4D\x35\xF9\xD2\x0B\xF2\x17\xF6\xAC\x66\xD5\x24\xB2\x4F\xD1\x1C\x99\xC0\x6E\xF5\x7D\xEB\x74\x04\xB8\xF9\x4D\x77\x09\xD7\xB4\xCF\x07\x30\x09\xF1\xB8\x00\x56\xD9\x17\x16\x16\x0A\x2B\x86\xDF\x8F\x01\x19\x1A\xE5\xBB\x82\x63\xFF\xBE\x0B\x76\x16\x5E\x37\x37\xE6\xD8\x74\x97\xA2\x99\x45\x79",
+	["CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES"] = "\x30\x82\x06\x8B\x30\x82\x05\x73\xA0\x03\x02\x01\x02\x02\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x1E\x17\x0D\x30\x31\x30\x37\x30\x36\x31\x36\x32\x32\x34\x37\x5A\x17\x0D\x32\x31\x30\x37\x30\x31\x31\x35\x32\x32\x34\x37\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\x2A\xAB\x57\x11\x37\x2F\x22\x8A\xCA\x03\x74\x1D\xCA\xED\x2D\xA2\x0B\xBC\x33\x52\x40\x26\x47\xBE\x5A\x69\xA6\x3B\x72\x36\x17\x4C\xE8\xDF\xB8\xBB\x2F\x76\xE1\x40\x46\x74\x65\x02\x90\x52\x08\xB4\xFF\xA8\x8C\xC1\xE0\xC7\x89\x56\x10\x39\x33\xEF\x68\xB4\x5F\x5F\xDA\x6D\x23\xA1\x89\x5E\x22\xA3\x4A\x06\xF0\x27\xF0\x57\xB9\xF8\xE9\x4E\x32\x77\x0A\x3F\x41\x64\xF3\xEB\x65\xEE\x76\xFE\x54\xAA\x7D\x1D\x20\xAE\xF3\xD7\x74\xC2\x0A\x5F\xF5\x08\x28\x52\x08\xCC\x55\x5D\xD2\x0F\xDB\x9A\x81\xA5\xBB\xA1\xB3\xC1\x94\xCD\x54\xE0\x32\x75\x31\x91\x1A\x62\xB2\xDE\x75\xE2\xCF\x4F\x89\xD9\x91\x90\x0F\x41\x1B\xB4\x5A\x4A\x77\xBD\x67\x83\xE0\x93\xE7\x5E\xA7\x0C\xE7\x81\xD3\xF4\x52\xAC\x53\xB2\x03\xC7\x44\x26\xFB\x79\xE5\xCB\x34\x60\x50\x10\x7B\x1B\xDB\x6B\xD7\x47\xAB\x5F\x7C\x68\xCA\x6E\x9D\x41\x03\x10\xEE\x6B\x99\x7B\x5E\x25\xA8\xC2\xAB\xE4\xC0\xF3\x5C\x9C\xE3\xBE\xCE\x31\x4C\x64\x1E\x5E\x80\xA2\xF5\x83\x7E\x0C\xD6\xCA\x8C\x55\x8E\xBE\xE0\xBE\x49\x07\x0F\xA3\x24\x41\x7A\x58\x1D\x84\xEA\x58\x12\xC8\xE1\xB7\xED\xEF\x93\xDE\x94\x08\x31\x02\x03\x01\x00\x01\xA3\x82\x03\x3B\x30\x82\x03\x37\x30\x32\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x26\x30\x24\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x16\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x02\x30\x82\x02\x34\x06\x03\x55\x1D\x20\x04\x82\x02\x2B\x30\x82\x02\x27\x30\x82\x02\x23\x06\x0A\x2B\x06\x01\x04\x01\xBF\x55\x02\x01\x00\x30\x82\x02\x13\x30\x82\x01\xE8\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\xDA\x1E\x82\x01\xD6\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x47\x00\x65\x00\x6E\x00\x65\x00\x72\x00\x61\x00\x6C\x00\x69\x00\x74\x00\x61\x00\x74\x00\x20\x00\x56\x00\x61\x00\x6C\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x61\x00\x2E\x00\x0D\x00\x0A\x00\x4C\x00\x61\x00\x20\x00\x44\x00\x65\x00\x63\x00\x6C\x00\x61\x00\x72\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x64\x00\x65\x00\x20\x00\x50\x00\x72\x00\xE1\x00\x63\x00\x74\x00\x69\x00\x63\x00\x61\x00\x73\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x71\x00\x75\x00\x65\x00\x20\x00\x72\x00\x69\x00\x67\x00\x65\x00\x20\x00\x65\x00\x6C\x00\x20\x00\x66\x00\x75\x00\x6E\x00\x63\x00\x69\x00\x6F\x00\x6E\x00\x61\x00\x6D\x00\x69\x00\x65\x00\x6E\x00\x74\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x70\x00\x72\x00\x65\x00\x73\x00\x65\x00\x6E\x00\x74\x00\x65\x00\x20\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x73\x00\x65\x00\x20\x00\x65\x00\x6E\x00\x63\x00\x75\x00\x65\x00\x6E\x00\x74\x00\x72\x00\x61\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x64\x00\x69\x00\x72\x00\x65\x00\x63\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x77\x00\x65\x00\x62\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x70\x00\x6B\x00\x69\x00\x2E\x00\x67\x00\x76\x00\x61\x00\x2E\x00\x65\x00\x73\x00\x2F\x00\x63\x00\x70\x00\x73\x30\x25\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x19\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x2F\x63\x70\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\x30\x81\x95\x06\x03\x55\x1D\x23\x04\x81\x8D\x30\x81\x8A\x80\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x82\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x24\x61\x4E\xF5\xB5\xC8\x42\x02\x2A\xB3\x5C\x75\xAD\xC5\x6D\xCA\xE7\x94\x3F\xA5\x68\x95\x88\xC1\x54\xC0\x10\x69\xA2\x12\x2F\x18\x3F\x25\x50\xA8\x7C\x4A\xEA\xC6\x09\xD9\xF4\x75\xC6\x40\xDA\xAF\x50\x9D\x3D\xA5\x16\xBB\x6D\x31\xC6\xC7\x73\x0A\x48\xFE\x20\x72\xED\x6F\xCC\xE8\x83\x61\x16\x46\x90\x01\x95\x4B\x7D\x8E\x9A\x52\x09\x2F\xF6\x6F\x1C\xE4\xA1\x71\xCF\x8C\x2A\x5A\x17\x73\x83\x47\x4D\x0F\x36\xFB\x04\x4D\x49\x51\xE2\x14\xC9\x64\x61\xFB\xD4\x14\xE0\xF4\x9E\xB7\x34\x8F\x0A\x26\xBD\x97\x5C\xF4\x79\x3A\x4A\x30\x19\xCC\xAD\x4F\xA0\x98\x8A\xB4\x31\x97\x2A\xE2\x73\x6D\x7E\x78\xB8\xF8\x88\x89\x4F\xB1\x22\x91\x64\x4B\xF5\x50\xDE\x03\xDB\xE5\xC5\x76\xE7\x13\x66\x75\x7E\x65\xFB\x01\x9F\x93\x87\x88\x9D\xF9\x46\x57\x7C\x4D\x60\xAF\x98\x73\x13\x23\xA4\x20\x91\x81\xFA\xD0\x61\x66\xB8\x7D\xD1\xAF\xD6\x6F\x1E\x6C\x3D\xE9\x11\xFD\xA9\xF9\x82\x22\x86\x99\x33\x71\x5A\xEA\x19\x57\x3D\x91\xCD\xA9\xC0\xA3\x6E\x07\x13\xA6\xC9\xED\xF8\x68\xA3\x9E\xC3\x5A\x72\x09\x87\x28\xD1\xC4\x73\xC4\x73\x18\x5F\x50\x75\x16\x31\x9F\xB7\xE8\x7C\xC3",
+	["CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT"] = "\x30\x82\x03\xCF\x30\x82\x02\xB7\xA0\x03\x02\x01\x02\x02\x03\x01\x6C\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x41\x54\x31\x48\x30\x46\x06\x03\x55\x04\x0A\x0C\x3F\x41\x2D\x54\x72\x75\x73\x74\x20\x47\x65\x73\x2E\x20\x66\x2E\x20\x53\x69\x63\x68\x65\x72\x68\x65\x69\x74\x73\x73\x79\x73\x74\x65\x6D\x65\x20\x69\x6D\x20\x65\x6C\x65\x6B\x74\x72\x2E\x20\x44\x61\x74\x65\x6E\x76\x65\x72\x6B\x65\x68\x72\x20\x47\x6D\x62\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x37\x32\x32\x30\x30\x30\x30\x5A\x17\x0D\x31\x35\x30\x38\x31\x37\x32\x32\x30\x30\x30\x30\x5A\x30\x81\x8D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x41\x54\x31\x48\x30\x46\x06\x03\x55\x04\x0A\x0C\x3F\x41\x2D\x54\x72\x75\x73\x74\x20\x47\x65\x73\x2E\x20\x66\x2E\x20\x53\x69\x63\x68\x65\x72\x68\x65\x69\x74\x73\x73\x79\x73\x74\x65\x6D\x65\x20\x69\x6D\x20\x65\x6C\x65\x6B\x74\x72\x2E\x20\x44\x61\x74\x65\x6E\x76\x65\x72\x6B\x65\x68\x72\x20\x47\x6D\x62\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x3D\x61\x6E\x03\xF3\x90\x3B\xC0\x41\x0B\x84\x80\xCD\xEC\x2A\xA3\x9D\x6B\xBB\x6E\xC2\x42\x84\xF7\x51\x14\xE1\xA0\xA8\x2D\x51\xA3\x51\xF2\xDE\x23\xF0\x34\x44\xFF\x94\xEB\xCC\x05\x23\x95\x40\xB9\x07\x78\xA5\x25\xF6\x0A\xBD\x45\x86\xE8\xD9\xBD\xC0\x04\x8E\x85\x44\x61\xEF\x7F\xA7\xC9\xFA\xC1\x25\xCC\x85\x2C\x63\x3F\x05\x60\x73\x49\x05\xE0\x60\x78\x95\x10\x4B\xDC\xF9\x11\x59\xCE\x71\x7F\x40\x9B\x8A\xAA\x24\xDF\x0B\x42\xE2\xDB\x56\xBC\x4A\xD2\xA5\x0C\x9B\xB7\x43\x3E\xDD\x83\xD3\x26\x10\x02\xCF\xEA\x23\xC4\x49\x4E\xE5\xD3\xE9\xB4\x88\xAB\x0C\xAE\x62\x92\xD4\x65\x87\xD9\x6A\xD7\xF4\x85\x9F\xE4\x33\x22\x25\xA5\xE5\xC8\x33\xBA\xC3\xC7\x41\xDC\x5F\xC6\x6A\xCC\x00\x0E\x6D\x32\xA8\xB6\x87\x36\x00\x62\x77\x9B\x1E\x1F\x34\xCB\x90\x3C\x78\x88\x74\x05\xEB\x79\xF5\x93\x71\x65\xCA\x9D\xC7\x6B\x18\x2D\x3D\x5C\x4E\xE7\xD5\xF8\x3F\x31\x7D\x8F\x87\xEC\x0A\x22\x2F\x23\xE9\xFE\xBB\x7D\xC9\xE0\xF4\xEC\xEB\x7C\xC4\xB0\xC3\x2D\x62\xB5\x9A\x71\xD6\xB1\x6A\xE8\xEC\xD9\xED\xD5\x72\xEC\xBE\x57\x01\xCE\x05\x55\x9F\xDE\xD1\x60\x88\x10\xB3\x02\x03\x01\x00\x01\xA3\x36\x30\x34\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x11\x06\x03\x55\x1D\x0E\x04\x0A\x04\x08\x44\x6A\x95\x67\x55\x79\x11\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x55\xD4\x54\xD1\x59\x48\x5C\xB3\x93\x85\xAA\xBF\x63\x2F\xE4\x80\xCE\x34\xA3\x34\x62\x3E\xF6\xD8\xEE\x67\x88\x31\x04\x03\x6F\x0B\xD4\x07\xFB\x4E\x75\x0F\xD3\x2E\xD3\xC0\x17\xC7\xC6\x28\xEC\x06\x0D\x11\x24\x0E\x0E\xA5\x5D\xBF\x8C\xB2\x13\x96\x71\xDC\xD4\xCE\x0E\x0D\x0A\x68\x32\x6C\xB9\x41\x31\x19\xAB\xB1\x07\x7B\x4D\x98\xD3\x5C\xB0\xD1\xF0\xA7\x42\xA0\xB5\xC4\x8E\xAF\xFE\xF1\x3F\xF4\xEF\x4F\x46\x00\x76\xEB\x02\xFB\xF9\x9D\xD2\x40\x96\xC7\x88\x3A\xB8\x9F\x11\x79\xF3\x80\x65\xA8\xBD\x1F\xD3\x78\x81\xA0\x51\x4C\x37\xB4\xA6\x5D\x25\x70\xD1\x66\xC9\x68\xF9\x2E\x11\x14\x68\xF1\x54\x98\x08\xAC\x26\x92\x0F\xDE\x89\x9E\xD4\xFA\xB3\x79\x2B\xD2\xA3\x79\xD4\xEC\x8B\xAC\x87\x53\x68\x42\x4C\x51\x51\x74\x1E\x1B\x27\x2E\xE3\xF5\x1F\x29\x74\x4D\xED\xAF\xF7\xE1\x92\x99\x81\xE8\xBE\x3A\xC7\x17\x50\xF6\xB7\xC6\xFC\x9B\xB0\x8A\x6B\xD6\x88\x03\x91\x8F\x06\x77\x3A\x85\x02\xDD\x98\xD5\x43\x78\x3F\xC6\x30\x15\xAC\x9B\x6B\xCB\x57\xB7\x89\x51\x8B\x3A\xE8\xC9\x84\x0C\xDB\xB1\x50\x20\x0A\x1A\x4A\xBA\x6A\x1A\xBD\xEC\x1B\xC8\xC5\x84\x9A\xCD",
+	["CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x03\x7B\x30\x82\x02\x63\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x38\x32\x38\x30\x37\x32\x34\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB0\x7E\x72\xB8\xA4\x03\x94\xE6\xA7\xDE\x09\x38\x91\x4A\x11\x40\x87\xA7\x7C\x59\x64\x14\x7B\xB5\x11\x10\xDD\xFE\xBF\xD5\xC0\xBB\x56\xE2\x85\x25\xF4\x35\x72\x0F\xF8\x53\xD0\x41\xE1\x44\x01\xC2\xB4\x1C\xC3\x31\x42\x16\x47\x85\x33\x22\x76\xB2\x0A\x6F\x0F\xE5\x25\x50\x4F\x85\x86\xBE\xBF\x98\x2E\x10\x67\x1E\xBE\x11\x05\x86\x05\x90\xC4\x59\xD0\x7C\x78\x10\xB0\x80\x5C\xB7\xE1\xC7\x2B\x75\xCB\x7C\x9F\xAE\xB5\xD1\x9D\x23\x37\x63\xA7\xDC\x42\xA2\x2D\x92\x04\x1B\x50\xC1\x7B\xB8\x3E\x1B\xC9\x56\x04\x8B\x2F\x52\x9B\xAD\xA9\x56\xE9\xC1\xFF\xAD\xA9\x58\x87\x30\xB6\x81\xF7\x97\x45\xFC\x19\x57\x3B\x2B\x6F\xE4\x47\xF4\x99\x45\xFE\x1D\xF1\xF8\x97\xA3\x88\x1D\x37\x1C\x5C\x8F\xE0\x76\x25\x9A\x50\xF8\xA0\x54\xFF\x44\x90\x76\x23\xD2\x32\xC6\xC3\xAB\x06\xBF\xFC\xFB\xBF\xF3\xAD\x7D\x92\x62\x02\x5B\x29\xD3\x35\xA3\x93\x9A\x43\x64\x60\x5D\xB2\xFA\x32\xFF\x3B\x04\xAF\x4D\x40\x6A\xF9\xC7\xE3\xEF\x23\xFD\x6B\xCB\xE5\x0F\x8B\x38\x0D\xEE\x0A\xFC\xFE\x0F\x98\x9F\x30\x31\xDD\x6C\x52\x65\xF9\x8B\x81\xBE\x22\xE1\x1C\x58\x03\xBA\x91\x1B\x89\x07\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x38\x5B\x26\x8D\xDE\x8B\x5A\xF2\x4F\x7A\x54\x83\x19\x18\xE3\x08\x35\xA6\xBA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\xD5\x77\x3D\xDA\xDF\x89\xBA\x87\x0C\x08\x54\x6A\x20\x50\x92\xBE\xB0\x41\x3D\xB9\x26\x64\x83\x0A\x2F\xE8\x40\xC0\x97\x28\x27\x82\x30\x4A\xC9\x93\xFF\x6A\xE7\xA6\x00\x7F\x89\x42\x9A\xD6\x11\xE5\x53\xCE\x2F\xCC\xF2\xDA\x05\xC4\xFE\xE2\x50\xC4\x3A\x86\x7D\xCC\xDA\x7E\x10\x09\x3B\x92\x35\x2A\x53\xB2\xFE\xEB\x2B\x05\xD9\x6C\x5D\xE6\xD0\xEF\xD3\x6A\x66\x9E\x15\x28\x85\x7A\xE8\x82\x00\xAC\x1E\xA7\x09\x69\x56\x42\xD3\x68\x51\x18\xBE\x54\x9A\xBF\x44\x41\xBA\x49\xBE\x20\xBA\x69\x5C\xEE\xB8\x77\xCD\xCE\x6C\x1F\xAD\x83\x96\x18\x7D\x0E\xB5\x14\x39\x84\xF1\x28\xE9\x2D\xA3\x9E\x7B\x1E\x7A\x72\x5A\x83\xB3\x79\x6F\xEF\xB4\xFC\xD0\x0A\xA5\x58\x4F\x46\xDF\xFB\x6D\x79\x59\xF2\x84\x22\x52\xAE\x0F\xCC\xFB\x7C\x3B\xE7\x6A\xCA\x47\x61\xC3\x7A\xF8\xD3\x92\x04\x1F\xB8\x20\x84\xE1\x36\x54\x16\xC7\x40\xDE\x3B\x8A\x73\xDC\xDF\xC6\x09\x4C\xDF\xEC\xDA\xFF\xD4\x53\x42\xA1\xC9\xF2\x62\x1D\x22\x83\x3C\x97\xC5\xF9\x19\x62\x27\xAC\x65\x22\xD7\xD3\x3C\xC6\xE5\x8E\xB2\x53\xCC\x49\xCE\xBC\x30\xFE\x7B\x0E\x33\x90\xFB\xED\xD2\x14\x91\x1F\x07\xAF",
+};
diff --git a/scripts/base/protocols/syslog/__load__.bro b/scripts/base/protocols/syslog/__load__.bro
new file mode 100644
index 0000000000..0098b81a7a
--- /dev/null
+++ b/scripts/base/protocols/syslog/__load__.bro
@@ -0,0 +1,2 @@
+@load ./consts
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.bro
new file mode 100644
index 0000000000..dce1877ecf
--- /dev/null
+++ b/scripts/base/protocols/syslog/consts.bro
@@ -0,0 +1,45 @@
+##! Constants definitions for syslog.
+
+module Syslog;
+
+export {
+	## Mapping between the constants and string values for syslog facilities.
+	const facility_codes: table[count] of string = {
+		[0]  = "KERN",
+		[1]  = "USER",
+		[2]  = "MAIL",
+		[3]  = "DAEMON",
+		[4]  = "AUTH",
+		[5]  = "SYSLOG",
+		[6]  = "LPR",
+		[7]  = "NEWS",
+		[8]  = "UUCP",
+		[9]  = "CRON",
+		[10] =  "AUTHPRIV",
+		[11] =  "FTP",
+		[12] =  "NTP",
+		[13] =  "AUDIT",
+		[14] =  "ALERT",
+		[15] =  "CLOCK",
+		[16] =  "LOCAL0",
+		[17] =  "LOCAL1",
+		[18] =  "LOCAL2",
+		[19] =  "LOCAL3",
+		[20] =  "LOCAL4",
+		[21] =  "LOCAL5",
+		[22] =  "LOCAL6",
+		[23] =  "LOCAL7",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+	
+	## Mapping between the constants and string values for syslog severities.
+	const severity_codes: table[count] of string = {
+		[0] = "EMERG",
+		[1] = "ALERT",
+		[2] = "CRIT",
+		[3] = "ERR",
+		[4] = "WARNING",
+		[5] = "NOTICE",
+		[6] = "INFO",
+		[7] = "DEBUG",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro
new file mode 100644
index 0000000000..79f89d5e71
--- /dev/null
+++ b/scripts/base/protocols/syslog/main.bro
@@ -0,0 +1,59 @@
+##! Core script support for logging syslog messages.  This script represents 
+##! one syslog message as one logged record.
+
+@load ./consts
+
+module Syslog;
+
+export {
+	redef enum Log::ID += { LOG };
+	
+	type Info: record {
+		## Timestamp of when the syslog message was seen.
+		ts:        time            &log;
+		uid:       string          &log;
+		id:        conn_id         &log;
+		## Protocol over which the message was seen.
+		proto:     transport_proto &log;
+		## Syslog facility for the message.
+		facility:  string          &log;
+		## Syslog severity for the message.
+		severity:  string          &log;
+		## The plain text message.
+		message:   string          &log;
+	};
+}
+
+redef capture_filters += { ["syslog"] = "port 514" };
+const ports = { 514/udp } &redef;
+redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
+
+redef likely_server_ports += { 514/udp };
+
+redef record connection += {
+	syslog: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Syslog::LOG, [$columns=Info]);
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
+	{
+	local info: Info;
+	info$ts=network_time();
+	info$uid=c$uid;
+	info$id=c$id;
+	info$proto=get_port_transport_proto(c$id$resp_p);
+	info$facility=facility_codes[facility];
+	info$severity=severity_codes[severity];
+	info$message=msg;
+	
+	c$syslog = info;
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
+	{
+	Log::write(Syslog::LOG, c$syslog);
+	}
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro
new file mode 100644
index 0000000000..415b9adfa9
--- /dev/null
+++ b/scripts/base/utils/addrs.bro
@@ -0,0 +1,100 @@
+##! Functions for parsing and manipulating IP addresses.
+
+# Regular expressions for matching IP addresses in strings.
+const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
+const ipv6_8hex_regex = /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/;
+const ipv6_compressed_hex_regex = /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/;
+const ipv6_hex4dec_regex = /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
+const ipv6_compressed_hex4dec_regex = /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
+
+# These are commented out until patterns can be constructed this way at init time.
+#const ipv6_addr_regex = ipv6_8hex_regex |
+#                        ipv6_compressed_hex_regex |
+#                        ipv6_hex4dec_regex |
+#                        ipv6_compressed_hex4dec_regex;
+#const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
+
+const ipv6_addr_regex =     
+    /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
+    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
+    /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/ | # 6Hex4Dec
+    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/; # CompressedHex4Dec
+
+const ip_addr_regex = 
+    /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/ |
+    /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
+    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
+    /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/ | # 6Hex4Dec
+    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/; # CompressedHex4Dec
+
+## Checks if all elements of a string array are a valid octet value.
+## octets: an array of strings to check for valid octet values.
+## Returns: T if every element is between 0 and 255, inclusive, else F.
+function has_valid_octets(octets: string_array): bool
+	{
+	local num = 0;
+	for ( i in octets )
+		{
+		num = to_count(octets[i]);
+		if ( num < 0 || 255 < num )
+			return F;
+		}
+	return T;
+	}
+
+## Checks if a string appears to be a valid IPv4 or IPv6 address.
+## ip_str: the string to check for valid IP formatting.
+## Returns: T if the string is a valid IPv4 or IPv6 address format.
+function is_valid_ip(ip_str: string): bool
+	{
+	local octets: string_array;
+	if ( ip_str == ipv4_addr_regex )
+		{
+		octets = split(ip_str, /\./);
+		if ( |octets| != 4 )
+			return F;
+		
+		return has_valid_octets(octets);
+		}
+	else if ( ip_str == ipv6_addr_regex )
+		{
+		if ( ip_str == ipv6_hex4dec_regex ||
+		     ip_str == ipv6_compressed_hex4dec_regex )
+			{
+			# the regexes for hybrid IPv6-IPv4 address formats don't for valid
+			# octets within the IPv4 part, so do that now
+			octets = split(ip_str, /\./);
+			if ( |octets| != 4 )
+				return F;
+
+			# get rid of remaining IPv6 stuff in first octet
+			local tmp = split(octets[1], /:/);
+			octets[1] = tmp[|tmp|];
+
+			return has_valid_octets(octets);
+			}
+		else
+			{
+			# pure IPv6 address formats that only use hex digits don't need
+			# any additional checks -- the regexes should be complete
+			return T;
+			}
+		}
+	return F;
+	}
+
+## Extracts all IP (v4 or v6) address strings from a given string.
+## input: a string that may contain an IP address anywhere within it.
+## Returns: an array containing all valid IP address strings found in input.
+function find_ip_addresses(input: string): string_array
+	{
+	local parts = split_all(input, ip_addr_regex);
+	local output: string_array;
+
+	for ( i in parts )
+		{
+		if ( i % 2 == 0 && is_valid_ip(parts[i]) )
+			output[|output|] = parts[i];
+		}
+	return output;
+	}
diff --git a/scripts/base/utils/conn-ids.bro b/scripts/base/utils/conn-ids.bro
new file mode 100644
index 0000000000..3a10263a95
--- /dev/null
+++ b/scripts/base/utils/conn-ids.bro
@@ -0,0 +1,38 @@
+##! Simple functions for generating ASCII strings from connection IDs.
+
+module GLOBAL;
+
+export {
+	## Takes a conn_id record and returns a string representation with the 
+	## the general data flow appearing to be from the connection originator
+	## on the left to the responder on the right.
+	global id_string: function(id: conn_id): string;
+	
+	## Takes a conn_id record and returns a string representation with the 
+	## the general data flow appearing to be from the connection responder
+	## on the right to the originator on the left.
+	global reverse_id_string: function(id: conn_id): string;
+	
+	## Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the second
+	## argument is T or F, respectively.
+	global directed_id_string: function(id: conn_id, is_orig: bool): string;
+}
+
+function id_string(id: conn_id): string
+	{
+	return fmt("%s:%d > %s:%d",
+		id$orig_h, id$orig_p,
+		id$resp_h, id$resp_p);
+	}
+
+function reverse_id_string(id: conn_id): string
+	{
+	return fmt("%s:%d < %s:%d",
+		id$orig_h, id$orig_p,
+		id$resp_h, id$resp_p);
+	}
+
+function directed_id_string(id: conn_id, is_orig: bool): string
+	{
+	return is_orig ? id_string(id) : reverse_id_string(id);
+	}
diff --git a/scripts/base/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.bro
new file mode 100644
index 0000000000..a88c4827a6
--- /dev/null
+++ b/scripts/base/utils/directions-and-hosts.bro
@@ -0,0 +1,59 @@
+@load ./site
+
+type Direction: enum {
+	## The connection originator is not within the locally-monitored network,
+	## but the other endpoint is.
+	INBOUND,
+	## The connection originator is within the locally-monitored network,
+	## but the other endpoint is not.
+	OUTBOUND,
+	## Only one endpoint is within the locally-monitored network, meaning
+	## the connection is either outbound or inbound.
+	BIDIRECTIONAL,
+	## This value doesn't match any connection.
+	NO_DIRECTION
+};
+
+## Checks whether a given connection is of a given direction with respect
+## to the locally-monitored network.
+## id: a connection record containing the originator/responder hosts.
+## d: a direction with respect to the locally-monitored network
+## Returns: T if the two connection endpoints match the given direction, else F.
+function id_matches_direction(id: conn_id, d: Direction): bool
+	{
+	if ( d == NO_DIRECTION ) return F;
+
+	local o_local = Site::is_local_addr(id$orig_h);
+	local r_local = Site::is_local_addr(id$resp_h);
+
+	if ( d == BIDIRECTIONAL )
+		return (o_local && !r_local) || (!o_local && r_local);
+	else if ( d == OUTBOUND )
+		return o_local && !r_local;
+	else if ( d == INBOUND )
+		return !o_local && r_local;
+	}
+
+type Host: enum {
+	## A host within the locally-monitored network.
+	LOCAL_HOSTS,
+	## A host not within the locally-monitored network.
+	REMOTE_HOSTS,
+	## Any host.
+	ALL_HOSTS,
+	## This value doesn't match any host.
+	NO_HOSTS
+};
+
+## Checks whether a given host (IP address) matches a given host type.
+## ip: address of a host
+## h: a host type
+## Returns: T if the given host matches the given type, else F.
+function addr_matches_host(ip: addr, h: Host): bool
+	{
+	if ( h == NO_HOSTS ) return F;
+	
+	return ( h == ALL_HOSTS ||
+	        (h == LOCAL_HOSTS && Site::is_local_addr(ip)) ||
+	        (h == REMOTE_HOSTS && !Site::is_local_addr(ip)) );
+	}
diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro
new file mode 100644
index 0000000000..8111245c24
--- /dev/null
+++ b/scripts/base/utils/files.bro
@@ -0,0 +1,26 @@
+
+## This function can be used to generate a consistent filename for when
+## contents of a file, stream, or connection are being extracted to disk.
+function generate_extraction_filename(prefix: string, c: connection, suffix: string): string
+	{
+	local conn_info = fmt("%s:%d-%s:%d", 
+	                      c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
+	
+	if ( prefix != "" )
+		conn_info = fmt("%s_%s", prefix, conn_info);
+	if ( suffix != "" )
+		conn_info = fmt("%s_%s", conn_info, suffix);
+		
+	return conn_info;
+	}
+	
+## For CONTENT-DISPOSITION headers, this function can be used to extract 
+## the filename.
+function extract_filename_from_content_disposition(data: string): string
+	{
+	local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE]=/, "");
+	# Remove quotes around the filename if they are there.
+	if ( /^\"/ in filename )
+		filename =  split_n(filename, /\"/, F, 2)[2];
+	return filename;
+	}
diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro
new file mode 100644
index 0000000000..9b100862d4
--- /dev/null
+++ b/scripts/base/utils/numbers.bro
@@ -0,0 +1,10 @@
+## Extract the first integer found in the given string.
+## If no integer can be found, 0 is returned.
+function extract_count(s: string): count
+	{
+	local parts = split_n(s, /[0-9]+/, T, 1);
+	if ( 2 in parts )
+		return to_count(parts[2]);
+	else
+		return 0;
+	}
\ No newline at end of file
diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro
new file mode 100644
index 0000000000..92f0745be4
--- /dev/null
+++ b/scripts/base/utils/paths.bro
@@ -0,0 +1,74 @@
+##! Functions to parse and manipulate UNIX style paths and directories.
+
+const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/;
+
+## Given an arbitrary string, extracts a single, absolute path (directory
+## with filename).
+## TODO: Make this work on Window's style directories.
+## input: a string that may contain an absolute path
+## Returns: the first absolute path found in input string, else an empty string
+function extract_path(input: string): string
+	{
+	const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/;
+	local parts = split_all(input, dir_pattern);
+
+	if ( |parts| < 3 )
+		return "";
+
+	return parts[2];
+	}
+
+## Compresses a given path by removing '..'s and the parent directory it
+## references and also removing '/'s.
+## dir: a path string, either relative or absolute
+## Returns: a compressed version of the input path
+function compress_path(dir: string): string
+	{
+	const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/;
+
+	local parts = split_n(dir, cdup_sep, T, 1);
+	if ( length(parts) > 1 )
+		{
+		# reaching a point with two parent dir references back-to-back means
+		# we don't know about anything higher in the tree to pop off
+		if ( parts[2] == "../.." )
+			return cat_string_array(parts);
+		if ( sub_bytes(parts[2], 0, 1) == "/" )
+			parts[2] = "/";
+		else
+			parts[2] = "";
+		dir = cat_string_array(parts);
+		return compress_path(dir);
+		}
+
+	const multislash_sep = /(\/){2,}/;
+	parts = split_all(dir, multislash_sep);
+	for ( i in parts )
+		if ( i % 2 == 0 )
+			parts[i] = "/";
+	dir = cat_string_array(parts);
+
+	# remove trailing slashes from path
+	if ( |dir| > 1 && sub_bytes(dir, |dir|, 1) == "/" )
+		dir = sub_bytes(dir, 0, |dir| - 1);
+
+	return dir;
+	}
+
+## Constructs a path to a file given a directory and a file name.
+## dir: the directory in which the file lives
+## file_name: the name of the file
+## Returns: the concatenation of the directory path and file name, or just
+##          the file name if it's already an absolute path
+function build_path(dir: string, file_name: string): string
+	{
+	return (file_name == absolute_path_pat) ?
+		file_name : cat(dir, "/", file_name);
+	}
+
+## Returns a compressed path to a file given a directory and file name.
+## See :bro:id`build_path` and :bro:id:`compress_path`.
+function build_path_compressed(dir: string, file_name: string): string
+	{
+	return compress_path(build_path(dir, file_name));
+	}
diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.bro
new file mode 100644
index 0000000000..107eebce5b
--- /dev/null
+++ b/scripts/base/utils/patterns.bro
@@ -0,0 +1,52 @@
+##! Functions for creating and working with patterns.
+
+## Given a pattern as a string with two tildes (~~) contained in it, it will
+## return a pattern with string set's elements OR'd together where the
+## double-tilde was given (this function only works at or before init time).
+## ss: a set of strings to OR together
+## pat: the pattern containing a "~~"  in it.  If a literal backslash is
+##      included, it needs to be escaped with another backslash due to Bro's
+##      string parsing reducing it to a single backslash upon rendering.
+## Returns: the input pattern with "~~" replaced by OR'd elements of input set
+function set_to_regex(ss: set[string], pat: string): pattern
+	{
+	local i: count = 0;
+	local return_pat = "";
+	for ( s in ss )
+		{
+		local tmp_pattern = convert_for_pattern(s);
+		return_pat = ( i == 0 ) ? 
+			 tmp_pattern : cat(tmp_pattern, "|", return_pat);
+		++i;
+		}
+	return string_to_pattern(sub(pat, /~~/, return_pat), F);
+	}
+
+type PatternMatchResult: record {
+	## T if a match was found, F otherwise.
+	matched: bool;
+	## Portion of string that first matched.
+	str: string;
+	## 1-based offset where match starts.
+	off: count;
+};
+
+## Matches the given pattern against the given string, returning
+## a :bro:type:`PatternMatchResult` record.
+## For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
+## ``[matched=T, str=f, off=1]``,  because the *first* match is for
+## zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``
+## returns ``[matched=T, str=oob, off=2]``
+## s: a string to match against
+## p: a pattern to match
+## Returns: a record indicating the match status
+function match_pattern(s: string, p: pattern): PatternMatchResult
+	{
+	local a = split_n(s, p, T, 1);
+
+	if ( |a| == 1 )
+		# no match
+		return [$matched = F, $str = "", $off = 0];
+	else
+		return [$matched = T, $str = a[2], $off = |a[1]| + 1];
+	}
diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.bro
new file mode 100644
index 0000000000..4aeb70fe3f
--- /dev/null
+++ b/scripts/base/utils/site.bro
@@ -0,0 +1,152 @@
+##! Definitions describing a site - which networks and DNS zones are "local"
+##! and "neighbors", and servers running particular services.
+@load ./patterns
+
+module Site;
+
+export {
+	## Address space that is considered private and unrouted.
+	## By default it has RFC defined non-routable IPv4 address space.
+	const private_address_space: set[subnet] = {
+		10.0.0.0/8, 
+		192.168.0.0/16, 
+		127.0.0.0/8, 
+		172.16.0.0/12
+	} &redef;
+
+	## Networks that are considered "local".
+	const local_nets: set[subnet] &redef;
+	
+	## This is used for retrieving the subnet when you multiple 
+	## :bro:id:`Site::local_nets`.  A membership query can be done with an 
+	## :bro:type:`addr` and the table will yield the subnet it was found 
+	## within.
+	global local_nets_table: table[subnet] of subnet = {};
+
+	## Networks that are considered "neighbors".
+	const neighbor_nets: set[subnet] &redef;
+	
+	## If local network administrators are known and they have responsibility
+	## for defined address space, then a mapping can be defined here between
+	## networks for which they have responsibility and a set of email 
+	## addresses.
+	const local_admins: table[subnet] of set[string] = {} &redef;
+
+	## DNS zones that are considered "local".
+	const local_zones: set[string] &redef;
+
+	## DNS zones that are considered "neighbors".
+	const neighbor_zones: set[string] &redef;
+
+	## Function that returns true if an address corresponds to one of
+	## the local networks, false if not.
+	global is_local_addr: function(a: addr): bool;
+	
+	## Function that returns true if an address corresponds to one of
+	## the neighbor networks, false if not.
+	global is_neighbor_addr: function(a: addr): bool;
+	
+	## Function that returns true if an address corresponds to one of
+	## the private/unrouted networks, false if not.
+	global is_private_addr: function(a: addr): bool;
+
+	## Function that returns true if a host name is within a local 
+	## DNS zone.
+	global is_local_name: function(name: string): bool;
+	
+	## Function that returns true if a host name is within a neighbor 
+	## DNS zone.
+	global is_neighbor_name: function(name: string): bool;
+	
+	## Function that returns a common separated list of email addresses
+	## that are considered administrators for the IP address provided as
+	## an argument.
+	global get_emails: function(a: addr): string;
+}
+
+# Please ignore, this is an interally used variable.
+global local_dns_suffix_regex: pattern = /MATCH_NOTHING/;
+global local_dns_neighbor_suffix_regex: pattern = /MATCH_NOTHING/;
+
+
+function is_local_addr(a: addr): bool
+	{
+	return a in local_nets;
+	}
+	
+function is_neighbor_addr(a: addr): bool
+	{
+	return a in neighbor_nets;
+	}
+	
+function is_private_addr(a: addr): bool
+	{
+	return a in private_address_space;
+	}
+	
+function is_local_name(name: string): bool
+	{
+	return local_dns_suffix_regex in name;
+	}
+	
+function is_neighbor_name(name: string): bool
+	{
+	return local_dns_neighbor_suffix_regex in name;
+	}
+
+# This is a hack for doing a for loop.
+const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32};
+	
+# TODO: make this work with IPv6
+function find_all_emails(ip: addr): set[string]
+	{
+	if ( ip !in local_admins ) return set();
+
+	local output_values: set[string] = set();
+	local tmp_subnet: subnet;
+	local i: count;
+	local emails: string;
+	for ( i in one_to_32 )
+		{
+		tmp_subnet = mask_addr(ip, one_to_32[i]);
+		for ( email in local_admins[tmp_subnet] )
+			{
+			for ( email in local_admins[tmp_subnet] )
+				{
+				if ( email != "" )
+					add output_values[email];
+				}
+			}
+		}
+	return output_values;
+	}
+
+function fmt_email_string(emails: set[string]): string
+	{
+	local output="";
+	for( email in emails )
+		{
+		if ( output == "" )
+			output = email;
+		else
+			output = fmt("%s, %s", output, email);
+		}
+	return output;
+	}
+
+function get_emails(a: addr): string
+	{
+	return fmt_email_string(find_all_emails(a));
+	}
+
+event bro_init() &priority=10
+	{
+	# Double backslashes are needed due to string parsing.
+	local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$");
+	local_dns_neighbor_suffix_regex = set_to_regex(neighbor_zones, "(^\\.?|\\.)(~~)$");
+
+	# Create the local_nets mapping table.
+	for ( cidr in Site::local_nets )
+		local_nets_table[cidr] = cidr;
+
+	}
diff --git a/scripts/base/utils/strings.bro b/scripts/base/utils/strings.bro
new file mode 100644
index 0000000000..2836f368b4
--- /dev/null
+++ b/scripts/base/utils/strings.bro
@@ -0,0 +1,54 @@
+##! Functions to assist with small string analysis and manipulation that can
+##! be implemented as Bro functions and don't need to be implemented as built 
+##! in functions.
+
+## Returns true if the given string is at least 25% composed of 8-bit
+## characters.
+function is_string_binary(s: string): bool
+	{
+	return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / |s| >= 25;
+	}
+
+## Joins a set of string together, with elements delimited by a constant string.
+## ss: a set of strings to join
+## j: the string used to join set elements
+## Returns: a string composed of the all elements of the set, delimited by the
+##          joining string.
+function join_string_set(ss: set[string], j: string): string
+	{
+	local output="";
+	local i=0;
+	for ( s in ss )
+		{
+		if ( i > 0 )
+			output = cat(output, j);
+			
+		output = cat(output, s);
+		++i;
+		}
+	return output;
+	}
+
+## Given a string, returns an escaped version.
+## s: a string to escape
+## chars: a string containing all the characters that need to be escaped
+## Returns: a string with all occurrences of any character in ``chars`` escaped
+##          using ``\``, and any literal ``\`` characters likewise escaped.
+function string_escape(s: string, chars: string): string
+	{
+	s = subst_string(s, "\\", "\\\\");
+	for ( c in chars )
+		s = subst_string(s, c, cat("\\", c));
+	return s;
+	}
+
+## Cut a number of character from the end of the given string.
+## s: a string to trim
+## tail_len: the number of characters to remove from end of string
+## Returns: the string in ``s`` with ``tail_len`` characters removed from end
+function cut_tail(s: string, tail_len: count): string
+	{
+	if ( tail_len > |s| )
+		tail_len = |s|;
+	return sub_bytes(s, 1, int_to_count(|s| - tail_len));
+	}
diff --git a/scripts/base/utils/thresholds.bro b/scripts/base/utils/thresholds.bro
new file mode 100644
index 0000000000..14bcc3b50b
--- /dev/null
+++ b/scripts/base/utils/thresholds.bro
@@ -0,0 +1,58 @@
+##! Functions for using multiple thresholds with a counting tracker.  For
+##! example, you may want to generate a notice when something happens 10 times
+##! and again when it happens 100 times but nothing in between.  You can use
+##! the :bro:id:`check_threshold` function to define your threshold points
+##! and the :bro:type:`TrackCount` variable where you are keeping track of your
+##! counter.
+
+module GLOBAL;
+
+export {
+	type TrackCount: record {
+		## The counter for the number of times something has happened.
+		n:     count &default=0;
+		## The index of the vector where the counter currently is.  This is
+		## used to track which threshold is currently being watched for.
+		index: count &default=0;
+	};
+	
+	## The thresholds you would like to use as defaults with the 
+	## :bro:id:`default_check_threshold` function.
+	const default_notice_thresholds: vector of count = {
+		30, 100, 1000, 10000, 100000, 1000000, 10000000,
+	} &redef;
+	
+	## This will check if a :bro:type:`TrackCount` variable has crossed any
+	## thresholds in a given set.
+	## v: a vector holding counts that represent thresholds
+	## tracker: the record being used to track event counter and currently
+	##          monitored threshold value
+	## Returns: T if a threshold has been crossed, else F
+	global check_threshold: function(v: vector of count, tracker: TrackCount): bool;
+	
+	## This will use the :bro:id:`default_notice_thresholds` variable to check 
+	## a :bro:type:`TrackCount` variable to see if it has crossed another 
+	## threshold.
+	global default_check_threshold: function(tracker: TrackCount): bool;
+}
+
+function new_track_count(): TrackCount
+	{
+	local tc: TrackCount;
+	return tc;
+	}
+
+function check_threshold(v: vector of count, tracker: TrackCount): bool
+	{
+	if ( tracker$index <= |v| && tracker$n >= v[tracker$index] )
+		{
+		++tracker$index;
+		return T;
+		}
+	return F;
+	}
+
+function default_check_threshold(tracker: TrackCount): bool
+	{
+	return check_threshold(default_notice_thresholds, tracker);
+	}
diff --git a/scripts/policy/frameworks/communication/listen.bro b/scripts/policy/frameworks/communication/listen.bro
new file mode 100644
index 0000000000..e366e5b4ff
--- /dev/null
+++ b/scripts/policy/frameworks/communication/listen.bro
@@ -0,0 +1,12 @@
+##! Loading this script will make the Bro instance listen for remote 
+##! Bro instances to connect.
+
+@load base/frameworks/communication
+
+module Communication;
+
+event bro_init() &priority=-10
+	{
+	enable_communication();
+	listen(listen_interface, listen_port, listen_ssl);
+	}
diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro
new file mode 100644
index 0000000000..b4769764f4
--- /dev/null
+++ b/scripts/policy/frameworks/control/controllee.bro
@@ -0,0 +1,69 @@
+##! The controllee portion of the control framework.  Load this script if remote
+##! runtime control of the Bro process is desired.
+##!
+##! A controllee only needs to load the controllee script in addition
+##! to the specific analysis scripts desired.  It may also need a node
+##! configured as a controller node in the communications nodes configuration::
+##!
+##!     bro <scripts> frameworks/control/controllee
+
+@load base/frameworks/control
+# If an instance is a controllee, it implicitly needs to listen for remote
+# connections.
+@load frameworks/communication/listen
+
+module Control;
+
+event Control::id_value_request(id: string)
+	{
+	local val = lookup_ID(id);
+	event Control::id_value_response(id, fmt("%s", val));
+	}
+
+event Control::peer_status_request()
+	{
+	local status = "";
+	for ( p in Communication::nodes )
+		{
+		local peer = Communication::nodes[p];
+		if ( ! peer$connected )
+			next;
+			
+		local res = resource_usage();
+		status += fmt("%.6f peer=%s host=%s events_in=%s events_out=%s ops_in=%s ops_out=%s bytes_in=? bytes_out=?\n",
+					network_time(),
+					peer$peer$descr, peer$host,
+					res$num_events_queued, res$num_events_dispatched,
+					res$blocking_input, res$blocking_output);
+		}
+
+	event Control::peer_status_response(status);
+	}
+
+event Control::net_stats_request()
+	{
+	local ns = net_stats();
+	local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", network_time(), 
+	                  ns$pkts_recvd, ns$pkts_dropped, ns$pkts_link);
+	event Control::net_stats_response(reply);
+	}
+	
+event Control::configuration_update_request()
+	{
+	# Generate the alias event. 
+	event Control::configuration_update();
+	
+	# Don't need to do anything in particular here, it's just indicating that
+	# the configuration is going to be updated.  This event could be handled
+	# by other scripts if they need to do some ancilliary processing if 
+	# redef-able consts are modified at runtime.
+	event Control::configuration_update_response();
+	}
+	
+event Control::shutdown_request()
+	{
+	# Send the acknowledgement event.
+	event Control::shutdown_response();
+	# Schedule the shutdown to let the current event queue flush itself first.
+	event terminate_event();
+	}
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro
new file mode 100644
index 0000000000..39647095db
--- /dev/null
+++ b/scripts/policy/frameworks/control/controller.bro
@@ -0,0 +1,114 @@
+##! This is a utility script that implements the controller interface for the
+##! control framework.  It's intended to be run to control a remote Bro 
+##! and then shutdown.
+##!
+##! It's intended to be used from the command line like this::
+##!     bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
+
+@load base/frameworks/control
+@load base/frameworks/communication
+
+module Control;
+
+# Do some sanity checking and rework the communication nodes.
+event bro_init() &priority=5
+	{
+	# We know that some command was given because this script wouldn't be
+	# loaded if there wasn't so we can feel free to throw an error here and
+	# shutdown.
+	if ( cmd !in commands )
+		{
+		# TODO: do an actual error here.  Maybe through the reporter events?
+		print fmt("The '%s' control command is unknown.", cmd);
+		terminate();
+		}
+	
+	# Establish the communication configuration and only request response
+	# messages.
+	Communication::nodes["control"] = [$host=host, $p=host_port,
+	                                   $sync=F, $connect=T,
+	                                   $class="control", $events=Control::controllee_events];
+	}
+
+
+event Control::id_value_response(id: string, val: string) &priority=-10
+	{
+	event terminate_event();
+	}
+
+event Control::peer_status_response(s: string) &priority=-10
+	{
+	event terminate_event();
+	}
+
+event Control::net_stats_response(s: string) &priority=-10
+	{
+	event terminate_event();
+	}
+	
+event Control::configuration_update_response() &priority=-10
+	{
+	event terminate_event();
+	}
+
+event Control::shutdown_response() &priority=-10
+	{
+	event terminate_event();
+	}
+	
+function configuration_update_func(p: event_peer)
+	{
+	# Send all &redef'able consts to the peer.
+	local globals = global_ids();
+    local cnt = 0;
+	for ( id in globals )
+		{
+        if ( id in ignore_ids )
+			next;
+
+		local t = globals[id];
+
+		# Skip it if the variable isn't redefinable or not const.
+		# We don't want to update non-const globals because that's usually
+		# where state is stored and those values will frequently be declared
+		# with &redef so that attributes can be redefined.
+		# 
+		# NOTE: functions are currently not fully supported for serialization and hence
+		# aren't sent.
+		if ( t$constant && t$redefinable && t$type_name != "func" )
+			{
+			send_id(p, id);
+			++cnt;
+			}
+		}
+
+	print fmt("sent %d IDs", cnt);
+	event terminate_event();
+	}
+
+event remote_connection_handshake_done(p: event_peer) &priority=-10
+	{
+	if ( cmd == "id_value" )
+		{
+		if ( arg != "" )
+			event Control::id_value_request(arg);
+		else
+			{
+			# TODO: do an actual error here.  Maybe through the reporter events?
+			print "The id_value command requires that Control::arg have some value.";
+			terminate();
+			}
+		}
+	else if ( cmd == "peer_status" )
+		event Control::peer_status_request();
+	else if ( cmd == "net_stats" )
+		event Control::net_stats_request();
+	else if ( cmd == "shutdown" )
+		event Control::shutdown_request();
+	else if ( cmd == "configuration_update" )
+		{
+		configuration_update_func(p);
+		# Signal configuration update to peer.
+		event Control::configuration_update_request();
+		}
+	}
diff --git a/policy/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro
similarity index 82%
rename from policy/detect-protocols.bro
rename to scripts/policy/frameworks/dpd/detect-protocols.bro
index 49f02e60e9..8f4e892ce4 100644
--- a/policy/detect-protocols.bro
+++ b/scripts/policy/frameworks/dpd/detect-protocols.bro
@@ -1,24 +1,20 @@
-# $Id: detect-protocols.bro,v 1.1.4.4 2006/05/31 18:07:27 sommer Exp $
-#
-# Finds connections with protocols on non-standard ports using the DPM
-# framework.
+##! Finds connections with protocols on non-standard ports with DPD.
 
-@load site
-
-@load conn-id
-@load notice
+@load base/frameworks/notice
+@load base/utils/site
+@load base/utils/conn-ids
 
 module ProtocolDetector;
 
 export {
-	redef enum Notice += {
-		ProtocolFound,	# raised for each connection found
-		ServerFound,	# raised once per dst host/port/protocol tuple
+	redef enum Notice::Type += {
+		Protocol_Found,
+		Server_Found,
 	};
 
 	# Table of (protocol, resp_h, resp_p) tuples known to be uninteresting
 	# in the given direction.  For all other protocols detected on
-	# non-standard ports, we raise a ProtocolFound notice.  (More specific
+	# non-standard ports, we raise a Protocol_Found notice.  (More specific
 	# filtering can then be done via notice_filters.)
 	#
 	# Use 0.0.0.0 for to wildcard-match any resp_h.
@@ -43,8 +39,8 @@ export {
 		# [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
 	} &redef;
 
-	# Set of analyzers for which we suppress ServerFound notices
-	# (but not ProtocolFound).  Along with avoiding clutter in the
+	# Set of analyzers for which we suppress Server_Found notices
+	# (but not Protocol_Found).  Along with avoiding clutter in the
 	# log files, this also saves memory because for these we don't
 	# need to remember which servers we already have reported, which
 	# for some can be a lot.
@@ -106,20 +102,20 @@ function do_notice(c: connection, a: count, d: dir)
 	if ( d == BOTH )
 		return;
 
-	if ( d == INCOMING && is_local_addr(c$id$resp_h) )
+	if ( d == INCOMING && Site::is_local_addr(c$id$resp_h) )
 		return;
 
-	if ( d == OUTGOING && ! is_local_addr(c$id$resp_h) )
+	if ( d == OUTGOING && ! Site::is_local_addr(c$id$resp_h) )
 		return;
 
 	local p = get_protocol(c, a);
 	local s = fmt_protocol(p);
 
-	NOTICE([$note=ProtocolFound,
+	NOTICE([$note=Protocol_Found,
 		$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
 		$sub=s, $conn=c, $n=a]);
 
-	# We report multiple ServerFound's per host if we find a new
+	# We report multiple Server_Found's per host if we find a new
 	# sub-protocol.
 	local known = [c$id$resp_h, c$id$resp_p, p$a] in servers;
 
@@ -130,7 +126,7 @@ function do_notice(c: connection, a: count, d: dir)
 
 	if ( (! known || newsub) && a !in suppress_servers )
 		{
-		NOTICE([$note=ServerFound,
+		NOTICE([$note=Server_Found,
 			$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
 				c$id$resp_p, (known ? " (update)" : "")),
 			$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]);
@@ -158,13 +154,10 @@ function report_protocols(c: connection)
 		{
 		if ( [a, c$id$resp_h, c$id$resp_p] in valids )
 			do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]);
-
 		else if ( [a, 0.0.0.0, c$id$resp_p] in valids )
 			do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]);
 		else
 			do_notice(c, a, NONE);
-
-		append_addl(c, analyzer_name(a));
 		}
 
 	delete conns[c$id];
@@ -221,20 +214,6 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
 		}
 	}
 
-# event connection_analyzer_disabled(c: connection, analyzer: count)
-# 	{
-# 	if ( c$id !in conns )
-# 		return;
-# 
-# 	delete conns[c$id][analyzer];
-# 	}
-
-function append_proto_addl(c: connection)
-	{
-	for ( a in conns[c$id] )
-		append_addl(c, fmt_protocol(get_protocol(c, a)));
-	}
-
 function found_protocol(c: connection, analyzer: count, protocol: string)
 	{
 	# Don't report anything running on a well-known port.
@@ -247,12 +226,3 @@ function found_protocol(c: connection, analyzer: count, protocol: string)
 
 	add protocols[c$id][protocol];
 	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( c$id !in conns )
-		return;
-
-	append_proto_addl(c);
-	}
-
diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro
new file mode 100644
index 0000000000..3883cd1207
--- /dev/null
+++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro
@@ -0,0 +1,29 @@
+##! This script enables logging of packet segment data when a protocol 
+##! parsing violation is encountered.  The amount of 
+##! data from the packet logged is set by the packet_segment_size variable.
+##! A caveat to logging packet data is that in some cases, the packet may
+##! not be the packet that actually caused the protocol violation.
+
+@load base/frameworks/dpd
+
+module DPD;
+
+export {
+	redef record Info += {
+		## A chunk of the payload the most likely resulted in the protocol 
+		## violation.
+		packet_segment: string &optional &log;
+	};
+
+	## Size of the packet segment to display in the DPD log.
+	const packet_segment_size: int = 255 &redef;
+}
+
+
+event protocol_violation(c: connection, atype: count, aid: count,
+                         reason: string) &priority=4
+	{
+	if ( ! c?$dpd ) return;
+	
+	c$dpd$packet_segment=fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
+	}
diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro
new file mode 100644
index 0000000000..974012963b
--- /dev/null
+++ b/scripts/policy/frameworks/metrics/conn-example.bro
@@ -0,0 +1,25 @@
+##! An example of using the metrics framework to collect connection metrics 
+##! aggregated into /24 CIDR ranges.
+
+@load base/frameworks/metrics
+@load base/utils/site
+
+redef enum Metrics::ID += { 
+	CONNS_ORIGINATED, 
+	CONNS_RESPONDED 
+};
+
+event bro_init()
+	{
+	Metrics::add_filter(CONNS_ORIGINATED, [$aggregation_mask=24, $break_interval=1mins]);
+	
+	# Site::local_nets must be defined in order for this to actually do anything.
+	Metrics::add_filter(CONNS_RESPONDED,  [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
+	}
+
+event connection_established(c: connection)
+	{
+	Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1);
+	Metrics::add_data(CONNS_RESPONDED,  [$host=c$id$resp_h], 1);
+	}
+	
diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro
new file mode 100644
index 0000000000..58ca4e6614
--- /dev/null
+++ b/scripts/policy/frameworks/metrics/http-example.bro
@@ -0,0 +1,37 @@
+##! Provides an example of aggregating and limiting collection down to 
+##! only local networks.  Additionally, the status code for the response from
+##! the request is added into the metric.
+
+@load base/frameworks/metrics
+@load base/protocols/http
+@load base/utils/site
+
+redef enum Metrics::ID += {
+	## Measures HTTP requests indexed on both the request host and the response
+	## code from the server.
+	HTTP_REQUESTS_BY_STATUS_CODE,
+
+	## Currently unfinished and not working.
+	HTTP_REQUESTS_BY_HOST_HEADER,
+};
+
+event bro_init()
+	{
+	# TODO: these are waiting on a fix with table vals + records before they will work.
+	#Metrics::add_filter(HTTP_REQUESTS_BY_HOST_HEADER, 
+	#                    [$pred(index: Metrics::Index) = { return Site::is_local_addr(index$host); },
+	#                     $aggregation_mask=24,
+	#                     $break_interval=1min]);
+	
+	# Site::local_nets must be defined in order for this to actually do anything.
+	Metrics::add_filter(HTTP_REQUESTS_BY_STATUS_CODE, [$aggregation_table=Site::local_nets_table,
+	                                                   $break_interval=1min]);
+	}
+
+event HTTP::log_http(rec: HTTP::Info)
+	{
+	if ( rec?$host )
+		Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1);
+	if ( rec?$status_code )
+		Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1);
+	}
diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro
new file mode 100644
index 0000000000..5ec675779a
--- /dev/null
+++ b/scripts/policy/frameworks/metrics/ssl-example.bro
@@ -0,0 +1,28 @@
+##! Provides an example of using the metrics framework to collect the number
+##! of times a specific server name indicator value is seen in SSL session
+##! establishments.  Names ending in google.com are being filtered out as an
+##! example of the predicate based filtering in metrics filters.
+
+@load base/frameworks/metrics
+@load base/protocols/ssl
+
+redef enum Metrics::ID += {
+	SSL_SERVERNAME,
+};
+
+event bro_init()
+	{
+	Metrics::add_filter(SSL_SERVERNAME, 
+		[$name="no-google-ssl-servers",
+		 $pred(index: Metrics::Index) = { 
+		    return (/google\.com$/ !in index$str); 
+		 },
+		 $break_interval=10secs
+		]);
+	}
+
+event SSL::log_ssl(rec: SSL::Info)
+	{
+	if ( rec?$server_name )
+		Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1);
+	}
diff --git a/scripts/policy/frameworks/signatures/detect-windows-shells.sig b/scripts/policy/frameworks/signatures/detect-windows-shells.sig
new file mode 100644
index 0000000000..39b1fd91e2
--- /dev/null
+++ b/scripts/policy/frameworks/signatures/detect-windows-shells.sig
@@ -0,0 +1,13 @@
+signature windows_reverse_shell {
+  ip-proto == tcp
+  tcp-state established,originator
+  event "ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator)"
+  payload /.*Microsoft Windows.*\x28C\x29 Copyright 1985-.*Microsoft Corp/
+}
+
+signature windows_shell {
+  ip-proto == tcp
+  tcp-state established,responder
+  event "ATTACK-RESPONSES Microsoft cmd.exe banner (normal-shell responder)"
+  payload /.*Microsoft Windows.*\x28C\x29 Copyright 1985-.*Microsoft Corp/
+}
diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro
new file mode 100644
index 0000000000..974a23dc76
--- /dev/null
+++ b/scripts/policy/frameworks/software/version-changes.bro
@@ -0,0 +1,44 @@
+##! Provides the possibly to define software names that are interesting to 
+##! watch for changes.  A notice is generated if software versions change on a
+##! host.
+
+@load base/frameworks/notice
+@load base/frameworks/software
+
+module Software;
+
+export {
+	redef enum Notice::Type += { 
+		## For certain software, a version changing may matter.  In that case, 
+		## this notice will be generated.  Software that matters if the version
+		## changes can be configured with the 
+		## :bro:id:`Software::interesting_version_changes` variable.
+		Software_Version_Change,
+	};
+	
+	## Some software is more interesting when the version changes and this is
+	## a set of all software that should raise a notice when a different 
+	## version is seen on a host.
+	const interesting_version_changes: set[string] = { } &redef;
+}
+
+event log_software(rec: Info)
+	{
+	local ts = tracked[rec$host];
+	
+	if ( rec$name in ts )
+		{
+		local old = ts[rec$name];
+	
+		# Is it a potentially interesting version change?
+		if ( rec$name in interesting_version_changes )
+			{
+			local msg = fmt("%.6f %s switched from %s to %s (%s)",
+					network_time(), rec$software_type,
+					software_fmt_version(old$version),
+					software_fmt(rec), rec$software_type);
+			NOTICE([$note=Software_Version_Change, $src=rec$host,
+			        $msg=msg, $sub=software_fmt(rec)]);
+			}
+		}
+	}
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
new file mode 100644
index 0000000000..c2c2ba5b32
--- /dev/null
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -0,0 +1,29 @@
+##! Provides a variable to define vulnerable versions of software and if a 
+##! a version of that software as old or older than the defined version a 
+##! notice will be generated.
+
+@load base/frameworks/notice
+@load base/frameworks/software
+
+module Software;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a vulnerable version of software was detected.
+		Vulnerable_Version,
+	};
+
+	## This is a table of software versions indexed by the name of the 
+	## software and yielding the latest version that is vulnerable.
+	const vulnerable_versions: table[string] of Version &redef;
+}
+
+event log_software(rec: Info)
+	{
+	if ( rec$name in vulnerable_versions &&
+	     cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 )
+		{
+		NOTICE([$note=Vulnerable_Version, $src=rec$host, 
+		        $msg=fmt("A vulnerable version of software was detected: %s", software_fmt(rec))]);
+		}
+	}
diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.bro
new file mode 100644
index 0000000000..c4790c6b32
--- /dev/null
+++ b/scripts/policy/integration/barnyard2/__load__.bro
@@ -0,0 +1,2 @@
+@load ./types
+@load ./main
diff --git a/scripts/policy/integration/barnyard2/main.bro b/scripts/policy/integration/barnyard2/main.bro
new file mode 100644
index 0000000000..1d38d80809
--- /dev/null
+++ b/scripts/policy/integration/barnyard2/main.bro
@@ -0,0 +1,56 @@
+##! This script lets Barnyard2 integrate with Bro.  It receives alerts from
+##! Barnyard2 and logs them.  In the future it will do more correlation
+##! and derive new notices from the alerts.
+
+@load ./types
+
+module Barnyard2;
+
+export {
+	redef enum Log::ID += { LOG };
+	
+	type Info: record {
+		ts:                 time      &log;
+		pid:                PacketID  &log;
+		alert:              AlertData &log;
+	};
+	
+	## This can convert a Barnyard :bro:type:`Barnyard2::PacketID` value to a 
+	## :bro:type:`conn_id` value in the case that you might need to index 
+	## into an existing data structure elsewhere within Bro.
+	global pid2cid: function(p: PacketID): conn_id;
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Barnyard2::LOG, [$columns=Info]);
+	}
+
+
+function pid2cid(p: PacketID): conn_id
+	{
+	return [$orig_h=p$src_ip, $orig_p=p$src_p, $resp_h=p$dst_ip, $resp_p=p$dst_p];
+	}
+
+event barnyard_alert(id: PacketID, alert: AlertData, msg: string, data: string)
+	{
+	Log::write(Barnyard2::LOG, [$ts=network_time(), $pid=id, $alert=alert]);
+	
+	#local proto_connection_string: string;
+	#if ( id$src_p == 0/tcp )
+	#	proto_connection_string = fmt("{PROTO:255} %s -> %s", id$src_ip, id$dst_ip);
+	#else
+	#	proto_connection_string = fmt("{%s} %s:%d -> %s:%d", 
+	#	                              to_upper(fmt("%s", get_port_transport_proto(id$dst_p))),
+	#	                              id$src_ip, id$src_p, id$dst_ip, id$dst_p);
+    #
+	#local snort_alike_msg = fmt("%.6f [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] %s", 
+	#                            sad$ts,
+	#                            sad$generator_id,
+	#                            sad$signature_id,
+	#                            sad$signature_revision,
+	#                            msg, 
+	#                            sad$classification, 
+	#                            sad$priority_id, 
+	#                            proto_connection_string);
+	}
diff --git a/scripts/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.bro
new file mode 100644
index 0000000000..6cfcbb9535
--- /dev/null
+++ b/scripts/policy/integration/barnyard2/types.bro
@@ -0,0 +1,32 @@
+##! This file is separate from the base script so that dependencies can
+##! be loaded in the correct order.
+
+module Barnyard2;
+
+export {
+	type AlertData: record {
+		sensor_id:          count;  ##< Sensor that originated this event.
+		ts:                 time;   ##< Timestamp attached to the alert.
+		signature_id:       count;  ##< Sig id for this generator.
+		generator_id:       count;  ##< Which generator generated the alert?
+		signature_revision: count;  ##< Sig revision for this id.
+		classification_id:  count;  ##< Event classification.
+		classification:     string; ##< Descriptive classification string,
+		priority_id:        count;  ##< Event priority.
+		event_id:           count;  ##< Event ID.
+	} &log;
+
+	type PacketID: record {
+		src_ip: addr;
+		src_p: port;
+		dst_ip: addr;
+		dst_p: port;
+	} &log;
+
+	## This is the event that Barnyard2 instances will send if they're 
+	## configured with the bro_alert output plugin.
+	global barnyard_alert: event(id: Barnyard2::PacketID,
+	                             alert: Barnyard2::AlertData,
+	                             msg: string,
+	                             data: string);
+}
diff --git a/scripts/policy/misc/analysis-groups.bro b/scripts/policy/misc/analysis-groups.bro
new file mode 100644
index 0000000000..17f5bab845
--- /dev/null
+++ b/scripts/policy/misc/analysis-groups.bro
@@ -0,0 +1,31 @@
+##! This script gives the capability to selectively enable and disable event 
+##! groups at runtime. No events will be raised for all members of a disabled
+##! event group.
+
+module AnalysisGroups;
+
+export {
+	## By default, all event groups are enabled. 
+	## We disable all groups in this table.
+	const disabled: set[string] &redef;
+}
+
+# Set to remember all groups which were disabled by the last update.
+global currently_disabled: set[string];
+
+# This is the event that the control framework uses when it needs to indicate
+# that an update control action happened.
+event Control::configuration_update()
+	{
+	# Reenable those which are not to be disabled anymore.
+	for ( g in currently_disabled )
+		if ( g !in disabled ) 
+			enable_event_group(g);
+	
+	# Disable those which are not already disabled.
+	for ( g in disabled )
+		if ( g !in currently_disabled )
+			disable_event_group(g);
+	
+	currently_disabled = copy(disabled);
+	}
\ No newline at end of file
diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.bro
new file mode 100644
index 0000000000..b2d23020f8
--- /dev/null
+++ b/scripts/policy/misc/capture-loss.bro
@@ -0,0 +1,85 @@
+##! This script logs evidence regarding the degree to which the packet
+##! capture process suffers from measurement loss.  
+##! The loss could be due to overload on the host or NIC performing 
+##! the packet capture or it could even be beyond the host.  If you are 
+##! capturing from a switch with a SPAN port, it's very possible that 
+##! the switch itself could be overloaded and dropping packets.
+##! Reported loss is computed in terms of number of "gap events" (ACKs 
+##! for a sequence number that's above a gap).
+
+@load base/frameworks/notice
+@load base/frameworks/metrics
+
+module CaptureLoss;
+
+export {
+	redef enum Log::ID += { LOG };
+	
+	redef enum Notice::Type += {
+		## Report if the detected capture loss exceeds the percentage
+		## threshold.
+		Too_Much_Loss
+	};
+	
+	type Info: record {
+		## Timestamp for when the measurement occurred.
+		ts:           time     &log;
+		## The time delay between this measurement and the last.
+		ts_delta:     interval &log;
+		## In the event that there are multiple Bro instances logging
+		## to the same host, this distinguishes each peer with it's
+		## individual name.
+		peer:         string   &log;
+		## Number of missed ACKs from the previous measurement interval.
+		gaps:         count    &log;
+		## Total number of ACKs seen in the previous measurement interval.
+		acks:         count    &log;
+		## Percentage of ACKs seen where the data being ACKed wasn't seen.
+		percent_lost: string   &log;
+	};
+	
+	## The interval at which capture loss reports are created.
+	const watch_interval = 15mins &redef;
+	
+	## The percentage of missed data that is considered "too much" 
+	## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be
+	## generated. The value is expressed as a double between 0 and 1 with 1
+	## being 100%
+	const too_much_loss: double = 0.1 &redef;
+}
+
+event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: count)
+	{
+	if ( last_ts == 0 )
+		{
+		schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
+		return;
+		}
+	
+	local now = network_time();
+	local g = get_gap_summary();
+	local acks = g$ack_events - last_acks;
+	local gaps = g$gap_events - last_gaps;
+	local pct_lost = (acks == 0) ? 0.0 : (100 * (1.0 * gaps) / (1.0 * acks));
+	local info: Info = [$ts=now,
+	                    $ts_delta=now-last_ts,
+	                    $peer=peer_description,
+	                    $acks=acks, $gaps=gaps, 
+	                    $percent_lost=fmt("%.3f%%", pct_lost)];
+	
+	if ( pct_lost >= too_much_loss*100 )
+		NOTICE([$note=Too_Much_Loss, 
+		        $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]);
+	
+	Log::write(LOG, info);
+	schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
+	}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(LOG, [$columns=Info]);
+
+	# We only schedule the event if we are capturing packets.
+	if ( reading_live_traffic() || reading_traces() )
+		schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
+	}
diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro
new file mode 100644
index 0000000000..468478e682
--- /dev/null
+++ b/scripts/policy/misc/loaded-scripts.bro
@@ -0,0 +1,38 @@
+##! Log the loaded scripts.
+
+module LoadedScripts;
+
+export {
+	redef enum Log::ID += { LOG };
+	
+	type Info: record {
+		## Name of the script loaded potentially with spaces included before
+		## the file name to indicate load depth.  The convention is two spaces
+		## per level of depth.
+		name: string &log;
+	};
+}
+
+const depth: table[count] of string = {
+	[0]  = "",
+	[1]  = "  ",
+	[2]  = "    ",
+	[3]  = "      ",
+	[4]  = "        ",
+	[5]  = "          ",
+	[6]  = "            ",
+	[7]  = "              ",
+	[8]  = "                ",
+	[9]  = "                  ",
+	[10] = "                    ",
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(LoadedScripts::LOG, [$columns=Info]);
+	}
+
+event bro_script_loaded(path: string, level: count)
+	{
+	Log::write(LoadedScripts::LOG, [$name=cat(depth[level], path)]);
+	}
\ No newline at end of file
diff --git a/scripts/policy/misc/profiling.bro b/scripts/policy/misc/profiling.bro
new file mode 100644
index 0000000000..31451f1a55
--- /dev/null
+++ b/scripts/policy/misc/profiling.bro
@@ -0,0 +1,18 @@
+##! Turns on profiling of Bro resource consumption.
+
+module Profiling;
+
+## Set the profiling output file.
+redef profiling_file = open_log_file("prof");
+
+## Set the cheap profiling interval.
+redef profiling_interval = 15 secs;
+
+## Set the expensive profiling interval.
+redef expensive_profiling_multiple = 20;
+
+event bro_init()
+	{
+	set_buf(profiling_file, F);
+	}
+
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro
new file mode 100644
index 0000000000..d7866fd136
--- /dev/null
+++ b/scripts/policy/misc/stats.bro
@@ -0,0 +1,83 @@
+##! Log memory/packet/lag statistics.  Differs from profiling.bro in that this
+##! is lighter-weight (much less info, and less load to generate).
+
+@load base/frameworks/notice
+
+module Stats;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## How often stats are reported.
+	const stats_report_interval = 1min &redef;
+
+	type Info: record {
+		## Timestamp for the measurement.
+		ts:            time      &log;
+		## Peer that generated this log.  Mostly for clusters.
+		peer:          string    &log;
+		## Amount of memory currently in use in MB.
+		mem:           count     &log;
+		## Number of packets processed since the last stats interval.
+		pkts_proc:     count     &log;
+		## Number of events that been processed since the last stats interval.
+		events_proc:   count     &log;
+		## Number of events that have been queued since the last stats interval.
+		events_queued: count     &log;
+
+		## Lag between the wall clock and packet timestamps if reading live traffic.
+		lag:           interval  &log &optional;
+		## Number of packets received since the last stats interval if reading
+		## live traffic.
+		pkts_recv:     count     &log &optional;
+		## Number of packets dropped since the last stats interval if reading
+		## live traffic.
+		pkts_dropped:  count     &log &optional;
+		## Number of packets seen on the link since the last stats interval
+		## if reading live traffic.
+		pkts_link:     count     &log &optional;
+	};
+
+	## Event to catch stats as they are written to the logging stream.
+	global log_stats: event(rec: Info);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats]);
+	}
+
+event check_stats(last_ts: time, last_ns: NetStats, last_res: bro_resources)
+	{
+	local now = current_time();
+	local ns = net_stats();
+	local res = resource_usage();
+
+	if ( bro_is_terminating() )
+		# No more stats will be written or scheduled when Bro is
+		# shutting down.
+		return;
+
+	local info: Info = [$ts=now, $peer=peer_description, $mem=res$mem/1000000,
+	                    $pkts_proc=res$num_packets - last_res$num_packets,
+	                    $events_proc=res$num_events_dispatched - last_res$num_events_dispatched,
+	                    $events_queued=res$num_events_queued - last_res$num_events_queued];
+
+	if ( reading_live_traffic() )
+		{
+		info$lag = now - network_time();
+		# Someone's going to have to explain what this is and add a field to the Info record.
+		# info$util = 100.0*((res$user_time + res$system_time) - (last_res$user_time + last_res$system_time))/(now-last_ts);
+		info$pkts_recv = ns$pkts_recvd - last_ns$pkts_recvd;
+		info$pkts_dropped = ns$pkts_dropped  - last_ns$pkts_dropped;
+		info$pkts_link = ns$pkts_link  - last_ns$pkts_link;
+		}
+
+	Log::write(Stats::LOG, info);
+	schedule stats_report_interval { check_stats(now, ns, res) };
+	}
+
+event bro_init()
+	{
+	schedule stats_report_interval { check_stats(current_time(), net_stats(), resource_usage()) };
+	}
diff --git a/scripts/policy/misc/trim-trace-file.bro b/scripts/policy/misc/trim-trace-file.bro
new file mode 100644
index 0000000000..8a7781b628
--- /dev/null
+++ b/scripts/policy/misc/trim-trace-file.bro
@@ -0,0 +1,38 @@
+##! Deletes the -w tracefile at regular intervals and starts a new file
+##! from scratch.
+
+module TrimTraceFile;
+
+export {
+	## The interval between times that the output tracefile is rotated.
+	const trim_interval = 10 mins &redef;
+	
+	## This event can be generated externally to this script if on-demand
+	## tracefile rotation is required with the caveat that the script doesn't
+	## currently attempt to get back on schedule automatically and the next
+	## trim will likely won't happen on the
+	## :bro:id:`TrimTraceFile::trim_interval`.
+	global go: event(first_trim: bool);
+	}
+
+event TrimTraceFile::go(first_trim: bool)
+	{
+	if ( bro_is_terminating() || trace_output_file == "" )
+		return;
+	
+	if ( ! first_trim )
+		{
+		local info = rotate_file_by_name(trace_output_file);
+		if ( info$old_name != "" )
+			system(fmt("/bin/rm %s", info$new_name));
+		}
+	
+	schedule trim_interval { TrimTraceFile::go(F) };
+	}
+
+event bro_init()
+	{
+	if ( trim_interval > 0 secs )
+		schedule trim_interval { TrimTraceFile::go(T) };
+	}
+
diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro
new file mode 100644
index 0000000000..8914a5a22a
--- /dev/null
+++ b/scripts/policy/protocols/conn/known-hosts.bro
@@ -0,0 +1,59 @@
+##! This script logs hosts that Bro determines have performed complete TCP 
+##! handshakes and logs the address once per day (by default).  The log that 
+##! is output provides an easy way to determine a count of the IP addresses in
+##! use on a network per day.
+
+@load base/utils/directions-and-hosts
+
+module Known;
+
+export {
+	## The known-hosts logging stream identifier.
+	redef enum Log::ID += { HOSTS_LOG };
+
+	## The record type which contains the column fields of the known-hosts log.
+	type HostsInfo: record {
+		## The timestamp at which the host was detected.
+		ts:      time &log;
+		## The address that was detected originating or responding to a TCP 
+		## connection.
+		host:    addr &log;
+	};
+	
+	## The hosts whose existence should be logged and tracked.
+	## See :bro:type:`Host` for possible choices.
+	const host_tracking = LOCAL_HOSTS &redef;
+	
+	## The set of all known addresses to store for preventing duplicate 
+	## logging of addresses.  It can also be used from other scripts to 
+	## inspect if an address has been seen in use.
+	## Maintain the list of known hosts for 24 hours so that the existence
+	## of each individual address is logged each day.
+	global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
+
+	## An event that can be handled to access the :bro:type:`Known::HostsInfo`
+	## record as it is sent on to the logging framework.
+	global log_known_hosts: event(rec: HostsInfo);
+}
+
+event bro_init()
+	{
+	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts]);
+	}
+
+event connection_established(c: connection) &priority=5
+	{
+	local id = c$id;
+	
+	for ( host in set(id$orig_h, id$resp_h) )
+		{
+		if ( host !in known_hosts && 
+		     c$orig$state == TCP_ESTABLISHED &&
+		     c$resp$state == TCP_ESTABLISHED &&
+		     addr_matches_host(host, host_tracking) )
+			{
+			add known_hosts[host];
+			Log::write(Known::HOSTS_LOG, [$ts=network_time(), $host=host]);
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro
new file mode 100644
index 0000000000..f494a30f82
--- /dev/null
+++ b/scripts/policy/protocols/conn/known-services.bro
@@ -0,0 +1,100 @@
+##! This script logs and tracks services.  In the case of this script, a service
+##! is defined as an IP address and port which has responded to and fully 
+##! completed a TCP handshake with another host.  If a protocol is detected
+##! during the session, the protocol will also be logged.
+
+@load base/utils/directions-and-hosts
+
+module Known;
+
+export {
+	## The known-services logging stream identifier.
+	redef enum Log::ID += { SERVICES_LOG };
+
+	## The record type which contains the column fields of the known-services
+	## log.
+	type ServicesInfo: record {
+		## The time at which the service was detected.
+		ts:             time            &log;
+		## The host address on which the service is running.
+		host:           addr            &log;
+		## The port number on which the service is running.
+		port_num:       port            &log;
+		## The transport-layer protocol which the service uses.
+		port_proto:     transport_proto &log;
+		## A set of protocols that match the service's connection payloads.
+		service:        set[string]     &log;
+	};
+	
+	## The hosts whose services should be tracked and logged.
+	## See :bro:type:`Host` for possible choices.
+	const service_tracking = LOCAL_HOSTS &redef;
+
+	## Tracks the set of daily-detected services for preventing the logging
+	## of duplicates, but can also be inspected by other scripts for
+	## different purposes.
+	global known_services: set[addr, port] &create_expire=1day &synchronized;
+
+	## Event that can be handled to access the :bro:type:`Known::ServicesInfo`
+	## record as it is sent on to the logging framework.
+	global log_known_services: event(rec: ServicesInfo);
+}
+
+redef record connection += {
+	# This field is to indicate whether or not the processing for detecting 
+	# and logging the service for this connection is complete.
+	known_services_done: bool &default=F;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
+	                                         $ev=log_known_services]);
+	}
+	
+event log_it(ts: time, a: addr, p: port, services: set[string])
+	{
+	if ( [a, p] !in known_services )
+		{
+		add known_services[a, p];
+	
+		local i: ServicesInfo;
+		i$ts=ts;
+		i$host=a;
+		i$port_num=p;
+		i$port_proto=get_port_transport_proto(p);
+		i$service=services;
+		Log::write(Known::SERVICES_LOG, i);
+		}
+	}
+	
+function known_services_done(c: connection)
+	{
+	local id = c$id;
+	c$known_services_done = T;
+	
+	if ( ! addr_matches_host(id$resp_h, service_tracking) ||
+	     "ftp-data" in c$service || # don't include ftp data sessions
+	     ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
+		return;
+	
+	# If no protocol was detected, wait a short
+	# time before attempting to log in case a protocol is detected
+	# on another connection.
+	if ( |c$service| == 0 )
+		schedule 5min { log_it(network_time(), id$resp_h, id$resp_p, c$service) };
+	else 
+		event log_it(network_time(), id$resp_h, id$resp_p, c$service);
+	}
+	
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5
+	{
+	known_services_done(c);
+	}
+
+# Handle the connection ending in case no protocol was ever detected.
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( ! c$known_services_done && c$resp$state == TCP_ESTABLISHED )
+		known_services_done(c);
+	}
diff --git a/scripts/policy/protocols/conn/weirds.bro b/scripts/policy/protocols/conn/weirds.bro
new file mode 100644
index 0000000000..9d6730819c
--- /dev/null
+++ b/scripts/policy/protocols/conn/weirds.bro
@@ -0,0 +1,44 @@
+##! This script handles core generated connection related "weird" events to 
+##! push weird information about connections into the weird framework.
+##! For live operational deployments, this can frequently cause load issues
+##! due to large numbers of these events and quite possibly shouldn't be
+##! loaded.
+
+@load base/frameworks/notice
+
+module Conn;
+
+export {
+	redef enum Notice::Type += {
+		## Possible evasion; usually just chud.
+		Retransmission_Inconsistency,
+		## Could mean packet drop; could also be chud.
+		Ack_Above_Hole,
+		## Data has sequence hole; perhaps due to filtering.
+		Content_Gap,
+	};
+}
+
+event rexmit_inconsistency(c: connection, t1: string, t2: string)
+	{
+	NOTICE([$note=Retransmission_Inconsistency,
+	        $conn=c,
+	        $msg=fmt("%s rexmit inconsistency (%s) (%s)",
+	                 id_string(c$id), t1, t2),
+	        $identifier=fmt("%s", c$id)]);
+	}
+
+event ack_above_hole(c: connection)
+	{
+	NOTICE([$note=Ack_Above_Hole, $conn=c,
+	        $msg=fmt("%s ack above a hole", id_string(c$id))]);
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	NOTICE([$note=Content_Gap, $conn=c,
+	        $msg=fmt("%s content gap (%s %d/%d)%s",
+	                 id_string(c$id), is_orig ? ">" : "<", seq, length,
+	                 is_external_connection(c) ? " [external]" : "")]);
+	}
+
diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro
new file mode 100644
index 0000000000..8c04379c1c
--- /dev/null
+++ b/scripts/policy/protocols/dns/auth-addl.bro
@@ -0,0 +1,48 @@
+##! This script adds authoritative and additional responses for the current
+##! query to the DNS log.  It can cause severe overhead due to the need
+##! for all authoritative and additional responses to have events generated.
+##! This script is not recommended for use on heavily loaded links.
+
+@load base/protocols/dns/main
+
+redef dns_skip_all_auth = F;
+redef dns_skip_all_addl = F;
+
+module DNS;
+
+export {
+	redef record Info += {
+		## Authoritative responses for the query.
+		auth:       set[string] &log &optional;
+		## Additional responses for the query.
+		addl:       set[string] &log &optional;
+	};
+}
+
+event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=4
+	{
+	# The "ready" flag will be set here.  This causes the setting from the 
+	# base script to be overridden since the base script will log immediately 
+	# after all of the ANS replies have been seen.
+	c$dns$ready=F;
+	
+	if ( ans$answer_type == DNS_AUTH )
+		{
+		if ( ! c$dns?$auth )
+			c$dns$auth = set();
+		add c$dns$auth[reply];
+		}
+	else if ( ans$answer_type == DNS_ADDL )
+		{
+		if ( ! c$dns?$addl )
+			c$dns$addl = set();
+		add c$dns$addl[reply];
+		}
+	
+	if ( c$dns?$answers && c$dns?$auth && c$dns?$addl &&
+	     c$dns$total_replies == |c$dns$answers| + |c$dns$auth| + |c$dns$addl| )
+		{
+		# *Now* all replies desired have been seen.
+		c$dns$ready = T;
+		}
+	}
diff --git a/scripts/policy/protocols/dns/detect-external-names.bro b/scripts/policy/protocols/dns/detect-external-names.bro
new file mode 100644
index 0000000000..a1897d06e7
--- /dev/null
+++ b/scripts/policy/protocols/dns/detect-external-names.bro
@@ -0,0 +1,35 @@
+##! This script detects names which are not within zones considered to be
+##! local but resolving to addresses considered local.  
+##! The :bro:id:`Site::local_zones` variable **must** be set appropriately for 
+##! this detection.
+
+@load base/frameworks/notice
+@load base/utils/site
+
+module DNS;
+
+export {
+	redef enum Notice::Type += { 
+		## Raised when a non-local name is found to be pointing at a local host.
+		## :bro:id:`Site::local_zones` variable **must** be set appropriately 
+		## for this detection.
+		External_Name,
+		};
+}
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
+	{
+	if ( |Site::local_zones| == 0 )
+		return;
+	
+	# Check for responses from remote hosts that point at local hosts
+	# but the name is not considered to be within a "local" zone.
+	if ( Site::is_local_addr(a) &&            # referring to a local host
+	     ! Site::is_local_name(ans$query) )   # name isn't in a local zone.
+		{
+		NOTICE([$note=External_Name,
+		        $msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
+		        $conn=c, 
+		        $identifier=cat(a,ans$query)]);
+		}
+	}
diff --git a/scripts/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.bro
new file mode 100644
index 0000000000..e1bd627921
--- /dev/null
+++ b/scripts/policy/protocols/ftp/detect.bro
@@ -0,0 +1,29 @@
+##! Detect various potentially bad FTP activities.
+
+@load base/frameworks/notice
+@load base/protocols/ftp
+
+module FTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a successful response to a "SITE EXEC" 
+		## command/arg pair was seen.
+		Site_Exec_Success,
+	};
+}
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=3
+	{
+	local response_xyz = parse_ftp_reply_code(code);
+	
+	# If a successful SITE EXEC command is executed, raise a notice.
+	if ( response_xyz$x == 2 &&
+	     c$ftp$cmdarg$cmd == "SITE" && 
+	     /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
+		{
+		NOTICE([$note=Site_Exec_Success, $conn=c,
+		        $msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
+		        $identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")]);
+		}
+	}
diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro
new file mode 100644
index 0000000000..0ae963d552
--- /dev/null
+++ b/scripts/policy/protocols/ftp/software.bro
@@ -0,0 +1,28 @@
+##! Software detection with the FTP protocol.
+
+# TODO:
+#
+# * Detect server software with initial 220 message
+# * Detect client software with password given for anonymous users
+#   (e.g. cyberduck@example.net)
+
+@load base/frameworks/software
+
+module FTP;
+
+export {
+	redef enum Software::Type += {
+		## Identifier for FTP clients in the software framework.
+		CLIENT,
+		## Not currently implemented.
+		SERVER,
+	};
+}
+
+event ftp_request(c: connection, command: string, arg: string) &priority=4
+	{
+	if ( command == "CLNT" )
+		{
+		Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
+		}
+	}
diff --git a/scripts/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro
new file mode 100644
index 0000000000..a0e3cb50fb
--- /dev/null
+++ b/scripts/policy/protocols/http/detect-MHR.bro
@@ -0,0 +1,37 @@
+##! Detect file downloads over HTTP that have MD5 sums matching files in Team 
+##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
+##! By default, not all file transfers will have MD5 sums calculated.  Read the
+##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
+##! how to configure which transfers will have hashes calculated.
+
+@load base/frameworks/notice
+@load base/protocols/http
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += { 
+		## The MD5 sum of a file transferred over HTTP matched in the
+		## malware hash registry.
+		Malware_Hash_Registry_Match
+	};
+}
+
+event log_http(rec: HTTP::Info)
+	{
+	if ( rec?$md5 )
+		{
+		local hash_domain = fmt("%s.malware.hash.cymru.com", rec$md5);
+		when ( local addrs = lookup_hostname(hash_domain) )
+			{
+			# 127.0.0.2 indicates that the md5 sum was found in the MHR.
+			if ( 127.0.0.2 in addrs )
+				{
+				local url = HTTP::build_url_http(rec);
+				local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);
+				NOTICE([$note=Malware_Hash_Registry_Match, 
+				        $msg=message, $id=rec$id, $URL=url]);
+				}
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/http/detect-intel.bro b/scripts/policy/protocols/http/detect-intel.bro
new file mode 100644
index 0000000000..281d705c13
--- /dev/null
+++ b/scripts/policy/protocols/http/detect-intel.bro
@@ -0,0 +1,21 @@
+##! Intelligence based HTTP detections.  Not yet working!
+
+@load base/protocols/http/main
+@load base/protocols/http/utils
+@load base/frameworks/intel/main
+
+module HTTP;
+
+event log_http(rec: Info)
+	{
+	local url = HTTP::build_url(rec);
+	local query = [$str=url, $subtype="url", $or_tags=set("malicious", "malware")];
+	if ( Intel::matcher(query) )
+		{
+		local msg = fmt("%s accessed a malicious URL from the intelligence framework", rec$id$orig_h);
+		NOTICE([$note=Intel::Detection, 
+		        $msg=msg, 
+		        $sub=HTTP::build_url_http(rec), 
+		        $id=rec$id]);
+		}
+	}
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
new file mode 100644
index 0000000000..a92565c63a
--- /dev/null
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -0,0 +1,81 @@
+##! SQL injection attack detection in HTTP.
+
+@load base/frameworks/notice
+@load base/frameworks/metrics
+@load base/protocols/http
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host performing SQL injection attacks was detected.
+		SQL_Injection_Attacker,
+		## Indicates that a host was seen to have SQL injection attacks against
+		## it.  This is tracked by IP address as opposed to hostname.
+		SQL_Injection_Victim,
+	};
+	
+	redef enum Metrics::ID += {
+		## Metric to track SQL injection attackers.
+		SQLI_ATTACKER,
+		## Metrics to track SQL injection victims.
+		SQLI_VICTIM,
+	};
+
+	redef enum Tags += {
+		## Indicator of a URI based SQL injection attack.
+		URI_SQLI,
+		## Indicator of client body based SQL injection attack.  This is 
+		## typically the body content of a POST request. Not implemented yet.
+		POST_SQLI,
+		## Indicator of a cookie based SQL injection attack. Not implemented yet.
+		COOKIE_SQLI,
+	};
+	
+	## Defines the threshold that determines if an SQL injection attack
+	## is ongoing based on the number of requests that appear to be SQL 
+	## injection attacks.
+	const sqli_requests_threshold = 50 &redef;
+	
+	## Interval at which to watch for the
+	## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+	## At the end of each interval the counter is reset.
+	const sqli_requests_interval = 5min &redef;
+
+	## Regular expression is used to match URI based SQL injections.
+	const match_sql_injection_uri = 
+		  /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
+		| /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
+		| /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
+		| /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/
+		| /[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/
+		| /\/\*![[:digit:]]{5}.*?\*\// &redef;
+}
+
+event bro_init() &priority=3
+	{
+	# Add filters to the metrics so that the metrics framework knows how to 
+	# determine when it looks like an actual attack and how to respond when
+	# thresholds are crossed.
+	
+	Metrics::add_filter(SQLI_ATTACKER, [$log=F,
+	                                   $notice_threshold=sqli_requests_threshold,
+	                                   $break_interval=sqli_requests_interval,
+	                                   $note=SQL_Injection_Attacker]);
+	Metrics::add_filter(SQLI_VICTIM, [$log=F,
+	                                 $notice_threshold=sqli_requests_threshold,
+	                                 $break_interval=sqli_requests_interval,
+	                                 $note=SQL_Injection_Victim]);
+	}
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) &priority=3
+	{
+	if ( match_sql_injection_uri in unescaped_URI )
+		{
+		add c$http$tags[URI_SQLI];
+		
+		Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
+		Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
+		}
+	}
diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro
new file mode 100644
index 0000000000..796da5c29a
--- /dev/null
+++ b/scripts/policy/protocols/http/detect-webapps.bro
@@ -0,0 +1,54 @@
+##! Detect and log web applications through the software framework.
+
+@load base/frameworks/signatures
+@load base/frameworks/software
+@load base/protocols/http
+
+module HTTP;
+
+redef signature_files += "protocols/http/detect-webapps.sig";
+# Ignore the signatures used to match webapps
+redef Signatures::ignored_ids += /^webapp-/;
+
+export {
+	redef enum Software::Type += {
+		## Identifier for web applications in the software framework.
+		WEB_APPLICATION,
+	};
+
+	redef record Software::Info += {
+		## Most root URL where the software was discovered.
+		url:   string &optional &log;
+	};
+}
+
+event signature_match(state: signature_state, msg: string, data: string) &priority=5
+	{
+	if ( /^webapp-/ !in state$sig_id ) return;
+	
+	local c = state$conn;
+	local si = Software::Info;
+	si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
+	si$url = build_url_http(c$http);
+	if ( c$id$resp_h in Software::tracked &&
+	     si$name in Software::tracked[c$id$resp_h] )
+		{
+		# If the new url is a substring of an existing, known url then let's
+		# use that as the new url for the software.
+		# PROBLEM: different version of the same software on the same server with a shared root path
+		local is_substring = 0;
+		if ( Software::tracked[c$id$resp_h][si$name]?$url &&
+		     |si$url| <= |Software::tracked[c$id$resp_h][si$name]$url| )
+			is_substring = strstr(Software::tracked[c$id$resp_h][si$name]$url, si$url);
+		
+		if ( is_substring == 1 )
+			{
+			Software::tracked[c$id$resp_h][si$name]$url = si$url;
+			# Force the software to be logged because it indicates a URL
+			# closer to the root of the site.
+			si$force_log = T;
+			}
+		}
+	
+	Software::found(c$id, si);
+	}
diff --git a/scripts/policy/protocols/http/detect-webapps.sig b/scripts/policy/protocols/http/detect-webapps.sig
new file mode 100644
index 0000000000..2a4e30bf31
--- /dev/null
+++ b/scripts/policy/protocols/http/detect-webapps.sig
@@ -0,0 +1,85 @@
+signature webapp-wordpress {
+	http-reply-body /.*(<link rel=(\"|')stylesheet(\"|') [^>]+wp-content|<meta name=(\"|')generator(\"|') [^>]+WordPress[^\"]+)/
+	event "WordPress"
+}
+
+signature webapp-xoops {
+	http-reply-body /.*<meta name=(\"|')generator(\"|') [^>]+XOOPS/
+	event "Xoops"
+}
+
+signature webapp-phpmyadmin {
+	http-reply-body /.*(var pma_absolute_uri = '|PMA_sendHeaderLocation\(|<title>phpMyAdmin<\/title>)/
+	event "phpMyAdmin"
+}
+
+signature webapp-phppgadmin {
+	http-reply-body /.*(<title>phpPgAdmin<\/title>|<span class=(\"|')appname(\"|')>phpPgAdmin)/
+	event "phpPgAdmin"
+}
+
+signature webapp-phpbb {
+	http-reply-body /.*(Powered by (<a href=(\"|')[^>]+)?phpBB|<meta name=(\"|')copyright(\"|') [^>]+phpBB Group)/
+	event "phpBB"
+}
+
+signature webapp-joomla {
+	http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+Joomla|<!\-\- JoomlaWorks \"K2\")/
+	http-reply-header /X-Content-Encoded-By: Joomla/
+	event "Joomla"
+}
+
+signature webapp-google-analytics {
+	http-reply-body /.*(\.google\-analytics\.com\/ga\.js|<script src=(\"|')[^\"]+google\-analytics\.com\/urchin\.js(\"|'))/
+	event "Google Analytics"
+}
+
+signature webapp-cpanel {
+	http-reply-body /.*<!-- cPanel/
+	event "cPanel"
+}
+
+signature webapp-mediawiki {
+	http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+MediaWiki|<a[^>]+>Powered by MediaWiki<\/a>)/
+	event "MediaWiki"
+}
+
+signature webapp-moodle {
+	http-reply-body /.*(var moodleConfigFn = function\(me\)|<img[^>]+moodlelogo)/
+	event "Moodle"
+}
+
+signature webapp-oscommerce {
+	http-reply-body /.*<!-- header_eof \/\/-->/
+	event "osCommerce"
+}
+
+signature webapp-plesk {
+	http-reply-body /.*<script[^>]* src=(\"|')[^>]*common\.js\?plesk/
+	event "Plesk"
+}
+
+signature webapp-plone {
+	http-reply-body /.*<meta name=(\"|')generator(\"|') [^>]+Plone/
+	event "Plone"
+}
+
+signature webapp-redmine {
+	http-reply-body /.*(<meta name=(\"|')description(\"|')Redmine(\"|')|Powered by <a href=(\"|')[^>]+Redmine)/
+	event "Redmine"
+}
+
+signature webapp-trac {
+	http-reply-body /.*(<a id=(\"|')tracpowered)/
+	event "Trac"
+}
+
+signature webapp-typo3 {
+	http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+TYPO3|<(script[^>]* src|link[^>]* href)=[^>]*fileadmin)/
+	event "Typo3"
+}
+
+signature webapp-drupal {
+	http-reply-body /.*(<script [^>]+drupal\.js|jQuery\.extend\(Drupal\.settings, \{|Drupal\.extend\(\{ settings: \{|<link[^>]+sites\/(default|all)\/themes\/|<style[^>]+sites\/(default|all)\/(themes|modules)\/)/
+	event "Drupal"
+}
\ No newline at end of file
diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.bro
new file mode 100644
index 0000000000..bd0e55f02f
--- /dev/null
+++ b/scripts/policy/protocols/http/header-names.bro
@@ -0,0 +1,45 @@
+##! Extract and include the header names used for each request in the HTTP
+##! logging stream.  The headers in the logging stream will be stored in the
+##! same order which they were seen on the wire.
+
+@load base/protocols/http/main
+
+module HTTP;
+
+export {
+	redef record Info += {
+		## The vector of HTTP header names sent by the client.  No header 
+		## values are included here, just the header names.
+		client_header_names:  vector of string &log &optional;
+		
+		## The vector of HTTP header names sent by the server.  No header 
+		## values are included here, just the header names.
+		server_header_names:  vector of string &log &optional;
+	};
+	
+	## A boolean value to determine if client header names are to be logged.
+	const log_client_header_names = T &redef;
+	
+	## A boolean value to determine if server header names are to be logged.
+	const log_server_header_names = F &redef;
+}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
+	{
+	if ( ! is_orig || ! c?$http )
+		return;
+	
+	if ( log_client_header_names )
+		{
+		if ( ! c$http?$client_header_names )
+			c$http$client_header_names = vector();
+		c$http$client_header_names[|c$http$client_header_names|] = name;
+		}
+		
+	if ( log_server_header_names )
+		{
+		if ( ! c$http?$server_header_names )
+			c$http$server_header_names = vector();
+		c$http$server_header_names[|c$http$server_header_names|] = name;
+		}
+	}
diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro
new file mode 100644
index 0000000000..b466a9da40
--- /dev/null
+++ b/scripts/policy/protocols/http/software-browser-plugins.bro
@@ -0,0 +1,60 @@
+##! Detect browser plugins as they leak through requests to Omniture 
+##! advertising servers.
+
+@load base/protocols/http
+@load base/frameworks/software
+
+module HTTP;
+
+export {
+	redef record Info += {
+		## Indicates if the server is an omniture advertising server.
+		omniture: bool &default=F;
+	};
+	
+	redef enum Software::Type += {
+		## Identifier for browser plugins in the software framework.
+		BROWSER_PLUGIN
+	};
+}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
+	{
+	if ( is_orig )
+		{
+		if ( name == "X-FLASH-VERSION" )
+			{
+			# Flash doesn't include it's name so we'll add it here since it 
+			# simplifies the version parsing.
+			value = cat("Flash/", value);
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
+			}
+		}
+	else
+		{
+		# Find if the server is Omniture
+		if ( name == "SERVER" && /^Omniture/ in value )
+			c$http$omniture = T;
+		}
+	}
+
+event log_http(rec: Info)
+	{
+	# We only want to inspect requests that were sent to omniture advertising 
+	# servers.
+	if ( rec$omniture && rec?$uri )
+		{
+		# We do {5,} because sometimes we see p=6 in the urls.
+		local parts = split_n(rec$uri, /&p=([^&]{5,});&/, T, 1);
+		if ( 2 in parts )
+			{
+			# We do sub_bytes here just to remove the extra extracted 
+			# characters from the regex split above.
+			local sw = sub_bytes(parts[2], 4, |parts[2]|-5);
+			local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/);
+			
+			for ( i in plugins )
+				Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro
new file mode 100644
index 0000000000..2ad4246a56
--- /dev/null
+++ b/scripts/policy/protocols/http/software.bro
@@ -0,0 +1,40 @@
+##! Software identification and extraction for HTTP traffic.
+
+@load base/frameworks/software
+
+module HTTP;
+
+export {
+	redef enum Software::Type += {
+		## Identifier for web servers in the software framework.
+		SERVER,
+		## Identifier for app servers in the software framework.
+		APPSERVER,
+		## Identifier for web browsers in the software framework.
+		BROWSER,
+	};
+
+	## The pattern of HTTP User-Agents which you would like to ignore.
+	const ignored_user_agents = /NO_DEFAULT/ &redef;
+}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
+	{
+	if ( is_orig )
+		{
+		if ( name == "USER-AGENT" && ignored_user_agents !in value )
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
+		}
+	else
+		{
+		if ( name == "SERVER" )
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
+		else if ( name == "X-POWERED-BY" )
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
+		else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
+			{
+			value = cat("SharePoint/", value);
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.bro
new file mode 100644
index 0000000000..610c6e1381
--- /dev/null
+++ b/scripts/policy/protocols/http/var-extraction-cookies.bro
@@ -0,0 +1,17 @@
+##! Extracts and logs variables names from cookies sent by clients.
+
+@load base/protocols/http/main
+@load base/protocols/http/utils
+
+module HTTP;
+
+redef record Info += {
+	## Variable names extracted from all cookies.
+	cookie_vars: vector of string &optional &log;
+};
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
+	{
+	if ( is_orig && name == "COOKIE" )
+		c$http$cookie_vars = extract_keys(value, /;[[:blank:]]*/);
+	}
diff --git a/scripts/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.bro
new file mode 100644
index 0000000000..27ee89d6f2
--- /dev/null
+++ b/scripts/policy/protocols/http/var-extraction-uri.bro
@@ -0,0 +1,17 @@
+##! Extracts and log variables from the requested URI in the default HTTP 
+##! logging stream.
+
+@load base/protocols/http
+
+module HTTP;
+
+redef record Info += {
+	## Variable names from the URI.
+	uri_vars:    vector of string &optional &log;
+};
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) &priority=2
+	{
+	c$http$uri_vars = extract_keys(original_URI, /&/);
+	}
diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.bro
new file mode 100644
index 0000000000..a3e75318bb
--- /dev/null
+++ b/scripts/policy/protocols/smtp/blocklists.bro
@@ -0,0 +1,58 @@
+
+@load base/protocols/smtp
+
+module SMTP;
+
+export {
+	redef enum Notice::Type += { 
+		## Indicates that the server sent a reply mentioning an SMTP block list.
+		Blocklist_Error_Message,
+		## Indicates the client's address is seen in the block list error message.
+		Blocklist_Blocked_Host,
+	};
+
+	# This matches content in SMTP error messages that indicate some
+	# block list doesn't like the connection/mail.
+	const blocklist_error_messages = 
+		  /spamhaus\.org\//
+		| /sophos\.com\/security\//
+		| /spamcop\.net\/bl/
+		| /cbl\.abuseat\.org\// 
+		| /sorbs\.net\// 
+		| /bsn\.borderware\.com\//
+		| /mail-abuse\.com\//
+		| /b\.barracudacentral\.com\//
+		| /psbl\.surriel\.com\// 
+		| /antispam\.imp\.ch\// 
+		| /dyndns\.com\/.*spam/
+		| /rbl\.knology\.net\//
+		| /intercept\.datapacket\.net\//
+		| /uceprotect\.net\//
+		| /hostkarma\.junkemailfilter\.com\// &redef;
+	
+}
+
+event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
+                 msg: string, cont_resp: bool) &priority=3
+	{
+	if ( code >= 400 && code != 421 )
+		{
+		# Raise a notice when an SMTP error about a block list is discovered.
+		if ( blocklist_error_messages in msg )
+			{
+			local note = Blocklist_Error_Message;
+			local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h);
+
+			# Determine if the originator's IP address is in the message.
+			local ips = find_ip_addresses(msg);
+			local text_ip = "";
+			if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h )
+				{
+				note = Blocklist_Blocked_Host;
+				message = fmt("%s is on an SMTP block list", c$id$orig_h);
+				}
+			
+			NOTICE([$note=note, $conn=c, $msg=message, $sub=msg]);
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro
new file mode 100644
index 0000000000..4635b17a83
--- /dev/null
+++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro
@@ -0,0 +1,52 @@
+@load base/frameworks/notice/main
+@load base/protocols/smtp/main
+
+module SMTP;
+
+export {
+	redef enum Notice::Type += {
+		Suspicious_Origination
+	};
+
+	## Places where it's suspicious for mail to originate from represented as
+	## all-capital, two character country codes (e.x. US).  It requires 
+	## libGeoIP support built in.
+	const suspicious_origination_countries: set[string] = {} &redef;
+	const suspicious_origination_networks: set[subnet] = {} &redef;
+
+}
+
+event log_smtp(rec: Info)
+	{
+	local ip: addr;
+	local loc: geo_location;
+	if ( rec?$x_originating_ip )
+		{
+		ip = rec$x_originating_ip;
+		loc = lookup_location(ip);
+		
+		if ( (loc?$country_code &&
+			 loc$country_code in suspicious_origination_countries) ||
+			 ip in suspicious_origination_networks )
+			{
+			NOTICE([$note=Suspicious_Origination,
+			        $msg=fmt("An email originated from %s (%s).",
+			                 loc?$country_code ? loc$country_code : "", ip),
+			        $id=rec$id]);
+			}
+		}
+	if ( rec?$path )
+		{
+		ip = rec$path[|rec$path|-1];
+		loc = lookup_location(ip);
+
+		if ( (loc?$country_code &&
+			 loc$country_code in suspicious_origination_countries) ||
+			 ip in suspicious_origination_networks )
+			{
+			NOTICE([$note=Suspicious_Origination,
+			        $msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip),
+			        $id=rec$id]);
+			}
+		}
+	}
diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.bro
new file mode 100644
index 0000000000..f520485338
--- /dev/null
+++ b/scripts/policy/protocols/smtp/software.bro
@@ -0,0 +1,82 @@
+##! This script feeds software detected through email into the software
+##! framework.  Mail clients and webmail interfaces are the only thing 
+##! currently detected.
+##! 
+##! TODO:
+##!
+##! * Find some heuristic to determine if email was sent through 
+##!   a MS Exhange webmail interface as opposed to a desktop client.
+
+@load base/frameworks/software/main
+@load base/protocols/smtp/main
+
+module SMTP;
+
+export {
+	redef enum Software::Type += {
+		MAIL_CLIENT,
+		MAIL_SERVER,
+		WEBMAIL_SERVER
+	};
+	
+	redef record Info += {
+		## Boolean indicator of if the message was sent through a webmail 
+		## interface.
+		is_webmail: bool &log &default=F;
+	};
+	
+	## Assuming that local mail servers are more trustworthy with the headers 
+	## they insert into messages envelopes, this default makes Bro not attempt
+	## to detect software in inbound message bodies.  If mail coming in from
+	## external addresses gives incorrect data in the Received headers, it 
+	## could populate your SOFTWARE logging stream with incorrect data.
+	## If you would like to detect mail clients for incoming messages 
+	## (network traffic originating from a non-local address), set this
+	## variable to EXTERNAL_HOSTS or ALL_HOSTS.
+	const detect_clients_in_messages_from = LOCAL_HOSTS &redef;
+	
+	## A regular expression to match USER-AGENT-like headers to find if a 
+	## message was sent with a webmail interface.
+	const webmail_user_agents = 
+	                     /^iPlanet Messenger/ 
+	                   | /^Sun Java\(tm\) System Messenger Express/
+	                   | /\(IMP\)/  # Horde Internet Messaging Program
+	                   | /^SquirrelMail/
+	                   | /^NeoMail/ 
+	                   | /ZimbraWebClient/ &redef;
+}
+
+event mime_one_header(c: connection, h: mime_header_rec) &priority=4
+	{
+	if ( ! c?$smtp ) return;
+	if ( h$name == "USER-AGENT" && webmail_user_agents in c$smtp$user_agent )
+		c$smtp$is_webmail = T;
+	}
+
+event log_smtp(rec: Info)
+	{
+	# If the MUA provided a user-agent string, kick over to the software framework.
+	# This is done here so that the "Received: from" path has a chance to be
+	# built since that's where the IP address is pulled from.
+	if ( rec?$user_agent )
+		{
+		local s_type = MAIL_CLIENT;
+		local client_ip = rec$path[|rec$path|-1];
+		if ( rec$is_webmail )
+			{
+			s_type = WEBMAIL_SERVER;
+			# If the earliest received header indicates that the connection
+			# was via HTTP, then that likely means the actual mail software 
+			# is installed on the second address in the path.
+			if ( rec?$first_received && /via HTTP/ in rec$first_received )
+				client_ip = rec$path[|rec$path|-2];
+			}
+		
+		if ( addr_matches_host(rec$id$orig_h,
+		                       detect_clients_in_messages_from) )
+			{
+			Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]);
+			}
+		}
+	}
+
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
new file mode 100644
index 0000000000..aa6e920c12
--- /dev/null
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@@ -0,0 +1,79 @@
+##! Detect hosts which are doing password guessing attacks and/or password
+##! bruteforcing over SSH.
+
+@load base/protocols/ssh
+@load base/frameworks/metrics
+@load base/frameworks/notice
+@load base/frameworks/intel
+
+module SSH;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host has been identified as crossing the 
+		## :bro:id:`SSH::password_guesses_limit` threshold with heuristically
+		## determined failed logins.
+		Password_Guessing,
+		## Indicates that a host previously identified as a "password guesser"
+		## has now had a heuristically successful login attempt.  This is not
+		## currently implemented.
+		Login_By_Password_Guesser,
+	};
+	
+	redef enum Metrics::ID  += {
+		## Metric is to measure failed logins.
+		FAILED_LOGIN,
+	};
+
+	## The number of failed SSH connections before a host is designated as
+	## guessing passwords.
+	const password_guesses_limit = 30 &redef;
+
+	## The amount of time to remember presumed non-successful logins to build
+	## model of a password guesser.
+	const guessing_timeout = 30 mins &redef;
+
+	## This value can be used to exclude hosts or entire networks from being 
+	## tracked as potential "guessers".  There are cases where the success
+	## heuristic fails and this acts as the whitelist.  The index represents 
+	## client subnets and the yield value represents server subnets.
+	const ignore_guessers: table[subnet] of subnet &redef;
+
+	## Tracks hosts identified as guessing passwords.
+	global password_guessers: set[addr] 
+		&read_expire=guessing_timeout+1hr &synchronized &redef;
+}
+
+event bro_init()
+	{
+	Metrics::add_filter(FAILED_LOGIN, [$name="detect-bruteforcing", $log=F,
+	                                   $note=Password_Guessing,
+	                                   $notice_threshold=password_guesses_limit,
+	                                   $notice_freq=1hr,
+	                                   $break_interval=guessing_timeout]);
+	}
+
+event SSH::heuristic_successful_login(c: connection)
+	{
+	local id = c$id;
+	
+	# TODO: This is out for the moment pending some more additions to the 
+	#       metrics framework.
+	#if ( id$orig_h in password_guessers )
+	#	{
+	#	NOTICE([$note=Login_By_Password_Guesser,
+	#	        $conn=c,
+	#	        $msg=fmt("Successful SSH login by password guesser %s", id$orig_h)]);
+	#	}
+	}
+
+event SSH::heuristic_failed_login(c: connection)
+	{
+	local id = c$id;
+	
+	# Add data to the FAILED_LOGIN metric unless this connection should 
+	# be ignored.
+	if ( ! (id$orig_h in ignore_guessers &&
+	        id$resp_h in ignore_guessers[id$orig_h]) )
+		Metrics::add_data(FAILED_LOGIN, [$host=id$orig_h], 1);
+	}
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
new file mode 100644
index 0000000000..0f8bb932fe
--- /dev/null
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@@ -0,0 +1,43 @@
+##! Geodata based detections for SSH analysis.
+
+@load base/frameworks/notice
+@load base/protocols/ssh
+
+module SSH;
+
+export {
+	redef enum Notice::Type += {
+		## If an SSH login is seen to or from a "watched" country based on the
+		## :bro:id:`SSH::watched_countries` variable then this notice will
+		## be generated.
+		Watched_Country_Login,
+	};
+	
+	redef record Info += {
+		## Add geographic data related to the "remote" host of the connection.
+		remote_location: geo_location &log &optional;
+	};
+	
+	## The set of countries for which you'd like to generate notices upon 
+	## successful login.
+	const watched_countries: set[string] = {"RO"} &redef;
+}
+
+event SSH::heuristic_successful_login(c: connection) &priority=5
+	{
+	local location: geo_location;
+	location = (c$ssh$direction == OUTBOUND) ? 
+		lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
+	
+	# Add the location data to the SSH record.
+	c$ssh$remote_location = location;
+	
+	if ( location?$country_code && location$country_code in watched_countries )
+		{
+		NOTICE([$note=Watched_Country_Login,
+		        $conn=c,
+		        $msg=fmt("SSH login %s watched country: %s", 
+		                 (c$ssh$direction == OUTBOUND) ? "to" : "from", 
+		                 location$country_code)]);
+		}
+	}
diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.bro
new file mode 100644
index 0000000000..f79c67ede9
--- /dev/null
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@@ -0,0 +1,47 @@
+##! This script will generate a notice if an apparent SSH login originates 
+##! or heads to a host with a reverse hostname that looks suspicious.  By 
+##! default, the regular expression to match "interesting" hostnames includes 
+##! names that are typically used for infrastructure hosts like nameservers, 
+##! mail servers, web servers and ftp servers.
+
+@load base/frameworks/notice
+
+module SSH;
+
+export {
+	redef enum Notice::Type += {
+		## Generated if a login originates or responds with a host where the 
+		## reverse hostname lookup resolves to a name matched by the 
+		## :bro:id:`SSH::interesting_hostnames` regular expression.
+		Interesting_Hostname_Login,
+	};
+	
+	## Strange/bad host names to see successful SSH logins from or to.
+	const interesting_hostnames =
+			/^d?ns[0-9]*\./ |
+			/^smtp[0-9]*\./ |
+			/^mail[0-9]*\./ |
+			/^pop[0-9]*\./  |
+			/^imap[0-9]*\./ |
+			/^www[0-9]*\./  |
+			/^ftp[0-9]*\./  &redef;
+}
+
+event SSH::heuristic_successful_login(c: connection)
+	{
+	for ( host in set(c$id$orig_h, c$id$resp_h) )
+		{
+		when ( local hostname = lookup_addr(host) )
+			{
+			if ( interesting_hostnames in hostname )
+				{
+				NOTICE([$note=Interesting_Hostname_Login,
+				        $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+				                 Site::is_local_addr(host) ? "local" : "remote",
+				                 host == c$id$orig_h ? "client" : "server"),
+				        $sub=hostname, $conn=c]);
+				}
+			}
+		}
+	}
+
diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro
new file mode 100644
index 0000000000..ba03bed284
--- /dev/null
+++ b/scripts/policy/protocols/ssh/software.bro
@@ -0,0 +1,29 @@
+##! Extracts SSH client and server information from SSH 
+##! connections and forwards it to the software framework.
+
+@load base/frameworks/software
+
+module SSH;
+
+export {
+	redef enum Software::Type += {
+		## Identifier for SSH clients in the software framework.
+		SERVER,
+		## Identifier for SSH servers in the software framework.
+		CLIENT,
+	};
+}
+
+event ssh_client_version(c: connection, version: string) &priority=4
+	{
+	# Get rid of the protocol information when passing to the software framework.
+	local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
+	Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]);
+	}
+
+event ssh_server_version(c: connection, version: string) &priority=4
+	{
+	# Get rid of the protocol information when passing to the software framework.
+	local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
+	Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
+	}
diff --git a/scripts/policy/protocols/ssl/cert-hash.bro b/scripts/policy/protocols/ssl/cert-hash.bro
new file mode 100644
index 0000000000..32a165a946
--- /dev/null
+++ b/scripts/policy/protocols/ssl/cert-hash.bro
@@ -0,0 +1,22 @@
+##! Calculate MD5 sums for server DER formatted certificates.
+
+@load base/protocols/ssl
+
+module SSL;
+
+export {
+	redef record Info += {
+		## MD5 sum of the raw server certificate.
+		cert_hash: string &log &optional;
+	};
+}
+
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
+	{
+	# We aren't tracking client certificates yet and we are also only tracking
+	# the primary cert.  Watch that this came from an SSL analyzed session too.
+	if ( is_orig || chain_idx != 0 || ! c?$ssl ) 
+		return;
+
+	c$ssl$cert_hash = md5_hash(der_cert);
+	}
\ No newline at end of file
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
new file mode 100644
index 0000000000..80616e6a99
--- /dev/null
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -0,0 +1,63 @@
+##! Generate notices when X.509 certificates over SSL/TLS are expired or 
+##! going to expire soon based on the date and time values stored within the
+##! certificate.
+
+@load base/protocols/ssl
+@load base/frameworks/notice
+@load base/utils/directions-and-hosts
+
+@load protocols/ssl/cert-hash
+
+module SSL;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a certificate's NotValidAfter date has lapsed and
+		## the certificate is now invalid.
+		Certificate_Expired,
+		## Indicates that a certificate is going to expire within 
+		## :bro:id:`SSL::notify_when_cert_expiring_in`.
+		Certificate_Expires_Soon,
+		## Indicates that a certificate's NotValidBefore date is future dated.
+		Certificate_Not_Valid_Yet,
+	};
+	
+	## The category of hosts you would like to be notified about which have 
+	## certificates that are going to be expiring soon.  By default, these 
+	## notices will be suppressed by the notice framework for 1 day after 
+	## a particular certificate has had a notice generated.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const notify_certs_expiration = LOCAL_HOSTS &redef;
+	
+	## The time before a certificate is going to expire that you would like to
+	## start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
+	const notify_when_cert_expiring_in = 30days &redef;
+}
+
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+	{
+	# If this isn't the host cert or we aren't interested in the server, just return.
+	if ( is_orig || 
+		 chain_idx != 0 ||
+		 ! c$ssl?$cert_hash || 
+		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
+		return;
+	
+	if ( cert$not_valid_before > network_time() )
+		NOTICE([$note=Certificate_Not_Valid_Yet,
+		        $conn=c, $suppress_for=1day,
+		        $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+	
+	else if ( cert$not_valid_after < network_time() )
+		NOTICE([$note=Certificate_Expired,
+		        $conn=c, $suppress_for=1day,
+		        $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+	
+	else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
+		NOTICE([$note=Certificate_Expires_Soon,
+		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
+		        $conn=c, $suppress_for=1day,
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+	}
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.bro
new file mode 100644
index 0000000000..420c60a4fd
--- /dev/null
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -0,0 +1,49 @@
+##! This script is used to extract host certificates seen on the wire to disk
+##! after being converted to PEM files.  The certificates will be stored in
+##! a single file, one for local certificates and one for remote certificates.
+##!
+##! ..note::
+##!
+##!     - It doesn't work well on a cluster because each worker will write its 
+##!       own certificate files and no duplicate checking is done across
+##!       clusters so each node would log each certificate.
+##!
+##!     - If there is a certificate input based vulnerability found in the
+##!       openssl command line utility, you could be in trouble because this
+##!       script uses that utility to convert from DER to PEM certificates.
+##!
+
+@load base/protocols/ssl
+@load base/utils/directions-and-hosts
+@load protocols/ssl/cert-hash
+
+module SSL;
+
+export {
+	## Control if host certificates offered by the defined hosts 
+	## will be written to the PEM certificates file.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const extract_certs_pem = LOCAL_HOSTS &redef;
+}
+
+# This is an internally maintained variable to prevent relogging of
+# certificates that have already been seen.  It is indexed on an md5 sum of
+# the certificate.
+global extracted_certs: set[string] = set() &read_expire=1hr &redef;
+
+event ssl_established(c: connection) &priority=5
+	{
+	if ( ! c$ssl?$cert )
+		return;
+	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
+		return;
+	
+	if ( c$ssl$cert_hash in extracted_certs )
+		# If we already extracted this cert, don't do it again.
+		return;
+	
+	add extracted_certs[c$ssl$cert_hash];
+	local side = Site::is_local_addr(c$id$resp_h) ? "local" : "remote";
+	local cmd = fmt("%s x509 -inform DER -outform PEM >> certs-%s.pem", openssl_util, side);
+	piped_exec(cmd, c$ssl$cert);
+	}
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
new file mode 100644
index 0000000000..3986a9aa1e
--- /dev/null
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -0,0 +1,63 @@
+##! Log information about certificates while attempting to avoid duplicate logging.
+
+@load base/utils/directions-and-hosts
+@load base/protocols/ssl
+@load protocols/ssl/cert-hash
+
+module Known;
+
+export {
+	redef enum Log::ID += { CERTS_LOG };
+	
+	type CertsInfo: record {
+		## The timestamp when the certificate was detected.
+		ts:             time   &log;
+		## The address that offered the certificate.
+		host:           addr   &log;
+		## If the certificate was handed out by a server, this is the 
+		## port that the server was listening on.
+		port_num:       port   &log &optional;
+		## Certificate subject.
+		subject:        string &log &optional;
+		## Certificate issuer subject.
+		issuer_subject: string &log &optional;
+		## Serial number for the certificate.
+		serial:         string &log &optional;
+	};
+	
+	## The certificates whose existence should be logged and tracked.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const cert_tracking = LOCAL_HOSTS &redef;
+	
+	## The set of all known certificates to store for preventing duplicate 
+	## logging.  It can also be used from other scripts to 
+	## inspect if a certificate has been seen in use. The string value 
+	## in the set is for storing the DER formatted certificate's MD5 hash.
+	global certs: set[addr, string] &create_expire=1day &synchronized &redef;
+	
+	## Event that can be handled to access the loggable record as it is sent 
+	## on to the logging framework.
+	global log_known_certs: event(rec: CertsInfo);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
+	}
+
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+	{
+	# Make sure this is the server cert and we have a hash for it.
+	if ( is_orig || chain_idx != 0 || ! c$ssl?$cert_hash ) 
+		return;
+	
+	local host = c$id$resp_h;
+	if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
+		{
+		add certs[host, c$ssl$cert_hash];
+		Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
+		                              $port_num=c$id$resp_p, $subject=cert$subject,
+		                              $issuer_subject=cert$issuer,
+		                              $serial=cert$serial]);
+		}
+	}
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
new file mode 100644
index 0000000000..03624eac84
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -0,0 +1,53 @@
+##! Perform full certificate chain validation for SSL certificates.
+
+@load base/frameworks/notice
+@load base/protocols/ssl
+@load protocols/ssl/cert-hash
+
+module SSL;
+
+export {
+	redef enum Notice::Type += {
+		## This notice indicates that the result of validating the certificate
+		## along with it's full certificate chain was invalid.
+		Invalid_Server_Cert
+	};
+	
+	redef record Info += {
+		## Result of certificate validation for this connection.
+		validation_status: string &log &optional;
+	};
+	
+	## MD5 hash values for recently validated certs along with the validation
+	## status message are kept in this table to avoid constant validation 
+	## everytime the same certificate is seen.
+	global recently_validated_certs: table[string] of string = table() 
+		&read_expire=5mins &synchronized &redef;
+}
+
+event ssl_established(c: connection) &priority=3
+	{
+	# If there aren't any certs we can't very well do certificate validation.
+	if ( ! c$ssl?$cert || ! c$ssl?$cert_chain )
+		return;
+	
+	if ( c$ssl?$cert_hash && c$ssl$cert_hash in recently_validated_certs )
+		{
+		c$ssl$validation_status = recently_validated_certs[c$ssl$cert_hash];
+		}
+	else
+		{
+		local result = x509_verify(c$ssl$cert, c$ssl$cert_chain, root_certs);
+		c$ssl$validation_status = x509_err2str(result);
+		}
+		
+	if ( c$ssl$validation_status != "ok" )
+		{
+		local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
+		NOTICE([$note=Invalid_Server_Cert, $msg=message,
+		        $sub=c$ssl$subject, $conn=c,
+		        $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);
+		}
+	}
+
+
diff --git a/scripts/policy/tuning/__load__.bro b/scripts/policy/tuning/__load__.bro
new file mode 100644
index 0000000000..03449882f8
--- /dev/null
+++ b/scripts/policy/tuning/__load__.bro
@@ -0,0 +1,2 @@
+##! This loads the default tuning 
+@load ./defaults
\ No newline at end of file
diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.bro
new file mode 100644
index 0000000000..ffc760e5f7
--- /dev/null
+++ b/scripts/policy/tuning/defaults/__load__.bro
@@ -0,0 +1,2 @@
+@load ./packet-fragments
+@load ./warnings
\ No newline at end of file
diff --git a/scripts/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.bro
new file mode 100644
index 0000000000..30d7e23729
--- /dev/null
+++ b/scripts/policy/tuning/defaults/packet-fragments.bro
@@ -0,0 +1,10 @@
+## Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
+## common due to high-volume, fragmenting protocols such as NFS :-(.
+
+## This normally isn't used because of the default open packet filter 
+## but we set it anyway in case the user is using a packet filter.
+redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
+
+## Shorten the fragment timeout from never expiring to expiring fragments after
+## five minutes.
+redef frag_timeout = 5 min;
diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.bro
new file mode 100644
index 0000000000..cedc3d62ad
--- /dev/null
+++ b/scripts/policy/tuning/defaults/warnings.bro
@@ -0,0 +1,11 @@
+##! This file is meant to print messages on stdout for settings that would be
+##! good to set in most cases or other things that could be done to achieve 
+##! better detection.
+
+@load base/utils/site
+
+event bro_init() &priority=-10
+	{
+	if ( |Site::local_nets| == 0 )
+		print "WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.";
+	}
diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.bro
new file mode 100644
index 0000000000..b00dc8ad40
--- /dev/null
+++ b/scripts/policy/tuning/track-all-assets.bro
@@ -0,0 +1,9 @@
+@load base/frameworks/software
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+redef Software::asset_tracking  = ALL_HOSTS;
+redef Known::host_tracking      = ALL_HOSTS;
+redef Known::service_tracking   = ALL_HOSTS;
+redef Known::cert_tracking      = ALL_HOSTS;
diff --git a/scripts/site/local-manager.bro b/scripts/site/local-manager.bro
new file mode 100644
index 0000000000..5e6005f21e
--- /dev/null
+++ b/scripts/site/local-manager.bro
@@ -0,0 +1 @@
+##! Local site policy loaded only by the manager if Bro is running as a cluster.
diff --git a/scripts/site/local-proxy.bro b/scripts/site/local-proxy.bro
new file mode 100644
index 0000000000..478ba6d048
--- /dev/null
+++ b/scripts/site/local-proxy.bro
@@ -0,0 +1 @@
+##! Local site policy loaded only by the proxies if Bro is running as a cluster.
diff --git a/scripts/site/local-worker.bro b/scripts/site/local-worker.bro
new file mode 100644
index 0000000000..b2a100e135
--- /dev/null
+++ b/scripts/site/local-worker.bro
@@ -0,0 +1 @@
+##! Local site policy loaded only by the workers if Bro is running as a cluster.
\ No newline at end of file
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
new file mode 100644
index 0000000000..9681f7a75c
--- /dev/null
+++ b/scripts/site/local.bro
@@ -0,0 +1,70 @@
+##! Local site policy. Customize as appropriate. 
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more 
+# information.
+@load frameworks/software/vulnerable
+
+# Example vulnerable software.  This needs to be updated and maintained over
+# time as new vulnerabilities are discovered.
+redef Software::vulnerable_versions += {
+	["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
+	["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
+};
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
+
+# Uncomment the following line to begin receiving (by default hourly) emails
+# containing all of your notices.
+# redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when 
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets 
+# where the name is not part of your local DNS zone and is being hosted 
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# If you have libGeoIP support built in, do some geographic detections and 
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect MD5 sums in Team Cymru's Malware Hash Registry.
+@load protocols/http/detect-MHR
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
new file mode 100644
index 0000000000..415468a801
--- /dev/null
+++ b/scripts/test-all-policy.bro
@@ -0,0 +1,63 @@
+# This file loads ALL policy scripts that are part of the Bro distribution.
+# 
+# This is rarely makes sense, and is for testing only.
+# 
+# Note that we have a unit test that makes sure that all policy files shipped are
+# actually loaded here. If we have files that are part of the distribution yet
+# can't be loaded here,  these must still be listed here with their load command
+# commented out.
+
+# The base/ scripts are all loaded by default and not included here.
+
+# @load frameworks/communication/listen.bro
+# @load frameworks/control/controllee.bro
+# @load frameworks/control/controller.bro
+@load frameworks/dpd/detect-protocols.bro
+@load frameworks/dpd/packet-segment-logging.bro
+@load frameworks/metrics/conn-example.bro
+@load frameworks/metrics/http-example.bro
+@load frameworks/metrics/ssl-example.bro
+@load frameworks/software/version-changes.bro
+@load frameworks/software/vulnerable.bro
+@load integration/barnyard2/__load__.bro
+@load integration/barnyard2/main.bro
+@load integration/barnyard2/types.bro
+@load misc/analysis-groups.bro
+@load misc/capture-loss.bro
+@load misc/loaded-scripts.bro
+@load misc/profiling.bro
+@load misc/stats.bro
+@load misc/trim-trace-file.bro
+@load protocols/conn/known-hosts.bro
+@load protocols/conn/known-services.bro
+@load protocols/conn/weirds.bro
+@load protocols/dns/auth-addl.bro
+@load protocols/dns/detect-external-names.bro
+@load protocols/ftp/detect.bro
+@load protocols/ftp/software.bro
+@load protocols/http/detect-intel.bro
+@load protocols/http/detect-MHR.bro
+@load protocols/http/detect-sqli.bro
+@load protocols/http/detect-webapps.bro
+@load protocols/http/header-names.bro
+@load protocols/http/software-browser-plugins.bro
+@load protocols/http/software.bro
+@load protocols/http/var-extraction-cookies.bro
+@load protocols/http/var-extraction-uri.bro
+@load protocols/smtp/blocklists.bro
+@load protocols/smtp/detect-suspicious-orig.bro
+@load protocols/smtp/software.bro
+@load protocols/ssh/detect-bruteforcing.bro
+@load protocols/ssh/geo-data.bro
+@load protocols/ssh/interesting-hostnames.bro
+@load protocols/ssh/software.bro
+@load protocols/ssl/cert-hash.bro
+@load protocols/ssl/expiring-certs.bro
+@load protocols/ssl/extract-certs-pem.bro
+@load protocols/ssl/known-certs.bro
+@load protocols/ssl/validate-certs.bro
+@load tuning/__load__.bro
+@load tuning/defaults/__load__.bro
+@load tuning/defaults/packet-fragments.bro
+@load tuning/defaults/warnings.bro
+@load tuning/track-all-assets.bro
diff --git a/src/ARP.cc b/src/ARP.cc
index 42b9d0e6f8..3606ed66d5 100644
--- a/src/ARP.cc
+++ b/src/ARP.cc
@@ -1,10 +1,9 @@
-// $Id: ARP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
 #include "ARP.h"
 #include "Event.h"
+#include "Reporter.h"
 
 
 ARP_Analyzer::ARP_Analyzer()
@@ -218,12 +217,7 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
 
 void ARP_Analyzer::Corrupted(const char* msg)
 	{
-	if ( ! net_weird )
-		return;
-
-	val_list* vl = new val_list;
-	vl->append(new StringVal(msg));
-	mgr.QueueEvent(net_weird, vl);
+	reporter->Weird(msg);
 	}
 
 void ARP_Analyzer::RREvent(EventHandlerPtr e,
diff --git a/src/ARP.h b/src/ARP.h
index c7765eb9a9..37f20ced3c 100644
--- a/src/ARP.h
+++ b/src/ARP.h
@@ -1,5 +1,3 @@
-// $Id: ARP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef arp_h
@@ -17,6 +15,8 @@
 #include <sys/ethernet.h>
 #elif defined(HAVE_NETINET_IF_ETHER_H)
 #include <netinet/if_ether.h>
+#elif defined(HAVE_NET_ETHERTYPES_H)
+#include <net/ethertypes.h>
 #endif
 
 #ifndef arp_pkthdr
diff --git a/src/Active.cc b/src/Active.cc
deleted file mode 100644
index c7193de089..0000000000
--- a/src/Active.cc
+++ /dev/null
@@ -1,218 +0,0 @@
-// $Id: Active.cc 1282 2005-09-07 17:02:02Z vern $
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <map>
-
-#include "Active.h"
-#include "util.h"
-#include "Dict.h"
-
-declare(PDict,string);
-typedef PDict(string) MachineMap;
-declare(PDict,MachineMap);
-typedef PDict(MachineMap) ActiveMap;
-declare(PDict,NumericData);
-typedef PDict(NumericData) ActiveMapNumeric;
-
-static ActiveMap active_map;
-static ActiveMapNumeric active_map_numeric;
-
-static MachineMap default_values;
-static NumericData default_values_numeric;
-
-static bool map_was_loaded = false;
-
-bool get_map_result(uint32 ip_addr, const char* key, string& result)
-	{
-	const MachineMap* machine_map;
-#ifndef ACTIVE_MAPPING
-	machine_map = &default_values;
-#else
-	HashKey machinekey(ip_addr);
-	machine_map = active_map.Lookup(&machinekey);
-
-	if ( ! machine_map )
-		machine_map = &default_values;
-#endif
-	HashKey mapkey(key);
-	string* entry = machine_map->Lookup(&mapkey);
-	if ( ! entry )
-		{
-		entry = default_values.Lookup(&mapkey);
-		}
-
-	if ( ! entry )
-		{
-		internal_error("Unknown active mapping entry requested: %s", key);
-		return false;
-		}
-
-	result = *entry;
-
-	return true;
-	}
-
-bool get_map_result(uint32 ip_addr, const NumericData*& result)
-	{
-#ifndef ACTIVE_MAPPING
-	result = &default_values_numeric;
-	return true;
-#endif
-	HashKey machinekey(&ip_addr, 1);
-	NumericData* entry = active_map_numeric.Lookup(&machinekey);
-
-	if ( ! entry )
-		result = &default_values_numeric;
-	else
-		result = entry;
-
-	return true;
-	}
-
-
-char* chop (char* s)
-	{
-	s[strlen(s) - 1] = 0;
-	return s;
-	}
-
-map < const char *, ReassemblyPolicy, ltstr > reassem_names;
-
-// Remember to index the table with IP address in network order!
-bool load_mapping_table(const char* map_file)
-	{
-	reassem_names["BSD"] = RP_BSD;
-	reassem_names["linux"] = RP_LINUX;
-	reassem_names["last"] = RP_LAST;
-	reassem_names["first"] = RP_FIRST;
-
-	// Default values are read in from AM file under IP address 0.0.0.0
-	default_values.Insert(new HashKey("accepts_rst_outside_window"),
-			      new string("no"));
-	default_values.Insert(new HashKey("accepts_rst_in_window"),
-			      new string("yes"));
-	default_values.Insert(new HashKey("accepts_rst_in_sequence"),
-			      new string("yes"));
-	default_values.Insert(new HashKey("mtu"),
-			      new string("0"));
-
-	default_values_numeric.path_MTU = 0;   // 0 = unknown
-	default_values_numeric.hops = 0;       // 0 = unknown;
-	default_values_numeric.ip_reassem = RP_UNKNOWN;
-	default_values_numeric.tcp_reassem = RP_UNKNOWN;
-	default_values_numeric.accepts_rst_in_window = true;
-	default_values_numeric.accepts_rst_outside_window = false;
-
-
-	if ( map_file && strlen(map_file) )
-		{
-		FILE* f = fopen(map_file, "r");
-		if ( ! f )
-			return false;
-
-		char buf[512];
-		if ( ! fgets(buf, sizeof(buf), f) )
-			error("Error reading mapping file.\n");
-
-		int num_fields = atoi(buf);
-
-		string* field_names = new string[num_fields];
-		for ( int i = 0; i < num_fields; ++i )
-			{
-			if ( ! fgets(buf, sizeof(buf), f) )
-				error("Error reading mapping file.\n");
-			field_names[i] = chop(buf);
-			}
-
-		if ( ! fgets(buf, sizeof(buf), f) )
-			error("Error reading mapping file.\n");
-
-		int num_machines = atoi(buf);
-
-		for ( int j = 0; j < num_machines; ++j )
-			{ // read ip address, parse it
-			if ( ! fgets(buf, sizeof(buf), f) )
-				error("Error reading mapping file.\n");
-
-			uint32 ip;
-			in_addr in;
-			if ( ! inet_aton(chop(buf), &in) )
-				error("Error reading mapping file.\n");
-
-			ip = in.s_addr;
-
-			MachineMap* newmap;
-			NumericData* newnumeric;
-
-			if ( ip ) // ip = 0.0.0.0 = default values
-				{
-				newmap = new MachineMap;
-				newnumeric = new NumericData;
-				}
-			else
-				{
-				newmap = &default_values;
-				newnumeric = &default_values_numeric;
-				}
-
-			for ( int i = 0; i < num_fields; ++i )
-				{
-				if ( ! fgets(buf, sizeof(buf), f) )
-					error("Error reading mapping file.\n");
-
-				string fname = field_names[i];
-
-				chop(buf);
-
-				// Don't try to parse an unknown value ("").
-				if ( streq(buf, "") )
-					continue;
-
-				HashKey mapkey(fname.c_str());
-				newmap->Insert(&mapkey, new string(buf));
-
-				if ( fname == "mtu" )
-					newnumeric->path_MTU = atoi(buf);
-
-				else if ( fname == "hops" )
-					newnumeric->hops = atoi(buf);
-
-				else if ( fname == "tcp_segment_overlap" )
-					newnumeric->tcp_reassem = reassem_names[buf];
-
-				else if ( fname == "overlap_policy" )
-					newnumeric->ip_reassem = reassem_names[buf];
-
-				else if ( fname == "accepts_rst_in_window" )
-					newnumeric->accepts_rst_in_window = streq(buf, "yes");
-
-				else if ( fname == "accepts_rst_outside_window" )
-					newnumeric->accepts_rst_outside_window = streq(buf, "yes");
-
-				else if ( fname == "accepts_rst_in_sequence" )
-					newnumeric->accepts_rst_in_sequence = streq(buf, "yes");
-
-				else
-					warn("unrecognized mapping file tag:", fname.c_str());
-				}
-
-			HashKey machinekey(&ip, 1);
-			active_map.Insert(&machinekey, newmap);
-			active_map_numeric.Insert(&machinekey, newnumeric);
-			}
-
-		delete [] field_names;
-		}
-
-	map_was_loaded = true;
-
-	return true;
-	}
diff --git a/src/Active.h b/src/Active.h
deleted file mode 100644
index 72ea06c084..0000000000
--- a/src/Active.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// $Id: Active.h 80 2004-07-14 20:15:50Z jason $
-
-#ifndef active_h
-#define active_h
-
-#include <string>
-using namespace std;
-
-#include "util.h"
-
-enum ReassemblyPolicy {
-	RP_UNKNOWN,
-	RP_BSD,	// Left-trim to equal or lower offset frags
-	RP_LINUX,	// Left-trim to strictly lower offset frags
-	RP_FIRST,	// Accept only new (no previous value) octets
-	RP_LAST	// Accept all
-};
-
-struct NumericData {
-	ReassemblyPolicy ip_reassem;
-	ReassemblyPolicy tcp_reassem;
-	unsigned short path_MTU;	// 0 = unknown
-	unsigned char hops;	// 0 = unknown
-	bool accepts_rst_in_window;
-	bool accepts_rst_outside_window;
-	bool accepts_rst_in_sequence;
-};
-
-// Return value is whether or not there was a known result for that
-// machine (actually, IP address in network order); if not, a default
-// is returned. Note that the map data is a string in all cases: the
-// numeric form is more efficient and is to be preferred ordinarily.
-bool get_map_result(uint32 ip_addr, const char* key, string& result);
-
-// Basically a special case of get_map_result(), but returns numbers
-// directly for efficiency reasons, since these are frequently
-// looked up. ### Perhaps a better generic mechanism is in order.
-bool get_map_result(uint32 ip_addr, const NumericData*& result);
-
-// Reads in AM data from the specified file (basically [IP, policy] tuples)
-// Should be called at initialization time.
-bool load_mapping_table(const char* map_file);
-
-#endif
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index 06b05960b7..92ca3ecc50 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@@ -1,4 +1,4 @@
-// $Id: Analyzer.cc,v 1.1.4.28 2006/06/01 17:18:10 sommer Exp $
+#include <algorithm>
 
 #include "Analyzer.h"
 #include "PIA.h"
@@ -34,8 +34,9 @@
 #include "Portmap.h"
 #include "POP3.h"
 #include "SSH.h"
-#include "SSLProxy.h"
 #include "SSL-binpac.h"
+#include "Syslog-binpac.h"
+#include "ConnSizeAnalyzer.h"
 
 // Keep same order here as in AnalyzerTag definition!
 const Analyzer::Config Analyzer::analyzer_configs[] = {
@@ -48,6 +49,7 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 
 	{ AnalyzerTag::ICMP, "ICMP", ICMP_Analyzer::InstantiateAnalyzer,
 		ICMP_Analyzer::Available, 0, false },
+
 	{ AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer,
 		TCP_Analyzer::Available, 0, false },
 	{ AnalyzerTag::UDP, "UDP", UDP_Analyzer::InstantiateAnalyzer,
@@ -103,8 +105,6 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 		SMTP_Analyzer::Available, 0, false },
 	{ AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer,
 		SSH_Analyzer::Available, 0, false },
-	{ AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer,
-		SSLProxy_Analyzer::Available, 0, false },
 	{ AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer,
 		Telnet_Analyzer::Available, 0, false },
 
@@ -120,12 +120,12 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::HTTP_BINPAC, "HTTP_BINPAC",
 		HTTP_Analyzer_binpac::InstantiateAnalyzer,
 		HTTP_Analyzer_binpac::Available, 0, false },
-	{ AnalyzerTag::RPC_UDP_BINPAC, "RPC_UDP_BINPAC",
-		RPC_UDP_Analyzer_binpac::InstantiateAnalyzer,
-		RPC_UDP_Analyzer_binpac::Available, 0, false },
-	{ AnalyzerTag::SSL_BINPAC, "SSL_BINPAC",
+	{ AnalyzerTag::SSL, "SSL",
 		SSL_Analyzer_binpac::InstantiateAnalyzer,
 		SSL_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::SYSLOG_BINPAC, "SYSLOG_BINPAC",
+		Syslog_Analyzer_binpac::InstantiateAnalyzer,
+		Syslog_Analyzer_binpac::Available, 0, false },
 
 	{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
 		File_Analyzer::Available, 0, false },
@@ -141,6 +141,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::TCPStats, "TCPSTATS",
 		TCPStats_Analyzer::InstantiateAnalyzer,
 		TCPStats_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ConnSize, "CONNSIZE",
+		ConnSize_Analyzer::InstantiateAnalyzer,
+		ConnSize_Analyzer::Available, 0, false },
 
 	{ AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false },
 	{ AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false },
@@ -155,7 +158,6 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false },
-	{ AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false },
 };
 
 AnalyzerTimer::~AnalyzerTimer()
@@ -227,6 +229,7 @@ Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn)
 	protocol_confirmed = false;
 	skip = false;
 	finished = false;
+	removing = false;
 	parent = 0;
 	orig_supporters = 0;
 	resp_supporters = 0;
@@ -408,16 +411,10 @@ void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 		Analyzer* current = *i;
 		next = ++i;
 
-		if ( ! current->finished )
+		if ( ! (current->finished || current->removing ) )
 			current->NextPacket(len, data, is_orig, seq, ip, caplen);
 		else
-			{
-			// Analyzer has already been disabled so delete it.
-			DBG_LOG(DBG_DPD, "%s deleted child %s",
-					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
-			children.erase(--i);
-			delete current;
-			}
+			DeleteChild(--i);
 		}
 
 	AppendNewChildren();
@@ -437,16 +434,10 @@ void Analyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 		Analyzer* current = *i;
 		next = ++i;
 
-		if ( ! current->finished )
+		if ( ! (current->finished || current->removing ) )
 			current->NextStream(len, data, is_orig);
 		else
-			{
-			// Analyzer has already been disabled so delete it.
-			DBG_LOG(DBG_DPD, "%s deleted child %s",
-					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
-			children.erase(--i);
-			delete current;
-			}
+			DeleteChild(--i);
 		}
 
 	AppendNewChildren();
@@ -466,16 +457,10 @@ void Analyzer::ForwardUndelivered(int seq, int len, bool is_orig)
 		Analyzer* current = *i;
 		next = ++i;
 
-		if ( ! current->finished )
+		if ( ! (current->finished || current->removing ) )
 			current->NextUndelivered(seq, len, is_orig);
 		else
-			{
-			// Analyzer has already been disabled so delete it.
-			DBG_LOG(DBG_DPD, "%s deleted child %s",
-					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
-			children.erase(--i);
-			delete current;
-			}
+			DeleteChild(--i);
 		}
 
 	AppendNewChildren();
@@ -492,16 +477,10 @@ void Analyzer::ForwardEndOfData(bool orig)
 		Analyzer* current = *i;
 		next = ++i;
 
-		if ( ! current->finished )
+		if ( ! (current->finished || current->removing ) )
 			current->NextEndOfData(orig);
 		else
-			{
-			// Analyzer has already been disabled so delete it.
-			DBG_LOG(DBG_DPD, "%s deleted child %s",
-					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
-			children.erase(--i);
-			delete current;
-			}
+			DeleteChild(--i);
 		}
 
 	AppendNewChildren();
@@ -547,15 +526,17 @@ Analyzer* Analyzer::AddChildAnalyzer(AnalyzerTag::Tag analyzer)
 void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer)
 	{
 	LOOP_OVER_CHILDREN(i)
-		if ( *i == analyzer && ! analyzer->finished )
+		if ( *i == analyzer && ! (analyzer->finished || analyzer->removing) )
 			{
-			DBG_LOG(DBG_DPD, "%s disabled child %s",
+			DBG_LOG(DBG_DPD, "%s disabling child %s",
 					fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
-			(*i)->Done();
-			// We don't delete it here as we may in fact
-			// iterate over the list right now.  Done() sets
-			// "finished" to true and this is checked
-			// later to delete it.
+			// We just flag it as being removed here but postpone
+			// actually doing that to later. Otherwise, we'd need
+			// to call Done() here, which then in turn might
+			// cause further code to be executed that may assume
+			// something not true because of a violation that
+			// triggered the removal in the first place.
+			(*i)->removing = true;
 			return;
 			}
 	}
@@ -563,11 +544,12 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer)
 void Analyzer::RemoveChildAnalyzer(AnalyzerID id)
 	{
 	LOOP_OVER_CHILDREN(i)
-		if ( (*i)->id == id && ! (*i)->finished )
+		if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) )
 			{
-			DBG_LOG(DBG_DPD, "%s  disabled child %s", GetTagName(), id,
+			DBG_LOG(DBG_DPD, "%s  disabling child %s", GetTagName(), id,
 					fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
-			(*i)->Done();
+			// See comment above.
+			(*i)->removing = true;
 			return;
 			}
 	}
@@ -615,6 +597,26 @@ Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag)
 	return 0;
 	}
 
+void Analyzer::DeleteChild(analyzer_list::iterator i)
+	{
+	Analyzer* child = *i;
+
+	// Analyzer must have already been finished or marked for removal.
+	assert(child->finished || child->removing);
+
+	if ( child->removing )
+		{
+		child->Done();
+		child->removing = false;
+		}
+
+	DBG_LOG(DBG_DPD, "%s deleted child %s 3",
+		fmt_analyzer(this).c_str(), fmt_analyzer(child).c_str());
+
+	children.erase(i);
+	delete child;
+	}
+
 void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer)
 	{
 	if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) )
@@ -741,15 +743,6 @@ void Analyzer::FlipRoles()
 	resp_supporters = tmp;
 	}
 
-int Analyzer::RewritingTrace()
-	{
-	LOOP_OVER_CHILDREN(i)
-		if ( (*i)->RewritingTrace() )
-			return 1;
-
-	return 0;
-	}
-
 void Analyzer::ProtocolConfirmation()
 	{
 	if ( protocol_confirmed )
@@ -851,6 +844,12 @@ unsigned int Analyzer::MemoryAllocation() const
 	return mem;
 	}
 
+void Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	LOOP_OVER_CHILDREN(i)
+		(*i)->UpdateConnVal(conn_val);
+	}
+
 void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 					int seq, const IP_Hdr* ip, int caplen)
 	{
@@ -894,39 +893,24 @@ void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
 		Parent()->Undelivered(seq, len, is_orig);
 	}
 
-TransportLayerAnalyzer::~TransportLayerAnalyzer()
-	{
-	delete rewriter;
-	}
 
 void TransportLayerAnalyzer::Done()
 	{
 	Analyzer::Done();
-
-	if ( rewriter )
-		rewriter->Done();
 	}
 
 void TransportLayerAnalyzer::SetContentsFile(unsigned int /* direction */,
 						BroFile* /* f */)
 	{
-	run_time("analyzer type does not support writing to a contents file");
+	reporter->Error("analyzer type does not support writing to a contents file");
 	}
 
 BroFile* TransportLayerAnalyzer::GetContentsFile(unsigned int /* direction */) const
 	{
-	run_time("analyzer type does not support writing to a contents file");
+	reporter->Error("analyzer type does not support writing to a contents file");
 	return 0;
 	}
 
-void TransportLayerAnalyzer::SetTraceRewriter(Rewriter* r)
-	{
-	if ( rewriter )
-		rewriter->Done();
-	delete rewriter;
-	rewriter = r;
-	}
-
 void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
 	{
 	if ( packet_contents && len > 0 )
diff --git a/src/Analyzer.h b/src/Analyzer.h
index 83c5a5c7d7..7797e215fe 100644
--- a/src/Analyzer.h
+++ b/src/Analyzer.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // Main analyzer interface.
 
 #ifndef ANALYZER_H
@@ -225,12 +223,15 @@ public:
 	virtual void ProtocolViolation(const char* reason,
 					const char* data = 0, int len = 0);
 
-	// Returns true if the analyzer or one of its children is rewriting
-	// the trace.
-	virtual int RewritingTrace();
-
 	virtual unsigned int MemoryAllocation() const;
 
+	// Called whenever the connection value needs to be updated. Per
+	// default, this method will be called for each analyzer in the tree.
+	// Analyzers can use this method to attach additional data to the
+	// connections. A call to BuildConnVal will in turn trigger a call to
+	// UpdateConnVal. 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	// The following methods are proxies: calls are directly forwarded
 	// to the connection instance.  These are for convenience only,
 	// allowing us to reuse more of the old analyzer code unchanged.
@@ -242,11 +243,8 @@ public:
 		{ conn->Event(f, this, v1, v2); }
 	void ConnectionEvent(EventHandlerPtr f, val_list* vl)
 		{ conn->ConnectionEvent(f, this, vl); }
-	void Weird(const char* name)	{ conn->Weird(name); }
-	void Weird(const char* name, const char* addl)
+	void Weird(const char* name, const char* addl = "")
 		{ conn->Weird(name, addl); }
-	void Weird(const char* name, int addl_len, const char* addl)
-		{ conn->Weird(name, addl_len, addl); };
 
 	// Factory function to instantiate new analyzers.
 	static Analyzer* InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c);
@@ -279,6 +277,10 @@ protected:
 	void AppendNewChildren();
 
 private:
+	// Internal method to eventually delete a child analyzer that's
+	// already Done().
+	void DeleteChild(analyzer_list::iterator i);
+
 	AnalyzerTag::Tag tag;
 	AnalyzerID id;
 
@@ -299,6 +301,7 @@ private:
 	bool timers_canceled;
 	bool skip;
 	bool finished;
+	bool removing;
 
 	static AnalyzerID id_counter;
 
@@ -367,12 +370,9 @@ private:
 class TransportLayerAnalyzer : public Analyzer {
 public:
 	TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn)
-		: Analyzer(tag, conn)	{ pia = 0; rewriter = 0; }
-
-	virtual ~TransportLayerAnalyzer();
+		: Analyzer(tag, conn)	{ pia = 0; }
 
 	virtual void Done();
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig) = 0;
 	virtual bool IsReuse(double t, const u_char* pkt) = 0;
 
 	virtual void SetContentsFile(unsigned int direction, BroFile* f);
@@ -381,11 +381,6 @@ public:
 	void SetPIA(PIA* arg_PIA)	{ pia = arg_PIA; }
 	PIA* GetPIA() const		{ return pia; }
 
-	Rewriter* TraceRewriter()	{ return rewriter; }
-
-	// Takes ownership.
-	void SetTraceRewriter(Rewriter* r);
-
 	// Raises packet_contents event.
 	void PacketContents(const u_char* data, int len);
 
@@ -394,7 +389,6 @@ protected:
 
 private:
 	PIA* pia;
-	Rewriter* rewriter;
 };
 
 #endif
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index 231b39364a..42d2f5626c 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -1,5 +1,3 @@
-// $Id: AnalyzerTags.h,v 1.1.2.5 2006/06/01 01:55:42 sommer Exp $
-
 #ifndef ANALYZERTAGS_H
 #define ANALYZERTAGS_H
 
@@ -22,28 +20,29 @@ namespace AnalyzerTag {
 		PIA_TCP, PIA_UDP,
 
 		// Transport-layer analyzers.
-		ICMP, TCP, UDP,
+		ICMP,
+		TCP, UDP,
 
 		// Application-layer analyzers (hand-written).
 		BitTorrent, BitTorrentTracker,
 		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
 		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
 		RPC, Rsh, SMB, SMTP, SSH,
-		SSL,
 		Telnet,
 
 		// Application-layer analyzers, binpac-generated.
 		DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC,
-		HTTP_BINPAC, RPC_UDP_BINPAC, SSL_BINPAC,
+		HTTP_BINPAC, SSL, SYSLOG_BINPAC,
 
 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,
+		ConnSize,
+
 
 		// Support-analyzers
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
 		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
-		Contents_SSL,
 		// End-marker.
 		LastAnalyzer
 	};
diff --git a/src/Anon.cc b/src/Anon.cc
index 36e5e05b86..440f8600d5 100644
--- a/src/Anon.cc
+++ b/src/Anon.cc
@@ -1,5 +1,3 @@
-// $Id: Anon.cc 7075 2010-09-13 02:39:38Z vern $
-
 #include <stdlib.h>
 #include <unistd.h>
 #include <assert.h>
@@ -17,7 +15,7 @@ AnonymizeIPAddr* ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS] = {0};
 
 static uint32 rand32()
 	{
-	return ((random() & 0xffff) << 16) | (random() & 0xffff);
+	return ((bro_random() & 0xffff) << 16) | (bro_random() & 0xffff);
 	}
 
 // From tcpdpriv.
@@ -102,9 +100,9 @@ ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
 	}
 
 
-// This code is from "On the Design and Performance of Prefix-Preserving 
+// This code is from "On the Design and Performance of Prefix-Preserving
 // IP Traffic Trace Anonymization", by Xu et al (IMW 2001)
-// 
+//
 // http://www.imconf.net/imw-2001/proceedings.html
 
 ipaddr32_t AnonymizeIPAddr_PrefixMD5::anonymize(ipaddr32_t input)
@@ -159,7 +157,7 @@ int AnonymizeIPAddr_A50::PreservePrefix(ipaddr32_t input, int num_bits)
 
 	if ( ! before_anonymization )
 		{
-		run_time("prefix perservation specified after anonymization begun");
+		reporter->Error("prefix perservation specified after anonymization begun");
 		return 0;
 		}
 
@@ -206,7 +204,7 @@ AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::new_node_block()
 	int block_size = 1024;
 	Node* block = new Node[block_size];
 	if ( ! block )
-		internal_error("out of memory!");
+		reporter->InternalError("out of memory!");
 
 	blocks.push_back(block);
 
@@ -258,7 +256,7 @@ ipaddr32_t AnonymizeIPAddr_A50::make_output(ipaddr32_t old_output, int swivel) c
 AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::make_peer(ipaddr32_t a, Node* n)
 	{
 	if ( a == 0 || a == 0xFFFFFFFFU )
-		internal_error("0.0.0.0 and 255.255.255.255 should never get into the tree");
+		reporter->InternalError("0.0.0.0 and 255.255.255.255 should never get into the tree");
 
 	// Become a peer.
 	// Algorithm: create two nodes, the two peers.  Leave orig node as
@@ -341,7 +339,7 @@ AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::find_node(ipaddr32_t a)
 			}
 		}
 
-	internal_error("out of memory!");
+	reporter->InternalError("out of memory!");
 	return 0;
 	}
 
@@ -379,24 +377,24 @@ ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl)
 	}
 
 	ipaddr32_t new_ip = 0;
-		
+
 	if ( preserve_addr && preserve_addr->Lookup(&addr) )
 		new_ip = ip;
 
 	else if ( method >= 0 && method < NUM_ADDR_ANONYMIZATION_METHODS )
 		{
-		if ( method == KEEP_ORIG_ADDR ) 
+		if ( method == KEEP_ORIG_ADDR )
 			new_ip = ip;
 
 		else if ( ! ip_anonymizer[method] )
-			internal_error("IP anonymizer not initialized");
+			reporter->InternalError("IP anonymizer not initialized");
 
 		else
 			new_ip = ip_anonymizer[method]->Anonymize(ip);
 		}
 
 	else
-		internal_error("invalid IP anonymization method");
+		reporter->InternalError("invalid IP anonymization method");
 
 #ifdef LOG_ANONYMIZATION_MAPPING
 	log_anonymization_mapping(ip, new_ip);
diff --git a/src/Anon.h b/src/Anon.h
index 3368ce16da..ce234f4680 100644
--- a/src/Anon.h
+++ b/src/Anon.h
@@ -1,5 +1,3 @@
-// $Id: Anon.h 416 2004-09-17 03:52:28Z vern $
-
 // The prefix-preserving IP address anonymization code is largely
 // based on (and sometimes directly copied from) Eddie Kohler's
 // ipsumdump-1.20 code, per:
@@ -18,6 +16,7 @@
 #include <map>
 using namespace std;
 
+#include "Reporter.h"
 #include "net_util.h"
 
 // TODO: Anon.h may not be the right place to put these functions ...
@@ -52,7 +51,7 @@ public:
 	// Keep the specified prefix unchanged.
 	virtual int PreservePrefix(ipaddr32_t /* input */, int /* num_bits */)
 		{
-		internal_error("prefix preserving is not supported for the anonymizer");
+		reporter->InternalError("prefix preserving is not supported for the anonymizer");
 		return 0;
 		}
 
diff --git a/src/Attr.cc b/src/Attr.cc
index 5a83d0501b..aed9165182 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -1,5 +1,3 @@
-// $Id: Attr.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -7,6 +5,7 @@
 #include "Attr.h"
 #include "Expr.h"
 #include "Serializer.h"
+#include "LogMgr.h"
 
 const char* attr_name(attr_tag t)
 	{
@@ -18,7 +17,7 @@ const char* attr_name(attr_tag t)
 		"&persistent", "&synchronized", "&postprocessor",
 		"&encrypt", "&match", "&disable_print_hook",
 		"&raw_output", "&mergeable", "&priority",
-		"&group", "(&tracked)",
+		"&group", "&log", "&error_handler", "(&tracked)",
 	};
 
 	return attr_names[int(t)];
@@ -49,6 +48,40 @@ void Attr::Describe(ODesc* d) const
 		}
 	}
 
+void Attr::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:attr:`");
+	AddTag(d);
+	d->Add("`");
+
+	if ( expr )
+		{
+		d->SP();
+		d->Add("=");
+		d->SP();
+
+
+		if ( expr->Tag() == EXPR_NAME )
+			{
+			d->Add(":bro:see:`");
+			expr->Describe(d);
+			d->Add("`");
+			}
+
+		else if ( expr->Type()->Tag() == TYPE_FUNC )
+			{
+			d->Add(":bro:type:`func`");
+			}
+
+		else
+			{
+			d->Add("``");
+			expr->Describe(d);
+			d-> Add("``");
+			}
+		}
+	}
+
 void Attr::AddTag(ODesc* d) const
 	{
 	if ( d->IsBinary() )
@@ -57,10 +90,11 @@ void Attr::AddTag(ODesc* d) const
 		d->Add(attr_name(Tag()));
 	}
 
-Attributes::Attributes(attr_list* a, BroType* t)
+Attributes::Attributes(attr_list* a, BroType* t, bool arg_in_record)
 	{
 	attrs = new attr_list(a->length());
 	type = t->Ref();
+	in_record = arg_in_record;
 
 	SetLocationInfo(&start_location, &end_location);
 
@@ -161,6 +195,17 @@ void Attributes::Describe(ODesc* d) const
 		}
 	}
 
+void Attributes::DescribeReST(ODesc* d) const
+	{
+	loop_over_list(*attrs, i)
+		{
+		if ( i > 0 )
+			d->Add(" ");
+
+		(*attrs)[i]->DescribeReST(d);
+		}
+	}
+
 void Attributes::CheckAttr(Attr* a)
 	{
 	switch ( a->Tag() ) {
@@ -199,27 +244,72 @@ void Attributes::CheckAttr(Attr* a)
 		{
 		BroType* atype = a->AttrExpr()->Type();
 
-		if ( type->Tag() != TYPE_TABLE || type->IsSet() )
+		if ( type->Tag() != TYPE_TABLE || (type->IsSet() && ! in_record) )
 			{
-			if ( ! same_type(atype, type) )
-				a->AttrExpr()->Error("&default value has inconsistent type", type);
-			break;
+			if ( same_type(atype, type) )
+				// Ok.
+				break;
+
+			// Record defaults may be promotable.
+			if ( (type->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+			      record_promotion_compatible(atype->AsRecordType(),
+							  type->AsRecordType())) )
+				// Ok.
+				break;
+
+			a->AttrExpr()->Error("&default value has inconsistent type", type);
 			}
 
 		TableType* tt = type->AsTableType();
+		BroType* ytype = tt->YieldType();
 
-		if ( ! same_type(atype, tt->YieldType()) )
+		if ( ! in_record )
 			{
-			// It can still be a default function.
-			if ( atype->Tag() == TYPE_FUNC )
+			// &default applies to the type itself.
+			if ( ! same_type(atype, ytype) )
 				{
-				FuncType* f = atype->AsFuncType();
-				if ( ! f->CheckArgs(tt->IndexTypes()) ||
-				     ! same_type(f->YieldType(), tt->YieldType()) )
-					Error("&default function type clash");
+				// It can still be a default function.
+				if ( atype->Tag() == TYPE_FUNC )
+					{
+					FuncType* f = atype->AsFuncType();
+					if ( ! f->CheckArgs(tt->IndexTypes()) ||
+					     ! same_type(f->YieldType(), ytype) )
+						Error("&default function type clash");
+
+					// Ok.
+					break;
+					}
+
+				// Table defaults may be promotable.
+				if ( (ytype->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+				      record_promotion_compatible(atype->AsRecordType(),
+								  ytype->AsRecordType())) )
+					// Ok.
+					break;
+
+				Error("&default value has inconsistent type 2");
 				}
-			else
-				Error("&default value has inconsistent type");
+
+			// Ok.
+			break;
+			}
+
+		else
+			{
+			// &default applies to record field.
+
+			if ( same_type(atype, type) ||
+			     (atype->Tag() == TYPE_TABLE && atype->AsTableType()->IsUnspecifiedTable()) )
+				// Ok.
+				break;
+
+			// Table defaults may be promotable.
+			if ( (ytype->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+			      record_promotion_compatible(atype->AsRecordType(), ytype->AsRecordType())) )
+				// Ok.
+				break;
+
+			Error("&default value has inconsistent type");
 			}
 		}
 		break;
@@ -316,10 +406,18 @@ void Attributes::CheckAttr(Attr* a)
 	case ATTR_GROUP:
 		if ( type->Tag() != TYPE_FUNC ||
 		     ! type->AsFuncType()->IsEvent() )
-			{
 			Error("&group only applicable to events");
-			break;
-			}
+		break;
+
+	case ATTR_ERROR_HANDLER:
+		if ( type->Tag() != TYPE_FUNC ||
+		     ! type->AsFuncType()->IsEvent() )
+			Error("&error_handler only applicable to events");
+		break;
+
+	case ATTR_LOG:
+		if ( ! LogVal::IsCompatibleType(type) )
+			Error("&log applied to a type that cannot be logged");
 		break;
 
 	default:
@@ -327,6 +425,41 @@ void Attributes::CheckAttr(Attr* a)
 	}
 	}
 
+bool Attributes::operator==(const Attributes& other) const
+	{
+	if ( ! attrs )
+		return other.attrs;
+
+	if ( ! other.attrs )
+		return false;
+
+	loop_over_list(*attrs, i)
+		{
+		Attr* a = (*attrs)[i];
+		Attr* o = other.FindAttr(a->Tag());
+
+		if ( ! o )
+			return false;
+
+		if ( ! (*a == *o) )
+			return false;
+		}
+
+	loop_over_list(*other.attrs, j)
+		{
+		Attr* o = (*other.attrs)[j];
+		Attr* a = FindAttr(o->Tag());
+
+		if ( ! a )
+			return false;
+
+		if ( ! (*a == *o) )
+			return false;
+		}
+
+	return true;
+	}
+
 bool Attributes::Serialize(SerialInfo* info) const
 	{
 	return SerialObj::Serialize(info);
@@ -351,7 +484,11 @@ bool Attributes::DoSerialize(SerialInfo* info) const
 	loop_over_list((*attrs), i)
 		{
 		Attr* a = (*attrs)[i];
-		SERIALIZE_OPTIONAL(a->AttrExpr())
+
+		// Broccoli doesn't support expressions.
+		Expr* e = (! info->broccoli_peer) ? a->AttrExpr() : 0;
+		SERIALIZE_OPTIONAL(e);
+
 		if ( ! SERIALIZE(char(a->Tag())) )
 			return false;
 		}
diff --git a/src/Attr.h b/src/Attr.h
index 73fb101841..6c835dc61c 100644
--- a/src/Attr.h
+++ b/src/Attr.h
@@ -1,5 +1,3 @@
-// $Id: Attr.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef attr_h
@@ -35,6 +33,8 @@ typedef enum {
 	ATTR_MERGEABLE,
 	ATTR_PRIORITY,
 	ATTR_GROUP,
+	ATTR_LOG,
+	ATTR_ERROR_HANDLER,
 	ATTR_TRACKED,	// hidden attribute, tracked by NotifierRegistry
 #define NUM_ATTRS (int(ATTR_TRACKED) + 1)
 } attr_tag;
@@ -51,6 +51,21 @@ public:
 		{ return tag == ATTR_REDEF || tag == ATTR_OPTIONAL; }
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
+
+	bool operator==(const Attr& other) const
+		{
+		if ( tag != other.tag )
+			return false;
+
+		if ( expr || other.expr )
+			// If any has an expression and they aren't the same object, we
+			// declare them unequal, as we can't really find out if the two
+			// expressions are equivalent.
+			return (expr == other.expr);
+
+		return true;
+		}
 
 protected:
 	void AddTag(ODesc* d) const;
@@ -62,7 +77,7 @@ protected:
 // Manages a collection of attributes.
 class Attributes : public BroObj {
 public:
-	Attributes(attr_list* a, BroType* t);
+	Attributes(attr_list* a, BroType* t, bool in_record);
 	~Attributes();
 
 	void AddAttr(Attr* a);
@@ -73,12 +88,15 @@ public:
 	void RemoveAttr(attr_tag t);
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 	attr_list* Attrs()	{ return attrs; }
 
 	bool Serialize(SerialInfo* info) const;
 	static Attributes* Unserialize(UnserialInfo* info);
 
+	bool operator==(const Attributes& other) const;
+
 protected:
 	Attributes()	{ type = 0; attrs = 0; }
 	void CheckAttr(Attr* attr);
@@ -87,6 +105,7 @@ protected:
 
 	BroType* type;
 	attr_list* attrs;
+	bool in_record;
 };
 
 #endif
diff --git a/src/BPF_Program.cc b/src/BPF_Program.cc
index 7796ccce81..a6d3d80c05 100644
--- a/src/BPF_Program.cc
+++ b/src/BPF_Program.cc
@@ -1,5 +1,3 @@
-// $Id: BPF_Program.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/BPF_Program.h b/src/BPF_Program.h
index 4c6e090cda..88ed669da2 100644
--- a/src/BPF_Program.h
+++ b/src/BPF_Program.h
@@ -1,5 +1,3 @@
-// $Id: BPF_Program.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef bpf_program_h
diff --git a/src/BackDoor.cc b/src/BackDoor.cc
index 493fd9ae00..c218a98ce2 100644
--- a/src/BackDoor.cc
+++ b/src/BackDoor.cc
@@ -1,5 +1,3 @@
-// $Id: BackDoor.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/BackDoor.h b/src/BackDoor.h
index 50d97514ef..40ea3bbaa3 100644
--- a/src/BackDoor.h
+++ b/src/BackDoor.h
@@ -1,5 +1,3 @@
-// $Id: BackDoor.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef backdoor_h
diff --git a/src/Base64.cc b/src/Base64.cc
index a82b2ee24a..b0da8ea74c 100644
--- a/src/Base64.cc
+++ b/src/Base64.cc
@@ -1,16 +1,27 @@
-// $Id: Base64.cc 6024 2008-07-26 19:20:47Z vern $
-
 #include "config.h"
 #include "Base64.h"
 
-static int base64_table[256];
+int Base64Decoder::default_base64_table[256];
+const string Base64Decoder::default_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
-static void init_base64_table()
+int* Base64Decoder::InitBase64Table(const string& alphabet)
 	{
-	static int table_initialized = 0;
+	assert(alphabet.size() == 64);
 
-	if ( ++table_initialized > 1 )
-		return;
+	static bool default_table_initialized = false;
+
+	if ( alphabet == default_alphabet && default_table_initialized )
+		return default_base64_table;
+
+	int* base64_table = 0;
+
+	if ( alphabet == default_alphabet )
+		{
+		base64_table = default_base64_table;
+		default_table_initialized = true;
+		}
+	else
+		base64_table = new int[256];
 
 	int i;
 	for ( i = 0; i < 256; ++i )
@@ -18,35 +29,43 @@ static void init_base64_table()
 
 	for ( i = 0; i < 26; ++i )
 		{
-		base64_table['A' + i] = i;
-		base64_table['a' + i] = i + 26;
+		base64_table[int(alphabet[0 + i])] = i;
+		base64_table[int(alphabet[26 + i])] = i + 26;
 		}
 
 	for ( i = 0; i < 10; ++i )
-		base64_table['0' + i] = i + 52;
+		base64_table[int(alphabet[52 + i])] = i + 52;
 
 	// Casts to avoid compiler warnings.
-	base64_table[int('+')] = 62;
-	base64_table[int('/')] = 63;
+	base64_table[int(alphabet[62])] = 62;
+	base64_table[int(alphabet[63])] = 63;
 	base64_table[int('=')] = 0;
+
+	return base64_table;
 	}
 
-Base64Decoder::Base64Decoder(Analyzer* arg_analyzer)
+Base64Decoder::Base64Decoder(Analyzer* arg_analyzer, const string& alphabet)
 	{
-	init_base64_table();
+	base64_table = InitBase64Table(alphabet.size() ? alphabet : default_alphabet);
 	base64_group_next = 0;
 	base64_padding = base64_after_padding = 0;
 	errored = 0;
 	analyzer = arg_analyzer;
 	}
 
+Base64Decoder::~Base64Decoder()
+	{
+	if ( base64_table != default_base64_table )
+		delete base64_table;
+	}
+
 int Base64Decoder::Decode(int len, const char* data, int* pblen, char** pbuf)
 	{
 	int blen;
 	char* buf;
 
 	if ( ! pbuf )
-		internal_error("nil pointer to decoding result buffer");
+		reporter->InternalError("nil pointer to decoding result buffer");
 
 	if ( *pbuf )
 		{
@@ -144,13 +163,21 @@ int Base64Decoder::Done(int* pblen, char** pbuf)
 	return 0;
 	}
 
-BroString* decode_base64(const BroString* s)
+
+BroString* decode_base64(const BroString* s, const BroString* a)
 	{
+	if ( a && a->Len() != 64 )
+		{
+		reporter->Error("base64 decoding alphabet is not 64 characters: %s",
+		                a->CheckString());
+		return 0;
+		}
+
 	int buf_len = int((s->Len() + 3) / 4) * 3 + 1;
 	int rlen2, rlen = buf_len;
 	char* rbuf2, *rbuf = new char[rlen];
 
-	Base64Decoder dec(0);
+	Base64Decoder dec(0, a ? a->CheckString() : "");
 	if ( dec.Decode(s->Len(), (const char*) s->Bytes(), &rlen, &rbuf) == -1 )
 		goto err;
 
diff --git a/src/Base64.h b/src/Base64.h
index a8e7c01667..0e02c94cf0 100644
--- a/src/Base64.h
+++ b/src/Base64.h
@@ -1,5 +1,3 @@
-// $Id: Base64.h 3526 2006-09-12 07:32:21Z vern $
-
 #ifndef base64_h
 #define base64_h
 
@@ -15,11 +13,11 @@
 
 class Base64Decoder {
 public:
-	// <analyzer> is used for error reporting, and it should be zero
-	// when the decoder is called by the built-in function
-	// decode_base64().
-	Base64Decoder(Analyzer* analyzer);
-	~Base64Decoder()	{ }
+	// <analyzer> is used for error reporting, and it should be zero when
+	// the decoder is called by the built-in function decode_base64().
+	// Empty alphabet indicates the default base64 alphabet.
+	Base64Decoder(Analyzer* analyzer, const string& alphabet = "");
+	~Base64Decoder();
 
 	// A note on Decode():
 	//
@@ -46,7 +44,7 @@ public:
 		if ( analyzer )
 			analyzer->Weird("base64_illegal_encoding", msg);
 		else
-			run_time(msg);
+			reporter->Error("%s", msg);
 		}
 
 protected:
@@ -59,8 +57,13 @@ protected:
 	int base64_after_padding;
 	int errored;	// if true, we encountered an error - skip further processing
 	Analyzer* analyzer;
+	int* base64_table;
+
+	static int* InitBase64Table(const string& alphabet);
+	static int default_base64_table[256];
+	static const string default_alphabet;
 };
 
-BroString* decode_base64(const BroString* s);
+BroString* decode_base64(const BroString* s, const BroString* a = 0);
 
 #endif /* base64_h */
diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc
index e99047beb1..c58eb4cf65 100644
--- a/src/BitTorrent.cc
+++ b/src/BitTorrent.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 
 #include "BitTorrent.h"
diff --git a/src/BitTorrent.h b/src/BitTorrent.h
index 7f745d48c8..191b4c50d7 100644
--- a/src/BitTorrent.h
+++ b/src/BitTorrent.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 
 #ifndef bittorrent_h
diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc
index 50f6d0449c..995a01dd63 100644
--- a/src/BitTorrentTracker.cc
+++ b/src/BitTorrentTracker.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 
 #include "BitTorrentTracker.h"
@@ -8,8 +6,10 @@
 #include <sys/types.h>
 #include <regex.h>
 
-# define FMT_INT "%lld"
-# define FMT_UINT "%llu"
+#include <algorithm>
+
+# define FMT_INT "%" PRId64
+# define FMT_UINT "%" PRIu64
 
 static TableType* bt_tracker_headers = 0;
 static RecordType* bittorrent_peer;
diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h
index 167c9d0d10..d57665d104 100644
--- a/src/BitTorrentTracker.h
+++ b/src/BitTorrentTracker.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 
 #ifndef bittorrenttracker_h
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
new file mode 100644
index 0000000000..b20db727ff
--- /dev/null
+++ b/src/BroDoc.cc
@@ -0,0 +1,455 @@
+#include <cstdio>
+#include <cstdarg>
+#include <string>
+#include <list>
+#include <algorithm>
+#include <libgen.h>
+
+#include "BroDoc.h"
+#include "BroDocObj.h"
+#include "util.h"
+
+BroDoc::BroDoc(const std::string& rel, const std::string& abs)
+	{
+	size_t f_pos = abs.find_last_of('/');
+
+	if ( std::string::npos == f_pos )
+		source_filename = abs;
+	else
+		source_filename = abs.substr(f_pos + 1);
+
+	if ( rel[0] == '/' || rel[0] == '.' )
+		{
+		// The Bro script isn't being loaded via BROPATH, so just use basename
+		// as the document title.
+		doc_title = source_filename;
+		}
+	else
+		{
+		// Keep the relative directory as part of the document title.
+		if ( rel.size() == 0 || rel[rel.size() - 1] == '/' )
+			doc_title = rel + source_filename;
+		else
+			doc_title = rel + "/" + source_filename;
+		}
+
+	downloadable_filename = source_filename;
+
+	size_t ext_pos = downloadable_filename.find(".bif.bro");
+	if ( std::string::npos != ext_pos )
+		downloadable_filename.erase(ext_pos + 4);
+
+	reST_filename = doc_title;
+	ext_pos = reST_filename.find(".bro");
+
+	if ( std::string::npos == ext_pos )
+		reST_filename += ".rst";
+	else
+		reST_filename.replace(ext_pos, 4, ".rst");
+
+	reST_filename = doc_title.substr(0, ext_pos);
+	reST_filename += ".rst";
+
+	// Instead of re-creating the directory hierarchy based on related
+	// loads, just replace the directory separatories such that the reST
+	// output will all be placed in a flat directory (the working dir).
+	std::for_each(reST_filename.begin(), reST_filename.end(), replace_slash());
+
+	reST_file = fopen(reST_filename.c_str(), "w");
+
+	if ( ! reST_file )
+		fprintf(stderr, "Failed to open %s\n", reST_filename.c_str());
+
+#ifdef DOCDEBUG
+	fprintf(stdout, "Documenting absolute source: %s\n", abs.c_str());
+	fprintf(stdout, "\trelative dir: %s\n", rel.c_str());
+	fprintf(stdout, "\tdoc title: %s\n", doc_title.c_str());
+	fprintf(stdout, "\tbro file: %s\n", source_filename.c_str());
+	fprintf(stdout, "\trst file: %s\n", reST_filename.c_str());
+#endif
+	}
+
+BroDoc::~BroDoc()
+	{
+	if ( reST_file && fclose( reST_file ) )
+		fprintf(stderr, "Failed to close %s\n", reST_filename.c_str());
+
+	FreeBroDocObjPtrList(all);
+	}
+
+void BroDoc::AddImport(const std::string& s)
+	{
+	std::string lname(s);
+	// First strip any .bro extension.
+	size_t ext_pos = lname.find(".bro");
+	if ( ext_pos != std::string::npos )
+		lname = lname.substr(0, ext_pos);
+
+	const char* full_filename = "<error>";
+	const char* subpath = "<error>";
+	FILE* f = search_for_file(lname.c_str(), "bro", &full_filename, true,
+	                          &subpath);
+
+	if ( f )
+		{
+		fclose(f);
+
+		char* tmp = copy_string(full_filename);
+		char* filename = basename(tmp);
+		extern char* PACKAGE_LOADER;
+
+		if ( streq(filename, PACKAGE_LOADER) )
+			{
+			// link to the package's index
+			string pkg(subpath);
+			pkg += "/index";
+			imports.push_back(pkg);
+			}
+		else
+			{
+			if ( subpath[0] == '/' || subpath[0] == '.' )
+				{
+				// it's not a subpath of scripts/, so just add the name of it
+				// as it's given in the @load directive
+				imports.push_back(lname);
+				}
+			else
+				{
+				// combine the base file name of script in the @load directive
+				// with the subpath of BROPATH's scripts/ directory
+				string fname(subpath);
+				char* othertmp = copy_string(lname.c_str());
+				fname.append("/").append(basename(othertmp));
+				imports.push_back(fname);
+				delete [] othertmp;
+				}
+			}
+
+		delete [] tmp;
+		delete [] full_filename;
+		delete [] subpath;
+		}
+	else
+		fprintf(stderr, "Failed to document '@load %s' in file: %s\n",
+		        s.c_str(), reST_filename.c_str());
+	}
+
+void BroDoc::SetPacketFilter(const std::string& s)
+	{
+	packet_filter = s;
+	size_t pos1 = s.find("{\n");
+	size_t pos2 = s.find("}");
+
+	if ( pos1 != std::string::npos && pos2 != std::string::npos )
+		packet_filter = s.substr(pos1 + 2, pos2 - 2);
+
+	bool has_non_whitespace = false;
+
+	for ( std::string::const_iterator it = packet_filter.begin();
+		it != packet_filter.end(); ++it )
+		{
+		if ( *it != ' ' && *it != '\t' && *it != '\n' && *it != '\r' )
+			{
+			has_non_whitespace = true;
+			break;
+			}
+		}
+
+	if ( ! has_non_whitespace )
+		packet_filter.clear();
+	}
+
+void BroDoc::AddPortAnalysis(const std::string& analyzer,
+			const std::string& ports)
+	{
+	std::string reST_string = analyzer + "::\n" + ports + "\n\n";
+	port_analysis.push_back(reST_string);
+	}
+
+void BroDoc::WriteDocFile() const
+	{
+	WriteToDoc(".. Automatically generated.  Do not edit.\n\n");
+
+	WriteToDoc(":tocdepth: 3\n\n");
+
+	WriteSectionHeading(doc_title.c_str(), '=');
+
+	WriteStringList(".. bro:namespace:: %s\n", modules);
+
+	WriteToDoc("\n");
+
+	// WriteSectionHeading("Overview", '-');
+	WriteStringList("%s\n", summary);
+
+	WriteToDoc("\n");
+
+	if ( ! modules.empty() )
+		{
+		WriteToDoc(":Namespace%s: ", (modules.size() > 1 ? "s" : ""));
+		// WriteStringList(":bro:namespace:`%s`", modules);
+		WriteStringList("``%s``, ", "``%s``", modules);
+		WriteToDoc("\n");
+		}
+
+	if ( ! imports.empty() )
+		{
+		WriteToDoc(":Imports: ");
+		std::list<std::string>::const_iterator it;
+		for ( it = imports.begin(); it != imports.end(); ++it )
+			{
+			if ( it != imports.begin() )
+				WriteToDoc(", ");
+
+			string pretty(*it);
+			size_t pos = pretty.find("/index");
+			if ( pos != std::string::npos && pos + 6 == pretty.size() )
+				pretty = pretty.substr(0, pos);
+			WriteToDoc(":doc:`%s </scripts/%s>`", pretty.c_str(), it->c_str());
+			}
+		WriteToDoc("\n");
+		}
+
+	WriteToDoc(":Source File: :download:`%s`\n",
+		downloadable_filename.c_str());
+
+	WriteToDoc("\n");
+
+	WriteInterface("Summary", '~', '#', true, true);
+
+	if ( ! notices.empty() )
+		WriteBroDocObjList(notices, "Notices", '#');
+
+	if ( port_analysis.size() || packet_filter.size() )
+		WriteSectionHeading("Configuration Changes", '#');
+
+	if ( ! port_analysis.empty() )
+		{
+		WriteSectionHeading("Port Analysis", '^');
+		WriteToDoc("Loading this script makes the following changes to "
+		           ":bro:see:`dpd_config`.\n\n");
+		WriteStringList("%s, ", "%s", port_analysis);
+		}
+
+	if ( ! packet_filter.empty() )
+		{
+		WriteSectionHeading("Packet Filter", '^');
+		WriteToDoc("Loading this script makes the following changes to "
+		           ":bro:see:`capture_filters`.\n\n");
+		WriteToDoc("Filters added::\n\n");
+		WriteToDoc("%s\n", packet_filter.c_str());
+		}
+
+	WriteInterface("Detailed Interface", '~', '#', true, false);
+
+#if 0   // Disabled for now.
+	BroDocObjList::const_iterator it;
+	bool hasPrivateIdentifiers = false;
+
+	for ( it = all.begin(); it != all.end(); ++it )
+		{
+		if ( ! IsPublicAPI(*it) )
+			{
+			hasPrivateIdentifiers = true;
+			break;
+			}
+		}
+
+	if ( hasPrivateIdentifiers )
+		WriteInterface("Private Interface", '~', '#', false, false);
+#endif
+	}
+
+void BroDoc::WriteInterface(const char* heading, char underline,
+			char sub, bool isPublic, bool isShort) const
+	{
+	WriteSectionHeading(heading, underline);
+	WriteBroDocObjList(options, isPublic, "Options", sub, isShort);
+	WriteBroDocObjList(constants, isPublic, "Constants", sub, isShort);
+	WriteBroDocObjList(state_vars, isPublic, "State Variables", sub, isShort);
+	WriteBroDocObjList(types, isPublic, "Types", sub, isShort);
+	WriteBroDocObjList(events, isPublic, "Events", sub, isShort);
+	WriteBroDocObjList(functions, isPublic, "Functions", sub, isShort);
+	WriteBroDocObjList(redefs, isPublic, "Redefinitions", sub, isShort);
+	}
+
+void BroDoc::WriteStringList(const char* format, const char* last_format,
+			const std::list<std::string>& l) const
+	{
+	if ( l.empty() )
+		{
+		WriteToDoc("\n");
+		return;
+		}
+
+	std::list<std::string>::const_iterator it;
+	std::list<std::string>::const_iterator last = l.end();
+	last--;
+
+	for ( it = l.begin(); it != last; ++it )
+		WriteToDoc(format, it->c_str());
+
+	WriteToDoc(last_format, last->c_str());
+	}
+
+void BroDoc::WriteBroDocObjTable(const BroDocObjList& l) const
+	{
+	int max_id_col = 0;
+	int max_com_col = 0;
+	BroDocObjList::const_iterator it;
+
+	for ( it = l.begin(); it != l.end(); ++it )
+		{
+		int c = (*it)->ColumnSize();
+
+		if ( c > max_id_col )
+			max_id_col = c;
+
+		c = (*it)->LongestShortDescLen();
+
+		if ( c > max_com_col )
+			max_com_col = c;
+		}
+
+	// Start table.
+	WriteRepeatedChar('=', max_id_col);
+	WriteToDoc(" ");
+
+	if ( max_com_col == 0 )
+		WriteToDoc("=");
+	else
+		WriteRepeatedChar('=', max_com_col);
+
+	WriteToDoc("\n");
+
+	for ( it = l.begin(); it != l.end(); ++it )
+		{
+		if ( it != l.begin() )
+			WriteToDoc("\n\n");
+		(*it)->WriteReSTCompact(reST_file, max_id_col);
+		}
+
+	// End table.
+	WriteToDoc("\n");
+	WriteRepeatedChar('=', max_id_col);
+	WriteToDoc(" ");
+
+	if ( max_com_col == 0 )
+		WriteToDoc("=");
+	else
+		WriteRepeatedChar('=', max_com_col);
+
+	WriteToDoc("\n\n");
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l, bool wantPublic,
+			const char* heading, char underline, bool isShort) const
+	{
+	if ( l.empty() )
+		return;
+
+	BroDocObjList::const_iterator it;
+	bool (*f_ptr)(const BroDocObj* o) = 0;
+
+	if ( wantPublic )
+		f_ptr = IsPublicAPI;
+	else
+		f_ptr = IsPrivateAPI;
+
+	it = std::find_if(l.begin(), l.end(), f_ptr);
+
+	if ( it == l.end() )
+		return;
+
+	WriteSectionHeading(heading, underline);
+
+	BroDocObjList filtered_list;
+
+	while ( it != l.end() )
+		{
+		filtered_list.push_back(*it);
+		it = find_if(++it, l.end(), f_ptr);
+		}
+
+	if ( isShort )
+		WriteBroDocObjTable(filtered_list);
+	else
+		WriteBroDocObjList(filtered_list);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic,
+			const char* heading, char underline, bool isShort) const
+	{
+	BroDocObjMap::const_iterator it;
+	BroDocObjList l;
+
+	for ( it = m.begin(); it != m.end(); ++it )
+		l.push_back(it->second);
+
+	WriteBroDocObjList(l, wantPublic, heading, underline, isShort);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l, const char* heading,
+			char underline) const
+	{
+	WriteSectionHeading(heading, underline);
+	WriteBroDocObjList(l);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l) const
+	{
+	for ( BroDocObjList::const_iterator it = l.begin(); it != l.end(); ++it )
+		(*it)->WriteReST(reST_file);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, const char* heading,
+			char underline) const
+	{
+	BroDocObjMap::const_iterator it;
+	BroDocObjList l;
+
+	for ( it = m.begin(); it != m.end(); ++it )
+		l.push_back(it->second);
+
+	WriteBroDocObjList(l, heading, underline);
+	}
+
+void BroDoc::WriteToDoc(const char* format, ...) const
+	{
+	va_list argp;
+	va_start(argp, format);
+	vfprintf(reST_file, format, argp);
+	va_end(argp);
+	}
+
+void BroDoc::WriteSectionHeading(const char* heading, char underline) const
+	{
+	WriteToDoc("%s\n", heading);
+	WriteRepeatedChar(underline, strlen(heading));
+	WriteToDoc("\n");
+	}
+
+void BroDoc::WriteRepeatedChar(char c, size_t n) const
+	{
+	for ( size_t i = 0; i < n; ++i )
+		WriteToDoc("%c", c);
+	}
+
+void BroDoc::FreeBroDocObjPtrList(BroDocObjList& l)
+	{
+	for ( BroDocObjList::const_iterator it = l.begin(); it != l.end(); ++it )
+		delete *it;
+
+	l.clear();
+	}
+
+void BroDoc::AddFunction(BroDocObj* o)
+	{
+	BroDocObjMap::const_iterator it = functions.find(o->Name());
+	if ( it == functions.end() )
+		{
+		functions[o->Name()] = o;
+		all.push_back(o);
+		}
+	else
+		functions[o->Name()]->Combine(o);
+	}
diff --git a/src/BroDoc.h b/src/BroDoc.h
new file mode 100644
index 0000000000..ac6ff0a59b
--- /dev/null
+++ b/src/BroDoc.h
@@ -0,0 +1,390 @@
+#ifndef brodoc_h
+#define brodoc_h
+
+#include <cstdio>
+#include <cstdarg>
+#include <string>
+#include <list>
+
+#include "BroDocObj.h"
+
+/**
+ * This class is used to gather all data relevant to the automatic generation
+ * of a reStructuredText (reST) document from a given Bro script.
+ */
+class BroDoc {
+public:
+	/**
+	 * BroDoc constructor
+	 * Given a Bro script, opens new file in the current working directory
+	 * that will contain reST documentation generated from the parsing
+	 * of the Bro script.  The new reST file will be named similar to
+	 * the filename of the Bro script that generates it, except any
+	 * ".bro" file extension is stripped and ".rst" takes it place.
+	 * If the filename doesn't end in ".bro", then ".rst" is just appended.
+	 * Any '/' characters in the reST file name that result from choice of
+	 * the 'rel' parameter are replaced with '^'.
+	 * @param rel A string representing a subpath of the root Bro script
+	 *        source/install directory in which the source file is located.
+	 *        It can also be an absolute path, but then the parameter is
+	 *        ignored and the document title is just derived from file name
+	 * @param abs The absolute path to the Bro script for which to generate
+	 *        documentation.
+	 */
+	BroDoc(const std::string& rel, const std::string& abs);
+
+	/**
+	 * BroDoc destructor
+	 * Closes the file that was opened by the constructor and frees up
+	 * memory taken by BroDocObj objects.
+	 */
+	virtual ~BroDoc();
+
+	/**
+	 * Write out full reST documentation for the Bro script that was parsed.
+	 * BroDoc's default implementation of this function will care
+	 * about whether declarations made in the Bro script are part of
+	 * the public versus private interface (whether things are declared in
+	 * the export section).
+	 */
+	virtual void WriteDocFile() const;
+
+	/**
+	 * Schedules some summarizing text to be output directly into the reST doc.
+	 * This should be called whenever the scanner sees a line in the Bro script
+	 * starting with "##!"
+	 * @param s The summary text to add to the reST doc.
+	 */
+	void AddSummary(const std::string& s)	{ summary.push_back(s); }
+
+	/**
+	 * Schedules an import (@load) to be documented.
+	 * If the script being loaded has a .bro suffix, it is internally stripped.
+	 * This should be called whenever the scanner sees an @load.
+	 * @param s The name of the imported script.
+	 */
+	void AddImport(const std::string& s);
+
+	/**
+	 * Schedules a namespace (module) to be documented.
+	 * This should be called whenever the parser sees a TOK_MODULE.
+	 * @param s The namespace (module) identifier's name.
+	 */
+	void AddModule(const std::string& s)	{ modules.push_back(s); }
+
+	/**
+	 * Sets the way the script changes the "capture_filters" table.
+	 * This is determined by the scanner checking for changes to
+	 * the "capture_filters" table after each of Bro's input scripts
+	 * (given as command line arguments to Bro) are finished being parsed.
+	 * @param s The value "capture_filters" as given by TableVal::Describe()
+	 */
+	void SetPacketFilter(const std::string& s);
+
+	/**
+	 * Schedules documentation of a given set of ports being associated
+	 * with a particular analyzer as a result of the current script
+	 * being loaded -- the way the "dpd_config" table is changed.
+	 * @param analyzer An analyzer that changed the "dpd_config" table.
+	 * @param ports The set of ports assigned to the analyzer in table.
+	 */
+	void AddPortAnalysis(const std::string& analyzer, const std::string& ports);
+
+	/**
+	 * Schedules documentation of a script option.  An option is
+	 * defined as any variable in the script that is declared 'const'
+	 * and has the '&redef' attribute.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script option and
+	 *        also any associated comments about it.
+	 */
+	void AddOption(const BroDocObj* o)
+		{
+		options.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a script constant.  An option is
+	 * defined as any variable in the script that is declared 'const'
+	 * and does *not* have the '&redef' attribute.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script constant and
+	 *        also any associated comments about it.
+	 */
+	void AddConstant(const BroDocObj* o)
+		{
+		constants.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a script state variable.  A state variable
+	 * is defined as any variable in the script that is declared 'global'
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script state variable
+	 *        and also any associated comments about it.
+	 */
+	void AddStateVar(const BroDocObj* o)
+		{
+		state_vars.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a type declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script option and
+	 *        also any associated comments about it.
+	 */
+	void AddType(const BroDocObj* o)
+		{
+		types.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a Notice (enum redef) declared by script
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the Notice and also
+	 *        any associated comments about it.
+	 */
+	void AddNotice(const BroDocObj* o)
+		{
+		notices.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of an event declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script event and
+	 *        also any associated comments about it.
+	 */
+	void AddEvent(const BroDocObj* o)
+		{
+		events.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of an event handler declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script event handler and
+	 *        also any associated comments about it.
+	 */
+	void AddEventHandler(const BroDocObj* o)
+		{
+		event_handlers.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a function declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script function and
+	 *        also any associated comments about it.
+	 */
+	void AddFunction(BroDocObj* o);
+
+	/**
+	 * Schedules documentation of a redef done by the script
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script identifier
+	 *        that was redefined and also any associated comments.
+	 */
+	void AddRedef(const BroDocObj* o)
+		{
+		redefs.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Gets the name of the Bro script source file for which reST
+	 * documentation is being generated.
+	 * @return A char* to the start of the source file's name.
+	 */
+	const char* GetSourceFileName() const
+		{
+		return source_filename.c_str();
+		}
+
+	/**
+	 * Gets the name of the generated reST documentation file.
+	 * @return A char* to the start of the generated reST file's name.
+	 */
+	const char* GetOutputFileName() const
+		{
+		return reST_filename.c_str();
+		}
+
+protected:
+	FILE* reST_file;
+	std::string reST_filename;
+	std::string source_filename;	// points to the basename of source file
+	std::string downloadable_filename; // file that will be linked for download
+	std::string doc_title;
+	std::string packet_filter;
+
+	std::list<std::string> modules;
+	std::list<std::string> summary;
+	std::list<std::string> imports;
+	std::list<std::string> port_analysis;
+
+	typedef std::list<const BroDocObj*> BroDocObjList;
+	typedef std::map<std::string, BroDocObj*> BroDocObjMap;
+
+	BroDocObjList options;
+	BroDocObjList constants;
+	BroDocObjList state_vars;
+	BroDocObjList types;
+	BroDocObjList notices;
+	BroDocObjList events;
+	BroDocObjList event_handlers;
+	BroDocObjMap functions;
+	BroDocObjList redefs;
+
+	BroDocObjList all;
+
+	/**
+	 * Writes out a list of strings to the reST document.
+	 * If the list is empty, prints a newline character.
+	 * @param format A printf style format string for elements of the list
+	 *        except for the last one in the list
+	 * @param last_format A printf style format string to use for the last
+	 *        element of the list
+	 * @param l A reference to a list of strings
+	 */
+	void WriteStringList(const char* format, const char* last_format,
+			const std::list<std::string>& l) const;
+
+	/**
+	 * @see WriteStringList(const char*, const char*,
+	 *                      const std::list<std::string>&>)
+	 */
+	void WriteStringList(const char* format,
+			const std::list<std::string>& l) const
+		{
+		WriteStringList(format, format, l);
+		}
+
+
+	/**
+	 * Writes out a table of BroDocObj's to the reST document
+	 * @param l A list of BroDocObj pointers
+	 */
+	void WriteBroDocObjTable(const BroDocObjList& l) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 * @param wantPublic If true, filter out objects that are not declared
+	 *        in the global scope.  If false, filter out those that are in
+	 *        the global scope.
+	 * @param heading The title of the section to create in the reST doc.
+	 * @param underline The character to use to underline the reST
+	 *        section heading.
+	 * @param isShort Whether to write the full documentation or a "short"
+	 *        version (a single sentence)
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l, bool wantPublic,
+			const char* heading, char underline,
+			bool isShort) const;
+
+	/**
+	 * Wraps the BroDocObjMap into a BroDocObjList and the writes that list
+	 * to the reST document
+	 * @see WriteBroDocObjList(const BroDocObjList&, bool, const char*, char,
+	        bool)
+	 */
+	void WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic,
+			const char* heading, char underline,
+			bool isShort) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 * @param heading The title of the section to create in the reST doc.
+	 * @param underline The character to use to underline the reST
+	 *        section heading.
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l, const char* heading,
+			char underline) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l) const;
+
+	/**
+	 * Wraps the BroDocObjMap into a BroDocObjList and the writes that list
+	 * to the reST document
+	 * @see WriteBroDocObjList(const BroDocObjList&, const char*, char)
+	 */
+	void WriteBroDocObjList(const BroDocObjMap& m, const char* heading,
+			char underline) const;
+
+	/**
+	 * A wrapper to fprintf() that always uses the reST document
+	 * for the FILE* argument.
+	 * @param format A printf style format string.
+	 */
+	void WriteToDoc(const char* format, ...) const;
+
+	/**
+	 * Writes out a reST section heading
+	 * @param heading The title of the heading to create
+	 * @param underline The character to use to underline the section title
+	 *        within the reST document
+	 */
+	void WriteSectionHeading(const char* heading, char underline) const;
+
+	/**
+	 * Writes out given number of characters to reST document
+	 * @param c the character to write
+	 * @param n the number of characters to write
+	 */
+	void WriteRepeatedChar(char c, size_t n) const;
+
+	/**
+	 * Writes out the reST for either the script's public or private interface
+	 * @param heading The title of the interfaces section heading
+	 * @param underline The underline character to use for the interface
+	 *        section
+	 * @param subunderline The underline character to use for interface
+	 *        sub-sections
+	 * @param isPublic Whether to write out the public or private script
+	 *        interface
+	 * @param isShort Whether to write out the full documentation or a "short"
+	 *        description (a single sentence)
+	 */
+	void WriteInterface(const char* heading, char underline, char subunderline,
+			bool isPublic, bool isShort) const;
+private:
+
+	/**
+	 * Frees memory allocated to BroDocObj's objects in a given list.
+	 * @param a reference to a list of BroDocObj pointers
+	 */
+	void FreeBroDocObjPtrList(BroDocObjList& l);
+
+	static bool IsPublicAPI(const BroDocObj* o)
+		{
+		return o->IsPublicAPI();
+		}
+
+	static bool IsPrivateAPI(const BroDocObj* o)
+		{
+		return ! o->IsPublicAPI();
+		}
+
+    struct replace_slash {
+        void operator()(char& c)
+            {
+            if ( c == '/' ) c = '^';
+            }
+    };
+};
+
+#endif
diff --git a/src/BroDocObj.cc b/src/BroDocObj.cc
new file mode 100644
index 0000000000..12753ea15d
--- /dev/null
+++ b/src/BroDocObj.cc
@@ -0,0 +1,171 @@
+#include <cstdio>
+#include <string>
+#include <list>
+#include "ID.h"
+#include "BroDocObj.h"
+
+BroDocObj* BroDocObj::last = 0;
+
+BroDocObj::BroDocObj(const ID* id, std::list<std::string>*& reST,
+			bool is_fake)
+	{
+	last = this;
+	broID = id;
+	reST_doc_strings = reST;
+	reST = 0;
+	is_fake_id = is_fake;
+	use_role = 0;
+	FormulateShortDesc();
+	}
+
+BroDocObj::~BroDocObj()
+	{
+	if ( reST_doc_strings )
+		delete reST_doc_strings;
+
+	if ( is_fake_id )
+		delete broID;
+	}
+
+void BroDocObj::WriteReSTCompact(FILE* file, int max_col) const
+	{
+	ODesc desc;
+	desc.SetQuotes(1);
+	broID->DescribeReSTShort(&desc);
+
+	fprintf(file, "%s", desc.Description());
+
+	std::list<std::string>::const_iterator it;
+
+	for ( it = short_desc.begin(); it != short_desc.end(); ++it )
+		{
+		int start_col;
+
+		if ( it == short_desc.begin() )
+			start_col = max_col - desc.Len() + 1;
+		else
+			{
+			start_col = max_col + 1;
+			fprintf(file, "\n");
+			}
+
+		for ( int i = 0; i < start_col; ++i )
+			fprintf(file, " ");
+
+		fprintf(file, "%s", it->c_str());
+		}
+	}
+
+int BroDocObj::LongestShortDescLen() const
+	{
+	size_t max = 0;
+
+	std::list<std::string>::const_iterator it;
+
+	for ( it = short_desc.begin(); it != short_desc.end(); ++it )
+		{
+		if ( it->size() > max )
+			max = it->size();
+		}
+
+	return max;
+	}
+
+void BroDocObj::FormulateShortDesc()
+	{
+	if ( ! reST_doc_strings )
+		return;
+
+	short_desc.clear();
+	std::list<std::string>::const_iterator it;
+
+	for ( it = reST_doc_strings->begin();
+		it != reST_doc_strings->end(); ++it )
+		{
+		// The short description stops at the first sentence or the
+		// first empty comment.
+		size_t end = it->find_first_of(".");
+
+		if ( end == string::npos )
+			{
+			std::string::const_iterator s;
+			bool empty = true;
+
+			for ( s = it->begin(); s != it->end(); ++s )
+				{
+				if ( *s != ' ' && *s != '\t' && *s != '\n' && *s != '\r' )
+					{
+					empty = false;
+					short_desc.push_back(*it);
+					break;
+					}
+				}
+			
+			if ( empty )
+				break;
+			}
+		else
+			{
+			short_desc.push_back(it->substr(0, end + 1));
+			break;
+			}
+		}
+	}
+
+void BroDocObj::WriteReST(FILE* file) const
+	{
+	int indent_spaces = 3;
+	ODesc desc;
+	desc.SetIndentSpaces(indent_spaces);
+	desc.SetQuotes(1);
+
+	broID->DescribeReST(&desc, use_role);
+
+	fprintf(file, "%s", desc.Description());
+
+	if ( HasDocumentation() )
+		{
+		fprintf(file, "\n");
+		std::list<std::string>::const_iterator it;
+
+		for ( it = reST_doc_strings->begin();
+			it != reST_doc_strings->end(); ++it)
+			{
+			for ( int i = 0; i < indent_spaces; ++i )
+				fprintf(file, " ");
+
+			fprintf(file, "%s\n", it->c_str());
+			}
+		}
+
+	fprintf(file, "\n");
+	}
+
+int BroDocObj::ColumnSize() const
+	{
+	ODesc desc;
+	desc.SetQuotes(1);
+	broID->DescribeReSTShort(&desc);
+	return desc.Len();
+	}
+
+bool BroDocObj::IsPublicAPI() const
+	{
+	return (broID->Scope() == SCOPE_GLOBAL) ||
+		(broID->Scope() == SCOPE_MODULE && broID->IsExport());
+	}
+
+void BroDocObj::Combine(const BroDocObj* o)
+	{
+	if ( o->reST_doc_strings )
+		{
+		if ( ! reST_doc_strings )
+			reST_doc_strings = new std::list<std::string>();
+
+		reST_doc_strings->splice(reST_doc_strings->end(),
+			*(o->reST_doc_strings));
+		}
+
+	delete o;
+	FormulateShortDesc();
+	}
diff --git a/src/BroDocObj.h b/src/BroDocObj.h
new file mode 100644
index 0000000000..cb512f8cda
--- /dev/null
+++ b/src/BroDocObj.h
@@ -0,0 +1,137 @@
+#ifndef brodocobj_h
+#define brodocobj_h
+
+#include <cstdio>
+#include <string>
+#include <list>
+
+#include "ID.h"
+
+/**
+ * This class wraps a Bro script identifier, providing methods relevant
+ * to automatic generation of reStructuredText (reST) documentation for it.
+ */
+class BroDocObj {
+public:
+	/**
+	 * BroDocObj constructor
+	 * @param id a pointer to an identifier that is to be documented
+	 * @param reST a reference to a pointer of a list of strings that
+	 *        represent the reST documentation for the ID.  The pointer
+	 *        will be set to 0 after this constructor finishes.
+	 * @param is_fake whether the ID* is a dummy just for doc purposes
+	 */
+	BroDocObj(const ID* id, std::list<std::string>*& reST,
+			bool is_fake = false);
+
+	/**
+	 * BroDocObj destructor
+	 * Deallocates the memory associated with the list of reST strings
+	 */
+	~BroDocObj();
+
+	/**
+	 * Writes the reST representation of this object which includes
+	 * 1) a reST friendly description of the ID
+	 * 2) "##" or "##<" stylized comments.
+	 *    Anything after these style of comments is inserted as-is into
+	 *    the reST document.
+	 * @param file The (already opened) file to write the reST to.
+	 */
+	void WriteReST(FILE* file) const;
+
+	/**
+	 * Writes a compact version of the ID and associated documentation
+	 * for insertion into a table.
+	 * @param file The (already opened) file to write the reST to.
+	 * @param max_col The maximum length of the first table column
+	 */
+	void WriteReSTCompact(FILE* file, int max_col) const;
+
+	/**
+	 * @return the column size required by the reST representation of the ID
+	 */
+	int ColumnSize() const;
+
+	/**
+	 * Check whether this documentation is part of the public API.  In
+	 * other words, this means that the identifier is declared as part of
+	 * the global scope (has GLOBAL namespace or is exported from another
+	 * namespace).
+	 * @return true if the identifier is part of the script's public API
+	 */
+	bool IsPublicAPI() const;
+
+	/**
+	 * Return whether this object has documentation (## comments)
+	 * @return true if the ID has comments associated with it
+	 */
+	bool HasDocumentation() const
+		{
+		return reST_doc_strings && reST_doc_strings->size() > 0;
+		}
+
+	/**
+	 * @return whether this object will use reST role (T) or directive (F)
+	 * notation for the wrapped identifier.  Roles are usually used
+	 * for cross-referencing.
+	 */
+	bool UseRole() const	{ return use_role; }
+
+	/**
+	 * @param b whether this object will use reST role (T) or directive (F)
+	 * notation for the wrapped identifier.  Roles are usually used
+	 * for cross-referencing.
+	 */
+	void SetRole(bool b)	{ use_role = b; }
+
+	/**
+	 * Append any reST documentation strings in a given BroDocObj to this
+	 * object's list and then delete the given BroDocObj
+	 * @param o a pointer to a BroDocObj to subsume
+	 */
+	void Combine(const BroDocObj* o);
+
+	/**
+	 * @return the name of the wrapped identifier
+	 */
+	const char* Name() const	{ return broID->Name(); }
+
+	/**
+	 * @return the longest string element of the short description's list of
+	 *         strings
+	 */
+	int LongestShortDescLen() const;
+
+	/**
+	 * Adds a reST documentation string to this BroDocObj's list.
+	 * @param s the documentation string to append.
+	 */
+	void AddDocString(const std::string& s)
+		{
+		if ( ! reST_doc_strings )
+			reST_doc_strings = new std::list<std::string>();
+		reST_doc_strings->push_back(s);
+		FormulateShortDesc();
+		}
+
+	static BroDocObj* last;
+
+protected:
+	std::list<std::string>* reST_doc_strings;
+	std::list<std::string> short_desc;
+	const ID* broID;
+	bool is_fake_id; /**< Whether the ID* is a dummy just for doc purposes */
+	bool use_role; /**< Whether to use a reST role or directive for the ID */
+
+	/**
+	 * Set the short_desc member to be a subset of reST_doc_strings.
+	 * Specifically, short_desc will be everything in reST_doc_strings
+	 * up until the first period or first empty string list element found.
+	 */
+	void FormulateShortDesc();
+
+private:
+};
+
+#endif
diff --git a/src/BroList.h b/src/BroList.h
index b71615a18a..6168bf7bda 100644
--- a/src/BroList.h
+++ b/src/BroList.h
@@ -1,5 +1,3 @@
-// $Id: BroList.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef brolist_h
diff --git a/src/BroString.cc b/src/BroString.cc
index 08c724f5f2..e05995b156 100644
--- a/src/BroString.cc
+++ b/src/BroString.cc
@@ -1,5 +1,3 @@
-// $Id: BroString.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -7,8 +5,11 @@
 #include <algorithm>
 #include <ctype.h>
 
+#include <algorithm>
+
 #include "BroString.h"
 #include "Var.h"
+#include "Reporter.h"
 
 #ifdef DEBUG
 #define DEBUG_STR(msg) DBG_LOG(DBG_STRING, msg)
@@ -173,9 +174,9 @@ const char* BroString::CheckString() const
 		// Either an embedded NUL, or no final NUL.
 		char* exp_s = Render();
 		if ( b[n-1] != '\0' )
-			run_time("string without NUL terminator: \"%s\"", exp_s);
+			reporter->Error("string without NUL terminator: \"%s\"", exp_s);
 		else
-			run_time("string with embedded NUL: \"%s\"", exp_s);
+			reporter->Error("string with embedded NUL: \"%s\"", exp_s);
 
 		delete [] exp_s;
 		return "<string-with-NUL>";
diff --git a/src/BroString.h b/src/BroString.h
index 48471cb99e..58991d78af 100644
--- a/src/BroString.h
+++ b/src/BroString.h
@@ -1,5 +1,3 @@
-// $Id: BroString.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef brostring_h
diff --git a/src/Brofiler.cc b/src/Brofiler.cc
new file mode 100644
index 0000000000..783d027761
--- /dev/null
+++ b/src/Brofiler.cc
@@ -0,0 +1,84 @@
+#include <cstdio>
+#include <utility>
+#include <algorithm>
+#include "Brofiler.h"
+#include "util.h"
+
+Brofiler::Brofiler()
+	: ignoring(0), delim('\t')
+	{
+	}
+
+Brofiler::~Brofiler()
+	{
+	}
+
+bool Brofiler::ReadStats()
+	{
+	char* bf = getenv("BRO_PROFILER_FILE");
+	if ( ! bf )
+		return false;
+
+	FILE* f = fopen(bf, "r");
+	if ( ! f )
+		return false;
+
+	char line[16384];
+	string delimiter;
+	delimiter = delim;
+
+	while( fgets(line, sizeof(line), f) )
+		{
+		line[strlen(line) - 1] = 0; //remove newline
+		string cnt(strtok(line, delimiter.c_str()));
+		string location(strtok(0, delimiter.c_str()));
+		string desc(strtok(0, delimiter.c_str()));
+		pair<string, string> location_desc(location, desc);
+		uint64 count;
+		atoi_n(cnt.size(), cnt.c_str(), 0, 10, count);
+		usage_map[location_desc] = count;
+		}
+
+	fclose(f);
+	return true;
+	}
+
+bool Brofiler::WriteStats()
+	{
+	char* bf = getenv("BRO_PROFILER_FILE");
+	if ( ! bf ) return false;
+
+	FILE* f = fopen(bf, "w");
+	if ( ! f )
+		{
+		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing\n", bf);
+		return false;
+		}
+
+	for ( list<const Stmt*>::const_iterator it = stmts.begin();
+	      it != stmts.end(); ++it )
+		{
+		ODesc location_info;
+		(*it)->GetLocationInfo()->Describe(&location_info);
+		ODesc desc_info;
+		(*it)->Describe(&desc_info);
+		string desc(desc_info.Description());
+		for_each(desc.begin(), desc.end(), canonicalize_desc());
+		pair<string, string> location_desc(location_info.Description(), desc);
+		if ( usage_map.find(location_desc) != usage_map.end() )
+			usage_map[location_desc] += (*it)->GetAccessCount();
+		else
+			usage_map[location_desc] = (*it)->GetAccessCount();
+		}
+
+	map<pair<string, string>, uint64 >::const_iterator it;
+	for ( it = usage_map.begin(); it != usage_map.end(); ++it )
+		{
+		fprintf(f, "%"PRIu64"%c%s%c%s\n", it->second, delim,
+				it->first.first.c_str(), delim, it->first.second.c_str());
+		}
+
+	fclose(f);
+	return true;
+	}
+
diff --git a/src/Brofiler.h b/src/Brofiler.h
new file mode 100644
index 0000000000..edbe1e932c
--- /dev/null
+++ b/src/Brofiler.h
@@ -0,0 +1,79 @@
+#ifndef BROFILER_H_
+#define BROFILER_H_
+
+#include <map>
+#include <utility>
+#include <list>
+#include <Stmt.h>
+
+
+/**
+ * A simple class for managing stats of Bro script coverage across Bro runs.
+ */
+class Brofiler {
+public:
+	Brofiler();
+	virtual ~Brofiler();
+
+	/**
+	 * Imports Bro script Stmt usage information from file pointed to by
+	 * environment variable BRO_PROFILER_FILE.
+	 *
+	 * @return: true if usage info was read, otherwise false.
+	 */
+	bool ReadStats();
+
+	/**
+	 * Combines usage stats from current run with any read from ReadStats(),
+	 * then writes information to file pointed to by environment variable
+	 * BRO_PROFILER_FILE.
+	 *
+	 * @return: true when usage info is written, otherwise false.
+	 */
+	bool WriteStats();
+
+	void SetDelim(char d) { delim = d; }
+
+	void IncIgnoreDepth() { ignoring++; }
+	void DecIgnoreDepth() { ignoring--; }
+
+	void AddStmt(const Stmt* s) { if ( ignoring == 0 ) stmts.push_back(s); }
+
+private:
+	/**
+	 * The current, global Brofiler instance creates this list at parse-time.
+	 */
+	list<const Stmt*> stmts;
+
+	/**
+	 * Indicates whether new statments will not be considered as part of
+	 * coverage statistics because it was marked with the @no-test tag.
+	 */
+	unsigned int ignoring;
+
+	/**
+	 * This maps Stmt location-desc pairs to the total number of times that
+	 * Stmt has been executed.  The map can be initialized from a file at
+	 * startup time and modified at shutdown time before writing back
+	 * to a file.
+	 */
+	map<pair<string, string>, uint64> usage_map;
+
+	/**
+	 * The character to use to delimit Brofiler output files.  Default is '\t'.
+	 */
+	char delim;
+
+	/**
+	 * A canonicalization routine for Stmt descriptions containing characters
+	 * that don't agree with the output format of Brofiler.
+	 */
+	struct canonicalize_desc {
+		void operator() (char& c)
+			{
+			if ( c == '\n' ) c = ' ';
+			}
+	};
+};
+
+#endif /* BROFILER_H_ */
diff --git a/src/CCL.cc b/src/CCL.cc
index 326dcc7320..6c4ec5ea2e 100644
--- a/src/CCL.cc
+++ b/src/CCL.cc
@@ -1,5 +1,3 @@
-// $Id: CCL.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/CCL.h b/src/CCL.h
index 760e64b6f9..2870acf53a 100644
--- a/src/CCL.h
+++ b/src/CCL.h
@@ -1,5 +1,3 @@
-// $Id: CCL.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ccl_h
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 81ed0d81af..0e29082db3 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,4 +1,5 @@
-include_directories(${CMAKE_CURRENT_SOURCE_DIR}
+include_directories(BEFORE
+                    ${CMAKE_CURRENT_SOURCE_DIR}
                     ${CMAKE_CURRENT_BINARY_DIR}
 )
 
@@ -81,9 +82,14 @@ flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
 ## bifcl (BIF compiler) target
 
 set(bifcl_SRCS
+   ${BISON_BIFParser_INPUT}
+   ${FLEX_BIFScanner_INPUT}
    ${BISON_BIFParser_OUTPUTS}
    ${FLEX_BIFScanner_OUTPUTS}
    bif_arg.cc
+   module_util.cc
+   bif_arg.h
+   module_util.h
 )
 
 add_executable(bifcl ${bifcl_SRCS})
@@ -101,20 +107,29 @@ macro(BIF_TARGET bifInput)
     get_bif_output_files(${bifInput} bifOutputs)
     add_custom_command(OUTPUT ${bifOutputs}
                        COMMAND bifcl
-                       ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} 
+                       ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1)
+                       # In order be able to run bro from the build directory,
+                       # the generated bro script needs to be inside a
+                       # a directory tree named the same way it will be
+                       # referenced from an @load.
+                       COMMAND "${CMAKE_COMMAND}"
+                       ARGS -E copy ${bifInput}.bro base/${bifInput}.bro
+                       COMMAND "${CMAKE_COMMAND}"
+                       ARGS -E remove -f ${bifInput}.bro
                        DEPENDS ${bifInput}
+                       DEPENDS bifcl
                        COMMENT "[BIFCL] Processing ${bifInput}"
     )
     list(APPEND ALL_BIF_OUTPUTS ${bifOutputs})
     list(APPEND INSTALL_BIF_OUTPUTS
-         ${CMAKE_CURRENT_BINARY_DIR}/${bifInput}.bro)
+         ${CMAKE_CURRENT_BINARY_DIR}/base/${bifInput}.bro)
 endmacro(BIF_TARGET)
 
 # returns a list of output files that bifcl will produce
 # for given input file in ${outputFileVar}
 macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar)
     set(${outputFileVar}
-        ${inputFile}.bro
+        base/${inputFile}.bro
         ${inputFile}.func_def
         ${inputFile}.func_h
         ${inputFile}.func_init
@@ -126,17 +141,12 @@ endmacro(GET_BIF_OUTPUT_FILES)
 
 set(BIF_SRCS
     bro.bif
+    logging.bif
     event.bif
     const.bif
-    common-rw.bif
-    finger-rw.bif
-    ident-rw.bif
-    dns-rw.bif
-    ftp-rw.bif
-    smtp-rw.bif
-    http-rw.bif
+    types.bif
     strings.bif
-    smb-rw.bif
+    reporter.bif
 )
 
 foreach (bift ${BIF_SRCS})
@@ -155,18 +165,20 @@ set(BINPAC_AUXSRC
 # A macro to define a command that uses the BinPac compiler to
 # produce C++ code that implements a protocol parser/analyzer
 # The outputs of the command are appended to list ALL_BINPAC_OUTPUTS
+# All arguments to this macro are appended to list ALL_BINPAC_INPUTS
 macro(BINPAC_TARGET pacFile)
     get_filename_component(basename ${pacFile} NAME_WE)
     add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
                               ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc
                        COMMAND ${BinPAC_EXE}
-                       ARGS -d ${CMAKE_CURRENT_BINARY_DIR}
+                       ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
                             -I ${CMAKE_CURRENT_SOURCE_DIR}
                             ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
                        DEPENDS ${BinPAC_EXE} ${pacFile}
                                ${BINPAC_AUXSRC} ${ARGN}
                        COMMENT "[BINPAC] Processing ${pacFile}"
     )
+    list(APPEND ALL_BINPAC_INPUTS ${ARGV})
     list(APPEND ALL_BINPAC_OUTPUTS
          ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
          ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc) 
@@ -177,9 +189,9 @@ binpac_target(binpac_bro-lib.pac)
 binpac_target(bittorrent.pac
     bittorrent-protocol.pac bittorrent-analyzer.pac)
 binpac_target(dce_rpc.pac
-    dce_rpc-protocol.pac dce_rpc-analyzer.pac)
+    dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
 binpac_target(dce_rpc_simple.pac
-    dce_rpc-protocol.pac)
+    dce_rpc-protocol.pac epmapper.pac)
 binpac_target(dhcp.pac
     dhcp-protocol.pac dhcp-analyzer.pac)
 binpac_target(dns.pac
@@ -191,18 +203,35 @@ binpac_target(http.pac
 binpac_target(ncp.pac)
 binpac_target(netflow.pac
     netflow-protocol.pac netflow-analyzer.pac)
-binpac_target(rpc.pac
-    rpc-analyzer.pac portmap-analyzer.pac)
 binpac_target(smb.pac
     smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
 binpac_target(ssl.pac
     ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac)
-binpac_target(ssl-record-layer.pac
-    ssl-defs.pac ssl.pac)
+binpac_target(syslog.pac
+    syslog-protocol.pac syslog-analyzer.pac)
 
 ########################################################################
 ## bro target
 
+# This macro stores associated headers for any C/C++ source files given
+# as arguments (past _var) as a list in the CMake variable named "_var".
+macro(COLLECT_HEADERS _var)
+    foreach (src ${ARGN})
+        get_filename_component(ext ${src} EXT)
+        if (${ext} STREQUAL ".cc" OR ${ext} STREQUAL ".c")
+            get_filename_component(base ${src} NAME_WE)
+            get_filename_component(dir ${src} PATH)
+            if (NOT "${dir}")
+                set(dir ${CMAKE_CURRENT_SOURCE_DIR})
+            endif ()
+            set(header "${dir}/${base}.h")
+            if (EXISTS ${header})
+                list(APPEND ${_var} ${header})
+            endif ()
+        endif ()
+    endforeach ()
+endmacro(COLLECT_HEADERS _var)
+
 # define a command that's used to run the make_dbg_constants.pl script
 # building the bro binary depends on the outputs of this script
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
@@ -216,28 +245,32 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
                    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
 )
 
-set(dns_SRCS nb_dns.c nb_dns.h)
-
-set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
-                 SSLv2.cc SSLv3.cc SSLv3Automaton.cc)
-
-if (USE_NMALLOC)
-    set(malloc_SRCS malloc.c)
-endif ()
+set(dns_SRCS nb_dns.c)
+set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS
+                            -fno-strict-aliasing)
 
 set(bro_SRCS
     ${CMAKE_CURRENT_BINARY_DIR}/version.c
+    ${BIF_SRCS}
     ${ALL_BIF_OUTPUTS}
+    ${BINPAC_AUXSRC}
+    ${ALL_BINPAC_INPUTS}
     ${ALL_BINPAC_OUTPUTS}
     ${TRANSFORMED_BISON_OUTPUTS}
     ${FLEX_RuleScanner_OUTPUTS}
+    ${FLEX_RuleScanner_INPUT}
+    ${BISON_RuleParser_INPUT}
     ${FLEX_REScanner_OUTPUTS}
+    ${FLEX_REScanner_INPUT}
+    ${BISON_REParser_INPUT}
     ${FLEX_Scanner_OUTPUTS}
+    ${FLEX_Scanner_INPUT}
+    ${BISON_Parser_INPUT}
     ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
     main.cc
     net_util.cc
     util.cc
-    Active.cc
+    module_util.cc
     Analyzer.cc
     Anon.cc
     ARP.cc
@@ -247,12 +280,16 @@ set(bro_SRCS
     BitTorrent.cc
     BitTorrentTracker.cc
     BPF_Program.cc
+    BroDoc.cc
+    BroDocObj.cc
+    Brofiler.cc
     BroString.cc
     CCL.cc
     ChunkedIO.cc
     CompHash.cc
     Conn.cc
     ConnCompressor.cc
+    ConnSizeAnalyzer.cc
     ContentLine.cc
     DCE_RPC.cc
     DFA.cc
@@ -296,7 +333,11 @@ set(bro_SRCS
     IOSource.cc
     IRC.cc
     List.cc
-    Logger.cc
+    Reporter.cc
+    LogMgr.cc
+    LogWriter.cc
+    LogWriterAscii.cc
+    LogWriterNone.cc
     Login.cc
     MIME.cc
     NCP.cc
@@ -320,6 +361,7 @@ set(bro_SRCS
     PrefixTable.cc
     PriorityQueue.cc
     Queue.cc
+    RandTest.cc
     RE.cc
     RPC.cc
     Reassem.cc
@@ -345,15 +387,14 @@ set(bro_SRCS
     Stats.cc
     SteppingStone.cc
     Stmt.cc
+    Syslog-binpac.cc
     TCP.cc
     TCP_Endpoint.cc
     TCP_Reassembler.cc
-    TCP_Rewriter.cc
     Telnet.cc
     Timer.cc
     Traverse.cc
     Trigger.cc
-    TwoWise.cc
     Type.cc
     UDP.cc
     Val.cc
@@ -365,32 +406,25 @@ set(bro_SRCS
     md5.c
     patricia.c
     setsignal.c
-    UDP_Rewriter.cc
-    DNS_Rewriter.cc
     PacketDumper.cc
-    Rewriter.cc
     strsep.c
+    modp_numtoa.c
     ${dns_SRCS}
-    ${malloc_SRCS}
     ${openssl_SRCS}
 )
 
-add_definitions(-DPOLICYDEST="${POLICYDIR}")
+collect_headers(bro_HEADERS ${bro_SRCS})
 
-add_executable(bro ${bro_SRCS})
+add_definitions(-DBRO_SCRIPT_INSTALL_PATH="${BRO_SCRIPT_INSTALL_PATH}")
+add_definitions(-DBRO_SCRIPT_SOURCE_PATH="${BRO_SCRIPT_SOURCE_PATH}")
+add_definitions(-DBRO_BUILD_PATH="${CMAKE_CURRENT_BINARY_DIR}")
 
-set(brolibs
-    ${BinPAC_LIBRARY}
-    ${PCAP_LIBRARY}
-    ${OpenSSL_LIBRARIES}
-    ${BIND_LIBRARY}
-    ${OPTLIBS}
-)
+add_executable(bro ${bro_SRCS} ${bro_HEADERS})
 
-target_link_libraries(bro ${brolibs})
+target_link_libraries(bro ${brodeps})
 
 install(TARGETS bro DESTINATION bin)
-install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${POLICYDIR})
+install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base)
 
 set(BRO_EXE bro
     CACHE STRING "Bro executable binary" FORCE)
diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
index 0db5675766..f5bcb4b7c1 100644
--- a/src/ChunkedIO.cc
+++ b/src/ChunkedIO.cc
@@ -1,5 +1,3 @@
-// $Id: ChunkedIO.cc 6888 2009-08-20 18:23:11Z vern $
-
 #include <unistd.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -9,6 +7,8 @@
 #include <assert.h>
 #include <openssl/ssl.h>
 
+#include <algorithm>
+
 #include "config.h"
 #include "ChunkedIO.h"
 #include "NetVar.h"
@@ -140,7 +140,7 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 	{
 #ifdef DEBUG
 	DBG_LOG(DBG_CHUNKEDIO, "write of size %d [%s]",
-		chunk->len, fmt_bytes(chunk->data, min(20, chunk->len)));
+		chunk->len, fmt_bytes(chunk->data, min((uint32)20, chunk->len)));
 #endif
 
 	// Reject if our queue of pending chunks is way too large. Otherwise,
@@ -166,13 +166,13 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 
 	// We have to split it up.
 	char* p = chunk->data;
-	unsigned long left = chunk->len;
+	uint32 left = chunk->len;
 
 	while ( left )
 		{
 		Chunk* part = new Chunk;
 
-		part->len = min(BUFFER_SIZE - sizeof(uint32), left);
+		part->len = min<uint32>(BUFFER_SIZE - sizeof(uint32), left);
 		part->data = new char[part->len];
 		memcpy(part->data, p, part->len);
 		left -= part->len;
@@ -193,7 +193,7 @@ bool ChunkedIOFd::WriteChunk(Chunk* chunk, bool partial)
 	assert(chunk->len <= BUFFER_SIZE - sizeof(uint32) );
 
 	if ( chunk->len == 0 )
-		internal_error( "attempt to write 0 bytes chunk");
+		InternalError("attempt to write 0 bytes chunk");
 
 	if ( partial )
 		chunk->len |= FLAG_PARTIAL;
@@ -283,7 +283,7 @@ bool ChunkedIOFd::FlushWriteBuffer()
 			}
 
 		if ( written == 0 )
-			internal_error("written==0");
+			InternalError("written==0");
 
 		// Short write.
 		write_pos += written;
@@ -427,7 +427,7 @@ bool ChunkedIOFd::Read(Chunk** chunk, bool may_block)
 				(*chunk)->len & ~FLAG_PARTIAL,
 				(*chunk)->len & FLAG_PARTIAL ? "(P) " : "",
 				fmt_bytes((*chunk)->data,
-						min(20, (*chunk)->len)));
+						min((uint32)20, (*chunk)->len)));
 #endif
 
 	if ( ! ((*chunk)->len & FLAG_PARTIAL) )
@@ -904,7 +904,7 @@ bool ChunkedIOSSL::WriteData(char* p, uint32 len, bool* error)
 			return false;
 	}
 
-	internal_error("can't be reached");
+	InternalError("can't be reached");
 	return false;
 	}
 
@@ -1024,7 +1024,7 @@ bool ChunkedIOSSL::ReadData(char* p, uint32 len, bool* error)
 		}
 
 	// Can't be reached.
-	internal_error("can't be reached");
+	InternalError("can't be reached");
 	return false;
 	}
 
@@ -1170,8 +1170,6 @@ void ChunkedIOSSL::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 
-#ifdef HAVE_LIBZ
-
 bool CompressedChunkedIO::Init()
 	{
 	zin.zalloc = 0;
@@ -1348,5 +1346,3 @@ void CompressedChunkedIO::Stats(char* buffer, int length)
 	io->Stats(buffer + i, length - i);
 	buffer[length-1] = '\0';
 	}
-
-#endif	/* HAVE_LIBZ */
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
index 516f0f7ddc..56b5656945 100644
--- a/src/ChunkedIO.h
+++ b/src/ChunkedIO.h
@@ -1,5 +1,3 @@
-// $Id: ChunkedIO.h 6888 2009-08-20 18:23:11Z vern $
-//
 // Implements non-blocking chunk-wise I/O.
 
 #ifndef CHUNKEDIO_H
@@ -120,6 +118,11 @@ public:
 #endif
 
 protected:
+	void InternalError(const char* msg)
+		// We can't use the reporter here as we might be running in a
+		// sub-process.
+		{ fprintf(stderr, "%s", msg); abort(); }
+
 	Statistics stats;
 	const char* tag;
 
@@ -284,8 +287,6 @@ private:
 	static SSL_CTX* ctx;
 };
 
-#ifdef HAVE_LIBZ
-
 #include <zlib.h>
 
 // Wrapper class around a another ChunkedIO which the (un-)compresses data.
@@ -332,6 +333,4 @@ protected:
 	unsigned long uncompressed_bytes_written;
 };
 
-#endif	/* HAVE_LIBZ */
-
 #endif
diff --git a/src/CompHash.cc b/src/CompHash.cc
index 2e0870303c..545d3ed8e4 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -1,11 +1,11 @@
-// $Id: CompHash.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
 
 #include "CompHash.h"
 #include "Val.h"
+#include "Reporter.h"
+#include "Func.h"
 
 CompositeHash::CompositeHash(TypeList* composite_type)
 	{
@@ -46,7 +46,7 @@ CompositeHash::CompositeHash(TypeList* composite_type)
 
 	else
 		{
-		size = ComputeKeySize();
+		size = ComputeKeySize(0, 1, true);
 
 		if ( size > 0 )
 			// Fixed size.  Make sure what we get is fully aligned.
@@ -65,11 +65,22 @@ CompositeHash::~CompositeHash()
 
 // Computes the piece of the hash for Val*, returning the new kp.
 char* CompositeHash::SingleValHash(int type_check, char* kp0,
-					BroType* bt, Val* v) const
+				   BroType* bt, Val* v, bool optional) const
 	{
 	char* kp1 = 0;
 	InternalTypeTag t = bt->InternalType();
 
+	if ( optional )
+		{
+		// Add a marker saying whether the optional field is set.
+		char* kp = AlignAndPadType<char>(kp0);
+		*kp = ( v ? 1 : 0);
+		kp0 = reinterpret_cast<char*>(kp+1);
+
+		if ( ! v ) 
+			return kp0;
+		}
+
 	if ( type_check )
 		{
 		InternalTypeTag vt = v->Type()->InternalType();
@@ -144,43 +155,120 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 	case TYPE_INTERNAL_VOID:
 	case TYPE_INTERNAL_OTHER:
 		{
-		if ( v->Type()->Tag() == TYPE_FUNC )
+		switch ( v->Type()->Tag() ) {
+		case TYPE_FUNC:
 			{
-			Val** kp = AlignAndPadType<Val*>(kp0);
-			v->Ref();
-			// Ref((BroObj*) v->AsFunc());
-			*kp = v;
+			uint32* kp = AlignAndPadType<uint32>(kp0);
+			*kp = v->AsFunc()->GetUniqueFuncID();
 			kp1 = reinterpret_cast<char*>(kp+1);
+			break;
 			}
 
-		else if ( v->Type()->Tag() == TYPE_RECORD )
+		case TYPE_RECORD:
 			{
 			char* kp = kp0;
 			RecordVal* rv = v->AsRecordVal();
-			RecordType* rt = v->Type()->AsRecordType();
+			RecordType* rt = bt->AsRecordType();
 			int num_fields = rt->NumFields();
 
 			for ( int i = 0; i < num_fields; ++i )
 				{
 				Val* rv_i = rv->Lookup(i);
-				if ( ! rv_i )
+
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
+				if ( ! (rv_i || optional) )
 					return 0;
 
 				if ( ! (kp = SingleValHash(type_check, kp,
 							   rt->FieldType(i),
-							   rv_i)) )
+							   rv_i, optional)) )
 					return 0;
 				}
 
 			kp1 = kp;
+			break;
 			}
-		else
+
+		case TYPE_TABLE:
 			{
-			internal_error("bad index type in CompositeHash::SingleValHash");
+			int* kp = AlignAndPadType<int>(kp0);
+			TableVal* tv = v->AsTableVal();
+			ListVal* lv = tv->ConvertToList();
+			*kp = tv->Size();
+			kp1 = reinterpret_cast<char*>(kp+1);
+			for ( int i = 0; i < tv->Size(); ++i )
+				{
+				Val* key = lv->Index(i);
+				if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key,
+				                            false)) )
+					return 0;
+
+				if ( ! v->Type()->IsSet() )
+					{
+					Val* val = tv->Lookup(key);
+					if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(),
+								    val, false)) )
+						return 0;
+					}
+				}
+			}
+			break;
+
+		case TYPE_VECTOR:
+			{
+			unsigned int* kp = AlignAndPadType<unsigned int>(kp0);
+			VectorVal* vv = v->AsVectorVal();
+			VectorType* vt = v->Type()->AsVectorType();
+			vector<Val*>* indices = v->AsVector();
+			*kp = vv->Size();
+			kp1 = reinterpret_cast<char*>(kp+1);
+			for ( unsigned int i = 0; i < vv->Size(); ++i )
+				{
+				Val* val = vv->Lookup(i);
+				unsigned int* kp = AlignAndPadType<unsigned int>(kp1);
+				*kp = i;
+				kp1 = reinterpret_cast<char*>(kp+1);
+				kp = AlignAndPadType<unsigned int>(kp1);
+				*kp = val ? 1 : 0;
+				kp1 = reinterpret_cast<char*>(kp+1);
+
+				if ( val )
+					{
+					if ( ! (kp1 = SingleValHash(type_check, kp1,
+					                            vt->YieldType(), val, false)) )
+						return 0;
+					}
+				}
+			}
+			break;
+
+		case TYPE_LIST:
+			{
+			int* kp = AlignAndPadType<int>(kp0);
+			ListVal* lv = v->AsListVal();
+			*kp = lv->Length();
+			kp1 = reinterpret_cast<char*>(kp+1);
+			for ( int i = 0; i < lv->Length(); ++i )
+				{
+				Val* v = lv->Index(i);
+				if ( ! (kp1 = SingleValHash(type_check, kp1, v->Type(), v,
+				                            false)) )
+					return 0;
+				}
+			}
+			break;
+
+		default:
+			{
+			reporter->InternalError("bad index type in CompositeHash::SingleValHash");
 			return 0;
 			}
 		}
-		break;
+
+		break; // case TYPE_INTERNAL_VOID/OTHER
+		}
 
 	case TYPE_INTERNAL_STRING:
 		{
@@ -228,7 +316,7 @@ HashKey* CompositeHash::ComputeHash(const Val* v, int type_check) const
 
 	if ( ! k )
 		{
-		int sz = ComputeKeySize(v, type_check);
+		int sz = ComputeKeySize(v, type_check, false);
 		if ( sz == 0 )
 			return 0;
 
@@ -248,7 +336,7 @@ HashKey* CompositeHash::ComputeHash(const Val* v, int type_check) const
 	char* kp = k;
 	loop_over_list(*tl, i)
 		{
-		kp = SingleValHash(type_check, kp, (*tl)[i], (*vl)[i]);
+		kp = SingleValHash(type_check, kp, (*tl)[i], (*vl)[i], false);
 		if ( ! kp )
 			return 0;
 		}
@@ -297,9 +385,9 @@ HashKey* CompositeHash::ComputeSingletonHash(const Val* v, int type_check) const
 	case TYPE_INTERNAL_VOID:
 	case TYPE_INTERNAL_OTHER:
 		if ( v->Type()->Tag() == TYPE_FUNC )
-			return new HashKey(v);
+			return new HashKey(v->AsFunc()->GetUniqueFuncID());
 
-		internal_error("bad index type in CompositeHash::ComputeSingletonHash");
+		reporter->InternalError("bad index type in CompositeHash::ComputeSingletonHash");
 		return 0;
 
 	case TYPE_INTERNAL_STRING:
@@ -309,16 +397,20 @@ HashKey* CompositeHash::ComputeSingletonHash(const Val* v, int type_check) const
 		return 0;
 
 	default:
-		internal_error("bad internal type in CompositeHash::ComputeSingletonHash");
+		reporter->InternalError("bad internal type in CompositeHash::ComputeSingletonHash");
 		return 0;
 	}
 	}
 
 int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
-					int type_check, int sz) const
+				     int type_check, int sz, bool optional,
+				     bool calc_static_size) const
 	{
 	InternalTypeTag t = bt->InternalType();
 
+	if ( optional )
+		sz = SizeAlign(sz, sizeof(char));
+
 	if ( type_check && v )
 		{
 		InternalTypeTag vt = v->Type()->InternalType();
@@ -358,10 +450,14 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 	case TYPE_INTERNAL_VOID:
 	case TYPE_INTERNAL_OTHER:
 		{
-		if ( bt->Tag() == TYPE_FUNC )
-			sz = SizeAlign(sz, sizeof(Val*));
+		switch ( bt->Tag() ) {
+		case TYPE_FUNC:
+			{
+			sz = SizeAlign(sz, sizeof(uint32));
+			break;
+			}
 
-		else if ( bt->Tag() == TYPE_RECORD )
+		case TYPE_RECORD:
 			{
 			const RecordVal* rv = v ? v->AsRecordVal() : 0;
 			RecordType* rt = bt->AsRecordType();
@@ -369,24 +465,95 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 
 			for ( int i = 0; i < num_fields; ++i )
 				{
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
 				sz = SingleTypeKeySize(rt->FieldType(i),
-							rv ? rv->Lookup(i) : 0,
-							type_check, sz);
+						       rv ? rv->Lookup(i) : 0,
+						       type_check, sz, optional,
+						       calc_static_size);
 				if ( ! sz )
 					return 0;
 				}
+
+			break;
 			}
-		else
+
+		case TYPE_TABLE:
 			{
-			internal_error("bad index type in CompositeHash::CompositeHash");
+			if ( ! v )
+				return (optional && ! calc_static_size) ? sz : 0;
+
+			sz = SizeAlign(sz, sizeof(int));
+			TableVal* tv = const_cast<TableVal*>(v->AsTableVal());
+			ListVal* lv = tv->ConvertToList();
+			for ( int i = 0; i < tv->Size(); ++i )
+				{
+				Val* key = lv->Index(i);
+				sz = SingleTypeKeySize(key->Type(), key, type_check, sz, false,
+				                       calc_static_size);
+				if ( ! sz ) return 0;
+				if ( ! bt->IsSet() )
+					{
+					Val* val = tv->Lookup(key);
+					sz = SingleTypeKeySize(val->Type(), val, type_check, sz,
+					                       false, calc_static_size);
+					if ( ! sz ) return 0;
+					}
+				}
+
+			break;
+			}
+
+		case TYPE_VECTOR:
+			{
+			if ( ! v )
+				return (optional && ! calc_static_size) ? sz : 0;
+
+			sz = SizeAlign(sz, sizeof(unsigned int));
+			VectorVal* vv = const_cast<VectorVal*>(v->AsVectorVal());
+			for ( unsigned int i = 0; i < vv->Size(); ++i )
+				{
+				Val* val = vv->Lookup(i);
+				sz = SizeAlign(sz, sizeof(unsigned int));
+				sz = SizeAlign(sz, sizeof(unsigned int));
+				if ( val )
+					sz = SingleTypeKeySize(bt->AsVectorType()->YieldType(),
+					                       val, type_check, sz, false,
+					                       calc_static_size);
+				if ( ! sz ) return 0;
+				}
+
+			break;
+			}
+
+		case TYPE_LIST:
+			{
+			sz = SizeAlign(sz, sizeof(int));
+			ListVal* lv = const_cast<ListVal*>(v->AsListVal());
+			for ( int i = 0; i < lv->Length(); ++i )
+				{
+				sz = SingleTypeKeySize(lv->Index(i)->Type(), lv->Index(i),
+				                       type_check, sz, false, calc_static_size);
+				if ( ! sz) return 0;
+				}
+
+			break;
+			}
+
+		default:
+			{
+			reporter->InternalError("bad index type in CompositeHash::CompositeHash");
 			return 0;
 			}
 		}
-		break;
+
+		break; // case TYPE_INTERNAL_VOID/OTHER
+		}
 
 	case TYPE_INTERNAL_STRING:
 		if ( ! v )
-			return 0;
+			return (optional && ! calc_static_size) ? sz : 0;
 
 		// Factor in length field.
 		sz = SizeAlign(sz, sizeof(int));
@@ -400,7 +567,7 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 	return sz;
 	}
 
-int CompositeHash::ComputeKeySize(const Val* v, int type_check) const
+int CompositeHash::ComputeKeySize(const Val* v, int type_check, bool calc_static_size) const
 	{
 	const type_list* tl = type->Types();
 	const val_list* vl = 0;
@@ -418,7 +585,7 @@ int CompositeHash::ComputeKeySize(const Val* v, int type_check) const
 	loop_over_list(*tl, i)
 		{
 		sz = SingleTypeKeySize((*tl)[i], v ? v->AsListVal()->Index(i) : 0,
-				       type_check, sz);
+				       type_check, sz, false, calc_static_size);
 		if ( ! sz )
 			return 0;
 		}
@@ -495,30 +662,41 @@ ListVal* CompositeHash::RecoverVals(const HashKey* k) const
 	loop_over_list(*tl, i)
 		{
 		Val* v;
-		kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v);
+		kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v, false);
 		ASSERT(v);
 		l->Append(v);
 		}
 
 	if ( kp != k_end )
-		internal_error("under-ran key in CompositeHash::DescribeKey");
+		reporter->InternalError("under-ran key in CompositeHash::DescribeKey %zd", k_end - kp);
 
 	return l;
 	}
 
 const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 					 const char* const k_end, BroType* t,
-					 Val*& pval) const
+					 Val*& pval, bool optional) const
 	{
 	// k->Size() == 0 for a single empty string.
 	if ( kp0 >= k_end && k->Size() > 0 )
-		internal_error("over-ran key in CompositeHash::RecoverVals");
+		reporter->InternalError("over-ran key in CompositeHash::RecoverVals");
 
 	TypeTag tag = t->Tag();
 	InternalTypeTag it = t->InternalType();
-
 	const char* kp1 = 0;
 
+	if ( optional )
+		{
+		const char* kp = AlignType<char>(kp0);
+		kp0 = kp1 = reinterpret_cast<const char*>(kp+1);
+
+		if ( ! *kp )
+			{
+			pval = 0;
+			return kp0;
+			}
+		}
+
 	switch ( it ) {
 	case TYPE_INTERNAL_INT:
 		{
@@ -548,7 +726,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 			break;
 
 		default:
-			internal_error("bad internal unsigned int in CompositeHash::RecoverOneVal()");
+			reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
 			pval = 0;
 			break;
 		}
@@ -582,12 +760,8 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 			pval = new AddrVal(addr_val);
 			break;
 
-		case TYPE_NET:
-			pval = new NetVal(addr_val);
-			break;
-
 		default:
-			internal_error("bad internal address in CompositeHash::RecoverOneVal()");
+			reporter->InternalError("bad internal address in CompositeHash::RecoverOneVal()");
 			pval = 0;
 			break;
 		}
@@ -608,35 +782,36 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 	case TYPE_INTERNAL_VOID:
 	case TYPE_INTERNAL_OTHER:
 		{
-		if ( t->Tag() == TYPE_FUNC )
+		switch ( t->Tag() ) {
+		case TYPE_FUNC:
 			{
-			Val* const * const kp = AlignType<Val*>(kp0);
+			const uint32* const kp = AlignType<uint32>(kp0);
 			kp1 = reinterpret_cast<const char*>(kp+1);
 
-			Val* v = *kp;
+			Func* f = Func::GetFuncPtrByID(*kp);
 
-			if ( ! v || ! v->Type() )
-				internal_error("bad aggregate Val in CompositeHash::RecoverOneVal()");
+			if ( ! f )
+				reporter->InternalError("failed to look up unique function id %" PRIu32 " in CompositeHash::RecoverOneVal()", *kp);
 
-			if ( t->Tag() != TYPE_FUNC &&
-			     // ### Maybe fix later, but may be fundamentally
-			     // un-checkable --US
-			     ! same_type(v->Type(), t) )
-				{
-				internal_error("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
-				}
+			pval = new Val(f);
+
+			if ( ! pval->Type() )
+				reporter->InternalError("bad aggregate Val in CompositeHash::RecoverOneVal()");
+
+			else if ( t->Tag() != TYPE_FUNC &&
+				  ! same_type(pval->Type(), t) )
+				// ### Maybe fix later, but may be fundamentally
+				// un-checkable --US
+				reporter->InternalError("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
 
 			// ### A crude approximation for now.
-			if ( t->Tag() == TYPE_FUNC &&
-			     v->Type()->Tag() != TYPE_FUNC )
-				{
-				internal_error("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
-				}
-
-			pval = v->Ref();
+			else if ( t->Tag() == TYPE_FUNC &&
+				  pval->Type()->Tag() != TYPE_FUNC )
+				reporter->InternalError("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
 			}
+			break;
 
-		else if ( t->Tag() == TYPE_RECORD )
+		case TYPE_RECORD:
 			{
 			const char* kp = kp0;
 			RecordType* rt = t->AsRecordType();
@@ -647,11 +822,15 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 			for ( i = 0; i < num_fields; ++i )
 				{
 				Val* v;
+
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
 				kp = RecoverOneVal(k, kp, k_end,
-				                   rt->FieldType(i), v);
-				if ( ! v )
+				                   rt->FieldType(i), v, optional);
+				if ( ! (v || optional) )
 					{
-					internal_error("didn't recover expected number of fields from HashKey");
+					reporter->InternalError("didn't recover expected number of fields from HashKey");
 					pval = 0;
 					break;
 					}
@@ -669,10 +848,90 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 			pval = rv;
 			kp1 = kp;
 			}
-		else
+			break;
+
+		case TYPE_TABLE:
 			{
-			internal_error("bad index type in CompositeHash::DescribeKey");
+			int n;
+			const int* const kp = AlignType<int>(kp0);
+			n = *kp;
+			kp1 = reinterpret_cast<const char*>(kp+1);
+			TableType* tt = t->AsTableType();
+			TableVal* tv = new TableVal(tt);
+			vector<Val*> keys, values;
+			for ( int i = 0; i < n; ++i )
+				{
+				Val* key;
+				kp1 = RecoverOneVal(k, kp1, k_end, tt->Indices(), key, false);
+				keys.push_back(key);
+				if ( ! t->IsSet() )
+					{
+					Val* value;
+					kp1 = RecoverOneVal(k, kp1, k_end, tt->YieldType(), value,
+					                    false);
+					values.push_back(value);
+					}
+				}
+
+			for ( int i = 0; i < n; ++i )
+				tv->Assign(keys[i], t->IsSet() ? 0 : values[i]);
+
+			pval = tv;
 			}
+			break;
+
+		case TYPE_VECTOR:
+			{
+			unsigned int n;
+			const unsigned int* kp = AlignType<unsigned int>(kp0);
+			n = *kp;
+			kp1 = reinterpret_cast<const char*>(kp+1);
+			VectorType* vt = t->AsVectorType();
+			VectorVal* vv = new VectorVal(vt);
+			for ( unsigned int i = 0; i < n; ++i )
+				{
+				kp = AlignType<unsigned int>(kp1);
+				unsigned int index = *kp;
+				kp1 = reinterpret_cast<const char*>(kp+1);
+				kp = AlignType<unsigned int>(kp1);
+				unsigned int have_val = *kp;
+				kp1 = reinterpret_cast<const char*>(kp+1);
+				Val* value = 0;
+				if ( have_val )
+					kp1 = RecoverOneVal(k, kp1, k_end, vt->YieldType(), value,
+					                    false);
+				vv->Assign(index, value, 0);
+				}
+
+			pval = vv;
+			}
+			break;
+
+		case TYPE_LIST:
+			{
+			int n;
+			const int* const kp = AlignType<int>(kp0);
+			n = *kp;
+			kp1 = reinterpret_cast<const char*>(kp+1);
+			TypeList* tl = t->AsTypeList();
+			ListVal* lv = new ListVal(TYPE_ANY);
+			for ( int i = 0; i < n; ++i )
+				{
+				Val* v;
+				BroType* it = (*tl->Types())[i];
+				kp1 = RecoverOneVal(k, kp1, k_end, it, v, false);
+				lv->Append(v);
+				}
+
+			pval = lv;
+			}
+			break;
+
+		default:
+			{
+			reporter->InternalError("bad index type in CompositeHash::DescribeKey");
+			}
+		}
 		}
 		break;
 
diff --git a/src/CompHash.h b/src/CompHash.h
index a0632e1bfe..1a02114358 100644
--- a/src/CompHash.h
+++ b/src/CompHash.h
@@ -1,5 +1,3 @@
-// $Id: CompHash.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef comphash_h
@@ -29,16 +27,16 @@ protected:
 
 	// Computes the piece of the hash for Val*, returning the new kp.
 	// Used as a helper for ComputeHash in the non-singleton case.
-	char* SingleValHash(int type_check, char* kp,
-				BroType* bt, Val* v) const;
+	char* SingleValHash(int type_check, char* kp, BroType* bt, Val* v,
+			    bool optional) const;
 
 	// Recovers just one Val of possibly many; called from RecoverVals.
 	// Upon return, pval will point to the recovered Val of type t.
-	// Returns and updated kp for the next Val.  Calls internal_error()
+	// Returns and updated kp for the next Val.  Calls reporter->InternalError()
 	// upon errors, so there is no return value for invalid input.
 	const char* RecoverOneVal(const HashKey* k,
 				  const char* kp, const char* const k_end,
-				  BroType* t, Val*& pval) const;
+				  BroType* t, Val*& pval, bool optional) const;
 
 	// Rounds the given pointer up to the nearest multiple of the
 	// given size, if not already a multiple.
@@ -74,10 +72,12 @@ protected:
 	// the value is computed for the particular list of values.
 	// Returns 0 if the key has an indeterminant size (if v not given),
 	// or if v doesn't match the index type (if given).
-	int ComputeKeySize(const Val* v = 0, int type_check = 1) const;
+	int ComputeKeySize(const Val* v, int type_check,
+			   bool calc_static_size) const;
 
 	int SingleTypeKeySize(BroType*, const Val*,
-				int type_check, int sz) const;
+			      int type_check, int sz, bool optional,
+			      bool calc_static_size) const;
 
 	TypeList* type;
 	char* key;	// space for composite key
diff --git a/src/Conn.cc b/src/Conn.cc
index 50afe41d0c..df59b1037a 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -1,5 +1,3 @@
-// $Id: Conn.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -11,7 +9,7 @@
 #include "Conn.h"
 #include "Event.h"
 #include "Sessions.h"
-#include "Logger.h"
+#include "Reporter.h"
 #include "Timer.h"
 #include "PIA.h"
 #include "binpac.h"
@@ -54,7 +52,7 @@ void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 ConnectionTimer::~ConnectionTimer()
 	{
 	if ( conn->RefCnt() < 1 )
-		internal_error("reference count inconsistency in ~ConnectionTimer");
+		reporter->InternalError("reference count inconsistency in ~ConnectionTimer");
 
 	conn->RemoveTimer(this);
 	Unref(conn);
@@ -72,7 +70,7 @@ void ConnectionTimer::Dispatch(double t, int is_expire)
 	(conn->*timer)(t);
 
 	if ( conn->RefCnt() < 1 )
-		internal_error("reference count inconsistency in ConnectionTimer::Dispatch");
+		reporter->InternalError("reference count inconsistency in ConnectionTimer::Dispatch");
 	}
 
 IMPLEMENT_SERIAL(ConnectionTimer, SER_CONNECTION_TIMER);
@@ -94,7 +92,7 @@ bool ConnectionTimer::DoSerialize(SerialInfo* info) const
 	else if ( timer == timer_func(&Connection::RemoveConnectionTimer) )
 		type = 4;
 	else
-		internal_error("unknown function in ConnectionTimer::DoSerialize()");
+		reporter->InternalError("unknown function in ConnectionTimer::DoSerialize()");
 
 	return conn->Serialize(info) && SERIALIZE(type) && SERIALIZE(do_expire);
 	}
@@ -152,7 +150,6 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 	proto = TRANSPORT_UNKNOWN;
 
 	conn_val = 0;
-	orig_endp = resp_endp = 0;
 	login_conn = 0;
 
 	is_active = 1;
@@ -182,6 +179,8 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 	TimerMgr::Tag* tag = current_iosrc->GetCurrentTag();
 	conn_timer_mgr = tag ? new TimerMgr::Tag(*tag) : 0;
 
+	uid = 0; // Will set later.
+
 	if ( conn_timer_mgr )
 		{
 		++external_connections;
@@ -196,7 +195,7 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 Connection::~Connection()
 	{
 	if ( ! finished )
-		internal_error("Done() not called before destruction of Connection");
+		reporter->InternalError("Done() not called before destruction of Connection");
 
 	CancelTimers();
 
@@ -346,30 +345,33 @@ RecordVal* Connection::BuildConnVal()
 		id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type));
 		id_val->Assign(2, new AddrVal(resp_addr));
 		id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type));
-		conn_val->Assign(0, id_val);
 
-		orig_endp = new RecordVal(endpoint);
+		RecordVal *orig_endp = new RecordVal(endpoint);
 		orig_endp->Assign(0, new Val(0, TYPE_COUNT));
 		orig_endp->Assign(1, new Val(0, TYPE_COUNT));
-		conn_val->Assign(1, orig_endp);
 
-		resp_endp = new RecordVal(endpoint);
+		RecordVal *resp_endp = new RecordVal(endpoint);
 		resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 		resp_endp->Assign(1, new Val(0, TYPE_COUNT));
-		conn_val->Assign(2, resp_endp);
 
-		// conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
+		conn_val->Assign(0, id_val);
+		conn_val->Assign(1, orig_endp);
+		conn_val->Assign(2, resp_endp);
+		// 3 and 4 are set below.
 		conn_val->Assign(5, new TableVal(string_set));	// service
 		conn_val->Assign(6, new StringVal(""));	// addl
 		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
 		conn_val->Assign(8, new StringVal(""));	// history
+
+		if ( ! uid )
+			uid = calculate_unique_id();
+
+		char tmp[20];
+		conn_val->Assign(9, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62)));
 		}
 
 	if ( root_analyzer )
-		{
-		root_analyzer->UpdateEndpointVal(orig_endp, 1);
-		root_analyzer->UpdateEndpointVal(resp_endp, 0);
-		}
+		root_analyzer->UpdateConnVal(conn_val);
 
 	conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
 	conn_val->Assign(4, new Val(last_time - start_time, TYPE_INTERVAL));
@@ -631,54 +633,10 @@ void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl)
 			a ? a->GetID() : 0, GetTimerMgr(), this);
 	}
 
-void Connection::Weird(const char* name)
-	{
-	weird = 1;
-	if ( conn_weird )
-		Event(conn_weird, 0, name);
-	else
-		fprintf(stderr, "%.06f weird: %s\n", network_time, name);
-	}
-
 void Connection::Weird(const char* name, const char* addl)
 	{
 	weird = 1;
-	if ( conn_weird_addl )
-		{
-		val_list* vl = new val_list(3);
-
-		vl->append(new StringVal(name));
-		vl->append(BuildConnVal());
-		vl->append(new StringVal(addl));
-
-		ConnectionEvent(conn_weird_addl, 0, vl);
-		}
-
-	else
-		fprintf(stderr, "%.06f weird: %s (%s)\n", network_time, name, addl);
-	}
-
-void Connection::Weird(const char* name, int addl_len, const char* addl)
-	{
-	weird = 1;
-	if ( conn_weird_addl )
-		{
-		val_list* vl = new val_list(3);
-
-		vl->append(new StringVal(name));
-		vl->append(BuildConnVal());
-		vl->append(new StringVal(addl_len, addl));
-
-		ConnectionEvent(conn_weird_addl, 0, vl);
-		}
-
-	else
-		{
-		fprintf(stderr, "%.06f weird: %s (", network_time, name);
-		for ( int i = 0; i < addl_len; ++i )
-			fputc(addl[i], stderr);
-		fprintf(stderr, ")\n");
-		}
+	reporter->Weird(this, name, addl ? addl : "");
 	}
 
 void Connection::AddTimer(timer_func timer, double t, int do_expire,
@@ -744,10 +702,6 @@ void Connection::FlipRoles()
 	resp_port = orig_port;
 	orig_port = tmp_port;
 
-	RecordVal* tmp_rc = resp_endp;
-	resp_endp = orig_endp;
-	orig_endp = tmp_rc;
-
 	Unref(conn_val);
 	conn_val = 0;
 
@@ -755,16 +709,6 @@ void Connection::FlipRoles()
 		root_analyzer->FlipRoles();
 	}
 
-int Connection::RewritingTrace()
-	{
-	return root_analyzer ? root_analyzer->RewritingTrace() : 0;
-	}
-
-Rewriter* Connection::TraceRewriter() const
-	{
-	return root_analyzer ? root_analyzer->TraceRewriter() : 0;
-	}
-
 unsigned int Connection::MemoryAllocation() const
 	{
 	return padded_sizeof(*this)
@@ -803,7 +747,7 @@ void Connection::Describe(ODesc* d) const
 			break;
 
 		case TRANSPORT_UNKNOWN:
-			internal_error("unknown transport in Connction::Describe()");
+			reporter->InternalError("unknown transport in Connction::Describe()");
 			break;
 		}
 
@@ -853,8 +797,6 @@ bool Connection::DoSerialize(SerialInfo* info) const
 			return false;
 
 	SERIALIZE_OPTIONAL(conn_val);
-	SERIALIZE_OPTIONAL(orig_endp);
-	SERIALIZE_OPTIONAL(resp_endp);
 
 	// FIXME: RuleEndpointState not yet serializable.
 	// FIXME: Analyzers not yet serializable.
@@ -918,10 +860,6 @@ bool Connection::DoUnserialize(UnserialInfo* info)
 
 	UNSERIALIZE_OPTIONAL(conn_val,
 			(RecordVal*) Val::Unserialize(info, connection_type));
-	UNSERIALIZE_OPTIONAL(orig_endp,
-			(RecordVal*) Val::Unserialize(info, endpoint));
-	UNSERIALIZE_OPTIONAL(resp_endp,
-			(RecordVal*) Val::Unserialize(info, endpoint));
 
 	int iproto;
 
diff --git a/src/Conn.h b/src/Conn.h
index bbe3c2b3f6..8e90d6a9c3 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -1,5 +1,3 @@
-// $Id: Conn.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef conn_h
@@ -23,7 +21,6 @@ class RuleHdrTest;
 class Specific_RE_Matcher;
 class TransportLayerAnalyzer;
 class RuleEndpointState;
-class Rewriter;
 
 typedef enum {
 	NUL_IN_LINE,
@@ -135,17 +132,6 @@ public:
 
 	TransportProto ConnTransport() const { return proto; }
 
-	// If we are rewriting the trace of the connection, then we do
-	// not record original packets. We are rewriting if at least one,
-	// then the analyzer is rewriting.
-	int RewritingTrace();
-
-	// If we are rewriting trace, we need a handle to the rewriter.
-	// Returns 0 if not rewriting.  (Note that if multiple analyzers
-	// want to rewrite, only one of them is returned.  It's undefined
-	// which one.)
-	Rewriter* TraceRewriter() const;
-
 	// True if we should record subsequent packets (either headers or
 	// in their entirety, depending on record_contents).  We still
 	// record subsequent SYN/FIN/RST, regardless of how this is set.
@@ -205,15 +191,13 @@ public:
 	// Raises a software_unparsed_version_found event.
 	int UnparsedVersionFoundEvent(const uint32* addr,
 			const char* full_descr, int len, Analyzer* analyzer);
-	
+
 	void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0);
 	void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0);
 	void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer,
 				val_list* vl);
 
-	void Weird(const char* name);
-	void Weird(const char* name, const char* addl);
-	void Weird(const char* name, int addl_len, const char* addl);
+	void Weird(const char* name, const char* addl = "");
 	bool DidWeird() const	{ return weird != 0; }
 
 	// Cancel all associated timers.
@@ -313,7 +297,10 @@ public:
 			::operator delete(((char*) ptr) - 4);
 		}
 
+	void SetUID(uint64 arg_uid)	 { uid = arg_uid; }
+
 protected:
+
 	Connection()	{ persistent = 0; }
 
 	// Add the given timer to expire at time t.  If do_expire
@@ -345,8 +332,6 @@ protected:
 	double start_time, last_time;
 	double inactivity_timeout;
 	RecordVal* conn_val;
-	RecordVal* orig_endp;
-	RecordVal* resp_endp;
 	LoginConn* login_conn;	// either nil, or this
 	int suppress_event;	// suppress certain events to once per conn.
 
@@ -370,6 +355,8 @@ protected:
 
 	TransportLayerAnalyzer* root_analyzer;
 	PIA* primary_PIA;
+
+	uint64 uid;	// Globally unique connection ID.
 };
 
 class ConnectionTimer : public Timer {
diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc
index f38c0dcb89..7a04cb4f0b 100644
--- a/src/ConnCompressor.cc
+++ b/src/ConnCompressor.cc
@@ -1,9 +1,8 @@
-// $Id: ConnCompressor.cc 7008 2010-03-25 02:42:20Z vern $
-
 #include <arpa/inet.h>
 
 #include "ConnCompressor.h"
 #include "Event.h"
+#include "ConnSizeAnalyzer.h"
 #include "net_util.h"
 
 // The basic model of the compressor is to wait for an answer before
@@ -46,8 +45,10 @@
 //   by the compressor. Matching would require significant additional state
 //   w/o being very helpful.
 //
-// - Trace rewriting doesn't work if the compressor is turned on (this is
-//   not a conceptual problem, but simply not implemented).
+// - If use_conn_size_analyzer is True, the reported counts for bytes and
+//   packets may not account for some packets/data that is part of those
+//   packets which the connection compressor handles. The error, if any, will
+//   however be small.
 
 
 #ifdef DEBUG
@@ -237,7 +238,7 @@ Connection* ConnCompressor::NextPacket(double t, HashKey* key, const IP_Hdr* ip,
 	else if ( addr_eq(ip->SrcAddr(), SrcAddr(pending)) &&
 		  tp->th_sport == SrcPort(pending) )
 		// Another packet from originator.
-		tc = NextFromOrig(pending, t, key, tp);
+		tc = NextFromOrig(pending, t, key, ip, tp);
 
 	else
 		// A reply.
@@ -332,11 +333,15 @@ Connection* ConnCompressor::FirstFromOrig(double t, HashKey* key,
 	}
 
 Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t,
-						HashKey* key, const tcphdr* tp)
+						HashKey* key, const IP_Hdr* ip,
+						const tcphdr* tp)
 	{
 	// Another packet from the same host without seeing an answer so far.
 	DBG_LOG(DBG_COMPRESSOR, "%s same again", fmt_conn_id(pending));
 
+	++pending->num_pkts;
+	++pending->num_bytes_ip += ip->PayloadLen();
+
 	// New window scale overrides old - not great, this is a (subtle)
 	// evasion opportunity.
 	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0,
@@ -391,26 +396,6 @@ Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t,
 			{
 			if ( (tp->th_flags & TH_ACK) && ! pending->ACK )
 				Weird(pending, t, "repeated_SYN_with_ack");
-			else
-				{
-				// We adjust the start-time. Unfortunately
-				// this means that we have to create a new
-				// PendingConn as all of them need to be
-				// monotonically increasing in time. This
-				// leads to some inconsistencies with TCP.cc,
-				// as by doing this we basically restart our
-				// attempt_timer.
-
-				pending = MoveState(t, pending);
-
-				// Removing is necessary because the key
-				// will be destroyed at some point.
-				conns.Remove(&pending->key, sizeof(pending->key),
-						pending->hash, true);
-				conns.Dictionary::Insert(&pending->key,
-					sizeof(pending->key), pending->hash,
-					MakeMapPtr(pending), 0);
-				}
 			}
 
 		else
@@ -544,6 +529,8 @@ Connection* ConnCompressor::Instantiate(HashKey* key, PendingConn* pending)
 		return 0;
 		}
 
+	new_conn->SetUID(pending->uid);
+
 	DBG_LOG(DBG_COMPRESSOR, "%s instantiated", fmt_conn_id(pending));
 
 	++sizes.connections;
@@ -631,6 +618,9 @@ void ConnCompressor::PktHdrToPendingConn(double time, const HashKey* key,
 	c->FIN = (tp->th_flags & TH_FIN) != 0;
 	c->RST = (tp->th_flags & TH_RST) != 0;
 	c->ACK = (tp->th_flags & TH_ACK) != 0;
+	c->uid = calculate_unique_id();
+	c->num_bytes_ip = ip->TotalLen();
+	c->num_pkts = 1;
 	c->invalid = 0;
 
 	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0, c) < 0 )
@@ -671,7 +661,7 @@ const IP_Hdr* ConnCompressor::PendingConnToPacket(const PendingConn* c)
 	// only an IPv4 address.
 #ifdef BROv6
 	if ( ! is_v4_addr(c->key.ip1) || ! is_v4_addr(c->key.ip2) )
-		internal_error("IPv6 snuck into connection compressor");
+		reporter->InternalError("IPv6 snuck into connection compressor");
 #endif
 	*(uint32*) &ip->ip_src =
 			to_v4_addr(c->ip1_is_src ? c->key.ip1 : c->key.ip2);
@@ -715,17 +705,6 @@ uint8 ConnCompressor::MakeFlags(const PendingConn* c) const
 	return tcp_flags;
 	}
 
-ConnCompressor::PendingConn* ConnCompressor::MoveState(double time,
-							PendingConn* c)
-	{
-	PendingConn* nc = MakeNewState(time);
-	memcpy(nc, c, sizeof(PendingConn));
-	c->invalid = 1;
-	nc->time = time;
-	++sizes.pending_in_mem;
-	return nc;
-	}
-
 ConnCompressor::PendingConn* ConnCompressor::MakeNewState(double t)
 	{
 	// See if there is enough space in the current block.
@@ -882,8 +861,18 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 							TRANSPORT_TCP));
 			orig_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
 			orig_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+
+			if ( ConnSize_Analyzer::Available() )
+				{
+				// Fill in optional fields if ConnSize_Analyzer is on.
+				orig_endp->Assign(2, new Val(pending->num_pkts, TYPE_COUNT));
+				orig_endp->Assign(3, new Val(pending->num_bytes_ip, TYPE_COUNT));
+				}
+
 			resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 			resp_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			resp_endp->Assign(2, new Val(0, TYPE_COUNT));
+			resp_endp->Assign(3, new Val(0, TYPE_COUNT));
 			}
 		else
 			{
@@ -893,10 +882,22 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 			id_val->Assign(2, new AddrVal(SrcAddr(pending)));
 			id_val->Assign(3, new PortVal(ntohs(SrcPort(pending)),
 							TRANSPORT_TCP));
+
 			orig_endp->Assign(0, new Val(0, TYPE_COUNT));
 			orig_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			orig_endp->Assign(2, new Val(0, TYPE_COUNT));
+			orig_endp->Assign(3, new Val(0, TYPE_COUNT));
+
 			resp_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
 			resp_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+
+			if ( ConnSize_Analyzer::Available() )
+				{
+				// Fill in optional fields if ConnSize_Analyzer is on
+				resp_endp->Assign(2, new Val(pending->num_pkts, TYPE_COUNT));
+				resp_endp->Assign(3, new Val(pending->num_bytes_ip, TYPE_COUNT));
+				}
+
 			DBG_LOG(DBG_COMPRESSOR, "%s swapped direction", fmt_conn_id(pending));
 			}
 
@@ -911,9 +912,20 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
 		conn_val->Assign(8, new StringVal(""));	// history
 
+		char tmp[20]; // uid.
+		conn_val->Assign(9, new StringVal(uitoa_n(pending->uid, tmp, sizeof(tmp), 62)));
+
 		conn_val->SetOrigin(0);
 		}
 
+	if ( event == conn_weird )
+		{
+		// Special case to go through the logger.
+		const char* msg = arg->AsString()->CheckString();
+		reporter->Weird(conn_val->Ref(), msg);
+		return;
+		}
+
 	val_list* vl = new val_list;
 	if ( arg )
 		vl->append(arg);
diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h
index f0069024a2..36959b615c 100644
--- a/src/ConnCompressor.h
+++ b/src/ConnCompressor.h
@@ -1,5 +1,3 @@
-// $Id: ConnCompressor.h 6008 2008-07-23 00:24:22Z vern $
-//
 // The ConnCompressor keeps track of the first packet seen for a conn_id using
 // only a minimal amount of memory. This helps us to avoid instantiating
 // full Connection objects for never-established sessions.
@@ -97,6 +95,11 @@ public:
 		uint32 ack;
 		hash_t hash;
 		uint16 window;
+		uint64 uid;
+
+		// The following are set if use_conn_size_analyzer is T.
+		uint16 num_pkts;
+		uint16 num_bytes_ip;
 	};
 
 private:
@@ -118,8 +121,8 @@ private:
 					const IP_Hdr* ip, const tcphdr* tp);
 
 	// Called for more packets from the orginator w/o seeing a response.
-	Connection* NextFromOrig(PendingConn* pending,
-				double t, HashKey* key, const tcphdr* tp);
+	Connection* NextFromOrig(PendingConn* pending, double t, HashKey* key,
+					const IP_Hdr* ip, const tcphdr* tp);
 
 	// Called for the first response packet. Instantiates a Connection.
 	Connection* Response(PendingConn* pending, double t, HashKey* key,
@@ -138,10 +141,6 @@ private:
 	// Fakes a TCP packet based on the available information.
 	const IP_Hdr* PendingConnToPacket(const PendingConn* c);
 
-	// For changing the timestamp of PendingConn - allocates a new one,
-	// sets the given time, and copies all other data from old.
-	PendingConn* MoveState(double time, PendingConn* old);
-
 	// Construct a TCP-flags byte.
 	uint8 MakeFlags(const PendingConn* c) const;
 
@@ -164,11 +163,10 @@ private:
 
 	void Weird(const PendingConn* pending, double t, const char* msg)
 		{
-		if ( conn_weird )
-			Event(pending, t, conn_weird, TCP_ENDPOINT_INACTIVE, 0,
-				TCP_ENDPOINT_INACTIVE, new StringVal(msg));
-		else
-			fprintf(stderr, "%.06f weird: %s\n", t, msg);
+		// This will actually go through the Reporter; Event() takes
+		// care of that.
+		Event(pending, t, conn_weird, TCP_ENDPOINT_INACTIVE, 0,
+		      TCP_ENDPOINT_INACTIVE, new StringVal(msg));
 		}
 
 	static const int BLOCK_SIZE = 16 * 1024;
diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
new file mode 100644
index 0000000000..a1b892f4db
--- /dev/null
+++ b/src/ConnSizeAnalyzer.cc
@@ -0,0 +1,88 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// See ConnSize.h for more extensive comments.
+
+
+#include "ConnSizeAnalyzer.h"
+#include "TCP.h"
+
+
+
+ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
+: Analyzer(AnalyzerTag::ConnSize, c)
+	{
+	}
+
+
+ConnSize_Analyzer::~ConnSize_Analyzer()
+	{
+	}
+
+void ConnSize_Analyzer::Init()
+	{
+	Analyzer::Init();
+
+	orig_bytes = 0;
+	orig_pkts = 0;
+	resp_bytes = 0;
+	resp_pkts = 0;
+	}
+
+void ConnSize_Analyzer::Done()
+	{
+	Analyzer::Done();
+	}
+
+void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	if ( is_orig )
+		{
+		orig_bytes += ip->TotalLen();
+		orig_pkts ++;
+		}
+	else
+		{
+		resp_bytes += ip->TotalLen();
+		resp_pkts ++;
+		}
+	}
+
+void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	// RecordType *connection_type is decleared in NetVar.h
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	// endpoint is the RecordType from NetVar.h
+	// TODO: or orig_endp->Type()->AsRecordVal()->FieldOffset()
+	int pktidx = endpoint->FieldOffset("num_pkts");
+	int bytesidx = endpoint->FieldOffset("num_bytes_ip");
+
+	// TODO: error handling?
+	orig_endp->Assign(pktidx, new Val(orig_pkts, TYPE_COUNT));
+	orig_endp->Assign(bytesidx, new Val(orig_bytes, TYPE_COUNT));
+	resp_endp->Assign(pktidx, new Val(resp_pkts, TYPE_COUNT));
+	resp_endp->Assign(bytesidx, new Val(resp_bytes, TYPE_COUNT));
+
+	Analyzer::UpdateConnVal(conn_val);
+	}
+
+
+void ConnSize_Analyzer::FlipRoles()
+	{
+	Analyzer::FlipRoles();
+	uint64_t tmp;
+
+	tmp = orig_bytes;
+	orig_bytes = resp_bytes;
+	resp_bytes = tmp;
+
+	tmp = orig_pkts;
+	orig_pkts = resp_pkts;
+	resp_pkts = tmp;
+	}
+
diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h
new file mode 100644
index 0000000000..1fdd57bb15
--- /dev/null
+++ b/src/ConnSizeAnalyzer.h
@@ -0,0 +1,39 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+
+#ifndef CONNSTATS_H
+#define CONNSTATS_H
+
+#include "Analyzer.h"
+#include "NetVar.h"
+
+
+class ConnSize_Analyzer : public Analyzer {
+public:
+	ConnSize_Analyzer(Connection* c);
+	virtual ~ConnSize_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+
+	// from Analyzer.h
+	virtual void UpdateConnVal(RecordVal *conn_val);
+	virtual void FlipRoles();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ConnSize_Analyzer(conn); }
+
+	static bool Available()	{ return BifConst::use_conn_size_analyzer ; }
+
+protected:
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+
+	uint64_t orig_bytes;
+	uint64_t resp_bytes;
+	uint64_t orig_pkts;
+	uint64_t resp_pkts;
+};
+
+#endif
diff --git a/src/ContentLine.cc b/src/ContentLine.cc
index 6dd772a0f8..5601694e1d 100644
--- a/src/ContentLine.cc
+++ b/src/ContentLine.cc
@@ -1,4 +1,4 @@
-// $Id: ContentLine.cc,v 1.1.2.8 2006/06/01 01:55:42 sommer Exp $
+#include <algorithm>
 
 #include "ContentLine.h"
 #include "TCP.h"
@@ -101,7 +101,7 @@ void ContentLine_Analyzer::DeliverStream(int len, const u_char* data,
 		buf = tmp;
 
 		if ( ! buf )
-			internal_error("out of memory delivering endpoint line");
+			reporter->InternalError("out of memory delivering endpoint line");
 		}
 
 	DoDeliver(len, data);
@@ -120,10 +120,10 @@ void ContentLine_Analyzer::EndpointEOF(bool is_orig)
 		DeliverStream(1, (const u_char*) "\n", is_orig);
 	}
 
-void ContentLine_Analyzer::SetPlainDelivery(int length)
+void ContentLine_Analyzer::SetPlainDelivery(int64_t length)
 	{
 	if ( length < 0 )
-		internal_error("negative length for plain delivery");
+		reporter->InternalError("negative length for plain delivery");
 
 	plain_delivery_length = length;
 	}
@@ -154,7 +154,7 @@ void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
 
 		if ( plain_delivery_length > 0 )
 			{
-			int deliver_plain = min(plain_delivery_length, len);
+			int deliver_plain = min(plain_delivery_length, (int64_t)len);
 
 			last_char = 0; // clear last_char
 			plain_delivery_length -= deliver_plain;
@@ -179,7 +179,7 @@ void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
 		if ( seq < seq_to_skip )
 			{
 			// Skip rest of the data and return
-			int skip_len = seq_to_skip - seq;
+			int64_t skip_len = seq_to_skip - seq;
 			if ( skip_len > len )
 				skip_len = len;
 
@@ -310,7 +310,7 @@ void ContentLine_Analyzer::CheckNUL()
 		}
 	}
 
-void ContentLine_Analyzer::SkipBytesAfterThisLine(int length)
+void ContentLine_Analyzer::SkipBytesAfterThisLine(int64_t length)
 	{
 	// This is a little complicated because Bro has to handle
 	// both CR and CRLF as a line break. When a line is delivered,
@@ -326,7 +326,7 @@ void ContentLine_Analyzer::SkipBytesAfterThisLine(int length)
 		SkipBytes(length);
 	}
 
-void ContentLine_Analyzer::SkipBytes(int length)
+void ContentLine_Analyzer::SkipBytes(int64_t length)
 	{
 	skip_pending = 0;
 	seq_to_skip = SeqDelivered() + length;
diff --git a/src/ContentLine.h b/src/ContentLine.h
index fe18ae9f95..5e9f01945f 100644
--- a/src/ContentLine.h
+++ b/src/ContentLine.h
@@ -1,5 +1,3 @@
-// $Id: ContentLine.h,v 1.1.2.9 2006/06/01 01:55:42 sommer Exp $
-//
 // Support-analyzer to split a reassembled stream into lines.
 
 #ifndef CONTENTLINE_H
@@ -44,16 +42,16 @@ public:
 	// mode for next <length> bytes.  Plain-delivery data is also passed
 	// via DeliverStream() and can differentiated by calling
 	// IsPlainDelivery().
-	void SetPlainDelivery(int length);
-	int GetPlainDeliveryLength() const	{ return plain_delivery_length; }
+	void SetPlainDelivery(int64_t length);
+	int64_t GetPlainDeliveryLength() const	{ return plain_delivery_length; }
 	bool IsPlainDelivery()			{ return is_plain; }
 
 	// Skip <length> bytes after this line.
 	// Can be used to skip HTTP data for performance considerations.
-	void SkipBytesAfterThisLine(int length);
-	void SkipBytes(int length);
+	void SkipBytesAfterThisLine(int64_t length);
+	void SkipBytes(int64_t length);
 
-	bool IsSkippedContents(int seq, int length)
+	bool IsSkippedContents(int64_t seq, int64_t length)
 		{ return seq + length <= seq_to_skip; }
 
 protected:
@@ -71,26 +69,26 @@ protected:
 	void CheckNUL();
 
 	// Returns the sequence number delivered so far.
-	int SeqDelivered() const	{ return seq_delivered_in_lines; }
+	int64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
 
 	u_char* buf;	// where we build up the body of the request
 	int offset;	// where we are in buf
 	int buf_len;	// how big buf is, total
 	unsigned int last_char;	// last (non-option) character scanned
 
-	int seq;	// last seq number
-	int seq_to_skip;
+	int64_t seq;	// last seq number
+	int64_t seq_to_skip;
 
 	// Seq delivered up to through NewLine() -- it is adjusted
 	// *before* NewLine() is called.
-	int seq_delivered_in_lines;
+	int64_t seq_delivered_in_lines;
 
 	// Number of bytes to be skipped after this line. See
 	// comments in SkipBytesAfterThisLine().
-	int skip_pending;
+	int64_t skip_pending;
 
 	// Remaining bytes to deliver plain.
-	int plain_delivery_length;
+	int64_t plain_delivery_length;
 	int is_plain;
 
 	// Don't deliver further data.
diff --git a/src/Continuation.h b/src/Continuation.h
index bde07203a9..009d2a87f3 100644
--- a/src/Continuation.h
+++ b/src/Continuation.h
@@ -1,5 +1,3 @@
-// $Id: Continuation.h 2698 2006-04-03 05:50:52Z vern $
-//
 // Helper class to implement continuation-like mechanisms for
 // suspending/resuming tasks for incremental operation.
 //
diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc
index fe163f2632..1d9acaf1fa 100644
--- a/src/DCE_RPC.cc
+++ b/src/DCE_RPC.cc
@@ -1,5 +1,3 @@
-// $Id: DCE_RPC.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -60,7 +58,7 @@ UUID::UUID(const u_char d[16])
 UUID::UUID(const binpac::bytestring& uuid)
 	{
 	if ( uuid.length() != 16 )
-		internal_error("UUID length error");
+		reporter->InternalError("UUID length error");
 	memcpy(data, uuid.begin(), 16);
 	s = uuid_to_string(data);
 	}
@@ -82,10 +80,10 @@ UUID::UUID(const char* str)
 		}
 
 	if ( i != 16 )
-		internal_error(fmt("invalid UUID string: %s", str));
+		reporter->InternalError("invalid UUID string: %s", str);
 	}
 
-typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;
+typedef map<UUID, BifEnum::dce_rpc_if_id> uuid_map_t;
 
 static uuid_map_t& well_known_uuid_map()
 	{
@@ -95,7 +93,7 @@ static uuid_map_t& well_known_uuid_map()
 	if ( initialized )
 		return the_map;
 
-	using namespace BroEnum;
+	using namespace BifEnum;
 
 	the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper;
 
@@ -186,14 +184,14 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
 	else
 		fragmented = 0;
 
-	ptype = (BroEnum::dce_rpc_ptype) bytes[2];
+	ptype = (BifEnum::dce_rpc_ptype) bytes[2];
 	frag_len = extract_uint16(LittleEndian(), bytes + 8);
 	}
 
 DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
 : analyzer(a),
   if_uuid("00000000-0000-0000-0000-000000000000"),
-  if_id(BroEnum::DCE_RPC_unknown_if)
+  if_id(BifEnum::DCE_RPC_unknown_if)
 	{
 	opnum = -1;
 	}
@@ -234,7 +232,7 @@ void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data)
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
-		vl->append(new EnumVal(data[2], enum_dce_rpc_ptype));
+		vl->append(new EnumVal(data[2], BifType::Enum::dce_rpc_ptype));
 		vl->append(new StringVal(len, (const char*) data));
 
 		analyzer->ConnectionEvent(dce_rpc_message, vl);
@@ -286,7 +284,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			// conn->Weird(fmt("Unknown DCE_RPC interface %s",
 			// 		if_uuid.to_string()));
 #endif
-			if_id = BroEnum::DCE_RPC_unknown_if;
+			if_id = BifEnum::DCE_RPC_unknown_if;
 			}
 		else
 			if_id = uuid_it->second;
@@ -296,7 +294,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			val_list* vl = new val_list;
 			vl->append(analyzer->BuildConnVal());
 			vl->append(new StringVal(if_uuid.to_string()));
-			// vl->append(new EnumVal(if_id, enum_dce_rpc_if_id));
+			// vl->append(new EnumVal(if_id, BifType::Enum::dce_rpc_if_id));
 
 			analyzer->ConnectionEvent(dce_rpc_bind, vl);
 			}
@@ -321,7 +319,7 @@ void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperRequest(pdu, req);
 		break;
 
@@ -345,7 +343,7 @@ void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperResponse(pdu, resp);
 		break;
 
diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h
index 4e13443148..63237a151b 100644
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@@ -1,5 +1,3 @@
-// $Id: DCE_RPC.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef dce_rpc_h
@@ -91,7 +89,7 @@ class DCE_RPC_Header {
 public:
 	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
 
-	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	BifEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
 	int FragLen() const		{ return frag_len; }
 	int LittleEndian() const	{ return bytes[4] >> 4; }
 	bool Fragmented() const		{ return fragmented; }
@@ -102,7 +100,7 @@ public:
 protected:
 	Analyzer* analyzer;
 	const u_char* bytes;
-	BroEnum::dce_rpc_ptype ptype;
+	BifEnum::dce_rpc_ptype ptype;
 	int frag_len;
 	bool fragmented;
 };
@@ -138,7 +136,7 @@ protected:
 
 	Analyzer* analyzer;
 	UUID if_uuid;
-	BroEnum::dce_rpc_if_id if_id;
+	BifEnum::dce_rpc_if_id if_id;
 	int opnum;
 	struct {
 		dce_rpc_endpoint_addr addr;
diff --git a/src/DFA.cc b/src/DFA.cc
index 57ea87335e..e58ea260e5 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -1,5 +1,3 @@
-// $Id: DFA.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -21,11 +19,10 @@ DFA_State::DFA_State(int arg_state_num, const EquivClass* ec,
 	nfa_states = arg_nfa_states;
 	accept = arg_accept;
 	mark = 0;
-	lock = 0;
 
 	SymPartition(ec);
 
-	xtions = new DFA_State_Handle*[num_sym];
+	xtions = new DFA_State*[num_sym];
 
 	for ( int i = 0; i < num_sym; ++i )
 		xtions[i] = DFA_UNCOMPUTED_STATE_PTR;
@@ -33,31 +30,14 @@ DFA_State::DFA_State(int arg_state_num, const EquivClass* ec,
 
 DFA_State::~DFA_State()
 	{
-	for ( int i = 0; i < num_sym; ++i )
-		{
-		DFA_State_Handle* s = xtions[i];
-		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-			StateUnref(s);
-		}
-
 	delete [] xtions;
 	delete nfa_states;
 	delete accept;
 	delete meta_ec;
 	}
 
-void DFA_State::AddXtion(int sym, DFA_State_Handle* next_state)
+void DFA_State::AddXtion(int sym, DFA_State* next_state)
 	{
-	// The order is important here: first StateRef() the new,
-	// then StateUnref() the old.  Otherwise, we may get a problem
-	// if both are equal.
-
-	if ( next_state )
-		StateRef(next_state);
-
-	if ( xtions[sym] && xtions[sym] != DFA_UNCOMPUTED_STATE_PTR )
-		StateUnref(xtions[sym]);
-
 	xtions[sym] = next_state;
 	}
 
@@ -94,14 +74,10 @@ void DFA_State::SymPartition(const EquivClass* ec)
 	meta_ec->BuildECs();
 	}
 
-DFA_State_Handle* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
+DFA_State* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
 	{
-	// Make sure we will not expire...
-	assert(IsLocked());
-
 	int equiv_sym = meta_ec->EquivRep(sym);
-	if ( xtions[equiv_sym] != DFA_UNCOMPUTED_STATE_PTR &&
-	     StateIsValid(xtions[equiv_sym]) )
+	if ( xtions[equiv_sym] != DFA_UNCOMPUTED_STATE_PTR )
 		{
 		AddXtion(sym, xtions[equiv_sym]);
 		return xtions[sym];
@@ -109,7 +85,7 @@ DFA_State_Handle* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
 
 	const EquivClass* ec = machine->EC();
 
-	DFA_State_Handle* next_d;
+	DFA_State* next_d;
 
 	NFA_state_list* ns = SymFollowSet(equiv_sym, ec);
 	if ( ns->length() > 0 )
@@ -211,10 +187,10 @@ void DFA_State::ClearMarks()
 
 		for ( int i = 0; i < num_sym; ++i )
 			{
-			DFA_State_Handle* s = xtions[i];
+			DFA_State* s = xtions[i];
 
 			if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-				(*xtions[i])->ClearMarks();
+				xtions[i]->ClearMarks();
 			}
 		}
 	}
@@ -243,7 +219,7 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 	int num_trans = 0;
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( ! s )
 			continue;
@@ -271,7 +247,7 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 		else
 			fprintf(f, "%stransition on %s to state %d",
 				++num_trans == 1 ? "\t" : "\n\t", xbuf,
-				(*s)->StateNum());
+				s->StateNum());
 
 		sym = i - 1;
 		}
@@ -283,10 +259,10 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-			(*s)->Dump(f, m);
+			s->Dump(f, m);
 		}
 	}
 
@@ -294,7 +270,7 @@ void DFA_State::Stats(unsigned int* computed, unsigned int* uncomputed)
 	{
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( s == DFA_UNCOMPUTED_STATE_PTR )
 			(*uncomputed)++;
@@ -313,11 +289,9 @@ unsigned int DFA_State::Size()
 		+ (centry ? padded_sizeof(CacheEntry) : 0);
 	}
 
-
 DFA_State_Cache::DFA_State_Cache(int arg_maxsize)
 	{
 	maxsize = arg_maxsize;
-	head = tail = 0;
 	hits = misses = 0;
 	}
 
@@ -328,13 +302,12 @@ DFA_State_Cache::~DFA_State_Cache()
 	while ( (e = (CacheEntry*) states.NextEntry(i)) )
 		{
 		assert(e->state);
-		StateInvalidate(e->state);
 		delete e->hash;
 		delete e;
 		}
 	}
 
-DFA_State_Handle* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
+DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
 						HashKey** hash)
 	{
 	// We assume that state ID's don't exceed 10 digits, plus
@@ -380,100 +353,24 @@ DFA_State_Handle* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
 	delete *hash;
 	*hash = 0;
 
-	MoveToFront(e);
-
 	return e->state;
 	}
 
-DFA_State_Handle* DFA_State_Cache::Insert(DFA_State* state, HashKey* hash)
+DFA_State* DFA_State_Cache::Insert(DFA_State* state, HashKey* hash)
 	{
 	CacheEntry* e;
 
-#ifdef EXPIRE_DFA_STATES
-	if ( states.Length() == maxsize )
-		{
-		// Remove oldest unlocked entry.
-		for ( e = tail; e; e = e->prev )
-			if ( ! (*e->state)->lock )
-				break;
-		if ( e )
-			Remove(e);
-		}
-#endif
-
 	e = new CacheEntry;
 
-#ifdef EXPIRE_DFA_STATES
-	// Insert as head.
-	e->state = new DFA_State_Handle(state);
-	e->state->state->centry = e;
-#else
 	e->state = state;
 	e->state->centry = e;
-#endif
 	e->hash = hash;
-	e->prev = 0;
-	e->next = head;
-	if ( head )
-		head->prev = e;
-	head = e;
-	if ( ! tail )
-		tail = e;
 
 	states.Insert(hash, e);
 
 	return e->state;
 	}
 
-void DFA_State_Cache::Remove(CacheEntry* e)
-	{
-	if ( e == head )
-		{
-		head = e->next;
-		if ( head )
-			head->prev = 0;
-		}
-	else
-		e->prev->next = e->next;
-
-	if ( e == tail )
-		{
-		tail = e->prev;
-		if ( tail )
-			tail->next = 0;
-		}
-	else
-		e->next->prev = e->prev;
-
-	states.Remove(e->hash);
-
-	assert(e->state);
-	StateInvalidate(e->state);
-	delete e->hash;
-	delete e;
-	}
-
-void DFA_State_Cache::MoveToFront(CacheEntry* e)
-	{
-	++hits;
-
-	if ( e->prev )
-		{
-		e->prev->next = e->next;
-
-		if ( e->next )
-			e->next->prev = e->prev;
-		else
-			tail = e->prev;
-
-		e->prev = 0;
-		e->next = head;
-
-		head->prev = e;
-		head = e;
-		}
-	}
-
 void DFA_State_Cache::GetStats(Stats* s)
 	{
 	s->dfa_states = 0;
@@ -490,9 +387,9 @@ void DFA_State_Cache::GetStats(Stats* s)
 	while ( (e = (CacheEntry*) states.NextEntry(i)) )
 		{
 		++s->dfa_states;
-		s->nfa_states += (*e->state)->NFAStateNum();
-		(*e->state)->Stats(&s->computed, &s->uncomputed);
-		s->mem += pad_size((*e->state)->Size()) + padded_sizeof(*e->state);
+		s->nfa_states += e->state->NFAStateNum();
+		e->state->Stats(&s->computed, &s->uncomputed);
+		s->mem += pad_size(e->state->Size()) + padded_sizeof(*e->state);
 		}
 	}
 
@@ -514,9 +411,6 @@ DFA_Machine::DFA_Machine(NFA_Machine* n, EquivClass* arg_ec)
 		{
 		NFA_state_list* state_set = epsilon_closure(ns);
 		(void) StateSetToDFA_State(state_set, start_state, ec);
-
-		StateRef(start_state);
-		StateLock(start_state);
 		}
 	else
 		start_state = 0; // Jam
@@ -524,12 +418,6 @@ DFA_Machine::DFA_Machine(NFA_Machine* n, EquivClass* arg_ec)
 
 DFA_Machine::~DFA_Machine()
 	{
-	if ( start_state )
-		{
-		StateUnlock(start_state);
-		StateUnref(start_state);
-		}
-
 	delete dfa_state_cache;
 	Unref(nfa);
 	}
@@ -541,8 +429,8 @@ void DFA_Machine::Describe(ODesc* d) const
 
 void DFA_Machine::Dump(FILE* f)
 	{
-	(*start_state)->Dump(f, this);
-	(*start_state)->ClearMarks();
+	start_state->Dump(f, this);
+	start_state->ClearMarks();
 	}
 
 void DFA_Machine::DumpStats(FILE* f)
@@ -571,12 +459,11 @@ unsigned int DFA_Machine::MemoryAllocation() const
 	}
 
 int DFA_Machine::StateSetToDFA_State(NFA_state_list* state_set,
-				DFA_State_Handle*& d, const EquivClass* ec)
+				DFA_State*& d, const EquivClass* ec)
 	{
 	HashKey* hash;
 	d = dfa_state_cache->Lookup(*state_set, &hash);
 
-	assert((! d) || StateIsValid(d));
 	if ( d )
 		return 0;
 
diff --git a/src/DFA.h b/src/DFA.h
index 6bf9fd640b..0f6c7d2f25 100644
--- a/src/DFA.h
+++ b/src/DFA.h
@@ -1,5 +1,3 @@
-// $Id: DFA.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
@@ -8,57 +6,12 @@
 
 #include <assert.h>
 
-// It's possible to use a fixed size cache of computed states for each DFA.
-// If the number of DFA states reaches the given limit, old states are expired
-// on a least-recently-used basis. This may impact the performance significantly
-// if expired states have to be recalculated regularly, but it limits the
-// amount of memory taken by a DFA.
-//
-// Enable by configuring with --with-expire-dfa-states.
-
 class DFA_State;
 
-// The cache marks expired states as invalid.
-#define DFA_INVALID_STATE_PTR ((DFA_State*) -1)
-
 // Transitions to the uncomputed state indicate that we haven't yet
 // computed the state to go to.
 #define DFA_UNCOMPUTED_STATE -2
-#define DFA_UNCOMPUTED_STATE_PTR ((DFA_State_Handle*) DFA_UNCOMPUTED_STATE)
-
-#ifdef EXPIRE_DFA_STATES
-
-class DFA_State_Handle {
-public:
-	// The reference counting keeps track of this *handle* (not the state).
-	void Ref()	{ assert(state); ++refcount; }
-	void Unref()
-		{
-		if ( --refcount == 0 )
-			delete this;
-		}
-
-	inline void Invalidate();
-	bool IsValid() const		{ return state != DFA_INVALID_STATE_PTR; }
-
-	DFA_State* State() const	{ return state; }
-	DFA_State* operator->() const	{ return state; }
-
-protected:
-	friend class DFA_State_Cache;
-
-	DFA_State_Handle(DFA_State* arg_state)
-		{ state = arg_state; refcount = 1; }
-
-	inline ~DFA_State_Handle();
-
-	DFA_State* state;
-	int refcount;
-};
-
-#else
-typedef DFA_State DFA_State_Handle;
-#endif
+#define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*) DFA_UNCOMPUTED_STATE)
 
 #include "NFA.h"
 
@@ -76,9 +29,9 @@ public:
 
 	int StateNum() const		{ return state_num; }
 	int NFAStateNum() const		{ return nfa_states->length(); }
-	void AddXtion(int sym, DFA_State_Handle* next_state);
+	void AddXtion(int sym, DFA_State* next_state);
 
-	inline DFA_State_Handle* Xtion(int sym, DFA_Machine* machine);
+	inline DFA_State* Xtion(int sym, DFA_Machine* machine);
 
 	const AcceptingSet* Accept() const	{ return accept; }
 	void SymPartition(const EquivClass* ec);
@@ -98,43 +51,29 @@ public:
 	void Stats(unsigned int* computed, unsigned int* uncomputed);
 	unsigned int Size();
 
-	// Locking a state will keep it from expiring from a cache.
-	void Lock()	{ ++lock; }
-	void Unlock()	{ --lock; }
-
-#ifdef EXPIRE_DFA_STATES
-	bool IsLocked()	{ return lock != 0; }
-#else
-	bool IsLocked()	{ return true; }
-	DFA_State* operator->(){ return this; }
-#endif
-
 protected:
 	friend class DFA_State_Cache;
 
-	DFA_State_Handle* ComputeXtion(int sym, DFA_Machine* machine);
+	DFA_State* ComputeXtion(int sym, DFA_Machine* machine);
 	void AppendIfNew(int sym, int_list* sym_list);
 
 	int state_num;
 	int num_sym;
 
-	DFA_State_Handle** xtions;
+	DFA_State** xtions;
 
 	AcceptingSet* accept;
 	NFA_state_list* nfa_states;
 	EquivClass* meta_ec;	// which ec's make same transition
 	DFA_State* mark;
-	int lock;
 	CacheEntry* centry;
 
 	static unsigned int transition_counter;	// see Xtion()
 };
 
 struct CacheEntry {
-	DFA_State_Handle* state;
+	DFA_State* state;
 	HashKey* hash;
-	CacheEntry* next;
-	CacheEntry* prev;
 };
 
 class DFA_State_Cache {
@@ -143,13 +82,11 @@ public:
 	~DFA_State_Cache();
 
 	// If the caller stores the handle, it has to call Ref() on it.
-	DFA_State_Handle* Lookup(const NFA_state_list& nfa_states,
+	DFA_State* Lookup(const NFA_state_list& nfa_states,
 					HashKey** hash);
 
 	// Takes ownership of both; hash is the one returned by Lookup().
-	DFA_State_Handle* Insert(DFA_State* state, HashKey* hash);
-
-	void MoveToFront(DFA_State* state)	{ MoveToFront(state->centry); }
+	DFA_State* Insert(DFA_State* state, HashKey* hash);
 
 	int NumEntries() const	{ return states.Length(); }
 
@@ -168,9 +105,6 @@ public:
 	void GetStats(Stats* s);
 
 private:
-	void Remove(CacheEntry* e);
-	void MoveToFront(CacheEntry* e);
-
 	int maxsize;
 
 	int hits;	// Statistics
@@ -180,10 +114,6 @@ private:
 
 	// Hash indexed by NFA states (MD5s of them, actually).
 	PDict(CacheEntry) states;
-
-	// List in LRU order.
-	CacheEntry* head;
-	CacheEntry* tail;
 };
 
 declare(PList,DFA_State);
@@ -196,7 +126,7 @@ public:
 			int* acc_array);
 	~DFA_Machine();
 
-	DFA_State_Handle* StartState() const	{ return start_state; }
+	DFA_State* StartState() const	{ return start_state; }
 
 	int NumStates() const	{ return dfa_state_cache->NumEntries(); }
 
@@ -217,74 +147,18 @@ protected:
 	int state_count;
 
 	// The state list has to be sorted according to IDs.
-	int StateSetToDFA_State(NFA_state_list* state_set, DFA_State_Handle*& d,
+	int StateSetToDFA_State(NFA_state_list* state_set, DFA_State*& d,
 				const EquivClass* ec);
 	const EquivClass* EC() const	{ return ec; }
 
 	EquivClass* ec;	// equivalence classes corresponding to NFAs
-	DFA_State_Handle* start_state;
+	DFA_State* start_state;
 	DFA_State_Cache* dfa_state_cache;
 
 	NFA_Machine* nfa;
 };
 
-#ifdef EXPIRE_DFA_STATES
-
-inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
-	{
-	Lock();
-
-	// This is just a clumsy form of sampling... Instead of moving
-	// the state to the front of our LRU cache on each transition (which
-	// would be quite often) we just do it on every nth transition
-	// (counted across all DFA states). This is based on the observation
-	// that a very few of all states are used most of time.
-	// (currently n=10000; should it be configurable?)
-	if ( transition_counter++ % 10000 == 0 )
-		machine->Cache()->MoveToFront(this);
-
-	DFA_State_Handle* h;
-
-	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR ||
-	     (xtions[sym] && ! xtions[sym]->IsValid()) )
-		h = ComputeXtion(sym, machine);
-	else
-		h = xtions[sym];
-
-	Unlock();
-
-	return h;
-	}
-
-inline DFA_State_Handle::~DFA_State_Handle()
-	{
-	if ( state != DFA_INVALID_STATE_PTR )
-		delete state;
-	}
-
-inline void DFA_State_Handle::Invalidate()
-	{
-	assert(state!=DFA_INVALID_STATE_PTR);
-	delete state;
-	state = DFA_INVALID_STATE_PTR;
-	Unref();
-	}
-
-// Not nice but helps avoiding some overhead in the non-expiration case.
-static inline void StateLock(DFA_State_Handle* s)	{ s->State()->Lock(); }
-static inline void StateUnlock(DFA_State_Handle* s)	{ s->State()->Unlock(); }
-static inline void StateRef(DFA_State_Handle* s)	{ s->Ref(); }
-static inline void StateUnref(DFA_State_Handle* s)	{ s->Unref(); }
-static inline void StateInvalidate(DFA_State_Handle* s)	{ s->Invalidate(); }
-
-static inline bool StateIsValid(DFA_State_Handle* s)
-	{
-	return ! s || s->IsValid();
-	}
-
-#else
-
-inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
+inline DFA_State* DFA_State::Xtion(int sym, DFA_Machine* machine)
 	{
 	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR )
 		return ComputeXtion(sym, machine);
@@ -292,13 +166,4 @@ inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
 		return xtions[sym];
 	}
 
-static inline void StateLock(DFA_State_Handle* s)	{ }
-static inline void StateUnlock(DFA_State_Handle* s)	{ }
-static inline void StateRef(DFA_State_Handle* s)	{ }
-static inline void StateUnref(DFA_State_Handle* s)	{ }
-static inline void StateInvalidate(DFA_State_Handle* s)	{ }
-static inline bool StateIsValid(DFA_State_Handle* s)	{ return true; }
-
-#endif
-
 #endif
diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc
index 23149b7837..2aec6e6e9f 100644
--- a/src/DHCP-binpac.cc
+++ b/src/DHCP-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "DHCP-binpac.h"
 
 DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h
index d0e93dcfc2..06ddff3bb6 100644
--- a/src/DHCP-binpac.h
+++ b/src/DHCP-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef dhcp_binpac_h
 #define dhcp_binpac_h
 
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc
index e06ef1ab19..eb95ac2e1c 100644
--- a/src/DNS-binpac.cc
+++ b/src/DNS-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "DNS-binpac.h"
 #include "TCP_Reassembler.h"
 
diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h
index b43e3b6aae..9e8cb16f69 100644
--- a/src/DNS-binpac.h
+++ b/src/DNS-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef dns_binpac_h
 #define dns_binpac_h
 
diff --git a/src/DNS.cc b/src/DNS.cc
index 1391794261..c93ea6973d 100644
--- a/src/DNS.cc
+++ b/src/DNS.cc
@@ -1,5 +1,3 @@
-// $Id: DNS.cc 6885 2009-08-20 04:37:55Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -13,8 +11,6 @@
 #include "DNS.h"
 #include "Sessions.h"
 #include "Event.h"
-#include "DNS_Rewriter.h"
-#include "TCP_Rewriter.h"
 
 DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
 	{
@@ -48,6 +44,7 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	// This should weed out most of it.
 	if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
 		{
+		analyzer->ProtocolViolation("DNS_Conn_count_too_large");
 		analyzer->Weird("DNS_Conn_count_too_large");
 		EndMessage(&msg);
 		return 0;
@@ -71,6 +68,8 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 		return 0;
 		}
 
+	analyzer->ProtocolConfirmation();
+
 	AddrVal server(analyzer->Conn()->RespAddr());
 
 	int skip_auth = dns_skip_all_auth;
@@ -1030,7 +1029,7 @@ Contents_DNS::Contents_DNS(Connection* conn, bool orig,
 
 Contents_DNS::~Contents_DNS()
 	{
-	delete msg_buf;
+	free(msg_buf);
 	}
 
 void Contents_DNS::Flush()
@@ -1134,11 +1133,6 @@ DNS_Analyzer::~DNS_Analyzer()
 
 void DNS_Analyzer::Init()
 	{
-	if ( transformed_pkt_dump && RewritingTrace() &&
-	     Conn()->ConnTransport() == TRANSPORT_UDP )
-		Conn()->GetRootAnalyzer()->SetTraceRewriter(
-			new DNS_Rewriter(this, transformed_pkt_dump_MTU,
-			transformed_pkt_dump));
 	}
 
 void DNS_Analyzer::Done()
@@ -1196,5 +1190,3 @@ void DNS_Analyzer::ExpireTimer(double t)
 		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
 				t + dns_session_timeout, 1, TIMER_DNS_EXPIRE);
 	}
-
-#include "dns-rw.bif.func_def"
diff --git a/src/DNS.h b/src/DNS.h
index 6a68bf5dbd..83ca80911e 100644
--- a/src/DNS.h
+++ b/src/DNS.h
@@ -1,5 +1,3 @@
-// $Id: DNS.h 6885 2009-08-20 04:37:55Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef dns_h
@@ -265,11 +263,6 @@ public:
 	virtual void Done();
 	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event);
-	virtual int RewritingTrace()
-		{
-		return rewriting_dns_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	void ExpireTimer(double t);
 
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 742ff00b8f..2b9d07a969 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -1,5 +1,3 @@
-// $Id: DNS_Mgr.cc 7073 2010-09-13 00:45:02Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -29,10 +27,13 @@
 #endif
 #include <stdlib.h>
 
+#include <algorithm>
+
 #include "DNS_Mgr.h"
 #include "Event.h"
 #include "Net.h"
 #include "Var.h"
+#include "Reporter.h"
 
 extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
@@ -61,6 +62,7 @@ public:
 protected:
 	char* host;	// if non-nil, this is a host request
 	uint32 addr;
+	uint32 ttl;
 	int request_pending;
 };
 
@@ -80,8 +82,8 @@ int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
 
 class DNS_Mapping {
 public:
-	DNS_Mapping(const char* host, struct hostent* h);
-	DNS_Mapping(uint32 addr, struct hostent* h);
+	DNS_Mapping(const char* host, struct hostent* h, uint32 ttl);
+	DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl);
 	DNS_Mapping(FILE* f);
 
 	int NoMapping() const		{ return no_mapping; }
@@ -106,6 +108,9 @@ public:
 	int Failed() const		{ return failed; }
 	int Valid() const		{ return ! failed; }
 
+	bool Expired() const
+		{ return current_time() > (creation_time + req_ttl); }
+
 protected:
 	friend class DNS_Mgr;
 
@@ -117,6 +122,7 @@ protected:
 
 	char* req_host;
 	uint32 req_addr;
+	uint32 req_ttl;
 
 	int num_names;
 	char** names;
@@ -144,21 +150,23 @@ static TableVal* empty_addr_set()
 	return new TableVal(s);
 	}
 
-DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h)
+DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h, uint32 ttl)
 	{
 	Init(h);
 	req_host = copy_string(host);
 	req_addr = 0;
+	req_ttl = ttl;
 
 	if ( names && ! names[0] )
 		names[0] = copy_string(host);
 	}
 
-DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h)
+DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl)
 	{
 	Init(h);
 	req_addr = addr;
 	req_host = 0;
+	req_ttl = ttl;
 	}
 
 DNS_Mapping::DNS_Mapping(FILE* f)
@@ -350,7 +358,7 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
 	nb_dns = nb_dns_init(err);
 
 	if ( ! nb_dns )
-		warn(fmt("problem initializing NB-DNS: %s", err));
+		reporter->Warning("problem initializing NB-DNS: %s", err);
 
 	dns_mapping_valid = dns_mapping_unverified = dns_mapping_new_name =
 		dns_mapping_lost_name = dns_mapping_name_changed =
@@ -362,6 +370,9 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
 	cache_name = dir = 0;
 
 	asyncs_pending = 0;
+	num_requests = 0;
+	successful = 0;
+	failed = 0;
 	}
 
 DNS_Mgr::~DNS_Mgr()
@@ -437,7 +448,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 				return d->Addrs()->ConvertToSet();
 			else
 				{
-				warn("no such host:", name);
+				reporter->Warning("no such host: %s", name);
 				return empty_addr_set();
 				}
 			}
@@ -450,7 +461,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 		return empty_addr_set();
 
 	case DNS_FORCE:
-		internal_error("can't find DNS entry for %s in cache", name);
+		reporter->FatalError("can't find DNS entry for %s in cache", name);
 		return 0;
 
 	case DNS_DEFAULT:
@@ -459,7 +470,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 		return LookupHost(name);
 
 	default:
-		internal_error("bad mode in DNS_Mgr::LookupHost");
+		reporter->InternalError("bad mode in DNS_Mgr::LookupHost");
 		return 0;
 	}
 	}
@@ -480,7 +491,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
 				return d->Host();
 			else
 				{
-				warn("can't resolve IP address:", dotted_addr(addr));
+				reporter->Warning("can't resolve IP address: %s", dotted_addr(addr));
 				return new StringVal(dotted_addr(addr));
 				}
 			}
@@ -493,7 +504,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
 		return new StringVal("<none>");
 
 	case DNS_FORCE:
-		internal_error("can't find DNS entry for %s in cache",
+		reporter->FatalError("can't find DNS entry for %s in cache",
 				dotted_addr(addr));
 		return 0;
 
@@ -503,7 +514,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
 		return LookupAddr(addr);
 
 	default:
-		internal_error("bad mode in DNS_Mgr::LookupHost");
+		reporter->InternalError("bad mode in DNS_Mgr::LookupHost");
 		return 0;
 	}
 	}
@@ -564,7 +575,7 @@ void DNS_Mgr::Resolve()
 		struct nb_dns_result r;
 		status = nb_dns_activity(nb_dns, &r, err);
 		if ( status < 0 )
-			internal_error(
+			reporter->Warning(
 			    "NB-DNS error in DNS_Mgr::WaitForReplies (%s)",
 			    err);
 		else if ( status > 0 )
@@ -661,6 +672,7 @@ Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
 void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 	{
 	struct hostent* h = (r && r->host_errno == 0) ? r->hostent : 0;
+	u_int32_t ttl = r->ttl;
 
 	DNS_Mapping* new_dm;
 	DNS_Mapping* prev_dm;
@@ -668,7 +680,7 @@ void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 
 	if ( dr->ReqHost() )
 		{
-		new_dm = new DNS_Mapping(dr->ReqHost(), h);
+		new_dm = new DNS_Mapping(dr->ReqHost(), h, ttl);
 		prev_dm = host_mappings.Insert(dr->ReqHost(), new_dm);
 
 		if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
@@ -681,7 +693,7 @@ void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 		}
 	else
 		{
-		new_dm = new DNS_Mapping(dr->ReqAddr(), h);
+		new_dm = new DNS_Mapping(dr->ReqAddr(), h, ttl);
 		uint32 tmp_addr = dr->ReqAddr();
 		HashKey k(&tmp_addr, 1);
 		prev_dm = addr_mappings.Insert(&k, new_dm);
@@ -742,7 +754,7 @@ void DNS_Mgr::CompareMappings(DNS_Mapping* prev_dm, DNS_Mapping* new_dm)
 	ListVal* new_a = new_dm->Addrs();
 
 	if ( ! prev_a || ! new_a )
-		internal_error("confused in DNS_Mgr::CompareMappings");
+		reporter->InternalError("confused in DNS_Mgr::CompareMappings");
 
 	ListVal* prev_delta = AddrListDelta(prev_a, new_a);
 	ListVal* new_delta = AddrListDelta(new_a, prev_a);
@@ -812,7 +824,7 @@ void DNS_Mgr::LoadCache(FILE* f)
 		}
 
 	if ( ! m->NoMapping() )
-		internal_error("DNS cache corrupted");
+		reporter->FatalError("DNS cache corrupted");
 
 	delete m;
 	fclose(f);
@@ -831,9 +843,17 @@ const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
 	{
 	HashKey h(&addr, 1);
 	DNS_Mapping* d = dns_mgr->addr_mappings.Lookup(&h);
+
 	if ( ! d )
 		return 0;
 
+	if ( d->Expired() )
+		{
+		dns_mgr->addr_mappings.Remove(&h);
+		delete d;
+		return 0;
+		}
+
 	// The escapes in the following strings are to avoid having it
 	// interpreted as a trigraph sequence.
 	return d->names ? d->names[0] : "<\?\?\?>";
@@ -842,9 +862,18 @@ const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
 TableVal* DNS_Mgr::LookupNameInCache(string name)
 	{
 	DNS_Mapping* d = dns_mgr->host_mappings.Lookup(name.c_str());
+
 	if ( ! d || ! d->names )
 		return 0;
 
+	if ( d->Expired() )
+		{
+		HashKey h(name.c_str());
+		dns_mgr->host_mappings.Remove(&h);
+		delete d;
+		return 0;
+		}
+
 	return d->AddrsSet();
 	}
 
@@ -924,6 +953,8 @@ void DNS_Mgr::IssueAsyncRequests()
 		AsyncRequest* req = asyncs_queued.front();
 		asyncs_queued.pop_front();
 
+		++num_requests;
+
 		DNS_Mgr_Request* dr;
 		if ( req->IsAddrReq() )
 			dr = new DNS_Mgr_Request(req->host);
@@ -932,7 +963,8 @@ void DNS_Mgr::IssueAsyncRequests()
 
 		if ( ! dr->MakeRequest(nb_dns) )
 			{
-			run_time("can't issue DNS request");
+			reporter->Warning("can't issue DNS request");
+			++failed;
 			req->Timeout();
 			continue;
 			}
@@ -967,10 +999,16 @@ void DNS_Mgr::CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout)
 		{
 		const char* name = LookupAddrInCache(addr);
 		if ( name )
+			{
+			++successful;
 			i->second->Resolved(name);
+			}
 
 		else if ( timeout )
+			{
+			++failed;
 			i->second->Timeout();
+			}
 
 		else
 			return;
@@ -996,12 +1034,16 @@ void DNS_Mgr::CheckAsyncHostRequest(const char* host, bool timeout)
 
 		if ( addrs )
 			{
+			++successful;
 			i->second->Resolved(addrs);
 			Unref(addrs);
 			}
 
 		else if ( timeout )
+			{
+			++failed;
 			i->second->Timeout();
+			}
 
 		else
 			return;
@@ -1014,14 +1056,29 @@ void DNS_Mgr::CheckAsyncHostRequest(const char* host, bool timeout)
 		}
 	}
 
-void  DNS_Mgr::Process()
+void DNS_Mgr::Flush()
 	{
+	DoProcess(false);
 
+	IterCookie* cookie = addr_mappings.InitForIteration();
+	DNS_Mapping* dm;
+
+	host_mappings.Clear();
+	addr_mappings.Clear();
+	}
+
+void DNS_Mgr::Process()
+	{
+	DoProcess(false);
+	}
+
+void DNS_Mgr::DoProcess(bool flush)
+	{
 	while ( asyncs_timeouts.size() > 0 )
 		{
 		AsyncRequest* req = asyncs_timeouts.top();
 
-		if ( req->time + DNS_TIMEOUT > current_time() )
+		if ( req->time + DNS_TIMEOUT > current_time() || flush )
 			break;
 
 		if ( req->IsAddrReq() )
@@ -1045,7 +1102,7 @@ void  DNS_Mgr::Process()
 	int status = nb_dns_activity(nb_dns, &r, err);
 
 	if ( status < 0 )
-		internal_error("NB-DNS error in DNS_Mgr::Process (%s)", err);
+		reporter->Warning("NB-DNS error in DNS_Mgr::Process (%s)", err);
 
 	else if ( status > 0 )
 		{
@@ -1062,6 +1119,8 @@ void  DNS_Mgr::Process()
 			CheckAsyncHostRequest(dr->ReqHost(), true);
 
 		IssueAsyncRequests();
+
+		delete dr;
 		}
 	}
 
@@ -1069,7 +1128,10 @@ int DNS_Mgr::AnswerAvailable(int timeout)
 	{
 	int fd = nb_dns_fd(nb_dns);
 	if ( fd < 0 )
-		internal_error("nb_dns_fd() failed in DNS_Mgr::WaitForReplies");
+		{
+		reporter->Warning("nb_dns_fd() failed in DNS_Mgr::WaitForReplies");
+		return -1;
+		}
 
 	fd_set read_fds;
 
@@ -1084,13 +1146,28 @@ int DNS_Mgr::AnswerAvailable(int timeout)
 
 	if ( status < 0 )
 		{
-		if ( errno == EINTR )
-			return -1;
-		internal_error("problem with DNS select");
+		if ( errno != EINTR )
+			reporter->Warning("problem with DNS select");
+
+		return -1;
 		}
 
 	if ( status > 1 )
-		internal_error("strange return from DNS select");
+		{
+		reporter->Warning("strange return from DNS select");
+		return -1;
+		}
 
 	return status;
 	}
+
+void DNS_Mgr::GetStats(Stats* stats)
+	{
+	stats->requests = num_requests;
+	stats->successful = successful;
+	stats->failed = failed;
+	stats->pending = asyncs_pending;
+	stats->cached_hosts = host_mappings.Length();
+	stats->cached_addresses = addr_mappings.Length();
+	}
+
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index 580eae92f1..def608d064 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -1,6 +1,4 @@
-// $Id: DNS_Mgr.h 6915 2009-09-22 05:04:17Z vern $
-//
-// See the file "COPYING" in the main distribution directory for copyright.
+  // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef dnsmgr_h
 #define dnsmgr_h
@@ -51,6 +49,7 @@ public:
 	virtual ~DNS_Mgr();
 
 	bool Init();
+	void Flush();
 
 	// Looks up the address or addresses of the given host, and returns
 	// a set of addr.
@@ -82,6 +81,17 @@ public:
 	void AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback);
 	void AsyncLookupName(string name, LookupCallback* callback);
 
+	struct Stats {
+		unsigned long requests;	// These count only async requests.
+		unsigned long successful;
+		unsigned long failed;
+		unsigned long pending;
+		unsigned long cached_hosts;
+		unsigned long cached_addresses;
+	};
+
+	void GetStats(Stats* stats);
+
 protected:
 	friend class LookupCallback;
 	friend class DNS_Mgr_Request;
@@ -100,8 +110,9 @@ protected:
 	void LoadCache(FILE* f);
 	void Save(FILE* f, PDict(DNS_Mapping)& m);
 
-	// Selects on the fd to see if there is an answer available (timeout is
-	// secs). Returns 0 on timeout, -1 on EINTR, and 1 if answer is ready.
+	// Selects on the fd to see if there is an answer available (timeout
+	// is secs). Returns 0 on timeout, -1 on EINTR or other error, and 1
+	// if answer is ready.
 	int AnswerAvailable(int timeout);
 
 	// Issue as many queued async requests as slots are available.
@@ -112,6 +123,9 @@ protected:
 	void CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout);
 	void CheckAsyncHostRequest(const char* host, bool timeout);
 
+	// Process outstanding requests.
+	void DoProcess(bool flush);
+
 	// IOSource interface.
 	virtual void GetFds(int* read, int* write, int* except);
 	virtual double NextTimestamp(double* network_time);
@@ -203,6 +217,10 @@ protected:
 	TimeoutQueue asyncs_timeouts;
 
 	int asyncs_pending;
+
+	unsigned long num_requests;
+	unsigned long successful;
+	unsigned long failed;
 };
 
 extern DNS_Mgr* dns_mgr;
diff --git a/src/DNS_Rewriter.cc b/src/DNS_Rewriter.cc
deleted file mode 100644
index 15a7fc1570..0000000000
--- a/src/DNS_Rewriter.cc
+++ /dev/null
@@ -1,587 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-
-#include "NetVar.h"
-#include "DNS.h"
-#include "Val.h"
-#include "TCP.h"
-#include "Anon.h"
-#include "DNS_Rewriter.h"
-
-DNS_Rewriter::DNS_Rewriter(Analyzer* analyzer, int arg_MTU,
-				PacketDumper* dumper)
-: UDP_Rewriter(analyzer, arg_MTU, dumper)
-	{
-	pkt_size = 0;
-	current_pkt_id = 0;
-
-	pkt = new u_char[DNS_PKT_SIZE + DNS_HDR_SIZE];
-	}
-
-void DNS_Rewriter::DnsCopyHeader(Val* msg)
-	{
-	// New header - reset packet size.
-	pkt_size = 0;
-
-	// Move msg->AsRecordVal() to a RecordVal* to optimize.
-	const RecordVal* msg_rec = msg->AsRecordVal();
-	int id = msg_rec->Lookup(0)->AsCount();
-	int opcode = msg_rec->Lookup(1)->AsCount();
-	int rcode = msg_rec->Lookup(2)->AsCount();
-	int QR = msg_rec->Lookup(3)->AsBool();
-	int AA = msg_rec->Lookup(4)->AsBool();
-	int TC = msg_rec->Lookup(5)->AsBool();
-	int RD = msg_rec->Lookup(6)->AsBool();
-	int RA = msg_rec->Lookup(7)->AsBool();
-	int Z = msg_rec->Lookup(8)->AsCount();
-	int qdcount = msg_rec->Lookup(9)->AsCount();
-	int ancount = msg_rec->Lookup(10)->AsCount();
-	int nscount = msg_rec->Lookup(11)->AsCount();
-	int arcount = msg_rec->Lookup(12)->AsCount();
-
-	current_pkt_id = id;
-
-	// Set the DNS flags.
-	uint16 flags = (QR << 15) | (AA << 10) | (TC << 9) |
-			(RD << 8) | (RA << 7) | (Z << 4);
-
-	flags |= rcode | (opcode << 11);
-
-	(void) WriteShortVal(id);
-	(void) WriteShortVal(flags);
-	(void) WriteShortVal(qdcount);
-	(void) WriteShortVal(ancount);
-	(void) WriteShortVal(nscount);
-	(void) WriteShortVal(arcount);
-
-	// We've finished the header.
-	pkt_size = DNS_HDR_SIZE;
-
-	// Assign all the pointers for dn_comp().
-	dpp = dn_ptrs;
-	*dpp++ = pkt;
-	*dpp++ = 0;
-
-	last_dn_ptr = dn_ptrs + sizeof dn_ptrs / sizeof dn_ptrs[0];
-	}
-
-int DNS_Rewriter::DnsCopyQuery(Val* val)
-	{
-	const RecordVal* val_rec = val->AsRecordVal();
-
-	// int type = val_rec->Lookup(0)->AsCount();
-
-	const BroString* query = val_rec->Lookup(1)->AsString();
-	int atype = val_rec->Lookup(2)->AsCount();
-	int aclass = val_rec->Lookup(3)->AsCount();
-
-	return DnsCopyQuery(query, atype, aclass);
-	}
-
-// Copy the question part of the query into memory.
-// Return the number of bytes that the query string compressed to.
-int DNS_Rewriter::DnsCopyQuery(const BroString* query, uint32 qtype,
-				uint32 qclass)
-	{
-	int len = query->Len();
-	int psize = pkt_size;
-
-	// Encode the query string.
-	const char* dname = (char*) query->Bytes();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	// Can't encode in less than 2 bytes, or about to overwrite.
-	if ( len < 1 || pkt_size + len + 4 > DNS_PKT_SIZE )
-		{
-		warn("dn_comp couldn't encode name into packet");
-		return 0;
-		}
-
-	pkt_size += len;
-
-	// Set type.
-	if ( ! WriteShortVal(qtype) )
-		{
-		pkt_size = psize;
-		return 0;
-		}
-
-	// Set class.
-	if ( ! WriteShortVal(qclass) )
-		{
-		pkt_size = psize;
-		return 0;
-		}
-
-	return len;
-	}
-
-
-// PTR, NS and CNAME are all the same.
-void DNS_Rewriter::DnsCopyPTR(Val* ans, const BroString* name)
-	{
-	DnsCopyCNAME(ans, name);
-	}
-
-// Copy an NS RR into the packet.
-void DNS_Rewriter::DnsCopyNS( Val* ans, const BroString* name)
-	{
-	DnsCopyCNAME(ans, name);
-	}
-
-// Copy an A RR into the packet.
-void DNS_Rewriter::DnsCopyA(Val* ans, uint32 addr)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long the resource data is (A rec is always 4).
-	if ( ! WriteShortVal(4) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Stick in the address (already in network byte order).
-	if ( ! WriteVal(uint32(ntohl(addr))) )
-		{
-		pkt_size = psize;
-		return;
-		}
-	}
-
-// Copy an AAAA RR into the packet.
-void DNS_Rewriter::DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr)
-	{
-	int psize = pkt_size;
-
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long the resource data is (AAAA rec is always 16).
-	if ( ! WriteShortVal(16) )
-		{
-		pkt_size = psize;
-		return;
-		}
-#ifdef BROv6
-	if ( ! WriteVal(addr) )
-		{
-		pkt_size = psize;
-		return;
-		}
-#else
-	uint32 addr_copy[4];
-	char* addr_tmp = addrstr->Render(BroString::ESC_NONE);
-	inet_pton(AF_INET6, addr_tmp, addr_copy);
-
-	if ( ! WriteVal(addr_copy) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	delete addr_tmp;
-#endif
-
-	}
-
-// Copy a CNAME RR into the packet.
-void DNS_Rewriter::DnsCopyCNAME(Val* ans, const BroString* name)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Resource length (domain name length in packet).
-	// Have to skip till it's encoded, remember this spot.
-	u_char* resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	// Encode the domain name.
-	const char* dname = (char*) name->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	// Now we put in how long the name was to encode.
-	uint16 net_rdlen = htons(short(len));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-// Copy a CNAME RR into the packet.
-void DNS_Rewriter::DnsCopyTXT(Val* ans, const BroString* name)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteShortVal(name->Len()+1))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteVal(uint8(name->Len())))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteVal(name))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	}
-
-// Copy an MX RR into the packet.
-void DNS_Rewriter::DnsCopyMX(Val* ans, const BroString* name, uint32 preference)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len || pkt_size + len + 6 > DNS_PKT_SIZE )
-		{
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	// Resource length (domain name length in packet).
-	// Have to skip till it's, remember this spot.
-	u_char* resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	if ( ! WriteShortVal(preference))
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	// Encode the domain name.
-	const char* dname = (char*) name->CheckString();
-	len += dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	pkt_size += len;
-
-	// 2 bytes for the preference size above.
-	len += 2;
-
-	// Now we put in how long the name was to encode.
-	uint16 net_rdlen = htons(short(len));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-// Copy an SOA RR into the packet.
-void DNS_Rewriter::DnsCopySOA(Val* ans, Val* soa)
-	{
-	u_char* resource_len;
-	int resource_offset = 0;
-	int psize = pkt_size;
-
-	const RecordVal* soa_rec = soa->AsRecordVal();
-
-	const BroString* mname = soa_rec->Lookup(0)->AsString();
-	const BroString* rname = soa_rec->Lookup(1)->AsString();
-	uint32 serial = soa_rec->Lookup(2)->AsCount();
-	double refresh = soa_rec->Lookup(3)->AsInterval();
-	double retry = soa_rec->Lookup(4)->AsInterval();
-	double expire = soa_rec->Lookup(5)->AsInterval();
-	double minimum = soa_rec->Lookup(6)->AsInterval();
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len || len + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Resource length: have to skip till it's encoded.
-	// Remember this spot and offset.
-	resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	// Start counting from here (after rdlength).
-	resource_offset = pkt_size;
-
-	// Encode the domain name.
-	const char* dname = (char*) mname->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	// Encode the domain name.
-	dname = (char*) rname->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	if ( ! WriteVal(serial) || ! WriteDoubleAsInt(refresh) ||
-	     ! WriteDoubleAsInt(retry) || ! WriteDoubleAsInt(expire) ||
-	     ! WriteDoubleAsInt(minimum) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long this packet was.
-	uint16 net_rdlen = htons(short(pkt_size - resource_offset));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-void DNS_Rewriter::DnsCopyEDNSaddl(Val* ans)
-	{
-	const RecordVal* ans_rec = ans->AsRecordVal();
-
-	int ans_type = ans_rec->Lookup(0)->AsCount();
-	// BroString* query_name = ans_rec->Lookup(1)->AsString();
-	int atype = ans_rec->Lookup(2)->AsCount();
-	int aclass = ans_rec->Lookup(3)->AsCount();
-	int return_error = ans_rec->Lookup(4)->AsCount();
-	int version = ans_rec->Lookup(5)->AsCount();
-	int z = ans_rec->Lookup(6)->AsCount();
-	double ttl = ans_rec->Lookup(7)->AsInterval();
-	int is_query = ans_rec->Lookup(8)->AsCount();
-
-	int rcode = return_error;
-	int ecode = 0;
-
-	int psize = pkt_size;
-
-	if ( return_error > 0xff )
-		{
-		rcode &= 0xff;
-		ecode = return_error >> 8;
-		}
-
-	// Stick the version onto the ecode.
-	ecode = (ecode << 8) | version;
-
-	// Write fixed part of OPT RR
-	// Name '0'.
-	memset(pkt + pkt_size, 0, 1);
-	++pkt_size;
-
-	// Type (either 29 or 41).
-	if ( ! WriteShortVal(atype) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// UDP playload size
-	if ( ! WriteShortVal(aclass) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Extended rcode + version.
-	if ( ! WriteShortVal(ecode) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Z field.
-	if ( ! WriteShortVal(z) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Data length (XXX:for now its zero!).
-	if ( ! WriteShortVal(0) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Don't write data (XXX:we don't have it!).
-	}
-
-// Does this packet match the current packet being worked on?
-int DNS_Rewriter::DnsPktMatch(Val* msg)
-	{
-	return msg->AsRecordVal()->Lookup(0)->AsInt() == current_pkt_id;
-	}
-
-// Supports copying of TXT values.
-int DNS_Rewriter::WriteVal(const BroString* val)
-	{
-	int n = val->Len();
-
-        if ( pkt_size + n > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-        char* new_val = val->Render(BroString::ESC_NONE);
-        memcpy(pkt + pkt_size, new_val, n);
-        pkt_size += n;
-
-        delete[] new_val;
-
-        return n;
-	}
-
-int DNS_Rewriter::WriteVal(const uint32* val)
-	{
-	if ( pkt_size + 16 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	memcpy(pkt + pkt_size, &val[0], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[1], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[2], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[3], sizeof(uint32)); pkt_size += 4;
-
-	return sizeof(uint32) * 4;
-	}
-
-// Write a 32 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint32 val)
-	{
-	if ( pkt_size + 4 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	uint32 net_val = htonl(val);
-	memcpy(pkt + pkt_size, &net_val, sizeof(uint32));
-	pkt_size += 4;
-
-	return sizeof(uint32);
-	}
-
-// Write a 16 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint16 val)
-	{
-	if ( pkt_size + 2 > DNS_PKT_SIZE )
-		{
-		warn("WriteShortVal: couldn't write data into packet");
-		return 0;
-		}
-
-	uint16 net_val = htons(val);
-	memcpy(pkt + pkt_size, &net_val, sizeof(uint16));
-	pkt_size += 2;
-
-	return sizeof(uint16);
-	}
-
-// Write a 8 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint8 val)
-	{
-	if ( pkt_size + 1 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	memcpy(pkt + pkt_size, &val, sizeof(uint8));
-	pkt_size += sizeof(uint8);
-
-	return sizeof(uint8);
-	}
diff --git a/src/DNS_Rewriter.h b/src/DNS_Rewriter.h
deleted file mode 100644
index 1a106b6f55..0000000000
--- a/src/DNS_Rewriter.h
+++ /dev/null
@@ -1,70 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef dns_rewriter_h
-#define dns_rewriter_h
-
-#include "UDP.h"
-#include "UDP_Rewriter.h"
-#include "Rewriter.h"
-
-#define DNS_HDR_SIZE 12
-
-// DNS packets size. 512 is the *normal* size, but some packets are bigger
-// than this, and the anonymization process can expand packets, so we
-// pad this way out.
-#define DNS_PKT_SIZE (512*4)
-
-class DNS_Rewriter: public UDP_Rewriter {
-public:
-	DNS_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
-	virtual ~DNS_Rewriter()	{ delete pkt;}
-
-	void DnsCopyHeader(Val* val);
-
-	int DnsCopyQuery(const BroString* query, uint32 qtype, uint32 qclass);
-	int DnsCopyQuery(Val* val);
-
-	void DnsCopyNS(Val* ans, const BroString* name);
-	void DnsCopyPTR(Val* ans, const BroString* name);
-	void DnsCopyCNAME(Val* ans, const BroString* name);
-	void DnsCopyTXT(Val* ans, const BroString* name);
-	void DnsCopyA(Val* ans, uint32 addr);
-
-	// AAAA is weird, because the address is an IPv4 type.
-	// If we don't have IPv6, and if it's IPv6, it's a pointer
-	// to valid data.
-	void DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr);
-
-	void DnsCopyMX(Val* ans, const BroString* name, uint32 preference);
-	void DnsCopySOA(Val* ans, Val* soa);
-	void DnsCopyEDNSaddl(Val* ans);
-
-	int DnsPktMatch(Val* val);
-	const u_char* Packet() const	{ return pkt; }
-	int PacketSize() const	{ return pkt_size; }
-	void SetOrig( int orig )	{ is_orig = orig; }
-	int IsOrig()			{ return is_orig; }
-
-	int WriteDoubleAsInt(double d)	{ return WriteVal(uint32(d)); }
-	int WriteShortVal(uint16 val)	{ return WriteVal(uint16(val)); }
-	int WriteVal(uint32 val);
-	int WriteVal(uint16 val);
-	int WriteVal(uint8 val);
-	int WriteVal(const uint32* val);
-	int WriteVal(const BroString* val);
-
-private:
-	u_char* pkt;		// the DNS packet
-	int pkt_size;		// size of the packet
-	int current_pkt_id;	// current ID (sanity checking)
-
-	int is_orig;
-
-	u_char* dn_ptrs[30];	// pointer to names in DNS packet
-	u_char** dpp;		// points to current position in DNS packet
-	u_char** last_dn_ptr;	// points to last entry in dn_ptrs
-};
-
-#endif
diff --git a/src/DPM.cc b/src/DPM.cc
index b9afb15196..32b598232b 100644
--- a/src/DPM.cc
+++ b/src/DPM.cc
@@ -1,5 +1,3 @@
-// $Id: DPM.cc,v 1.1.4.14 2006/06/01 17:18:10 sommer Exp $
-
 #include "DPM.h"
 #include "PIA.h"
 #include "Hash.h"
@@ -10,6 +8,7 @@
 #include "BackDoor.h"
 #include "InterConn.h"
 #include "SteppingStone.h"
+#include "ConnSizeAnalyzer.h"
 
 
 ExpectedConn::ExpectedConn(const uint32* _orig, const uint32* _resp,
@@ -189,6 +188,8 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 					const u_char* data)
 	{
 	TCP_Analyzer* tcp = 0;
+	UDP_Analyzer* udp = 0;
+	ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
 	AnalyzerTag::Tag expected = AnalyzerTag::Error;
 	analyzer_map* ports = 0;
@@ -206,7 +207,7 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		break;
 
 	case TRANSPORT_UDP:
-		root = new UDP_Analyzer(conn);
+		root = udp = new UDP_Analyzer(conn);
 		pia = new PIA_UDP(conn);
 		expected = GetExpected(proto, conn);
 		ports = &udp_ports;
@@ -214,14 +215,14 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		break;
 
 	case TRANSPORT_ICMP: {
-		root = new ICMP_Analyzer(conn);
+		root = icmp = new ICMP_Analyzer(conn);
 		DBG_DPD(conn, "activated ICMP analyzer");
 		analyzed = true;
 		break;
 		}
 
 	default:
-		internal_error("unknown protocol");
+		reporter->InternalError("unknown protocol");
 	}
 
 	if ( ! root )
@@ -333,6 +334,16 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		// we cannot add it as a normal child.
 		if ( TCPStats_Analyzer::Available() )
 			tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
+
+		// Add ConnSize analyzer. Needs to see packets, not stream.
+		if ( ConnSize_Analyzer::Available() )
+			tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn));
+		}
+
+	else
+		{
+		if ( ConnSize_Analyzer::Available() )
+			root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false);
 		}
 
 	if ( pia )
@@ -351,7 +362,7 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 	if ( expected != AnalyzerTag::Error  )
 		conn->Event(expected_connection_seen, 0,
 				new Val(expected, TYPE_COUNT));
-	
+
 	return true;
 	}
 
diff --git a/src/DPM.h b/src/DPM.h
index 056f6b25cc..4bacbfbeea 100644
--- a/src/DPM.h
+++ b/src/DPM.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // The central management unit for dynamic analyzer selection.
 
 #ifndef DPM_H
diff --git a/src/DbgBreakpoint.cc b/src/DbgBreakpoint.cc
index a71a6fc186..11847fc4dc 100644
--- a/src/DbgBreakpoint.cc
+++ b/src/DbgBreakpoint.cc
@@ -1,5 +1,3 @@
-// $Id: DbgBreakpoint.cc 1345 2005-09-08 07:42:11Z vern $
-
 // Implementation of breakpoints.
 
 #include "config.h"
@@ -204,7 +202,10 @@ bool DbgBreakpoint::Reset()
 		break;
 	}
 
-	internal_error("DbgBreakpoint::Reset function incomplete.");
+	reporter->InternalError("DbgBreakpoint::Reset function incomplete.");
+
+	// Cannot be reached.
+	return false;
 	}
 
 bool DbgBreakpoint::SetCondition(const string& new_condition)
@@ -292,7 +293,7 @@ BreakCode DbgBreakpoint::ShouldBreak(Stmt* s)
 		assert(false);
 
 	default:
-		internal_error("Invalid breakpoint type in DbgBreakpoint::ShouldBreak");
+		reporter->InternalError("Invalid breakpoint type in DbgBreakpoint::ShouldBreak");
 	}
 
 	// If we got here, that means that the breakpoint could hit,
@@ -309,7 +310,7 @@ BreakCode DbgBreakpoint::ShouldBreak(Stmt* s)
 BreakCode DbgBreakpoint::ShouldBreak(double t)
 	{
 	if ( kind != BP_TIME )
-		internal_error("Calling ShouldBreak(time) on a non-time breakpoint");
+		reporter->InternalError("Calling ShouldBreak(time) on a non-time breakpoint");
 
 	if ( t < at_time )
 		return bcNoHit;
@@ -350,6 +351,6 @@ void DbgBreakpoint::PrintHitMsg()
 		assert(false);
 
 	default:
-		internal_error("Missed a case in DbgBreakpoint::PrintHitMsg\n");
+		reporter->InternalError("Missed a case in DbgBreakpoint::PrintHitMsg\n");
 	}
 	}
diff --git a/src/DbgBreakpoint.h b/src/DbgBreakpoint.h
index 505d1389a4..5fadfe0474 100644
--- a/src/DbgBreakpoint.h
+++ b/src/DbgBreakpoint.h
@@ -1,5 +1,3 @@
-// $Id: DbgBreakpoint.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing breakpoints in the Bro debugger.
 
 #ifndef DbgBreakpoint_h
diff --git a/src/DbgDisplay.h b/src/DbgDisplay.h
index 033dac79e9..1c83d84ec4 100644
--- a/src/DbgDisplay.h
+++ b/src/DbgDisplay.h
@@ -1,5 +1,3 @@
-// $Id: DbgDisplay.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing watches in the Bro debugger.
 
 #ifndef dbg_display_h
diff --git a/src/DbgWatch.cc b/src/DbgWatch.cc
index 75f9b9c4af..74ac26cb73 100644
--- a/src/DbgWatch.cc
+++ b/src/DbgWatch.cc
@@ -4,16 +4,17 @@
 
 #include "Debug.h"
 #include "DbgWatch.h"
+#include "Reporter.h"
 
 // Support classes
 DbgWatch::DbgWatch(BroObj* var_to_watch)
 	{
-	internal_error("DbgWatch unimplemented");
+	reporter->InternalError("DbgWatch unimplemented");
 	}
 
 DbgWatch::DbgWatch(Expr* expr_to_watch)
 	{
-	internal_error("DbgWatch unimplemented");
+	reporter->InternalError("DbgWatch unimplemented");
 	}
 
 DbgWatch::~DbgWatch()
diff --git a/src/DbgWatch.h b/src/DbgWatch.h
index ed85e88748..e3359f53ad 100644
--- a/src/DbgWatch.h
+++ b/src/DbgWatch.h
@@ -1,5 +1,3 @@
-// $Id: DbgWatch.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing watches in the Bro debugger.
 
 #ifndef dbgwatch_h
diff --git a/src/Debug.cc b/src/Debug.cc
index da67c941e4..1b849fff7e 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -54,7 +54,7 @@ DebuggerState::~DebuggerState()
 bool StmtLocMapping::StartsAfter(const StmtLocMapping* m2)
 	{
 	if ( ! m2  )
-		internal_error("Assertion failed: %s", "m2 != 0");
+		reporter->InternalError("Assertion failed: m2 != 0");
 
 	return loc.first_line > m2->loc.first_line ||
 		(loc.first_line == m2->loc.first_line &&
@@ -343,7 +343,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
 				plr.type = plrUnknown;
 
 			FILE* throwaway = search_for_file(filename.c_str(), "bro",
-								&full_filename);
+								&full_filename, true, 0);
 			if ( ! throwaway )
 				{
 				debug_msg("No such policy file: %s.\n", filename.c_str());
@@ -362,7 +362,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
 		{
 		Filemap* map = g_dbgfilemaps.Lookup(loc_filename);
 		if ( ! map )
-			internal_error("Policy file %s should have been loaded\n",
+			reporter->InternalError("Policy file %s should have been loaded\n",
 					loc_filename);
 
 		if ( plr.line > how_many_lines_in(loc_filename) )
@@ -603,7 +603,7 @@ int dbg_execute_command(const char* cmd)
 #endif
 
 	if ( int(cmd_code) >= num_debug_cmds() )
-		internal_error("Assertion failed: %s", "int(cmd_code) < num_debug_cmds()");
+		reporter->InternalError("Assertion failed: int(cmd_code) < num_debug_cmds()");
 
 	// Dispatch to the op-specific handler (with args).
 	int retcode = dbg_dispatch_cmd(cmd_code, arguments);
@@ -612,7 +612,7 @@ int dbg_execute_command(const char* cmd)
 
 	const DebugCmdInfo* info = get_debug_cmd_info(cmd_code);
 	if ( ! info  )
-		internal_error("Assertion failed: %s", "info");
+		reporter->InternalError("Assertion failed: info");
 
 	if ( ! info )
 		return -2;	// ### yuck, why -2?
@@ -766,7 +766,7 @@ int dbg_handle_debug_input()
 
 	const Stmt* stmt = curr_frame->GetNextStmt();
 	if ( ! stmt )
-		internal_error("Assertion failed: %s", "stmt != 0");
+		reporter->InternalError("Assertion failed: stmt != 0");
 
 	const Location loc = *stmt->GetLocationInfo();
 
@@ -797,7 +797,7 @@ int dbg_handle_debug_input()
 		input_line = (char*) safe_malloc(1024);
 		input_line[1023] = 0;
 		// ### Maybe it's not always stdin.
-		fgets(input_line, 1023, stdin);
+		input_line = fgets(input_line, 1023, stdin);
 #endif
 
 		// ### Maybe not stdin; maybe do better cleanup.
@@ -872,7 +872,7 @@ bool pre_execute_stmt(Stmt* stmt, Frame* f)
 		p = g_debugger_state.breakpoint_map.equal_range(stmt);
 
 		if ( p.first == p.second )
-			internal_error("Breakpoint count nonzero, but no matching breakpoints");
+			reporter->InternalError("Breakpoint count nonzero, but no matching breakpoints");
 
 		for ( BPMapType::iterator i = p.first; i != p.second; ++i )
 			{
@@ -943,11 +943,11 @@ Val* dbg_eval_expr(const char* expr)
 		(g_frame_stack.size() - 1) - g_debugger_state.curr_frame_idx;
 
 	if ( ! (frame_idx >= 0 && (unsigned) frame_idx < g_frame_stack.size())  )
-		internal_error("Assertion failed: %s", "frame_idx >= 0 && (unsigned) frame_idx < g_frame_stack.size()");
+		reporter->InternalError("Assertion failed: frame_idx >= 0 && (unsigned) frame_idx < g_frame_stack.size()");
 
 	Frame* frame = g_frame_stack[frame_idx];
 	if ( ! (frame)  )
-		internal_error("Assertion failed: %s", "frame");
+		reporter->InternalError("Assertion failed: frame");
 
 	const BroFunc* func = frame->GetFunction();
 	if ( func )
diff --git a/src/Debug.h b/src/Debug.h
index ad82337b12..a83e05c224 100644
--- a/src/Debug.h
+++ b/src/Debug.h
@@ -1,5 +1,3 @@
-// $Id: Debug.h 80 2004-07-14 20:15:50Z jason $
-
 // Debugging support for Bro policy files.
 
 #ifndef debug_h
diff --git a/src/DebugCmds.cc b/src/DebugCmds.cc
index a26e6a9567..1d3b9dd220 100644
--- a/src/DebugCmds.cc
+++ b/src/DebugCmds.cc
@@ -194,7 +194,7 @@ static int dbg_backtrace_internal(int start, int end)
 	if ( start < 0 || end < 0 ||
 	     (unsigned) start >= g_frame_stack.size() ||
 	     (unsigned) end >= g_frame_stack.size() )
-		internal_error("Invalid stack frame index in DbgBacktraceInternal\n");
+		reporter->InternalError("Invalid stack frame index in DbgBacktraceInternal\n");
 
 	if ( start < end )
 		{
@@ -325,7 +325,7 @@ int dbg_cmd_frame(DebugCmd cmd, const vector<string>& args)
 	// for 'list', 'break', etc.
 	const Stmt* stmt = g_frame_stack[user_frame_number]->GetNextStmt();
 	if ( ! stmt )
-		internal_error("Assertion failed: %s", "stmt != 0");
+		reporter->InternalError("Assertion failed: %s", "stmt != 0");
 
 	const Location loc = *stmt->GetLocationInfo();
 	g_debugger_state.last_loc = loc;
@@ -365,7 +365,7 @@ int dbg_cmd_break(DebugCmd cmd, const vector<string>& args)
 
 		Stmt* stmt = g_frame_stack[user_frame_number]->GetNextStmt();
 		if ( ! stmt )
-			internal_error("Assertion failed: %s", "stmt != 0");
+			reporter->InternalError("Assertion failed: %s", "stmt != 0");
 
 		DbgBreakpoint* bp = new DbgBreakpoint();
 		bp->SetID(g_debugger_state.NextBPID());
@@ -530,7 +530,7 @@ int dbg_cmd_break_set_state(DebugCmd cmd, const vector<string>& args)
 				break;
 
 			default:
-				internal_error("Invalid command in DbgCmdBreakSetState\n");
+				reporter->InternalError("Invalid command in DbgCmdBreakSetState\n");
 			}
 			}
 
diff --git a/src/DebugCmds.h b/src/DebugCmds.h
index a14990b918..e7b9c6a4c1 100644
--- a/src/DebugCmds.h
+++ b/src/DebugCmds.h
@@ -1,5 +1,3 @@
-// $Id: DebugCmds.h 80 2004-07-14 20:15:50Z jason $
-//
 // Support routines to help deal with Bro debugging commands and
 // implementation of most commands.
 
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 9ab0bde380..d60fdd70c8 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -1,5 +1,3 @@
-// $Id: DebugLogger.cc 4771 2007-08-11 05:50:24Z vern $
-
 #ifdef DEBUG
 
 #include <stdlib.h>
@@ -17,6 +15,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{ "compressor", 0, false }, {"string", 0, false },
 	{ "notifiers", 0, false },  { "main-loop", 0, false },
 	{ "dpd", 0, false }, { "tm", 0, false },
+	{ "logging", 0, false }
 };
 
 DebugLogger::DebugLogger(const char* filename)
@@ -24,12 +23,18 @@ DebugLogger::DebugLogger(const char* filename)
 	if ( filename )
 		{
 		filename = log_file_name(filename);
-		
+
 		file = fopen(filename, "w");
 		if ( ! file )
 			{
-			fprintf(stderr, "Can't open '%s' for debugging output.", filename);
-			exit(1);
+			// The reporter may not be initialized here yet.
+			if ( reporter )
+				reporter->FatalError("can't open '%s' for debugging output", filename);
+			else
+				{
+				fprintf(stderr, "can't open '%s' for debugging output\n", filename);
+				exit(1);
+				}
 			}
 
 		setvbuf(file, NULL, _IOLBF, 0);
@@ -67,7 +72,7 @@ void DebugLogger::EnableStreams(const char* s)
 			if ( strcasecmp("verbose", tok) == 0 )
 				verbose = true;
 			else
-				internal_error("unknown debug stream %s\n", tok);
+				reporter->FatalError("unknown debug stream %s\n", tok);
 			}
 
 		tok = strtok(0, ",");
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 3d8c1ac83f..a2dece5b3c 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -1,5 +1,3 @@
-// $Id: DebugLogger.h 4771 2007-08-11 05:50:24Z vern $
-//
 // A logger for (selective) debugging output. Only compiled in if DEBUG is
 // defined.
 
@@ -20,11 +18,12 @@ enum DebugStream {
 	DBG_STATE,	// StateAccess logging
 	DBG_CHUNKEDIO,	// ChunkedIO logging
 	DBG_COMPRESSOR,	// Connection compressor
-	DBG_STRING,     // String code
-	DBG_NOTIFIERS,   // Notifiers (see StateAccess.h)
+	DBG_STRING,	// String code
+	DBG_NOTIFIERS,	// Notifiers (see StateAccess.h)
 	DBG_MAINLOOP,	// Main IOSource loop
 	DBG_DPD,	// Dynamic application detection framework
-	DBG_TM,	// Time-machine packet input via Brocolli
+	DBG_TM,		// Time-machine packet input via Brocolli
+	DBG_LOGGING,	// Logging streams
 
 	NUM_DBGS // Has to be last
 };
diff --git a/src/Desc.cc b/src/Desc.cc
index baf3ad1160..12b4a524eb 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -1,5 +1,3 @@
-// $Id: Desc.cc 6245 2008-10-07 00:56:59Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -9,6 +7,7 @@
 
 #include "Desc.h"
 #include "File.h"
+#include "Reporter.h"
 
 #define DEFAULT_SIZE 128
 #define SLOP 10
@@ -41,6 +40,8 @@ ODesc::ODesc(desc_type t, BroFile* arg_f)
 	want_quotes = 0;
 	do_flush = 1;
 	include_stats = 0;
+	indent_with_spaces = 0;
+	escape = false;
 	}
 
 ODesc::~ODesc()
@@ -54,6 +55,11 @@ ODesc::~ODesc()
 		free(base);
 	}
 
+void ODesc::EnableEscaping()
+	{
+	escape = true;
+	}
+
 void ODesc::PushIndent()
 	{
 	++indent_level;
@@ -63,10 +69,16 @@ void ODesc::PushIndent()
 void ODesc::PopIndent()
 	{
 	if ( --indent_level < 0 )
-		internal_error("ODesc::PopIndent underflow");
+		reporter->InternalError("ODesc::PopIndent underflow");
 	NL();
 	}
 
+void ODesc::PopIndentNoNL()
+	{
+	if ( --indent_level < 0 )
+		reporter->InternalError("ODesc::PopIndent underflow");
+	}
+
 void ODesc::Add(const char* s, int do_indent)
 	{
 	unsigned int n = strlen(s);
@@ -88,7 +100,7 @@ void ODesc::Add(int i)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%d", i);
+		modp_litoa10(i, tmp);
 		Add(tmp);
 		}
 	}
@@ -100,7 +112,7 @@ void ODesc::Add(uint32 u)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%u", u);
+		modp_ulitoa10(u, tmp);
 		Add(tmp);
 		}
 	}
@@ -112,7 +124,7 @@ void ODesc::Add(int64 i)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%lld", i);
+		modp_litoa10(i, tmp);
 		Add(tmp);
 		}
 	}
@@ -124,7 +136,7 @@ void ODesc::Add(uint64 u)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%llu", u);
+		modp_ulitoa10(u, tmp);
 		Add(tmp);
 		}
 	}
@@ -136,7 +148,7 @@ void ODesc::Add(double d)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, IsReadable() ? "%.15g" : "%.17g", d);
+		modp_dtoa2(d, tmp, IsReadable() ? 6 : 8);
 		Add(tmp);
 
 		if ( d == double(int(d)) )
@@ -158,15 +170,20 @@ void ODesc::AddBytes(const BroString* s)
 	{
 	if ( IsReadable() )
 		{
-		int render_style = BroString::EXPANDED_STRING;
-		if ( Style() == ALTERNATIVE_STYLE )
-			// Only change NULs, since we can't in any case
-			// cope with them.
-			render_style = BroString::ESC_NULL;
+		if ( Style() == RAW_STYLE )
+			AddBytes(reinterpret_cast<const char*>(s->Bytes()), s->Len());
+		else
+			{
+			int render_style = BroString::EXPANDED_STRING;
+			if ( Style() == ALTERNATIVE_STYLE )
+				// Only change NULs, since we can't in any case
+				// cope with them.
+				render_style = BroString::ESC_NULL;
 
-		const char* str = s->Render(render_style);
-		Add(str);
-		delete [] str;
+			const char* str = s->Render(render_style);
+			Add(str);
+			delete [] str;
+			}
 		}
 	else
 		{
@@ -179,12 +196,95 @@ void ODesc::AddBytes(const BroString* s)
 
 void ODesc::Indent()
 	{
-	for ( int i = 0; i < indent_level; ++i )
-		Add("\t", 0);
+	if ( indent_with_spaces > 0 )
+		{
+		for ( int i = 0; i < indent_level; ++i )
+			for ( int j = 0; j < indent_with_spaces; ++j )
+				Add(" ", 0);
+		}
+	else
+		{
+		for ( int i = 0; i < indent_level; ++i )
+			Add("\t", 0);
+		}
 	}
 
+static const char hex_chars[] = "0123456789abcdef";
+
+static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned int n)
+	{
+	if ( d->IsBinary() )
+		return 0;
+
+	while ( n-- )
+		{
+		if ( ! isprint(*bytes) )
+			return bytes;
+		++bytes;
+		}
+
+	return 0;
+	}
+
+pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
+	{
+	pair<const char*, size_t> p(find_first_unprintable(this, bytes, n), 1);
+
+	string str(bytes, n);
+	list<string>::const_iterator it;
+	for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
+		{
+		size_t pos = str.find(*it);
+		if ( pos != string::npos && (p.first == 0 || bytes + pos < p.first) )
+			{
+			p.first = bytes + pos;
+			p.second = it->size();
+			}
+		}
+
+	return p;
+	}
 
 void ODesc::AddBytes(const void* bytes, unsigned int n)
+	{
+	if ( ! escape )
+	    {
+	    AddBytesRaw(bytes, n);
+	    return;
+	    }
+
+	const char* s = (const char*) bytes;
+	const char* e = (const char*) bytes + n;
+
+	while ( s < e )
+		{
+		pair<const char*, size_t> p = FirstEscapeLoc(s, e - s);
+		if ( p.first )
+			{
+			AddBytesRaw(s, p.first - s);
+			if ( p.second == 1 )
+				{
+				char hex[6] = "\\x00";
+				hex[2] = hex_chars[((*p.first) & 0xf0) >> 4];
+				hex[3] = hex_chars[(*p.first) & 0x0f];
+				AddBytesRaw(hex, 4);
+				}
+			else
+				{
+				string esc_str = get_escaped_string(string(p.first, p.second), true);
+				AddBytesRaw(esc_str.c_str(), esc_str.size());
+				}
+			s = p.first + p.second;
+			}
+		else
+			{
+			AddBytesRaw(s, e - s);
+			break;
+			}
+		}
+	}
+
+void ODesc::AddBytesRaw(const void* bytes, unsigned int n)
 	{
 	if ( n == 0 )
 		return;
@@ -198,7 +298,7 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
 			if ( ! write_failed )
 				// Most likely it's a "disk full" so report
 				// subsequent failures only once.
-				run_time(fmt("error writing to %s: %s", f->Name(), strerror(errno)));
+				reporter->Error("error writing to %s: %s", f->Name(), strerror(errno));
 
 			write_failed = true;
 			return;
@@ -234,5 +334,20 @@ void ODesc::Grow(unsigned int n)
 
 void ODesc::OutOfMemory()
 	{
-	internal_error("out of memory");
+	reporter->InternalError("out of memory");
 	}
+
+void ODesc::Clear()
+	{
+	offset = 0;
+
+	// If we've allocated an exceedingly large amount of space, free it.
+	if ( size > 10 * 1024 * 1024 )
+		{
+		free(base);
+		size = DEFAULT_SIZE;
+		base = safe_malloc(size);
+		((char*) base)[0] = '\0';
+		}
+	}
+
diff --git a/src/Desc.h b/src/Desc.h
index 49b331d51b..27cbd4fa01 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -1,11 +1,11 @@
-// $Id: Desc.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef descriptor_h
 #define descriptor_h
 
 #include <stdio.h>
+#include <list>
+#include <utility>
 #include "BroString.h"
 
 typedef enum {
@@ -17,6 +17,7 @@ typedef enum {
 typedef enum {
 	STANDARD_STYLE,
 	ALTERNATIVE_STYLE,
+	RAW_STYLE,
 } desc_style;
 
 class BroFile;
@@ -49,10 +50,22 @@ public:
 
 	void SetFlush(int arg_do_flush)	{ do_flush = arg_do_flush; }
 
+	void EnableEscaping();
+	void AddEscapeSequence(const char* s) { escape_sequences.push_back(s); }
+	void AddEscapeSequence(const char* s, size_t n)
+	    { escape_sequences.push_back(string(s, n)); }
+	void RemoveEscapeSequence(const char* s) { escape_sequences.remove(s); }
+	void RemoveEscapeSequence(const char* s, size_t n)
+	    { escape_sequences.remove(string(s, n)); }
+
 	void PushIndent();
 	void PopIndent();
+	void PopIndentNoNL();
 	int GetIndentLevel() const	{ return indent_level; }
 
+	int IndentSpaces() const	{ return indent_with_spaces; }
+	void SetIndentSpaces(int i)	{ indent_with_spaces = i; }
+
 	void Add(const char* s, int do_indent=1);
 	void AddN(const char* s, int len)	{ AddBytes(s, len); }
 	void Add(int i);
@@ -93,6 +106,9 @@ public:
 				Add("\n", 0);
 			}
 
+	// Bypasses the escaping enabled via SetEscape().
+	void AddRaw(const char* s, int len)	{ AddBytesRaw(s, len); }
+
 	// Returns the description as a string.
 	const char* Description() const		{ return (const char*) base; }
 
@@ -111,16 +127,32 @@ public:
 
 	int Len() const		{ return offset; }
 
+	void Clear();
+
 protected:
 	void Indent();
 
 	void AddBytes(const void* bytes, unsigned int n);
+	void AddBytesRaw(const void* bytes, unsigned int n);
 
 	// Make buffer big enough for n bytes beyond bufp.
 	void Grow(unsigned int n);
 
 	void OutOfMemory();
 
+	/**
+	 * Returns the location of the first place in the bytes to be hex-escaped.
+	 *
+	 * @param bytes the starting memory address to start searching for
+	 *        escapable character.
+	 * @param n the maximum number of bytes to search.
+	 * @return a pair whose first element represents a starting memory address
+	 *         to be escaped up to the number of characters indicated by the
+	 *         second element.  The first element may be 0 if nothing is
+	 *         to be escaped.
+	 */
+	pair<const char*, size_t> FirstEscapeLoc(const char* bytes, size_t n);
+
 	desc_type type;
 	desc_style style;
 
@@ -128,6 +160,9 @@ protected:
 	unsigned int offset;	// where we are in the buffer
 	unsigned int size;	// size of buffer in bytes
 
+	bool escape;	// escape unprintable characters in output?
+	list<string> escape_sequences; // additional sequences of chars to escape
+
 	BroFile* f;	// or the file we're using.
 
 	int indent_level;
@@ -135,6 +170,7 @@ protected:
 	int want_quotes;
 	int do_flush;
 	int include_stats;
+	int indent_with_spaces;
 };
 
 #endif
diff --git a/src/Dict.cc b/src/Dict.cc
index 642ceabbb4..c71cf4c417 100644
--- a/src/Dict.cc
+++ b/src/Dict.cc
@@ -1,5 +1,3 @@
-// $Id: Dict.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -9,6 +7,7 @@
 #endif
 
 #include "Dict.h"
+#include "Reporter.h"
 
 // If the mean bucket length exceeds the following then Insert() will
 // increase the size of the hash table.
@@ -68,6 +67,19 @@ Dictionary::Dictionary(dict_order ordering, int initial_size)
 	}
 
 Dictionary::~Dictionary()
+	{
+	DeInit();
+	delete order;
+	}
+
+void Dictionary::Clear()
+	{
+	DeInit();
+	Init(2);
+	tbl2 = 0;
+	}
+
+void Dictionary::DeInit()
 	{
 	for ( int i = 0; i < num_buckets; ++i )
 		if ( tbl[i] )
@@ -85,7 +97,6 @@ Dictionary::~Dictionary()
 			}
 
 	delete [] tbl;
-	delete order;
 
 	if ( tbl2 == 0 )
 		return;
@@ -104,7 +115,9 @@ Dictionary::~Dictionary()
 
 			delete chain;
 			}
+
 	delete [] tbl2;
+	tbl2 = 0;
 	}
 
 void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const
@@ -474,7 +487,7 @@ void Dictionary::StartChangeSize(int new_size)
 		return;
 
 	if ( tbl2 )
-		internal_error("Dictionary::StartChangeSize() tbl2 not NULL");
+		reporter->InternalError("Dictionary::StartChangeSize() tbl2 not NULL");
 
 	Init2(new_size);
 
@@ -521,7 +534,7 @@ void Dictionary::FinishChangeSize()
 	{
 	// Cheap safety check.
 	if ( num_entries != 0 )
-		internal_error(
+		reporter->InternalError(
 		    "Dictionary::FinishChangeSize: num_entries is %d\n",
 		    num_entries);
 
diff --git a/src/Dict.h b/src/Dict.h
index 75ac82c827..3a2239ef54 100644
--- a/src/Dict.h
+++ b/src/Dict.h
@@ -1,5 +1,3 @@
-// $Id: Dict.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef dict_h
@@ -120,11 +118,15 @@ public:
 	void MakeRobustCookie(IterCookie* cookie)
 		{ cookies.append(cookie); }
 
+	// Remove all entries.
+	void Clear();
+
 	unsigned int MemoryAllocation() const;
 
 private:
 	void Init(int size);
 	void Init2(int size);	// initialize second table for resizing
+	void DeInit();
 
 	// Internal version of Insert().
 	void* Insert(DictEntry* entry, int copy_key);
diff --git a/src/Discard.cc b/src/Discard.cc
index e0dd8deed0..a71b810601 100644
--- a/src/Discard.cc
+++ b/src/Discard.cc
@@ -1,7 +1,7 @@
-// $Id: Discard.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "Net.h"
@@ -42,7 +42,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 		{
 		val_list* args = new val_list;
 		args->append(BuildHeader(ip4));
-		discard_packet = check_ip->Call(args)->AsBool();
+
+		try
+			{
+			discard_packet = check_ip->Call(args)->AsBool();
+			}
+
+		catch ( InterpreterException& e )
+			{
+			discard_packet = false;
+			}
+
 		delete args;
 
 		if ( discard_packet )
@@ -90,7 +100,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			args->append(BuildHeader(ip4));
 			args->append(BuildHeader(tp, len));
 			args->append(BuildData(data, th_len, len, caplen));
-			discard_packet = check_tcp->Call(args)->AsBool();
+
+			try
+				{
+				discard_packet = check_tcp->Call(args)->AsBool();
+				}
+
+			catch ( InterpreterException& e )
+				{
+				discard_packet = false;
+				}
+
 			delete args;
 			}
 		}
@@ -106,7 +126,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			args->append(BuildHeader(ip4));
 			args->append(BuildHeader(up));
 			args->append(BuildData(data, uh_len, len, caplen));
-			discard_packet = check_udp->Call(args)->AsBool();
+
+			try
+				{
+				discard_packet = check_udp->Call(args)->AsBool();
+				}
+
+			catch ( InterpreterException& e )
+				{
+				discard_packet = false;
+				}
+
 			delete args;
 			}
 		}
@@ -120,7 +150,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			val_list* args = new val_list;
 			args->append(BuildHeader(ip4));
 			args->append(BuildHeader(ih));
-			discard_packet = check_icmp->Call(args)->AsBool();
+
+			try
+				{
+				discard_packet = check_icmp->Call(args)->AsBool();
+				}
+
+			catch ( InterpreterException& e )
+				{
+				discard_packet = false;
+				}
+
 			delete args;
 			}
 		}
diff --git a/src/Discard.h b/src/Discard.h
index 4ffcab39d1..16f7a58e6e 100644
--- a/src/Discard.h
+++ b/src/Discard.h
@@ -1,5 +1,3 @@
-// $Id: Discard.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef discard_h
diff --git a/src/EquivClass.cc b/src/EquivClass.cc
index ff5dc88603..6ab667b146 100644
--- a/src/EquivClass.cc
+++ b/src/EquivClass.cc
@@ -1,5 +1,3 @@
-// $Id: EquivClass.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/EquivClass.h b/src/EquivClass.h
index 9b35a9bb64..e5193cde47 100644
--- a/src/EquivClass.h
+++ b/src/EquivClass.h
@@ -1,5 +1,3 @@
-// $Id: EquivClass.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef equiv_class_h
diff --git a/src/Event.cc b/src/Event.cc
index b5dd589f43..97f29000d6 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -1,5 +1,3 @@
-// $Id: Event.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -93,7 +91,7 @@ void EventMgr::QueueEvent(Event* event)
 void EventMgr::Dispatch()
 	{
 	if ( ! head )
-		internal_error("EventMgr underflow");
+		reporter->InternalError("EventMgr underflow");
 
 	Event* current = head;
 
@@ -120,9 +118,6 @@ void EventMgr::Drain()
 
 	// Note: we might eventually need a general way to specify things to
 	// do after draining events.
-	extern void flush_rewriter_packet();
-	flush_rewriter_packet();
-
 	draining = false;
 
 	// We evaluate Triggers here. While this is somewhat unrelated to event
diff --git a/src/Event.h b/src/Event.h
index 9028ca5fab..e0ce7bf555 100644
--- a/src/Event.h
+++ b/src/Event.h
@@ -1,5 +1,3 @@
-// $Id: Event.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef event_h
@@ -40,10 +38,25 @@ protected:
 			event_serializer->Serialize(&info, handler->Name(), args);
 			}
 
-		handler->Call(args, no_remote);
+		if ( handler->ErrorHandler() )
+			reporter->BeginErrorHandler();
+
+		try
+			{
+			handler->Call(args, no_remote);
+			}
+
+		catch ( InterpreterException& e )
+			{
+			// Already reported.
+			}
+
 		if ( obj )
 			// obj->EventDone();
 			Unref(obj);
+
+		if ( handler->ErrorHandler() )
+			reporter->EndErrorHandler();
 		}
 
 	EventHandlerPtr handler;
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index 9df18ab007..2867b63437 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -1,5 +1,3 @@
-// $Id: EventHandler.cc 5911 2008-07-03 22:59:01Z vern $
-
 #include "Event.h"
 #include "EventHandler.h"
 #include "Func.h"
@@ -13,6 +11,7 @@ EventHandler::EventHandler(const char* arg_name)
 	local = 0;
 	type = 0;
 	group = 0;
+	error_handler = false;
 	enabled = true;
 	}
 
@@ -23,6 +22,11 @@ EventHandler::~EventHandler()
 	delete [] group;
 	}
 
+EventHandler::operator bool() const
+	{
+	return enabled && ((local && local->HasBodies()) || receivers.length());
+	}
+
 FuncType* EventHandler::FType()
 	{
 	if ( type )
@@ -64,6 +68,7 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 		}
 
 	if ( local )
+		// No try/catch here; we pass exceptions upstream.
 		Unref(local->Call(vl));
 	else
 		{
diff --git a/src/EventHandler.h b/src/EventHandler.h
index de4d1a1458..2aebe87584 100644
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@@ -1,5 +1,3 @@
-// $Id: EventHandler.h 5911 2008-07-03 22:59:01Z vern $
-//
 // Capsulates local and remote event handlers.
 
 #ifndef EVENTHANDLER
@@ -34,11 +32,15 @@ public:
 	void Call(val_list* vl, bool no_remote = false);
 
 	// Returns true if there is at least one local or remote handler.
-	operator  bool() const
-		{ return enabled && (local || receivers.length()); }
+	operator  bool() const;
 
-	void SetUsed()          { used = true; }
-	bool Used()             { return used; }
+	void SetUsed()	{ used = true; }
+	bool Used()	{ return used; }
+
+	// Handlers marked as error handlers will not be called recursively to
+	// avoid infinite loops if they trigger a similar error themselves.
+	void SetErrorHandler()	{ error_handler = true; }
+	bool ErrorHandler()	{ return error_handler; }
 
 	const char* Group()	{ return group; }
 	void SetGroup(const char* arg_group)
@@ -58,6 +60,7 @@ private:
 	FuncType* type;
 	bool used;		// this handler is indeed used somewhere
 	bool enabled;
+	bool error_handler;	// this handler reports error messages.
 
 	declare(List, SourceID);
 	typedef List(SourceID) receiver_list;
@@ -75,6 +78,9 @@ public:
 	const EventHandlerPtr& operator=(const EventHandlerPtr& h)
 		{ handler = h.handler; return *this; }
 
+	bool operator==(const EventHandlerPtr& h) const
+		{ return handler == h.handler; }
+
 	EventHandler* Ptr()	{ return handler; }
 
 	operator bool() const	{ return handler && *handler; }
diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc
index 1982d78c11..246c9dc8aa 100644
--- a/src/EventLauncher.cc
+++ b/src/EventLauncher.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "Val.h"
 #include "Analyzer.h"
 #include "EventLauncher.h"
diff --git a/src/EventLauncher.h b/src/EventLauncher.h
index 276f28ef75..6a57c59391 100644
--- a/src/EventLauncher.h
+++ b/src/EventLauncher.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef event_launcher_h
 #define event_launcher_h
 
diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc
index d7f672c2e5..4d29c5d95f 100644
--- a/src/EventRegistry.cc
+++ b/src/EventRegistry.cc
@@ -1,5 +1,3 @@
-// $Id: EventRegistry.cc 6829 2009-07-09 09:12:59Z vern $
-
 #include "EventRegistry.h"
 #include "RE.h"
 #include "RemoteSerializer.h"
@@ -91,11 +89,20 @@ void EventRegistry::SetGroup(const char* name, const char* group)
 	{
 	EventHandler* eh = Lookup(name);
 	if ( ! eh )
-		internal_error("unknown event handler in SetGroup()");
+		reporter->InternalError("unknown event handler in SetGroup()");
 
 	eh->SetGroup(group);
 	}
 
+void EventRegistry::SetErrorHandler(const char* name)
+	{
+	EventHandler* eh = Lookup(name);
+	if ( ! eh )
+		reporter->InternalError("unknown event handler in SetErrorHandler()");
+
+	eh->SetErrorHandler();
+	}
+
 void EventRegistry::EnableGroup(const char* group, bool enable)
 	{
 	IterCookie* c = handlers.InitForIteration();
diff --git a/src/EventRegistry.h b/src/EventRegistry.h
index 980b8ea83f..6ee5e3bcbd 100644
--- a/src/EventRegistry.h
+++ b/src/EventRegistry.h
@@ -1,5 +1,3 @@
-// $Id: EventRegistry.h 6829 2009-07-09 09:12:59Z vern $
-//
 // Each event raised/handled by Bro is registered in the EventRegistry.
 
 #ifndef EVENT_REGISTRY
@@ -31,6 +29,11 @@ public:
 	// Associates a group with the given event.
 	void SetGroup(const char* name, const char* group);
 
+	// Marks a handler as handling errors. Error handler will not be called
+	// recursively to avoid infinite loops in case they trigger an error
+	// themselves.
+	void SetErrorHandler(const char* name);
+
 	// Enable/disable all members of the group.
 	void EnableGroup(const char* group, bool enable);
 
diff --git a/src/Expr.cc b/src/Expr.cc
index 77466f2a55..f9669f86fc 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -1,5 +1,3 @@
-// $Id: Expr.cc 6864 2009-08-16 23:30:39Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -223,7 +221,9 @@ bool Expr::DoUnserialize(UnserialInfo* info)
 
 	tag = BroExprTag(c);
 
-	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info));
+	BroType* t = 0;
+	UNSERIALIZE_OPTIONAL(t, BroType::Unserialize(info));
+	SetType(t);
 	return true;
 	}
 
@@ -231,7 +231,6 @@ bool Expr::DoUnserialize(UnserialInfo* info)
 NameExpr::NameExpr(ID* arg_id) : Expr(EXPR_NAME)
 	{
 	id = arg_id;
-	ReferenceID();
 	SetType(id->Type()->Ref());
 
 	EventHandler* h = event_registry->Lookup(id->Name());
@@ -244,29 +243,6 @@ NameExpr::~NameExpr()
 	Unref(id);
 	}
 
-void NameExpr::ReferenceID()
-	{
-	// ### This is a hack. We check whether one of the remote serializer's
-	// built-in functions is referenced. If so, we activate the serializer.
-	// A better solution would be to either (1) a generic mechanism in
-	// which have (internal) attributes associated with identifiers and
-	// as we see references to the identifiers, we do bookkeeping
-	// associated with their attribute (so in this case the attribute
-	// would be "flag that inter-Bro communication is being used"),
-	// or (2) after the parse is done, we'd query whether these
-	// particular identifiers were seen, rather than doing the test
-	// here for every NameExpr we create.
-	if ( id->Type()->Tag() == TYPE_FUNC )
-		{
-		const char* const* builtins = remote_serializer->GetBuiltins();
-		while( *builtins )
-			{
-			if ( streq(id->Name(), *builtins++) )
-				using_communication = true;
-			}
-		}
-	}
-
 Expr* NameExpr::Simplify(SimplifyType simp_type)
 	{
 	if ( simp_type != SIMPLIFY_LHS && id->IsConst() )
@@ -284,7 +260,7 @@ Val* NameExpr::Eval(Frame* f) const
 	Val* v;
 
 	if ( id->AsType() )
-		RunTime("cannot evaluate type name");
+		return new Val(id->AsType(), true);
 
 	if ( id->IsGlobal() )
 		v = id->ID_Val();
@@ -300,7 +276,7 @@ Val* NameExpr::Eval(Frame* f) const
 		return v->Ref();
 	else
 		{
-		RunTime("value used but not set");
+		Error("value used but not set");
 		return 0;
 		}
 	}
@@ -383,7 +359,7 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
 		if ( id )
 			::Ref(id);
 		else
-			run_time("unserialized unknown global name");
+			reporter->Warning("configuration changed: unserialized unknown global name from persistent state");
 
 		delete [] name;
 		}
@@ -393,8 +369,6 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
 	if ( ! id )
 		return false;
 
-	ReferenceID();
-
 	return true;
 	}
 
@@ -494,8 +468,7 @@ Val* UnaryExpr::Eval(Frame* f) const
 		VectorVal* v_op = v->AsVectorVal();
 		VectorVal* result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_op->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_op->Size(); ++i )
 			{
 			Val* v_i = v_op->Lookup(i);
 			result->Assign(i, v_i ? Fold(v_i) : 0, this);
@@ -627,14 +600,13 @@ Val* BinaryExpr::Eval(Frame* f) const
 
 		if ( v_op1->Size() != v_op2->Size() )
 			{
-			RunTime("vector operands are of different sizes");
+			Error("vector operands are of different sizes");
 			return 0;
 			}
 
 		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_op1->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_op1->Size(); ++i )
 			{
 			if ( v_op1->Lookup(i) && v_op2->Lookup(i) )
 				v_result->Assign(i,
@@ -656,8 +628,7 @@ Val* BinaryExpr::Eval(Frame* f) const
 		VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal();
 		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < vv->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < vv->Size(); ++i )
 			{
 			Val* vv_i = vv->Lookup(i);
 			if ( vv_i )
@@ -1043,7 +1014,7 @@ Val* IncrExpr::DoSingleEval(Frame* f, Val* v) const
 
 		if ( k < 0 &&
 		     v->Type()->InternalType() == TYPE_INTERNAL_UNSIGNED )
-			RunTime("count underflow");
+			Error("count underflow");
 		}
 
 	 BroType* ret_type = Type();
@@ -1063,8 +1034,7 @@ Val* IncrExpr::Eval(Frame* f) const
 	if ( is_vector(v) )
 		{
 		VectorVal* v_vec = v->AsVectorVal();
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_vec->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_vec->Size(); ++i )
 			{
 			Val* elt = v_vec->Lookup(i);
 			if ( elt )
@@ -1941,7 +1911,7 @@ Val* BoolExpr::Eval(Frame* f) const
 			{
 			result = new VectorVal(Type()->AsVectorType());
 			result->Resize(vector_v->Size());
-			result->AssignRepeat(VECTOR_MIN, result->Size(),
+			result->AssignRepeat(0, result->Size(),
 						scalar_v, this);
 			}
 		else
@@ -1963,15 +1933,14 @@ Val* BoolExpr::Eval(Frame* f) const
 
 	if ( vec_v1->Size() != vec_v2->Size() )
 		{
-		RunTime("vector operands have different sizes");
+		Error("vector operands have different sizes");
 		return 0;
 		}
 
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
 	result->Resize(vec_v1->Size());
 
-	for ( unsigned int i = VECTOR_MIN;
-	      i < vec_v1->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vec_v1->Size(); ++i )
 		{
 		Val* op1 = vec_v1->Lookup(i);
 		Val* op2 = vec_v2->Lookup(i);
@@ -2077,7 +2046,6 @@ EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 		case TYPE_STRING:
 		case TYPE_PORT:
 		case TYPE_ADDR:
-		case TYPE_NET:
 		case TYPE_SUBNET:
 		case TYPE_ERROR:
 			break;
@@ -2346,14 +2314,14 @@ Val* CondExpr::Eval(Frame* f) const
 
 	if ( cond->Size() != a->Size() || a->Size() != b->Size() )
 		{
-		RunTime("vectors in conditional expression have different sizes");
+		Error("vectors in conditional expression have different sizes");
 		return 0;
 		}
 
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
 	result->Resize(cond->Size());
 
-	for ( unsigned int i = VECTOR_MIN; i < cond->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < cond->Size(); ++i )
 		{
 		Val* local_cond = cond->Lookup(i);
 		if ( local_cond )
@@ -2467,7 +2435,7 @@ bool RefExpr::DoUnserialize(UnserialInfo* info)
 	}
 
 AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
-			Val* arg_val)
+		       Val* arg_val, attr_list* arg_attrs)
 : BinaryExpr(EXPR_ASSIGN,
 		arg_is_init ? arg_op1 : arg_op1->MakeLvalue(), arg_op2)
 	{
@@ -2487,22 +2455,17 @@ AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
 
 	// We discard the status from TypeCheck since it has already
 	// generated error messages.
-	(void) TypeCheck();
+	(void) TypeCheck(arg_attrs);
 
 	val = arg_val ? arg_val->Ref() : 0;
 
 	SetLocationInfo(arg_op1->GetLocationInfo(), arg_op2->GetLocationInfo());
 	}
 
-bool AssignExpr::TypeCheck()
+bool AssignExpr::TypeCheck(attr_list* attrs)
 	{
 	TypeTag bt1 = op1->Type()->Tag();
-	if ( IsVector(bt1) )
-		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
-
 	TypeTag bt2 = op2->Type()->Tag();
-	if ( IsVector(bt2) )
-		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
 
 	if ( bt1 == TYPE_LIST && bt2 == TYPE_ANY )
 		// This is ok because we cannot explicitly declare lists on
@@ -2531,16 +2494,57 @@ bool AssignExpr::TypeCheck()
 		return true;
 		}
 
+	if ( bt1 == TYPE_TABLE && op2->Tag() == EXPR_LIST )
+		{
+		attr_list* attr_copy = 0;
+
+		if ( attrs )
+			{
+			attr_copy = new attr_list;
+			loop_over_list(*attrs, i)
+				attr_copy->append((*attrs)[i]);
+			}
+
+		op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
+		return true;
+		}
+
+	if ( bt1 == TYPE_VECTOR && bt2 == bt1 &&
+	     op2->Type()->AsVectorType()->IsUnspecifiedVector() )
+		{
+		op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
+		return true;
+		}
+
+	if ( op1->Type()->Tag() == TYPE_RECORD &&
+	     op2->Type()->Tag() == TYPE_RECORD )
+		{
+		if ( same_type(op1->Type(), op2->Type()) )
+			{
+			RecordType* rt1 = op1->Type()->AsRecordType();
+			RecordType* rt2 = op2->Type()->AsRecordType();
+
+			// Make sure the attributes match as well.
+			for ( int i = 0; i < rt1->NumFields(); ++i )
+				{
+				const TypeDecl* td1 = rt1->FieldDecl(i);
+				const TypeDecl* td2 = rt2->FieldDecl(i);
+
+				if ( same_attrs(td1->attrs, td2->attrs) )
+					// Everything matches.
+					return true;
+				}
+			}
+
+		// Need to coerce.
+		op2 = new RecordCoerceExpr(op2, op1->Type()->AsRecordType());
+		return true;
+		}
+
 	if ( ! same_type(op1->Type(), op2->Type()) )
 		{
-		if ( op1->Type()->Tag() == TYPE_RECORD &&
-		     op2->Type()->Tag() == TYPE_RECORD )
-			op2 = new RecordCoerceExpr(op2, op1->Type()->AsRecordType());
-		else
-			{
-			ExprError("type clash in assignment");
-			return false;
-			}
+		ExprError("type clash in assignment");
+		return false;
 		}
 
 	return true;
@@ -2611,7 +2615,6 @@ Val* AssignExpr::Eval(Frame* f) const
 	if ( v )
 		{
 		op1->Assign(f, v);
-		//### op1->SetAttribs();
 		return val ? val->Ref() : v->Ref();
 		}
 	else
@@ -2927,12 +2930,11 @@ Val* IndexExpr::Eval(Frame* f) const
 			{
 			if ( v_v1->Size() != v_v2->Size() )
 				{
-				RunTime("size mismatch, boolean index and vector");
+				Error("size mismatch, boolean index and vector");
 				return 0;
 				}
 
-			for ( unsigned int i = VECTOR_MIN;
-			      i < v_v2->Size() + VECTOR_MIN; ++i )
+			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
 				{
 				if ( v_v2->Lookup(i)->AsBool() )
 					v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i), this);
@@ -2944,8 +2946,7 @@ Val* IndexExpr::Eval(Frame* f) const
 			// S does, i.e., by excluding those elements.
 			// Probably only do this if *all* are negative.
 			v_result->Resize(v_v2->Size());
-			for ( unsigned int i = VECTOR_MIN;
-			      i < v_v2->Size() + VECTOR_MIN; ++i )
+			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
 				v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()), this);
 			}
 		}
@@ -2976,7 +2977,7 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 	if ( v )
 		return v->Ref();
 
-	RunTime("no such index");
+	Error("no such index");
 	return 0;
 	}
 
@@ -3062,13 +3063,6 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
 	if ( IsError() )
 		return;
 
-	if ( streq(arg_field_name, "attr") )
-		{
-		field = -1;
-		SetType(op->Type()->AttributesType()->Ref());
-		return;
-		}
-
 	if ( ! IsRecord(op->Type()->Tag()) )
 		ExprError("not a record");
 	else
@@ -3100,18 +3094,18 @@ Expr* FieldExpr::Simplify(SimplifyType simp_type)
 	return this;
 	}
 
+int FieldExpr::CanDel() const
+	{
+	return td->FindAttr(ATTR_DEFAULT) || td->FindAttr(ATTR_OPTIONAL);
+	}
+
 void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
 	{
-	if ( IsError() || ! v )
+	if ( IsError() )
 		return;
 
 	if ( field < 0 )
-		{
-		Val* lhs = op->Eval(f);
-		lhs->SetAttribs(v->AsRecordVal());
-		Unref(lhs);
-		return;
-		}
+		ExprError("no such field in record");
 
 	Val* op_v = op->Eval(f);
 	if ( op_v )
@@ -3122,11 +3116,13 @@ void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
 		}
 	}
 
+void FieldExpr::Delete(Frame* f)
+	{
+	Assign(f, 0, OP_ASSIGN_IDX);
+	}
+
 Val* FieldExpr::Fold(Val* v) const
 	{
-	if ( field < 0 )
-		return v->GetAttribs(true)->Ref();
-
 	Val* result = v->AsRecordVal()->Lookup(field);
 	if ( result )
 		return result->Ref();
@@ -3137,8 +3133,9 @@ Val* FieldExpr::Fold(Val* v) const
 		return def_attr->AttrExpr()->Eval(0);
 	else
 		{
-		Internal("field value missing");
-		return 0;
+		reporter->ExprRuntimeError(this, "field value missing");
+		assert(false);
+		return 0; // Will never get here, but compiler can't tell.
 		}
 	}
 
@@ -3179,24 +3176,20 @@ bool FieldExpr::DoUnserialize(UnserialInfo* info)
 	return td != 0;
 	}
 
-HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name,
-			   bool arg_is_attr)
+HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name)
 : UnaryExpr(EXPR_HAS_FIELD, arg_op)
 	{
 	field_name = arg_field_name;
-	is_attr = arg_is_attr;
 	field = 0;
 
 	if ( IsError() )
 		return;
 
-	if ( ! is_attr && ! IsRecord(op->Type()->Tag()) )
+	if ( ! IsRecord(op->Type()->Tag()) )
 		ExprError("not a record");
 	else
 		{
-		RecordType* rt = is_attr ?
-					op->Type()->AttributesType() :
-					op->Type()->AsRecordType();
+		RecordType* rt = op->Type()->AsRecordType();
 		field = rt->FieldOffset(field_name);
 
 		if ( field < 0 )
@@ -3215,10 +3208,7 @@ Val* HasFieldExpr::Fold(Val* v) const
 	{
 	RecordVal* rec_to_look_at;
 
-	if ( is_attr )
-		rec_to_look_at = v->GetAttribs(false);
-	else
-		rec_to_look_at = v->AsRecordVal();
+	rec_to_look_at = v->AsRecordVal();
 
 	if ( ! rec_to_look_at )
 		return new Val(0, TYPE_BOOL);
@@ -3235,12 +3225,7 @@ void HasFieldExpr::ExprDescribe(ODesc* d) const
 	op->Describe(d);
 
 	if ( d->IsReadable() )
-		{
-		if ( is_attr )
-			d->Add("?$$");
-		else
-			d->Add("?$");
-		}
+		d->Add("?$");
 
 	if ( IsError() )
 		d->Add("<error>");
@@ -3255,13 +3240,17 @@ IMPLEMENT_SERIAL(HasFieldExpr, SER_HAS_FIELD_EXPR);
 bool HasFieldExpr::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_HAS_FIELD_EXPR, UnaryExpr);
-	return SERIALIZE(is_attr) && SERIALIZE(field_name) && SERIALIZE(field);
+
+	// Serialize the former "bool is_attr" first for backwards compatibility.
+	return SERIALIZE(false) && SERIALIZE(field_name) && SERIALIZE(field);
 	}
 
 bool HasFieldExpr::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(UnaryExpr);
-	return UNSERIALIZE(&is_attr) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
+	// Unserialize the former "bool is_attr" first for backwards compatibility.
+	bool not_used;
+	return UNSERIALIZE(&not_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
 	}
 
 RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
@@ -3314,48 +3303,12 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 
 Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	{
-	if ( ! aggr )
-		aggr = new RecordVal(const_cast<RecordType*>(t->AsRecordType()));
+	RecordVal* rv = Eval(0)->AsRecordVal();
+	RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
 
-	if ( record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
+	if ( ar )
 		{
-		RecordVal* ar = aggr->AsRecordVal();
-		RecordType* ar_t = aggr->Type()->AsRecordType();
-
-		RecordVal* rv = Eval(0)->AsRecordVal();
-		RecordType* rv_t = rv->Type()->AsRecordType();
-
-		int i;
-		for ( i = 0; i < rv_t->NumFields(); ++i )
-			{
-			int t_i = ar_t->FieldOffset(rv_t->FieldName(i));
-
-			if ( t_i < 0 )
-				{
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "orphan field \"%s\" in initialization",
-					      rv_t->FieldName(i));
-				Error(buf);
-				break;
-				}
-
-			else
-				ar->Assign(t_i, rv->Lookup(i)->Ref());
-			}
-
-		for ( i = 0; i < ar_t->NumFields(); ++i )
-			if ( ! ar->Lookup(i) &&
-			     ! ar_t->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
-				{
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "non-optional field \"%s\" missing in initialization", ar_t->FieldName(i));
-				Error(buf);
-				}
-
 		Unref(rv);
-
 		return ar;
 		}
 
@@ -3424,7 +3377,7 @@ TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list,
 			SetError("values in table(...) constructor do not specify a table");
 		}
 
-	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0;
 	}
 
 Val* TableConstructorExpr::Eval(Frame* f) const
@@ -3490,7 +3443,7 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list,
 	else if ( type->Tag() != TYPE_TABLE || ! type->AsTableType()->IsSet() )
 		SetError("values in set(...) constructor do not specify a set");
 
-	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0;
 	}
 
 Val* SetConstructorExpr::Eval(Frame* f) const
@@ -3505,10 +3458,9 @@ Val* SetConstructorExpr::Eval(Frame* f) const
 		{
 		Val* element = exprs[i]->Eval(f);
 		aggr->Assign(element, 0);
+		Unref(element);
 		}
 
-	aggr->AsTableVal()->SetAttrs(attrs);
-
 	return aggr;
 	}
 
@@ -3549,6 +3501,13 @@ VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list)
 	if ( IsError() )
 		return;
 
+	if ( constructor_list->Exprs().length() == 0 )
+		{
+		// vector().
+		SetType(new ::VectorType(base_type(TYPE_ANY)));
+		return;
+		}
+
 	BroType* t = merge_type_list(constructor_list);
 	if ( t )
 		{
@@ -3575,9 +3534,9 @@ Val* VectorConstructorExpr::Eval(Frame* f) const
 		{
 		Expr* e = exprs[i];
 		Val* v = e->Eval(f);
-		if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+		if ( ! vec->Assign(i, v, e) )
 			{
-			Error(fmt("type mismatch at index %d", i + VECTOR_MIN), e);
+			Error(fmt("type mismatch at index %d", i), e);
 			return 0;
 			}
 		}
@@ -3599,9 +3558,9 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 		Expr* e = exprs[i];
 		Val* v = check_and_promote(e->Eval(0), vt, 1);
 
-		if ( ! v || ! vec->Assign(i + VECTOR_MIN, v, e) )
+		if ( ! v || ! vec->Assign(i, v, e) )
 			{
-			Error(fmt("initialization type mismatch at index %d", i + VECTOR_MIN), e);
+			Error(fmt("initialization type mismatch at index %d", i), e);
 			return 0;
 			}
 		}
@@ -3787,6 +3746,7 @@ Val* RecordMatchExpr::Fold(Val* v1, Val* v2) const
 				}
 			}
 
+		// No try/catch here; we pass exceptions upstream.
 		Val* pred_val =
 			match_rec->Lookup(pred_field_index)->AsFunc()->Call(&args);
 		bool is_zero = pred_val->IsZero();
@@ -3960,7 +3920,7 @@ Val* ArithCoerceExpr::Fold(Val* v) const
 
 	VectorVal* vv = v->AsVectorVal();
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
 		{
 		Val* elt = vv->Lookup(i);
 		if ( elt )
@@ -4020,27 +3980,26 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 			{
 			int t_i = t_r->FieldOffset(sub_r->FieldName(i));
 			if ( t_i < 0 )
-				{
-				// Same as in RecordConstructorExpr::InitVal.
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "orphan record field \"%s\"",
-					      sub_r->FieldName(i));
-				Error(buf);
+				// Orphane field in rhs, that's ok.
 				continue;
-				}
 
 			BroType* sub_t_i = sub_r->FieldType(i);
 			BroType* sup_t_i = t_r->FieldType(t_i);
 
 			if ( ! same_type(sup_t_i, sub_t_i) )
 				{
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "type clash for field \"%s\"", sub_r->FieldName(i));
-				Error(buf, sub_t_i);
-				SetError();
-				break;
+				if ( sup_t_i->Tag() != TYPE_RECORD ||
+				     sub_t_i->Tag() != TYPE_RECORD ||
+				     ! record_promotion_compatible(sup_t_i->AsRecordType(),
+				                                   sub_t_i->AsRecordType()) )
+					{
+					char buf[512];
+					safe_snprintf(buf, sizeof(buf),
+						"type clash for field \"%s\"", sub_r->FieldName(i));
+					Error(buf, sub_t_i);
+					SetError();
+					break;
+					}
 				}
 
 			map[t_i] = i;
@@ -4073,9 +4032,51 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 	for ( int i = 0; i < map_size; ++i )
 		{
 		if ( map[i] >= 0 )
-			val->Assign(i, rv->Lookup(map[i])->Ref());
+			{
+			Val* rhs = rv->Lookup(map[i]);
+			if ( ! rhs )
+				{
+				const Attr* def = rv->Type()->AsRecordType()->FieldDecl(
+					map[i])->FindAttr(ATTR_DEFAULT);
+
+				if ( def )
+					rhs = def->AttrExpr()->Eval(0);
+				}
+
+			if ( rhs )
+				rhs = rhs->Ref();
+
+			assert(rhs || Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_OPTIONAL));
+
+			BroType* rhs_type = rhs->Type();
+			RecordType* val_type = val->Type()->AsRecordType();
+			BroType* field_type = val_type->FieldType(i);
+
+			if ( rhs_type->Tag() == TYPE_RECORD &&
+			     field_type->Tag() == TYPE_RECORD &&
+			     ! same_type(rhs_type, field_type) )
+				{
+				Val* new_val = rhs->AsRecordVal()->CoerceTo(
+				    field_type->AsRecordType());
+				if ( new_val )
+					{
+					Unref(rhs);
+					rhs = new_val;
+					}
+				}
+
+			val->Assign(i, rhs);
+			}
 		else
-			val->Assign(i, 0);
+			{
+			const Attr* def =
+			     Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_DEFAULT);
+
+			if ( def )
+				val->Assign(i, def->AttrExpr()->Eval(0));
+			else
+				val->Assign(i, 0);
+			}
 		}
 
 	return val;
@@ -4158,6 +4159,50 @@ bool TableCoerceExpr::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+VectorCoerceExpr::VectorCoerceExpr(Expr* op, VectorType* v)
+: UnaryExpr(EXPR_VECTOR_COERCE, op)
+	{
+	if ( IsError() )
+		return;
+
+	SetType(v->Ref());
+
+	if ( Type()->Tag() != TYPE_VECTOR )
+		ExprError("coercion to non-vector");
+
+	else if ( op->Type()->Tag() != TYPE_VECTOR )
+		ExprError("coercion of non-vector to vector");
+	}
+
+
+VectorCoerceExpr::~VectorCoerceExpr()
+	{
+	}
+
+Val* VectorCoerceExpr::Fold(Val* v) const
+	{
+	VectorVal* vv = v->AsVectorVal();
+
+	if ( vv->Size() > 0 )
+		Internal("coercion of non-empty vector");
+
+	return new VectorVal(Type()->Ref()->AsVectorType());
+	}
+
+IMPLEMENT_SERIAL(VectorCoerceExpr, SER_VECTOR_COERCE_EXPR);
+
+bool VectorCoerceExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VECTOR_COERCE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool VectorCoerceExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
 FlattenExpr::FlattenExpr(Expr* arg_op)
 : UnaryExpr(EXPR_FLATTEN, arg_op)
 	{
@@ -4200,7 +4245,7 @@ Val* FlattenExpr::Fold(Val* v) const
 			l->Append(fa->AttrExpr()->Eval(0));
 
 		else
-			Internal("missing field value");
+			reporter->ExprRuntimeError(this, "missing field value");
 		}
 
 	return l;
@@ -4626,7 +4671,7 @@ Val* CallExpr::Eval(Frame* f) const
 
 		if ( f )
 			f->SetCall(this);
-		ret = func->Call(v, f);
+		ret = func->Call(v, f); // No try/catch here; we pass exceptions upstream.
 		if ( f )
 			f->ClearCall();
 		// Don't Unref() the arguments, as Func::Call already did that.
@@ -4872,7 +4917,7 @@ Val* ListExpr::Eval(Frame* f) const
 		Val* ev = exprs[i]->Eval(f);
 		if ( ! ev )
 			{
-			RunTime("uninitialized list value");
+			Error("uninitialized list value");
 			return 0;
 			}
 
@@ -5023,14 +5068,13 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
 		loop_over_list(exprs, i)
 			{
 			Expr* e = exprs[i];
+			check_and_promote_expr(e, vec->Type()->AsVectorType()->YieldType());
 			Val* v = e->Eval(0);
-			if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+			if ( ! vec->Assign(i, v, e) )
 				{
-				e->Error(fmt("type mismatch at index %d",  i + VECTOR_MIN));
+				e->Error(fmt("type mismatch at index %d", i));
 				return 0;
 				}
-
-			Unref(v);
 			}
 
 		return aggr;
@@ -5334,27 +5378,52 @@ int check_and_promote_expr(Expr*& e, BroType* t)
 		return 1;
 		}
 
-	else if ( ! same_type(t, et) )
+	if ( t->Tag() == TYPE_RECORD && et->Tag() == TYPE_RECORD )
 		{
-		if ( t->Tag() == TYPE_RECORD && et->Tag() == TYPE_RECORD )
-			{
-			RecordType* t_r = t->AsRecordType();
-			RecordType* et_r = et->AsRecordType();
+		RecordType* t_r = t->AsRecordType();
+		RecordType* et_r = et->AsRecordType();
 
-			if ( record_promotion_compatible(t_r, et_r) )
+		if ( same_type(t, et) )
+			{
+			// Make sure the attributes match as well.
+			for ( int i = 0; i < t_r->NumFields(); ++i )
 				{
-				e = new RecordCoerceExpr(e, t_r);
-				return 1;
+				const TypeDecl* td1 = t_r->FieldDecl(i);
+				const TypeDecl* td2 = et_r->FieldDecl(i);
+
+				if ( same_attrs(td1->attrs, td2->attrs) )
+					// Everything matches perfectly.
+					return 1;
 				}
 			}
 
-		else if ( t->Tag() == TYPE_TABLE && et->Tag() == TYPE_TABLE &&
+		if ( record_promotion_compatible(t_r, et_r) )
+			{
+			e = new RecordCoerceExpr(e, t_r);
+			return 1;
+			}
+
+		t->Error("incompatible record types", e);
+		return 0;
+		}
+
+
+	if ( ! same_type(t, et) )
+		{
+		if ( t->Tag() == TYPE_TABLE && et->Tag() == TYPE_TABLE &&
 			  et->AsTableType()->IsUnspecifiedTable() )
 			{
 			e = new TableCoerceExpr(e, t->AsTableType());
 			return 1;
 			}
 
+		if ( t->Tag() == TYPE_VECTOR && et->Tag() == TYPE_VECTOR &&
+		     et->AsVectorType()->IsUnspecifiedVector() )
+			{
+			e = new VectorCoerceExpr(e, t->AsVectorType());
+			return 1;
+			}
+
 		t->Error("type clash", e);
 		return 0;
 		}
@@ -5576,7 +5645,7 @@ int same_expr(const Expr* e1, const Expr* e2)
 		}
 
 	default:
-		internal_error("bad tag in same_expr()");
+		reporter->InternalError("bad tag in same_expr()");
 	}
 
 	return 0;
@@ -5596,7 +5665,7 @@ static Expr* make_constant(BroType* t, double d)
 	case TYPE_INTERNAL_DOUBLE:	v = new Val(double(d), t->Tag()); break;
 
 	default:
-		internal_error("bad type in make_constant()");
+		reporter->InternalError("bad type in make_constant()");
 	}
 
 	return new ConstExpr(v);
diff --git a/src/Expr.h b/src/Expr.h
index c078d4651c..8676a1ad7e 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -1,5 +1,3 @@
-// $Id: Expr.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef expr_h
@@ -40,7 +38,10 @@ typedef enum {
 	EXPR_CALL,
 	EXPR_EVENT,
 	EXPR_SCHEDULE,
-	EXPR_ARITH_COERCE, EXPR_RECORD_COERCE, EXPR_TABLE_COERCE,
+	EXPR_ARITH_COERCE,
+	EXPR_RECORD_COERCE,
+	EXPR_TABLE_COERCE,
+	EXPR_VECTOR_COERCE,
 	EXPR_SIZE,
 	EXPR_FLATTEN,
 #define NUM_EXPRS (int(EXPR_FLATTEN) + 1)
@@ -214,7 +215,6 @@ protected:
 	friend class Expr;
 	NameExpr()	{ id = 0; }
 
-	void ReferenceID();
 	void ExprDescribe(ODesc* d) const;
 
 	DECLARE_SERIAL(NameExpr);
@@ -623,7 +623,7 @@ class AssignExpr : public BinaryExpr {
 public:
 	// If val is given, evaluating this expression will always yield the val
 	// yet still perform the assignment.  Used for triggers.
-	AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0);
+	AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0, attr_list* attrs = 0);
 	virtual ~AssignExpr()	{ Unref(val); }
 
 	Expr* Simplify(SimplifyType simp_type);
@@ -638,7 +638,7 @@ protected:
 	friend class Expr;
 	AssignExpr()	{ }
 
-	bool TypeCheck();
+	bool TypeCheck(attr_list* attrs = 0);
 	bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
 
 	DECLARE_SERIAL(AssignExpr);
@@ -685,8 +685,11 @@ public:
 
 	int Field() const	{ return field; }
 
+	int CanDel() const;
+
 	Expr* Simplify(SimplifyType simp_type);
 	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	void Delete(Frame* f);
 
 	Expr* MakeLvalue();
 
@@ -709,7 +712,7 @@ protected:
 // "rec?$$attrname" is true if the attribute attrname is not nil.
 class HasFieldExpr : public UnaryExpr {
 public:
-	HasFieldExpr(Expr* op, const char* field_name, bool is_attr);
+	HasFieldExpr(Expr* op, const char* field_name);
 	~HasFieldExpr();
 
 protected:
@@ -895,6 +898,20 @@ protected:
 	DECLARE_SERIAL(TableCoerceExpr);
 };
 
+class VectorCoerceExpr : public UnaryExpr {
+public:
+	VectorCoerceExpr(Expr* op, VectorType* v);
+	~VectorCoerceExpr();
+
+protected:
+	friend class Expr;
+	VectorCoerceExpr()	{ }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(VectorCoerceExpr);
+};
+
 // An internal operator for flattening array indices that are records
 // into a list of individual values.
 class FlattenExpr : public UnaryExpr {
diff --git a/src/FTP.cc b/src/FTP.cc
index 79eb872d79..588348ea8d 100644
--- a/src/FTP.cc
+++ b/src/FTP.cc
@@ -1,5 +1,3 @@
-// $Id: FTP.cc 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -10,7 +8,6 @@
 #include "FTP.h"
 #include "NVT.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
@@ -169,5 +166,3 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 	ConnectionEvent(f, vl);
 	}
 
-
-#include "ftp-rw.bif.func_def"
diff --git a/src/FTP.h b/src/FTP.h
index f5d60fdf3b..4ef6c44d83 100644
--- a/src/FTP.h
+++ b/src/FTP.h
@@ -1,5 +1,3 @@
-// $Id: FTP.h 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ftp_h
@@ -14,11 +12,6 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual int RewritingTrace()
-		{
-		return rewriting_ftp_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{
diff --git a/src/File.cc b/src/File.cc
index a57147d923..080923ad37 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -1,5 +1,3 @@
-// $Id: File.cc 6942 2009-11-16 03:54:08Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -20,6 +18,8 @@
 #include <errno.h>
 #include <unistd.h>
 
+#include <algorithm>
+
 #include "File.h"
 #include "Type.h"
 #include "Timer.h"
@@ -28,6 +28,7 @@
 #include "Net.h"
 #include "Serializer.h"
 #include "Event.h"
+#include "Reporter.h"
 
 // Timer which on dispatching rotates the file.
 class RotateTimer : public Timer {
@@ -91,7 +92,7 @@ static int maximize_num_fds()
 #else
 	struct rlimit rl;
 	if ( getrlimit(RLIMIT_NOFILE, &rl) < 0 )
-		internal_error("maximize_num_fds(): getrlimit failed");
+		reporter->InternalError("maximize_num_fds(): getrlimit failed");
 
 	if ( rl.rlim_max == RLIM_INFINITY )
 		{
@@ -107,7 +108,7 @@ static int maximize_num_fds()
 	rl.rlim_cur = rl.rlim_max;
 
 	if ( setrlimit(RLIMIT_NOFILE, &rl) < 0 )
-		internal_error("maximize_num_fds(): setrlimit failed");
+		reporter->InternalError("maximize_num_fds(): setrlimit failed");
 
 	return rl.rlim_cur / 2;
 #endif
@@ -148,7 +149,7 @@ BroFile::BroFile(const char* arg_name, const char* arg_access, BroType* arg_t)
 	t = arg_t ? arg_t : base_type(TYPE_STRING);
 	if ( ! Open() )
 		{
-		error(fmt("cannot open %s: %s", name, strerror(errno)));
+		reporter->Error("cannot open %s: %s", name, strerror(errno));
 		is_open = 0;
 		okay_to_manage = 0;
 		}
@@ -195,10 +196,9 @@ bool BroFile::Open(FILE* file)
 	InstallRotateTimer();
 
 	if ( ! f )
-		{
 		f = fopen(name, access);
-		SetBuf(buffered);
-		}
+
+	SetBuf(buffered);
 
 	if ( f )
 		{
@@ -271,7 +271,7 @@ FILE* BroFile::File()
 FILE* BroFile::BringIntoCache()
 	{
 	if ( f )
-		internal_error("BroFile non-nil non-open file");
+		reporter->InternalError("BroFile non-nil non-open file");
 
 	if ( num_files_in_cache >= max_files_in_cache )
 		PurgeCache();
@@ -285,12 +285,12 @@ FILE* BroFile::BringIntoCache()
 
 	if ( ! f )
 		{
-		run_time("can't open %s", this);
+		reporter->Error("can't open %s", name);
 
 		f = fopen("/dev/null", "w");
 
 		if ( ! f )
-			internal_error("out of file descriptors");
+			reporter->InternalError("out of file descriptors");
 
 		okay_to_manage = 0;
 		return f;
@@ -300,7 +300,7 @@ FILE* BroFile::BringIntoCache()
 	UpdateFileSize();
 
 	if ( fseek(f, position, SEEK_SET) < 0 )
-		run_time("reopen seek failed", this);
+		reporter->Error("reopen seek failed");
 
 	InsertAtBeginning();
 
@@ -313,7 +313,7 @@ FILE* BroFile::Seek(long new_position)
 		return 0;
 
 	if ( fseek(f, new_position, SEEK_SET) < 0 )
-		run_time("seek failed", this);
+		reporter->Error("seek failed");
 
 	return f;
 	}
@@ -324,7 +324,7 @@ void BroFile::SetBuf(bool arg_buffered)
 		return;
 
 	if ( setvbuf(f, NULL, arg_buffered ? _IOFBF : _IOLBF, 0) != 0 )
-		run_time("setvbuf failed", this);
+		reporter->Error("setvbuf failed");
 
 	buffered = arg_buffered;
 	}
@@ -375,18 +375,18 @@ int BroFile::Close()
 void BroFile::Suspend()
 	{
 	if ( ! is_in_cache )
-		internal_error("BroFile::Suspend() called for non-cached file");
+		reporter->InternalError("BroFile::Suspend() called for non-cached file");
 	if ( ! is_open )
-		internal_error("BroFile::Suspend() called for non-open file");
+		reporter->InternalError("BroFile::Suspend() called for non-open file");
 
 	Unlink();
 
 	if ( ! f )
-		internal_error("BroFile::Suspend() called for nil file");
+		reporter->InternalError("BroFile::Suspend() called for nil file");
 
 	if ( (position = ftell(f)) < 0 )
 		{
-		run_time("ftell failed", this);
+		reporter->Error("ftell failed");
 		position = 0;
 		}
 
@@ -397,7 +397,7 @@ void BroFile::Suspend()
 void BroFile::PurgeCache()
 	{
 	if ( ! tail )
-		internal_error("BroFile purge of empty cache");
+		reporter->InternalError("BroFile purge of empty cache");
 
 	tail->Suspend();
 	}
@@ -417,13 +417,13 @@ void BroFile::Unlink()
 			Next()->SetPrev(prev);
 
 		if ( (head || tail) && ! (head && tail) )
-			internal_error("BroFile link list botch");
+			reporter->InternalError("BroFile link list botch");
 
 		is_in_cache = 0;
 		prev = next = 0;
 
 		if ( --num_files_in_cache < 0 )
-			internal_error("BroFile underflow of file cache");
+			reporter->InternalError("BroFile underflow of file cache");
 		}
 	}
 
@@ -443,7 +443,7 @@ void BroFile::InsertAtBeginning()
 		}
 
 	if ( ++num_files_in_cache > max_files_in_cache )
-		internal_error("BroFile overflow of file cache");
+		reporter->InternalError("BroFile overflow of file cache");
 
 	is_in_cache = 1;
 	}
@@ -454,7 +454,7 @@ void BroFile::MoveToBeginning()
 		return;	// already at the beginning
 
 	if ( ! is_in_cache || ! prev )
-		internal_error("BroFile inconsistency in MoveToBeginning()");
+		reporter->InternalError("BroFile inconsistency in MoveToBeginning()");
 
 	Unlink();
 	InsertAtBeginning();
@@ -641,7 +641,7 @@ void BroFile::InitEncrypt(const char* keyfile)
 
 		if ( ! key )
 			{
-			error(fmt("can't open key file %s: %s", keyfile, strerror(errno)));
+			reporter->Error("can't open key file %s: %s", keyfile, strerror(errno));
 			Close();
 			return;
 			}
@@ -649,8 +649,8 @@ void BroFile::InitEncrypt(const char* keyfile)
 		pub_key = PEM_read_PUBKEY(key, 0, 0, 0);
 		if ( ! pub_key )
 			{
-			error(fmt("can't read key from %s: %s", keyfile,
-					ERR_error_string(ERR_get_error(), 0)));
+			reporter->Error("can't read key from %s: %s", keyfile,
+					ERR_error_string(ERR_get_error(), 0));
 			Close();
 			return;
 			}
@@ -663,7 +663,7 @@ void BroFile::InitEncrypt(const char* keyfile)
 
 	unsigned char secret[EVP_PKEY_size(pub_key)];
 	unsigned char* psecret = secret;
-	unsigned long secret_len;
+	unsigned int secret_len;
 
 	int iv_len = EVP_CIPHER_iv_length(cipher_type);
 	unsigned char iv[iv_len];
@@ -671,8 +671,8 @@ void BroFile::InitEncrypt(const char* keyfile)
 	if ( ! EVP_SealInit(cipher_ctx, cipher_type, &psecret,
 				(int*) &secret_len, iv, &pub_key, 1) )
 		{
-		error(fmt("can't init cipher context for %s: %s", keyfile,
-				ERR_error_string(ERR_get_error(), 0)));
+		reporter->Error("can't init cipher context for %s: %s", keyfile,
+				ERR_error_string(ERR_get_error(), 0));
 		Close();
 		return;
 		}
@@ -684,8 +684,8 @@ void BroFile::InitEncrypt(const char* keyfile)
 		fwrite(secret, ntohl(secret_len), 1, f) &&
 		fwrite(iv, iv_len, 1, f)) )
 		{
-		error(fmt("can't write header to log file %s: %s",
-				name, strerror(errno)));
+		reporter->Error("can't write header to log file %s: %s",
+				name, strerror(errno));
 		Close();
 		return;
 		}
@@ -709,8 +709,8 @@ void BroFile::FinishEncrypt()
 
 		if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
 			{
-			run_time(fmt("write error for %s: %s",
-					name, strerror(errno)));
+			reporter->Error("write error for %s: %s",
+					name, strerror(errno));
 			return;
 			}
 
@@ -736,22 +736,22 @@ int BroFile::Write(const char* data, int len)
 		while ( len )
 			{
 			int outl;
-			int inl = min(MIN_BUFFER_SIZE, len);
+			int inl = min(+MIN_BUFFER_SIZE, len);
 
 			if ( ! EVP_SealUpdate(cipher_ctx, cipher_buffer, &outl,
 						(unsigned char*)data, inl) )
 				{
-				run_time(fmt("encryption error for %s: %s",
+				reporter->Error("encryption error for %s: %s",
 					name,
-					ERR_error_string(ERR_get_error(), 0)));
+					ERR_error_string(ERR_get_error(), 0));
 				Close();
 				return 0;
 				}
 
 			if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
 				{
-				run_time(fmt("write error for %s: %s",
-						name, strerror(errno)));
+				reporter->Error("write error for %s: %s",
+						name, strerror(errno));
 				Close();
 				return 0;
 				}
@@ -798,7 +798,7 @@ void BroFile::UpdateFileSize()
 	struct stat s;
 	if ( fstat(fileno(f), &s) < 0 )
 		{
-		run_time(fmt("can't stat fd for %s: %s", name, strerror(errno)));
+		reporter->Error("can't stat fd for %s: %s", name, strerror(errno));
 		current_size = 0;
 		return;
 		}
diff --git a/src/File.h b/src/File.h
index dad0d6da8b..444d6209e2 100644
--- a/src/File.h
+++ b/src/File.h
@@ -1,5 +1,3 @@
-// $Id: File.h 6888 2009-08-20 18:23:11Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef file_h
diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc
index 7f9e0b2c2d..d4064e8144 100644
--- a/src/FileAnalyzer.cc
+++ b/src/FileAnalyzer.cc
@@ -1,24 +1,21 @@
-// $Id: FileAnalyzer.cc,v 1.1.4.2 2006/06/01 17:18:10 sommer Exp $
+#include <algorithm>
 
 #include "FileAnalyzer.h"
+#include "Reporter.h"
 
-#ifdef HAVE_LIBMAGIC
 magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
-#endif
 
 File_Analyzer::File_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
 	{
 	buffer_len = 0;
 
-#ifdef HAVE_LIBMAGIC
 	if ( ! magic )
 		{
 		InitMagic(&magic, MAGIC_NONE);
 		InitMagic(&magic_mime, MAGIC_MIME);
 		}
-#endif
 	}
 
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
@@ -51,13 +48,11 @@ void File_Analyzer::Identify()
 	const char* descr = 0;
 	const char* mime = 0;
 
-#ifdef HAVE_LIBMAGIC
 	if ( magic )
 		descr = magic_buffer(magic, buffer, buffer_len);
 
 	if ( magic_mime )
 		mime = magic_buffer(magic_mime, buffer, buffer_len);
-#endif
 
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
@@ -67,19 +62,17 @@ void File_Analyzer::Identify()
 	ConnectionEvent(file_transferred, vl);
 	}
 
-#ifdef HAVE_LIBMAGIC
 void File_Analyzer::InitMagic(magic_t* magic, int flags)
 	{
 	*magic = magic_open(flags);
 
 	if ( ! *magic )
-		error(fmt("can't init libmagic: %s", magic_error(*magic)));
+		reporter->Error("can't init libmagic: %s", magic_error(*magic));
 
 	else if ( magic_load(*magic, 0) < 0 )
 		{
-		error(fmt("can't load magic file: %s", magic_error(*magic)));
+		reporter->Error("can't load magic file: %s", magic_error(*magic));
 		magic_close(*magic);
 		*magic = 0;
 		}
 	}
-#endif
diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h
index f343547210..dcf9d22e8e 100644
--- a/src/FileAnalyzer.h
+++ b/src/FileAnalyzer.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // Analyzer for connections that transfer binary data.
 
 #ifndef FILEANALYZER_H
@@ -7,9 +5,7 @@
 
 #include "TCP.h"
 
-#ifdef HAVE_LIBMAGIC
 #include <magic.h>
-#endif
 
 class File_Analyzer : public TCP_ApplicationAnalyzer {
 public:
@@ -33,12 +29,10 @@ protected:
 	char buffer[BUFFER_SIZE];
 	int buffer_len;
 
-#ifdef HAVE_LIBMAGIC
 	static void InitMagic(magic_t* magic, int flags);
 
 	static magic_t magic;
 	static magic_t magic_mime;
-#endif
 };
 
 #endif
diff --git a/src/Finger.cc b/src/Finger.cc
index 3f617b1c05..be0f3754b5 100644
--- a/src/Finger.cc
+++ b/src/Finger.cc
@@ -1,5 +1,3 @@
-// $Id: Finger.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -9,7 +7,6 @@
 #include "NetVar.h"
 #include "Finger.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 #include "ContentLine.h"
 
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
@@ -42,7 +39,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 
 	if ( is_orig )
 		{
-		
+
 		if ( ! finger_request )
 			return;
 
@@ -87,5 +84,3 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		ConnectionEvent(finger_reply, vl);
 		}
 	}
-
-#include "finger-rw.bif.func_def"
diff --git a/src/Finger.h b/src/Finger.h
index 92fc5e6f82..3c61c4ad2a 100644
--- a/src/Finger.h
+++ b/src/Finger.h
@@ -1,5 +1,3 @@
-// $Id: Finger.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef finger_h
@@ -17,8 +15,6 @@ public:
 	virtual void Done();
 	// Line-based input.
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Finger_Analyzer(conn); }
diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc
index 4f94d7e4a8..fe6998ea79 100644
--- a/src/FlowSrc.cc
+++ b/src/FlowSrc.cc
@@ -1,5 +1,3 @@
-/// $Id: FlowSrc.cc 4621 2007-07-10 13:37:13Z bager $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 // Written by Bernhard Ager, TU Berlin (2006/2007).
@@ -77,7 +75,7 @@ int FlowSocketSrc::ExtractNextPDU()
 				(struct sockaddr*) &from, &fromlen);
 	if ( pdu_len < 0 )
 		{
-		run_time("problem reading NetFlow data from socket");
+		reporter->Error("problem reading NetFlow data from socket");
 		data = 0;
 		next_timestamp = -1.0;
 		closed = 1;
@@ -86,7 +84,7 @@ int FlowSocketSrc::ExtractNextPDU()
 
 	if ( fromlen != sizeof(from) )
 		{
-		run_time("malformed NetFlow PDU");
+		reporter->Error("malformed NetFlow PDU");
 		return 0;
 		}
 
@@ -171,7 +169,7 @@ int FlowFileSrc::ExtractNextPDU()
 
 	if ( pdu_header.pdu_length > NF_MAX_PKT_SIZE )
 		{
-		run_time("NetFlow packet too long");
+		reporter->Error("NetFlow packet too long");
 
 		// Safely skip over the too-long PDU.
 		if ( lseek(selectable_fd, pdu_header.pdu_length, SEEK_CUR) < 0 )
diff --git a/src/FlowSrc.h b/src/FlowSrc.h
index 3173badf66..7b0b14ad15 100644
--- a/src/FlowSrc.h
+++ b/src/FlowSrc.h
@@ -1,5 +1,3 @@
-// $Id: FlowSrc.h 4618 2007-07-09 18:12:32Z bager $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 // Written by Bernhard Ager, TU Berlin (2006/2007).
diff --git a/src/Frag.cc b/src/Frag.cc
index b8cc5b5776..b72fac4b16 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -1,5 +1,3 @@
-// $Id: Frag.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -24,7 +22,7 @@ void FragTimer::Dispatch(double t, int /* is_expire */)
 	if ( f )
 		f->Expire(t);
 	else
-		internal_error("fragment timer dispatched w/o reassembler");
+		reporter->InternalError("fragment timer dispatched w/o reassembler");
 	}
 
 FragReassembler::FragReassembler(NetSessions* arg_s,
@@ -209,7 +207,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
 			break;
 
 		if ( b->upper > n )
-			internal_error("bad fragment reassembly");
+			reporter->InternalError("bad fragment reassembly");
 
 		memcpy((void*) &pkt[b->seq], (const void*) b->block,
 			b->upper - b->seq);
diff --git a/src/Frag.h b/src/Frag.h
index ddd5f73144..92bf1b3bbd 100644
--- a/src/Frag.h
+++ b/src/Frag.h
@@ -1,5 +1,3 @@
-// $Id: Frag.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef frag_h
diff --git a/src/Frame.cc b/src/Frame.cc
index 4eeb7e1fcc..f86fa32805 100644
--- a/src/Frame.cc
+++ b/src/Frame.cc
@@ -1,5 +1,3 @@
-// $Id: Frame.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/Frame.h b/src/Frame.h
index 34a4f63f89..85e1dbec2e 100644
--- a/src/Frame.h
+++ b/src/Frame.h
@@ -1,5 +1,3 @@
-// $Id: Frame.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef frame_h
diff --git a/src/Func.cc b/src/Func.cc
index 5d71be2b0f..65cb22b09d 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -1,5 +1,3 @@
-// $Id: Func.cc 6703 2009-05-13 22:27:44Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -48,12 +46,26 @@
 #include "RemoteSerializer.h"
 #include "Event.h"
 #include "Traverse.h"
+#include "Reporter.h"
 
 extern	RETSIGTYPE sig_handler(int signo);
 
 const Expr* calling_expr = 0;
 bool did_builtin_init = false;
 
+vector<Func*> Func::unique_ids;
+
+Func::Func() : scope(0), id(0), return_value(0)
+	{
+	unique_id = unique_ids.size();
+	unique_ids.push_back(this);
+	}
+
+Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), id(0), return_value(0)
+	{
+	unique_id = unique_ids.size();
+	unique_ids.push_back(this);
+	}
 
 Func::~Func()
 	{
@@ -235,15 +247,19 @@ TraversalCode Func::Traverse(TraversalCallback* cb) const
 	}
 
 BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
-		int arg_frame_size)
+		int arg_frame_size, int priority)
 : Func(BRO_FUNC)
 	{
 	id = arg_id;
-	Body b;
-	b.stmts = AddInits(arg_body, aggr_inits);
-	b.priority = 0;
-	bodies.push_back(b);
 	frame_size = arg_frame_size;
+
+	if ( arg_body )
+		{
+		Body b;
+		b.stmts = AddInits(arg_body, aggr_inits);
+		b.priority = priority;
+		bodies.push_back(b);
+		}
 	}
 
 BroFunc::~BroFunc()
@@ -267,6 +283,15 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", id->Name());
 #endif
+	if ( ! bodies.size() ) 
+		{
+		// Can only happen for events.
+		assert(IsEvent());
+		loop_over_list(*args, i)
+			Unref((*args)[i]);
+		return 0 ;
+		}
+
 	SegmentProfiler(segment_logger, location);
 	Frame* f = new Frame(frame_size, this, args);
 
@@ -322,7 +347,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 	     (flow != FLOW_RETURN /* we fell off the end */ ||
 	      ! result /* explicit return with no result */) &&
 	     ! f->HasDelayed() )
-		warn("non-void function returns without a value:", id->Name());
+		reporter->Warning("non-void function returns without a value: %s", id->Name());
 
 	if ( result && g_trace_state.DoTrace() )
 		{
@@ -414,9 +439,9 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 
 	id = lookup_ID(name, GLOBAL_MODULE_NAME, false);
 	if ( ! id )
-		internal_error("built-in function %s missing", name);
+		reporter->InternalError("built-in function %s missing", name);
 	if ( id->HasVal() )
-		internal_error("built-in function %s multiply defined", name);
+		reporter->InternalError("built-in function %s multiply defined", name);
 
 	id->SetVal(new Val(this));
 	}
@@ -488,42 +513,44 @@ bool BuiltinFunc::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE_STR(&name, 0);
 	}
 
-void builtin_run_time(const char* msg, BroObj* arg)
+void builtin_error(const char* msg, BroObj* arg)
 	{
 	if ( calling_expr )
-		calling_expr->RunTime(msg, arg);
+		calling_expr->Error(msg, arg);
 	else
-		run_time(msg, arg);
+		reporter->Error(msg, arg);
 	}
 
+#include "bro.bif.func_h"
+#include "logging.bif.func_h"
+#include "reporter.bif.func_h"
+#include "strings.bif.func_h"
+
 #include "bro.bif.func_def"
+#include "logging.bif.func_def"
+#include "reporter.bif.func_def"
 #include "strings.bif.func_def"
 
 void init_builtin_funcs()
 	{
 	ftp_port = internal_type("ftp_port")->AsRecordType();
 	bro_resources = internal_type("bro_resources")->AsRecordType();
+	net_stats = internal_type("NetStats")->AsRecordType();
 	matcher_stats = internal_type("matcher_stats")->AsRecordType();
 	var_sizes = internal_type("var_sizes")->AsTableType();
 	gap_info = internal_type("gap_info")->AsRecordType();
 
 #include "bro.bif.func_init"
-
-#include "common-rw.bif.func_init"
-#include "finger-rw.bif.func_init"
-#include "ftp-rw.bif.func_init"
-#include "http-rw.bif.func_init"
-#include "ident-rw.bif.func_init"
-#include "smtp-rw.bif.func_init"
+#include "logging.bif.func_init"
+#include "reporter.bif.func_init"
 #include "strings.bif.func_init"
-#include "dns-rw.bif.func_init"
 
 	did_builtin_init = true;
 	}
 
 bool check_built_in_call(BuiltinFunc* f, CallExpr* call)
 	{
-	if ( f->TheFunc() != bro_fmt )
+	if ( f->TheFunc() != BifFunc::bro_fmt )
 		return true;
 
 	const expr_list& args = call->Args()->Exprs();
diff --git a/src/Func.h b/src/Func.h
index f82b9ee539..909b2a9802 100644
--- a/src/Func.h
+++ b/src/Func.h
@@ -1,5 +1,3 @@
-// $Id: Func.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef func_h
@@ -15,14 +13,14 @@ class FuncType;
 class Stmt;
 class Frame;
 class ID;
+class CallExpr;
 
 class Func : public BroObj {
 public:
 
 	enum Kind { BRO_FUNC, BUILTIN_FUNC };
 
-	Func(Kind arg_kind)
-		{ scope = 0; kind = arg_kind; id = 0; return_value = 0; }
+	Func(Kind arg_kind);
 
 	virtual ~Func();
 
@@ -36,7 +34,8 @@ public:
 			{ return priority > other.priority; } // reverse sort
 	};
 
-	virtual const vector<Body>& GetBodies() const	{ return bodies; }
+	const vector<Body>& GetBodies() const	{ return bodies; }
+	bool HasBodies() const	{ return bodies.size(); }
 
 	// virtual Val* Call(ListExpr* args) const = 0;
 	virtual Val* Call(val_list* args, Frame* parent = 0) const = 0;
@@ -68,8 +67,12 @@ public:
 	ID* GetReturnValueID() const;
 	virtual TraversalCode Traverse(TraversalCallback* cb) const;
 
+	uint32 GetUniqueFuncID() const { return unique_id; }
+	static Func* GetFuncPtrByID(uint32 id)
+		{ return id >= unique_ids.size() ? 0 : unique_ids[id]; }
+
 protected:
-	Func()	{ scope = 0; id = 0; return_value = 0; }
+	Func();
 
 	DECLARE_ABSTRACT_SERIAL(Func);
 
@@ -78,12 +81,14 @@ protected:
 	Kind kind;
 	ID* id;
 	ID* return_value;
+	uint32 unique_id;
+	static vector<Func*> unique_ids;
 };
 
 
 class BroFunc : public Func {
 public:
-	BroFunc(ID* id, Stmt* body, id_list* inits, int frame_size);
+	BroFunc(ID* id, Stmt* body, id_list* inits, int frame_size, int priority);
 	~BroFunc();
 
 	int IsPure() const;
@@ -130,7 +135,7 @@ protected:
 };
 
 
-extern void builtin_run_time(const char* msg, BroObj* arg = 0);
+extern void builtin_error(const char* msg, BroObj* arg = 0);
 extern void init_builtin_funcs();
 
 extern bool check_built_in_call(BuiltinFunc* f, CallExpr* call);
diff --git a/src/Gnutella.cc b/src/Gnutella.cc
index 01a10f2969..448c8dcb3b 100644
--- a/src/Gnutella.cc
+++ b/src/Gnutella.cc
@@ -1,18 +1,17 @@
-// $Id: Gnutella.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
 
 #include <ctype.h>
 
+#include <algorithm>
+
 #include "NetVar.h"
 #include "HTTP.h"
 #include "Gnutella.h"
 #include "Event.h"
 #include "PIA.h"
 
-
 GnutellaMsgState::GnutellaMsgState()
 	{
 	buffer = "";
@@ -238,7 +237,7 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 		vl->append(new StringVal(p->payload));
 		vl->append(new Val(p->payload_len, TYPE_COUNT));
 		vl->append(new Val((p->payload_len <
-				    min(p->msg_len, GNUTELLA_MAX_PAYLOAD)),
+				    min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)),
 				   TYPE_BOOL));
 		vl->append(new Val((p->payload_left == 0), TYPE_BOOL));
 
diff --git a/src/Gnutella.h b/src/Gnutella.h
index 74aed4523f..f06c816c90 100644
--- a/src/Gnutella.h
+++ b/src/Gnutella.h
@@ -1,5 +1,3 @@
-// $Id: Gnutella.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef gnutella_h
@@ -29,7 +27,7 @@ public:
 	u_char msg_type;
 	u_char msg_ttl;
 	char payload[GNUTELLA_MAX_PAYLOAD];
-	int payload_len;
+	unsigned int payload_len;
 	unsigned int payload_left;
 };
 
diff --git a/src/H3.h b/src/H3.h
index aeb0c0f38d..9e6f1c5c35 100644
--- a/src/H3.h
+++ b/src/H3.h
@@ -1,5 +1,3 @@
-// $Id: H3.h 3230 2006-06-08 02:19:25Z vern $
-
 // Copyright 2004, 2005
 // The Regents of the University of California
 // All Rights Reserved
@@ -52,15 +50,20 @@
 //     together to get the same result as hashing the full string.
 // Any number of hash functions can be created by creating new instances of H3,
 //     with the same or different template parameters.  The hash function is
-//     randomly generated using random(); you must call srandom() before the
-//     H3 constructor if you wish to seed it.
+//     randomly generated using bro_random(); you must call init_random_seed()
+//     before the H3 constructor if you wish to seed it.
 
 
 #ifndef H3_H
 #define H3_H
 
+#include <climits>
+
+// The number of values representable by a byte.
+#define H3_BYTE_RANGE (UCHAR_MAX+1)
+
 template<class T, int N> class H3 {
-    T byte_lookup[N][256];
+    T byte_lookup[N][H3_BYTE_RANGE];
 public:
     H3();
     ~H3() { free(byte_lookup); }
@@ -90,23 +93,23 @@ public:
 template<class T, int N>
 H3<T,N>::H3()
 {
-    T bit_lookup[N * 8];
+    T bit_lookup[N * CHAR_BIT];
 
-    for (size_t bit = 0; bit < N * 8; bit++) {
+    for (size_t bit = 0; bit < N * CHAR_BIT; bit++) {
 	bit_lookup[bit] = 0;
 	for (size_t i = 0; i < sizeof(T)/2; i++) {
 	    // assume random() returns at least 16 random bits
-	    bit_lookup[bit] = (bit_lookup[bit] << 16) | (random() & 0xFFFF);
+	    bit_lookup[bit] = (bit_lookup[bit] << 16) | (bro_random() & 0xFFFF);
 	}
     }
 
     for (size_t byte = 0; byte < N; byte++) {
-        for (unsigned val = 0; val < 256; val++) {
+        for (unsigned val = 0; val < H3_BYTE_RANGE; val++) {
             byte_lookup[byte][val] = 0;
-            for (size_t bit = 0; bit < 8; bit++) {
+            for (size_t bit = 0; bit < CHAR_BIT; bit++) {
 		// Does this mean byte_lookup[*][0] == 0? -RP
 	        if (val & (1 << bit))
-		    byte_lookup[byte][val] ^= bit_lookup[byte*8+bit];
+		    byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit];
             }
         }
     }
diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc
index 003d74d8e2..70cf37457b 100644
--- a/src/HTTP-binpac.cc
+++ b/src/HTTP-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "HTTP-binpac.h"
 #include "TCP_Reassembler.h"
 
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h
index 9352515dc8..62b6fd0db3 100644
--- a/src/HTTP-binpac.h
+++ b/src/HTTP-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef http_binpac_h
 #define http_binpac_h
 
diff --git a/src/HTTP.cc b/src/HTTP.cc
index 0cccf75103..b41933156d 100644
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@@ -1,5 +1,3 @@
-// $Id: HTTP.cc 7073 2010-09-13 00:45:02Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -7,25 +5,30 @@
 #include <ctype.h>
 #include <math.h>
 #include <stdlib.h>
+#include <string>
+#include <algorithm>
 
 #include "NetVar.h"
 #include "HTTP.h"
 #include "Event.h"
 #include "MIME.h"
-#include "TCP_Rewriter.h"
 
 const bool DEBUG_http = false;
 
+// The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a
+// message was interrupted.
 enum {
 	EXPECT_REQUEST_LINE,
 	EXPECT_REQUEST_MESSAGE,
 	EXPECT_REQUEST_TRAILER,
+	EXPECT_REQUEST_NOTHING,
 };
 
 enum {
 	EXPECT_REPLY_LINE,
 	EXPECT_REPLY_MESSAGE,
 	EXPECT_REPLY_TRAILER,
+	EXPECT_REPLY_NOTHING,
 };
 
 HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body)
@@ -40,9 +43,7 @@ HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity,
 	header_length = 0;
 	deliver_body = (http_entity_data != 0);
 	encoding = IDENTITY;
-#ifdef HAVE_LIBZ
 	zip = 0;
-#endif
 	}
 
 void HTTP_Entity::EndOfData()
@@ -50,7 +51,6 @@ void HTTP_Entity::EndOfData()
 	if ( DEBUG_http )
 		DEBUG_MSG("%.6f: end of data\n", network_time);
 
-#ifdef HAVE_LIBZ
 	if ( zip )
 		{
 		zip->Done();
@@ -58,7 +58,6 @@ void HTTP_Entity::EndOfData()
 		zip = 0;
 		encoding = IDENTITY;
 		}
-#endif
 
 	if ( body_length )
 		http_message->MyHTTP_Analyzer()->
@@ -85,7 +84,9 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
 
 	if ( in_header )
 		{
-		ASSERT(trailing_CRLF);
+		if ( ! trailing_CRLF )
+			http_message->MyHTTP_Analyzer()->Weird("http_no_crlf_in_header_list");
+
 		header_length += len;
 		MIME_Entity::Deliver(len, data, trailing_CRLF);
 		return;
@@ -174,7 +175,6 @@ private:
 
 void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF)
 	{
-#ifdef HAVE_LIBZ
 	if ( encoding == GZIP || encoding == DEFLATE )
 		{
 		ZIP_Analyzer::Method method =
@@ -193,7 +193,6 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF)
 		zip->NextStream(len, (const u_char*) data, false);
 		}
 	else
-#endif
 		DeliverBodyClear(len, data, trailing_CRLF);
 	}
 
@@ -223,11 +222,11 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, int trailing_CRLF)
 
 // Returns 1 if the undelivered bytes are completely within the body,
 // otherwise returns 0.
-int HTTP_Entity::Undelivered(int len)
+int HTTP_Entity::Undelivered(int64_t len)
 	{
 	if ( DEBUG_http )
 		{
-		DEBUG_MSG("Content gap %d, expect_data_length %d\n",
+		DEBUG_MSG("Content gap %" PRId64", expect_data_length %" PRId64 "\n",
 			  len, expect_data_length);
 		}
 
@@ -280,7 +279,7 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 		MIME_Entity::SubmitData(len, buf);
 	}
 
-void HTTP_Entity::SetPlainDelivery(int length)
+void HTTP_Entity::SetPlainDelivery(int64_t length)
 	{
 	ASSERT(length >= 0);
 	ASSERT(length == 0 || ! in_header);
@@ -299,7 +298,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
 		data_chunk_t vt = h->get_value_token();
 		if ( ! is_null_data_chunk(vt) )
 			{
-			int n;
+			int64_t n;
 			if ( atoi_n(vt.length, vt.data, 0, 10, n) )
 				content_length = n;
 			else
@@ -307,6 +306,67 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
 			}
 		}
 
+	// Figure out content-length for HTTP 206 Partial Content response
+	// that uses multipart/byteranges content-type.
+	else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() &&
+	          Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART &&
+		      http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 )
+		{
+		data_chunk_t vt = h->get_value_token();
+		string byte_unit(vt.data, vt.length);
+		vt = h->get_value_after_token();
+		string byte_range(vt.data, vt.length);
+		byte_range.erase(remove(byte_range.begin(), byte_range.end(), ' '),
+		                 byte_range.end());
+
+		if ( byte_unit != "bytes" )
+			{
+			http_message->Weird("HTTP_content_range_unknown_byte_unit");
+			return;
+			}
+
+		size_t p = byte_range.find("/");
+		if ( p == string::npos )
+			{
+			http_message->Weird("HTTP_content_range_cannot_parse");
+			return;
+			}
+
+		string byte_range_resp_spec = byte_range.substr(0, p);
+		string instance_length = byte_range.substr(p + 1);
+
+		p = byte_range_resp_spec.find("-");
+		if ( p == string::npos )
+			{
+			http_message->Weird("HTTP_content_range_cannot_parse");
+			return;
+			}
+
+		string first_byte_pos = byte_range_resp_spec.substr(0, p);
+		string last_byte_pos = byte_range_resp_spec.substr(p + 1);
+
+		if ( DEBUG_http )
+			DEBUG_MSG("Parsed Content-Range: %s %s-%s/%s\n", byte_unit.c_str(),
+		              first_byte_pos.c_str(), last_byte_pos.c_str(),
+		              instance_length.c_str());
+
+		int64_t f, l;
+		atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), 0, 10, f);
+		atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), 0, 10, l);
+		int64_t len = l - f + 1;
+
+		if ( DEBUG_http )
+			DEBUG_MSG("Content-Range length = %"PRId64"\n", len);
+
+		if ( len > 0 )
+			content_length = len;
+		else
+			{
+			http_message->Weird("HTTP_non_positive_content_range");
+			return;
+			}
+		}
+
 	else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 )
 		{
 		data_chunk_t vt = h->get_value_token();
@@ -384,9 +444,7 @@ void HTTP_Entity::SubmitAllHeaders()
 	// content-length headers or if connection is to be closed afterwards
 	// anyway.
 	else if ( http_message->MyHTTP_Analyzer()->IsConnectionClose ()
-#ifdef HAVE_LIBZ
 		  || encoding == GZIP || encoding == DEFLATE
-#endif
 		 )
 		{
 		// FIXME: Using INT_MAX is kind of a hack here.  Better
@@ -406,7 +464,7 @@ void HTTP_Entity::SubmitAllHeaders()
 
 HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
 				ContentLine_Analyzer* arg_cl, bool arg_is_orig,
-				int expect_body, int init_header_length)
+				int expect_body, int64_t init_header_length)
 : MIME_Message (arg_analyzer)
 	{
 	analyzer = arg_analyzer;
@@ -474,7 +532,7 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}
 	}
 
-int HTTP_Message::Undelivered(int len)
+int HTTP_Message::Undelivered(int64_t len)
 	{
 	if ( ! top_level )
 		return 0;
@@ -571,7 +629,7 @@ void HTTP_Message::SubmitData(int len, const char* buf)
 	{
 	if ( buf != (const char*) data_buffer->Bytes() + buffer_offset ||
 	     buffer_offset + len > buffer_size )
-		internal_error("buffer misalignment");
+		reporter->InternalError("buffer misalignment");
 
 	buffer_offset += len;
 	if ( buffer_offset >= buffer_size )
@@ -619,17 +677,17 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail)
 		break;
 
 	default:
-		internal_error("unrecognized HTTP message event");
+		reporter->InternalError("unrecognized HTTP message event");
 	}
 
 	MyHTTP_Analyzer()->HTTP_Event(category, detail);
 	}
 
-void HTTP_Message::SetPlainDelivery(int length)
+void HTTP_Message::SetPlainDelivery(int64_t length)
 	{
 	content_line->SetPlainDelivery(length);
 
-	if ( length > 0 && skip_http_data )
+	if ( length > 0 && BifConst::skip_http_data )
 		content_line->SkipBytesAfterThisLine(length);
 
 	if ( ! data_buffer )
@@ -698,7 +756,7 @@ void HTTP_Message::DeliverEntityData()
 	total_buffer_size = 0;
 	}
 
-int HTTP_Message::InitBuffer(int length)
+int HTTP_Message::InitBuffer(int64_t length)
 	{
 	if ( length <= 0 )
 		return 0;
@@ -851,7 +909,23 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					HTTP_Event("crud_trailing_HTTP_request",
 						   new_string_val(line, end_of_line));
 				else
-					ProtocolViolation("not a http request line");
+					{
+					// We do see HTTP requests with a
+					// trailing EOL that's not accounted
+					// for by the content-length. This
+					// will lead to a call to this method
+					// with len==0 while we are expecting
+					// a new request. Since HTTP servers
+					// handle such requests gracefully,
+					// we should do so as well.
+					if ( len == 0 )
+					    Weird("empty_http_request");
+					else
+						{
+						ProtocolViolation("not a http request line");
+						request_state = EXPECT_REQUEST_NOTHING;
+						}
+					}
 				}
 			break;
 
@@ -861,6 +935,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 		case EXPECT_REQUEST_TRAILER:
 			break;
+
+		case EXPECT_REQUEST_NOTHING:
+			break;
 		}
 		}
 	else
@@ -873,6 +950,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 				if ( unanswered_requests.empty() )
 					Weird("unmatched_HTTP_reply");
+				else
+					ProtocolConfirmation();
 
 				reply_state = EXPECT_REPLY_MESSAGE;
 				reply_ongoing = 1;
@@ -884,8 +963,11 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 						ExpectReplyMessageBody(),
 						len);
 				}
-		    else
+			else
+				{
 				ProtocolViolation("not a http reply line");
+				reply_state = EXPECT_REPLY_NOTHING;
+				}
 
 			break;
 
@@ -895,6 +977,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 		case EXPECT_REPLY_TRAILER:
 			break;
+
+		case EXPECT_REPLY_NOTHING:
+			break;
 		}
 		}
 	}
@@ -1042,6 +1127,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 		// HTTP methods for distributed authoring.
 		"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
 		"COPY", "MOVE", "LOCK", "UNLOCK",
+		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
 
 		"SEARCH",
 
@@ -1064,7 +1150,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	request_method = new StringVal(http_methods[i]);
 
 	if ( ! ParseRequest(rest, end_of_line) )
-		internal_error("HTTP ParseRequest failed");
+		reporter->InternalError("HTTP ParseRequest failed");
 
 	Conn()->Match(Rule::HTTP_REQUEST,
 			(const u_char*) unescaped_URI->AsString()->Bytes(),
@@ -1256,7 +1342,10 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg)
 
 	num_request_lines = 0;
 
-	request_state = EXPECT_REQUEST_LINE;
+	if ( interrupted )
+		request_state = EXPECT_REQUEST_NOTHING;
+	else
+		request_state = EXPECT_REQUEST_LINE;
 	}
 
 void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
@@ -1271,7 +1360,9 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 	if ( reply_message )
 		reply_message->Done(interrupted, msg);
 
-	if ( ! unanswered_requests.empty() )
+	// 1xx replies do not indicate the final response to a request,
+	// so don't pop an unanswered request in that case.
+	if ( (reply_code < 100 || reply_code >= 200) && ! unanswered_requests.empty() )
 		{
 		Unref(unanswered_requests.front());
 		unanswered_requests.pop();
@@ -1285,7 +1376,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		reply_reason_phrase = 0;
 		}
 
-	reply_state = EXPECT_REPLY_LINE;
+	if ( interrupted )
+		reply_state = EXPECT_REPLY_NOTHING;
+	else
+		reply_state = EXPECT_REPLY_LINE;
 	}
 
 void HTTP_Analyzer::RequestClash(Val* /* clash_val */)
@@ -1596,7 +1690,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */)
 	}
 
 void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message,
-		bool is_orig, int expect_body, int init_header_length)
+		bool is_orig, int expect_body, int64_t init_header_length)
 	{
 	if ( message )
 		{
@@ -1718,5 +1812,3 @@ BroString* unescape_URI(const u_char* line, const u_char* line_end,
 
 	return new BroString(1, decoded_URI, URI_p - decoded_URI);
 	}
-
-#include "http-rw.bif.func_def"
diff --git a/src/HTTP.h b/src/HTTP.h
index 2faa1791d1..00524da20d 100644
--- a/src/HTTP.h
+++ b/src/HTTP.h
@@ -1,5 +1,3 @@
-// $Id: HTTP.h 6942 2009-11-16 03:54:08Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef http_h
@@ -31,17 +29,15 @@ public:
 			int expect_body);
 	~HTTP_Entity()
 		{
-#ifdef HAVE_LIBZ
 		if ( zip )
 			{ zip->Done(); delete zip; }
-#endif
 		}
 
 	void EndOfData();
 	void Deliver(int len, const char* data, int trailing_CRLF);
-	int Undelivered(int len);
-	int BodyLength() const 		{ return body_length; }
-	int HeaderLength() const 	{ return header_length; }
+	int Undelivered(int64_t len);
+	int64_t BodyLength() const 		{ return body_length; }
+	int64_t HeaderLength() const 	{ return header_length; }
 	void SkipBody() 		{ deliver_body = 0; }
 
 protected:
@@ -50,16 +46,14 @@ protected:
 
 	HTTP_Message* http_message;
 	int chunked_transfer_state;
-	int content_length;
-	int expect_data_length;
+	int64_t content_length;
+	int64_t expect_data_length;
 	int expect_body;
-	int body_length;
-	int header_length;
+	int64_t body_length;
+	int64_t header_length;
 	int deliver_body;
 	enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
-#ifdef HAVE_LIBZ
 	ZIP_Analyzer* zip;
-#endif
 
 	MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
 
@@ -68,7 +62,7 @@ protected:
 
 	void SubmitData(int len, const char* buf);
 
-	void SetPlainDelivery(int length);
+	void SetPlainDelivery(int64_t length);
 
 	void SubmitHeader(MIME_Header* h);
 	void SubmitAllHeaders();
@@ -94,12 +88,12 @@ enum {
 class HTTP_Message : public MIME_Message {
 public:
 	HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl,
-			 bool is_orig, int expect_body, int init_header_length);
+			 bool is_orig, int expect_body, int64_t init_header_length);
 	~HTTP_Message();
 	void Done(const int interrupted, const char* msg);
 	void Done() { Done(0, "message ends normally"); }
 
-	int Undelivered(int len);
+	int Undelivered(int64_t len);
 
 	void BeginEntity(MIME_Entity* /* entity */);
 	void EndEntity(MIME_Entity* entity);
@@ -111,7 +105,7 @@ public:
 	void SubmitEvent(int event_type, const char* detail);
 
 	void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */);
-	void SetPlainDelivery(int length);
+	void SetPlainDelivery(int64_t length);
 	void SkipEntityData();
 
 	HTTP_Analyzer* MyHTTP_Analyzer() const
@@ -135,16 +129,16 @@ protected:
 
 	double start_time;
 
-	int body_length;	// total length of entity bodies
-	int header_length;	// total length of headers, including the request/reply line
+	int64_t body_length;	// total length of entity bodies
+	int64_t header_length;	// total length of headers, including the request/reply line
 
 	// Total length of content gaps that are "successfully" skipped.
 	// Note: this might NOT include all content gaps!
-	int content_gap_length;
+	int64_t content_gap_length;
 
 	HTTP_Entity* current_entity;
 
-	int InitBuffer(int length);
+	int InitBuffer(int64_t length);
 	void DeliverEntityData();
 
 	Val* BuildMessageStat(const int interrupted, const char* msg);
@@ -165,12 +159,13 @@ public:
 
 	void SkipEntityData(int is_orig);
 
+	int IsConnectionClose()		{ return connection_close; }
+	int HTTP_ReplyCode() const { return reply_code; };
+
 	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	// Overriden from TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
@@ -182,9 +177,10 @@ public:
 		{ return new HTTP_Analyzer(conn); }
 
 	static bool Available()
-		{ return (http_request || http_reply) && !FLAGS_use_binpac; }
-
-	int IsConnectionClose()		{ return connection_close; }
+		{ return (http_request || http_reply || http_header ||
+			http_all_headers || http_begin_entity || http_end_entity ||
+			http_content_type || http_entity_data || http_message_done ||
+			http_event || http_stats) && !FLAGS_use_binpac; }
 
 protected:
 	void GenStats();
@@ -193,7 +189,7 @@ protected:
 	int HTTP_ReplyLine(const char* line, const char* end_of_line);
 
 	void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
-				int expect_body, int init_header_length);
+				int expect_body, int64_t init_header_length);
 
 	const char* PrefixMatch(const char* line, const char* end_of_line,
 				const char* prefix);
diff --git a/src/Hash.cc b/src/Hash.cc
index ef8b2a61cf..7873e398c3 100644
--- a/src/Hash.cc
+++ b/src/Hash.cc
@@ -1,5 +1,3 @@
-// $Id: Hash.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 // The hash function works as follows:
@@ -21,202 +19,14 @@
 
 #include "Hash.h"
 
-// Define *one* of the following as the universal hash function family to use.
-
-// #define USE_DIETZFELBINGER	// TwoWise
-#define USE_H3
-// #define USE_UHASH_CW
-// #define USE_UMAC_NH
-
-int hash_cnt_all = 0, hash_cnt_uhash = 0;
-
-#if defined(USE_DIETZFELBINGER)
-
-#include "TwoWise.h"
-const TwoWise* two_wise = 0;
-
-#elif defined(USE_H3)
-
 #include "H3.h"
 const H3<hash_t, UHASH_KEY_SIZE>* h3;
 
-#elif defined(USE_UHASH_CW)
-
-// The Carter-Wegman family of universal hash functions.
-// f(x) = (sum(a_i * x_i) mod p) mod N
-// where p is a prime number between N and 2N.
-// Here N = 2^32.
-
-class UHashCW {
-	typedef uint32 word_t;
-public:
-	UHashCW(int arg_max_key_size)
-		{
-		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
-				sizeof(word_t);
-
-		a = new word_t[max_num_words + 1];
-		x = new word_t[max_num_words + 1];
-
-		for ( int i = 0; i < max_num_words + 1; ++i )
-			a[i] = rand32bit();
-
-		b = rand64bit();
-		}
-
-	~UHashCW()
-		{
-		delete [] a;
-		delete [] x;
-		}
-
-	uint32 hash(int len, const u_char* data) const
-		{
-		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
-		ASSERT(xlen <= max_num_words);
-
-		x[xlen] = 0;
-		x[xlen-1] = 0;	// pad with 0
-
-		memcpy(static_cast<void *>(x), data, len);
-
-		uint64 h = b;
-		for ( int i = 0; i < xlen; ++i )
-			h += (static_cast<uint64>(x[i]) * a[i]);
-
-		h += static_cast<uint64>(len) * a[xlen];
-
-		// h = h % kPrime
-		//
-		// Here we use a trick given that h is a Mersenne prime:
-		//
-		// Let K = 2^61. Let h = a * K + b.
-		// Thus, h = a * (K-1) + (a + b).
-
-		h = (h & kPrime) + (h >> 61);
-		if ( h >= kPrime )
-			h -= kPrime;
-
-		// h = h % 2^32
-		return static_cast<uint32>(0xffffffffUL & h);
-		}
-
-protected:
-	static const uint64 kPrime = (static_cast<uint64>(1) << 61) - 1;
-
-	int max_num_words;
-	word_t* a;
-	uint64 b;
-	word_t* x;
-};
-
-const UHashCW* uhash_cw = 0;
-
-#elif defined(USE_UMAC_NH)
-
-// Use the NH hash function proposed in UMAC.
-// (See http://www.cs.ucdavis.edu/~rogaway/umac/)
-//
-// Essentially, it is computed as:
-//
-//	H = (x_0 +_16 k_0) * (x_1 +_16 k_1) +
-//		(x_2 +_16 k_2) * (x_3 +_16 k_3) + ...
-//
-// where {k_i} are keys for universal hashing,
-// {x_i} are data words, and +_16 means plus mod 2^16.
-//
-// This is faster than UHASH_CW because no modulo operation
-// is needed.  But note that it is 2^-16 universal, while the
-// other universal functions are (almost) 2^-32 universal.
-//
-// Note: UMAC now has a code release under a BSD-like license, and we may want
-// to consider using it instead of our home-grown code.
-
-#ifndef DEBUG
-#error "UMAC/NH is experimental code."
-#endif
-
-class UMacNH {
-	// NH uses 16-bit words
-	typedef uint16 word_t;
-public:
-	UMacNH(int arg_max_key_size)
-		{
-		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
-				sizeof(word_t);
-
-		// Make max_num_words 2n+1
-		if ( max_num_words % 2 == 0 )
-			++max_num_words;
-
-		a = new word_t[max_num_words + 1];
-		x = new word_t[max_num_words + 1];
-
-		for ( int i = 0; i < max_num_words + 1; ++i )
-			a[i] = rand16bit();
-		}
-
-	~UMacNH()
-		{
-		delete [] a;
-		delete [] x;
-		}
-
-	uint32 hash(int len, const u_char* data) const
-		{
-		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
-		if ( xlen % 2 == 0 )
-			++xlen;
-
-		ASSERT(xlen <= max_num_words);
-
-		x[xlen] = len;
-		x[xlen-1] = 0;	// pad with 0
-		if ( xlen >= 2 )
-			x[xlen-2] = 0;
-
-		memcpy(static_cast<void *>(x), data, len);
-
-		uint32 h = 0;
-		for ( int i = 0; i <= xlen; i += 2 )
-			h += (static_cast<uint32>(x[i] + a[i]) *
-			      static_cast<uint32>(x[i+1] + a[i+1]));
-
-		return h;
-		}
-
-protected:
-	int max_num_words;
-	word_t* a;
-	word_t* x;
-};
-
-const UMacNH* umac_nh = 0;
-
-#else
-
-#ifdef DEBUG
-#error "No universal hash function is used."
-#endif
-
-#endif
-
 void init_hash_function()
 	{
 	// Make sure we have already called init_random_seed().
 	ASSERT(hmac_key_set);
-
-	// Both Dietzfelbinger and H3 use random() to generate keys
-	// -- is it strong enough?
-#if defined(USE_DIETZFELBINGER)
-	two_wise = new TwoWise((UHASH_KEY_SIZE + 3) >> 2);
-#elif defined(USE_H3)
 	h3 = new H3<hash_t, UHASH_KEY_SIZE>();
-#elif defined(USE_UHASH_CW)
-	uhash_cw = new UHashCW(UHASH_KEY_SIZE);
-#elif defined(USE_UMAC_NH)
-	umac_nh = new UMacNH(UHASH_KEY_SIZE);
-#endif
 	}
 
 HashKey::HashKey(bro_int_t i)
@@ -354,28 +164,14 @@ void* HashKey::CopyKey(const void* k, int s) const
 
 hash_t HashKey::HashBytes(const void* bytes, int size)
 	{
-	++hash_cnt_all;
-
 	if ( size <= UHASH_KEY_SIZE )
 		{
-		const uint8* b = reinterpret_cast<const uint8*>(bytes);
-		++hash_cnt_uhash;
-#if defined(USE_DIETZFELBINGER)
-		return two_wise->Hash(size, b);
-#elif defined(USE_H3)
 		// H3 doesn't check if size is zero
 		return ( size == 0 ) ? 0 : (*h3)(bytes, size);
-#elif defined(USE_UHASH_CW)
-		return uhash_cw->hash(size, b);
-#elif defined(USE_UMAC_NH)
-		return umac_nh->hash(size, b);
-#else
-		--hash_cnt_uhash;
-#endif
 		}
 
 	// Fall back to HMAC/MD5 for longer data (which is usually rare).
 	hash_t digest[16];
-	hmac_md5(size, (unsigned char*) bytes, (unsigned char*) digest);
+	hmac_md5(size, (const unsigned char*) bytes, (unsigned char*) digest);
 	return digest[0];
 	}
diff --git a/src/Hash.h b/src/Hash.h
index fa1f00f91f..3a1b42084c 100644
--- a/src/Hash.h
+++ b/src/Hash.h
@@ -1,5 +1,3 @@
-// $Id: Hash.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef hash_h
@@ -11,7 +9,7 @@
 
 #define UHASH_KEY_SIZE 32
 
-typedef unsigned int hash_t;
+typedef uint64 hash_t;
 
 typedef enum {
 	HASH_KEY_INT,
@@ -86,7 +84,6 @@ protected:
 	int size, hash;
 };
 
-extern int hash_cnt_all, hash_cnt_uhash;
 extern void init_hash_function();
 
 #endif
diff --git a/src/ICMP.cc b/src/ICMP.cc
index 1ec1d2901c..4511bb04a5 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -1,7 +1,7 @@
-// $Id: ICMP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "Net.h"
@@ -53,7 +53,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 
 	if ( ! ignore_checksums )
 	    {
-	    int chksum;
+	    int chksum = 0;
 
 #ifdef BROv6
 	    switch ( ip->NextProto() )
@@ -67,10 +67,10 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 			break;
 
 		default:
-		     internal_error("unexpected IP proto in ICMP analyzer");
+			reporter->InternalError("unexpected IP proto in ICMP analyzer");
 		}
 #else
-	    # Classic v4 version.
+	    // Classic v4 version.
 	    chksum = icmp_checksum(icmpp, len);
 #endif
 
@@ -96,10 +96,15 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 
 	if ( ip->NextProto() == IPPROTO_ICMP )
 		NextICMP4(current_timestamp, icmpp, len, caplen, data, ip);
+#ifdef BROv6
 	else
 		NextICMP6(current_timestamp, icmpp, len, caplen, data, ip);
+#endif
 
 
+	if ( caplen >= len )
+		ForwardPacket(len, data, is_orig, seq, ip, caplen);
+
 	if ( rule_matcher )
 		matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
 					false, false, true);
@@ -337,6 +342,7 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
 	return iprec;
 	}
 
+#ifdef BROv6
 RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
 	{
 	const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data);
@@ -407,6 +413,7 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
 
 	return iprec;
 	}
+#endif
 
 
 bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
@@ -435,6 +442,20 @@ void ICMP_Analyzer::Describe(ODesc* d) const
 	d->Add(dotted_addr(Conn()->RespAddr()));
 	}
 
+void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	UpdateEndpointVal(orig_endp, 1);
+	UpdateEndpointVal(resp_endp, 0);
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+	}
+
 void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
 	{
 	Conn()->EnableStatusUpdateTimer();
diff --git a/src/ICMP.h b/src/ICMP.h
index aed814d2b1..4d7b26270b 100644
--- a/src/ICMP.h
+++ b/src/ICMP.h
@@ -1,5 +1,3 @@
-// $Id: ICMP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef icmp_h
@@ -18,6 +16,8 @@ class ICMP_Analyzer : public TransportLayerAnalyzer {
 public:
 	ICMP_Analyzer(Connection* conn);
 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new ICMP_Analyzer(conn); }
 
@@ -30,7 +30,6 @@ protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
@@ -72,6 +71,9 @@ protected:
 	int request_len, reply_len;
 
 	RuleMatcherState matcher_state;
+
+private:
+	void UpdateEndpointVal(RecordVal* endp, int is_orig);
 };
 
 // Returns the counterpart type to the given type (e.g., the counterpart
diff --git a/src/ID.cc b/src/ID.cc
index c908a8c3c4..3f5c76ca1d 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -1,5 +1,3 @@
-// $Id: ID.cc 6724 2009-06-07 09:23:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -223,6 +221,7 @@ void ID::UpdateValAttrs()
 	if ( Type()->Tag() == TYPE_FUNC )
 		{
 		Attr* attr = attrs->FindAttr(ATTR_GROUP);
+
 		if ( attr )
 			{
 			Val* group = attr->AttrExpr()->ExprVal();
@@ -234,6 +233,30 @@ void ID::UpdateValAttrs()
 					Error("&group attribute takes string");
 				}
 			}
+
+		attr = attrs->FindAttr(ATTR_ERROR_HANDLER);
+
+		if ( attr )
+			event_registry->SetErrorHandler(Name());
+		}
+
+	if ( Type()->Tag() == TYPE_RECORD )
+		{
+		Attr* attr = attrs->FindAttr(ATTR_LOG);
+		if ( attr )
+			{
+			// Apply &log to all record fields.
+			RecordType* rt = Type()->AsRecordType();
+			for ( int i = 0; i < rt->NumFields(); ++i )
+				{
+				TypeDecl* fd = rt->FieldDecl(i);
+
+				if ( ! fd->attrs )
+					fd->attrs = new Attributes(new attr_list, rt->FieldType(i), true);
+
+				fd->attrs->AddAttr(new Attr(ATTR_LOG));
+				}
+			}
 		}
 	}
 
@@ -429,7 +452,7 @@ ID* ID::Unserialize(UnserialInfo* info)
 			break;
 
 		default:
-			internal_error("unknown type for UnserialInfo::id_policy");
+			reporter->InternalError("unknown type for UnserialInfo::id_policy");
 
 		}
 		}
@@ -533,7 +556,7 @@ bool ID::DoUnserialize(UnserialInfo* info)
 		}
 
 	if ( installed_tmp && ! global_scope()->Remove(name) )
-		internal_error("tmp id missing");
+		reporter->InternalError("tmp id missing");
 
 	return true;
 	}
@@ -607,6 +630,135 @@ void ID::DescribeExtended(ODesc* d) const
 		}
 	}
 
+void ID::DescribeReSTShort(ODesc* d) const
+	{
+	if ( is_type )
+		d->Add(":bro:type:`");
+	else
+		d->Add(":bro:id:`");
+
+	d->Add(name);
+	d->Add("`");
+
+	if ( type )
+		{
+		d->Add(": ");
+		d->Add(":bro:type:`");
+
+		if ( ! is_type && type->GetTypeID() )
+			d->Add(type->GetTypeID());
+		else
+			{
+			TypeTag t = type->Tag();
+
+			switch ( t ) {
+			case TYPE_TABLE:
+				d->Add(type->IsSet() ? "set" : type_name(t));
+				break;
+
+			case TYPE_FUNC:
+				d->Add(type->AsFuncType()->IsEvent() ? "event" : type_name(t));
+				break;
+
+			default:
+				d->Add(type_name(t));
+			}
+			}
+
+		d->Add("`");
+		}
+
+	if ( attrs )
+		{
+		d->SP();
+		attrs->DescribeReST(d);
+		}
+	}
+
+void ID::DescribeReST(ODesc* d, bool is_role) const
+	{
+	if ( is_role )
+		{
+		if ( is_type )
+			d->Add(":bro:type:`");
+		else
+			d->Add(":bro:id:`");
+		d->Add(name);
+		d->Add("`");
+		}
+	else
+		{
+		if ( is_type )
+			d->Add(".. bro:type:: ");
+		else
+			d->Add(".. bro:id:: ");
+		d->Add(name);
+		}
+
+	d->PushIndent();
+	d->NL();
+
+	if ( type )
+		{
+		d->Add(":Type: ");
+
+		if ( ! is_type && type->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(type->GetTypeID());
+			d->Add("`");
+			}
+		else
+			type->DescribeReST(d);
+
+		d->NL();
+		}
+
+	if ( attrs )
+		{
+		d->Add(":Attributes: ");
+		attrs->DescribeReST(d);
+		d->NL();
+		}
+
+	if ( val && type &&
+		type->Tag() != TYPE_FUNC &&
+		type->InternalType() != TYPE_INTERNAL_VOID )
+		{
+		d->Add(":Default:");
+
+		if ( type->InternalType() == TYPE_INTERNAL_OTHER )
+			{
+			switch ( type->Tag() ) {
+			case TYPE_TABLE:
+				if ( val->AsTable()->Length() == 0 )
+					{
+					d->Add(" ``{}``");
+					d->NL();
+					break;
+					}
+				// Fall-through.
+
+			default:
+				d->NL();
+				d->NL();
+				d->Add("::");
+				d->NL();
+				d->PushIndent();
+				val->DescribeReST(d);
+				d->PopIndent();
+			}
+			}
+
+		else
+			{
+			d->SP();
+			val->DescribeReST(d);
+			d->NL();
+			}
+		}
+	}
+
 #ifdef DEBUG
 void ID::UpdateValID()
 	{
diff --git a/src/ID.h b/src/ID.h
index f576232b0e..9c1f56e80f 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -1,5 +1,3 @@
-// $Id: ID.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef id_h
@@ -84,6 +82,9 @@ public:
 	void Describe(ODesc* d) const;
 	// Adds type and value to description.
 	void DescribeExtended(ODesc* d) const;
+	// Produces a description that's reST-ready.
+	void DescribeReST(ODesc* d, bool is_role=false) const;
+	void DescribeReSTShort(ODesc* d) const;
 
 	bool Serialize(SerialInfo* info) const;
 	static ID* Unserialize(UnserialInfo* info);
diff --git a/src/IOSource.cc b/src/IOSource.cc
index cc3ad8dbbd..d47007caad 100644
--- a/src/IOSource.cc
+++ b/src/IOSource.cc
@@ -1,10 +1,10 @@
-// $Id: IOSource.cc 4771 2007-08-11 05:50:24Z vern $
-
 #include <sys/types.h>
 #include <sys/time.h>
 #include <unistd.h>
 #include <assert.h>
 
+#include <algorithm>
+
 #include "util.h"
 #include "IOSource.h"
 
diff --git a/src/IOSource.h b/src/IOSource.h
index 53057f3583..db50bbd2a9 100644
--- a/src/IOSource.h
+++ b/src/IOSource.h
@@ -1,5 +1,3 @@
-// $Id: IOSource.h 6888 2009-08-20 18:23:11Z vern $
-//
 // Interface for classes providing/consuming data during Bro's main loop.
 
 #ifndef iosource_h
diff --git a/src/IP.h b/src/IP.h
index 4f76ef50ed..73ac4ee5c7 100644
--- a/src/IP.h
+++ b/src/IP.h
@@ -1,5 +1,3 @@
-// $Id: IP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ip_h
diff --git a/src/IRC.cc b/src/IRC.cc
index 78cc7b6edc..1918300ba2 100644
--- a/src/IRC.cc
+++ b/src/IRC.cc
@@ -1,5 +1,3 @@
-// $Id: IRC.cc 4582 2007-07-04 01:14:09Z vern $
-
 // An IRC analyzer contributed by Roland Gruber.
 
 #include <iostream>
@@ -33,8 +31,8 @@ bool IRC_Analyzer::Available()
 		{
 		// It's a lot of events, but for consistency with other
 		// analyzers we need to check for all of them.
-		avail = irc_client || irc_server || irc_request || irc_reply ||
-			irc_message || irc_enter_message || irc_quit_message ||
+		avail = irc_request || irc_reply ||
+			irc_message || irc_quit_message ||
 			irc_privmsg_message || irc_notice_message ||
 			irc_squery_message || irc_join_message ||
 			irc_part_message || irc_nick_message ||
@@ -97,28 +95,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 
 	if ( orig )
-		{
 		ProtocolConfirmation();
-		if ( irc_client )
-			{
-			val_list* vl = new val_list;
-			vl->append(BuildConnVal());
-			vl->append(new StringVal(prefix.c_str()));
-			vl->append(new StringVal(myline.c_str()));
-			ConnectionEvent(irc_client, vl);
-			}
-		}
-	else
-		{
-		if ( irc_server )
-			{
-			val_list* vl = new val_list;
-			vl->append(BuildConnVal());
-			vl->append(new StringVal(prefix.c_str()));
-			vl->append(new StringVal(myline.c_str()));
-			ConnectionEvent(irc_server, vl);
-			}
-		}
 
 	int code = 0;
 	string command = "";
@@ -260,6 +237,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new Val(users, TYPE_INT));
 			vl->append(new Val(services, TYPE_INT));
 			vl->append(new Val(servers, TYPE_INT));
@@ -296,6 +274,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(type.c_str()));
 			vl->append(new StringVal(channel.c_str()));
 
@@ -338,6 +317,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new Val(users, TYPE_INT));
 			vl->append(new Val(services, TYPE_INT));
 			vl->append(new Val(servers, TYPE_INT));
@@ -360,6 +340,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new Val(channels, TYPE_INT));
 
 			ConnectionEvent(irc_channel_info, vl);
@@ -392,6 +373,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(eop - prefix, prefix));
 			vl->append(new StringVal(++msg));
 			ConnectionEvent(irc_global_users, vl);
@@ -416,6 +398,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(parts[0].c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 			vl->append(new StringVal(parts[2].c_str()));
@@ -454,6 +437,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(parts[0].c_str()));
 
 			ConnectionEvent(irc_whois_operator_line, vl);
@@ -484,6 +468,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(nick.c_str()));
 			TableVal* set = new TableVal(string_set);
 			for ( unsigned int i = 0; i < parts.size(); ++i )
@@ -519,6 +504,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				val_list* vl = new val_list;
 
 				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
 				vl->append(new StringVal(parts[1].c_str()));
 
 				const char* t = topic.c_str();
@@ -552,6 +538,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(parts[0].c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 			if ( parts[2][0] == '~' )
@@ -579,6 +566,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				{
 				val_list* vl = new val_list;
 				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
 				ConnectionEvent(irc_invalid_nick, vl);
 				}
 			break;
@@ -590,6 +578,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				{
 				val_list* vl = new val_list;
 				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
 				vl->append(new Val(code == 381, TYPE_BOOL));
 				ConnectionEvent(irc_oper_response, vl);
 				}
@@ -599,6 +588,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		default:
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new Val(code, TYPE_COUNT));
 			vl->append(new StringVal(params.c_str()));
@@ -622,7 +612,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		return;
 		}
 
-	else if ( irc_privmsg_message && command == "PRIVMSG")
+	else if ( irc_privmsg_message || (irc_dcc_message && command == "PRIVMSG") )
 		{
 		unsigned int pos = params.find(' ');
 		if ( pos >= params.size() )
@@ -649,8 +639,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			vector<string> parts = SplitWords(message, ' ');
 			if ( parts.size() < 5 || parts.size() > 6 )
 				{
-				Weird("irc_invalid_dcc_message_format");
-				return;
+				// Turbo DCC extension appends a "T" at the end of handshake.
+				if ( ! (parts.size() == 7 && parts[6] == "T") )
+					{
+					Weird("irc_invalid_dcc_message_format");
+					return;
+					}
 				}
 
 			// Calculate IP address.
@@ -663,17 +657,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(target.c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 			vl->append(new StringVal(parts[2].c_str()));
 			vl->append(new AddrVal(htonl(raw_ip)));
-			vl->append(new Val(atoi(parts[4].c_str()), TYPE_INT));
-			if ( parts.size() == 6 )
+			vl->append(new Val(atoi(parts[4].c_str()), TYPE_COUNT));
+			if ( parts.size() >= 6 )
 				vl->append(new Val(atoi(parts[5].c_str()),
-							TYPE_INT));
+							TYPE_COUNT));
 			else
-				vl->append(new Val(0, TYPE_INT));
+				vl->append(new Val(0, TYPE_COUNT));
 
 			ConnectionEvent(irc_dcc_message, vl);
 			}
@@ -682,6 +677,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(target.c_str()));
 			vl->append(new StringVal(message.c_str()));
@@ -706,6 +702,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		vl->append(new StringVal(target.c_str()));
 		vl->append(new StringVal(message.c_str()));
@@ -729,6 +726,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		vl->append(new StringVal(target.c_str()));
 		vl->append(new StringVal(message.c_str()));
@@ -742,6 +740,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		vector<string> parts = SplitWords(params, ' ');
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 
 		if ( parts.size() > 0 )
 			vl->append(new StringVal(parts[0].c_str()));
@@ -777,6 +776,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(parts[0].c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 
@@ -799,6 +799,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		vl->append(new StringVal(parts[0].c_str()));
 		vl->append(new StringVal(parts[1].c_str()));
@@ -842,6 +843,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 
 		TableVal* list = new TableVal(irc_join_list);
 		vector<string> channels = SplitWords(parts[0], ',');
@@ -888,6 +890,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 
 		TableVal* list = new TableVal(irc_join_list);
 		string empty_string = "";
@@ -965,6 +968,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(nick.c_str()));
 		vl->append(set);
 		vl->append(new StringVal(message.c_str()));
@@ -988,6 +992,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(nickname.c_str()));
 		vl->append(new StringVal(message.c_str()));
 
@@ -1002,6 +1008,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		vl->append(new StringVal(nick.c_str()));
 
@@ -1027,6 +1034,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(parts[0].c_str()));
 		vl->append(new Val(oper, TYPE_BOOL));
 
@@ -1055,6 +1063,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(server.c_str()));
 		vl->append(new StringVal(users.c_str()));
 
@@ -1065,6 +1074,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		if ( params[0] == ':' )
 			params = params.substr(1);
@@ -1083,6 +1093,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(parts[0].c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
@@ -1099,6 +1110,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(params.c_str()));
 
@@ -1113,6 +1125,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(params.c_str()));
 		ConnectionEvent(irc_password_message, vl);
 		}
@@ -1133,6 +1146,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(prefix.c_str()));
 		vl->append(new StringVal(server.c_str()));
 		vl->append(new StringVal(message.c_str()));
@@ -1147,6 +1161,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(command.c_str()));
 			vl->append(new StringVal(params.c_str()));
@@ -1161,6 +1176,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
+			vl->append(new Val(orig, TYPE_BOOL));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(command.c_str()));
 			vl->append(new StringVal(params.c_str()));
@@ -1172,15 +1188,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	if ( orig_status == REGISTERED && resp_status == REGISTERED &&
 	     orig_zip_status == ACCEPT_ZIP && resp_zip_status == ACCEPT_ZIP )
 		{
-#ifdef HAVE_LIBZ
 		orig_zip_status = ZIP_LOADED;
 		resp_zip_status = ZIP_LOADED;
 		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true));
 		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false));
-#else
-		run_time("IRC analyzer lacking libz support");
-		Remove();
-#endif
 		}
 
 	return;
diff --git a/src/IRC.h b/src/IRC.h
index fb6e9869ae..0fe36957de 100644
--- a/src/IRC.h
+++ b/src/IRC.h
@@ -1,5 +1,3 @@
-// $Id: IRC.h 4582 2007-07-04 01:14:09Z vern $
-
 // An IRC analyzer contributed by Roland Gruber.
 
 #ifndef irc_h
diff --git a/src/Ident.cc b/src/Ident.cc
index d98c8891df..b2e82e5f12 100644
--- a/src/Ident.cc
+++ b/src/Ident.cc
@@ -1,5 +1,3 @@
-// $Id: Ident.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -9,7 +7,6 @@
 #include "NetVar.h"
 #include "Ident.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 
 Ident_Analyzer::Ident_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn)
@@ -74,7 +71,10 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			}
 
 		if ( line != end_of_line )
-			Weird("ident_request_addendum", length, orig_line);
+			{
+			BroString s((const u_char*)orig_line, length, true);
+			Weird("ident_request_addendum", s.CheckString());
+			}
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
@@ -234,17 +234,16 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
 
 void Ident_Analyzer::BadRequest(int length, const char* line)
 	{
-	Weird("bad_ident_request", length, line);
+	BroString s((const u_char*)line, length, true);
+	Weird("bad_ident_request", s.CheckString());
 	}
 
 void Ident_Analyzer::BadReply(int length, const char* line)
 	{
 	if ( ! did_bad_reply )
 		{
-		Weird("bad_ident_reply", length, line);
+		BroString s((const u_char*)line, length, true);
+		Weird("bad_ident_reply", s.CheckString());
 		did_bad_reply = 1;
 		}
 	}
-
-#include "ident-rw.bif.func_def"
-
diff --git a/src/Ident.h b/src/Ident.h
index 63bc64f560..a848d233e1 100644
--- a/src/Ident.h
+++ b/src/Ident.h
@@ -1,5 +1,3 @@
-// $Id: Ident.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ident_h
@@ -14,11 +12,6 @@ public:
 	virtual void Done();
 
 	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
-	virtual int RewritingTrace()
-		{
-		return rewriting_ident_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Ident_Analyzer(conn); }
diff --git a/src/IntSet.cc b/src/IntSet.cc
index a6c176f829..fb198f0e25 100644
--- a/src/IntSet.cc
+++ b/src/IntSet.cc
@@ -1,5 +1,3 @@
-// $Id: IntSet.cc 80 2004-07-14 20:15:50Z jason $
-
 #include "config.h"
 
 #ifdef HAVE_MEMORY_H
diff --git a/src/IntSet.h b/src/IntSet.h
index 412b06d418..ef58e8b12f 100644
--- a/src/IntSet.h
+++ b/src/IntSet.h
@@ -1,5 +1,3 @@
-// $Id: IntSet.h 80 2004-07-14 20:15:50Z jason $
-
 // A simple but fast data structure for sets of integers.
 // Only supported operations are insert, remove and membership test.
 //
diff --git a/src/InterConn.cc b/src/InterConn.cc
index 664982fd02..403081181a 100644
--- a/src/InterConn.cc
+++ b/src/InterConn.cc
@@ -1,5 +1,3 @@
-// $Id: InterConn.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/InterConn.h b/src/InterConn.h
index 1f9ee12f62..d9cd10de27 100644
--- a/src/InterConn.h
+++ b/src/InterConn.h
@@ -1,5 +1,3 @@
-// $Id: InterConn.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef interconn_h
diff --git a/src/List.cc b/src/List.cc
index 2a28d4ae00..9a1af3fe4f 100644
--- a/src/List.cc
+++ b/src/List.cc
@@ -1,5 +1,3 @@
-// $Id: List.cc 1905 2005-12-14 03:27:33Z vern $
-
 #include "config.h"
 
 #include <stdio.h>
diff --git a/src/List.h b/src/List.h
index 38afad35c9..bf87ade67d 100644
--- a/src/List.h
+++ b/src/List.h
@@ -1,5 +1,3 @@
-// $Id: List.h 463 2004-09-26 21:04:20Z vern $
-
 #ifndef list_h
 #define list_h
 
diff --git a/src/LogMgr.cc b/src/LogMgr.cc
new file mode 100644
index 0000000000..28e9a2ac1f
--- /dev/null
+++ b/src/LogMgr.cc
@@ -0,0 +1,1618 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <algorithm>
+
+#include "LogMgr.h"
+#include "Event.h"
+#include "EventHandler.h"
+#include "NetVar.h"
+#include "Net.h"
+
+#include "LogWriterAscii.h"
+#include "LogWriterNone.h"
+
+// Structure describing a log writer type.
+struct LogWriterDefinition {
+	bro_int_t type;			// The type.
+	const char *name;		// Descriptive name for error messages.
+	bool (*init)();			// An optional one-time initialization function.
+	LogWriter* (*factory)();	// A factory function creating instances.
+};
+
+// Static table defining all availabel log writers.
+LogWriterDefinition log_writers[] = {
+	{ BifEnum::Log::WRITER_NONE,  "None", 0, LogWriterNone::Instantiate },
+	{ BifEnum::Log::WRITER_ASCII, "Ascii", 0, LogWriterAscii::Instantiate },
+
+	// End marker, don't touch.
+	{ BifEnum::Log::WRITER_DEFAULT, "None", 0, (LogWriter* (*)())0 }
+};
+
+struct LogMgr::Filter {
+	string name;
+	EnumVal* id;
+	Func* pred;
+	Func* path_func;
+	string path;
+	Val* path_val;
+	EnumVal* writer;
+	bool local;
+	bool remote;
+	double interval;
+	Func* postprocessor;
+
+	int num_fields;
+	LogField** fields;
+
+	// Vector indexed by field number. Each element is a list of record
+	// indices defining a path leading to the value across potential
+	// sub-records.
+	vector<list<int> > indices;
+
+	~Filter();
+};
+
+struct LogMgr::WriterInfo {
+	EnumVal* type;
+	double open_time;
+	Timer* rotation_timer;
+	double interval;
+	Func* postprocessor;
+	LogWriter* writer;
+	};
+
+struct LogMgr::Stream {
+ 	EnumVal* id;
+	bool enabled;
+	string name;
+	RecordType* columns;
+	EventHandlerPtr event;
+	list<Filter*> filters;
+
+	typedef pair<int, string> WriterPathPair;
+
+	typedef map<WriterPathPair, WriterInfo*> WriterMap;
+
+	WriterMap writers;	// Writers indexed by id/path pair.
+
+	~Stream();
+	};
+
+bool LogField::Read(SerializationFormat* fmt)
+	{
+	int t;
+	int st;
+
+	bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type") && fmt->Read(&st, "subtype") );
+	type = (TypeTag) t;
+	subtype = (TypeTag) st;
+
+	return success;
+	}
+
+bool LogField::Write(SerializationFormat* fmt) const
+	{
+	return (fmt->Write(name, "name") && fmt->Write((int)type, "type") && fmt->Write((int)subtype, "subtype"));
+	}
+
+LogVal::~LogVal()
+	{
+	if ( (type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC)
+	     && present )
+		delete val.string_val;
+
+	if ( type == TYPE_TABLE && present )
+		{
+		for ( int i = 0; i < val.set_val.size; i++ )
+			delete val.set_val.vals[i];
+
+		delete [] val.set_val.vals;
+		}
+
+	if ( type == TYPE_VECTOR && present )
+		{
+		for ( int i = 0; i < val.vector_val.size; i++ )
+			delete val.vector_val.vals[i];
+
+		delete [] val.vector_val.vals;
+		}
+	}
+
+bool LogVal::IsCompatibleType(BroType* t, bool atomic_only)
+	{
+	if ( ! t )
+		return false;
+
+	switch ( t->Tag() )	{
+	case TYPE_BOOL:
+	case TYPE_INT:
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+	case TYPE_SUBNET:
+	case TYPE_ADDR:
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+	case TYPE_FUNC:
+		return true;
+
+	case TYPE_RECORD:
+		return ! atomic_only;
+
+	case TYPE_TABLE:
+		{
+		if ( atomic_only )
+			return false;
+
+		if ( ! t->IsSet() )
+			return false;
+
+		return IsCompatibleType(t->AsSetType()->Indices()->PureType(), true);
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( atomic_only )
+			return false;
+
+		return IsCompatibleType(t->AsVectorType()->YieldType(), true);
+		}
+
+	default:
+		return false;
+	}
+
+	return false;
+	}
+
+bool LogVal::Read(SerializationFormat* fmt)
+	{
+	int ty;
+
+	if ( ! (fmt->Read(&ty, "type") && fmt->Read(&present, "present")) )
+		return false;
+
+	type = (TypeTag)(ty);
+
+	if ( ! present )
+		return true;
+
+	switch ( type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		return fmt->Read(&val.int_val, "int");
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		return fmt->Read(&val.uint_val, "uint");
+
+	case TYPE_SUBNET:
+		{
+		uint32 net[4];
+		if ( ! (fmt->Read(&net[0], "net0") &&
+			fmt->Read(&net[1], "net1") &&
+			fmt->Read(&net[2], "net2") &&
+			fmt->Read(&net[3], "net3") &&
+			fmt->Read(&val.subnet_val.width, "width")) )
+			return false;
+
+#ifdef BROv6
+		val.subnet_val.net[0] = net[0];
+		val.subnet_val.net[1] = net[1];
+		val.subnet_val.net[2] = net[2];
+		val.subnet_val.net[3] = net[3];
+#else
+		val.subnet_val.net = net[0];
+#endif
+		return true;
+		}
+
+	case TYPE_ADDR:
+		{
+		uint32 addr[4];
+		if ( ! (fmt->Read(&addr[0], "addr0") &&
+			fmt->Read(&addr[1], "addr1") &&
+			fmt->Read(&addr[2], "addr2") &&
+			fmt->Read(&addr[3], "addr3")) )
+			return false;
+
+		val.addr_val[0] = addr[0];
+#ifdef BROv6
+		val.addr_val[1] = addr[1];
+		val.addr_val[2] = addr[2];
+		val.addr_val[3] = addr[3];
+#endif
+		return true;
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		return fmt->Read(&val.double_val, "double");
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+	case TYPE_FUNC:
+		{
+		val.string_val = new string;
+		return fmt->Read(val.string_val, "string");
+		}
+
+	case TYPE_TABLE:
+		{
+		if ( ! fmt->Read(&val.set_val.size, "set_size") )
+			return false;
+
+		val.set_val.vals = new LogVal* [val.set_val.size];
+
+		for ( int i = 0; i < val.set_val.size; ++i )
+			{
+			val.set_val.vals[i] = new LogVal;
+
+			if ( ! val.set_val.vals[i]->Read(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! fmt->Read(&val.vector_val.size, "vector_size") )
+			return false;
+
+		val.vector_val.vals = new LogVal* [val.vector_val.size];
+
+		for ( int i = 0; i < val.vector_val.size; ++i )
+			{
+			val.vector_val.vals[i] = new LogVal;
+
+			if ( ! val.vector_val.vals[i]->Read(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	default:
+		reporter->InternalError("unsupported type %s in LogVal::Write", type_name(type));
+	}
+
+	return false;
+	}
+
+bool LogVal::Write(SerializationFormat* fmt) const
+	{
+	if ( ! (fmt->Write((int)type, "type") &&
+		fmt->Write(present, "present")) )
+		return false;
+
+	if ( ! present )
+		return true;
+
+	switch ( type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		return fmt->Write(val.int_val, "int");
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		return fmt->Write(val.uint_val, "uint");
+
+	case TYPE_SUBNET:
+		{
+		uint32 net[4];
+#ifdef BROv6
+		net[0] = val.subnet_val.net[0];
+		net[1] = val.subnet_val.net[1];
+		net[2] = val.subnet_val.net[2];
+		net[3] = val.subnet_val.net[3];
+#else
+		net[0] = val.subnet_val.net;
+		net[1] = net[2] = net[3] = 0;
+#endif
+		return fmt->Write(net[0], "net0") &&
+			fmt->Write(net[1], "net1") &&
+			fmt->Write(net[2], "net2") &&
+			fmt->Write(net[3], "net3") &&
+			fmt->Write(val.subnet_val.width, "width");
+		}
+
+	case TYPE_ADDR:
+		{
+		uint32 addr[4];
+		addr[0] = val.addr_val[0];
+#ifdef BROv6
+		addr[1] = val.addr_val[1];
+		addr[2] = val.addr_val[2];
+		addr[3] = val.addr_val[3];
+#else
+		addr[1] = addr[2] = addr[3] = 0;
+#endif
+		return fmt->Write(addr[0], "addr0") &&
+			fmt->Write(addr[1], "addr1") &&
+			fmt->Write(addr[2], "addr2") &&
+			fmt->Write(addr[3], "addr3");
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		return fmt->Write(val.double_val, "double");
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+	case TYPE_FUNC:
+		return fmt->Write(*val.string_val, "string");
+
+	case TYPE_TABLE:
+		{
+		if ( ! fmt->Write(val.set_val.size, "set_size") )
+			return false;
+
+		for ( int i = 0; i < val.set_val.size; ++i )
+			{
+			if ( ! val.set_val.vals[i]->Write(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! fmt->Write(val.vector_val.size, "vector_size") )
+			return false;
+
+		for ( int i = 0; i < val.vector_val.size; ++i )
+			{
+			if ( ! val.vector_val.vals[i]->Write(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	default:
+		reporter->InternalError("unsupported type %s in LogVal::REad", type_name(type));
+	}
+
+	return false;
+	}
+
+LogMgr::Filter::~Filter()
+	{
+	for ( int i = 0; i < num_fields; ++i )
+		delete fields[i];
+
+	free(fields);
+
+	Unref(path_val);
+	}
+
+LogMgr::Stream::~Stream()
+	{
+	Unref(columns);
+
+	for ( WriterMap::iterator i = writers.begin(); i != writers.end(); i++ )
+		{
+		WriterInfo* winfo = i->second;
+
+		if ( ! winfo )
+			continue;
+
+		if ( winfo->rotation_timer )
+			timer_mgr->Cancel(winfo->rotation_timer);
+
+		Unref(winfo->type);
+		delete winfo->writer;
+		delete winfo;
+		}
+
+	for ( list<Filter*>::iterator f = filters.begin(); f != filters.end(); ++f )
+		delete *f;
+	}
+
+LogMgr::LogMgr()
+	{
+	}
+
+LogMgr::~LogMgr()
+	{
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		delete *s;
+	}
+
+LogMgr::Stream* LogMgr::FindStream(EnumVal* id)
+	{
+	unsigned int idx = id->AsEnum();
+
+	if ( idx >= streams.size() || ! streams[idx] )
+		return 0;
+
+	return streams[idx];
+	}
+
+LogMgr::WriterInfo* LogMgr::FindWriter(LogWriter* writer)
+	{
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		{
+		if ( ! *s )
+			continue;
+
+		for ( Stream::WriterMap::iterator i = (*s)->writers.begin(); i != (*s)->writers.end(); i++ )
+			{
+			WriterInfo* winfo = i->second;
+
+			if ( winfo && winfo->writer == writer )
+				return winfo;
+			}
+		}
+
+	return 0;
+	}
+
+void LogMgr::RemoveDisabledWriters(Stream* stream)
+	{
+	list<Stream::WriterPathPair> disabled;
+
+	for ( Stream::WriterMap::iterator j = stream->writers.begin(); j != stream->writers.end(); j++ )
+		{
+		if ( j->second && j->second->writer->Disabled() )
+			{
+			delete j->second;
+			disabled.push_back(j->first);
+			}
+		}
+
+	for ( list<Stream::WriterPathPair>::iterator j = disabled.begin(); j != disabled.end(); j++ )
+		stream->writers.erase(*j);
+	}
+
+bool LogMgr::CreateStream(EnumVal* id, RecordVal* sval)
+	{
+	RecordType* rtype = sval->Type()->AsRecordType();
+
+	if ( ! same_type(rtype, BifType::Record::Log::Stream, 0) )
+		{
+		reporter->Error("sval argument not of right type");
+		return false;
+		}
+
+	RecordType* columns = sval->Lookup(rtype->FieldOffset("columns"))
+		->AsType()->AsTypeType()->Type()->AsRecordType();
+
+	bool log_attr_present = false;
+
+	for ( int i = 0; i < columns->NumFields(); i++ )
+		{
+		if ( ! (columns->FieldDecl(i)->FindAttr(ATTR_LOG)) )
+		    continue;
+
+		if ( ! LogVal::IsCompatibleType(columns->FieldType(i)) )
+			{
+			reporter->Error("type of field '%s' is not support for logging output",
+				 columns->FieldName(i));
+
+			return false;
+			}
+
+		log_attr_present = true;
+		}
+
+	if ( ! log_attr_present )
+		{
+		reporter->Error("logged record type does not have any &log attributes");
+		return false;
+		}
+
+	Val* event_val = sval->Lookup(rtype->FieldOffset("ev"));
+	Func* event = event_val ? event_val->AsFunc() : 0;
+
+	if ( event )
+		{
+		// Make sure the event is prototyped as expected.
+		FuncType* etype = event->FType()->AsFuncType();
+
+		if ( ! etype->IsEvent() )
+			{
+			reporter->Error("stream event is a function, not an event");
+			return false;
+			}
+
+		const type_list* args = etype->ArgTypes()->Types();
+
+		if ( args->length() != 1 )
+			{
+			reporter->Error("stream event must take a single argument");
+			return false;
+			}
+
+		if ( ! same_type((*args)[0], columns) )
+			{
+			reporter->Error("stream event's argument type does not match column record type");
+			return new Val(0, TYPE_BOOL);
+			}
+		}
+
+	// Make sure the vector has an entries for all streams up to the one
+	// given.
+
+	unsigned int idx = id->AsEnum();
+
+	while ( idx >= streams.size() )
+		streams.push_back(0);
+
+	if ( streams[idx] )
+		// We already know this one, delete the previous definition.
+		delete streams[idx];
+
+	// Create new stream.
+	streams[idx] = new Stream;
+	streams[idx]->id = id->Ref()->AsEnumVal();
+	streams[idx]->enabled = true;
+	streams[idx]->name = id->Type()->AsEnumType()->Lookup(idx);
+	streams[idx]->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
+	streams[idx]->columns = columns->Ref()->AsRecordType();
+
+	DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s",
+		streams[idx]->name.c_str(), event ? streams[idx]->event->Name() : "<none>");
+
+	return true;
+	}
+
+bool LogMgr::EnableStream(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		return false;
+
+	if ( stream->enabled )
+		return true;
+
+	stream->enabled = true;
+
+	DBG_LOG(DBG_LOGGING, "Reenabled logging stream '%s'", stream->name.c_str());
+	return true;
+	}
+
+bool LogMgr::DisableStream(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	stream->enabled = false;
+
+	DBG_LOG(DBG_LOGGING, "Disabled logging stream '%s'", stream->name.c_str());
+	return true;
+	}
+
+// Helper for recursive record field unrolling.
+bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
+			    TableVal* include, TableVal* exclude, string path, list<int> indices)
+	{
+	for ( int i = 0; i < rt->NumFields(); ++i )
+		{
+		BroType* t = rt->FieldType(i);
+
+		// Ignore if &log not specified.
+		if ( ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) )
+			continue;
+
+		list<int> new_indices = indices;
+		new_indices.push_back(i);
+
+		// Build path name.
+		string new_path;
+
+		if ( ! path.size() )
+			new_path = rt->FieldName(i);
+		else
+			new_path = path + "." + rt->FieldName(i);
+
+		if ( t->InternalType() == TYPE_INTERNAL_OTHER )
+			{
+			if ( t->Tag() == TYPE_RECORD )
+				{
+				// Recurse.
+				if ( ! TraverseRecord(stream, filter,
+						      t->AsRecordType(),
+						      include,
+						      exclude,
+						      new_path,
+						      new_indices) )
+					return false;
+
+				continue;
+				}
+
+			else if ( t->Tag() == TYPE_TABLE &&
+				  t->AsTableType()->IsSet() )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else if ( t->Tag() == TYPE_VECTOR )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else if ( t->Tag() == TYPE_FILE )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else if ( t->Tag() == TYPE_FUNC )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else
+				{
+				reporter->Error("unsupported field type for log column");
+				return false;
+				}
+			}
+
+		// If include fields are specified, only include if explicitly listed.
+		if ( include )
+			{
+			StringVal* new_path_val = new StringVal(new_path.c_str());
+			bool result = include->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( ! result )
+				continue;
+			}
+
+		// If exclude fields are specified, do not only include if listed.
+		if ( exclude )
+			{
+			StringVal* new_path_val = new StringVal(new_path.c_str());
+			bool result = exclude->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( result )
+				continue;
+			}
+
+		// Alright, we want this field.
+
+		filter->indices.push_back(new_indices);
+
+		filter->fields = (LogField**)
+			realloc(filter->fields,
+				sizeof(LogField) * ++filter->num_fields);
+
+		if ( ! filter->fields )
+			{
+			reporter->Error("out of memory in add_filter");
+			return false;
+			}
+
+		LogField* field = new LogField();
+		field->name = new_path;
+		field->type = t->Tag();
+		if ( field->type == TYPE_TABLE ) 
+			{
+				field->subtype = t->AsSetType()->Indices()->PureType()->Tag();
+			} 
+		else if ( field->type == TYPE_VECTOR ) 
+			{
+				field->subtype = t->AsVectorType()->YieldType()->Tag();
+			}
+		filter->fields[filter->num_fields - 1] = field;
+		}
+
+	return true;
+	}
+
+bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval)
+	{
+	RecordType* rtype = fval->Type()->AsRecordType();
+
+	if ( ! same_type(rtype, BifType::Record::Log::Filter, 0) )
+		{
+		reporter->Error("filter argument not of right type");
+		return false;
+		}
+
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	// Find the right writer type.
+	int idx = rtype->FieldOffset("writer");
+	EnumVal* writer = fval->LookupWithDefault(idx)->AsEnumVal();
+
+	// Create a new Filter instance.
+
+	Val* name = fval->LookupWithDefault(rtype->FieldOffset("name"));
+	Val* pred = fval->LookupWithDefault(rtype->FieldOffset("pred"));
+	Val* path_func = fval->LookupWithDefault(rtype->FieldOffset("path_func"));
+	Val* log_local = fval->LookupWithDefault(rtype->FieldOffset("log_local"));
+	Val* log_remote = fval->LookupWithDefault(rtype->FieldOffset("log_remote"));
+	Val* interv = fval->LookupWithDefault(rtype->FieldOffset("interv"));
+	Val* postprocessor = fval->LookupWithDefault(rtype->FieldOffset("postprocessor"));
+
+	Filter* filter = new Filter;
+	filter->name = name->AsString()->CheckString();
+	filter->id = id->Ref()->AsEnumVal();
+	filter->pred = pred ? pred->AsFunc() : 0;
+	filter->path_func = path_func ? path_func->AsFunc() : 0;
+	filter->writer = writer->Ref()->AsEnumVal();
+	filter->local = log_local->AsBool();
+	filter->remote = log_remote->AsBool();
+	filter->interval = interv->AsInterval();
+	filter->postprocessor = postprocessor ? postprocessor->AsFunc() : 0;
+
+	Unref(name);
+	Unref(pred);
+	Unref(path_func);
+	Unref(log_local);
+	Unref(log_remote);
+	Unref(interv);
+	Unref(postprocessor);
+
+	// Build the list of fields that the filter wants included, including
+	// potentially rolling out fields.
+	Val* include = fval->Lookup(rtype->FieldOffset("include"));
+	Val* exclude = fval->Lookup(rtype->FieldOffset("exclude"));
+
+	filter->num_fields = 0;
+	filter->fields = 0;
+	if ( ! TraverseRecord(stream, filter, stream->columns,
+			      include ? include->AsTableVal() : 0,
+			      exclude ? exclude->AsTableVal() : 0,
+			      "", list<int>()) )
+		return false;
+
+	// Get the path for the filter.
+	Val* path_val = fval->Lookup(rtype->FieldOffset("path"));
+
+	if ( path_val )
+		{
+		filter->path = path_val->AsString()->CheckString();
+		filter->path_val = path_val->Ref();
+		}
+
+	else
+		{
+		// If no path is given, it's derived based upon the value returned by
+		// the first call to the filter's path_func (during first write).
+		filter->path_val = 0;
+		}
+
+	// Remove any filter with the same name we might already have.
+	RemoveFilter(id, filter->name);
+
+	// Add the new one.
+	stream->filters.push_back(filter);
+
+#ifdef DEBUG
+	ODesc desc;
+	writer->Describe(&desc);
+
+	DBG_LOG(DBG_LOGGING, "Created new filter '%s' for stream '%s'",
+		filter->name.c_str(), stream->name.c_str());
+
+	DBG_LOG(DBG_LOGGING, "   writer    : %s", desc.Description());
+	DBG_LOG(DBG_LOGGING, "   path      : %s", filter->path.c_str());
+	DBG_LOG(DBG_LOGGING, "   path_func : %s", (filter->path_func ? "set" : "not set"));
+	DBG_LOG(DBG_LOGGING, "   pred      : %s", (filter->pred ? "set" : "not set"));
+
+	for ( int i = 0; i < filter->num_fields; i++ )
+		{
+		LogField* field = filter->fields[i];
+		DBG_LOG(DBG_LOGGING, "   field %10s: %s",
+			field->name.c_str(), type_name(field->type));
+		}
+#endif
+
+	return true;
+	}
+
+bool LogMgr::RemoveFilter(EnumVal* id, StringVal* name)
+	{
+	return RemoveFilter(id, name->AsString()->CheckString());
+	}
+
+bool LogMgr::RemoveFilter(EnumVal* id, string name)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	for ( list<Filter*>::iterator i = stream->filters.begin();
+	      i != stream->filters.end(); ++i )
+		{
+		if ( (*i)->name == name )
+			{
+			Filter* filter = *i;
+			stream->filters.erase(i);
+			DBG_LOG(DBG_LOGGING, "Removed filter '%s' from stream '%s'",
+				filter->name.c_str(), stream->name.c_str());
+			delete filter;
+			return true;
+			}
+		}
+
+	// If we don't find the filter, we don't treat that as an error.
+	DBG_LOG(DBG_LOGGING, "No filter '%s' for removing from stream '%s'",
+		name.c_str(), stream->name.c_str());
+
+	return true;
+	}
+
+bool LogMgr::Write(EnumVal* id, RecordVal* columns)
+	{
+	bool error = false;
+
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	columns = columns->CoerceTo(stream->columns);
+
+	if ( ! columns )
+		{
+		reporter->Error("incompatible log record type");
+		return false;
+		}
+
+	// Raise the log event.
+	if ( stream->event )
+		{
+		val_list* vl = new val_list(1);
+		vl->append(columns->Ref());
+		mgr.QueueEvent(stream->event, vl, SOURCE_LOCAL);
+		}
+
+	// Send to each of our filters.
+	for ( list<Filter*>::iterator i = stream->filters.begin();
+	      i != stream->filters.end(); ++i )
+		{
+		Filter* filter = *i;
+		string path = filter->path;
+
+		if ( filter->pred )
+			{
+			// See whether the predicates indicates that we want
+			// to log this record.
+			val_list vl(1);
+			vl.append(columns->Ref());
+
+			int result = 1;
+
+			try
+				{
+				Val* v = filter->pred->Call(&vl);
+				result = v->AsBool();
+				Unref(v);
+				}
+
+			catch ( InterpreterException& e )
+				{ /* Already reported. */ }
+
+			if ( ! result )
+				continue;
+			}
+
+		if ( filter->path_func )
+			{
+			val_list vl(3);
+			vl.append(id->Ref());
+
+			Val* path_arg;
+			if ( filter->path_val )
+				path_arg = filter->path_val;
+			else
+				path_arg = new StringVal("");
+
+			vl.append(path_arg->Ref());
+
+			Val* rec_arg;
+			BroType* rt = filter->path_func->FType()->Args()->FieldType("rec");
+
+			if ( rt->Tag() == TYPE_RECORD )
+				rec_arg = columns->CoerceTo(rt->AsRecordType(), true);
+			else
+				// Can be TYPE_ANY here.
+				rec_arg = columns->Ref();
+
+			vl.append(rec_arg);
+
+			Val* v = 0;
+
+			try
+				{
+				v = filter->path_func->Call(&vl);
+				}
+
+			catch ( InterpreterException& e )
+				{
+				return false;
+				}
+
+			if ( ! v->Type()->Tag() == TYPE_STRING )
+				{
+				reporter->Error("path_func did not return string");
+				Unref(v);
+				return false;
+				}
+
+			if ( ! filter->path_val )
+				{
+				Unref(path_arg);
+				filter->path = v->AsString()->CheckString();
+				filter->path_val = v->Ref();
+				}
+
+			path = v->AsString()->CheckString();
+			Unref(v);
+
+#ifdef DEBUG
+			DBG_LOG(DBG_LOGGING, "Path function for filter '%s' on stream '%s' return '%s'",
+				filter->name.c_str(), stream->name.c_str(), path.c_str());
+#endif
+			}
+
+		// See if we already have a writer for this path.
+		Stream::WriterMap::iterator w =
+			stream->writers.find(Stream::WriterPathPair(filter->writer->AsEnum(), path));
+
+		LogWriter* writer = 0;
+
+		if ( w != stream->writers.end() )
+			// We know this writer already.
+			writer = w->second ? w->second->writer : 0;
+
+		else
+			{
+			// No, need to create one.
+
+			// Copy the fields for LogWriter::Init() as it will take
+			// ownership.
+			LogField** arg_fields = new LogField*[filter->num_fields];
+
+			for ( int j = 0; j < filter->num_fields; ++j )
+				arg_fields[j] = new LogField(*filter->fields[j]);
+
+			if ( filter->remote )
+				remote_serializer->SendLogCreateWriter(stream->id,
+								       filter->writer,
+								       path,
+								       filter->num_fields,
+								       arg_fields);
+
+			if ( filter->local )
+				{
+				writer = CreateWriter(stream->id, filter->writer,
+						      path, filter->num_fields,
+						      arg_fields);
+
+				if ( ! writer )
+					{
+					Unref(columns);
+					return false;
+					}
+				}
+			else
+				{
+				// Insert a null pointer into the map to make
+				// sure we don't try creating it again.
+				stream->writers.insert(Stream::WriterMap::value_type(
+				Stream::WriterPathPair(filter->writer->AsEnum(), path), 0));
+
+				for( int i = 0; i < filter->num_fields; ++i)
+					delete arg_fields[i];
+
+				delete [] arg_fields;
+				}
+			}
+
+		// Alright, can do the write now.
+
+		if ( filter->local || filter->remote )
+			{
+			LogVal** vals = RecordToFilterVals(stream, filter, columns);
+
+			if ( filter->remote )
+				remote_serializer->SendLogWrite(stream->id,
+								filter->writer,
+								path,
+								filter->num_fields,
+								vals);
+
+			if ( filter->local )
+				{
+				assert(writer);
+
+				// Write takes ownership of vals.
+				if ( ! writer->Write(filter->num_fields, vals) )
+					error = true;
+				}
+
+			else
+				DeleteVals(filter->num_fields, vals);
+
+			}
+
+
+#ifdef DEBUG
+		DBG_LOG(DBG_LOGGING, "Wrote record to filter '%s' on stream '%s'",
+			filter->name.c_str(), stream->name.c_str());
+#endif
+		}
+
+	Unref(columns);
+
+	if ( error )
+		RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+LogVal* LogMgr::ValToLogVal(Val* val, BroType* ty)
+	{
+	if ( ! ty )
+		ty = val->Type();
+
+	if ( ! val )
+		return new LogVal(ty->Tag(), false);
+
+	LogVal* lval = new LogVal(ty->Tag());
+
+	switch ( lval->type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		lval->val.int_val = val->InternalInt();
+		break;
+
+	case TYPE_ENUM:
+		{
+		const char* s =
+			val->Type()->AsEnumType()->Lookup(val->InternalInt());
+
+		lval->val.string_val = new string(s);
+		break;
+		}
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+		lval->val.uint_val = val->InternalUnsigned();
+		break;
+
+	case TYPE_PORT:
+		lval->val.uint_val = val->AsPortVal()->Port();
+		break;
+
+	case TYPE_SUBNET:
+		lval->val.subnet_val = *val->AsSubNet();
+		break;
+
+	case TYPE_ADDR:
+		{
+		addr_type t = val->AsAddr();
+#ifdef BROv6
+		copy_addr(t, lval->val.addr_val);
+#else
+		copy_addr(&t, lval->val.addr_val);
+#endif
+		break;
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		lval->val.double_val = val->InternalDouble();
+		break;
+
+	case TYPE_STRING:
+		{
+		const BroString* s = val->AsString();
+		lval->val.string_val =
+			new string((const char*) s->Bytes(), s->Len());
+		break;
+		}
+
+	case TYPE_FILE:
+		{
+		const BroFile* f = val->AsFile();
+		lval->val.string_val = new string(f->Name());
+		break;
+		}
+
+	case TYPE_FUNC:
+		{
+		ODesc d;
+		const Func* f = val->AsFunc();
+		f->Describe(&d);
+		lval->val.string_val = new string(d.Description());
+		break;
+		}
+
+	case TYPE_TABLE:
+		{
+		ListVal* set = val->AsTableVal()->ConvertToPureList();
+		if ( ! set )
+			// ConvertToPureList has reported an internal warning
+			// already. Just keep going by making something up.
+			set = new ListVal(TYPE_INT);
+
+		lval->val.set_val.size = set->Length();
+		lval->val.set_val.vals = new LogVal* [lval->val.set_val.size];
+
+		for ( int i = 0; i < lval->val.set_val.size; i++ )
+			lval->val.set_val.vals[i] = ValToLogVal(set->Index(i));
+
+		Unref(set);
+		break;
+		}
+
+	case TYPE_VECTOR:
+		{
+		VectorVal* vec = val->AsVectorVal();
+		lval->val.vector_val.size = vec->Size();
+		lval->val.vector_val.vals =
+			new LogVal* [lval->val.vector_val.size];
+
+		for ( int i = 0; i < lval->val.vector_val.size; i++ )
+			{
+			lval->val.vector_val.vals[i] =
+				ValToLogVal(vec->Lookup(i),
+					    vec->Type()->YieldType());
+			}
+
+		break;
+		}
+
+	default:
+		reporter->InternalError("unsupported type for log_write");
+	}
+
+	return lval;
+	}
+
+LogVal** LogMgr::RecordToFilterVals(Stream* stream, Filter* filter,
+				    RecordVal* columns)
+	{
+	LogVal** vals = new LogVal*[filter->num_fields];
+
+	for ( int i = 0; i < filter->num_fields; ++i )
+		{
+		TypeTag type = TYPE_ERROR;
+		Val* val = columns;
+
+		// For each field, first find the right value, which can
+		// potentially be nested inside other records.
+		list<int>& indices = filter->indices[i];
+
+		for ( list<int>::iterator j = indices.begin(); j != indices.end(); ++j )
+			{
+			type = val->Type()->AsRecordType()->FieldType(*j)->Tag();
+			val = val->AsRecordVal()->Lookup(*j);
+
+			if ( ! val )
+				{
+				// Value, or any of its parents, is not set.
+				vals[i] = new LogVal(filter->fields[i]->type, false);
+				break;
+				}
+			}
+
+		if ( val )
+			vals[i] = ValToLogVal(val);
+		}
+
+	return vals;
+	}
+
+LogWriter* LogMgr::CreateWriter(EnumVal* id, EnumVal* writer, string path,
+				int num_fields, LogField** fields)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		// Don't know this stream.
+		return false;
+
+	Stream::WriterMap::iterator w =
+		stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), path));
+
+	if ( w != stream->writers.end() && w->second )
+		// If we already have a writer for this. That's fine, we just
+		// return it.
+		return w->second->writer;
+
+	// Need to instantiate a new writer.
+
+	LogWriterDefinition* ld = log_writers;
+
+	while ( true )
+		{
+		if ( ld->type == BifEnum::Log::WRITER_DEFAULT )
+			{
+			reporter->Error("unknow writer when creating writer");
+			return 0;
+			}
+
+		if ( ld->type == writer->AsEnum() )
+			break;
+
+		if ( ! ld->factory )
+			// Oops, we can't instantiate this guy.
+			return 0;
+
+		// If the writer has an init function, call it.
+		if ( ld->init )
+			{
+			if ( (*ld->init)() )
+				// Clear the init function so that we won't
+				// call it again later.
+				ld->init = 0;
+			else
+				// Init failed, disable by deleting factory
+				// function.
+				ld->factory = 0;
+
+			DBG_LOG(DBG_LOGGING, "failed to init writer class %s",
+				ld->name);
+
+			return false;
+			}
+
+		++ld;
+		}
+
+	assert(ld->factory);
+	LogWriter* writer_obj = (*ld->factory)();
+
+	if ( ! writer_obj->Init(path, num_fields, fields) )
+		{
+		DBG_LOG(DBG_LOGGING, "failed to init instance of writer %s",
+			ld->name);
+
+		return 0;
+		}
+
+	WriterInfo* winfo = new WriterInfo;
+	winfo->type = writer->Ref()->AsEnumVal();
+	winfo->writer = writer_obj;
+	winfo->open_time = network_time;
+	winfo->rotation_timer = 0;
+	winfo->interval = 0;
+	winfo->postprocessor = 0;
+
+	// Search for a corresponding filter for the writer/path pair and use its
+	// rotation settings.  If no matching filter is found, fall back on
+	// looking up the logging framework's default rotation interval.
+	bool found_filter_match = false;
+	list<Filter*>::const_iterator it;
+
+	for ( it = stream->filters.begin(); it != stream->filters.end(); ++it )
+		{
+		Filter* f = *it;
+		if ( f->writer->AsEnum() == writer->AsEnum() &&
+		     f->path == winfo->writer->Path() )
+			{
+			found_filter_match = true;
+			winfo->interval = f->interval;
+			winfo->postprocessor = f->postprocessor;
+			break;
+			}
+		}
+
+	if ( ! found_filter_match )
+		{
+		ID* id = global_scope()->Lookup("Log::default_rotation_interval");
+		assert(id);
+		winfo->interval = id->ID_Val()->AsInterval();
+		}
+
+	InstallRotationTimer(winfo);
+
+	stream->writers.insert(
+		Stream::WriterMap::value_type(Stream::WriterPathPair(writer->AsEnum(), path),
+		winfo));
+
+	return writer_obj;
+	}
+
+void LogMgr::DeleteVals(int num_fields, LogVal** vals)
+	{
+	for ( int i = 0; i < num_fields; i++ )
+		delete vals[i];
+
+	delete [] vals;
+	}
+
+bool LogMgr::Write(EnumVal* id, EnumVal* writer, string path, int num_fields,
+		   LogVal** vals)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		{
+		// Don't know this stream.
+#ifdef DEBUG
+		ODesc desc;
+		id->Describe(&desc);
+		DBG_LOG(DBG_LOGGING, "unknown stream %s in LogMgr::Write()",
+			desc.Description());
+#endif
+		DeleteVals(num_fields, vals);
+		return false;
+		}
+
+	if ( ! stream->enabled )
+		{
+		DeleteVals(num_fields, vals);
+		return true;
+		}
+
+	Stream::WriterMap::iterator w =
+		stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), path));
+
+	if ( w == stream->writers.end() )
+		{
+		// Don't know this writer.
+#ifdef DEBUG
+		ODesc desc;
+		id->Describe(&desc);
+		DBG_LOG(DBG_LOGGING, "unknown writer %s in LogMgr::Write()",
+			desc.Description());
+#endif
+		DeleteVals(num_fields, vals);
+		return false;
+		}
+
+	bool success = (w->second ? w->second->writer->Write(num_fields, vals) : true);
+
+	DBG_LOG(DBG_LOGGING,
+		"Wrote pre-filtered record to path '%s' on stream '%s' [%s]",
+		path.c_str(), stream->name.c_str(), (success ? "ok" : "error"));
+
+	return success;
+	}
+
+void LogMgr::SendAllWritersTo(RemoteSerializer::PeerID peer)
+	{
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		{
+		Stream* stream = (*s);
+
+		if ( ! stream )
+			continue;
+
+		for ( Stream::WriterMap::iterator i = stream->writers.begin();
+		      i != stream->writers.end(); i++ )
+			{
+			if ( ! i->second )
+				continue;
+
+			LogWriter* writer = i->second->writer;
+
+			EnumVal writer_val(i->first.first, BifType::Enum::Log::Writer);
+			remote_serializer->SendLogCreateWriter(peer, (*s)->id,
+							       &writer_val,
+							       i->first.second,
+							       writer->NumFields(),
+							       writer->Fields());
+			}
+		}
+	}
+
+bool LogMgr::SetBuf(EnumVal* id, bool enabled)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	for ( Stream::WriterMap::iterator i = stream->writers.begin();
+	      i != stream->writers.end(); i++ )
+		{
+		if ( i->second )
+			i->second->writer->SetBuf(enabled);
+		}
+
+	RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+bool LogMgr::Flush(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	for ( Stream::WriterMap::iterator i = stream->writers.begin();
+	      i != stream->writers.end(); i++ )
+		{
+		if ( i->second )
+			i->second->writer->Flush();
+		}
+
+	RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+void LogMgr::Error(LogWriter* writer, const char* msg)
+	{
+	reporter->Error("error with writer for %s: %s",
+		     writer->Path().c_str(), msg);
+	}
+
+// Timer which on dispatching rotates the filter.
+class RotationTimer : public Timer {
+public:
+	RotationTimer(double t, LogMgr::WriterInfo* arg_winfo, bool arg_rotate)
+		: Timer(t, TIMER_ROTATE)
+			{
+			winfo = arg_winfo;
+			rotate = arg_rotate;
+			}
+
+	~RotationTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	LogMgr::WriterInfo* winfo;
+	bool rotate;
+};
+
+RotationTimer::~RotationTimer()
+	{
+	if ( winfo->rotation_timer == this )
+		winfo->rotation_timer = 0;
+	}
+
+void RotationTimer::Dispatch(double t, int is_expire)
+	{
+	winfo->rotation_timer = 0;
+
+	if ( rotate )
+		log_mgr->Rotate(winfo);
+
+	if ( ! is_expire )
+		{
+		winfo->open_time = network_time;
+		log_mgr->InstallRotationTimer(winfo);
+		}
+	}
+
+void LogMgr::InstallRotationTimer(WriterInfo* winfo)
+	{
+	if ( terminating )
+		return;
+
+	if ( winfo->rotation_timer )
+		{
+		timer_mgr->Cancel(winfo->rotation_timer);
+		winfo->rotation_timer = 0;
+		}
+
+	double rotation_interval = winfo->interval;
+
+	if ( rotation_interval )
+		{
+		// When this is called for the first time, network_time can still be
+		// zero. If so, we set a timer which fires immediately but doesn't
+		// rotate when it expires.
+		if ( ! network_time )
+			winfo->rotation_timer = new RotationTimer(1, winfo, false);
+		else
+			{
+			if ( ! winfo->open_time )
+				winfo->open_time = network_time;
+
+			const char* base_time = log_rotate_base_time ?
+				log_rotate_base_time->AsString()->CheckString() : 0;
+
+			double delta_t =
+				calc_next_rotate(rotation_interval, base_time);
+
+			winfo->rotation_timer =
+				new RotationTimer(network_time + delta_t, winfo, true);
+			}
+
+		timer_mgr->Add(winfo->rotation_timer);
+
+		DBG_LOG(DBG_LOGGING, "Scheduled rotation timer for %s to %.6f",
+			winfo->writer->Path().c_str(), winfo->rotation_timer->Time());
+		}
+	}
+
+void LogMgr::Rotate(WriterInfo* winfo)
+	{
+	DBG_LOG(DBG_LOGGING, "Rotating %s at %.6f",
+		winfo->writer->Path().c_str(), network_time);
+
+	// Build a temporary path for the writer to move the file to.
+	struct tm tm;
+	char buf[128];
+	const char* const date_fmt = "%y-%m-%d_%H.%M.%S";
+	time_t teatime = (time_t)winfo->open_time;
+
+	localtime_r(&teatime, &tm);
+	strftime(buf, sizeof(buf), date_fmt, &tm);
+
+	string tmp = string(fmt("%s-%s", winfo->writer->Path().c_str(), buf));
+
+	// Trigger the rotation.
+	winfo->writer->Rotate(tmp, winfo->open_time, network_time, terminating);
+	}
+
+bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_name,
+		      double open, double close, bool terminating)
+	{
+	DBG_LOG(DBG_LOGGING, "Finished rotating %s at %.6f, new name %s",
+		writer->Path().c_str(), network_time, new_name.c_str());
+
+	WriterInfo* winfo = FindWriter(writer);
+	if ( ! winfo )
+		return true;
+
+	// Create the RotationInfo record.
+	RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo);
+	info->Assign(0, winfo->type->Ref());
+	info->Assign(1, new StringVal(new_name.c_str()));
+	info->Assign(2, new StringVal(winfo->writer->Path().c_str()));
+	info->Assign(3, new Val(open, TYPE_TIME));
+	info->Assign(4, new Val(close, TYPE_TIME));
+	info->Assign(5, new Val(terminating, TYPE_BOOL));
+
+	Func* func = winfo->postprocessor;
+	if ( ! func )
+		{
+		ID* id = global_scope()->Lookup("Log::__default_rotation_postprocessor");
+		assert(id);
+		func = id->ID_Val()->AsFunc();
+		}
+
+	assert(func);
+
+	// Call the postprocessor function.
+	val_list vl(1);
+	vl.append(info);
+
+	int result = 0;
+
+	try
+		{
+		Val* v = func->Call(&vl);
+		result = v->AsBool();
+		Unref(v);
+		}
+
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }
+
+	return result;
+	}
+
diff --git a/src/LogMgr.h b/src/LogMgr.h
new file mode 100644
index 0000000000..3eaba360d5
--- /dev/null
+++ b/src/LogMgr.h
@@ -0,0 +1,142 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// A class managing log writers and filters.
+
+#ifndef LOGMGR_H
+#define LOGMGR_H
+
+#include "Val.h"
+#include "EventHandler.h"
+#include "RemoteSerializer.h"
+
+class SerializationFormat;
+
+// Description of a log field.
+struct LogField {
+	string name;
+	TypeTag type;
+	// inner type of sets
+	TypeTag subtype;
+
+	LogField() 	{ subtype = TYPE_VOID; }
+	LogField(const LogField& other)
+		: name(other.name), type(other.type), subtype(other.subtype) {  }
+
+	// (Un-)serialize.
+	bool Read(SerializationFormat* fmt);
+	bool Write(SerializationFormat* fmt) const;
+};
+
+// Values as logged by a writer.
+struct LogVal {
+	TypeTag type;
+	bool present; // False for unset fields.
+
+	// The following union is a subset of BroValUnion, including only the
+	// types we can log directly.
+	struct set_t { bro_int_t size; LogVal** vals; };
+	typedef set_t vec_t;
+
+	union _val {
+		bro_int_t int_val;
+		bro_uint_t uint_val;
+		uint32 addr_val[NUM_ADDR_WORDS];
+		subnet_type subnet_val;
+		double double_val;
+		string* string_val;
+		set_t set_val;
+		vec_t vector_val;
+	} val;
+
+	LogVal(TypeTag arg_type = TYPE_ERROR, bool arg_present = true)
+		: type(arg_type), present(arg_present)	{}
+	~LogVal();
+
+	// (Un-)serialize.
+	bool Read(SerializationFormat* fmt);
+	bool Write(SerializationFormat* fmt) const;
+
+	// Returns true if the type can be logged the framework. If
+	// `atomic_only` is true, will not permit composite types.
+	static bool IsCompatibleType(BroType* t, bool atomic_only=false);
+
+private:
+	LogVal(const LogVal& other)	{ }
+};
+
+class LogWriter;
+class RemoteSerializer;
+class RotationTimer;
+
+class LogMgr {
+public:
+	LogMgr();
+	~LogMgr();
+
+	// These correspond to the BiFs visible on the scripting layer. The
+	// actual BiFs just forward here.
+	bool CreateStream(EnumVal* id, RecordVal* stream);
+	bool EnableStream(EnumVal* id);
+	bool DisableStream(EnumVal* id);
+	bool AddFilter(EnumVal* id, RecordVal* filter);
+	bool RemoveFilter(EnumVal* id, StringVal* name);
+	bool RemoveFilter(EnumVal* id, string name);
+	bool Write(EnumVal* id, RecordVal* columns);
+	bool SetBuf(EnumVal* id, bool enabled);	// Adjusts all writers.
+	bool Flush(EnumVal* id);		// Flushes all writers..
+
+protected:
+	friend class LogWriter;
+	friend class RemoteSerializer;
+	friend class RotationTimer;
+
+	//// Function also used by the RemoteSerializer.
+
+	// Takes ownership of fields.
+	LogWriter* CreateWriter(EnumVal* id, EnumVal* writer, string path,
+				int num_fields, LogField** fields);
+
+	// Takes ownership of values..
+	bool Write(EnumVal* id, EnumVal* writer, string path,
+		   int num_fields, LogVal** vals);
+
+	// Announces all instantiated writers to peer.
+	void SendAllWritersTo(RemoteSerializer::PeerID peer);
+
+	//// Functions safe to use by writers.
+
+	// Signals that a file has been rotated.
+	bool FinishedRotation(LogWriter* writer, string new_name, string old_name,
+			      double open, double close, bool terminating);
+
+	// Reports an error for the given writer.
+	void Error(LogWriter* writer, const char* msg);
+
+	// Deletes the values as passed into Write().
+	void DeleteVals(int num_fields, LogVal** vals);
+
+private:
+	struct Filter;
+	struct Stream;
+	struct WriterInfo;
+
+	bool TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
+			    TableVal* include, TableVal* exclude, string path, list<int> indices);
+
+	LogVal** RecordToFilterVals(Stream* stream, Filter* filter,
+				    RecordVal* columns);
+
+	LogVal* ValToLogVal(Val* val, BroType* ty = 0);
+	Stream* FindStream(EnumVal* id);
+	void RemoveDisabledWriters(Stream* stream);
+	void InstallRotationTimer(WriterInfo* winfo);
+	void Rotate(WriterInfo* info);
+	Filter* FindFilter(EnumVal* id, StringVal* filter);
+	WriterInfo* FindWriter(LogWriter* writer);
+
+	vector<Stream *> streams;	// Indexed by stream enum.
+};
+
+extern LogMgr* log_mgr;
+
+#endif
diff --git a/src/LogWriter.cc b/src/LogWriter.cc
new file mode 100644
index 0000000000..8584a0b0b5
--- /dev/null
+++ b/src/LogWriter.cc
@@ -0,0 +1,158 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "util.h"
+#include "LogWriter.h"
+
+LogWriter::LogWriter()
+	{
+	buf = 0;
+	buf_len = 1024;
+	buffering = true;
+	disabled = false;
+	}
+
+LogWriter::~LogWriter()
+	{
+	if ( buf )
+		free(buf);
+
+	for(int i = 0; i < num_fields; ++i)
+		delete fields[i];
+
+	delete [] fields;
+	}
+
+bool LogWriter::Init(string arg_path, int arg_num_fields,
+		     const LogField* const * arg_fields)
+	{
+	path = arg_path;
+	num_fields = arg_num_fields;
+	fields = arg_fields;
+
+	if ( ! DoInit(arg_path, arg_num_fields, arg_fields) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Write(int arg_num_fields, LogVal** vals)
+	{
+	// Double-check that the arguments match. If we get this from remote,
+	// something might be mixed up.
+	if ( num_fields != arg_num_fields )
+		{
+		DBG_LOG(DBG_LOGGING, "Number of fields don't match in LogWriter::Write() (%d vs. %d)",
+			arg_num_fields, num_fields);
+
+		DeleteVals(vals);
+		return false;
+		}
+
+	for ( int i = 0; i < num_fields; ++i )
+		{
+		if ( vals[i]->type != fields[i]->type )
+			{
+			DBG_LOG(DBG_LOGGING, "Field type doesn't match in LogWriter::Write() (%d vs. %d)",
+				vals[i]->type, fields[i]->type);
+			DeleteVals(vals);
+			return false;
+			}
+		}
+
+	bool result = DoWrite(num_fields, fields, vals);
+
+	DeleteVals(vals);
+
+	if ( ! result )
+		disabled = true;
+
+	return result;
+	}
+
+bool LogWriter::SetBuf(bool enabled)
+	{
+	if ( enabled == buffering )
+		// No change.
+		return true;
+
+	buffering = enabled;
+
+	if ( ! DoSetBuf(enabled) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Rotate(string rotated_path, double open,
+		       double close, bool terminating)
+	{
+	if ( ! DoRotate(rotated_path, open, close, terminating) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Flush()
+	{
+	if ( ! DoFlush() )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+void LogWriter::Finish()
+	{
+	DoFinish();
+	}
+
+const char* LogWriter::Fmt(const char* format, ...)
+	{
+	if ( ! buf )
+		buf = (char*) malloc(buf_len);
+
+	va_list al;
+	va_start(al, format);
+	int n = safe_vsnprintf(buf, buf_len, format, al);
+	va_end(al);
+
+	if ( (unsigned int) n >= buf_len )
+		{ // Not enough room, grow the buffer.
+		buf_len = n + 32;
+		buf = (char*) realloc(buf, buf_len);
+
+		// Is it portable to restart?
+		va_start(al, format);
+		n = safe_vsnprintf(buf, buf_len, format, al);
+		va_end(al);
+		}
+
+	return buf;
+	}
+
+void LogWriter::Error(const char *msg)
+	{
+	log_mgr->Error(this, msg);
+	}
+
+void LogWriter::DeleteVals(LogVal** vals)
+	{
+	log_mgr->DeleteVals(num_fields, vals);
+	}
+
+bool LogWriter::FinishedRotation(string new_name, string old_name, double open,
+				 double close, bool terminating)
+	{
+	return log_mgr->FinishedRotation(this, new_name, old_name, open, close, terminating);
+	}
diff --git a/src/LogWriter.h b/src/LogWriter.h
new file mode 100644
index 0000000000..1d2f9fa4b2
--- /dev/null
+++ b/src/LogWriter.h
@@ -0,0 +1,192 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Interface API for a log writer backend. The LogMgr creates a separate
+// writer instance of pair of (writer type, output path).
+//
+// Note thay classes derived from LogWriter must be fully thread-safe and not
+// use any non-thread-safe Bro functionality (which includes almost
+// everything ...). In particular, do not use fmt() but LogWriter::Fmt()!.
+//
+// The one exception to this rule is the constructor: it is guaranteed to be
+// executed inside the main thread and can thus in particular access global
+// script variables.
+
+#ifndef LOGWRITER_H
+#define LOGWRITER_H
+
+#include "LogMgr.h"
+#include "BroString.h"
+
+class LogWriter {
+public:
+	LogWriter();
+	virtual ~LogWriter();
+
+	//// Interface methods to interact with the writer. Note that these
+	//// methods are not necessarily thread-safe and must be called only
+	//// from the main thread (which will typically mean only from the
+	//// LogMgr). In particular, they must not be called from the
+	//// writer's derived implementation.
+
+	// One-time initialization of the writer to define the logged fields.
+	// Interpretation of "path" is left to the writer, and will be
+	// corresponding the value configured on the script-level.
+	// 
+	// Returns false if an error occured, in which case the writer must
+	// not be used further.
+	//
+	// The new instance takes ownership of "fields", and will delete them
+	// when done.
+	bool Init(string path, int num_fields, const LogField* const * fields);
+
+	// Writes one log entry. The method takes ownership of "vals" and
+	// will return immediately after queueing the write request, which is
+	// potentially before output has actually been written out.
+	//
+	// num_fields and the types of the LogVals must match what was passed
+	// to Init().
+	//
+	// Returns false if an error occured, in which case the writer must
+	// not be used any further.
+	bool Write(int num_fields, LogVal** vals);
+
+	// Sets the buffering status for the writer, if the writer supports
+	// that. (If not, it will be ignored).
+	bool SetBuf(bool enabled);
+
+	// Flushes any currently buffered output, if the writer supports 
+	// that. (If not, it will be ignored).
+	bool Flush();
+
+	// Triggers rotation, if the writer supports that. (If not, it will
+	// be ignored).
+	bool Rotate(string rotated_path, double open, double close, bool terminating);
+
+	// Finishes writing to this logger regularly. Must not be called if
+	// an error has been indicated earlier. After calling this, no
+	// further writing must be performed.
+	void Finish();
+
+	//// Thread-safe methods that may be called from the writer
+	//// implementation.
+
+	// The following methods return the information as passed to Init().
+	const string Path() const	{ return path; }
+	int NumFields() const	{ return num_fields; }
+	const LogField* const * Fields() const	{ return fields; }
+
+protected:
+	// Methods for writers to override. If any of these returs false, it
+	// will be assumed that a fatal error has occured that prevents the
+	// writer from further operation. It will then be disabled and
+	// deleted. When return false, the writer should also report the
+	// error via Error(). Note that even if a writer does not support the
+	// functionality for one these methods (like rotation), it must still
+	// return true if that is not to be considered a fatal error.
+	//
+	// Called once for initialization of the writer.
+	virtual bool DoInit(string path, int num_fields,
+			    const LogField* const * fields) = 0;
+
+	// Called once per log entry to record.
+	virtual bool DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals) = 0;
+
+	// Called when the buffering status for this writer is changed. If
+	// buffering is disabled, the writer should attempt to write out
+	// information as quickly as possible even if doing so may have a
+	// performance impact. If enabled (which is the default), it may
+	// buffer data as helpful and write it out later in a way optimized
+	// for performance. The current buffering state can be queried via
+	// IsBuf().
+	//
+	// A writer may ignore buffering changes if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoSetBuf(bool enabled) = 0;
+
+	// Called to flush any currently buffered output.
+	//
+	// A writer may ignore flush requests if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoFlush() = 0;
+
+	// Called when a log output is to be rotated. Most directly this only
+	// applies to writers writing into files, which should then close the
+	// current file and open a new one.  However, a writer may also
+	// trigger other apppropiate actions if semantics are similar.
+	// 
+	// Once rotation has finished, the implementation should call
+	// RotationDone() to signal the log manager that potential
+	// postprocessors can now run.
+	//
+	// "rotate_path" reflects the path to where the rotated output is to
+	// be moved, with specifics depending on the writer. It should
+	// generally be interpreted in a way consistent with that of "path"
+	// as passed into DoInit(). As an example, for file-based output, 
+	// "rotate_path" could be the original filename extended with a
+	// timestamp indicating the time of the rotation.
+	// 
+	// "open" and "close" are the network time's when the *current* file
+	// was opened and closed, respectively.
+	//
+	// "terminating" indicated whether the rotation request occurs due
+	// the main Bro prcoess terminating (and not because we've reach a
+	// regularly scheduled time for rotation).
+	//
+	// A writer may ignore rotation requests if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoRotate(string rotated_path, double open, double close,
+			      bool terminating) = 0;
+
+	// Called once on termination. Not called when any of the other
+	// methods has previously signaled an error, i.e., executing this
+	// method signals a regular shutdown of the writer.
+	virtual void DoFinish() = 0;
+
+	//// Methods for writers to use. These are thread-safe.
+
+	// A thread-safe version of fmt().
+	const char* Fmt(const char* format, ...);
+
+	// Returns the current buffering state.
+	bool IsBuf()	{ return buffering; }
+
+	// Reports an error to the user.
+	void Error(const char *msg);
+
+	// Signals to the log manager that a file has been rotated.
+	//
+	// new_name: The filename of the rotated file. old_name: The filename
+	// of the origina file.
+	//
+	// open/close: The timestamps when the original file was opened and
+	// closed, respectively.
+	//
+	// terminating: True if rotation request occured due to the main Bro
+	// process shutting down.
+	bool FinishedRotation(string new_name, string old_name, double open,
+			      double close, bool terminating);
+
+private:
+	friend class LogMgr;
+
+	// When an error occurs, we call this method to set a flag marking
+	// the writer as disabled. The LogMgr will check the flag later and
+	// remove the writer.
+	bool Disabled()	{ return disabled; }
+
+	// Deletes the values as passed into Write().
+	void DeleteVals(LogVal** vals);
+
+	string path;
+	int num_fields;
+	const LogField* const * fields;
+	bool buffering;
+	bool disabled;
+
+	// For implementing Fmt().
+	char* buf;
+	unsigned int buf_len;
+};
+
+#endif
diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc
new file mode 100644
index 0000000000..d2c1d91370
--- /dev/null
+++ b/src/LogWriterAscii.cc
@@ -0,0 +1,348 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+#include <errno.h>
+
+#include "LogWriterAscii.h"
+#include "NetVar.h"
+
+LogWriterAscii::LogWriterAscii()
+	{
+	file = 0;
+
+	output_to_stdout = BifConst::LogAscii::output_to_stdout;
+	include_header = BifConst::LogAscii::include_header;
+
+	separator_len = BifConst::LogAscii::separator->Len();
+	separator = new char[separator_len];
+	memcpy(separator, BifConst::LogAscii::separator->Bytes(),
+	       separator_len);
+
+	set_separator_len = BifConst::LogAscii::set_separator->Len();
+	set_separator = new char[set_separator_len];
+	memcpy(set_separator, BifConst::LogAscii::set_separator->Bytes(),
+	       set_separator_len);
+
+	empty_field_len = BifConst::LogAscii::empty_field->Len();
+	empty_field = new char[empty_field_len];
+	memcpy(empty_field, BifConst::LogAscii::empty_field->Bytes(),
+	       empty_field_len);
+
+	unset_field_len = BifConst::LogAscii::unset_field->Len();
+	unset_field = new char[unset_field_len];
+	memcpy(unset_field, BifConst::LogAscii::unset_field->Bytes(),
+	       unset_field_len);
+
+	header_prefix_len = BifConst::LogAscii::header_prefix->Len();
+	header_prefix = new char[header_prefix_len];
+	memcpy(header_prefix, BifConst::LogAscii::header_prefix->Bytes(),
+	       header_prefix_len);
+
+	desc.EnableEscaping();
+	desc.AddEscapeSequence(separator, separator_len);
+	}
+
+LogWriterAscii::~LogWriterAscii()
+	{
+	if ( file )
+		fclose(file);
+
+	delete [] separator;
+	delete [] set_separator;
+	delete [] empty_field;
+	delete [] unset_field;
+	delete [] header_prefix;
+	}
+
+bool LogWriterAscii::WriteHeaderField(const string& key, const string& val)
+	{
+	string str = string(header_prefix, header_prefix_len) +
+		key + string(separator, separator_len) + val + "\n";
+
+	return (fwrite(str.c_str(), str.length(), 1, file) == 1);
+	}
+
+bool LogWriterAscii::DoInit(string path, int num_fields,
+			    const LogField* const * fields)
+	{
+	if ( output_to_stdout )
+		path = "/dev/stdout";
+
+	fname = IsSpecial(path) ? path : path + "." + LogExt();
+
+	if ( ! (file = fopen(fname.c_str(), "w")) )
+		{
+		Error(Fmt("cannot open %s: %s", fname.c_str(),
+			  strerror(errno)));
+
+		return false;
+		}
+
+	if ( include_header )
+		{
+		string str = string(header_prefix, header_prefix_len)
+			+ "separator " // Always use space as separator here.
+			+ get_escaped_string(string(separator, separator_len), false)
+			+ "\n";
+
+		if( fwrite(str.c_str(), str.length(), 1, file) != 1 )
+			goto write_error;
+
+		if ( ! (WriteHeaderField("set_separator", get_escaped_string(
+		            string(set_separator, set_separator_len), false)) &&
+		        WriteHeaderField("empty_field", get_escaped_string(
+		            string(empty_field, empty_field_len), false)) &&
+		        WriteHeaderField("unset_field", get_escaped_string(
+		            string(unset_field, unset_field_len), false)) &&
+		        WriteHeaderField("path", get_escaped_string(path, false))) )
+			goto write_error;
+
+		string names;
+		string types;
+
+		for ( int i = 0; i < num_fields; ++i )
+			{
+			if ( i > 0 )
+				{
+				names += string(separator, separator_len);
+				types += string(separator, separator_len);
+				}
+
+			const LogField* field = fields[i];
+			names += field->name;
+			types += type_name(field->type);
+			if ( (field->type == TYPE_TABLE) || (field->type == TYPE_VECTOR) )
+				{
+					types += "[";
+					types += type_name(field->subtype);
+					types += "]";
+				}
+			}
+
+		if ( ! (WriteHeaderField("fields", names)
+			&& WriteHeaderField("types", types)) )
+			goto write_error;
+		}
+
+	return true;
+
+write_error:
+	Error(Fmt("error writing to %s: %s", fname.c_str(), strerror(errno)));
+	return false;
+	}
+
+bool LogWriterAscii::DoFlush()
+	{
+	fflush(file);
+	return true;
+	}
+
+void LogWriterAscii::DoFinish()
+	{
+	}
+
+bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
+	{
+	if ( ! val->present )
+		{
+		desc->AddN(unset_field, unset_field_len);
+		return true;
+		}
+
+	switch ( val->type ) {
+
+	case TYPE_BOOL:
+		desc->Add(val->val.int_val ? "T" : "F");
+		break;
+
+	case TYPE_INT:
+		desc->Add(val->val.int_val);
+		break;
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		desc->Add(val->val.uint_val);
+		break;
+
+	case TYPE_SUBNET:
+		desc->Add(dotted_addr(val->val.subnet_val.net));
+		desc->Add("/");
+		desc->Add(val->val.subnet_val.width);
+		break;
+
+	case TYPE_ADDR:
+		desc->Add(dotted_addr(val->val.addr_val));
+		break;
+
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		char buf[256];
+		modp_dtoa(val->val.double_val, buf, 6);
+		desc->Add(buf);
+		break;
+
+	case TYPE_DOUBLE:
+		desc->Add(val->val.double_val);
+	break;
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+	case TYPE_FUNC:
+		{
+		int size = val->val.string_val->size();
+		const char* data = val->val.string_val->data();
+
+		if ( ! size )
+			{
+			desc->AddN(empty_field, empty_field_len);
+			break;
+			}
+
+		if ( size == unset_field_len && memcmp(data, unset_field, size) == 0 )
+			{
+			// The value we'd write out would match exactly the
+			// place-holder we use for unset optional fields. We
+			// escape the first character so that the output
+			// won't be ambigious.
+			static const char hex_chars[] = "0123456789abcdef";
+			char hex[6] = "\\x00";
+			hex[2] = hex_chars[((*data) & 0xf0) >> 4];
+			hex[3] = hex_chars[(*data) & 0x0f];
+			desc->AddRaw(hex, 4);
+
+			++data;
+			--size;
+			}
+
+		if ( size )
+			desc->AddN(data, size);
+
+		break;
+		}
+
+	case TYPE_TABLE:
+		{
+		if ( ! val->val.set_val.size )
+			{
+			desc->AddN(empty_field, empty_field_len);
+			break;
+			}
+
+		desc->AddEscapeSequence(set_separator, set_separator_len);
+		for ( int j = 0; j < val->val.set_val.size; j++ )
+			{
+			if ( j > 0 )
+				desc->AddRaw(set_separator, set_separator_len);
+
+			if ( ! DoWriteOne(desc, val->val.set_val.vals[j], field) )
+				{
+				desc->RemoveEscapeSequence(set_separator, set_separator_len);
+				return false;
+				}
+			}
+		desc->RemoveEscapeSequence(set_separator, set_separator_len);
+
+		break;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! val->val.vector_val.size )
+			{
+			desc->AddN(empty_field, empty_field_len);
+			break;
+			}
+
+		desc->AddEscapeSequence(set_separator, set_separator_len);
+		for ( int j = 0; j < val->val.vector_val.size; j++ )
+			{
+			if ( j > 0 )
+				desc->AddRaw(set_separator, set_separator_len);
+
+			if ( ! DoWriteOne(desc, val->val.vector_val.vals[j], field) )
+				{
+				desc->RemoveEscapeSequence(set_separator, set_separator_len);
+				return false;
+				}
+			}
+		desc->RemoveEscapeSequence(set_separator, set_separator_len);
+
+		break;
+		}
+
+	default:
+		Error(Fmt("unsupported field format %d for %s", val->type,
+			  field->name.c_str()));
+		return false;
+	}
+
+	return true;
+	}
+
+bool LogWriterAscii::DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals)
+	{
+	if ( ! file )
+		DoInit(Path(), NumFields(), Fields());
+
+	desc.Clear();
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( i > 0 )
+			desc.AddRaw(separator, separator_len);
+
+		if ( ! DoWriteOne(&desc, vals[i], fields[i]) )
+			return false;
+		}
+
+	desc.AddRaw("\n", 1);
+
+	if ( fwrite(desc.Bytes(), desc.Len(), 1, file) != 1 )
+		{
+		Error(Fmt("error writing to %s: %s", fname.c_str(), strerror(errno)));
+		return false;
+		}
+
+	if ( IsBuf() )
+		fflush(file);
+
+	return true;
+	}
+
+bool LogWriterAscii::DoRotate(string rotated_path, double open,
+			      double close, bool terminating)
+	{
+	// Don't rotate special files or if there's not one currently open.
+	if ( ! file || IsSpecial(Path()) )
+		return true;
+
+	fclose(file);
+	file = 0;
+
+	string nname = rotated_path + "." + LogExt();
+	rename(fname.c_str(), nname.c_str());
+
+	if ( ! FinishedRotation(nname, fname, open, close, terminating) )
+		{
+		Error(Fmt("error rotating %s to %s", fname.c_str(), nname.c_str()));
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriterAscii::DoSetBuf(bool enabled)
+	{
+	// Nothing to do.
+	return true;
+	}
+
+string LogWriterAscii::LogExt()
+	{
+	const char* ext = getenv("BRO_LOG_SUFFIX");
+	if ( ! ext ) ext = "log";
+	return ext;
+	}
diff --git a/src/LogWriterAscii.h b/src/LogWriterAscii.h
new file mode 100644
index 0000000000..72127c8b1f
--- /dev/null
+++ b/src/LogWriterAscii.h
@@ -0,0 +1,58 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Log writer for delimiter-separated ASCII logs.
+
+#ifndef LOGWRITERASCII_H
+#define LOGWRITERASCII_H
+
+#include "LogWriter.h"
+
+class LogWriterAscii : public LogWriter {
+public:
+	LogWriterAscii();
+	~LogWriterAscii();
+
+	static LogWriter* Instantiate()	{ return new LogWriterAscii; }
+	static string LogExt();
+
+protected:
+	virtual bool DoInit(string path, int num_fields,
+			    const LogField* const * fields);
+	virtual bool DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals);
+	virtual bool DoSetBuf(bool enabled);
+	virtual bool DoRotate(string rotated_path, double open, double close,
+			      bool terminating);
+	virtual bool DoFlush();
+	virtual void DoFinish();
+
+private:
+	bool IsSpecial(string path) 	{ return path.find("/dev/") == 0; }
+	bool DoWriteOne(ODesc* desc, LogVal* val, const LogField* field);
+	bool WriteHeaderField(const string& key, const string& value);
+
+	FILE* file;
+	string fname;
+	ODesc desc;
+
+	// Options set from the script-level.
+	bool output_to_stdout;
+	bool include_header;
+
+	char* separator;
+	int separator_len;
+
+	char* set_separator;
+	int set_separator_len;
+
+	char* empty_field;
+	int empty_field_len;
+
+	char* unset_field;
+	int unset_field_len;
+
+	char* header_prefix;
+	int header_prefix_len;
+};
+
+#endif
diff --git a/src/LogWriterNone.cc b/src/LogWriterNone.cc
new file mode 100644
index 0000000000..592772afdb
--- /dev/null
+++ b/src/LogWriterNone.cc
@@ -0,0 +1,16 @@
+
+#include "LogWriterNone.h"
+
+bool LogWriterNone::DoRotate(string rotated_path, double open,
+			      double close, bool terminating)
+	{
+	if ( ! FinishedRotation(string("/dev/null"), Path(), open, close, terminating))
+		{
+		Error(Fmt("error rotating %s", Path().c_str()));
+		return false;
+		}
+
+	return true;
+	}
+
+
diff --git a/src/LogWriterNone.h b/src/LogWriterNone.h
new file mode 100644
index 0000000000..3811a19469
--- /dev/null
+++ b/src/LogWriterNone.h
@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Dummy log writer that just discards everything (but still pretends to rotate).
+
+#ifndef LOGWRITERNONE_H
+#define LOGWRITERNONE_H
+
+#include "LogWriter.h"
+
+class LogWriterNone : public LogWriter {
+public:
+	LogWriterNone()	{}
+	~LogWriterNone()	{};
+
+	static LogWriter* Instantiate()	{ return new LogWriterNone; }
+
+protected:
+	virtual bool DoInit(string path, int num_fields,
+			    const LogField* const * fields)	{ return true; }
+
+	virtual bool DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals)	{ return true; }
+	virtual bool DoSetBuf(bool enabled)	{ return true; }
+	virtual bool DoRotate(string rotated_path, double open, double close,
+			      bool terminating);
+	virtual bool DoFlush()	{ return true; }
+	virtual void DoFinish()	{}
+};
+
+#endif
diff --git a/src/Logger.cc b/src/Logger.cc
deleted file mode 100644
index ec1c48194d..0000000000
--- a/src/Logger.cc
+++ /dev/null
@@ -1,73 +0,0 @@
-// $Id: Logger.cc 6916 2009-09-24 20:48:36Z vern $
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include <stdlib.h>
-#include <math.h>
-#include <ctype.h>
-#include <syslog.h>
-
-#include "config.h"
-#include "File.h"
-#include "Logger.h"
-
-#ifdef SYSLOG_INT
-extern "C" {
-int openlog(const char* ident, int logopt, int facility);
-int syslog(int priority, const char* message_fmt, ...);
-int closelog();
-}
-#endif
-
-Logger::Logger(const char* name, BroFile* arg_f)
-	{
-	openlog(name, 0, LOG_LOCAL5);
-	f = arg_f;
-	enabled = 1;
-	}
-
-Logger::~Logger()
-	{
-	closelog();
-	Unref(f);
-	}
-
-void Logger::Log(const char* msg)
-	{
-	int has_timestamp =
-		(fabs(atof(msg) - network_time) <= 30.0) ||
-		(msg[0] == 't' && msg[1] == '=' && isdigit(msg[2]));
-
-	if ( enabled )
-		{
-		const char* sub_msg = msg;
-		if ( has_timestamp )
-			{
-			// Don't include the timestamp in the logging,
-			// as it gets tacked on by syslog anyway.
-			sub_msg = strchr(sub_msg, ' ');
-			if ( sub_msg )
-				++sub_msg;	// skip over ' '
-			else
-				sub_msg = msg;
-			}
-
-		syslog(LOG_NOTICE, "%s", sub_msg);
-		}
-
-	if ( f )
-		{
-		if ( has_timestamp )
-			f->Write(fmt("%s\n", msg));
-		else
-			f->Write(fmt("%.6f %s\n", network_time, msg));
-
-		f->Flush();
-		}
-	}
-
-void Logger::Describe(ODesc* d) const
-	{
-	d->AddSP("logger");
-	f->Describe(d);
-	}
diff --git a/src/Logger.h b/src/Logger.h
deleted file mode 100644
index 0c3f0d1ed7..0000000000
--- a/src/Logger.h
+++ /dev/null
@@ -1,33 +0,0 @@
-// $Id: Logger.h 6219 2008-10-01 05:39:07Z vern $
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef logger_h
-#define logger_h
-
-#include "util.h"
-#include "Obj.h"
-
-class BroFile;
-class Func;
-
-class Logger : public BroObj {
-public:
-	Logger(const char* name, BroFile* f = 0);
-	virtual ~Logger();
-
-	void Log(const char* msg);
-
-	void SetEnabled(int do_enabled)		{ enabled = do_enabled; }
-
-	void Describe(ODesc* d) const;
-
-protected:
-	BroFile* f;	// associated file
-	int enabled;	// if true, syslog'ing is done, otherwise just file log
-};
-
-extern Logger* bro_logger;
-extern Func* alarm_hook;
-
-#endif
diff --git a/src/Login.cc b/src/Login.cc
index 7ad309458d..56efd12f53 100644
--- a/src/Login.cc
+++ b/src/Login.cc
@@ -1,5 +1,3 @@
-// $Id: Login.cc 6724 2009-06-07 09:23:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -115,7 +113,7 @@ void Login_Analyzer::NewLine(bool orig, char* line)
 		}
 
 	if ( state != LOGIN_STATE_CONFUSED )
-		internal_error("bad state in Login_Analyzer::NewLine");
+		reporter->InternalError("bad state in Login_Analyzer::NewLine");
 
 	// When we're in "confused", we feed each user input line to
 	// login_confused_text, but also scan the text in the
@@ -572,7 +570,7 @@ void Login_Analyzer::AddUserText(const char* line)
 char* Login_Analyzer::PeekUserText() const
 	{
 	if ( num_user_text <= 0 )
-		internal_error("underflow in Login_Analyzer::PeekUserText()");
+		reporter->InternalError("underflow in Login_Analyzer::PeekUserText()");
 
 	return user_text[user_text_first];
 	}
diff --git a/src/Login.h b/src/Login.h
index 4bcecb0634..b186cc52d2 100644
--- a/src/Login.h
+++ b/src/Login.h
@@ -1,5 +1,3 @@
-// $Id: Login.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef login_h
diff --git a/src/MIME.cc b/src/MIME.cc
index 44da01a91e..103cf149ef 100644
--- a/src/MIME.cc
+++ b/src/MIME.cc
@@ -1,10 +1,9 @@
-// $Id: MIME.cc 5906 2008-07-03 19:52:50Z vern $
-
 #include "config.h"
 
 #include "NetVar.h"
 #include "MIME.h"
 #include "Event.h"
+#include "Reporter.h"
 
 // Here are a few things to do:
 //
@@ -268,7 +267,7 @@ void MIME_Entity::init()
 MIME_Entity::~MIME_Entity()
 	{
 	if ( ! end_of_data )
-		internal_error("EndOfData must be called before delete a MIME_Entity");
+		reporter->InternalError("EndOfData must be called before delete a MIME_Entity");
 
 	delete current_header_line;
 	Unref(content_type_str);
@@ -653,7 +652,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
 	{
 	if ( ! multipart_boundary )
 		{
-		warn("boundary delimiter was not specified for a multipart message\n");
+		reporter->Warning("boundary delimiter was not specified for a multipart message\n");
 		DEBUG_MSG("headers of the MIME entity for debug:\n");
 		DebugPrintHeaders();
 		return NOT_MULTIPART_BOUNDARY;
@@ -799,7 +798,7 @@ void MIME_Entity::DecodeBase64(int len, const char* data)
 		char* prbuf = rbuf;
 		int decoded = base64_decoder->Decode(len, data, &rlen, &prbuf);
 		if ( prbuf != rbuf )
-			internal_error("buffer pointer modified in base64 decoding");
+			reporter->InternalError("buffer pointer modified in base64 decoding");
 		DataOctets(rlen, rbuf);
 		len -= decoded; data += decoded;
 		}
@@ -808,7 +807,7 @@ void MIME_Entity::DecodeBase64(int len, const char* data)
 void MIME_Entity::StartDecodeBase64()
 	{
 	if ( base64_decoder )
-		internal_error("previous Base64 decoder not released!");
+		reporter->InternalError("previous Base64 decoder not released!");
 
 	base64_decoder = new Base64Decoder(message->GetAnalyzer());
 	}
@@ -825,7 +824,7 @@ void MIME_Entity::FinishDecodeBase64()
 	if ( base64_decoder->Done(&rlen, &prbuf) )
 		{ // some remaining data
 		if ( prbuf != rbuf )
-			internal_error("buffer pointer modified in base64 decoding");
+			reporter->InternalError("buffer pointer modified in base64 decoding");
 		if ( rlen > 0 )
 			DataOctets(rlen, rbuf);
 		}
@@ -839,7 +838,7 @@ int MIME_Entity::GetDataBuffer()
 	int ret = message->RequestBuffer(&data_buf_length, &data_buf_data);
 	if ( ! ret || data_buf_length == 0 || data_buf_data == 0 )
 		{
-		// internal_error("cannot get data buffer from MIME_Message", "");
+		// reporter->InternalError("cannot get data buffer from MIME_Message", "");
 		return 0;
 		}
 
@@ -874,11 +873,11 @@ void MIME_Entity::DataOctets(int len, const char* data)
 		if ( data_buf_offset < 0 && ! GetDataBuffer() )
 			return;
 
-		while ( data_buf_offset < data_buf_length && len > 0 )
-			{
-			data_buf_data[data_buf_offset++] = *data;
-			++data; --len;
-			}
+		int n = min(data_buf_length - data_buf_offset, len);
+		memcpy(data_buf_data + data_buf_offset, data, n);
+		data += n;
+		data_buf_offset += n;
+		len -= n;
 
 		if ( data_buf_offset == data_buf_length )
 			{
@@ -1092,7 +1091,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 void MIME_Mail::SubmitData(int len, const char* buf)
 	{
 	if ( buf != (char*) data_buffer->Bytes() + buffer_start )
-		internal_error("buffer misalignment");
+		reporter->InternalError("buffer misalignment");
 
 	if ( compute_content_hash )
 		{
@@ -1180,7 +1179,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 			break;
 
 		default:
-			internal_error("unrecognized MIME_Mail event");
+			reporter->InternalError("unrecognized MIME_Mail event");
 	}
 
 	if ( mime_event )
diff --git a/src/MIME.h b/src/MIME.h
index c55cdcb42b..52d943fb15 100644
--- a/src/MIME.h
+++ b/src/MIME.h
@@ -1,5 +1,3 @@
-// $Id: MIME.h 3526 2006-09-12 07:32:21Z vern $
-
 #ifndef mime_h
 #define mime_h
 
@@ -97,6 +95,7 @@ public:
 	virtual void EndOfData();
 
 	MIME_Entity* Parent() const { return parent; }
+	int MIMEContentType() const { return content_type; }
 	StringVal* ContentType() const { return content_type_str; }
 	StringVal* ContentSubType() const { return content_subtype_str; }
 	int ContentTransferEncoding() const { return content_encoding; }
@@ -193,7 +192,7 @@ public:
 	virtual ~MIME_Message()
 		{
 		if ( ! finished )
-			internal_error("Done() must be called before destruction");
+			reporter->InternalError("Done() must be called before destruction");
 		}
 
 	virtual void Done()	{ finished = 1; }
diff --git a/src/NCP.cc b/src/NCP.cc
index c065e48e87..83378a09a7 100644
--- a/src/NCP.cc
+++ b/src/NCP.cc
@@ -1,5 +1,3 @@
-// $Id: NCP.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/NCP.h b/src/NCP.h
index 714d1879f8..1e783ee3ab 100644
--- a/src/NCP.h
+++ b/src/NCP.h
@@ -1,5 +1,3 @@
-// $Id: NCP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ncp_h
diff --git a/src/NFA.cc b/src/NFA.cc
index 74958823dc..4849755941 100644
--- a/src/NFA.cc
+++ b/src/NFA.cc
@@ -1,5 +1,3 @@
-// $Id: NFA.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/NFA.h b/src/NFA.h
index 9dcb435d61..9877b8787c 100644
--- a/src/NFA.h
+++ b/src/NFA.h
@@ -1,5 +1,3 @@
-// $Id: NFA.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef nfa_h
diff --git a/src/NFS.cc b/src/NFS.cc
index 8d7e920e2d..2911ee7f59 100644
--- a/src/NFS.cc
+++ b/src/NFS.cc
@@ -1,7 +1,7 @@
-// $Id: NFS.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "NetVar.h"
@@ -9,171 +9,296 @@
 #include "NFS.h"
 #include "Event.h"
 
-#define NFS_PROC_NULL 		0
-#define NFS_PROC_GETATTR 	1
-#define NFS_PROC_SETATTR 	2
-#define NFS_PROC_LOOKUP 	3
-#define NFS_PROC_READ 		6
-#define NFS_PROC_WRITE 		7
-#define NFS_PROC_FSSTAT 	18
-
 int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 	{
 	if ( c->Program() != 100003 )
-		Weird("bad_RPC_program");
+		Weird(fmt("bad_RPC_program (%d)", c->Program()));
 
 	uint32 proc = c->Proc();
+	// The call arguments, depends on the call type obviously ...
+	Val *callarg = 0;
+
 	switch ( proc ) {
-	case NFS_PROC_NULL:
+	case BifEnum::NFS3::PROC_NULL:
 		break;
 
-	case NFS_PROC_GETATTR:
-		{
-		Val* v = ExtractFH(buf, n);
-		if ( ! v )
-			return 0;
-		c->AddVal(v);
-		}
+	case BifEnum::NFS3::PROC_GETATTR:
+		callarg = nfs3_fh(buf, n);
 		break;
 
-	case NFS_PROC_LOOKUP:
-		{
-		StringVal* fh = ExtractFH(buf, n);
-
-		int name_len;
-		const u_char* name = extract_XDR_opaque(buf, n, name_len);
-
-		if ( ! fh || ! name )
-			return 0;
-
-		RecordVal* args = new RecordVal(nfs3_lookup_args);
-		args->Assign(0, fh);
-		args->Assign(1, new StringVal(new BroString(name, name_len, 0)));
-		c->AddVal(args);
-		}
+	case BifEnum::NFS3::PROC_LOOKUP:
+		callarg = nfs3_diropargs(buf, n);
 		break;
 
-	case NFS_PROC_FSSTAT:
-		{
-		Val* v = ExtractFH(buf, n);
-		if ( ! v )
-			return 0;
-		c->AddVal(v);
-		}
+	case BifEnum::NFS3::PROC_READ:
+		callarg = nfs3_readargs(buf, n);
 		break;
 
-	case NFS_PROC_READ:
+	case BifEnum::NFS3::PROC_READLINK:
+		callarg = nfs3_fh(buf, n);
+		break;
+
+	case BifEnum::NFS3::PROC_WRITE:
+		callarg = nfs3_writeargs(buf, n);
+		break;
+
+	case BifEnum::NFS3::PROC_CREATE:
+		callarg = nfs3_diropargs(buf, n);
+		// TODO: implement create attributes. For now we just skip
+		// over them.
+		n = 0;
+		break;
+
+	case BifEnum::NFS3::PROC_MKDIR:
+		callarg = nfs3_diropargs(buf, n);
+		// TODO: implement mkdir attributes. For now we just skip
+		// over them.
+		n = 0;
+		break;
+
+	case BifEnum::NFS3::PROC_REMOVE:
+		callarg = nfs3_diropargs(buf, n);
+		break;
+
+	case BifEnum::NFS3::PROC_RMDIR:
+		callarg = nfs3_diropargs(buf, n);
+		break;
+
+	case BifEnum::NFS3::PROC_READDIR:
+		callarg = nfs3_readdirargs(false, buf, n);
+		break;
+
+	case BifEnum::NFS3::PROC_READDIRPLUS:
+		callarg = nfs3_readdirargs(true, buf, n);
 		break;
 
 	default:
-		Weird(fmt("unknown_NFS_request(%u)", proc));
+		callarg = 0;
+		if ( proc < BifEnum::NFS3::PROC_END_OF_PROCS )
+			{
+			// We know the procedure but haven't implemented it.
+			// Otherwise DeliverRPC would complain about
+			// excess_RPC.
+			n = 0;
+			}
+		else
+			Weird(fmt("unknown_NFS_request(%u)", proc));
 
 		// Return 1 so that replies to unprocessed calls will still
-		// be processed, and the return status extracted
+		// be processed, and the return status extracted.
 		return 1;
 	}
 
+	if ( ! buf )
+		{
+		// There was a parse error while trying to extract the call
+		// arguments. However, we don't know where exactly it
+		// happened and whether Vals where already allocated (e.g., a
+		// RecordVal was allocated but we failed to fill it). So we
+		// Unref() the call arguments, and we are fine.
+		Unref(callarg);
+		callarg = 0;
+		return 0;
+		}
+
+	c->AddVal(callarg); // It's save to AddVal(0).
+
 	return 1;
 	}
 
-int NFS_Interp::RPC_BuildReply(const RPC_CallInfo* c, int success,
-					const u_char*& buf, int& n,
-					EventHandlerPtr& event, Val*& reply)
+int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
+			       const u_char*& buf, int& n, double start_time,
+			       double last_time, int reply_len)
 	{
-	reply = 0;
-	uint32 status = 0;
-	if ( success )
+	EventHandlerPtr event = 0;
+	Val *reply = 0;
+	BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK;
+	bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );
+
+	// Reply always starts with the NFS status.
+	if ( rpc_success )
 		{
 		if ( n >= 4 )
-			status = extract_XDR_uint32(buf, n);
+			nfs_status = (BifEnum::NFS3::status_t)extract_XDR_uint32(buf, n);
 		else
-			status = 0xffffffff;
+			nfs_status = BifEnum::NFS3::NFS3ERR_UNKNOWN;
 		}
 
 	if ( nfs_reply_status )
 		{
-		val_list* vl = new val_list;
-		vl->append(analyzer->BuildConnVal());
-		vl->append(new Val(status, TYPE_COUNT));
+		val_list* vl = event_common_vl(c, rpc_status, nfs_status,
+					       start_time, last_time, reply_len);
 		analyzer->ConnectionEvent(nfs_reply_status, vl);
 		}
 
+	if ( ! rpc_success )
+		{
+		// We set the buffer to NULL, the function that extract the
+		// reply from the data stream will then return empty records.
+		//
+		buf = NULL;
+		n = 0;
+		}
+
 	switch ( c->Proc() ) {
-	case NFS_PROC_NULL:
-		event = success ? nfs_request_null : nfs_attempt_null;
+	case BifEnum::NFS3::PROC_NULL:
+		event = nfs_proc_null;
 		break;
 
-	case NFS_PROC_GETATTR:
-		if ( success )
-			{
-			if ( ! buf || status != 0 )
-				return 0;
-
-			reply = ExtractAttrs(buf, n);
-			event = nfs_request_getattr;
-			}
-		else
-			event = nfs_attempt_getattr;
-
+	case BifEnum::NFS3::PROC_GETATTR:
+		reply = nfs3_fattr(buf, n);
+		event = nfs_proc_getattr;
 		break;
 
-	case NFS_PROC_LOOKUP:
-		if ( success )
-			{
-			if ( ! buf || status != 0 )
-				return 0;
-
-			RecordVal* r = new RecordVal(nfs3_lookup_reply);
-			r->Assign(0, ExtractFH(buf, n));
-			r->Assign(1, ExtractOptAttrs(buf, n));
-			r->Assign(2, ExtractOptAttrs(buf, n));
-
-			reply = r;
-			event = nfs_request_lookup;
-			}
-		else
-			{
-			reply = ExtractOptAttrs(buf, n);
-			event = nfs_attempt_lookup;
-			}
-
+	case BifEnum::NFS3::PROC_LOOKUP:
+		reply = nfs3_lookup_reply(buf, n, nfs_status);
+		event = nfs_proc_lookup;
 		break;
 
-	case NFS_PROC_FSSTAT:
-		if ( success )
-			{
-			if ( ! buf || status != 0 )
-				return 0;
+	case BifEnum::NFS3::PROC_READ:
+		bro_uint_t offset;
+		offset = c->RequestVal()->AsRecordVal()->Lookup(1)->AsCount();
+		reply = nfs3_read_reply(buf, n, nfs_status, offset);
+		event = nfs_proc_read;
+		break;
 
-			RecordVal* r = new RecordVal(nfs3_fsstat);
-			r->Assign(0, ExtractOptAttrs(buf, n));
-			r->Assign(1, ExtractLongAsDouble(buf, n)); // tbytes
-			r->Assign(2, ExtractLongAsDouble(buf, n)); // fbytes
-			r->Assign(3, ExtractLongAsDouble(buf, n)); // abytes
-			r->Assign(4, ExtractLongAsDouble(buf, n)); // tfiles
-			r->Assign(5, ExtractLongAsDouble(buf, n)); // ffiles
-			r->Assign(6, ExtractLongAsDouble(buf, n)); // afiles
-			r->Assign(7, ExtractInterval(buf, n)); // invarsec
+	case BifEnum::NFS3::PROC_READLINK:
+		reply = nfs3_readlink_reply(buf, n, nfs_status);
+		event = nfs_proc_readlink;
+		break;
 
-			reply = r;
-			event = nfs_request_fsstat;
-			}
-		else
-			{
-			reply = ExtractOptAttrs(buf, n);
-			event = nfs_attempt_fsstat;
-			}
+	case BifEnum::NFS3::PROC_WRITE:
+		reply = nfs3_write_reply(buf, n, nfs_status);
+		event = nfs_proc_write;
+		break;
 
+	case BifEnum::NFS3::PROC_CREATE:
+		reply = nfs3_newobj_reply(buf, n, nfs_status);
+		event = nfs_proc_create;
+		break;
+
+	case BifEnum::NFS3::PROC_MKDIR:
+		reply = nfs3_newobj_reply(buf, n, nfs_status);
+		event = nfs_proc_mkdir;
+		break;
+
+	case BifEnum::NFS3::PROC_REMOVE:
+		reply = nfs3_delobj_reply(buf, n);
+		event = nfs_proc_remove;
+		break;
+
+	case BifEnum::NFS3::PROC_RMDIR:
+		reply = nfs3_delobj_reply(buf, n);
+		event = nfs_proc_rmdir;
+		break;
+
+	case BifEnum::NFS3::PROC_READDIR:
+		reply = nfs3_readdir_reply(false, buf, n, nfs_status);
+		event = nfs_proc_readdir;
+		break;
+
+	case BifEnum::NFS3::PROC_READDIRPLUS:
+		reply = nfs3_readdir_reply(true, buf, n, nfs_status);
+		event = nfs_proc_readdir;
 		break;
 
 	default:
-		return 0;
+		if ( c->Proc() < BifEnum::NFS3::PROC_END_OF_PROCS )
+			{
+			// We know the procedure but haven't implemented it.
+			// Otherwise DeliverRPC would complain about
+			// excess_RPC.
+			n = 0;
+			reply = new EnumVal(c->Proc(), BifType::Enum::NFS3::proc_t);
+			event = nfs_proc_not_implemented;
+			}
+		else
+			return 0;
 	}
 
+	if ( rpc_success && ! buf )
+		{
+		// There was a parse error. We have to unref the reply. (see
+		// also comments in RPC_BuildCall.
+		Unref(reply);
+		reply = 0;
+		return 0;
+		}
+
+	// Note: if reply == 0, it won't be added to the val_list for the
+	// event. While we can check for that on the policy layer it's kinda
+	// ugly, because it's contrary to the event prototype. But having
+	// this optional argument to the event is really helpful. Otherwise I
+	// have to let reply point to a RecordVal where all fields are
+	// optional and all are set to 0 ...
+	if ( event )
+		{
+		val_list* vl = event_common_vl(c, rpc_status, nfs_status,
+					start_time, last_time, reply_len);
+
+		Val *request = c->TakeRequestVal();
+
+		if ( request )
+			vl->append(request);
+
+		if ( reply )
+			vl->append(reply);
+
+		analyzer->ConnectionEvent(event, vl);
+		}
+
 	return 1;
 	}
 
-StringVal* NFS_Interp::ExtractFH(const u_char*& buf, int& n)
+StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size)
+	{
+	int data_n;
+
+	// extract the data, move buf and n
+	const u_char *data = extract_XDR_opaque(buf, n, data_n, 1 << 30, true);
+
+	// check whether we have to deliver data to the event
+	if ( ! BifConst::NFS3::return_data )
+		return 0;
+
+	if ( BifConst::NFS3::return_data_first_only && offset != 0 )
+		return 0;
+
+	// Ok, so we want to return some data
+	data_n = min(data_n, size);
+	data_n = min(data_n, int(BifConst::NFS3::return_data_max));
+
+	if ( data_n > 0 )
+		return new StringVal(new BroString(data, data_n, 0));
+
+	return 0;
+	}
+
+val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+				      BifEnum::NFS3::status_t nfs_status,
+				      double rep_start_time,
+				      double rep_last_time, int reply_len)
+	{
+	// Returns a new val_list that already has a conn_val, and nfs3_info.
+	// These are the first parameters for each nfs_* event ...
+	val_list *vl = new val_list;
+	vl->append(analyzer->BuildConnVal());
+
+	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
+	info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status));
+	info->Assign(1, new EnumVal(nfs_status, BifType::Enum::NFS3::status_t));
+	info->Assign(2, new Val(c->StartTime(), TYPE_TIME));
+	info->Assign(3, new Val(c->LastTime()-c->StartTime(), TYPE_INTERVAL));
+	info->Assign(4, new Val(c->RPCLen(), TYPE_COUNT));
+	info->Assign(5, new Val(rep_start_time, TYPE_TIME));
+	info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL));
+	info->Assign(7, new Val(reply_len, TYPE_COUNT));
+
+	vl->append(info);
+	return vl;
+	}
+
+StringVal* NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
 	{
 	int fh_n;
 	const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
@@ -184,20 +309,21 @@ StringVal* NFS_Interp::ExtractFH(const u_char*& buf, int& n)
 	return new StringVal(new BroString(fh, fh_n, 0));
 	}
 
-RecordVal* NFS_Interp::ExtractAttrs(const u_char*& buf, int& n)
+RecordVal* NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
 	{
-	RecordVal* attrs = new RecordVal(nfs3_attrs);
-	attrs->Assign(0, ExtractCount(buf, n));	// file type
-	attrs->Assign(1, ExtractCount(buf, n));	// mode
-	attrs->Assign(2, ExtractCount(buf, n));	// nlink
-	attrs->Assign(3, ExtractCount(buf, n));	// uid
-	attrs->Assign(4, ExtractCount(buf, n));	// gid
-	attrs->Assign(5, ExtractLongAsDouble(buf, n));	// size
-	attrs->Assign(6, ExtractLongAsDouble(buf, n));	// used
-	attrs->Assign(7, ExtractCount(buf, n));	// rdev1
-	attrs->Assign(8, ExtractCount(buf, n));	// rdev2
-	attrs->Assign(9, ExtractLongAsDouble(buf, n));	// fsid
-	attrs->Assign(10, ExtractLongAsDouble(buf, n));	// fileid
+	RecordVal* attrs = new RecordVal(BifType::Record::NFS3::fattr_t);
+
+	attrs->Assign(0, nfs3_ftype(buf, n));	// file type
+	attrs->Assign(1, ExtractUint32(buf, n));	// mode
+	attrs->Assign(2, ExtractUint32(buf, n));	// nlink
+	attrs->Assign(3, ExtractUint32(buf, n));	// uid
+	attrs->Assign(4, ExtractUint32(buf, n));	// gid
+	attrs->Assign(5, ExtractUint64(buf, n));	// size
+	attrs->Assign(6, ExtractUint64(buf, n));	// used
+	attrs->Assign(7, ExtractUint32(buf, n));	// rdev1
+	attrs->Assign(8, ExtractUint32(buf, n));	// rdev2
+	attrs->Assign(9, ExtractUint64(buf, n));	// fsid
+	attrs->Assign(10, ExtractUint64(buf, n));	// fileid
 	attrs->Assign(11, ExtractTime(buf, n));	// atime
 	attrs->Assign(12, ExtractTime(buf, n));	// mtime
 	attrs->Assign(13, ExtractTime(buf, n));	// ctime
@@ -205,27 +331,297 @@ RecordVal* NFS_Interp::ExtractAttrs(const u_char*& buf, int& n)
 	return attrs;
 	}
 
-RecordVal* NFS_Interp::ExtractOptAttrs(const u_char*& buf, int& n)
+EnumVal* NFS_Interp::nfs3_ftype(const u_char*& buf, int& n)
+	{
+	BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n);
+	return new EnumVal(t, BifType::Enum::NFS3::file_type_t);
+	}
+
+RecordVal* NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
+	{
+	RecordVal* attrs = new RecordVal(BifType::Record::NFS3::wcc_attr_t);
+
+	attrs->Assign(0, ExtractUint64(buf, n));	// size
+	attrs->Assign(1, ExtractTime(buf, n));	// mtime
+	attrs->Assign(2, ExtractTime(buf, n));	// ctime
+
+	return attrs;
+	}
+
+StringVal *NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
+	{
+	int name_len;
+	const u_char* name = extract_XDR_opaque(buf, n, name_len);
+
+	if ( ! name )
+		return 0;
+
+	return new StringVal(new BroString(name, name_len, 0));
+	}
+
+RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
+	{
+	RecordVal *diropargs = new RecordVal(BifType::Record::NFS3::diropargs_t);
+
+	diropargs->Assign(0, nfs3_fh(buf, n));
+	diropargs->Assign(1, nfs3_filename(buf, n));
+
+	return diropargs;
+	}
+
+
+RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
 	{
 	int have_attrs = extract_XDR_uint32(buf, n);
 
-	RecordVal* opt_attrs = new RecordVal(nfs3_opt_attrs);
-	if ( buf && have_attrs )
-		opt_attrs->Assign(0, ExtractAttrs(buf, n));
-	else
-		opt_attrs->Assign(0, 0);
+	if ( have_attrs )
+		return nfs3_fattr(buf, n);
 
-	return opt_attrs;
+	return 0;
 	}
 
-Val* NFS_Interp::ExtractCount(const u_char*& buf, int& n)
+StringVal* NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
+	{
+	int have_fh = extract_XDR_uint32(buf, n);
+
+	if ( have_fh )
+		return nfs3_fh(buf, n);
+
+	return 0;
+	}
+
+RecordVal* NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
+	{
+	int have_attrs = extract_XDR_uint32(buf, n);
+
+	if ( have_attrs )
+		return nfs3_wcc_attr(buf, n);
+	return 0;
+	}
+
+EnumVal *NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n)
+	{
+	BifEnum::NFS3::stable_how_t stable = (BifEnum::NFS3::stable_how_t)extract_XDR_uint32(buf, n);
+	return new EnumVal(stable, BifType::Enum::NFS3::stable_how_t);
+	}
+
+RecordVal* NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::lookup_reply_t);
+
+	if ( status == BifEnum::NFS3::NFS3ERR_OK )
+		{
+		rep->Assign(0, nfs3_fh(buf,n));
+		rep->Assign(1, nfs3_post_op_attr(buf, n));
+		rep->Assign(2, nfs3_post_op_attr(buf, n));
+		}
+	else
+		{
+		rep->Assign(0, 0);
+		rep->Assign(1, 0);
+		rep->Assign(2, nfs3_post_op_attr(buf, n));
+		}
+	return rep;
+	}
+
+RecordVal *NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
+	{
+	RecordVal *readargs = new RecordVal(BifType::Record::NFS3::readargs_t);
+
+	readargs->Assign(0, nfs3_fh(buf, n));
+	readargs->Assign(1, ExtractUint64(buf, n));  // offset
+	readargs->Assign(2, ExtractUint32(buf,n));   // size
+
+	return readargs;
+	}
+
+RecordVal* NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status,
+		bro_uint_t offset)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::read_reply_t);
+
+	if (status == BifEnum::NFS3::NFS3ERR_OK)
+		{
+		uint32_t bytes_read;
+
+		rep->Assign(0, nfs3_post_op_attr(buf, n));
+		bytes_read = extract_XDR_uint32(buf, n);
+		rep->Assign(1, new Val(bytes_read, TYPE_COUNT));
+		rep->Assign(2, ExtractBool(buf, n));
+		rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
+		}
+	else
+		{
+		rep->Assign(0, nfs3_post_op_attr(buf, n));
+		}
+
+	return rep;
+	}
+
+RecordVal* NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::readlink_reply_t);
+
+	if (status == BifEnum::NFS3::NFS3ERR_OK)
+		{
+		rep->Assign(0, nfs3_post_op_attr(buf, n));
+		rep->Assign(1, nfs3_nfspath(buf,n));
+		}
+	else
+		{
+		rep->Assign(0, nfs3_post_op_attr(buf, n));
+		}
+
+	return rep;
+	}
+
+RecordVal *NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
+	{
+	uint32_t bytes;
+	uint64_t offset;
+	RecordVal *writeargs = new RecordVal(BifType::Record::NFS3::writeargs_t);
+
+	offset = extract_XDR_uint64(buf, n);
+	bytes = extract_XDR_uint32(buf, n);
+
+	writeargs->Assign(0, nfs3_fh(buf, n));
+	writeargs->Assign(1, new Val(offset, TYPE_COUNT));
+	writeargs->Assign(2, new Val(bytes, TYPE_COUNT));
+	writeargs->Assign(3, nfs3_stable_how(buf, n));
+	writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
+
+	return writeargs;
+	}
+
+RecordVal *NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::write_reply_t);
+
+	if ( status == BifEnum::NFS3::NFS3ERR_OK )
+		{
+		rep->Assign(0, nfs3_pre_op_attr(buf, n));
+		rep->Assign(1, nfs3_post_op_attr(buf, n));
+		rep->Assign(2, ExtractUint32(buf, n));
+		rep->Assign(3, nfs3_stable_how(buf, n));
+
+		// Writeverf. While the RFC says that this should be a fixed
+		// length opaque, it specifies the lenght as 8 bytes, so we
+		// can also just as easily extract a uint64.
+		rep->Assign(4, ExtractUint64(buf, n));
+		}
+	else
+		{
+		rep->Assign(0, nfs3_post_op_attr(buf, n));
+		rep->Assign(1, nfs3_pre_op_attr(buf, n));
+		}
+
+	return rep;
+	}
+
+RecordVal* NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::newobj_reply_t);
+
+	if (status == BifEnum::NFS3::NFS3ERR_OK)
+		{
+		int i = 0;
+		rep->Assign(0, nfs3_post_op_fh(buf,n));
+		rep->Assign(1, nfs3_post_op_attr(buf, n));
+		// wcc_data
+		rep->Assign(2, nfs3_pre_op_attr(buf, n));
+		rep->Assign(3, nfs3_post_op_attr(buf, n));
+		}
+	else
+		{
+		rep->Assign(0, 0);
+		rep->Assign(1, 0);
+		rep->Assign(2, nfs3_pre_op_attr(buf, n));
+		rep->Assign(3, nfs3_post_op_attr(buf, n));
+		}
+
+	return rep;
+	}
+
+RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::delobj_reply_t);
+
+	// wcc_data
+	rep->Assign(0, nfs3_pre_op_attr(buf, n));
+	rep->Assign(1, nfs3_post_op_attr(buf, n));
+
+	return rep;
+	}
+
+RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
+	{
+	RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t);
+
+	args->Assign(0, new Val(isplus, TYPE_BOOL));
+	args->Assign(1, nfs3_fh(buf, n));
+	args->Assign(2, ExtractUint64(buf,n));	// cookie
+	args->Assign(3, ExtractUint64(buf,n));	// cookieverf
+	args->Assign(4, ExtractUint32(buf,n));	// dircount
+
+	if ( isplus )
+		args->Assign(5, ExtractUint32(buf,n));
+
+	return args;
+	}
+
+RecordVal* NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
+		int&n, BifEnum::NFS3::status_t status)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::readdir_reply_t);
+
+	rep->Assign(0, new Val(isplus, TYPE_BOOL));
+
+	if ( status == BifEnum::NFS3::NFS3ERR_OK )
+		{
+		unsigned pos;
+		VectorVal *entries = new VectorVal(BifType::Vector::NFS3::direntry_vec_t);
+
+		rep->Assign(1, nfs3_post_op_attr(buf,n));   // dir_attr
+		rep->Assign(2, ExtractUint64(buf,n));  // cookieverf
+
+		pos = 1;
+
+		while ( extract_XDR_uint32(buf,n) )
+			{
+			RecordVal *entry = new RecordVal(BifType::Record::NFS3::direntry_t);
+			entry->Assign(0, ExtractUint64(buf,n)); // fileid
+			entry->Assign(1, nfs3_filename(buf,n)); // fname
+			entry->Assign(2, ExtractUint64(buf,n)); // cookie
+
+			if ( isplus )
+				{
+				entry->Assign(3, nfs3_post_op_attr(buf,n));
+				entry->Assign(4, nfs3_post_op_fh(buf,n));
+				}
+
+			entries->Assign(pos, entry, 0);
+			pos++;
+			}
+
+		rep->Assign(3, entries);
+		rep->Assign(4, ExtractBool(buf,n));	// eof
+		}
+	else
+		{
+		rep->Assign(1, nfs3_post_op_attr(buf,n));
+		}
+
+	return rep;
+	}
+
+Val* NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
 	{
 	return new Val(extract_XDR_uint32(buf, n), TYPE_COUNT);
 	}
 
-Val* NFS_Interp::ExtractLongAsDouble(const u_char*& buf, int& n)
+Val* NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
 	{
-	return new Val(extract_XDR_uint64_as_double(buf, n), TYPE_DOUBLE);
+	return new Val(extract_XDR_uint64(buf, n), TYPE_COUNT);
 	}
 
 Val* NFS_Interp::ExtractTime(const u_char*& buf, int& n)
@@ -238,37 +634,14 @@ Val* NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
 	return new IntervalVal(double(extract_XDR_uint32(buf, n)), 1.0);
 	}
 
-void NFS_Interp::Event(EventHandlerPtr f, Val* request, int status, Val* reply)
+Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n)
 	{
-	if ( ! f )
-		{
-		Unref(request);
-		Unref(reply);
-		return;
-		}
-
-	val_list* vl = new val_list;
-
-	vl->append(analyzer->BuildConnVal());
-	if ( status == RPC_SUCCESS )
-		{
-		if ( request )
-			vl->append(request);
-		if ( reply )
-			vl->append(reply);
-		}
-	else
-		{
-		vl->append(new Val(status, TYPE_COUNT));
-		if ( request )
-			vl->append(request);
-		}
-
-	analyzer->ConnectionEvent(f, vl);
+	return new Val(extract_XDR_uint32(buf, n), TYPE_BOOL);
 	}
 
+
 NFS_Analyzer::NFS_Analyzer(Connection* conn)
-: RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this))
+	: RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this))
 	{
 	orig_rpc = resp_rpc = 0;
 	}
diff --git a/src/NFS.h b/src/NFS.h
index 87a0d041e9..6a65143808 100644
--- a/src/NFS.h
+++ b/src/NFS.h
@@ -1,11 +1,11 @@
-// $Id: NFS.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef nfs_h
 #define nfs_h
 
 #include "RPC.h"
+#include "XDR.h"
+#include "Event.h"
 
 class NFS_Interp : public RPC_Interpreter {
 public:
@@ -13,19 +13,61 @@ public:
 
 protected:
 	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
-	int RPC_BuildReply(const RPC_CallInfo* c, int success,
-				const u_char*& buf, int& n,
-				EventHandlerPtr& event, Val*& reply);
+	int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
+				const u_char*& buf, int& n, double start_time,
+				double last_time, int reply_len);
+
+	// Returns a new val_list that already has a conn_val, rpc_status and
+	// nfs_status. These are the first parameters for each nfs_* event
+	// ...
+	val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+				BifEnum::NFS3::status_t nfs_status,
+				double rep_start_time, double rep_last_time,
+				int reply_len);
+
+	// These methods parse the appropriate NFSv3 "type" out of buf. If
+	// there are any errors (i.e., buffer to short, etc), buf will be set
+	// to 0. However, the methods might still return an allocated Val * !
+	// So, you might want to Unref() the Val if buf is 0. Method names
+	// are based on the type names of RFC 1813.
+	StringVal* nfs3_fh(const u_char*& buf, int& n);
+	RecordVal* nfs3_fattr(const u_char*& buf, int& n);
+	EnumVal* nfs3_ftype(const u_char*& buf, int& n);
+	RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n);
+	RecordVal* nfs3_diropargs(const u_char*&buf, int &n);
+	StringVal* nfs3_filename(const u_char*& buf, int& n);
+	StringVal* nfs3_nfspath(const u_char*& buf, int& n)
+		{
+		return nfs3_filename(buf,n);
+		}
+
+	RecordVal* nfs3_post_op_attr(const u_char*&buf, int &n);	// Return 0 or an fattr
+	RecordVal* nfs3_pre_op_attr(const u_char*&buf, int &n);	// Return 0 or an wcc_attr
+	RecordVal* nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
+	RecordVal* nfs3_readargs(const u_char*& buf, int& n);
+	RecordVal* nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset);
+	RecordVal* nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
+	RecordVal* nfs3_writeargs(const u_char*& buf, int& n);
+	EnumVal* nfs3_stable_how(const u_char*& buf, int& n);
+	RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
+	RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
+	RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n);
+	StringVal* nfs3_post_op_fh(const u_char*& buf, int& n);
+	RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
+	RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
+
+	// Consumes the file data in the RPC message. Depending on NFS::return_data* consts
+	// in bro.init returns NULL or the data as string val:
+	//   * offset is the offset of the read/write call
+	//   * size is the amount of bytes read (or requested to be written),
+	StringVal* nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
 
-	StringVal* ExtractFH(const u_char*& buf, int& n);
-	RecordVal* ExtractAttrs(const u_char*& buf, int& n);
 	RecordVal* ExtractOptAttrs(const u_char*& buf, int& n);
-	Val* ExtractCount(const u_char*& buf, int& n);
-	Val* ExtractLongAsDouble(const u_char*& buf, int& n);
+	Val* ExtractUint32(const u_char*& buf, int& n);
+	Val* ExtractUint64(const u_char*& buf, int& n);
 	Val* ExtractTime(const u_char*& buf, int& n);
 	Val* ExtractInterval(const u_char*& buf, int& n);
-
-	void Event(EventHandlerPtr f, Val* request, int status, Val* reply);
+	Val* ExtractBool(const u_char*& buf, int& n);
 };
 
 class NFS_Analyzer : public RPC_Analyzer {
@@ -36,7 +78,16 @@ public:
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NFS_Analyzer(conn); }
 
-	static bool Available()	{ return nfs_request_getattr || rpc_call; }
+	static bool Available()
+		{
+		return ( nfs_proc_null || nfs_proc_not_implemented || nfs_proc_getattr ||
+		         nfs_proc_lookup || nfs_proc_read || nfs_proc_readlink ||
+		         nfs_proc_write || nfs_proc_create || nfs_proc_mkdir ||
+		         nfs_proc_remove || nfs_proc_rmdir || nfs_proc_readdir ||
+		         nfs_reply_status ||
+		         rpc_dialogue || rpc_call || rpc_reply );
+		}
 };
 
+
 #endif
diff --git a/src/NTP.cc b/src/NTP.cc
index ac7d12fb6d..60b7e6202d 100644
--- a/src/NTP.cc
+++ b/src/NTP.cc
@@ -1,5 +1,3 @@
-// $Id: NTP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/NTP.h b/src/NTP.h
index c4ccdd644a..a22a7b231b 100644
--- a/src/NTP.h
+++ b/src/NTP.h
@@ -1,5 +1,3 @@
-// $Id: NTP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ntp_h
diff --git a/src/NVT.cc b/src/NVT.cc
index 66438a0589..5ba12ac32a 100644
--- a/src/NVT.cc
+++ b/src/NVT.cc
@@ -1,5 +1,3 @@
-// $Id: NVT.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -38,7 +36,7 @@ void TelnetOption::RecvOption(unsigned int type)
 	{
 	TelnetOption* peer = endp->FindPeerOption(code);
 	if ( ! peer )
-		internal_error("option peer missing in TelnetOption::RecvOption");
+		reporter->InternalError("option peer missing in TelnetOption::RecvOption");
 
 	// WILL/WONT/DO/DONT are messages we've *received* from our peer.
 	switch ( type ) {
@@ -83,7 +81,7 @@ void TelnetOption::RecvOption(unsigned int type)
 		break;
 
 	default:
-		internal_error("bad option type in TelnetOption::RecvOption");
+		reporter->InternalError("bad option type in TelnetOption::RecvOption");
 	}
 	}
 
@@ -163,7 +161,7 @@ void TelnetEncryptOption::RecvSubOption(u_char* data, int len)
 			(TelnetEncryptOption*) endp->FindPeerOption(code);
 
 		if ( ! peer )
-			internal_error("option peer missing in TelnetEncryptOption::RecvSubOption");
+			reporter->InternalError("option peer missing in TelnetEncryptOption::RecvSubOption");
 
 		if ( peer->DidRequest() || peer->DoingEncryption() ||
 		     peer->Endpoint()->AuthenticationHasBeenAccepted() )
@@ -199,7 +197,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
 			(TelnetAuthenticateOption*) endp->FindPeerOption(code);
 
 		if ( ! peer )
-			internal_error("option peer missing in TelnetAuthenticateOption::RecvSubOption");
+			reporter->InternalError("option peer missing in TelnetAuthenticateOption::RecvSubOption");
 
 		if ( ! peer->DidRequestAuthentication() )
 			InconsistentOption(0);
diff --git a/src/NVT.h b/src/NVT.h
index 63c0cc6620..61aa1ef740 100644
--- a/src/NVT.h
+++ b/src/NVT.h
@@ -1,5 +1,3 @@
-// $Id: NVT.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef nvt_h
diff --git a/src/Net.cc b/src/Net.cc
index 80ad234b64..2d8ee85353 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -1,5 +1,3 @@
-// $Id: Net.cc 6915 2009-09-22 05:04:17Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -26,9 +24,8 @@
 #include "Event.h"
 #include "Timer.h"
 #include "Var.h"
-#include "Logger.h"
+#include "Reporter.h"
 #include "Net.h"
-#include "TCP_Rewriter.h"
 #include "Anon.h"
 #include "PacketSort.h"
 #include "Serializer.h"
@@ -47,19 +44,11 @@ PList(PktSrc) pkt_srcs;
 // FIXME: We should really merge PktDumper and PacketDumper.
 // It's on my to-do [Robin].
 PktDumper* pkt_dumper = 0;
-PktDumper* pkt_transformed_dumper = 0;
-
-// For trace of rewritten packets
-PacketDumper* transformed_pkt_dump = 0;
-// For trace of original packets from selected connections
-PacketDumper* source_pkt_dump = 0;
-int transformed_pkt_dump_MTU = 1514;
 
 int reading_live = 0;
 int reading_traces = 0;
 int have_pending_timers = 0;
 double pseudo_realtime = 0.0;
-char* user_pcap_filter = 0;
 bool using_communication = false;
 
 double network_time = 0.0;	// time according to last packet timestamp
@@ -80,6 +69,7 @@ double current_timestamp = 0.0;
 PktSrc* current_pktsrc = 0;
 IOSource* current_iosrc;
 
+std::list<ScannedFile> files_scanned;
 
 RETSIGTYPE watchdog(int /* signo */)
 	{
@@ -117,15 +107,6 @@ RETSIGTYPE watchdog(int /* signo */)
 			int frac_pst =
 				int((processing_start_time - int_pst) * 1e6);
 
-			char msg[512];
-			safe_snprintf(msg, sizeof(msg),
-				      "**watchdog timer expired, t = %d.%06d, start = %d.%06d, dispatched = %d",
-				      int_ct, frac_ct, int_pst, frac_pst,
-				      current_dispatched);
-
-			bro_logger->Log(msg);
-			run_time("watchdog timer expired");
-
 			if ( current_hdr )
 				{
 				if ( ! pkt_dumper )
@@ -137,7 +118,7 @@ RETSIGTYPE watchdog(int /* signo */)
 					pkt_dumper = new PktDumper("watchdog-pkt.pcap");
 					if ( pkt_dumper->IsError() )
 						{
-						fprintf(stderr, "watchdog: can't open watchdog-pkt.pcap for writing\n");
+						reporter->Error("watchdog: can't open watchdog-pkt.pcap for writing\n");
 						pkt_dumper = 0;
 						}
 					}
@@ -149,8 +130,10 @@ RETSIGTYPE watchdog(int /* signo */)
 			net_get_final_stats();
 			net_finish(0);
 
-			abort();
-			exit(1);
+			reporter->FatalErrorWithCore(
+			          "**watchdog timer expired, t = %d.%06d, start = %d.%06d, dispatched = %d",
+				      int_ct, frac_ct, int_pst, frac_pst,
+					  current_dispatched);
 			}
 		}
 
@@ -162,9 +145,8 @@ RETSIGTYPE watchdog(int /* signo */)
 
 void net_init(name_list& interfaces, name_list& readfiles, 
 	      name_list& netflows, name_list& flowfiles,
-	        const char* writefile, const char* transformed_writefile,
-	        const char* filter, const char* secondary_filter,
-		int do_watchdog)
+	        const char* writefile, const char* filter,
+			const char* secondary_filter, int do_watchdog)
 	{
 	init_net_var();
 
@@ -178,11 +160,8 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			PktFileSrc* ps = new PktFileSrc(readfiles[i], filter);
 
 			if ( ! ps->IsOpen() )
-				{
-				fprintf(stderr, "%s: problem with trace file %s - %s\n",
+				reporter->FatalError("%s: problem with trace file %s - %s\n",
 					prog, readfiles[i], ps->ErrorMsg());
-				exit(1);
-				}
 			else
 				{
 				pkt_srcs.append(ps);
@@ -198,12 +177,9 @@ void net_init(name_list& interfaces, name_list& readfiles,
 							TYPE_FILTER_SECONDARY);
 
 				if ( ! ps->IsOpen() )
-					{
-					fprintf(stderr, "%s: problem with trace file %s - %s\n",
+					reporter->FatalError("%s: problem with trace file %s - %s\n",
 						prog, readfiles[i],
 						ps->ErrorMsg());
-					exit(1);
-					}
 				else
 					{
 					pkt_srcs.append(ps);
@@ -219,11 +195,8 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			FlowFileSrc* fs = new FlowFileSrc(flowfiles[i]);
 
 			if ( ! fs->IsOpen() )
-				{
-				fprintf(stderr, "%s: problem with netflow file %s - %s\n",
+				reporter->FatalError("%s: problem with netflow file %s - %s\n",
 					prog, flowfiles[i], fs->ErrorMsg());
-				exit(1);
-				}
 			else
 				{
 				io_sources.Register(fs);
@@ -242,11 +215,8 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			ps = new PktInterfaceSrc(interfaces[i], filter);
 
 			if ( ! ps->IsOpen() )
-				{
-				fprintf(stderr, "%s: problem with interface %s - %s\n",
+				reporter->FatalError("%s: problem with interface %s - %s\n",
 					prog, interfaces[i], ps->ErrorMsg());
-				exit(1);
-				}
 			else
 				{
 				pkt_srcs.append(ps);
@@ -260,12 +230,9 @@ void net_init(name_list& interfaces, name_list& readfiles,
 					filter, TYPE_FILTER_SECONDARY);
 
 				if ( ! ps->IsOpen() )
-					{
-					fprintf(stderr, "%s: problem with interface %s - %s\n",
+					reporter->Error("%s: problem with interface %s - %s\n",
 						prog, interfaces[i],
 						ps->ErrorMsg());
-					exit(1);
-					}
 				else
 					{
 					pkt_srcs.append(ps);
@@ -281,11 +248,8 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			FlowSocketSrc* fs = new FlowSocketSrc(netflows[i]);
 
 			if ( ! fs->IsOpen() )
-				{
-				fprintf(stderr, "%s: problem with netflow socket %s - %s\n",
+				reporter->Error("%s: problem with netflow socket %s - %s\n",
 					prog, netflows[i], fs->ErrorMsg());
-				exit(1);
-				}
 			else
 				{
 				io_sources.Register(fs);
@@ -307,50 +271,17 @@ void net_init(name_list& interfaces, name_list& readfiles,
 		// interfaces with different-lengthed media.
 		pkt_dumper = new PktDumper(writefile);
 		if ( pkt_dumper->IsError() )
-			{
-			fprintf(stderr, "%s: can't open write file \"%s\" - %s\n",
+			reporter->FatalError("%s: can't open write file \"%s\" - %s\n",
 				prog, writefile, pkt_dumper->ErrorMsg());
-			exit(1);
-			}
 
 		ID* id = global_scope()->Lookup("trace_output_file");
 		if ( ! id )
-			run_time("trace_output_file not defined in bro.init");
+			reporter->Error("trace_output_file not defined in bro.init");
 		else
 			id->SetVal(new StringVal(writefile));
 		}
 
-	if ( transformed_writefile )
-		{
-		pkt_transformed_dumper = new PktDumper(transformed_writefile);
-		if ( pkt_transformed_dumper->IsError() )
-			{
-			fprintf(stderr, "%s: can't open trace transformation write file \"%s\" - %s\n",
-				prog, writefile,
-				pkt_transformed_dumper->ErrorMsg());
-			exit(1);
-			}
-
-		transformed_pkt_dump =
-			new PacketDumper(pkt_transformed_dumper->PcapDumper());
-
-		// If both -A and -w are specified, -A will be the transformed
-		// trace file and -w will be the source packet trace file.
-		// Otherwise the packets will go to the same file.
-		if ( pkt_dumper )
-			source_pkt_dump =
-				new PacketDumper(pkt_dumper->PcapDumper());
-		}
-
-	else if ( pkt_dumper )
-		transformed_pkt_dump =
-			new PacketDumper(pkt_dumper->PcapDumper());
-
-	if ( anonymize_ip_addr )
-		init_ip_addr_anonymizers();
-	else
-		for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
-			ip_anonymizer[i] = 0;
+	init_ip_addr_anonymizers();
 
 	if ( packet_sort_window > 0 )
 		packet_sorter = new PacketSortGlobalPQ();
@@ -406,7 +337,7 @@ void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 		if ( load_freq == 0 )
 			load_freq = uint32(0xffffffff) / uint32(load_sample_freq);
 
-		if ( uint32(random() & 0xffffffff) < load_freq )
+		if ( uint32(bro_random() & 0xffffffff) < load_freq )
 			{
 			// Drain the queued timer events so they're not
 			// charged against this sample.
@@ -605,7 +536,7 @@ void net_get_final_stats()
 			{
 			struct PktSrc::Stats s;
 			ps->Statistics(&s);
-			fprintf(stderr, "%d packets received on interface %s, %d dropped\n",
+			reporter->Info("%d packets received on interface %s, %d dropped\n",
 					s.received, ps->Interface(), s.dropped);
 			}
 		}
@@ -627,9 +558,6 @@ void net_finish(int drain_events)
 		}
 
 	delete pkt_dumper;
-	delete pkt_transformed_dumper;
-
-	// fprintf(stderr, "uhash: %d/%d\n", hash_cnt_uhash, hash_cnt_all);
 
 #ifdef DEBUG
 	extern int reassem_seen_bytes, reassem_copied_bytes;
@@ -648,11 +576,6 @@ void net_delete()
 	delete sessions;
 	delete packet_sorter;
 
-	// Can't put this in net_finish() because packets might be
-	// dumped when connections are deleted.
-	if ( transformed_pkt_dump )
-		delete transformed_pkt_dump;
-
 	for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
 		delete ip_anonymizer[i];
 	}
@@ -687,7 +610,7 @@ static double suspend_start = 0;
 void net_suspend_processing()
 	{
 	if ( _processing_suspended == 0 )
-		bro_logger->Log("processing suspended");
+		reporter->Info("processing suspended");
 
 	++_processing_suspended;
 	}
@@ -696,7 +619,7 @@ void net_continue_processing()
 	{
 	if ( _processing_suspended == 1 )
 		{
-		bro_logger->Log("processing continued");
+		reporter->Info("processing continued");
 		loop_over_list(pkt_srcs, i)
 			pkt_srcs[i]->ContinueAfterSuspend();
 		}
diff --git a/src/Net.h b/src/Net.h
index 87c0ce2499..9e68cc025b 100644
--- a/src/Net.h
+++ b/src/Net.h
@@ -1,5 +1,3 @@
-// $Id: Net.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef net_h
@@ -15,9 +13,8 @@
 
 extern void net_init(name_list& interfaces, name_list& readfiles,
 		name_list& netflows, name_list& flowfiles,
-		const char* writefile, const char* transformed_writefile,
-		const char* filter, const char* secondary_filter,
-		int do_watchdog);
+		const char* writefile, const char* filter,
+		const char* secondary_filter, int do_watchdog);
 extern void net_run();
 extern void net_get_final_stats();
 extern void net_finish(int drain_events);
@@ -59,9 +56,6 @@ extern int have_pending_timers;
 // is the speedup (1 = real-time, 0.5 = half real-time, etc.).
 extern double pseudo_realtime;
 
-// Pcap filter supplied by the user on the command line (if any).
-extern char* user_pcap_filter;
-
 // When we started processing the current packet and corresponding event
 // queue.
 extern double processing_start_time;
@@ -79,6 +73,9 @@ extern bool terminating;
 // True if the remote serializer is to be activated.
 extern bool using_communication;
 
+// Snaplen passed to libpcap.
+extern int snaplen;
+
 extern const struct pcap_pkthdr* current_hdr;
 extern const u_char* current_pkt;
 extern int current_dispatched;
@@ -91,8 +88,28 @@ declare(PList,PktSrc);
 extern PList(PktSrc) pkt_srcs;
 
 extern PktDumper* pkt_dumper;	// where to save packets
-extern PktDumper* pkt_transformed_dumper;
 
 extern char* writefile;
 
+// Script file we have already scanned (or are in the process of scanning).
+// They are identified by inode number.
+struct ScannedFile {
+	ino_t inode;
+	int include_level;
+	string name;
+	string subpath;		// Path in BROPATH's policy/ containing the file.
+	bool skipped;		// This ScannedFile was @unload'd.
+	bool prefixes_checked;	// If loading prefixes for this file has been tried.
+
+	ScannedFile(ino_t arg_inode, int arg_include_level, string arg_name,
+		    string arg_subpath = "", bool arg_skipped = false,
+		    bool arg_prefixes_checked = false)
+			: inode(arg_inode), include_level(arg_include_level),
+			name(arg_name), subpath(arg_subpath), skipped(arg_skipped),
+			prefixes_checked(arg_prefixes_checked)
+		{ }
+};
+
+extern std::list<ScannedFile> files_scanned;
+
 #endif
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 2c817fdc17..5aed213508 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -1,5 +1,3 @@
-// $Id: NetVar.cc 6887 2009-08-20 05:17:33Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -18,11 +16,11 @@ RecordType* pcap_packet;
 RecordType* signature_state;
 EnumType* transport_proto;
 TableType* string_set;
-
-RecordType* net_stats;
+TableType* string_array;
+TableType* count_set;
+VectorType* string_vec;
 
 int watchdog_interval;
-double heartbeat_interval;
 
 int max_timer_expires;
 int max_remote_events_processed;
@@ -109,12 +107,6 @@ TableType* pm_mappings;
 RecordType* pm_port_request;
 RecordType* pm_callit_request;
 
-RecordType* nfs3_attrs;
-RecordType* nfs3_opt_attrs;
-RecordType* nfs3_lookup_args;
-RecordType* nfs3_lookup_reply;
-RecordType* nfs3_fsstat;
-
 RecordType* ntp_msg;
 
 TableVal* samba_cmds;
@@ -126,6 +118,8 @@ TableType* smb_negotiate;
 
 RecordType* geo_location;
 
+RecordType* entropy_test_result;
+
 TableType* dhcp_router_list;
 RecordType* dhcp_msg;
 
@@ -199,8 +193,6 @@ StringVal* ssl_private_key;
 StringVal* ssl_passphrase;
 
 StringVal* x509_crl_file;
-TableType* x509_extension;
-TableType* SSL_sessionID;
 
 Val* profiling_file;
 double profiling_interval;
@@ -247,7 +239,6 @@ int dump_used_event_handlers;
 int suppress_local_output;
 
 double timer_mgr_inactivity_timeout;
-double expected_connection_timeout;
 
 int time_machine_profiling;
 
@@ -257,9 +248,16 @@ int record_all_packets;
 
 RecordType* script_id;
 TableType* id_table;
+RecordType* record_field;
+TableType* record_field_table;
+
+StringVal* cmd_line_bpf_filter;
 
 #include "const.bif.netvar_def"
+#include "types.bif.netvar_def"
 #include "event.bif.netvar_def"
+#include "logging.bif.netvar_def"
+#include "reporter.bif.netvar_def"
 
 void init_event_handlers()
 	{
@@ -295,7 +293,7 @@ void init_general_global_var()
 	ssl_passphrase = internal_val("ssl_passphrase")->AsStringVal();
 
 	packet_filter_default = opt_internal_int("packet_filter_default");
-	
+
 	sig_max_group_size = opt_internal_int("sig_max_group_size");
 	enable_syslog = opt_internal_int("enable_syslog");
 
@@ -309,11 +307,17 @@ void init_general_global_var()
 	trace_output_file = internal_val("trace_output_file")->AsStringVal();
 
 	record_all_packets = opt_internal_int("record_all_packets");
+
+	cmd_line_bpf_filter =
+		internal_val("cmd_line_bpf_filter")->AsStringVal();
 	}
 
 void init_net_var()
 	{
 #include "const.bif.netvar_init"
+#include "types.bif.netvar_init"
+#include "logging.bif.netvar_init"
+#include "reporter.bif.netvar_init"
 
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();
@@ -326,6 +330,8 @@ void init_net_var()
 	pcap_packet = internal_type("pcap_packet")->AsRecordType();
 	transport_proto = internal_type("transport_proto")->AsEnumType();
 	string_set = internal_type("string_set")->AsTableType();
+	string_array = internal_type("string_array")->AsTableType();
+	string_vec = internal_type("string_vec")->AsVectorType();
 
 	ignore_checksums = opt_internal_int("ignore_checksums");
 	partial_connection_ok = opt_internal_int("partial_connection_ok");
@@ -362,10 +368,7 @@ void init_net_var()
 	x509_trusted_cert_path = opt_internal_string("X509_trusted_cert_path");
 	ssl_store_cert_path = opt_internal_string("ssl_store_cert_path");
 	x509_type = internal_type("X509")->AsRecordType();
-	cipher_suites_list = internal_type("cipher_suites_list")->AsTableType();
 	x509_crl_file = opt_internal_string("X509_crl_file");
-	x509_extension = internal_type("X509_extension")->AsTableType();
-	SSL_sessionID = internal_type("SSL_sessionID")->AsTableType();
 
 	non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime");
 	tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout");
@@ -403,10 +406,7 @@ void init_net_var()
 	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 	rpc_timeout = opt_internal_double("rpc_timeout");
 
-	net_stats = internal_type("net_stats")->AsRecordType();
-
 	watchdog_interval = int(opt_internal_double("watchdog_interval"));
-	heartbeat_interval = opt_internal_double("heartbeat_interval");
 
 	max_timer_expires = opt_internal_int("max_timer_expires");
 	max_remote_events_processed =
@@ -443,12 +443,6 @@ void init_net_var()
 	pm_port_request = internal_type("pm_port_request")->AsRecordType();
 	pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
 
-	nfs3_attrs = internal_type("nfs3_attrs")->AsRecordType();
-	nfs3_opt_attrs = internal_type("nfs3_opt_attrs")->AsRecordType();
-	nfs3_lookup_args = internal_type("nfs3_lookup_args")->AsRecordType();
-	nfs3_lookup_reply = internal_type("nfs3_lookup_reply")->AsRecordType();
-	nfs3_fsstat = internal_type("nfs3_fsstat")->AsRecordType();
-
 	ntp_msg = internal_type("ntp_msg")->AsRecordType();
 
 	samba_cmds = internal_val("samba_cmds")->AsTableVal();
@@ -460,6 +454,8 @@ void init_net_var()
 
 	geo_location = internal_type("geo_location")->AsRecordType();
 
+	entropy_test_result = internal_type("entropy_test_result")->AsRecordType();
+
 	dhcp_router_list = internal_type("dhcp_router_list")->AsTableType();
 	dhcp_msg = internal_type("dhcp_msg")->AsRecordType();
 
@@ -554,10 +550,10 @@ void init_net_var()
 
 	timer_mgr_inactivity_timeout =
 		opt_internal_double("timer_mgr_inactivity_timeout");
-	expected_connection_timeout =
-		opt_internal_double("expected_connection_timeout");
 	time_machine_profiling = opt_internal_int("time_machine_profiling");
 
 	script_id = internal_type("script_id")->AsRecordType();
 	id_table = internal_type("id_table")->AsTableType();
+	record_field = internal_type("record_field")->AsRecordType();
+	record_field_table = internal_type("record_field_table")->AsTableType();
 	}
diff --git a/src/NetVar.h b/src/NetVar.h
index 904bccdb77..4a513a8a53 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -1,5 +1,3 @@
-// $Id: NetVar.h 6887 2009-08-20 05:17:33Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef netvar_h
@@ -21,11 +19,11 @@ extern RecordType* SYN_packet;
 extern RecordType* pcap_packet;
 extern EnumType* transport_proto;
 extern TableType* string_set;
-
-extern RecordType* net_stats;
+extern TableType* string_array;
+extern TableType* count_set;
+extern VectorType* string_vec;
 
 extern int watchdog_interval;
-extern double heartbeat_interval;
 
 extern int max_timer_expires;
 extern int max_remote_events_processed;
@@ -61,11 +59,8 @@ extern int ssl_store_key_material;
 extern int ssl_max_cipherspec_size;
 extern StringVal* ssl_store_cert_path;
 extern StringVal* x509_trusted_cert_path;
-extern TableType* cipher_suites_list;
 extern RecordType* x509_type;
 extern StringVal* x509_crl_file;
-extern TableType* x509_extension;
-extern TableType* SSL_sessionID;
 
 extern double non_analyzed_lifetime;
 extern double tcp_inactivity_timeout;
@@ -116,12 +111,6 @@ extern TableType* pm_mappings;
 extern RecordType* pm_port_request;
 extern RecordType* pm_callit_request;
 
-extern RecordType* nfs3_attrs;
-extern RecordType* nfs3_opt_attrs;
-extern RecordType* nfs3_lookup_args;
-extern RecordType* nfs3_lookup_reply;
-extern RecordType* nfs3_fsstat;
-
 extern RecordType* ntp_msg;
 
 extern TableVal* samba_cmds;
@@ -133,6 +122,8 @@ extern TableType* smb_negotiate;
 
 extern RecordType* geo_location;
 
+extern RecordType* entropy_test_result;
+
 extern TableType* dhcp_router_list;
 extern RecordType* dhcp_msg;
 
@@ -251,7 +242,6 @@ extern int dump_used_event_handlers;
 extern int suppress_local_output;
 
 extern double timer_mgr_inactivity_timeout;
-extern double expected_connection_timeout;
 
 extern int time_machine_profiling;
 
@@ -261,6 +251,10 @@ extern int record_all_packets;
 
 extern RecordType* script_id;
 extern TableType* id_table;
+extern RecordType* record_field;
+extern TableType* record_field_table;
+
+extern StringVal* cmd_line_bpf_filter;
 
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();
@@ -269,6 +263,9 @@ extern void init_event_handlers();
 extern void init_net_var();
 
 #include "const.bif.netvar_h"
+#include "types.bif.netvar_h"
 #include "event.bif.netvar_h"
+#include "logging.bif.netvar_h"
+#include "reporter.bif.netvar_h"
 
 #endif
diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc
index 0bb135f59d..274e76f137 100644
--- a/src/NetbiosSSN.cc
+++ b/src/NetbiosSSN.cc
@@ -1,5 +1,3 @@
-// $Id: NetbiosSSN.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h
index ba724fa2fb..7c4dd91b90 100644
--- a/src/NetbiosSSN.h
+++ b/src/NetbiosSSN.h
@@ -1,5 +1,3 @@
-// $Id: NetbiosSSN.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef netbios_ssn_h
diff --git a/src/OSFinger.cc b/src/OSFinger.cc
index 8d3d2057bf..f8032d60ee 100644
--- a/src/OSFinger.cc
+++ b/src/OSFinger.cc
@@ -1,5 +1,3 @@
-// $Id: OSFinger.cc 5857 2008-06-26 23:00:03Z vern $
-
 /*
   Taken with permission from:
 
@@ -87,8 +85,8 @@ void OSFingerprint::collide(uint32 id)
   if (sig[id].ttl % 32 && sig[id].ttl != 255 && sig[id].ttl % 30)
     {
     problems=1;
-    warn(fmt("OS fingerprinting: [!] Unusual TTL (%d) for signature '%s %s' (line %d).",
-          sig[id].ttl,sig[id].os,sig[id].desc,sig[id].line));
+    reporter->Warning("OS fingerprinting: [!] Unusual TTL (%d) for signature '%s %s' (line %d).",
+          sig[id].ttl,sig[id].os,sig[id].desc,sig[id].line);
     }
 
   for (i=0;i<id;i++)
@@ -96,8 +94,8 @@ void OSFingerprint::collide(uint32 id)
     if (!strcmp(sig[i].os,sig[id].os) &&
         !strcmp(sig[i].desc,sig[id].desc)) {
       problems=1;
-      warn(fmt("OS fingerprinting: [!] Duplicate signature name: '%s %s' (line %d and %d).",
-            sig[i].os,sig[i].desc,sig[i].line,sig[id].line));
+      reporter->Warning("OS fingerprinting: [!] Duplicate signature name: '%s %s' (line %d and %d).",
+            sig[i].os,sig[i].desc,sig[i].line,sig[id].line);
     }
 
     /* If TTLs are sufficiently away from each other, the risk of
@@ -279,10 +277,10 @@ do_const:
       if (sig[id].opt[j] ^ sig[i].opt[j]) goto reloop;
 
     problems=1;
-    warn(fmt("OS fingerprinting: [!] Signature '%s %s' (line %d)\n"
+    reporter->Warning("OS fingerprinting: [!] Signature '%s %s' (line %d)\n"
           "    is already covered by '%s %s' (line %d).",
           sig[id].os,sig[id].desc,sig[id].line,sig[i].os,sig[i].desc,
-          sig[i].line));
+          sig[i].line);
 
 reloop:
     ;
@@ -295,7 +293,7 @@ void OSFingerprint::load_config(const char* file)
   uint32 ln=0;
   char buf[MAXLINE];
   char* p;
-  FILE* c = search_for_file( file, "osf", 0);
+  FILE* c = search_for_file(file, "osf", 0, false, 0);
 
   if (!c)
     {
diff --git a/src/OSFinger.h b/src/OSFinger.h
index ca040f609a..e5a0829640 100644
--- a/src/OSFinger.h
+++ b/src/OSFinger.h
@@ -1,5 +1,3 @@
-// $Id: OSFinger.h 5857 2008-06-26 23:00:03Z vern $
-
 // Taken with permission from:
 //
 // p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
@@ -15,7 +13,7 @@
 
 #include "util.h"
 #include "Dict.h"
-
+#include "Reporter.h"
 
 // Size limit for size wildcards.
 #define PACKET_BIG 100
@@ -105,19 +103,19 @@ protected:
 
 	void Error(const char* msg)
 		{
-		error(msg);
+		reporter->Error("%s", msg);
 		err = true;
 		}
 
 	void Error(const char* msg, int n)
 		{
-		error(msg, n);
+		reporter->Error(msg, n);
 		err = true;
 		}
 
 	void Error(const char* msg, const char* s)
 		{
-		error(msg, s);
+		reporter->Error(msg, s);
 		err = true;
 		}
 
diff --git a/src/Obj.cc b/src/Obj.cc
index d649b77b61..0b82695f3d 100644
--- a/src/Obj.cc
+++ b/src/Obj.cc
@@ -1,5 +1,3 @@
-// $Id: Obj.cc 6752 2009-06-14 04:24:52Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -52,6 +50,32 @@ bool Location::DoUnserialize(UnserialInfo* info)
 		&& UNSERIALIZE(&last_column);
 	}
 
+void Location::Describe(ODesc* d) const
+	{
+	if ( filename )
+		{
+		d->Add(filename);
+
+		if ( first_line == 0 )
+			return;
+
+		d->AddSP(",");
+		}
+
+	if ( last_line != first_line )
+		{
+		d->Add("lines ");
+		d->Add(first_line);
+		d->Add("-");
+		d->Add(last_line);
+		}
+	else
+		{
+		d->Add("line ");
+		d->Add(first_line);
+		}
+	}
+
 bool Location::operator==(const Location& l) const
 	{
 	if ( filename == l.filename ||
@@ -61,7 +85,7 @@ bool Location::operator==(const Location& l) const
 		return false;
 	}
 
-int BroObj::suppress_runtime = 0;
+int BroObj::suppress_errors = 0;
 
 BroObj::~BroObj()
 	{
@@ -70,23 +94,21 @@ BroObj::~BroObj()
 
 void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
 	{
-	DoMsg("warning,", msg, obj2, pinpoint_only);
-	++nwarn;
+	ODesc d;
+	DoMsg(&d, msg, obj2, pinpoint_only);
+	reporter->Warning("%s", d.Description());
+	reporter->PopLocation();
 	}
 
 void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
 	{
-	DoMsg("error,", msg, obj2, pinpoint_only);
-	++nerr;
-	}
+	if ( suppress_errors )
+		return;
 
-void BroObj::RunTime(const char* msg, const BroObj* obj2, int pinpoint_only) const
-	{
-	if ( ! suppress_runtime )
-		{
-		DoMsg("run-time error,", msg, obj2, pinpoint_only);
-		++nruntime;
-		}
+	ODesc d;
+	DoMsg(&d, msg, obj2, pinpoint_only);
+	reporter->Error("%s", d.Description());
+	reporter->PopLocation();
 	}
 
 void BroObj::BadTag(const char* msg, const char* t1, const char* t2) const
@@ -100,19 +122,26 @@ void BroObj::BadTag(const char* msg, const char* t1, const char* t2) const
 	else
 		snprintf(out, sizeof(out), "%s", msg);
 
-	DoMsg("bad tag in", out);
-	Fatal();
+	ODesc d;
+	DoMsg(&d, out);
+	reporter->FatalError("%s", d.Description());
+	reporter->PopLocation();
 	}
 
 void BroObj::Internal(const char* msg) const
 	{
-	DoMsg("internal error:", msg);
-	Fatal();
+	ODesc d;
+	DoMsg(&d, msg);
+	reporter->InternalError("%s", d.Description());
+	reporter->PopLocation();
 	}
 
 void BroObj::InternalWarning(const char* msg) const
 	{
-	DoMsg("internal warning:", msg);
+	ODesc d;
+	DoMsg(&d, msg);
+	reporter->InternalWarning("%s", d.Description());
+	reporter->PopLocation();
 	}
 
 void BroObj::AddLocation(ODesc* d) const
@@ -123,28 +152,7 @@ void BroObj::AddLocation(ODesc* d) const
 		return;
 		}
 
-	if ( location->filename )
-		{
-		d->Add(location->filename);
-
-		if ( location->first_line == 0 )
-			return;
-
-		d->AddSP(",");
-		}
-
-	if ( location->last_line != location->first_line )
-		{
-		d->Add("lines ");
-		d->Add(location->first_line);
-		d->Add("-");
-		d->Add(location->last_line);
-		}
-	else
-		{
-		d->Add("line ");
-		d->Add(location->first_line);
-		}
+	location->Describe(d);
 	}
 
 bool BroObj::SetLocationInfo(const Location* start, const Location* end)
@@ -177,39 +185,24 @@ void BroObj::UpdateLocationEndInfo(const Location& end)
 	location->last_column = end.last_column;
 	}
 
-void BroObj::DoMsg(const char s1[], const char s2[], const BroObj* obj2,
+void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
 			int pinpoint_only) const
 	{
-	ODesc d;
-	d.SetShort();
+	d->SetShort();
 
-	PinPoint(&d, obj2, pinpoint_only);
-	d.SP();
-	d.Add(s1);
-	d.SP();
-	d.Add(s2);
-	fprintf(stderr, "%s\n", d.Description());
+	d->Add(s1);
+	PinPoint(d, obj2, pinpoint_only);
+
+	const Location* loc2 = 0;
+	if ( obj2 && obj2->GetLocationInfo() != &no_location &&
+		 *obj2->GetLocationInfo() != *GetLocationInfo() )
+		loc2 = obj2->GetLocationInfo();
+
+	reporter->PushLocation(GetLocationInfo(), loc2);
 	}
 
 void BroObj::PinPoint(ODesc* d, const BroObj* obj2, int pinpoint_only) const
 	{
-	if ( network_time > 0.0 )
-		{
-		char time[256];
-		safe_snprintf(time, sizeof(time), "%.6f", network_time);
-		d->Add(time);
-		d->SP();
-		}
-
-	AddLocation(d);
-	if ( obj2 && obj2->GetLocationInfo() != &no_location &&
-	     *obj2->GetLocationInfo() != *GetLocationInfo() )
-		{
-		d->Add(" and ");
-		obj2->AddLocation(d);
-		d->Add("\n  ");
-		}
-
 	d->Add(" (");
 	Describe(d);
 	if ( obj2 && ! pinpoint_only )
@@ -218,15 +211,7 @@ void BroObj::PinPoint(ODesc* d, const BroObj* obj2, int pinpoint_only) const
 		obj2->Describe(d);
 		}
 
-	d->Add("):");
-	}
-
-void BroObj::Fatal() const
-	{
-#ifdef DEBUG_BRO
-	internal_error("BroObj::Fatal()");
-#endif
-	exit(1);
+	d->Add(")");
 	}
 
 bool BroObj::DoSerialize(SerialInfo* info) const
@@ -246,6 +231,8 @@ bool BroObj::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(SerialObj);
 
+	delete location;
+
 	UNSERIALIZE_OPTIONAL(location, Location::Unserialize(info));
 	return true;
 	}
@@ -260,7 +247,7 @@ void print(const BroObj* obj)
 
 void bad_ref(int type)
 	{
-	internal_error("bad reference count [%d]", type);
+	reporter->InternalError("bad reference count [%d]", type);
 	abort();
 	}
 
diff --git a/src/Obj.h b/src/Obj.h
index 7bfec745ba..be0d91b398 100644
--- a/src/Obj.h
+++ b/src/Obj.h
@@ -1,5 +1,3 @@
-// $Id: Obj.h 6781 2009-06-28 00:50:04Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef obj_h
@@ -44,6 +42,8 @@ public:
 			delete [] filename;
 		}
 
+	void Describe(ODesc* d) const;
+
 	bool Serialize(SerialInfo* info) const;
 	static Location* Unserialize(UnserialInfo* info);
 
@@ -120,8 +120,6 @@ public:
 			int pinpoint_only = 0) const;
 	void Error(const char* msg, const BroObj* obj2 = 0,
 			int pinpoint_only = 0) const;
-	void RunTime(const char* msg, const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
 
 	// Report internal errors.
 	void BadTag(const char* msg, const char* t1 = 0,
@@ -155,12 +153,12 @@ public:
 
 	int RefCnt() const	{ return ref_cnt; }
 
-	// Helper class to temporarily suppress run-time errors
+	// Helper class to temporarily suppress errors
 	// as long as there exist any instances.
-	class SuppressRunTimeErrors {
+	class SuppressErrors {
 	public:
-		SuppressRunTimeErrors()		{ ++BroObj::suppress_runtime; }
-		~SuppressRunTimeErrors()	{ --BroObj::suppress_runtime; }
+		SuppressErrors()	{ ++BroObj::suppress_errors; }
+		~SuppressErrors()	{ --BroObj::suppress_errors; }
 	};
 
 	bool in_ser_cache;
@@ -173,13 +171,12 @@ protected:
 	Location* location;	// all that matters in real estate
 
 private:
-	friend class SuppressRunTimeErrors;
+	friend class SuppressErrors;
 
-	void DoMsg(const char s1[], const char s2[], const BroObj* obj2 = 0,
+	void DoMsg(ODesc* d, const char s1[], const BroObj* obj2 = 0,
 			int pinpoint_only = 0) const;
 	void PinPoint(ODesc* d, const BroObj* obj2 = 0,
 			int pinpoint_only = 0) const;
-	void Fatal() const;
 
 	friend inline void Ref(BroObj* o);
 	friend inline void Unref(BroObj* o);
@@ -188,7 +185,7 @@ private:
 
 	// If non-zero, do not print runtime errors.  Useful for
 	// speculative evaluation.
-	static int suppress_runtime;
+	static int suppress_errors;
 };
 
 // Prints obj to stderr, primarily for debugging.
diff --git a/src/Op.h b/src/Op.h
index 7c8d4afe38..a628a6bb68 100644
--- a/src/Op.h
+++ b/src/Op.h
@@ -1,5 +1,3 @@
-// $Id: Op.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef op_h
diff --git a/src/PIA.cc b/src/PIA.cc
index a38cf608fc..6a00e7e1d0 100644
--- a/src/PIA.cc
+++ b/src/PIA.cc
@@ -1,5 +1,3 @@
-// $Id: PIA.cc,v 1.1.2.14 2006/05/31 23:19:07 sommer Exp $
-
 #include "PIA.h"
 #include "RuleMatcher.h"
 #include "TCP_Reassembler.h"
@@ -153,7 +151,7 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 
 void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
 	{
-	internal_error("PIA_UDP::Deact not implemented yet");
+	reporter->InternalError("PIA_UDP::Deact not implemented yet");
 	}
 
 //// TCP PIA
@@ -375,7 +373,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 
 void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
 	{
-	internal_error("PIA_TCP::Deact not implemented yet");
+	reporter->InternalError("PIA_TCP::Deact not implemented yet");
 	}
 
 void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer)
diff --git a/src/PIA.h b/src/PIA.h
index 8a1079f617..907350bbdf 100644
--- a/src/PIA.h
+++ b/src/PIA.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // An analyzer for application-layer protocol-detection.
 
 #ifndef PIA_H
diff --git a/src/POP3.cc b/src/POP3.cc
index 4f1f2a5ea7..4ffe67ef48 100644
--- a/src/POP3.cc
+++ b/src/POP3.cc
@@ -1,5 +1,3 @@
-// $Id: POP3.cc 6782 2009-06-28 02:19:03Z vern $
-
 // This code contributed to Bro by Florian Schimandl, Hugh Dollman and
 // Robin Sommer.
 
@@ -15,6 +13,7 @@
 #include "POP3.h"
 #include "Event.h"
 #include "NVT.h"
+#include "Reporter.h"
 
 #undef POP3_CMD_DEF
 #define POP3_CMD_DEF(cmd)	#cmd,
@@ -199,7 +198,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
 			break;
 
 		default:
-			internal_error("unexpected authorization state");
+			reporter->InternalError("unexpected authorization state");
 		}
 
 		delete decoded;
@@ -555,7 +554,7 @@ void POP3_Analyzer::ProcessClientCmd()
 		break;
 
 	default: 
-		internal_error("command not known");
+		reporter->InternalError("command not known");
 	}
 	}
 
@@ -576,9 +575,11 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 	if ( multiLine == true )
 		{
 		bool terminator =
-			length > 1 && line[0] == '.' &&
-			(line[1] == '\n' ||
-			 (length > 2 && line[1] == '\r' && line[2] == '\n'));
+			line[0] == '.' &&
+			(length == 1 ||
+			 (length > 1 &&
+			  (line[1] == '\n' ||
+			  (length > 2 && line[1] == '\r' && line[2] == '\n'))));
 
 		if ( terminator )
 			{
@@ -805,7 +806,7 @@ void POP3_Analyzer::BeginData()
 void POP3_Analyzer::EndData()
 	{
 	if ( ! mail )
-		warn("unmatched end of data");
+		reporter->Warning("unmatched end of data");
 	else
 		{
 		mail->Done();
diff --git a/src/POP3.h b/src/POP3.h
index 6ad0a7e755..8d09d5e686 100644
--- a/src/POP3.h
+++ b/src/POP3.h
@@ -1,5 +1,3 @@
-// $Id: POP3.h 3526 2006-09-12 07:32:21Z vern $
-
 // This code contributed to Bro by Florian Schimandl and Hugh Dollman.
 //
 // An analyser for the POP3 protocol.
diff --git a/src/PacketDumper.cc b/src/PacketDumper.cc
index f11137ff08..84b22ff17c 100644
--- a/src/PacketDumper.cc
+++ b/src/PacketDumper.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
@@ -18,7 +16,7 @@ PacketDumper::PacketDumper(pcap_dumper_t* arg_pkt_dump)
 
 	pkt_dump = arg_pkt_dump;
 	if ( ! pkt_dump )
-		internal_error("PacketDumper: nil dump file");
+		reporter->InternalError("PacketDumper: nil dump file");
 	}
 
 void PacketDumper::DumpPacket(const struct pcap_pkthdr* hdr,
@@ -29,7 +27,7 @@ void PacketDumper::DumpPacket(const struct pcap_pkthdr* hdr,
 		struct pcap_pkthdr h = *hdr;
 		h.caplen = len;
 		if ( h.caplen > hdr->caplen )
-			internal_error("bad modified caplen");
+			reporter->InternalError("bad modified caplen");
 
 		pcap_dump((u_char*) pkt_dump, &h, pkt);
 		}
diff --git a/src/PacketDumper.h b/src/PacketDumper.h
index bc22dda41e..baace47876 100644
--- a/src/PacketDumper.h
+++ b/src/PacketDumper.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef packetdumper_h
@@ -41,8 +39,4 @@ struct ltipid {
 typedef set<IP_ID, ltipid> IP_IDSet;
 uint16 NextIP_ID(const uint32 src_addr, const uint16 id);
 
-extern PacketDumper* transformed_pkt_dump;
-extern PacketDumper* source_pkt_dump;
-extern int transformed_pkt_dump_MTU;
-
 #endif
diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc
index 7ff97fac46..9b6b881ce5 100644
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@@ -1,5 +1,3 @@
-// $Id: PacketFilter.cc 967 2005-01-03 07:19:06Z vern $
-
 #include "PacketFilter.h"
 
 void PacketFilter::AddSrc(addr_type src, uint32 tcp_flags, double probability)
@@ -102,5 +100,5 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
 			return false;
 		}
 
-	return uint32(random()) < f.probability;
+	return uint32(bro_random()) < f.probability;
 	}
diff --git a/src/PacketFilter.h b/src/PacketFilter.h
index 6a70504280..ed8000f40f 100644
--- a/src/PacketFilter.h
+++ b/src/PacketFilter.h
@@ -1,5 +1,3 @@
-// $Id: PacketFilter.h 80 2004-07-14 20:15:50Z jason $
-//
 // Provides some very limited but fast packet filter mechanisms
 
 #ifndef PACKETFILTER_H
diff --git a/src/PacketSort.cc b/src/PacketSort.cc
index e2c18c4a4f..0ff08b3280 100644
--- a/src/PacketSort.cc
+++ b/src/PacketSort.cc
@@ -1,5 +1,3 @@
-// $Id: PacketSort.cc 3228 2006-06-08 02:12:03Z vern $
-
 #include "IP.h"
 #include "PacketSort.h"
 
@@ -347,8 +345,8 @@ PacketSortElement* PacketSortGlobalPQ::RemoveMin(double timestamp)
 PacketSortConnPQ* PacketSortGlobalPQ::FindConnPQ(PacketSortElement* e)
 	{
 	if ( ! e->is_tcp )
-		internal_error("cannot find a connection for an invalid id");
-	
+		reporter->InternalError("cannot find a connection for an invalid id");
+
 	PacketSortConnPQ* pq = (PacketSortConnPQ*) conn_pq_table.Lookup(e->key);
 	if ( ! pq )
 		{
diff --git a/src/PacketSort.h b/src/PacketSort.h
index 6c6a4f4994..199da0732f 100644
--- a/src/PacketSort.h
+++ b/src/PacketSort.h
@@ -1,5 +1,3 @@
-// $Id: PacketSort.h 3228 2006-06-08 02:12:03Z vern $
-
 #ifndef packetsort_h
 #define packetsort_h
 
diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc
index f31fdb4d88..c757467f90 100644
--- a/src/PersistenceSerializer.cc
+++ b/src/PersistenceSerializer.cc
@@ -1,5 +1,3 @@
-// $Id: PersistenceSerializer.cc 6752 2009-06-14 04:24:52Z vern $
-
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -13,7 +11,7 @@
 #include "RemoteSerializer.h"
 #include "Conn.h"
 #include "Event.h"
-#include "Logger.h"
+#include "Reporter.h"
 #include "Net.h"
 
 class IncrementalWriteTimer : public Timer {
@@ -189,7 +187,7 @@ void PersistenceSerializer::RaiseFinishedSendState()
 	vl->append(new PortVal(remote_port));
 
 	mgr.QueueEvent(finished_send_state, vl);
-	bro_logger->Log("Serialization done.");
+	reporter->Log("Serialization done.");
 	}
 #endif
 
@@ -202,7 +200,13 @@ void PersistenceSerializer::GotEvent(const char* name, double time,
 void PersistenceSerializer::GotFunctionCall(const char* name, double time,
 					Func* func, val_list* args)
 	{
-	func->Call(args);
+	try
+		{
+		func->Call(args);
+		}
+
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }
 	}
 
 void PersistenceSerializer::GotStateAccess(StateAccess* s)
@@ -213,7 +217,7 @@ void PersistenceSerializer::GotStateAccess(StateAccess* s)
 
 void PersistenceSerializer::GotTimer(Timer* s)
 	{
-	run_time("PersistenceSerializer::GotTimer not implemented");
+	reporter->Error("PersistenceSerializer::GotTimer not implemented");
 	}
 
 void PersistenceSerializer::GotConnection(Connection* c)
@@ -228,7 +232,7 @@ void PersistenceSerializer::GotID(ID* id, Val* /* val */)
 
 void PersistenceSerializer::GotPacket(Packet* p)
 	{
-	run_time("PersistenceSerializer::GotPacket not implemented");
+	reporter->Error("PersistenceSerializer::GotPacket not implemented");
 	}
 
 bool PersistenceSerializer::LogAccess(const StateAccess& s)
@@ -286,7 +290,7 @@ bool PersistenceSerializer::SendState(SourceID peer, bool may_suspend)
 	status->conns = &persistent_conns;
 	status->peer = peer;
 
-	bro_logger->Log("Sending state...");
+	reporter->Info("Sending state...");
 
 	return RunSerialization(status);
 	}
@@ -301,7 +305,7 @@ bool PersistenceSerializer::SendConfig(SourceID peer, bool may_suspend)
 	status->ids = global_scope()->GetIDs();
 	status->peer = peer;
 
-	bro_logger->Log("Sending config...");
+	reporter->Info("Sending config...");
 
 	return RunSerialization(status);
 	}
@@ -319,8 +323,7 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			{
 			if ( running[i]->type == status->type )
 				{
-				// ### We don't report this anymore as it would go to stderr.
-				// Warning(fmt("Serialization of type %d already running.", status->type));
+				reporter->Warning("Serialization of type %d already running.", status->type);
 				return false;
 				}
 			}
@@ -348,9 +351,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			status->conn_cookie = status->conns->InitForIteration();
 			status->conns->MakeRobustCookie(status->conn_cookie);
 			}
-
-		if ( status->info.may_suspend )
-			bro_logger->Log("Starting incremental serialization...");
 		}
 
 	else if ( cont->ChildSuspended() )
@@ -385,14 +385,14 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			}
 
 		else
-			internal_error("unknown suspend state");
+			reporter->InternalError("unknown suspend state");
 		}
 
 	else if ( cont->Resuming() )
 		cont->Resume();
 
 	else
-		internal_error("unknown continuation state");
+		reporter->InternalError("unknown continuation state");
 
 	if ( status->id_cookie )
 		{
@@ -480,9 +480,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			}
 		}
 
-	if ( status->info.may_suspend )
-		bro_logger->Log("Finished incremental serialization.");
-
 	delete status;
 	return ret;
 	}
@@ -511,7 +508,7 @@ bool PersistenceSerializer::DoIDSerialization(SerialStatus* status, ID* id)
 		break;
 
 	default:
-		internal_error("unknown serialization type");
+		reporter->InternalError("unknown serialization type");
 	}
 
 	return success;
@@ -542,7 +539,7 @@ bool PersistenceSerializer::DoConnSerialization(SerialStatus* status,
 		break;
 
 	default:
-		internal_error("unknown serialization type");
+		reporter->InternalError("unknown serialization type");
 	}
 
 	return success;
@@ -567,7 +564,7 @@ bool PersistenceSerializer::DoAccessSerialization(SerialStatus* status,
 		break;
 
 	default:
-		internal_error("unknown serialization type");
+		reporter->InternalError("unknown serialization type");
 	}
 
 	return success;
diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h
index 572ab0238e..dcd712bf84 100644
--- a/src/PersistenceSerializer.h
+++ b/src/PersistenceSerializer.h
@@ -1,5 +1,3 @@
-// $Id: PersistenceSerializer.h 2698 2006-04-03 05:50:52Z vern $
-//
 // Implements persistance for Bro's data structures.
 
 #ifndef persistence_serializer_h
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index dea20c1396..68b9785e6f 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -1,5 +1,3 @@
-// $Id: PktSrc.cc 6951 2009-12-04 22:23:28Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include <errno.h>
@@ -19,13 +17,11 @@
 #include <pcap-int.h>
 #endif
 
-int snaplen = 8192;	// really want "capture entire packet"
-
-
 PktSrc::PktSrc()
 	{
 	interface = readfile = 0;
 	data = last_data = 0;
+	memset(&hdr, 0, sizeof(hdr));
 	hdr_size = 0;
 	datalink = 0;
 	netmask = 0xffffff00;
@@ -80,7 +76,9 @@ int PktSrc::ExtractNextPacket()
 		}
 
 	data = last_data = pcap_next(pd, &hdr);
-	next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
+
+	if ( data )
+		next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
 
 	if ( pseudo_realtime )
 		current_wallclock = current_time(true);
@@ -181,16 +179,98 @@ void PktSrc::Process()
 
 	current_timestamp = next_timestamp;
 
+	int pkt_hdr_size = hdr_size;
+
+	// Unfortunately some packets on the link might have MPLS labels
+	// while others don't. That means we need to ask the link-layer if
+	// labels are in place.
+	bool have_mpls = false;
+
+	int protocol = 0;
+
+	switch ( datalink ) {
+	case DLT_NULL:
+		{
+		protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
+
+		if ( protocol != AF_INET && protocol != AF_INET6 )
+			{
+			sessions->Weird("non_ip_packet_in_null_transport", &hdr, data);
+			data = 0;
+			return;
+			}
+
+		break;
+		}
+
+	case DLT_EN10MB:
+		{
+		// Get protocol being carried from the ethernet frame.
+		protocol = (data[12] << 8) + data[13];
+
+		// MPLS carried over the ethernet frame.
+		if ( protocol == 0x8847 )
+			have_mpls = true;
+
+		// VLAN carried over ethernet frame.
+		else if ( protocol == 0x8100 )
+			{
+			data += get_link_header_size(datalink);
+			data += 4; // Skip the vlan header
+			pkt_hdr_size = 0;
+			}
+
+		break;
+		}
+
+	case DLT_PPP_SERIAL:
+		{
+		// Get PPP protocol.
+		protocol = (data[2] << 8) + data[3];
+
+		if ( protocol == 0x0281 )
+			// MPLS Unicast
+			have_mpls = true;
+
+		else if ( protocol != 0x0021 && protocol != 0x0057 )
+			{
+			// Neither IPv4 nor IPv6.
+			sessions->Weird("non_ip_packet_in_ppp_encapsulation", &hdr, data);
+			data = 0;
+			return;
+			}
+		break;
+		}
+	}
+
+	if ( have_mpls )
+		{
+		// Remove the data link layer
+		data += get_link_header_size(datalink);
+
+		// Denote a header size of zero before the IP header
+		pkt_hdr_size = 0;
+
+		// Skip the MPLS label stack.
+		bool end_of_stack = false;
+
+		while ( ! end_of_stack )
+			{
+			end_of_stack = *(data + 2) & 0x01;
+			data += 4;
+			}
+		}
+
 	if ( pseudo_realtime )
 		{
 		current_pseudo = CheckPseudoTime();
-		net_packet_arrival(current_pseudo, &hdr, data, hdr_size, this);
+		net_packet_arrival(current_pseudo, &hdr, data, pkt_hdr_size, this);
 		if ( ! first_wallclock )
 			first_wallclock = current_time(true);
 		}
 
 	else
-		net_packet_arrival(current_timestamp, &hdr, data, hdr_size, this);
+		net_packet_arrival(current_timestamp, &hdr, data, pkt_hdr_size, this);
 
 	data = 0;
 	}
@@ -311,21 +391,27 @@ void PktSrc::AddSecondaryTablePrograms()
 
 void PktSrc::Statistics(Stats* s)
 	{
-	struct pcap_stat pstat;
-
 	if ( reading_traces )
 		s->received = s->dropped = s->link = 0;
 
-	else if ( pcap_stats(pd, &pstat) < 0 )
+	else
 		{
-		run_time("problem getting packet filter statistics: %s",
-				ErrorMsg());
-		s->received = s->dropped = s->link = 0;
+		struct pcap_stat pstat;
+		if ( pcap_stats(pd, &pstat) < 0 )
+			{
+			reporter->Error("problem getting packet filter statistics: %s",
+					ErrorMsg());
+			s->received = s->dropped = s->link = 0;
+			}
+
+		else
+			{
+			s->dropped = pstat.ps_drop;
+			s->link = pstat.ps_recv;
+			}
 		}
 
 	s->received = stats.received;
-	s->dropped = pstat.ps_drop;
-	s->link = pstat.ps_recv;
 
 	if ( pseudo_realtime )
 		s->dropped = 0;
@@ -381,7 +467,7 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
 
 	// ### This needs autoconf'ing.
 #ifdef HAVE_PCAP_INT_H
-	fprintf(stderr, "pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize);
+	reporter->Info("pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize);
 #endif
 
 #ifdef HAVE_LINUX
@@ -399,7 +485,12 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
 	if ( PrecompileFilter(0, filter) && SetFilter(0) )
 		{
 		SetHdrSize();
-		fprintf(stderr, "listening on %s\n", interface);
+
+		if ( closed )
+			// Couldn't get header size.
+			return;
+
+		reporter->Info("listening on %s, capture length %d bytes\n", interface, snaplen);
 		}
 	else
 		closed = true;
@@ -425,13 +516,12 @@ PktFileSrc::PktFileSrc(const char* arg_readfile, const char* filter,
 			return;
 
 		// We don't put file sources into non-blocking mode as
-		// otherwise we would not be able to identify the EOF
-		// via next_packet().
+		// otherwise we would not be able to identify the EOF.
 
 		selectable_fd = fileno(pcap_file(pd));
 
 		if ( selectable_fd < 0 )
-			internal_error("OS does not support selectable pcap fd");
+			reporter->InternalError("OS does not support selectable pcap fd");
 		}
 	else
 		closed = true;
@@ -647,6 +737,9 @@ int get_link_header_size(int dl)
 		return 16;
 #endif
 
+	case DLT_PPP_SERIAL:	// PPP_SERIAL
+		return 4;
+
 	case DLT_RAW:
 		return 0;
 	}
diff --git a/src/PktSrc.h b/src/PktSrc.h
index 04524ec405..70eef4dd00 100644
--- a/src/PktSrc.h
+++ b/src/PktSrc.h
@@ -1,5 +1,3 @@
-// $Id: PktSrc.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef pktsrc_h
diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
index dd1feaf498..9f67ee88a1 100644
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@@ -1,5 +1,3 @@
-// $Id: PolicyFile.cc 1473 2005-10-06 21:32:45Z vern $
-
 #include "config.h"
 
 #include <sys/types.h>
@@ -16,6 +14,7 @@ using namespace std;
 #include "Debug.h"
 #include "util.h"
 #include "PolicyFile.h"
+#include "Reporter.h"
 
 struct PolicyFile {
 	PolicyFile ()	{ filedata = 0; lmtime = 0; }
@@ -32,7 +31,7 @@ static PolicyFileMap policy_files;
 int how_many_lines_in(const char* policy_filename)
 	{
 	if ( ! policy_filename )
-		internal_error("NULL value passed to how_many_lines_in\n");
+		reporter->InternalError("NULL value passed to how_many_lines_in\n");
 
 	FILE* throwaway = fopen(policy_filename, "r");
 	if ( ! throwaway )
@@ -89,7 +88,8 @@ bool LoadPolicyFileText(const char* policy_filename)
 	// ### This code is not necessarily Unicode safe!
 	// (probably fine with UTF-8)
 	pf->filedata = new char[size+1];
-	fread(pf->filedata, size, 1, f);
+	if ( fread(pf->filedata, size, 1, f) != 1 )
+        reporter->InternalError("Failed to fread() file data");
 	pf->filedata[size] = 0;
 	fclose(f);
 
diff --git a/src/PolicyFile.h b/src/PolicyFile.h
index ac040d5584..62c475a98b 100644
--- a/src/PolicyFile.h
+++ b/src/PolicyFile.h
@@ -1,5 +1,3 @@
-// $Id: PolicyFile.h 80 2004-07-14 20:15:50Z jason $
-
 // Functions for displaying the contents of policy files.
 // Mostly useful for debugging code that wants to show context.
 //
diff --git a/src/Portmap.cc b/src/Portmap.cc
index af9383297f..dd1049a361 100644
--- a/src/Portmap.cc
+++ b/src/Portmap.cc
@@ -1,5 +1,3 @@
-// $Id: Portmap.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -71,11 +69,14 @@ int PortmapperInterp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 	return 1;
 	}
 
-int PortmapperInterp::RPC_BuildReply(const RPC_CallInfo* c, int success,
-					const u_char*& buf, int& n,
-					EventHandlerPtr& event, Val*& reply)
+int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status,
+				     const u_char*& buf, int& n,
+				     double start_time, double last_time,
+				     int reply_len)
 	{
-	reply = 0;
+	EventHandlerPtr event;
+	Val *reply = 0;
+	int success = (status == BifEnum::RPC_SUCCESS);
 
 	switch ( c->Proc() ) {
 	case PMAPPROC_NULL:
@@ -184,6 +185,7 @@ int PortmapperInterp::RPC_BuildReply(const RPC_CallInfo* c, int success,
 		return 0;
 	}
 
+	Event(event, c->TakeRequestVal(), status, reply);
 	return 1;
 	}
 
@@ -267,7 +269,7 @@ uint32 PortmapperInterp::CheckPort(uint32 port)
 	return port;
 	}
 
-void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* reply)
+void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_status status, Val* reply)
 	{
 	if ( ! f )
 		{
@@ -279,7 +281,8 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* r
 	val_list* vl = new val_list;
 
 	vl->append(analyzer->BuildConnVal());
-	if ( status == RPC_SUCCESS )
+
+	if ( status == BifEnum::RPC_SUCCESS )
 		{
 		if ( request )
 			vl->append(request);
@@ -288,7 +291,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* r
 		}
 	else
 		{
-		vl->append(new EnumVal(status, enum_rpc_status));
+		vl->append(new EnumVal(status, BifType::Enum::rpc_status));
 		if ( request )
 			vl->append(request);
 		}
diff --git a/src/Portmap.h b/src/Portmap.h
index 6595fc86d3..62e954bc80 100644
--- a/src/Portmap.h
+++ b/src/Portmap.h
@@ -1,5 +1,3 @@
-// $Id: Portmap.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef portmap_h
@@ -13,12 +11,12 @@ public:
 
 protected:
 	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
-	int RPC_BuildReply(const RPC_CallInfo* c, int success,
-				const u_char*& buf, int& n,
-				EventHandlerPtr& event, Val*& reply);
+	int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status success,
+			   const u_char*& buf, int& n, double start_time,
+			   double last_time, int reply_len);
 	uint32 CheckPort(uint32 port);
 
-	void Event(EventHandlerPtr f, Val* request, int status, Val* reply);
+	void Event(EventHandlerPtr f, Val* request, BifEnum::rpc_status status, Val* reply);
 
 	Val* ExtractMapping(const u_char*& buf, int& len);
 	Val* ExtractPortRequest(const u_char*& buf, int& len);
diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
index e654b8440e..e04c3f9294 100644
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@@ -1,6 +1,5 @@
-// $Id: PrefixTable.cc 1016 2005-01-31 21:23:50Z vern $
-
 #include "PrefixTable.h"
+#include "Reporter.h"
 
 // IPv4 version.
 inline static prefix_t* make_prefix(const uint32 addr, int width)
@@ -36,7 +35,7 @@ void* PrefixTable::Insert(const_addr_type addr, int width, void* data)
 	Deref_Prefix(prefix);
 
 	if ( ! node )
-		internal_error("Cannot create node in patricia tree");
+		reporter->InternalError("Cannot create node in patricia tree");
 
 	void* old = node->data;
 
@@ -65,7 +64,7 @@ void* PrefixTable::Insert(const Val* value, void* data)
 		break;
 
 	default:
-		internal_error("Wrong index type for PrefixTable");
+		reporter->InternalError("Wrong index type for PrefixTable");
 		return 0;
 	}
 	}
@@ -99,8 +98,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
 		break;
 
 	default:
-		internal_error(fmt("Wrong index type %d for PrefixTable",
-					value->Type()->Tag()));
+		reporter->InternalError("Wrong index type %d for PrefixTable",
+		               value->Type()->Tag());
 		return 0;
 	}
 	}
@@ -137,7 +136,7 @@ void* PrefixTable::Remove(const Val* value)
 		break;
 
 	default:
-		internal_error("Wrong index type for PrefixTable");
+		reporter->InternalError("Wrong index type for PrefixTable");
 		return 0;
 	}
 	}
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
index b718b3c561..78596c7f35 100644
--- a/src/PrefixTable.h
+++ b/src/PrefixTable.h
@@ -1,5 +1,3 @@
-// $Id: PrefixTable.h 969 2005-01-04 06:36:21Z vern $
-
 #ifndef PREFIXTABLE_H
 #define PREFIXTABLE_H
 
diff --git a/src/PriorityQueue.cc b/src/PriorityQueue.cc
index 2ed4d17d93..8db161b10a 100644
--- a/src/PriorityQueue.cc
+++ b/src/PriorityQueue.cc
@@ -1,5 +1,3 @@
-// $Id: PriorityQueue.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -8,6 +6,7 @@
 #include <stdlib.h>
 
 #include "PriorityQueue.h"
+#include "Reporter.h"
 #include "util.h"
 
 PriorityQueue::PriorityQueue(int initial_size)
@@ -52,7 +51,7 @@ PQ_Element* PriorityQueue::Remove(PQ_Element* e)
 	PQ_Element* e2 = Remove();
 
 	if ( e != e2 )
-		internal_error("inconsistency in PriorityQueue::Remove");
+		reporter->InternalError("inconsistency in PriorityQueue::Remove");
 
 	return e2;
 	}
diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h
index 45028553ce..87e10aa7ac 100644
--- a/src/PriorityQueue.h
+++ b/src/PriorityQueue.h
@@ -1,5 +1,3 @@
-// $Id: PriorityQueue.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef __PriorityQueue__
diff --git a/src/Queue.cc b/src/Queue.cc
index a0de35777b..28bcb92405 100644
--- a/src/Queue.cc
+++ b/src/Queue.cc
@@ -1,5 +1,3 @@
-// $Id: Queue.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/Queue.h b/src/Queue.h
index 293d74ba7a..c9a69ad926 100644
--- a/src/Queue.h
+++ b/src/Queue.h
@@ -1,5 +1,3 @@
-// $Id: Queue.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef queue_h
diff --git a/src/RE.cc b/src/RE.cc
index 19cc5737aa..b6f1a1361f 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -1,5 +1,3 @@
-// $Id: RE.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -114,7 +112,7 @@ int Specific_RE_Matcher::Compile(int lazy)
 	RE_set_input(pattern_text);
 	if ( RE_parse() )
 		{
-		run_time("error compiling pattern /%s/", pattern_text);
+		reporter->Error("error compiling pattern /%s/", pattern_text);
 		return 0;
 		}
 
@@ -134,7 +132,7 @@ int Specific_RE_Matcher::Compile(int lazy)
 int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx)
 	{
 	if ( set.length() != idx.length() )
-		internal_error("compileset: lengths of sets differ");
+		reporter->InternalError("compileset: lengths of sets differ");
 
 	rem = this;
 
@@ -145,7 +143,7 @@ int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx)
 		RE_set_input(set[i]);
 		if ( RE_parse() )
 			{
-			run_time("error compiling pattern /%s/", set[i]);
+			reporter->Error("error compiling pattern /%s/", set[i]);
 			return 0;
 			}
 
@@ -211,8 +209,8 @@ int Specific_RE_Matcher::MatchAll(const u_char* bv, int n)
 		// matched is empty.
 		return n == 0;
 
-	DFA_State_Handle* d = dfa->StartState();
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	DFA_State* d = dfa->StartState();
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 
 	while ( d )
 		{
@@ -220,13 +218,13 @@ int Specific_RE_Matcher::MatchAll(const u_char* bv, int n)
 			break;
 
 		int ec = ecs[*(bv++)];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 		}
 
 	if ( d )
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
+		d = d->Xtion(ecs[SYM_EOL], dfa);
 
-	return d && (*d)->Accept() != 0;
+	return d && d->Accept() != 0;
 	}
 
 
@@ -236,26 +234,26 @@ int Specific_RE_Matcher::Match(const u_char* bv, int n)
 		// An empty pattern matches anything.
 		return 1;
 
-	DFA_State_Handle* d = dfa->StartState();
+	DFA_State* d = dfa->StartState();
 
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 	if ( ! d ) return 0;
 
 	for ( int i = 0; i < n; ++i )
 		{
 		int ec = ecs[bv[i]];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 		if ( ! d )
 			break;
 
-		if ( (*d)->Accept() )
+		if ( d->Accept() )
 			return i + 1;
 		}
 
 	if ( d )
 		{
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
-		if ( d && (*d)->Accept() )
+		d = d->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && d->Accept() )
 			return n > 0 ? n : 1;	// we can't return 0 here for match...
 		}
 
@@ -268,12 +266,6 @@ void Specific_RE_Matcher::Dump(FILE* f)
 	dfa->Dump(f);
 	}
 
-RE_Match_State::~RE_Match_State()
-	{
-	if ( current_state )
-		StateUnref(current_state);
-	}
-
 bool RE_Match_State::Match(const u_char* bv, int n,
 				bool bol, bool eol, bool clear)
 	{
@@ -289,9 +281,8 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		// Initialize state and copy the accepting states of the start
 		// state into the acceptance set.
 		current_state = dfa->StartState();
-		StateRef(current_state);
 
-		const AcceptingSet* ac = (*current_state)->Accept();
+		const AcceptingSet* ac = current_state->Accept();
 		if ( ac )
 			{
 			loop_over_list(*ac, i)
@@ -303,20 +294,11 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		}
 
 	else if ( clear )
-		{
-		if ( current_state )
-			StateUnref(current_state);
-
 		current_state = dfa->StartState();
-		StateRef(current_state);
-		}
 
 	if ( ! current_state )
 		return false;
 
-	else
-		(*current_state)->Unlock();
-
 	current_pos = 0;
 
 	int old_matches = accepted.length();
@@ -334,7 +316,7 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		else
 			ec = ecs[*(bv++)];
 
-		DFA_State_Handle* next_state = (*current_state)->Xtion(ec,dfa);
+		DFA_State* next_state = current_state->Xtion(ec,dfa);
 
 		if ( ! next_state )
 			{
@@ -342,9 +324,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 			break;
 			}
 
-		if ( (*next_state)->Accept() )
+		if ( next_state->Accept() )
 			{
-			const AcceptingSet* ac = (*next_state)->Accept();
+			const AcceptingSet* ac = next_state->Accept();
 			loop_over_list(*ac, i)
 				{
 				if ( ! accepted.is_member((*ac)[i]) )
@@ -357,15 +339,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 
 		++current_pos;
 
-		StateRef(next_state);
-		StateUnref(current_state);
 		current_state = next_state;
 		}
 
-	// Make sure our state doesn't expire until we return.
-	if ( current_state )
-		(*current_state)->Lock();
-
 	return accepted.length() != old_matches;
 	}
 
@@ -377,31 +353,31 @@ int Specific_RE_Matcher::LongestMatch(const u_char* bv, int n)
 
 	// Use -1 to indicate no match.
 	int last_accept = -1;
-	DFA_State_Handle* d = dfa->StartState();
+	DFA_State* d = dfa->StartState();
 
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 	if ( ! d )
 		return -1;
 
-	if ( (*d)->Accept() )
+	if ( d->Accept() )
 		last_accept = 0;
 
 	for ( int i = 0; i < n; ++i )
 		{
 		int ec = ecs[bv[i]];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 
 		if ( ! d )
 			break;
 
-		if ( (*d)->Accept() )
+		if ( d->Accept() )
 			last_accept = i + 1;
 		}
 
 	if ( d )
 		{
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
-		if ( d && (*d)->Accept() )
+		d = d->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && d->Accept() )
 			return n;
 		}
 
diff --git a/src/RE.h b/src/RE.h
index 08da19c495..a2fc709c88 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -1,5 +1,3 @@
-// $Id: RE.h 6781 2009-06-28 00:50:04Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef re_h
@@ -19,6 +17,7 @@ class NFA_Machine;
 class DFA_Machine;
 class Specific_RE_Matcher;
 class RE_Matcher;
+class DFA_State;
 
 declare(PDict,char);
 declare(PDict,CCL);
@@ -126,13 +125,6 @@ protected:
 	AcceptingSet* accepted;
 };
 
-#ifdef EXPIRE_DFA_STATES
-	class DFA_State_Handle;
-#else
-	class DFA_State;
-	typedef DFA_State DFA_State_Handle;
-#endif
-
 class RE_Match_State {
 public:
 	RE_Match_State(Specific_RE_Matcher* matcher)
@@ -143,8 +135,6 @@ public:
 		current_state = 0;
 		}
 
-	~RE_Match_State();
-
 	const AcceptingSet* Accepted() const	{ return &accepted; }
 	const int_list* MatchPositions() const	{ return &match_pos; }
 
@@ -169,7 +159,7 @@ protected:
 
 	AcceptingSet accepted;
 	int_list match_pos;
-	DFA_State_Handle* current_state;
+	DFA_State* current_state;
 	int current_pos;
 };
 
diff --git a/src/RPC.cc b/src/RPC.cc
index 278f8bfee5..81fd6709b1 100644
--- a/src/RPC.cc
+++ b/src/RPC.cc
@@ -1,11 +1,11 @@
-// $Id: RPC.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
-
 #include <stdlib.h>
 
+#include <algorithm>
+
+#include "config.h"
+
 #include "NetVar.h"
 #include "XDR.h"
 #include "RPC.h"
@@ -15,19 +15,19 @@ namespace { // local namespace
 	const bool DEBUG_rpc_resync = false;
 }
 
+// TODO: Should we add start_time and last_time to the rpc_* events??
+
+// TODO: make this configurable
 #define MAX_RPC_LEN 65536
 
-// The following correspond to the different RPC status values defined
-// in bro.init.
-// #define BRO_RPC_TIMEOUT 6
-// #define BRO_RPC_AUTH_ERROR 7
-// #define BRO_RPC_UNKNOWN_ERROR 8
 
-RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n)
+RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double arg_start_time, double arg_last_time, int arg_rpc_len)
 	{
 	xid = arg_xid;
 
-	start_time = network_time;
+	start_time = arg_start_time;
+	last_time = arg_last_time;
+	rpc_len = arg_rpc_len;
 	call_n = n;
 	call_buf = new u_char[call_n];
 	memcpy((void*) call_buf, (const void*) buf, call_n);
@@ -76,10 +76,12 @@ RPC_Interpreter::~RPC_Interpreter()
 	{
 	}
 
-int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
+int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int rpclen,
+				int is_orig, double start_time, double last_time)
 	{
 	uint32 xid = extract_XDR_uint32(buf, n);
 	uint32 msg_type = extract_XDR_uint32(buf, n);
+	int rpc_len = n;
 
 	if ( ! buf )
 		return 0;
@@ -97,6 +99,14 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			if ( ! call->CompareRexmit(buf, n) )
 				Weird("RPC_rexmit_inconsistency");
 
+			// TODO: Should we update start_time and last_time or
+			// not??
+			call->SetStartTime(start_time);
+			call->SetLastTime(last_time);
+
+			// TODO: Not sure whether the handling if rexmit
+			// inconsistencies are correct. Maybe we should use
+			// the info in the new call for further processing.
 			if ( call->HeaderLen() > n )
 				{
 				Weird("RPC_underflow");
@@ -109,9 +119,10 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 		else
 			{
-			call = new RPC_CallInfo(xid, buf, n);
+			call = new RPC_CallInfo(xid, buf, n, start_time, last_time, rpc_len);
 			if ( ! buf )
 				{
+				Weird("bad_RPC");
 				delete call;
 				return 0;
 				}
@@ -119,6 +130,11 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			calls.Insert(&h, call);
 			}
 
+		// We now have a valid RPC_CallInfo (either the previous one
+		// in case of a rexmit or the current one).
+		// TODO: What to do in case of a rexmit_inconistency??
+		Event_RPC_Call(call);
+
 		if ( RPC_BuildCall(call, buf, n) )
 			call->SetValidCall();
 		else
@@ -137,17 +153,17 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		if ( ! buf )
 			return 0;
 
-		uint32 status = BroEnum::RPC_UNKNOWN_ERROR;
+		BifEnum::rpc_status status = BifEnum::RPC_UNKNOWN_ERROR;
 
 		if ( reply_stat == RPC_MSG_ACCEPTED )
 			{
 			(void) skip_XDR_opaque_auth(buf, n);
 			uint32 accept_stat = extract_XDR_uint32(buf, n);
 
-			// The first members of BroEnum::RPC_* correspond
+			// The first members of BifEnum::RPC_* correspond
 			// to accept_stat.
 			if ( accept_stat <= RPC_SYSTEM_ERR )
-				status = accept_stat;
+				status = (BifEnum::rpc_status)accept_stat;
 
 			if ( ! buf )
 				return 0;
@@ -171,7 +187,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			if ( reject_stat == RPC_MISMATCH )
 				{
 				// Note that RPC_MISMATCH == 0 == RPC_SUCCESS.
-				status = BroEnum::RPC_VERS_MISMATCH;
+				status = BifEnum::RPC_VERS_MISMATCH;
 
 				(void) extract_XDR_uint32(buf, n);
 				(void) extract_XDR_uint32(buf, n);
@@ -182,7 +198,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else if ( reject_stat == RPC_AUTH_ERROR )
 				{
-				status = BroEnum::RPC_AUTH_ERROR;
+				status = BifEnum::RPC_AUTH_ERROR;
 
 				(void) extract_XDR_uint32(buf, n);
 				if ( ! buf )
@@ -191,7 +207,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else
 				{
-				status = BroEnum::RPC_UNKNOWN_ERROR;
+				status = BifEnum::RPC_UNKNOWN_ERROR;
 				Weird("bad_RPC");
 				}
 			}
@@ -199,13 +215,14 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		else
 			Weird("bad_RPC");
 
+		// We now have extracted the status we want to use.
+		Event_RPC_Reply(xid, status, n);
+
 		if ( call )
 			{
-			int success = status == RPC_SUCCESS;
-
 			if ( ! call->IsValidCall() )
 				{
-				if ( success )
+				if ( status == BifEnum::RPC_SUCCESS )
 					Weird("successful_RPC_reply_to_invalid_request");
 				// We can't process this further, even if
 				// it was successful, because the call
@@ -214,19 +231,11 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else
 				{
-				EventHandlerPtr event;
-				Val* reply;
-				if ( ! RPC_BuildReply(call, success, buf,
-							n, event, reply) )
+				if ( ! RPC_BuildReply(call, (BifEnum::rpc_status)status, buf, n, start_time, last_time, rpc_len) )
 					Weird("bad_RPC");
-				else
-					{
-					Event(event, call->TakeRequestVal(),
-						status, reply);
-					}
 				}
 
-			RPC_Event(call, status, n);
+			Event_RPC_Dialogue(call, status, n);
 
 			delete calls.RemoveEntry(&h);
 			}
@@ -252,7 +261,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		}
 
 	else if ( n < 0 )
-		internal_error("RPC underflow");
+		reporter->InternalError("RPC underflow");
 
 	return 1;
 	}
@@ -264,240 +273,404 @@ void RPC_Interpreter::Timeout()
 
 	while ( (c = calls.NextEntry(cookie)) )
 		{
-		RPC_Event(c, BroEnum::RPC_TIMEOUT, 0);
+		Event_RPC_Dialogue(c, BifEnum::RPC_TIMEOUT, 0);
+
 		if ( c->IsValidCall() )
 			{
 			const u_char* buf;
 			int n = 0;
-			EventHandlerPtr event;
-			Val* reply;
-			if ( ! RPC_BuildReply(c, 0, buf, n, event, reply) )
+
+			if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, network_time, network_time, 0) )
 				Weird("bad_RPC");
-			else
-				{
-				Event(event, c->TakeRequestVal(),
-					BroEnum::RPC_TIMEOUT, reply);
-				}
 			}
 		}
 	}
 
-void RPC_Interpreter::RPC_Event(RPC_CallInfo* c, int status, int reply_len)
+void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
 	{
-	if ( rpc_call )
+	if ( rpc_dialogue )
 		{
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(new Val(c->Program(), TYPE_COUNT));
 		vl->append(new Val(c->Version(), TYPE_COUNT));
 		vl->append(new Val(c->Proc(), TYPE_COUNT));
-		vl->append(new Val(status, TYPE_COUNT));
+		vl->append(new EnumVal(status, BifType::Enum::rpc_status));
 		vl->append(new Val(c->StartTime(), TYPE_TIME));
 		vl->append(new Val(c->CallLen(), TYPE_COUNT));
 		vl->append(new Val(reply_len, TYPE_COUNT));
+		analyzer->ConnectionEvent(rpc_dialogue, vl);
+		}
+	}
+
+void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
+	{
+	if ( rpc_call )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(c->XID(), TYPE_COUNT));
+		vl->append(new Val(c->Program(), TYPE_COUNT));
+		vl->append(new Val(c->Version(), TYPE_COUNT));
+		vl->append(new Val(c->Proc(), TYPE_COUNT));
+		vl->append(new Val(c->CallLen(), TYPE_COUNT));
 		analyzer->ConnectionEvent(rpc_call, vl);
 		}
 	}
 
+void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
+	{
+	if ( rpc_reply )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(xid, TYPE_COUNT));
+		vl->append(new EnumVal(status, BifType::Enum::rpc_status));
+		vl->append(new Val(reply_len, TYPE_COUNT));
+		analyzer->ConnectionEvent(rpc_reply, vl);
+		}
+	}
+
 void RPC_Interpreter::Weird(const char* msg)
 	{
 	analyzer->Weird(msg);
 	}
 
 
+void RPC_Reasm_Buffer::Init(int64_t arg_maxsize, int64_t arg_expected) {
+	if ( buf )
+		delete [] buf;
+	expected = arg_expected;
+	maxsize = arg_maxsize;
+	fill = processed = 0;
+	buf = new u_char[maxsize];
+};
+
+bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
+	{
+	// How many bytes do we want to process with this call?  Either the
+	// all of the bytes available or the number of bytes that we are
+	// still missing.
+	int64_t to_process = min(int64_t(len), (expected-processed));
+
+	if ( fill < maxsize )
+		{
+		// We haven't yet filled the buffer. How many bytes to copy
+		// into the buff. Either all of the bytes we want to process
+		// or the number of bytes until we reach maxsize.
+		int64_t to_copy = min( to_process, (maxsize-fill) );
+		if ( to_copy )
+			memcpy(buf+fill, data, to_copy);
+
+		fill += to_copy;
+		}
+
+	processed += to_process;
+	len -= to_process;
+	data += to_process;
+	return (expected == processed);
+	}
+
 Contents_RPC::Contents_RPC(Connection* conn, bool orig,
 				RPC_Interpreter* arg_interp)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig)
+	: TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig)
 	{
 	interp = arg_interp;
-	resync = false;
-	msg_buf = 0;
-	InitBuffer();
+	state = WAIT_FOR_MESSAGE;
+	resync_state = RESYNC_INIT;
+	resync_toskip = 0;
+	start_time = 0;
+	last_time = 0;
 	}
 
 void Contents_RPC::Init()
 	{
 	TCP_SupportAnalyzer::Init();
-
-	TCP_Analyzer* tcp =
-		static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
-	assert(tcp);
-
-	resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
-						TCP_ENDPOINT_ESTABLISHED;
-	}
-
-void Contents_RPC::InitBuffer()
-	{
-	buf_len = 4;
-
-	// For record marker:
-	delete [] msg_buf;
-	msg_buf = new u_char[buf_len];
-
-	buf_n = 0;
-	last_frag = 0;
-	state = RPC_RECORD_MARKER;
 	}
 
 Contents_RPC::~Contents_RPC()
 	{
-	delete [] msg_buf;
 	}
 
 void Contents_RPC::Undelivered(int seq, int len, bool orig)
 	{
 	TCP_SupportAnalyzer::Undelivered(seq, len, orig);
-
-	// Re-sync after content gaps.
-	InitBuffer();
-	resync = true;
+	NeedResync();
 	}
 
-void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
+bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 	{
-	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	uint32 frame_len;
+	bool last_frag;
+	uint32 xid;
+	uint32 frame_type;
 
-	if ( state == RPC_COMPLETE )
-		InitBuffer();
+	bool discard_this_chunk = false;
 
-	// This is an attempt to re-synchronize the stream with RPC
-	// frames after a content gap.  We try to look for the beginning
-	// of an RPC frame, assuming (1) RPC frames begin at packet
-	// boundaries (though they may span over multiple packets) and
-	// (2) the first piece is longer than 12 bytes. (If we see a
-	// piece shorter than 12 bytes, it is likely that it's the
-	// remaining piece of a previous RPC frame, so the code here
-	// skips that piece.)  It then checks if the frame type and length
-	// make any sense, and if so, it assumes that is beginning of
-	// a frame.
-	if ( resync && state == RPC_RECORD_MARKER && buf_n == 0 )
+	if ( resync_state == RESYNC_INIT )
+		{ 
+		// First time CheckResync is called. If the TCP endpoint
+		// is fully established we are in sync (since it's the first chunk 
+		// of data after the SYN if its not established we need to 
+		// resync.
+		TCP_Analyzer* tcp =
+			static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+		assert(tcp);
+
+		if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
+							TCP_ENDPOINT_ESTABLISHED )
+			{
+			NeedResync();
+			}
+		else
+			resync_state = INSYNC;
+		}
+
+	if ( resync_state == INSYNC )
+		return true;
+
+	// This is an attempt to re-synchronize the stream with RPC frames
+	// after a content gap.  Returns true if we are in sync.  Returns
+	// false otherwise (we are in resync mode)
+	//
+	// We try to look for the beginning of a RPC frame, assuming RPC
+	// frames begin at packet boundaries (though they may span over
+	// multiple packets) (note that the data* of DeliverStream() usually
+	// starts at a packet boundrary).
+	//
+	// If we see a frame start that makes sense (direction and frame
+	// lenght seem ok), we try to read (skip over) the next RPC message.
+	// If this is successfull and we the place we are seems like a valid
+	// start of a RPC msg (direction and frame length seem ok). We assume
+	// that we have successfully resync'ed.
+
+	// Assuming RPC frames align with packet boundaries ...
+
+	while (len > 0)
 		{
-		// Assuming RPC frames align with packet boundaries ...
+		if ( resync_toskip )
+			{
+			if ( DEBUG_rpc_resync )
+				DEBUG_MSG("RPC resync: skipping %d bytes.\n", len);
+
+			// We have some bytes to skip over.
+			if ( resync_toskip < len )
+				{
+				len -= resync_toskip;
+				data += resync_toskip;
+				resync_toskip = 0;
+				}
+			else
+				{
+				resync_toskip -= len;
+				data += len;
+				len = 0;
+				return false;
+				}
+			}
+
+		if ( resync_toskip != 0 )
+			// Should never happen.
+			reporter->InternalError("RPC resync: skipping over data failed");
+
+		// Now lets see whether data points to the beginning of a RPC
+		// frame. If the resync processs is successful, we should be
+		// at the beginning of a frame.
+
+
 		if ( len < 12 )
 			{
-			// Ignore small fragmeents.
+			// Ignore small chunks.
 			if ( len != 1 && DEBUG_rpc_resync )
 				{
 				// One-byte fragments are likely caused by
 				// TCP keep-alive retransmissions.
 				DEBUG_MSG("%.6f RPC resync: "
-				          "discard small pieces: %d\n",
-			                  network_time, len);
+						  "discard small pieces: %d\n",
+							  network_time, len);
 				Conn()->Weird(
 					fmt("RPC resync: discard %d bytes\n",
 						len));
 				}
-			return;
+
+			NeedResync();
+			return false;
 			}
 
-		const u_char* xdata = data;
+
+		const u_char *xdata = data;
 		int xlen = len;
-		uint32 frame_len = extract_XDR_uint32(xdata, xlen);
-		uint32 xid = extract_XDR_uint32(xdata, xlen);
-		uint32 frame_type = extract_XDR_uint32(xdata, xlen);
+		frame_len = extract_XDR_uint32(xdata, xlen);
+		last_frag = (frame_len & 0x80000000) != 0;
+		frame_len &= 0x7fffffff;
+		xid = extract_XDR_uint32(xdata, xlen);
+		frame_type = extract_XDR_uint32(xdata, xlen);
 
+		// Check if the direction makes sense and the length of the
+		// frame to expect.
 		if ( (IsOrig() && frame_type != 0) ||
-		     (! IsOrig() && frame_type != 1) ||
-		     frame_len < 16 )
+			 (! IsOrig() && frame_type != 1) ||
+			 frame_len < 16 )
+
+			discard_this_chunk = true;
+
+		// Make sure the frame isn't too long.
+		// TODO: Could possible even reduce this number even further.
+		if ( frame_len > MAX_RPC_LEN )
+			discard_this_chunk = true;
+
+		if ( discard_this_chunk )
 			{
-			// Skip this packet.
+			// Skip this chunk
 			if ( DEBUG_rpc_resync )
-				{
-				DEBUG_MSG("RPC resync: skipping %d bytes\n",
-				          len);
-				}
-			return;
+				DEBUG_MSG("RPC resync: Need to resync. dicarding %d bytes.\n", len);
+
+			NeedResync();  // let's try the resync again from the beginning
+			return false;
 			}
 
-		resync = false;
-		}
+		// Looks like we are at the start of a frame and have successfully
+		// extracted the frame length (marker).
 
-	int n;
-	for ( n = 0; buf_n < buf_len && n < len; ++n )
-		msg_buf[buf_n++] = data[n];
+		switch (resync_state) {
+		case NEED_RESYNC:
+		case RESYNC_WAIT_FOR_MSG_START:
+			// Initial phase of resyncing. Skip frames until we get a frame
+			// with the last_fragment bit set.
+			resync_toskip = frame_len + 4;
 
-	if ( buf_n < buf_len )
-		// Haven't filled up the message buffer yet, no more to do.
-		return;
-
-	switch ( state ) {
-	case RPC_RECORD_MARKER:
-		{ // Have the whole record marker.
-		int prev_frag_len = buf_len - 4;
-		const u_char* buf = &msg_buf[prev_frag_len];
-		int n = 4;
-
-		uint32 marker = extract_XDR_uint32(buf, n);
-		if ( ! buf )
-			internal_error("inconsistent RPC record marker extraction");
-
-		if ( prev_frag_len > 0 && last_frag )
-			internal_error("last_frag set but more fragments");
-
-		last_frag = (marker & 0x80000000) != 0;
-
-		marker &= 0x7fffffff;
-
-		if ( prev_frag_len > 0 )
-			// We're adding another fragment.
-			marker += prev_frag_len;
-
-		// Fragment length is now given by marker.  Sanity-check.
-		if ( marker > MAX_RPC_LEN )
-			{
-			Conn()->Weird("excessive_RPC_len");
-			marker = MAX_RPC_LEN;
-			}
-
-		// The new size is either the full record size (if this
-		// is the last fragment), or that plus 4 more bytes for
-		// the next fragment header.
-		int new_size = last_frag ? marker : marker + 4;
-
-		u_char* tmp = new u_char[new_size];
-		int msg_len = (unsigned int) buf_len < marker ? buf_len : marker;
-		for ( int i = 0; i < msg_len; ++i )
-			tmp[i] = msg_buf[i];
-
-		delete [] msg_buf;
-		msg_buf = tmp;
-
-		buf_len = marker;	// we only want to fill to here
-		buf_n = prev_frag_len;	// overwrite this fragment's header
-
-		state = RPC_MESSAGE_BUFFER;
-		}
-		break;
-
-	case RPC_MESSAGE_BUFFER:
-		{ // Have the whole fragment.
-		if ( ! last_frag )
-			{
-			// We earlier made sure to leave an extra 4 bytes
-			// at the end of the buffer - use them now for
-			// the new fragment header.
-			buf_len += 4;
-			state = RPC_RECORD_MARKER;
+			if ( last_frag )
+				resync_state = RESYNC_WAIT_FOR_FULL_MSG;
+			else
+				resync_state = RESYNC_WAIT_FOR_MSG_START;
 			break;
-			}
 
-		if ( ! interp->DeliverRPC(msg_buf, buf_n, IsOrig()) )
-			Conn()->Weird("partial_RPC");
+		case RESYNC_WAIT_FOR_FULL_MSG:
+			// If the resync was successful so far, we should now be the start
+			// of a new RPC message. Try to skip over it.
+			resync_toskip = frame_len + 4;
 
-		state = RPC_COMPLETE;
-		delete [] msg_buf;
-		msg_buf = 0;
-		}
-		break;
+			if ( last_frag )
+				resync_state = RESYNC_HAD_FULL_MSG;
+			break;
 
-	case RPC_COMPLETE:
-		internal_error("RPC state inconsistency");
+		case RESYNC_HAD_FULL_MSG:
+			// We have now successfully skipped over a full RPC message.
+			// If we got that far, we are in sync.
+			resync_state = INSYNC;
+
+			if ( DEBUG_rpc_resync )
+				DEBUG_MSG("RPC resync: success.\n");
+			return true;
+
+		default:
+			// Should never happen.
+			NeedResync();
+			return false;
+		} // end switch
+		} // end while (len>0)
+
+	return false;
 	}
 
-	if ( n < len )
-		// More data to munch on.
-		DeliverStream(len - n, data + n, orig);
+
+
+
+void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	uint32 marker;
+	bool last_frag;
+
+	if ( ! CheckResync(len, data, orig) )
+		return;	// Not in sync yet. Still resyncing.
+
+	// Should be in sync now.
+
+	while (len > 0)
+		{
+		last_time = network_time;
+
+		switch (state) {
+		case WAIT_FOR_MESSAGE:
+			// A new RPC message is starting. Initialize state.
+
+			// We expect and want 4 bytes of the frame markers.
+			marker_buf.Init(4,4);
+
+			// We want at most 64KB of message data and we don't
+			// know yet how much we expect, so we set expected to
+			// 0.
+			msg_buf.Init(MAX_RPC_LEN, 0);
+			last_frag = 0;
+			state = WAIT_FOR_MARKER;
+			start_time = network_time;
+			// no break. fall through
+
+		case WAIT_FOR_MARKER:
+			{
+			bool got_marker = marker_buf.ConsumeChunk(data,len);
+
+			if ( got_marker )
+				{
+				const u_char *dummy_p = marker_buf.GetBuf();
+				int dummy_len = (int) marker_buf.GetFill();
+
+				// have full marker
+				marker = extract_XDR_uint32(dummy_p, dummy_len);
+				marker_buf.Init(4,4);
+
+				if ( ! dummy_p )
+					reporter->InternalError("inconsistent RPC record marker extraction");
+
+				last_frag = (marker & 0x80000000) != 0;
+				marker &= 0x7fffffff;
+					//printf("%.6f %d marker= %u <> last_frag= %d <> expected=%llu <> processed= %llu <> len = %d\n",
+					//		network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
+
+				if ( ! msg_buf.AddToExpected(marker) )
+					Conn()->Weird(fmt("RPC_message_too_long (%" PRId64 ")" , msg_buf.GetExpected()));
+
+				if ( last_frag )
+					state = WAIT_FOR_LAST_DATA;
+				else
+					state = WAIT_FOR_DATA;
+				}
+			}
+			// Else remain in state. Haven't got the full 4 bytes
+			// for the marker yet.
+			break;
+
+		case WAIT_FOR_DATA:
+		case WAIT_FOR_LAST_DATA:
+			{
+			bool got_all_data = msg_buf.ConsumeChunk(data, len);
+
+			if ( got_all_data )
+				{
+				// Got all the data we expected. Now let's
+				// see whether there is another fragment
+				// coming or whether we just finished the
+				// last fragment.
+				if ( state == WAIT_FOR_LAST_DATA )
+					{
+					const u_char *dummy_p = msg_buf.GetBuf();
+					int dummy_len = (int) msg_buf.GetFill();
+
+					if ( ! interp->DeliverRPC(dummy_p, dummy_len, (int)msg_buf.GetExpected(), IsOrig(), start_time, last_time) )
+						Conn()->Weird("partial_RPC");
+
+					state = WAIT_FOR_MESSAGE;
+					}
+				else
+					state = WAIT_FOR_MARKER;
+				}
+			// Else remain in state. Haven't read all the data
+			// yet.
+			}
+			break;
+		} // end switch
+		} // end while
 	}
 
 RPC_Analyzer::RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn,
@@ -520,15 +693,16 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen)
 	{
 	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	len = min(len, caplen);
 
 	if ( orig )
 		{
-		if ( ! interp->DeliverRPC(data, len, 1) )
+		if ( ! interp->DeliverRPC(data, len, len, 1, network_time, network_time) )
 			Weird("bad_RPC");
 		}
 	else
 		{
-		if ( ! interp->DeliverRPC(data, len, 0) )
+		if ( ! interp->DeliverRPC(data, len, len, 0, network_time, network_time) )
 			Weird("bad_RPC");
 		}
 	}
@@ -537,24 +711,7 @@ void RPC_Analyzer::Done()
 	{
 	TCP_ApplicationAnalyzer::Done();
 
-	// This code was replicated in NFS.cc and Portmap.cc, so we factor
-	// it into here.  The semantics have slightly changed - it used
-	// to be we'd always execute interp->Timeout(), but now we only
-	// do for UDP.
-
-	if ( Conn()->ConnTransport() == TRANSPORT_TCP && TCP() )
-		{
-		if ( orig_rpc->State() != RPC_COMPLETE &&
-		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
-		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) &&
-		     // Sometimes things like tcpwrappers will immediately
-		     // close the connection, without any data having been
-		     // transferred.  Don't bother flagging these.
-		     TCP()->Orig()->Size() > 0 )
-			Weird("partial_RPC_request");
-		}
-	else
-		interp->Timeout();
+	interp->Timeout();
 	}
 
 void RPC_Analyzer::ExpireTimer(double /* t */)
@@ -562,44 +719,3 @@ void RPC_Analyzer::ExpireTimer(double /* t */)
 	Event(connection_timeout);
 	sessions->Remove(Conn());
 	}
-
-// The binpac version of interpreter.
-#include "rpc_pac.h"
-
-RPC_UDP_Analyzer_binpac::RPC_UDP_Analyzer_binpac(Connection* conn)
-: Analyzer(AnalyzerTag::RPC_UDP_BINPAC, conn)
-	{
-	interp = new binpac::SunRPC::RPC_Conn(this);
-	ADD_ANALYZER_TIMER(&RPC_UDP_Analyzer_binpac::ExpireTimer,
-			network_time + rpc_timeout, 1, TIMER_RPC_EXPIRE);
-	}
-
-RPC_UDP_Analyzer_binpac::~RPC_UDP_Analyzer_binpac()
-	{
-	delete interp;
-	}
-
-void RPC_UDP_Analyzer_binpac::Done()
-	{
-	Analyzer::Done();
-	interp->Timeout();
-	}
-
-void RPC_UDP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-	try
-		{
-		interp->NewData(orig, data, data + len);
-		}
-	catch ( binpac::Exception &e )
-		{
-		Weird(fmt("bad_RPC: %s", e.msg().c_str()));
-		}
-	}
-
-void RPC_UDP_Analyzer_binpac::ExpireTimer(double /* t */)
-	{
-	Event(connection_timeout);
-	sessions->Remove(Conn());
-	}
diff --git a/src/RPC.h b/src/RPC.h
index 11acb68977..0eee423460 100644
--- a/src/RPC.h
+++ b/src/RPC.h
@@ -1,5 +1,3 @@
-// $Id: RPC.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef rpc_h
@@ -49,7 +47,8 @@ enum {
 
 class RPC_CallInfo {
 public:
-	RPC_CallInfo(uint32 xid, const u_char*& buf, int& n);
+	RPC_CallInfo(uint32 xid, const u_char*& buf, int& n, double start_time,
+		     double last_time, int rpc_len);
 	~RPC_CallInfo();
 
 	void AddVal(Val* arg_v)		{ Unref(v); v = arg_v; }
@@ -63,8 +62,12 @@ public:
 	uint32 Proc() const		{ return proc; }
 
 	double StartTime() const	{ return start_time; }
+	void SetStartTime(double t)	{ start_time = t; }
+	double LastTime() const	{ return last_time; }
+	void SetLastTime(double t)	{ last_time = t; }
 	int CallLen() const		{ return call_n; }
-	int HeaderLen() const		{ return header_len; }
+	int RPCLen() const	{ return rpc_len; }
+	int HeaderLen() const	{ return header_len; }
 
 	uint32 XID() const		{ return xid; }
 
@@ -76,6 +79,8 @@ protected:
 	uint32 cred_flavor, verf_flavor;
 	u_char* call_buf;	// copy of original call buffer
 	double start_time;
+	double last_time;
+	int rpc_len;		// size of the full RPC call, incl. xid and msg_type
 	int call_n;		// size of call buf
 	int header_len;		// size of data before the arguments
 	bool valid_call;	// whether call was well-formed
@@ -93,19 +98,19 @@ public:
 	// Delivers the given RPC.  Returns true if "len" bytes were
 	// enough, false otherwise.  "is_orig" is true if the data is
 	// from the originator of the connection.
-	int DeliverRPC(const u_char* data, int len, int is_orig);
+	int DeliverRPC(const u_char* data, int len, int caplen, int is_orig, double start_time, double last_time);
 
 	void Timeout();
 
 protected:
 	virtual int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) = 0;
-	virtual int RPC_BuildReply(const RPC_CallInfo* c, int success,
-					const u_char*& buf, int& n,
-					EventHandlerPtr& event, Val*& reply) = 0;
+	virtual int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status success,
+				   const u_char*& buf, int& n, double start_time, double last_time,
+				   int reply_len) = 0;
 
-	virtual void Event(EventHandlerPtr f, Val* request, int status, Val* reply) = 0;
-
-	void RPC_Event(RPC_CallInfo* c, int status, int reply_len);
+	void Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len);
+	void Event_RPC_Call(RPC_CallInfo* c);
+	void Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len);
 
 	void Weird(const char* name);
 
@@ -113,35 +118,108 @@ protected:
 	Analyzer* analyzer;
 };
 
-typedef enum {
-	RPC_RECORD_MARKER,	// building up the stream record marker
-	RPC_MESSAGE_BUFFER,	// building up the message in the buffer
-	RPC_COMPLETE		// message fully built
-} TCP_RPC_state;
 
+/* A simple buffer for reassembling the fragments that RPC-over-TCP
+ * uses. Only needed by RPC_Contents.
+
+ * However, RPC messages can be quite large. As a first step, we only
+ * extract and analyzer the first part of an RPC message and skip
+ * over the rest.
+ *
+ * We specify:
+ *    maxsize:  the number of bytes we want to copy into the buffer to analyze.
+ *    expected: the total number of bytes in the RPC message. Can be
+ *              quite large. We will be "skipping over" expected-maxsize bytes.
+ *
+ * We can extend "expected" (by calling AddToExpected()), but maxsize is
+ * fixed.
+ *
+ * TODO: grow buffer dynamically
+ */
+class RPC_Reasm_Buffer {
+public:
+	RPC_Reasm_Buffer() {
+		maxsize = expected = 0;
+		fill = processed = 0;
+		buf = 0;
+	};
+
+	~RPC_Reasm_Buffer() { if (buf) delete [] buf; }
+
+	void Init(int64_t arg_maxsize, int64_t arg_expected);
+
+	const u_char *GetBuf() { return buf; }	// Pointer to the buffer
+	int64_t GetFill() { return fill; }	// Number of bytes in buf
+	int64_t GetSkipped() { return processed-fill; }	// How many bytes did we skipped?
+	int64_t GetExpected() { return expected; }	// How many bytes are we expecting?
+	int64_t GetProcessed() { return processed; }	// How many bytes are we expecting?
+
+	// Expand expected by delta bytes. Returns false if the number of
+	// expected bytes exceeds maxsize (which means that we will truncate
+	// the message).
+	bool AddToExpected(int64_t delta)
+		{ expected += delta; return ! (expected > maxsize); }
+
+	// Consume a chunk of input data (pointed to by data, up len in
+	// size). data and len will be adjusted accordingly. Returns true if
+	// "expected" bytes have been processed, i.e., returns true when we
+	// don't expect any more data.
+	bool ConsumeChunk(const u_char*& data, int& len);
+
+protected:
+	int64_t fill;	// how many bytes we currently have in the buffer
+	int64_t maxsize;	// maximum buffer size we want to allocate
+	int64_t processed;	// number of bytes we have processed so far
+	int64_t expected;	// number of input bytes we expect
+	u_char *buf;
+
+};
+
+/* Support Analyzer for reassembling RPC-over-TCP messages */
 class Contents_RPC : public TCP_SupportAnalyzer {
 public:
 	Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp);
 	virtual ~Contents_RPC();
 
-	TCP_RPC_state State() const		{ return state; }
-
 protected:
+	typedef enum {
+		WAIT_FOR_MESSAGE,
+		WAIT_FOR_MARKER,
+		WAIT_FOR_DATA,
+		WAIT_FOR_LAST_DATA,
+	} state_t;
+
+	typedef enum {
+		NEED_RESYNC,
+		RESYNC_WAIT_FOR_MSG_START,
+		RESYNC_WAIT_FOR_FULL_MSG,
+		RESYNC_HAD_FULL_MSG,
+		INSYNC,
+		RESYNC_INIT,
+	} resync_state_t;
+
 	virtual void Init();
+	virtual bool CheckResync(int& len, const u_char*& data, bool orig);
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 
-	virtual void InitBuffer();
+	virtual void NeedResync() {
+		resync_state = NEED_RESYNC;
+		resync_toskip = 0;
+		state = WAIT_FOR_MESSAGE;
+	}
 
 	RPC_Interpreter* interp;
 
-	u_char* msg_buf;
-	int buf_n;	// number of bytes in msg_buf
-	int buf_len;	// size off msg_buf
-	int last_frag;	// if this buffer corresponds to the last "fragment"
-	bool resync;
+	RPC_Reasm_Buffer marker_buf;	// reassembles the 32bit RPC-over-TCP marker
+	RPC_Reasm_Buffer msg_buf;	// reassembles RPC messages
+	state_t state;
 
-	TCP_RPC_state state;
+	double start_time;
+	double last_time;
+
+	resync_state_t resync_state;
+	int resync_toskip;
 };
 
 class RPC_Analyzer : public TCP_ApplicationAnalyzer {
@@ -164,28 +242,4 @@ protected:
 	Contents_RPC* resp_rpc;
 };
 
-#include "rpc_pac.h"
-
-class RPC_UDP_Analyzer_binpac : public Analyzer {
-public:
-	RPC_UDP_Analyzer_binpac(Connection* conn);
-	virtual ~RPC_UDP_Analyzer_binpac();
-
-	virtual void Done();
-	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
-
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
-		{ return new RPC_UDP_Analyzer_binpac(conn); }
-
-	static bool Available()
-		{ return pm_request || rpc_call; }
-
-protected:
-	friend class AnalyzerTimer;
-	void ExpireTimer(double t);
-
-	binpac::SunRPC::RPC_Conn* interp;
-};
-
 #endif
diff --git a/src/RSH.cc b/src/RSH.cc
index bfc78d04b7..ceef3ba7a4 100644
--- a/src/RSH.cc
+++ b/src/RSH.cc
@@ -1,5 +1,3 @@
-// $Id: RSH.cc 6219 2008-10-01 05:39:07Z vern $
-
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -15,7 +13,7 @@ Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig,
 						Rsh_Analyzer* arg_analyzer)
 : ContentLine_Analyzer(AnalyzerTag::Contents_Rsh, conn, orig)
 	{
-	num_bytes_to_scan = num_bytes_to_scan = 0;
+	num_bytes_to_scan = 0;
 	analyzer = arg_analyzer;
 
 	if ( orig )
@@ -127,7 +125,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
 			break;
 
 		default:
-			internal_error("bad state in Contents_Rsh_Analyzer::DoDeliver");
+			reporter->InternalError("bad state in Contents_Rsh_Analyzer::DoDeliver");
 			break;
 		}
 		}
@@ -179,7 +177,7 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void Rsh_Analyzer::ClientUserName(const char* s)
 	{
 	if ( client_name )
-		internal_error("multiple rsh client names");
+		reporter->InternalError("multiple rsh client names");
 
 	client_name = new StringVal(s);
 	}
@@ -187,7 +185,7 @@ void Rsh_Analyzer::ClientUserName(const char* s)
 void Rsh_Analyzer::ServerUserName(const char* s)
 	{
 	if ( username )
-		internal_error("multiple rsh initial client names");
+		reporter->InternalError("multiple rsh initial client names");
 
 	username = new StringVal(s);
 	}
diff --git a/src/RSH.h b/src/RSH.h
index 8a6c5fde6f..136d0b07f1 100644
--- a/src/RSH.h
+++ b/src/RSH.h
@@ -1,5 +1,3 @@
-// $Id: RSH.h 6219 2008-10-01 05:39:07Z vern $
-
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef rsh_h
diff --git a/src/RandTest.cc b/src/RandTest.cc
new file mode 100644
index 0000000000..638cc6c765
--- /dev/null
+++ b/src/RandTest.cc
@@ -0,0 +1,132 @@
+/*
+	Apply various randomness tests to a stream of bytes
+
+		by John Walker  --  September 1996
+			http://www.fourmilab.ch/random
+
+		This software is in the public domain. Permission to use, copy, modify,
+		and distribute this software and its documentation for any purpose and
+		without fee is hereby granted, without any conditions or restrictions.
+		This software is provided “as is� without express or implied warranty.
+
+	Modified for Bro by Seth Hall - July 2010
+*/
+
+#include <RandTest.h>
+
+RandTest::RandTest()
+	{
+	totalc = 0;
+	mp = 0;
+	sccfirst = 1;
+	inmont = mcount = 0;
+	cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0;
+
+	for (int i = 0; i < 256; i++)
+		{
+		ccount[i] = 0;
+		}
+	}
+
+void RandTest::add(void *buf, int bufl)
+	{
+	unsigned char *bp = (unsigned char*)buf;
+	int oc;
+
+	while (bufl-- > 0)
+		{
+		oc = *bp++;
+		ccount[oc]++;   /* Update counter for this bin */
+		totalc++;
+
+		/* Update inside / outside circle counts for Monte Carlo
+ 		   computation of PI */
+		monte[mp++] = oc;  /* Save character for Monte Carlo */
+		if (mp >= RT_MONTEN)  /* Calculate every RT_MONTEN character */
+			{
+			mp = 0;
+			mcount++;
+			montex = 0;
+			montey = 0;
+			for (int mj=0; mj < RT_MONTEN/2; mj++)
+				{
+				montex = (montex * 256.0) + monte[mj];
+				montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj];
+				}
+			if (montex*montex + montey*montey <= RT_INCIRC)
+				{
+				inmont++;
+				}
+			}
+
+		/* Update calculation of serial correlation coefficient */
+		if (sccfirst)
+			{
+			sccfirst = 0;
+			scclast = 0;
+			sccu0 = oc;
+			}
+		else
+			{
+			scct1 = scct1 + scclast * oc;
+			}
+
+		scct2 = scct2 + oc;
+		scct3 = scct3 + (oc * oc);
+		scclast = oc;
+		oc <<= 1;
+		}
+	}
+
+void RandTest::end(double *r_ent, double *r_chisq,
+                   double *r_mean, double *r_montepicalc, double *r_scc)
+	{
+	int i;
+	double ent, chisq, scc, datasum;
+	ent = 0.0; chisq = 0.0; scc = 0.0; datasum = 0.0;
+	double prob[256];    /* Probabilities per bin for entropy */
+
+	/* Complete calculation of serial correlation coefficient */
+	scct1 = scct1 + scclast * sccu0;
+	scct2 = scct2 * scct2;
+	scc = totalc * scct3 - scct2;
+	if (scc == 0.0)
+	   scc = -100000;
+	else
+	   scc = (totalc * scct1 - scct2) / scc;
+
+	/* Scan bins and calculate probability for each bin and
+	   Chi-Square distribution.  The probability will be reused
+	   in the entropy calculation below.  While we're at it,
+	   we sum of all the data which will be used to compute the
+	   mean. */
+	cexp = totalc / 256.0;  /* Expected count per bin */
+	for (i = 0; i < 256; i++)
+		{
+		double a = ccount[i] - cexp;
+
+		prob[i] = ((double) ccount[i]) / totalc;
+		chisq += (a * a) / cexp;
+		datasum += ((double) i) * ccount[i];
+		}
+
+	/* Calculate entropy */
+	for (i = 0; i < 256; i++)
+		{
+		if (prob[i] > 0.0)
+			{
+			ent += prob[i] * rt_log2(1 / prob[i]);
+			}
+		}
+
+	/* Calculate Monte Carlo value for PI from percentage of hits
+	   within the circle */
+	montepi = 4.0 * (((double) inmont) / mcount);
+
+	/* Return results through arguments */
+	*r_ent = ent;
+	*r_chisq = chisq;
+	*r_mean = datasum / totalc;
+	*r_montepicalc = montepi;
+	*r_scc = scc;
+	}
diff --git a/src/RandTest.h b/src/RandTest.h
new file mode 100644
index 0000000000..a4f551b602
--- /dev/null
+++ b/src/RandTest.h
@@ -0,0 +1,34 @@
+#include <math.h>
+
+#define log2of10 3.32192809488736234787
+/*  RT_LOG2  --  Calculate log to the base 2  */
+static double rt_log2(double x)
+{
+    return log2of10 * log10(x);
+}
+
+#define RT_MONTEN 6  /* Bytes used as Monte Carlo
+                        co-ordinates. This should be no more
+                        bits than the mantissa of your "double"
+                        floating point type. */
+
+// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0);
+#define RT_INCIRC 281474943156225.0
+
+class RandTest {
+	public:
+		RandTest();
+		void add(void *buf, int bufl);
+		void end(double *r_ent, double *r_chisq, double *r_mean,
+		         double *r_montepicalc, double *r_scc);
+
+	private:
+		long ccount[256];  /* Bins to count occurrences of values */
+		long totalc;       /* Total bytes counted */
+		int mp;
+		int sccfirst;
+		unsigned int monte[RT_MONTEN];
+		long inmont, mcount;
+		double cexp, montex, montey, montepi,
+		       sccu0, scclast, scct1, scct2, scct3;
+	};
diff --git a/src/Reassem.cc b/src/Reassem.cc
index c6ec6a3420..89fe29e7d4 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -1,7 +1,7 @@
-// $Id: Reassem.cc 6703 2009-05-13 22:27:44Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "Reassem.h"
@@ -22,7 +22,7 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
 
 	block = new u_char[size];
 	if ( ! block )
-		internal_error("out of memory");
+		reporter->InternalError("out of memory");
 
 	memcpy((void*) block, (const void*) data, size);
 
@@ -48,15 +48,8 @@ Reassembler::Reassembler(int init_seq, const uint32* ip_addr,
 	{
 	blocks = last_block = 0;
 	trim_seq = last_reassem_seq = init_seq;
-
-	const NumericData* host_profile;
-	get_map_result(ip_addr[0], host_profile);	// breaks for IPv6
-
-	policy = (arg_type == REASSEM_TCP) ?
-			host_profile->tcp_reassem : host_profile->ip_reassem;
 	}
 
-
 Reassembler::~Reassembler()
 	{
 	ClearBlocks();
@@ -195,8 +188,10 @@ void Reassembler::Describe(ODesc* d) const
 	d->Add("reassembler");
 	}
 
-void Reassembler::Undelivered(int /* up_to_seq */)
+void Reassembler::Undelivered(int up_to_seq)
 	{
+	// TrimToSeq() expects this.
+	last_reassem_seq = up_to_seq;
 	}
 
 DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
@@ -241,67 +236,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 		return new_b;
 		}
 
-	// The blocks overlap.
-
-#ifdef ACTIVE_MAPPING
-	if ( policy != RP_UNKNOWN )
-		{
-		if ( seq_delta(seq, b->seq) < 0 )
-			{ // The new block has a prefix that comes before b.
-			int prefix_len = seq_delta(b->seq, seq);
-			new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
-			if ( b == blocks )
-				blocks = new_b;
-
-			data += prefix_len;
-			seq += prefix_len;
-			}
-
-		if ( policy == RP_LAST ||
-			     // After handling the prefix block, BSD takes the rest
-		     (policy == RP_BSD && new_b) ||
-			     // Similar, but overwrite for same seq number
-		     (policy == RP_LINUX && (new_b || seq == b->seq)) )
-			{
-			DataBlock* bprev = b->prev;
-			bool b_was_first = b == blocks;
-			while ( b && b->upper <= upper )
-				{
-				DataBlock* next = b->next;
-				delete b;
-				b = next;
-				}
-
-			new_b = new DataBlock(data, upper - seq, seq, bprev, b);
-			if ( b_was_first )
-				blocks = new_b;
-
-			// Trim the next block as needed.
-			if ( b && seq_delta(new_b->upper, b->seq) > 0 )
-				{
-				DataBlock* next_b =
-					new DataBlock(&b->block[upper - b->seq],
-							b->upper - upper, upper,
-							new_b, b->next);
-				if ( b == last_block )
-					last_block = next_b;
-
-				delete b;
-				}
-			}
-
-		else
-			{ // handle the piece that sticks out past b
-			new_b = b;
-			int len = upper - b->upper;
-			if ( len > 0 )
-				new_b = AddAndCheck(b, b->upper, upper, &data[b->upper - seq]);
-			}
-		}
-	else
-		{
-#endif
-	// Default behavior - complain about overlaps.
+	// The blocks overlap, complain.
 	if ( seq_delta(seq, b->seq) < 0 )
 		{
 		// The new block has a prefix that comes before b.
@@ -336,10 +271,6 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 			(void) AddAndCheck(b, seq, upper, data);
 		}
 
-#ifdef ACTIVE_MAPPING
-		}	// else branch, for RP_UNKNOWN behavior
-#endif
-
 	if ( new_b->prev == last_block )
 		last_block = new_b;
 
@@ -363,7 +294,7 @@ bool Reassembler::DoSerialize(SerialInfo* info) const
 	// I'm not sure if it makes sense to actually save the buffered data.
 	// For now, we just remember the seq numbers so that we don't get
 	// complaints about missing content.
-	return SERIALIZE(trim_seq) && SERIALIZE(int(policy));
+	return SERIALIZE(trim_seq) && SERIALIZE(int(0));
 	}
 
 bool Reassembler::DoUnserialize(UnserialInfo* info)
@@ -372,11 +303,10 @@ bool Reassembler::DoUnserialize(UnserialInfo* info)
 
 	blocks = last_block = 0;
 
-	int p;
-	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&p) )
+	int dummy; // For backwards compatibility.
+	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&dummy) )
 		return false;
 
-	policy = ReassemblyPolicy(p);
 	last_reassem_seq = trim_seq;
 
 	return  true;
diff --git a/src/Reassem.h b/src/Reassem.h
index 0200f8577b..06d1e28f40 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -1,17 +1,14 @@
-// $Id: Reassem.h 6703 2009-05-13 22:27:44Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef reassem_h
 #define reassem_h
 
-#include "Active.h"
 #include "Obj.h"
 
 class DataBlock {
 public:
 	DataBlock(const u_char* data, int size, int seq,
-			DataBlock* next, DataBlock* prev);
+			DataBlock* prev, DataBlock* next);
 
 	~DataBlock();
 
@@ -74,8 +71,6 @@ protected:
 	int last_reassem_seq;
 	int trim_seq;	// how far we've trimmed
 
-	ReassemblyPolicy policy;
-
 	static unsigned int total_size;
 };
 
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index a9329cc9cb..b72a6dcc1a 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -1,5 +1,3 @@
-// $Id: RemoteSerializer.cc 6951 2009-12-04 22:23:28Z vern $
-//
 // Processes involved in the communication:
 //
 //	 (Local-Parent) <-> (Local-Child) <-> (Remote-Child) <-> (Remote-Parent)
@@ -173,6 +171,8 @@
 #endif
 #include <sys/resource.h>
 
+#include <algorithm>
+
 #include "RemoteSerializer.h"
 #include "Func.h"
 #include "EventRegistry.h"
@@ -183,6 +183,8 @@
 #include "Sessions.h"
 #include "File.h"
 #include "Conn.h"
+#include "LogMgr.h"
+#include "Reporter.h"
 
 extern "C" {
 #include "setsignal.h"
@@ -190,7 +192,7 @@ extern "C" {
 
 // Gets incremented each time there's an incompatible change
 // to the communication internals.
-static const unsigned short PROTOCOL_VERSION = 0x06;
+static const unsigned short PROTOCOL_VERSION = 0x07;
 
 static const char MSG_NONE = 0x00;
 static const char MSG_VERSION = 0x01;
@@ -216,9 +218,12 @@ static const char MSG_SYNC_POINT = 0x14;
 static const char MSG_TERMINATE = 0x15;
 static const char MSG_DEBUG_DUMP = 0x16;
 static const char MSG_REMOTE_PRINT = 0x17;
+static const char MSG_LOG_CREATE_WRITER = 0x18;
+static const char MSG_LOG_WRITE = 0x19;
+static const char MSG_REQUEST_LOGS = 0x20;
 
 // Update this one whenever adding a new ID:
-static const char MSG_ID_MAX = MSG_REMOTE_PRINT;
+static const char MSG_ID_MAX = MSG_REQUEST_LOGS;
 
 static const uint32 FINAL_SYNC_POINT = /* UINT32_MAX */ 4294967295U;
 
@@ -226,6 +231,9 @@ static const uint32 FINAL_SYNC_POINT = /* UINT32_MAX */ 4294967295U;
 static const int PRINT_BUFFER_SIZE = 10 * 1024;
 static const int SOCKBUF_SIZE = 1024 * 1024;
 
+// Buffer size for remote-log data.
+static const int LOG_BUFFER_SIZE = 50 * 1024;
+
 struct ping_args {
 	uint32 seq;
 	double time1; // Round-trip time parent1<->parent2
@@ -303,6 +311,9 @@ static const char* msgToStr(int msg)
 	MSG_STR(MSG_TERMINATE)
 	MSG_STR(MSG_DEBUG_DUMP)
 	MSG_STR(MSG_REMOTE_PRINT)
+	MSG_STR(MSG_LOG_CREATE_WRITER)
+	MSG_STR(MSG_LOG_WRITE)
+	MSG_STR(MSG_REQUEST_LOGS)
 	default:
 		return "UNKNOWN_MSG";
 	}
@@ -374,6 +385,9 @@ inline void RemoteSerializer::SetupSerialInfo(SerialInfo* info, Peer* peer)
 	     peer->phase == Peer::RUNNING )
 		info->new_cache_strategy = true;
 
+	if ( (peer->caps & Peer::BROCCOLI_PEER) )
+		info->broccoli_peer = true;
+
 	info->include_locations = false;
 	}
 
@@ -381,7 +395,7 @@ static bool sendToIO(ChunkedIO* io, ChunkedIO::Chunk* c)
 	{
 	if ( ! io->Write(c) )
 		{
-		warn(fmt("can't send chunk: %s", io->Error()));
+		reporter->Warning("can't send chunk: %s", io->Error());
 		return false;
 		}
 
@@ -393,7 +407,7 @@ static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
 	{
 	if ( ! sendCMsg(io, msg_type, id) )
 		{
-		warn(fmt("can't send message of type %d: %s", msg_type, io->Error()));
+		reporter->Warning("can't send message of type %d: %s", msg_type, io->Error());
 		return false;
 		}
 
@@ -408,7 +422,7 @@ static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
 	{
 	if ( ! sendCMsg(io, msg_type, id) )
 		{
-		warn(fmt("can't send message of type %d: %s", msg_type, io->Error()));
+		reporter->Warning("can't send message of type %d: %s", msg_type, io->Error());
 		return false;
 		}
 
@@ -469,7 +483,10 @@ static inline bool is_peer_msg(int msg)
 		msg == MSG_CAPS ||
 		msg == MSG_COMPRESS ||
 		msg == MSG_SYNC_POINT ||
-		msg == MSG_REMOTE_PRINT;
+		msg == MSG_REMOTE_PRINT ||
+		msg == MSG_LOG_CREATE_WRITER ||
+		msg == MSG_LOG_WRITE ||
+		msg == MSG_REQUEST_LOGS;
 	}
 
 bool RemoteSerializer::IsConnectedPeer(PeerID id)
@@ -512,6 +529,7 @@ RemoteSerializer::RemoteSerializer()
 	closed = false;
 	terminating = false;
 	in_sync = 0;
+	last_flush = 0;
 	}
 
 RemoteSerializer::~RemoteSerializer()
@@ -544,6 +562,36 @@ void RemoteSerializer::Init()
 	initialized = 1;
 	}
 
+void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose)
+	{
+	int defsize = 0;
+	socklen_t len = sizeof(defsize);
+
+	if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 )
+		{
+		if ( verbose )
+			Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno)));
+		return;
+		}
+
+	for ( int trysize = size; trysize > defsize; trysize -= 1024 )
+		{
+		if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 )
+			{
+			if ( verbose )
+			    {
+			    if ( trysize == size )
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024));
+			    else
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024));
+			    }
+			return;
+			}
+		}
+
+	Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024));
+	}
+
 void RemoteSerializer::Fork()
 	{
 	if ( child_pid )
@@ -562,25 +610,11 @@ void RemoteSerializer::Fork()
 		return;
 		}
 
-	int bufsize;
-	socklen_t len = sizeof(bufsize);
-
-	if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 )
-		Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno)));
-	else
-		Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE));
-
-	bufsize = SOCKBUF_SIZE;
-
-	if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 )
-		Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno)));
+	// Try to increase the size of the socket send and receive buffers.
+	SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1);
+	SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
+	SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0);
+	SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
 
 	child_pid = 0;
 
@@ -632,7 +666,7 @@ void RemoteSerializer::Fork()
 		setpriority(PRIO_PROCESS, 0, 5);
 
 		child.Run();
-		internal_error("cannot be reached");
+		reporter->InternalError("cannot be reached");
 		}
 	}
 
@@ -643,7 +677,7 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(addr_type ip, uint16 port,
 		return true;
 
 	if ( ! initialized )
-		internal_error("remote serializer not initialized");
+		reporter->InternalError("remote serializer not initialized");
 
 #ifdef BROv6
 	if ( ! is_v4_addr(ip) )
@@ -676,6 +710,21 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(addr_type ip, uint16 port,
 	return p->id;
 	}
 
+bool RemoteSerializer::CloseConnection(PeerID id)
+	{
+	if ( ! using_communication )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		{
+		reporter->Error("unknown peer id %d for closing connection", int(id));
+		return false;
+		}
+
+	return CloseConnection(peer);
+	}
+
 bool RemoteSerializer::CloseConnection(Peer* peer)
 	{
 	if ( peer->suspended_processing )
@@ -688,6 +737,7 @@ bool RemoteSerializer::CloseConnection(Peer* peer)
 		return true;
 
 	FlushPrintBuffer(peer);
+	FlushLogBuffer(peer);
 
 	Log(LogInfo, "closing connection", peer);
 
@@ -703,14 +753,14 @@ bool RemoteSerializer::RequestSync(PeerID id, bool auth)
 	Peer* peer = LookupPeer(id, true);
 	if ( ! peer )
 		{
-		run_time(fmt("unknown peer id %d for request sync", int(id)));
+		reporter->Error("unknown peer id %d for request sync", int(id));
 		return false;
 		}
 
 	if ( peer->phase != Peer::HANDSHAKE )
 		{
-		run_time(fmt("can't request sync from peer; wrong phase %d",
-				peer->phase));
+		reporter->Error("can't request sync from peer; wrong phase %d",
+				peer->phase);
 		return false;
 		}
 
@@ -722,6 +772,31 @@ bool RemoteSerializer::RequestSync(PeerID id, bool auth)
 	return true;
 	}
 
+bool RemoteSerializer::RequestLogs(PeerID id)
+	{
+	if ( ! using_communication )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		{
+		reporter->Error("unknown peer id %d for request logs", int(id));
+		return false;
+		}
+
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		reporter->Error("can't request logs from peer; wrong phase %d",
+			     peer->phase);
+		return false;
+		}
+
+	if ( ! SendToChild(MSG_REQUEST_LOGS, peer, 0) )
+		return false;
+
+	return true;
+	}
+
 bool RemoteSerializer::RequestEvents(PeerID id, RE_Matcher* pattern)
 	{
 	if ( ! using_communication )
@@ -730,14 +805,14 @@ bool RemoteSerializer::RequestEvents(PeerID id, RE_Matcher* pattern)
 	Peer* peer = LookupPeer(id, true);
 	if ( ! peer )
 		{
-		run_time(fmt("unknown peer id %d for request sync", int(id)));
+		reporter->Error("unknown peer id %d for request sync", int(id));
 		return false;
 		}
 
 	if ( peer->phase != Peer::HANDSHAKE )
 		{
-		run_time(fmt("can't request events from peer; wrong phase %d",
-				peer->phase));
+		reporter->Error("can't request events from peer; wrong phase %d",
+				peer->phase);
 		return false;
 		}
 
@@ -797,8 +872,8 @@ bool RemoteSerializer::CompleteHandshake(PeerID id)
 
 	if ( p->phase != Peer::HANDSHAKE )
 		{
-		run_time(fmt("can't complete handshake; wrong phase %d",
-				p->phase));
+		reporter->Error("can't complete handshake; wrong phase %d",
+				p->phase);
 		return false;
 		}
 
@@ -823,14 +898,9 @@ bool RemoteSerializer::SendCall(SerialInfo* info, PeerID id,
 	if ( ! peer )
 		return false;
 
-	// Do not send events back to originating peer.
-	if ( current_peer == peer )
-		return true;
-
 	return SendCall(info, peer, name, vl);
 	}
 
-
 bool RemoteSerializer::SendCall(SerialInfo* info, Peer* peer,
 					const char* name, val_list* vl)
 	{
@@ -1071,7 +1141,7 @@ bool RemoteSerializer::SendCaptureFilter(PeerID id, const char* filter)
 
 	if ( peer->phase != Peer::HANDSHAKE )
 		{
-		run_time(fmt("can't sent capture filter to peer; wrong phase %d", peer->phase));
+		reporter->Error("can't sent capture filter to peer; wrong phase %d", peer->phase);
 		return false;
 		}
 
@@ -1148,17 +1218,14 @@ bool RemoteSerializer::SendCapabilities(Peer* peer)
 	{
 	if ( peer->phase != Peer::HANDSHAKE )
 		{
-		run_time(fmt("can't sent capabilties to peer; wrong phase %d",
-				peer->phase));
+		reporter->Error("can't sent capabilties to peer; wrong phase %d",
+				peer->phase);
 		return false;
 		}
 
 	uint32 caps = 0;
 
-#ifdef HAVE_LIBZ
 	caps |= Peer::COMPRESSION;
-#endif
-
 	caps |= Peer::PID_64BIT;
 	caps |= Peer::NEW_CACHE_STRATEGY;
 
@@ -1171,7 +1238,7 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
 		return true;
 
 	if ( ! initialized )
-		internal_error("remote serializer not initialized");
+		reporter->InternalError("remote serializer not initialized");
 
 #ifdef BROv6
 	if ( ! is_v4_addr(ip) )
@@ -1237,7 +1304,14 @@ void RemoteSerializer::SendFinalSyncPoint()
 
 bool RemoteSerializer::Terminate()
 	{
+	loop_over_list(peers, i)
+	    {
+	    FlushPrintBuffer(peers[i]);
+	    FlushLogBuffer(peers[i]);
+	    }
+
 	Log(LogInfo, fmt("terminating..."));
+
 	return terminating = SendToChild(MSG_TERMINATE, 0, 0);
 	}
 
@@ -1387,7 +1461,9 @@ void RemoteSerializer::Finish()
 	while ( io->CanWrite() );
 
 	loop_over_list(peers, i)
+		{
 		CloseConnection(peers[i]);
+		}
 	}
 
 bool RemoteSerializer::Poll(bool may_block)
@@ -1432,6 +1508,7 @@ bool RemoteSerializer::Poll(bool may_block)
 		case MSG_PHASE_DONE:
 		case MSG_TERMINATE:
 		case MSG_DEBUG_DUMP:
+		case MSG_REQUEST_LOGS:
 			{
 			// No further argument chunk.
 			msgstate = TYPE;
@@ -1454,6 +1531,8 @@ bool RemoteSerializer::Poll(bool may_block)
 		case MSG_LOG:
 		case MSG_SYNC_POINT:
 		case MSG_REMOTE_PRINT:
+		case MSG_LOG_CREATE_WRITER:
+		case MSG_LOG_WRITE:
 			{
 			// One further argument chunk.
 			msgstate = ARGS;
@@ -1490,10 +1569,11 @@ bool RemoteSerializer::Poll(bool may_block)
 		}
 
 	default:
-		internal_error("unknown msgstate");
+		reporter->InternalError("unknown msgstate");
 	}
 
-	internal_error("cannot be reached");
+	reporter->InternalError("cannot be reached");
+	return false;
 	}
 
 bool RemoteSerializer::DoMessage()
@@ -1505,13 +1585,13 @@ bool RemoteSerializer::DoMessage()
 		{
 		// We shut the connection to this peer down,
 		// so we ignore all further messages.
-		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d",
+		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRI_SOURCE_ID,
 					msgToStr(current_msgtype),
 					current_peer ? current_peer->id : 0));
 		return true;
 		}
 
-	DEBUG_COMM(fmt("parent: %s from child; peer is #%d",
+	DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRI_SOURCE_ID,
 			msgToStr(current_msgtype),
 			current_peer ? current_peer->id : 0));
 
@@ -1590,6 +1670,15 @@ bool RemoteSerializer::DoMessage()
 	case MSG_REMOTE_PRINT:
 		return ProcessRemotePrint();
 
+	case MSG_LOG_CREATE_WRITER:
+		return ProcessLogCreateWriter();
+
+	case MSG_LOG_WRITE:
+		return ProcessLogWrite();
+
+	case MSG_REQUEST_LOGS:
+		return ProcessRequestLogs();
+
 	default:
 		DEBUG_COMM(fmt("unexpected msg type: %d",
 					int(current_msgtype)));
@@ -1598,7 +1687,7 @@ bool RemoteSerializer::DoMessage()
 		return true; // keep going
 	}
 
-	internal_error("cannot be reached");
+	reporter->InternalError("cannot be reached");
 	return false;
 	}
 
@@ -1652,6 +1741,7 @@ void RemoteSerializer::PeerConnected(Peer* peer)
 	peer->cache_out->Clear();
 	peer->our_runtime = int(current_time(true) - bro_start_time);
 	peer->sync_point = 0;
+	peer->logs_requested = false;
 
 	if ( ! SendCMsgToChild(MSG_VERSION, peer) )
 		return;
@@ -1714,6 +1804,7 @@ RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
 	peer->orig = false;
 	peer->accept_state = false;
 	peer->send_state = false;
+	peer->logs_requested = false;
 	peer->caps = 0;
 	peer->comp_level = 0;
 	peer->suspended_processing = false;
@@ -1724,6 +1815,8 @@ RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
 	peer->sync_point = 0;
 	peer->print_buffer = 0;
 	peer->print_buffer_used = 0;
+	peer->log_buffer = new char[LOG_BUFFER_SIZE];
+	peer->log_buffer_used = 0;
 
 	peers.append(peer);
 	Log(LogInfo, "added peer", peer);
@@ -1756,6 +1849,7 @@ void RemoteSerializer::RemovePeer(Peer* peer)
 	int id = peer->id;
 	Unref(peer->val);
 	delete [] peer->print_buffer;
+	delete [] peer->log_buffer;
 	delete peer->cache_in;
 	delete peer->cache_out;
 	delete peer;
@@ -1841,10 +1935,9 @@ bool RemoteSerializer::EnterPhaseRunning(Peer* peer)
 	if ( in_sync == peer )
 		in_sync = 0;
 
-	current_peer->phase = Peer::RUNNING;
+	peer->phase = Peer::RUNNING;
 	Log(LogInfo, "phase: running", peer);
-
-	RaiseEvent(remote_connection_handshake_done, current_peer);
+	RaiseEvent(remote_connection_handshake_done, peer);
 
 	if ( remote_trace_sync_interval )
 		{
@@ -1885,7 +1978,7 @@ bool RemoteSerializer::ProcessConnected()
 
 	ID* descr = global_scope()->Lookup("peer_description");
 	if ( ! descr )
-		internal_error("peer_description not defined");
+		reporter->InternalError("peer_description not defined");
 
 	SerialInfo info(this);
 	SendID(&info, current_peer, *descr);
@@ -1950,6 +2043,17 @@ bool RemoteSerializer::ProcessRequestSyncMsg()
 	return true;
 	}
 
+bool RemoteSerializer::ProcessRequestLogs()
+	{
+	if ( ! current_peer )
+		return false;
+
+	Log(LogInfo, "peer requested logs", current_peer);
+
+	current_peer->logs_requested = true;
+	return true;
+	}
+
 bool RemoteSerializer::ProcessPhaseDone()
 	{
 	switch ( current_peer->phase ) {
@@ -2002,18 +2106,21 @@ bool RemoteSerializer::ProcessPhaseDone()
 
 bool RemoteSerializer::HandshakeDone(Peer* peer)
 	{
-#ifdef HAVE_LIBZ
 	if ( peer->caps & Peer::COMPRESSION && peer->comp_level > 0 )
 		if ( ! SendToChild(MSG_COMPRESS, peer, 1, peer->comp_level) )
 			return false;
-#endif
 
-	if ( ! (current_peer->caps & Peer::PID_64BIT) )
-		Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", current_peer);
+	if ( ! (peer->caps & Peer::PID_64BIT) )
+		Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", peer);
 
-	if ( (current_peer->caps & Peer::NEW_CACHE_STRATEGY) )
-		Log(LogInfo, "peer supports keep-in-cache; using that",
-			current_peer);
+	if ( (peer->caps & Peer::NEW_CACHE_STRATEGY) )
+		Log(LogInfo, "peer supports keep-in-cache; using that", peer);
+
+	if ( (peer->caps & Peer::BROCCOLI_PEER) )
+		Log(LogInfo, "peer is a Broccoli", peer);
+
+	if ( peer->logs_requested )
+		log_mgr->SendAllWritersTo(peer->id);
 
 	if ( peer->sync_requested != Peer::NONE )
 		{
@@ -2030,7 +2137,7 @@ bool RemoteSerializer::HandshakeDone(Peer* peer)
 			{
 			Log(LogError, "misconfiguration: authoritative state on both sides",
 				current_peer);
-			CloseConnection(current_peer);
+			CloseConnection(peer);
 			return false;
 			}
 
@@ -2053,7 +2160,7 @@ bool RemoteSerializer::HandshakeDone(Peer* peer)
 			else if ( peer->sync_requested & Peer::WE )
 				peer->send_state = false;
 			else
-				internal_error("illegal sync_requested value");
+				reporter->InternalError("illegal sync_requested value");
 			}
 		else
 			{
@@ -2264,6 +2371,9 @@ bool RemoteSerializer::ProcessSerialization()
 	     current_peer->phase == Peer::RUNNING )
 		info.new_cache_strategy = true;
 
+	if ( current_peer->caps & Peer::BROCCOLI_PEER )
+		info.broccoli_peer = true;
+
 	if ( ! forward_remote_state_changes )
 		ignore_accesses = true;
 
@@ -2290,7 +2400,7 @@ bool RemoteSerializer::FlushPrintBuffer(Peer* p)
 	if ( p->state == Peer::CLOSING )
 		return false;
 
-	if ( ! p->print_buffer )
+	if ( ! (p->print_buffer && p->print_buffer_used) )
 		return true;
 
 	SendToChild(MSG_REMOTE_PRINT, p, p->print_buffer, p->print_buffer_used);
@@ -2300,7 +2410,7 @@ bool RemoteSerializer::FlushPrintBuffer(Peer* p)
 	return true;
 	}
 
-bool RemoteSerializer::SendPrintHookEvent(BroFile* f, const char* txt)
+bool RemoteSerializer::SendPrintHookEvent(BroFile* f, const char* txt, size_t len)
 	{
 	loop_over_list(peers, i)
 		{
@@ -2313,12 +2423,10 @@ bool RemoteSerializer::SendPrintHookEvent(BroFile* f, const char* txt)
 		if ( ! fname )
 			continue; // not a managed file.
 
-		int len = strlen(txt);
-
 		// We cut off everything after the max buffer size.  That
 		// makes the code a bit easier, and we shouldn't have such
 		// long lines anyway.
-		len = min(len, PRINT_BUFFER_SIZE - strlen(fname) - 2);
+		len = min<size_t>(len, PRINT_BUFFER_SIZE - strlen(fname) - 2);
 
 		// If there's not enough space in the buffer, flush it.
 
@@ -2368,6 +2476,277 @@ bool RemoteSerializer::ProcessRemotePrint()
 	return true;
 	}
 
+bool RemoteSerializer::SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields)
+	{
+	loop_over_list(peers, i)
+		{
+		SendLogCreateWriter(peers[i]->id, id, writer, path, num_fields, fields);
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields)
+	{
+	SetErrorDescr("logging");
+
+	ChunkedIO::Chunk* c = 0;
+
+	Peer* peer = LookupPeer(peer_id, true);
+	if ( ! peer )
+		return false;
+
+	if ( peer->phase != Peer::HANDSHAKE && peer->phase != Peer::RUNNING )
+		return false;
+
+	BinarySerializationFormat fmt;
+
+	fmt.StartWrite();
+
+	bool success = fmt.Write(id->AsEnum(), "id") &&
+		fmt.Write(writer->AsEnum(), "writer") &&
+		fmt.Write(path, "path") &&
+		fmt.Write(num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( ! fields[i]->Write(&fmt) )
+			goto error;
+		}
+
+	if ( ! SendToChild(MSG_LOG_CREATE_WRITER, peer, 0) )
+		goto error;
+
+	c = new ChunkedIO::Chunk;
+	c->data = 0;
+	c->len = fmt.EndWrite(&c->data);
+
+	if ( ! SendToChild(c) )
+		goto error;
+
+	return true;
+
+error:
+	if ( c )
+		{
+		delete c;
+		delete [] c->data;
+		}
+
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::SendLogWrite(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals)
+	{
+	loop_over_list(peers, i)
+		{
+		SendLogWrite(peers[i], id, writer, path, num_fields, vals);
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendLogWrite(Peer* peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals)
+	{
+	if ( peer->phase != Peer::HANDSHAKE && peer->phase != Peer::RUNNING )
+		return false;
+
+	if ( ! peer->logs_requested )
+		return false;
+
+	assert(peer->log_buffer);
+
+	// Serialize the log record entry.
+
+	BinarySerializationFormat fmt;
+
+	fmt.StartWrite();
+
+	bool success = fmt.Write(id->AsEnum(), "id") &&
+		fmt.Write(writer->AsEnum(), "writer") &&
+		fmt.Write(path, "path") &&
+		fmt.Write(num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( ! vals[i]->Write(&fmt) )
+			goto error;
+		}
+
+	// Ok, we have the binary data now.
+	char* data;
+	int len;
+
+	len = fmt.EndWrite(&data);
+
+	assert(len > 10);
+
+	// Do we have not enough space in the buffer, or was the last flush a
+	// while ago? If so, flush first.
+	if ( len > (LOG_BUFFER_SIZE - peer->log_buffer_used) || (network_time - last_flush > 1.0) )
+		{
+		if ( ! FlushLogBuffer(peer) )
+			return false;
+		}
+
+	// If the data is actually larger than our complete buffer, just send it out.
+	if ( len > LOG_BUFFER_SIZE )
+		return SendToChild(MSG_LOG_WRITE, peer, data, len);
+
+	// Now we have space in the buffer, copy it into there.
+	memcpy(peer->log_buffer + peer->log_buffer_used, data, len);
+	peer->log_buffer_used += len;
+	assert(peer->log_buffer_used <= LOG_BUFFER_SIZE);
+
+	delete [] data;
+
+	return true;
+
+error:
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::FlushLogBuffer(Peer* p)
+	{
+	last_flush = network_time;
+
+	if ( p->state == Peer::CLOSING )
+		return false;
+
+	if ( ! (p->log_buffer && p->log_buffer_used) )
+		return true;
+
+	char* data = new char[p->log_buffer_used];
+	memcpy(data, p->log_buffer, p->log_buffer_used);
+	SendToChild(MSG_LOG_WRITE, p, data, p->log_buffer_used);
+
+	p->log_buffer_used = 0;
+	return true;
+	}
+
+bool RemoteSerializer::ProcessLogCreateWriter()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	assert(current_args);
+
+	EnumVal* id_val = 0;
+	EnumVal* writer_val = 0;
+	LogField** fields = 0;
+
+	BinarySerializationFormat fmt;
+	fmt.StartRead(current_args->data, current_args->len);
+
+	int id, writer;
+	string path;
+	int num_fields;
+
+	bool success = fmt.Read(&id, "id") &&
+		fmt.Read(&writer, "writer") &&
+		fmt.Read(&path, "path") &&
+		fmt.Read(&num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	fields = new LogField* [num_fields];
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		fields[i] = new LogField;
+		if ( ! fields[i]->Read(&fmt) )
+			goto error;
+		}
+
+	fmt.EndRead();
+
+	id_val = new EnumVal(id, BifType::Enum::Log::ID);
+	writer_val = new EnumVal(writer, BifType::Enum::Log::Writer);
+
+	if ( ! log_mgr->CreateWriter(id_val, writer_val, path, num_fields, fields) )
+		goto error;
+
+	Unref(id_val);
+	Unref(writer_val);
+
+	return true;
+
+error:
+	Unref(id_val);
+	Unref(writer_val);
+
+	Error("write error for creating writer");
+	return false;
+	}
+
+bool RemoteSerializer::ProcessLogWrite()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	assert(current_args);
+
+	BinarySerializationFormat fmt;
+	fmt.StartRead(current_args->data, current_args->len);
+
+	while ( fmt.BytesRead() != (int)current_args->len )
+		{
+		// Unserialize one entry.
+		EnumVal* id_val = 0;
+		EnumVal* writer_val = 0;
+		LogVal** vals = 0;
+
+		int id, writer;
+		string path;
+		int num_fields;
+
+		bool success = fmt.Read(&id, "id") &&
+			fmt.Read(&writer, "writer") &&
+			fmt.Read(&path, "path") &&
+			fmt.Read(&num_fields, "num_fields");
+
+		if ( ! success )
+			goto error;
+
+		vals = new LogVal* [num_fields];
+
+		for ( int i = 0; i < num_fields; i++ )
+			{
+			vals[i] = new LogVal;
+			if ( ! vals[i]->Read(&fmt) )
+				goto error;
+			}
+
+		id_val = new EnumVal(id, BifType::Enum::Log::ID);
+		writer_val = new EnumVal(writer, BifType::Enum::Log::Writer);
+
+		success = log_mgr->Write(id_val, writer_val, path, num_fields, vals);
+
+		Unref(id_val);
+		Unref(writer_val);
+
+		if ( ! success )
+			goto error;
+
+		}
+
+	fmt.EndRead();
+
+	return true;
+
+error:
+	Error("write error for log entry");
+	return false;
+	}
 
 void RemoteSerializer::GotEvent(const char* name, double time,
 				EventHandlerPtr event, val_list* args)
@@ -2395,6 +2774,30 @@ void RemoteSerializer::GotEvent(const char* name, double time,
 	e->handler = event;
 	e->args = args;
 
+	// If needed, coerce received record arguments to the expected record type.
+	if ( e->handler->FType() )
+		{
+		const type_list* arg_types = e->handler->FType()->ArgTypes()->Types();
+		loop_over_list(*args, i)
+			{
+			Val* v = (*args)[i];
+			BroType* v_t = v->Type();
+			BroType* arg_t = (*arg_types)[i];
+			if ( v_t->Tag() == TYPE_RECORD && arg_t->Tag() == TYPE_RECORD )
+				{
+				if ( ! same_type(v_t, arg_t) )
+					{
+					Val* nv = v->AsRecordVal()->CoerceTo(arg_t->AsRecordType());
+					if ( nv )
+						{
+						args->replace(i, nv);
+						Unref(v);
+						}
+					}
+				}
+			}
+		}
+
 	events.append(e);
 	}
 
@@ -2410,7 +2813,13 @@ void RemoteSerializer::GotFunctionCall(const char* name, double time,
 		return;
 		}
 
-	function->Call(args);
+	try
+		{
+		function->Call(args);
+		}
+
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }
 	}
 
 void RemoteSerializer::GotID(ID* id, Val* val)
@@ -2441,6 +2850,11 @@ void RemoteSerializer::GotID(ID* id, Val* val)
 					(desc && *desc) ? desc : "not set"),
 			current_peer);
 
+#ifdef USE_PERFTOOLS
+		// May still be cached, but we don't care.
+		heap_checker->IgnoreObject(id);
+#endif
+
 		Unref(id);
 		return;
 		}
@@ -2497,7 +2911,7 @@ void RemoteSerializer::GotStateAccess(StateAccess* s)
 
 void RemoteSerializer::GotTimer(Timer* s)
 	{
-	run_time("RemoteSerializer::GotTimer not implemented");
+	reporter->Error("RemoteSerializer::GotTimer not implemented");
 	}
 
 void RemoteSerializer::GotPacket(Packet* p)
@@ -2518,25 +2932,37 @@ void RemoteSerializer::Log(LogLevel level, const char* msg)
 void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
 				LogSrc src)
 	{
+	if ( peer )
+		{
+		val_list* vl = new val_list();
+		vl->append(peer->val->Ref());
+		vl->append(new Val(level, TYPE_COUNT));
+		vl->append(new Val(src, TYPE_COUNT));
+		vl->append(new StringVal(msg));
+		mgr.QueueEvent(remote_log_peer, vl);
+		}
+	else
+		{
+		val_list* vl = new val_list();
+		vl->append(new Val(level, TYPE_COUNT));
+		vl->append(new Val(src, TYPE_COUNT));
+		vl->append(new StringVal(msg));
+		mgr.QueueEvent(remote_log, vl);
+		}
+
+#ifdef DEBUG
 	const int BUFSIZE = 1024;
 	char buffer[BUFSIZE];
-
 	int len = 0;
 
 	if ( peer )
-		len += snprintf(buffer + len, sizeof(buffer) - len,
-				"[#%d/%s:%d] ", int(peer->id), ip2a(peer->ip),
-				peer->port);
+		len += snprintf(buffer + len, sizeof(buffer) - len, "[#%d/%s:%d] ",
+		                int(peer->id), ip2a(peer->ip), peer->port);
 
 	len += safe_snprintf(buffer + len, sizeof(buffer) - len, "%s", msg);
 
-	val_list* vl = new val_list();
-	vl->append(new Val(level, TYPE_COUNT));
-	vl->append(new Val(src, TYPE_COUNT));
-	vl->append(new StringVal(buffer));
-	mgr.QueueEvent(remote_log, vl);
-
 	DEBUG_COMM(fmt("parent: %.6f %s", current_time(), buffer));
+#endif
 	}
 
 void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
@@ -2601,8 +3027,8 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
 	{
 	if ( ! sendCMsg(io, msg_type, peer ? peer->id : PEER_NONE) )
 		{
-		warn(fmt("can't send message of type %d: %s",
-				msg_type, io->Error()));
+		reporter->Warning("can't send message of type %d: %s",
+				msg_type, io->Error());
 		return false;
 		}
 	return true;
@@ -2610,14 +3036,16 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
 
 bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
 	{
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
+
+	if ( child_pid && sendToIO(io, type, peer ? peer->id : PEER_NONE, str, len) )
+		return true;
+
+	delete [] str;
 
 	if ( ! child_pid )
 		return false;
 
-	if ( sendToIO(io, type, peer ? peer->id : PEER_NONE, str, len) )
-		return true;
-
 	if ( io->Eof() )
 		ChildDied();
 
@@ -2629,22 +3057,25 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...)
 	{
 	va_list ap;
 
-	if ( ! child_pid )
-		return false;
-
 #ifdef DEBUG
 	va_start(ap, nargs);
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)",
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ",%s)",
 			msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
 
-	va_start(ap, nargs);
-	bool ret = sendToIO(io, type, peer ? peer->id : PEER_NONE, nargs, ap);
-	va_end(ap);
+	if ( child_pid )
+		{
+		va_start(ap, nargs);
+		bool ret = sendToIO(io, type, peer ? peer->id : PEER_NONE, nargs, ap);
+		va_end(ap);
 
-	if ( ret )
-		return true;
+		if ( ret )
+			return true;
+		}
+
+	if ( ! child_pid )
+		return false;
 
 	if ( io->Eof() )
 		ChildDied();
@@ -2657,12 +3088,14 @@ bool RemoteSerializer::SendToChild(ChunkedIO::Chunk* c)
 	{
 	DEBUG_COMM(fmt("parent: (->child) chunk of size %d", c->len));
 
+	if ( child_pid && sendToIO(io, c) )
+		return true;
+
+	delete [] c->data;
+
 	if ( ! child_pid )
 		return false;
 
-	if ( sendToIO(io, c) )
-		return true;
-
 	if ( io->Eof() )
 		ChildDied();
 
@@ -2674,13 +3107,22 @@ void RemoteSerializer::FatalError(const char* msg)
 	{
 	msg = fmt("fatal error, shutting down communication: %s", msg);
 	Log(LogError, msg);
-	error(msg);
+	reporter->Error("%s", msg);
 
 	closed = true;
 	kill(child_pid, SIGQUIT);
 	child_pid = 0;
 	using_communication = false;
 	io->Clear();
+
+	loop_over_list(peers, i)
+		{
+		// Make perftools happy.
+		Peer* p = peers[i];
+		delete [] p->log_buffer;
+		delete [] p->print_buffer;
+		p->log_buffer = p->print_buffer = 0;
+		}
 	}
 
 bool RemoteSerializer::IsActive()
@@ -2696,13 +3138,6 @@ bool RemoteSerializer::IsActive()
 	return false;
 	}
 
-
-const char* const* RemoteSerializer::GetBuiltins() const
-	{
-	static const char* builtins[] = { "connect", "listen", 0 };
-	return builtins;
-	}
-
 void RemoteSerializer::ReportError(const char* msg)
 	{
 	if ( current_peer && current_peer->phase != Peer::SETUP )
@@ -2715,7 +3150,7 @@ void RemoteSerializer::InternalCommError(const char* msg)
 #ifdef DEBUG_COMMUNICATION
 	DumpDebugData();
 #else
-	internal_error(msg);
+	reporter->InternalError("%s", msg);
 #endif
 	}
 
@@ -2736,7 +3171,7 @@ static ChunkedIO* openDump(const char* file)
 
 	if ( fd < 0 )
 		{
-		fprintf(stderr, "cannot open %s: %s\n", file, strerror(errno));
+		reporter->Error("cannot open %s: %s\n", file, strerror(errno));
 		return 0;
 		}
 
@@ -2753,7 +3188,7 @@ void RemoteSerializer::ReadDumpAsMessageType(const char* file)
 
 	if ( ! io->Read(&chunk, true ) )
 		{
-		fprintf(stderr, "cannot read %s: %s\n", file, strerror(errno));
+		reporter->Error("cannot read %s: %s\n", file, strerror(errno));
 		return;
 		}
 
@@ -3039,6 +3474,7 @@ bool SocketComm::ProcessParentMessage()
 		case MSG_TERMINATE:
 		case MSG_PHASE_DONE:
 		case MSG_DEBUG_DUMP:
+		case MSG_REQUEST_LOGS:
 			{
 			// No further argument chunk.
 			parent_msgstate = TYPE;
@@ -3058,6 +3494,8 @@ bool SocketComm::ProcessParentMessage()
 		case MSG_CAPS:
 		case MSG_SYNC_POINT:
 		case MSG_REMOTE_PRINT:
+		case MSG_LOG_CREATE_WRITER:
+		case MSG_LOG_WRITE:
 			{
 			// One further argument chunk.
 			parent_msgstate = ARGS;
@@ -3065,11 +3503,11 @@ bool SocketComm::ProcessParentMessage()
 			}
 
 		default:
-			internal_error(fmt("unknown msg type %d", parent_msgtype));
+			InternalError(fmt("unknown msg type %d", parent_msgtype));
 			return true;
 		}
 
-		internal_error("cannot be reached");
+		InternalError("cannot be reached");
 		}
 
 	case ARGS:
@@ -3092,10 +3530,11 @@ bool SocketComm::ProcessParentMessage()
 		}
 
 	default:
-		internal_error("unknown msgstate");
+		InternalError("unknown msgstate");
 	}
 
-	internal_error("cannot be reached");
+	InternalError("cannot be reached");
+	return false;
 	}
 
 bool SocketComm::DoParentMessage()
@@ -3153,23 +3592,11 @@ bool SocketComm::DoParentMessage()
 			peers[j]->io->DumpDebugData(fmt("comm-dump.child.peer.%d", id), false);
 			}
 #else
-		internal_error("DEBUG_DUMP support not compiled in");
+		InternalError("DEBUG_DUMP support not compiled in");
 #endif
 		return true;
 		}
 
-	case MSG_PHASE_DONE:
-		{
-		// No argument block follows.
-		if ( parent_peer && parent_peer->connected )
-			{
-			DEBUG_COMM("child: forwarding with MSG_PHASE_DONE to peer");
-			if ( ! SendToPeer(parent_peer, MSG_PHASE_DONE, 0) )
-				return false;
-			}
-		return true;
-		}
-
 	case MSG_LISTEN:
 		return ProcessListen();
 
@@ -3197,6 +3624,20 @@ bool SocketComm::DoParentMessage()
 		return ForwardChunkToPeer();
 		}
 
+	case MSG_PHASE_DONE:
+	case MSG_REQUEST_LOGS:
+		{
+		// No argument block follows.
+		if ( parent_peer && parent_peer->connected )
+			{
+			DEBUG_COMM(fmt("child: forwarding %s to peer", msgToStr(parent_msgtype)));
+			if ( ! SendToPeer(parent_peer, parent_msgtype, 0) )
+				return false;
+			}
+
+		return true;
+		}
+
 	case MSG_REQUEST_EVENTS:
 	case MSG_REQUEST_SYNC:
 	case MSG_SERIAL:
@@ -3205,14 +3646,17 @@ bool SocketComm::DoParentMessage()
 	case MSG_CAPS:
 	case MSG_SYNC_POINT:
 	case MSG_REMOTE_PRINT:
+	case MSG_LOG_CREATE_WRITER:
+	case MSG_LOG_WRITE:
 		assert(parent_args);
 		return ForwardChunkToPeer();
 
 	default:
-		internal_error("ProcessParentMessage: unexpected state");
+		InternalError("ProcessParentMessage: unexpected state");
 	}
 
-	internal_error("cannot be reached");
+	InternalError("cannot be reached");
+	return false;
 	}
 
 bool SocketComm::ForwardChunkToPeer()
@@ -3235,7 +3679,7 @@ bool SocketComm::ForwardChunkToPeer()
 		{
 #ifdef DEBUG
 		if ( parent_peer )
-			DEBUG_COMM(fmt("child: not connected to #%d", parent_id));
+			DEBUG_COMM(fmt("child: not connected to #%" PRI_SOURCE_ID, parent_id));
 #endif
 		}
 
@@ -3254,8 +3698,7 @@ bool SocketComm::ProcessConnectTo()
 	peer->retry = ntohl(args[3]);
 	peer->ssl = ntohl(args[4]);
 
-	Connect(peer);
-	return true;
+	return Connect(peer);
 	}
 
 bool SocketComm::ProcessListen()
@@ -3272,11 +3715,6 @@ bool SocketComm::ProcessListen()
 
 bool SocketComm::ProcessParentCompress()
 	{
-#ifndef HAVE_LIBZ
-	internal_error("supposed to enable compression but don't have zlib");
-	return false;
-#else
-
 	assert(parent_args);
 	uint32* args = (uint32*) parent_args->data;
 
@@ -3300,7 +3738,6 @@ bool SocketComm::ProcessParentCompress()
 	Log(fmt("enabling compression (level %d)", level), parent_peer);
 
 	return true;
-#endif
 	}
 
 bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
@@ -3318,11 +3755,12 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 
 		CMsg* msg = (CMsg*) c->data;
 
-		DEBUG_COMM(fmt("child: %s from peer #%d",
+		DEBUG_COMM(fmt("child: %s from peer #%" PRI_SOURCE_ID,
 				msgToStr(msg->Type()), peer->id));
 
 		switch ( msg->Type() ) {
 		case MSG_PHASE_DONE:
+		case MSG_REQUEST_LOGS:
 			// No further argument block.
 			DEBUG_COMM("child: forwarding with 0 args to parent");
 			if ( ! SendToParent(msg->Type(), peer, 0) )
@@ -3379,6 +3817,8 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 	case MSG_CAPS:
 	case MSG_SYNC_POINT:
 	case MSG_REMOTE_PRINT:
+	case MSG_LOG_CREATE_WRITER:
+	case MSG_LOG_WRITE:
 		{
 		// Messages with one further argument block which we simply
 		// forward to our parent.
@@ -3390,7 +3830,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 		}
 
 	default:
-		internal_error("ProcessRemoteMessage: unexpected state");
+		InternalError("ProcessRemoteMessage: unexpected state");
 	}
 
 	return true;
@@ -3417,10 +3857,6 @@ bool SocketComm::ProcessPeerCompress(Peer* peer)
 	{
 	peer->state = MSG_NONE;
 
-#ifndef HAVE_LIBZ
-	Error("peer compresses although we do not support it", peer);
-	return false;
-#else
 	if ( ! parent_peer->compressor )
 		{
 		parent_peer->io = new CompressedChunkedIO(parent_peer->io);
@@ -3432,7 +3868,6 @@ bool SocketComm::ProcessPeerCompress(Peer* peer)
 	((CompressedChunkedIO*) peer->io)->EnableDecompression();
 	Log("enabling decompression", peer);
 	return true;
-#endif
 	}
 
 bool SocketComm::Connect(Peer* peer)
@@ -3493,7 +3928,7 @@ bool SocketComm::Connect(Peer* peer)
 		if ( ! peer->io->Init() )
 			{
 			Error(fmt("can't init peer io: %s",
-					peer->io->Error()), peer);
+					peer->io->Error()), false);
 			return 0;
 			}
 		}
@@ -3573,6 +4008,7 @@ bool SocketComm::Listen(uint32 ip, uint16 port, bool expect_ssl)
 	if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
 		{
 		Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
+		close(*listen_fd);
 		*listen_fd = -1;
 
 		if ( errno == EADDRINUSE )
@@ -3627,7 +4063,7 @@ bool SocketComm::AcceptConnection(int fd)
 	if ( ! peer->io->Init() )
 		{
 		Error(fmt("can't init peer io: %s",
-				  peer->io->Error()), peer);
+				  peer->io->Error()), false);
 		return false;
 		}
 
@@ -3699,6 +4135,12 @@ void SocketComm::Log(const char* msg, Peer* peer)
 	DEBUG_COMM(fmt("child: %s", buffer));
 	}
 
+void SocketComm::InternalError(const char* msg)
+	{
+	fprintf(stderr, "interal error in child: %s\n", msg);
+	Kill();
+	}
+
 void SocketComm::Kill()
 	{
 	if ( killing )
@@ -3795,7 +4237,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
 	delete [] tmp;
 #endif
 	if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE,
@@ -3814,7 +4256,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
 
@@ -3850,7 +4292,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp));
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)", msgToStr(type), peer->id, tmp));
 	delete [] tmp;
 #endif
 
@@ -3869,7 +4311,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)",
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)",
 			msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
@@ -3890,7 +4332,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
 	{
-	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id));
+	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRI_SOURCE_ID, c->len, peer->id));
 	if ( ! sendToIO(peer->io, c) )
 		{
 		Error(fmt("child: write error %s", io->Error()), peer);
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index a84a0619fa..b64fdcbe66 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -1,5 +1,3 @@
-// $Id: RemoteSerializer.h 6951 2009-12-04 22:23:28Z vern $
-//
 // Communication between two Bro's.
 
 #ifndef REMOTE_SERIALIZER
@@ -16,6 +14,8 @@
 // FIXME: Change this to network byte order
 
 class IncrementalSendTimer;
+class LogField;
+class LogVal;
 
 // This class handles the communication done in Bro's main loop.
 class RemoteSerializer : public Serializer, public IOSource {
@@ -34,6 +34,9 @@ public:
 	// Connect to host (returns PEER_NONE on error).
 	PeerID Connect(addr_type ip, uint16 port, const char* our_class, double retry, bool use_ssl);
 
+	// Close connection to host.
+	bool CloseConnection(PeerID peer);
+
 	// Request all events matching pattern from remote side.
 	bool RequestEvents(PeerID peer, RE_Matcher* pattern);
 
@@ -42,6 +45,9 @@ public:
 	// the peer right after the handshake.
 	bool RequestSync(PeerID peer, bool auth);
 
+	// Requests logs from the remote side.
+	bool RequestLogs(PeerID id);
+
 	// Sets flag whether we're accepting state from this peer
 	// (default: yes).
 	bool SetAcceptState(PeerID peer, bool accept);
@@ -90,7 +96,16 @@ public:
 	bool SendPing(PeerID peer, uint32 seq);
 
 	// Broadcast remote print.
-	bool SendPrintHookEvent(BroFile* f, const char* txt);
+	bool SendPrintHookEvent(BroFile* f, const char* txt, size_t len);
+
+	// Send a request to create a writer on a remote side.
+	bool SendLogCreateWriter(PeerID peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields);
+
+	// Broadcasts a request to create a writer.
+	bool SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields);
+
+	// Broadcast a log entry to everybody interested.
+	bool SendLogWrite(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals);
 
 	// Synchronzizes time with all connected peers. Returns number of
 	// current sync-point, or -1 on error.
@@ -114,10 +129,6 @@ public:
 	// Log some statistics.
 	void LogStats();
 
-	// Return a 0-terminated array of built-in functions which,
-	// when referenced, trigger the remote serializer's initialization.
-	const char* const* GetBuiltins() const;
-
 	// Tries to sent out all remaining data.
 	// FIXME: Do we still need this?
 	void Finish();
@@ -187,6 +198,7 @@ protected:
 		static const int NO_CACHING = 2;
 		static const int PID_64BIT = 4;
 		static const int NEW_CACHE_STRATEGY = 8;
+		static const int BROCCOLI_PEER = 16;
 
 		// Constants to remember to who did something.
 		static const int NONE = 0;
@@ -205,6 +217,7 @@ protected:
 		bool accept_state;	// True if we accept state from peer.
 		bool send_state; // True if we're supposed to initially sent our state.
 		int comp_level; // Compression level.
+		bool logs_requested; // True if the peer has requested logs.
 
 		// True if this peer triggered a net_suspend_processing().
 		bool suspended_processing;
@@ -217,6 +230,8 @@ protected:
 		uint32 sync_point;	// Highest sync-point received so far
 		char* print_buffer;	// Buffer for remote print or null.
 		int print_buffer_used;	// Number of bytes used in buffer.
+		char* log_buffer;	// Buffer for remote log or null.
+		int log_buffer_used;	// Number of bytes used in buffer.
 	};
 
 	// Shuts down remote serializer.
@@ -255,6 +270,9 @@ protected:
 	bool ProcessCapsMsg();
 	bool ProcessSyncPointMsg();
 	bool ProcessRemotePrint();
+	bool ProcessLogCreateWriter();
+	bool ProcessLogWrite();
+	bool ProcessRequestLogs();
 
 	Peer* AddPeer(uint32 ip, uint16 port, PeerID id = PEER_NONE);
 	Peer* LookupPeer(PeerID id, bool only_if_connected);
@@ -282,11 +300,13 @@ protected:
 	bool SendID(SerialInfo* info, Peer* peer, const ID& id);
 	bool SendCapabilities(Peer* peer);
 	bool SendPacket(SerialInfo* info, Peer* peer, const Packet& p);
+	bool SendLogWrite(Peer* peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals);
 
 	void UnregisterHandlers(Peer* peer);
 	void RaiseEvent(EventHandlerPtr event, Peer* peer, const char* arg = 0);
 	bool EnterPhaseRunning(Peer* peer);
 	bool FlushPrintBuffer(Peer* p);
+	bool FlushLogBuffer(Peer* p);
 
 	void ChildDied();
 	void InternalCommError(const char* msg);
@@ -297,12 +317,15 @@ protected:
 	bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
 	bool SendToChild(ChunkedIO::Chunk* c);
 
+	void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose);
+
 private:
 	enum { TYPE, ARGS } msgstate;	// current state of reading comm.
 	Peer* current_peer;
 	PeerID current_id;
 	char current_msgtype;
 	ChunkedIO::Chunk* current_args;
+	double last_flush;
 
 	id_list sync_ids;
 
@@ -439,6 +462,9 @@ protected:
 	// Check whether everything has been sent out.
 	void CheckFinished();
 
+	// Reports the error and terminates the process.
+	void InternalError(const char* msg);
+
 	// Communication helpers.
 	bool SendToParent(char type, Peer* peer, const char* str, int len = -1);
 	bool SendToParent(char type, Peer* peer, int nargs, ...); // can send uints32 only
diff --git a/src/Reporter.cc b/src/Reporter.cc
new file mode 100644
index 0000000000..fca9a6a233
--- /dev/null
+++ b/src/Reporter.cc
@@ -0,0 +1,341 @@
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+
+#include <syslog.h>
+
+#include "config.h"
+#include "Reporter.h"
+#include "Event.h"
+#include "NetVar.h"
+#include "Net.h"
+#include "Conn.h"
+
+#ifdef SYSLOG_INT
+extern "C" {
+int openlog(const char* ident, int logopt, int facility);
+int syslog(int priority, const char* message_fmt, ...);
+int closelog();
+}
+#endif
+
+Reporter* reporter = 0;
+
+Reporter::Reporter()
+	{
+	errors = 0;
+	via_events = false;
+	in_error_handler = 0;
+
+	openlog("bro", 0, LOG_LOCAL5);
+	}
+
+Reporter::~Reporter()
+	{
+	closelog();
+	}
+
+void Reporter::Info(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+	DoLog("", reporter_info, stderr, 0, 0, true, true, 0, fmt, ap);
+	va_end(ap);
+	}
+
+void Reporter::Warning(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+	DoLog("warning", reporter_warning, stderr, 0, 0, true, true, 0, fmt, ap);
+	va_end(ap);
+	}
+
+void Reporter::Error(const char* fmt, ...)
+	{
+	++errors;
+	va_list ap;
+	va_start(ap, fmt);
+	DoLog("error", reporter_error, stderr, 0, 0, true, true, 0, fmt, ap);
+	va_end(ap);
+	}
+
+void Reporter::FatalError(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+
+	// Always log to stderr.
+	DoLog("fatal error", 0, stderr, 0, 0, true, false, 0, fmt, ap);
+
+	va_end(ap);
+
+	set_processing_status("TERMINATED", "fatal_error");
+	exit(1);
+	}
+
+void Reporter::FatalErrorWithCore(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+
+	// Always log to stderr.
+	DoLog("fatal error", 0, stderr, 0, 0, true, false, 0, fmt, ap);
+
+	va_end(ap);
+
+	set_processing_status("TERMINATED", "fatal_error");
+	abort();
+	}
+
+void Reporter::ExprRuntimeError(const Expr* expr, const char* fmt, ...)
+	{
+	++errors;
+
+	ODesc d;
+	expr->Describe(&d);
+
+	PushLocation(expr->GetLocationInfo());
+	va_list ap;
+	va_start(ap, fmt);
+	DoLog("expression error", reporter_error, stderr, 0, 0, true, true, d.Description(), fmt, ap);
+	va_end(ap);
+	PopLocation();
+	throw InterpreterException();
+	}
+
+void Reporter::InternalError(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+
+	// Always log to stderr.
+	DoLog("internal error", 0, stderr, 0, 0, true, false, 0, fmt, ap);
+
+	va_end(ap);
+
+	set_processing_status("TERMINATED", "internal_error");
+	abort();
+	}
+
+void Reporter::InternalWarning(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+	DoLog("internal warning", reporter_warning, stderr, 0, 0, true, true, 0, fmt, ap);
+	va_end(ap);
+	}
+
+void Reporter::Syslog(const char* fmt, ...)
+	{
+	if ( reading_traces )
+		return;
+
+	va_list ap;
+	va_start(ap, fmt);
+	vsyslog(LOG_NOTICE, fmt, ap);
+	va_end(ap);
+	}
+
+void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...)
+	{
+	val_list* vl = new val_list(1);
+
+	if ( conn_val )
+		vl->append(conn_val);
+
+	if ( addl )
+		vl->append(new StringVal(addl));
+
+	va_list ap;
+	va_start(ap, fmt_name);
+	DoLog("weird", event, stderr, 0, vl, false, false, 0, fmt_name, ap);
+	va_end(ap);
+
+	delete vl;
+	}
+
+void Reporter::WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...)
+	{
+	val_list* vl = new val_list(2);
+	vl->append(new AddrVal(orig));
+	vl->append(new AddrVal(resp));
+
+	va_list ap;
+	va_start(ap, fmt_name);
+	DoLog("weird", flow_weird, stderr, 0, vl, false, false, 0, fmt_name, ap);
+	va_end(ap);
+
+	delete vl;
+	}
+
+void Reporter::Weird(const char* name)
+	{
+	WeirdHelper(net_weird, 0, 0, name);
+	}
+
+void Reporter::Weird(Connection* conn, const char* name, const char* addl)
+	{
+	WeirdHelper(conn_weird, conn->BuildConnVal(), addl, "%s", name);
+	}
+
+void Reporter::Weird(Val* conn_val, const char* name, const char* addl)
+	{
+	WeirdHelper(conn_weird, conn_val, addl, "%s", name);
+	}
+
+void Reporter::Weird(const uint32* orig, const uint32* resp, const char* name)
+	{
+	WeirdFlowHelper(orig, resp, "%s", name);
+	}
+
+void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, const char* postfix, const char* fmt, va_list ap)
+	{
+	static char tmp[512];
+
+	int size = sizeof(tmp);
+	char* buffer  = tmp;
+	char* alloced = 0;
+
+	string loc_str;
+
+	if ( location )
+		{
+		string loc_file = "";
+		int loc_line = 0;
+
+		if ( locations.size() )
+			{
+			ODesc d;
+
+			std::pair<const Location*, const Location*> locs = locations.back();
+
+			if ( locs.first )
+				{
+				if ( locs.first != &no_location )
+					locs.first->Describe(&d);
+
+				else
+					d.Add("<no location>");
+
+				if ( locs.second )
+					{
+					d.Add(" and ");
+
+					if ( locs.second != &no_location )
+						locs.second->Describe(&d);
+
+					else
+						d.Add("<no location>");
+
+					}
+				}
+
+			loc_str = d.Description();
+			}
+
+		else if ( filename && *filename )
+			{
+			// Take from globals.
+			loc_str = filename;
+			char tmp[32];
+			snprintf(tmp, 32, "%d", line_number);
+			loc_str += string(", line ") + string(tmp);
+			}
+		}
+
+	while ( true )
+		{
+		va_list aq;
+		va_copy(aq, ap);
+		int n = vsnprintf(buffer, size, fmt, aq);
+		va_end(aq);
+
+		if ( postfix )
+			n += strlen(postfix) + 10; // Add a bit of slack.
+
+		if ( n > -1 && n < size )
+			// We had enough space;
+			break;
+
+		// Enlarge buffer;
+		size *= 2;
+		buffer = alloced = (char *)realloc(alloced, size);
+
+		if ( ! buffer )
+			FatalError("out of memory in Reporter");
+		}
+
+	if ( postfix )
+		// Note, if you change this fmt string, adjust the additional
+		// buffer size above.
+		sprintf(buffer + strlen(buffer), " [%s]", postfix);
+
+	if ( event && via_events && ! in_error_handler )
+		{
+		val_list* vl = new val_list;
+
+		if ( time )
+			vl->append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME));
+
+		vl->append(new StringVal(buffer));
+
+		if ( location )
+			vl->append(new StringVal(loc_str.c_str()));
+
+		if ( conn )
+			vl->append(conn->BuildConnVal());
+
+		if ( addl )
+			{
+			loop_over_list(*addl, i)
+				vl->append((*addl)[i]);
+			}
+
+		if ( conn )
+			conn->ConnectionEvent(event, 0, vl);
+		else
+			mgr.QueueEvent(event, vl);
+		}
+
+	else
+		{
+		string s = "";
+
+		if ( bro_start_network_time != 0.0 )
+			{
+			char tmp[32];
+			snprintf(tmp, 32, "%.6f", network_time);
+			s += string(tmp) + " ";
+			}
+
+		if ( prefix && *prefix )
+			{
+			if ( loc_str != "" )
+				s += string(prefix) + " in " + loc_str + ": ";
+			else
+				s += string(prefix) + ": ";
+			}
+
+		else
+			{
+			if ( loc_str != "" )
+				s += loc_str + ": ";
+			}
+
+		s += buffer;
+		s += "\n";
+
+		fprintf(out, "%s", s.c_str());
+
+		if ( addl )
+			{
+			loop_over_list(*addl, i)
+				Unref((*addl)[i]);
+			}
+		}
+
+	if ( alloced )
+		free(alloced);
+	}
+
diff --git a/src/Reporter.h b/src/Reporter.h
new file mode 100644
index 0000000000..20d7b17e2c
--- /dev/null
+++ b/src/Reporter.h
@@ -0,0 +1,135 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef REPORTER_H
+#define REPORTER_H
+
+#include <stdarg.h>
+
+#include <list>
+#include <utility>
+
+#include "util.h"
+#include "net_util.h"
+#include "EventHandler.h"
+
+class Connection;
+class Location;
+class Reporter;
+
+// One cannot raise this exception directly, go through the
+// Reporter's methods instead.
+
+class ReporterException {
+protected:
+	friend class Reporter;
+	ReporterException()	{}
+};
+
+class InterpreterException : public ReporterException {
+protected:
+	friend class Reporter;
+	InterpreterException()	{}
+};
+
+// Check printf-style variadic arguments if we can.
+#if __GNUC__
+#define FMT_ATTR __attribute__((format(printf, 2, 3))) // sic! 1st is "this" I guess.
+#else
+#define FMT_ATTR
+#endif
+
+class Reporter {
+public:
+	Reporter();
+	~Reporter();
+
+	// Report an informational message, nothing that needs specific
+	// attention.
+	void Info(const char* fmt, ...) FMT_ATTR;
+
+	// Report a warning that may indicate a problem.
+	void Warning(const char* fmt, ...) FMT_ATTR;
+
+	// Report a non-fatal error. Processing proceeds normally after the error
+	// has been reported.
+	void Error(const char* fmt, ...) FMT_ATTR;
+
+	// Returns the number of errors reported so far.
+	int Errors()	{ return errors; }
+
+	// Report a fatal error. Bro will terminate after the message has been
+	// reported.
+	void FatalError(const char* fmt, ...) FMT_ATTR;
+
+	// Report a fatal error. Bro will terminate after the message has been
+	// reported and always generate a core dump.
+	void FatalErrorWithCore(const char* fmt, ...) FMT_ATTR;
+
+	// Report a runtime error in evaluating a Bro script expression. This
+	// function will not return but raise an InterpreterException.
+	void ExprRuntimeError(const Expr* expr, const char* fmt, ...);
+
+	// Report a traffic weirdness, i.e., an unexpected protocol situation
+	// that may lead to incorrectly processing a connnection.
+	void Weird(const char* name);	// Raises net_weird().
+	void Weird(Connection* conn, const char* name, const char* addl = "");	// Raises conn_weird().
+	void Weird(Val* conn_val, const char* name, const char* addl = "");	// Raises conn_weird().
+	void Weird(const uint32* orig, const uint32* resp, const char* name);	// Raises flow_weird().
+
+	// Syslog a message. This methods does nothing if we're running
+	// offline from a trace.
+	void Syslog(const char* fmt, ...) FMT_ATTR;
+
+	// Report about a potential internal problem. Bro will continue
+	// normally.
+	void InternalWarning(const char* fmt, ...) FMT_ATTR;
+
+	// Report an internal program error. Bro will terminate with a core
+	// dump after the message has been reported.
+	void InternalError(const char* fmt, ...) FMT_ATTR;
+
+	// Toggle whether non-fatal messages should be reported through the
+	// scripting layer rather on standard output. Fatal errors are always
+	// reported via stderr.
+	void ReportViaEvents(bool arg_via_events)	 { via_events = arg_via_events; }
+
+	// Associates the given location with subsequent output. We create a
+	// stack of location so that the most recent is always the one that
+	// will be assumed to be the current one. The pointer must remain
+	// valid until the location is popped.
+	void PushLocation(const Location* location)
+		{ locations.push_back(std::pair<const Location*, const Location*>(location, 0)); }
+
+	void PushLocation(const Location* loc1, const Location* loc2)
+		{ locations.push_back(std::pair<const Location*, const Location*>(loc1, loc2)); }
+
+	// Removes the top-most location information from stack.
+	void PopLocation()
+		{ locations.pop_back(); }
+
+	// Signals that we're entering processing an error handler event.
+	void BeginErrorHandler()	{ ++in_error_handler; }
+
+	// Signals that we're done processing an error handler event.
+	void EndErrorHandler()	{ --in_error_handler; }
+
+private:
+	void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
+		   Connection* conn, val_list* addl, bool location, bool time,
+		   const char* postfix, const char* fmt, va_list ap);
+
+	// The order if addl, name needs to be like that since fmt_name can
+	// contain format specifiers
+	void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...);
+	void WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...);
+
+	int errors;
+	bool via_events;
+	int in_error_handler;
+
+	std::list<std::pair<const Location*, const Location*> > locations;
+};
+
+extern Reporter* reporter;
+
+#endif
diff --git a/src/Rewriter.cc b/src/Rewriter.cc
deleted file mode 100644
index bfdb289de9..0000000000
--- a/src/Rewriter.cc
+++ /dev/null
@@ -1,35 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "TCP_Rewriter.h"
-#include "UDP_Rewriter.h"
-
-// The following two are called from .bif's to obtain handle of Rewriter.
-Rewriter* get_trace_rewriter(Val* conn_val)
-	{
-	Connection* conn = (Connection*) conn_val->AsRecordVal()->GetOrigin();
-	return get_trace_rewriter(conn);
-	}
-
-Rewriter* get_trace_rewriter(Connection* conn)
-	{
-	if ( ! conn ||
-	     (conn->ConnTransport() != TRANSPORT_TCP &&
-	      conn->ConnTransport() != TRANSPORT_UDP) )
-		internal_error("connection for the trace rewriter does not exist");
-
-	Rewriter* rewriter = conn->TraceRewriter();
-	if ( rewriter )
-		return rewriter;
-
-	if ( ! transformed_pkt_dump )
-		return 0;	// okay if we don't have an output file
-
-	else if ( ! conn->RewritingTrace() )
-		builtin_run_time("flag rewriting_..._trace is not set properly");
-	else
-		internal_error("trace rewriter not initialized");
-
-	return 0;
-	}
diff --git a/src/Rewriter.h b/src/Rewriter.h
deleted file mode 100644
index 91c36557ab..0000000000
--- a/src/Rewriter.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef rewriter_h
-#define rewriter_h
-
-class TracePacket;
-
-class Rewriter {
-public:
-	virtual ~Rewriter()	{};
-
-	virtual void Done()	{};
-
-	virtual void WriteData(int is_orig, int len, const u_char* data) = 0;
-	virtual void WriteData(int is_orig, const char* data) = 0;
-	virtual void WriteData(int is_orig, int len, const char* data) = 0;
-	virtual void WriteData(int is_orig, const BroString* str) = 0;
-
-	virtual void Push(int is_orig) = 0;
-
-	virtual void AbortPackets(int apply_to_future) = 0;
-	virtual void CommitPackets(int apply_to_future) = 0;
-
-	virtual unsigned int ReserveSlot() = 0;
-	virtual int SeekSlot(unsigned int slot) = 0;
-	virtual int ReturnFromSlot() = 0;
-	virtual int ReleaseSlot(unsigned int slot) = 0;
-
-	// Needed by all rewriters.
-	virtual TracePacket* CurrentPacket() const = 0;
-	virtual TracePacket* RewritePacket() const = 0;
-
-	// Whether to not anonymize client/server IP addresses.
-	virtual int LeaveAddrInTheClear(int is_orig) = 0;
-};
-
-extern Rewriter* get_trace_rewriter(Val* conn_val);
-extern Rewriter* get_trace_rewriter(Connection* conn);
-
-// This is the actual packet.
-class TracePacket {
-public:
-	virtual ~TracePacket()	{ }
-
-	virtual RecordVal* PacketVal() = 0;
-	virtual double TimeStamp() const = 0;
-};
-
-#endif
diff --git a/src/Rlogin.cc b/src/Rlogin.cc
index 043baade7e..1ad3f16d7e 100644
--- a/src/Rlogin.cc
+++ b/src/Rlogin.cc
@@ -1,5 +1,3 @@
-// $Id: Rlogin.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -12,7 +10,7 @@
 Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
 : ContentLine_Analyzer(AnalyzerTag::Contents_Rlogin, conn, orig)
 	{
-	num_bytes_to_scan = num_bytes_to_scan = 0;
+	num_bytes_to_scan = 0;
 	analyzer = arg_analyzer;
 	peer = 0;
 
@@ -192,7 +190,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
 			break;
 
 		default:
-			internal_error("bad state in Contents_Rlogin_Analyzer::DoDeliver");
+			reporter->InternalError("bad state in Contents_Rlogin_Analyzer::DoDeliver");
 			break;
 		}
 		}
@@ -223,7 +221,7 @@ Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn)
 void Rlogin_Analyzer::ClientUserName(const char* s)
 	{
 	if ( client_name )
-		internal_error("multiple rlogin client names");
+		reporter->InternalError("multiple rlogin client names");
 
 	client_name = new StringVal(s);
 	}
diff --git a/src/Rlogin.h b/src/Rlogin.h
index ae1946369c..f8ad480630 100644
--- a/src/Rlogin.h
+++ b/src/Rlogin.h
@@ -1,5 +1,3 @@
-// $Id: Rlogin.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef rlogin_h
diff --git a/src/Rule.cc b/src/Rule.cc
index f54a725320..e9847c1721 100644
--- a/src/Rule.cc
+++ b/src/Rule.cc
@@ -1,5 +1,3 @@
-// $Id: Rule.cc 6914 2009-09-22 00:35:24Z vern $
-
 #include "config.h"
 
 #include "Rule.h"
diff --git a/src/Rule.h b/src/Rule.h
index e95dadc074..959008fbf9 100644
--- a/src/Rule.h
+++ b/src/Rule.h
@@ -1,5 +1,3 @@
-// $Id: Rule.h 6914 2009-09-22 00:35:24Z vern $
-
 #ifndef rule_h
 #define rule_h
 
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 9fe807ffb2..bf90c0681e 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -1,5 +1,3 @@
-// $Id: RuleAction.cc 5906 2008-07-03 19:52:50Z vern $
-
 #include <string>
 using std::string;
 
diff --git a/src/RuleAction.h b/src/RuleAction.h
index 33d37bc6e2..a9feb0c314 100644
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@@ -1,5 +1,3 @@
-// $Id: RuleAction.h 5880 2008-06-30 17:42:45Z vern $
-
 #ifndef ruleaction_h
 #define ruleaction_h
 
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 9067b39fb9..8852747cc4 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -1,5 +1,3 @@
-// $Id: RuleCondition.cc 6008 2008-07-23 00:24:22Z vern $
-
 #include "config.h"
 
 #include "RuleCondition.h"
@@ -113,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
 		return payload_size >= val;
 
 	default:
-		internal_error("unknown comparision type");
+		reporter->InternalError("unknown comparision type");
 	}
 
 	// Should not be reached
@@ -135,7 +133,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 	{
 	if ( ! id->HasVal() )
 		{
-		run_time("undefined value");
+		reporter->Error("undefined value");
 		return false;
 		}
 
@@ -151,9 +149,19 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 	else
 		args.append(new StringVal(""));
 
-	Val* val = id->ID_Val()->AsFunc()->Call(&args);
-	bool result = val->AsBool();
-	Unref(val);
+	bool result = 0;
+
+	try
+		{
+		Val* val = id->ID_Val()->AsFunc()->Call(&args);
+		result = val->AsBool();
+		Unref(val);
+		}
+
+	catch ( InterpreterException& e )
+		{
+		result = false;
+		}
 
 	return result;
 	}
diff --git a/src/RuleCondition.h b/src/RuleCondition.h
index a092543d62..b859930581 100644
--- a/src/RuleCondition.h
+++ b/src/RuleCondition.h
@@ -1,5 +1,3 @@
-// $Id: RuleCondition.h 80 2004-07-14 20:15:50Z jason $
-
 #ifndef rulecondition_h
 #define rulecondition_h
 
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 02eef0aad9..ac8f8a867c 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -1,4 +1,4 @@
-// $Id: RuleMatcher.cc 6724 2009-06-07 09:23:03Z vern $
+#include <algorithm>
 
 #include "config.h"
 
@@ -8,6 +8,7 @@
 #include "NetVar.h"
 #include "Scope.h"
 #include "File.h"
+#include "Reporter.h"
 
 // FIXME: Things that are not fully implemented/working yet:
 //
@@ -195,10 +196,10 @@ bool RuleMatcher::ReadFiles(const name_list& files)
 
 	for ( int i = 0; i < files.length(); ++i )
 		{
-		rules_in = search_for_file( files[i], "sig", 0);
+		rules_in = search_for_file(files[i], "sig", 0, false, 0);
 		if ( ! rules_in )
 			{
-			error("Can't open signature file", files[i]);
+			reporter->Error("Can't open signature file %s", files[i]);
 			return false;
 			}
 
@@ -398,7 +399,7 @@ static inline uint32 getval(const u_char* data, int size)
 		return ntohl(*(uint32*) data);
 
 	default:
-		internal_error("illegal HdrTest size");
+		reporter->InternalError("illegal HdrTest size");
 	}
 
 	// Should not be reached.
@@ -511,7 +512,7 @@ RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
 
 				default:
 					data = 0;
-					internal_error("unknown protocol");
+					reporter->InternalError("unknown protocol");
 				}
 
 				// ### data can be nil here if it's an
@@ -540,7 +541,7 @@ RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
 						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >=);
 
 					default:
-						internal_error("unknown comparision type");
+						reporter->InternalError("unknown comparision type");
 				}
 
 no_match:
@@ -567,7 +568,7 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 	{
 	if ( ! state )
 		{
-		warn("RuleEndpointState not initialized yet.");
+		reporter->Warning("RuleEndpointState not initialized yet.");
 		return;
 		}
 
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 085253c16e..5bba69e130 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -1,5 +1,3 @@
-// $Id: RuleMatcher.h 3526 2006-09-12 07:32:21Z vern $
-
 #ifndef sigs_h
 #define sigs_h
 
diff --git a/src/SMB.cc b/src/SMB.cc
index 7ee6986d3d..edce2a69b8 100644
--- a/src/SMB.cc
+++ b/src/SMB.cc
@@ -1,11 +1,10 @@
-// $Id: SMB.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "NetVar.h"
 #include "SMB.h"
 #include "smb_pac.h"
 #include "Val.h"
+#include "Reporter.h"
 
 namespace {
 	const bool DEBUG_smb_ipc = true;
@@ -166,7 +165,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
 			const u_char* tmp = data_start + next;
 			if ( data_start + next < data + body.length() )
 				{
-				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start));
+				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIuPTR, next, data + body.length() - data_start));
 				break;
 				}
 
@@ -480,8 +479,8 @@ int SMB_Session::ParseTreeConnectAndx(binpac::SMB::SMB_header const& hdr,
 	r->Assign(0, new Val(req.flags(), TYPE_COUNT));
 	r->Assign(1, new StringVal(req.password_length(),
 					(const char*) req.password()));
-	r->Assign(3, new StringVal(path));
-	r->Assign(4, new StringVal(service));
+	r->Assign(2, new StringVal(path));
+	r->Assign(3, new StringVal(service));
 
 	if ( strstr_n(norm_path->Len(), norm_path->Bytes(), 5,
 		      (const u_char*) "\\IPC$") != -1 )
@@ -732,7 +731,7 @@ int SMB_Session::ParseTransaction(int is_orig, int cmd,
 		break;
 
 	default:
-		internal_error("command mismatch for ParseTransaction");
+		reporter->InternalError("command mismatch for ParseTransaction");
 	}
 
 	int ret;
@@ -932,7 +931,7 @@ void SMB_Session::Weird(const char* msg)
 // input can be in Unicode (little endian), and the returned string
 // will be in ASCII.  Note, Unicode strings have NUL characters
 // at the end of them already.  Adding an additional NUL byte at
-// the end leads to embedded-NUL warnings (CheckString() run_time error).
+// the end leads to embedded-NUL warnings (CheckString() run time error).
 
 BroString* SMB_Session::ExtractString(binpac::SMB::SMB_string const* s)
 	{
diff --git a/src/SMB.h b/src/SMB.h
index d41ef7f9e0..f7287efb79 100644
--- a/src/SMB.h
+++ b/src/SMB.h
@@ -1,5 +1,3 @@
-// $Id: SMB.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef smb_h
@@ -206,8 +204,6 @@ public:
 			DCE_RPC_Session::any_dce_rpc_event();
 		}
 
-	int RewritingTrace()	{ return rewriting_smb_trace; }
-
 protected:
 	SMB_Session* smb_session;
 	Contents_SMB* o_smb;
diff --git a/src/SMTP.cc b/src/SMTP.cc
index f16dc8ae2e..3af8af3b7b 100644
--- a/src/SMTP.cc
+++ b/src/SMTP.cc
@@ -1,5 +1,3 @@
-// $Id: SMTP.cc 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -10,7 +8,7 @@
 #include "SMTP.h"
 #include "Event.h"
 #include "ContentLine.h"
-#include "TCP_Rewriter.h"
+#include "Reporter.h"
 
 #undef SMTP_CMD_DEF
 #define SMTP_CMD_DEF(cmd)	#cmd,
@@ -866,7 +864,7 @@ void SMTP_Analyzer::BeginData()
 	skip_data = 0; // reset the flag at the beginning of the mail
 	if ( mail != 0 )
 		{
-		warn("nested mail transaction");
+		reporter->Warning("nested mail transaction");
 		mail->Done();
 		delete mail;
 		}
@@ -877,7 +875,7 @@ void SMTP_Analyzer::BeginData()
 void SMTP_Analyzer::EndData()
 	{
 	if ( ! mail )
-		warn("Unmatched end of data");
+		reporter->Warning("Unmatched end of data");
 	else
 		{
 		mail->Done();
@@ -885,5 +883,3 @@ void SMTP_Analyzer::EndData()
 		mail = 0;
 		}
 	}
-
-#include "smtp-rw.bif.func_def"
diff --git a/src/SMTP.h b/src/SMTP.h
index 6e3ad6cc29..5b15dc44c0 100644
--- a/src/SMTP.h
+++ b/src/SMTP.h
@@ -1,5 +1,3 @@
-// $Id: SMTP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef smtp_h
@@ -46,8 +44,6 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void ConnectionFinished(int half_finished);
 	virtual void Undelivered(int seq, int len, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
 
diff --git a/src/SMTP_cmd.def b/src/SMTP_cmd.def
index 79667ba7bd..545136048d 100644
--- a/src/SMTP_cmd.def
+++ b/src/SMTP_cmd.def
@@ -1,5 +1,3 @@
-// $Id: SMTP_cmd.def 80 2004-07-14 20:15:50Z jason $
-//
 // Definitions of SMTP commands.
 
 SMTP_CMD_DEF(EHLO)
diff --git a/src/SSH.cc b/src/SSH.cc
index b4ca9aa153..c07aad3dd1 100644
--- a/src/SSH.cc
+++ b/src/SSH.cc
@@ -1,5 +1,3 @@
-// $Id: SSH.cc 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/SSH.h b/src/SSH.h
index 503b1abcbe..ccdcd76929 100644
--- a/src/SSH.h
+++ b/src/SSH.h
@@ -1,5 +1,3 @@
-// $Id: SSH.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef ssh_h
diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc
index 551861aaee..db9a7004d6 100644
--- a/src/SSL-binpac.cc
+++ b/src/SSL-binpac.cc
@@ -1,44 +1,32 @@
-// $Id:$
-
 #include "SSL-binpac.h"
 #include "TCP_Reassembler.h"
+#include "Reporter.h"
 #include "util.h"
 
-
-bool SSL_Analyzer_binpac::warnings_generated = false;
-
 SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::SSL_BINPAC, c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c)
 	{
-	ssl = new binpac::SSL::SSLAnalyzer;
-	ssl->set_bro_analyzer(this);
-
-	records = new binpac::SSLRecordLayer::SSLRecordLayerAnalyzer;
-	records->set_ssl_analyzer(ssl);
-
-	if ( ! warnings_generated )
-		generate_warnings();
+	interp = new binpac::SSL::SSL_Conn(this);
+	had_gap = false;
 	}
 
 SSL_Analyzer_binpac::~SSL_Analyzer_binpac()
 	{
-	delete records;
-	delete ssl;
+	delete interp;
 	}
 
 void SSL_Analyzer_binpac::Done()
 	{
 	TCP_ApplicationAnalyzer::Done();
 
-	records->FlowEOF(true);
-	records->FlowEOF(false);
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
 	}
 
 void SSL_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
 	{
 	TCP_ApplicationAnalyzer::EndpointEOF(endp);
-	records->FlowEOF(endp->IsOrig());
-	ssl->FlowEOF(endp->IsOrig());
+	interp->FlowEOF(endp->IsOrig());
 	}
 
 void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
@@ -50,26 +38,24 @@ void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
 	if ( TCP()->IsPartial() )
 		return;
 
-	records->NewData(orig, data, data + len);
+	if ( had_gap )
+		// XXX: If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
 	}
 
 void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
-	records->NewGap(orig, len);
-	}
-
-void SSL_Analyzer_binpac::warn_(const char* msg)
-	{
-	warn("SSL_Analyzer_binpac: ", msg);
-	}
-
-void SSL_Analyzer_binpac::generate_warnings()
-	{
-	if ( ssl_store_certificates )
-		warn_("storage of certificates (ssl_store_certificates) not supported");
-	if ( ssl_store_key_material )
-		warn_("storage of key material (ssl_store_key_material) not supported");
-
-	warnings_generated = true;
+	had_gap = true;
+	interp->NewGap(orig, len);
 	}
diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h
index 79b8b4d7fa..8dab19d00c 100644
--- a/src/SSL-binpac.h
+++ b/src/SSL-binpac.h
@@ -1,21 +1,21 @@
-// $Id:$
-
 #ifndef ssl_binpac_h
 #define ssl_binpac_h
 
 #include "TCP.h"
 
 #include "ssl_pac.h"
-#include "ssl-record-layer_pac.h"
 
 class SSL_Analyzer_binpac : public TCP_ApplicationAnalyzer {
 public:
 	SSL_Analyzer_binpac(Connection* conn);
 	virtual ~SSL_Analyzer_binpac();
 
+	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
+
+	// Overriden from TCP_ApplicationAnalyzer.
 	virtual void EndpointEOF(TCP_Reassembler* endp);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
@@ -23,20 +23,15 @@ public:
 
 	static bool Available()
 		{
-		return FLAGS_use_binpac &&
-			(ssl_certificate_seen || ssl_certificate ||
-			 ssl_conn_attempt || ssl_conn_server_reply ||
-			 ssl_conn_established || ssl_conn_reused ||
-			 ssl_conn_alert);
+		return ( ssl_client_hello || ssl_server_hello ||
+			ssl_established || ssl_extension || ssl_alert ||
+			x509_certificate || x509_extension || x509_error );
 		}
 
-	static bool warnings_generated;
-	static void warn_(const char* msg);
-	static void generate_warnings();
-
 protected:
-	binpac::SSLRecordLayer::SSLRecordLayerAnalyzer* records;
-	binpac::SSL::SSLAnalyzer* ssl;
+	binpac::SSL::SSL_Conn* interp;
+	bool had_gap;
+
 };
 
 #endif
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc
deleted file mode 100644
index 1eaf3898e2..0000000000
--- a/src/SSLCiphers.cc
+++ /dev/null
@@ -1,598 +0,0 @@
-// $Id: SSLCiphers.cc 1678 2005-11-08 19:16:37Z vern $
-
-#include "SSLCiphers.h"
-
-PDict(SSL_CipherSpec) SSL_CipherSpecDict;
-
-// --- definitions for ssl cipher handling ------------------------------------
-
-SSL_CipherSpec SSL_CipherSpecs[] = {
-	// --- SSL 2.0 cipher specs
-	{ SSL_CK_RC4_128_WITH_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		128
-	},
-	{ SSL_CK_RC4_128_EXPORT40_WITH_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv20,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		88,
-		40,
-		128
-	},
-	{ SSL_CK_RC2_128_CBC_WITH_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_RC2,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		128
-	},
-	{ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv20,
-		SSL_CIPHER_RC2,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		88,
-		40,
-		128
-	},
-	{ SSL_CK_IDEA_128_CBC_WITH_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_IDEA,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		128
-	},
-	{ SSL_CK_DES_64_CBC_WITH_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_DES,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		64,
-		128
-	},
-	{ SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_3DES,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		192,
-		128
-	},
-	{ SSL_CK_RC4_64_WITH_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv20,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		64,
-		128
-	},
-	// --- SSL 3.0 / 3.1 cipher specs
-	{ TLS_NULL_WITH_NULL_NULL,
-		SSL_CIPHER_TYPE_NULL,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_NULL,
-		SSL_MAC_NULL,
-		SSL_KEY_EXCHANGE_NULL,
-		0,
-		0,
-		0
-	},
-	{ TLS_RSA_WITH_NULL_MD5,
-		SSL_CIPHER_TYPE_NULL,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_NULL,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		0,
-		128
-	},
-	{ TLS_RSA_WITH_NULL_SHA,
-		SSL_CIPHER_TYPE_NULL,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_NULL,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		0,
-		160
-	},
-	{ TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA_EXPORT,
-		0,
-		40,
-		128
-	},
-	{ TLS_RSA_WITH_RC4_128_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		128
-	},
-	{ TLS_RSA_WITH_RC4_128_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		160
-	},
-	{ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC2,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_RSA_EXPORT,
-		0,
-		40,
-		128
-	},
-	{ TLS_RSA_WITH_IDEA_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_IDEA,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		160
-	},
-	{ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA_EXPORT,
-		0,
-		40,
-		160
-	},
-	{ TLS_RSA_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		56,
-		160
-	},
-	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		168,
-		160
-	},
-	{ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_DSS_EXPORT,
-		0,
-		40,
-		160
-	},
-	{ TLS_DH_DSS_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_DSS,
-		0,
-		56,
-		160
-	},
-	{ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_DSS,
-		0,
-		168,
-		160
-	},
-	{ TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_RSA_EXPORT,
-		0,
-		168,
-		160
-	},
-	{ TLS_DH_RSA_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_RSA,
-		0,
-		56,
-		160
-	},
-	{ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_RSA,
-		0,
-		168,
-		160
-	},
-	{ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
-		0,
-		40,
-		160
-	},
-	{ TLS_DHE_DSS_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS,
-		0,
-		56,
-		160
-	},
-	{ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS,
-		0,
-		168,
-		160
-	},
-	{ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
-		0,
-		40,
-		160
-	},
-	{ TLS_DHE_RSA_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_RSA,
-		0,
-		56,
-		160
-	},
-	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_RSA,
-		0,
-		168,
-		160
-	},
-	{ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
-		0,
-		40,
-		128
-	},
-	{ TLS_DH_ANON_WITH_RC4_128_MD5,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		128,
-		128
-	},
-	{ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES40,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		40,
-		160
-	},
-	{ TLS_DH_ANON_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		56,
-		160
-	},
-	{ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		168,
-		160
-	},
-	{ SSL_FORTEZZA_KEA_WITH_NULL_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30,
-		SSL_CIPHER_NULL,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
-		0,
-		0,
-		160
-	},
-	{ SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30,
-		SSL_CIPHER_FORTEZZA,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
-		0,
-		96,
-		160
-	},
-	{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
-		0,
-		128,
-		160
-	},
-	// --- special SSLv3 FIPS ciphers
-	{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		56,
-		160
-	},
-	{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_3DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		168,
-		160
-	},
-	// --- new 56 bit export ciphers
-	{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA_EXPORT1024,
-		0,
-		56,
-		160
-	},
-	{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA_EXPORT1024,
-		0,
-		56,
-		160
-	},
-	{ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_DES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
-		0,
-		56,
-		160
-	},
-	{ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
-		0,
-		56,
-		160
-	},
-	{ TLS_DHE_DSS_WITH_RC4_128_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS,
-		0,
-		128,
-		160
-	},
-	// --- new AES ciphers
-	{ TLS_RSA_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		128,
-		160
-	},
-	{ TLS_DH_DSS_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_DSS,
-		0,
-		128,
-		160
-	},
-	{ TLS_DH_RSA_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_RSA,
-		0,
-		128,
-		160
-	},
-	{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS,
-		0,
-		128,
-		160
-	},
-	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_RSA,
-		0,
-		128,
-		160
-	},
-	{ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		128,
-		160
-	},
-	{ TLS_RSA_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_RSA,
-		0,
-		256,
-		160
-	},
-	{ TLS_DH_DSS_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_DSS,
-		0,
-		256,
-		160
-	},
-	{ TLS_DH_RSA_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_RSA,
-		0,
-		256,
-		160
-	},
-	{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_DSS,
-		0,
-		256,
-		160
-	},
-	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DHE_RSA,
-		0,
-		256,
-		160
-	},
-	{ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
-		SSL_CIPHER_TYPE_BLOCK,
-		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
-		SSL_CIPHER_AES,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
-		0,
-		256,
-		160
-	}
-};
-
-const uint SSL_CipherSpecs_Count =
-	sizeof(SSL_CipherSpecs) / sizeof(SSL_CipherSpec);
diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h
deleted file mode 100644
index 389c4d1992..0000000000
--- a/src/SSLCiphers.h
+++ /dev/null
@@ -1,174 +0,0 @@
-// $Id: SSLCiphers.h 1678 2005-11-08 19:16:37Z vern $
-
-#ifndef SSL_CIPHERS_H
-#define SSL_CIPHERS_H
-
-#include "Dict.h"
-
-// --- definitions for sslv3x cipher handling ---------------------------------
-
-/*!
- * In SSLv2, a cipher spec consists of three bytes.
- */
-enum SSLv2_CipherSpec {
-	// --- standard SSLv2 ciphers
-	SSL_CK_RC4_128_WITH_MD5              = 0x010080,
-	SSL_CK_RC4_128_EXPORT40_WITH_MD5     = 0x020080,
-	SSL_CK_RC2_128_CBC_WITH_MD5          = 0x030080,
-	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
-	SSL_CK_IDEA_128_CBC_WITH_MD5         = 0x050080,
-	SSL_CK_DES_64_CBC_WITH_MD5           = 0x060040,
-	SSL_CK_DES_192_EDE3_CBC_WITH_MD5     = 0x0700C0,
-	SSL_CK_RC4_64_WITH_MD5		     = 0x080080
-};
-
-
-/*!
- * In SSLv3x, a cipher spec consists of two bytes.
- */
-enum SSL3_1_CipherSpec {
-	// --- standard SSLv3x ciphers
-	TLS_NULL_WITH_NULL_NULL                = 0x0000,
-	TLS_RSA_WITH_NULL_MD5                  = 0x0001,
-	TLS_RSA_WITH_NULL_SHA                  = 0x0002,
-	TLS_RSA_EXPORT_WITH_RC4_40_MD5         = 0x0003,
-	TLS_RSA_WITH_RC4_128_MD5               = 0x0004,
-	TLS_RSA_WITH_RC4_128_SHA               = 0x0005,
-	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5     = 0x0006,
-	TLS_RSA_WITH_IDEA_CBC_SHA              = 0x0007,
-	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      = 0x0008,
-	TLS_RSA_WITH_DES_CBC_SHA               = 0x0009,
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA          = 0x000A,
-	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA   = 0x000B,
-	TLS_DH_DSS_WITH_DES_CBC_SHA            = 0x000C,
-	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA       = 0x000D,
-	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA   = 0x000E,
-	TLS_DH_RSA_WITH_DES_CBC_SHA            = 0x000F,
-	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA       = 0x0010,
-	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  = 0x0011,
-	TLS_DHE_DSS_WITH_DES_CBC_SHA           = 0x0012,
-	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA      = 0x0013,
-	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0014,
-	TLS_DHE_RSA_WITH_DES_CBC_SHA           = 0x0015,
-	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0x0016,
-	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5     = 0x0017,
-	TLS_DH_ANON_WITH_RC4_128_MD5           = 0x0018,
-	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA  = 0x0019,
-	TLS_DH_ANON_WITH_DES_CBC_SHA           = 0x001A,
-	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA      = 0x001B,
-	// --- special SSLv3 ciphers
-	SSL_FORTEZZA_KEA_WITH_NULL_SHA         = 0x001C,
-	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
-	SSL_FORTEZZA_KEA_WITH_RC4_128_SHA      = 0x001E,
-	// --- special SSLv3 FIPS ciphers
-	SSL_RSA_FIPS_WITH_DES_CBC_SHA		   = 0xFEFE,
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA	   = 0XFEFF,
-	// --- new 56 bit export ciphers
-	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     = 0x0062,
-	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      = 0x0064,
-	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
-	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  = 0x0065,
-	TLS_DHE_DSS_WITH_RC4_128_SHA            = 0x0066,
-	// --- new AES ciphers
-	TLS_RSA_WITH_AES_128_CBC_SHA      = 0x002F,
-	TLS_DH_DSS_WITH_AES_128_CBC_SHA   = 0x0030,
-	TLS_DH_RSA_WITH_AES_128_CBC_SHA   = 0x0031,
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA  = 0x0032,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA  = 0x0033,
-	TLS_DH_ANON_WITH_AES_128_CBC_SHA  = 0x0034,
-	TLS_RSA_WITH_AES_256_CBC_SHA      = 0x0035,
-	TLS_DH_DSS_WITH_AES_256_CBC_SHA   = 0x0036,
-	TLS_DH_RSA_WITH_AES_256_CBC_SHA   = 0x0037,
-	TLS_DHE_DSS_WITH_AES_256_CBC_SHA  = 0x0038,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA  = 0x0039,
-	TLS_DH_ANON_WITH_AES_256_CBC_SHA  = 0x003A
-};
-
-enum SSL_CipherType {
-	SSL_CIPHER_TYPE_STREAM,
-	SSL_CIPHER_TYPE_BLOCK,
-	SSL_CIPHER_TYPE_NULL
-};
-
-enum SSL_BulkCipherAlgorithm {
-	SSL_CIPHER_NULL,
-	SSL_CIPHER_RC4,
-	SSL_CIPHER_RC2,
-	SSL_CIPHER_DES,
-	SSL_CIPHER_3DES,
-	SSL_CIPHER_DES40,
-	SSL_CIPHER_FORTEZZA,
-	SSL_CIPHER_IDEA,
-	SSL_CIPHER_AES
-};
-
-enum SSL_MACAlgorithm {
-	SSL_MAC_NULL,
-	SSL_MAC_MD5,
-	SSL_MAC_SHA
-};
-
-enum SSL_KeyExchangeAlgorithm {
-	SSL_KEY_EXCHANGE_NULL,
-	SSL_KEY_EXCHANGE_RSA,
-	SSL_KEY_EXCHANGE_RSA_EXPORT,
-	SSL_KEY_EXCHANGE_DH,
-	SSL_KEY_EXCHANGE_DH_DSS,
-	SSL_KEY_EXCHANGE_DH_DSS_EXPORT,
-	SSL_KEY_EXCHANGE_DH_RSA,
-	SSL_KEY_EXCHANGE_DH_RSA_EXPORT,
-	SSL_KEY_EXCHANGE_DHE_DSS,
-	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
-	SSL_KEY_EXCHANGE_DHE_RSA,
-	SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
-	SSL_KEY_EXCHANGE_DH_ANON,
-	SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
-	SSL_KEY_EXCHANGE_FORTEZZA_KEA,
-	// --- new 56 bit export ciphers
-	SSL_KEY_EXCHANGE_RSA_EXPORT1024,
-	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
-};
-
-#if 0
-struct SSL_CipherSpecImprove {
-	uint32 identifier;
-
-	// SSL_CipherType cipherType;
-	SSL_BulkCipherAlgorithm encryptionAlgorithm;
-	SSL_BulkCipherAlgorithm authenticationAlgorithm;
-	SSL_BulkCipherAlgorithm keyAlgorithm;
-	SSL_MACAlgorithm        macAlgorithm;
-
-	int clearkeySize;
-	int encryptedkeySize;
-	uint32 flags;	// IsExportable IsSSLv2 IsSSLv30 IsSSLv31
-	const char* fullName = "TLS_WITH_NULL_NULL";
-
-};
-#endif
-
-struct SSL_CipherSpec {
-	uint32 identifier; ///< type code of the CIPHER-SPEC (2 or 3 Bytes)
-
-	SSL_CipherType cipherType;
-	uint32 flags;
-	SSL_BulkCipherAlgorithm bulkCipherAlgorithm;
-	SSL_MACAlgorithm macAlgorithm;
-	SSL_KeyExchangeAlgorithm keyExchangeAlgorithm;
-
-	int clearKeySize;     ///< size in bits of plaintext part of master key
-	int encryptedKeySize; ///< size in bits of encrypted part of master key
-	int hashSize;
-};
-
-const uint32 SSL_FLAG_EXPORT = 0x0001; ///< set if exportable cipher
-const uint32 SSL_FLAG_SSLv20 = 0x0002; ///< set if cipher defined for SSLv20
-const uint32 SSL_FLAG_SSLv30 = 0x0004; ///< set if cipher defined for SSLv30
-const uint32 SSL_FLAG_SSLv31 = 0x0008; ///< set if cipher defined for SSLv31
-
-declare(PDict, SSL_CipherSpec);
-extern PDict(SSL_CipherSpec) SSL_CipherSpecDict;
-extern SSL_CipherSpec SSL_CipherSpecs[];
-extern const uint SSL_CipherSpecs_Count;
-
-#endif
diff --git a/src/SSLDefines.h b/src/SSLDefines.h
deleted file mode 100644
index 331a03157a..0000000000
--- a/src/SSLDefines.h
+++ /dev/null
@@ -1,48 +0,0 @@
-// $Id: SSLDefines.h 80 2004-07-14 20:15:50Z jason $
-
-// Defines the states and transitions in the ssl-protocol-machine.
-
-#ifndef SSL_DEFINES_H
-#define SSL_DEFINES_H
-
-const int SSL3_1_NUM_STATES = 20;
-enum SSL3_1_States {
-	SSL3_1_STATE_ERROR = 0,
-	SSL3_1_STATE_INIT  = 1,
-	SSL3_1_STATE_SERVER_HELLO_REQ_SENT = 2,
-	SSL3_1_STATE_CLIENT_HELLO_SENT = 3,
-	SSL3_1_STATE_SERVER_HELLO_SENT = 4,
-	SSL3_1_STATE_SERVER_CERT_SENT = 5,
-	SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT = 6,
-	SSL3_1_STATE_SERVER_CERT_REQ_SENT = 7,
-	SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A = 8,
-	SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B = 9,
-	SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A = 10,
-	SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B = 11,
-	SSL3_1_STATE_CLIENT_CERT_SENT = 12,
-	SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT = 13,
-	SSL3_1_STATE_CLIENT_FIN_SENT_A = 14,
-	SSL3_1_STATE_SERVER_FIN_SENT_A = 15,
-	SSL3_1_STATE_CLIENT_FIN_SENT_B = 16,
-	SSL3_1_STATE_SERVER_FIN_SENT_B = 17,
-	SSL3_1_STATE_HS_FIN_A = 18,
-	SSL3_1_STATE_HS_FIN_B = 19
-};
-
-const int SSL3_1_NUM_TRANS = 11;
-enum SSL_3_1_Transitions {
-	SSL3_1_TRANS_SERVER_HELLO_REQ = 0,
-	SSL3_1_TRANS_CLIENT_HELLO = 1,
-	SSL3_1_TRANS_SERVER_HELLO = 2,
-	SSL3_1_TRANS_SERVER_CERT = 3,
-	SSL3_1_TRANS_SERVER_KEY_EXCHANGE = 4,
-	SSL3_1_TRANS_SERVER_CERT_REQ = 5,
-	SSL3_1_TRANS_SERVER_HELLO_DONE = 6,
-	SSL3_1_TRANS_CLIENT_CERT = 3,
-	SSL3_1_TRANS_CLIENT_KEY_EXCHANGE = 7,
-	SSL3_1_TRANS_CLIENT_CERT_VERIFY = 8,
-	SSL3_1_TRANS_CLIENT_FIN = 9,
-	SSL3_1_TRANS_SERVER_FIN = 10
-};
-
-#endif
diff --git a/src/SSLInterpreter.cc b/src/SSLInterpreter.cc
deleted file mode 100644
index 7e185c9e7f..0000000000
--- a/src/SSLInterpreter.cc
+++ /dev/null
@@ -1,553 +0,0 @@
-// $Id: SSLInterpreter.cc 5988 2008-07-19 07:02:12Z vern $
-
-#include "SSLInterpreter.h"
-#include "SSLv2.h"
-
-#include "X509.h"
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-declare(PDict, CertStore);
-PDict(CertStore) cert_states;
-
-// --- Initalization of static variables --------------------------------------
-
-uint32 SSL_Interpreter::analyzedCertificates = 0;
-uint32 SSL_Interpreter::verifiedCertificates = 0;
-uint32 SSL_Interpreter::failedCertificates = 0;
-uint32 SSL_Interpreter::certificateChains = 0;
-
-// --- SSL_Interpreter --------------------------------------------------------
-
-/*!
- * The constructor.
- *
- * \param proxy Pointer to the SSLProxy_Analyzer which created this instance.
- */
-SSL_Interpreter::SSL_Interpreter(SSLProxy_Analyzer* proxy)
-	{
-	this->proxy = proxy;
-	}
-
-/*!
- * The destructor.
- */
-SSL_Interpreter::~SSL_Interpreter()
-	{
-	delete orig;
-	delete resp;
-	}
-
-/*!
- * Analogous to TCP_Connection::Init(), this method calls
- * BuildInterpreterEndpoints() to create the corresponding endpoints.
- */
-void SSL_Interpreter::Init()
-	{
-	BuildInterpreterEndpoints();
-	orig->SetPeer(resp);
-	resp->SetPeer(orig);
-	}
-
-/*!
- * This method analyzes a given certificate (chain), using the OpenSSL library.
- *
- * \param s Pointer to the SSL_InterpreterEndpoint which received the
- *          cerificate (chain).
- * \param data Pointer to the data block which contains the certificate (chain).
- * \param length Size of the data block.
- * \param type the certificate type
- * \param isChain false if data is pointing to a single certificate,
- *                true if data is pointing to a certificate chain
- * mod by scott in:
- *       uint32 ip_address = *(s->proxyEndpoint->Endpoint()->dst_addr);
- *       uint16 port = (uint16) s->proxyEndpoint->Endpoint()->conn->RespPort();
- * inserting endpoint
- */
-void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s,
-			const u_char* data, int length, uint8 type, bool isChain)
-	{
-	// See if we should continue with this certificate.
-	if ( ssl_certificate_seen )
-		{
-		val_list* vl = new val_list;
-		vl->append(proxy->BuildConnVal());
-		vl->append(new Val(! s->IsOrig(), TYPE_BOOL));
-		proxy->ConnectionEvent(ssl_certificate_seen, vl);
-		}
-
-	++analyzedCertificates;
-
-	const u_char* pCert = data;
-	uint32 certLength = length;
-	uint certCount = 0;
-
-	if ( isChain )
-		{
-		++certificateChains;
-
-		// Sum of all cert sizes has to match certListLength.
-		int tempLength = 0;
-		while ( tempLength < length )
-			{
-			++certCount;
-			uint32 certLength =
-				uint32((data[tempLength + 0] << 16) |
-					data[tempLength + 1] << 8) |
-				data[tempLength + 2];
-
-			tempLength += certLength + 3;
-			}
-
-		if ( tempLength > length )
-			{
-			Weird( "SSLv3x: sum of size of certificates doesn't match size of certificate chain" );
-			return;
-			}
-
-		// Get the first certificate.
-		pCert = data + 3;
-		certLength = uint32((data[0] << 16) | data[1] << 8) | data[2];
-		}
-
-	// Create a hashsum of the current certificate.
-	hash_t hashsum = HashKey::HashBytes(pCert, certLength);
-
-	if ( ! proxy->TCP() )
-		return;
-
-	TCP_Endpoint* endp = s->IsOrig() ? proxy->TCP()->Orig() : proxy->TCP()->Resp();
-
-	// Check if we've seen a certificate from this addr/port before.
-	uint8 key[6];
-	// ### Won't work for IPv6.
-	uint32 ip_address = *(endp->dst_addr);
-	uint16 port = uint16(proxy->Conn()->RespPort());
-	memcpy(key, &ip_address, 4);
-	memcpy(&key[4], &port, 2);
-
-	HashKey h(key, sizeof(key));
-	CertStore* pCertState = 0;
-	pCertState = (CertStore*) cert_states.Lookup(&h);
-	if ( ! pCertState )
-		{ // new address
-		pCertState = new CertStore(ip_address, port, hashsum, certLength);
-		cert_states.Insert(&h, pCertState);
-		}
-	else
-		{
-		// We've seen this address/certificate before.  Check if
-		// certificate changed.
-		if ( ! pCertState->isSameCert(hashsum, certLength) )
-			{
-			// This shouldn't happen; ### make a stronger error.
-			Weird("SSL: Certificate changed for this ip+port !!!");
-
-			// Update status.
-			++pCertState->changes;
-			pCertState->certHash = hashsum;
-			pCertState->certSize = certLength;
-			pCertState->isValid = -1;
-			}
-		else
-			{ // cert didn't change
-			if ( pCertState->isValid == 0 )
-				{
-				// This is an invalid cert, but we
-				// warned before.
-				}
-
-			// Save time - don't analyze it any further.
-			return;
-			}
-		}
-
-	// Certificate verification.
-	if ( ssl_verify_certificates != 0 )
-		{
-		++verifiedCertificates;
-		int invalid = 0;
-		switch ( type ) {
-		case SSLv2_CT_X509_CERTIFICATE:
-			if ( ! isChain )
-				invalid = X509_Cert::verify(s->GetProxyEndpoint(),
-							pCert, certLength);
-			else
-				invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(),
-							data, length);
-			break;
-
-		default:
-			Weird("SSL: Unknown CERTIFICATE-TYPE!");
-			invalid = 1; // quick 'n dirty :)
-			break;
-		}
-
-		if ( invalid )
-			{
-			proxy->Weak("SSL: Certificate check FAILED!");
-			pCertState->isValid = 0;
-			++failedCertificates;
-			}
-		else
-			pCertState->isValid = 1;
-		}
-
-	// Store the certificate.
-	if ( ssl_store_certificates != 0 )
-		{
-		// Let's hope the address is currently in network byte order!
-		in_addr addr;
-		addr.s_addr = ip_address;
-		char* pDummy = inet_ntoa(addr);
-		char sFileName[PATH_MAX];
-
-		if ( ssl_store_cert_path && 
-		     ssl_store_cert_path->AsString()->Len() > 0 )
-			{
-			const BroString* pString = ssl_store_cert_path->AsString();
-			safe_snprintf(sFileName, PATH_MAX, "%s/cert.%s-server-c%i.der",
-				      pString->Bytes(), pDummy, pCertState->changes);
-			}
-		else
-			safe_snprintf(sFileName, PATH_MAX, "cert.%s-server-c%i.der",
-				      pDummy, pCertState->changes);
-
-		FILE* certFile = fopen(sFileName, "wb");
-		if ( ! certFile )
-			{
-			Weird(fmt("SSL_Interpreter::analyzeCertificate(): Error opening '%s'!\n", sFileName));
-			return;
-			}
-
-		fwrite(pCert, 1, certLength, certFile);
-		fclose(certFile);
-		}
-
-	// TODO: test if cert is valid for the address we got it from.
-	}
-
-
-/*!
- * \return the originating SSL_InterpreterEndpoint
- */
-SSL_InterpreterEndpoint* SSL_Interpreter::Orig() const
-	{
-	return orig;
-	}
-
-/*!
- * \return the responding SSL_InterpreterEndpoint
- */
-SSL_InterpreterEndpoint* SSL_Interpreter::Resp() const
-	{
-	return resp;
-	}
-
-/*!
- * \param p Pointer to an SSL_InterpreterEndpoint to test
- *
- * \return true if p is the originating SSL_InterpreterEndpoint,
- *         false otherwise
- */
-int SSL_Interpreter::Is_Orig(SSL_InterpreterEndpoint* p) const
-	{
-	return p == orig;
-	}
-
-/*!
- * \return the responding SSL_InterpreterEndpoint
- */
-SSLProxy_Analyzer* SSL_Interpreter::Proxy() const
-	{
-	return proxy;
-	}
-
-/*!
- * This methods prints a string into the "weird" log file.
- *
- * \param name String to log into the "weird" file.
- */
-void SSL_Interpreter::Weird(const char* name) const
-	{
-	proxy->Weird(name);
-	}
-
-/*!
- * Prints some counters.
- */
-void SSL_Interpreter::printStats()
-	{
-	printf("SSL_Interpreter:\n");
-	printf("analyzedCertificates = %u\n", analyzedCertificates);
-	printf("verifiedCertificates = %u\n", verifiedCertificates);
-	printf("failedCertificates = %u\n", failedCertificates);
-	printf("certificateChains = %u\n", certificateChains);
-	}
-
-/*!
- * Wrapper function for the event ssl_conn_attempt.
- *
- * \param sslVersion the SSL version for which the event occured
- *
- * \see SSLProxy_Analyzer::SSL_Versions
- */
-void SSL_Interpreter::fire_ssl_conn_attempt(uint16 sslVersion,
-						TableVal* currentCipherSuites)
-	{
-	EventHandlerPtr event = ssl_conn_attempt;
-	if ( event )
-		{
-		val_list* vl = new val_list;
-		vl->append(proxy->BuildConnVal());
-		vl->append(new Val(sslVersion, TYPE_INT));
-		vl->append(currentCipherSuites);
-
-		proxy->ConnectionEvent(event, vl);
-		}
-	}
-
-/*!
- * Wrapper function for the event ssl_conn_server_reply.
- *
- * \param sslVersion the SSL version for which the event occured
- *
- * \see SSLProxy_Analyzer::SSL_Versions
- */
-void SSL_Interpreter::fire_ssl_conn_server_reply(uint16 sslVersion,
-						TableVal* currentCipherSuites)
-	{
-	EventHandlerPtr event = ssl_conn_server_reply;
-	if ( event )
-		{
-		val_list* vl = new val_list;
-		vl->append(proxy->BuildConnVal());
-		vl->append(new Val(sslVersion, TYPE_INT));
-		vl->append(currentCipherSuites);
-
-		proxy->ConnectionEvent(event, vl);
-		}
-	}
-
-/*!
- * Wrapper function for the event ssl_conn_established.
- *
- * \param sslVersion the SSL version for which the event occured
- * \param cipherSuite constant indicating the used SSL cipher suite
- *
- * \see SSLProxy_Analyzer::SSL_Versions, SSLv2_CipherSpecs and SSL3_1_CipherSpec.
- */
-void SSL_Interpreter::fire_ssl_conn_established(uint16 sslVersion,
-						uint32 cipherSuite)
-	{
-	EventHandlerPtr event = ssl_conn_established;
-	if ( event )
-		{
-		val_list* vl = new val_list;
-		vl->append(proxy->BuildConnVal());
-		vl->append(new Val(sslVersion, TYPE_INT));
-		vl->append(new Val(cipherSuite, TYPE_COUNT));
-
-		proxy->ConnectionEvent(event, vl);
-		}
-
-	}
-
-/*!
- * Wrapper function for the event ssl_conn_reused
- *
- * \param pData Pointer to a SSL_DataBlock which contains the SSL session ID
- *        of the originating ssl session.
- */
-void SSL_Interpreter::fire_ssl_conn_reused(const SSL_DataBlock* pData)
-	{
-	EventHandlerPtr event = ssl_conn_reused;
-	if ( event )
-		{
-		val_list* vl = new val_list;
-		vl->append(proxy->BuildConnVal());
-		vl->append(MakeSessionID(pData->data, pData->len));
-		proxy->ConnectionEvent(event, vl);
-		}
-	}
-
-/*!
- * Wrapper function for the event ssl_conn_alert
- *
- * \param sslVersion the SSL version for which the event occured
- * \param level constant indicating the level of severity
- * \param description constant indicating the type of alert/error
- *
- * \see SSLProxy_Analyzer::SSL_Versions, SSL3x_AlertLevel, SSL3_1_AlertDescription
- *      and SSLv2_ErrorCodes.
- */
-void SSL_Interpreter::fire_ssl_conn_alert(uint16 sslVersion, uint16 level,
-						uint16 description)
-	{
-	if ( ssl_conn_alert )
-		{
-		EventHandlerPtr event = ssl_conn_alert;
-		if ( event )
-			{
-			val_list* vl = new val_list;
-			vl->append(proxy->BuildConnVal());
-			vl->append(new Val(sslVersion, TYPE_INT));
-			vl->append(new Val(level, TYPE_COUNT));
-			vl->append(new Val(description, TYPE_COUNT));
-
-			proxy->ConnectionEvent(event, vl);
-			}
-		}
-	}
-
-// Generate a session ID table.  Returns an empty table
-// if len is zero.
-TableVal* SSL_Interpreter::MakeSessionID(const u_char* data, int len)
-	{
-	TableVal* sessionIDTable = new TableVal(SSL_sessionID);
-
-	if ( ! len )
-		return sessionIDTable;
-
-	for ( int i = 0; i < len; i += 4 )
-		{
-		uint32 temp = (data[i] << 24) | (data[i + 1] << 16) |
-			      (data[i + 2] << 8) | data[i + 3];
-
-		Val* index = new Val(i / 4, TYPE_COUNT);
-
-		sessionIDTable->Assign(index, new Val(temp, TYPE_COUNT));
-
-		Unref(index);
-		}
-
-	return sessionIDTable;
-	}
-
-
-//--- SSL_InterpreterEndpoint -------------------------------------------------
-
-/*!
- * The constructor.
- *
- * \param interpreter Pointer to the instance of an SSL_Interpreter to which
- *                    this endpoint belongs to.
- * \param is_orig true if this endpoint is the originator of the connection,
- *                false otherwise
- * SC: an adjustment was made here since the endpoints are now assosciated with
- * TCP_Contents base objects rather than TCP_Endpoint.
- */
-SSL_InterpreterEndpoint::SSL_InterpreterEndpoint(SSL_Interpreter* arg_interpreter,
-							bool arg_is_orig )
-	{
-	interpreter = arg_interpreter;
-	is_orig = arg_is_orig;
-	proxyEndpoint = new Contents_SSL(interpreter->Proxy()->Conn(), is_orig);
-	ourProxyEndpoint = true;
-	}
-
-/*!
- * The destructor.
- */
-SSL_InterpreterEndpoint::~SSL_InterpreterEndpoint()
-	{
-	SetProxyEndpoint(0);
-	}
-
-/*!
- * \return true if there's currently data pending for this endpoint,
- *         false otherwise
- */
-bool SSL_InterpreterEndpoint::isDataPending()
-	{
-	return proxyEndpoint->isDataPending();
-	}
-
-/*!
- * Sets the peer of this endpoint.
- *
- * \param p Pointer to an interpreter endpoint which will be set as the peer
- *          of this endpoint.
- */
-void SSL_InterpreterEndpoint::SetPeer(SSL_InterpreterEndpoint* p)
-	{
-	peer = p;
-	}
-
-/*!
- * Sets the proxy endpoint of this endpoint.
- *
- * \param p Pointer to a Contents_SSL analyzer which will be set as the proxy endpoint
- *          of this endpoint.
- */
-void SSL_InterpreterEndpoint::SetProxyEndpoint(Contents_SSL* p)
-	{
-	if ( ourProxyEndpoint )
-		{
-		proxyEndpoint->Done();
-		delete proxyEndpoint;
-		ourProxyEndpoint = false;
-		}
-
-	proxyEndpoint = p;
-	}
-
-/*!
- * \return is_orig true if this endpoint is the originator of the connection,
- *                 false otherwise
- */
-int SSL_InterpreterEndpoint::IsOrig() const
-	{
-	return is_orig;
-	}
-
-/*!
- * \return the peer of this endpoint
- */
-SSL_InterpreterEndpoint* SSL_InterpreterEndpoint::Peer() const
-	{
-	return peer;
-	}
-
-/*!
- * \return the interpreter of this endpoint
- */
-SSL_Interpreter* SSL_InterpreterEndpoint::Interpreter() const
-	{
-	return interpreter;
-	}
-
-// --- CertStore --------------------------------------------------------------
-
-/*
- * The constructor.
- *
- * \param ip ip adress where this certificate came from
- * \param port port number where this certificate came from
- * \param hash hahssum for this certificate
- * \param size of this certificate in bytes
- */
-CertStore::CertStore(uint32 ip, uint32 arg_port, hash_t hash, int size)
-	{
-	ip_addr = ip;
-	certHash = hash;
-	certSize = size;
-	isValid = -1;
-	changes = 0;
-	port = arg_port;
-	}
-
-/*
- * This method can be used to compare certificates by certain criterias.
- *
- * \param hash hashsum of the certificate to compare
- * \param size size of the certificate to compare
- *
- * \return true if the criterias match, false otherwise
- */
-bool CertStore::isSameCert(hash_t hash, int length)
-	{
-	return hash == certHash && length == certSize;
-	}
diff --git a/src/SSLInterpreter.h b/src/SSLInterpreter.h
deleted file mode 100644
index 27ef2500d5..0000000000
--- a/src/SSLInterpreter.h
+++ /dev/null
@@ -1,142 +0,0 @@
-// $Id: SSLInterpreter.h 5988 2008-07-19 07:02:12Z vern $
-
-#ifndef sslinterpreter_h
-#define sslinterpreter_h
-
-#include "util.h"
-#include "SSLProxy.h"
-
-// --- forward declarations ----------------------------------------------------
-
-class SSLProxy_Analyzer;
-class Contents_SSL;
-class SSL_InterpreterEndpoint;
-class SSL_DataBlock;
-
-// --- SSL_Interpreter --------------------------------------------------------
-
-/*!
- * \brief This class is the abstract base-class for the different ssl
- *        interpreters used for the different ssl versions.
- *
- * Since there is currently no support in Bro for a change of the connection
- * type (IMAP -> TLS, for example), we decided not to inherit from the class
- * Connection. This way, we can easily switch to SSLv3x after we've seen (and
- * analyzed) a SSLv2 client hello record with a version number > SSLv2.
- *
- * There currently two (non-abstract) interpreters: SSLv2_Interpreter and
- * SSLv3_Interpreter. The first one supports SSL 2.0, the second one supports
- * both SSL 3.0 and SSL 3.1/TLS 1.0.
- *
- * See SSLProxy_Analyzer for additional information.
- */
-class SSL_Interpreter {
-public:
-	SSL_Interpreter(SSLProxy_Analyzer* proxy);
-	virtual ~SSL_Interpreter();
-
-	static uint32 analyzedCertificates; ///< how often analyzeCertificate() has been called
-	static uint32 verifiedCertificates; ///< how many certificates have actually been verified
-	static uint32 failedCertificates;   ///< how many certificates have failed verification
-	static uint32 certificateChains;    ///< counter for certificate chains
-
-	// In order to initialize the correct SSL_InterpreterEndpoints,
-	// override it in the corresponding subclass.
-	virtual void BuildInterpreterEndpoints() = 0;
-	virtual void Init();
-
-	SSL_InterpreterEndpoint* Orig() const;
-	SSL_InterpreterEndpoint* Resp() const;
-	SSLProxy_Analyzer* Proxy() const;
-	int Is_Orig(SSL_InterpreterEndpoint* p) const;
-
-	virtual void analyzeCertificate(SSL_InterpreterEndpoint* s,
-					 const u_char* data, int length,
-					 uint8 type, bool isChain);
-
-	void Weird(const char* name) const;
-
-	static void printStats();
-
-	void fire_ssl_conn_attempt(uint16 sslVersion,
-					TableVal* currentCipherSuites);
-	void fire_ssl_conn_server_reply(uint16 sslVersion,
-					TableVal* currentCipherSuites);
-	void fire_ssl_conn_established(uint16 sslVersion, uint32 cipherSuite);
-	void fire_ssl_conn_reused(const SSL_DataBlock* pData);
-	void fire_ssl_conn_alert(uint16 sslVersion, uint16 level,
-					uint16 description);
-
-protected:
-	TableVal* MakeSessionID(const u_char* data, int len);
-
-	SSLProxy_Analyzer* proxy;
-	SSL_InterpreterEndpoint* orig;
-	SSL_InterpreterEndpoint* resp;
-};
-
-// --- SSL_InterpreterEndpoint ------------------------------------------------
-
-/*!
- * \brief This abstract class represents the SSL_InterpreterEndpoints for the
- *        SSL_Interpreter.
- *
- * The key-method is Deliver() which receives the ssl records
- * from the SSLProxy_Analyzer. So overwrite the Deliver()-method and do
- * whatever analysis on the record content (and/or pass it to the corresponding
- * SSL_Interpreter).
- */
-class SSL_InterpreterEndpoint {
-public:
-	SSL_InterpreterEndpoint(SSL_Interpreter* interpreter, bool is_orig);
-	virtual ~SSL_InterpreterEndpoint();
-
-	/**This method is called by corresponding SSLProxy_Analyzer and
-	 * delivers the data.
-	 * @param t time, when the segment was received by bro (?)
-	 * @param len length of TCP-Segment
-	 * @param data content of TCP-Segment
-	 */
-	virtual void Deliver(int len, const u_char* data) = 0;
-	bool isDataPending();
-	void SetPeer(SSL_InterpreterEndpoint* p);
-	int IsOrig() const;
-	SSL_InterpreterEndpoint* Peer() const;
-	SSL_Interpreter* Interpreter() const;
-
-	Contents_SSL* GetProxyEndpoint()	{ return proxyEndpoint; }
-
-	void SetProxyEndpoint(Contents_SSL* proxyEndpoint);
-
-protected:
-	SSL_Interpreter* interpreter;  ///< Pointer to the SSL_Interpreter to which this endpoint belongs to
-	SSL_InterpreterEndpoint* peer; ///< Pointer to the peer of this endpoint
-	Contents_SSL* proxyEndpoint; ///< Pointer to the corresponding Contents_SSL
-	bool ourProxyEndpoint;	// true if we need to delete the proxyEndpoint
-	int is_orig;                   ///< true if this endpoint is the originator of the connection, false otherwise
-};
-
-// --- class CertStore --------------------------------------------------------
-/*!
- * \brief This class is used to store some information about a X509 certificate.
- *
- * To save memory, we only store some characteristic criterias about a
- * certificate, that's currently it's size and a hashsum.
- *
- * \note This class is currently <b>experimental</b>.
- */
-class CertStore {
-public:
-	uint32 ip_addr; ///< ip address where this certificate is from
-	uint32 port;    ///< port number where this certificate is from
-
-	int certSize;    ///< size of the certificate in bytes
-	hash_t certHash; ///< hashsum obver the entire certificate
-	int isValid;     ///< boolean value indicating if the certificate is valid
-	int changes;     ///< counter for how often this certificate has changed for the above ip + port number
-
-	CertStore(uint32 ip, uint32 port, hash_t hash, int size);
-	bool isSameCert(hash_t hash, int length);
-};
-
-#endif
diff --git a/src/SSLProxy.cc b/src/SSLProxy.cc
deleted file mode 100644
index a0cf73b8fb..0000000000
--- a/src/SSLProxy.cc
+++ /dev/null
@@ -1,832 +0,0 @@
-// $Id: SSLProxy.cc 6008 2008-07-23 00:24:22Z vern $
-
-#include "SSLProxy.h"
-#include "SSLv3.h"
-#include "SSLv2.h"
-
-// --- Initalization of static variables --------------------------------------
-
-uint SSLProxy_Analyzer::totalPackets = 0;
-uint SSLProxy_Analyzer::totalRecords = 0;
-uint SSLProxy_Analyzer::nonSSLConnections = 0;
-
-// --- SSL_DataBlock --------------------------------------------------------
-
-/*!
- * This constructor will allocate a block of data on the heap. If min_len is
- * given, it will determine the minimum size of the new block. The data block
- * referenced by data will be then be copied into the new block.
- *
- * \param data    Pointer to the data which will be copied into the newly
- *                allocated heap block.
- * \param len     Length of the data block to copy.
- * \param min_len The minimum size of data to allocate on the heap, can be omitted.
- */
-
-SSL_DataBlock::SSL_DataBlock(const u_char* arg_data, int len, int min_len)
-	{
-	// For performance reasons, we allocate at least min_len.
-	if ( len < min_len )
-		{
-		data = new u_char[min_len];
-		size = min_len;
-		}
-	else
-		{
-		data = new u_char[len];
-		this->size = len;
-		}
-
-	memcpy(data, arg_data, len);
-	this->len = len;
-	next = 0;
-	}
-
-/*!
- * This is an experimental function which will print the contents of the
- * internal data block in a human-readable fashion to a stream.
- *
- * \param stream The stream for printing the data block to.
- */
-
-void SSL_DataBlock::toStream(FILE* stream) const
-	{
-	if ( len <= 0 )
-		return;
-
-	int idx;
-	for ( idx = 0; idx < len-1; ++idx )
-		fprintf(stream, "%02X:", data[idx]);
-
-	fprintf(stream, "%02X", data[idx]);
-	}
-
-/*!
- * This is an experimental function which will print the contents of the
- * internal data block in a human-readable fashion to a string.
- *
- * \return A string which has to be freed by the caller.
- */
-
-char* SSL_DataBlock::toString() const
-	{
-	if ( len <= 0 )
-		{
-		// Currently, we return an empty string if data block is empty.
-		char* pDummy = new char[1];
-		pDummy[0] = '\0';
-		return pDummy;
-		}
-
-	char* pString = new char[len*3];
-	char* pItx = pString;
-
-	int idx;
-	for ( idx = 0; idx < len-1; ++idx )
-		{
-		sprintf(pItx, "%02X:", data[idx]);
-		pItx += 3;
-		}
-
-	sprintf(pItx, "%02X", data[idx]);
-
-	return pString;
-	}
-
-// --- SSL_RecordBuilder ------------------------------------------------------
-
-uint SSL_RecordBuilder::maxAllocCount = 0;
-uint SSL_RecordBuilder::maxFragmentCount = 0;
-uint SSL_RecordBuilder::fragmentedHeaders = 0;
-
-/*!
- * The constructor takes an Contents_SSL as parameter. Whenever a SSL
- * record has been reassembled, the DoDeliver() function of this
- * Contents_SSL will be called.
- *
- * \param sslEndpoint The Contents_SSL to which this instance of
- *        SSL_RecordBuilder is bound.
- */
-
-SSL_RecordBuilder::SSL_RecordBuilder(Contents_SSL* arg_sslEndpoint)
-	{
-	head = tail = 0;
-	currentSize = 0;
-	expectedSize = -1; // -1 means we don't know yet
-	hasPendingData = false;
-	fragmentCounter = 0;
-	neededSize = 5;  // we need at least 5 bytes to determine version
-
-	sslEndpoint = arg_sslEndpoint;
-	}
-
-/*!
- * The destructor frees the chain of SSL_DataBlocks.
- */
-
-SSL_RecordBuilder::~SSL_RecordBuilder()
-	{
-	// Free the data chain.
-	SSL_DataBlock* idx = head;
-	SSL_DataBlock* rm;
-
-	while ( idx )
-		{
-		rm  = idx;
-		idx = idx->next;
-		delete rm;
-		}
-	}
-
-/*!
- * This function is the main entry point of the class. Call it with a segment
- * of data to process.
- *
- * \param data   pointer to a data segment that will be reassembled
- * \param length length of the data segment to be reassembled
- *
- * \return true if succesfull, false otherwise
- */
-
-bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
-	{
-	while ( length > 0 )
-		{
-		if ( ! head )
-			{
-			// This is the first fragment of a SSLv2 record,
-			// so we analyze the header.
-
-			// Special case: SSL header has been fragmented.
-			if ( length < neededSize )
-				{
-				// We can't determine the record size yet,
-				// so we just add this stuff.
-				++fragmentedHeaders;
-				head = tail = new SSL_DataBlock(data, length,
-								MIN_ALLOC_SIZE);
-				currentSize += length;
-				expectedSize = -1;	// special meaning
-				break;
-				}
-
-			// Get the expected length of this record.
-			if ( ! computeExpectedSize(data, length) )
-				return false;
-
-			// Insert weird here replacing assert.
-			if ( neededSize > expectedSize )
-				{
-				sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
-				return false;
-				}
-
-			if ( tail != 0 )
-				{
-				sslEndpoint->Parent()->Weird("SSL_RecordBuilder::addSegment tail != 0");
-				return false;
-				}
-
-			if ( length > expectedSize )
-				{
-				// No fragmentation -> no memory-reallocation.
-				// We have additional data pending.
-				hasPendingData = true;
-				sslEndpoint->DoDeliver(expectedSize, data);
-				length -= expectedSize;
-				data += expectedSize;
-				expectedSize = -1;
-				}
-
-			else if ( length == expectedSize )
-				{
-				// No fragmentation -> no memory-reallocation.
-				// No additional data pending.
-				hasPendingData = false;
-				sslEndpoint->DoDeliver(expectedSize, data);
-				length -= expectedSize;
-				data += expectedSize;
-				expectedSize = -1;
-				break;
-				}
-			else
-
-				{
-				// First fragment of a record.
-				head = tail = new SSL_DataBlock(data, length,
-								MIN_ALLOC_SIZE);
-				currentSize += length;
-				break;
-				}
-
-			continue;
-			}
-
-		// ! head.
-		// We already have some data, so add the current
-		// segment special case.
-		if ( expectedSize < 0 )
-			{
-			// We don't know the expected size of
-			// this record yet.
-			if ( currentSize + length < neededSize )
-				{
-				// We still can't determine the expected size,
-				// so we just add the current fragment.
-				addData(data, length);
-				break;
-				}
-
-			// Now we can determine the expected size the
-			// header has been fragmented, so we have to
-			// reassemble it.
-			uint8 Header[neededSize];
-			memcpy(Header, head->data, head->len);
-			memcpy(Header + head->len, data, neededSize - head->len);
-			if ( ! computeExpectedSize(Header, neededSize) )
-				{
-				// Since neededSize <= MIN_ALLOC_SIZE,
-				// we free only head.
-				delete head;
-				head = tail = 0;
-				return false;
-				}
-
-			if ( neededSize > expectedSize )
-				{
-				sslEndpoint->Parent()->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
-				return false;
-				}
-
-			// No break, go on with this packet.
-			}
-
-		if ( currentSize + length == expectedSize )
-			{ // this is exactly the last segment of the record
-			hasPendingData = false;
-
-			// Create a continuous data structure and call
-			// DoDeliver().
-			u_char* pBlock = assembleBlocks(data, length);
-			sslEndpoint->DoDeliver(expectedSize, pBlock);
-			delete [] pBlock;
-			expectedSize = -1;
-			break;
-			}
-
-		else if ( currentSize + length < expectedSize )
-			{ // another (middle) segment
-			if ( length <= MIN_FRAGMENT_SIZE )
-				sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" );
-
-			addData(data, length);
-			break;
-			}
-
-		else
-			{
-			// This is the last fragment of the current record,
-			// but there's more data in this segment.
-			int deltaSize = expectedSize - currentSize;
-			hasPendingData = true;
-
-			// Create a continuous data structure and call
-			// DoDeliver().
-			u_char* pBlock = assembleBlocks(data, deltaSize);
-			sslEndpoint->DoDeliver(expectedSize, pBlock);
-			delete [] pBlock;
-			expectedSize = -1;
-
-			// Process the rest.
-			length -= deltaSize;
-			data += deltaSize;
-			}
-		} // while
-
-	return true;
-	}
-
-/*!
- * This function is called internally by addSegment(), and add's a new SSL
- * record fragment to the internally used list of SSL_DataBlocks. Note that
- * the data will be copied!
- *
- * \param data   pointer to the data that will be added
- * \param length length of the data that will be added
- */
-
-inline void SSL_RecordBuilder::addData(const u_char* data, int length)
-	{
-	++fragmentCounter;
-
-	// Check if there's some space left in the last datablock.
-	int bytesLeft = tail->size - tail->len;
-	if ( bytesLeft > 0 )
-		{
-		// There's some space left in the last data block.
-		if ( bytesLeft >= length )
-			{
-			// We can store all bytes in the last data block.
-			memcpy(tail->data + tail->len, data, length);
-			tail->len += length;
-			currentSize += length;
-			}
-		else
-			{
-			// We cannot store all bytes in the last data block,
-			// so we also need to add a new one.
-			memcpy(tail->data + tail->len, data, bytesLeft);
-			tail->len = tail->size;
-			currentSize += length;
-
-			data += bytesLeft;
-			length -= bytesLeft;
-
-			tail->next = new SSL_DataBlock(data, length, MIN_ALLOC_SIZE);
-			tail = tail->next;
-			}
-		}
-
-	else
-		{
-		// Last data block is full.
-		tail->next = new SSL_DataBlock(data, length, MIN_ALLOC_SIZE);
-		tail = tail->next;
-		currentSize += length;
-		}
-	}
-
-/*!
- * This function is called internally by addSegment(), whenever a SSL record
- * has been fully received. It creates a single data block from the list of
- * SSL record fragments while freeing them.
- *
- * \param data   pointer to the last SSL record fragment
- * \param length size of the last SSL record fragment
- *
- * \return pointer to a data block which contains the reassembled SSL record
- */
-
-u_char* SSL_RecordBuilder::assembleBlocks(const u_char* data, int length)
-	{
-	// We don't store the last SSL record fragment in a DataBlock,
-	// instead we get it directly as parameter.
-	u_char* dataptr = new u_char[currentSize + length];
-	u_char* nextseg = dataptr;
-
-	SSL_DataBlock* idx = head;
-	SSL_DataBlock* rm;
-	uint allocCounter = 0;
-
-	while ( idx )
-		{
-		++allocCounter;
-		memcpy(nextseg, idx->data, idx->len);
-		nextseg += idx->len;
-		rm = idx;
-		idx = idx->next;
-		delete rm;
-		}
-
-	// The last fragment isn't stored in a datablock.
-	memcpy(nextseg, data, length);
-
-	// The first and last fragments aren't counted.
-	fragmentCounter += 2;
-
-	// Update statistics.
-	if ( allocCounter > maxAllocCount )
-		maxAllocCount = allocCounter;
-
-	if ( fragmentCounter > maxFragmentCount )
-		maxFragmentCount = fragmentCounter;
-
-	fragmentCounter = 0;
-	currentSize = 0;
-	head = tail = 0;
-
-	return dataptr;
-	}
-
-/*!
- * This method is called internally by computeExpectedSize(), when the SSL
- * record format has not been determined yet. It tries to do so by using
- * heuristics, since there's no definitive way to distinguish SSLv2 vs. SSLv3
- * record headers.
- *
- * \param data   pointer to a data block containing the SSL record to analyze
- * \param length length of the SSL record to analyze, has to be >= neededSize!
- *
- * \return
- *         -  2 for SSLv2 record format
- *         -  3 for SSLv3 record format
- *         - -1 if an error occurred
- */
-
-int SSL_RecordBuilder::analyzeSSLRecordFormat(const u_char* data, int length)
-	{
-	// We have to use heuristics for this one.
-
-	if ( length < neededSize )
-		{
-		sslEndpoint->Parent()->Weird("SSLProxy: analyzeSSLRecordFormat length < neededSize");
-		return -1;
-		}
-
-	bool found_ssl3x = 0;
-	bool found_ssl2x = 0;
-
-	// SSLv3x-check.
-	SSL3_1_ContentType ct = SSL3_1_ContentType(uint8(*data));
-	switch ( ct ) {
-	case SSL3_1_TYPE_CHANGE_CIPHER_SPEC:
-	case SSL3_1_TYPE_ALERT:
-	case SSL3_1_TYPE_HANDSHAKE:
-	case SSL3_1_TYPE_APPLICATION_DATA:
-		{
-		sslEndpoint->sslVersion = ((data[1]) << 8) | data[2];
-		uint16 v = sslEndpoint->sslVersion;
-		if ( v == uint16(SSLProxy_Analyzer::SSLv30) ||
-		     v == uint16(SSLProxy_Analyzer::SSLv31) )
-			found_ssl3x = true;
-		break;
-		}
-	}
-
-	// SSLv2 check.
-	// We look for CLIENT-HELLOs, SERVER-HELLOs and ERRORs.
-	const u_char* pContents = data;
-	uint offset = 0;
-	uint16 size = 0;
-	if ( (data[0] & 0x80) > 0 )
-		{ // we have a two-byte record header
-		offset = 2;
-		size = (((data[0] & 0x7f) << 8) | data[1]) + 2;
-		}
-	else
-		{ // we have a three-byte record header
-		offset = 3;
-		size = (((data[0] & 0x3f) << 8) | data[1]) + 3;
-		}
-	pContents += offset;
-
-	switch ( SSLv2_MessageTypes(pContents[0]) ) {
-	case SSLv2_MT_ERROR:
-		if ( size == SSLv2_ERROR_RECORD_SIZE + offset)
-			{
-			found_ssl2x = true;
-			sslEndpoint->sslVersion =
-				uint16(SSLProxy_Analyzer::SSLv20);
-			}
-		break;
-
-	case SSLv2_MT_CLIENT_HELLO:
-		{
-		sslEndpoint->sslVersion =
-			uint16(pContents[1] << 8) | pContents[2];
-		uint16 v = sslEndpoint->sslVersion;
-
-		if ( v == SSLProxy_Analyzer::SSLv20 ||
-		     v == SSLProxy_Analyzer::SSLv30 ||
-		     v == SSLProxy_Analyzer::SSLv31 )
-			found_ssl2x = true;
-		break;
-		}
-
-	case SSLv2_MT_SERVER_HELLO:
-		{
-		sslEndpoint->sslVersion =
-			uint16(pContents[3] << 8) | pContents[4];
-		uint16 v = sslEndpoint->sslVersion;
-
-		if ( v == SSLProxy_Analyzer::SSLv20 ||
-		     v == SSLProxy_Analyzer::SSLv30 ||
-		     v == SSLProxy_Analyzer::SSLv31 )
-			found_ssl2x = true;
-		break;
-		}
-
-	default:
-		break;
-	}
-
-	// Consistency checks.
-	if ( (found_ssl3x || found_ssl2x) == false )
-		{
-		sslEndpoint->Parent()->Weird("SSLProxy: Could not determine SSL version!");
-		return -1;
-		}
-
-	if ( (found_ssl3x && found_ssl2x) == true )
-		{
-		sslEndpoint->Parent()->Weird("SSLProxy: Found ambigous SSL version!");
-		return -1;
-		}
-
-	if ( found_ssl2x )
-		return 2;
-	else
-		return 3;
-	}
-
-/*!
- * This method is called internally by addSegment() to determine the expected
- * size of a SSL record.
- *
- * \param data   pointer to the SSL record to analyze
- * \param length length of the SSL record to analyze
- *
- * \return true if succesfull, false otherwise
- */
-
-bool SSL_RecordBuilder::computeExpectedSize(const u_char* data, int length)
-	{
-	if ( sslEndpoint->sslRecordVersion < 0 )
-		{
-		// We don't know the ssl record format yet, so we try
-		// to find out.
-		sslEndpoint->sslRecordVersion =
-			analyzeSSLRecordFormat(data, length);
-
-		if ( sslEndpoint->sslRecordVersion != 2 &&
-		     sslEndpoint->sslRecordVersion != 3 )
-			// We could not determine the ssl record version.
-			return false;
-		}
-
-	// Get the expected length of this record.
-	if ( sslEndpoint->sslRecordVersion == 2 )
-		{
-		if ( (data[0] & 0x80) > 0 )
-			// We have a two-byte record header.
-			expectedSize = (((data[0] & 0x7f) << 8) | data[1]) + 2;
-		else
-			// We have a three-byte record header.
-			expectedSize = (((data[0] & 0x3f) << 8) | data[1]) + 3;
-		}
-
-	else if ( sslEndpoint->sslRecordVersion == 3 )
-		expectedSize = ((data[3] << 8) | data[4]) + 5;
-
-	if ( expectedSize < neededSize )
-		{
-		// This should never happen (otherwise: UNTESTED).
-		sslEndpoint->Parent()->Weird( "SSLProxy: expectedSize < neededSize in RecordBuilder!" );
-		return false;
-		}
-
-	return true;
-	}
-
-
-// --- SSL_Connection_Proxy ---------------------------------------------------
-
-bool SSLProxy_Analyzer::bInited = false;
-
-SSLProxy_Analyzer::SSLProxy_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, conn)
-	{
-	sSLv2Interpreter = new SSLv2_Interpreter(this);
-	sSLv3xInterpreter = new SSLv3_Interpreter(this);
-	sSLInterpreter = 0;
-	bPassThrough = false;
-	if ( ! bInited )
-		{
-		BuildCipherDict();
-		bInited = true;
-		}
-
-	AddSupportAnalyzer(sslpeo = new Contents_SSL(conn, true));
-	AddSupportAnalyzer(sslper = new Contents_SSL(conn, false));
-	}
-
-SSLProxy_Analyzer::~SSLProxy_Analyzer()
-	{
-	delete sSLv2Interpreter;
-	delete sSLv3xInterpreter;
-	}
-
-void SSLProxy_Analyzer::Init()
-	{
-	TCP_ApplicationAnalyzer::Init();
-
-	sSLv2Interpreter->Init();
-	sSLv3xInterpreter->Init();
-
-	sSLv2Interpreter->Orig()
-		->SetProxyEndpoint(sSLv3xInterpreter->Orig()->GetProxyEndpoint());
-	sSLv2Interpreter->Resp()
-		->SetProxyEndpoint(sSLv3xInterpreter->Resp()->GetProxyEndpoint());
-	}
-
-void SSLProxy_Analyzer::BuildCipherDict()
-	{
-	for ( uint idx = 0; idx < SSL_CipherSpecs_Count; ++idx )
-		{
-		HashKey h(static_cast<bro_uint_t>(SSL_CipherSpecs[idx].identifier));
-		SSL_CipherSpecDict.Insert(&h, &SSL_CipherSpecs[idx]);
-		}
-	}
-
-void SSLProxy_Analyzer::NewSSLRecord(Contents_SSL* endp,
-					int len, const u_char* data)
-	{
-	// This is to extract only SSLv2 traffic.
-	if ( recordSSLv2Traffic )
-		{
-		uint16 sslVersion = 0;
-		if ( (data[0] & 0x80) > 0 )
-			// We have a two-byte record header.
-			sslVersion = (data[3] << 8) | data[4];
-		else
-			// We have a three-byte record header.
-			sslVersion = (data[4] << 8) | data[5];
-
-		if ( ! endp->IsSSLv2Record() ||
-		     sslVersion != SSLProxy_Analyzer::SSLv20 )
-			{
-			SetSkip(1);
-			Conn()->SetRecordPackets(0);
-			Conn()->SetRecordContents(0);
-			// FIXME: Could do memory cleanup here.
-			}
-		else
-			// No analysis - only recording.
-			SetSkip(1);
-
-		return;
-		}
-
-	if ( bPassThrough )
-		{
-		DoDeliver(len, data, endp->IsOrig());
-		return;
-		}
-
-	if ( ! endp->IsSSLv2Record() )
-		{
-		// It's TLS or SSLv3, so we are done ...
-		sSLInterpreter = sSLv3xInterpreter;
-		bPassThrough = true;
-		// Tell the other record builder we have SSLv3x.
-		endp->sslRecordVersion = 3;
-		DoDeliver(len, data, endp->IsOrig());
-		}
-
-	else
-		{ // we have a SSLv2 record ...
-		sSLInterpreter = sSLv2Interpreter;
-
-		// Check whether it's the first or second we've seen ...
-		if ( sslpeo->VersionRecognized() &&
-		     sslper->VersionRecognized() )
-			{
-			// Second record we've seen.
-			// O.K. Both endpoints recognized the version.
-			// So this needs to be an SSLv2-Connection ...
-			bPassThrough = true;
-			DoDeliver(len, data, endp->IsOrig());
-			}
-
-		// First record we see.
-		// The next one may be SSLv2 or SSLv3x,
-		// we don't know yet ...
-		else if ( endp->sslVersion == SSLv20 )
-			{
-			// The client supports only SSLv2, so we're done.
-			bPassThrough = true;
-			endp->sslRecordVersion = 2;
-			endp->sslVersion = SSLv20;
-			DoDeliver(len, data, endp->IsOrig());
-			}
-
-		else
-			{
-			bPassThrough = false;
-			DoDeliver(len, data, endp->IsOrig());
-
-			// Transfer the state of the SSLv2-Interpreter
-			// to the state of the SSLv3x-Interpreter ...
-			if ( ((SSLv2_Interpreter*) sSLInterpreter)->ConnState() == CLIENT_HELLO_SEEN )
-				((SSLv3_Interpreter*) sSLv3xInterpreter)->SetState(SSL3_1_STATE_CLIENT_HELLO_SENT);
-			}
-		}
-	}
-
-void SSLProxy_Analyzer::DoDeliver(int len, const u_char* data, bool orig)
-	{
-	if ( orig )
-		sSLInterpreter->Orig()->Deliver(len, data);
-	else
-		sSLInterpreter->Resp()->Deliver(len, data);
-	}
-
-void SSLProxy_Analyzer::printStats()
-	{
-	printf("SSLProxy_Analyzer::totalPackets = %u\n", totalPackets);
-	printf("SSLProxy_Analyzer::totalRecords = %u\n", totalRecords);
-	printf("SSLProxy_Analyzer::nonSSLConnections = %u\n", nonSSLConnections);
-	}
-
-
-void SSLProxy_Analyzer::Weak(const char* name)
-	{
-	if ( ssl_conn_weak )
-		Event(ssl_conn_weak, name);
-	}
-
-// --- Contents_SSL ------------------------------------------------------
-
-/*!
- * mod Contents_SSL::Contents_SSL( TCP_Endpoint* arg_endpt, int stop_on_gap )
- *	: TCP_Contents( arg_conn, stop_on_gap, punt_on_partial )
- */
-
-Contents_SSL::Contents_SSL(Connection* conn, bool orig)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_SSL, conn, orig)
-	{
-	sslRecordBuilder = new SSL_RecordBuilder(this);
-	bVersionRecognized = false;
-	bIsSSLv2Record = false;
-
-	sslRecordVersion = -1;	// -1 means we don't know yet
-	sslVersion =  0;	// 0 means we don't know yet
-	}
-
-Contents_SSL::~Contents_SSL()
-	{
-	delete sslRecordBuilder;
-	}
-
-bool Contents_SSL::isDataPending()
-	{
-	return sslRecordBuilder->isDataPending();
-	}
-
-void Contents_SSL::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
-
-	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer *>(Parent())->TCP();
-	assert(tcp);
-
-	if ( tcp->HadGap(orig) || tcp->IsPartial() )
-		 return;
-
-	++SSLProxy_Analyzer::totalPackets;
-
-	TCP_Endpoint* endp = orig ? tcp->Orig() : tcp->Resp();
-
-#if 0
-	// FIXME: What's this???
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
-
-	if ( top_seq <= ack )
-		// There is no new data in this packet.
-		return;
-#endif
-
-	if ( len <= 0 )
-		return;
-
-	// No further processing if we have a partial connection.
-	if ( endp->state == TCP_ENDPOINT_PARTIAL ||
-	     endp->peer->state == TCP_ENDPOINT_PARTIAL )
-		{
-		Parent()->SetSkip(1);
-		Conn()->SetRecordPackets(0);
-		return;
-		}
-
-	if ( ! sslRecordBuilder->addSegment(data, len) )
-		{
-		// The RecordBuilder failed to determine the SSL record version,
-		// so we can't analyze this connection any further.
-		++SSLProxy_Analyzer::nonSSLConnections;
-		Parent()->Weird("SSL: Skipping connection (not an SSL connection?!)!");
-		Parent()->SetSkip(1);
-	    Conn()->SetRecordPackets(0);
-		}
-	}
-
-// Called by the RecordBuilder with a complete SSL record.
-void Contents_SSL::DoDeliver(int len, const u_char* data)
-	{
-	++SSLProxy_Analyzer::totalRecords;
-
-	bIsSSLv2Record = sslRecordVersion == 2;
-	bVersionRecognized = true;
-
-	((SSLProxy_Analyzer*) Parent())->NewSSLRecord(this, len, data);
-	}
-
-bool Contents_SSL::IsSSLv2Record()
-	{
-	return bIsSSLv2Record;
-	}
-
-bool Contents_SSL::VersionRecognized()
-	{
-	return bVersionRecognized;
-	}
diff --git a/src/SSLProxy.h b/src/SSLProxy.h
deleted file mode 100644
index e2d2567d52..0000000000
--- a/src/SSLProxy.h
+++ /dev/null
@@ -1,287 +0,0 @@
-// $Id: SSLProxy.h 5952 2008-07-13 19:45:15Z vern $
-
-#ifndef SSLPROXY_H
-#define SSLPROXY_H
-
-#include "TCP.h"
-#include "SSLInterpreter.h"
-#include "binpac_bro.h"
-
-// --- forward declarations ---------------------------------------------------
-
-class SSL_Interpreter;
-class SSL_RecordBuilder;
-class Contents_SSL;
-
-// --- class SSL_DataBlock ----------------------------------------------------
-
-/*!
- * \brief This class is used to store a block of data on the heap, which is
- *        allocated and copied by the constructor, and freed by the destructor.
- *
- * It is mainly used by the SSL_RecordBuilder to store the received data. To
- * reduce heap operations (HeapOps), which can be quite expensive, it is
- * possible to let the constructor allocate a minimum heap block size. The
- * class members keep track of how much data has been allocated and how much of
- * it has been used. Plus, there's a pointer to the next SSL_DataBlock, for
- * easy creation of a single-linked list.
- */
-
-class SSL_DataBlock {
-public:
-	SSL_DataBlock(const u_char* data, int len, int min_len = 0);
-
-	int len;	///< The <b>used</b> size of the reserved heap block.
-	int size;	///< The <b>allocated</b> size of the reserved heap block.
-	u_char* data;	///< Pointer to the allocated heap block.
-	SSL_DataBlock* next;	///< Pointer to the next SSL_Datablock in the chain.
-
-	/*!
-	 * The destructor will free the allocated data block.
-	 */
-	~SSL_DataBlock() { delete [] data; }
-
-	void toStream(FILE* stream) const;
-	char* toString() const;
-};
-
-// --- class SSL_RecordBuilder ------------------------------------------------
-
-/*!
- * \brief This class is used to reassemble SSL records from a stream of data.
- *
- * It supports both SSLv2 and SSLv3 record formats at the same time. The record
- * builder has been designed to be robust, efficient and hard to attack. To add
- * a segments of data, call addSegment(). Whenever a SSL record has been
- * reassembled, the DoDeliver() function of the corresponding Contents_SSL
- * will be called.
- *
- * Two forms of attack have been taken into consideration:
- * -# The "fake size" attack, where the actual size of the SSL record is much
- *    smaller then the size given in the record header. This way, an attacker
- *    could force Bro to allocate a huge amount of memory and make it crash.
- * -# The "small fragment" attack, where an attacker sends huge SSL records
- *    in very small (1 byte or so) TCP segments. This could lead to a huge
- *    amount of very small memory blocks allocated by Bro. After the last byte
- *    of an SSL record has been received, all allocated blocks have to be
- *    freed. Freeing something like 32K blocks of memory can be quite expensive,
- *    so packet drops may occur, which could prevent Bro from detecting an
- *    attacker.
- *
- * The current implementation always allocates a minimum size of data on the
- * heap, which is MIN_ALLOC_SIZE. The processed SSL record fragments are stored
- * in a single-linked list of type SSL_DataBlock.
- *
- * The following assumptions are made:
- * - neededSize <= min( expectedSize )
- * - neededSize <= MIN_ALLOC_SIZE, so the data needed to determine the SSL
- *   record version fits in one SSL_DataBlock
- */
-
-class SSL_RecordBuilder {
-public:
-	SSL_RecordBuilder(Contents_SSL* sslEndpoint);
-	~SSL_RecordBuilder();
-
-	static const uint MIN_ALLOC_SIZE = 16;	///< min. size of memory to alloc
-	static const int MIN_FRAGMENT_SIZE = 100;	///< min. size of a middle TCP Segment
-	static uint maxAllocCount;	///< max. number of allocated data blocks for an instance of a reassembler
-	static uint maxFragmentCount;	///< max. number of fragments for a ssl record
-	static uint fragmentedHeaders;	///< counter for the number of fragmented headers (header=neededSize)
-
-	bool addSegment(const u_char* data, int length);
-
-	/*!
-	 * Calls this method to see if there's currently data in the
-	 * record builder pending.
-	 * \return true if there's data pending, false otherwise
-	 */
-	bool isDataPending() { return hasPendingData; };
-
-protected:
-	u_char* assembleBlocks(const u_char* data, int length);
-	int analyzeSSLRecordFormat(const u_char* data, int length);
-	bool computeExpectedSize (const u_char* data, int length);
-	void addData(const u_char* data, int length);
-
-	SSL_DataBlock* head;	///< pointer to the first element in the linked list of SSL_DataBlocks
-	SSL_DataBlock* tail;	///< pointer to the last element in the linked list of SSL_DataBlocks
-	Contents_SSL*  sslEndpoint;	///< pointer to the containing Contents_SSL
-	int  expectedSize;	///< expected size of SSLv2 record including header
-	int  currentSize;	///< current bytes stored in data blocks (that is, processed size of actual record)
-	int  neededSize;	///< min. size in bytes so that the length of the current record can be determinded
-	bool hasPendingData;	///< true if there's data following in the current tcp segment
-	uint fragmentCounter;	///< counter for the number of tcp segments for the current record
-};
-
-
-// --- class SSLProxy_Analyzer ----------------------------------------------
-
-/** This class represents an SSL_Connection with two SSL_ConnectionEndpoints.
- * Note, that this class acts as a proxy, because there are different versions
- * of the SSL protocol in use and you don't know in advance which SSL version
- * really will be used. This depends on the first two messages of the SSL handshake
- * process. Because Bro offers no possibility for switching connections we
- * decided only to inherit this proxy from TCP_Connection.
- * The different SSL versions are implemented in classed derived from
- * SSL_Interpreter/SSL_InterpreterEndpoint and so, we can easily switch the flow
- * of data to the appropriate SSL Interpreter.
- * Currently, we support SSL Version 2.0 and 3.0/3.1(TLS)(@see SSLv2_Interpreter and @see
- * SSLv3_Interpreter).
- * This class holds an instance of both SSLv2- and SSLv3_Interpreter. The version
- * of the SSL that is used for a connection is negotiated within the first
- * two records (SSL messages): client hello and server hello.
- * So after scanning this two records (which is mainly done in @see SSL_RecordBuilder and
- * @see Contents_SSL) and determing the versions, it is clear which
- * SSL version will be used for the succeding SSL records. From now
- * on, they can be directly passed through to the appropriate SSL_Interpreter.
- *
- * FIXME: Now we have a dynamic analyzer framework so this could be restructured.
- */
-class SSLProxy_Analyzer: public TCP_ApplicationAnalyzer {
-public:
-	SSLProxy_Analyzer(Connection* conn);
-	virtual ~SSLProxy_Analyzer();
-
-	static uint totalPackets;	///< counter for total ssl packets seen
-	static uint totalRecords;	///< counter for total ssl records seen
-	static uint nonSSLConnections;	///< counter for connections where we couldn't reassemble a ssl record
-
-	static const bool recordSSLv2Traffic = false;	///< if true, only recording of SSLv2 connections is done (no analysis)
-
-	static bool bInited;
-
-	enum SSL_Versions {
-		SSLv20 = 0x0002,
-		SSLv30 = 0x0300,
-		SSLv31 = 0x0301  // = TLS 1.0
-	};
-
-	/* This method is called from the corresponding Contents_SSL to
-	 * deliver the data to the SSL_ProxyConnection. It decides which
-	 * SSL_Interpreter (Version 2 or Version 3x) gets the record or
-	 * directly passes it through, if it's already clear which version
-	 * this SSL connection uses.
-	 * @param endp the sending endpoint
-	 * @param len length of SSL record
-	 * @param data the SSL record
-	 *
-	 * SC mod  - pass a TCP_Contents rather than endpoint in terms of an actual
-	 * Contents_SSL.  There is much less overall work to do since we
-	 * have already done the assosciation.
-	 */
-	void NewSSLRecord(Contents_SSL* endp, int len, const u_char* data);
-
-	// Initialises the SSLv2- and SSLv3_Interpreters.
-	virtual void Init();
-
-	// This method is used for passing messages to Bro that contain
-	// information about weaknesses in the choosen SSL encryption
-	// (short keys, unverifyable certificates, ...)
-	// @param name the name of the weakness.
-	void Weak(const char* name);
-
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
-		{ return new SSLProxy_Analyzer(conn); }
-
-	static bool Available()
-		{
-		return (ssl_certificate_seen || ssl_certificate ||
-			ssl_conn_attempt || ssl_conn_server_reply ||
-			ssl_conn_established || ssl_conn_reused ||
-			ssl_conn_alert)
-			&& ! FLAGS_use_binpac;
-		}
-
-	static void printStats();
-
-protected:
-	bool bPassThrough;	///< whether it is clear which SSL version the connection will use
-
-	SSL_Interpreter* sSLv2Interpreter;	///< Interpreter for SSL version 2
-	SSL_Interpreter* sSLv3xInterpreter;	///< Interpreter for SSL version 3.0 and 3.1
-	SSL_Interpreter* sSLInterpreter;	///< Pointer to the interpreter currently in use
-
-	Contents_SSL* sslpeo;
-	Contents_SSL* sslper;
-
-	/** Internally called from this class Deliver()-method.
-	 * It delivers the data to the correct corresponding
-	 * SSL_InterpreterEndpoint.
-	 * @param endp the sending endpoint
-	 * @param t time, when the segment was received by bro (not used)
-	 * @param seq relative sequenze number (from Endpoint::start_seq) (not used)
-	 * @param len length of SSL record
-	 * @param data the SSL record
-	 */
-	void DoDeliver(int len, const u_char* data, bool orig);
-
-	// Initialises the dictionary where the SSL cipher specs are stored.
-	// It needs only to be called once for a whole bro. @see SSLDefines.h
-	void BuildCipherDict();
-};
-
-// --- class Contents_SSL ------------------------------------------------
-
-/** This class represents an endpoint of a SSLProxy_Analyzer.
- * It receives the new data (TCP segments) within the Deliver()-method, does
- * some basic checks on the segment and passes it on to the SSL_RecordBuilder,
- * which reassembles the segments into SSL records and determines the
- * versions of the records. If the SSL_RecordBuilder was able to determine
- * the versions of the records it delivers the reassembled records back tho this
- * Contents_SSL by calling the DoDeliver()-method.
- * The Contents_SSL then hands the record over to the corresponding
- * SSLProxy_Analyzer by invoking it's NewSSLRecord()-method.
- *
- * SC mod: change class Contents_SSL: public TCP_EndpointContents
- * to class Contents_SSL: public TCP_Contents
- * this is done since the class uses the Deliver() method to take care of data.
- *
- */
-class Contents_SSL: public TCP_SupportAnalyzer {
-public:
-	/* The constructor builds up and initialises the Contents_SSL.
-	 * @param conn the corresponding Connection
-	 * @param whether this is the originator
-	 */
-	Contents_SSL(Connection* conn, bool orig);
-	~Contents_SSL();
-
-	int sslRecordVersion;	///< record version of the first SSL record seen (set by SSLProxy_Analyzer and SSL_RecordBuilder)
-	uint16 sslVersion;	///< SSL version of the SSL record seen (set by SSL_RecordBuilder)
-
-	/** Via this method, this Contents_SSL receives the
-	 * TCP segments.
-	 * @param len length of TCP-Segment
-	 * @param data content of TCP-Segment
-	 * @param orig whether sending endpoint is originator
-	 */
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
-
-	/** This method is called by the corresponding SSL_RecordBuilder
-	 * upon delivering a new reassembled SSL record.
-	 * @param len the length of the record
-	 * @param data the record
-	 */
-	void DoDeliver(int len, const u_char* data);
-
-	/* @return whether we have already seen the first record of the connection of this endpoint yet
-	 */
-	bool VersionRecognized();
-
-	/* @return whether the first record was of SSL version 2.0
-	 */
-	bool IsSSLv2Record();
-
-	/* @return whether the corresponding SSL_RecordBuilder has pending data
-	 */
-	bool isDataPending(); // should be inline
-
-	SSL_RecordBuilder* sslRecordBuilder;
-
-protected:
-	bool bVersionRecognized;	///< False, if we haven't seen the first record of the connection of this endpoint yet
-	bool bIsSSLv2Record;	///< Was the first record of SSL version 2.0
-};
-
-#endif
diff --git a/src/SSLv2.cc b/src/SSLv2.cc
deleted file mode 100644
index 0252e4cb15..0000000000
--- a/src/SSLv2.cc
+++ /dev/null
@@ -1,946 +0,0 @@
-// $Id: SSLv2.cc 5988 2008-07-19 07:02:12Z vern $
-
-#include "SSLv2.h"
-#include "SSLv3.h"
-
-// --- Initalization of static variables --------------------------------------
-
-uint SSLv2_Interpreter::totalConnections = 0;
-uint SSLv2_Interpreter::analyzedConnections = 0;
-uint SSLv2_Interpreter::openedConnections = 0;
-uint SSLv2_Interpreter::failedConnections = 0;
-uint SSLv2_Interpreter::weirdConnections = 0;
-uint SSLv2_Interpreter::totalRecords = 0;
-uint SSLv2_Interpreter::clientHelloRecords = 0;
-uint SSLv2_Interpreter::serverHelloRecords = 0;
-uint SSLv2_Interpreter::clientMasterKeyRecords = 0;
-uint SSLv2_Interpreter::errorRecords = 0;
-
-
-// --- SSLv2_Interpreter -------------------------------------------------------
-
-/*!
- * The Constructor.
- *
- * \param proxy Pointer to the SSLProxy_Analyzer who created this instance.
- */
-SSLv2_Interpreter::SSLv2_Interpreter(SSLProxy_Analyzer* proxy)
-: SSL_Interpreter(proxy)
-	{
-	++totalConnections;
-	records = 0;
-	bAnalyzedCounted = false;
-	connState = START;
-
-	pServerCipherSpecs = 0;
-	pClientCipherSpecs = 0;
-	bClientWantsCachedSession = false;
-	usedCipherSpec = (SSLv2_CipherSpec) 0;
-
-	pConnectionId = 0;
-	pChallenge = 0;
-	pSessionId = 0;
-	pMasterClearKey = 0;
-	pMasterEncryptedKey = 0;
-	pClientReadKey = 0;
-	pServerReadKey = 0;
-	}
-
-/*!
- * The Destructor.
- */
-SSLv2_Interpreter::~SSLv2_Interpreter()
-	{
-	if ( connState != CLIENT_MASTERKEY_SEEN &&
-	     connState != CACHED_SESSION &&
-	     connState != START &&	// we only complain if we saw some data
-	     connState != ERROR_SEEN )
-		++failedConnections;
-
-	if ( connState != CLIENT_MASTERKEY_SEEN && connState != CACHED_SESSION )
-		++weirdConnections;
-
-	delete pServerCipherSpecs;
-	delete pClientCipherSpecs;
-	delete pConnectionId;
-	delete pChallenge;
-	delete pSessionId;
-	delete pMasterClearKey;
-	delete pMasterEncryptedKey;
-	delete pClientReadKey;
-	delete pServerReadKey;
-	}
-
-/*!
- * This method implements SSL_Interpreter::BuildInterpreterEndpoints()
- */
-void SSLv2_Interpreter::BuildInterpreterEndpoints()
-	{
-	orig = new SSLv2_Endpoint(this, 1);
-	resp = new SSLv2_Endpoint(this, 0);
-	}
-
-/*!
- * This method prints some counters.
- */
-void SSLv2_Interpreter::printStats()
-	{
-	printf("SSLv2:\n");
-	printf("totalConnections    = %u\n", totalConnections);
-	printf("analyzedConnections = %u\n", analyzedConnections);
-	printf("openedConnections   = %u\n", openedConnections);
-	printf("failedConnections   = %u\n", failedConnections);
-	printf("weirdConnections   = %u\n", weirdConnections);
-
-	printf("totalRecords            = %u\n", totalRecords);
-	printf("clientHelloRecords      = %u\n", clientHelloRecords);
-	printf("serverHelloRecords      = %u\n", serverHelloRecords);
-	printf("clientMasterKeyRecords  = %u\n", clientMasterKeyRecords);
-	printf("errorRecords            = %u\n", errorRecords);
-
-	printf("SSL_RecordBuilder::maxAllocCount     = %u\n", SSL_RecordBuilder::maxAllocCount);
-	printf("SSL_RecordBuilder::maxFragmentCount  = %u\n", SSL_RecordBuilder::maxFragmentCount);
-	printf("SSL_RecordBuilder::fragmentedHeaders = %u\n", SSL_RecordBuilder::fragmentedHeaders);
-	}
-
-/*!
- * \return the current state of the ssl connection
- */
-SSLv2_States SSLv2_Interpreter::ConnState()
-	{
-	return connState;
-	}
-
-/*!
- * This method is called by SSLv2_Endpoint::Deliver(). It is the main entry
- * point of this class. The header of the given SSLV2 record is analyzed and
- * its contents are then passed to the corresponding analyzer method. After
- * the record has been analyzed, the ssl connection state is updated.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 record
- * \param data pointer to SSLv2 record to analyze
- */
-void SSLv2_Interpreter::NewSSLRecord(SSL_InterpreterEndpoint* s,
-					int length, const u_char* data)
-	{
-	++records;
-	++totalRecords;
-
-	if ( ! bAnalyzedCounted )
-		{
-		++analyzedConnections;
-		bAnalyzedCounted = true;
-		}
-
-	// We should see a maximum of 4 cleartext records.
-	if ( records == 5 )
-		{ // so this should never happen
-		Weird("SSLv2: Saw more than 4 records, skipping connection...");
-		proxy->SetSkip(1);
-		return;
-		}
-
-	// SSLv2 record header analysis
-	uint32 recordLength = 0; // data length of SSLv2 record
-	bool isEscape = false;
-	uint8 padding = 0;
-	const u_char* contents;
-
-	if ( (data[0] & 0x80) > 0 )
-		{ // we have a two-byte record header
-		recordLength = ((data[0] & 0x7f) << 8) | data[1];
-		contents = data + 2;
-		if (  recordLength + 2 != uint32(length)  )
-			{
-			// This should never happen, otherwise
-			// we have a bug in the SSL_RecordBuilder.
-			Weird("SSLv2: FATAL: recordLength doesn't match data block length!");
-			connState = ERROR_REQUIRED;
-			proxy->SetSkip(1);
-			return;
-			}
-		}
-	else
-		{ // We have a three-byte record header.
-		recordLength = ((data[0] & 0x3f) << 8) | data[1];
-		isEscape = (data[0] & 0x40) != 0;
-		padding = data[2];
-		contents = data + 3;
-		if ( recordLength + 3 != uint32(length) )
-			{
-			// This should never happen, otherwise
-			// we have a bug in the SSL_RecordBuilder.
-			Weird("SSLv2: FATAL: recordLength doesn't match data block length!");
-			connState = ERROR_REQUIRED;
-			proxy->SetSkip(1);
-			return;
-			}
-
-		if ( padding == 0 && ! isEscape )
-			Weird("SSLv2: 3 Byte record header, but no escape, no padding!");
-		}
-
-	if ( recordLength == 0 )
-		{
-		Weird("SSLv2: Record length is zero (no record data)!");
-		return;
-		}
-
-	if ( isEscape )
-		Weird("SSLv2: Record has escape bit set (security escape)!");
-
-	if  ( padding > 0 && connState != CACHED_SESSION &&
-	      connState != CLIENT_MASTERKEY_SEEN )
-		Weird("SSLv2 record with padding > 0 in cleartext!");
-
-	// MISSING:
-	// A final consistency check is done when a block cipher is used
-	// and the protocol is using encryption. The amount of data present
-	// in a record (RECORD-LENGTH))must be a multiple of the cipher's
-	// block size.  If the received record is not a multiple of the
-	// cipher's block size then the record is considered damaged, and it
-	// is to be treated as if an "I/O Error" had occurred (i.e. an
-	// unrecoverable error is asserted and the connection is closed).
-
-	switch ( connState ) {
-	case START:
-		// Only CLIENT-HELLLOs allowed here.
-		if ( contents[0] != SSLv2_MT_CLIENT_HELLO )
-			{
-			Weird("SSLv2: First packet is not a CLIENT-HELLO!");
-			analyzeRecord(s, recordLength, contents);
-			connState = ERROR_REQUIRED;
-			}
-		else
-			connState = ClientHelloRecord(s, recordLength, contents);
-		break;
-
-	case CLIENT_HELLO_SEEN:
-		// Only SERVER-HELLOs or ERRORs allowed here.
-		if ( contents[0] == SSLv2_MT_SERVER_HELLO )
-			connState = ServerHelloRecord(s, recordLength, contents);
-		else if ( contents[0] == SSLv2_MT_ERROR )
-			connState = ErrorRecord(s, recordLength, contents);
-		else
-			{
-			Weird("SSLv2: State violation in CLIENT_HELLO_SEEN!");
-			analyzeRecord(s, recordLength, contents);
-			connState = ERROR_REQUIRED;
-			}
-		break;
-
-	case NEW_SESSION:
-		// We expect a client master key.
-		if ( contents[0] == SSLv2_MT_CLIENT_MASTER_KEY )
-			connState = ClientMasterKeyRecord(s, recordLength, contents);
-		else if ( contents[0] == SSLv2_MT_ERROR )
-			connState = ErrorRecord(s, recordLength, contents);
-		else
-			{
-			Weird("SSLv2: State violation in NEW_SESSION or encrypted record!");
-			analyzeRecord(s, recordLength, contents);
-			connState = ERROR_REQUIRED;
-			}
-
-		delete pServerCipherSpecs;
-		pServerCipherSpecs = 0;
-		break;
-
-	case CACHED_SESSION:
-		delete pServerCipherSpecs;
-		pServerCipherSpecs = 0;
-		// No break here.
-
-	case CLIENT_MASTERKEY_SEEN:
-		// If no error record, no further analysis.
-		if ( contents[0] == SSLv2_MT_ERROR &&
-		     recordLength == SSLv2_ERROR_RECORD_SIZE )
-			connState = ErrorRecord(s, recordLength, contents);
-		else
-			{
-			// So we finished the cleartext handshake.
-			// Skip all further data.
-
-			proxy->SetSkip(1);
-			++openedConnections;
-			}
-		break;
-
-	case ERROR_REQUIRED:
-		if ( contents[0] == SSLv2_MT_ERROR )
-			connState = ErrorRecord(s, recordLength, contents);
-		else
-			{
-			// We lost tracking: this should not happen.
-			Weird("SSLv2: State inconsistency in ERROR_REQUIRED (lost tracking!)!");
-			analyzeRecord(s, recordLength, contents);
-			connState = ERROR_REQUIRED;
-			}
-		break;
-
-	case ERROR_SEEN:
-		// We don't have recoverable errors in cleartext phase,
-		// so we shouldn't see anymore packets.
-		Weird("SSLv2: Traffic after error record!");
-		analyzeRecord(s, recordLength, contents);
-		break;
-
-	default:
-		internal_error("SSLv2: unknown state");
-		break;
-	}
-	}
-
-/*!
- * This method is called whenever the connection tracking failed. It calls
- * the corresponding analyzer method for the given SSLv2 record, but does not
- * update the ssl connection state.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 record
- * \param data pointer to SSLv2 record to analyze
- */
-void SSLv2_Interpreter::analyzeRecord(SSL_InterpreterEndpoint* s,
-					int length, const u_char* data)
-	{
-	switch ( data[0] ) {
-	case SSLv2_MT_ERROR:
-		ErrorRecord(s, length, data);
-		break;
-
-	case SSLv2_MT_CLIENT_HELLO:
-		ClientHelloRecord(s, length, data);
-		break;
-
-	case SSLv2_MT_CLIENT_MASTER_KEY:
-		ClientMasterKeyRecord(s, length, data);
-		break;
-
-	case SSLv2_MT_SERVER_HELLO:
-		ServerHelloRecord(s, length, data);
-		break;
-
-	case SSLv2_MT_CLIENT_FINISHED:
-	case SSLv2_MT_SERVER_VERIFY:
-	case SSLv2_MT_SERVER_FINISHED:
-	case SSLv2_MT_REQUEST_CERTIFICATE:
-	case SSLv2_MT_CLIENT_CERTIFICATE:
-		Weird("SSLv2: Encrypted record type seems to be in cleartext");
-		break;
-
-	default:
-		// Unknown record type.
-		Weird("SSLv2: Unknown record type or encrypted record");
-		break;
-	}
-	}
-
-/*!
- * This method analyses a SSLv2 CLIENT-HELLO record.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 CLIENT-HELLO record
- * \param data pointer to SSLv2 CLIENT-HELLO record to analyze
- *
- * \return the updated state of the current ssl connection
- */
-SSLv2_States SSLv2_Interpreter::ClientHelloRecord(SSL_InterpreterEndpoint* s,
-					int recordLength, const u_char* recordData)
-	{
-	// This method gets the record's data (without the header).
-	++clientHelloRecords;
-
-	if ( s != orig )
-		Weird("SSLv2: CLIENT-HELLO record from server!");
-
-	// There should not be any pending data in the SSLv2 reassembler,
-	// because the client should wait for a server response.
-	if ( ((SSLv2_Endpoint*) s)->isDataPending() )
-		Weird("SSLv2: Pending data in SSL_RecordBuilder after CLIENT-HELLO!");
-
-	// Client hello minimum header size check.
-	if ( recordLength < SSLv2_CLIENT_HELLO_HEADER_SIZE )
-		{
-		Weird("SSLv2: CLIENT-HELLO is too small!");
-		return ERROR_REQUIRED;
-		}
-
-	// Extract the data of the client hello header.
-	SSLv2_ClientHelloHeader ch;
-	ch.clientVersion = uint16(recordData[1] << 8) | recordData[2];
-	ch.cipherSpecLength = uint16(recordData[3] << 8) | recordData[4];
-	ch.sessionIdLength = uint16(recordData[5] << 8) | recordData[6];
-	ch.challengeLength = uint16(recordData[7] << 8) | recordData[8];
-
-	if ( ch.clientVersion != SSLProxy_Analyzer::SSLv20 &&
-	     ch.clientVersion != SSLProxy_Analyzer::SSLv30 &&
-	     ch.clientVersion != SSLProxy_Analyzer::SSLv31 )
-		{
-		Weird("SSLv2: Unsupported SSL-Version in CLIENT-HELLO");
-		return ERROR_REQUIRED;
-		}
-
-	if ( ch.challengeLength + ch.cipherSpecLength + ch.sessionIdLength +
-	     SSLv2_CLIENT_HELLO_HEADER_SIZE != recordLength )
-		{
-		Weird("SSLv2: Size inconsistency in CLIENT-HELLO");
-		return ERROR_REQUIRED;
-		}
-
-	// The CIPHER-SPECS-LENGTH must be > 0 and a multiple of 3.
-	if ( ch.cipherSpecLength == 0 || ch.cipherSpecLength % 3 != 0 )
-		{
-		Weird("SSLv2: Nonconform CIPHER-SPECS-LENGTH in CLIENT-HELLO.");
-		return ERROR_REQUIRED;
-		}
-
-	// The SESSION-ID-LENGTH must either be zero or 16.
-	if ( ch.sessionIdLength != 0 && ch.sessionIdLength != 16 )
-		Weird("SSLv2: Nonconform SESSION-ID-LENGTH in CLIENT-HELLO.");
-
-	if ( (ch.challengeLength < 16) || (ch.challengeLength > 32))
-		Weird("SSLv2: Nonconform CHALLENGE-LENGTH in CLIENT-HELLO.");
-
-	const u_char* ptr = recordData;
-	ptr += SSLv2_CLIENT_HELLO_HEADER_SIZE + ch.cipherSpecLength;
-
-	pSessionId = new SSL_DataBlock(ptr, ch.sessionIdLength);
-
-	// If decrypting, store the challenge.
-	if ( ssl_store_key_material && ch.challengeLength <= 32 )
-		pChallenge = new SSL_DataBlock(ptr, ch.challengeLength);
-
-	bClientWantsCachedSession = ch.sessionIdLength != 0;
-
-	TableVal* currentCipherSuites =
-		analyzeCiphers(s, ch.cipherSpecLength,
-			recordData + SSLv2_CLIENT_HELLO_HEADER_SIZE);
-
-	fire_ssl_conn_attempt(ch.clientVersion, currentCipherSuites);
-
-	return CLIENT_HELLO_SEEN;
-	}
-
-/*!
- * This method analyses a SSLv2 SERVER-HELLO record.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 SERVER-HELLO record
- * \param data pointer to SSLv2 SERVER-HELLO record to analyze
- *
- * \return the updated state of the current ssl connection
- */
-SSLv2_States SSLv2_Interpreter::ServerHelloRecord(SSL_InterpreterEndpoint* s,
-					int recordLength, const u_char* recordData)
-	{
-	++serverHelloRecords;
-	TableVal* currentCipherSuites = NULL;
-
-	if ( s != resp )
-		Weird("SSLv2: SERVER-HELLO from client!");
-
-	if ( recordLength < SSLv2_SERVER_HELLO_HEADER_SIZE )
-		{
-		Weird("SSLv2: SERVER-HELLO is too small!");
-		return ERROR_REQUIRED;
-		}
-
-	// Extract the data of the client hello header.
-	SSLv2_ServerHelloHeader sh;
-	sh.sessionIdHit = recordData[1];
-	sh.certificateType = recordData[2];
-	sh.serverVersion = uint16(recordData[3] << 8) | recordData[4];
-	sh.certificateLength = uint16(recordData[5] << 8) | recordData[6];
-	sh.cipherSpecLength = uint16(recordData[7] << 8) | recordData[8];
-	sh.connectionIdLength = uint16(recordData[9] << 8) | recordData[10];
-
-	if ( sh.serverVersion != SSLProxy_Analyzer::SSLv20 )
-		{
-		Weird("SSLv2: Unsupported SSL-Version in SERVER-HELLO");
-		return ERROR_REQUIRED;
-		}
-
-	if ( sh.certificateLength + sh.cipherSpecLength +
-	     sh.connectionIdLength +
-	     SSLv2_SERVER_HELLO_HEADER_SIZE != recordLength )
-		{
-		Weird("SSLv2: Size inconsistency in SERVER-HELLO");
-		return ERROR_REQUIRED;
-		}
-
-	// The length of the CONNECTION-ID must be between 16 and 32 bytes.
-	if ( sh.connectionIdLength < 16 || sh.connectionIdLength > 32 )
-		Weird("SSLv2: Nonconform CONNECTION-ID-LENGTH in SERVER-HELLO");
-
-	// If decrypting, store the connection ID.
-	if ( ssl_store_key_material && sh.connectionIdLength <= 32 )
-		{
-		const u_char* ptr = recordData;
-
-		ptr += SSLv2_SERVER_HELLO_HEADER_SIZE + sh.cipherSpecLength +
-		       sh.certificateLength;
-
-		pConnectionId = new SSL_DataBlock(ptr, sh.connectionIdLength);
-		}
-
-	if  ( sh.sessionIdHit == 0  )
-		{
-		// Generating reusing-connection event.
-		EventHandlerPtr event = ssl_session_insertion;
-
-		if ( event )
-			{
-			TableVal* sessionIDTable =
-				MakeSessionID(
-					recordData +
-						SSLv2_SERVER_HELLO_HEADER_SIZE +
-						sh.certificateLength +
-						sh.cipherSpecLength,
-					sh.connectionIdLength);
-
-			val_list* vl = new val_list;
-			vl->append(proxy->BuildConnVal());
-			vl->append(sessionIDTable);
-
-			proxy->ConnectionEvent(ssl_session_insertion, vl);
-			}
-		}
-
-	SSLv2_States nextState;
-
-	if ( sh.sessionIdHit != 0 )
-		{ // we're using a cached session
-
-		// There should not be any pending data in the SSLv2
-		// reassembler, because the server should wait for a
-		// client response.
-		if ( ((SSLv2_Endpoint*) s)->isDataPending() )
-			{
-			// But turns out some SSL Implementations do this
-			// when using a cached session.
-			}
-
-		// Consistency check for SESSION-ID-HIT.
-		if ( ! bClientWantsCachedSession )
-			Weird("SSLv2: SESSION-ID hit in SERVER-HELLO, but no SESSION-ID in CLIENT-HELLO!");
-
-		// If the SESSION-ID-HIT flag is non-zero then the
-		// CERTIFICATE-TYPE, CERTIFICATE-LENGTH and
-		// CIPHER-SPECS-LENGTH fields will be zero.
-		if ( sh.certificateType != 0 || sh.certificateLength != 0 ||
-		     sh.cipherSpecLength != 0 )
-			Weird("SSLv2: SESSION-ID-HIT, but session data in SERVER-HELLO");
-
-		// Generate reusing-connection event.
-		if ( pSessionId )
-			{
-			fire_ssl_conn_reused(pSessionId);
-			delete pSessionId;
-			pSessionId = 0;
-			}
-
-		nextState = CACHED_SESSION;
-		}
-	else
-		{ // we're starting a new session
-
-		// There should not be any pending data in the SSLv2
-		// reassembler, because the server should wait for
-		// a client response.
-		if ( ((SSLv2_Endpoint*) s)->isDataPending() )
-			Weird("SSLv2: Pending data in SSL_RecordBuilder after SERVER-HELLO (new session)!");
-
-		// TODO: check certificate length ???
-		if ( sh.certificateLength == 0 )
-			Weird("SSLv2: No certificate in SERVER-HELLO!");
-
-		// The CIPHER-SPECS-LENGTH must be > zero and a multiple of 3.
-		if ( sh.cipherSpecLength == 0 )
-			Weird("SSLv2: No CIPHER-SPECS in SERVER-HELLO!");
-
-		if ( sh.cipherSpecLength % 3 != 0 )
-			{
-			Weird("SSLv2: Nonconform CIPHER-SPECS-LENGTH in SERVER-HELLO");
-			return ERROR_REQUIRED;
-			}
-
-		const u_char* ptr = recordData;
-		ptr += sh.certificateLength + SSLv2_SERVER_HELLO_HEADER_SIZE;
-		currentCipherSuites = analyzeCiphers(s, sh.cipherSpecLength, ptr);
-
-		nextState = NEW_SESSION;
-		}
-
-	// Check if at least one cipher is supported by the client.
-	if ( pClientCipherSpecs && pServerCipherSpecs )
-		{
-		bool bFound = false;
-		for ( int i = 0; i < pClientCipherSpecs->len; i += 3 )
-			{
-			for ( int j = 0; j < pServerCipherSpecs->len; j += 3 )
-				{
-				if ( memcmp(pClientCipherSpecs + i,
-					    pServerCipherSpecs + j, 3) == 0 )
-					{
-					bFound = true;
-					i = pClientCipherSpecs->len;
-					break;
-					}
-				}
-			}
-
-		if ( ! bFound )
-			{
-			Weird("SSLv2: Client's and server's CIPHER-SPECS don't match!");
-			nextState = ERROR_REQUIRED;
-			}
-
-		delete pClientCipherSpecs;
-		pClientCipherSpecs = 0;
-		}
-
-	// Certificate analysis.
-	if ( sh.certificateLength > 0 && ssl_analyze_certificates != 0 )
-		{
-		analyzeCertificate(s, recordData + SSLv2_SERVER_HELLO_HEADER_SIZE,
-			sh.certificateLength, sh.certificateType, false);
-		}
-
-	if ( nextState == NEW_SESSION )
-		// generate server-reply event
-		fire_ssl_conn_server_reply(sh.serverVersion, currentCipherSuites);
-
-	else if ( nextState == CACHED_SESSION )
-		{ // generate server-reply event
-		fire_ssl_conn_server_reply(sh.serverVersion, currentCipherSuites);
-		// Generate a connection-established event with a dummy
-		// cipher suite, since we can't remember session information
-		// (yet).
-		// Note: A new session identifier is sent encrypted in SSLv2!
-		fire_ssl_conn_established(sh.serverVersion, 0xABCD);
-		}
-	else
-		// Unref, since the table is not delivered to any event.
-	        Unref(currentCipherSuites);
-
-	return nextState;
-	}
-
-/*!
- * This method analyses a SSLv2 CLIENT-MASTER-KEY record.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 CLIENT-MASTER-KEY record
- * \param data pointer to SSLv2 CLIENT-MASTER-KEY record to analyze
- *
- * \return the updated state of the current ssl connection
- */
-SSLv2_States SSLv2_Interpreter::
-	ClientMasterKeyRecord(SSL_InterpreterEndpoint* s, int recordLength,
-				const u_char* recordData)
-	{
-	++clientMasterKeyRecords;
-	SSLv2_States nextState = CLIENT_MASTERKEY_SEEN;
-
-	if ( s != orig )
-		Weird("SSLv2: CLIENT-MASTER-KEY from server!");
-
-	if ( recordLength < SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE )
-		{
-		Weird("SSLv2: CLIENT-MASTER-KEY is too small!");
-		return ERROR_REQUIRED;
-		}
-
-	// Extract the data of the client master key header.
-	SSLv2_ClientMasterKeyHeader cmk;
-	cmk.cipherKind =
-		((recordData[1] << 16) | recordData[2] << 8) | recordData[3];
-	cmk.clearKeyLength = uint16(recordData[4] << 8) | recordData[5];
-	cmk.encryptedKeyLength = uint16(recordData[6] << 8) | recordData[7];
-	cmk.keyArgLength = uint16(recordData[8] << 8) | recordData[9];
-
-	if ( cmk.clearKeyLength + cmk.encryptedKeyLength + cmk.keyArgLength +
-	     SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE != recordLength )
-		{
-		Weird("SSLv2: Size inconsistency in CLIENT-MASTER-KEY");
-		return ERROR_REQUIRED;
-		}
-
-	// Check if cipher is supported by the server.
-	if ( pServerCipherSpecs )
-		{
-		bool bFound = false;
-		for ( int i = 0; i < pServerCipherSpecs->len; i += 3 )
-			{
-			uint32 cipherSpec =
-				((pServerCipherSpecs->data[i] << 16) |
-				 pServerCipherSpecs->data[i+1] << 8) |
-				pServerCipherSpecs->data[i+2];
-
-			if ( cmk.cipherKind == cipherSpec )
-				{
-				bFound = true;
-				break;
-				}
-			}
-
-		if ( ! bFound )
-			{
-			Weird("SSLv2: Client chooses unadvertised cipher in CLIENT-MASTER-KEY!");
-			nextState = ERROR_REQUIRED;
-			}
-		else
-			nextState = CLIENT_MASTERKEY_SEEN;
-
-		delete pServerCipherSpecs;
-		pServerCipherSpecs = 0;
-		}
-
-	// TODO: check if cipher has been advertised before.
-
-	SSL_CipherSpec* pCipherSpecTemp = 0;
-
-	HashKey h(static_cast<bro_uint_t>(cmk.cipherKind));
-	pCipherSpecTemp = (SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
-	if ( ! pCipherSpecTemp || ! (pCipherSpecTemp->flags & SSL_FLAG_SSLv20) )
-		Weird("SSLv2: Unknown CIPHER-SPEC in CLIENT-MASTER-KEY!");
-	else
-		{ // check for conistency of clearKeyLength
-		if ( cmk.clearKeyLength * 8 != pCipherSpecTemp->clearKeySize )
-			{
-			Weird("SSLv2: Inconsistency of clearKeyLength in CLIENT-MASTER-KEY!");
-			// nextState = ERROR_REQUIRED;
-			}
-
-		// TODO: check for consistency of encryptedKeyLength.
-		// TODO: check for consistency of keyArgLength.
-//		switch ( cmk.cipherKind )
-//			{
-//			case SSL_CK_RC4_128_WITH_MD5:
-//			case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
-//				if ( cmk.keyArgLength != 0 )
-//					{
-//					Weird("SSLv2: Inconsistency of keyArgLength in CLIENT-MASTER-KEY!");
-//					//nextState = ERROR_REQUIRED;
-//					}
-//			break;
-//			case SSL_CK_DES_64_CBC_WITH_MD5:
-//			case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
-//			case SSL_CK_RC2_128_CBC_WITH_MD5:
-//				case SSL_CK_IDEA_128_CBC_WITH_MD5:
-//			case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
-//				if ( cmk.keyArgLength != 8 )
-//					{
-//					Weird("SSLv2: Inconsistency of keyArgLength in CLIENT-MASTER-KEY!");
-//					}
-//			break;
-//			}
-		}
-
-	// Remember the used cipher spec.
-	usedCipherSpec = SSLv2_CipherSpec(cmk.cipherKind);
-
-	// If decrypting, store the clear key part of the master key.
-	if ( ssl_store_key_material /* && cmk.clearKeyLength == 11 */ )
-		{
-		pMasterClearKey =
-			new SSL_DataBlock((recordData + SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE), cmk.clearKeyLength);
-
-		pMasterEncryptedKey =
-			new SSL_DataBlock((recordData + SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE + cmk.clearKeyLength ), cmk.encryptedKeyLength);
-		}
-
-	if ( nextState == CLIENT_MASTERKEY_SEEN )
-		fire_ssl_conn_established(SSLProxy_Analyzer::SSLv20,
-						cmk.cipherKind);
-
-	return nextState;
-	}
-
-
-/*!
- * This method analyses a SSLv2 ERROR record.
- *
- * \param s Pointer to the endpoint which sent the record
- * \param length length of SSLv2 ERROR record
- * \param data pointer to SSLv2 ERROR record to analyze
- *
- * \return the updated state of the current ssl connection
- */
-SSLv2_States SSLv2_Interpreter::ErrorRecord(SSL_InterpreterEndpoint* s,
-					int recordLength, const u_char* recordData)
-	{
-	++errorRecords;
-
-	if ( unsigned(recordLength) != SSLv2_ERROR_RECORD_SIZE )
-		{
-		Weird("SSLv2: Size mismatch in Error Record!");
-		return ERROR_REQUIRED;
-		}
-
-	SSLv2_ErrorRecord er;
-	er.errorCode = (recordData[1] << 8) | recordData[2];
-	SSL3x_AlertLevel al = SSL3x_AlertLevel(255);
-
-	switch ( er.errorCode ) {
-	case SSLv2_PE_NO_CIPHER:
-		// The client doesn't support a cipher which the server
-		// supports.  Only from client to server and not recoverable!
-		al = SSL3x_ALERT_LEVEL_FATAL;
-		break;
-
-	case SSLv2_PE_NO_CERTIFICATE:
-		if ( s == orig )
-			// from client to server: not recoverable
-			al = SSL3x_ALERT_LEVEL_FATAL;
-		else
-			// from server to client: recoverable
-			al = SSL3x_ALERT_LEVEL_WARNING;
-		break;
-
-	case SSLv2_PE_BAD_CERTIFICATE:
-		if ( s == orig )
-			// from client to server: not recoverable
-			al = SSL3x_ALERT_LEVEL_FATAL;
-		else
-			// from server to client: recoverable
-			al = SSL3x_ALERT_LEVEL_WARNING;
-		break;
-
-	case SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE:
-		if ( s == orig )
-			// from client to server: not recoverable
-			al = SSL3x_ALERT_LEVEL_FATAL;
-		else
-			// from server to client: recoverable
-			al = SSL3x_ALERT_LEVEL_WARNING;
-		break;
-
-	default:
-		al = SSL3x_ALERT_LEVEL_FATAL;
-		break;
-	}
-
-	fire_ssl_conn_alert(SSLProxy_Analyzer::SSLv20, al, er.errorCode);
-
-	return ERROR_SEEN;
-	}
-
-/*!
- * This method analyses a set of SSLv2 cipher suites.
- *
- * \param s Pointer to the endpoint which sent the cipher suites
- * \param length length of cipher suites
- * \param data pointer to cipher suites to analyze
- *
- * \return a pointer to a Bro TableVal (of type cipher_suites_list) which contains
- *         the cipher suites list of the current analyzed record
- */
-TableVal* SSLv2_Interpreter::analyzeCiphers(SSL_InterpreterEndpoint* s,
-						int length, const u_char* data)
-	{
-	if ( length > MAX_CIPHERSPEC_SIZE )
-		{
-		if ( s == orig )
-			Weird("SSLv2: Client has CipherSpecs > MAX_CIPHERSPEC_SIZE");
-		else
-			Weird("SSLv2: Server has CipherSpecs > MAX_CIPHERSPEC_SIZE");
-		}
-	else
-		{ // cipher specs are not too big
-		if ( ssl_compare_cipherspecs )
-			{ // store cipher specs for state analysis
-			if ( s == resp )
-				pServerCipherSpecs =
-					new SSL_DataBlock(data, length);
-			else
-				pClientCipherSpecs =
-					new SSL_DataBlock(data, length);
-			}
-		}
-
-	const u_char* pCipher = data;
-	bool bExtractCipherSuite = false;
-	TableVal* pCipherTable = 0;
-
-	// We only extract the cipher suite when the corresponding
-	// ssl events are defined (otherwise we do work for nothing
-	// and suffer a memory leak).
-	// FIXME: This check needs to be done only once!
-	if ( (s == orig && ssl_conn_attempt) ||
-	     (s == resp && ssl_conn_server_reply) )
-		{
-		pCipherTable = new TableVal(cipher_suites_list);
-		bExtractCipherSuite = true;
-		}
-
-	for ( int i = 0; i < length; i += 3 )
-		{
-		SSL_CipherSpec* pCurrentCipherSpec;
-		uint32 cipherSpecID =
-			((pCipher[0] << 16) | pCipher[1] << 8) | pCipher[2];
-
-		// Check for unknown cipher specs.
-		HashKey h(static_cast<bro_uint_t>(cipherSpecID));
-		pCurrentCipherSpec =
-			(SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
-
-		if ( ! pCurrentCipherSpec )
-			{
-			if ( s == orig )
-				Weird("SSLv2: Unknown CIPHER-SPEC in CLIENT-HELLO!");
-			else
-				Weird("SSLv2: Unknown CIPHER-SPEC in SERVER-HELLO!");
-			}
-
-		if ( bExtractCipherSuite )
-			{
-			Val* index = new Val(cipherSpecID, TYPE_COUNT);
-			pCipherTable->Assign(index, 0);
-			Unref(index);
-			}
-
-		pCipher += 3;
-		}
-
-	return pCipherTable;
-	}
-
-// --- SSLv2_EndPoint ---------------------------------------------------------
-
-/*!
- * The constructor.
- *
- * \param interpreter Pointer to the SSLv2 interpreter to whom this endpoint belongs to
- * \param is_orig true if this is the originating endpoint of the ssl connection,
- *                false otherwise
- */
-SSLv2_Endpoint::SSLv2_Endpoint(SSLv2_Interpreter* interpreter, int is_orig)
-: SSL_InterpreterEndpoint(interpreter, is_orig)
-	{
-	sentRecords = 0;
-	}
-
-/*!
- * The destructor.
- */
-SSLv2_Endpoint::~SSLv2_Endpoint()
-	{
-	}
-
-/*!
- * This method is called by the SSLProxy_Analyzer with a complete reassembled
- * SSLv2 record. It passes the record to SSLv2_Interpreter::NewSSLRecord().
- *
- * \param t <b>reserved</b> (always zero)
- * \param seq <b>reserved</b> (always zero)
- * \param len length of the data block containing the ssl record
- * \param data pointer to the data block containing the ssl record
- */
-void SSLv2_Endpoint::Deliver(int len, const u_char* data)
-	{
-	++((SSLv2_Endpoint*)peer)->sentRecords;
-
-	((SSLv2_Interpreter*)interpreter)->NewSSLRecord(this, len, data);
-	}
diff --git a/src/SSLv2.h b/src/SSLv2.h
deleted file mode 100644
index d4719a20c6..0000000000
--- a/src/SSLv2.h
+++ /dev/null
@@ -1,239 +0,0 @@
-// $Id: SSLv2.h 3526 2006-09-12 07:32:21Z vern $
-
-#ifndef SSLV2_H
-#define SSLV2_H
-
-#include "SSLInterpreter.h"
-#include "SSLCiphers.h"
-
-// --- constants for SSLv2 ---------------------------------------------------
-
-/*!
- * In SSLv2, each record is of a special message type. Note that the message
- * type is encrypted if the record has been encrypted, so we can determine
- * the message type only if we have a cleartext record.
- */
-enum SSLv2_MessageTypes {
-	SSLv2_MT_ERROR = 0,	///< can be in cleartext or encrypted
-	SSLv2_MT_CLIENT_HELLO = 1,	///< always in cleartext
-	SSLv2_MT_CLIENT_MASTER_KEY = 2,	///< always in cleartext
-	SSLv2_MT_CLIENT_FINISHED = 3,	///< always encrypted
-	SSLv2_MT_SERVER_HELLO = 4,	///< always in cleartext
-	SSLv2_MT_SERVER_VERIFY = 5,	///< always encrypted
-	SSLv2_MT_SERVER_FINISHED = 6,	///< always encrypted
-	SSLv2_MT_REQUEST_CERTIFICATE = 7,	///< always encrypted
-	SSLv2_MT_CLIENT_CERTIFICATE = 8,	///< always encrypted
-};
-
-// Certificate Type Codes.
-//
-// Authentication Type Codes
-// #define SSL_AT_MD5_WITH_RSA_ENCRYPTION		0x01
-// Upper/Lower Bounds
-// #define SSL_MAX_MASTER_KEY_LENGTH_IN_BITS	256
-// #define SSL_MAX_SESSION_ID_LENGTH_IN_BYTES	16
-// #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES	64
-// #define SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER	32767
-// #define SSL_MAX_RECORD_LENGTH_3_BYTE_HEADER	16383
-
-const uint8 SSLv2_CT_X509_CERTIFICATE = 0x01;
-
-/*!
- * Error codes used in the error record.
- */
-enum SSLv2_ErrorCodes {
-	SSLv2_PE_NO_CIPHER                    = 0x0001,
-	SSLv2_PE_NO_CERTIFICATE               = 0x0002,
-	SSLv2_PE_BAD_CERTIFICATE              = 0x0004,
-	SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006
-};
-
-// --- structs ----------------------------------------------------------------
-
-const int SSLv2_CLIENT_HELLO_HEADER_SIZE = 9;
-struct SSLv2_ClientHelloHeader {
-	uint8  messageType;
-	uint16 clientVersion;
-	uint16 cipherSpecLength;
-	uint16 sessionIdLength;
-	uint16 challengeLength;
-};
-
-const int SSLv2_SERVER_HELLO_HEADER_SIZE = 11;
-struct SSLv2_ServerHelloHeader {
-	uint8  messageType;
-	uint8  sessionIdHit;
-	uint8  certificateType;
-	uint16 serverVersion;
-	uint16 certificateLength;
-	uint16 cipherSpecLength;
-	uint16 connectionIdLength;
-};
-
-const int SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE = 10;
-struct SSLv2_ClientMasterKeyHeader {
-	uint8  messageType;
-	uint32 cipherKind; // caution: is an uint24
-	uint16 clearKeyLength;
-	uint16 encryptedKeyLength;
-	uint16 keyArgLength;
-};
-
-const unsigned int SSLv2_ERROR_RECORD_SIZE = 3;
-struct SSLv2_ErrorRecord {
-	uint8  messageType;
-	uint16 errorCode;
-};
-
-const unsigned int SSLv2_CLIENT_FINISHED_HEADER_SIZE = 1;
-struct SSLv2_ClientFinished {
-	uint8 messageType;
-	//char CONNECTION-ID[N-1]
-};
-
-struct SSLv2_ServerVerify {
-	uint8 messageType;
-	//char CHALLENGE-DATA[N-1]
-};
-
-struct SSLv2_ServerFinished {
-	uint8 messageType;
-	//char SESSION-ID-DATA[N-1]
-};
-
-// MISSING:
-// CLIENT-CERTIFICATE
-// REQUEST-CERTIFICATE
-
-/*!
- * States used by the internal SSLv2 automaton.
- */
-enum SSLv2_States {
-	START,                 ///< start state, no data seen yet
-	CLIENT_HELLO_SEEN,     ///< client hello flew by
-	NEW_SESSION,           ///< server hello with sessionIdHit == 0 seen
-	CACHED_SESSION,        ///< server hello with sessionIdHit != 0 seen
-	CLIENT_MASTERKEY_SEEN, ///< we saw a client master key record
-	ERROR_SEEN,            ///< we saw an error record
-	ERROR_REQUIRED         ///< one of our critical checks failed, so we think we should see an error record
-};
-
-
-// --- forward declarations ---------------------------------------------------
-
-class SSLv2_Interpreter;
-class SSLv2_Endpoint;
-class SSLv2_Record;
-class SSL_DataBlock;
-class SSL_RecordBuilder;
-
-// --- class SSLv2_Interpreter ------------------------------------------------
-
-/*!
- * \brief This class is used to analyze SSLv2 connections.
- *
- * Since there's currently no support for decrypting ssl connections, analysis
- * stops when a connection switches to encrypted communication.
- * The interpreter does several checks, both record- and connection-orientated.
- *
- * The record checks mainly consist of consistency checks, where the correct
- * use of the SSL 2.0 specification is checked. Furthermore, the CIPHER-SPECS
- * of the client and the server can be compared to detect non-intersecting sets.
- *
- * The connection check monitors the handshaking process for invalid transitions,
- * until the end of the cleartext phase.
- *
- * Several events are thrown for BroScript, including client connection attempt,
- * server reply, ssl connection establishment/reuse of former connection, proposed
- * cipher suites and certificates seen.
- *
- * \see SSLv2_Endpoint
- */
-class SSLv2_Interpreter : public SSL_Interpreter {
-public:
-	SSLv2_Interpreter(SSLProxy_Analyzer* proxy);
-	~SSLv2_Interpreter();
-
-	void NewSSLRecord(SSL_InterpreterEndpoint* s, int length, const u_char* data);
-	void analyzeRecord(SSL_InterpreterEndpoint* s, int length, const u_char* data);
-	SSLv2_States ClientHelloRecord(SSL_InterpreterEndpoint* s,
-	                                int recordLength,
-	                                const u_char* recordData);
-	SSLv2_States ServerHelloRecord(SSL_InterpreterEndpoint* s,
-	                                int recordLength, const u_char* recordData);
-	SSLv2_States ClientMasterKeyRecord(SSL_InterpreterEndpoint* s,
-	                                    int recordLength,
-	                                    const u_char* recordData);
-	SSLv2_States ErrorRecord(SSL_InterpreterEndpoint* s,
-	                          int recordLength,
-	                          const u_char* recordData);
-
-	TableVal* analyzeCiphers(SSL_InterpreterEndpoint* s,
-					int length, const u_char* data);
-	SSLv2_States ConnState();
-
-	static void printStats();
-
-#define MAX_CIPHERSPEC_SIZE ssl_max_cipherspec_size
-
-	// Global connection counters.
-	static uint totalConnections;	///< counter for total sslv2 connections
-	static uint analyzedConnections;	///< counter for analyzed (=not partial) connections
-	static uint openedConnections;	///< counter for SSLv2 connections with complete handshake
-	static uint failedConnections;	///< counter for SSLv2 connections with failed but correct handshake
-	static uint weirdConnections;	///< counter for SSLv2 connections with failed and weird handshake
-
-	// Global record counters.
-	static uint totalRecords;	///< counter for total SSLv2 records seen
-	static uint clientHelloRecords;	///< counter for SSLv2 CLIENT-HELLOs seen
-	static uint serverHelloRecords;	///< counter for SSLv2 SERVER-HELLOs seen
-	static uint clientMasterKeyRecords;	///< counter for SSLv2 CLIENT-MASTER-KEYSs seen
-	static uint errorRecords;	///< counter for SSLv2 ERRORs seen
-
-	// Counters for this instance.
-	uint32 records;	///< counter for SSLv2 records of this connection
-	SSLv2_States connState;	///< state of connection
-
-	bool bAnalyzedCounted;	///< flag for counting analyzedConnections
-
-	// FIXME: this should be states.
-	bool bClientWantsCachedSession;	///< true if the client wants a cached session, false otherwise
-
-
-protected:
-	void BuildInterpreterEndpoints();
-
-	SSL_DataBlock* pClientCipherSpecs;	///< the CIPHER-SPECs from the client
-	SSL_DataBlock* pServerCipherSpecs;	///< the CIPHER-SPECs from the server
-	SSLv2_CipherSpec usedCipherSpec;	///< the used CIPHER-SPEC for this connection
-
-	// Currently experimental:
-	SSL_DataBlock* pConnectionId;	// 16 <= ConnectionId <= 32
-	SSL_DataBlock* pChallenge;	// 16 <= Challenge <= 32
-	SSL_DataBlock* pSessionId;	// has to be 16 Bytes
-	SSL_DataBlock* pMasterClearKey;
-	SSL_DataBlock* pMasterEncryptedKey;
-	SSL_DataBlock* pClientReadKey;
-	SSL_DataBlock* pServerReadKey;
-};
-
-// --- class SSLv2_Endpoint ---------------------------------------------------
-
-/*!
- * \brief This class represents an endpoint of an SSLv2 connection.
- *
- * Fully reassembled SSLv2 records are passed to its Deliver() function.
- * There, some counters are updated and the record is then passed to
- * SSLv2_Interpreter::NewSSLRecord().
- */
-class SSLv2_Endpoint: public SSL_InterpreterEndpoint {
-public:
-	SSLv2_Endpoint(SSLv2_Interpreter* interpreter, int is_orig);
-	virtual ~SSLv2_Endpoint();
-
-	void Deliver(int len, const u_char* data);
-
-	uint32 sentRecords; ///< counter for sent records of this endpoint
-};
-
-#endif
diff --git a/src/SSLv3.cc b/src/SSLv3.cc
deleted file mode 100644
index 4d89f27ad8..0000000000
--- a/src/SSLv3.cc
+++ /dev/null
@@ -1,1471 +0,0 @@
-// $Id: SSLv3.cc 5988 2008-07-19 07:02:12Z vern $
-
-#include "SSLv3.h"
-#include "SSLCiphers.h"
-
-// --- Initalization of static variables --------------------------------------
-
-bool SSLv3_Interpreter::bInited = false;
-
-uint SSLv3_Interpreter::totalConnections = 0;
-uint SSLv3_Interpreter::openedConnections = 0;
-uint SSLv3_Interpreter::totalRecords = 0;
-uint SSLv3_Interpreter::handshakeRecords = 0;
-uint SSLv3_Interpreter::clientHelloRecords = 0;
-uint SSLv3_Interpreter::serverHelloRecords = 0;
-uint SSLv3_Interpreter::alertRecords = 0;
-uint SSLv3_Interpreter::changeCipherRecords = 0;
-
-
-// ---SSLv3_Interpreter--------------------------------------------------------
-
-// Initialize static:
-SSLv3_Automaton SSLv3_Interpreter::sslAutomaton(SSL3_1_NUM_STATES,
-					SSL3_1_NUM_TRANS, SSL3_1_STATE_ERROR);
-
-SSLv3_Interpreter::SSLv3_Interpreter(SSLProxy_Analyzer* proxy)
-: SSL_Interpreter(proxy)
-	{
-	pCipherSuite = 0;
-	cipherSuiteIdentifier = 0;
-	pClientCipherSpecs = 0;
-	clientSessionID = 0;
-	serverSessionID = 0;
-	clientRandom = 0;
-	serverRandom = 0;
-	serverRSApars = 0;
-	serverDHPars = 0;
-	encryptedPreSecret = 0;
-	clientDHpublic = 0;
-	// keyXAlgorithm = SSL_KEY_EXCHANGE_NULL;
-	change_cipher_client_seen = false;
-	change_cipher_server_seen = false;
-	fin_client_seen = false;
-	fin_server_seen = false;
-	helloRequestValid = true;
-
-	if ( ! bInited )
-		{
-		BuildAutomaton();
-		// BuildCipherDict();
-		bInited = true;
-		}
-
-	currentState = SSL3_1_STATE_INIT;
-	++totalConnections;
-	}
-
-SSLv3_Interpreter::~SSLv3_Interpreter()
-	{
-	delete pClientCipherSpecs;
-	delete clientSessionID;
-	delete serverSessionID;
-
-	if ( ssl_store_key_material )
-		{
-		if ( clientRandom )
-			delete clientRandom->random_bytes;
-		delete clientRandom;
-		if ( serverRandom )
-			delete serverRandom->random_bytes;
-		delete serverRandom;
-		delete serverRSApars;
-		delete serverDHPars;
-		delete encryptedPreSecret;
-		delete clientDHpublic;
-		}
-	}
-
-void SSLv3_Interpreter::BuildInterpreterEndpoints()
-	{
-	orig = new SSLv3_Endpoint(this, 1);
-	resp = new SSLv3_Endpoint(this, 0);
-	}
-
-void SSLv3_Interpreter::BuildAutomaton()
-	{
-	sslAutomaton.addTrans(SSL3_1_STATE_INIT, SSL3_1_TRANS_SERVER_HELLO_REQ,
-		SSL3_1_STATE_SERVER_HELLO_REQ_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_REQ_SENT,
-		SSL3_1_TRANS_CLIENT_HELLO, SSL3_1_STATE_CLIENT_HELLO_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_INIT, SSL3_1_TRANS_CLIENT_HELLO,
-		SSL3_1_STATE_CLIENT_HELLO_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_HELLO_SENT,
-		SSL3_1_TRANS_SERVER_HELLO, SSL3_1_STATE_SERVER_HELLO_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
-		SSL3_1_TRANS_SERVER_CERT, SSL3_1_STATE_SERVER_CERT_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
-		SSL3_1_TRANS_SERVER_KEY_EXCHANGE,
-		SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT);
-
-	// Server key-exchange and/or server requests cert from client.
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
-		SSL3_1_TRANS_SERVER_KEY_EXCHANGE,
-		SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT,
-		SSL3_1_TRANS_SERVER_HELLO_DONE,
-		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT,
-		SSL3_1_TRANS_SERVER_CERT_REQ,
-		SSL3_1_STATE_SERVER_CERT_REQ_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
-		SSL3_1_TRANS_SERVER_CERT_REQ,
-		SSL3_1_STATE_SERVER_CERT_REQ_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_REQ_SENT,
-		SSL3_1_TRANS_SERVER_HELLO_DONE,
-		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B,
-		SSL3_1_TRANS_CLIENT_CERT, SSL3_1_STATE_CLIENT_CERT_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_SENT,
-		SSL3_1_TRANS_CLIENT_KEY_EXCHANGE,
-		SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
-		SSL3_1_TRANS_CLIENT_CERT_VERIFY,
-		SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_A,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_A,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_A);
-
-	// Server hello done after server cert sent.
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
-		SSL3_1_TRANS_SERVER_HELLO_DONE,
-		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A,
-		SSL3_1_TRANS_CLIENT_KEY_EXCHANGE,
-		SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_A,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_A);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_A,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_A);
-
-	// When reestablishing a session:
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_B);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_B);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_B,
-		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_B);
-
-	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_B,
-		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_B);
-
-	sslAutomaton.setStartState(SSL3_1_STATE_INIT);
-	}
-
-void SSLv3_Interpreter::printStats()
-	{
-	printf( "SSLv3x:\n" );
-	printf( "Note: Because handshake messages may be coalesced into a \n");
-	printf( "      single SSLv3x record, the number of total messages for SSLv3x plus \n");
-	printf( "      the number of total records seen for SSLv2 won't match \n");
-	printf( "      SSLProxy_Analyzer::totalRecords! \n");
-	printf( "total connections			= %u\n", totalConnections );
-	printf( "opened connections (complete handshake)	= %u\n", openedConnections );
-
-	printf( "total messages seen			= %u\n", totalRecords );
-	printf( "handshake messages seen			= %u\n", handshakeRecords );
-	printf( "alert records seen			= %u\n", alertRecords );
-	printf( "change cipher records seen		= %u\n", changeCipherRecords );
-	printf( "client hello messages seen		= %u\n", clientHelloRecords );
-	printf( "server hello messages seen		= %u\n", serverHelloRecords );
-	}
-
-int SSLv3_Interpreter::HandshakeType2Trans(int type)
-	{
-	switch ( SSL3_1_HandshakeType(type) ) {
-	case SSL3_1_HELLO_REQUEST: return SSL3_1_TRANS_SERVER_HELLO_REQ;
-	case SSL3_1_CLIENT_HELLO: return SSL3_1_TRANS_CLIENT_HELLO;
-	case SSL3_1_SERVER_HELLO: return SSL3_1_TRANS_SERVER_HELLO;
-
-	case SSL3_1_CERTIFICATE:
-		// Client- and server certificate handshake records lead
-		// to the same transition in the SSL automaton
-		// (see SSLDefines.h)
-		return SSL3_1_TRANS_SERVER_CERT;
-
-	case SSL3_1_SERVER_KEY_EXCHANGE: return SSL3_1_TRANS_SERVER_KEY_EXCHANGE;
-	case SSL3_1_CERTIFICATE_REQUEST: return SSL3_1_TRANS_SERVER_CERT_REQ;
-	case SSL3_1_SERVER_HELLO_DONE: return SSL3_1_TRANS_SERVER_HELLO_DONE;
-	case SSL3_1_CERTIFICATE_VERIFY: return SSL3_1_TRANS_CLIENT_CERT_VERIFY;
-	case SSL3_1_CLIENT_KEY_EXCHANGE: return SSL3_1_TRANS_CLIENT_KEY_EXCHANGE;
-
-	case SSL3_1_FINISHED:
-		// Client- and server certificate handshake records lead
-		// to the same transition in the SSL automaton
-		// (see SSLDefines.h)
-		return SSL3_1_TRANS_CLIENT_FIN;
-	default:
-		return -1;
-	}
-	}
-
-void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
-	{
-	++SSLv3_Interpreter::totalRecords;
-	++SSLv3_Interpreter::handshakeRecords;
-
-	TableVal* currentCipherSuites = 0;
-
-	// First: consistency checks.
-	// Special treatment for finished messages, because they are
-	// already encrypted (encrypted handshake message).
-	if ( (change_cipher_client_seen && (rec->endp)->IsOrig() &&
-	      ! fin_client_seen) ||
-	     (change_cipher_server_seen && ! rec->endp->IsOrig() &&
-	      ! fin_server_seen) )
-		{
-		// no checks can be performed due encryption...
-		}
-	else
-		{
-		SSL3_1_HandshakeType ht = SSL3_1_HandshakeType(rec->type);
-		switch ( ht ) {
-		case SSL3_1_HELLO_REQUEST:
-			if ( rec->length != 0 )
-				Weird("SSLv3x: Hello request too long!");
-			if ( ! helloRequestValid )
-				Weird("SSLv3x: Received hello request during handshake!");
-			// There should only be sent one hello request at a
-			// time.
-			helloRequestValid = false;
-			break;
-
-		case SSL3_1_CLIENT_HELLO:
-			{
-			++SSLv3_Interpreter::clientHelloRecords;
-
-			// During the handshaking phase, we don't want any
-			// more hello requests.
-			helloRequestValid = false;
-
-			if ( rec->checkClientHello() == 0 )
-				return;
-
-			const u_char* pTemp = rec->data;
-			uint8 sessionIDLength = uint8(pTemp[38]);
-			clientSessionID =
-				new SSL_DataBlock((pTemp + 39), sessionIDLength);
-			uint16 cipherSuiteLength =
-				uint16(pTemp[39 + sessionIDLength] << 8 ) |
-				pTemp[40 + sessionIDLength];
-
-			currentCipherSuites =
-				analyzeCiphers(rec->endp, cipherSuiteLength,
-					rec->data + 41 + sessionIDLength,
-					rec->sslVersion);
-
-			if ( ssl_store_key_material )
-				{
-				clientRandom = new SSLv3x_Random();
-				clientRandom->random_bytes = 0;
-				clientRandom->gmt_unix_time =
-					uint32(((pTemp[6] << 24) |
-						pTemp[7] << 16) |
-					       pTemp[8] << 8) | pTemp[9];
-
-				clientRandom->random_bytes =
-					new SSL_DataBlock(pTemp + 10, 28);
-				}
-			break;
-			}
-
-		case SSL3_1_SERVER_HELLO:
-			{
-			++SSLv3_Interpreter::serverHelloRecords;
-			if ( rec->checkServerHello() == 0)
-				return;
-
-			const u_char* pTemp = rec->data;
-			uint8 sessionIDLength = uint8(pTemp[38]);
-			serverSessionID =
-				new SSL_DataBlock(pTemp + 39, sessionIDLength);
-			currentCipherSuites =
-				analyzeCiphers(rec->endp, 2,
-					rec->data + 39 + sessionIDLength,
-					rec->sslVersion);
-
-			// Check whether the cipher suite the server choose
-			// was included in the cipher suites the client
-			// anounced.
-			if ( pClientCipherSpecs && pCipherSuite )
-				{
-				bool bFound = false;
-				uint16 tempClientCipher;
-				for ( int i = 0; i < pClientCipherSpecs->len;
-				      i += 2 )
-					{
-					tempClientCipher =
-						(pClientCipherSpecs->data[i] << 8) |
-						pClientCipherSpecs->data[i+1];
-
-					if ( tempClientCipher ==
-					     pCipherSuite->identifier )
-						{
-						bFound = true;
-						i = pClientCipherSpecs->len;
-						}
-					}
-
-				if ( ! bFound )
-					Weird("SSLv3x: Server choosed cipher spec that client didn't anounce!");
-
-				delete pClientCipherSpecs;
-				pClientCipherSpecs = 0;
-				}
-
-			if ( ssl_store_key_material )
-				{
-				serverRandom = new SSLv3x_Random();
-				serverRandom->gmt_unix_time =
-					uint32(((pTemp[6] << 8) |
-						pTemp[7] << 8) |
-					       pTemp[8] << 8) | pTemp[9];
-				serverRandom->random_bytes =
-					new SSL_DataBlock(pTemp + 10, 28);
-				}
-
-			// Insert session injection into here.
-
-			if ( ! ssl_session_insertion )
-				break; // in place of below
-
-			TableVal* sessionIDTable =
-				serverSessionID ?
-					MakeSessionID(serverSessionID->data,
-							serverSessionID->len) :
-					MakeSessionID(0, 0);
-
-			val_list* vl = new val_list;
-			vl->append(proxy->BuildConnVal());
-			vl->append(sessionIDTable);
-
-			proxy->ConnectionEvent(ssl_session_insertion, vl);
-			break;
-			}
-
-		case SSL3_1_CERTIFICATE:
-			{
-			if ( rec->length >= 3 )
-				{
-				const u_char* pData = rec->data;
-				uint32 certListLength =
-					uint32((pData[4] << 16) |
-					       pData[5] << 8) | pData[6];
-
-				// Size consistency checks.
-				if ( certListLength + 3 != uint32(rec->length) )
-					{
-					if ( rec->endp->IsOrig() )
-						Weird("SSLv3x: Corrupt length field in client certificate list!");
-					else
-						Weird("SSLv3x: Corrupt length field in server certificate list!");
-					return;
-					}
-
-				// Sum of all cert sizes has to match
-				// certListLength.
-				uint tempLength = 0;
-				uint certCount = 0;
-				while ( tempLength < certListLength )
-					{
-					if ( tempLength + 3 <= certListLength )
-						{
-						++certCount;
-						uint32 certLength =
-							uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
-						tempLength += certLength + 3;
-						}
-					else
-						{
-						Weird("SSLv3x: Corrupt length field in certificate list!");
-						return;
-						}
-					}
-
-				if ( tempLength > certListLength )
-					{
-					Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
-					return;
-					}
-
-				SSL_InterpreterEndpoint* pEp =
-					(SSL_InterpreterEndpoint*) rec->endp;
-
-				if ( certCount == 0 )
-					{ // we don't have a certificate...
-					if ( rec->endp->IsOrig() )
-						{
-						Weird("SSLv3x: Client certificate is missing!");
-						break;
-						}
-					else
-						{
-						Weird("SSLv3x: Server certificate is missing!");
-						break;
-						}
-					}
-
-				if ( certCount > 1 )
-					{ // we have a chain
-					analyzeCertificate(pEp,
-						rec->data + 7,
-						certListLength, 1, true);
-					}
-				else
-					{
-					// We have a single certificate.
-					// FIXME.
-					analyzeCertificate(pEp,
-						rec->data + 10,
-						certListLength-3, 1, false);
-					}
-
-				}
-			else
-				Weird("SSLv3x: Certificate record too small!" );
-			break;
-			}
-
-		case SSL3_1_SERVER_KEY_EXCHANGE:
-			{
-			/*
-			switch (cipherSuite)
-				{
-				// It would be necessary to have the RSA key length
-				// out of the server's certificate. If the cipher suite
-				// is EXPORT, than a RSA key length larger than 512 bits
-				// is not allowed for encryption and thus, the server needs
-				// to send a key-exchange-message in order to negotiate the
-				// pre-master secret (see rfc 2246 page 39)
-				case TLS_RSA_WITH_NULL_MD5:
-				case TLS_RSA_WITH_NULL_SHA:
-				// case TLS_RSA_EXPORT_WITH_RC4_40_MD5: //see comment above
-				case TLS_RSA_WITH_RC4_128_MD5:
-				case TLS_RSA_WITH_RC4_128_SHA:
-				// case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: //see comment above
-				case TLS_RSA_WITH_IDEA_CBC_SHA:
-				// case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: //see comment above
-				case TLS_RSA_WITH_DES_CBC_SHA:
-				case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
-				case TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
-				case TLS_DH_DSS_WITH_DES_CBC_SHA:
-				case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
-				case TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
-				case TLS_DH_RSA_WITH_DES_CBC_SHA:
-				case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
-					{
-					Weird("SSLv3x: Sending server-key-exchange not allowed for this cipher suite!");
-					return;
-					break;
-					}
-				default:
-					break;
-				}
-			*/
-
-			if ( ! pCipherSuite )
-				// If we have an unknown CIPHER-SPEC,
-				// we can't do our weird checks.
-				break;
-
-			SSL_KeyExchangeAlgorithm keyXAlgorithm =
-				pCipherSuite->keyExchangeAlgorithm;
-
-			if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
-			     keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS ||
-			     keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA )
-				{
-				Weird("SSLv3x: Sending server-key-exchange not allowed for this cipher suite!");
-				return;
-
-				}
-			// FIXME: check where DHE_RSA etc. belongs to
-			const u_char* pTemp = rec->data;
-			if ( ssl_store_key_material )
-				{
-				if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
-				     keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
-				     keyXAlgorithm == SSL_KEY_EXCHANGE_RSA_EXPORT1024 )
-					{ // some weird checks
-					if ( rec->length < 2 )
-						{
-						Weird("SSLv3x: server-key-exchange empty!");
-						return;
-						}
-
-					uint16 modulusLength = uint16(pTemp[4] << 8 ) | pTemp[5];
-					if ( modulusLength + 4 > rec->length )
-						{
-						Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
-						break;
-						}
-
-					uint16 exponentLength = uint16(pTemp[6 + modulusLength] << 8 ) | pTemp[7 + modulusLength];
-					if ( modulusLength + exponentLength + 4 > rec->length )
-						{
-						Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
-						return;
-						}
-
-					serverRSApars =
-						new SSLv3x_ServerRSAParams;
-					serverRSApars->rsa_modulus =
-						new SSL_DataBlock(pTemp + 6, modulusLength);
-					serverRSApars->rsa_exponent =
-						new SSL_DataBlock( pTemp + 8 + modulusLength, exponentLength);
-					}
-				else
-					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
-						{
-						if ( rec->length < 2 )
-							{
-							Weird("SSLv3x: server-key-exchange empty!");
-							return;
-							}
-
-						uint16 dh_pLength = (uint16) (pTemp[4] << 8 ) | pTemp[5];
-						if ( dh_pLength + 4 > rec->length )
-							{
-							Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
-							break;
-							}
-
-						uint16 dh_gLength = uint16(pTemp[6 + dh_pLength] << 8 ) | pTemp[7 + dh_pLength];
-						uint16 dh_YsLength = uint16(pTemp[8 + dh_pLength + dh_gLength] << 8 ) | pTemp[9 + dh_pLength + dh_gLength];
-						if ( dh_pLength + dh_gLength + dh_YsLength + 6 > rec->length )
-							{
-							Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
-							printf("xxx %u > %u \n", (dh_pLength + dh_gLength + dh_YsLength + 6), rec->length);
-							return;
-							}
-
-						serverDHPars = new SSLv3x_ServerDHParams;
-						serverDHPars->dh_p = new SSL_DataBlock(pTemp + 6 , dh_pLength);
-						serverDHPars->dh_g = new SSL_DataBlock(pTemp + 8 + dh_pLength, dh_gLength);
-						serverDHPars->dh_Ys = new SSL_DataBlock(pTemp + 10 + dh_pLength + dh_gLength, dh_YsLength);
-						}
-					}
-				}
-			break;
-			}
-
-		case SSL3_1_CERTIFICATE_REQUEST:
-			{
-			// Only if server not anonymous
-			/*
-			switch (cipherSuite)
-				{
-				case TLS_NULL_WITH_NULL_NULL:
-				case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5:
-				case TLS_DH_ANON_WITH_RC4_128_MD5:
-				case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:
-				case TLS_DH_ANON_WITH_DES_CBC_SHA:
-				case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA:
-					{
-					Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
-					break;
-					}
-				default:
-					{
-					break;
-					}
-				}
-			*/
-
-			if ( ! pCipherSuite )
-				{
-				// if we have an unknown CIPHER-SPEC,
-				// we can't do our weird checks.
-				break;
-				}
-
-			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT )
-				Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
-
-			// FIXME: Insert weird checks!
-			break;
-			}
-
-		case SSL3_1_SERVER_HELLO_DONE:
-			{
-			if ( rec->length != 0 )
-				Weird("SSLv3x: Server hello too long!");
-			break;
-			}
-
-		case SSL3_1_CLIENT_KEY_EXCHANGE:
-			{
-			if ( ! pCipherSuite )
-				// if we have an unknown CIPHER-SPEC,
-				// we can't do our weird checks
-				break;
-
-			const u_char* pTemp = rec->data;
-			if ( ssl_store_key_material )
-				{
-				SSL_KeyExchangeAlgorithm keyXAlgorithm =
-					pCipherSuite->keyExchangeAlgorithm;
-
-				if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA )
-					{
-					encryptedPreSecret =
-						new SSLv3x_EncryptedPremasterSecret;
-					encryptedPreSecret->encryptedSecret =
-						new SSL_DataBlock( pTemp + 4, rec->length);
-					}
-				else
-					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
-						{
-						if ( rec->length < 2 )
-							{
-							// This can happen (see RFC 2246, p. 45).
-							return;
-							}
-
-						uint16 DHpublicLength =
-							uint16(pTemp[4] << 8) | pTemp[5];
-						if ( DHpublicLength + 2 < rec->length )
-							{
-							Weird("SSLv3x: Corrupt length fields in client-key-exchange!");
-							return;
-							}
-
-						clientDHpublic = new SSLv3x_ClientDHPublic;
-						clientDHpublic->dh_Yc = new SSL_DataBlock(pTemp + 6, DHpublicLength);
-						}
-					}
-
-				}
-			break;
-			}
-
-		case SSL3_1_CERTIFICATE_VERIFY:
-			{
-			// FIXME: Insert Weird checks!
-			break;
-			}
-
-		case SSL3_1_FINISHED:
-			{
-			// We won't get here, because finished messages
-			// are already encrypted, so we can't get
-			// the content type of this handshake-message...
-			break;
-			}
-
-		default:
-			{
-			if ( currentState == SSL3_1_STATE_SERVER_FIN_SENT_A ||
-			     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_B )
-				{
-				Weird("SSLv3x: Handshake message (unknown type) after finished message!");
-				return;
-				}
-			else
-				{
-				Weird("SSLv3x: Invalid HandshakeType! Maybe finished message without predecessing change-cipher-message!");
-				return; }
-			}
-		}
-		}
-
-	int oldState = currentState;
-	bool alreadySwitchedState = false;
-
-	// First: Special handling of finished messages. They must be
-	// sent immediately after a change cipher message - already encrypted.
-	// from client?
-	if ( rec->endp->IsOrig() && change_cipher_client_seen )
-		{
-		if ( ! fin_client_seen )
-			{
-			// This must be a (valid) client finished.
-			// We assume it to be one, because the predecessing
-			// message was a change cipher.
-			fin_client_seen = true;
-			change_cipher_client_seen = false;
-			alreadySwitchedState = true;
-			currentState = sslAutomaton.getNextState(currentState,
-						SSL3_1_TRANS_CLIENT_FIN);
-			}
-		else
-			{
-			// We already saw a client finished (should not be
-			// possible).
-			Weird("SSLv3x: Already received client finished message!");
-			currentState = sslAutomaton.getNextState(currentState,
-						SSL3_1_TRANS_CLIENT_FIN);
-			fin_client_seen = true;
-			change_cipher_client_seen = false;
-			alreadySwitchedState = true;
-			}
-		}
-
-	// from server
-	else if ( ! rec->endp->IsOrig() && change_cipher_server_seen )
-		{
-		if ( ! fin_server_seen )
-			{
-			// This must be a (valid) server finished.
-			// We assume it to be one, because the predecessing
-			// message was a change cipher.
-			fin_server_seen = true;
-			change_cipher_server_seen = false;
-			alreadySwitchedState = true;
-			currentState = sslAutomaton.getNextState(currentState,
-				SSL3_1_TRANS_SERVER_FIN);
-			}
-		else
-			{
-			// We already saw a server-finished (should not be
-			// possible).
-			Weird("SSLv3x: Already received server finished message!");
-			currentState = sslAutomaton.getNextState(currentState,
-						SSL3_1_TRANS_SERVER_FIN);
-			alreadySwitchedState = true;
-			fin_server_seen = true;
-			change_cipher_server_seen = false;
-			}
-		}
-
-	if ( ! alreadySwitchedState )
-		{
-		// Check whether we are already finished with the
-		// handshaking process...
-		switch ( currentState ) {
-		case SSL3_1_STATE_HS_FIN_A:
-		case SSL3_1_STATE_HS_FIN_B:
-			Weird("SSLv3x: Received handshake message after finishing handshake!");
-			break;
-
-		default:
-			// It's a "normal" handshake message...
-			currentState = sslAutomaton.getNextState(currentState,
-				HandshakeType2Trans(rec->type));
-			break;
-		}
-		}
-
-	if ( currentState == SSL3_1_STATE_ERROR )
-		{
-		// proxy->SetSkip(1);
-		}
-
-	// Only if we changed the currentState, we need to call GenerateEvents
-	// because event generation in GenerateEvents() is based on
-	// currentState.
-	if ( oldState != currentState )
-		GenerateEvents(rec, currentCipherSuites);
-	else
-		Unref(currentCipherSuites);
-	}
-
-void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_AlertRecord* rec)
-	{
-	++SSLv3_Interpreter::totalRecords;
-	++SSLv3_Interpreter::alertRecords;
-
-	// First: consistency-checks.
-	// Only if handshake not already finished.
-	// Otherwise alerts may be encrypted, so we could do nothing...
-	if ( currentState == SSL3_1_STATE_SERVER_FIN_SENT_A ||
-	     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_B ||
-	     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_A ||
-	     currentState == SSL3_1_STATE_SERVER_FIN_SENT_B ||
-	     currentState == SSL3_1_STATE_HS_FIN_A ||
-	     currentState == SSL3_1_STATE_HS_FIN_B ||
-	     change_cipher_client_seen || change_cipher_server_seen )
-		return;
-
-	if ( rec->level != SSL3x_ALERT_LEVEL_WARNING &&
-	     rec->level != SSL3x_ALERT_LEVEL_FATAL )
-		Weird("SSLv3x: Unknown ssl alert level");
-
-	SSL3_1_AlertDescription ad = SSL3_1_AlertDescription(rec->description);
-	switch ( ad ) {
-	case SSL3_1_CLOSE_NOTIFY:
-	case SSL3_1_UNEXPECTED_MESSAGE:
-	case SSL3_1_BAD_RECORD_MAC:
-	case SSL3_1_DECRYPTION_FAILED:
-	case SSL3_1_RECORD_OVERFLOW:
-	case SSL3_1_DECOMPRESSION_FAILURE:
-	case SSL3_1_HANDSHAKE_FAILURE:
-		break;
-
-	case SSL3_0_NO_CERTIFICATE:
-		// This may happen ONLY in SSLv3.0 when the server sends
-		// a certificate request but the client has none.
-		if ( rec->sslVersion == SSLProxy_Analyzer::SSLv30 )
-			currentState = SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A;
-		else
-			Weird("SSLv3x: No certificate alert not defined for SSL 3.1!");
-		break;
-
-	case SSL3_1_BAD_CERTIFICATE:
-	case SSL3_1_UNSUPPORTED_CERTIFICATE:
-	case SSL3_1_CERTIFICATE_REVOKED:
-	case SSL3_1_CERTIFICATE_EXPIRED:
-	case SSL3_1_CERTIFICATE_UNKNOWN:
-	case SSL3_1_ILLEGAL_PARAMETER:
-	case SSL3_1_UNKNOWN_CA:
-	case SSL3_1_ACCESS_DENIED:
-	case SSL3_1_DECODE_ERROR:
-	case SSL3_1_DECRYPT_ERROR:
-	case SSL3_1_EXPORT_RESTRICTION:
-	case SSL3_1_PROTOCOL_VERSION:
-	case SSL3_1_INSUFFICIENT_SECURITY:
-	case SSL3_1_INTERNAL_ERROR:
-	case SSL3_1_USER_CANCELED:
-	case SSL3_1_NO_RENEGOTIATION:
-		break;
-
-	default:
-		Weird(" SSLv3x: Unknown ssl alert description!" );
-		break;
-	}
-
-	if ( rec->level == 2 )
-		// Fatal alert!
-		currentState = SSL3_1_STATE_INIT;
-
-	if ( rec->level == 1 && ad == SSL3_1_CLOSE_NOTIFY )
-		currentState = SSL3_1_STATE_INIT;
-
-	fire_ssl_conn_alert(rec->sslVersion, rec->level, rec->description);
-	}
-
-void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_ChangeCipherRecord* rec)
-	{
-	++SSLv3_Interpreter::totalRecords;
-	++SSLv3_Interpreter::changeCipherRecords;
-
-	if ( rec->type != 1 )
-		Weird("SSLv3x: Unknown change cipher type!");
-	if ( rec->recordLength != 1 )
-		Weird("SSLv3x: Change cipher message too long!");
-
-	// After receiving a change cipher spec message, the next message sent
-	// MUST be a finished message. So we set the appropriate flag:
-	// change_cipher_client/server_seen.
-	if ( rec->endp->IsOrig())
-		{
-		if ( change_cipher_client_seen )
-			Weird("SSLv3x: Received multiple change cipher message from client!");
-		change_cipher_client_seen = true;
-		fin_client_seen = false;
-		}
-	else
-		{
-		if ( change_cipher_server_seen )
-			Weird("SSLv3x: Received multiple change cipher message from server!");
-		change_cipher_server_seen = true;
-		fin_server_seen = false;
-		}
-
-	if ( currentState == SSL3_1_STATE_ERROR )
-		{
-		// proxy->SetSkip(1);
-		}
-
-	// We don't need a GenerateEvents here, because we didn't change
-	// the currentState of the SSL automaton.  (Event generation
-	// in GenerateEvents() is done based on currentState.)
-	// GenerateEvents(rec);
-	}
-
-void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_ApplicationRecord* rec)
-	{
-	++SSLv3_Interpreter::totalRecords;
-
-	if ( currentState == SSL3_1_STATE_HS_FIN_A ||
-	     currentState == SSL3_1_STATE_HS_FIN_B )
-		// O.K., sending application data is valid
-		// this was the last record we analyzed...
-		proxy->SetSkip(1);
-	else
-		{
-		// Sending application data now is not valid, so the SSL
-		// connection is probably already established and we
-		// didn't get the handshake.
-		Weird("SSLv3_data_without_full_handshake");
-		currentState = SSL3_1_STATE_ERROR;
-		GenerateEvents(rec, 0);
-		}
-	}
-
-TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
-					const u_char* data, uint16 version)
-	{
-	int is_orig = (SSL_InterpreterEndpoint*) s == orig;
-
-	if ( length > ssl_max_cipherspec_size )
-		{
-		if ( is_orig )
-			Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
-		else
-			Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
-		}
-
-	const u_char* pCipher = data;
-	SSL_CipherSpec* pCipherSuiteTemp = 0;
-	uint16 cipherSuite;
-	for ( int i = 0; i < length; i += 2 )
-		{
-		cipherSuite = uint16(pCipher[0+i] << 8) | pCipher[1+i];
-		HashKey h(static_cast<bro_uint_t>(cipherSuite));
-
-		pCipherSuiteTemp =
-			(SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
-		if ( ! pCipherSuiteTemp )
-			{
-			if ( is_orig )
-				proxy->Weird("SSLv3x: Unknown CIPHER-SPEC in CLIENT-HELLO");
-			else
-				proxy->Weird("SSLv3x: Unknown CIPHER-SPEC in SERVER-HELLO");
-			}
-		}
-
-	// Store server's cipher specs.
-	if ( ! is_orig )
-		{
-		pCipherSuite = pCipherSuiteTemp;
-		if ( ! pCipherSuite )
-			{
-			// Special case: we store the identifier directly
-			// for unknown cipher-specs.
-			cipherSuiteIdentifier =
-				uint16(pCipher[0] << 8) | pCipher[1];
-			}
-		}
-
-	if ( ssl_compare_cipherspecs && length <= ssl_max_cipherspec_size )
-		{
-		// Store cipher specs for analysis: was the choosen
-		// server cipher suite announced by the client?
-		if ( is_orig )
-			{
-			pClientCipherSpecs =
-				new SSL_DataBlock(data, length);
-			}
-		}
-
-	if ( (! is_orig && ssl_conn_server_reply) ||
-	     (is_orig && ssl_conn_attempt) )
-		{
-		TableVal* pCipherTable = new TableVal(cipher_suites_list);
-		for ( int i = 0; i < length; i += 2 )
-			{
-			uint32 cipherSpec = (pCipher[0] << 8) | pCipher[1];
-			Val* index = new Val(cipherSpec, TYPE_COUNT);
-			pCipherTable->Assign(index, 0);
-			Unref(index);
-			pCipher += 2;
-			}
-
-		return pCipherTable;
-		}
-
-	else
-		return 0;
-	}
-
-void SSLv3_Interpreter::GenerateEvents(SSLv3_Record* rec, TableVal* curCipherSuites)
-	{
-	if ( curCipherSuites &&
-	     currentState != SSL3_1_STATE_CLIENT_HELLO_SENT &&
-	     currentState != SSL3_1_STATE_SERVER_HELLO_SENT )
-	        // Unref here, since the events won't do so in this case.
-	        Unref(curCipherSuites);
-
-	switch ( currentState ) {
-	case SSL3_1_STATE_CLIENT_HELLO_SENT:
-		fire_ssl_conn_attempt(rec->sslVersion, curCipherSuites);
-		break;
-
-	case SSL3_1_STATE_SERVER_HELLO_SENT:
-		fire_ssl_conn_server_reply(rec->sslVersion, curCipherSuites);
-		break;
-
-	case SSL3_1_STATE_HS_FIN_A:
-	case SSL3_1_STATE_HS_FIN_B:
-		++SSLv3_Interpreter::openedConnections;
-		fire_ssl_conn_established(rec->sslVersion,
-					  pCipherSuite ?
-						pCipherSuite->identifier : 0);
-
-		// We finished handshake.  Skip all further data.
-		proxy->SetSkip(1);
-		helloRequestValid = true;
-		break;
-
-	case SSL3_1_STATE_SERVER_FIN_SENT_B:
-		// First, check for session-ID match.
-		if ( clientSessionID && serverSessionID &&
-		     memcmp(clientSessionID->data, serverSessionID->data,
-			    clientSessionID->len) != 0 )
-			Weird("SSLv3x: Reusing session but session ID mismatch!");
-		fire_ssl_conn_reused(serverSessionID);
-		break;
-
-	case SSL3_1_STATE_ERROR:
-		Weird("unexpected_SSLv3_record");
-		proxy->SetSkip(1);
-	}
-	}
-
-void SSLv3_Interpreter::SetState(int i)
-	{
-	if ( i >= 0 && i < SSL3_1_NUM_STATES )
-		currentState = i;
-	}
-
-// ---SSLv3_Endpoint--------------------------------------------------------------
-
-SSLv3_Endpoint::SSLv3_Endpoint(SSL_Interpreter* interpreter, int is_orig)
-: SSL_InterpreterEndpoint(interpreter, is_orig)
-	{
-	sslVersion = 0;
-	}
-
-SSLv3_Endpoint::~SSLv3_Endpoint()
-	{
-	}
-
-void SSLv3_Endpoint::Deliver(int len, const u_char* data)
-	{
-	if ( SSL3_1_LENGTHOFFSET + sizeof(uint16) <= unsigned(len) )
-		{
-		currentMessage_length =
-			uint16(data[SSL3_1_LENGTHOFFSET] << 8) |
-			data[SSL3_1_LENGTHOFFSET+1];
-
-		// ### where does this magic number come from?
-		if ( currentMessage_length > 18432 )
-			interpreter->Weird("SSLv3x: Message length too long!");
-		}
-	else
-		{
-		interpreter->Weird("SSLv3x: Could not determine message length!");
-		return;
-		}
-
-	if ( currentMessage_length + 2 + SSL3_1_LENGTHOFFSET != len )
-		{
-		// This should never happen; otherwise there is a bug in the
-		// SSL_RecordBuilder.
-		interpreter->Weird("SSLv3x: FATAL: recordLength doesn't match data block length!");
-		interpreter->Proxy()->SetSkip(1);
-		return;
-		}
-
-	ProcessMessage(data, len);
-	}
-
-void SSLv3_Endpoint::ProcessMessage(const u_char* data, int len)
-	{
-	SSL3_1_ContentType ct = ExtractContentType(data, len);
-	if ( ! ExtractVersion(data, len) )
-		return;
-
-	switch ( ct ) {
-	case SSL3_1_TYPE_CHANGE_CIPHER_SPEC:
-		{
-		SSLv3_ChangeCipherRecord* rec = new
-			SSLv3_ChangeCipherRecord(data + SSL3_1_HEADERLENGTH,
-				len - SSL3_1_HEADERLENGTH, sslVersion, this);
-
-		// Multiple handshake messages may be coalesced into
-		// a single record.
-		rec->Deliver((SSLv3_Interpreter*) interpreter);
-		Unref(rec);
-		break;
-		}
-
-	case SSL3_1_TYPE_ALERT:
-		{
-		SSLv3_AlertRecord* rec = new
-			SSLv3_AlertRecord(data + SSL3_1_HEADERLENGTH,
-				len - SSL3_1_HEADERLENGTH, sslVersion, this);
-		rec->Deliver((SSLv3_Interpreter*) interpreter);
-		Unref(rec);
-		break;
-		}
-
-	case SSL3_1_TYPE_HANDSHAKE:
-		{
-		SSLv3_HandshakeRecord* rec =
-			new SSLv3_HandshakeRecord(data + SSL3_1_HEADERLENGTH,
-				len - SSL3_1_HEADERLENGTH, sslVersion, this);
-		rec->Deliver((SSLv3_Interpreter*) interpreter);
-		Unref(rec);
-		break;
-		}
-
-	case SSL3_1_TYPE_APPLICATION_DATA:
-		{
-		SSLv3_ApplicationRecord* rec =
-			new SSLv3_ApplicationRecord(data + SSL3_1_HEADERLENGTH,
-				len - SSL3_1_HEADERLENGTH, sslVersion, this);
-		rec->Deliver((SSLv3_Interpreter*) interpreter);
-		Unref(rec);
-		break;
-		}
-
-	default:
-		{
-		interpreter->Weird("SSLv3x: Could not determine content type!");
-		break;
-		}
-	}
-	}
-
-SSL3_1_ContentType SSLv3_Endpoint::ExtractContentType(const u_char* data,
-							int len)
-	{
-	return SSL3_1_ContentType(uint8(*(data + SSL3_1_CONTENTTYPEOFFSET)));
-	}
-
-int SSLv3_Endpoint::ExtractVersion(const u_char* data, int len)
-	{
-	sslVersion = uint16(data[SSL3_1_VERSIONTYPEOFFSET] << 8) |
-		     data[SSL3_1_VERSIONTYPEOFFSET + 1];
-
-	if ( sslVersion != SSLProxy_Analyzer::SSLv30 &&
-	     sslVersion != SSLProxy_Analyzer::SSLv31 )
-		{
-		interpreter->Weird("SSLv3x: Unsupported SSL-Version (not SSLv3x)!");
-		return 0;
-		}
-	else
-		return 1;
-	}
-
-// ---SSLv3_Record----------------------------------------------------------------
-
-SSLv3_Record::SSLv3_Record(const u_char* data, int len,
-			uint16 version, SSLv3_Endpoint const* e)
-	{
-	recordLength = len;
-	sslVersion = version;
-	endp = e;
-	this->data = data;
-	}
-
-SSLv3_Record::~SSLv3_Record()
-	{
-	// The memory for data is deleted after processing the ssl record
-	// in the common ssl reassembler.
-	}
-
-void SSLv3_Record::Describe(ODesc* d) const
-	{
-	d->Add("sslrecord");
-	}
-
-SSLv3_Endpoint const* SSLv3_Record::GetEndpoint() const
-	{
-	return endp;
-	}
-
-const u_char* SSLv3_Record::GetData() const
-	{
-	return data;
-	}
-
-int SSLv3_Record::ExtractInt24(const u_char* data, int len, int offset)
-	{
-	if ( offset + int(sizeof(unsigned long)) - 1 > len)
-		return 0;
-
-	uint32 val;
-
-	val = 0;
-	val = uint32(*(data + offset + 2));
-	val |= uint32(*(data + offset + 1)) << 8;
-	val |= uint32(*(data + offset)) << 16;
-
-	return val;
-	}
-
-int SSLv3_Record::GetRecordLength() const
-	{
-	return recordLength;
-	}
-
-SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
-				uint16 version, SSLv3_Endpoint const* e)
-: SSLv3_Record(data, len, version, e)
-	{
-	// Weird-check for minimum handshake length header.
-	if ( len < 4 )
-		{
-		e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!");
-		type = 255;
-		length = 0;
-		next = 0;
-		return;
-		}
-
-	// Don't analyze encrypted client handshake messages.
-	if ( e->IsOrig() &&
-	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen &&
-	     ! ((SSLv3_Interpreter*) e->Interpreter())->fin_client_seen )
-		{
-		type = 255;
-		length = 0;
-		next = 0;
-		return;
-		}
-
-	// Don't analyze encrypted server handshake messages.
-	if ( ! e->IsOrig() &&
-	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_server_seen &&
-	     ! ((SSLv3_Interpreter*) e->Interpreter())->fin_server_seen )
-		{
-		type = 255;
-		length = 0;
-		next = 0;
-		return;
-		}
-
-	type = uint8(*(this->data));
-	length = ExtractInt24(data, len, 1);
-	if ( length + 4 < len )
-		next = new SSLv3_HandshakeRecord(data + length + 4,
-					len - (length + 4), version, e);
-	else if ( length + 4 > len )
-		{
-		e->Interpreter()->Weird("SSLv3x: Handshake-header-length inconsistent (too big)");
-		next = 0;
-		}
-	else
-		next = 0;
-	}
-
-SSLv3_HandshakeRecord::~SSLv3_HandshakeRecord()
-	{
-	if ( next )
-		{
-		delete next;
-		}
-	}
-
-void SSLv3_HandshakeRecord::Deliver(SSLv3_Interpreter* conn)
-	{
-	SSLv3_HandshakeRecord* it = this;
-	while ( it != 0)
-		{
-		conn->DeliverSSLv3_Record(it);
-		it = it->GetNext();
-		}
-	}
-
-int SSLv3_HandshakeRecord::GetType() const
-	{
-	return type;
-	}
-
-int SSLv3_HandshakeRecord::GetLength() const
-	{
-	return length;
-	}
-
-SSLv3_HandshakeRecord* SSLv3_HandshakeRecord::GetNext()
-	{
-	return next;
-	}
-
-int SSLv3_HandshakeRecord::checkClientHello()
-	{
-	if ( recordLength < 42 )
-		{
-		endp->Interpreter()->Weird("SSLv3x: Client hello too small!");
-		return 0;
-		}
-
-	uint16 version = uint16(data[4] << 8 ) | data[5];
-	if ( version != SSLProxy_Analyzer::SSLv30 &&
-	     version != SSLProxy_Analyzer::SSLv31 )
-		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
-
-	uint8 sessionIDLength = uint8(data[38]);
-	if ( sessionIDLength > 32 )
-		{
-		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
-		return 0;
-		}
-
-	uint16 cipherSuiteLength =
-		uint16(data[39 + sessionIDLength] << 8 ) |
-		data[40 + sessionIDLength];
-
-	if ( cipherSuiteLength < 2 )
-		endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
-
-	if ( cipherSuiteLength + sessionIDLength + 41 > recordLength )
-		{
-		endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
-		return 0;
-		}
-
-	uint8 compressionMethodLength =
-		uint8(data[41 + sessionIDLength + cipherSuiteLength]);
-
-	if ( compressionMethodLength < 1 )
-		endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
-
-	if ( sessionIDLength + cipherSuiteLength +
-	     compressionMethodLength + 38 != length )
-		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
-		return 0;
-		}
-
-	return 1;
-	}
-
-int SSLv3_HandshakeRecord::checkServerHello()
-	{
-	if ( recordLength < 42 )
-		{
-		endp->Interpreter()->Weird("SSLv3x: Server hello too small!");
-		return 0;
-		}
-
-	uint16 version = uint16(data[4] << 8) | data[5];
-	if ( version != SSLProxy_Analyzer::SSLv30 &&
-	     version != SSLProxy_Analyzer::SSLv31 )
-		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!");
-
-	uint8 sessionIDLength = uint8(data[38]);
-	if ( sessionIDLength > 32 )
-		{
-		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!");
-		return 0;
-		}
-
-	if ( (sessionIDLength + 38) != length )
-		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
-		return 0;
-		}
-
-	return 1;
-	}
-
-SSLv3_AlertRecord::SSLv3_AlertRecord(const u_char* data, int len,
-				uint16 version, SSLv3_Endpoint const* e)
-: SSLv3_Record(data, len, version, e)
-	{
-	if ( len < 2 )
-		{
-		e->Interpreter()->Weird("SSLv3x: Alert header length too small!");
-		level = 255;
-		description = 255;
-		}
-
-	// No further consistency-check, because alerts may be
-	// already encrypted.
-	level = uint8(*((this->data) + SSL3_1_ALERT_LEVEL_OFFSET));
-	description = uint8(*((this->data) + SSL3_1_ALERT_DESCRIPTION_OFFSET));
-	}
-
-SSLv3_AlertRecord::~SSLv3_AlertRecord()
-	{
-	}
-
-int SSLv3_AlertRecord::GetDescription() const
-	{
-	return description;
-	}
-
-int SSLv3_AlertRecord::GetLevel() const
-	{
-	return level;
-	}
-
-void SSLv3_AlertRecord::Deliver(SSLv3_Interpreter* conn)
-	{
-	conn->DeliverSSLv3_Record(this);
-	}
-
-SSLv3_ChangeCipherRecord::SSLv3_ChangeCipherRecord(const u_char* data, int len,
-				uint16 version, SSLv3_Endpoint const* e)
-: SSLv3_Record(data, len, version, e)
-	{
-	if ( len < 1 )
-		{
-		e->Interpreter()->Weird("SSLv3x: Change cipher header length too small!");
-		type = 255;
-		}
-	else
-		type = uint8(*((this->data) + SSL3_1_CHANGE_CIPHER_TYPE_OFFSET));
-	}
-
-SSLv3_ChangeCipherRecord::~SSLv3_ChangeCipherRecord()
-	{
-	}
-
-int SSLv3_ChangeCipherRecord::GetType() const
-	{
-	return type;
-	}
-
-void SSLv3_ChangeCipherRecord::Deliver(SSLv3_Interpreter* conn)
-	{
-	conn->DeliverSSLv3_Record(this);
-	}
-
-SSLv3_ApplicationRecord::SSLv3_ApplicationRecord(const u_char* data, int len, uint16 version, SSLv3_Endpoint const* e)
-: SSLv3_Record(data, len, version, e)
-	{
-	}
-
-SSLv3_ApplicationRecord::~SSLv3_ApplicationRecord()
-	{
-	}
-
-void SSLv3_ApplicationRecord::Deliver(SSLv3_Interpreter* conn)
-	{
-	conn->DeliverSSLv3_Record(this);
-	}
diff --git a/src/SSLv3.h b/src/SSLv3.h
deleted file mode 100644
index c3c3f4634e..0000000000
--- a/src/SSLv3.h
+++ /dev/null
@@ -1,590 +0,0 @@
-// $Id: SSLv3.h 3526 2006-09-12 07:32:21Z vern $
-
-#ifndef sslv3_h
-#define sslv3_h
-
-#include "SSLInterpreter.h"
-#include "SSLProxy.h"
-#include "SSLv3Automaton.h"
-#include "SSLDefines.h"
-
-// Offsets in SSL record layer header.
-const int SSL3_1_CONTENTTYPEOFFSET = 0;
-const int SSL3_1_VERSIONTYPEOFFSET = 1;
-const int SSL3_1_LENGTHOFFSET = 3;
-const int SSL3_1_HEADERLENGTH = 5;
-
-// --- forward declarations ---------------------------------------------------
-
-class SSL_Interpreter;
-class SSL_InterpreterEndpoint;
-class SSLProxy_Analyzer;
-class SSLv3_Endpoint;
-class SSLv3_Record;
-class SSLv3_HandshakeRecord;
-class SSLv3_AlertRecord;
-class SSLv3_ApplicationRecord;
-class SSLv3_ChangeCipherRecord;
-class CertStore;
-struct SSL_CipherSpec;
-
-// --- enums for SSLv3.0/3.1 message handling ---------------------------------
-
-enum SSL3_1_ContentType {
-	SSL3_1_TYPE_CHANGE_CIPHER_SPEC = 20,
-	SSL3_1_TYPE_ALERT = 21,
-	SSL3_1_TYPE_HANDSHAKE = 22,
-	SSL3_1_TYPE_APPLICATION_DATA = 23
-};
-
-enum SSL3_1_HandshakeType {
-	SSL3_1_HELLO_REQUEST = 0,
-	SSL3_1_CLIENT_HELLO = 1,
-	SSL3_1_SERVER_HELLO = 2,
-	SSL3_1_CERTIFICATE = 11,
-	SSL3_1_SERVER_KEY_EXCHANGE = 12,
-	SSL3_1_CERTIFICATE_REQUEST = 13,
-	SSL3_1_SERVER_HELLO_DONE = 14,
-	SSL3_1_CERTIFICATE_VERIFY = 15,
-	SSL3_1_CLIENT_KEY_EXCHANGE = 16,
-	SSL3_1_FINISHED = 20
-};
-
-enum SSL3_1_AlertDescription {
-	SSL3_1_CLOSE_NOTIFY = 0,
-	SSL3_1_UNEXPECTED_MESSAGE = 10,
-	SSL3_1_BAD_RECORD_MAC = 20,
-	SSL3_1_DECRYPTION_FAILED = 21,
-	SSL3_1_RECORD_OVERFLOW = 22,
-	SSL3_1_DECOMPRESSION_FAILURE = 30,
-	SSL3_1_HANDSHAKE_FAILURE = 40,
-	SSL3_0_NO_CERTIFICATE = 41,
-	SSL3_1_BAD_CERTIFICATE = 42,
-	SSL3_1_UNSUPPORTED_CERTIFICATE = 43,
-	SSL3_1_CERTIFICATE_REVOKED = 44,
-	SSL3_1_CERTIFICATE_EXPIRED = 45,
-	SSL3_1_CERTIFICATE_UNKNOWN = 46,
-	SSL3_1_ILLEGAL_PARAMETER = 47,
-	SSL3_1_UNKNOWN_CA = 48,
-	SSL3_1_ACCESS_DENIED = 49,
-	SSL3_1_DECODE_ERROR = 50,
-	SSL3_1_DECRYPT_ERROR = 51,
-	SSL3_1_EXPORT_RESTRICTION = 60,
-	SSL3_1_PROTOCOL_VERSION = 70,
-	SSL3_1_INSUFFICIENT_SECURITY = 71,
-	SSL3_1_INTERNAL_ERROR = 80,
-	SSL3_1_USER_CANCELED = 90,
-	SSL3_1_NO_RENEGOTIATION = 100
-};
-
-enum SSL3x_AlertLevel {
-	SSL3x_ALERT_LEVEL_WARNING = 1,
-	SSL3x_ALERT_LEVEL_FATAL = 2
-};
-
-// --- structs ----------------------------------------------------------------
-
-struct SSLv3x_Random {
-	uint32 gmt_unix_time;
-	SSL_DataBlock* random_bytes;	// 28-bytes
-};
-
-struct SSLv3x_ServerRSAParams {
-	SSL_DataBlock* rsa_modulus;	// <1..2^16-1>
-	SSL_DataBlock* rsa_exponent;	// <1..2^16-1>
-};
-
-struct SSLv3x_ServerDHParams{
-	SSL_DataBlock* dh_p;	// <1..2^16-1>
-	SSL_DataBlock* dh_g;	// <1..2^16-1>
-	SSL_DataBlock* dh_Ys;	// <1..2^16-1>
-};
-
-struct SSLv3x_EncryptedPremasterSecret{
-	SSL_DataBlock* encryptedSecret;
-};
-
-struct SSLv3x_ClientDHPublic{
-	SSL_DataBlock* dh_Yc;	// <1..2^16-1>
-};
-
-// ----------------------------------------------------------------------------
-
-/**
- * Class SSLv3_Interpreter is the implementation for a SSLv3.0/SSLv3.1 connection
- * interpreter (derived from the abstract class SSL_Interpreter).
- *
- * The corresponding SSLProxy_Analyzer creates an instance of this class and
- * properly initialises the corresponding SSLv3_Endpoints by calling the
- * SSL_Interpreter's Init() method which then invokes the BuildInterpreterEndpoints() method
- * (of the SSLv3_Interpreter) which causes the SSLv3_Endpoints to be created properly.
- *
- * The SSLv3_Interpreter receives the four various SSLv3_Records:
- * - SSLv3_HandshakeRecord
- * - SSLv3_AlertRecord
- * - SSLv3_ChangeCipherRecord
- * - SSLv3_ApplicationRecord
- * via the DeliverSSLv3_Record() methods from the two corresponding SSLv3_Endpoints
- * (which get fed by the SSLProxy_Analyzer).
- *
- * There is one global static SSLv3_Automaton which describes the possible transitions
- * in the SSLv3.0/SSLv3.1 state machine for the handshaking phase. This automaton
- * is initialised once, when Bro sees the first SSL connection. By the attribute
- * currentState every instance of SSLv3_Interpreter holds the automaton state it
- * is currently in and so is able
- * to track the correctness of the SSL handshaking process. It weird-checks and verifies
- * all arriving SSL records up to the point where handshaking is finished or an
- * error occures caused by weird SSL records or not allowed transitions in the
- * state machine. Information that was negotiated between the client and server
- * during the handshaking phase is/may also be stored. That is:
- * - used SSL version
- * - negotiated cipher suite
- * - session ID
- * - client/server random
- * - key exchange algorithms
- * - cryptographic parameters
- * - encrypted pre-master secret
- *
- * The certificates are verified using the analyzeCertificate() method of the
- * SSL_Interpreter class.
- * Events for Bro scripting are thrown for client connection attempt, server reply,
- * ssl connection establishment/reuse of former connection, proposed cipher suites and
- * seen certificates.
- *
- * @see SSLv3_Endpoint
- */
-class SSLv3_Interpreter : public SSL_Interpreter {
-public:
-	/** The constructor takes the SSLProxy_Analyzer as argument,
-	 * that created this SSLv3_Interpreter.
-	 *
-	 * @param proxy the creating SSL_ConectionProxy
-	 */
-	SSLv3_Interpreter(SSLProxy_Analyzer* proxy);
-	~SSLv3_Interpreter();
-
-	/** Delivers an SSLv3_HandshakeRecord to the SSLv3_Interpreter.
-	 * The record gets verified and it is checked whether it is allowed
-	 * in the current phase of the handshaking process.
-	 *
-	 * @param rec the SSLv3_HandshakeRecord
-	 */
-	void DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec);
-
-	/** Delivers an SSLv3_AlertRecord to the SSLv3_Interpreter.
-	 * The record gets verified and weird checked.
-	 *
-	 * @param rec the SSLv3_AlertRecord
-	 */
-	void DeliverSSLv3_Record(SSLv3_AlertRecord* rec);
-
-	/** Delivers an SSLv3_ChangeCipherRecord to the SSLv3_Interpreter.
-	 * The record gets verified and weird checked. If a change cipher
-	 * record is received the next record from this endpoint needs
-	 * to be a finished message.
-	 *
-	 * @param rec the SSLv3_ChangeCipherRecord
-	 */
-	void DeliverSSLv3_Record(SSLv3_ChangeCipherRecord* rec);
-
-	/** Delivers a SSLv3_ApplicationRecord to the SSLv3_Interpreter.
-	 * It is checked, whether handshaking phase is already finished
-	 * and sending application data is valid (the normal case is,
-	 * that after finishing the handshaking phase, all further data
-	 * is skipped).
-	 *
-	 * @param rec the SSLv3_AlertRecord
-	 */
-	void DeliverSSLv3_Record(SSLv3_ApplicationRecord* rec);
-
-	/** This method sets the currentState variable of this SSLv3_Interpreter
-	 * and so sets the SSLv3.0/SSLv3.1 state machine to the state passed
-	 * as parameter.It is invoked in the SSLProxy_Analyzer to enable
-	 * this SSLv3_Interpreter to start work without having seen the first
-	 * handshake record.  This happens, when the client hello is sent in
-	 * SSLv2 format and processed by the SSLv2_Interpreter but the further
-	 * SSL connection taking place as a SSLv3.0/SSLv3.1 session.
-	 *
-	 * @param i the new state of the sslAutomaton
-	 */
-	void SetState(int i);
-
-	static void printStats();
-
-	// Total SSLv3x connections.
-	static uint totalConnections;
-
-	// Total SSLv3x connections with <b>complete</b> handshake.
-	static uint openedConnections;
-
-	static uint totalRecords; ///< counter for total SSLv3x records seen
-	static uint handshakeRecords; ///< counter for SSLv3x handshake records seen
-	static uint clientHelloRecords; ///< counter for SSLv3x client hellos seen
-	static uint serverHelloRecords; ///< counter for SSLv3x server hellos seen
-	static uint alertRecords; ///< counter for SSLv3x alert records seen
-	static uint changeCipherRecords; ///< counter for SSLv3x change cipher records seen
-
-	/**Flags for handling the change-cipher-messages and fin-handshake-
-	 * messages
-	 */
-	bool change_cipher_client_seen; ///< whether a client change cipher record was seen
-	bool change_cipher_server_seen; ///< whether a server change cipher record was seen
-	bool fin_client_seen; ///< whether a client finished handshake message was seen (must immediately follow the client change cipher)
-	bool fin_server_seen; ///< whether a server finished handshake message was seen (must immediately follow the server change cipher)
-
-protected:
-	static SSLv3_Automaton sslAutomaton; ///< represents the SSLv3.0/SSLv3.1 automaton
-	static bool bInited; ///< whether the automaton is already initialised (has to be only done once)
-	int currentState; ///< the current state of the SSL automaton in this SSLv3_Interpreter instance
-
-	// uint16 cipherSuite; ///< the cipher spec client and server agreed upon
-	SSL_DataBlock* pClientCipherSpecs; ///< the CIPHER-SPECs from the client
-	SSL_CipherSpec* pCipherSuite; ///< pointer to the cipher spec definition client and server agreed upon
-	uint32 cipherSuiteIdentifier; ///< only used for unknown cipher-specs
-	SSL_DataBlock* clientSessionID; ///< the session ID of the client hello record
-	SSL_DataBlock* serverSessionID; ///< the session ID for this SSL session
-
-	/**Attributes for cryptographic computations*/
-	SSLv3x_Random* clientRandom;
-	SSLv3x_Random* serverRandom;
-	//SSL_KeyExchangeAlgorithm keyXAlgorithm;
-	SSLv3x_ServerRSAParams* serverRSApars;
-	SSLv3x_ServerDHParams* serverDHPars;
-	SSLv3x_EncryptedPremasterSecret* encryptedPreSecret;
-	SSLv3x_ClientDHPublic* clientDHpublic;
-
-	bool helloRequestValid; ///< Whether sending a hello request is valid (normally after handshaking phase)
-
-	/** This method builds the corresponding SSLv3_Endpoints for this SSLv3_Interpreter.
-	 * It is called in the SSL_Interpreter's Init() method.
-	 */
-	void BuildInterpreterEndpoints();
-
-	/** This method initialises the SSL state automaton; sets the states and transitions.
-	 * It needs only to be called once for a whole bro. @see SSLDefines.h
-	 */
-	void BuildAutomaton();
-
-	/** This helper method translates the handshake types included in the SSL handshake
-	 * records to the corresponding transition of the SSL automaton. It is invoked within
-	 * the DeliverSSLv3_Record(SSLv3_HandshakeRecord*) method.
-	 *
-	 * @param type the handshake type of the handshake record
-	 */
-	int HandshakeType2Trans(int type);
-
-	/** This method is used for event generation during the handshaking phase and
-	 * generates the connection-attempt, server-reply, connection-established, connection-reused
-	 * events dependant on the currentState of the SSL Automaton.
-	 * It calls the appropriate fire_* methods of the SSL_Interpreter for this.
-	 * The method is called within the the DeliverSSLv3_Record() methods.
-	 *
-	 * @param rec the SSLv3_Record which is currently processed
-	 */
-	void GenerateEvents(SSLv3_Record* rec, TableVal* curCipherSuites);
-
-	/** This method analyzes the cipher suites the client and server offer
-	 * each other during handshaking phase. It checks, whether it's a 'common'
-	 * cipher suite and sets the pCipherSuite attribute according to the
-	 * cipher suite client and server agreed on.
-	 *
-	 * @param s the SSLv3_Endpoint which sent the SSL record with the cipher suite(s) to be analyzed
-	 * @param length length of data
-	 * @param data pointer to where the cipher suites can be found
-	 * @param version SSL version of the SSL record that contained the cipher suite(s)
-	 * @return a pointer to a Bro TableVal (of type cipher_suites_list) which contains
-	 *	the cipher suites list of the current analyzed record
-	 */
-	 TableVal* analyzeCiphers(const SSLv3_Endpoint* s, int length, const u_char* data, uint16 version);
-
-};
-
-// ----------------------------------------------------------------------------
-
-/** Class SSLv3_Endpoint is the implementation for SSLv3.0/SSLv3.1 connection
- * endpoints (derived from the abstract class SSL_InterpreterEndpoint).
- *
- * A SSLv3_Endpoint gets completely reassembled ssl records via the method
- * Deliver(), which is invoked in this Endpoint's corresponding SSLProxy_Analyzer.
- * The defragmentation and reassembling already took place in the
- * SSLProxy_Analyzer's SSL_RecordBuilder.
- * The Deliver()-method does some basic weird checks and then calls
- * ProcessMessage() which determines the content type of the ssl record
- * and, dependant on that, creates an instance of the appropriate SSLv3_Record.
- * This is passed on to this endpoint's corresponding SSLv3_Interpreter via
- * the DeliverSSLv3_Record()-method.
- */
-class SSLv3_Endpoint : public SSL_InterpreterEndpoint {
-public:
-	/** The constructor takes the corresponding SSL_Interpreter as argument.
-	 * is_orig sets this endpoint as originator of the connection (1), and
-	 * responder otherwise (0).
-	 *
-	 * @param interpreter the SSL_Interpreter this endpoint is bound to.
-	 * @param is_orig whether this endpoint is the originator (1) of the
-	 *			connection or not (0).
-	 */
-	SSLv3_Endpoint(SSL_Interpreter* interpreter, int is_orig);
-	virtual ~SSLv3_Endpoint();
-
-	/** This method is invoked by this endpoint's corresponding
-	 * SSLProxy_Analyzer and receives completely reassembled SSL
-	 * records (by the data argument).
-	 *
-	 * @param t time is always 0 (former: when the segment was received
-	 *	by bro (?))
-	 * @param len length of SSL record
-	 * @param data content of SSL record
-	 */
-	void Deliver(int len, const u_char* data);
-
-protected:
-	uint16 sslVersion; ///< holds the version of the just delivered SSL record
-	uint16 currentMessage_length; ///< the length of the just delivered SSL record
-
-	/** This method extracts the content type of the SSL record passed
-	 * in the first parameter.
-	 *
-	 * @param data the SSL record
-	 * @param len length of the record
-	 * @return SSL3_1_ContentType of SSL record
-	 */
-	SSL3_1_ContentType ExtractContentType(const u_char* data, int len);
-
-	/** This method determines the version of the SSL record passed to it.
-	 * It sets the field sslVersion of this endpoint an is called within
-	 * the method ProcessMessage().
-	 *
-	 * @param data the SSL record
-	 * @param len length of the record
-	 * @return 0 if version is NOT 3.0/3.1, 1 otherwise
-	*/
-	int ExtractVersion(const u_char* data, int len);
-
-	/** This method processes a complete SSL record. It
-	 * determines the content type of the SSL record
-	 * (handshake, alert, change-cipher-spec, application),
-	 * cuts away the SSL record layer header and generates
-	 * the appropriate SSLv3_Record. Then it calls the SSLv3_Record's
-	 * Deliver() method, which manages the delivery of the record
-	 * to the corresponding SSLv3_Interpreter
-	 *
-	 * @param data the complete SSL record
-	 * @param len data's (record's) length
-	 */
-	void ProcessMessage(const u_char* data, int len);
-};
-
-// ----------------------------------------------------------------------------
-
-// Offsets are now relative to the end of the SSL record layer header
-#define SSL3_1_CHANGE_CIPHER_TYPE_OFFSET (SSL3_1_HEADERLENGTH - 5)
-#define SSL3_1_ALERT_LEVEL_OFFSET (SSL3_1_HEADERLENGTH - 5)
-#define SSL3_1_ALERT_DESCRIPTION_OFFSET (SSL3_1_HEADERLENGTH - 4)
-#define SSL3_1_SESSION_ID_LENGTH_OFFSET 38
-#define SSL3_1_SESSION_ID_OFFSET 39
-
-/** This class is an abstract base class for the four different
- * SSLv3.0/SSLv3.1 record types (handshake, alert, change-cipher-spec,
- * application).
- *
- * It contains a pointer to the data of the SSL record <b>without</b>
- * the SSL record layer header, it's length and the version information, which
- * was present in the now cut away SSL record layer header.
- *
- * (Note: the version field of the SSL record layer header may differ from
- * the version of the record format that was used when sending the record.
- * (e.g. a client may send a SSLv2 record including
- * a version field containing 3.1 (for SSLv3.1) to show, that he supports
- * version 3.1.))
- *
- * Every subclass of SSLv3_Record implements the Deliver() method, which
- * manages the delivery of the record to the corresponding SSLv3_Interpreter.
- * Instances of SSLv3_Record (resp. it's subclasses) are created within
- * the ProcessMessage() method of a SSLv3_Endpoint.
- * */
-class SSLv3_Record : public BroObj{
-public:
-	/** The constructor gets a pointer to the SSL record without the
-	 * record layer header, it's length, the version information
-	 * contained in the record layer header and a pointer to the
-	 * SSLv3_Endpoint that created this instance of SSLv3_Record.
-	 *
-	 * @param data pointer to the SSL record without record layer header
-	 * @param data's length
-	 * @param version version information contained in the SSL record layer header
-	 * @param e the SSLv3_Endpoint that created this instance
-	 */
-	SSLv3_Record(const u_char* data, int len, uint16 version,
-			SSLv3_Endpoint const* e);
-	~SSLv3_Record();
-
-	void Describe(ODesc* d) const;
-
-	int GetRecordLength() const;
-	const u_char* GetData() const;
-	uint16 GetVersion() const;
-	SSLv3_Endpoint const* GetEndpoint() const;
-
-	/** This abstract method is implemented by the various SSLv3_Record
-	 * subclasses for handshake, alert, change cipher spec and application
-	 * records.  It manages the delivery of the SSLv3_Record to the
-	 * SSLv3_Interpreter passed as argument.
-	 * SSLv3_Records are created within the ProcessMessage() method of the
-	 * SSLv3_Endpoint which then calls the just created SSLv3_Records
-	 * Deliver() method with it's corresponding SSLv3_Interpreter as
-	 * argument which then receives the (evtl. preprocessed) SSLv3_Record
-	 * (via the method(s) DeliverSSLv3_Record()).
-	 *
-	 * @param conn the SSLv3_Interpreter to which this SSLv3_Record should be deliverd
-	 */
-	virtual void Deliver(SSLv3_Interpreter* conn) =0;
-
-	/** Helper function that converts from 24-bit big endian integer
-	 * starting at offset to 32 bit integer in little endian format.
-	 *
-	 * @param data the ssl-record
-	 * @param len length of data (record)
-	 * @param offset where the 24 bit big endian starts
-	 * @return 32 bit little endian
-	 */
-	int ExtractInt24(const u_char* data, int len, int offset);
-
-	int recordLength; ///< total length of the SSL record <b>without</b> the record layer header
-	const u_char* data; ///< pointer to the SSL record without the record layer header
-	SSLv3_Endpoint const* endp; ///< pointer to the SSLv3_Endpoint that created this instance of SSLv3_Record
-	uint16 sslVersion; ///< version information of the SSL record layer header
-};
-
-// ----------------------------------------------------------------------------
-
-/* This class represents a handshake record used in SSLv3.0/SSLv3.1.
- *
- * Handshake records in SSLv3.0/SSLv3.1 need a special treatment,
- * because it is possible that multiple handshake messages are coalesced into
- * a single SSLv3.0/SSLv3.1 record.
- * I think, this only can happen to
- * handshake records (even RFC2246 page 16 generally talks about all
- * messages of a same content type), because only handshake records
- * have got an own length descriptor within and thus make de-coalescing
- * possible.
- * So when generating a new instance of a SSLv3_HandshakeRecord, it is checked whether there
- * are more handshake records within data.
- * If so, they are put apart and linked together to a chain by using
- * the next-pointer.
- * The Deliver() method takes this into account and delivers every single
- * handshake record one by one to the SSLv3_Interpreter.
- */
-class SSLv3_HandshakeRecord : public SSLv3_Record{
-public:
-	SSLv3_HandshakeRecord(const u_char* data, int len, uint16 version,
-				SSLv3_Endpoint const* e);
-	~SSLv3_HandshakeRecord();
-
-	int GetType() const;
-	int GetLength() const;
-
-	/** This method delivers the SSLv3_HandshakeRecord(s) to the
-	 * SSLv3_Interpreter passed as argument. The method follows
-	 * the next-pointer and delivers every SSLv3_HandshakeRecord
-	 * contained in this list to the SSLv3_Interpreter.
-	 *
-	 * @param conn the SSLv3_Interpreter to which this SSLv3_HandshakeRecord should be deliverd
-	 */
-	void Deliver(SSLv3_Interpreter* conn);
-
-	/* This method is invoked within the SSLv3_Interpreter and does lots of
-	 * weird and consistency checks on a client hello SSL handshake record.
-	 *
-	 * @return 0 if further processing of this client hello is not
-	 * possible due to inconsistency and 1 otherwise.
-	 */
-	int checkClientHello();
-
-	/* This method is invoked within the SSLv3_Interpreter and does lots of
-	 * weird and consistency checks on a server hello SSL handshake record.
-	 *
-	 * @return 0 if further processing of this server hello is not
-	 * possible due to inconsistency and 1 otherwise.
-	 */
-	int checkServerHello();
-
-	int type;	///< holds the handshake type of the handshake record (first byte)
-	int length;	///< holds the length of this handshake record (which is needed due to coalesced handshake messages)
-
-private:
-	SSLv3_HandshakeRecord* next;	///< pointer to the next ssl handshake record if they are coalesced into a single record
-
-	SSLv3_HandshakeRecord* GetNext();
-};
-
-// ----------------------------------------------------------------------------
-
-/** This class represents an alert record used in SSLv3.0/SSLv3.1.
- *
- * description holds the SSL alert description and level the alert level.
- */
-class SSLv3_AlertRecord : public SSLv3_Record {
-public:
-	SSLv3_AlertRecord(const u_char* data, int len, uint16 version,
-				SSLv3_Endpoint const* e);
-	~SSLv3_AlertRecord();
-
-	int GetDescription() const;
-	int GetLevel() const;
-
-	/** This method delivers the SSLv3_AlertRecord to the SSLv3_Interpreter passed as
-	 * argument.
-	 *
-	 * @param conn the SSLv3_Interpreter to which this SSLv3_AlertRecord should be deliverd
-	 */
-	void Deliver(SSLv3_Interpreter* conn);
-
-	int description;	///< holds the alert description
-	int level;	///< holds the alert level
-};
-
-// ----------------------------------------------------------------------------
-
-/** This class represents a change cipher record used in SSLv3.0/SSLv3.1.
- *
- *  type holds the change cipher type used (currently only 1 is valid (rfc 2246))
- */
-class SSLv3_ChangeCipherRecord : public SSLv3_Record{
-public:
-	SSLv3_ChangeCipherRecord(const u_char* data, int len, uint16 version,
-				SSLv3_Endpoint const* e);
-	~SSLv3_ChangeCipherRecord();
-	int GetType() const;
-
-	/** This method delivers the SSLv3_ChangeCipherRecord to the
-	 * SSLv3_Interpreter passed as argument.
-	 *
-	 * @param conn the SSLv3_Interpreter to which this
-	 * SSLv3_ChangeCipherRecord should be delivered
-	 */
-	void Deliver(SSLv3_Interpreter* conn);
-
-	int type;	///< holds the change cipher type
-};
-
-// ----------------------------------------------------------------------------
-
-/** This class represents an application record used in SSLv3.0/SSLv3.1.
- */
-class SSLv3_ApplicationRecord : public SSLv3_Record {
-public:
-	SSLv3_ApplicationRecord(const u_char* data, int len, uint16 version,
-				SSLv3_Endpoint const* e);
-	~SSLv3_ApplicationRecord();
-
-	/** This method delivers the SSLv3_ApplicationRecord to the
-	 * SSLv3_Interpreter passed as argument.
-	 *
-	 * @param conn the SSLv3_Interpreter to which this
-	 * SSLv3_ApplicationRecord should be deliverd
-	 */
-	void Deliver(SSLv3_Interpreter* conn);
-};
-
-#endif
diff --git a/src/SSLv3Automaton.cc b/src/SSLv3Automaton.cc
deleted file mode 100644
index a79c81bd7c..0000000000
--- a/src/SSLv3Automaton.cc
+++ /dev/null
@@ -1,83 +0,0 @@
-// $Id: SSLv3Automaton.cc 80 2004-07-14 20:15:50Z jason $
-
-// ---SSLv3_Automaton----------------------------------------------------------
-
-#include "SSLv3Automaton.h"
-
-SSLv3_Automaton::SSLv3_Automaton(int arg_num_states, int num_trans,
-					int error_state)
-	{
-	num_states = arg_num_states;
-	states = new SSLv3_State*[num_states];
-	for ( int i = 0; i < num_states; ++i )
-		states[i] = new SSLv3_State(num_trans, error_state);
-	}
-
-SSLv3_Automaton::~SSLv3_Automaton()
-	{
-	for ( int i = 0; i < num_states; ++i )
-		delete states[i];
-	delete [] states;
-	}
-
-void SSLv3_Automaton::Describe(ODesc* d) const
-	{
-	d->Add("sslAutomaton");
-	}
-
-void SSLv3_Automaton::setStartState(int state)
-	{
-	if ( state < num_states )
-		startState = state;
-	}
-
-void SSLv3_Automaton::addTrans(int state1, int trans, int state2)
-	{
-	if ( state1 < num_states && state2 < num_states )
-		states[state1]->addTrans(trans, state2);
-	}
-
-int SSLv3_Automaton::getNextState(int state, int trans)
-	{
-	if ( state < num_states )
-		return states[state]->getNextState(trans);
-	else
-		return 0;
-	}
-
-int SSLv3_Automaton::getStartState()
-	{
-	if (startState >= 0)
-		return startState;
-	else
-		return -1;
-	}
-
-// ---SSLv3_State--------------------------------------------------------------
-
-SSLv3_State::SSLv3_State(int num_trans, int error_state)
-	{
-	this->num_trans = num_trans;
-	transitions = new int[num_trans];
-	for ( int i = 0; i < num_trans; ++i )
-		transitions[i] = error_state;
-	}
-
-SSLv3_State::~SSLv3_State()
-	{
-	delete [] transitions;
-	}
-
-void SSLv3_State::addTrans(int trans, int state)
-	{
-	if ( trans < num_trans )
-		transitions[trans] = state;
-	}
-
-int SSLv3_State::getNextState(int trans)
-	{
-	if ( trans < num_trans )
-		return transitions[trans];
-	else
-		return 0;
-	}
diff --git a/src/SSLv3Automaton.h b/src/SSLv3Automaton.h
deleted file mode 100644
index f581edbde2..0000000000
--- a/src/SSLv3Automaton.h
+++ /dev/null
@@ -1,107 +0,0 @@
-// $Id: SSLv3Automaton.h 80 2004-07-14 20:15:50Z jason $
-
-#ifndef ssl_v3_automaton_h
-#define ssl_v3_automaton_h
-
-#include "Obj.h"
-#include "SSLDefines.h"
-
-class SSLv3_State;
-
-/** Class SSLv3_Automaton is there for holding the transitions of a state machine.
- * The States are simply Integer Constants >= 0. Same for the transitions.
- * The SSLv3_Automaton holds a pointer to an array of pointers to the
- * states of the automaton. The array is indexed by the integer that
- * represents the corresponding state.
- * By default, the automaton is initialized with every transition leading to
- * the error_state.
- * By calling addTrans() (done in the SSLv3_Interpreter's BuildAutomaton()-method)
- * the proper transitions for the SSL automaton are created.
- * When calling getNextState(state, trans), you get the next state of the
- * automaton, according to state and trans.
- * */
-class SSLv3_Automaton : public BroObj {
-public:
-	/* The constructor initialises the states 2-dim. array
-	 * (which's size depends on num_states and num_trans).
-	 * By default, every transition from every state leads to the error_state.
-	 * @param num_states how many states the automaton has
-	 * @param num_trans how many different transitions the automaton has
-	 * @param error_state which Integer the error_state has
-	 */
-	SSLv3_Automaton(int num_states, int num_trans, int error_state);
-	~SSLv3_Automaton();
-	void Describe(ODesc* d) const;
-
-	/* Sets the start state of the automaton.
-	 * @param state the start state
-	 */
-	void setStartState(int state);
-
-	/* This method is used for building up the automaton and defining
-	 * from which state you get to which state which what transition.
-	 * @param state1 the state from which the transition starts
-	 * @param trans the transition itself
-	 * @param to which state the transition leads
-	 */
-	void addTrans(int state1, int trans, int state2);
-
-	/* Used for determinig into which state the automaton gets by using the
-	 * given transition in the given state.
-	 * @param state the state from which the transition starts
-	 * @param trans the transition itself
-	 * @return the state to which the transition leads
-	 */
-	int getNextState(int state, int trans);
-	int getStartState();
-	int OutRef()
-		{
-		return RefCnt();
-		}
-
-protected:
-	int num_states;	///< how many states the automaton has
-	SSLv3_State** states;	///< the pointer to the array of pointers that holds the states
-	int startState;	///< the start state of the automaton
-
-};
-
-// ----------------------------------------------------------------------------
-
-/** This class represents a state of the SSLv3_Automaton.
- * It holds a pointer to an array of integers, which corresponds to the
- * succeeding states of this state when "taking" a transition.
- * The transition array is indexed by the integer-values corresponding to
- * the transitions of the automaton.
- * */
-class SSLv3_State {
-public:
-	/* The constructor initialises the state. By default, every transition
-	 * of the automaton leads to the error_state.
-	 * @param num_trans how many different transitions the automaton has
-	 * @param error_state how many different transitions the automaton has
-	 */
-	SSLv3_State(int num_trans, int error_state);
-	~SSLv3_State();
-
-	/* This method is used for building up the automaton and is invoked by
-	 * the SSLv3_Automaton's addTrans()-method. It defines the successing state
-	 * of the automaton by taking the transition trans in this state.
-	 * @param trans the transition,
-	 * @param that leads to the state
-	 */
-	void addTrans(int trans, int state);
-
-	/* Used for determinig into which state the automaton gets by using the
-	 * given transition in the this state.
-	 * @param trans which transition is to be taken
-	 * @return the resulting state of the automaton
-	 */
-	int getNextState(int trans);
-
-protected:
-	int num_trans;	///< how many transitions the automaton has
-	int* transitions;	///< the array of successing states of this state by taking the transition that indexes this array
-};
-
-#endif
diff --git a/src/Scope.cc b/src/Scope.cc
index f8fa9f4883..4916cdbfce 100644
--- a/src/Scope.cc
+++ b/src/Scope.cc
@@ -1,5 +1,3 @@
-// $Id: Scope.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -7,49 +5,11 @@
 #include "ID.h"
 #include "Val.h"
 #include "Scope.h"
+#include "Reporter.h"
 
 static scope_list scopes;
 static Scope* top_scope;
 
-extern const char* GLOBAL_MODULE_NAME = "GLOBAL";
-
-
-// Returns it without trailing "::".
-string extract_module_name(const char* name)
-	{
-	string module_name = name;
-	string::size_type pos = module_name.rfind("::");
-
-	if ( pos == string::npos )
-		return string(GLOBAL_MODULE_NAME);
-
-	module_name.erase(pos);
-
-	return module_name;
-	}
-
-string normalized_module_name(const char* module_name)
-	{
-	int mod_len;
-	if ( (mod_len = strlen(module_name)) >= 2 &&
-	     ! strcmp(module_name + mod_len - 2, "::") )
-		mod_len -= 2;
-
-	return string(module_name, mod_len);
-	}
-
-string make_full_var_name(const char* module_name, const char* var_name)
-	{
-	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
-	     strstr(var_name, "::") )
-		return string(var_name);
-
-	string full_name = normalized_module_name(module_name);
-	full_name += "::";
-	full_name += var_name;
-
-	return full_name;
-	}
 
 Scope::Scope(ID* id)
 	{
@@ -66,7 +26,7 @@ Scope::Scope(ID* id)
 		if ( id_type->Tag() == TYPE_ERROR )
 			return;
 		else if ( id_type->Tag() != TYPE_FUNC )
-			internal_error("bad scope id");
+			reporter->InternalError("bad scope id");
 
 		Ref(id);
 
@@ -152,9 +112,11 @@ TraversalCode Scope::Traverse(TraversalCallback* cb) const
 	}
 
 
-ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
+ID* lookup_ID(const char* name, const char* curr_module, bool no_global,
+	      bool same_module_only)
 	{
 	string fullname = make_full_var_name(curr_module, name);
+
 	string ID_module = extract_module_name(fullname.c_str());
 	bool need_export = ID_module != GLOBAL_MODULE_NAME &&
 				ID_module != curr_module;
@@ -165,7 +127,7 @@ ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
 		if ( id )
 			{
 			if ( need_export && ! id->IsExport() && ! in_debug )
-				error("identifier is not exported:",
+				reporter->Error("identifier is not exported: %s",
 				      fullname.c_str());
 
 			Ref(id);
@@ -173,7 +135,8 @@ ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
 			}
 		}
 
-	if ( ! no_global )
+	if ( ! no_global && (strcmp(GLOBAL_MODULE_NAME, curr_module) == 0 ||
+			     ! same_module_only) )
 		{
 		string globalname = make_full_var_name(GLOBAL_MODULE_NAME, name);
 		ID* id = global_scope()->Lookup(globalname.c_str());
@@ -191,7 +154,7 @@ ID* install_ID(const char* name, const char* module_name,
 		bool is_global, bool is_export)
 	{
 	if ( scopes.length() == 0 && ! is_global )
-		internal_error("local identifier in global scope");
+		reporter->InternalError("local identifier in global scope");
 
 	IDScope scope;
 	if ( is_export || ! module_name ||
@@ -233,7 +196,7 @@ Scope* pop_scope()
 	{
 	int n = scopes.length() - 1;
 	if ( n < 0 )
-		internal_error("scope underflow");
+		reporter->InternalError("scope underflow");
 	scopes.remove_nth(n);
 
 	Scope* old_top = top_scope;
@@ -254,5 +217,5 @@ Scope* current_scope()
 
 Scope* global_scope()
 	{
-	return scopes[0];
+	return scopes.length() == 0 ? 0 : scopes[0];
 	}
diff --git a/src/Scope.h b/src/Scope.h
index 19b37ef600..1ef58d871c 100644
--- a/src/Scope.h
+++ b/src/Scope.h
@@ -1,5 +1,3 @@
-// $Id: Scope.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef scope_h
@@ -11,6 +9,7 @@
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
+#include "module_util.h"
 
 class ID;
 class BroType;
@@ -59,20 +58,12 @@ protected:
 	id_list* inits;
 };
 
-extern const char* GLOBAL_MODULE_NAME;
-
-extern string extract_module_name(const char* name);
-extern string normalized_module_name(const char* module_name); // w/o ::
-
-// Concatenates module_name::var_name unless var_name is already fully
-// qualified, in which case it is returned unmodified.
-extern string make_full_var_name(const char* module_name, const char* var_name);
 
 extern bool in_debug;
 
 // If no_global is true, don't search in the default "global" namespace.
 extern ID* lookup_ID(const char* name, const char* module,
-			bool no_global = false);
+		     bool no_global = false, bool same_module_only=false);
 extern ID* install_ID(const char* name, const char* module_name,
 			bool is_global, bool is_export);
 
diff --git a/src/ScriptAnaly.cc b/src/ScriptAnaly.cc
index 700c0ed4e8..bca75cc800 100644
--- a/src/ScriptAnaly.cc
+++ b/src/ScriptAnaly.cc
@@ -1,5 +1,3 @@
-// $Id: ScriptAnaly.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "Dict.h"
diff --git a/src/ScriptAnaly.h b/src/ScriptAnaly.h
index 180971e769..0561ecd389 100644
--- a/src/ScriptAnaly.h
+++ b/src/ScriptAnaly.h
@@ -1,5 +1,3 @@
-// $Id: ScriptAnaly.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef scriptanaly_h
diff --git a/src/SerialInfo.h b/src/SerialInfo.h
index 3ed2e91d26..aa4c382349 100644
--- a/src/SerialInfo.h
+++ b/src/SerialInfo.h
@@ -1,5 +1,3 @@
-// $Id: SerialInfo.h 6752 2009-06-14 04:24:52Z vern $
-//
 // Helper classes to pass data between serialization methods.
 
 #ifndef serialinfo_h
@@ -17,6 +15,7 @@ public:
 		pid_32bit = false;
 		include_locations = true;
 		new_cache_strategy = false;
+		broccoli_peer = false;
 		}
 
 	SerialInfo(const SerialInfo& info)
@@ -30,6 +29,7 @@ public:
 		pid_32bit = info.pid_32bit;
 		include_locations = info.include_locations;
 		new_cache_strategy = info.new_cache_strategy;
+		broccoli_peer = info.broccoli_peer;
 		}
 
 	// Parameters that control serialization.
@@ -48,6 +48,11 @@ public:
 	// If true, we support keeping objs in cache permanently.
 	bool new_cache_strategy;
 
+	// If true, we're connecting to a Broccoli. If so, serialization
+	// specifics may be adapted for functionality Broccoli does not
+	// support.
+	bool broccoli_peer;
+
 	ChunkedIO::Chunk* chunk; // chunk written right before the serialization
 
 	// Attributes set during serialization.
@@ -72,6 +77,7 @@ public:
 		print = 0;
 		pid_32bit = false;
 		new_cache_strategy = false;
+		broccoli_peer = false;
 		}
 
 	UnserialInfo(const UnserialInfo& info)
@@ -88,6 +94,7 @@ public:
 		print = info.print;
 		pid_32bit = info.pid_32bit;
 		new_cache_strategy = info.new_cache_strategy;
+		broccoli_peer = info.broccoli_peer;
 		}
 
 	// Parameters that control unserialization.
@@ -108,6 +115,11 @@ public:
 	// If true, we support keeping objs in cache permanently.
 	bool new_cache_strategy;
 
+	// If true, we're connecting to a Broccoli. If so, serialization
+	// specifics may be adapted for functionality Broccoli does not
+	// support.
+	bool broccoli_peer;
+
 	// If a global ID already exits, of these policies is used.
 	enum {
 		Keep,	// keep the old ID and ignore the new
diff --git a/src/SerialObj.cc b/src/SerialObj.cc
index 02c312c1e7..a8ab969f5e 100644
--- a/src/SerialObj.cc
+++ b/src/SerialObj.cc
@@ -1,5 +1,3 @@
-// $Id: SerialObj.cc 7075 2010-09-13 02:39:38Z vern $
-
 #include "SerialObj.h"
 #include "Serializer.h"
 
@@ -21,7 +19,7 @@ SerialObj* SerialObj::Instantiate(SerialType type)
 		return o;
 		}
 
-	run_time(fmt("Unknown object type 0x%08x", type));
+	reporter->Error("Unknown object type 0x%08x", type);
 	return 0;
 	}
 
@@ -31,7 +29,7 @@ const char* SerialObj::ClassName(SerialType type)
 	if ( f != names->end() )
 		return f->second;
 
-	run_time(fmt("Unknown object type 0x%08x", type));
+	reporter->Error("Unknown object type 0x%08x", type);
 	return "<no-class-name>";
 	}
 
@@ -47,7 +45,7 @@ void SerialObj::Register(SerialType type, FactoryFunc f, const char* name)
 
 	FactoryMap::iterator i = factories->find(type);
 	if ( i != factories->end() )
-		internal_error("SerialType 0x%08x registered twice", type);
+		reporter->InternalError("SerialType 0x%08x registered twice", type);
 
 	(*factories)[type] = f;
 	(*names)[type] = name;
@@ -77,7 +75,7 @@ bool SerialObj::Serialize(SerialInfo* info) const
 		const TransientID* tid = GetTID();
 
 		if ( ! tid )
-			internal_error("no tid - missing DECLARE_SERIAL?");
+			reporter->InternalError("no tid - missing DECLARE_SERIAL?");
 
 		if ( info->cache )
 			pid = info->s->Cache()->Lookup(*tid);
@@ -211,7 +209,7 @@ SerialObj* SerialObj::Unserialize(UnserialInfo* info, SerialType type)
 
 	const TransientID* tid = obj->GetTID();
 	if ( ! tid )
-		internal_error("no tid - missing DECLARE_SERIAL?");
+		reporter->InternalError("no tid - missing DECLARE_SERIAL?");
 
 	if ( info->cache )
 		info->s->Cache()->Register(obj, pid, info->new_cache_strategy);
diff --git a/src/SerialObj.h b/src/SerialObj.h
index 9c02b21e5b..c3dc65684c 100644
--- a/src/SerialObj.h
+++ b/src/SerialObj.h
@@ -1,5 +1,3 @@
-// $Id: SerialObj.h 6752 2009-06-14 04:24:52Z vern $
-//
 // Infrastructure for serializable objects.
 //
 // How to make objects of class Foo serializable:
@@ -330,6 +328,29 @@ public:
 		dst = 0;	\
 	}
 
+#define UNSERIALIZE_OPTIONAL_STR_DEL(dst, del)	\
+	{	\
+	bool has_it;	\
+	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
+		{	\
+		delete del;	\
+		return 0;	\
+		}	\
+	\
+	if ( has_it )	\
+		{	\
+		info->s->Read(&dst, 0, "has_" #dst);	\
+		if ( ! dst )	\
+			{	\
+			delete del;	\
+			return 0;	\
+			}	\
+		}	\
+	\
+	else	\
+		dst = 0;	\
+	}
+
 #define UNSERIALIZE_OPTIONAL_STATIC(dst, unserialize, del)	\
 	{	\
 	bool has_it;	\
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index a33b026fae..0ba48f89a9 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -1,5 +1,3 @@
-// $Id: SerialTypes.h 6752 2009-06-14 04:24:52Z vern $
-
 #ifndef serialtypes_h
 #define serialtypes_h
 
@@ -91,16 +89,15 @@ SERIAL_VAL(VAL, 1)
 SERIAL_VAL(INTERVAL_VAL,  2)
 SERIAL_VAL(PORT_VAL, 3)
 SERIAL_VAL(ADDR_VAL, 4)
-SERIAL_VAL(NET_VAL, 5)
-SERIAL_VAL(SUBNET_VAL, 6)
-SERIAL_VAL(STRING_VAL, 7)
-SERIAL_VAL(PATTERN_VAL, 8)
-SERIAL_VAL(LIST_VAL, 9)
-SERIAL_VAL(TABLE_VAL, 10)
-SERIAL_VAL(RECORD_VAL, 11)
-SERIAL_VAL(ENUM_VAL, 12)
-SERIAL_VAL(VECTOR_VAL, 13)
-SERIAL_VAL(MUTABLE_VAL, 14)
+SERIAL_VAL(SUBNET_VAL, 5)
+SERIAL_VAL(STRING_VAL, 6)
+SERIAL_VAL(PATTERN_VAL, 7)
+SERIAL_VAL(LIST_VAL, 8)
+SERIAL_VAL(TABLE_VAL, 9)
+SERIAL_VAL(RECORD_VAL, 10)
+SERIAL_VAL(ENUM_VAL, 11)
+SERIAL_VAL(VECTOR_VAL, 12)
+SERIAL_VAL(MUTABLE_VAL, 13)
 
 #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
 SERIAL_EXPR(EXPR, 1)
@@ -146,11 +143,12 @@ SERIAL_EXPR(TABLE_CONSTRUCTOR_EXPR, 40)
 SERIAL_EXPR(SET_CONSTRUCTOR_EXPR, 41)
 SERIAL_EXPR(VECTOR_CONSTRUCTOR_EXPR, 42)
 SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
+SERIAL_EXPR(VECTOR_COERCE_EXPR, 44)
 
 #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
 SERIAL_STMT(STMT, 1)
 SERIAL_STMT(EXPR_LIST_STMT, 2)
-SERIAL_STMT(ALARM_STMT, 3)
+// There used to be ALARM_STMT (3) here.
 SERIAL_STMT(PRINT_STMT, 4)
 SERIAL_STMT(EXPR_STMT, 5)
 SERIAL_STMT(IF_STMT, 6)
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index d49233ec92..5e3a68a42e 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -1,10 +1,9 @@
-// $Id: SerializationFormat.cc 5873 2008-06-28 19:25:03Z vern $
-
 #include <ctype.h>
 
 #include "net_util.h"
 #include "SerializationFormat.h"
 #include "Serializer.h"
+#include "Reporter.h"
 
 SerializationFormat::SerializationFormat()
 	{
@@ -21,6 +20,7 @@ void SerializationFormat::StartRead(char* data, uint32 arg_len)
 	input = data;
 	input_len = arg_len;
 	input_pos = 0;
+	bytes_read = 0;
 	}
 
 void SerializationFormat::EndRead()
@@ -57,13 +57,15 @@ bool SerializationFormat::ReadData(void* b, size_t count)
 	{
 	if ( input_pos + count > input_len )
 		{
-		error("data underflow during read in binary format");
+		reporter->Error("data underflow during read in binary format");
 		abort();
 		return false;
 		}
 
 	memcpy(b, input + input_pos, count);
 	input_pos += count;
+	bytes_read += count;
+
 	return true;
 	}
 
@@ -201,7 +203,7 @@ bool BinarySerializationFormat::Read(char** str, int* len, const char* tag)
 		for ( int i = 0; i < l; i++ )
 			if ( ! s[i] )
 				{
-				error("binary Format: string contains null; replaced by '_'");
+				reporter->Error("binary Format: string contains null; replaced by '_'");
 				s[i] = '_';
 				}
 		}
@@ -214,6 +216,20 @@ bool BinarySerializationFormat::Read(char** str, int* len, const char* tag)
 	return true;
 	}
 
+bool BinarySerializationFormat::Read(string* v, const char* tag)
+	{
+	char* buffer;
+	int len;
+
+	if ( ! Read(&buffer, &len, tag) )
+		return false;
+
+	*v = string(buffer, len);
+
+	delete [] buffer;
+	return true;
+	}
+
 bool BinarySerializationFormat::Write(char v, const char* tag)
 	{
 	DBG_LOG(DBG_SERIAL, "Write char %s [%s]", fmt_bytes(&v, 1), tag);
@@ -278,6 +294,11 @@ bool BinarySerializationFormat::Write(const char* s, const char* tag)
 	return Write(s, strlen(s), tag);
 	}
 
+bool BinarySerializationFormat::Write(const string& s, const char* tag)
+	{
+	return Write(s.data(), s.size(), tag);
+	}
+
 bool BinarySerializationFormat::WriteOpenTag(const char* tag)
 	{
 	return true;
@@ -310,55 +331,61 @@ XMLSerializationFormat::~XMLSerializationFormat()
 
 bool XMLSerializationFormat::Read(int* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(uint16* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(uint32* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(int64* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(uint64* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(bool* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(double* d, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(char* v, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
 bool XMLSerializationFormat::Read(char** str, int* len, const char* tag)
 	{
-	internal_error("no reading of xml");
+	reporter->InternalError("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(string* s, const char* tag)
+	{
+	reporter->InternalError("no reading of xml");
 	return false;
 	}
 
@@ -369,25 +396,25 @@ bool XMLSerializationFormat::Write(char v, const char* tag)
 
 bool XMLSerializationFormat::Write(uint16 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%" PRIu16, v);
 	return WriteElem(tag, "uint16", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint32 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%"PRIu32, v);
 	return WriteElem(tag, "uint32", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint64 v, const char* tag)
 	{
-	const char* tmp = fmt("%llu", v);
+	const char* tmp = fmt("%"PRIu64, v);
 	return WriteElem(tag, "uint64", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(int64 v, const char* tag)
 	{
-	const char* tmp = fmt("%lld", v);
+	const char* tmp = fmt("%"PRId64, v);
 	return WriteElem(tag, "int64", tmp, strlen(tmp));
 	}
 
@@ -416,6 +443,11 @@ bool XMLSerializationFormat::Write(const char* s, const char* tag)
 	return WriteElem(tag, "string", s, strlen(s));
 	}
 
+bool XMLSerializationFormat::Write(const string& s, const char* tag)
+	{
+	return WriteElem(tag, "string", s.data(), s.size());
+	}
+
 bool XMLSerializationFormat::WriteOpenTag(const char* tag)
 	{
 	return WriteData("<", 1) && WriteData(tag, strlen(tag) && WriteData(">", 1));
diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h
index 8127343274..2067456bf1 100644
--- a/src/SerializationFormat.h
+++ b/src/SerializationFormat.h
@@ -1,10 +1,12 @@
-// $Id: SerializationFormat.h 5873 2008-06-28 19:25:03Z vern $
-//
 // Implements different data formats for serialization.
 
 #ifndef SERIALIZATION_FORMAT
 #define SERIALIZATION_FORMAT
 
+#include <string>
+
+using namespace std;
+
 #include "util.h"
 
 // Abstract base class.
@@ -25,6 +27,10 @@ public:
 	virtual bool Read(char* v, const char* tag) = 0;
 	virtual bool Read(bool* v, const char* tag) = 0;
 	virtual bool Read(double* d, const char* tag) = 0;
+	virtual bool Read(string* s, const char* tag) = 0;
+
+	// Returns number of raw bytes read since last call to StartRead().
+	int BytesRead() const	{ return bytes_read; }
 
 	// Passes ownership of string.
 	virtual bool Read(char** str, int* len, const char* tag) = 0;
@@ -43,6 +49,7 @@ public:
 	virtual bool Write(double d, const char* tag) = 0;
 	virtual bool Write(const char* s, const char* tag) = 0;
 	virtual bool Write(const char* buf, int len, const char* tag) = 0;
+	virtual bool Write(const string& s, const char* tag) = 0;
 
 	virtual bool WriteOpenTag(const char* tag) = 0;
 	virtual bool WriteCloseTag(const char* tag) = 0;
@@ -65,6 +72,7 @@ protected:
 	uint32 input_pos;
 
 	int bytes_written;
+	int bytes_read;
 };
 
 class BinarySerializationFormat : public SerializationFormat {
@@ -81,6 +89,7 @@ public:
 	virtual bool Read(bool* v, const char* tag);
 	virtual bool Read(double* d, const char* tag);
 	virtual bool Read(char** str, int* len, const char* tag);
+	virtual bool Read(string* s, const char* tag);
 	virtual bool Write(int v, const char* tag);
 	virtual bool Write(uint16 v, const char* tag);
 	virtual bool Write(uint32 v, const char* tag);
@@ -91,6 +100,7 @@ public:
 	virtual bool Write(double d, const char* tag);
 	virtual bool Write(const char* s, const char* tag);
 	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool Write(const string& s, const char* tag);
 	virtual bool WriteOpenTag(const char* tag);
 	virtual bool WriteCloseTag(const char* tag);
 	virtual bool WriteSeparator();
@@ -112,6 +122,7 @@ public:
 	virtual bool Write(double d, const char* tag);
 	virtual bool Write(const char* s, const char* tag);
 	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool Write(const string& s, const char* tag);
 	virtual bool WriteOpenTag(const char* tag);
 	virtual bool WriteCloseTag(const char* tag);
 	virtual bool WriteSeparator();
@@ -126,6 +137,7 @@ public:
 	virtual bool Read(bool* v, const char* tag);
 	virtual bool Read(double* d, const char* tag);
 	virtual bool Read(char** str, int* len, const char* tag);
+	virtual bool Read(string* s, const char* tag);
 
 private:
 	// Encodes non-printable characters.
diff --git a/src/Serializer.cc b/src/Serializer.cc
index c6a065f28f..b82da0aaf3 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -1,5 +1,3 @@
-// $Id: Serializer.cc 6752 2009-06-14 04:24:52Z vern $
-
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -12,7 +10,7 @@
 #include "Serializer.h"
 #include "Scope.h"
 #include "Stmt.h"
-#include "Logger.h"
+#include "Reporter.h"
 #include "Func.h"
 #include "Event.h"
 #include "EventRegistry.h"
@@ -911,7 +909,7 @@ bool FileSerializer::Read(UnserialInfo* info, const char* file, bool header)
 
 void FileSerializer::ReportError(const char* str)
 	{
-	run_time(str);
+	reporter->Error("%s", str);
 	}
 
 void FileSerializer::GotID(ID* id, Val* val)
@@ -971,7 +969,7 @@ ConversionSerializer::~ConversionSerializer()
 
 bool ConversionSerializer::Convert(const char* file_in, const char* file_out)
 	{
-	internal_error("Error: Printing as XML is broken.");
+	reporter->InternalError("Error: Printing as XML is broken.");
 
 	if ( ! serout->Open(file_out, true) )
 		return false;
@@ -1004,19 +1002,19 @@ void ConversionSerializer::GotFunctionCall(const char* name, double time,
 
 void ConversionSerializer::GotID(ID* id, Val* val)
 	{
-	warn("ConversionSerializer::GotID not implemented");
+	reporter->Warning("ConversionSerializer::GotID not implemented");
 	Unref(id);
 	}
 
 void ConversionSerializer::GotStateAccess(StateAccess* s)
 	{
-	warn("ConversionSerializer::GotID not implemented");
+	reporter->Warning("ConversionSerializer::GotID not implemented");
 	delete s;
 	}
 
 void ConversionSerializer::GotPacket(Packet* p)
 	{
-	warn("ConversionSerializer::GotPacket not implemented");
+	reporter->Warning("ConversionSerializer::GotPacket not implemented");
 	delete p;
 	}
 
@@ -1147,7 +1145,7 @@ Packet* Packet::Unserialize(UnserialInfo* info)
 	if ( ! info->s->Read((char**) &tag, 0, "tag") )
 		return 0;
 
-	u_char* pkt;
+	char* pkt;
 	int caplen;
 	if ( ! info->s->Read((char**) &pkt, &caplen, "data") )
 		{
@@ -1157,7 +1155,7 @@ Packet* Packet::Unserialize(UnserialInfo* info)
 
 	hdr->caplen = uint32(caplen);
 	p->hdr = hdr;
-	p->pkt = pkt;
+	p->pkt = (u_char*) pkt;
 	p->tag = tag;
 	p->hdr_size = get_link_header_size(p->link_type);
 
diff --git a/src/Serializer.h b/src/Serializer.h
index c8f9284b53..93581d83ce 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -1,5 +1,3 @@
-// $Id: Serializer.h 6752 2009-06-14 04:24:52Z vern $
-
 #ifndef SERIALIZER_H
 #define SERIALIZER_H
 
@@ -18,6 +16,7 @@
 #include "IP.h"
 #include "Timer.h"
 #include "IOSource.h"
+#include "Reporter.h"
 
 class SerializationCache;
 class SerialInfo;
@@ -122,7 +121,7 @@ protected:
 
 	// This will be increased whenever there is an incompatible change
 	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 18;
+	static const uint32 DATA_FORMAT_VERSION = 21;
 
 	ChunkedIO* io;
 
@@ -262,7 +261,7 @@ public:
 	virtual ~CloneSerializer()	{ }
 
 protected:
-	virtual void ReportError(const char* msg)	{ run_time(msg); }
+	virtual void ReportError(const char* msg)	{ reporter->Error("%s", msg); }
 	virtual void GotID(ID* id, Val* val)	{ }
 	virtual void GotEvent(const char* name, double time,
 				EventHandlerPtr event, val_list* args)	{ }
diff --git a/src/Sessions.cc b/src/Sessions.cc
index de0a1cb488..f7ec2e8c4e 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -1,5 +1,3 @@
-// $Id: Sessions.cc 7075 2010-09-13 02:39:38Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
@@ -15,7 +13,7 @@
 #include "Timer.h"
 #include "NetVar.h"
 #include "Sessions.h"
-#include "Active.h"
+#include "Reporter.h"
 #include "OSFinger.h"
 
 #include "ICMP.h"
@@ -44,27 +42,6 @@ enum NetBIOS_Service {
 
 NetSessions* sessions;
 
-
-class NetworkTimer : public Timer {
-public:
-	NetworkTimer(NetSessions* arg_sess, double arg_t)
-		: Timer(arg_t, TIMER_NETWORK)
-		{ sess = arg_sess; }
-
-	void Dispatch(double t, int is_expire);
-
-protected:
-	NetSessions* sess;
-};
-
-void NetworkTimer::Dispatch(double t, int is_expire)
-	{
-	if ( is_expire )
-		return;
-
-	sess->HeartBeat(t);
-	}
-
 void TimerMgrExpireTimer::Dispatch(double t, int is_expire)
 	{
 	if ( mgr->LastAdvance() + timer_mgr_inactivity_timeout < timer_mgr->Time() )
@@ -106,9 +83,6 @@ NetSessions::NetSessions()
 	udp_conns.SetDeleteFunc(bro_obj_delete_func);
 	fragments.SetDeleteFunc(bro_obj_delete_func);
 
-	if ( (reading_live || pseudo_realtime) && net_stats_update )
-		timer_mgr->Add(new NetworkTimer(this, 1.0));
-
 	if ( stp_correlate_pair )
 		stp_manager = new SteppingStoneManager();
 	else
@@ -201,7 +175,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 		//
 		// Should we discourage the use of encap_hdr_size for UDP
 		// tunnneling?  It is probably better handled by enabling
-		// parse_udp_tunnels instead of specifying a fixed
+		// BifConst::parse_udp_tunnels instead of specifying a fixed
 		// encap_hdr_size.
 		if ( udp_tunnel_port > 0 )
 			{
@@ -221,14 +195,14 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			}
 
 		else
-			// Blanket encapsulation (e.g., for VLAN).
+			// Blanket encapsulation
 			hdr_size += encap_hdr_size;
 		}
 
 	// Check IP packets encapsulated through UDP tunnels.
 	// Specifying a udp_tunnel_port is optional but recommended (to avoid
 	// the cost of checking every UDP packet).
-	else if ( parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
+	else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
 		{
 		const struct udphdr* udp_hdr =
 			reinterpret_cast<const struct udphdr*>(ip_data);
@@ -360,7 +334,14 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
 			args->append(cmd_val);
 			args->append(BuildHeader(ip));
 			// ### Need to queue event here.
-			sp->Event()->Event()->Call(args);
+			try
+				{
+				sp->Event()->Event()->Call(args);
+				}
+
+			catch ( InterpreterException& e )
+				{ /* Already reported. */ }
+
 			delete args;
 			}
 		}
@@ -468,37 +449,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		return;
 		}
 
-	// Check for TTL/MTU problems from Active Mapping
-#ifdef ACTIVE_MAPPING
-	const NumericData* numeric = 0;
-	if ( ip4 )
-		{
-		get_map_result(ip4->ip_dst.s_addr, numeric);
-
-		if ( numeric->hops && ip4->ip_ttl < numeric->hops )
-			{
-			debug_msg("Packet destined for %s had ttl %d but there are %d hops to host.\n",
-			inet_ntoa(ip4->ip_dst), ip4->ip_ttl, numeric->hops);
-			return;
-			}
-		}
-#endif
-
 	FragReassembler* f = 0;
 	uint32 frag_field = ip_hdr->FragField();
 
-#ifdef ACTIVE_MAPPING
-	if ( ip4 && numeric && numeric->path_MTU && (frag_field & IP_DF) )
-		{
-		if ( htons(ip4->ip_len) > numeric->path_MTU )
-			{
-			debug_msg("Packet destined for %s has DF flag but its size %d is greater than pmtu of %d\n",
-			inet_ntoa(ip4->ip_dst), htons(ip4->ip_len), numeric->path_MTU);
-			return;
-			}
-		}
-#endif
-
 	if ( (frag_field & 0x3fff) != 0 )
 		{
 		dump_this_packet = 1;	// always record fragments
@@ -620,7 +573,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 	HashKey* h = id.BuildConnKey();
 	if ( ! h )
-		internal_error("hash computation failed");
+		reporter->InternalError("hash computation failed");
 
 	Connection* conn = 0;
 
@@ -686,13 +639,6 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 				record_packet, record_content,
 			        hdr, pkt, hdr_size);
 
-	// Override content record setting according to
-	// flags set by the policy script.
-	if ( dump_original_packets_if_not_rewriting )
-		record_packet = record_content = 1;
-	if ( dump_selected_source_packets )
-		record_packet = record_content = 0;
-
 	if ( f )
 		{
 		// Above we already recorded the fragment in its entirety.
@@ -700,7 +646,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		Remove(f);	// ###
 		}
 
-	else if ( record_packet && ! conn->RewritingTrace() )
+	else if ( record_packet )
 		{
 		if ( record_content )
 			dump_this_packet = 1;	// save the whole thing
@@ -834,7 +780,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
 
 	HashKey* h = ch->ComputeHash(key, 1);
 	if ( ! h )
-		internal_error("hash computation failed");
+		reporter->InternalError("hash computation failed");
 
 	FragReassembler* f = fragments.Lookup(h);
 	if ( ! f )
@@ -928,7 +874,7 @@ Connection* NetSessions::FindConnection(Val* v)
 
 	HashKey* h = id.BuildConnKey();
 	if ( ! h )
-		internal_error("hash computation failed");
+		reporter->InternalError("hash computation failed");
 
 	Dictionary* d;
 
@@ -1006,21 +952,21 @@ void NetSessions::Remove(Connection* c)
 				;
 
 			else if ( ! tcp_conns.RemoveEntry(k) )
-				internal_error(fmt("connection missing"));
+				reporter->InternalError("connection missing");
 			break;
 
 		case TRANSPORT_UDP:
 			if ( ! udp_conns.RemoveEntry(k) )
-				internal_error("connection missing");
+				reporter->InternalError("connection missing");
 			break;
 
 		case TRANSPORT_ICMP:
 			if ( ! icmp_conns.RemoveEntry(k) )
-				internal_error("connection missing");
+				reporter->InternalError("connection missing");
 			break;
 
 		case TRANSPORT_UNKNOWN:
-			internal_error("unknown transport when removing connection");
+			reporter->InternalError("unknown transport when removing connection");
 			break;
 		}
 
@@ -1033,10 +979,10 @@ void NetSessions::Remove(FragReassembler* f)
 	{
 	HashKey* k = f->Key();
 	if ( ! k )
-		internal_error("fragment block not in dictionary");
+		reporter->InternalError("fragment block not in dictionary");
 
 	if ( ! fragments.RemoveEntry(k) )
-		internal_error("fragment block missing");
+		reporter->InternalError("fragment block missing");
 
 	Unref(f);
 	}
@@ -1072,7 +1018,7 @@ void NetSessions::Insert(Connection* c)
 		break;
 
 	default:
-		internal_error("unknown connection type");
+		reporter->InternalError("unknown connection type");
 	}
 
 	if ( old && old != c )
@@ -1123,39 +1069,6 @@ void NetSessions::Drain()
 	ExpireTimerMgrs();
 	}
 
-void NetSessions::HeartBeat(double t)
-	{
-	unsigned int recv = 0;
-	unsigned int drop = 0;
-	unsigned int link = 0;
-
-	loop_over_list(pkt_srcs, i)
-		{
-		PktSrc* ps = pkt_srcs[i];
-
-		struct PktSrc::Stats stat;
-		ps->Statistics(&stat);
-		recv += stat.received;
-		drop += stat.dropped;
-		link += stat.link;
-		}
-
-	val_list* vl = new val_list;
-
-	vl->append(new Val(t, TYPE_TIME));
-
-	RecordVal* ns = new RecordVal(net_stats);
-	ns->Assign(0, new Val(recv, TYPE_COUNT));
-	ns->Assign(1, new Val(drop, TYPE_COUNT));
-	ns->Assign(2, new Val(link, TYPE_COUNT));
-
-	vl->append(ns);
-
-	mgr.QueueEvent(net_stats_update, vl);
-
-	timer_mgr->Add(new NetworkTimer(this, t + heartbeat_interval));
-	}
-
 void NetSessions::GetStats(SessionStats& s) const
 	{
 	s.num_TCP_conns = tcp_conns.Length();
@@ -1184,7 +1097,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 	int flags = 0;
 
 	// Hmm... This is not great.
-	TransportProto tproto;
+	TransportProto tproto = TRANSPORT_UNKNOWN;
 	switch ( proto ) {
 		case IPPROTO_ICMP:
 			tproto = TRANSPORT_ICMP;
@@ -1199,7 +1112,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 			tproto = TRANSPORT_ICMP;
 			break;
 		default:
-			internal_error("unknown transport protocol");
+			reporter->InternalError("unknown transport protocol");
 			break;
 	};
 
@@ -1385,7 +1298,7 @@ void NetSessions::DumpPacket(const struct pcap_pkthdr* hdr,
 		struct pcap_pkthdr h = *hdr;
 		h.caplen = len;
 		if ( h.caplen > hdr->caplen )
-			internal_error("bad modified caplen");
+			reporter->InternalError("bad modified caplen");
 		pkt_dumper->Dump(&h, pkt);
 		}
 	}
@@ -1394,7 +1307,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
 				const u_char* pkt)
 	{
 	DumpPacket(hdr, pkt);
-	internal_error(msg);
+	reporter->InternalError("%s", msg);
 	}
 
 void NetSessions::Weird(const char* name,
@@ -1403,28 +1316,12 @@ void NetSessions::Weird(const char* name,
 	if ( hdr )
 		dump_this_packet = 1;
 
-	if ( net_weird )
-		{
-		val_list* vl = new val_list;
-		vl->append(new StringVal(name));
-		mgr.QueueEvent(net_weird, vl);
-		}
-	else
-		fprintf(stderr, "weird: %.06f %s\n", network_time, name);
+	reporter->Weird(name);
 	}
 
 void NetSessions::Weird(const char* name, const IP_Hdr* ip)
 	{
-	if ( flow_weird )
-		{
-		val_list* vl = new val_list;
-		vl->append(new StringVal(name));
-		vl->append(new AddrVal(ip->SrcAddr4()));
-		vl->append(new AddrVal(ip->DstAddr4()));
-		mgr.QueueEvent(flow_weird, vl);
-		}
-	else
-		fprintf(stderr, "weird: %.06f %s\n", network_time, name);
+	reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
 	}
 
 unsigned int NetSessions::ConnectionMemoryUsage()
diff --git a/src/Sessions.h b/src/Sessions.h
index a85af005f4..452de874db 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -1,5 +1,3 @@
-// $Id: Sessions.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef sessions_h
@@ -75,7 +73,7 @@ public:
 	void DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
 			PktSrc* src_ps, PacketSortElement* pkt_elem);
-	
+
 	void Done();	// call to drain events before destructing
 
 	// Returns a reassembled packet, or nil if there are still
@@ -105,9 +103,6 @@ public:
 	// that are still active.
 	void Drain();
 
-	// Called periodically to generate statistics reports.
-	void HeartBeat(double t);
-
 	void GetStats(SessionStats& s) const;
 
 	void Weird(const char* name,
@@ -177,7 +172,7 @@ protected:
 	void NextPacket(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
 			PacketSortElement* pkt_elem);
-		
+
 	void DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 			const IP_Hdr* ip_hdr, const u_char* const pkt,
 			int hdr_size);
@@ -185,7 +180,7 @@ protected:
 	void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
 			const PktSrc* src_ps);
-	
+
 	// Record the given packet (if a dumper is active).  If len=0
 	// then the whole packet is recorded, otherwise just the first
 	// len bytes.
diff --git a/src/SmithWaterman.cc b/src/SmithWaterman.cc
index 34ca4bc87b..ef329e49a5 100644
--- a/src/SmithWaterman.cc
+++ b/src/SmithWaterman.cc
@@ -1,5 +1,3 @@
-// $Id: SmithWaterman.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -10,6 +8,7 @@
 #include "SmithWaterman.h"
 #include "Var.h"
 #include "util.h"
+#include "Reporter.h"
 
 BroSubstring::BroSubstring(const BroSubstring& bst)
 : BroString((const BroString&) bst), _new(bst._new)
@@ -185,7 +184,7 @@ bool BroSubstringCmp::operator()(const BroSubstring* bst1,
 	if ( _index >= bst1->GetNumAlignments() ||
 	     _index >= bst2->GetNumAlignments() )
 		{
-		warn("BroSubstringCmp::operator(): invalid index for input strings.\n");
+		reporter->Warning("BroSubstringCmp::operator(): invalid index for input strings.\n");
 		return false;
 		}
 
diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h
index c8c80d09af..6ea191f5d9 100644
--- a/src/SmithWaterman.h
+++ b/src/SmithWaterman.h
@@ -1,5 +1,3 @@
-// $Id: SmithWaterman.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef smith_waterman_h
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 17f702f07e..136a006c52 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -1,5 +1,3 @@
-// $Id: StateAccess.cc 6888 2009-08-20 18:23:11Z vern $
-
 #include "Val.h"
 #include "StateAccess.h"
 #include "Serializer.h"
@@ -235,7 +233,7 @@ bool StateAccess::MergeTables(TableVal* dst, Val* src)
 	{
 	if ( ! src->Type()->Tag() == TYPE_TABLE )
 		{
-		run_time("type mismatch while merging tables");
+		reporter->Error("type mismatch while merging tables");
 		return false;
 		}
 
@@ -269,8 +267,8 @@ void StateAccess::Replay()
 		{
 		// FIXME: I think this warrants an internal error,
 		// but let's check that first ...
-		// internal_error("replay id lacking a value");
-		run_time("replay id lacks a value");
+		// reporter->InternalError("replay id lacking a value");
+		reporter->Error("replay id lacks a value");
 		return;
 		}
 
@@ -352,7 +350,7 @@ void StateAccess::Replay()
 				v->AsRecordVal()->Assign(idx, op2 ? op2->Ref() : 0);
 				}
 			else
-				run_time(fmt("access replay: unknown record field %s for assign", field));
+				reporter->Error("access replay: unknown record field %s for assign", field);
 			}
 
 		else if ( t == TYPE_VECTOR )
@@ -377,7 +375,7 @@ void StateAccess::Replay()
 			}
 
 		else
-			internal_error("unknown type in replaying index assign");
+			reporter->InternalError("unknown type in replaying index assign");
 
 		break;
 
@@ -413,7 +411,7 @@ void StateAccess::Replay()
 				v->AsRecordVal()->Assign(idx, new_val, OP_INCR);
 				}
 			else
-				run_time(fmt("access replay: unknown record field %s for assign", field));
+				reporter->Error("access replay: unknown record field %s for assign", field);
 			}
 
 		else if ( t == TYPE_VECTOR )
@@ -427,7 +425,7 @@ void StateAccess::Replay()
 			}
 
 		else
-			internal_error("unknown type in replaying index increment");
+			reporter->InternalError("unknown type in replaying index increment");
 
 		break;
 		}
@@ -489,7 +487,7 @@ void StateAccess::Replay()
 
 	case OP_PRINT:
 		assert(op1.val);
-		internal_error("access replay for print not implemented");
+		reporter->InternalError("access replay for print not implemented");
 		break;
 
 	case OP_READ_IDX:
@@ -518,11 +516,11 @@ void StateAccess::Replay()
 				}
 			}
 		else
-			run_time("read for non-table");
+			reporter->Error("read for non-table");
 		break;
 
 	default:
-		internal_error("access replay: unknown opcode for StateAccess");
+		reporter->InternalError("access replay: unknown opcode for StateAccess");
 		break;
 		}
 
@@ -630,7 +628,7 @@ bool StateAccess::DoSerialize(SerialInfo* info) const
 			break;
 
 		default:
-			internal_error("StateAccess::DoSerialize: unknown opcode");
+			reporter->InternalError("StateAccess::DoSerialize: unknown opcode");
 		}
 		}
 
@@ -854,7 +852,7 @@ void StateAccess::Describe(ODesc* d) const
 		break;
 
 	default:
-		internal_error("unknown opcode for StateAccess");
+		reporter->InternalError("unknown opcode for StateAccess");
 		break;
 		}
 
@@ -935,7 +933,7 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 		attr_list* a = new attr_list;
 		Attr* attr = new Attr(ATTR_TRACKED);
 		a->append(attr);
-		id->SetAttrs(new Attributes(a, id->Type()));
+		id->SetAttrs(new Attributes(a, id->Type(), false));
 		Unref(attr);
 		}
 
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 1154756c83..bc5064602b 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -1,5 +1,3 @@
-// $Id: StateAccess.h 6781 2009-06-28 00:50:04Z vern $
-//
 // A class describing a state-modyfing access to a Value or an ID.
 
 #ifndef STATEACESSS_H
diff --git a/src/Stats.cc b/src/Stats.cc
index 28c0b38c22..55835613e9 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -1,5 +1,3 @@
-// $Id: Stats.cc 7008 2010-03-25 02:42:20Z vern $
-
 #include "Conn.h"
 #include "File.h"
 #include "Event.h"
@@ -9,6 +7,8 @@
 #include "Scope.h"
 #include "cq.h"
 #include "ConnCompressor.h"
+#include "DNS_Mgr.h"
+#include "Trigger.h"
 
 
 int killed_by_inactivity = 0;
@@ -195,6 +195,19 @@ void ProfileLogger::Log()
 		    (timer_mgr->Size() * padded_sizeof(ConnectionTimer))) / 1024,
 		network_time - timer_mgr->LastTimestamp()));
 
+	DNS_Mgr::Stats dstats;
+	dns_mgr->GetStats(&dstats);
+
+	file->Write(fmt("%.06f DNS_Mgr: requests=%lu succesful=%lu failed=%lu pending=%lu cached_hosts=%lu cached_addrs=%lu\n",
+					network_time,
+					dstats.requests, dstats.successful, dstats.failed, dstats.pending,
+					dstats.cached_hosts, dstats.cached_addresses));
+
+	Trigger::Stats tstats;
+	Trigger::GetStats(&tstats);
+
+	file->Write(fmt("%.06f Triggers: total=%lu pending=%lu\n", network_time, tstats.total, tstats.pending));
+
 	unsigned int* current_timers = TimerMgr::CurrentTimers();
 	for ( int i = 0; i < NUM_TIMER_TYPES; ++i )
 		{
diff --git a/src/Stats.h b/src/Stats.h
index 8acb7ef190..eeebfe2213 100644
--- a/src/Stats.h
+++ b/src/Stats.h
@@ -1,5 +1,3 @@
-// $Id: Stats.h 6703 2009-05-13 22:27:44Z vern $
-//
 // Classes that collect and report statistics.
 
 #ifndef STATS_H
diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc
index 96652456bf..32850d82c6 100644
--- a/src/SteppingStone.cc
+++ b/src/SteppingStone.cc
@@ -1,5 +1,3 @@
-// $Id: SteppingStone.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/SteppingStone.h b/src/SteppingStone.h
index 15165387f9..a47b268c83 100644
--- a/src/SteppingStone.h
+++ b/src/SteppingStone.h
@@ -1,5 +1,3 @@
-// $Id: SteppingStone.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef steppingstone_h
diff --git a/src/Stmt.cc b/src/Stmt.cc
index 7064e82635..582323bf91 100644
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@@ -1,5 +1,3 @@
-// $Id: Stmt.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -8,7 +6,7 @@
 #include "Event.h"
 #include "Frame.h"
 #include "File.h"
-#include "Logger.h"
+#include "Reporter.h"
 #include "NetVar.h"
 #include "Stmt.h"
 #include "Scope.h"
@@ -21,7 +19,8 @@
 const char* stmt_name(BroStmtTag t)
 	{
 	static const char* stmt_names[int(NUM_STMTS)] = {
-		"alarm", "print", "event", "expr", "if", "when", "switch",
+		"alarm", // Does no longer exist, but kept for keeping enums consistent.
+		"print", "event", "expr", "if", "when", "switch",
 		"for", "next", "break", "return", "add", "delete",
 		"list", "bodylist",
 		"<init>",
@@ -255,51 +254,12 @@ TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-Val* AlarmStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
-	{
-	ODesc d;
-	PrintVals(&d, vals, 0);
-
-	if ( alarm_hook )
-		{
-		ListExpr* args = new ListExpr();
-		args->Append(new ConstExpr(new StringVal(d.Description())));
-
-		CallExpr* ce =
-			new CallExpr(new ConstExpr(new Val(alarm_hook)), args);
-
-		Val* hook_eval = ce->Eval(0);
-		int do_log = hook_eval->IsOne();
-
-		Unref(ce);
-		Unref(hook_eval);
-
-		if ( ! do_log )
-			return 0;
-		}
-
-	bro_logger->Log(d.Description());
-	return 0;
-	}
-
-IMPLEMENT_SERIAL(AlarmStmt, SER_ALARM_STMT);
-
-bool AlarmStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ALARM_STMT, ExprListStmt);
-	return true;
-	}
-
-bool AlarmStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprListStmt);
-	return true;
-	}
-
 static BroFile* print_stdout = 0;
 
 Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 	{
+	RegisterAccess();
+
 	if ( ! print_stdout )
 		print_stdout = new BroFile(stdout);
 
@@ -317,16 +277,28 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 
 	bool ph = print_hook && f->IsPrintHookEnabled();
 
-	desc_style style = f->IsRawOutput() ? ALTERNATIVE_STYLE : STANDARD_STYLE;
+	desc_style style = f->IsRawOutput() ? RAW_STYLE : STANDARD_STYLE;
 
 	if ( ! (suppress_local_output && ph) )
 		{
-		ODesc d(DESC_READABLE, f);
-		d.SetFlush(0);
-		d.SetStyle(style);
+		if ( f->IsRawOutput() )
+			{
+			ODesc d(DESC_READABLE);
+			d.SetFlush(0);
+			d.SetStyle(style);
 
-		PrintVals(&d, vals, offset);
-		f->Write("\n", 1);
+			PrintVals(&d, vals, offset);
+			f->Write(d.Description(), d.Len());
+			}
+		else
+			{
+			ODesc d(DESC_READABLE, f);
+			d.SetFlush(0);
+			d.SetStyle(style);
+
+			PrintVals(&d, vals, offset);
+			f->Write("\n", 1);
+			}
 		}
 
 	if ( ph )
@@ -340,14 +312,14 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 			val_list* vl = new val_list(2);
 			::Ref(f);
 			vl->append(new Val(f));
-			vl->append(new StringVal(d.Description()));
+			vl->append(new StringVal(d.Len(), d.Description()));
 
 			// Note, this doesn't do remote printing.
 			mgr.Dispatch(new Event(print_hook, vl), true);
 			}
 
 		if ( remote_serializer )
-			remote_serializer->SendPrintHookEvent(f, d.Description());
+			remote_serializer->SendPrintHookEvent(f, d.Description(), d.Len());
 		}
 
 	return 0;
@@ -1957,7 +1929,6 @@ int same_stmt(const Stmt* s1, const Stmt* s2)
 		return 0;
 
 	switch ( s1->Tag() ) {
-	case STMT_ALARM:
 	case STMT_PRINT:
 		{
 		const ListExpr* l1 = ((const ExprListStmt*) s1)->ExprList();
@@ -2101,7 +2072,7 @@ int same_stmt(const Stmt* s1, const Stmt* s2)
 		return 1;
 
 	default:
-		error("bad tag in same_stmt()");
+		reporter->Error("bad tag in same_stmt()");
 	}
 
 	return 0;
diff --git a/src/Stmt.h b/src/Stmt.h
index 4909ff9da5..7c3b42609b 100644
--- a/src/Stmt.h
+++ b/src/Stmt.h
@@ -1,5 +1,3 @@
-// $Id: Stmt.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef stmt_h
@@ -10,6 +8,7 @@
 #include "BroList.h"
 #include "Obj.h"
 #include "Expr.h"
+#include "Reporter.h"
 
 #include "StmtEnums.h"
 
@@ -53,6 +52,7 @@ public:
 
 	void RegisterAccess() const	{ last_access = network_time; access_count++; }
 	void AccessStats(ODesc* d) const;
+	uint32 GetAccessCount() const { return access_count; }
 
 	virtual void Describe(ODesc* d) const;
 
@@ -62,7 +62,7 @@ public:
 		if ( breakpoint_count )
 			--breakpoint_count;
 		else
-			internal_error("breakpoint count decremented below 0");
+			reporter->InternalError("breakpoint count decremented below 0");
 		}
 
 	virtual unsigned int BPCount() const	{ return breakpoint_count; }
@@ -115,19 +115,6 @@ protected:
 	ListExpr* l;
 };
 
-class AlarmStmt : public ExprListStmt {
-public:
-	AlarmStmt(ListExpr* l) : ExprListStmt(STMT_ALARM, l)	{ }
-
-protected:
-	friend class Stmt;
-	AlarmStmt()	{}
-
-	Val* DoExec(val_list* vals, stmt_flow_type& flow) const;
-
-	DECLARE_SERIAL(AlarmStmt);
-};
-
 class PrintStmt : public ExprListStmt {
 public:
 	PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l)	{ }
diff --git a/src/StmtEnums.h b/src/StmtEnums.h
index 0a7f88e40e..f431e3fea1 100644
--- a/src/StmtEnums.h
+++ b/src/StmtEnums.h
@@ -1,5 +1,3 @@
-// $Id: StmtEnums.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
@@ -9,7 +7,8 @@
 // These are in a separate file to break circular dependences 
 typedef enum {
 	STMT_ANY = -1,
-	STMT_ALARM, STMT_PRINT, STMT_EVENT,
+	STMT_ALARM, // Does no longer exist but kept to create enums consistent.
+	STMT_PRINT, STMT_EVENT,
 	STMT_EXPR,
 	STMT_IF, STMT_WHEN, STMT_SWITCH,
 	STMT_FOR, STMT_NEXT, STMT_BREAK,
diff --git a/src/Syslog-binpac.cc b/src/Syslog-binpac.cc
new file mode 100644
index 0000000000..c8697d0f3f
--- /dev/null
+++ b/src/Syslog-binpac.cc
@@ -0,0 +1,90 @@
+#include "Syslog-binpac.h"
+#include "TCP_Reassembler.h"
+
+Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn)
+: Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn)
+	{
+	interp = new binpac::Syslog::Syslog_Conn(this);
+	did_session_done = 0;
+	//ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer,
+	//		network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
+	}
+
+Syslog_Analyzer_binpac::~Syslog_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void Syslog_Analyzer_binpac::Done()
+	{
+	Analyzer::Done();
+
+	if ( ! did_session_done )
+		Event(udp_session_done);
+	}
+
+void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	interp->NewData(orig, data, data + len);
+	}
+
+//void Syslog_Analyzer_binpac::ExpireTimer(double t)
+//	{
+//	// The - 1.0 in the following is to allow 1 second for the
+//	// common case of a single request followed by a single reply,
+//	// so we don't needlessly set the timer twice in that case.
+//	if ( t - Conn()->LastTime() >= Syslog_session_timeout - 1.0 || terminating )
+//		{
+//		Event(connection_timeout);
+//		sessions->Remove(Conn());
+//		}
+//	else
+//		ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer,
+//				t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
+//	}
+
+//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn)
+//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn)
+//	{
+//	interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this);
+//	}
+
+//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac()
+//	{
+//	delete interp;
+//	}
+
+//void Syslog_TCP_Analyzer_binpac::Done()
+//	{
+//	TCP_ApplicationAnalyzer::Done();
+//
+//	interp->FlowEOF(true);
+//	interp->FlowEOF(false);
+//	}
+
+//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+//	{
+//	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+//	interp->FlowEOF(endp->IsOrig());
+//	}
+
+//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data,
+//						bool orig)
+//	{
+//	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+//
+//	assert(TCP());
+//
+//	if ( TCP()->IsPartial() || TCP()->HadGap(orig) )
+//		// punt-on-partial or stop-on-gap.
+//		return;
+//
+//	interp->NewData(orig, data, data + len);
+//	}
+
+//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+//	{
+//	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+//	interp->NewGap(orig, len);
+//	}
diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h
new file mode 100644
index 0000000000..fcd75edf0e
--- /dev/null
+++ b/src/Syslog-binpac.h
@@ -0,0 +1,55 @@
+#ifndef Syslog_binpac_h
+#define Syslog_binpac_h
+
+#include "UDP.h"
+#include "TCP.h"
+
+#include "syslog_pac.h"
+
+class Syslog_Analyzer_binpac : public Analyzer {
+public:
+	Syslog_Analyzer_binpac(Connection* conn);
+	virtual ~Syslog_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Syslog_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return syslog_message; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	int did_session_done;
+
+	binpac::Syslog::Syslog_Conn* interp;
+};
+
+// #include "Syslog_tcp_pac.h"
+//
+//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+//public:
+//	Syslog_TCP_Analyzer_binpac(Connection* conn);
+//	virtual ~Syslog_TCP_Analyzer_binpac();
+//
+//	virtual void Done();
+//	virtual void DeliverStream(int len, const u_char* data, bool orig);
+//	virtual void Undelivered(int seq, int len, bool orig);
+//	virtual void EndpointEOF(TCP_Reassembler* endp);
+//
+//	static Analyzer* InstantiateAnalyzer(Connection* conn)
+//		{ return new Syslog_TCP_Analyzer_binpac(conn); }
+//
+//	static bool Available()
+//		{ return (Syslog_request || Syslog_full_request) && FLAGS_use_binpac; }
+//
+//protected:
+//	binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp;
+//};
+//
+#endif
diff --git a/src/TCP.cc b/src/TCP.cc
index ec84df9720..0fae07a24d 100644
--- a/src/TCP.cc
+++ b/src/TCP.cc
@@ -1,14 +1,12 @@
-// $Id: TCP.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
 
-#include "Active.h"
+#include "NetVar.h"
 #include "PIA.h"
 #include "File.h"
 #include "TCP.h"
 #include "TCP_Reassembler.h"
-#include "TCP_Rewriter.h"
 #include "OSFinger.h"
 #include "Event.h"
 
@@ -48,23 +46,12 @@ TCP_Analyzer::TCP_Analyzer(Connection* conn)
 	finished = 0;
 	reassembling = 0;
 	first_packet_seen = 0;
-	src_pkt_writer = 0;
 
 	orig = new TCP_Endpoint(this, 1);
 	resp = new TCP_Endpoint(this, 0);
 
 	orig->SetPeer(resp);
 	resp->SetPeer(orig);
-
-	if ( dump_selected_source_packets )
-		{
-		if ( source_pkt_dump )
-			src_pkt_writer =
-				new TCP_SourcePacketWriter(this, source_pkt_dump);
-		else if ( transformed_pkt_dump )
-			src_pkt_writer =
-				new TCP_SourcePacketWriter(this, transformed_pkt_dump);
-		}
 	}
 
 TCP_Analyzer::~TCP_Analyzer()
@@ -74,7 +61,6 @@ TCP_Analyzer::~TCP_Analyzer()
 
 	delete orig;
 	delete resp;
-	delete src_pkt_writer;
 	}
 
 void TCP_Analyzer::Init()
@@ -82,12 +68,6 @@ void TCP_Analyzer::Init()
 	Analyzer::Init();
 	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
 		(*i)->Init();
-
-	// Can't put this in construction because RewritingTrace() is virtual.
-	if ( transformed_pkt_dump && Conn()->RewritingTrace() )
-		SetTraceRewriter(new TCP_Rewriter(this, transformed_pkt_dump,
-						transformed_pkt_dump_MTU,
-						requires_trace_commitment));
 	}
 
 void TCP_Analyzer::Done()
@@ -412,49 +392,6 @@ bool TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint,
 	else if ( endpoint->RST_cnt == 0 )
 		++endpoint->RST_cnt;	// Remember we've seen a RST
 
-#ifdef ACTIVE_MAPPING
-//		if ( peer->state == TCP_ENDPOINT_INACTIVE )
-//		    debug_msg("rst while inactive\n"); // ### Cold-start: what to do?
-//		else
-
-	const NumericData* AM_policy;
-	get_map_result(ip->DstAddr4(), AM_policy);
-
-	if ( base_seq == endpoint->AckSeq() )
-		;	 // everyone should accept a RST in sequence
-
-	else if ( endpoint->window == 0 )
-		; // ### Cold Start: we don't know the window,
-		  // so just go along for now
-
-	else
-		{
-		uint32 right_edge = endpoint->AckSeq() +
-			(endpoint->window << endpoint->window_scale);
-
-		if ( base_seq < right_edge  )
-			{
-			if ( ! AM_policy->accepts_rst_in_window )
-				{
-#if 0
-				debug_msg("Machine does not accept RST merely in window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
-					network_time, base_seq, endpoint->AckSeq(), window);
-#endif
-				return false;
-				}
-			}
-
-		else if ( ! AM_policy->accepts_rst_outside_window )
-			{
-#if 0
-			debug_msg("Machine does not accept RST outside window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
-				network_time, base_seq, endpoint->AckSeq(), window);
-#endif
-			return false;
-			}
-		}
-#endif
-
 	if ( len > 0 )
 		{
 		// This now happens often enough that it's
@@ -737,7 +674,7 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 			{
 			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
 			Conn()->EnableStatusUpdateTimer();
-			
+
 			if ( peer->state == TCP_ENDPOINT_PARTIAL )
 				// We've seen both sides of a partial
 				// connection, report it.
@@ -985,9 +922,6 @@ int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
 	int need_contents = endpoint->DataSent(t, data_seq,
 					len, caplen, data, ip, tp);
 
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->NextPacket(len, data, is_orig, data_seq, ip, caplen);
-
 	return need_contents;
 	}
 
@@ -1091,16 +1025,6 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 	     tcp_hdr_len <= uint32(caplen) )
 		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
 
-	if ( TraceRewriter() && current_hdr )
-		{
-		TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
-		r->NextPacket(is_orig, t, current_hdr, current_pkt,
-				current_hdr_size, ip->IP4_Hdr(), tp);
-		}
-
-	if ( src_pkt_writer && current_hdr )
-		src_pkt_writer->NextPacket(current_hdr, current_pkt);
-
 	if ( DEBUG_tcp_data_sent )
 		{
 		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
@@ -1126,6 +1050,12 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	CheckRecording(need_contents, flags);
 
+	// Handle child_packet analyzers.  Note: This happens *after* the
+	// packet has been processed and the TCP state updated.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->NextPacket(len, data, is_orig,
+				base_seq - endpoint->StartSeq(), ip, caplen);
+
 	if ( ! reassembling )
 		ForwardPacket(len, data, is_orig,
 				base_seq - endpoint->StartSeq(), ip, caplen);
@@ -1155,11 +1085,25 @@ void TCP_Analyzer::FlipRoles()
 	resp->is_orig = !resp->is_orig;
 	}
 
-void TCP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
+void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
 	{
-	TCP_Endpoint* s = is_orig ? orig : resp;
-	endp->Assign(0, new Val(s->Size(), TYPE_COUNT));
-	endp->Assign(1, new Val(int(s->state), TYPE_COUNT));
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+
+	RecordVal *orig_endp_val = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp_val = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
+	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
+	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
+	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+
+	// Have to do packet_children ourselves.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->UpdateConnVal(conn_val);
 	}
 
 Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
@@ -1643,7 +1587,7 @@ BroFile* TCP_Analyzer::GetContentsFile(unsigned int direction) const
 	default:
 		break;
 	}
-	internal_error("inconsistency in TCP_Analyzer::GetContentsFile");
+	reporter->InternalError("inconsistency in TCP_Analyzer::GetContentsFile");
 	return 0;
 	}
 
@@ -1801,8 +1745,6 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	LOOP_OVER_CONST_CHILDREN(i)
 		static_cast<TCP_ApplicationAnalyzer*>(*i)->EndpointEOF(endp->IsOrig());
 
-	TraceRewriterEOF(endp);
-
 	if ( close_deferred )
 		{
 		if ( DataPending(endp->Endpoint()) )
@@ -1820,25 +1762,6 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 		}
 	}
 
-void TCP_Analyzer::TraceRewriterEOF(TCP_Reassembler* endp)
-	{
-	const analyzer_list& children(GetChildren());
-	LOOP_OVER_CONST_CHILDREN(i)
-		static_cast<TCP_ApplicationAnalyzer*>(*i)->TraceRewriterEOF(endp->IsOrig());
-
-	TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
-	if ( r )
-		{
-		// Add a FIN packet if there is one in the original trace.
-		int FIN_cnt = endp->IsOrig() ?
-				endp->GetTCPAnalyzer()->Orig()->FIN_cnt :
-				endp->GetTCPAnalyzer()->Resp()->FIN_cnt;
-
-		if ( FIN_cnt > 0 )
-			r->ScheduleFIN(endp->IsOrig());
-		}
-	}
-
 void TCP_Analyzer::PacketWithRST()
 	{
 	const analyzer_list& children(GetChildren());
@@ -1955,13 +1878,6 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig)
 		static_cast<TCP_SupportAnalyzer*>(sa)->EndpointEOF(is_orig);
 	}
 
-void TCP_ApplicationAnalyzer::TraceRewriterEOF(bool is_orig)
-	{
-	SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters;
-	for ( ; sa; sa = sa->Sibling() )
-		static_cast<TCP_SupportAnalyzer*>(sa)->TraceRewriterEOF(is_orig);
-	}
-
 void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event)
 	{
@@ -2090,7 +2006,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 	int seq_delta = top_seq - max_top_seq;
 	if ( seq_delta <= 0 )
 		{
-		if ( ! ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
+		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
 			++num_rxmit;
 			num_rxmit_bytes += len;
diff --git a/src/TCP.h b/src/TCP.h
index d7faae6a3d..65f437856a 100644
--- a/src/TCP.h
+++ b/src/TCP.h
@@ -1,5 +1,3 @@
-// $Id: TCP.h 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef TCP_H
@@ -7,7 +5,6 @@
 
 #include "Analyzer.h"
 #include "TCP.h"
-#include "Rewriter.h"
 #include "PacketDumper.h"
 
 // We define two classes here:
@@ -18,8 +15,6 @@
 class PIA_TCP;
 class TCP_ApplicationAnalyzer;
 class TCP_Reassembler;
-class TCP_Rewriter;
-class TCP_SourcePacketWriter;
 
 class TCP_Flags {
 public:
@@ -75,14 +70,14 @@ public:
 	virtual void SetContentsFile(unsigned int direction, BroFile* f);
 	virtual BroFile* GetContentsFile(unsigned int direction) const;
 
-	TCP_SourcePacketWriter* SourcePacketWriter() const
-		{ return src_pkt_writer; }
-
 	// Callback to process a TCP option.
 	typedef int (*proc_tcp_option_t)(unsigned int opt, unsigned int optlen,
 			const u_char* option, TCP_Analyzer* analyzer,
 			bool is_orig, void* cookie);
 
+	// From Analyzer.h
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	// Needs to be static because it's passed as a pointer-to-function
 	// rather than pointer-to-member-function.
 	static int ParseTCPOptions(const struct tcphdr* tcp,
@@ -106,7 +101,6 @@ protected:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void FlipRoles();
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 
 	// Returns the TCP header pointed to by data (which we assume is
@@ -220,7 +214,6 @@ protected:
 	void ConnDeleteTimer(double t)	{ Conn()->DeleteTimer(t); }
 
 	void EndpointEOF(TCP_Reassembler* endp);
-	void TraceRewriterEOF(TCP_Reassembler* endp);
 	void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event);
 	void ConnectionFinished(int half_finished);
@@ -247,8 +240,6 @@ private:
 
 	analyzer_list packet_children;
 
-	TCP_SourcePacketWriter* src_pkt_writer;
-
 	unsigned int first_packet_seen: 2;
 	unsigned int reassembling: 1;
 	unsigned int is_partial: 1;
@@ -288,7 +279,6 @@ public:
 
 	// The given endpoint's data delivery is complete.
 	virtual void EndpointEOF(bool is_orig);
-	virtual void TraceRewriterEOF(bool is_orig);
 
 	// Called whenever an end enters TCP_ENDPOINT_CLOSED or
 	// TCP_ENDPOINT_RESET.  If gen_event is true and the connection
@@ -332,7 +322,6 @@ public:
 
 	// These are passed on from TCP_Analyzer.
 	virtual void EndpointEOF(bool is_orig)	{ }
-	virtual void TraceRewriterEOF(bool is_orig)	{ }
 	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event) 	{ }
 	virtual void ConnectionFinished(int half_finished)	{ }
diff --git a/src/TCP_Endpoint.cc b/src/TCP_Endpoint.cc
index 6cb52f1f03..5a65a18d7c 100644
--- a/src/TCP_Endpoint.cc
+++ b/src/TCP_Endpoint.cc
@@ -1,11 +1,8 @@
-// $Id: TCP_Endpoint.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "Net.h"
 #include "NetVar.h"
 #include "TCP.h"
-#include "TCP_Rewriter.h"
 #include "TCP_Reassembler.h"
 #include "Sessions.h"
 #include "Event.h"
@@ -209,7 +206,7 @@ int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
 
 		if ( fwrite(data, 1, len, f) < unsigned(len) )
 			// ### this should really generate an event
-			internal_error("contents write failed");
+			reporter->InternalError("contents write failed");
 		}
 
 	return status;
diff --git a/src/TCP_Endpoint.h b/src/TCP_Endpoint.h
index baae2037c4..758a504ff5 100644
--- a/src/TCP_Endpoint.h
+++ b/src/TCP_Endpoint.h
@@ -1,5 +1,3 @@
-// $Id: TCP_Endpoint.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef tcpendpoint_h
diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc
index c6adec2294..ba31ab68d0 100644
--- a/src/TCP_Reassembler.cc
+++ b/src/TCP_Reassembler.cc
@@ -1,14 +1,20 @@
-// $Id: TCP_Reassembler.cc,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
+#include <algorithm>
 
 #include "Analyzer.h"
 #include "TCP_Reassembler.h"
 #include "TCP.h"
 #include "TCP_Endpoint.h"
-#include "TCP_Rewriter.h"
 
 // Only needed for gap_report events.
 #include "Event.h"
 
+// Note, sequence numbers are relative. I.e., they start with 1.
+
+// TODO: The Reassembler should start using 64 bit ints for keeping track of
+// sequence numbers; currently they become negative once 2GB are exceeded.
+//
+// See #348 for more information.
+
 const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
@@ -35,7 +41,9 @@ TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer,
 	deliver_tcp_contents = 0;
 	skip_deliveries = 0;
 	did_EOF = 0;
+#ifdef ENABLE_SEQ_TO_SKIP
 	seq_to_skip = 0;
+#endif
 	in_delivery = false;
 
 	if ( tcp_contents )
@@ -94,7 +102,7 @@ void TCP_Reassembler::SetContentsFile(BroFile* f)
 	{
 	if ( ! f->IsOpen() )
 		{
-		run_time("no such file \"%s\"", f->Name());
+		reporter->Error("no such file \"%s\"", f->Name());
 		return;
 		}
 
@@ -120,7 +128,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 	TCP_Endpoint* endpoint = endp;
 	TCP_Endpoint* peer = endpoint->peer;
 
-	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() )
+	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() ) {
 		// Since it was a partial connection, we faked up its
 		// initial sequence numbers as though we'd seen a SYN.
 		// We've now received the first ack and are getting a
@@ -129,7 +137,16 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// (if up_to_seq is 2).  The latter can occur when the
 		// first packet we saw instantiating the partial connection
 		// was a keep-alive.  So, in either case, just ignore it.
-		return;
+
+		// TODO: Don't we need to update last_reassm_seq ????
+		if ( up_to_seq >=0 )
+			// Since seq are currently only 32 bit signed
+			// integers, they will become negative if a
+			// connection has more than 2GB of data. Remove the
+			// above if and always return here, once we're using
+			// 64 bit ints
+			return;
+	}
 
 #if 0
 	if ( endpoint->FIN_cnt > 0 )
@@ -144,16 +161,17 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: is_orig=%d up_to_seq=%d, last_reassm=%d, "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
-		          network_time, up_to_seq, last_reassem_seq,
+		          network_time, is_orig, up_to_seq, last_reassem_seq,
 		          endpoint->FIN_cnt, endpoint->RST_cnt,
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
 
 	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
-		return;
+		// This should never happen.
+		reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
 
 	if ( last_reassem_seq == 1 &&
 	     (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
@@ -166,10 +184,6 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// one for filtered traces, and may fail, for example, when
 		// the SYN packet carries data.
 		//
-		// Note, this check will confuse the EOF checker (and cause a
-		// missing FIN in the rewritten trace) when the content gap
-		// in the middle is discovered only after the FIN packet.
-
 		// Skip the undelivered part without reporting to the endpoint.
 		skip_deliveries = 1;
 		}
@@ -177,9 +191,9 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: is_orig=%d, seq=%d, len=%d, "
 					  "skip_deliveries=%d\n",
-					  network_time, last_reassem_seq,
+					  network_time, is_orig, last_reassem_seq,
 					  seq_delta(up_to_seq, last_reassem_seq),
 					  skip_deliveries);
 			}
@@ -204,8 +218,9 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 			// handshakes, but Oh Well.
 
 			if ( content_gap &&
-			     endpoint->state == TCP_ENDPOINT_ESTABLISHED &&
-			     peer->state == TCP_ENDPOINT_ESTABLISHED )
+				(BifConst::report_gaps_for_partial ||
+					(endpoint->state == TCP_ENDPOINT_ESTABLISHED &&
+					peer->state == TCP_ENDPOINT_ESTABLISHED ) ) )
 				{
 				val_list* vl = new val_list;
 				vl->append(dst_analyzer->BuildConnVal());
@@ -216,11 +231,6 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 				dst_analyzer->ConnectionEvent(content_gap, vl);
 				}
 
-			TCP_Rewriter* r = (TCP_Rewriter*)
-				dst_analyzer->Conn()->TraceRewriter();
-			if ( r )
-				r->ContentGap(is_orig, len);
-
 			if ( type == Direct )
 				dst_analyzer->NextUndelivered(last_reassem_seq,
 								len, is_orig);
@@ -311,14 +321,14 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
 	unsigned int len = b->Size();
 	if ( ! f->Write((const char*) b->block, len) )
 		// ### this should really generate an event
-		internal_error("contents write failed");
+		reporter->InternalError("contents write failed");
 	}
 
 void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
 	{
 	if ( ! f->Write(fmt("\n<<gap %d>>\n", seq_delta(upper_seq, start_seq))) )
 		// ### this should really generate an event
-		internal_error("contents gap write failed");
+		reporter->InternalError("contents gap write failed");
 	}
 
 void TCP_Reassembler::BlockInserted(DataBlock* start_block)
@@ -376,7 +386,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d\n", network_time,  n);
+		DEBUG_MSG("%.6f TCP contents overlap: %d is_orig=%d\n", network_time,  n, is_orig);
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -395,12 +405,14 @@ IMPLEMENT_SERIAL(TCP_Reassembler, SER_TCP_REASSEMBLER);
 
 bool TCP_Reassembler::DoSerialize(SerialInfo* info) const
 	{
-	internal_error("TCP_Reassembler::DoSerialize not implemented");
+	reporter->InternalError("TCP_Reassembler::DoSerialize not implemented");
+	return false; // Cannot be reached.
 	}
 
 bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
 	{
-	internal_error("TCP_Reassembler::DoUnserialize not implemented");
+	reporter->InternalError("TCP_Reassembler::DoUnserialize not implemented");
+	return false; // Cannot be reached.
 	}
 
 void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
@@ -419,8 +431,8 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: seq=%d upper=%d ack=%d\n",
-		          network_time, seq, upper_seq, ack);
+		DEBUG_MSG("%.6f DataSent: is_orig=%d seq=%d upper=%d ack=%d\n",
+		          network_time, is_orig, seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
@@ -477,10 +489,10 @@ void TCP_Reassembler::AckReceived(int seq)
 		// Zero, or negative in sequence-space terms.  Nothing to do.
 		return;
 
-	bool test_active =
-	     ! skip_deliveries && ! tcp_analyzer->Skipping() &&
-	     endp->state == TCP_ENDPOINT_ESTABLISHED &&
-	     endp->peer->state == TCP_ENDPOINT_ESTABLISHED;
+	bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() &&
+		( BifConst::report_gaps_for_partial ||
+			(endp->state == TCP_ENDPOINT_ESTABLISHED &&
+				endp->peer->state == TCP_ENDPOINT_ESTABLISHED ) );
 
 	int num_missing = TrimToSeq(seq);
 
@@ -569,6 +581,7 @@ void TCP_Reassembler::CheckEOF()
 
 void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	{
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
 		return;
 
@@ -579,6 +592,7 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 		data += to_skip;
 		seq = seq_to_skip;
 		}
+#endif
 
 	if ( deliver_tcp_contents )
 		{
@@ -603,11 +617,13 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	in_delivery = true;
 	Deliver(seq, len, data);
 	in_delivery = false;
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) < 0 )
 		SkipToSeq(seq_to_skip);
+#endif
 	}
 
+#ifdef ENABLE_SEQ_TO_SKIP
 void TCP_Reassembler::SkipToSeq(int seq)
 	{
 	if ( seq_delta(seq, seq_to_skip) > 0 )
@@ -617,6 +633,7 @@ void TCP_Reassembler::SkipToSeq(int seq)
 			TrimToSeq(seq);
 		}
 	}
+#endif
 
 int TCP_Reassembler::DataPending() const
 	{
diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h
index 3e8426c9fb..cb1750e2a2 100644
--- a/src/TCP_Reassembler.h
+++ b/src/TCP_Reassembler.h
@@ -1,11 +1,16 @@
-// $Id: TCP_Reassembler.h,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
-
 #ifndef TCP_REASSEMBLER_H
 #define TCP_REASSEMBLER_H
 
 #include "Reassem.h"
 #include "TCP_Endpoint.h"
 
+// The skip_to_seq feature does not work correctly with connections >2GB due
+// to use of 32 bit signed ints (see comments in TCP_Reassembler.cc) Since
+// it's not used by any analyzer or policy script we disable it. Could be
+// added back in once we start using 64bit integers.
+//
+// #define ENABLE_SEQ_TO_SKIP
+
 class BroFile;
 class Connection;
 class TCP_Analyzer;
@@ -60,9 +65,11 @@ public:
 
 	void MatchUndelivered(int up_to_seq = -1);
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	// Skip up to seq, as if there's a content gap.
 	// Can be used to skip HTTP data for performance considerations.
 	void SkipToSeq(int seq);
+#endif
 
 	int DataSent(double t, int seq, int len, const u_char* data,
 			bool replaying=true);
@@ -85,9 +92,10 @@ public:
 	const TCP_Endpoint* Endpoint() const	{ return endp; }
 
 	int IsOrig() const	{ return endp->IsOrig(); }
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	bool IsSkippedContents(int seq, int length) const
 		{ return seq + length <= seq_to_skip; }
+#endif
 
 private:
 	TCP_Reassembler()	{ }
@@ -110,7 +118,9 @@ private:
 	unsigned int did_EOF:1;
 	unsigned int skip_deliveries:1;
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	int seq_to_skip;
+#endif
 	bool in_delivery;
 
 	BroFile* record_contents_file;	// file on which to reassemble contents
diff --git a/src/TCP_Rewriter.cc b/src/TCP_Rewriter.cc
deleted file mode 100644
index 3a8ca8b7b6..0000000000
--- a/src/TCP_Rewriter.cc
+++ /dev/null
@@ -1,1575 +0,0 @@
-// $Id: TCP_Rewriter.cc 6008 2008-07-23 00:24:22Z vern $
-
-//  Overview of TCP trace rewriter:
-//
-//  1. Timestamp: Consider every packet arrival at a certain endpoint
-//  in the original trace as a tick for the endpoint; a packet will be
-//  dumped into the new trace (possibly with different content) in the
-//  tick (enforced by flush_rewriter_packet). When the user writes data
-//  into the new trace, the packet will carry a timestamp of the
-//  current tick, or the next tick if data is generated between
-//  ticks. Users may also choose to Push data, in which case the packet
-//  carries a timestamp of current network time. This gives us the
-//  'freshness' of timestamps.
-//
-//  2. Ordering of contents: user may choose to push contents in order
-//  to enforce ordering of contents between two directions, however,
-//  contents MIGHT be already dumped BEFORE they are pushed, once they
-//  are written into the trace. (similar to PUSH in TCP)
-//
-//  3. Acknowledgements: when a packet is dumped at a time when there
-//  is no corresponding packet in the original trace, an articial
-//  acknowledgement is generated from the peer with the same
-//  timestamp. This guarantees that additional packets will have
-//  acknowledgements. For those packets dumped at 'ticks', there
-//  should be corresponding acknowledgement packets in the original
-//  trace already, so we do not generate further artificial
-//  acknowledgement packets.
-//
-//  4. SYN, RST, FIN: SYN/RST packets in the new trace do not carry
-//  payloads -- additional packets may be generated for payloads. FIN
-//  packets are generated only when user calls ScheduleFIN, which by
-//  default corresponds to the moment that contents of the flow is
-//  completely delivered, which is usually when the FIN appears in the
-//  original trace. Change: now we will try to allow SYN/RST packets
-//  to carry payloads if they originally do.
-
-#include "config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
-#include "TCP_Rewriter.h"
-
-#define MSG_PREFIX	"TCP trace rewriter: "
-#define DEBUG_MSG_A(x...)
-// #define DEBUG_MSG_A	DEBUG_MSG
-
-static IP_IDSet* ip_id_set = 0;	// <IP, IP-ID> pairs in the output trace
-int num_packets_held, num_packets_cleaned;
-
-TCP_TracePacket::TCP_TracePacket(TCP_Rewriter* arg_trace_rewriter,
-				 int arg_packet_seq, double t, int arg_is_orig,
-				 const struct pcap_pkthdr* arg_hdr,
-				 int MTU, int initial_size)
-	{
-	trace_rewriter = arg_trace_rewriter;
-	pcap_hdr = *arg_hdr;
-	packet_seq = arg_packet_seq;
-	timestamp = t;
-	is_orig = arg_is_orig;
-	mtu = MTU;
-	pkt = new u_char[initial_size];
-	buffer_size = initial_size;
-
-	buffer_offset = 0;
-	ip_offset = tcp_offset = data_offset = -1;
-	reuse = 0;
-	FIN_scheduled = 0;
-	on_hold = 0;
-	seq_gap = 0;
-	packet_val = 0;
-	packet_val = PacketVal();
-	has_reserved_slot = 0;
-	predicted_as_empty_place_holder = 0;
-	}
-
-TCP_TracePacket::~TCP_TracePacket()
-	{
-	packet_val->SetOrigin(0);
-	Unref(packet_val);
-	if ( pkt )
-		delete [] pkt;
-	}
-
-int TCP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
-	{
-	if ( ip_offset >= 0 && ip_offset != buffer_offset )
-		internal_error(MSG_PREFIX "link header must be appended before IP header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	ip_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
-	{
-	if ( tcp_offset >= 0 && tcp_offset != buffer_offset )
-		internal_error(MSG_PREFIX "IP header must be appended before tcp header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	tcp_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendTCPHeader(const u_char* chunk, int len)
-	{
-	if ( data_offset >= 0 && data_offset != buffer_offset )
-		internal_error(MSG_PREFIX "tcp header must be appended before payload");
-
-	if ( tcp_offset == buffer_offset )
-		{ // first TCP header chunk
-		int extra = (tcp_offset - ip_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "padding IP header");
-			if ( ! AppendIPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	data_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendData(const u_char* chunk, int len)
-	{
-	// All headers must be appended before any data.
-	ASSERT(ip_offset >= 0 && tcp_offset >= 0 && data_offset >= 0);
-
-	if ( data_offset == buffer_offset )
-		{ // first data chunk
-		int extra = (data_offset - tcp_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "%.6f padding tcp header -- original header range: %d - %d\n",
-					network_time, tcp_offset, data_offset);
-			if ( ! AppendTCPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	return 1;
-	}
-
-int TCP_TracePacket::Append(const u_char* chunk, int len)
-	{
-	if ( buffer_offset + len > buffer_size )
-		{
-		if ( buffer_offset + len > mtu )
-			return 0;
-
-		u_char* tmp = new u_char[mtu];
-		for ( int i = 0 ; i < buffer_size; ++i )
-			tmp[i] = pkt[i];
-
-		delete [] pkt;
-		pkt = tmp;
-		buffer_size = mtu;
-		}
-
-	ASSERT(buffer_offset + len <= buffer_size);
-
-	if ( chunk )
-		{
-		if ( pkt + buffer_offset != chunk )
-			memcpy(pkt + buffer_offset, chunk, len);
-		}
-	else
-		// Fill with 0.
-		memset(pkt + buffer_offset, 0, len);
-
-	buffer_offset += len;
-	return 1;
-	}
-
-uint32 TCP_TracePacket::GetSeq() const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return ntohl(tp->th_seq);
-	}
-
-void TCP_TracePacket::SetSeq(uint32 seq)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_seq = htonl(seq);
-	}
-
-uint32 TCP_TracePacket::GetAck() const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return ntohl(tp->th_ack);
-	}
-
-void TCP_TracePacket::SetAck(uint32 ack)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_ack = htonl(ack);
-	}
-
-int TCP_TracePacket::GetTCP_Flag(int which) const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return tp->th_flags & which;
-	}
-
-void TCP_TracePacket::SetTCP_Flag(int which, int value)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	if ( value )
-		tp->th_flags |= which;
-	else
-		tp->th_flags &= (~which);
-	}
-
-int TCP_TracePacket::PayloadLength() const
-	{
-	if ( data_offset < 0 )
-		return 0;
-
-	return buffer_offset - data_offset;
-	}
-
-int TCP_TracePacket::SeqLength() const
-	{
-	int len = PayloadLength();
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	if ( tp->th_flags & TH_SYN )
-		++len;
-
-	if ( tp->th_flags & TH_FIN )
-		++len;
-
-	return len;
-	}
-
-int TCP_TracePacket::Finish(struct pcap_pkthdr*& hdr,
-			    const u_char*& arg_pkt, int& length,
-			    ipaddr32_t anon_src, ipaddr32_t anon_dst)
-	{
-	// Set length fields in headers and compute checksums.
-	if ( tcp_offset < ip_offset + int(sizeof(struct ip)) ||
-	     data_offset < tcp_offset + int(sizeof(struct tcphdr)) )
-		return 0;
-
-	struct ip* ip = (struct ip*) (pkt + ip_offset);
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	// TCP header.
-	ASSERT((data_offset - tcp_offset) % 4 == 0);
-
-	tp->th_off = (data_offset - tcp_offset) >> 2;
-	tp->th_x2 = 0;
-
-	// Shall we instead let URG flag&point stay?
-	// tp->th_flags &= (~TH_URG);	// set URG to 0
-	// tp->th_urp = 0;		// clear urgent pointer
-
-	// Fix IP addresses before computing the TCP checksum
-	if ( anonymize_ip_addr )
-		{
-		ip->ip_src.s_addr = anon_src;
-		ip->ip_dst.s_addr = anon_dst;
-		}
-
-	tp->th_sum = 0;
-	tp->th_sum = 0xffff - tcp_checksum(ip, tp, PayloadLength());
-
-	// IP header.
-
-	// What to do with ip_id? One way is to choose a pseudo-random
-	// number as the new id. We try to keep the original ID unless
-	// it would cause a conflict, in which case we increment the
-	// ID till there is no conflict.
-	//
-	// This is too expensive -- and ID conflicts do not really
-	// matter because there will never be fragmentation.
-	// Fix: just keep the original ID.
-	// ip->ip_id = NextIP_ID(ip->ip_src.s_addr, ip->ip_id);
-
-	ASSERT((tcp_offset - ip_offset) % 4 == 0);
-	ip->ip_hl = (tcp_offset - ip_offset) >> 2;
-	ip->ip_len = htons(buffer_offset - ip_offset);
-	ip->ip_off = 0;		// DF = 0, MF = 0, offset = 0
-	ip->ip_sum = 0;
-	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip, tcp_offset - ip_offset, 0);
-
-	// Link level header:
-	// Question: what to do with the link level header? Currently we just
-	// keep the original header, even though the length field can
-	// be incorrect. ###
-
-	if ( timestamp < trace_rewriter->RewritePacket()->TimeStamp() )
-		// For out of order rewriting.
-		timestamp = trace_rewriter->RewritePacket()->TimeStamp();
-
-	// The below works around a potential type incompatibility
-	// on systems where pcap's timeval is different from the
-	// system-wide one. --cpk
-	//
-	timeval tv_tmp = double_to_timeval(timestamp);
-	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
-	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	return 1;
-	}
-
-void TCP_TracePacket::Reuse()
-	{
-	reuse = 1;
-
-	timestamp = trace_rewriter->RewritePacket()->TimeStamp();
-
-	// Question 1: Shall we keep TCP options in the header? Note
-	// that the TCP header of a packet is sometimes replicated in
-	// the rewritten trace (because we reuse headers). When an
-	// option have idempotent semantics, it is safe to keep the
-	// option; otherwise we should include the option only in the
-	// first one among replicated copies. Currently we keep
-	// options for simplicity and wait for things to happen. ###
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_flags = 0;
-
-	// Clear all TCP options.
-	unsigned int prev_data_offset = data_offset;
-	buffer_offset = data_offset = tcp_offset + sizeof(struct tcphdr);
-	if ( prev_data_offset - tcp_offset > sizeof(*tp) )
-		TCP_Analyzer::ParseTCPOptions(tp,
-					TCP_Rewriter::RewriteTCPOption,
-					trace_rewriter->Analyzer(), is_orig, this);
-	}
-
-RecordVal* TCP_TracePacket::PacketVal()
-	{
-	if ( ! packet_val )
-		{
-		packet_val = new RecordVal(packet_type);
-		packet_val->Assign(0, TraceRewriter()->Analyzer()->BuildConnVal());
-		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
-		packet_val->Assign(2, new Val(PacketSeq(), TYPE_COUNT));
-		packet_val->Assign(3, new Val(TimeStamp(), TYPE_TIME));
-		packet_val->SetOrigin(this);
-		}
-	else
-		Ref(packet_val);
-
-	return packet_val;
-	}
-
-uint16 NextIP_ID(const uint32 src_addr, const uint16 id)
-	{
-	if ( ip_id_set == 0 )
-		ip_id_set = new IP_IDSet();
-
-	IP_ID ipid;
-	ipid.ip = src_addr;
-	ipid.id = id;
-
-	while ( ip_id_set->find(ipid) != ip_id_set->end() )
-		{
-		ipid.id = (ipid.id + 1) & 0xffff;
-
-		if ( ipid.id == id )
-			{ // clear all entries of the IP
-			IP_ID first_id, last_id;
-			first_id.ip = last_id.ip = src_addr;
-			first_id.id = 0; last_id.id = 0xffff;
-			ip_id_set->erase(ip_id_set->find(first_id),
-						ip_id_set->find(last_id));
-			}
-		}
-
-	ip_id_set->insert(ipid);
-
-	return uint16(ipid.id & 0xffff);
-	}
-
-TCP_RewriterEndpoint::TCP_RewriterEndpoint(TCP_Rewriter* arg_rewriter)
-	{
-	rewriter = arg_rewriter;
-	next_packet = 0;
-	endp = 0;
-	established = 0;
-	end_of_data = 0;
-	peer = 0;
-	last_ack = 0;
-	last_packet_time = -1;
-	please_flush = 0;
-	flushed = 1;
-	flush_scheduled = 0;
-	there_is_a_gap = 0;
-	}
-
-TCP_RewriterEndpoint::~TCP_RewriterEndpoint()
-	{
-	if ( ! prolog.empty() )
-		{
-		if ( ! next_packet )
-			Weird(MSG_PREFIX "end point has data, but hasn't got any packet till destruction.");
-		else
-			internal_error(MSG_PREFIX "prolog should've been purged on the very first packet.");
-
-		while ( ! prolog.empty() )
-			{
-			delete prolog.front();
-			prolog.pop();
-			}
-		}
-
-	if ( ! end_of_data && next_packet && ! next_packet->IsEmpty() )
-		Weird(fmt(MSG_PREFIX "end of data missing before deleting the connection: %.6f",
-			  next_packet->TimeStamp()));
-
-	if ( next_packet )
-		Unref(next_packet);
-	}
-
-void TCP_RewriterEndpoint::Init()
-	{
-	// This cannot be put into the constructor because it requires
-	// existence of the peer.
-	peer = rewriter->GetPeer(this);
-	}
-
-// NextPacket sets 'ticks' of packet dumping according to packet
-// arrival in the original sequence.
-void TCP_RewriterEndpoint::NextPacket(TCP_TracePacket* p)
-	{
-	please_flush = 1;
-	flushed = 0;
-	last_packet_time = p->TimeStamp();
-
-	if ( ! endp )
-		endp = rewriter->GetEndpoint(this);
-
-	if ( endp->state == TCP_ENDPOINT_ESTABLISHED )
-		established = 1;
-
-	if ( ! next_packet || p->GetTCP_Flag(TH_SYN) )
-		{
-		if ( ! p->GetTCP_Flag(TH_SYN | TH_RST) &&
-		     ! rewriter->Analyzer()->IsPartial() )
-			Weird(MSG_PREFIX "first packet is not SYN or RST");
-
-		start_seq = next_seq = p->GetSeq();
-		}
-
-	SetNextPacket(p);
-	ScheduleFlush();
-	}
-
-void TCP_RewriterEndpoint::WriteData(int len, const u_char* data)
-	{
-	if ( end_of_data & (END_BY_FIN | END_BY_RST) )
-		Weird(MSG_PREFIX "write after end of data");
-
-	if ( ! next_packet )
-		{
-		// Till anybody really wants to use the prolog ...
-		run_time(fmt("pushing %d bytes into prolog", len));
-		prolog.push(new BroString(data, len, 0));
-		}
-	else
-		{
-		// Originally we did not send data along with SYN or RST.
-		// if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
-		//	internal_error("SYN/RST packet not immediately flushed");
-
-		// Question: shall we send data along with the ACK in the
-		// connection's three way handshake? Here it may do so.
-
-		DoWriteData(len, data);
-
-		if ( please_flush )
-			ScheduleFlush();
-		}
-	}
-
-void TCP_RewriterEndpoint::SkipGap(int len)
-	{
-	next_seq += len;
-	there_is_a_gap = 1;
-
-	if ( next_packet )
-		next_packet->SetSeqGap(0);
-	}
-
-void TCP_RewriterEndpoint::Push()
-	{
-	if ( ! next_packet )
-		return;
-
-	next_packet->SetTCP_Flag(TH_PUSH, 1);
-	PushPacket();
-	}
-
-void TCP_RewriterEndpoint::ReqAck()
-	{
-	if ( ! next_packet )
-		return;
-
-	PushPacket();
-	}
-
-void TCP_RewriterEndpoint::Flush()
-	{
-	if ( ! next_packet || next_packet->OnHold() )
-		// This may happen after the code change in
-		// TCP_Connection::NextPacket -- not every packet
-		// reaches the TCP rewriter.  Also, do not dump a packet
-		// on hold -- the packet will be flushed later.
-		// internal_error(MSG_PREFIX "flush before packet arrival");
-		return;
-
-	DEBUG_MSG_A("preparing to flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
-	if ( next_packet->FINScheduled() )
-		GenerateFIN();
-
-	if ( please_flush )
-		{
-		DEBUG_MSG_A("Flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
-		PushPacket();
-		}
-
-	if ( ! next_packet->IsEmpty() )
-		{
-		internal_error(MSG_PREFIX "packet is not empty after flushing");
-		}
-
-	flush_scheduled = 0;
-	}
-
-void TCP_RewriterEndpoint::ScheduleFlush()
-	{
-	if ( ! flush_scheduled )
-		{
-		schedule_flush(this);
-		flush_scheduled = 1;
-		DEBUG_MSG_A("%.6f flush scheduled for packet %d (%.6f)\n", network_time, next_packet->PacketSeq(), next_packet->TimeStamp());
-		}
-	}
-
-void TCP_RewriterEndpoint::GenerateFIN()
-	{
-	if ( end_of_data & END_BY_FIN )
-		return;
-
-	DEBUG_MSG_A("FIN at %.6f\n", next_packet->TimeStamp());
-	end_of_data |= END_BY_FIN;
-
-	if ( ! next_packet )
-		// Weird(MSG_PREFIX "FIN before packet arrival");
-		internal_error(MSG_PREFIX "FIN before packet arrival");
-	else
-		{
-		next_packet->ScheduleFIN(0);
-		next_packet->SetTCP_Flag(TH_FIN, 1);
-		please_flush = 1;
-		}
-	}
-
-void TCP_RewriterEndpoint::Reset(int self)
-	{
-	DEBUG_MSG_A("%.6f end by RST (empty = %d)\n", network_time, next_packet ? next_packet->IsEmpty() : -1);
-	if ( self )
-		end_of_data |= END_BY_RST;
-	else
-		end_of_data |= END_BY_PEER_RST;
-	}
-
-void TCP_RewriterEndpoint::SetNextPacket(TCP_TracePacket* p)
-	{
-	if ( next_packet )
-		{
-		if ( ! next_packet->IsEmpty() || next_packet->OnHold() )
-			internal_error(MSG_PREFIX "next packet (%.6f) arrives before the previous packet (%.6f) is flushed", p->TimeStamp(), next_packet->TimeStamp());
-			// PushPacket();
-
-		Unref(next_packet);
-		}
-
-	next_packet = p;
-
-	if ( next_packet->SeqGap() > 0 )
-		peer->SkipGap(next_packet->SeqGap());
-
-	// next_packet->SetTCP_Flag(TH_PUSH, 0);
-
-	// Do not send FIN at this moment because FIN may arrive out
-	// of order -- wait till all contents are delivered
-	next_packet->SetTCP_Flag(TH_FIN, 0);
-
-	if ( ! prolog.empty() )
-		{
-		// Do not put prolog into SYN/RST packets
-		if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
-			PushPacket();
-		PurgeProlog();
-		}
-	}
-
-void TCP_RewriterEndpoint::PurgeProlog()
-	{
-	while ( ! prolog.empty() )
-		{
-		BroString* s = prolog.front();
-		WriteData(s->Len(), s->Bytes());
-		prolog.pop();
-		delete s;
-		}
-	}
-
-void TCP_RewriterEndpoint::DoWriteData(int len, const u_char* data)
-	{
-	ASSERT(next_packet);
-
-	while ( len > 0 )
-		{
-		int left = next_packet->Space();
-
-		if ( ! left )
-			{
-			PushPacket();
-			left = next_packet->Space();
-			}
-
-		if ( left > len )
-			left = len;
-
-		if ( ! next_packet->AppendData(data, left) )
-			ASSERT(0);
-
-		data += left;
-		len -= left;
-		please_flush = 1;
-		}
-	}
-
-int TCP_RewriterEndpoint::IsPlaceHolderPacket(TCP_TracePacket* p)
-	{
-	return p->SeqLength() == 0 &&
-	       ! p->GetTCP_Flag(TH_SYN | TH_RST | TH_FIN | TH_URG ) &&
-	       ! (p->GetTCP_Flag(TH_ACK) && p->GetAck() > last_ack);
-	}
-
-void TCP_RewriterEndpoint::PushPacket()
-	{
-	if ( ! next_packet )
-		{
-		internal_error(MSG_PREFIX "cannot push packet before packet arrival");
-		return;
-		}
-
-	// Set sequence number ...
-	next_packet->SetSeq(next_seq);
-	int seq_len = next_packet->SeqLength();
-
-	next_seq += seq_len;
-
-	// ... and acknowledge peer's recently dumped packet.
-	if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) &&
-	     ! next_packet->GetTCP_Flag(TH_ACK) )
-		{
-		next_packet->SetTCP_Flag(TH_ACK, 0);
-		next_packet->SetAck(0);
-		}
-	else
-		{
-		next_packet->SetTCP_Flag(TH_ACK, 1);
-		if ( peer->HasPacket() )
-			next_packet->SetAck(peer->NextSeq());
-		}
-
-	int RST = next_packet->GetTCP_Flag(TH_RST);
-
-#if 0
-	// With the feature of reserve_rewrite_slot, packet dumping can
-	// be delayed.
-
-	// Enforce the order of timestamps; but delayed FIN is OK
-	// when there is a gap.
-	if ( next_packet->TimeStamp() < network_time &&
-	     ! (next_packet->GetTCP_Flag(TH_FIN) && there_is_a_gap) )
-		{
-		Weird(MSG_PREFIX "delayed packet");
-		Weird(fmt(MSG_PREFIX "packet time %.6f, dumping time %.6f\n",
-			 next_packet->TimeStamp(), network_time));
-		}
-#endif
-
-	if ( ! IsPlaceHolderPacket(next_packet) ||
-	     ! omit_rewrite_place_holder )
-		{
-		if ( next_packet->PredictedAsEmptyPlaceHolder() )
-			{
-			DEBUG_MSG("The packet to dump (%.6f, %d, %d, %s%s%s%s, %u > %u) was predicted to be an empty place holder.",
-				next_packet->TimeStamp(), next_packet->SeqLength(), next_packet->PayloadLength(),
-				next_packet->GetTCP_Flag(TH_SYN) ? "S" : "",
-				next_packet->GetTCP_Flag(TH_RST) ? "R" : "",
-				next_packet->GetTCP_Flag(TH_FIN) ? "F" : "",
-				next_packet->GetTCP_Flag(TH_URG) ? "U" : "",
-				next_packet->GetAck(), last_ack);
-			}
-
-		rewriter->DumpPacket(this, next_packet);
-		}
-
-	if ( next_packet->GetTCP_Flag(TH_ACK) &&
-	     next_packet->GetAck() > last_ack )
-		last_ack = next_packet->GetAck();
-
-	// Reuse the packet headers.
-	next_packet->Reuse();
-
-	if ( ! next_packet->FINScheduled() )
-		{
-		please_flush = 0;
-		if ( ! next_packet->IsEmpty() )
-			internal_error("should have been cleared");
-		}
-
-	if ( RST )
-		{
-		Reset(1);	// itself ...
-		peer->Reset(0); // ... and peer
-		return;
-		}
-
-	// Question: do we need to request an ACK? Yes, if the packet
-	// is an artificially generated packet.
-	if ( seq_len > 0 &&
-	     next_packet->TimeStamp() < rewriter->RewritePacket()->TimeStamp() )
-		peer->ReqAck();
-	}
-
-void TCP_RewriterEndpoint::Weird(const char* name) const
-	{
-#ifdef DEBUG_BRO
-	rewriter->Weird(name);
-#endif
-	}
-
-TCP_Rewriter::TCP_Rewriter(TCP_Analyzer* arg_analyzer, PacketDumper* arg_dumper,
-				int arg_MTU, int arg_wait_for_commitment)
-	{
-	analyzer = arg_analyzer;
-	dumper = arg_dumper;
-	MTU = arg_MTU;
-	wait_for_commitment = arg_wait_for_commitment;
-	discard_packets = 0;	// till AbortPackets(1);
-
-	packets_rewritten = 0;
-	next_packet_seq = 0;
-	pending_content_gap = 0;
-
-	orig = new TCP_RewriterEndpoint(this);
-	resp = new TCP_RewriterEndpoint(this);
-
-	orig->Init();
-	resp->Init();
-
-	anon_addr[0] = anon_addr[1] = 0;
-
-	if ( anonymize_ip_addr )
-		{
-		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
-						ORIG_ADDR);
-		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
-						RESP_ADDR);
-		}
-
-	holding_packets = 0;
-	current_packet = next_packet = 0;
-
-	current_slot = first_slot = last_slot = 0;
-	highest_slot_number = 0;
-	answered[0] = answered[1] = 0;
-	}
-
-void TCP_Rewriter::Done()
-	{
-	// The wrap-up work needs to be done *after* event processing,
-	// therefore we schedule a funeral to be held right before
-	// packets are flushed.
-	schedule_funeral(this);
-	}
-
-void TCP_Rewriter::Funeral()
-	{
-	if ( ! uncommited_packet_queue.empty() )
-		{
-		warn(fmt(MSG_PREFIX
-			 "rewriter gets neither commit or abort, "
-			 "and %d packets will be discarded",
-			 int(uncommited_packet_queue.size())));
-		AbortPackets(0);
-		}
-
-	if ( ! slot_queue.empty() )
-		{
-		run_time("reserved slots are not completely released at the end of rewriter %s", analyzer->Conn());
-		for ( slot_map_t::iterator it = reserved_slots.begin();
-			it != reserved_slots.end();
-			++it )
-			{
-			TCP_RewriteSlot* slot = it->second;
-			run_time(fmt("unreleased slot: %d", slot->Number()));
-			}
-
-		while ( ! slot_queue.empty() )
-			{
-			TCP_RewriteSlot* slot = slot_queue.front();
-			slot_queue.pop_front();
-			slot->Dump();
-			delete slot;
-			}
-
-		reserved_slots.clear();
-		ReleasePacketsOnHold();
-		}
-
-	if ( ! packets_on_hold.empty() )
-		{
-		run_time("packets on hold at the end of rewriter %s", analyzer->Conn());
-		ReleasePacketsOnHold();
-		// And release the last one.
-		Endp(next_packet->IsOrig())->Flush();
-		}
-	}
-
-TCP_Rewriter::~TCP_Rewriter()
-	{
-	delete orig;
-	delete resp;
-	}
-
-void TCP_Rewriter::NextPacket(int is_orig, double t,
-			      const struct pcap_pkthdr* pcap_hdr,
-			      const u_char* pcap_pkt, int hdr_size,
-			      const struct ip* ip,
-			      const struct tcphdr* tp)
-	{
-	unsigned int ip_hdr_len = ip->ip_hl * 4;
-	unsigned int tcp_hdr_len = tp->th_off * 4;
-
-	TCP_TracePacket* p =
-		new TCP_TracePacket(this, ++next_packet_seq, t,
-					is_orig, pcap_hdr, MTU,
-					hdr_size + ip_hdr_len + tcp_hdr_len);
-
-	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendIPHeader((const u_char*)ip, sizeof(*ip)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ip_hdr_len > sizeof(*ip) )
-		{
-		// TODO: re-write IP options.
-		}
-
-	if ( ! p->AppendTCPHeader((const u_char*)tp, sizeof(*tp)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	// Rewrite TCP options.
-	if ( tcp_hdr_len > sizeof(*tp) )
-		TCP_Analyzer::ParseTCPOptions(tp, RewriteTCPOption,
-						analyzer, is_orig, p);
-
-	// Pad the TCP header.
-	p->AppendData(0, 0);
-
-	// Before setting current_packet to p, first clean up empty
-	// place holders to save memory space.
-	if ( omit_rewrite_place_holder && holding_packets )
-		CleanUpEmptyPlaceHolders();
-
-	current_packet = p;
-
-	if ( pending_content_gap )
-		{
-		// A packet triggers a content gap only in the other
-		// direction.
-		if ( current_packet->IsOrig() )
-			pending_content_gap = -pending_content_gap;
-
-		if ( pending_content_gap < 0 )
-			internal_error("content gap out of sync with packet");
-
-		current_packet->SetSeqGap(pending_content_gap);
-		pending_content_gap = 0;
-		}
-
-	if ( current_slot )
-		add_slot();
-
-	if ( ! holding_packets )
-		{
-		next_packet = p;
-		Endp(is_orig)->NextPacket(p);
-		}
-	else
-		{
-		DEBUG_MSG_A("packet %d (%.6f) on hold\n",
-				p->PacketSeq(), p->TimeStamp());
-		packets_on_hold.push_back(p);
-		++num_packets_held;
-		}
-	}
-
-void TCP_Rewriter::ContentGap(int is_orig, int len)
-	{
-	if ( is_orig )
-		pending_content_gap = len;
-	else
-		pending_content_gap = -len;
-	}
-
-void TCP_Rewriter::ScheduleFIN(int is_orig)
-	{
-	if ( current_packet && current_packet->IsOrig() == is_orig )
-		current_packet->ScheduleFIN();
-
-	// Otherwise just ignore the FIN.
-	// Endp(is_orig)->ScheduleFIN();
-	}
-
-void TCP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( ! current_slot )
-		DoWriteData(is_orig, len, data);
-	else
-		current_slot->WriteData(is_orig, len, data);
-	}
-
-void TCP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( is_orig != next_packet->IsOrig() )
-		{
-		// Weird(fmt("%.6f rewriting packet on the opposite direction", network_time));
-		}
-
-	Endp(is_orig)->WriteData(len, data);
-	}
-
-void TCP_Rewriter::Push(int is_orig)
-	{
-	Endp(is_orig)->Push();
-	}
-
-void TCP_Rewriter::DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p)
-	{
-	struct pcap_pkthdr* hdr;
-	const u_char* pkt;
-	int length;
-	ipaddr32_t anon_src, anon_dst;		// anonymized IP addresses
-
-	if ( discard_packets )
-		return;
-
-	if ( endp == orig )
-		{
-		anon_src = anon_addr[0];
-		anon_dst = anon_addr[1];
-		}
-	else
-		{
-		anon_src = anon_addr[1];
-		anon_dst = anon_addr[0];
-		}
-
-	if ( p->Finish(hdr, pkt, length, anon_src, anon_dst) )
-		{
-		DEBUG_MSG_A("Packet %d (%.6f) dumped at %.6f\n", p->PacketSeq(), p->TimeStamp(), network_time);
-		++packets_rewritten;
-
-		if ( ! wait_for_commitment )
-			dumper->DumpPacket(hdr, pkt, length);
-		else
-			{
-			char* b = new char[sizeof(struct pcap_pkthdr) + length];
-			uncommited_packet_queue.push(b);
-
-			memcpy(b, hdr, sizeof(struct pcap_pkthdr));
-
-			b += sizeof(struct pcap_pkthdr);
-			memcpy(b, pkt, length);
-			}
-		}
-	else
-		internal_error(MSG_PREFIX "ill formed packet for dumping");
-	}
-
-void TCP_Rewriter::ReleaseNextPacket()
-	{
-	if ( packets_on_hold.empty() )
-		{
-		internal_error("there is no packet on hold to release");
-		return;
-		}
-
-	next_packet->SetOnHold(0);
-	Endp(next_packet->IsOrig())->Flush();
-	packets_on_hold.pop_front();
-
-	if ( ! packets_on_hold.empty() )
-		{
-		next_packet = packets_on_hold.front();
-		Endp(next_packet->IsOrig())->NextPacket(next_packet);
-		}
-	else
-		next_packet = 0;
-	}
-
-void TCP_Rewriter::HoldPacket(TCP_TracePacket* p)
-	{
-	if ( ! next_packet )
-		{
-		internal_error("should not try to hold a packet before packet arrival");
-		return;
-		}
-
-	holding_packets = 1;
-
-	while ( next_packet && next_packet->PacketSeq() < p->PacketSeq() )
-		ReleaseNextPacket();
-
-	if ( ! next_packet ||
-	     next_packet->PacketSeq() != p->PacketSeq() )
-		{
-		internal_error("packet sequence not found for hold_packet: %d",
-		    p->PacketSeq());
-		return;
-		}
-
-	next_packet->SetOnHold(1);
-	if ( packets_on_hold.empty() )
-		{
-		packets_on_hold.push_back(next_packet);
-		++num_packets_held;
-		answered[0] = answered[1] = 0;
-		}
-	}
-
-void TCP_Rewriter::ReleasePacketsOnHold()
-	{
-	holding_packets = 0;
-	if ( packets_on_hold.empty() )
-		return;
-
-	while ( packets_on_hold.size() > 1 )
-		ReleaseNextPacket();
-
-	next_packet->SetOnHold(0);
-	packets_on_hold.pop_front();
-	}
-
-void TCP_Rewriter::AbortPackets(int apply_to_future)
-	{
-	while ( ! uncommited_packet_queue.empty() )
-		{
-		char* p = uncommited_packet_queue.front();
-		uncommited_packet_queue.pop();
-		delete [] p;
-		}
-
-	if ( apply_to_future )
-		discard_packets = 1;
-	}
-
-void TCP_Rewriter::CommitPackets(int apply_to_future)
-	{
-	while ( ! uncommited_packet_queue.empty() )
-		{
-		struct pcap_pkthdr* hdr =
-			(struct pcap_pkthdr*) uncommited_packet_queue.front();
-
-		uncommited_packet_queue.pop();
-
-		dumper->DumpPacket(hdr,
-				((u_char*)hdr) + sizeof(struct pcap_pkthdr),
-				int((hdr->caplen)));
-
-		delete [] (char*) hdr;
-		}
-
-	if ( apply_to_future )
-		{ // dump all future packets immediately
-		wait_for_commitment = 0;
-		discard_packets = 0;
-		}
-	}
-
-void TCP_Rewriter::CleanUpEmptyPlaceHolders()
-	{
-	if ( ! last_slot )
-		return;
-
-	if ( last_slot->Packet() != current_packet )
-		internal_error("Mismatch: last_slot->packet != current_packet");
-
-	if ( packets_on_hold.empty() ||
-	     packets_on_hold.back() != current_packet )
-		internal_error("Mismatch: packets_on_hold.back() != current_packet");
-
-	int is_orig = current_packet->IsOrig() ? 1 : 0;
-
-	if ( current_packet->SeqGap() > 0 )
-		// This packet signals a sequence gap (on the opposite flow).
-		answered[is_orig] = 0;
-
-	// Is the current packet an empty placeholder packet?
-	int current_packet_is_empty =
-		last_slot->isEmpty() &&
-		current_packet->SeqLength() == 0 &&
-		! current_packet->GetTCP_Flag(TH_SYN|TH_RST|TH_FIN|TH_URG) &&
-		! current_packet->HasReservedSlot();
-
-	if ( current_packet_is_empty )
-		{
-		if ( answered[is_orig] )
-			{
-// #define DO_NOT_CLEAN_UP_ONLY_PREDICT
-#ifdef DO_NOT_CLEAN_UP_ONLY_PREDICT
-			// for debugging
-			current_packet->PredictAsEmptyPlaceHolder();
-#else
-			++num_packets_cleaned;
-			packets_on_hold.pop_back();
-			Unref(current_packet);
-			current_packet = 0;
-			slot_queue.pop_back();
-			delete last_slot;
-			last_slot = slot_queue.back();
-#endif
-			}
-		}
-	else
-		// Current packet may not be empty ...
-		answered[1 - is_orig] = 0;
-
-	answered[is_orig] = 1;
-	}
-
-int TCP_Rewriter::LeaveAddrInTheClear(int is_orig)
-	{
-	if ( packets_rewritten > 0 )
-		return 0;
-
-	if ( is_orig )
-		anon_addr[0] = to_v4_addr(analyzer->Conn()->OrigAddr());
-	else
-		anon_addr[1] = to_v4_addr(analyzer->Conn()->RespAddr());
-
-	return 1;
-	}
-
-TCP_Endpoint* TCP_Rewriter::GetEndpoint(TCP_RewriterEndpoint* endp)
-	{
-	if ( endp == orig )
-		return analyzer->Orig();
-	else
-		return analyzer->Resp();
-	}
-
-TCP_RewriterEndpoint* TCP_Rewriter::GetPeer(TCP_RewriterEndpoint* endp)
-	{
-	if ( endp == orig )
-		return resp;
-
-	else if ( endp == resp )
-		return orig;
-
-	else
-		return 0;
-	}
-
-#define KEEP_ORIG	1
-#define REUSE_OPT	1
-#define TO_NOP		0
-#define MAX_TCP_OPTION_REWRITING	9
-
-struct TCPOptionRewriting {
-	int keep_orig;
-	int reuse;
-} tcp_option_rewriting[MAX_TCP_OPTION_REWRITING] = {
-	//  0        -    End of Option List                 [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  1        -    No-Operation                       [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  2        4    Maximum Segment Size               [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  3        3    WSOPT - Window Scale              [RFC1323]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  4        2    SACK Permitted                    [RFC2018]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  5        N    SACK                              [RFC2018]
-	{TO_NOP, TO_NOP},
-
-	//  6        6    Echo (obsoleted by option 8)      [RFC1072]
-	{TO_NOP, TO_NOP},
-
-	//  7        6    Echo Reply (obsoleted by option 8)[RFC1072]
-	{TO_NOP, TO_NOP},
-
-	//  8       10    TSOPT - Time Stamp Option         [RFC1323]
-	{KEEP_ORIG, REUSE_OPT},
-
-	// ** the rest is left for future work **
-	//  9        2    Partial Order Connection Permitted[RFC1693]
-	// 10        3    Partial Order Service Profile     [RFC1693]
-	// 11             CC                                [RFC1644]
-	// 12             CC.NEW                            [RFC1644]
-	// 13             CC.ECHO                           [RFC1644]
-	// 14         3   TCP Alternate Checksum Request    [RFC1146]
-	// 15         N   TCP Alternate Checksum Data       [RFC1146]
-	// 16             Skeeter                           [Knowles]
-	// 17             Bubba                             [Knowles]
-	// 18         3   Trailer Checksum Option    [Subbu & Monroe]
-	// 19        18   MD5 Signature Option              [RFC2385]
-	// 20             SCPS Capabilities                   [Scott]
-	// 21		Selective Negative Acknowledgements [Scott]
-	// 22		Record Boundaries                   [Scott]
-	// 23		Corruption experienced              [Scott]
-	// 24		SNAP				 [Sukonnik]
-	// 25		Unassigned (released 12/18/00)
-	// 26             TCP Compression Filter           [Bellovin]
-};
-
-int TCP_Rewriter::RewriteTCPOption(unsigned int opt, unsigned int optlen,
-				const u_char* option, TCP_Analyzer* analyzer,
-				bool is_orig, void* cookie)
-	{
-	TCP_TracePacket* p = (TCP_TracePacket*) cookie;
-
-	if ( opt < MAX_TCP_OPTION_REWRITING &&
-	     ( (! p->IsReuse() && tcp_option_rewriting[opt].keep_orig) ||
-	       (p->IsReuse() && tcp_option_rewriting[opt].reuse) ) )
-		// copy/reuse the TCP option
-		p->AppendTCPHeader(option, optlen);
-
-	else
-		{ // replace it with nop
-		static const u_char nop[16] = {
-			1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1
-		};
-
-		while ( optlen > 0 )
-			{
-			int k = optlen > 16 ? 16 : optlen;
-			p->AppendTCPHeader(nop, k);
-			optlen -= k;
-			}
-		}
-
-	return 0;
-	}
-
-TCP_RewriteSlot* TCP_Rewriter::add_slot()
-	{
-	++highest_slot_number;
-
-	DEBUG_MSG_A("add slot %u\n", highest_slot_number);
-
-	last_slot = current_slot =
-		new TCP_RewriteSlot(current_packet, highest_slot_number);
-
-	slot_queue.push_back(current_slot);
-
-	return current_slot;
-	}
-
-TCP_RewriteSlot* TCP_Rewriter::find_slot(unsigned int slot)
-	{
-	// DEBUG_MSG_A("%d slots reserved\n", reserved_slots.size());
-	slot_map_t::iterator it = reserved_slots.find(slot);
-	if ( it == reserved_slots.end() )
-		return 0;
-
-	return it->second;
-	}
-
-unsigned int TCP_Rewriter::ReserveSlot()
-	{
-	if ( ! current_packet )
-		{
-		run_time("cannot reserve a rewrite slot before packet arrival");
-		return 0;
-		}
-
-	if ( ! current_slot )
-		{
-		first_slot = add_slot();
-		HoldPacket(current_packet);
-		}
-
-	if ( current_slot != last_slot )
-		{
-		run_time("cannot reserve a slot within a reserved slot");
-		return 0;
-		}
-
-	int slot_number = current_slot->Number();
-	DEBUG_MSG_A("reserved slot %d\n", slot_number);
-
-	reserved_slots[slot_number] = current_slot;
-	add_slot();
-	current_packet->AddReservedSlot();
-
-	return slot_number;
-	}
-
-int TCP_Rewriter::SeekSlot(unsigned int slot)
-	{
-	TCP_RewriteSlot* s = find_slot(slot);
-	if ( ! s )
-		return 0;
-
-	current_slot = s;
-	return 1;
-	}
-
-int TCP_Rewriter::ReturnFromSlot()
-	{
-	current_slot = last_slot;
-	return 1;
-	}
-
-int TCP_Rewriter::ReleaseSlot(unsigned int slot)
-	{
-	slot_map_t::iterator it = reserved_slots.find(slot);
-	if ( it == reserved_slots.end() )
-		{
-		run_time(fmt("cannot find slot %u", slot));
-		return 0;
-		}
-
-	TCP_RewriteSlot* s = it->second;
-	reserved_slots.erase(it);
-
-	if ( s == current_slot )
-		ReturnFromSlot();
-
-	DEBUG_MSG_A("release slot %u, slot [%u, %u]\n", s->Number(), first_slot->Number(), last_slot->Number());
-	if ( s == first_slot )
-		{
-		do	// release slots till we get to the next *reserved* slot
-			{
-			DEBUG_MSG_A("dump slot %d %.6f\n", first_slot->Number(), first_slot->Packet()->TimeStamp());
-
-			first_slot->Dump();
-			slot_queue.pop_front();
-			delete first_slot;
-
-			if ( slot_queue.empty() )
-				{
-				first_slot = last_slot = current_slot = 0;
-				DEBUG_MSG_A("release all packets on hold\n");
-				ReleasePacketsOnHold();
-				break;
-				}
-
-			first_slot = slot_queue.front();
-			HoldPacket(first_slot->Packet());
-			DEBUG_MSG_A("move on to packet %d (%.6f)\n", first_slot->Packet()->PacketSeq(), first_slot->Packet()->TimeStamp());
-			}
-		while ( ! find_slot(first_slot->Number()) );
-		}
-
-	return 1;
-	}
-
-TCP_RewriteSlot::TCP_RewriteSlot(TCP_TracePacket* p, unsigned int number)
-	{
-	packet = p;
-	slot_number = number;
-	rewriter = packet->TraceRewriter();
-	}
-
-void TCP_RewriteSlot::WriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( is_orig != packet->IsOrig() )
-		{
-		run_time("writing data to a slot of wrong direction %s",
-			rewriter->analyzer->Conn());
-
-		BroString* tmp = new BroString(data, len, 1);
-		char* tmp_s = tmp->Render();
-		run_time(fmt("further info: dir = %s, len = %d, data = \"%s\"",
-				is_orig ? "orig" : "resp", len, tmp_s));
-		delete tmp_s;
-		delete tmp;
-		return;
-		}
-
-	BroString* s = new BroString((const u_char*) data, len, 1);
-	buf.push(s);
-	}
-
-void TCP_RewriteSlot::Dump()
-	{
-	while ( ! buf.empty() )
-		{
-		BroString* s = buf.front();
-		buf.pop();
-		DEBUG_MSG_A("dump: \"%s\"\n", s->Bytes());
-		rewriter->DoWriteData(packet->IsOrig(), s->Len(), s->Bytes());
-		delete s;
-		}
-	}
-
-static std::queue<TCP_Rewriter*> rewriter_funerals;
-static std::queue<TCP_RewriterEndpoint*> rewriters_to_flush;
-
-void schedule_funeral(TCP_Rewriter* rewriter)
-	{
-	Ref(rewriter->Analyzer()->Conn());
-	rewriter_funerals.push(rewriter);
-	}
-
-void schedule_flush(TCP_RewriterEndpoint* endp)
-	{
-	Ref(endp->Analyzer()->Conn());
-	rewriters_to_flush.push(endp);
-	}
-
-void flush_rewriter_packet()
-	{
-	while ( ! rewriter_funerals.empty() )
-		{
-		TCP_Rewriter* rewriter = rewriter_funerals.front();
-		rewriter_funerals.pop();
-		rewriter->Funeral();
-		Unref(rewriter->Analyzer()->Conn());
-		}
-
-	while ( ! rewriters_to_flush.empty() )
-		{
-		TCP_RewriterEndpoint* endp = rewriters_to_flush.front();
-		rewriters_to_flush.pop();
-
-		if ( endp )
-			{
-			endp->Flush();
-			Unref(endp->Analyzer()->Conn());
-			}
-		}
-
-	if ( mgr.HasEvents() )
-		internal_error("flushing packets generates additional events!");
-	}
-
-TCP_SourcePacket::TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt)
-	{
-	hdr = *pcap_hdr;
-	if ( pcap_pkt )
-		{
-		pkt = new u_char[hdr.caplen];
-		memcpy(pkt, pcap_pkt, hdr.caplen);
-		}
-	else
-		{
-		hdr.caplen = 0;
-		pkt = 0;
-		}
-	}
-
-TCP_SourcePacket::~TCP_SourcePacket()
-	{
-	delete [] pkt;
-	}
-
-TCP_SourcePacketWriter::TCP_SourcePacketWriter(TCP_Analyzer* analyzer, PacketDumper* arg_dumper)
-	{
-	dumper = arg_dumper;
-	}
-
-TCP_SourcePacketWriter::~TCP_SourcePacketWriter()
-	{
-	// By default discard all packets of the connection
-	// if they are not explicitly dumped.
-	Purge(false);
-	}
-
-void TCP_SourcePacketWriter::NextPacket(const struct pcap_pkthdr* pcap_hdr,
-					const u_char* pcap_pkt)
-	{
-	source_packets.push(new TCP_SourcePacket(pcap_hdr, pcap_pkt));
-	}
-
-void TCP_SourcePacketWriter::Purge(bool dump)
-	{
-	while ( ! source_packets.empty() )
-		{
-		TCP_SourcePacket* p = source_packets.front();
-		if ( dump )
-			dumper->DumpPacket(p->Hdr(), p->Pkt(), p->Len());
-		source_packets.pop();
-		delete p;
-		}
-	}
-
-void TCP_SourcePacketWriter::Dump()
-	{
-	Purge(true);
-	}
-
-void TCP_SourcePacketWriter::Abort()
-	{
-	Purge(false);
-	}
-
-TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
-	{
-	if ( ! analyzer || analyzer->Conn()->ConnTransport() != TRANSPORT_TCP )
-		internal_error("connection for the trace rewriter does not exist");
-
-	TCP_SourcePacketWriter* writer = analyzer->SourcePacketWriter();
-	if ( ! writer )
-		{
-		if ( ! pkt_dumper )
-			return 0;	// don't complain if no output file
-		else if ( ! dump_selected_source_packets )
-			builtin_run_time("flag dump_source_packets is not set");
-		else
-			internal_error("source packet writer not initialized");
-		}
-
-	return writer;
-	}
-
-
-#include "common-rw.bif.func_def"
diff --git a/src/TCP_Rewriter.h b/src/TCP_Rewriter.h
deleted file mode 100644
index 27bf6a15fe..0000000000
--- a/src/TCP_Rewriter.h
+++ /dev/null
@@ -1,401 +0,0 @@
-// $Id: TCP_Rewriter.h 6916 2009-09-24 20:48:36Z vern $
-
-#ifndef tcp_rewriter_h
-#define tcp_rewriter_h
-
-#include <queue>
-#include <set>
-using namespace std;
-
-#include <pcap.h>
-
-#include "Val.h"
-#include "TCP.h"
-#include "Anon.h"
-#include "Analyzer.h"
-
-#include "PacketDumper.h"
-#include "Rewriter.h"
-
-class TCP_Rewriter;
-
-class TCP_TracePacket : public BroObj, virtual public TracePacket {
-public:
-	TCP_TracePacket(TCP_Rewriter* trace_rewriter,
-			int packet_seq, double t, int is_orig,
-			const struct pcap_pkthdr* hdr,
-			int MTU, int initial_size);
-	~TCP_TracePacket();
-
-	int AppendLinkHeader(const u_char* chunk, int len);
-	int AppendIPHeader(const u_char* chunk, int len);
-	int AppendTCPHeader(const u_char* chunk, int len);
-	int AppendData(const u_char* chunk, int len);
-
-	// Finish() is called before dumping the packet. It sets length
-	// fields and computes checksums in TCP/IP headers.
-	int Finish(struct pcap_pkthdr*& hdr, const u_char*& pkt, int& length,
-		   ipaddr32_t anon_src, ipaddr32_t anon_dst);
-
-	void Reuse();
-	int IsReuse() const	{ return reuse; }
-
-	double TimeStamp() const	{ return timestamp; }
-	int IsOrig() const	{ return is_orig; }
-
-	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
-
-	const u_char* Buffer() const	{ return pkt; }
-	int Length() const	{ return buffer_offset; }
-
-	// Note that Space() does not depend on buffer_size, but depends on MTU.
-	int Space() const		{ return mtu - buffer_offset; }
-	int IsEmpty() const
-		{ return SeqLength() == 0 && ! GetTCP_Flag(TH_RST); }
-
-	uint32 GetSeq() const;
-	void SetSeq(uint32 seq);
-
-	uint32 GetAck() const;
-	void SetAck(uint32 ack);
-
-	int GetTCP_Flag(int which) const;
-	void SetTCP_Flag(int which, int value);
-
-	int SeqLength() const;
-	int PayloadLength() const;
-
-	int FINScheduled() const	{ return FIN_scheduled; }
-	void ScheduleFIN(int fin = 1)	{ FIN_scheduled = fin; }
-
-	int OnHold() const	{ return on_hold; }
-	void SetOnHold(int x)	{ on_hold = x; }
-
-	int HasReservedSlot() const	{ return has_reserved_slot; }
-	void AddReservedSlot()		{ ++has_reserved_slot; }
-
-	int PredictedAsEmptyPlaceHolder() const
-		{ return predicted_as_empty_place_holder; }
-	void PredictAsEmptyPlaceHolder()
-		{ predicted_as_empty_place_holder = 1; }
-
-	// Whether the ACK on this packet confirms a content gap on
-	// the opposite direction.
-	int SeqGap() const	{ return seq_gap; }
-	void SetSeqGap(int len)	{ seq_gap = len; }
-
-	int PacketSeq() const		{ return packet_seq; }
-	TCP_Rewriter* TraceRewriter() const	{ return trace_rewriter; }
-
-	RecordVal* PacketVal();
-	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
-
-protected:
-	int Append(const u_char* chunk, int len);
-
-	RecordVal* packet_val;
-	TCP_Rewriter* trace_rewriter;
-	double timestamp;
-	int packet_seq;
-	int is_orig;
-	struct pcap_pkthdr pcap_hdr;
-	int mtu;
-	u_char* pkt;	// of maximal length MTU
-	int ip_offset, tcp_offset, data_offset;
-	int buffer_size;
-	int buffer_offset;
-	int reuse;	// whether it is an artificially replicated packet
-	int FIN_scheduled;
-	int on_hold;	// do not dump it in Flush()
-	int seq_gap;
-	int has_reserved_slot;
-	int predicted_as_empty_place_holder;
-};
-
-// How a unidirectional flow ends.
-#define	END_BY_FIN	1
-#define	END_BY_RST	2
-#define	END_BY_PEER_RST	4
-
-class TCP_RewriterEndpoint {
-public:
-	TCP_RewriterEndpoint(TCP_Rewriter* rewriter);
-	~TCP_RewriterEndpoint();
-
-	void Init();
-
-	// A packet that contains a TCP segment.
-	void NextPacket(TCP_TracePacket* p);
-	void WriteData(int len, const u_char* data);
-	void SkipGap(int len);
-
-	void Push();
-	void ReqAck();
-	void Flush();
-	void Reset(int self);
-
-	uint32 NextSeq() const	{ return next_seq; }
-	int HasPacket() const	{ return next_packet != 0; }
-	inline TCP_Analyzer* Analyzer() const;
-
-protected:
-	TCP_Rewriter* rewriter;		// TCP rewriter for the connection
-	TCP_RewriterEndpoint* peer;	// the peer TCP rewriter endpoint
-	TCP_Endpoint* endp;		// the corresponding TCP endpoint
-
-	TCP_TracePacket* next_packet;
-	std::queue<BroString*> prolog;
-
-	double last_packet_time;
-	uint32 start_seq;	// start seq -- sent in SYN
-	uint32 next_seq;	// seq of next packet
-	uint32 last_ack;	// last acknowledgement seq
-
-	int please_flush;
-	int flush_scheduled;
-	int flushed;
-	int established;
-	int end_of_data;	// is it really useful?
-	int there_is_a_gap;
-
-	// Move onto the next packet header.
-	void SetNextPacket(TCP_TracePacket* p);
-
-	void PurgeProlog();
-
-	// Pour data into the current packet (next_packet).
-	void DoWriteData(int len, const u_char* data);
-
-	// Push the current packet (next_packet) to dumper.
-	void PushPacket();
-
-	// Please flush this endpoint after draining events.
-	void ScheduleFlush();
-
-	void GenerateFIN();
-
-	// Whether the packet is a "place holder" packet, i.e. it's
-	// harmless to omit the packet (except missing the timestamp
-	// it contains).
-	int IsPlaceHolderPacket(TCP_TracePacket* p);
-
-	void Weird(const char* name) const;
-};
-
-class TCP_RewriteSlot {
-public:
-	TCP_RewriteSlot(TCP_TracePacket* p, unsigned int slot_number);
-
-	void WriteData(int is_orig, int len, const u_char* data);
-
-	void Dump();
-
-	unsigned int Number() const	{ return slot_number; }
-	TCP_TracePacket* Packet() const	{ return packet; }
-
-	bool isEmpty() const	{ return buf.empty(); }
-protected:
-	TCP_Rewriter* rewriter;
-	TCP_TracePacket* packet;
-	unsigned int slot_number;
-	std::queue<BroString*> buf;
-};
-
-class TCP_Rewriter : public Rewriter {
-public:
-	TCP_Rewriter(TCP_Analyzer* analyzer, PacketDumper* dumper, int MTU,
-			int wait_for_commitment = 0);
-	virtual ~TCP_Rewriter();
-	virtual void Done();
-	void Funeral();
-
-	// Phase 1 methods: called in packet processing.
-
-	// A TCP/IP packet.
-	void NextPacket(int is_orig, double t,
-			const struct pcap_pkthdr* pcap_hdr,
-			const u_char* pcap_pkt,	// link level header
-			int hdr_size,		// link level header size
-			const struct ip* ip,
-			const struct tcphdr* tp);
-	void ContentGap(int is_orig, int len);
-	void ScheduleFIN(int is_orig);
-
-
-	// Phase 2 methods: called in event processing.
-
-	void WriteData(int is_orig, int len, const u_char* data);
-	void WriteData(int is_orig, const char* data)
-		{ WriteData(is_orig, strlen(data), data); }
-	void WriteData(int is_orig, int len, const char* data)
-		{ WriteData(is_orig, len, (const u_char*) data); }
-	void WriteData(int is_orig, const BroString* str)
-		{ WriteData(is_orig, str->Len(), str->Bytes()); }
-	void WriteData(int is_orig, StringVal* str)
-		{ WriteData(is_orig, str->AsString()); }
-	void Push(int is_orig);
-
-	// When wait_for_commitment = 1, packets are not dumped until
-	//   CommitPackets().
-	// When apply_to_future = 1, the same decision holds for future
-	//   packets as well.
-	//
-	// Regarding why AbortPackets() takes an apply_to_future flag:
-	//
-	//	The model is that there can be multiple commit/abort stages
-	//	during the course of a connection.  At the end of each
-	//	stage, a commit or abort decision is made for packets
-	//	generated during the stage.  A possible scenario is that
-	//	user may want to delete a middle part of a conversation
-	//	while keeping the parts before and after intact, and cannot
-	//	make the decision until the end of the middle part.
-
-	void AbortPackets(int apply_to_future);
-	void CommitPackets(int apply_to_future);
-
-	unsigned int ReserveSlot();
-	int SeekSlot(unsigned int slot);
-	int ReturnFromSlot();
-	int ReleaseSlot(unsigned int slot);
-
-	// Do not anonymize client/server IP address
-	int LeaveAddrInTheClear(int is_orig);
-
-
-	// Phase 3 methods: called in flushing after events.
-	// (None, because flushing is done through accessing endpoints directly.)
-
-	// Other methods.
-
-	void DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p);
-
-	void Weird(const char* name) const	{ analyzer->Weird(name); }
-	TCP_Analyzer* Analyzer() const	{ return analyzer; }
-
-	TCP_Endpoint* GetEndpoint(TCP_RewriterEndpoint* endp);
-	TCP_RewriterEndpoint* GetPeer(TCP_RewriterEndpoint* endp);
-
-	TracePacket* CurrentPacket() const	{ return current_packet; }
-	TracePacket* RewritePacket() const	{ return next_packet; }
-
-	// Needs to be static because it's passed as a pointer-to-function
-	// rather than pointer-to-member-function.
-	static int RewriteTCPOption(unsigned int opt, unsigned int optlen,
-				const u_char* option, TCP_Analyzer* analyzer,
-				bool is_orig, void* cookie);
-
-protected:
-	// Under normal circumstances, we always rewrite into the
-	// "current packet" of the connection. However, sometimes we'd
-	// want to look a few packets ahead before deciding what to
-	// rewrite, in which case we may use {hold,release}_packet to
-	// specify the packet we are writing to.
-
-	// rewrite_packet (next_packet) always equals to
-	// current_packet under *normal mode*. hold_packet(p) dumps
-	// all packets *before* p, fixes rewrite_packet at p and turns
-	// the connection into *look-ahead* mode. Under look-ahead
-	// mode, release_packet(c) dumps all packets of on hold
-	// connection and makes the connection returns to normal mode
-	// so that rewrite_packet changes along with current_packet.
-
-	// When a packet is held, it is illegal to write to packets on
-	// the other half of the connection.
-
-	// Release next_packet
-	void ReleaseNextPacket();
-
-	// Hold packet p and release all packets before p.
-	void HoldPacket(TCP_TracePacket* p);
-
-	// Release all packets on hold and dump all the packets except
-	// the last one, which will be flushed at the end of the event.
-	void ReleasePacketsOnHold();
-
-	void CleanUpEmptyPlaceHolders();
-	void DoWriteData(int is_orig, int len, const u_char* data);
-
-	TCP_RewriterEndpoint* Endp(int is_orig) const
-		{ return is_orig ? orig : resp; }
-
-	TCP_Analyzer* analyzer;
-	PacketDumper* dumper;
-	TCP_RewriterEndpoint* orig;
-	TCP_RewriterEndpoint* resp;
-	int MTU;
-	int wait_for_commitment;
-	int discard_packets;
-	std::queue<char*> uncommited_packet_queue;
-	int next_packet_seq;
-	int packets_rewritten;
-	ipaddr32_t anon_addr[2];
-	int pending_content_gap;
-
-	TCP_TracePacket* current_packet;
-	TCP_TracePacket* next_packet;
-	std::deque<TCP_TracePacket*> packets_on_hold;
-	int holding_packets;
-
-	TCP_RewriteSlot* current_slot;
-	TCP_RewriteSlot* first_slot;
-	TCP_RewriteSlot* last_slot;
-	std::deque<TCP_RewriteSlot*> slot_queue;
-	typedef map<unsigned int, TCP_RewriteSlot*> slot_map_t;
-	slot_map_t reserved_slots;
-	int highest_slot_number;
-
-	TCP_RewriteSlot* add_slot();
-	TCP_RewriteSlot* find_slot(unsigned int slot);
-
-	friend class TCP_RewriteSlot;
-	int answered[2];
-};
-
-inline TCP_Analyzer* TCP_RewriterEndpoint::Analyzer() const
-	{
-	return rewriter->Analyzer();
-	}
-
-// "Please flush the rewriter endpoint after event processing."
-extern void schedule_flush(TCP_RewriterEndpoint* endp);
-
-// "Please call rewriter->Funeral() after event processing."
-extern void schedule_funeral(TCP_Rewriter* rewriter);
-
-extern void flush_rewriter_packet();
-
-class TCP_SourcePacket {
-public:
-	TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt);
-	~TCP_SourcePacket();
-
-	int Len() const	{ return hdr.caplen; }
-	const u_char* Pkt() const	{ return pkt; }
-	const struct pcap_pkthdr* Hdr() const	{ return &hdr; }
-
-protected:
-	struct pcap_pkthdr hdr;
-	u_char* pkt;
-};
-
-// Write selected original packets to the trace
-class TCP_SourcePacketWriter {
-public:
-	TCP_SourcePacketWriter(TCP_Analyzer* /* analyzer */,
-				PacketDumper* arg_dumper);
-	~TCP_SourcePacketWriter();
-
-	void NextPacket(const struct pcap_pkthdr* pcap_hdr,
-				const u_char* pcap_pkt);
-	void Dump();
-	void Abort();
-
-protected:
-	PacketDumper* dumper;
-	std::queue<TCP_SourcePacket*> source_packets;
-	void Purge(bool dump);
-};
-
-extern TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer);
-
-#endif
diff --git a/src/Telnet.cc b/src/Telnet.cc
index 91151fe735..62c7d7b500 100644
--- a/src/Telnet.cc
+++ b/src/Telnet.cc
@@ -1,5 +1,3 @@
-// $Id: Telnet.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
diff --git a/src/Telnet.h b/src/Telnet.h
index 89150bcbc7..5675775789 100644
--- a/src/Telnet.h
+++ b/src/Telnet.h
@@ -1,5 +1,3 @@
-// $Id: Telnet.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef telnet_h
diff --git a/src/Timer.cc b/src/Timer.cc
index 1349d1d488..2e2fb09c6b 100644
--- a/src/Timer.cc
+++ b/src/Timer.cc
@@ -1,5 +1,3 @@
-// $Id: Timer.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -127,7 +125,7 @@ void PQ_TimerMgr::Add(Timer* timer)
 	// multiple already-added timers are added, they'll still
 	// execute in sorted order.
 	if ( ! q->Add(timer) )
-		internal_error("out of memory");
+		reporter->InternalError("out of memory");
 
 	++current_timers[timer->Type()];
 	}
@@ -173,7 +171,7 @@ int PQ_TimerMgr::DoAdvance(double new_t, int max_expire)
 void PQ_TimerMgr::Remove(Timer* timer)
 	{
 	if ( ! q->Remove(timer) )
-		internal_error("asked to remove a missing timer");
+		reporter->InternalError("asked to remove a missing timer");
 
 	--current_timers[timer->Type()];
 	delete timer;
@@ -183,7 +181,7 @@ CQ_TimerMgr::CQ_TimerMgr(const Tag& tag) : TimerMgr(tag)
 	{
 	cq = cq_init(60.0, 1.0);
 	if ( ! cq )
-		internal_error("could not initialize calendar queue");
+		reporter->InternalError("could not initialize calendar queue");
 	}
 
 CQ_TimerMgr::~CQ_TimerMgr()
@@ -208,7 +206,7 @@ void CQ_TimerMgr::Add(Timer* timer)
 		t = network_time;
 
 	if ( cq_enqueue(cq, t, timer) < 0 )
-		internal_error("problem queueing timer");
+		reporter->InternalError("problem queueing timer");
 
 	++current_timers[timer->Type()];
 	}
diff --git a/src/Timer.h b/src/Timer.h
index c98aeefc22..bb6b8d56ae 100644
--- a/src/Timer.h
+++ b/src/Timer.h
@@ -1,5 +1,3 @@
-// $Id: Timer.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef timer_h
diff --git a/src/Traverse.cc b/src/Traverse.cc
index 733ceb450c..78eed27800 100644
--- a/src/Traverse.cc
+++ b/src/Traverse.cc
@@ -1,5 +1,3 @@
-// $Id: Traverse.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "Scope.h"
diff --git a/src/Traverse.h b/src/Traverse.h
index ea300fad18..3791a9bbdc 100644
--- a/src/Traverse.h
+++ b/src/Traverse.h
@@ -1,5 +1,3 @@
-// $Id: Traverse.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef traverse_h
diff --git a/src/TraverseTypes.h b/src/TraverseTypes.h
index 0cba17a5a9..b0528f34be 100644
--- a/src/TraverseTypes.h
+++ b/src/TraverseTypes.h
@@ -1,5 +1,3 @@
-// $Id: TraverseTypes.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef statictypes_h
diff --git a/src/Trigger.cc b/src/Trigger.cc
index c9e236f1fa..26f80c73d9 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -1,5 +1,3 @@
-// $Id: Trigger.cc 2359 2005-12-21 23:55:32Z vern $
-
 #include <algorithm>
 
 #include "Trigger.h"
@@ -43,7 +41,7 @@ TraversalCode TriggerTraversalCallback::PreExpr(const Expr* expr)
 	case EXPR_INDEX:
 		{
 		const IndexExpr* e = static_cast<const IndexExpr*>(expr);
-		BroObj::SuppressRunTimeErrors no_errors;
+		BroObj::SuppressErrors no_errors;
 		Val* v = e->Eval(trigger->frame);
 		if ( v )
 			trigger->Register(v);
@@ -112,6 +110,8 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 	is_return = arg_is_return;
 	location = arg_location;
 
+	++total_triggers;
+
 	DBG_LOG(DBG_NOTIFIERS, "%s: instantiating", Name());
 
 	if ( is_return )
@@ -119,7 +119,7 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 		Trigger* parent = frame->GetTrigger();
 		if ( ! parent )
 			{
-			run_time("return trigger in context which does not allow delaying result");
+			reporter->Error("return trigger in context which does not allow delaying result");
 			Unref(this);
 			return;
 			}
@@ -130,11 +130,17 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 
 	Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0;
 
+	// Make sure we don't get deleted if somebody calls a method like
+	// Timeout() while evaluating the trigger. 
+	Ref(this);
+
 	if ( ! Eval() && timeout )
 		{
 		timer = new TriggerTimer(timeout->AsInterval(), this);
 		timer_mgr->Add(timer);
 		}
+
+	Unref(this);
 	}
 
 Trigger::~Trigger()
@@ -161,6 +167,7 @@ void Trigger::Init()
 	}
 
 Trigger::TriggerList* Trigger::pending = 0;
+unsigned long Trigger::total_triggers = 0;
 
 bool Trigger::Eval()
 	{
@@ -409,3 +416,9 @@ const char* Trigger::Name()
 	return fmt("%s:%d-%d", location->filename,
 			location->first_line, location->last_line);
 	}
+
+void Trigger::GetStats(Stats* stats)
+	{
+	stats->total = total_triggers;
+	stats->pending = pending ? pending->size() : 0;
+	}
diff --git a/src/Trigger.h b/src/Trigger.h
index 7f9931b033..ffec50d7ef 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -1,5 +1,3 @@
-// $Id: Trigger.h 2359 2005-12-21 23:55:32Z vern $
-
 #ifndef TRIGGER_H
 #define TRIGGER_H
 
@@ -69,6 +67,13 @@ public:
 	// Evaluates all queued Triggers.
 	static void EvaluatePending();
 
+	struct Stats {
+		unsigned long total;
+		unsigned long pending;
+	};
+
+	static void GetStats(Stats* stats);
+
 private:
 	friend class TriggerTraversalCallback;
 	friend class TriggerTimer;
@@ -101,6 +106,8 @@ private:
 
 	typedef list<Trigger*> TriggerList;
 	static TriggerList* pending;
+
+	static unsigned long total_triggers;
 };
 
 #endif
diff --git a/src/TwoWise.cc b/src/TwoWise.cc
deleted file mode 100644
index af86b1db71..0000000000
--- a/src/TwoWise.cc
+++ /dev/null
@@ -1,59 +0,0 @@
-/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
-// $Id: TwoWise.cc 1386 2005-09-14 21:42:13Z vern $
-//
-// Implementation of 2-wise independent hash functions.  Contributed
-// by Yin Zhang.
-//
-
-#include <stdlib.h>
-
-#include "TwoWise.h"
-
-TwoWise::TwoWise(int arg_dim)
-	{
-	dim = arg_dim;
-	int n = dim > 2 ? dim : 2;
-
-	a = new uint64[n];
-	b = new uint64[n];
-	c = new uint32[n];
-
-	for ( int i = 0; i < n; ++i )
-		{
-		a[i] = rand64bit() & ~(1ULL);
-		b[i] = rand64bit() & ~(1ULL);
-		c[i] = 0;
-		}
-
-	a0 = a[0];
-	b0 = b[0];
-	a1 = a[1];
-	b1 = b[1];
-	}
-
-TwoWise::~TwoWise()
-	{
-	delete[] a;
-	delete[] b;
-	delete[] c;
-	}
-
-void TwoWise::TestSpeed(uint32 N)
-	{
-	uint32 x = 0, i;
-
-	double start_time = current_time();
-	for ( i = 0; i < N; ++i )
-		x ^= Hash(i);
-	double end_time = current_time();
-	double time0 = end_time - start_time;
-
-	start_time = current_time();
-	for ( i = 0; i < N; ++i )
-		x ^= Hash(i, i);
-	end_time = current_time();
-	double time1 = end_time - start_time;
-
-	fprintf(stderr, "time0=%.6f time1=%.6f x=%u\n",
-		time0, time1, x);
-	}
diff --git a/src/TwoWise.h b/src/TwoWise.h
deleted file mode 100644
index 08b8f8944a..0000000000
--- a/src/TwoWise.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
-// $Id: TwoWise.h 2809 2006-04-23 20:26:07Z vern $
-//
-// Implementation of 2-wise independent hash functions.  Contributed
-// by Yin Zhang.
-//
-
-#ifndef twowise_h
-#define twowise_h
-
-#include "util.h"
-
-typedef union {
-	uint64 as_int64;
-	uint32 as_int32s[2];
-	uint32 as_int16s[4];
-} int64views;
-
-#ifdef WORDS_BIGENDIAN
-#define TOP32BITS(h) h.as_int32s[0]
-#else
-#define TOP32BITS(h) h.as_int32s[1]
-#endif
-
-typedef union {
-	uint32 as_int32;
-	uint16 as_int16s[2];
-	uint16 as_int8s[4];
-} int32views;
-
-class TwoWise {
-public:
-	TwoWise(int dim = 0);
-	~TwoWise();
-
-	uint32 Hash(uint32 k) const
-		{
-		int64views h;
-		h.as_int64 = a0*k + b0;
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(uint32 k0, uint32 k1) const
-		{
-		int64views h;
-		h.as_int64 = (a0*k0+b0) ^ (a1*k1+b1);
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(const uint32* k) const
-		{
-		int64views h;
-		h.as_int64 = (a0*k[0]+b0);
-
-		for ( int i = 1; i < dim; ++i )
-			h.as_int64 ^= (a[i]*k[i] + b[i]);
-
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(int size, const uint8* data) const
-		{
-		if ( size == 0 )
-			return 0;
-
-		// Copy data to c to resolve any potential alignment problem.
-		int num_words = (size + 3) >> 2;
-		c[num_words - 1] = 0;	// pad with 0
-		memcpy(c, data, size);
-
-		int64views h;
-		h.as_int64 = (a0*c[0]+b0);
-
-		for ( int i = 1; i < num_words; ++i )
-			h.as_int64 ^= (a[i]*c[i] + b[i]);
-
-		return TOP32BITS(h);
-		}
-
-	void TestSpeed(uint32 N = 1000000);
-
-private:
-
-	// Coefficients in Dietzfelbinger scheme.
-	uint64 a0, b0, a1, b1;	// for 1-d and 2-d case
-	uint64 *a, *b;		// for N-d case
-	uint32 *c;
-
-	int dim;
-};
-
-#endif // twowise_h
diff --git a/src/Type.cc b/src/Type.cc
index 1f5c22d58b..4d80eda6f7 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1,5 +1,3 @@
-// $Id: Type.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -9,20 +7,13 @@
 #include "Expr.h"
 #include "Scope.h"
 #include "Serializer.h"
+#include "Reporter.h"
 
-RecordType* init_global_attrs();
+#include <string>
+#include <list>
+#include <map>
 
-bool in_global_attr_decl = false;
-RecordType* global_attributes_type = init_global_attrs();
-
-RecordType* init_global_attrs()
-	{
-	in_global_attr_decl = true;
-	RecordType* rt = new RecordType(new type_decl_list);
-	in_global_attr_decl = false;
-	rt->MakeGlobalAttributeType();
-	return rt;
-	}
+extern int generate_documentation;
 
 const char* type_name(TypeTag t)
 	{
@@ -35,12 +26,13 @@ const char* type_name(TypeTag t)
 		"string", "pattern",
 		"enum",
 		"timer",
-		"port", "addr", "net", "subnet",
+		"port", "addr", "subnet",
 		"any",
 		"table", "union", "record", "types",
 		"func",
 		"file",
 		"vector",
+		"type",
 		"error",
 	};
 
@@ -58,7 +50,7 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 	tag = t;
 	is_network_order = 0;
 	base_type = arg_base_type;
-	is_global_attributes_type = false;
+	type_id = 0;
 
 	switch ( tag ) {
 	case TYPE_VOID:
@@ -92,7 +84,6 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 		break;
 
 	case TYPE_ADDR:
-	case TYPE_NET:
 		internal_tag = TYPE_INTERNAL_ADDR;
 		break;
 
@@ -110,6 +101,7 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 	case TYPE_FUNC:
 	case TYPE_FILE:
 	case TYPE_VECTOR:
+	case TYPE_TYPE:
 		internal_tag = TYPE_INTERNAL_OTHER;
 		break;
 
@@ -118,28 +110,12 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 		break;
 	}
 
-	// Kind of hacky; we don't want an error while we're defining
-	// the global attrs!
-	if ( in_global_attr_decl )
-		{
-		attributes_type = 0;
-		return;
-		}
-
-	if ( ! global_attributes_type )
-		SetError();
-	else
-		attributes_type = global_attributes_type;
 	}
 
-bool BroType::SetAttributesType(type_decl_list* attr_types)
+BroType::~BroType()
 	{
-	TypeList* global = new TypeList();
-	global->Append(global_attributes_type);
-
-	attributes_type = refine_type(global, attr_types)->AsRecordType();
-
-	return (attributes_type != 0);
+	if ( type_id )
+		delete [] type_id;
 	}
 
 int BroType::MatchesIndex(ListExpr*& /* index */) const
@@ -176,6 +152,13 @@ void BroType::Describe(ODesc* d) const
 		}
 	}
 
+void BroType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+	d->Add(type_name(Tag()));
+	d->Add("`");
+	}
+
 void BroType::SetError()
 	{
 	tag = TYPE_ERROR;
@@ -232,8 +215,9 @@ BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want)
 	if ( ! t )
 		return 0;
 
-	// For base types, we return our current instance.
-	if ( t->base_type )
+	// For base types, we return our current instance
+	// if not in "documentation mode".
+	if ( t->base_type && ! generate_documentation )
 		{
 		BroType* t2 = ::base_type(TypeTag(t->tag));
 		Unref(t);
@@ -241,16 +225,6 @@ BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want)
 		return t2;
 		}
 
-	// For the global_attribute_type, we also return our current instance.
-	if ( t->is_global_attributes_type )
-		{
-		BroType* t2 = global_attributes_type;
-		Unref(t);
-		t2->Ref();
-		assert(t2);
-		return t2;
-		}
-
 	assert(t);
 	return t;
 	}
@@ -267,10 +241,20 @@ bool BroType::DoSerialize(SerialInfo* info) const
 		return false;
 
 	if ( ! (SERIALIZE(is_network_order) && SERIALIZE(base_type) &&
-		SERIALIZE(is_global_attributes_type)) )
+		// Serialize the former "bool is_global_attributes_type" for
+		// backwards compatibility.
+		SERIALIZE(false)) )
 		return false;
 
-	SERIALIZE_OPTIONAL(attributes_type);
+	// Likewise, serialize the former optional "RecordType* attributes_type"
+	// for backwards compatibility.
+	void* null = NULL;
+	SERIALIZE(null);
+
+	if ( generate_documentation )
+		{
+		SERIALIZE_OPTIONAL_STR(type_id);
+		}
 
 	info->s->WriteCloseTag("Type");
 
@@ -288,13 +272,24 @@ bool BroType::DoUnserialize(UnserialInfo* info)
 	tag = (TypeTag) c1;
 	internal_tag = (InternalTypeTag) c2;
 
+	bool not_used;
+
 	if ( ! (UNSERIALIZE(&is_network_order) && UNSERIALIZE(&base_type)
-			&& UNSERIALIZE(&is_global_attributes_type)) )
+			// Unerialize the former "bool is_global_attributes_type" for
+			// backwards compatibility.
+			&& UNSERIALIZE(&not_used)) )
 		return 0;
 
-	BroType* type;
-	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_RECORD));
-	attributes_type = (RecordType*) type;
+	BroType* not_used_either;
+
+	// Likewise, unserialize the former optional "RecordType*
+	// attributes_type" for backwards compatibility.
+	UNSERIALIZE_OPTIONAL(not_used_either, BroType::Unserialize(info, TYPE_RECORD));
+
+	if ( generate_documentation )
+		{
+		UNSERIALIZE_OPTIONAL_STR(type_id);
+		}
 
 	return true;
 	}
@@ -318,7 +313,7 @@ int TypeList::AllMatch(const BroType* t, int is_init) const
 void TypeList::Append(BroType* t)
 	{
 	if ( pure_type && ! same_type(t, pure_type) )
-		internal_error("pure type-list violation");
+		reporter->InternalError("pure type-list violation");
 
 	types.append(t);
 	}
@@ -449,6 +444,52 @@ void IndexType::Describe(ODesc* d) const
 		}
 	}
 
+void IndexType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+
+	if ( IsSet() )
+		d->Add("set");
+	else
+		d->Add(type_name(Tag()));
+
+	d->Add("` ");
+	d->Add("[");
+
+	loop_over_list(*IndexTypes(), i)
+		{
+		if ( i > 0 )
+			d->Add(", ");
+
+		const BroType* t = (*IndexTypes())[i];
+
+		if ( t->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(t->GetTypeID());
+			d->Add("`");
+			}
+		else
+			t->DescribeReST(d);
+		}
+
+	d->Add("]");
+
+	if ( yield_type )
+		{
+		d->Add(" of ");
+
+		if ( yield_type->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(yield_type->GetTypeID());
+			d->Add("`");
+			}
+		else
+			yield_type->DescribeReST(d);
+		}
+	}
+
 bool IndexType::IsSubNetIndex() const
 	{
 	const type_list* types = indices->Types();
@@ -683,6 +724,30 @@ void FuncType::Describe(ODesc* d) const
 		}
 	}
 
+void FuncType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+	d->Add(is_event ? "event" : "function");
+	d->Add("`");
+	d->Add(" (");
+	args->DescribeFieldsReST(d, true);
+	d->Add(")");
+
+	if ( yield )
+		{
+		d->AddSP(" :");
+
+		if ( yield->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(yield->GetTypeID());
+			d->Add("`");
+			}
+		else
+			yield->DescribeReST(d);
+		}
+	}
+
 IMPLEMENT_SERIAL(FuncType, SER_FUNC_TYPE);
 
 bool FuncType::DoSerialize(SerialInfo* info) const
@@ -716,14 +781,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE(&is_event);
 	}
 
-TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs)
+TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs, bool in_record)
 	{
 	type = t;
-	attrs = arg_attrs ? new Attributes(arg_attrs, t) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, t, in_record) : 0;
 	id = i;
-
-	if ( in_global_attr_decl && ! attrs->FindAttr(ATTR_DEFAULT) )
-		error("global attribute types must have default values");
 	}
 
 TypeDecl::~TypeDecl()
@@ -740,7 +802,10 @@ bool TypeDecl::Serialize(SerialInfo* info) const
 
 	SERIALIZE_OPTIONAL(attrs);
 
-	return type->Serialize(info) && SERIALIZE(id);
+	if ( ! (type->Serialize(info) && SERIALIZE(id)) )
+		return false;
+
+	return true;
 	}
 
 TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
@@ -759,79 +824,73 @@ TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
 	return t;
 	}
 
-RecordField::RecordField(int arg_base, int arg_offset, int arg_total_offset)
+void TypeDecl::DescribeReST(ODesc* d) const
 	{
-	base = arg_base;
-	offset = arg_offset;
-	total_offset = arg_total_offset;
+	d->Add(id);
+	d->Add(": ");
+
+	if ( type->GetTypeID() )
+		{
+		d->Add(":bro:type:`");
+		d->Add(type->GetTypeID());
+		d->Add("`");
+		}
+	else
+		type->DescribeReST(d);
+
+	if ( attrs )
+		{
+		d->SP();
+		attrs->DescribeReST(d);
+		}
+	}
+
+CommentedTypeDecl::CommentedTypeDecl(BroType* t, const char* i,
+			attr_list* attrs, bool in_record, std::list<std::string>* cmnt_list)
+	: TypeDecl(t, i, attrs, in_record)
+	{
+	comments = cmnt_list;
+	}
+
+CommentedTypeDecl::~CommentedTypeDecl()
+	{
+	if ( comments ) delete comments;
+	}
+
+void CommentedTypeDecl::DescribeReST(ODesc* d) const
+	{
+	TypeDecl::DescribeReST(d);
+
+	if ( comments )
+		{
+		d->PushIndent();
+		std::list<std::string>::const_iterator i;
+
+		for ( i = comments->begin(); i != comments->end(); ++i)
+			{
+			if ( i != comments->begin() ) d->NL();
+			d->Add(i->c_str());
+			}
+
+		d->PopIndentNoNL();
+		}
 	}
 
 RecordType::RecordType(type_decl_list* arg_types) : BroType(TYPE_RECORD)
 	{
 	types = arg_types;
-	base = 0;
-	fields = 0;
 	num_fields = types ? types->length() : 0;
 	}
 
-RecordType::RecordType(TypeList* arg_base, type_decl_list* refinements)
-: BroType(TYPE_RECORD)
-	{
-	if ( refinements )
-		arg_base->Append(new RecordType(refinements));
-
-	Init(arg_base);
-	}
-
-void RecordType::Init(TypeList* arg_base)
-	{
-	base = arg_base;
-
-	if ( ! base )
-		Internal("empty RecordType");
-
-	fields = new PDict(RecordField)(ORDERED);
-	types = 0;
-
-	type_list* t = base->Types();
-	loop_over_list(*t, i)
-		{
-		BroType* ti = (*t)[i];
-		if ( ti->Tag() != TYPE_RECORD )
-			(*t)[i]->Error("non-record in base type list");
-
-		RecordType* rti = ti->AsRecordType();
-		int n = rti->NumFields();
-
-		for ( int j = 0; j < n; ++j )
-			{
-			const TypeDecl* tdij = rti->FieldDecl(j);
-			if ( fields->Lookup(tdij->id) )
-				{
-				error("duplicate field", tdij->id);
-				continue;
-				}
-
-			RecordField* rf = new RecordField(i, j, fields->Length());
-			if ( fields->Insert(tdij->id, rf) )
-				Internal("duplicate field when constructing record");
-			}
-		}
-
-	num_fields = fields->Length();
-	}
-
 RecordType::~RecordType()
 	{
 	if ( types )
 		{
 		loop_over_list(*types, i)
 			delete (*types)[i];
+
 		delete types;
 		}
-
-	delete fields;
-	Unref(base);
 	}
 
 int RecordType::HasField(const char* field) const
@@ -847,41 +906,31 @@ BroType* RecordType::FieldType(const char* field) const
 
 BroType* RecordType::FieldType(int field) const
 	{
-	if ( types )
-		return (*types)[field]->type;
-	else
-		{
-		RecordField* rf = fields->NthEntry(field);
-		if ( ! rf )
-			Internal("missing field in RecordType::FieldType");
-		BroType* bt = (*base->Types())[rf->base];
-		RecordType* rbt = bt->AsRecordType();
-		return rbt->FieldType(rf->offset);
-		}
+	return (*types)[field]->type;
+	}
+
+Val* RecordType::FieldDefault(int field) const
+	{
+	const TypeDecl* td = FieldDecl(field);
+
+	if ( ! td->attrs )
+		return false;
+
+	const Attr* def_attr = td->attrs->FindAttr(ATTR_DEFAULT);
+
+	return def_attr ? def_attr->AttrExpr()->Eval(0) : 0;
 	}
 
 int RecordType::FieldOffset(const char* field) const
 	{
-	if ( types )
+	loop_over_list(*types, i)
 		{
-		loop_over_list(*types, i)
-			{
-			TypeDecl* td = (*types)[i];
-			if ( streq(td->id, field) )
-				return i;
-			}
-
-		return -1;
+		TypeDecl* td = (*types)[i];
+		if ( streq(td->id, field) )
+			return i;
 		}
 
-	else
-		{
-		RecordField* rf = fields->Lookup(field);
-		if ( ! rf )
-			return -1;
-		else
-			return rf->total_offset;
-		}
+	return -1;
 	}
 
 const char* RecordType::FieldName(int field) const
@@ -891,33 +940,12 @@ const char* RecordType::FieldName(int field) const
 
 const TypeDecl* RecordType::FieldDecl(int field) const
 	{
-	if ( types )
-		return (*types)[field];
-	else
-		{
-		RecordField* rf = fields->NthEntry(field);
-		if ( ! rf )
-			internal_error("missing field in RecordType::FieldDecl");
-
-		BroType* bt = (*base->Types())[rf->base];
-		RecordType* rbt = bt->AsRecordType();
-		return rbt->FieldDecl(rf->offset);
-		}
+	return (*types)[field];
 	}
 
 TypeDecl* RecordType::FieldDecl(int field)
 	{
-	if ( types )
-		return (*types)[field];
-	else
-		{
-		RecordField* rf = fields->NthEntry(field);
-		if ( ! rf )
-			Internal("missing field in RecordType::FieldDecl");
-		BroType* bt = (*base->Types())[rf->base];
-		RecordType* rbt = bt->AsRecordType();
-		return rbt->FieldDecl(rf->offset);
-		}
+	return (*types)[field];
 	}
 
 void RecordType::Describe(ODesc* d) const
@@ -937,6 +965,53 @@ void RecordType::Describe(ODesc* d) const
 		}
 	}
 
+void RecordType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`record`");
+	d->NL();
+	DescribeFieldsReST(d, false);
+	}
+
+const char* RecordType::AddFields(type_decl_list* others, attr_list* attr)
+	{
+	assert(types);
+
+	bool log = false;
+
+	if ( attr )
+		{
+		loop_over_list(*attr, j)
+			{
+			if ( (*attr)[j]->Tag() == ATTR_LOG )
+				log = true;
+			}
+		}
+
+	loop_over_list(*others, i)
+		{
+		TypeDecl* td = (*others)[i];
+
+		if ( ! td->FindAttr(ATTR_DEFAULT) &&
+		     ! td->FindAttr(ATTR_OPTIONAL) )
+			return "extension field must be &optional or have &default";
+
+		if ( log )
+			{
+			if ( ! td->attrs )
+				td->attrs = new Attributes(new attr_list, td->type, true);
+
+			td->attrs->AddAttr(new Attr(ATTR_LOG));
+			}
+
+		types->append(td);
+		}
+
+	delete others;
+
+	num_fields = types->length();
+	return 0;
+	}
+
 void RecordType::DescribeFields(ODesc* d) const
 	{
 	if ( d->IsReadable() )
@@ -968,14 +1043,34 @@ void RecordType::DescribeFields(ODesc* d) const
 				d->SP();
 				}
 			}
-		else
-			{
-			d->AddCount(1);
-			base->Describe(d);
-			}
 		}
 	}
 
+void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
+	{
+	if ( ! func_args )
+		d->PushIndent();
+
+	for ( int i = 0; i < num_fields; ++i )
+		{
+		if ( i > 0 )
+			{
+			if ( func_args )
+				d->Add(", ");
+			else
+				{
+				d->NL();
+				d->NL();
+				}
+			}
+
+		FieldDecl(i)->DescribeReST(d);
+		}
+
+	if ( ! func_args )
+		d->PopIndentNoNL();
+	}
+
 IMPLEMENT_SERIAL(RecordType, SER_RECORD_TYPE)
 
 bool RecordType::DoSerialize(SerialInfo* info) const
@@ -1000,9 +1095,6 @@ bool RecordType::DoSerialize(SerialInfo* info) const
 	else if ( ! SERIALIZE(false) )
 		return false;
 
-	SERIALIZE_OPTIONAL(base);
-
-	// We don't serialize the fields as we can reconstruct them.
 	return true;
 	}
 
@@ -1037,13 +1129,6 @@ bool RecordType::DoUnserialize(UnserialInfo* info)
 	else
 		types = 0;
 
-	BroType* type;
-	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_LIST));
-	base = (TypeList*) type;
-
-	if ( base )
-		Init(base);
-
 	return true;
 	}
 
@@ -1121,10 +1206,9 @@ bool FileType::DoUnserialize(UnserialInfo* info)
 	return yield != 0;
 	}
 
-EnumType::EnumType(bool arg_is_export)
+EnumType::EnumType()
 : BroType(TYPE_ENUM)
 	{
-	is_export = arg_is_export;
 	counter = 0;
 	}
 
@@ -1134,9 +1218,75 @@ EnumType::~EnumType()
 		delete [] iter->first;
 	}
 
-int EnumType::AddName(const string& module_name, const char* name)
+CommentedEnumType::~CommentedEnumType()
 	{
-	ID* id = lookup_ID(name, module_name.c_str());
+	for ( CommentMap::iterator iter = comments.begin(); iter != comments.end(); ++iter )
+		{
+		delete [] iter->first;
+		delete iter->second;
+		}
+	}
+
+// Note, we use reporter->Error() here (not Error()) to include the current script
+// location in the error message, rather than the one where the type was
+// originally defined.
+void EnumType::AddName(const string& module_name, const char* name, bool is_export)
+	{
+	/* implicit, auto-increment */
+	if ( counter < 0)
+		{
+		reporter->Error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	AddNameInternal(module_name, name, counter, is_export);
+	counter++;
+	}
+
+void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	/* explicit value specified */
+	if ( counter > 0 )
+		{
+		reporter->Error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	counter = -1;
+	AddNameInternal(module_name, name, val, is_export);
+	}
+
+void CommentedEnumType::AddComment(const string& module_name, const char* name,
+                                   std::list<std::string>* new_comments)
+	{
+	if ( ! new_comments )
+		return;
+
+	string fullname = make_full_var_name(module_name.c_str(), name);
+
+	CommentMap::iterator it = comments.find(fullname.c_str());
+
+	if ( it == comments.end() )
+		comments[copy_string(fullname.c_str())] = new_comments;
+	else
+		{
+		comments[fullname.c_str()]->splice(comments[fullname.c_str()]->end(),
+			*new_comments);
+		delete new_comments;
+		}
+	}
+
+void EnumType::AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	ID *id;
+	if ( Lookup(val) )
+		{
+		reporter->Error("enumerator value in enumerated type definition already exists");
+		SetError();
+		return;
+		}
+
+	id = lookup_ID(name, module_name.c_str());
 	if ( ! id )
 		{
 		id = install_ID(name, module_name.c_str(), true, is_export);
@@ -1145,31 +1295,22 @@ int EnumType::AddName(const string& module_name, const char* name)
 		}
 	else
 		{
-		debug_msg("identifier already exists: %s\n", name);
-		return -1;
+		reporter->Error("identifier or enumerator value in enumerated type definition already exists");
+		SetError();
+		return;
 		}
 
 	string fullname = make_full_var_name(module_name.c_str(), name);
-	names[copy_string(fullname.c_str())] = counter;
-	return counter++;
+	names[copy_string(fullname.c_str())] = val;
 	}
 
-int EnumType::AddNamesFrom(const string& module_name, EnumType* et)
+void CommentedEnumType::AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export)
 	{
-	int last_added = counter;
-	for ( NameMap::iterator iter = et->names.begin();
-	      iter != et->names.end(); ++iter )
-		{
-		ID* id = lookup_ID(iter->first, module_name.c_str());
-		id->SetType(this->Ref());
-		names[copy_string(id->Name())] = counter;
-		last_added = counter++;
-		}
-
-	return last_added;
+	string fullname = make_full_var_name(module_name.c_str(), name);
+	names[copy_string(fullname.c_str())] = val;
 	}
 
-int EnumType::Lookup(const string& module_name, const char* name)
+bro_int_t EnumType::Lookup(const string& module_name, const char* name)
 	{
 	NameMap::iterator pos =
 		names.find(make_full_var_name(module_name.c_str(), name).c_str());
@@ -1180,7 +1321,7 @@ int EnumType::Lookup(const string& module_name, const char* name)
 		return pos->second;
 	}
 
-const char* EnumType::Lookup(int value)
+const char* EnumType::Lookup(bro_int_t value)
 	{
 	for ( NameMap::iterator iter = names.begin();
 	      iter != names.end(); ++iter )
@@ -1190,15 +1331,60 @@ const char* EnumType::Lookup(int value)
 	return 0;
 	}
 
+void CommentedEnumType::DescribeReST(ODesc* d) const
+	{
+	// create temporary, reverse name map so that enums can be documented
+	// in ascending order of their actual integral value instead of by name
+	typedef std::map< bro_int_t, const char* > RevNameMap;
+	RevNameMap rev;
+	for ( NameMap::const_iterator it = names.begin(); it != names.end(); ++it )
+		rev[it->second] = it->first;
+
+	d->Add(":bro:type:`");
+	d->Add(type_name(Tag()));
+	d->Add("`");
+	d->PushIndent();
+	d->NL();
+
+	for ( RevNameMap::const_iterator it = rev.begin(); it != rev.end(); ++it )
+		{
+		if ( it != rev.begin() )
+			{
+			d->NL();
+			d->NL();
+			}
+
+		d->Add(".. bro:enum:: ");
+		d->AddSP(it->second);
+		d->Add(GetTypeID());
+
+		CommentMap::const_iterator cmnt_it = comments.find(it->second);
+		if ( cmnt_it != comments.end() )
+			{
+			d->PushIndent();
+			d->NL();
+			std::list<std::string>::const_iterator i;
+			const std::list<std::string>* cmnt_list = cmnt_it->second;
+			for ( i = cmnt_list->begin(); i != cmnt_list->end(); ++i)
+				{
+				if ( i != cmnt_list->begin() ) d->NL();
+				d->Add(i->c_str());
+				}
+			d->PopIndentNoNL();
+			}
+		}
+	d->PopIndentNoNL();
+	}
+
 IMPLEMENT_SERIAL(EnumType, SER_ENUM_TYPE);
 
 bool EnumType::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_ENUM_TYPE, BroType);
 
-	// I guess we don't really need both ...
 	if ( ! (SERIALIZE(counter) && SERIALIZE((unsigned int) names.size()) &&
-		SERIALIZE(is_export)) )
+		// Dummy boolean for backwards compatibility.
+		SERIALIZE(false)) )
 		return false;
 
 	for ( NameMap::const_iterator iter = names.begin();
@@ -1216,15 +1402,17 @@ bool EnumType::DoUnserialize(UnserialInfo* info)
 	DO_UNSERIALIZE(BroType);
 
 	unsigned int len;
+	bool dummy;
 	if ( ! UNSERIALIZE(&counter) ||
 	     ! UNSERIALIZE(&len) ||
-	     ! UNSERIALIZE(&is_export) )
+	     // Dummy boolean for backwards compatibility.
+	     ! UNSERIALIZE(&dummy) )
 		return false;
 
 	while ( len-- )
 		{
 		const char* name;
-		int val;
+		bro_int_t val;
 		if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&val)) )
 			return false;
 
@@ -1263,6 +1451,11 @@ int VectorType::MatchesIndex(ListExpr*& index) const
 				MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
 	}
 
+bool VectorType::IsUnspecifiedVector() const
+	{
+	return yield_type->Tag() == TYPE_ANY;
+	}
+
 IMPLEMENT_SERIAL(VectorType, SER_VECTOR_TYPE);
 
 bool VectorType::DoSerialize(SerialInfo* info) const
@@ -1278,21 +1471,6 @@ bool VectorType::DoUnserialize(UnserialInfo* info)
 	return yield_type != 0;
 	}
 
-BroType* refine_type(TypeList* base, type_decl_list* refinements)
-	{
-	type_list* t = base->Types();
-
-	if ( t->length() == 1 && ! refinements )
-		{ // Just a direct reference to a single type.
-		BroType* rt = (*t)[0]->Ref();
-		Unref(base);
-		return rt;
-		}
-
-	return new RecordType(base, refinements);
-	}
-
-
 BroType* base_type(TypeTag tag)
 	{
 	static BroType* base_types[NUM_TYPES];
@@ -1336,7 +1514,9 @@ static int is_init_compat(const BroType* t1, const BroType* t2)
 
 int same_type(const BroType* t1, const BroType* t2, int is_init)
 	{
-	if ( t1 == t2 )
+	if ( t1 == t2 ||
+	     t1->Tag() == TYPE_ANY ||
+	     t2->Tag() == TYPE_ANY )
 		return 1;
 
 	t1 = flatten_type(t1);
@@ -1366,7 +1546,6 @@ int same_type(const BroType* t1, const BroType* t2, int is_init)
 	case TYPE_TIMER:
 	case TYPE_PORT:
 	case TYPE_ADDR:
-	case TYPE_NET:
 	case TYPE_SUBNET:
 	case TYPE_ANY:
 	case TYPE_ERROR:
@@ -1463,12 +1642,26 @@ int same_type(const BroType* t1, const BroType* t2, int is_init)
 	case TYPE_FILE:
 		return same_type(t1->YieldType(), t2->YieldType(), is_init);
 
+	case TYPE_TYPE:
+		return same_type(t1, t2, is_init);
+
 	case TYPE_UNION:
-		error("union type in same_type()");
+		reporter->Error("union type in same_type()");
 	}
 	return 0;
 	}
 
+int same_attrs(const Attributes* a1, const Attributes* a2)
+	{
+	if ( ! a1 )
+		return (a2 == 0);
+
+	if ( ! a2 )
+		return (a1 == 0);
+
+	return (*a1 == *a2);
+	}
+
 int record_promotion_compatible(const RecordType* /* super_rec */,
 				const RecordType* /* sub_rec */)
 	{
@@ -1498,7 +1691,7 @@ const BroType* flatten_type(const BroType* t)
 	const type_list* types = tl->Types();
 
 	if ( types->length() == 0 )
-		internal_error("empty type list in flatten_type");
+		reporter->InternalError("empty type list in flatten_type");
 
 	const BroType* ft = (*types)[0];
 	if ( types->length() == 1 || tl->AllMatch(ft, 0) )
@@ -1528,7 +1721,6 @@ int is_assignable(BroType* t)
 	case TYPE_TIMER:
 	case TYPE_PORT:
 	case TYPE_ADDR:
-	case TYPE_NET:
 	case TYPE_SUBNET:
 	case TYPE_RECORD:
 	case TYPE_FUNC:
@@ -1540,13 +1732,14 @@ int is_assignable(BroType* t)
 	case TYPE_VECTOR:
 	case TYPE_FILE:
 	case TYPE_TABLE:
+	case TYPE_TYPE:
 		return 1;
 
 	case TYPE_VOID:
 		return 0;
 
 	case TYPE_UNION:
-		error("union type in is_assignable()");
+		reporter->Error("union type in is_assignable()");
 	}
 
 	return 0;
@@ -1575,7 +1768,7 @@ TypeTag max_type(TypeTag t1, TypeTag t2)
 		}
 	else
 		{
-		internal_error("non-arithmetic tags in max_type()");
+		reporter->InternalError("non-arithmetic tags in max_type()");
 		return TYPE_ERROR;
 		}
 	}
@@ -1605,8 +1798,8 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
 	case TYPE_TIMER:
 	case TYPE_PORT:
 	case TYPE_ADDR:
-	case TYPE_NET:
 	case TYPE_SUBNET:
+	case TYPE_BOOL:
 	case TYPE_ANY:
 	case TYPE_ERROR:
 		return base_type(tg1);
@@ -1669,7 +1862,7 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
 			return new TableType(tl3, y3);
 		else
 			{
-			internal_error("bad tag in merge_types");
+			reporter->InternalError("bad tag in merge_types");
 			return 0;
 			}
 		}
@@ -1787,11 +1980,11 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
 		return new FileType(merge_types(t1->YieldType(), t2->YieldType()));
 
 	case TYPE_UNION:
-		internal_error("union type in merge_types()");
+		reporter->InternalError("union type in merge_types()");
 		return 0;
 
 	default:
-		internal_error("bad type in merge_types()");
+		reporter->InternalError("bad type in merge_types()");
 		return 0;
 	}
 	}
@@ -1803,7 +1996,7 @@ BroType* merge_type_list(ListExpr* elements)
 
 	if ( tl->length() < 1 )
 		{
-		error("no type can be inferred for empty list");
+		reporter->Error("no type can be inferred for empty list");
 		return 0;
 		}
 
@@ -1820,7 +2013,7 @@ BroType* merge_type_list(ListExpr* elements)
 		}
 
 	if ( ! t )
-		error("inconsistent types in list");
+		reporter->Error("inconsistent types in list");
 
 	return t;
 	}
diff --git a/src/Type.h b/src/Type.h
index 7778fabc1e..e935ba2267 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -1,11 +1,10 @@
-// $Id: Type.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef type_h
 #define type_h
 
 #include <string>
+#include <list>
 #include <map>
 
 #include "Obj.h"
@@ -22,7 +21,7 @@ typedef enum {
 	TYPE_STRING, TYPE_PATTERN,
 	TYPE_ENUM,
 	TYPE_TIMER,
-	TYPE_PORT, TYPE_ADDR, TYPE_NET, TYPE_SUBNET,
+	TYPE_PORT, TYPE_ADDR, TYPE_SUBNET,
 	TYPE_ANY,
 	TYPE_TABLE,
 	TYPE_UNION,
@@ -31,6 +30,7 @@ typedef enum {
 	TYPE_FUNC,
 	TYPE_FILE,
 	TYPE_VECTOR,
+	TYPE_TYPE,
 	TYPE_ERROR
 #define NUM_TYPES (int(TYPE_ERROR) + 1)
 } TypeTag;
@@ -59,9 +59,7 @@ class ListExpr;
 class EnumType;
 class Serializer;
 class VectorType;
-
-extern bool in_global_attr_decl;
-extern RecordType* global_attributes_type;
+class TypeType;
 
 const int DOES_NOT_MATCH_INDEX = 0;
 const int MATCHES_INDEX_SCALAR = 1;
@@ -70,19 +68,11 @@ const int MATCHES_INDEX_VECTOR = 2;
 class BroType : public BroObj {
 public:
 	BroType(TypeTag tag, bool base_type = false);
+	~BroType();
 
 	TypeTag Tag() const		{ return tag; }
 	InternalTypeTag InternalType() const	{ return internal_tag; }
 
-	// Type for the attributes (metadata) on this type.
-	RecordType* AttributesType()
-		{
-		if ( ! attributes_type )
-			attributes_type = global_attributes_type;
-		return attributes_type;
-		}
-	bool SetAttributesType(type_decl_list* attr_types);
-
 	// Whether it's stored in network order.
 	int IsNetworkOrder() const	{ return is_network_order; }
 
@@ -163,6 +153,7 @@ public:
 		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
 		return (const SubNetType*) this;
 		}
+
 	SubNetType* AsSubNetType()
 		{
 		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
@@ -204,6 +195,18 @@ public:
 		return (VectorType*) this;
 		}
 
+	const TypeType* AsTypeType() const
+	        {
+		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
+		return (TypeType*) this;
+		}
+
+	TypeType* AsTypeType()
+	        {
+		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
+		return (TypeType*) this;
+		}
+
 	int IsSet() const
 		{
 		return tag == TYPE_TABLE && (YieldType() == 0);
@@ -211,17 +214,19 @@ public:
 
 	BroType* Ref()		{ ::Ref(this); return this; }
 
-	void MakeGlobalAttributeType()	{ is_global_attributes_type = true; }
-
 	virtual void Describe(ODesc* d) const;
+	virtual void DescribeReST(ODesc* d) const;
 
 	virtual unsigned MemoryAllocation() const;
 
 	bool Serialize(SerialInfo* info) const;
 	static BroType* Unserialize(UnserialInfo* info, TypeTag want = TYPE_ANY);
 
+	void SetTypeID(const char* id)	{ type_id = id; }
+	const char* GetTypeID() const	{ return type_id; }
+
 protected:
-	BroType()	{ attributes_type = 0; }
+	BroType()	{ type_id = 0; }
 
 	void SetError();
 
@@ -232,8 +237,10 @@ private:
 	InternalTypeTag internal_tag;
 	bool is_network_order;
 	bool base_type;
-	bool is_global_attributes_type;
-	RecordType* attributes_type;
+
+	// This type_id field is only used by the documentation framework to
+	// track the names of declared types.
+	const char* type_id;
 };
 
 class TypeList : public BroType {
@@ -289,6 +296,7 @@ public:
 	BroType* YieldType();
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 	// Returns true if this table is solely indexed by subnet.
 	bool IsSubNetIndex() const;
@@ -363,6 +371,7 @@ public:
 	ID* GetReturnValueID() const;
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 protected:
 	FuncType()	{ args = 0; arg_types = 0; yield = 0; return_value = 0; }
@@ -375,10 +384,23 @@ protected:
 	ID* return_value;
 };
 
+class TypeType : public BroType {
+public:
+	TypeType(BroType* t) : BroType(TYPE_TYPE)	{ type = t->Ref(); }
+	~TypeType()	{ Unref(type); }
+
+	BroType* Type()	{ return type; }
+
+protected:
+	TypeType()	{}
+
+	BroType* type;
+};
+
 class TypeDecl {
 public:
-	TypeDecl(BroType* t, const char* i, attr_list* attrs = 0);
-	~TypeDecl();
+	TypeDecl(BroType* t, const char* i, attr_list* attrs = 0, bool in_record = false);
+	virtual ~TypeDecl();
 
 	const Attr* FindAttr(attr_tag a) const
 		{ return attrs ? attrs->FindAttr(a) : 0; }
@@ -386,31 +408,34 @@ public:
 	bool Serialize(SerialInfo* info) const;
 	static TypeDecl* Unserialize(UnserialInfo* info);
 
+	virtual void DescribeReST(ODesc* d) const;
+
 	BroType* type;
 	Attributes* attrs;
 	const char* id;
 };
 
-class RecordField {
+class CommentedTypeDecl : public TypeDecl {
 public:
-	RecordField(int arg_base, int arg_offset, int arg_total_offset);
+	CommentedTypeDecl(BroType* t, const char* i, attr_list* attrs = 0,
+			bool in_record = false, std::list<std::string>* cmnt_list = 0);
+	virtual ~CommentedTypeDecl();
 
-	int base;	// which base element it belongs to
-	int offset;	// where it is in that base
-	int total_offset;	// where it is in the aggregate record
+	void DescribeReST(ODesc* d) const;
+
+	std::list<std::string>* comments;
 };
-declare(PDict,RecordField);
 
 class RecordType : public BroType {
 public:
 	RecordType(type_decl_list* types);
-	RecordType(TypeList* base, type_decl_list* refinements);
 
 	~RecordType();
 
 	int HasField(const char* field) const;
 	BroType* FieldType(const char* field) const;
 	BroType* FieldType(int field) const;
+	Val* FieldDefault(int field) const; // Ref's the returned value; 0 if none.
 
 	// A field's offset is its position in the type_decl_list,
 	// starting at 0.  Returns negative if the field doesn't exist.
@@ -419,25 +444,29 @@ public:
 	// Given an offset, returns the field's name.
 	const char* FieldName(int field) const;
 
+	type_decl_list* Types() { return types; }
+
 	// Given an offset, returns the field's TypeDecl.
 	const TypeDecl* FieldDecl(int field) const;
 	TypeDecl* FieldDecl(int field);
 
 	int NumFields() const			{ return num_fields; }
 
+	// Returns 0 if all is ok, otherwise a pointer to an error message.
+	// Takes ownership of list.
+	const char* AddFields(type_decl_list* types, attr_list* attr);
+
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 	void DescribeFields(ODesc* d) const;
+	void DescribeFieldsReST(ODesc* d, bool func_args) const;
 
 protected:
-	RecordType() { fields = 0; base = 0; types = 0; }
-
-	void Init(TypeList* arg_base);
+	RecordType() { types = 0; }
 
 	DECLARE_SERIAL(RecordType)
 
 	int num_fields;
-	PDict(RecordField)* fields;
-	TypeList* base;
 	type_decl_list* types;
 };
 
@@ -468,31 +497,59 @@ protected:
 
 class EnumType : public BroType {
 public:
-	EnumType(bool arg_is_export);
+	EnumType();
 	~EnumType();
 
-	// The value of this name is next counter value, which is returned.
-	// A return value of -1 means that the identifier already existed
-	// (and thus could not be used).
-	int AddName(const string& module_name, const char* name);
+	// The value of this name is next internal counter value, starting
+	// with zero. The internal counter is incremented.
+	void AddName(const string& module_name, const char* name, bool is_export);
 
-	// Add in names from the suppled EnumType; the return value is
-	// the value of the last enum added.
-	int AddNamesFrom(const string& module_name, EnumType* et);
+	// The value of this name is set to val. Once a value has been
+	// explicitly assigned using this method, no further names can be
+	// added that aren't likewise explicitly initalized.
+	void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export);
 
 	// -1 indicates not found.
-	int Lookup(const string& module_name, const char* name);
-	const char* Lookup(int value); // Returns 0 if not found
+	bro_int_t Lookup(const string& module_name, const char* name);
+	const char* Lookup(bro_int_t value); // Returns 0 if not found
 
 protected:
-	EnumType()	{}
-
 	DECLARE_SERIAL(EnumType)
 
-	typedef std::map< const char*, int, ltstr > NameMap;
+	virtual void AddNameInternal(const string& module_name,
+			const char* name, bro_int_t val, bool is_export);
+
+	typedef std::map< const char*, bro_int_t, ltstr > NameMap;
 	NameMap names;
-	int counter;
-	bool is_export;
+
+	// The counter is initialized to 0 and incremented on every implicit
+	// auto-increment name that gets added (thus its > 0 if
+	// auto-increment is used).  Once an explicit value has been
+	// specified, the counter is set to -1. This way counter can be used
+	// as a flag to prevent mixing of auto-increment and explicit
+	// enumerator specifications.
+	bro_int_t counter;
+};
+
+class CommentedEnumType: public EnumType {
+public:
+	CommentedEnumType() {}
+	~CommentedEnumType();
+
+	void DescribeReST(ODesc* d) const;
+	void AddComment(const string& module_name, const char* name,
+			std::list<std::string>* comments);
+
+protected:
+	// This overriden method does not install the given ID name into a
+	// scope and it also does not do any kind of checking that the
+	// provided name already exists.
+	void AddNameInternal(const string& module_name, const char* name,
+			bro_int_t val, bool is_export);
+
+	// Comments are only filled when in "documentation mode".
+	typedef std::map< const char*, std::list<std::string>*, ltstr > CommentMap;
+	CommentMap comments;
 };
 
 class VectorType : public BroType {
@@ -503,6 +560,10 @@ public:
 
 	int MatchesIndex(ListExpr*& index) const;
 
+	// Returns true if this table type is "unspecified", which is what one
+	// gets using an empty "vector()" constructor.
+	bool IsUnspecifiedVector() const;
+
 protected:
 	VectorType()	{ yield_type = 0; }
 
@@ -511,10 +572,6 @@ protected:
 	BroType* yield_type;
 };
 
-
-// Returns the given type refinement, or error_type() if it's illegal.
-extern BroType* refine_type(TypeList* base, type_decl_list* refinements);
-
 // Returns the BRO basic (non-parameterized) type with the given type.
 extern BroType* base_type(TypeTag tag);
 
@@ -525,6 +582,9 @@ inline BroType* error_type()	{ return base_type(TYPE_ERROR); }
 // test is done in the context of an initialization.
 extern int same_type(const BroType* t1, const BroType* t2, int is_init=0);
 
+// True if the two attribute lists are equivalent.
+extern int same_attrs(const Attributes* a1, const Attributes* a2);
+
 // Returns true if the record sub_rec can be promoted to the record
 // super_rec.
 extern int record_promotion_compatible(const RecordType* super_rec,
diff --git a/src/UDP.cc b/src/UDP.cc
index fc697bf105..35e9f58388 100644
--- a/src/UDP.cc
+++ b/src/UDP.cc
@@ -1,13 +1,13 @@
-// $Id: UDP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "Net.h"
 #include "NetVar.h"
 #include "UDP.h"
-#include "UDP_Rewriter.h"
+#include "Reporter.h"
 
 UDP_Analyzer::UDP_Analyzer(Connection* conn)
 : TransportLayerAnalyzer(AnalyzerTag::UDP, conn)
@@ -25,9 +25,6 @@ UDP_Analyzer::~UDP_Analyzer()
 
 void UDP_Analyzer::Init()
 	{
-	if ( transformed_pkt_dump && RewritingTrace() )
-		SetTraceRewriter(new UDP_Rewriter(this, transformed_pkt_dump_MTU,
-					transformed_pkt_dump));
 	}
 
 void UDP_Analyzer::Done()
@@ -137,7 +134,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			request_len += ulen;
 #ifdef DEBUG
 			if ( request_len < 0 )
-				warn("wrapping around for UDP request length");
+				reporter->Warning("wrapping around for UDP request length");
 #endif
 			}
 
@@ -155,7 +152,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			reply_len += ulen;
 #ifdef DEBUG
 			if ( reply_len < 0 )
-				warn("wrapping around for UDP reply length");
+				reporter->Warning("wrapping around for UDP reply length");
 #endif
 			}
 
@@ -164,17 +161,22 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	if ( caplen >= len )
 		ForwardPacket(len, data, is_orig, seq, ip, caplen);
+	}
 
-	if ( TraceRewriter() && current_hdr )
-		((UDP_Rewriter*) TraceRewriter())->NextPacket(is_orig,
-					current_timestamp, current_hdr, current_pkt,
-					current_hdr_size, ip->IP4_Hdr(), up);
+void UDP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
 
-#if 0
-		// XXX: needs to be implemented fully!
-	if ( src_pkt_writer && current_hdr )
-		src_pkt_writer->NextPacket(current_hdr, current_pkt);
-#endif
+	orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+	UpdateEndpointVal(orig_endp, 1);
+	UpdateEndpointVal(resp_endp, 0);
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
 	}
 
 void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
diff --git a/src/UDP.h b/src/UDP.h
index 6666be998a..5124adf4cd 100644
--- a/src/UDP.h
+++ b/src/UDP.h
@@ -1,14 +1,9 @@
-// $Id: UDP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef udp_h
 #define udp_h
 
 #include "Analyzer.h"
-#include "Rewriter.h"
-
-class UDP_Rewriter;
 
 typedef enum {
 	UDP_INACTIVE,	// no packet seen
@@ -22,25 +17,25 @@ public:
 
 	virtual void Init();
 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new UDP_Analyzer(conn); }
 
 	static bool Available() { return true; }
 
-	// -- XXX -- only want to return yes if the protocol flag is
-	//  on similar to TCP. (e.g. FTP_Connection etc.) /mc
-	int RewritingTrace() const	{ return 0; }
-
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
 	bro_int_t request_len, reply_len;
 
+private:
+	void UpdateEndpointVal(RecordVal* endp, int is_orig);
+
 #define HIST_ORIG_DATA_PKT 0x1
 #define HIST_RESP_DATA_PKT 0x2
 #define HIST_ORIG_CORRUPT_PKT 0x4
diff --git a/src/UDP_Rewriter.cc b/src/UDP_Rewriter.cc
deleted file mode 100644
index 967f2087f1..0000000000
--- a/src/UDP_Rewriter.cc
+++ /dev/null
@@ -1,362 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-
-#include "config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
-#include "UDP_Rewriter.h"
-
-#define MSG_PREFIX	"UDP trace rewriter: "
-#define DEBUG_MSG_A(x...)
-// #define DEBUG_MSG_A	DEBUG_MSG
-
-
-UDP_Rewriter::UDP_Rewriter(Analyzer* arg_analyzer, int arg_MTU,
-				PacketDumper* arg_dumper)
-	{
-	analyzer = arg_analyzer;
-	MTU = arg_MTU;
-	dumper = arg_dumper;
-	packets_rewritten = 0;
-	current_packet = next_packet = 0;
-
-	if ( anonymize_ip_addr )
-		{
-		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
-						ORIG_ADDR);
-		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
-						RESP_ADDR);
-		}
-	else
-		anon_addr[0] = anon_addr[1] = 0;
-	}
-
-void UDP_Rewriter::Done()
-	{
-	}
-
-UDP_Rewriter::~UDP_Rewriter()
-	{
-	delete current_packet;
-	}
-
-void UDP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
-	{
-	DoWriteData(is_orig, len, data);
-	}
-
-void UDP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
-	{
- 	struct pcap_pkthdr* hdr;
-	int length = len;
-	ipaddr32_t src = 0, dst = 0;
-
-	current_packet->AppendData(data,len);
-	// Mark data to be written.
-	current_packet->SetModified();
-	}
-
-// Compose the packet so it can be written.
-// Compute UDP/IP checksums, lengths, addresses.
-int UDP_TracePacket::BuildPacket(struct pcap_pkthdr*& hdr,
-				const u_char*& arg_pkt, int& length,
-				ipaddr32_t anon_src, ipaddr32_t anon_dst)
-	{
-	struct ip* ip = (struct ip*) (pkt + ip_offset);
-	struct udphdr* up = (struct udphdr*) (pkt + udp_offset);
-	uint32 sum = 0;
-
-	// Fix IP addresses before computing the UDP checksum
-	if ( anonymize_ip_addr )
-		{
-		ip->ip_src.s_addr = anon_src;
-		ip->ip_dst.s_addr = anon_dst;
-		}
-
-	// Create the IP header.
-	ip->ip_off = 0;
-	ip->ip_sum = 0;
-	ip->ip_hl = (udp_offset - ip_offset) >> 2;
-	ip->ip_len = htons(buffer_offset - ip_offset);
-	ip->ip_off = 0;	// DF = 0, MF = 0, offset = 0
-	ip->ip_sum = 0;
-	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip,
-						(udp_offset-ip_offset), sum);
-
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	// Create the UDP header.
-	up->uh_ulen = htons(buffer_offset - udp_offset);
-	up->uh_sum = 0;
-	up->uh_sum = 0xffff - udp_checksum(ip, up, buffer_offset - udp_offset);
-
-	// Create the pcap header.
-	//
-	// The below works around a potential type incompatibility
-	// on systems where pcap's timeval is different from the
-	// system-wide one. --cpk
-	//
-	timeval tv_tmp = double_to_timeval(timestamp);
-	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
-	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	return 1;
-	}
-
-void UDP_Rewriter::NextPacket(int is_orig, double t,
-				const struct pcap_pkthdr* pcap_hdr,
-				const u_char* pcap_pkt, int hdr_size,
-				const struct ip* ip, const struct udphdr* up)
-	{
-	unsigned int ip_hdr_len = ip->ip_hl * 4;
-
-	// Cache the packet ....
-	UDP_TracePacket* p = new UDP_TracePacket(this, t, is_orig,
-				pcap_hdr, /*MTU */ 1024,
-				hdr_size + ip_hdr_len + sizeof(struct udphdr));
-
-	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendIPHeader((const u_char*) ip, sizeof(*ip)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendUDPHeader((const u_char*) up, sizeof(*up)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	// We only ever use one packet in UDP.
-	// ### This is potentially a leak.
-	next_packet = current_packet = p;
-	}
-
-void UDP_Rewriter::Push(int)
-	{
-	internal_error("UDP_Rewriter::Push not implemented");
-	}
-
-void UDP_Rewriter::AbortPackets(int)
-	{
-	internal_error("UDP_Rewriter::AbortPackets not implemented");
-	}
-
-unsigned int UDP_Rewriter::ReserveSlot()
-	{
-	internal_error("UDP_Rewriter::ReserveSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::SeekSlot(unsigned int)
-	{
-	internal_error("UDP_Rewriter::SeekSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::ReturnFromSlot()
-	{
-	internal_error("UDP_Rewriter::ReturnFromSlot not implemented");
-	return 0;
-	}
-int UDP_Rewriter::ReleaseSlot(unsigned int)
-	{
-	internal_error("UDP_Rewriter::ReleaseSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::LeaveAddrInTheClear(int is_orig)
-	{
-	internal_error("UDP_Rewriter::LeaveAddrInTheClear not implemented");
-	return 0;
-	}
-
-void UDP_Rewriter::CommitPackets(int commit)
-	{
-	if ( current_packet && current_packet->IsModified() )
-		{
-		ipaddr32_t anon_src = 0, anon_dst = 0;
-
-		if ( current_packet->IsOrig() )
-			{
-			anon_src = anon_addr[0];
-			anon_dst = anon_addr[1];
-			}
-		else
-			{
-			anon_src = anon_addr[1];
-			anon_dst = anon_addr[0];
-			}
-
-		struct pcap_pkthdr* hdr;
-		const u_char* pkt;
-		int len;
-		current_packet->BuildPacket(hdr, pkt, len, anon_src, anon_dst);
-
-		dumper->DumpPacket(hdr, pkt, hdr->caplen);
-		}
-
-	delete current_packet;
-	next_packet = current_packet = 0;
-
-	++packets_rewritten;
-	}
-
-UDP_TracePacket::UDP_TracePacket(UDP_Rewriter* arg_trace_rewriter,
-					double t, int arg_is_orig,
-					const struct pcap_pkthdr* arg_hdr,
-					int MTU, int initial_size)
-	{
-	trace_rewriter = arg_trace_rewriter;
-	pcap_hdr = *arg_hdr;
-	// packet_seq = arg_packet_seq;
-	timestamp = t;
-	is_orig = arg_is_orig;
-	mtu = MTU;
-	buffer_size = initial_size;
-	buffer_offset = 0;
-
-	pkt = new u_char[buffer_size];
-
-	ip_offset = udp_offset = data_offset = -1;
-
-	reuse = 0;
-	on_hold = 0;
-	modified = 0;
-	seq_gap = 0;
-
-	packet_val = 0;
-	packet_val = PacketVal();
-	}
-
-UDP_TracePacket::~UDP_TracePacket()
-	{
-	packet_val->SetOrigin(0);
-	Unref(packet_val);
-	delete [] pkt;
-	}
-
-RecordVal* UDP_TracePacket::PacketVal()
-	{
-	if ( packet_val )
-		Ref(packet_val);
-	else
-		{
-		packet_val = new RecordVal(packet_type);
-		packet_val->Assign(0, TraceRewriter()->GetAnalyzer()->BuildConnVal());
-		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
-		packet_val->Assign(2, new Val(TimeStamp(), TYPE_TIME));
-		packet_val->SetOrigin(this);
-		}
-
-	return packet_val;
-	}
-
-int UDP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
-	{
-	if ( ip_offset >= 0 && ip_offset != buffer_offset )
-		internal_error(MSG_PREFIX "link header must be appended before IP header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	ip_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
-	{
-	if ( udp_offset >= 0 && udp_offset != buffer_offset )
-		internal_error(MSG_PREFIX "IP header must be appended before udp header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	udp_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendUDPHeader(const u_char* chunk, int len)
-	{
-	if ( data_offset >= 0 && data_offset != buffer_offset )
-		internal_error(MSG_PREFIX "tcp header must be appended before payload");
-
-	if ( udp_offset == buffer_offset )
-		{ // first UDP header chunk
-		int extra = (udp_offset - ip_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "padding IP header");
-			if ( ! AppendIPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	data_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendData(const u_char* chunk, int len)
-	{
-	// All headers must be appended before any data.
-	ASSERT(ip_offset >= 0 && udp_offset >= 0 && data_offset >= 0);
-
-	if ( data_offset == buffer_offset )
-		{ // first data chunk
-		int extra = (data_offset - udp_offset) % 4;
-		if ( extra )
-			{
-			if ( ! AppendUDPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	return 1;
-	}
-
-int UDP_TracePacket::Append(const u_char* chunk, int len)
-	{
-	if ( buffer_offset + len > buffer_size )
-		{
-		if ( buffer_offset + len > mtu )
-			return 0;
-
-		u_char* tmp = new u_char[mtu];
-		for ( int i = 0 ; i < buffer_size; ++i )
-			tmp[i] = pkt[i];
-
-		delete [] pkt;
-		pkt = tmp;
-		buffer_size = mtu;
-		}
-
-	ASSERT(buffer_offset + len <= buffer_size);
-
-	if ( chunk )
-		memcpy(pkt + buffer_offset, chunk, len);
-	else
-		// Fill with 0.
-		memset(pkt + buffer_offset, 0, len);
-
-	buffer_offset += len;
-
-	return 1;
-	}
diff --git a/src/UDP_Rewriter.h b/src/UDP_Rewriter.h
deleted file mode 100644
index 5fdfd9e5c1..0000000000
--- a/src/UDP_Rewriter.h
+++ /dev/null
@@ -1,138 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef udp_rewriter_h
-#define udp_rewriter_h
-
-using namespace std;
-
-#include <queue>
-#include <set>
-
-#include <pcap.h>
-
-#include "Val.h"
-#include "UDP.h"
-#include "Anon.h"
-#include "Rewriter.h"
-#include "PacketDumper.h"
-
-class UDP_TracePacket : public BroObj, virtual public TracePacket {
-public:
-	UDP_TracePacket(UDP_Rewriter* trace_rewriter, double t, int is_orig,
-		    const struct pcap_pkthdr* hdr, int MTU, int initial_size);
-	~UDP_TracePacket();
-
-	int AppendLinkHeader(const u_char* chunk, int len);
-	int AppendIPHeader(const u_char* chunk, int len);
-	int AppendUDPHeader(const u_char* chunk, int len);
-	int AppendData(const u_char* chunk, int len);
-
-	void Reuse();
-	int IsReuse() const	{ return reuse; }
-
-	double TimeStamp() const	{ return timestamp; }
-	int IsOrig() const	{ return is_orig; }
-
-	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
-
-	const u_char* Buffer() const	{ return pkt; }
-	int Length() const	{ return buffer_offset; }
-
-	// Note that Space() does not depend on buffer_size, but depends on MTU.
-	int Space() const	{ return mtu - buffer_offset; }
-
-	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
-	RecordVal* PacketVal();
-	UDP_Rewriter* TraceRewriter() const	{ return trace_rewriter;}
-
-	// has the packet been written to?
-	int IsModified() const	{ return modified; }
-	void SetModified()		{ modified = 1; }
-
-	// BuildPacket() is called before dumping the packet. It sets length
-	// fields and computes checksums in UDP/IP headers.
-	int BuildPacket(struct pcap_pkthdr*& hdr, const u_char*& arg_pkt,
-			int& length, ipaddr32_t anon_src, ipaddr32_t anon_dst);
-
-private:
-	int Append(const u_char* chunk, int len);
-
-	RecordVal* packet_val;
-	UDP_Rewriter* trace_rewriter;
-	double timestamp;
-	int packet_seq;
-	int is_orig;
-	struct pcap_pkthdr pcap_hdr;
-	int mtu;
-	u_char* pkt;	// of maximal length MTU
-	int ip_offset, udp_offset, data_offset;
-	int buffer_size;
-	int buffer_offset;
-	int reuse;	// whether it is an artificially replicated packet
-	int on_hold;	// do not dump it in Flush()
-	int seq_gap;
-	int modified;
-};
-
-class UDP_Rewriter: public Rewriter {
-public:
-	UDP_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
-
-	virtual ~UDP_Rewriter();
-
-	void Done();
-
-	// these are the virt funcs in Rewriter....
-	void WriteData(int is_orig, int len, const u_char* data);
-
-	void WriteData(int is_orig, const char* data)
-		{ WriteData(is_orig, strlen(data), data); }
-
-	void WriteData(int is_orig, int len, const char* data)
-		{ WriteData(is_orig, len, (const u_char*) data); }
-
-	void WriteData(int is_orig, const BroString* str)
-		{ WriteData(is_orig, str->Len(), str->Bytes()); }
-
-	Analyzer* GetAnalyzer() const	{ return analyzer; }
-
-	// Not need for udp, but declared in the virtual
-	// and might be useful
-	void Push(int);
-	void AbortPackets(int);
-	void CommitPackets(int);
-	unsigned int ReserveSlot();
-	int SeekSlot(unsigned int);
-	int ReturnFromSlot();
-	int ReleaseSlot(unsigned int);
-
-	TracePacket* CurrentPacket() const	{ return current_packet; };
-	TracePacket* RewritePacket() const	{ return next_packet; };
-
-	// A UDP/IP packet.
-	void NextPacket(int is_orig, double t,
-			const struct pcap_pkthdr* pcap_hdr,
-			const u_char* pcap_pkt,	// link level header
-			int hdr_size,		// link level header size
-			const struct ip* ip, const struct udphdr* tp);
-
-	// Do not anonymize client/server IP address.
-	int LeaveAddrInTheClear(int is_orig);
-
-protected:
-	void DoWriteData(int is_orig, int len, const u_char* data);
-
-	Analyzer* analyzer;
-	PacketDumper* dumper;
-
-	int packets_rewritten;
-	int MTU;
-	ipaddr32_t anon_addr[2];
-
-	UDP_TracePacket* current_packet;
-	UDP_TracePacket* next_packet;
-};
-
-#endif
diff --git a/src/Val.cc b/src/Val.cc
index 66770cbdb1..30976c4178 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1,5 +1,3 @@
-// $Id: Val.cc 6945 2009-11-27 19:25:10Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -26,7 +24,7 @@
 #include "RemoteSerializer.h"
 #include "PrefixTable.h"
 #include "Conn.h"
-#include "Logger.h"
+#include "Reporter.h"
 
 
 Val::Val(Func* f)
@@ -253,7 +251,7 @@ bool Val::DoSerialize(SerialInfo* info) const
 		return false;
 	}
 
-	internal_error("should not be reached");
+	reporter->InternalError("should not be reached");
 	return false;
 	}
 
@@ -410,19 +408,10 @@ bool Val::DoUnserialize(UnserialInfo* info)
 		return false;
 	}
 
-	internal_error("should not be reached");
+	reporter->InternalError("should not be reached");
 	return false;
 	}
 
-RecordVal* Val::GetAttribs(bool instantiate)
-	{
-	if ( ! instantiate || attribs )
-		return attribs;
-
-	attribs = new RecordVal(type->AttributesType());
-	return attribs;
-	}
-
 int Val::IsZero() const
 	{
 	switch ( type->InternalType() ) {
@@ -524,7 +513,12 @@ Val* Val::SizeVal() const
 	{
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_INT:
-		return new Val(llabs(val.int_val), TYPE_COUNT);
+		// Return abs value. However abs() only works on ints and llabs
+		// doesn't work on Mac OS X 10.5. So we do it by hand
+		if ( val.int_val < 0 )
+			return new Val(-val.int_val, TYPE_COUNT);
+		else
+			return new Val(val.int_val, TYPE_COUNT);
 
 	case TYPE_INTERNAL_UNSIGNED:
 		return new Val(val.uint_val, TYPE_COUNT);
@@ -578,6 +572,11 @@ void Val::Describe(ODesc* d) const
 		Val::ValDescribe(d);
 	}
 
+void Val::DescribeReST(ODesc* d) const
+	{
+	ValDescribeReST(d);
+	}
+
 void Val::ValDescribe(ODesc* d) const
 	{
 	if ( d->IsReadable() && type->Tag() == TYPE_BOOL )
@@ -615,7 +614,21 @@ void Val::ValDescribe(ODesc* d) const
 
 	default:
 		// Don't call Internal(), that'll loop!
-		internal_error("Val description unavailable");
+		reporter->InternalError("Val description unavailable");
+	}
+	}
+
+void Val::ValDescribeReST(ODesc* d) const
+	{
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_OTHER:
+		Describe(d);
+		break;
+
+	default:
+		d->Add("``");
+		ValDescribe(d);
+		d->Add("``");
 	}
 	}
 
@@ -623,14 +636,16 @@ MutableVal::~MutableVal()
 	{
 	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
 		{
-		global_scope()->Remove((*i)->Name());
+		if ( global_scope() )
+			global_scope()->Remove((*i)->Name());
 		(*i)->ClearVal();	// just to make sure.
 		Unref((*i));
 		}
 
 	if ( id )
 		{
-		global_scope()->Remove(id->Name());
+		if ( global_scope() )
+			global_scope()->Remove(id->Name());
 		id->ClearVal(); // just to make sure.
 		Unref(id);
 		}
@@ -948,7 +963,7 @@ AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR)
 #ifdef BROv6
 		Init(dotted_to_addr6(text));
 #else
-		error("bro wasn't compiled with IPv6 support");
+		reporter->Error("bro wasn't compiled with IPv6 support");
 		Init(uint32(0));
 #endif
 		}
@@ -982,7 +997,7 @@ Val* AddrVal::SizeVal() const
 #ifdef BROv6
 	if ( ! is_v4_addr(val.addr_val) )
 		{
-		RunTime("|addr| for IPv6 addresses not supported");
+		Error("|addr| for IPv6 addresses not supported");
 		return new Val(0, TYPE_COUNT);
 		}
 
@@ -1069,13 +1084,13 @@ static uint32 parse_dotted(const char* text, int& dots)
 		}
 
 	else
-		internal_error("scanf failed in parse_dotted()");
+		reporter->InternalError("scanf failed in parse_dotted()");
 
 	for ( int i = 0; i <= dots; ++i )
 		{
 		if ( addr[i] < 0 || addr[i] > 255 )
 			{
-			error("bad dotted address", text);
+			reporter->Error("bad dotted address %s", text);
 			break;
 			}
 		}
@@ -1083,84 +1098,6 @@ static uint32 parse_dotted(const char* text, int& dots)
 	return a;
 	}
 
-NetVal::NetVal(const char* text) : AddrVal(TYPE_NET)
-	{
-	int dots;
-	uint32 a = parse_dotted(text, dots);
-
-	if ( addr_to_net(a) != a )
-		error("bad net address", text);
-
-	Init(uint32(htonl(a)));
-	}
-
-NetVal::NetVal(uint32 addr) : AddrVal(TYPE_NET)
-	{
-	Init(addr);
-	}
-
-#ifdef BROv6
-NetVal::NetVal(const uint32* addr) : AddrVal(TYPE_NET)
-	{
-	Init(addr);
-	}
-#endif
-
-Val* NetVal::SizeVal() const
-	{
-	uint32 addr;
-
-#ifdef BROv6
-	if ( ! is_v4_addr(val.addr_val) )
-		{
-		RunTime("|net| for IPv6 addresses not supported");
-		return new Val(0.0, TYPE_DOUBLE);
-		}
-
-	addr = to_v4_addr(val.addr_val);
-#else
-	addr = val.addr_val;
-#endif
-	addr = ntohl(addr);
-
-	if ( (addr & 0xFFFFFFFF) == 0L )
-		return new Val(4294967296.0, TYPE_DOUBLE);
-
-	if ( (addr & 0x00FFFFFF) == 0L )
-		return new Val(double(0xFFFFFF + 1), TYPE_DOUBLE);
-
-	if ( (addr & 0x0000FFFF) == 0L )
-		return new Val(double(0xFFFF + 1), TYPE_DOUBLE);
-
-	if ( (addr & 0x000000FF) == 0L )
-		return new Val(double(0xFF + 1), TYPE_DOUBLE);
-
-	return new Val(1.0, TYPE_DOUBLE);
-	}
-
-void NetVal::ValDescribe(ODesc* d) const
-	{
-#ifdef BROv6
-	d->Add(dotted_net6(val.addr_val));
-#else
-	d->Add(dotted_net(val.addr_val));
-#endif
-	}
-
-IMPLEMENT_SERIAL(NetVal, SER_NET_VAL);
-
-bool NetVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NET_VAL, AddrVal);
-	return true;
-	}
-
-bool NetVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(AddrVal);
-	return true;
-	}
-
 SubNetVal::SubNetVal(const char* text) : Val(TYPE_SUBNET)
 	{
 	const char* sep = strchr(text, '/');
@@ -1525,6 +1462,7 @@ TableVal* ListVal::ConvertToSet() const
 	loop_over_list(vals, i)
 		t->Assign(vals[i], 0);
 
+	Unref(s);
 	return t;
 	}
 
@@ -1644,6 +1582,7 @@ TableVal::TableVal(TableType* t, Attributes* a) : MutableVal(t)
 
 void TableVal::Init(TableType* t)
 	{
+	::Ref(t);
 	table_type = t;
 	expire_expr = 0;
 	expire_time = 0;
@@ -1666,6 +1605,7 @@ TableVal::~TableVal()
 	if ( timer )
 		timer_mgr->Cancel(timer);
 
+	Unref(table_type);
 	delete table_hash;
 	delete AsTable();
 	delete subnets;
@@ -1737,7 +1677,7 @@ void TableVal::CheckExpireAttr(attr_tag at)
 			a->AttrExpr()->Error("value of timeout not fixed");
 			return;
 			}
-		
+
 		expire_time = timeout->AsInterval();
 
 		if ( timer )
@@ -1982,7 +1922,7 @@ int TableVal::ExpandAndInit(Val* index, Val* new_val)
 	if ( iv->BaseTag() != TYPE_ANY )
 		{
 		if ( table_type->Indices()->Types()->length() != 1 )
-			internal_error("bad singleton list index");
+			reporter->InternalError("bad singleton list index");
 
 		for ( int i = 0; i < iv->Length(); ++i )
 			if ( ! ExpandAndInit(iv->Index(i), new_val ? new_val->Ref() : 0) )
@@ -2026,11 +1966,27 @@ Val* TableVal::Default(Val* index)
 		return 0;
 
 	if ( ! def_val )
-		def_val = def_attr->AttrExpr()->Eval(0);
+		{
+		BroType* ytype = Type()->YieldType();
+		BroType* dtype = def_attr->AttrExpr()->Type();
+
+		if ( dtype->Tag() == TYPE_RECORD && ytype->Tag() == TYPE_RECORD &&
+		     ! same_type(dtype, ytype) &&
+		     record_promotion_compatible(dtype->AsRecordType(),
+						 ytype->AsRecordType()) )
+			{
+			Expr* coerce = new RecordCoerceExpr(def_attr->AttrExpr(), ytype->AsRecordType());
+			def_val = coerce->Eval(0);
+			Unref(coerce);
+			}
+
+		else
+			def_val = def_attr->AttrExpr()->Eval(0);
+		}
 
 	if ( ! def_val )
 		{
-		RunTime("non-constant default attribute");
+		Error("non-constant default attribute");
 		return 0;
 		}
 
@@ -2050,12 +2006,21 @@ Val* TableVal::Default(Val* index)
 	else
 		vl->append(index->Ref());
 
-	Val* result = f->Call(vl);
+	Val* result = 0;
+
+	try
+		{
+		result = f->Call(vl);
+		}
+
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }
+
 	delete vl;
 
 	if ( ! result )
 		{
-		RunTime("no value returned from &default function");
+		Error("no value returned from &default function");
 		return 0;
 		}
 
@@ -2161,7 +2126,7 @@ Val* TableVal::Delete(const Val* index)
 	Val* va = v ? (v->Value() ? v->Value() : this->Ref()) : 0;
 
 	if ( subnets && ! subnets->Remove(index) )
-		internal_error( "index not in prefix table" );
+		reporter->InternalError("index not in prefix table");
 
 	if ( LoggingAccess() )
 		{
@@ -2203,7 +2168,7 @@ Val* TableVal::Delete(const HashKey* k)
 		{
 		Val* index = table_hash->RecoverVals(k);
 		if ( ! subnets->Remove(index) )
-			internal_error( "index not in prefix table" );
+			reporter->InternalError("index not in prefix table");
 		Unref(index);
 		}
 
@@ -2252,7 +2217,10 @@ ListVal* TableVal::ConvertToPureList() const
 	{
 	type_list* tl = table_type->Indices()->Types();
 	if ( tl->length() != 1 )
+		{
 		InternalWarning("bad index type in TableVal::ConvertToPureList");
+		return 0;
+		}
 
 	return ConvertToList((*tl)[0]->Tag());
 	}
@@ -2284,7 +2252,7 @@ void TableVal::Describe(ODesc* d) const
 		TableEntryVal* v = tbl->NextEntry(k, c);
 
 		if ( ! v )
-			internal_error("hash table underflow in TableVal::Describe");
+			reporter->InternalError("hash table underflow in TableVal::Describe");
 
 		ListVal* vl = table_hash->RecoverVals(k);
 		int dim = vl->Length();
@@ -2335,7 +2303,7 @@ void TableVal::Describe(ODesc* d) const
 		}
 
 	if ( tbl->NextEntry(c) )
-		internal_error("hash table overflow in TableVal::Describe");
+		reporter->InternalError("hash table overflow in TableVal::Describe");
 
 	if ( d->IsPortable() || d->IsReadable() )
 		{
@@ -2457,7 +2425,7 @@ void TableVal::DoExpire(double t)
 				{
 				Val* index = RecoverIndex(k);
 				if ( ! subnets->Remove(index) )
-					internal_error( "index not in prefix table" );
+					reporter->InternalError("index not in prefix table");
 				Unref(index);
 				}
 
@@ -2506,10 +2474,20 @@ double TableVal::CallExpireFunc(Val* idx)
 
 	vl->append(idx);
 
-	Val* vs = expire_expr->Eval(0)->AsFunc()->Call(vl);
-	double secs = vs->AsInterval();
-	Unref(vs);
-	delete vl;
+	double secs;
+
+	try
+		{
+		Val* vs = expire_expr->Eval(0)->AsFunc()->Call(vl);
+		secs = vs->AsInterval();
+		Unref(vs);
+		delete vl;
+		}
+
+	catch ( InterpreterException& e )
+		{
+		secs = 0;
+		}
 
 	return secs;
 	}
@@ -2540,7 +2518,7 @@ bool TableVal::DoSerialize(SerialInfo* info) const
 		IterCookie* c;
 		TableEntryVal* v;	// current value
 		bool did_index;	// already wrote the val's index
-	}* state;
+	}* state = 0;
 
 	PDict(TableEntryVal)* tbl =
 		const_cast<TableVal*>(this)->AsNonConstTable();
@@ -2578,7 +2556,7 @@ bool TableVal::DoSerialize(SerialInfo* info) const
 		state = (State*) info->cont.RestoreState();
 		}
 	else
-		internal_error("unknown continuation state");
+		reporter->InternalError("unknown continuation state");
 
 	HashKey* k;
 	int count = 0;
@@ -2663,7 +2641,7 @@ bool TableVal::DoSerialize(SerialInfo* info) const
 			{
 			info->cont.SaveState(state);
 			info->cont.Suspend();
-			bro_logger->Log("TableVals serialization suspended right in the middle.");
+			reporter->Info("TableVals serialization suspended right in the middle.");
 			return true;
 			}
 		}
@@ -2834,7 +2812,7 @@ RecordVal::RecordVal(RecordType* t) : MutableVal(t)
 			else if ( tag == TYPE_TABLE )
 				def = new TableVal(type->AsTableType(), a);
 
-			else if ( t->Tag() == TYPE_VECTOR )
+			else if ( tag == TYPE_VECTOR )
 				def = new VectorVal(type->AsVectorType());
 			}
 
@@ -2851,7 +2829,7 @@ RecordVal::~RecordVal()
 
 void RecordVal::Assign(int field, Val* new_val, Opcode op)
 	{
-	if ( Lookup(field) &&
+	if ( new_val && Lookup(field) &&
 	     record_type->FieldType(field)->Tag() == TYPE_TABLE &&
 	     new_val->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
 		{
@@ -2896,6 +2874,83 @@ Val* RecordVal::Lookup(int field) const
 	return (*AsRecord())[field];
 	}
 
+Val* RecordVal::LookupWithDefault(int field) const
+	{
+	Val* val = (*AsRecord())[field];
+
+	if ( val )
+		return val->Ref();
+
+	return record_type->FieldDefault(field);
+	}
+
+RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr, bool allow_orphaning) const
+	{
+	if ( ! record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
+		return 0;
+
+	if ( ! aggr )
+		aggr = new RecordVal(const_cast<RecordType*>(t->AsRecordType()));
+
+	RecordVal* ar = aggr->AsRecordVal();
+	RecordType* ar_t = aggr->Type()->AsRecordType();
+
+	const RecordType* rv_t = Type()->AsRecordType();
+
+	int i;
+	for ( i = 0; i < rv_t->NumFields(); ++i )
+		{
+		int t_i = ar_t->FieldOffset(rv_t->FieldName(i));
+
+		if ( t_i < 0 )
+			{
+			if ( allow_orphaning )
+				continue;
+
+			char buf[512];
+			safe_snprintf(buf, sizeof(buf),
+					"orphan field \"%s\" in initialization",
+					rv_t->FieldName(i));
+			Error(buf);
+			break;
+			}
+
+		if ( ar_t->FieldType(t_i)->Tag() == TYPE_RECORD
+				&& ! same_type(ar_t->FieldType(t_i), Lookup(i)->Type()) )
+			{
+			Expr* rhs = new ConstExpr(Lookup(i)->Ref());
+			Expr* e = new RecordCoerceExpr(rhs, ar_t->FieldType(t_i)->AsRecordType());
+			ar->Assign(t_i, e->Eval(0));
+			continue;
+			}
+
+		ar->Assign(t_i, Lookup(i)->Ref());
+		}
+
+	for ( i = 0; i < ar_t->NumFields(); ++i )
+		if ( ! ar->Lookup(i) &&
+			 ! ar_t->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
+			{
+			char buf[512];
+			safe_snprintf(buf, sizeof(buf),
+					"non-optional field \"%s\" missing in initialization", ar_t->FieldName(i));
+			Error(buf);
+			}
+
+	return ar;
+	}
+
+RecordVal* RecordVal::CoerceTo(RecordType* t, bool allow_orphaning)
+	{
+	if ( same_type(Type(), t) )
+		{
+		this->Ref();
+		return this;
+		}
+
+	return CoerceTo(t, 0, allow_orphaning);
+	}
+
 void RecordVal::Describe(ODesc* d) const
 	{
 	const val_list* vl = AsRecord();
@@ -2932,6 +2987,34 @@ void RecordVal::Describe(ODesc* d) const
 		d->Add("]");
 	}
 
+void RecordVal::DescribeReST(ODesc* d) const
+	{
+	const val_list* vl = AsRecord();
+	int n = vl->length();
+
+	d->Add("{");
+	d->PushIndent();
+
+	loop_over_list(*vl, i)
+		{
+		if ( i > 0 )
+			d->NL();
+
+		d->Add(record_type->FieldName(i));
+		d->Add("=");
+
+		Val* v = (*vl)[i];
+
+		if ( v )
+			v->Describe(d);
+		else
+			d->Add("<uninitialized>");
+		}
+
+	d->PopIndent();
+	d->Add("}");
+	}
+
 IMPLEMENT_SERIAL(RecordVal, SER_RECORD_VAL);
 
 bool RecordVal::DoSerialize(SerialInfo* info) const
@@ -3026,14 +3109,13 @@ unsigned int RecordVal::MemoryAllocation() const
 	{
 	unsigned int size = 0;
 
-	for ( int i = 0; i < type->AsRecordType()->NumFields(); ++i )
-		{
-		Val* v = (*val.val_list_val)[i];
+	const val_list* vl = AsRecord();
 
-		// v might be nil for records that don't wind
-		// up being set to a value.
+	loop_over_list(*vl, i)
+		{
+		Val* v = (*vl)[i];
 		if ( v )
-			size += v->MemoryAllocation();
+		    size += v->MemoryAllocation();
 		}
 
 	return size + padded_sizeof(*this) + val.val_list_val->MemoryAllocation();
@@ -3046,10 +3128,6 @@ void EnumVal::ValDescribe(ODesc* d) const
 	if ( ! ename )
 		ename = "<undefined>";
 
-	const char* module_offset = strstr(ename, "::");
-	if ( module_offset )
-		ename = module_offset + 2;
-
 	d->Add(ename);
 	}
 
@@ -3093,15 +3171,6 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 		return false;
 		}
 
-	if ( index == 0 || index > (1 << 30) )
-		{
-		if ( assigner )
-			assigner->Error(fmt("index (%d) must be positive",
-						index));
-		Unref(element);
-		return true;	// true = "no fatal error"
-		}
-
 	BroType* yt = Type()->AsVectorType()->YieldType();
 
 	if ( yt && yt->Tag() == TYPE_TABLE &&
@@ -3116,7 +3185,7 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 				Val* ival = new Val(index, TYPE_COUNT);
 				StateAccess::Log(new StateAccess(OP_ASSIGN_IDX,
 						this, ival, element,
-						(*val.vector_val)[index - 1]));
+						(*val.vector_val)[index]));
 				Unref(ival);
 				}
 
@@ -3126,10 +3195,10 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 			}
 		}
 
-	if ( index <= val.vector_val->size() )
-		Unref((*val.vector_val)[index - 1]);
+	if ( index < val.vector_val->size() )
+		Unref((*val.vector_val)[index]);
 	else
-		val.vector_val->resize(index);
+		val.vector_val->resize(index + 1);
 
 	if ( LoggingAccess() && op != OP_NONE )
 		{
@@ -3140,14 +3209,14 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 
 		StateAccess::Log(new StateAccess(op == OP_INCR ?
 				OP_INCR_IDX : OP_ASSIGN_IDX,
-				this, ival, element, (*val.vector_val)[index - 1]));
+				this, ival, element, (*val.vector_val)[index]));
 		Unref(ival);
 		}
 
 	// Note: we do *not* Ref() the element, if any, at this point.
 	// AssignExpr::Eval() already does this; other callers must remember
 	// to do it similarly.
-	(*val.vector_val)[index - 1] = element;
+	(*val.vector_val)[index] = element;
 
 	Modified();
 	return true;
@@ -3156,7 +3225,7 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
 				Val* element, const Expr* assigner)
 	{
-	ResizeAtLeast(index + how_many - 1);
+	ResizeAtLeast(index + how_many);
 
 	for ( unsigned int i = index; i < index + how_many; ++i )
 		if ( ! Assign(i, element, assigner) )
@@ -3168,10 +3237,10 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
 
 Val* VectorVal::Lookup(unsigned int index) const
 	{
-	if ( index == 0 || index > val.vector_val->size() )
+	if ( index >= val.vector_val->size() )
 		return 0;
 
-	return (*val.vector_val)[index - 1];
+	return (*val.vector_val)[index];
 	}
 
 unsigned int VectorVal::Resize(unsigned int new_num_elements)
@@ -3260,7 +3329,7 @@ bool VectorVal::DoUnserialize(UnserialInfo* info)
 		{
 		Val* v;
 		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
-		Assign(i + VECTOR_MIN, v, 0);
+		Assign(i, v, 0);
 		}
 
 	return true;
@@ -3296,6 +3365,10 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	TypeTag t_tag = t->Tag();
 	TypeTag v_tag = vt->Tag();
 
+	// More thought definitely needs to go into this.
+	if ( t_tag == TYPE_ANY || v_tag == TYPE_ANY )
+		return v;
+
 	if ( ! EitherArithmetic(t_tag, v_tag) ||
 	     /* allow sets as initializers */
 	     (is_init && v_tag == TYPE_TABLE) )
@@ -3356,7 +3429,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 		break;
 
 	default:
-		internal_error("bad internal type in check_and_promote()");
+		reporter->InternalError("bad internal type in check_and_promote()");
 		Unref(v);
 		return 0;
 	}
@@ -3367,7 +3440,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 
 int same_val(const Val* /* v1 */, const Val* /* v2 */)
 	{
-	internal_error("same_val not implemented");
+	reporter->InternalError("same_val not implemented");
 	return 0;
 	}
 
@@ -3418,7 +3491,7 @@ int same_atomic_val(const Val* v1, const Val* v2)
 		return subnet_eq(v1->AsSubNet(), v2->AsSubNet());
 
 	default:
-		internal_error("same_atomic_val called for non-atomic value");
+		reporter->InternalError("same_atomic_val called for non-atomic value");
 		return 0;
 	}
 
@@ -3435,7 +3508,7 @@ void describe_vals(const val_list* vals, ODesc* d, int offset)
 
 	for ( int i = offset; i < vals->length(); ++i )
 		{
-		if ( i > offset && d->IsReadable() )
+		if ( i > offset && d->IsReadable() && d->Style() != RAW_STYLE )
 			d->Add(", ");
 
 		(*vals)[i]->Describe(d);
diff --git a/src/Val.h b/src/Val.h
index b6effcb9e9..94296f7170 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1,5 +1,3 @@
-// $Id: Val.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef val_h
@@ -30,7 +28,6 @@ class SerialInfo;
 
 class PortVal;
 class AddrVal;
-class NetVal;
 class SubNetVal;
 
 class IntervalVal;
@@ -39,6 +36,7 @@ class TableVal;
 class RecordVal;
 class ListVal;
 class StringVal;
+class EnumVal;
 class MutableVal;
 
 class StateAccess;
@@ -87,7 +85,7 @@ public:
 #endif
 		}
 
-	Val(int i, TypeTag t)
+	Val(int32 i, TypeTag t)
 		{
 		val.int_val = bro_int_t(i);
 		type = base_type(t);
@@ -97,27 +95,7 @@ public:
 #endif
 		}
 
-	Val(long i, TypeTag t)
-		{
-		val.int_val = bro_int_t(i);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-	Val(unsigned int u, TypeTag t)
-		{
-		val.uint_val = bro_uint_t(u);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-	Val(unsigned long u, TypeTag t)
+	Val(uint32 u, TypeTag t)
 		{
 		val.uint_val = bro_uint_t(u);
 		type = base_type(t);
@@ -163,6 +141,15 @@ public:
 	// class has ref'd it.
 	Val(BroFile* f);
 
+	Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version.
+		{
+		type = new TypeType(t->Ref());
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
 	Val()
 		{
 		val.int_val = 0;
@@ -178,13 +165,6 @@ public:
 	Val* Ref()			{ ::Ref(this); return this; }
 	virtual Val* Clone() const;
 
-	RecordVal* GetAttribs(bool instantiate);
-	void SetAttribs(RecordVal* arg_attribs)
-		{
-		Unref((Val*) attribs);
-		attribs = arg_attribs;
-		}
-
 	int IsZero() const;
 	int IsOne() const;
 
@@ -252,10 +232,16 @@ public:
 		return &val.subnet_val;
 		}
 
+	BroType* AsType() const
+		{
+		CHECK_TAG(type->Tag(), TYPE_TYPE, "Val::Type", type_name)
+		return type;
+		}
+
 	// ... in network byte order
 	const addr_type AsAddr() const
 		{
-		if ( type->Tag() != TYPE_ADDR && type->Tag() != TYPE_NET )
+		if ( type->Tag() != TYPE_ADDR )
 			BadTag("Val::AsAddr", type_name(type->Tag()));
 		return val.addr_val;
 		}
@@ -295,13 +281,13 @@ public:
 
 	CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
 	CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
-	CONVERTER(TYPE_NET, NetVal*, AsNetVal)
 	CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
 	CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
 	CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
 	CONVERTER(TYPE_LIST, ListVal*, AsListVal)
 	CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
 	CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
+	CONVERTER(TYPE_ENUM, EnumVal*, AsEnumVal)
 
 #define CONST_CONVERTER(tag, ctype, name) \
 	const ctype name() const \
@@ -312,7 +298,6 @@ public:
 
 	CONST_CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
 	CONST_CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
-	CONST_CONVERTER(TYPE_NET, NetVal*, AsNetVal)
 	CONST_CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
 	CONST_CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
 	CONST_CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
@@ -340,6 +325,7 @@ public:
 		}
 
 	void Describe(ODesc* d) const;
+	virtual void DescribeReST(ODesc* d) const;
 
 	bool Serialize(SerialInfo* info) const;
 	static Val* Unserialize(UnserialInfo* info, TypeTag type = TYPE_ANY)
@@ -374,6 +360,7 @@ protected:
 		}
 
 	virtual void ValDescribe(ODesc* d) const;
+	virtual void ValDescribeReST(ODesc* d) const;
 
 	Val(TypeTag t)
 		{
@@ -585,23 +572,6 @@ protected:
 	DECLARE_SERIAL(AddrVal);
 };
 
-class NetVal : public AddrVal {
-public:
-	NetVal(const char* text);
-	NetVal(uint32 addr);
-	NetVal(const uint32* addr);
-
-	Val* SizeVal() const;
-
-protected:
-	friend class Val;
-	NetVal()	{}
-
-	void ValDescribe(ODesc* d) const;
-
-	DECLARE_SERIAL(NetVal);
-};
-
 class SubNetVal : public Val {
 public:
 	SubNetVal(const char* text);
@@ -901,7 +871,7 @@ protected:
 
 	DECLARE_SERIAL(TableVal);
 
-	const TableType* table_type;
+	TableType* table_type;
 	CompositeHash* table_hash;
 	Attributes* attrs;
 	double expire_time;
@@ -921,7 +891,8 @@ public:
 		{ return new Val(record_type->NumFields(), TYPE_COUNT); }
 
 	void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
-	Val* Lookup(int field) const;
+	Val* Lookup(int field) const;	// Does not Ref() value.
+	Val* LookupWithDefault(int field) const;	// Does Ref() value.
 
 	void Describe(ODesc* d) const;
 
@@ -930,7 +901,22 @@ public:
 	void SetOrigin(BroObj* o)	{ origin = o; }
 	BroObj* GetOrigin() const	{ return origin; }
 
+	// Returns a new value representing the value coerced to the given
+	// type. If coercion is not possible, returns 0. The non-const
+	// version may return the current value ref'ed if its type matches
+	// directly.
+	//
+	// *aggr* is optional; if non-zero, we add to it. See
+	// Expr::InitVal(). We leave it out in the non-const version to make
+	// the choice unambigious.
+	//
+	// The *allow_orphaning* parameter allows for a record to be demoted
+	// down to a record type that contains less fields.
+	RecordVal* CoerceTo(const RecordType* other, Val* aggr, bool allow_orphaning = false) const;
+	RecordVal* CoerceTo(RecordType* other, bool allow_orphaning = false);
+
 	unsigned int MemoryAllocation() const;
+	void DescribeReST(ODesc* d) const;
 
 protected:
 	friend class Val;
@@ -966,9 +952,6 @@ protected:
 };
 
 
-// The minimum index for vectors (0 or 1).
-const int VECTOR_MIN = 1;
-
 class VectorVal : public MutableVal {
 public:
 	VectorVal(VectorType* t);
diff --git a/src/Var.cc b/src/Var.cc
index b107156b3a..d54d94a078 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -1,5 +1,3 @@
-// $Id: Var.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -12,6 +10,8 @@
 #include "RemoteSerializer.h"
 #include "EventRegistry.h"
 
+extern int generate_documentation;
+
 static Val* init_val(Expr* init, const BroType* t, Val* aggr)
 	{
 	return init->InitVal(t, aggr);
@@ -107,7 +107,7 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 	id->SetType(t);
 
 	if ( attr )
-		id->AddAttrs(new Attributes(attr, t));
+		id->AddAttrs(new Attributes(attr, t, false));
 
 	if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) )
 		{
@@ -170,6 +170,16 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 		}
 
 	id->UpdateValAttrs();
+
+	if ( t && t->Tag() == TYPE_FUNC && t->AsFuncType()->IsEvent() )
+		{
+		// For events, add a function value (without any body) here so that
+		// we can later access the ID even if no implementations have been
+		// defined.
+		Func* f = new BroFunc(id, 0, 0, 0, 0);
+		id->SetVal(new Val(f));
+		id->SetConst();
+		}
 	}
 
 
@@ -192,7 +202,8 @@ Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init,
 		Ref(id);
 
 		Stmt* stmt =
-			new ExprStmt(new AssignExpr(new NameExpr(id), init, 0));
+		    new ExprStmt(new AssignExpr(new NameExpr(id), init, 0, 0,
+		        id->Attrs() ? id->Attrs()->Attrs() : 0 ));
 		stmt->SetLocationInfo(init->GetLocationInfo());
 
 		return stmt;
@@ -217,11 +228,65 @@ extern Expr* add_and_assign_local(ID* id, Expr* init, Val* val)
 
 void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */)
 	{
-	id->SetType(t);
+	BroType* tnew = t;
+
+	// In "documentation mode", we'd like to to be able to associate
+	// an identifier name with a declared type.  Dealing with declared
+	// types that are "aliases" to a builtin type requires that the BroType
+	// is cloned before setting the identifier name that resolves to it.
+	// And still this is not enough to document cases where the declared type
+	// is an alias for another declared type -- but that's not a natural/common
+	// practice.  If documenting that corner case is desired, one way
+	// is to add an ID* to class ID that tracks aliases and set it here if
+	// t->GetTypeID() is true.
+	if ( generate_documentation )
+		{
+		switch ( t->Tag() ) {
+		// Only "shallow" copy types that may contain records because
+		// we want to be able to see additions to the original record type's
+		// list of fields
+		case TYPE_RECORD:
+			tnew = new RecordType(t->AsRecordType()->Types());
+			break;
+		case TYPE_TABLE:
+			tnew = new TableType(t->AsTableType()->Indices(),
+			                     t->AsTableType()->YieldType());
+			break;
+		case TYPE_VECTOR:
+			tnew = new VectorType(t->AsVectorType()->YieldType());
+			break;
+		case TYPE_FUNC:
+			tnew = new FuncType(t->AsFuncType()->Args(),
+			                    t->AsFuncType()->YieldType(),
+			                    t->AsFuncType()->IsEvent());
+			break;
+		default:
+			SerializationFormat* form = new BinarySerializationFormat();
+			form->StartWrite();
+			CloneSerializer ss(form);
+			SerialInfo sinfo(&ss);
+			sinfo.cache = false;
+
+			t->Serialize(&sinfo);
+			char* data;
+			uint32 len = form->EndWrite(&data);
+			form->StartRead(data, len);
+
+			UnserialInfo uinfo(&ss);
+			uinfo.cache = false;
+			tnew = t->Unserialize(&uinfo);
+
+			delete [] data;
+		}
+
+		tnew->SetTypeID(copy_string(id->Name()));
+		}
+
+	id->SetType(tnew);
 	id->MakeType();
 
 	if ( attr )
-		id->SetAttrs(new Attributes(attr, t));
+		id->SetAttrs(new Attributes(attr, tnew, false));
 	}
 
 void begin_func(ID* id, const char* module_name, function_flavor flavor,
@@ -326,7 +391,7 @@ void end_func(Stmt* body, attr_list* attrs)
 		id->ID_Val()->AsFunc()->AddBody(body, inits, frame_size, priority);
 	else
 		{
-		Func* f = new BroFunc(id, body, inits, frame_size);
+		Func* f = new BroFunc(id, body, inits, frame_size, priority);
 		id->SetVal(new Val(f));
 		id->SetConst();
 		}
@@ -338,7 +403,19 @@ Val* internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
 	if ( ! id )
-		internal_error("internal variable %s missing", name);
+		reporter->InternalError("internal variable %s missing", name);
+
+	return id->ID_Val();
+	}
+
+Val* internal_const_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		reporter->InternalError("internal variable %s missing", name);
+
+	if ( ! id->IsConst() )
+		reporter->InternalError("internal variable %s is not constant", name);
 
 	return id->ID_Val();
 	}
@@ -399,7 +476,7 @@ ListVal* internal_list_val(const char* name)
 			}
 
 		else
-			internal_error("internal variable %s is not a list", name);
+			reporter->InternalError("internal variable %s is not a list", name);
 		}
 
 	return 0;
@@ -409,7 +486,7 @@ BroType* internal_type(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
 	if ( ! id )
-		internal_error("internal type %s missing", name);
+		reporter->InternalError("internal type %s missing", name);
 
 	return id->Type();
 	}
diff --git a/src/Var.h b/src/Var.h
index 3be8ecc079..8b9866ed2d 100644
--- a/src/Var.h
+++ b/src/Var.h
@@ -1,5 +1,3 @@
-// $Id: Var.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef var_h
@@ -27,6 +25,7 @@ extern void begin_func(ID* id, const char* module_name, function_flavor flavor,
 extern void end_func(Stmt* body, attr_list* attrs = 0);
 
 extern Val* internal_val(const char* name);
+extern Val* internal_const_val(const char* name); // internal error if not const
 extern Val* opt_internal_val(const char* name);	// returns nil if not defined
 extern double opt_internal_double(const char* name);
 extern bro_int_t opt_internal_int(const char* name);
@@ -38,7 +37,6 @@ extern BroType* internal_type(const char* name);
 extern Func* internal_func(const char* name);
 extern EventHandlerPtr internal_handler(const char* name);
 
-extern EventHandlerPtr bro_signal;
 extern int signal_val;	// 0 if no signal pending
 
 #endif
diff --git a/src/X509.cc b/src/X509.cc
index 9de73d2a9d..55b6b78f04 100644
--- a/src/X509.cc
+++ b/src/X509.cc
@@ -1,5 +1,3 @@
-// $Id: X509.cc 6724 2009-06-07 09:23:03Z vern $
-
 #include <openssl/err.h>
 
 #include "X509.h"
@@ -80,7 +78,7 @@ int X509_Cert::init()
 		lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());
 		if ( ! lookup )
 			{
-			fprintf(stderr, "X509_Cert::init(): initing lookup failed\n");
+			reporter->Error("X509_Cert::init(): initing lookup failed\n");
 			flag = 1;
 			}
 
@@ -89,7 +87,7 @@ int X509_Cert::init()
 				X509_FILETYPE_PEM);
 		if ( ! i )
 			{
-			fprintf( stderr, "X509_Cert::init(): error adding lookup directory\n" );
+			reporter->Error("X509_Cert::init(): error adding lookup directory\n");
 			ret = 0;
 			}
 		}
@@ -108,7 +106,7 @@ int X509_Cert::init()
 		if ( X509_load_crl_file(lookup, (const char*) rString->Bytes(),
 					X509_FILETYPE_PEM) != 1 )
 			{
-			fprintf(stderr, "X509_Cert::init(): error reading CRL file\n");
+			reporter->Error("X509_Cert::init(): error reading CRL file\n");
 			ret = 1;
 			}
 
diff --git a/src/X509.h b/src/X509.h
deleted file mode 100644
index 284fd3512c..0000000000
--- a/src/X509.h
+++ /dev/null
@@ -1,33 +0,0 @@
-// $Id: X509.h 3526 2006-09-12 07:32:21Z vern $
-
-#ifndef X509_H
-#define X509_H
-
-#include <sys/types.h>
-#include <openssl/x509.h>
-#include <openssl/x509_vfy.h>
-
-#include "SSLProxy.h"
-
-class X509_Cert {
-public:
-	static X509_STORE* ctx;
-	static X509_LOOKUP* lookup;
-	static X509_STORE_CTX csc;
-	static bool bInited;
-
-	// Initializes the OpenSSL library, which is used for verify().
-	static int init();
-
-	// Wrapper for X.509 error event.
-	static void sslCertificateError(Contents_SSL* e, int error_numbe);
-
-	// Retrieves a DER-encoded X.509 certificate.  Returns 0 on failure.
-	static int verify(Contents_SSL* e, const u_char* data, uint32 len);
-	static int verifyChain(Contents_SSL* e, const u_char* data, uint32 len);
-
-	// Wrapper for the ssl_certificate event.
-	static void sslCertificateEvent(Contents_SSL* e, X509* pCert);
-};
-
-#endif
diff --git a/src/XDR.cc b/src/XDR.cc
index 4e6a05ff10..96d855ddbd 100644
--- a/src/XDR.cc
+++ b/src/XDR.cc
@@ -1,7 +1,7 @@
-// $Id: XDR.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <algorithm>
+
 #include "config.h"
 
 #include "XDR.h"
@@ -17,27 +17,27 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len)
 		return 0;
 		}
 
-	uint32 bits32 = XDR_aligned(buf) ? *(uint32*) buf :
-		((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
+	// Takes care of alignment and endianess differences. 
+	uint32 bits32 = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
 
 	buf += 4;
 	len -= 4;
 
-	return ntohl(bits32);
+	return bits32;
 	}
 
-double extract_XDR_uint64_as_double(const u_char*& buf, int& len)
+uint64 extract_XDR_uint64(const u_char*& buf, int& len)
 	{
 	if ( ! buf || len < 8 )
 		{
 		buf = 0;
-		return 0.0;
+		return 0;
 		}
 
-	uint32 uhi = extract_XDR_uint32(buf, len);
-	uint32 ulo = extract_XDR_uint32(buf, len);
+	uint64 uhi = extract_XDR_uint32(buf, len);
+	uint64 ulo = extract_XDR_uint32(buf, len);
 
-	return double(uhi) * 4294967296.0 + double(ulo);
+	return (uhi << 32) + ulo;
 	}
 
 double extract_XDR_time(const u_char*& buf, int& len)
@@ -54,12 +54,15 @@ double extract_XDR_time(const u_char*& buf, int& len)
 	return double(uhi) + double(ulo) / 1e9;
 	}
 
-const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len)
+const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok)
 	{
 	n = int(extract_XDR_uint32(buf, len));
 	if ( ! buf )
 		return 0;
 
+	if ( short_buf_ok )
+		n = std::min(n, len);
+
 	if ( n < 0 || n > len || n > max_len )
 		{ // ### Should really flag this as a different sort of error.
 		buf = 0;
@@ -75,6 +78,25 @@ const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_l
 	return opaque;
 	}
 
+const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n)
+	{
+	if ( ! buf )
+		return 0;
+	if ( n < 0 || n > len)
+		{
+		buf = 0;
+		return 0;
+		}
+	int n4 = ((n + 3) >> 2) << 2;	// n rounded up to next multiple of 4
+
+	len -= n4;
+	const u_char* opaque = buf;
+	buf += n4;
+
+	return opaque;
+	}
+
+
 uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len)
 	{
 	uint32 auth_flavor = extract_XDR_uint32(buf, len);
diff --git a/src/XDR.h b/src/XDR.h
index 070e13ee6c..65192d6067 100644
--- a/src/XDR.h
+++ b/src/XDR.h
@@ -1,5 +1,3 @@
-// $Id: XDR.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef xdr_h
@@ -10,16 +8,12 @@
 
 #include "util.h"
 
-inline int XDR_aligned(const u_char* buf)
-	{
-	return (((unsigned long) buf) & 0x3) == 0;
-	}
-
 extern uint32 extract_XDR_uint32(const u_char*& buf, int& len);
-extern double extract_XDR_uint64_as_double(const u_char*& buf, int& len);
+extern uint64 extract_XDR_uint64(const u_char*& buf, int& len);
 extern double extract_XDR_time(const u_char*& buf, int& len);
 extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len,
-					int& n, int max_len=8192);
+					int& n, int max_len=8192, bool short_buf_ok=false);
+extern const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n);
 extern uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len);
 
 #endif
diff --git a/src/ZIP.cc b/src/ZIP.cc
index 84643c2874..0ebe93abe6 100644
--- a/src/ZIP.cc
+++ b/src/ZIP.cc
@@ -1,11 +1,7 @@
-// $Id: ZIP.cc,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "ZIP.h"
 
-#ifdef HAVE_LIBZ
-
 ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method)
 : TCP_SupportAnalyzer(AnalyzerTag::Zip, conn, orig)
 	{
@@ -91,4 +87,3 @@ void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	while ( zip->avail_out == 0 );
 	}
-#endif
diff --git a/src/ZIP.h b/src/ZIP.h
index 3debb6c3c8..6a8a180d1a 100644
--- a/src/ZIP.h
+++ b/src/ZIP.h
@@ -1,5 +1,3 @@
-// $Id: ZIP.h,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef zip_h
@@ -7,8 +5,6 @@
 
 #include "config.h"
 
-#ifdef HAVE_LIBZ
-
 #include "zlib.h"
 #include "TCP.h"
 
@@ -31,4 +27,3 @@ protected:
 };
 
 #endif
-#endif
diff --git a/src/bif_arg.cc b/src/bif_arg.cc
index 2befed495a..a4772e4d73 100644
--- a/src/bif_arg.cc
+++ b/src/bif_arg.cc
@@ -1,5 +1,3 @@
-// $Id: bif_arg.cc 3234 2006-06-08 02:38:11Z vern $
-
 #include "config.h"
 
 #include <set>
@@ -24,7 +22,6 @@ static struct {
 };
 
 extern const char* arg_list_name;
-extern set<string> enum_types;
 
 BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type)
 	{
@@ -45,9 +42,6 @@ BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str)
 			type = i;
 			type_str = "";
 			}
-
-	if ( enum_types.find(type_str) != enum_types.end() )
-		type = TYPE_ENUM;
 	}
 
 void BuiltinFuncArg::PrintBro(FILE* fp)
@@ -75,21 +69,11 @@ void BuiltinFuncArg::PrintCArg(FILE* fp, int n)
 	{
 	const char* ctype = builtin_func_arg_type[type].c_type;
 	char buf[1024];
-	if ( type == TYPE_ENUM )
-		{
-		snprintf(buf, sizeof(buf),
-			builtin_func_arg_type[type].c_type, type_str);
-		ctype = buf;
-		}
 
 	fprintf(fp, "%s %s", ctype, name);
 	}
 
 void BuiltinFuncArg::PrintBroValConstructor(FILE* fp)
 	{
-	if ( type == TYPE_ENUM )
-		fprintf(fp, builtin_func_arg_type[type].constructor,
-			name, type_str);
-	else
-		fprintf(fp, builtin_func_arg_type[type].constructor, name);
+	fprintf(fp, builtin_func_arg_type[type].constructor, name);
 	}
diff --git a/src/bif_arg.h b/src/bif_arg.h
index 0462f6e173..4ba6fa0c4f 100644
--- a/src/bif_arg.h
+++ b/src/bif_arg.h
@@ -1,5 +1,3 @@
-// $Id: bif_arg.h 3234 2006-06-08 02:38:11Z vern $
-
 #ifndef bif_arg_h
 #define bif_arg_h
 
diff --git a/src/bif_type.def b/src/bif_type.def
index 94e12997e8..4e206ceea2 100644
--- a/src/bif_type.def
+++ b/src/bif_type.def
@@ -1,5 +1,3 @@
-// $Id: bif_type.def 5083 2007-11-28 17:42:58Z vern $
-
 // DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor)
 
 DEFINE_BIF_TYPE(TYPE_ADDR, 	"addr", "addr", "addr_type", 		"%s->AsAddr()", 	"new AddrVal(%s)")
@@ -12,7 +10,6 @@ DEFINE_BIF_TYPE(TYPE_DOUBLE, 	"double", "double", "double", 		"%s->AsDouble()",
 DEFINE_BIF_TYPE(TYPE_FILE, 	"file", "file", "BroFile*", 		"%s->AsFile()", 	"new Val(%s)")
 DEFINE_BIF_TYPE(TYPE_INT, 	"int", "int", "bro_int_t", 		"%s->AsInt()", 		"new Val(%s, TYPE_BOOL)")
 DEFINE_BIF_TYPE(TYPE_INTERVAL, 	"interval", "interval", "double", 	"%s->AsInterval()", 	"new IntervalVal(%s, Seconds)")
-DEFINE_BIF_TYPE(TYPE_NET, 	"net", "net", "addr_type", 		"%s->AsAddr()",		"new NetVal(%s)")
 DEFINE_BIF_TYPE(TYPE_PACKET, 	"packet", "packet", "TCP_TracePacket*", "%s->AsRecordVal()->GetOrigin()", "%s->PacketVal()")
 DEFINE_BIF_TYPE(TYPE_PATTERN, 	"pattern", "pattern", "RE_Matcher*", 	"%s->AsPattern()",	"new PatternVal(%s)")
 // DEFINE_BIF_TYPE(TYPE_PORT, 	"port", "port", "uint32", 		"%s->AsPortVal()->Port()", "incomplete data")
@@ -22,5 +19,4 @@ DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "StringVal*", 	"%s->AsStringVa
 // DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "BroString*", 	"%s->AsString()",	"new StringVal(%s)")
 DEFINE_BIF_TYPE(TYPE_SUBNET, 	"subnet", "subnet", "SubNetVal*", 	"%s->AsSubNetVal()",	"%s")
 DEFINE_BIF_TYPE(TYPE_TIME, 	"time", "time", "double", 		"%s->AsTime()", 	"new Val(%s, TYPE_TIME)")
-DEFINE_BIF_TYPE(TYPE_ENUM, 	"", "", "BroEnum::%s", 			"%s->InternalInt()",	"new EnumVal(%s, enum_%s)")
 DEFINE_BIF_TYPE(TYPE_OTHER, 	"", "", "Val*", 			"%s", 			"%s")
diff --git a/src/binpac-lib.pac b/src/binpac-lib.pac
index 4e95a1a3db..2c501d90a4 100644
--- a/src/binpac-lib.pac
+++ b/src/binpac-lib.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include <string.h>
 
diff --git a/src/binpac.pac b/src/binpac.pac
index 8704fb5a61..ae601ce6b9 100644
--- a/src/binpac.pac
+++ b/src/binpac.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # Prototypes for functions implemented in binpac-lib.pac.
 
 function bytestring_to_int(s: const_bytestring, base: int): int;
diff --git a/src/binpac_bro-lib.pac b/src/binpac_bro-lib.pac
index 20648e2d4f..c7cee6dc98 100644
--- a/src/binpac_bro-lib.pac
+++ b/src/binpac_bro-lib.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include "util.h"
 %}
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index ffeb4ff28d..dcdbe94f57 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef binpac_bro_h
 #define binpac_bro_h
 
diff --git a/src/bittorrent-analyzer.pac b/src/bittorrent-analyzer.pac
index f159588f0b..ee7a70ea21 100644
--- a/src/bittorrent-analyzer.pac
+++ b/src/bittorrent-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-#
 # This code contributed by Nadi Sarrar.
 
 connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) {
@@ -64,7 +62,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		handshake_ok = true;
 		if ( ::bittorrent_peer_handshake )
 			{
-			bro_event_bittorrent_peer_handshake(
+			BifEvent::generate_bittorrent_peer_handshake(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -82,7 +80,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_keep_alive )
 			{
-			bro_event_bittorrent_peer_keep_alive(
+			BifEvent::generate_bittorrent_peer_keep_alive(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -95,7 +93,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_choke )
 			{
-			bro_event_bittorrent_peer_choke(
+			BifEvent::generate_bittorrent_peer_choke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -108,7 +106,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unchoke )
 			{
-			bro_event_bittorrent_peer_unchoke(
+			BifEvent::generate_bittorrent_peer_unchoke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -121,7 +119,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_interested )
 			{
-			bro_event_bittorrent_peer_interested(
+			BifEvent::generate_bittorrent_peer_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -134,7 +132,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_not_interested )
 			{
-			bro_event_bittorrent_peer_not_interested(
+			BifEvent::generate_bittorrent_peer_not_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -147,7 +145,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_have )
 			{
-			bro_event_bittorrent_peer_have(
+			BifEvent::generate_bittorrent_peer_have(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -161,7 +159,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_bitfield )
 			{
-			bro_event_bittorrent_peer_bitfield(
+			BifEvent::generate_bittorrent_peer_bitfield(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -176,7 +174,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_request )
 			{
-			bro_event_bittorrent_peer_request(
+			BifEvent::generate_bittorrent_peer_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -191,7 +189,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_piece )
 			{
-			bro_event_bittorrent_peer_piece(
+			BifEvent::generate_bittorrent_peer_piece(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -206,7 +204,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_cancel )
 			{
-			bro_event_bittorrent_peer_cancel(
+			BifEvent::generate_bittorrent_peer_cancel(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -220,7 +218,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_port )
 			{
-			bro_event_bittorrent_peer_port(
+			BifEvent::generate_bittorrent_peer_port(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -234,7 +232,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unknown )
 			{
-			bro_event_bittorrent_peer_unknown(
+			BifEvent::generate_bittorrent_peer_unknown(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
diff --git a/src/bittorrent-protocol.pac b/src/bittorrent-protocol.pac
index 8bd1652cfa..d3a147f157 100644
--- a/src/bittorrent-protocol.pac
+++ b/src/bittorrent-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-#
 # This code contributed by Nadi Sarrar.
 
 enum BitTorrent_peer_msg_type {
diff --git a/src/bro.bif b/src/bro.bif
index 0de77bfc49..27d6216f1a 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1,6 +1,8 @@
-# $Id: bro.bif 7075 2010-09-13 02:39:38Z vern $
-#
-# Definitions of Bro built-in functions.
+##! A collection of built-in functions that implement a variety of things
+##! such as general programming algorithms, string processing, math functions,
+##! introspection, type conversion, file/directory manipulation, packet
+##! filtering, inter-process communication and controlling protocol analyzer
+##! behavior.
 
 %%{ // C segment
 #include <math.h>
@@ -9,11 +11,14 @@
 #include <algorithm>
 #include <cmath>
 #include <sys/stat.h>
+#include <cstdio>
 
+#include "Reporter.h"
 
 using namespace std;
 
 RecordType* ftp_port;
+RecordType* net_stats;
 RecordType* bro_resources;
 RecordType* matcher_stats;
 TableType* var_sizes;
@@ -93,7 +98,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 
 	if ( field_width > 128 || precision > 128 )
 		{
-		builtin_run_time("excessive field width or precision");
+		builtin_error("excessive field width or precision");
 		return;
 		}
 
@@ -124,7 +129,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 		}
 
 	if ( precision >= 0 && *fmt != 'e' && *fmt != 'f' && *fmt != 'g' )
-		builtin_run_time("precision specified for non-floating point");
+		builtin_error("precision specified for non-floating point");
 
 	switch ( *fmt ) {
 	case 'D':
@@ -132,7 +137,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 		{
 		if ( t != TYPE_TIME )
 			{
-			builtin_run_time("bad type for Date/Time format", v);
+			builtin_error("bad type for Date/Time format", v);
 			break;
 			}
 
@@ -206,7 +211,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 
 		else if ( ! check_fmt_type(t, ok_d_fmt) )
 			{
-			builtin_run_time("bad type for %d/%x format", v);
+			builtin_error("bad type for %d/%x format", v);
 			break;
 			}
 
@@ -249,7 +254,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 		{
 		if ( ! check_fmt_type(t, ok_f_fmt) )
 			{
-			builtin_run_time("bad type for floating-point format", v);
+			builtin_error("bad type for floating-point format", v);
 			break;
 			}
 
@@ -260,7 +265,7 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 		break;
 
 	default:
-		builtin_run_time("bad format");
+		builtin_error("bad format");
 	}
 
 	// Left-padding with whitespace, if any.
@@ -316,482 +321,48 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 	}
 %%}
 
-function length%(v: any%): count
-	%{
-	TableVal* tv = v->Type()->Tag() == TYPE_TABLE ? v->AsTableVal() : 0;
-
-	if ( tv )
-		return new Val(tv->Size(), TYPE_COUNT);
-
-	else if ( v->Type()->Tag() == TYPE_VECTOR )
-		return new Val(v->AsVectorVal()->Size(), TYPE_COUNT);
-
-	else
-		{
-		builtin_run_time("length() requires a table/set/vector argument");
-		return new Val(0, TYPE_COUNT);
-		}
-	%}
-
-function same_object%(o1: any, o2: any%): bool
-	%{
-	return new Val(o1 == o2, TYPE_BOOL);
-	%}
-
-function clear_table%(v: any%): any
-	%{
-	if ( v->Type()->Tag() == TYPE_TABLE )
-		v->AsTableVal()->RemoveAll();
-	else
-		builtin_run_time("clear_table() requires a table/set argument");
-
-	return 0;
-	%}
-
-function cat%(...%): string
-	%{
-	ODesc d;
-	loop_over_list(@ARG@, i)
-		@ARG@[i]->Describe(&d);
-
-	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
-	s->SetUseFreeToDelete(true);
-
-	return new StringVal(s);
-	%}
-
-function cat_sep%(sep: string, def: string, ...%): string
-	%{
-	ODesc d;
-	int pre_size = 0;
-
-	loop_over_list(@ARG@, i)
-		{
-		// Skip named parameters.
-		if ( i < 2 )
-			continue;
-
-		if ( i > 2 )
-			d.Add(sep->CheckString(), 0);
-
-		Val* v = @ARG@[i];
-		if ( v->Type()->Tag() == TYPE_STRING && ! v->AsString()->Len() )
-			v = def;
-
-		v->Describe(&d);
-		}
-
-	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
-	s->SetUseFreeToDelete(true);
-
-	return new StringVal(s);
-	%}
-
-function fmt%(...%): string
-	%{
-	if ( @ARGC@ == 0 )
-		return new StringVal("");
-
-	Val* fmt_v = @ARG@[0];
-	if ( fmt_v->Type()->Tag() != TYPE_STRING )
-		return bro_cat(frame, @ARGS@);
-
-	const char* fmt = fmt_v->AsString()->CheckString();
-	ODesc d;
-	int n = 0;
-
-	while ( next_fmt(fmt, @ARGS@, &d, n) )
-		;
-
-	if ( n < @ARGC@ - 1 )
-		builtin_run_time("too many arguments for format", fmt_v);
-
-	else if ( n >= @ARGC@ )
-		builtin_run_time("too few arguments for format", fmt_v);
-
-	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
-	s->SetUseFreeToDelete(true);
-
-	return new StringVal(s);
-	%}
-
-function type_name%(t: any%): string
-	%{
-	ODesc d;
-	t->Type()->Describe(&d);
-
-	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
-	s->SetUseFreeToDelete(true);
-
-	return new StringVal(s);
-	%}
-
-function to_int%(str: string%): int
-	%{
-	const char* s = str->CheckString();
-	char* end_s;
-
-	long l = strtol(s, &end_s, 10);
-	int i = int(l);
-
-#if 0
-	// Not clear we should complain.  For example, is " 205 "
-	// a legal conversion?
-	if ( s[0] == '\0' || end_s[0] != '\0' )
-		builtin_run_time("bad conversion to integer", @ARG@[0]);
-#endif
-
-	return new Val(i, TYPE_INT);
-	%}
-
-function int_to_count%(n: int%): count
-	%{
-	if ( n < 0 )
-		{
-		builtin_run_time("bad conversion to count", @ARG@[0]);
-		n = 0;
-		}
-	return new Val(n, TYPE_COUNT);
-	%}
-
-function double_to_count%(d: double%): count
-	%{
-	if ( d < 0.0 )
-		builtin_run_time("bad conversion to count", @ARG@[0]);
-
-	return new Val(bro_uint_t(rint(d)), TYPE_COUNT);
-	%}
-
-function to_count%(str: string%): count
-	%{
-	const char* s = str->CheckString();
-	char* end_s;
-
-	long l = strtol(s, &end_s, 10);
-	uint32 u = uint32(l);
-
-#if 0
-	if ( s[0] == '\0' || end_s[0] != '\0' )
-		builtin_run_time("bad conversion to count", @ARGS@[0]);
-#endif
-
-	return new Val(u, TYPE_COUNT);
-	%}
-
-function interval_to_double%(i: interval%): double
-	%{
-	return new Val(i, TYPE_DOUBLE);
-	%}
-
-function time_to_double%(t: time%): double
-	%{
-	return new Val(t, TYPE_DOUBLE);
-	%}
-
-function double_to_time%(d: double%): time
-	%{
-	return new Val(d, TYPE_TIME);
-	%}
-
-function double_to_interval%(d: double%): interval
-	%{
-	return new Val(d, TYPE_INTERVAL);
-	%}
-
-function addr_to_count%(a: addr%): count
-	%{
-#ifdef BROv6
-	if ( ! is_v4_addr(a) )
-		{
-		builtin_run_time("conversion of non-IPv4 address to count", @ARG@[0]);
-		return new Val(0, TYPE_COUNT);
-		}
-
-	uint32 addr = to_v4_addr(a);
-#else
-	uint32 addr = a;
-#endif
-	return new Val(ntohl(addr), TYPE_COUNT);
-	%}
-
-function port_to_count%(p: port%): count
-	%{
-	return new Val(p->Port(), TYPE_COUNT);
-	%}
-
-function count_to_port%(c: count, t: transport_proto%): port
-	%{
-	return new PortVal(c, (TransportProto)(t->InternalInt()));
-	%}
-
-function floor%(d: double%): double
-	%{
-	return new Val(floor(d), TYPE_DOUBLE);
-	%}
-
-function to_addr%(ip: string%): addr
-	%{
-	char* s = ip->AsString()->Render();
-	Val* ret = new AddrVal(s);
-	delete [] s;
-	return ret;
-	%}
-
-# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
-function raw_bytes_to_v4_addr%(b: string%): addr
-	%{
-	uint32 a = 0;
-
-	if ( b->Len() < 4 )
-		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
-
-	else
-		{
-		const u_char* bp = b->Bytes();
-		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
-		}
-
-	return new AddrVal(htonl(a));
-	%}
-
-function to_net%(a: addr%): net
-	%{
-#ifdef BROv6
-	if ( ! is_v4_addr(a) )
-		{
-		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
-		return new NetVal(uint32(0));
-		}
-
-	uint32 addr = to_v4_addr(a);
-#else
-	uint32 addr = a;
-#endif
-
-	addr = htonl(addr_to_net(ntohl(addr)));
-
-	return new NetVal(addr);
-	%}
-
-function net_to_subnet%(a: net%): subnet
-	%{
-#ifdef BROv6
-	if ( ! is_v4_addr(a) )
-		{
-		builtin_run_time("conversion of non-IPv4 address to subnet", @ARG@[0]);
-		return new SubNetVal(uint32(0), 0);
-		}
-
-	uint32 addr = to_v4_addr(a);
-#else
-	uint32 addr = a;
-#endif
-
-	switch ( addr_to_class(ntohl(addr)) ) {
-	case 'A':
-		return new SubNetVal(addr, 8);
-	case 'B':
-		return new SubNetVal(addr, 16);
-	case 'C':
-	case 'D':
-		return new SubNetVal(addr, 24);
-
-	default:
-		return new SubNetVal(addr, 0);
-	}
-	%}
-
-function to_port%(num: count, proto: transport_proto%): port
-	%{
-	return new PortVal(num, (TransportProto)proto->AsEnum());
-	%}
-
-function mask_addr%(a: addr, top_bits_to_keep: count%): addr
-	%{
-	return new AddrVal(mask_addr(a, top_bits_to_keep));
-	%}
-
-# Take some top bits (e.g. subnet address) from a1 and the other
-# bits (intra-subnet part) from a2 and merge them to get a new address.
-# This is useful for anonymizing at subnet level while preserving
-# serial scans.
-function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
-	%{
-#ifdef BROv6
-	if ( ! is_v4_addr(a1) || ! is_v4_addr(a2) )
-		{
-		builtin_run_time("cannot use remask_addr on IPv6 addresses");
-		return new AddrVal(a1);
-		}
-
-	uint32 x1 = to_v4_addr(a1);
-	uint32 x2 = to_v4_addr(a2);
-#else
-	uint32 x1 = a1;
-	uint32 x2 = a2;
-#endif
-	return new AddrVal(
-		mask_addr(x1, top_bits_from_a1) |
-		(x2 ^ mask_addr(x2, top_bits_from_a1)) );
-	%}
-
-function is_tcp_port%(p: port%): bool
-	%{
-	return new Val(p->IsTCP(), TYPE_BOOL);
-	%}
-
-function is_udp_port%(p: port%): bool
-	%{
-	return new Val(p->IsUDP(), TYPE_BOOL);
-	%}
-
-function is_icmp_port%(p: port%): bool
-	%{
-	return new Val(p->IsICMP(), TYPE_BOOL);
-	%}
-
-function reading_live_traffic%(%): bool
-	%{
-	return new Val(reading_live, TYPE_BOOL);
-	%}
-
-function reading_traces%(%): bool
-	%{
-	return new Val(reading_traces, TYPE_BOOL);
-	%}
-
-function open%(f: string%): file
-	%{
-	const char* file = f->CheckString();
-
-	if ( streq(file, "-") )
-		return new Val(new BroFile(stdout, "-", "w"));
-	else
-		return new Val(new BroFile(file, "w"));
-	%}
-
-function open_for_append%(f: string%): file
-	%{
-	return new Val(new BroFile(f->CheckString(), "a"));
-	%}
-
-function close%(f: file%): bool
-	%{
-	return new Val(f->Close(), TYPE_BOOL);
-	%}
-
-function write_file%(f: file, data: string%): bool
-	%{
-	if ( ! f )
-		return new Val(0, TYPE_BOOL);
-
-	return new Val(f->Write((const char*) data->Bytes(), data->Len()),
-			TYPE_BOOL);
-	%}
-
-function set_buf%(f: file, buffered: bool%): any
-	%{
-	f->SetBuf(buffered);
-	return new Val(0, TYPE_VOID);
-	%}
-
-function flush_all%(%): bool
-	%{
-	return new Val(fflush(0) == 0, TYPE_BOOL);
-	%}
-
-function mkdir%(f: string%): bool
-	%{
-	const char* filename = f->CheckString();
-	if ( mkdir(filename, 0777) < 0 && errno != EEXIST )
-		{
-		builtin_run_time("cannot create directory", @ARG@[0]);
-		return new Val(0, TYPE_BOOL);
-		}
-	else
-		return new Val(1, TYPE_BOOL);
-	%}
-
-function active_file%(f: file%): bool
-	%{
-	return new Val(f->IsOpen(), TYPE_BOOL);
-	%}
-
-function active_connection%(id: conn_id%): bool
-	%{
-	Connection* c = sessions->FindConnection(id);
-	return new Val(c ? 1 : 0, TYPE_BOOL);
-	%}
-
-# Note, you *must* first make sure that the connection is active
-# (e.g., by calling active_connection()) before invoking this.
-function connection_record%(cid: conn_id%): connection
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( c )
-		return c->BuildConnVal();
-	else
-		{
-		// Hard to recover from this until we have union types ...
-		builtin_run_time("connection ID not a known connection (fatal)", cid);
-		exit(0);
-		return 0;
-		}
-	%}
-
-%%{
-EnumVal* map_conn_type(TransportProto tp)
-	{
-	switch ( tp ) {
-	case TRANSPORT_UNKNOWN:
-		return new EnumVal(0, transport_proto);
-		break;
-
-	case TRANSPORT_TCP:
-		return new EnumVal(1, transport_proto);
-		break;
-
-	case TRANSPORT_UDP:
-		return new EnumVal(2, transport_proto);
-		break;
-
-	case TRANSPORT_ICMP:
-		return new EnumVal(3, transport_proto);
-		break;
-
-	default:
-		internal_error("bad connection type in map_conn_type()");
-	}
-	}
-%%}
-
-function get_conn_transport_proto%(cid: conn_id%): transport_proto
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		{
-		builtin_run_time("unknown connection id in get_conn_transport_proto()", cid);
-		return new EnumVal(0, transport_proto);
-		}
-
-	return map_conn_type(c->ConnTransport());
-	%}
-
-function get_port_transport_proto%(p: port%): transport_proto
-	%{
-	return map_conn_type(p->PortType());
-	%}
-
+# ===========================================================================
+#
+#                                    Core
+#
+# ===========================================================================
+
+## Returns the current wall-clock time.
+##
+## In general, you should use :bro:id:`network_time` instead
+## unless you are using Bro for non-networking uses (such as general
+## scripting; not particularly recommended), because otherwise your script
+## may behave very differently on live traffic versus played-back traffic
+## from a save file.
+##
+## Returns: The wall-clock time.
+##
+## .. bro:see:: network_time
 function current_time%(%): time
 	%{
 	return new Val(current_time(), TYPE_TIME);
 	%}
 
+## Returns the timestamp of the last packet processed. This function returns
+## the timestamp of the most recently read packet, whether read from a
+## live network interface or from a save file.
+##
+## Returns: The timestamp of the packet processed.
+##
+## .. bro:see:: current_time
 function network_time%(%): time
 	%{
 	return new Val(network_time, TYPE_TIME);
 	%}
 
+## Returns a system environment variable.
+##
+## var: The name of the variable whose value to request.
+##
+## Returns: The system environment variable identified by *var*, or an empty
+##          string if it is not defined.
+##
+## .. bro:see:: setenv
 function getenv%(var: string%): string
 	%{
 	const char* env_val = getenv(var->CheckString());
@@ -800,40 +371,42 @@ function getenv%(var: string%): string
 	return new StringVal(env_val);
 	%}
 
-function sqrt%(x: double%): double
+## Sets a system environment variable.
+##
+## var: The name of the variable.
+##
+## val: The (new) value of the variable *var*.
+##
+## Returns: True on success.
+##
+## .. bro:see:: getenv
+function setenv%(var: string, val: string%): bool
 	%{
-	if ( x < 0 )
-		{
-		run_time("negative sqrt argument");
-		return new Val(-1.0, TYPE_DOUBLE);
-		}
+	int result = setenv(var->AsString()->CheckString(),
+	                    val->AsString()->CheckString(), 1);
 
-	return new Val(sqrt(x), TYPE_DOUBLE);
+	if ( result < 0 )
+		return new Val(0, TYPE_BOOL);
+	return new Val(1, TYPE_BOOL);
 	%}
 
-function exp%(d: double%): double
+## Shuts down the Bro process immediately.
+##
+## code: The exit code to return with.
+##
+## .. bro:see:: terminate
+function exit%(code: int%): any
 	%{
-	return new Val(exp(d), TYPE_DOUBLE);
-	%}
-
-# Natural log.
-function ln%(d: double%): double
-	%{
-	return new Val(log(d), TYPE_DOUBLE);
-	%}
-
-# Common log.
-function log10%(d: double%): double
-	%{
-	return new Val(log10(d), TYPE_DOUBLE);
-	%}
-
-function exit%(%): int
-	%{
-	exit(0);
+	exit(code);
 	return 0;
 	%}
 
+## Gracefully shut down Bro by terminating outstanding processing.
+##
+## Returns: True after successful termination and false when Bro is still in
+##          the process of shutting down.
+##
+## .. bro:see:: exit bro_is_terminating
 function terminate%(%): bool
 	%{
 	if ( terminating )
@@ -859,7 +432,7 @@ static bool prepare_environment(TableVal* tbl, bool set)
 		if ( key->Type()->Tag() != TYPE_STRING ||
 		     val->Type()->Tag() != TYPE_STRING )
 			{
-			builtin_run_time("system_env() needs a table[string] of string");
+			builtin_error("system_env() needs a table[string] of string");
 			return false;
 			}
 
@@ -890,17 +463,46 @@ static int do_system(const char* s)
 	}
 %%}
 
+## Invokes a command via the ``system`` function of the OS.
+## The command runs in the background with ``stdout`` redirecting to
+## ``stderr``. Here is a usage example:
+## ``system(fmt("rm \"%s\"", str_shell_escape(sniffed_data)));``
+##
+## str: The command to execute.
+##
+## Returns: The return value from the OS ``system`` function.
+##
+## .. bro:see:: system_env str_shell_escape piped_exec
+##
+## .. note::
+##
+##      Note that this corresponds to the status of backgrounding the
+##      given command, not to the exit status of the command itself. A
+##      value of 127 corresponds to a failure to execute ``sh``, and -1
+##      to an internal system failure.
 function system%(str: string%): int
 	%{
 	int result = do_system(str->CheckString());
 	return new Val(result, TYPE_INT);
 	%}
 
+## Invokes a command via the ``system`` function of the OS with a prepared
+## environment. The function is essentially the same as :bro:id:`system`,
+## but changes the environment before invoking the command.
+##
+## str: The command to execute.
+##
+## env: A :bro:type:`set` or :bro:type:`table` with the environment variables
+##      in the form of key-value pairs (where the value is optional).
+##
+## Returns: The return value from the OS ``system`` function.
+##
+## .. bro:see:: system str_shell_escape piped_exec
 function system_env%(str: string, env: any%): int
 	%{
 	if ( env->Type()->Tag() != TYPE_TABLE )
 		{
-		builtin_run_time("system_env() requires a table/set argument");
+		builtin_error("system_env() requires a table/set argument");
 		return new Val(-1, TYPE_INT);
 		}
 
@@ -914,524 +516,1181 @@ function system_env%(str: string, env: any%): int
 	return new Val(result, TYPE_INT);
 	%}
 
-
-%%{
-static Val* parse_eftp(const char* line)
-	{
-	RecordVal* r = new RecordVal(ftp_port);
-
-	int net_proto = 0;	// currently not used
-	uint32 addr = 0;
-	int port = 0;
-	int good = 0;
-
-	if ( line )
-		{
-		while ( isspace(*line) )	// skip whitespace
-			++line;
-
-		char delimiter = *line;
-		good = 1;
-		char* next_delim;
-
-		++line;	// cut off delimiter
-		net_proto = strtol(line, &next_delim, 10);	// currently ignored
-		if ( *next_delim != delimiter )
-			good = 0;
-
-		line = next_delim + 1;
-		if ( *line != delimiter )	// default of 0 is ok
-			{
-			addr = dotted_to_addr(line);
-			if ( addr == 0 )
-				good = 0;
-			}
-
-		// FIXME: check for garbage between IP and delimiter.
-		line = strchr(line, delimiter);
-
-		++line;	// now the port
-		port = strtol(line, &next_delim, 10);
-		if ( *next_delim != delimiter )
-			good = 0;
-		}
-
-	r->Assign(0, new AddrVal(addr));
-	r->Assign(1, new PortVal(port, TRANSPORT_TCP));
-	r->Assign(2, new Val(good, TYPE_BOOL));
-
-	return r;
-	}
-%%}
-
-%%{
-static Val* parse_port(const char* line)
-	{
-	RecordVal* r = new RecordVal(ftp_port);
-
-	int bytes[6];
-	if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
-			&bytes[0], &bytes[1], &bytes[2],
-			&bytes[3], &bytes[4], &bytes[5]) == 6 )
-		{
-		int good = 1;
-
-		for ( int i = 0; i < 6; ++i )
-			if ( bytes[i] < 0 || bytes[i] > 255 )
-				{
-				good = 0;
-				break;
-				}
-
-		uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) |
-				(bytes[2] << 8) | bytes[3];
-		uint32 port = (bytes[4] << 8) | bytes[5];
-
-		// Since port is unsigned, no need to check for < 0.
-		if ( port > 65535 )
-			{
-			port = 0;
-			good = 0;
-			}
-
-		r->Assign(0, new AddrVal(htonl(addr)));
-		r->Assign(1, new PortVal(port, TRANSPORT_TCP));
-		r->Assign(2, new Val(good, TYPE_BOOL));
-		}
-	else
-		{
-		r->Assign(0, new AddrVal(uint32(0)));
-		r->Assign(1, new PortVal(0, TRANSPORT_TCP));
-		r->Assign(2, new Val(0, TYPE_BOOL));
-		}
-
-	return r;
-	}
-%%}
-
-# Returns true if the given connection exists, false otherwise.
-function connection_exists%(c: conn_id%): bool
+## Opens a program with ``popen`` and writes a given string to the returned
+## stream to send it to the opened process's stdin.
+##
+## program: The program to execute.
+##
+## to_write: Data to pipe to the opened program's process via ``stdin``.
+##
+## Returns: True on success.
+##
+## .. bro:see:: system system_env
+function piped_exec%(program: string, to_write: string%): bool
 	%{
-	if ( sessions->FindConnection(c) )
-		return new Val(1, TYPE_BOOL);
-	else
-		return new Val(0, TYPE_BOOL);
-	%}
+	const char* prog = program->CheckString();
 
-# For a given connection ID, returns the corresponding "connection" record.
-# Generates a run-time error and returns a dummy value if the connection
-# doesn't exist.
-function lookup_connection%(cid: conn_id%): connection
-	%{
-	Connection* conn = sessions->FindConnection(cid);
-	if ( conn )
-		return conn->BuildConnVal();
-
-	builtin_run_time("connection ID not a known connection", cid);
-
-	// Return a dummy connection record.
-	RecordVal* c = new RecordVal(connection_type);
-
-	RecordVal* id_val = new RecordVal(conn_id);
-	id_val->Assign(0, new AddrVal((unsigned int) 0));
-	id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP));
-	id_val->Assign(2, new AddrVal((unsigned int) 0));
-	id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP));
-	c->Assign(0, id_val);
-
-	RecordVal* orig_endp = new RecordVal(endpoint);
-	orig_endp->Assign(0, new Val(0, TYPE_COUNT));
-	orig_endp->Assign(1, new Val(int(0), TYPE_COUNT));
-
-	RecordVal* resp_endp = new RecordVal(endpoint);
-	resp_endp->Assign(0, new Val(0, TYPE_COUNT));
-	resp_endp->Assign(1, new Val(int(0), TYPE_COUNT));
-
-	c->Assign(1, orig_endp);
-	c->Assign(2, resp_endp);
-
-	c->Assign(3, new Val(network_time, TYPE_TIME));
-	c->Assign(4, new Val(0.0, TYPE_INTERVAL));
-	c->Assign(5, new TableVal(string_set));	// service
-	c->Assign(6, new StringVal(""));	// addl
-	c->Assign(7, new Val(0, TYPE_COUNT));	// hot
-	c->Assign(8, new StringVal(""));	// history
-
-	return c;
-	%}
-
-function skip_further_processing%(cid: conn_id%): bool
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_BOOL);
-
-	c->SetSkip(1);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function set_record_packets%(cid: conn_id, do_record: bool%): bool
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_BOOL);
-
-	c->SetRecordPackets(do_record);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_BOOL);
-
-	c->GetRootAnalyzer()->SetContentsFile(direction, f);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function get_contents_file%(cid: conn_id, direction: count%): file
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0;
-
-	if ( f )
-		{
-		Ref(f);
-		return new Val(f);
-		}
-
-	// Return some sort of error value.
-	if ( ! c )
-		builtin_run_time("unknown connection id in get_contents_file()", cid);
-	else
-		builtin_run_time("no contents file for given direction");
-
-	return new Val(new BroFile(stderr, "-", "w"));
-	%}
-
-function get_file_name%(f: file%): string
-	%{
+	FILE* f = popen(prog, "w");
 	if ( ! f )
+		{
+		reporter->Error("Failed to popen %s", prog);
+		return new Val(0, TYPE_BOOL);
+		}
+
+	const u_char* input_data = to_write->Bytes();
+	int input_data_len = to_write->Len();
+
+	int bytes_written = fwrite(input_data, 1, input_data_len, f);
+
+	pclose(f);
+
+	if ( bytes_written != input_data_len )
+		{
+		reporter->Error("Failed to write all given data to %s", prog);
+		return new Val(0, TYPE_BOOL);
+		}
+
+	return new Val(1, TYPE_BOOL);
+	%}
+
+%%{
+static void hash_md5_val(val_list& vlist, unsigned char digest[16])
+	{
+	md5_state_s h;
+
+	md5_init(&h);
+	loop_over_list(vlist, i)
+		{
+		Val* v = vlist[i];
+		if ( v->Type()->Tag() == TYPE_STRING )
+			{
+			const BroString* str = v->AsString();
+			md5_append(&h, str->Bytes(), str->Len());
+			}
+		else
+			{
+			ODesc d(DESC_BINARY);
+			v->Describe(&d);
+			md5_append(&h, (const md5_byte_t *) d.Bytes(), d.Len());
+			}
+		}
+	md5_finish(&h, digest);
+	}
+
+static void hmac_md5_val(val_list& vlist, unsigned char digest[16])
+	{
+	hash_md5_val(vlist, digest);
+	for ( int i = 0; i < 16; ++i )
+		digest[i] = digest[i] ^ shared_hmac_md5_key[i];
+	hash_md5(16, digest, digest);
+	}
+%%}
+
+## Computes the MD5 hash value of the provided list of arguments.
+##
+## Returns: The MD5 hash value of the concatenated arguments.
+##
+## .. bro:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+##
+## .. note::
+##
+##      This function performs a one-shot computation of its arguments.
+##      For incremental hash computation, see :bro:id:`md5_hash_init` and
+##      friends.
+function md5_hash%(...%): string
+	%{
+	unsigned char digest[16];
+	hash_md5_val(@ARG@, digest);
+	return new StringVal(md5_digest_print(digest));
+	%}
+
+## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
+## secret key is generated from available entropy when Bro starts up, or it can
+## be specified for repeatability using the ``-K`` command line flag.
+##
+## Returns: The HMAC-MD5 hash value of the concatenated arguments.
+##
+## .. bro:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish
+function md5_hmac%(...%): string
+	%{
+	unsigned char digest[16];
+	hmac_md5_val(@ARG@, digest);
+	return new StringVal(md5_digest_print(digest));
+	%}
+
+%%{
+static map<BroString, md5_state_s> md5_states;
+
+BroString* convert_index_to_string(Val* index)
+	{
+	ODesc d;
+	index->Describe(&d);
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(1);
+	return s;
+	}
+%%}
+
+## Initializes MD5 state to enable incremental hash computation. After
+## initializing the MD5 state with this function, you can feed data to
+## :bro:id:`md5_hash_update` and finally need to call :bro:id:`md5_hash_finish`
+## to finish the computation and get the final hash value.
+##
+## For example, when computing incremental MD5 values of transferred files in
+## multiple concurrent HTTP connections, one would call ``md5_hash_init(c$id)``
+## once before invoking ``md5_hash_update(c$id, some_more_data)`` in the
+## :bro:id:`http_entity_data` event handler. When all data has arrived, a call
+## to :bro:id:`md5_hash_finish` returns the final hash value.
+##
+## index: The unique identifier to associate with this hash computation.
+##
+## .. bro:see:: md5_hash md5_hmac md5_hash_update md5_hash_finish
+function md5_hash_init%(index: any%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( md5_states.count(*s) < 1 )
+		{
+		md5_state_s h;
+		md5_init(&h);
+		md5_states[*s] = h;
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+## Update the MD5 value associated with a given index. It is required to
+## call :bro:id:`md5_hash_init` once before calling this
+## function.
+##
+## index: The unique identifier to associate with this hash computation.
+##
+## data: The data to add to the hash computation.
+##
+## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_finish
+function md5_hash_update%(index: any, data: string%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( md5_states.count(*s) > 0 )
+		{
+		md5_append(&md5_states[*s], data->Bytes(), data->Len());
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+## Returns the final MD5 digest of an incremental hash computation.
+##
+## index: The unique identifier of this hash computation.
+##
+## Returns: The hash value associated with the computation at *index*.
+##
+## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_update
+function md5_hash_finish%(index: any%): string
+	%{
+	BroString* s = convert_index_to_string(index);
+	StringVal* printable_digest;
+
+	if ( md5_states.count(*s) > 0 )
+		{
+		unsigned char digest[16];
+		md5_finish(&md5_states[*s], digest);
+		md5_states.erase(*s);
+		printable_digest = new StringVal(md5_digest_print(digest));
+		}
+	else
+		printable_digest = new StringVal("");
+
+	delete s;
+	return printable_digest;
+	%}
+
+## Generates a random number.
+##
+## max: The maximum value the random number.
+##
+## Returns: a random positive integer in the interval *[0, max)*.
+##
+## .. bro:see:: srand
+##
+## .. note::
+##
+##      This function is a wrapper about the function ``rand`` provided by
+##      the OS.
+function rand%(max: count%): count
+	%{
+	int result;
+	result = bro_uint_t(double(max) * double(rand()) / (RAND_MAX + 1.0));
+	return new Val(result, TYPE_COUNT);
+	%}
+
+## Sets the seed for subsequent :bro:id:`rand` calls.
+##
+## seed: The seed for the PRNG.
+##
+## .. bro:see:: rand
+##
+## .. note::
+##
+##      This function is a wrapper about the function ``srand`` provided
+##      by the OS.
+function srand%(seed: count%): any
+	%{
+	srand(seed);
+	return 0;
+	%}
+
+%%{
+#include <syslog.h>
+%%}
+
+## Send a string to syslog.
+##
+## s: The string to log via syslog
+function syslog%(s: string%): any
+	%{
+	reporter->Syslog("%s", s->CheckString());
+	return 0;
+	%}
+
+%%{
+extern "C" {
+#include <magic.h>
+}
+%%}
+
+## Determines the MIME type of a piece of data using ``libmagic``.
+##
+## data: The data to find the MIME type for.
+##
+## return_mime: If true, the function returns a short MIME type string (e.g.,
+##              ``text/plain`` instead of a more elaborate textual description.
+##
+## Returns: The MIME type of *data*.
+function identify_data%(data: string, return_mime: bool%): string
+	%{
+	const char* descr = "";
+
+	static magic_t magic_mime = 0;
+	static magic_t magic_descr = 0;
+
+	magic_t* magic = return_mime ? &magic_mime : &magic_descr;
+
+	if( ! *magic )
+		{
+		*magic = magic_open(return_mime ? MAGIC_MIME : MAGIC_NONE);
+
+		if ( ! *magic )
+			{
+			reporter->Error("can't init libmagic: %s", magic_error(*magic));
+			return new StringVal("");
+			}
+
+		if ( magic_load(*magic, 0) < 0 )
+			{
+			reporter->Error("can't load magic file: %s", magic_error(*magic));
+			magic_close(*magic);
+			*magic = 0;
+			return new StringVal("");
+			}
+		}
+
+	descr = magic_buffer(*magic, data->Bytes(), data->Len());
+
+	return new StringVal(descr);
+	%}
+
+%%{
+#include <RandTest.h>
+static map<BroString, RandTest*> entropy_states;
+%%}
+
+## Performs an entropy test on the given data.
+## See http://www.fourmilab.ch/random.
+##
+## data: The data to compute the entropy for.
+##
+## Returns: The result of the entropy test, which contains the following
+##          fields.
+##
+##              - ``entropy``: The information density expressed as a number of
+##                bits per character.
+##
+##              - ``chi_square``: The chi-square test value expressed as an
+##                absolute number and a percentage which indicates how
+##                frequently a truly random sequence would exceed the value
+##                calculated, i.e., the degree to which the sequence tested is
+##                suspected of being non-random.
+##
+##                If the percentage is greater than 99% or less than 1%, the
+##                sequence is almost certainly not random. If the percentage is
+##                between 99% and 95% or between 1% and 5%, the sequence is
+##                suspect. Percentages between 90\% and 95\% and 5\% and 10\%
+##                indicate the sequence is "almost suspect."
+##
+##              - ``mean``: The arithmetic mean of all the bytes. If the data
+##                are close to random, it should be around 127.5.
+##
+##              - ``monte_carlo_pi``: Each successive sequence of six bytes is
+##                used as 24-bit *x* and *y* coordinates within a square. If
+##                the distance of the randomly-generated point is less than the
+##                radius of a circle inscribed within the square, the six-byte
+##                sequence is considered a "hit." The percentage of hits can
+##                be used to calculate the value of pi. For very large streams
+##                the value will approach the correct value of pi if the
+##                sequence is close to random.
+##
+##              - ``serial_correlation``: This quantity measures the extent to
+##                which each byte in the file depends upon the previous byte.
+##                For random sequences this value will be close to zero.
+##
+## .. bro:see:: entropy_test_init entropy_test_add entropy_test_finish
+function find_entropy%(data: string%): entropy_test_result
+	%{
+	double montepi, scc, ent, mean, chisq;
+	montepi = scc = ent = mean = chisq = 0.0;
+	RecordVal* ent_result = new RecordVal(entropy_test_result);
+	RandTest *rt = new RandTest();
+
+	rt->add((char*) data->Bytes(), data->Len());
+	rt->end(&ent, &chisq, &mean, &montepi, &scc);
+	delete rt;
+
+	ent_result->Assign(0, new Val(ent,     TYPE_DOUBLE));
+	ent_result->Assign(1, new Val(chisq,   TYPE_DOUBLE));
+	ent_result->Assign(2, new Val(mean,    TYPE_DOUBLE));
+	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
+	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
+	return ent_result;
+	%}
+
+## Initializes data structures for incremental entropy calculation.
+##
+## index: An arbitrary unique value per distinct computation.
+##
+## Returns: True on success.
+##
+## .. bro:see:: find_entropy entropy_test_add entropy_test_finish
+function entropy_test_init%(index: any%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( entropy_states.count(*s) < 1 )
+		{
+		entropy_states[*s] = new RandTest();
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+## Adds data to an incremental entropy calculation. Before using this function,
+## one needs to invoke :bro:id:`entropy_test_init`.
+##
+## data: The data to add to the entropy calculation.
+##
+## index: An arbitrary unique value that identifies a particular entropy
+##        computation.
+##
+## Returns: True on success.
+##
+## .. bro:see:: find_entropy entropy_test_add entropy_test_finish
+function entropy_test_add%(index: any, data: string%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( entropy_states.count(*s) > 0 )
+		{
+		entropy_states[*s]->add((char*) data->Bytes(), data->Len());
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+## Finishes an incremental entropy calculation. Before using this function,
+## one needs to initialize the computation with :bro:id:`entropy_test_init` and
+## add data to it via :bro:id:`entropy_test_add`.
+##
+## index: An arbitrary unique value that identifies a particular entropy
+##        computation.
+##
+## Returns: The result of the entropy test. See :bro:id:`find_entropy` for a
+##          description of the individual components.
+##
+## .. bro:see:: find_entropy entropy_test_init entropy_test_add
+function entropy_test_finish%(index: any%): entropy_test_result
+	%{
+	BroString* s = convert_index_to_string(index);
+	double montepi, scc, ent, mean, chisq;
+	montepi = scc = ent = mean = chisq = 0.0;
+	RecordVal* ent_result = new RecordVal(entropy_test_result);
+
+	if ( entropy_states.count(*s) > 0 )
+		{
+		RandTest *rt = entropy_states[*s];
+		rt->end(&ent, &chisq, &mean, &montepi, &scc);
+		entropy_states.erase(*s);
+		delete rt;
+		}
+
+	ent_result->Assign(0, new Val(ent,     TYPE_DOUBLE));
+	ent_result->Assign(1, new Val(chisq,   TYPE_DOUBLE));
+	ent_result->Assign(2, new Val(mean,    TYPE_DOUBLE));
+	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
+	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
+
+	delete s;
+	return ent_result;
+	%}
+
+## Creates an identifier that is unique with high probability.
+##
+## prefix: A custom string prepended to the result.
+##
+## .. bro:see:: unique_id_from
+function unique_id%(prefix: string%) : string
+	%{
+	char tmp[20];
+	uint64 uid = calculate_unique_id(UID_POOL_DEFAULT_SCRIPT);
+	return new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62, prefix->CheckString()));
+	%}
+
+## Creates an identifier that is unique with high probability.
+##
+## pool: A seed for determinism.
+##
+## prefix: A custom string prepended to the result.
+##
+## .. bro:see:: unique_id
+function unique_id_from%(pool: int, prefix: string%) : string
+	%{
+	pool += UID_POOL_CUSTOM_SCRIPT; // Make sure we don't conflict with internal pool.
+
+	char tmp[20];
+	uint64 uid = calculate_unique_id(pool);
+	return new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62, prefix->CheckString()));
+	%}
+
+# ===========================================================================
+#
+#                             Generic Programming
+#
+# ===========================================================================
+
+## Removes all elements from a set or table.
+##
+## v: The set or table
+##
+## Returns: The cleared set/table or 0 if *v* is not a set/table type.
+function clear_table%(v: any%): any
+	%{
+	if ( v->Type()->Tag() == TYPE_TABLE )
+		v->AsTableVal()->RemoveAll();
+	else
+		builtin_error("clear_table() requires a table/set argument");
+
+	return 0;
+	%}
+
+## Returns the number of elements in a container. This function works with all
+## container types, i.e., sets, tables, and vectors.
+##
+## v: The container whose elements are counted.
+##
+## Returns: The number of elements in *v*.
+function length%(v: any%): count
+	%{
+	TableVal* tv = v->Type()->Tag() == TYPE_TABLE ? v->AsTableVal() : 0;
+
+	if ( tv )
+		return new Val(tv->Size(), TYPE_COUNT);
+
+	else if ( v->Type()->Tag() == TYPE_VECTOR )
+		return new Val(v->AsVectorVal()->Size(), TYPE_COUNT);
+
+	else
+		{
+		builtin_error("length() requires a table/set/vector argument");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+## Checks whether two objects reference the same internal object. This function
+## uses equality comparison of C++ raw pointer values to determine if the two
+## objects are the same.
+##
+## o1: The first object.
+##
+## o2: The second object.
+##
+## Returns: True if *o1* and *o2* are equal.
+function same_object%(o1: any, o2: any%): bool
+	%{
+	return new Val(o1 == o2, TYPE_BOOL);
+	%}
+
+## Returns the number bytes that a value occupies in memory.
+##
+## v: The value
+##
+## Returns: The number of bytes that *v* occupies.
+function val_size%(v: any%): count
+	%{
+	return new Val(v->MemoryAllocation(), TYPE_COUNT);
+	%}
+
+## Resizes a vector.
+##
+## aggr: The vector instance.
+##
+## newsize: The new size of *aggr*.
+##
+## Returns: The old size of *aggr* and 0 if *aggr* is not a :bro:type:`vector`.
+function resize%(aggr: any, newsize: count%) : count
+	%{
+	if ( aggr->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_error("resize() operates on vectors");
+		return 0;
+		}
+
+	return new Val(aggr->AsVectorVal()->Resize(newsize), TYPE_COUNT);
+	%}
+
+## Tests whether a boolean vector (``vector of bool``) has *any* true
+## element.
+##
+## v: The boolean vector instance.
+##
+## Returns: True if any element in *v* is true.
+##
+## .. bro:see:: all_set
+function any_set%(v: any%) : bool
+	%{
+	if ( v->Type()->Tag() != TYPE_VECTOR ||
+	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
+		{
+		builtin_error("any_set() requires vector of bool");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	VectorVal* vv = v->AsVectorVal();
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
+		if ( vv->Lookup(i) && vv->Lookup(i)->AsBool() )
+			return new Val(true, TYPE_BOOL);
+
+	return new Val(false, TYPE_BOOL);
+	%}
+
+## Tests whether *all* elements of a boolean vector (``vector of bool``) are
+## true.
+##
+## v: The boolean vector instance.
+##
+## Returns: True iff all elements in *v* are true.
+##
+## .. bro:see:: any_set
+##
+## .. note::
+##
+##      Missing elements count as false.
+function all_set%(v: any%) : bool
+	%{
+	if ( v->Type()->Tag() != TYPE_VECTOR ||
+	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
+		{
+		builtin_error("all_set() requires vector of bool");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	VectorVal* vv = v->AsVectorVal();
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
+		if ( ! vv->Lookup(i) || ! vv->Lookup(i)->AsBool() )
+			return new Val(false, TYPE_BOOL);
+
+	return new Val(true, TYPE_BOOL);
+	%}
+
+%%{
+static Func* sort_function_comp = 0;
+static Val** index_map = 0;	// used for indirect sorting to support order()
+
+bool sort_function(Val* a, Val* b)
+	{
+	// Sort missing values as "high".
+	if ( ! a )
+		return 0;
+	if ( ! b )
+		return 1;
+
+	val_list sort_func_args;
+	sort_func_args.append(a->Ref());
+	sort_func_args.append(b->Ref());
+
+	Val* result = sort_function_comp->Call(&sort_func_args);
+	int int_result = result->CoerceToInt();
+	Unref(result);
+
+	sort_func_args.remove_nth(1);
+	sort_func_args.remove_nth(0);
+
+	return int_result < 0;
+	}
+
+bool indirect_sort_function(int a, int b)
+	{
+	return sort_function(index_map[a], index_map[b]);
+	}
+
+bool int_sort_function (Val* a, Val* b)
+	{
+	if ( ! a )
+		return 0;
+	if ( ! b )
+		return 1;
+
+	int ia = a->CoerceToInt();
+	int ib = b->CoerceToInt();
+
+	return ia < ib;
+	}
+
+bool indirect_int_sort_function(int a, int b)
+	{
+	return int_sort_function(index_map[a], index_map[b]);
+	}
+%%}
+
+## Sorts a vector in place. The second argument is a comparison function that
+## takes two arguments: if the vector type is \verb|vector of T|, then the
+## comparison function must be ``function(a: T, b: T): bool``, which returns
+## ``a < b`` for some type-specific notion of the less-than operator.
+##
+## v: The vector instance to sort.
+##
+## Returns: The original vector.
+##
+## .. bro:see:: order
+function sort%(v: any, ...%) : any
+	%{
+	v->Ref();	// we always return v
+
+	if ( v->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_error("sort() requires vector");
+		return v;
+		}
+
+	BroType* elt_type = v->Type()->YieldType();
+	Func* comp = 0;
+
+	if ( @ARG@.length() > 2 )
+		builtin_error("sort() called with extraneous argument");
+
+	if ( @ARG@.length() == 2 )
+		{
+		Val* comp_val = @ARG@[1];
+		if ( ! IsFunc(comp_val->Type()->Tag()) )
+			{
+			builtin_error("second argument to sort() needs to be comparison function");
+			return v;
+			}
+
+		comp = comp_val->AsFunc();
+		}
+
+	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
+		builtin_error("comparison function required for sort() with non-integral types");
+
+	vector<Val*>& vv = *v->AsVector();
+
+	if ( comp )
+		{
+		FuncType* comp_type = comp->FType()->AsFuncType();
+		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
+		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
+			{
+			builtin_error("invalid comparison function in call to sort()");
+			return v;
+			}
+
+		sort_function_comp = comp;
+
+		sort(vv.begin(), vv.end(), sort_function);
+		}
+	else
+		sort(vv.begin(), vv.end(), int_sort_function);
+
+	return v;
+	%}
+
+## Returns the order of the elements in a vector according to some
+## comparison function. See :bro:id:`sort` for details about the comparison
+## function.
+##
+## v: The vector whose order to compute.
+##
+## Returns: A ``vector of count`` with the indices of the ordered elements.
+##
+## .. bro:see:: sort
+function order%(v: any, ...%) : index_vec
+	%{
+	VectorVal* result_v =
+		new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+
+	if ( v->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_error("order() requires vector");
+		return result_v;
+		}
+
+	BroType* elt_type = v->Type()->YieldType();
+	Func* comp = 0;
+
+	if ( @ARG@.length() > 2 )
+		builtin_error("order() called with extraneous argument");
+
+	if ( @ARG@.length() == 2 )
+		{
+		Val* comp_val = @ARG@[1];
+		if ( ! IsFunc(comp_val->Type()->Tag()) )
+			{
+			builtin_error("second argument to order() needs to be comparison function");
+			return v;
+			}
+
+		comp = comp_val->AsFunc();
+		}
+
+	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
+		builtin_error("comparison function required for sort() with non-integral types");
+
+	vector<Val*>& vv = *v->AsVector();
+	int n = vv.size();
+
+	// Set up initial mapping of indices directly to corresponding
+	// elements.  We stay zero-based until after the sorting.
+	vector<int> ind_vv(n);
+	index_map = new Val*[n];
+	int i;
+	for ( i = 0; i < n; ++i )
+		{
+		ind_vv[i] = i;
+		index_map[i] = vv[i];
+		}
+
+	if ( comp )
+		{
+		FuncType* comp_type = comp->FType()->AsFuncType();
+		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
+		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
+			{
+			builtin_error("invalid comparison function in call to sort()");
+			return v;
+			}
+
+		sort_function_comp = comp;
+
+		sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function);
+		}
+	else
+		sort(ind_vv.begin(), ind_vv.end(), indirect_int_sort_function);
+
+	delete [] index_map;
+	index_map = 0;
+
+	// Now spin through ind_vv to read out the rearrangement,
+	// adjusting indices as we do so.
+	for ( i = 0; i < n; ++i )
+		{
+		int ind = ind_vv[i];
+		result_v->Assign(i, new Val(ind, TYPE_COUNT), 0);
+		}
+
+	return result_v;
+	%}
+
+# ===========================================================================
+#
+#                              String Processing
+#
+# ===========================================================================
+
+## Returns the concatenation of the string representation of its arguments. The
+## arguments can be of any type. For example, ``cat("foo", 3, T)`` returns
+## ``"foo3T"``.
+##
+## Returns: A string concatentation of all arguments.
+function cat%(...%): string
+	%{
+	ODesc d;
+	loop_over_list(@ARG@, i)
+		@ARG@[i]->Describe(&d);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+## Concatenates all arguments, with a separator placed between each one. This
+## function is similar to :bro:id:`cat`, but places a separator between each
+## given argument. If any of the variable arguments is an empty string it is
+## replaced by a given default string instead.
+##
+## sep: The separator to place betwen each argument.
+##
+## def: The default string to use when an argument is the empty string.
+##
+## Returns: A concatenation of all arguments with *sep* between each one and
+##          empty strings replaced with *def*.
+##
+## .. bro:see:: cat string_cat cat_string_array cat_string_array_n
+function cat_sep%(sep: string, def: string, ...%): string
+	%{
+	ODesc d;
+	int pre_size = 0;
+
+	loop_over_list(@ARG@, i)
+		{
+		// Skip named parameters.
+		if ( i < 2 )
+			continue;
+
+		if ( i > 2 )
+			d.Add(sep->CheckString(), 0);
+
+		Val* v = @ARG@[i];
+		if ( v->Type()->Tag() == TYPE_STRING && ! v->AsString()->Len() )
+			v = def;
+
+		v->Describe(&d);
+		}
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+## Produces a formatted string à la ``printf``. The first argument is the
+## *format string* and specifies how subsequent arguments are converted for
+## output. It is composed of zero or more directives: ordinary characters (not
+## ``%``), which are copied unchanged to the output, and conversion
+## specifications, each of which fetches zero or more subsequent arguments.
+## Conversion specifications begin with ``%`` and the arguments must properly
+## correspond to the specifier. After the ``%``, the following characters
+## may appear in sequence:
+##
+##    - ``%``: Literal ``%``
+##
+##    - ``-``: Left-align field
+##
+##    - ``[0-9]+``: The field width (< 128)
+##
+##    - ``.``: Precision of floating point specifiers ``[efg]`` (< 128)
+##
+##    - ``A``: Escape NUL bytes, i.e., replace ``0`` with ``\0``
+##
+##    - ``[DTdxsefg]``: Format specifier
+##
+##        - ``[DT]``: ISO timestamp with microsecond precision
+##
+##        - ``d``: Signed/Unsigned integer (using C-style ``%lld|``/``%llu``
+##                 for ``int``/``count``)
+##
+##        - ``x``: Unsigned hexadecimal (using C-style ``%llx``);
+##                 addresses/ports are converted to host-byte order
+##
+##        - ``s``: Escaped string
+##
+##        - ``[efg]``: Double
+##
+## Returns: Given no arguments, :bro:id:`fmt` returns an empty string. Given a
+##          non-string first argument, :bro:id:`fmt` returns the concatenation
+##          of all its arguments, per :bro:id:`cat`. Finally, given the wrong
+##          number of additional arguments for the given format specifier,
+##          :bro:id:`fmt` generates a run-time error.
+##
+## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
+function fmt%(...%): string
+	%{
+	if ( @ARGC@ == 0 )
 		return new StringVal("");
 
-	return new StringVal(f->Name());
+	Val* fmt_v = @ARG@[0];
+	if ( fmt_v->Type()->Tag() != TYPE_STRING )
+		return bro_cat(frame, @ARGS@);
+
+	const char* fmt = fmt_v->AsString()->CheckString();
+	ODesc d;
+	int n = 0;
+
+	while ( next_fmt(fmt, @ARGS@, &d, n) )
+		;
+
+	if ( n < @ARGC@ - 1 )
+		builtin_error("too many arguments for format", fmt_v);
+
+	else if ( n >= @ARGC@ )
+		builtin_error("too few arguments for format", fmt_v);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
 	%}
 
-# Set an individual inactivity timeout for this connection
-# (overrides the global inactivity_timeout).  Returns previous
-# timeout interval.
-function set_inactivity_timeout%(cid: conn_id, t: interval%): interval
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_INTERVAL);
-
-	double old_timeout = c->InactivityTimeout();
-	c->SetInactivityTimeout(t);
-
-	return new Val(old_timeout, TYPE_INTERVAL);
-	%}
-
-function get_login_state%(cid: conn_id%): count
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_BOOL);
-
-	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
-	if ( ! la )
-		return new Val(0, TYPE_BOOL);
-
-	return new Val(int(static_cast<Login_Analyzer*>(la)->LoginState()),
-			TYPE_COUNT);
-	%}
-
-function set_login_state%(cid: conn_id, new_state: count%): bool
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_BOOL);
-
-	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
-	if ( ! la )
-		return new Val(0, TYPE_BOOL);
-
-	static_cast<Login_Analyzer*>(la)->SetLoginState(login_state(new_state));
-	return new Val(1, TYPE_BOOL);
-	%}
-
-%%{
-#include "TCP.h"
-%%}
-
-function get_orig_seq%(cid: conn_id%): count
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_COUNT);
-
-	if ( c->ConnTransport() != TRANSPORT_TCP )
-		return new Val(0, TYPE_COUNT);
-
-	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
-	if ( tc )
-		return new Val(static_cast<TCP_Analyzer*>(tc)->OrigSeq(),
-				TYPE_COUNT);
-	else
-		{
-		run_time("connection does not have TCP analyzer");
-		return new Val(0, TYPE_COUNT);
-		}
-	%}
-
-function get_resp_seq%(cid: conn_id%): count
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		return new Val(0, TYPE_COUNT);
-
-	if ( c->ConnTransport() != TRANSPORT_TCP )
-		return new Val(0, TYPE_COUNT);
-
-	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
-	if ( tc )
-		return new Val(static_cast<TCP_Analyzer*>(tc)->RespSeq(),
-				TYPE_COUNT);
-	else
-		{
-		run_time("connection does not have TCP analyzer");
-		return new Val(0, TYPE_COUNT);
-		}
-	%}
-
-# These convert addresses <-> n3.n2.n1.n0.in-addr.arpa
-function ptr_name_to_addr%(s: string%): addr
-	%{
-	int a[4];
-	uint32 addr;
-
-	if ( sscanf(s->CheckString(),
-			"%d.%d.%d.%d.in-addr.arpa",
-			a, a+1, a+2, a+3) != 4 )
-		{
-		builtin_run_time("bad PTR name", @ARG@[0]);
-		addr = 0;
-		}
-	else
-		addr = (a[3] << 24) | (a[2] << 16) | (a[1] << 8) | a[0];
-
-	return new AddrVal(htonl(addr));
-	%}
-
-function addr_to_ptr_name%(a: addr%): string
-	%{
-	// ## Question:
-	// uint32 addr = ntohl((*args)[0]->InternalUnsigned());
-	uint32 addr;
-#ifdef BROv6
-	if ( is_v4_addr(a) )
-		addr = a[3];
-	else
-		{
-		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
-		addr = 0;
-		}
-#else
-	addr = a;
-#endif
-
-	addr = ntohl(addr);
-	uint32 a3 = (addr >> 24) & 0xff;
-	uint32 a2 = (addr >> 16) & 0xff;
-	uint32 a1 = (addr >> 8) & 0xff;
-	uint32 a0 = addr & 0xff;
-
-	char buf[256];
-	sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", a0, a1, a2, a3);
-
-	return new StringVal(buf);
-	%}
-
-# Transforms n0.n1.n2.n3 -> addr.
-function parse_dotted_addr%(s: string%): addr
-	%{
-	return new AddrVal(dotted_to_addr(s->CheckString()));
-	%}
-
-function parse_ftp_port%(s: string%): ftp_port
-	%{
-	return parse_port(s->CheckString());
-	%}
-
-function parse_eftp_port%(s: string%): ftp_port
-	%{
-	return parse_eftp(s->CheckString());
-	%}
-
-function parse_ftp_pasv%(str: string%): ftp_port
-	%{
-	const char* s = str->CheckString();
-	const char* line = strchr(s, '(');
-	if ( line )
-		++line;	// move past '('
-	else if ( (line = strstr(s, "PORT")) )
-		line += 5;	// Skip over
-	else if ( (line = strchr(s, ',')) )
-		{ // Look for comma-separated list.
-		while ( --line >= s && isdigit(*line) )
-			;	// Back up over preceding digits.
-		++line;	// now points to first digit, or beginning of s
-		}
-
-	return parse_port(line);
-	%}
-
-function parse_ftp_epsv%(str: string%): ftp_port
-	%{
-	const char* s = str->CheckString();
-	const char* line = strchr(s, '(');
-	if ( line )
-		++line; // move past '('
-	return parse_eftp(line);
-	%}
-
-function fmt_ftp_port%(a: addr, p: port%): string
-	%{
-#ifdef BROv6
-	if ( ! is_v4_addr(a) )
-		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
-
-	uint32 addr = to_v4_addr(a);
-#else
-	uint32 addr = a;
-#endif
-	addr = ntohl(addr);
-	uint32 pn = p->Port();
-	return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
-					addr >> 24, (addr >> 16) & 0xff,
-					(addr >> 8) & 0xff, addr & 0xff,
-					pn >> 8, pn & 0xff));
-	%}
-
-function decode_netbios_name%(name: string%): string
-	%{
-	char buf[16];
-	char result[32];
-	const u_char* s = name->Bytes();
-	int i, j;
-
-	for ( i = 0, j = 0; i < 16; ++i )
-		{
-		char c0 = (j < name->Len()) ? toupper(s[j++]) : 'A';
-		char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A';
-		buf[i] = ((c0 - 'A') << 4) + (c1 - 'A');
-		}
-
-	for ( i = 0; i < 15; ++i )
-		if ( isalnum(buf[i]) || ispunct(buf[i]) )
-			result[i] = buf[i];
-		else
-			break;
-
-	// The last byte denotes the name type.
-	snprintf(result + i, sizeof(result) - i, "<%02x>", buf[15]);
-
-	return new StringVal(result);
-	%}
-
-%%{
-#include "HTTP.h"
-
-const char* conn_id_string(Val* c)
-	{
-	Val* id = (*(c->AsRecord()))[0];
-	const val_list* vl = id->AsRecord();
-
-	addr_type orig_h = (*vl)[0]->AsAddr();
-	uint32 orig_p = (*vl)[1]->AsPortVal()->Port();
-	addr_type resp_h = (*vl)[2]->AsAddr();
-	uint32 resp_p = (*vl)[3]->AsPortVal()->Port();
-
-	return fmt("%s/%u -> %s/%u\n", dotted_addr(orig_h), orig_p, dotted_addr(resp_h), resp_p);
-	}
-%%}
-
-# Skip data of the HTTP entity on the connection
-function skip_http_entity_data%(c: connection, is_orig: bool%): any
-	%{
-	AnalyzerID id = mgr.CurrentAnalyzer();
-	if ( id )
-		{
-		Analyzer* ha = c->FindAnalyzer(id);
-
-		if ( ha->GetTag() == AnalyzerTag::HTTP )
-			static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
-		else
-			run_time("non-HTTP analyzer associated with connection record");
-		}
-
-	else
-		run_time("no analyzer associated with connection record");
-
-	return 0;
-	%}
-
-# Unescape all characters in the URI, i.e. decode every %xx group.
+# ===========================================================================
 #
-# Note that unescaping reserved characters may cause loss of
-# information (see below).
+#                                    Math
 #
-# RFC 2396: A URI is always in an "escaped" form, since escaping or
-# unescaping a completed URI might change its semantics.  Normally,
-# the only time escape encodings can safely be made is when the URI
-# is being created from its component parts.
+# ===========================================================================
 
-function unescape_URI%(URI: string%): string
+## Chops off any decimal digits of the given double, i.e., computes the
+## "floor" of it. For example, ``floor(3.14)`` returns ``3.0``.
+##
+## d: The :bro:type:`double` to manipulate.
+##
+## Returns: The next lowest integer of *d* as :bro:type:`double`.
+##
+## .. bro:see:: sqrt exp ln log10
+function floor%(d: double%): double
 	%{
-	const u_char* line = URI->Bytes();
-	const u_char* const line_end = line + URI->Len();
-
-	return new StringVal(unescape_URI(line, line_end, 0));
+	return new Val(floor(d), TYPE_DOUBLE);
 	%}
 
-%%{
-#include "SMTP.h"
-%%}
-
-# Skip smtp_data till next mail
-function skip_smtp_data%(c: connection%): any
+## Computes the square root of a :bro:type:`double`.
+##
+## x: The number to compute the square root of.
+##
+## Returns: The square root of *x*.
+##
+## .. bro:see:: floor exp ln log10
+function sqrt%(x: double%): double
 	%{
-	Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP);
-	if ( sa )
-		static_cast<SMTP_Analyzer*>(sa)->SkipData();
-	return 0;
+	if ( x < 0 )
+		{
+		reporter->Error("negative sqrt argument");
+		return new Val(-1.0, TYPE_DOUBLE);
+		}
+
+	return new Val(sqrt(x), TYPE_DOUBLE);
 	%}
 
-
-function bytestring_to_hexstr%(bytestring: string%): string
+## Computes the exponential function.
+##
+## d: The argument to the exponential function.
+##
+## Returns: *e* to the power of *d*.
+##
+## .. bro:see:: floor sqrt ln log10
+function exp%(d: double%): double
 	%{
-	bro_uint_t len = bytestring->AsString()->Len();
-	const u_char* bytes = bytestring->AsString()->Bytes();
-	char hexstr[(2 * len) + 1];
+	return new Val(exp(d), TYPE_DOUBLE);
+	%}
 
-	hexstr[0] = 0;
-	for ( bro_uint_t i = 0; i < len; ++i )
-		snprintf(hexstr + (2 * i), 3, "%.2hhx", bytes[i]);
+## Computes the natural logarithm of a number.
+##
+## d: The argument to the logarithm.
+##
+## Returns: The natural logarithm of *d*.
+##
+## .. bro:see:: exp floor sqrt log10
+function ln%(d: double%): double
+	%{
+	return new Val(log(d), TYPE_DOUBLE);
+	%}
 
-	return new StringVal(hexstr);
+## Computes the common logarithm of a number.
+##
+## d: The argument to the logarithm.
+##
+## Returns: The common logarithm of *d*.
+##
+## .. bro:see:: exp floor sqrt ln
+function log10%(d: double%): double
+	%{
+	return new Val(log10(d), TYPE_DOUBLE);
+	%}
+
+# ===========================================================================
+#
+#                                Introspection
+#
+# ===========================================================================
+
+## Determines whether *c* has been received externally. For example,
+## Broccoli or the Time Machine can send packets to Bro via a mechanism that
+## one step lower than sending events. This function checks whether the packets
+## of a connection stem from one of these external *packet sources*.
+##
+## c: The connection to test.
+##
+## Returns: True if *c* has been received externally.
+function is_external_connection%(c: connection%) : bool
+	%{
+	return new Val(c && c->IsExternal(), TYPE_BOOL);
+	%}
+
+## Returns the ID of the analyzer which raised the current event.
+##
+## Returns: The ID of the analyzer which raised hte current event, or 0 if
+##          none.
+function current_analyzer%(%) : count
+	%{
+	return new Val(mgr.CurrentAnalyzer(), TYPE_COUNT);
+	%}
+
+## Returns Bro's process ID.
+##
+## Returns: Bro's process ID.
+function getpid%(%) : count
+	%{
+	return new Val(getpid(), TYPE_COUNT);
 	%}
 
 %%{
 extern const char* bro_version();
 %%}
 
+## Returns the Bro version string.
+##
+## Returns: Bro's version, e.g., 2.0-beta-47-debug.
+function bro_version%(%): string
+	%{
+	return new StringVal(bro_version());
+	%}
+
+## Converts a record type name to a vector of strings, where each element is
+## the name of a record field. Nested records are flattened.
+##
+## rt: The name of the record type.
+##
+## Returns: A string vector with the field names of *rt*.
+function record_type_to_vector%(rt: string%): string_vec
+	%{
+	VectorVal* result =
+		new VectorVal(internal_type("string_vec")->AsVectorType());
+
+	RecordType *type = internal_type(rt->CheckString())->AsRecordType();
+
+	if ( type )
+		{
+		for ( int i = 0; i < type->NumFields(); ++i )
+			{
+			StringVal* val = new StringVal(type->FieldName(i));
+			result->Assign(i+1, val, 0);
+			}
+		}
+
+	return result;
+	%}
+
+## Returns the type name of an arbitrary Bro variable.
+##
+## t: An arbitrary object.
+##
+## Returns: The type name of *t*.
+function type_name%(t: any%): string
+	%{
+	ODesc d;
+	t->Type()->Describe(&d);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+## Checks whether Bro reads traffic from one or more network interfaces (as
+## opposed to from a network trace in a file). Note that this function returns
+## true even after Bro has stopped reading network traffic, for example due to
+## receiving a termination signal.
+##
+## Returns: True if reading traffic from a network interface.
+##
+## .. bro:see:: reading_traces
+function reading_live_traffic%(%): bool
+	%{
+	return new Val(reading_live, TYPE_BOOL);
+	%}
+
+## Checks whether Bro reads traffic from a trace file (as opposed to from a
+## network interface).
+##
+## Returns: True if reading traffic from a network trace.
+##
+## .. bro:see:: reading_live_traffic
+function reading_traces%(%): bool
+	%{
+	return new Val(reading_traces, TYPE_BOOL);
+	%}
+
+## Returns statistics about the number of packets *(i)* received by Bro,
+## *(ii)* dropped, and *(iii)* seen on the link (not always available).
+##
+## Returns: A record of packet statistics.
+##
+## .. bro:see:: do_profiling
+##              resource_usage
+##              get_matcher_stats
+##              dump_rule_stats
+##              get_gap_summary
+function net_stats%(%): NetStats
+	%{
+	unsigned int recv = 0;
+	unsigned int drop = 0;
+	unsigned int link = 0;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		PktSrc* ps = pkt_srcs[i];
+
+		struct PktSrc::Stats stat;
+		ps->Statistics(&stat);
+		recv += stat.received;
+		drop += stat.dropped;
+		link += stat.link;
+		}
+
+	RecordVal* ns = new RecordVal(net_stats);
+	ns->Assign(0, new Val(recv, TYPE_COUNT));
+	ns->Assign(1, new Val(drop, TYPE_COUNT));
+	ns->Assign(2, new Val(link, TYPE_COUNT));
+
+	return ns;
+	%}
+
+## Returns Bro process statistics, such as real/user/sys CPU time, memory
+## usage, page faults, number of TCP/UDP/ICMP connections, timers, and events
+## queued/dispatched.
+##
+## Returns: A record with resource usage statistics.
+##
+## .. bro:see:: do_profiling
+##              net_stats
+##              get_matcher_stats
+##              dump_rule_stats
+##              get_gap_summary
 function resource_usage%(%): bro_resources
 	%{
 	struct rusage r;
 
 	if ( getrusage(RUSAGE_SELF, &r) < 0 )
-		internal_error("getrusage() failed in bro_resource_usage()");
+		reporter->InternalError("getrusage() failed in bro_resource_usage()");
 
 	double elapsed_time = current_time() - bro_start_time;
 
@@ -1492,6 +1751,18 @@ function resource_usage%(%): bro_resources
 	return res;
 	%}
 
+## Returns statistics about the regular expression engine, such as the number
+## of distinct matchers, DFA states, DFA state transitions, memory usage of
+## DFA states, cache hits/misses, and average number of NFA states across all
+## matchers.
+##
+## Returns: A record with matcher statistics.
+##
+## .. bro:see:: do_profiling
+##              net_stats
+##              resource_usage
+##              dump_rule_stats
+##              get_gap_summary
 function get_matcher_stats%(%): matcher_stats
 	%{
 	RuleMatcher::Stats s;
@@ -1512,6 +1783,15 @@ function get_matcher_stats%(%): matcher_stats
 	return r;
 	%}
 
+## Returns statistics about TCP gaps.
+##
+## Returns: A record with TCP gap statistics.
+##
+## .. bro:see:: do_profiling
+##              net_stats
+##              resource_usage
+##              dump_rule_stats
+##              get_matcher_stats
 function get_gap_summary%(%): gap_info
 	%{
 	RecordVal* r = new RecordVal(gap_info);
@@ -1523,11 +1803,12 @@ function get_gap_summary%(%): gap_info
 	return r;
 	%}
 
-function val_size%(v: any%): count
-	%{
-	return new Val(v->MemoryAllocation(), TYPE_COUNT);
-	%}
-
+## Generates a table of the size of all global variables. The table index is
+## the variable name and the value the variable size in bytes.
+##
+## Returns: A table that maps variable names to their sizes.
+##
+## .. bro:see:: global_ids
 function global_sizes%(%): var_sizes
 	%{
 	TableVal* sizes = new TableVal(var_sizes);
@@ -1548,6 +1829,14 @@ function global_sizes%(%): var_sizes
 	return sizes;
 	%}
 
+## Generates a table with information about all global identifiers. The table
+## value is a record containing the type name of the identifier, whether it is
+## exported, a constant, an enum constant, redefinable, and its value (if it
+## has one).
+##
+## Returns: A table that maps identifier names to information about them.
+##
+## .. bro:see:: global_sizes
 function global_ids%(%): id_table
 	%{
 	TableVal* ids = new TableVal(id_table);
@@ -1582,222 +1871,799 @@ function global_ids%(%): id_table
 	return ids;
 	%}
 
-%%{
-#include "TCP_Rewriter.h"
-
-// Trace rewriting functions.
-class PacketDumper;
-extern PacketDumper* transformed_pkt_dump;
-extern void commit_trace(Val* conn_val, int commit, int future);
-%%}
-
-# True if we're rewriting (anonymizing), false otherwise.
-function rewriting_trace%(%): bool
+## Returns the value of a global identifier.
+##
+## id: The global identifier.
+##
+## Returns the value of *id*. If *id* does not describe a valid identifier, the
+## function returns the string ``"<unknown id>"`` or ``"<no ID value>"``.
+function lookup_ID%(id: string%) : any
 	%{
-	return new Val(transformed_pkt_dump != 0, TYPE_BOOL);
+	ID* i = global_scope()->Lookup(id->CheckString());
+	if ( ! i )
+		return new StringVal("<unknown id>");
+
+	if ( ! i->ID_Val() )
+		return new StringVal("<no ID value>");
+
+	return i->ID_Val()->Ref();
 	%}
 
-%%{
-#include "Anon.h"
-%%}
-
-# Preserve prefix as original one in anonymization.
-function preserve_prefix%(a: addr, width: count%): any
+## Generates meta data about a record fields. The returned information
+## includes the field name, whether it is logged, its value (if it has one),
+## and its default value (if specified).
+##
+## rec: The record to inspect.
+##
+## Returns: A table that describes the fields of a record.
+function record_fields%(rec: any%): record_field_table
 	%{
-	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
-	if ( ip_anon )
+	TableVal* fields = new TableVal(record_field_table);
+
+	RecordVal* rv = rec->AsRecordVal();
+	RecordType* rt = rv->Type()->AsRecordType();
+
+	if ( rt->Tag() != TYPE_RECORD )
 		{
-#ifdef BROv6
-		if ( ! is_v4_addr(a) )
-			builtin_run_time("preserve_prefix() not supported for IPv6 addresses");
-		else
-			ip_anon->PreservePrefix(a[3], width);
-#else
-		ip_anon->PreservePrefix(a, width);
-#endif
+		reporter->Error("non-record passed to record_fields");
+		return fields;
 		}
 
-
-	return 0;
-	%}
-
-function preserve_subnet%(a: subnet%): any
-	%{
-	DEBUG_MSG("%s/%d\n", dotted_addr(a->AsAddr()), a->Width());
-	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
-	if ( ip_anon )
+	for ( int i = 0; i < rt->NumFields(); ++i )
 		{
-#ifdef BROv6
-		if ( ! is_v4_addr(a->AsAddr()) )
-			builtin_run_time("preserve_subnet() not supported for IPv6 addresses");
-		else
-			ip_anon->PreservePrefix(a->AsAddr()[3], a->Width());
-#else
-		ip_anon->PreservePrefix(a->AsAddr(), a->Width());
-#endif
+		BroType* ft = rt->FieldType(i);
+		TypeDecl* fd = rt->FieldDecl(i);
+		Val* fv = rv->Lookup(i);
+
+		if ( fv )
+			Ref(fv);
+
+		bool logged = (fd->attrs && fd->FindAttr(ATTR_LOG) != 0);
+
+		RecordVal* nr = new RecordVal(record_field);
+		nr->Assign(0, new StringVal(type_name(rt->Tag())));
+		nr->Assign(1, new Val(logged, TYPE_BOOL));
+		nr->Assign(2, fv);
+		nr->Assign(3, rt->FieldDefault(i));
+
+		Val* field_name = new StringVal(rt->FieldName(i));
+		fields->Assign(field_name, nr);
+		Unref(field_name);
 		}
 
+	return fields;
+	%}
+
+## Enables detailed collections of statistics about CPU/memory usage,
+## connections, TCP states/reassembler, DNS lookups, timers, and script-level
+## state. The script variable :bro:id:`profiling_file` holds the name of the
+## file.
+##
+## .. bro:see:: net_stats
+##              resource_usage
+##              get_matcher_stats
+##              dump_rule_stats
+##              get_gap_summary
+function do_profiling%(%) : any
+	%{
+	if ( profiling_logger )
+		profiling_logger->Log();
+
 	return 0;
 	%}
 
-function preserve_net%(a: net%): any
+## Checks whether a given IP address belongs to a local interface.
+##
+## ip: The IP address to check.
+##
+## Returns: True if *ip* belongs to a local interface.
+function is_local_interface%(ip: addr%) : bool
 	%{
+	static uint32* addrs;
+	static int len = -1;
+
+	if ( len < 0 )
+		{
+		char host[MAXHOSTNAMELEN];
+
+		strcpy(host, "localhost");
+		gethostname(host, MAXHOSTNAMELEN);
+		host[MAXHOSTNAMELEN-1] = '\0';
+
+		struct hostent* ent = gethostbyname(host);
+
+		for ( len = 0; ent->h_addr_list[len]; ++len )
+			;
+
+		addrs = new uint32[len + 1];
+		for ( int i = 0; i < len; i++ )
+			addrs[i] = *(uint32*) ent->h_addr_list[i];
+
+		addrs[len++] = 0x0100007f; // 127.0.0.1
+		}
+
 #ifdef BROv6
-	builtin_run_time("preserve_net() not supported with --enable-BROv6");
+	if ( ! is_v4_addr(ip) )
+		{
+		builtin_error("is_local_interface() only supports IPv4 addresses");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	uint32 ip4 = to_v4_addr(ip);
 #else
-	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
-	if ( ip_anon )
-		ip_anon->PreserveNet(a);
+	uint32 ip4 = ip;
 #endif
 
-	return 0;
+	for ( int i = 0; i < len; i++ )
+		if ( addrs[i] == ip4 )
+			return new Val(1, TYPE_BOOL);
+
+	return new Val(0, TYPE_BOOL);
 	%}
 
-# Anonymize given IP address.
-function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
+## Write rule matcher statistics (DFA states, transitions, memory usage, cache
+## hits/misses) to a file.
+##
+## f: The file to write to.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: do_profiling
+##              resource_usage
+##              get_matcher_stats
+##              net_stats
+##              get_gap_summary
+##
+## .. todo:: The return value should be changed to any or check appropriately.
+function dump_rule_stats%(f: file%): bool
 	%{
-	int anon_class = cl->InternalInt();
-	if ( anon_class < 0 || anon_class >= NUM_ADDR_ANONYMIZATION_CLASSES )
-		builtin_run_time("anonymize_addr(): invalid ip addr anonymization class");
+	if ( rule_matcher )
+		rule_matcher->DumpStats(f);
 
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Checks wheter Bro is terminating.
+##
+## Returns: True if Bro is in the process of shutting down.
+##
+## .. bro:see: terminate
+function bro_is_terminating%(%): bool
+	%{
+	return new Val(terminating, TYPE_BOOL);
+	%}
+
+## Returns the hostname of the machine Bro runs on.
+##
+## Returns: The hostname of the machine Bro runs on.
+function gethostname%(%) : string
+	%{
+	char buffer[MAXHOSTNAMELEN];
+	if ( gethostname(buffer, MAXHOSTNAMELEN) < 0 )
+		strcpy(buffer, "<unknown>");
+
+	buffer[MAXHOSTNAMELEN-1] = '\0';
+	return new StringVal(buffer);
+	%}
+
+# ===========================================================================
+#
+#                                 Conversion
+#
+# ===========================================================================
+
+## Converts a :bro:type:`string` to a :bro:type:`int`.
+##
+## str: The :bro:type:`string` to convert.
+##
+## Returns: The :bro:type:`string` *str* as :bro:type:`int`.
+##
+## .. bro:see:: to_addr to_port
+function to_int%(str: string%): int
+	%{
+	const char* s = str->CheckString();
+	char* end_s;
+
+	long l = strtol(s, &end_s, 10);
+	int i = int(l);
+
+#if 0
+	// Not clear we should complain.  For example, is " 205 "
+	// a legal conversion?
+	if ( s[0] == '\0' || end_s[0] != '\0' )
+		builtin_error("bad conversion to integer", @ARG@[0]);
+#endif
+
+	return new Val(i, TYPE_INT);
+	%}
+
+
+## Converts a (positive) :bro:type:`int` to a :bro:type:`count`.
+##
+## n: The :bro:type:`int` to convert.
+##
+## Returns: The :bro:type:`int` *n* as unsigned integer or 0 if *n* < 0.
+function int_to_count%(n: int%): count
+	%{
+	if ( n < 0 )
+		{
+		builtin_error("bad conversion to count", @ARG@[0]);
+		n = 0;
+		}
+	return new Val(n, TYPE_COUNT);
+	%}
+
+## Converts a :bro:type:`double` to a :bro:type:`count`.
+##
+## d: The :bro:type:`double` to convert.
+##
+## Returns: The :bro:type:`double` *d* as unsigned integer or 0 if *d* < 0.0.
+##
+## .. bro:see:: double_to_time
+function double_to_count%(d: double%): count
+	%{
+	if ( d < 0.0 )
+		builtin_error("bad conversion to count", @ARG@[0]);
+
+	return new Val(bro_uint_t(rint(d)), TYPE_COUNT);
+	%}
+
+## Converts a :bro:type:`string` to a :bro:type:`count`.
+##
+## str: The :bro:type:`string` to convert.
+##
+## Returns: The :bro:type:`string` *str* as unsigned integer or if in invalid
+##          format.
+##
+## .. bro:see:: to_addr to_int to_port
+function to_count%(str: string%): count
+	%{
+	const char* s = str->CheckString();
+	char* end_s;
+
+	uint64 u = (uint64) strtoll(s, &end_s, 10);
+
+	if ( s[0] == '\0' || end_s[0] != '\0' )
+    	{
+		builtin_error("bad conversion to count", @ARG@[0]);
+        u = 0;
+        }
+
+	return new Val(u, TYPE_COUNT);
+	%}
+
+## Converts an :bro:type:`interval` to a :bro:type:`double`.
+##
+## i: The :bro:type:`interval` to convert.
+##
+## Returns: The :bro:type:`interval` *i* as :bro:type:`double`.
+##
+## .. bro:see:: double_to_interval
+function interval_to_double%(i: interval%): double
+	%{
+	return new Val(i, TYPE_DOUBLE);
+	%}
+
+## Converts a :bro:type:`time` value to a :bro:type:`double`.
+##
+## t: The :bro:type:`interval` to convert.
+##
+## Returns: The :bro:type:`time` value *t* as :bro:type:`double`.
+##
+## .. bro:see:: double_to_time
+function time_to_double%(t: time%): double
+	%{
+	return new Val(t, TYPE_DOUBLE);
+	%}
+
+## Converts a :bro:type:`time` value to a :bro:type:`double`.
+##
+## t: The :bro:type:`interval` to convert.
+##
+## Returns: The :bro:type:`time` value *t* as :bro:type:`double`.
+##
+## .. bro:see:: time_to_double double_to_count
+function double_to_time%(d: double%): time
+	%{
+	return new Val(d, TYPE_TIME);
+	%}
+
+## Converts a :bro:type:`double` to an :bro:type:`interval`.
+##
+## d: The :bro:type:`double` to convert.
+##
+## Returns: The :bro:type:`double` *d* as :bro:type:`interval`.
+##
+## .. bro:see:: interval_to_double
+function double_to_interval%(d: double%): interval
+	%{
+	return new Val(d, TYPE_INTERVAL);
+	%}
+
+## Converts a :bro:type:`addr` to a :bro:type:`count`.
+##
+## a: The :bro:type:`addr` to convert.
+##
+## Returns: The :bro:type:`addr` *a* as :bro:type:`count`.
+##
+## .. bro:see:: addr_to_ptr_name
+function addr_to_count%(a: addr%): count
+	%{
 #ifdef BROv6
 	if ( ! is_v4_addr(a) )
 		{
-		builtin_run_time("anonymize_addr() not supported for IPv6 addresses");
-		return 0;
+		builtin_error("conversion of non-IPv4 address to count", @ARG@[0]);
+		return new Val(0, TYPE_COUNT);
 		}
-	else
-		return new AddrVal(anonymize_ip(a[3],
-			(enum ip_addr_anonymization_class_t) anon_class));
+
+	uint32 addr = to_v4_addr(a);
 #else
-	return new AddrVal(anonymize_ip(a,
-		(enum ip_addr_anonymization_class_t) anon_class));
+	uint32 addr = a;
 #endif
+	return new Val(ntohl(addr), TYPE_COUNT);
 	%}
 
-%%{
-static void hash_md5_val(val_list& vlist, unsigned char digest[16])
-	{
-	md5_state_s h;
+## Converts a :bro:type:`port` to a :bro:type:`count`.
+##
+## p: The :bro:type:`port` to convert.
+##
+## Returns: The :bro:type:`port` *p* as :bro:type:`count`.
+##
+## .. bro:see:: count_to_port
+function port_to_count%(p: port%): count
+	%{
+	return new Val(p->Port(), TYPE_COUNT);
+	%}
 
-	md5_init(&h);
-	loop_over_list(vlist, i)
+## Converts a :bro:type:`count` and ``transport_proto`` to a :bro:type:`port`.
+##
+## num: The :bro:type:`port` number.
+##
+## proto: The transport protocol.
+##
+## Returns: The :bro:type:`count` *c* as :bro:type:`port`.
+##
+## .. bro:see:: port_to_count
+function count_to_port%(num: count, proto: transport_proto%): port
+	%{
+	return new PortVal(num, (TransportProto)proto->AsEnum());
+	%}
+
+## Converts a :bro:type:`string` to an :bro:type:`addr`.
+##
+## ip: The :bro:type:`string` to convert.
+##
+## Returns: The :bro:type:`string` *ip* as :bro:type:`addr`.
+##
+## .. bro:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
+function to_addr%(ip: string%): addr
+	%{
+	char* s = ip->AsString()->Render();
+	Val* ret = new AddrVal(s);
+	delete [] s;
+	return ret;
+	%}
+
+## Converts a :bro:type:`count` to an :bro:type:`addr`.
+##
+## ip: The :bro:type:`count` to convert.
+##
+## Returns: The :bro:type:`count` *ip* as :bro:type:`addr`.
+##
+## .. bro:see:: raw_bytes_to_v4_addr to_addr
+function count_to_v4_addr%(ip: count%): addr
+	%{
+	if ( ip > 4294967295LU )
 		{
-		Val* v = vlist[i];
-		if ( v->Type()->Tag() == TYPE_STRING )
-			{
-			const BroString* str = v->AsString();
-			md5_append(&h, str->Bytes(), str->Len());
-			}
-		else
-			{
-			ODesc d(DESC_BINARY);
-			v->Describe(&d);
-			md5_append(&h, (const md5_byte_t *) d.Bytes(), d.Len());
-			}
-		}
-	md5_finish(&h, digest);
-	}
-
-static void hmac_md5_val(val_list& vlist, unsigned char digest[16])
-	{
-	hash_md5_val(vlist, digest);
-	for ( int i = 0; i < 16; ++i )
-		digest[i] = digest[i] ^ shared_hmac_md5_key[i];
-	hash_md5(16, digest, digest);
-	}
-%%}
-
-function md5_hash%(...%): string
-	%{
-	unsigned char digest[16];
-	hash_md5_val(@ARG@, digest);
-	return new StringVal(md5_digest_print(digest));
-	%}
-
-function md5_hmac%(...%): string
-	%{
-	unsigned char digest[16];
-	hmac_md5_val(@ARG@, digest);
-	return new StringVal(md5_digest_print(digest));
-	%}
-
-%%{
-static map<BroString, md5_state_s> md5_states;
-
-BroString* convert_md5_index_to_string(Val* index)
-	{
-	ODesc d;
-	index->Describe(&d);
-	return new BroString(1, d.TakeBytes(), d.Len());
-	}
-%%}
-
-function md5_hash_init%(index: any%): bool
-	%{
-	BroString* s = convert_md5_index_to_string(index);
-	int status = 0;
-
-	if ( md5_states.count(*s) < 1 )
-		{
-		md5_state_s h;
-		md5_init(&h);
-		md5_states[*s] = h;
-		status = 1;
+		builtin_error("conversion of non-IPv4 count to addr", @ARG@[0]);
+		return new AddrVal(uint32(0));
 		}
 
-	delete s;
-	return new Val(status, TYPE_BOOL);
+	return new AddrVal(htonl(uint32(ip)));
 	%}
 
-function md5_hash_update%(index: any, data: string%): bool
+## Converts a :bro:type:`string` of bytes into an IP address. In particular,
+## this function interprets the first 4 bytes of the string as an IPv4 address
+## in network order.
+##
+## b: The raw bytes (:bro:type:`string`) to convert.
+##
+## Returns: The byte :bro:type:`string` *ip* as :bro:type:`addr`.
+##
+## .. bro:see:: raw_bytes_to_v4_addr to_addr
+function raw_bytes_to_v4_addr%(b: string%): addr
 	%{
-	BroString* s = convert_md5_index_to_string(index);
-	int status = 0;
+	uint32 a = 0;
 
-	if ( md5_states.count(*s) > 0 )
+	if ( b->Len() < 4 )
+		builtin_error("too short a string as input to raw_bytes_to_v4_addr()");
+
+	else
 		{
-		md5_append(&md5_states[*s], data->Bytes(), data->Len());
-		status = 1;
+		const u_char* bp = b->Bytes();
+		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
 		}
 
-	delete s;
-	return new Val(status, TYPE_BOOL);
+	return new AddrVal(htonl(a));
 	%}
 
-function md5_hash_finish%(index: any%): string
-	%{
-	BroString* s = convert_md5_index_to_string(index);
-	StringVal* printable_digest;
+## Converts a :bro:type:`string` to an :bro:type:`port`.
+##
+## s: The :bro:type:`string` to convert.
+##
+## Returns: A :bro:type:`port` converted from *s*.
+##
+## .. bro:see:: to_addr to_count to_int
+function to_port%(s: string%): port
+    %{
+    int port = 0;
+    if ( s->Len() < 10 )
+        {
+        char* slash;
+        port = strtol(s->CheckString(), &slash, 10);
+        if ( port )
+            {
+            ++slash;
+            if ( streq(slash, "tcp") )
+                return new PortVal(port, TRANSPORT_TCP);
+            else if ( streq(slash, "udp") )
+                return new PortVal(port, TRANSPORT_UDP);
+            else if ( streq(slash, "icmp") )
+                return new PortVal(port, TRANSPORT_ICMP);
+            }
+        }
 
-	if ( md5_states.count(*s) > 0 )
+    builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/");
+    return new PortVal(port, TRANSPORT_UNKNOWN);
+	%}
+
+## Converts a reverse pointer name to an address. For example,
+## ``1.0.168.192.in-addr.arpa`` to ``192.168.0.1``.
+##
+## s: The string with the reverse pointer name.
+##
+## Returns: The IP address corresponding to *s*.
+##
+## .. bro:see:: addr_to_ptr_name parse_dotted_addr
+function ptr_name_to_addr%(s: string%): addr
+	%{
+	int a[4];
+	uint32 addr;
+
+	if ( sscanf(s->CheckString(),
+			"%d.%d.%d.%d.in-addr.arpa",
+			a, a+1, a+2, a+3) != 4 )
 		{
-		unsigned char digest[16];
-		md5_finish(&md5_states[*s], digest);
-		md5_states.erase(*s);
-		printable_digest = new StringVal(md5_digest_print(digest));
+		builtin_error("bad PTR name", @ARG@[0]);
+		addr = 0;
 		}
 	else
-		printable_digest = new StringVal("");
+		addr = (a[3] << 24) | (a[2] << 16) | (a[1] << 8) | a[0];
 
-	delete s;
-	return printable_digest;
+	return new AddrVal(htonl(addr));
 	%}
 
-# Wrappings for rand() and srand()
-function rand%(max: count%): count
+## Converts an IP address to a reverse pointer name. For example,
+## ``192.168.0.1`` to ``1.0.168.192.in-addr.arpa``.
+##
+## a: The IP address to convert to a reverse pointer name.
+##
+## Returns: The reverse pointer representation of *a*.
+##
+## .. bro:see:: addr_to_count ptr_name_to_addr parse_dotted_addr
+function addr_to_ptr_name%(a: addr%): string
 	%{
-	int result;
-	result = bro_uint_t(double(max) * double(rand()) / (RAND_MAX + 1.0));
-	return new Val(result, TYPE_COUNT);
+	// ## Question:
+	// uint32 addr = ntohl((*args)[0]->InternalUnsigned());
+	uint32 addr;
+#ifdef BROv6
+	if ( is_v4_addr(a) )
+		addr = a[3];
+	else
+		{
+		builtin_error("conversion of non-IPv4 address to net", @ARG@[0]);
+		addr = 0;
+		}
+#else
+	addr = a;
+#endif
+
+	addr = ntohl(addr);
+	uint32 a3 = (addr >> 24) & 0xff;
+	uint32 a2 = (addr >> 16) & 0xff;
+	uint32 a1 = (addr >> 8) & 0xff;
+	uint32 a0 = addr & 0xff;
+
+	char buf[256];
+	sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", a0, a1, a2, a3);
+
+	return new StringVal(buf);
 	%}
 
-function srand%(seed: count%): any
+# Transforms n0.n1.n2.n3 -> addr.
+
+## Converts a decimal dotted IP address in a :bro:type:`string` to an
+## :bro:type:`addr` type.
+##
+## s: The IP address in the form ``n0.n1.n2.n3``.
+##
+## Returns: The IP address as type :bro:type:`addr`.
+##
+## .. bro:see:: addr_to_ptr_name parse_dotted_addr addr_to_count
+function parse_dotted_addr%(s: string%): addr
 	%{
-	srand(seed);
-	return 0;
+	return new AddrVal(dotted_to_addr(s->CheckString()));
 	%}
 
+%%{
+static Val* parse_port(const char* line)
+	{
+	RecordVal* r = new RecordVal(ftp_port);
+
+	int bytes[6];
+	if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
+			&bytes[0], &bytes[1], &bytes[2],
+			&bytes[3], &bytes[4], &bytes[5]) == 6 )
+		{
+		int good = 1;
+
+		for ( int i = 0; i < 6; ++i )
+			if ( bytes[i] < 0 || bytes[i] > 255 )
+				{
+				good = 0;
+				break;
+				}
+
+		uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) |
+				(bytes[2] << 8) | bytes[3];
+		uint32 port = (bytes[4] << 8) | bytes[5];
+
+		// Since port is unsigned, no need to check for < 0.
+		if ( port > 65535 )
+			{
+			port = 0;
+			good = 0;
+			}
+
+		r->Assign(0, new AddrVal(htonl(addr)));
+		r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+		r->Assign(2, new Val(good, TYPE_BOOL));
+		}
+	else
+		{
+		r->Assign(0, new AddrVal(uint32(0)));
+		r->Assign(1, new PortVal(0, TRANSPORT_TCP));
+		r->Assign(2, new Val(0, TYPE_BOOL));
+		}
+
+	return r;
+	}
+
+static Val* parse_eftp(const char* line)
+	{
+	RecordVal* r = new RecordVal(ftp_port);
+
+	int net_proto = 0;	// currently not used
+	uint32 addr = 0;
+	int port = 0;
+	int good = 0;
+
+	if ( line )
+		{
+		while ( isspace(*line) )	// skip whitespace
+			++line;
+
+		char delimiter = *line;
+		good = 1;
+		char* next_delim;
+
+		++line;	// cut off delimiter
+		net_proto = strtol(line, &next_delim, 10);	// currently ignored
+		if ( *next_delim != delimiter )
+			good = 0;
+
+		line = next_delim + 1;
+		if ( *line != delimiter )	// default of 0 is ok
+			{
+			addr = dotted_to_addr(line);
+			if ( addr == 0 )
+				good = 0;
+			}
+
+		// FIXME: check for garbage between IP and delimiter.
+		line = strchr(line, delimiter);
+
+		++line;	// now the port
+		port = strtol(line, &next_delim, 10);
+		if ( *next_delim != delimiter )
+			good = 0;
+		}
+
+	r->Assign(0, new AddrVal(addr));
+	r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+	r->Assign(2, new Val(good, TYPE_BOOL));
+
+	return r;
+	}
+%%}
+
+## Converts a string representation of the FTP PORT command to an ``ftp_port``.
+##
+## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
+##
+## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``
+##
+## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+function parse_ftp_port%(s: string%): ftp_port
+	%{
+	return parse_port(s->CheckString());
+	%}
+
+## Converts a string representation of the FTP EPRT command to an ``ftp_port``.
+## (see `RFC 2428 <http://tools.ietf.org/html/rfc2428>`_).
+## The format is ``EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>``,
+## where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
+##
+## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
+##
+## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``
+##
+## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+function parse_eftp_port%(s: string%): ftp_port
+	%{
+	return parse_eftp(s->CheckString());
+	%}
+
+## Converts the result of the FTP PASV command to an ``ftp_port``.
+##
+## str: The string containing the result of the FTP PASV command.
+##
+## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``
+##
+## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
+function parse_ftp_pasv%(str: string%): ftp_port
+	%{
+	const char* s = str->CheckString();
+	const char* line = strchr(s, '(');
+	if ( line )
+		++line;	// move past '('
+	else if ( (line = strstr(s, "PORT")) )
+		line += 5;	// Skip over
+	else if ( (line = strchr(s, ',')) )
+		{ // Look for comma-separated list.
+		while ( --line >= s && isdigit(*line) )
+			;	// Back up over preceding digits.
+		++line;	// now points to first digit, or beginning of s
+		}
+
+	return parse_port(line);
+	%}
+
+## Converts the result of the FTP EPSV command to an ``ftp_port``.
+## See `RFC 2428 <http://tools.ietf.org/html/rfc2428>`_.
+## The format is ``<text> (<d><d><d><tcp-port><d>)``, where ``<d>`` is a
+## delimiter in the ASCII range 33-126 (usually ``|``).
+##
+## str: The string containing the result of the FTP PASV command.
+##
+## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``
+##
+## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
+function parse_ftp_epsv%(str: string%): ftp_port
+	%{
+	const char* s = str->CheckString();
+	const char* line = strchr(s, '(');
+	if ( line )
+		++line; // move past '('
+	return parse_eftp(line);
+	%}
+
+## Formats an IP address and TCP port as an FTP PORT command. For example,
+## ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
+##
+## a: The IP address.
+##
+## p: The TCP port.
+##
+## Returns: The FTP PORT string.
+##
+## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
+function fmt_ftp_port%(a: addr, p: port%): string
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		builtin_error("conversion of non-IPv4 address to net", @ARG@[0]);
+
+	uint32 addr = to_v4_addr(a);
+#else
+	uint32 addr = a;
+#endif
+	addr = ntohl(addr);
+	uint32 pn = p->Port();
+	return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
+					addr >> 24, (addr >> 16) & 0xff,
+					(addr >> 8) & 0xff, addr & 0xff,
+					pn >> 8, pn & 0xff));
+	%}
+
+## Decode a NetBIOS name.  See http://support.microsoft.com/kb/194203.
+##
+## name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF:``.
+##
+## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``.
+##
+## .. bro:see:: decode_netbios_name_type
+function decode_netbios_name%(name: string%): string
+	%{
+	char buf[16];
+	char result[16];
+	const u_char* s = name->Bytes();
+	int i, j;
+
+	for ( i = 0, j = 0; i < 16; ++i )
+		{
+		char c0 = (j < name->Len()) ? toupper(s[j++]) : 'A';
+		char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A';
+		buf[i] = ((c0 - 'A') << 4) + (c1 - 'A');
+		}
+
+	for ( i = 0; i < 15; ++i )
+		{
+		if ( isalnum(buf[i]) || ispunct(buf[i]) ||
+		     // \x01\x02 is seen in at least one case as the first two bytes.
+		     // I think that any \x01 and \x02 should always be passed through.
+		     buf[i] < 3 )
+			result[i] = buf[i];
+		else
+			break;
+		}
+
+	return new StringVal(i, result);
+	%}
+
+## Converts a NetBIOS name type to its corresonding numeric value.
+## See http://support.microsoft.com/kb/163409.
+##
+## name: The NetBIOS name type.
+##
+## Returns: The numeric value of *name*.
+##
+## .. bro:see:: decode_netbios_name
+function decode_netbios_name_type%(name: string%): count
+	%{
+	const u_char* s = name->Bytes();
+	char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
+	return new Val(return_val, TYPE_COUNT);
+	%}
+
+## Converts a string of bytes into its hexadecimal representation, e.g.,
+## ``"04"`` to ``"3034"``.
+##
+## bytestring: The string of bytes.
+##
+## Returns: The hexadecimal reprsentation of *bytestring*.
+##
+## .. bro:see:: hexdump
+function bytestring_to_hexstr%(bytestring: string%): string
+	%{
+	bro_uint_t len = bytestring->AsString()->Len();
+	const u_char* bytes = bytestring->AsString()->Bytes();
+	char hexstr[(2 * len) + 1];
+
+	hexstr[0] = 0;
+	for ( bro_uint_t i = 0; i < len; ++i )
+		snprintf(hexstr + (2 * i), 3, "%.2hhx", bytes[i]);
+
+	return new StringVal(hexstr);
+	%}
+
+## Decodes a Base64-encoded string.
+##
+## s: The Base64-encoded string.
+##
+## Returns: The decoded version of *s*.
+##
+## .. bro:see:: decode_base64_custom
 function decode_base64%(s: string%): string
 	%{
 	BroString* t = decode_base64(s->AsString());
@@ -1805,7 +2671,30 @@ function decode_base64%(s: string%): string
 		return new StringVal(t);
 	else
 		{
-		run_time("error in decoding string %s", @ARG@[0]);
+		reporter->Error("error in decoding string %s", s->CheckString());
+		return new StringVal("");
+		}
+	%}
+
+## Decodes a Base64-encoded string with a custom alphabet.
+##
+## s: The Base64-encoded string.
+##
+## a: The custom alphabet. The empty string indicates the default alphabet. The
+##    lengh of *a* must bt 64. For example, a custom alphabet could be
+##    ``"!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"``.
+##
+## Returns: The decoded version of *s*.
+##
+## .. bro:see:: decode_base64
+function decode_base64_custom%(s: string, a: string%): string
+	%{
+	BroString* t = decode_base64(s->AsString(), a->AsString());
+	if ( t )
+		return new StringVal(t);
+	else
+		{
+		reporter->Error("error in decoding string %s", s->CheckString());
 		return new StringVal("");
 		}
 	%}
@@ -1823,6 +2712,14 @@ typedef struct {
 } bro_uuid_t;
 %%}
 
+## Converts a bytes representation of a UUID into its string form. For example,
+## given a string of 16 bytes, it produces an output string in this format:
+## ``550e8400-e29b-41d4-a716-446655440000``.
+## See `<http://en.wikipedia.org/wiki/Universally_unique_identifier>`_.
+##
+## uuid: The 16 bytes of the UUID.
+##
+## Returns: The string representation of *uuid*.
 function uuid_to_string%(uuid: string%): string
 	%{
 	if ( uuid->Len() != 16 )
@@ -1847,16 +2744,25 @@ function uuid_to_string%(uuid: string%): string
 	return new StringVal(s);
 	%}
 
-
-# The following functions are attempts to convert strings into
-# patterns at run-time. These attempts were later *abandoned* because
-# NFA and DFA cannot be cleanly deallocated.
-
+## Merges and compiles two regular expressions at initialization time.
+##
+## p1: The first pattern.
+##
+## p2: The second pattern.
+##
+## Returns: The compiled pattern of the concatentation of *p1* and *p2*.
+##
+## .. bro:see:: convert_for_pattern string_to_pattern
+##
+## .. note::
+##
+##      This function must be called at Bro startup time, e.g., in the event
+##      :bro:id:`bro_init`.
 function merge_pattern%(p1: pattern, p2: pattern%): pattern
 	%{
-	if ( reading_live )
+	if ( bro_start_network_time != 0.0 )
 		{
-		builtin_run_time("should not call merge_pattern while reading live traffic");
+		builtin_error("merge_pattern can only be called at init time");
 		return 0;
 		}
 
@@ -1890,6 +2796,17 @@ char* to_pat_str(int sn, const char* ss)
 	}
 %%}
 
+## Escapes a string so that it becomes a valid :bro:type:`pattern` and can be
+## used with the :bro:id:`string_to_pattern`. Any character from the set
+## ``^$-:"\/|*+?.(){}[]`` is prefixed with a ``\``.
+##
+## s: The string to escape.
+##
+## Returns: An escaped version of *s* that has the structure of a valid
+##          :bro:type:`pattern`.
+##
+## .. bro:see:: merge_pattern string_to_pattern
+##
 function convert_for_pattern%(s: string%): string
 	%{
 	char* t = to_pat_str(s->Len(), (const char*)(s->Bytes()));
@@ -1898,11 +2815,27 @@ function convert_for_pattern%(s: string%): string
 	return ret;
 	%}
 
+## Converts a :bro:type:`string` into a :bro:type:`pattern`.
+##
+## s: The string to convert.
+##
+## convert: If true, *s* is first passed through the function
+##          :bro:id:`convert_for_pattern` to escape special characters of
+##          patterns.
+##
+## Returns: *s* as :bro:type:`pattern`.
+##
+## .. bro:see:: convert_for_pattern merge_pattern
+##
+## .. note::
+##
+##      This function must be called at Bro startup time, e.g., in the event
+##      :bro:id:`bro_init`.
 function string_to_pattern%(s: string, convert: bool%): pattern
 	%{
-	if ( reading_live )
+	if ( bro_start_network_time != 0.0 )
 		{
-		builtin_run_time("should not call merge_pattern while reading live traffic");
+		builtin_error("string_to_pattern can only be called at init time");
 		return 0;
 		}
 
@@ -1925,347 +2858,320 @@ function string_to_pattern%(s: string, convert: bool%): pattern
 	return new PatternVal(re);
 	%}
 
-# Precompile a pcap filter.
-function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
+## Formats a given time value according to a format string.
+##
+## fmt: The format string. See ``man strftime`` for the syntax.
+##
+## d: The time value.
+##
+## Returns: The time *d* formatted according to *fmt*.
+function strftime%(fmt: string, d: time%) : string
 	%{
-	bool success = true;
+	static char buffer[128];
 
-	loop_over_list(pkt_srcs, i)
-		{
-		pkt_srcs[i]->ClearErrorMsg();
+	time_t t = time_t(d);
 
-		if ( ! pkt_srcs[i]->PrecompileFilter(id->ForceAsInt(),
-							s->CheckString()) )
-			{
-			run_time( "precompile_pcap_filter: %s",
-				pkt_srcs[i]->ErrorMsg() );
-			success = false;
-			}
-		}
+	if ( strftime(buffer, 128, fmt->CheckString(), localtime(&t)) == 0 )
+		return new StringVal("<strftime error>");
 
-	return new Val(success, TYPE_BOOL);
+	return new StringVal(buffer);
 	%}
 
-# Install precompiled pcap filter.
-function install_pcap_filter%(id: PcapFilterID%): bool
+# ===========================================================================
+#
+#                           Network Type Processing
+#
+# ===========================================================================
+
+## Masks an address down to the number of given upper bits. For example,
+## ``mask_addr(1.2.3.4, 18)`` returns ``1.2.0.0``.
+##
+## a: The address to mask.
+##
+## top_bits_to_keep: The number of top bits to keep in *a*; must be greater
+##                   than 0 and less than 33.
+##
+## Returns: The address *a* masked down to *top_bits_to_keep* bits.
+##
+## .. bro:see:: remask_addr
+function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
 	%{
-	// Don't allow the script-level to change the filter when
-	// the user has specified one on the command line.
-	if ( user_pcap_filter )
-		return new Val(0, TYPE_BOOL);
-
-	bool success = true;
-
-	loop_over_list(pkt_srcs, i)
-		{
-		pkt_srcs[i]->ClearErrorMsg();
-
-		if ( ! pkt_srcs[i]->SetFilter(id->ForceAsInt()) )
-			success = false;
-		}
-
-	return new Val(success, TYPE_BOOL);
+	return new SubNetVal(mask_addr(a, top_bits_to_keep), top_bits_to_keep);
 	%}
 
-# If last pcap function failed, returns a descriptive error message
-function pcap_error%(%): string
+## Takes some top bits (e.g., subnet address) from one address and the other
+## bits (intra-subnet part) from a second address and merges them to get a new
+## address. This is useful for anonymizing at subnet level while preserving
+## serial scans.
+##
+## a1: The address to mask with *top_bits_from_a1*.
+##
+## a2: The address to take the remaining bits from.
+##
+## top_bits_from_a1: The number of top bits to keep in *a1*; must be greater
+##                   than 0 and less than 33.
+##
+## Returns: The address *a* masked down to *top_bits_to_keep* bits.
+##
+## .. bro:see:: mask_addr
+function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
 	%{
-	loop_over_list(pkt_srcs, i)
-		{
-		const char* err = pkt_srcs[i]->ErrorMsg();
-		if ( *err )
-			return new StringVal(err);
-		}
-
-	return new StringVal("no error");
-	%}
-
-# Install filter to drop packets from a source (addr/subnet) with a given
-# probability (0.0-1.0) if none of the given TCP flags is set.
-function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
-	%{
-	sessions->GetPacketFilter()->AddSrc(ip, tcp_flags, prob);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
-	%{
-	sessions->GetPacketFilter()->AddSrc(snet, tcp_flags, prob);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-# Remove the filter for the source.
-function uninstall_src_addr_filter%(ip: addr%) : bool
-	%{
-	return new Val(sessions->GetPacketFilter()->RemoveSrc(ip), TYPE_BOOL);
-	%}
-
-function uninstall_src_net_filter%(snet: subnet%) : bool
-	%{
-	return new Val(sessions->GetPacketFilter()->RemoveSrc(snet), TYPE_BOOL);
-	%}
-
-# Same for destination.
-function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
-	%{
-	sessions->GetPacketFilter()->AddDst(ip, tcp_flags, prob);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
-	%{
-	sessions->GetPacketFilter()->AddDst(snet, tcp_flags, prob);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function uninstall_dst_addr_filter%(ip: addr%) : bool
-	%{
-	return new Val(sessions->GetPacketFilter()->RemoveDst(ip), TYPE_BOOL);
-	%}
-
-function uninstall_dst_net_filter%(snet: subnet%) : bool
-	%{
-	return new Val(sessions->GetPacketFilter()->RemoveDst(snet), TYPE_BOOL);
-	%}
-
-function checkpoint_state%(%) : bool
-	%{
-	return new Val(persistence_serializer->WriteState(true), TYPE_BOOL);
-	%}
-
-function dump_config%(%) : bool
-	%{
-	return new Val(persistence_serializer->WriteConfig(true), TYPE_BOOL);
-	%}
-
-function rescan_state%(%) : bool
-	%{
-	return new Val(persistence_serializer->ReadAll(false, true), TYPE_BOOL);
-	%}
-
-function capture_events%(filename: string%) : bool
-	%{
-	if ( ! event_serializer )
-		event_serializer = new FileSerializer();
-	else
-		event_serializer->Close();
-
-	return new Val(event_serializer->Open(
-		(const char*) filename->CheckString()), TYPE_BOOL);
-	%}
-
-function capture_state_updates%(filename: string%) : bool
-	%{
-	if ( ! state_serializer )
-		state_serializer = new FileSerializer();
-	else
-		state_serializer->Close();
-
-	return new Val(state_serializer->Open(
-		(const char*) filename->CheckString()), TYPE_BOOL);
-	%}
-
-function connect%(ip: addr, p: port, our_class: string, retry: interval, ssl: bool%) : count
-	%{
-	return new Val(uint32(remote_serializer->Connect(ip, p->Port(),
-				our_class->CheckString(), retry, ssl)),
-			TYPE_COUNT);
-	%}
-
-function request_remote_events%(p: event_peer, handlers: pattern%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->RequestEvents(id, handlers),
-			TYPE_BOOL);
-	%}
-
-function request_remote_sync%(p: event_peer, auth: bool%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->RequestSync(id, auth), TYPE_BOOL);
-	%}
-
-function set_accept_state%(p: event_peer, accept: bool%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->SetAcceptState(id, accept),
-			TYPE_BOOL);
-	%}
-
-function set_compression_level%(p: event_peer, level: count%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->SetCompressionLevel(id, level),
-			TYPE_BOOL);
-	%}
-
-function listen%(ip: addr, p: port, ssl: bool %) : bool
-	%{
-	return new Val(remote_serializer->Listen(ip, p->Port(), ssl), TYPE_BOOL);
-	%}
-
-function is_remote_event%(%) : bool
-	%{
-	return new Val(mgr.CurrentSource() != SOURCE_LOCAL, TYPE_BOOL);
-	%}
-
-function send_state%(p: event_peer%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(persistence_serializer->SendState(id, true), TYPE_BOOL);
-	%}
-
-# Send the value of the given global ID to the peer (which might
-# then install it locally).
-function send_id%(p: event_peer, id: string%) : bool
-	%{
-	RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount();
-
-	ID* i = global_scope()->Lookup(id->CheckString());
-	if ( ! i )
-		{
-		run_time(fmt("send_id: no global id %s", id->CheckString()));
-		return new Val(0, TYPE_BOOL);
-		}
-
-	SerialInfo info(remote_serializer);
-	return new Val(remote_serializer->SendID(&info, pid, *i), TYPE_BOOL);
-	%}
-
-# Gracely shut down communication.
-function terminate_communication%(%) : bool
-	%{
-	return new Val(remote_serializer->Terminate(), TYPE_BOOL);
-	%}
-
-function complete_handshake%(p: event_peer%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->CompleteHandshake(id), TYPE_BOOL);
-	%}
-
-function send_ping%(p: event_peer, seq: count%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->SendPing(id, seq), TYPE_BOOL);
-	%}
-
-function send_current_packet%(p: event_peer%) : bool
-	%{
-	Packet pkt("");
-
-	if ( ! current_pktsrc ||
-	     ! current_pktsrc->GetCurrentPacket(&pkt.hdr, &pkt.pkt) )
-		return new Val(0, TYPE_BOOL);
-
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-
-	pkt.time = pkt.hdr->ts.tv_sec + double(pkt.hdr->ts.tv_usec) / 1e6;
-	pkt.hdr_size = current_pktsrc->HdrSize();
-	pkt.link_type = current_pktsrc->LinkType();
-
-	SerialInfo info(remote_serializer);
-	return new Val(remote_serializer->SendPacket(&info, id, pkt), TYPE_BOOL);
-	%}
-
-function do_profiling%(%) : bool
-	%{
-	if ( profiling_logger )
-		profiling_logger->Log();
-
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function get_event_peer%(%) : event_peer
-	%{
-	SourceID src = mgr.CurrentSource();
-
-	if ( src == SOURCE_LOCAL )
-		{
-		RecordVal* p = mgr.GetLocalPeerVal();
-		Ref(p);
-		return p;
-		}
-
-	if ( ! remote_serializer )
-		internal_error("remote_serializer not initialized");
-
-	Val* v = remote_serializer->GetPeerVal(src);
-	if ( ! v )
-		{
-		run_time(fmt("peer %d does not exist anymore", int(src)));
-		RecordVal* p = mgr.GetLocalPeerVal();
-		Ref(p);
-		return p;
-		}
-
-	return v;
-	%}
-
-function get_local_event_peer%(%) : event_peer
-	%{
-	RecordVal* p = mgr.GetLocalPeerVal();
-	Ref(p);
-	return p;
-	%}
-
-
-function send_capture_filter%(p: event_peer, s: string%) : bool
-	%{
-	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
-	return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL);
-	%}
-
-function make_connection_persistent%(c: connection%) : bool
-	%{
-	c->MakePersistent();
-	return new Val(1, TYPE_BOOL);
-	%}
-
-function is_local_interface%(ip: addr%) : bool
-	%{
-	static uint32* addrs;
-	static int len = -1;
-
-	if ( len < 0 )
-		{
-		char host[MAXHOSTNAMELEN];
-
-		strcpy(host, "localhost");
-		gethostname(host, MAXHOSTNAMELEN);
-		host[MAXHOSTNAMELEN-1] = '\0';
-
-		struct hostent* ent = gethostbyname(host);
-
-		for ( len = 0; ent->h_addr_list[len]; ++len )
-			;
-
-		addrs = new uint32[len + 1];
-		for ( int i = 0; i < len; i++ )
-			addrs[i] = *(uint32*) ent->h_addr_list[i];
-
-		addrs[len++] = 0x0100007f; // 127.0.0.1
-		}
-
 #ifdef BROv6
-	if ( ! is_v4_addr(ip) )
+	if ( ! is_v4_addr(a1) || ! is_v4_addr(a2) )
 		{
-		builtin_run_time("is_local_interface() only supports IPv4 addresses");
-		return new Val(0, TYPE_BOOL);
+		builtin_error("cannot use remask_addr on IPv6 addresses");
+		return new AddrVal(a1);
 		}
 
-	uint32 ip4 = to_v4_addr(ip);
+	uint32 x1 = to_v4_addr(a1);
+	uint32 x2 = to_v4_addr(a2);
 #else
-	uint32 ip4 = ip;
+	uint32 x1 = a1;
+	uint32 x2 = a2;
 #endif
-
-	for ( int i = 0; i < len; i++ )
-		if ( addrs[i] == ip4 )
-			return new Val(1, TYPE_BOOL);
-
-	return new Val(0, TYPE_BOOL);
+	return new AddrVal(
+		mask_addr(x1, top_bits_from_a1) |
+		(x2 ^ mask_addr(x2, top_bits_from_a1)) );
 	%}
 
+## Checks whether a given :bro:type:`port` has TCP as transport protocol.
+##
+## p: The :bro:type:`port` to check.
+##
+## Returns: True iff *p* is a TCP port.
+##
+## .. bro:see:: is_udp_port is_icmp_port
+function is_tcp_port%(p: port%): bool
+	%{
+	return new Val(p->IsTCP(), TYPE_BOOL);
+	%}
+
+## Checks whether a given :bro:type:`port` has UDP as transport protocol.
+##
+## p: The :bro:type:`port` to check.
+##
+## Returns: True iff *p* is a UDP port.
+##
+## .. bro:see:: is_icmp_port is_tcp_port
+function is_udp_port%(p: port%): bool
+	%{
+	return new Val(p->IsUDP(), TYPE_BOOL);
+	%}
+
+## Checks whether a given :bro:type:`port` has ICMP as transport protocol.
+##
+## p: The :bro:type:`port` to check.
+##
+## Returns: True iff *p* is a ICMP port.
+##
+## .. bro:see:: is_tcp_port is_udp_port
+function is_icmp_port%(p: port%): bool
+	%{
+	return new Val(p->IsICMP(), TYPE_BOOL);
+	%}
+
+%%{
+EnumVal* map_conn_type(TransportProto tp)
+	{
+	switch ( tp ) {
+	case TRANSPORT_UNKNOWN:
+		return new EnumVal(0, transport_proto);
+		break;
+
+	case TRANSPORT_TCP:
+		return new EnumVal(1, transport_proto);
+		break;
+
+	case TRANSPORT_UDP:
+		return new EnumVal(2, transport_proto);
+		break;
+
+	case TRANSPORT_ICMP:
+		return new EnumVal(3, transport_proto);
+		break;
+
+	default:
+		reporter->InternalError("bad connection type in map_conn_type()");
+	}
+
+	// Cannot be reached;
+	assert(false);
+	return 0; // Make compiler happy.
+	}
+%%}
+
+## Extracts the transport protocol from a connection.
+##
+## cid: The connection identifier.
+##
+## Returns: The transport protocol of the connection identified by *id*.
+##
+## .. bro:see:: get_port_transport_proto
+##              get_orig_seq get_resp_seq
+function get_conn_transport_proto%(cid: conn_id%): transport_proto
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		{
+		builtin_error("unknown connection id in get_conn_transport_proto()", cid);
+		return new EnumVal(0, transport_proto);
+		}
+
+	return map_conn_type(c->ConnTransport());
+	%}
+
+## Extracts the transport protocol from a :bro:type:`port`.
+##
+## p: The port.
+##
+## Returns: The transport protocol of the port *p*.
+##
+## .. bro:see:: get_conn_transport_proto
+##              get_orig_seq get_resp_seq
+function get_port_transport_proto%(p: port%): transport_proto
+	%{
+	return map_conn_type(p->PortType());
+	%}
+
+## Checks whether a connection is (still) active.
+##
+## c: The connection id to check.
+##
+## Returns: True if the connection identified by *c* exists.
+##
+## .. bro:see:: lookup_connection
+function connection_exists%(c: conn_id%): bool
+	%{
+	if ( sessions->FindConnection(c) )
+		return new Val(1, TYPE_BOOL);
+	else
+		return new Val(0, TYPE_BOOL);
+	%}
+
+## Returns the :bro:type:`connection` record for a given connection identifier.
+##
+## cid: The connection ID.
+##
+## Returns: The :bro:type:`connection` record for *cid*. If *cid* does not point
+##          to an existing connection, the function generates a run-time error
+##          and returns a dummy value.
+##
+## .. bro:see:: connection_exists
+function lookup_connection%(cid: conn_id%): connection
+	%{
+	Connection* conn = sessions->FindConnection(cid);
+	if ( conn )
+		return conn->BuildConnVal();
+
+	builtin_error("connection ID not a known connection", cid);
+
+	// Return a dummy connection record.
+	RecordVal* c = new RecordVal(connection_type);
+
+	RecordVal* id_val = new RecordVal(conn_id);
+	id_val->Assign(0, new AddrVal((unsigned int) 0));
+	id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP));
+	id_val->Assign(2, new AddrVal((unsigned int) 0));
+	id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP));
+	c->Assign(0, id_val);
+
+	RecordVal* orig_endp = new RecordVal(endpoint);
+	orig_endp->Assign(0, new Val(0, TYPE_COUNT));
+	orig_endp->Assign(1, new Val(int(0), TYPE_COUNT));
+
+	RecordVal* resp_endp = new RecordVal(endpoint);
+	resp_endp->Assign(0, new Val(0, TYPE_COUNT));
+	resp_endp->Assign(1, new Val(int(0), TYPE_COUNT));
+
+	c->Assign(1, orig_endp);
+	c->Assign(2, resp_endp);
+
+	c->Assign(3, new Val(network_time, TYPE_TIME));
+	c->Assign(4, new Val(0.0, TYPE_INTERVAL));
+	c->Assign(5, new TableVal(string_set));	// service
+	c->Assign(6, new StringVal(""));	// addl
+	c->Assign(7, new Val(0, TYPE_COUNT));	// hot
+	c->Assign(8, new StringVal(""));	// history
+
+	return c;
+	%}
+
+%%{
+#include "HTTP.h"
+
+const char* conn_id_string(Val* c)
+	{
+	Val* id = (*(c->AsRecord()))[0];
+	const val_list* vl = id->AsRecord();
+
+	addr_type orig_h = (*vl)[0]->AsAddr();
+	uint32 orig_p = (*vl)[1]->AsPortVal()->Port();
+	addr_type resp_h = (*vl)[2]->AsAddr();
+	uint32 resp_p = (*vl)[3]->AsPortVal()->Port();
+
+	return fmt("%s/%u -> %s/%u\n", dotted_addr(orig_h), orig_p, dotted_addr(resp_h), resp_p);
+	}
+%%}
+
+## Skips the data of the HTTP entity.
+##
+## c: The HTTP connection.
+##
+## is_orig: If true, the client data is skipped and the server data otherwise.
+##
+## .. bro:see:: skip_smtp_data
+function skip_http_entity_data%(c: connection, is_orig: bool%): any
+	%{
+	AnalyzerID id = mgr.CurrentAnalyzer();
+	if ( id )
+		{
+		Analyzer* ha = c->FindAnalyzer(id);
+
+		if ( ha )
+			{
+			if ( ha->GetTag() == AnalyzerTag::HTTP )
+				static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
+			else
+				reporter->Error("non-HTTP analyzer associated with connection record");
+			}
+		else
+			reporter->Error("could not find analyzer for skip_http_entity_data");
+
+		}
+	else
+		reporter->Error("no analyzer associated with connection record");
+
+	return 0;
+	%}
+
+## Unescapes all characters in a URI, i.e., decodes every ``%xx`` group.
+##
+## URI: The URI to unescape.
+##
+## Returns: The unescaped URI with all ``%xx`` groups decoded.
+##
+## .. note::
+##
+##      Unescaping reserved characters may cause loss of information. RFC 2396:
+##      A URI is always in an "escaped" form, since escaping or unescaping a
+##      completed URI might change its semantics.  Normally, the only time
+##      escape encodings can safely be made is when the URI is being created
+##      from its component parts.
+function unescape_URI%(URI: string%): string
+	%{
+	const u_char* line = URI->Bytes();
+	const u_char* const line_end = line + URI->Len();
+
+	return new StringVal(unescape_URI(line, line_end, 0));
+	%}
+
+## Writes the current packet to a file.
+##
+## file_name: The name of the file to write the packet to.
+##
+## Returns: True on success.
+##
+## .. bro:see:: dump_packet get_current_packet send_current_packet
 function dump_current_packet%(file_name: string%) : bool
 	%{
 	const struct pcap_pkthdr* hdr;
@@ -2284,6 +3190,12 @@ function dump_current_packet%(file_name: string%) : bool
 	return new Val(! addl_pkt_dumper->IsError(), TYPE_BOOL);
 	%}
 
+## Returns the currently processed PCAP packet.
+##
+## Returns: The currently processed packet, which is as a record
+##          containing the timestamp, ``snaplen``, and packet data.
+##
+## .. bro:see:: dump_current_packet dump_packet send_current_packet
 function get_current_packet%(%) : pcap_packet
 	%{
 	const struct pcap_pkthdr* hdr;
@@ -2310,6 +3222,15 @@ function get_current_packet%(%) : pcap_packet
 	return pkt;
 	%}
 
+## Writes a given packet to a file.
+##
+## pkt: The PCAP packet.
+##
+## file_name: The name of the file to write *pkt* to.
+##
+## Returns: True on success
+##
+## .. bro:see:: get_current_packet dump_current_packet send_current_packet
 function dump_packet%(pkt: pcap_packet, file_name: string%) : bool
 	%{
 	struct pcap_pkthdr hdr;
@@ -2329,311 +3250,1151 @@ function dump_packet%(pkt: pcap_packet, file_name: string%) : bool
 	return new Val(addl_pkt_dumper->IsError(), TYPE_BOOL);
 	%}
 
-# The return value is the old size of the vector.
-# ### Need better type checking on the argument here and in subsequent
-# vector builtins -- probably need to update "bif" code generator.
-function resize%(aggr: any, newsize: count%) : count
-	%{
-	if ( aggr->Type()->Tag() != TYPE_VECTOR )
-		{
-		builtin_run_time("resize() operates on vectors");
-		return 0;
-		}
-
-	return new Val(aggr->AsVectorVal()->Resize(newsize), TYPE_COUNT);
-	%}
-
-# Returns true if any element is T.
-function any_set%(v: any%) : bool
-	%{
-	if ( v->Type()->Tag() != TYPE_VECTOR ||
-	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
-		{
-		builtin_run_time("any_set() requires vector of bool");
-		return new Val(false, TYPE_BOOL);
-		}
-
-	VectorVal* vv = v->AsVectorVal();
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
-		if ( vv->Lookup(i) && vv->Lookup(i)->AsBool() )
-			return new Val(true, TYPE_BOOL);
-
-	return new Val(false, TYPE_BOOL);
-	%}
-
-# Returns true if all elements are T (missing counts as F).
-function all_set%(v: any%) : bool
-	%{
-	if ( v->Type()->Tag() != TYPE_VECTOR ||
-	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
-		{
-		builtin_run_time("all_set() requires vector of bool");
-		return new Val(false, TYPE_BOOL);
-		}
-
-	VectorVal* vv = v->AsVectorVal();
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
-		if ( ! vv->Lookup(i) || ! vv->Lookup(i)->AsBool() )
-			return new Val(false, TYPE_BOOL);
-
-	return new Val(true, TYPE_BOOL);
-	%}
-
-# sort() takes a vector and comparison function on the elements and
-# sorts the vector in place.  It returns the original vector.
-
 %%{
-static Func* sort_function_comp = 0;
-static Val** index_map = 0;	// used for indirect sorting to support order()
+#include "DNS_Mgr.h"
+#include "Trigger.h"
 
-bool sort_function(Val* a, Val* b)
-	{
-	// Sort missing values as "high".
-	if ( ! a )
-		return 0;
-	if ( ! b )
-		return 1;
+class LookupHostCallback : public DNS_Mgr::LookupCallback {
+public:
+	LookupHostCallback(Trigger* arg_trigger, const CallExpr* arg_call,
+				bool arg_lookup_name)
+		{
+		Ref(arg_trigger);
+		trigger = arg_trigger;
+		call = arg_call;
+		lookup_name = arg_lookup_name;
+		}
 
-	val_list sort_func_args;
-	sort_func_args.append(a->Ref());
-	sort_func_args.append(b->Ref());
+	~LookupHostCallback()
+		{
+		Unref(trigger);
+		}
 
-	Val* result = sort_function_comp->Call(&sort_func_args);
-	int int_result = result->CoerceToInt();
-	Unref(result);
+	// Overridden from DNS_Mgr:Lookup:Callback.
+	virtual void Resolved(const char* name)
+		{
+		Val* result = new StringVal(name);
+		trigger->Cache(call, result);
+		Unref(result);
+		trigger->Release();
+		}
 
-	sort_func_args.remove_nth(1);
-	sort_func_args.remove_nth(0);
+	virtual void Resolved(TableVal* addrs)
+		{
+		// No Ref() for addrs.
+		trigger->Cache(call, addrs);
+		trigger->Release();
+		}
 
-	return int_result < 0;
-	}
+	virtual void Timeout()
+		{
+		if ( lookup_name )
+			{
+			Val* result = new StringVal("<\?\?\?>");
+			trigger->Cache(call, result);
+			Unref(result);
+			}
 
-bool indirect_sort_function(int a, int b)
-	{
-	return sort_function(index_map[a], index_map[b]);
-	}
+		else
+			{
+			ListVal* lv = new ListVal(TYPE_ADDR);
+			lv->Append(new AddrVal("0.0.0.0"));
+			Val* result = lv->ConvertToSet();
+			trigger->Cache(call, result);
+			Unref(result);
+			Unref(lv);
+			}
 
-bool int_sort_function (Val* a, Val* b)
-	{
-	if ( ! a )
-		return 0;
-	if ( ! b )
-		return 1;
+		trigger->Release();
+		}
 
-	int ia = a->CoerceToInt();
-	int ib = b->CoerceToInt();
-
-	return ia < ib;
-	}
-
-bool indirect_int_sort_function(int a, int b)
-	{
-	return int_sort_function(index_map[a], index_map[b]);
-	}
+private:
+	Trigger* trigger;
+	const CallExpr* call;
+	bool lookup_name;
+};
 %%}
 
-function sort%(v: any, ...%) : any
+## Issues an asynchronous reverse DNS lookup and delays the function result.
+## This function can therefore only be called inside a ``when`` condition,
+## e.g., ``when ( local host = lookup_addr(10.0.0.1) ) { f(host); }``.
+##
+## host: The IP address to lookup.
+##
+## Returns: The DNS name of *host*.
+##
+## .. bro:see:: lookup_hostname
+function lookup_addr%(host: addr%) : string
 	%{
-	v->Ref();	// we always return v
+	// FIXME: It should be easy to adapt the function to synchronous
+	// lookups if we're reading a trace.
+	Trigger* trigger = frame->GetTrigger();
 
-	if ( v->Type()->Tag() != TYPE_VECTOR )
+	if ( ! trigger)
 		{
-		builtin_run_time("sort() requires vector");
-		return v;
+		builtin_error("lookup_addr() can only be called inside a when-condition");
+		return new StringVal("<error>");
 		}
 
-	BroType* elt_type = v->Type()->YieldType();
-	Func* comp = 0;
+	frame->SetDelayed();
+	trigger->Hold();
 
-	if ( @ARG@.length() > 2 )
-		builtin_run_time("sort() called with extraneous argument");
-
-	if ( @ARG@.length() == 2 )
+#ifdef BROv6
+	if ( ! is_v4_addr(host) )
 		{
-		Val* comp_val = @ARG@[1];
-		if ( ! IsFunc(comp_val->Type()->Tag()) )
+		// FIXME: This is a temporary work-around until we get this
+		// fixed. We warn the user once, and always trigger a timeout.
+		// Ticket #355 records the problem.
+		static bool warned = false;
+		if ( ! warned )
 			{
-			builtin_run_time("second argument to sort() needs to be comparison function");
-			return v;
+			reporter->Warning("lookup_addr() only supports IPv4 addresses currently");
+			warned = true;
 			}
 
-		comp = comp_val->AsFunc();
+		trigger->Timeout();
+		return 0;
 		}
 
-	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
-		builtin_run_time("comparison function required for sort() with non-integral types");
-
-	vector<Val*>& vv = *v->AsVector();
-
-	if ( comp )
-		{
-		FuncType* comp_type = comp->FType()->AsFuncType();
-		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
-		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
-			{
-			builtin_run_time("invalid comparison function in call to sort()");
-			return v;
-			}
-
-		sort_function_comp = comp;
-
-		sort(vv.begin(), vv.end(), sort_function);
-		}
-	else
-		sort(vv.begin(), vv.end(), int_sort_function);
-
-	return v;
-	%}
-
-function order%(v: any, ...%) : index_vec
-	%{
-	VectorVal* result_v =
-		new VectorVal(new VectorType(base_type(TYPE_COUNT)));
-
-	if ( v->Type()->Tag() != TYPE_VECTOR )
-		{
-		builtin_run_time("order() requires vector");
-		return result_v;
-		}
-
-	BroType* elt_type = v->Type()->YieldType();
-	Func* comp = 0;
-
-	if ( @ARG@.length() > 2 )
-		builtin_run_time("order() called with extraneous argument");
-
-	if ( @ARG@.length() == 2 )
-		{
-		Val* comp_val = @ARG@[1];
-		if ( ! IsFunc(comp_val->Type()->Tag()) )
-			{
-			builtin_run_time("second argument to order() needs to be comparison function");
-			return v;
-			}
-
-		comp = comp_val->AsFunc();
-		}
-
-	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
-		builtin_run_time("comparison function required for sort() with non-integral types");
-
-	vector<Val*>& vv = *v->AsVector();
-	int n = vv.size();
-
-	// Set up initial mapping of indices directly to corresponding
-	// elements.  We stay zero-based until after the sorting.
-	vector<int> ind_vv(n);
-	index_map = new Val*[n];
-	int i;
-	for ( i = 0; i < n; ++i )
-		{
-		ind_vv[i] = i;
-		index_map[i] = vv[i];
-		}
-
-	if ( comp )
-		{
-		FuncType* comp_type = comp->FType()->AsFuncType();
-		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
-		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
-			{
-			builtin_run_time("invalid comparison function in call to sort()");
-			return v;
-			}
-
-		sort_function_comp = comp;
-
-		sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function);
-		}
-	else
-		sort(ind_vv.begin(), ind_vv.end(), indirect_int_sort_function);
-
-	delete [] index_map;
-	index_map = 0;
-
-	// Now spin through ind_vv to read out the rearrangement,
-	// adjusting indices as we do so.
-	for ( i = 0; i < n; ++i )
-		{
-		int ind = ind_vv[i] + VECTOR_MIN;
-		result_v->Assign(i + VECTOR_MIN, new Val(ind, TYPE_COUNT), 0);
-		}
-
-	return result_v;
-	%}
-
-%%{
-// Experimental code to add support for IDMEF XML output based on
-// notices.  For now, we're implementing it as a builtin you can call on an
-// notices record.
-
-#ifdef USE_IDMEF
-extern "C" {
-#include <libidmef/idmefxml.h>
-}
-#endif
-
-#include <sys/socket.h>
-
-char* port_to_string(PortVal* port)
-	{
-	char buf[256];	// to hold sprintf results on port numbers
-	snprintf(buf, sizeof(buf), "%u", port->Port());
-	return copy_string(buf);
-	}
-
-%%}
-
-function generate_idmef%(src_ip: addr, src_port: port,
-				dst_ip: addr, dst_port: port%) : bool
-	%{
-#ifdef USE_IDMEF
-	xmlNodePtr message =
-		newIDMEF_Message(newAttribute("version","1.0"),
-			newAlert(newCreateTime(NULL),
-			newSource(
-				newNode(newAddress(
-					newAttribute("category","ipv4-addr"),
-					newSimpleElement("address",
-					copy_string(dotted_addr(src_ip))),
-					NULL), NULL),
-				newService(
-					newSimpleElement("port",
-						port_to_string(src_port)),
-					NULL), NULL),
-			newTarget(
-				newNode(newAddress(
-					newAttribute("category","ipv4-addr"),
-					newSimpleElement("address",
-					copy_string(dotted_addr(dst_ip))),
-					NULL), NULL),
-				newService(
-					newSimpleElement("port",
-						port_to_string(dst_port)),
-					NULL), NULL), NULL), NULL);
-
-	// if ( validateCurrentDoc() )
-	printCurrentMessage(stderr);
-	return new Val(1, TYPE_BOOL);
+	dns_mgr->AsyncLookupAddr(to_v4_addr(host),
+			new LookupHostCallback(trigger, frame->GetCall(), true));
 #else
-	builtin_run_time("Bro was not configured for IDMEF support");
-	return new Val(0, TYPE_BOOL);
+	dns_mgr->AsyncLookupAddr(host,
+			new LookupHostCallback(trigger, frame->GetCall(), true));
 #endif
+	return 0;
 	%}
 
-function dump_rule_stats%(f: file%): bool
+## Issues an asynchronous DNS lookup and delays the function result.
+## This function can therefore only be called inside a ``when`` condition,
+## e.g., ``when ( local h = lookup_hostname("www.bro-ids.org") ) { f(h); }``.
+##
+## host: The hostname to lookup.
+##
+## Returns: A set of DNS A records associated with *host*.
+##
+## .. bro:see:: lookup_addr
+function lookup_hostname%(host: string%) : addr_set
 	%{
-	if ( rule_matcher )
-		rule_matcher->DumpStats(f);
+	// FIXME: Is should be easy to adapt the function to synchronous
+	// lookups if we're reading a trace.
+	Trigger* trigger = frame->GetTrigger();
 
+	if ( ! trigger)
+		{
+		builtin_error("lookup_hostname() can only be called inside a when-condition");
+		return new StringVal("<error>");
+		}
+
+	frame->SetDelayed();
+	trigger->Hold();
+
+	dns_mgr->AsyncLookupName(host->CheckString(),
+			new LookupHostCallback(trigger, frame->GetCall(), false));
+	return 0;
+	%}
+
+%%{
+#ifdef USE_GEOIP
+extern "C" {
+#include <GeoIPCity.h>
+}
+
+static GeoIP* open_geoip_db(GeoIPDBTypes type)
+	{
+	GeoIP* geoip = 0;
+
+	if ( GeoIP_db_avail(type) )
+		geoip = GeoIP_open_type(type, GEOIP_MEMORY_CACHE);
+
+	if ( ! geoip )
+		reporter->Warning("Failed to open GeoIP database: %s",
+		                  GeoIPDBFileName[type]);
+	return geoip;
+	}
+
+#endif
+%%}
+
+## Performs a geo-lookup of an IP address.
+## Requires Bro to be built with ``libgeoip``.
+##
+## a: The IP address to lookup.
+##
+## Returns: A record with country, region, city, latitude, and longitude.
+##
+## .. bro:see:: lookup_asn
+function lookup_location%(a: addr%) : geo_location
+	%{
+	RecordVal* location = new RecordVal(geo_location);
+
+#ifdef USE_GEOIP
+	static bool geoip_initialized = false;
+	static GeoIP* geoip = 0;
+	static GeoIP* geoip_v6 = 0;
+	static bool have_city_db = false;
+	static bool have_cityv6_db = false;
+	GeoIPRecord* gir = 0;
+	const char* cc = 0;
+
+	if ( ! geoip_initialized )
+		{
+		geoip_initialized = true;
+		geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0);
+
+		if ( ! geoip )
+			{
+			geoip = open_geoip_db(GEOIP_COUNTRY_EDITION);
+			if ( ! geoip )
+				builtin_error("Can't initialize GeoIP City/Country database");
+			else
+				reporter->Warning("Fell back to GeoIP Country database");
+			}
+		else
+			have_city_db = true;
+
+#ifdef BROv6
+
+#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6
+		geoip_v6 = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6);
+		if ( geoip_v6 )
+			have_cityv6_db = true;
+#endif
+
+#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
+		if ( ! geoip_v6 )
+			geoip_v6 = open_geoip_db(GEOIP_COUNTRY_EDITION_V6);
+#endif
+		if ( ! geoip_v6 )
+			builtin_error("Can't initialize GeoIPv6 City/Country database");
+#endif
+		}
+
+#ifdef BROv6
+
+#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
+	if ( geoip_v6 && ! is_v4_addr(a) )
+		{
+		geoipv6_t ga;
+		memcpy(&ga, a, 16);
+		if ( have_cityv6_db )
+			gir = GeoIP_record_by_ipnum_v6(geoip_v6, ga);
+		else
+			cc = GeoIP_country_code_by_ipnum_v6(geoip_v6, ga);
+		}
+	else
+#endif
+
+	if ( geoip && is_v4_addr(a) )
+		{
+		uint32 addr = to_v4_addr(a);
+		if ( have_city_db )
+			gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
+		else
+			cc = GeoIP_country_code_by_ipnum(geoip, ntohl(addr));
+		}
+
+#else // not BROv6
+	if ( geoip )
+		{
+		if ( have_city_db )
+			gir = GeoIP_record_by_ipnum(geoip, ntohl(a));
+		else
+			cc = GeoIP_country_code_by_ipnum(geoip, ntohl(a));
+		}
+#endif
+
+	if ( gir )
+		{
+		if ( gir->country_code )
+			location->Assign(0, new StringVal(gir->country_code));
+
+		if ( gir->region )
+			location->Assign(1, new StringVal(gir->region));
+
+		if ( gir->city )
+			location->Assign(2, new StringVal(gir->city));
+
+		if ( gir->latitude )
+			location->Assign(3, new Val(gir->latitude,
+							TYPE_DOUBLE));
+
+		if ( gir->longitude )
+			location->Assign(4, new Val(gir->longitude,
+						TYPE_DOUBLE));
+
+		GeoIPRecord_delete(gir);
+
+		return location;
+		}
+
+	else if ( cc )
+		{
+		location->Assign(0, new StringVal(cc));
+		return location;
+		}
+
+#else // not USE_GEOIP
+	static int missing_geoip_reported = 0;
+
+	if ( ! missing_geoip_reported )
+		{
+		builtin_error("Bro was not configured for GeoIP support");
+		missing_geoip_reported = 1;
+		}
+#endif
+
+	// We can get here even if we have GeoIP support if we weren't
+	// able to initialize it or it didn't return any information for
+	// the address.
+
+	return location;
+	%}
+
+## Performs an AS lookup of an IP address.
+##
+## a: The IP address to lookup.
+##
+## Returns: The number of the AS that contains *a*.
+##
+## .. bro:see:: lookup_location
+function lookup_asn%(a: addr%) : count
+	%{
+#ifdef USE_GEOIP
+	static GeoIP* geoip_asn = 0;
+	static bool geoip_asn_initialized = false;
+	char* gir = 0;
+
+	if ( ! geoip_asn_initialized )
+		{
+		geoip_asn_initialized = true;
+		geoip_asn = open_geoip_db(GEOIP_ASNUM_EDITION);
+		if ( ! geoip_asn )
+			builtin_error("Can't initialize GeoIP ASNUM database");
+		}
+
+	if ( geoip_asn )
+		{
+#ifdef BROv6
+
+// IPv6 support showed up in 1.4.5.
+#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
+		if ( ! is_v4_addr(a) )
+			{
+			geoipv6_t ga;
+			memcpy(&ga, a, 16);
+			gir = GeoIP_name_by_ipnum_v6(geoip_asn, ga);
+			}
+		else
+#endif
+
+		if ( is_v4_addr(a) )
+			{
+			uint32 addr = to_v4_addr(a);
+			gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr));
+			}
+
+#else // not BROv6
+		gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(a));
+#endif
+		}
+
+	if ( gir )
+		{
+		// Move the pointer +2 so we don't return
+		// the first two characters: "AS".
+		return new Val(atoi(gir+2), TYPE_COUNT);
+		}
+
+#else // not USE_GEOIP
+	static int missing_geoip_reported = 0;
+
+	if ( ! missing_geoip_reported )
+		{
+		builtin_error("Bro was not configured for GeoIP ASN support");
+		missing_geoip_reported = 1;
+		}
+#endif
+
+	// We can get here even if we have GeoIP support, if we weren't
+	// able to initialize it or it didn't return any information for
+	// the address.
+	return new Val(0, TYPE_COUNT);
+	%}
+
+%%{
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/x509_vfy.h>
+
+// This is the indexed map of X509 certificate stores.
+static map<Val*, X509_STORE*> x509_stores;
+
+// ### NOTE: while d2i_X509 does not take a const u_char** pointer,
+// here we assume d2i_X509 does not write to <data>, so it is safe to
+// convert data to a non-const pointer.  Could some X509 guru verify
+// this?
+
+X509* d2i_X509_(X509** px, const u_char** in, int len)
+	{
+#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
+	  return d2i_X509(px, in, len);
+#else
+	  return d2i_X509(px, (u_char**)in, len);
+#endif
+	}
+
+%%}
+
+
+## Verifies a certificate.
+##
+## der_cert: The X.509 certificate in DER format.
+##
+## cert_stack: Specifies a certificate chain to validate against, with index 0
+##             typically being the root CA. Bro uses the Mozilla root CA list
+##             by default.
+##
+## root_certs: A list of additional root certificates that extends
+##             *cert_stack*.
+##
+## Returns: A status code of the verification which can be converted into an
+##          ASCII string via :bro:id:`x509_err2str`.
+##
+## .. bro:see:: x509_err2str
+function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count
+	%{
+	X509_STORE* ctx = 0;
+	int i = 0;
+
+	// If this certificate store was built previously, just reuse the old one.
+	if ( x509_stores.count(root_certs) > 0 )
+		ctx = x509_stores[root_certs];
+
+	if ( ! ctx ) // lookup to see if we have this one built already!
+		{
+		ctx = X509_STORE_new();
+		TableVal* root_certs2 = root_certs->AsTableVal();
+		ListVal* idxs = root_certs2->ConvertToPureList();
+
+		// Build the validation store
+		for ( i = 0; i < idxs->Length(); ++i )
+			{
+			Val* key = idxs->Index(i);
+			StringVal *sv = root_certs2->Lookup(key)->AsStringVal();
+			const uint8* data = sv->Bytes();
+			X509* x = d2i_X509_(NULL, &data, sv->Len());
+			if ( ! x )
+				{
+				builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+				return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+				}
+			X509_STORE_add_cert(ctx, x);
+			}
+		delete idxs;
+
+		// Save the newly constructed certificate store into the cacheing map.
+		x509_stores[root_certs] = ctx;
+		}
+
+	const uint8 *cert_data = der_cert->Bytes();
+	X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len());
+	if ( ! cert )
+		{
+		builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+		}
+
+	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
+	if ( ! untrusted_certs )
+		{
+		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+		}
+
+	VectorVal *cert_stack_vec = cert_stack->AsVectorVal();
+	for ( i = 0; i < (int) cert_stack_vec->Size(); ++i )
+		{
+		StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal();
+		const uint8 *data = sv->Bytes();
+		X509* x = d2i_X509_(NULL, &data, sv->Len());
+		if ( ! x )
+			{
+			X509_free(cert);
+			sk_X509_pop_free(untrusted_certs, X509_free);
+			builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+			return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+			}
+		sk_X509_push(untrusted_certs, x);
+		}
+
+	X509_STORE_CTX csc;
+	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
+
+	int result = X509_verify_cert(&csc);
+	X509_STORE_CTX_cleanup(&csc);
+
+	if ( untrusted_certs )
+		sk_X509_pop_free(untrusted_certs, X509_free);
+	X509_free(cert);
+
+	return new Val((uint64) csc.error, TYPE_COUNT);
+	%}
+
+## Converts a certificate verification error code into an ASCII string.
+##
+## err_num: The error code.
+##
+## Returns: A string representation of *err_num*.
+##
+## .. bro:see:: x509_verify
+function x509_err2str%(err_num: count%): string
+	%{
+	return new StringVal(X509_verify_cert_error_string(err_num));
+	%}
+
+## Converts UNIX file permissions given by a mode to an ASCII string.
+##
+## mode: The permisssions, e.g., 644 or 755.
+##
+## Returns: A string representation of *mode* in the format
+##          ``rw[xsS]rw[xsS]rw[xtT]``.
+function file_mode%(mode: count%): string
+	%{
+	char str[12];
+	char *p = str;
+
+	/* usr */
+	if (mode & S_IRUSR)
+		*p++ = 'r';
+	else
+		*p++ = '-';
+
+	if (mode & S_IWUSR)
+		*p++ = 'w';
+	else
+		*p++ = '-';
+
+	switch (mode & (S_IXUSR | S_ISUID)) {
+	case 0:
+		*p++ = '-';
+		break;
+	case S_IXUSR:
+		*p++ = 'x';
+		break;
+	case S_ISUID:
+		*p++ = 'S';
+		break;
+	case S_IXUSR | S_ISUID:
+		*p++ = 's';
+		break;
+	}
+
+	/* group */
+	if (mode & S_IRGRP)
+		*p++ = 'r';
+	else
+		*p++ = '-';
+	if (mode & S_IWGRP)
+		*p++ = 'w';
+	else
+		*p++ = '-';
+
+	switch (mode & (S_IXGRP | S_ISGID)) {
+	case 0:
+		*p++ = '-';
+		break;
+	case S_IXGRP:
+		*p++ = 'x';
+		break;
+	case S_ISGID:
+		*p++ = 'S';
+		break;
+	case S_IXGRP | S_ISGID:
+		*p++ = 's';
+		break;
+	}
+
+	/* other */
+	if (mode & S_IROTH)
+		*p++ = 'r';
+	else
+		*p++ = '-';
+	if (mode & S_IWOTH)
+		*p++ = 'w';
+	else
+		*p++ = '-';
+
+	switch (mode & (S_IXOTH | S_ISVTX)) {
+	case 0:
+		*p++ = '-';
+		break;
+	case S_IXOTH:
+		*p++ = 'x';
+		break;
+	case S_ISVTX:
+		*p++ = 'T';
+		break;
+	case S_IXOTH | S_ISVTX:
+		*p++ = 't';
+		break;
+	}
+
+	*p = '\0';
+
+	return new StringVal(str);
+	%}
+
+# ===========================================================================
+#
+#                        Controlling Analyzer Behavior
+#
+# ===========================================================================
+
+%%{
+#include "DPM.h"
+%%}
+
+## Schedules an analyzer for a future connection from a given IP address and
+## port. The function ignores the scheduling request if the connection did
+## not occur within the specified time interval.
+##
+## orig: The IP address originating a connection in the future.
+##
+## resp: The IP address responding to a connection from *orig*.
+##
+## resp_p: The destination port at *resp*.
+##
+## analyzer: The analyzer ID.
+##
+## tout: The timeout interval after which to ignore the scheduling request.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: disable_analyzer analyzer_name
+##
+## .. todo:: The return value should be changed to any.
+function expect_connection%(orig: addr, resp: addr, resp_p: port,
+				analyzer: count, tout: interval%) : any
+	%{
+	dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(),
+				(AnalyzerTag::Tag) analyzer, tout, 0);
+	return 0;
+	%}
+
+## Disables the analyzer which raised the current event (if the analyzer
+## belongs to the given connection).
+##
+## cid: The connection identifier.
+##
+## aid: The analyzer ID.
+##
+## Returns: True if the connection identified by *cid* exists and has analyzer
+##          *aid*.
+##
+## .. bro:see:: expect_connection analyzer_name
+function disable_analyzer%(cid: conn_id, aid: count%) : bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		{
+		reporter->Error("cannot find connection");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	Analyzer* a = c->FindAnalyzer(aid);
+	if ( ! a )
+		{
+		reporter->Error("connection does not have analyzer specified to disable");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	a->Remove();
 	return new Val(1, TYPE_BOOL);
 	%}
 
-function bro_is_terminating%(%): bool
+## Translate an analyzer type to an ASCII string.
+##
+## aid: The analyzer ID.
+##
+## Returns: The analyzer *aid* as string.
+##
+## .. bro:see:: expect_connection disable_analyzer current_analyzer
+function analyzer_name%(aid: count%) : string
 	%{
-	return new Val(terminating, TYPE_BOOL);
+	return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid));
 	%}
 
+## Informs Bro that it should skip any further processing of the contents of
+## a given connection. In particular, Bro will refrain from reassembling the
+## TCP byte stream and from generating events relating to any analyzers that
+## have been processing the connection.
+##
+## cid: The connection ID.
+##
+## Returns: False if *id* does not point to an active connection and true
+##          otherwise.
+##
+## .. note::
+##
+##     Bro will still generate connection-oriented events such as
+##     :bro:id:`connection_finished`.
+function skip_further_processing%(cid: conn_id%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->SetSkip(1);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Controls whether packet contents belonging to a connection should be
+## recorded (when ``-w`` option is provided on the command line).
+##
+## cid: The connection identifier.
+##
+## do_record: True to enable packet contens and false to disable for the
+##            connection identified by *cid*.
+##
+## Returns: False if *id* does not point to an active connection and true
+##          otherwise.
+##
+## .. bro:see:: skip_further_processing
+##
+## .. note::
+##
+##     This is independent of whether Bro processes the packets of this
+##     connection, which is controlled separately by
+##     :bro:id:`skip_further_processing`.
+##
+## .. bro:see: get_contents_file set_contents_file
+function set_record_packets%(cid: conn_id, do_record: bool%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->SetRecordPackets(do_record);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Associates a file handle with a connection for writing TCP byte stream
+## contents.
+##
+## cid: The connection ID.
+##
+## direction: Controls what sides of the connection to record. The argument can
+##            take one the four values:
+##
+##            - ``CONTENTS_NONE``: Stop recording the connection's content.
+##            - ``CONTENTS_ORIG``: Record the data sent by the connection
+##                                 originator (often the client).
+##            - ``CONTENTS_RESP``: Record the data sent by the connection
+##                                 responder (often the server).
+##            - ``CONTENTS_BOTH``: Record the data sent in both directions.
+##                                 Results in the two directions being
+##                                 intermixed in the file, in the order the
+##                                 data was seen by Bro.
+##
+## f: The file handle of the file to write the contents to.
+##
+## Returns: Returns false if *id* does not point to an active connection and
+##          true otherwise.
+##
+## .. note::
+##
+##     The data recorded to the file reflects the byte stream, not the
+##     contents of individual packets. Reordering and duplicates are
+##     removed. If any data is missing, the recording stops at the
+##     missing data; this can happen, e.g., due to an
+##     :bro:id:`ack_above_hole` event.
+##
+## .. bro:see: get_contents_file set_record_packets
+function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->GetRootAnalyzer()->SetContentsFile(direction, f);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Returns the file handle of the contents file of a connection.
+##
+## cid: The connection ID.
+##
+## direction: Controls what sides of the connection to record. SEe
+##            :bro:id:`set_contents_file` for possible values.
+##
+## Returns: The :bro:type:`file` handle for the contentents file of the
+##          connection identified by *cid*. If the connection exists
+##          but no contents file for *direction*, the function generates a
+##          error and returns a file handle to ``stderr``.
+##
+## .. bro:see: set_contents_file set_record_packets
+function get_contents_file%(cid: conn_id, direction: count%): file
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0;
+
+	if ( f )
+		{
+		Ref(f);
+		return new Val(f);
+		}
+
+	// Return some sort of error value.
+	if ( ! c )
+		builtin_error("unknown connection id in get_contents_file()", cid);
+	else
+		builtin_error("no contents file for given direction");
+
+	return new Val(new BroFile(stderr, "-", "w"));
+	%}
+
+## Sets an individual inactivity timeout for a connection and thus
+## overrides the global inactivity timeout.
+##
+## cid: The connection ID.
+##
+## t: The new inactivity timeout for the connection identified by *cid*.
+##
+## Returns: The previous timeout interval.
+function set_inactivity_timeout%(cid: conn_id, t: interval%): interval
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_INTERVAL);
+
+	double old_timeout = c->InactivityTimeout();
+	c->SetInactivityTimeout(t);
+
+	return new Val(old_timeout, TYPE_INTERVAL);
+	%}
+
+## Returns the state of the given login (Telnet or Rlogin) connection.
+##
+## cid: The connection ID.
+##
+## Returns: False if the connection is not active or is not tagged as a
+##          login analyzer. Otherwise the function returns the state, which can
+##          be one of:
+##
+##              - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
+##                initial authentication dialog.
+##              - ``OGIN_STATE_LOGGED_IN``: The analyzer believes the user has
+##                successfully authenticated.
+##              - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
+##                processing of the connection.
+##              - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
+##                does not correctly know the state of the connection, and/or
+##                the username associated with it.
+##
+## .. bro:see: set_login_state
+function get_login_state%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
+	if ( ! la )
+		return new Val(0, TYPE_BOOL);
+
+	return new Val(int(static_cast<Login_Analyzer*>(la)->LoginState()),
+			TYPE_COUNT);
+	%}
+
+## Sets the login state of a connection with a login analyzer.
+##
+## cid: The connection ID.
+##
+## new_state: The new state of the login analyzer. See
+##            :bro:id:`get_login_state` for possible values.
+##
+## Returns: Returns false if *cid* is not an active connection
+##          or does not tagged as login analyzer, and true otherwise.
+##
+## .. bro:see: get_login_state
+function set_login_state%(cid: conn_id, new_state: count%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
+	if ( ! la )
+		return new Val(0, TYPE_BOOL);
+
+	static_cast<Login_Analyzer*>(la)->SetLoginState(login_state(new_state));
+	return new Val(1, TYPE_BOOL);
+	%}
+
+%%{
+#include "TCP.h"
+%%}
+
+## Get the originator sequence number of a TCP connection. Sequence numbers
+## are absolute (i.e., they reflect the values seen directly in packet headers;
+## they are not relative to the beginning of the connection).
+##
+## cid: The connection ID.
+##
+## Returns: The highest sequence number sent by a connection's originator, or 0
+##          if *cid* does not point to an active TCP connection.
+##
+## .. bro:see:: get_resp_seq
+function get_orig_seq%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_COUNT);
+
+	if ( c->ConnTransport() != TRANSPORT_TCP )
+		return new Val(0, TYPE_COUNT);
+
+	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
+	if ( tc )
+		return new Val(static_cast<TCP_Analyzer*>(tc)->OrigSeq(),
+				TYPE_COUNT);
+	else
+		{
+		reporter->Error("connection does not have TCP analyzer");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+## Get the responder sequence number of a TCP connection. Sequence numbers
+## are absolute (i.e., they reflect the values seen directly in packet headers;
+## they are not relative to the beginning of the connection).
+##
+## cid: The connection ID.
+##
+## Returns: The highest sequence number sent by a connection's responder, or 0
+##          if *cid* does not point to an active TCP connection.
+##
+## .. bro:see:: get_orig_seq
+function get_resp_seq%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_COUNT);
+
+	if ( c->ConnTransport() != TRANSPORT_TCP )
+		return new Val(0, TYPE_COUNT);
+
+	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
+	if ( tc )
+		return new Val(static_cast<TCP_Analyzer*>(tc)->RespSeq(),
+				TYPE_COUNT);
+	else
+		{
+		reporter->Error("connection does not have TCP analyzer");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+%%{
+#include "SMTP.h"
+%%}
+
+## Skips SMTP data until the next email in a connection.
+##
+## c: The SMTP connection.
+##
+## .. bro:see:: skip_http_entity_data
+function skip_smtp_data%(c: connection%): any
+	%{
+	Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP);
+	if ( sa )
+		static_cast<SMTP_Analyzer*>(sa)->SkipData();
+	return 0;
+	%}
+
+## Enables all event handlers in a given group. One can tag event handlers with
+## the :bro:attr:`&group` attribute to logically group them together, e.g,
+## ``event foo() &group="bar"``. This function enables all event handlers that
+## belong to such a group.
+##
+## group: The group.
+##
+## .. bro:see:: disable_event_group
+function enable_event_group%(group: string%) : any
+	%{
+	event_registry->EnableGroup(group->CheckString(), true);
+	return 0;
+	%}
+
+## Disables all event handlers in a given group.
+##
+## group: The group.
+##
+## .. bro:see:: enable_event_group
+function disable_event_group%(group: string%) : any
+	%{
+	event_registry->EnableGroup(group->CheckString(), false);
+	return 0;
+	%}
+
+# ===========================================================================
+#
+#                            Files and Directories
+#
+# ===========================================================================
+
+## Opens a file for writing. If a file with the same name already exists, this
+## function overwrites it (as opposed to :bro:id:`open_for_append`).
+##
+## f: The path to the file.
+##
+##  Returns: A :bro:type:`file` handle for subsequent operations.
+##
+## .. bro:see;: active_file open_for_append close write_file
+##              get_file_name set_buf flush_all mkdir enable_raw_output
+function open%(f: string%): file
+	%{
+	const char* file = f->CheckString();
+
+	if ( streq(file, "-") )
+		return new Val(new BroFile(stdout, "-", "w"));
+	else
+		return new Val(new BroFile(file, "w"));
+	%}
+
+## Opens a file for writing or appending. If a file with the same name already
+## exists, this function appends to it (as opposed to :bro:id:`open`).
+##
+## f: The path to the file.
+##
+##  Returns: A :bro:type:`file` handle for subsequent operations.
+##
+## .. bro:see;: active_file open close write_file
+##              get_file_name set_buf flush_all mkdir enable_raw_output
+function open_for_append%(f: string%): file
+	%{
+	return new Val(new BroFile(f->CheckString(), "a"));
+	%}
+
+## Closes an open file and flushes any buffered content.
+## exists, this function appends to it (as opposed to :bro:id:`open`).
+##
+## f: A :bro:type:`file` handle to an open file.
+##
+##  Returns: True on success.
+##
+## .. bro:see;: active_file open open_for_append write_file
+##              get_file_name set_buf flush_all mkdir enable_raw_output
+function close%(f: file%): bool
+	%{
+	return new Val(f->Close(), TYPE_BOOL);
+	%}
+
+## Writes data to an open file.
+##
+## f: A :bro:type:`file` handle to an open file.
+##
+## data: The data to write to *f*.
+##
+##  Returns: True on success.
+##
+## .. bro:see;: active_file open open_for_append close
+##              get_file_name set_buf flush_all mkdir enable_raw_output
+function write_file%(f: file, data: string%): bool
+	%{
+	if ( ! f )
+		return new Val(0, TYPE_BOOL);
+
+	return new Val(f->Write((const char*) data->Bytes(), data->Len()),
+			TYPE_BOOL);
+	%}
+
+## Alters the buffering behavior of a file.
+##
+## f: A :bro:type:`file` handle to an open file.
+##
+## buffered: When true, *f* is fully buffered, i.e., bytes are saved in a
+##           buffered until the block size has been reached. When
+##           false, *f* is line buffered, i.e., bytes are saved up until a
+##           newline occurs.
+##
+## .. bro:see;: active_file open open_for_append close
+##              get_file_name write_file flush_all mkdir enable_raw_output
+function set_buf%(f: file, buffered: bool%): any
+	%{
+	f->SetBuf(buffered);
+	return new Val(0, TYPE_VOID);
+	%}
+
+## Flushes all open files to disk.
+##
+##  Returns: True on success.
+##
+## .. bro:see;: active_file open open_for_append close
+##              get_file_name write_file set_buf mkdir enable_raw_output
+function flush_all%(%): bool
+	%{
+	return new Val(fflush(0) == 0, TYPE_BOOL);
+	%}
+
+## Creates a new directory.
+##
+## f: The directory name.
+##
+##  Returns: Returns true if the operation succeeds and false if the
+##           creation fails or if *f* exists already.
+##
+## .. bro:see;: active_file open_for_append close write_file
+##              get_file_name set_buf flush_all enable_raw_output
+function mkdir%(f: string%): bool
+	%{
+	const char* filename = f->CheckString();
+	if ( mkdir(filename, 0777) < 0 && errno != EEXIST )
+		{
+		builtin_error("cannot create directory", @ARG@[0]);
+		return new Val(0, TYPE_BOOL);
+		}
+	else
+		return new Val(1, TYPE_BOOL);
+	%}
+
+## Checks whether a given file is open.
+##
+## f: The file to check.
+##
+## Returns: True if *f* is an open :bro:type:`file`.
+##
+## .. todo:: Rename to ``is_open``.
+function active_file%(f: file%): bool
+	%{
+	return new Val(f->IsOpen(), TYPE_BOOL);
+	%}
+
+## Gets the filename associated with a file handle.
+##
+## f: The file handle to inquire the name for.
+##
+## Returns: The filename associated with *f*.
+##
+## .. bro:see:: open
+function get_file_name%(f: file%): string
+	%{
+	if ( ! f )
+		return new StringVal("");
+
+	return new StringVal(f->Name());
+	%}
+
+## Rotates a file.
+##
+## f: An open file handle.
+##
+## Returns: Rotations statistics which include the original file name, the name
+##          after the rotation, and the time when *f* was opened/closed.
+##
+## .. bro:see:: rotate_file_by_name calc_next_rotate
 function rotate_file%(f: file%): rotate_info
 	%{
 	RecordVal* info = f->Rotate();
@@ -2650,6 +4411,14 @@ function rotate_file%(f: file%): rotate_info
 	return info;
 	%}
 
+## Rotates a file identified by its name.
+##
+## f: The name of the file to rotate
+##
+## Returns: Rotations statistics which include the original file name, the name
+##          after the rotation, and the time when *f* was opened/closed.
+##
+## .. bro:see:: rotate_file calc_next_rotate
 function rotate_file_by_name%(f: string%): rotate_info
 	%{
 	RecordVal* info = new RecordVal(rotate_info);
@@ -2696,6 +4465,14 @@ function rotate_file_by_name%(f: string%): rotate_info
 	return info;
 	%}
 
+## Calculates the duration until the next time a file is to be rotated, based
+## on a given rotate interval.
+##
+## i: The rotate interval to base the calculation on.
+##
+## Returns: The duration until the next file rotation time.
+##
+## .. bro:see:: rotate_file rotate_file_by_name
 function calc_next_rotate%(i: interval%) : interval
 	%{
 	const char* base_time = log_rotate_base_time ?
@@ -2703,6 +4480,11 @@ function calc_next_rotate%(i: interval%) : interval
 	return new Val(calc_next_rotate(i, base_time), TYPE_INTERVAL);
 	%}
 
+## Returns the size of a given file.
+##
+## f: The name of the file whose size to lookup.
+##
+## Returns: The size of *f* in bytes.
 function file_size%(f: string%) : double
 	%{
 	struct stat s;
@@ -2713,18 +4495,792 @@ function file_size%(f: string%) : double
 	return new Val(double(s.st_size), TYPE_DOUBLE);
 	%}
 
-function strftime%(fmt: string, d: time%) : string
+## Disables sending :bro:id:`print_hook` events to remote peers for a given
+## file. This function is equivalent to :bro:attr:`&disable_print_hook`. In a
+## distributed setup, communicating Bro instances generate the event
+## :bro:id:`print_hook` for each print statement and send it to the remote
+## side. When disabled for a particular file, these events will not be
+## propagated to other peers.
+##
+## f: The file to disable :bro:id:`print_hook` events for.
+##
+## .. bro:see:: enable_raw_output
+function disable_print_hook%(f: file%): any
 	%{
-	static char buffer[128];
-
-	time_t t = time_t(d);
-
-	if ( strftime(buffer, 128, fmt->CheckString(), localtime(&t)) == 0 )
-		return new StringVal("<strftime error>");
-
-	return new StringVal(buffer);
+	f->DisablePrintHook();
+	return 0;
 	%}
 
+## Prevents escaping of non-ASCII character when writing to a file.
+## This function is equivalent to :bro:attr:`&disable_print_hook`.
+##
+## f: The file to disable raw output for.
+##
+## .. bro:see:: disable_print_hook
+function enable_raw_output%(f: file%): any
+	%{
+	f->EnableRawOutput();
+	return 0;
+	%}
+
+# ===========================================================================
+#
+#                              Packet Filtering
+#
+# ===========================================================================
+
+## Precompiles a PCAP filter and binds it to a given identifier.
+##
+## id: The PCAP identifier to reference the filter *s* later on.
+##
+## s: The PCAP filter. See ``man tcpdump`` for valid expressions.
+##
+## Returns: True if *s* is valid and precompiles successfully.
+##
+## .. bro:see:: install_pcap_filter
+##          install_src_addr_filter
+##          install_src_net_filter
+##          uninstall_src_addr_filter
+##          uninstall_src_net_filter
+##          install_dst_addr_filter
+##          install_dst_net_filter
+##          uninstall_dst_addr_filter
+##          uninstall_dst_net_filter
+##          pcap_error
+function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
+	%{
+	bool success = true;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		pkt_srcs[i]->ClearErrorMsg();
+
+		if ( ! pkt_srcs[i]->PrecompileFilter(id->ForceAsInt(),
+							s->CheckString()) )
+			{
+			reporter->Error("precompile_pcap_filter: %s",
+				pkt_srcs[i]->ErrorMsg());
+			success = false;
+			}
+		}
+
+	return new Val(success, TYPE_BOOL);
+	%}
+
+## Installs a PCAP filter that has been precompiled with
+## :bro:id:`precompile_pcap_filter`.
+##
+## id: The PCAP filter id of a precompiled filter.
+##
+## Returns: True if the filter associated with *id* has been installed
+##          successfully.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+function install_pcap_filter%(id: PcapFilterID%): bool
+	%{
+	bool success = true;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		pkt_srcs[i]->ClearErrorMsg();
+
+		if ( ! pkt_srcs[i]->SetFilter(id->ForceAsInt()) )
+			success = false;
+		}
+
+	return new Val(success, TYPE_BOOL);
+	%}
+
+## Returns a string representation of the last PCAP error.
+##
+## Returns: A descriptive error message of the PCAP function that failed.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+function pcap_error%(%): string
+	%{
+	loop_over_list(pkt_srcs, i)
+		{
+		const char* err = pkt_srcs[i]->ErrorMsg();
+		if ( *err )
+			return new StringVal(err);
+		}
+
+	return new StringVal("no error");
+	%}
+
+## Installs a filter to drop packets from a given IP source address with
+## a certain probability if none of a given set of TCP flags are set.
+##
+## ip: The IP address to drop.
+##
+## tcp_flags: If none of these TCP flags are set, drop packets from *ip* with
+##            probability *prob*.
+##
+## prob: The probability [0.0, 1.0] used to drop packets from *ip*.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+##
+## .. todo:: The return value should be changed to any.
+function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddSrc(ip, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Installs a filter to drop packets originating from a given subnet with
+## a certain probability if none of a given set of TCP flags are set.
+##
+## snet: The subnet to drop packets from.
+##
+## tcp_flags: If none of these TCP flags are set, drop packets from *snet* with
+##            probability *prob*.
+##
+## prob: The probability [0.0, 1.0] used to drop packets from *snet*.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+##
+## .. todo:: The return value should be changed to any.
+function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddSrc(snet, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Removes a source address filter.
+##
+## ip: The IP address for which a source filter was previously installed.
+##
+## Returns: True on success.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+function uninstall_src_addr_filter%(ip: addr%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveSrc(ip), TYPE_BOOL);
+	%}
+
+## Removes a source subnet filter.
+##
+## snet: The subnet for which a source filter was previously installed.
+##
+## Returns: True on success.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+function uninstall_src_net_filter%(snet: subnet%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveSrc(snet), TYPE_BOOL);
+	%}
+
+## Installs a filter to drop packets destined to a given IP address with
+## a certain probability if none of a given set of TCP flags are set.
+##
+## ip: Drop packets to this IP address.
+##
+## tcp_flags: If none of these TCP flags are set, drop packets to *ip* with
+##            probability *prob*.
+##
+## prob: The probability [0.0, 1.0] used to drop packets to *ip*.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+##
+## .. todo:: The return value should be changed to any.
+function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddDst(ip, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Installs a filter to drop packets destined to a given subnet with
+## a certain probability if none of a given set of TCP flags are set.
+##
+## snet: Drop packets to this subnet.
+##
+## tcp_flags: If none of these TCP flags are set, drop packets to *snet* with
+##            probability *prob*.
+##
+## prob: The probability [0.0, 1.0] used to drop packets to *snet*.
+##
+## Returns: True (unconditionally).
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              uninstall_dst_addr_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+##
+## .. todo:: The return value should be changed to any.
+function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddDst(snet, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Removes a destination address filter.
+##
+## ip: The IP address for which a destination filter was previously installed.
+##
+## Returns: True on success.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_net_filter
+##              pcap_error
+function uninstall_dst_addr_filter%(ip: addr%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveDst(ip), TYPE_BOOL);
+	%}
+
+## Removes a destination subnet filter.
+##
+## snet: The subnet for which a destination filter was previously installed.
+##
+## Returns: True on success.
+##
+## .. bro:see:: precompile_pcap_filter
+##              install_pcap_filter
+##              install_src_addr_filter
+##              install_src_net_filter
+##              uninstall_src_addr_filter
+##              uninstall_src_net_filter
+##              install_dst_addr_filter
+##              install_dst_net_filter
+##              uninstall_dst_addr_filter
+##              pcap_error
+function uninstall_dst_net_filter%(snet: subnet%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveDst(snet), TYPE_BOOL);
+	%}
+
+# ===========================================================================
+#
+#                                Communication
+#
+# ===========================================================================
+
+## Enables the communication system. By default, the communication is off until
+## explicitly enabled, and all other calls to communication-related functions
+## will be ignored until done so.
+function enable_communication%(%): any
+	%{
+	if ( bro_start_network_time != 0.0 )
+		{
+		builtin_error("communication must be enabled in bro_init");
+		return 0;
+		}
+
+	if ( using_communication )
+		// Ignore duplicate calls.
+		return 0;
+
+	using_communication = 1;
+	remote_serializer->Init();
+	return 0;
+	%}
+
+## Flushes in-memory state tagged with the :bro:attr:`&persistent` attribute
+## to disk. The function writes the state to the file ``.state/state.bst`` in
+## the directory where Bro was started.
+##
+## Returns: True on success.
+##
+## .. bro:see:: rescan_state
+function checkpoint_state%(%) : bool
+	%{
+	return new Val(persistence_serializer->WriteState(true), TYPE_BOOL);
+	%}
+
+## Reads persistent state from the \texttt{.state} directory and populates the
+## in-memory data structures accordingly. This function is the dual to
+## :bro:id:`checkpoint_state`.
+##
+## Returns: True on success.
+##
+## .. bro:see:: checkpoint_state
+function rescan_state%(%) : bool
+	%{
+	return new Val(persistence_serializer->ReadAll(false, true), TYPE_BOOL);
+	%}
+
+## Writes the binary event stream generated by the core to a given file.
+## Use the ``-x <filename>`` command line switch to replay saved events.
+##
+## filename: The name of the file which stores the events.
+##
+## Returns: True if opening the target file succeeds.
+##
+## .. bro:see:: capture_state_updates
+function capture_events%(filename: string%) : bool
+	%{
+	if ( ! event_serializer )
+		event_serializer = new FileSerializer();
+	else
+		event_serializer->Close();
+
+	return new Val(event_serializer->Open(
+		(const char*) filename->CheckString()), TYPE_BOOL);
+	%}
+
+## Writes state updates generated by :bro:attr:`&synchronized` variables to a
+## file.
+##
+## filename: The name of the file which stores the state updates.
+##
+## Returns: True if opening the target file succeeds.
+##
+## .. bro:see:: capture_events
+function capture_state_updates%(filename: string%) : bool
+	%{
+	if ( ! state_serializer )
+		state_serializer = new FileSerializer();
+	else
+		state_serializer->Close();
+
+	return new Val(state_serializer->Open(
+		(const char*) filename->CheckString()), TYPE_BOOL);
+	%}
+
+## Establishes a connection to a remote Bro or Broccoli instance.
+##
+## ip: The IP address of the remote peer.
+##
+## port: The port of the remote peer.
+##
+## our_class: If an non-empty string, the remote (listening) peer checks it
+##            against its class name in its peer table and terminates the
+##            connection if they don't match.
+##
+## retry: If the connection fails, try to reconnect with the peer after this
+##        time interval.
+##
+## ssl: If true,  uses SSL to encrypt the session.
+##
+## Returns: A locally unique ID of the new peer.
+##
+## .. bro:see:: disconnect
+##              listen
+##              request_remote_events
+##              request_remote_sync
+##              request_remote_logs
+##              request_remote_events
+##              set_accept_state
+##              set_compression_level
+##              send_state
+##              send_id
+function connect%(ip: addr, p: port, our_class: string, retry: interval, ssl: bool%) : count
+	%{
+	return new Val(uint32(remote_serializer->Connect(ip, p->Port(),
+				our_class->CheckString(), retry, ssl)),
+			TYPE_COUNT);
+	%}
+
+## Terminate the connection with a peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True on success.
+##
+## .. bro:see:: connect listen
+function disconnect%(p: event_peer%) : bool
+    %{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->CloseConnection(id), TYPE_BOOL);
+	%}
+
+## Subscribes to all events from a remote peer whose names match a given
+## pattern.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## handlers: The pattern describing the events to request from peer *p*.
+##
+## Returns: True on success.
+##
+## .. bro:see:: request_remote_sync
+##              request_remote_logs
+##              set_accept_state
+function request_remote_events%(p: event_peer, handlers: pattern%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestEvents(id, handlers),
+			TYPE_BOOL);
+	%}
+
+## Requests synchronization of IDs with a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## auth: If true, the local instance considers its current state authoritative
+##       and sends it to *p* right after the handshake.
+##
+## Returns: True on success.
+##
+## .. bro:see:: request_remote_events
+##              request_remote_logs
+##              set_accept_state
+function request_remote_sync%(p: event_peer, auth: bool%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestSync(id, auth), TYPE_BOOL);
+	%}
+
+## Requests logs from a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True on success.
+##
+## .. bro:see:: request_remote_events
+##              request_remote_sync
+function request_remote_logs%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestLogs(id), TYPE_BOOL);
+	%}
+
+## Sets a boolean flag whether Bro accepts state from a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True on success.
+##
+## .. bro:see:: request_remote_events
+##              request_remote_sync
+##              set_compression_level
+function set_accept_state%(p: event_peer, accept: bool%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SetAcceptState(id, accept),
+			TYPE_BOOL);
+	%}
+
+## Sets the compression level of the session with a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## level: Allowed values are in the range *[0, 9]*, where 0 is the default and
+##        means no compression.
+##
+## Returns: True on success.
+##
+## .. bro:see:: set_accept_state
+function set_compression_level%(p: event_peer, level: count%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SetCompressionLevel(id, level),
+			TYPE_BOOL);
+	%}
+
+## Listens on address a given IP address and port for remote connections.
+##
+## ip: The IP address to bind to.
+##
+## p: The TCP port to listen to.
+##
+## ssl: If true, Bro uses SSL to encrypt the session.
+##
+## Returns: True on success.
+##
+## .. bro:see:: connect disconnect
+function listen%(ip: addr, p: port, ssl: bool %) : bool
+	%{
+	return new Val(remote_serializer->Listen(ip, p->Port(), ssl), TYPE_BOOL);
+	%}
+
+## Checks whether the last raised event came from a remote peer.
+##
+## Returns: True if the last raised event came from a remote peer.
+function is_remote_event%(%) : bool
+	%{
+	return new Val(mgr.CurrentSource() != SOURCE_LOCAL, TYPE_BOOL);
+	%}
+
+## Sends all persistent state to a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True on success.
+##
+## .. bro:see:: send_id send_ping send_current_packet send_capture_filter
+function send_state%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(persistence_serializer->SendState(id, true), TYPE_BOOL);
+	%}
+
+## Sends a global identifier to a remote peer, which them might install it
+## locally.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## id: The identifier to send.
+##
+## Returns: True on success.
+##
+## .. bro:see:: send_state send_ping send_current_packet send_capture_filter
+function send_id%(p: event_peer, id: string%) : bool
+	%{
+	RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount();
+
+	ID* i = global_scope()->Lookup(id->CheckString());
+	if ( ! i )
+		{
+		reporter->Error("send_id: no global id %s", id->CheckString());
+		return new Val(0, TYPE_BOOL);
+		}
+
+	SerialInfo info(remote_serializer);
+	return new Val(remote_serializer->SendID(&info, pid, *i), TYPE_BOOL);
+	%}
+
+## Gracefully finishes communication by first making sure that all remaining
+## data from parent and child has been sent out.
+##
+## Returns: True if the termination process has been started successfully.
+function terminate_communication%(%) : bool
+	%{
+	return new Val(remote_serializer->Terminate(), TYPE_BOOL);
+	%}
+
+## Signals a remote peer that the local Bro instance finished the initial
+## handshake.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True on success.
+function complete_handshake%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->CompleteHandshake(id), TYPE_BOOL);
+	%}
+
+## Sends a ping event to a remote peer. In combination with an event handler
+## for :bro:id:`remote_pong`, this function can be used to measure latency
+## between two peers.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## seq: A sequence number (also included by :bro:id:`remote_pong`).
+##
+## Returns: True if sending the ping succeeds.
+##
+## .. bro:see:: send_state send_id send_current_packet send_capture_filter
+function send_ping%(p: event_peer, seq: count%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SendPing(id, seq), TYPE_BOOL);
+	%}
+
+## Sends the currently processed packet to a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## Returns: True if sending the packet succeeds.
+##
+## .. bro:see:: send_id send_state send_ping send_capture_filter
+##              dump_packet dump_current_packet get_current_packet
+function send_current_packet%(p: event_peer%) : bool
+	%{
+	Packet pkt("");
+
+	if ( ! current_pktsrc ||
+	     ! current_pktsrc->GetCurrentPacket(&pkt.hdr, &pkt.pkt) )
+		return new Val(0, TYPE_BOOL);
+
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+
+	pkt.time = pkt.hdr->ts.tv_sec + double(pkt.hdr->ts.tv_usec) / 1e6;
+	pkt.hdr_size = current_pktsrc->HdrSize();
+	pkt.link_type = current_pktsrc->LinkType();
+
+	SerialInfo info(remote_serializer);
+	return new Val(remote_serializer->SendPacket(&info, id, pkt), TYPE_BOOL);
+	%}
+
+## Returns the peer who generated the last event.
+##
+## Returns: The ID of the peer who genereated the last event.
+##
+## .. bro:see:: get_local_event_peer
+function get_event_peer%(%) : event_peer
+	%{
+	SourceID src = mgr.CurrentSource();
+
+	if ( src == SOURCE_LOCAL )
+		{
+		RecordVal* p = mgr.GetLocalPeerVal();
+		Ref(p);
+		return p;
+		}
+
+	if ( ! remote_serializer )
+		reporter->InternalError("remote_serializer not initialized");
+
+	Val* v = remote_serializer->GetPeerVal(src);
+	if ( ! v )
+		{
+		reporter->Error("peer %d does not exist anymore", int(src));
+		RecordVal* p = mgr.GetLocalPeerVal();
+		Ref(p);
+		return p;
+		}
+
+	return v;
+	%}
+
+## Returns the local peer ID.
+##
+## Returns: The peer ID of the local Bro instance.
+##
+## .. bro:see:: get_event_peer
+function get_local_event_peer%(%) : event_peer
+	%{
+	RecordVal* p = mgr.GetLocalPeerVal();
+	Ref(p);
+	return p;
+	%}
+
+## Sends a capture filter to a remote peer.
+##
+## p: The peer ID return from :bro:id:`connect`.
+##
+## s: The capture filter.
+##
+## Returns: True if sending the packet succeeds.
+##
+## .. bro:see:: send_id send_state send_ping send_current_packet
+function send_capture_filter%(p: event_peer, s: string%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL);
+	%}
+
+## Stops Bro's packet processing. This function is used to synchronize
+## distributed trace processing with communication enabled
+## (*pseudo-realtime* mode).
+##
+## .. bro:see: continue_processing suspend_state_updates resume_state_updates
+function suspend_processing%(%) : any
+	%{
+	net_suspend_processing();
+	return 0;
+	%}
+
+## Resumes Bro's packet processing.
+##
+## .. bro:see: suspend_processing suspend_state_updates resume_state_updates
+function continue_processing%(%) : any
+	%{
+	net_continue_processing();
+	return 0;
+	%}
+
+## Stops propagating :bro:attr:`&synchronized` accesses.
+##
+## .. bro:see: suspend_processing continue_processing resume_state_updates
+function suspend_state_updates%(%) : any
+	%{
+	if ( remote_serializer )
+		remote_serializer->SuspendStateUpdates();
+	return 0;
+	%}
+
+## Resumes propagating :bro:attr:`&synchronized` accesses.
+##
+## .. bro:see: suspend_processing continue_processing suspend_state_updates
+function resume_state_updates%(%) : any
+	%{
+	if ( remote_serializer )
+		remote_serializer->ResumeStateUpdates();
+	return 0;
+	%}
+
+# ===========================================================================
+#
+#                             Internal Functions
+#
+# ===========================================================================
+
+## Manually triggers the signature engine for a given connection.
+## This is an internal function.
 function match_signatures%(c: connection, pattern_type: int, s: string,
 				bol: bool, eol: bool,
 				from_orig: bool, clear: bool%) : bool
@@ -2738,461 +5294,189 @@ function match_signatures%(c: connection, pattern_type: int, s: string,
 	return new Val(1, TYPE_BOOL);
 	%}
 
-function gethostname%(%) : string
-	%{
-	char buffer[MAXHOSTNAMELEN];
-	if ( gethostname(buffer, MAXHOSTNAMELEN) < 0 )
-		strcpy(buffer, "<unknown>");
-
-	buffer[MAXHOSTNAMELEN-1] = '\0';
-	return new StringVal(buffer);
-	%}
+# ===========================================================================
+#
+#                            Deprecated Functions
+#
+# ===========================================================================
 
 %%{
-#include "DNS_Mgr.h"
-#include "Trigger.h"
-
-class LookupHostCallback : public DNS_Mgr::LookupCallback {
-public:
-	LookupHostCallback(Trigger* arg_trigger, const CallExpr* arg_call,
-				bool arg_lookup_name)
-		{
-		Ref(arg_trigger);
-		trigger = arg_trigger;
-		call = arg_call;
-		lookup_name = arg_lookup_name;
-		}
-
-	~LookupHostCallback()
-		{
-		Unref(trigger);
-		}
-
-	// Overridden from DNS_Mgr:Lookup:Callback.
-	virtual void Resolved(const char* name)
-		{
-		trigger->Cache(call, new StringVal(name));
-		trigger->Release();
-		}
-
-	virtual void Resolved(TableVal* addrs)
-		{
-		Ref(addrs);
-		trigger->Cache(call, addrs);
-		trigger->Release();
-		}
-
-	virtual void Timeout()
-		{
-		if ( lookup_name )
-			trigger->Cache(call, new StringVal("<\?\?\?>"));
-		else
-			{
-			ListVal* lv = new ListVal(TYPE_ADDR);
-			lv->Append(new AddrVal("0.0.0.0"));
-			trigger->Cache(call, lv->ConvertToSet());
-			Unref(lv);
-			}
-
-		trigger->Release();
-		}
-
-private:
-	Trigger* trigger;
-	const CallExpr* call;
-	bool lookup_name;
-};
+#include "Anon.h"
 %%}
 
-# These two functions issue DNS lookups asynchronously and delay the
-# function result.  Therefore, they can only be called inside a when-condition.
-function lookup_addr%(host: addr%) : string
+## Preserves the prefix of an IP address in anonymization.
+##
+## a: The address to preserve.
+##
+## width: The number of bits from the top that should remain intact.
+##
+## .. bro:see:: preserve_subnet anonymize_addr
+##
+## .. todo:: Currently dysfunctional.
+function preserve_prefix%(a: addr, width: count%): any
 	%{
-	// FIXME: Is should be easy to adapt the function to synchronous
-	// lookups if we're reading a trace.
-	Trigger* trigger = frame->GetTrigger();
-
-	if ( ! trigger)
-		{
-		builtin_run_time("lookup_addr() can only be called inside a when-condition");
-		return new StringVal("<error>");
-		}
-
-	frame->SetDelayed();
-	trigger->Hold();
-
-#ifdef BROv6
-	if ( ! is_v4_addr(host) )
-		{
-		builtin_run_time("lookup_addr() only supports IPv4 addresses");
-		return new StringVal("<ipv6-address>");
-		}
-
-	dns_mgr->AsyncLookupAddr(to_v4_addr(host),
-			new LookupHostCallback(trigger, frame->GetCall(), true));
-#else
-	dns_mgr->AsyncLookupAddr(host,
-			new LookupHostCallback(trigger, frame->GetCall(), true));
-#endif
-	return 0;
-	%}
-
-function lookup_hostname%(host: string%) : addr_set
-	%{
-	// FIXME: Is should be easy to adapt the function to synchronous
-	// lookups if we're reading a trace.
-	Trigger* trigger = frame->GetTrigger();
-
-	if ( ! trigger)
-		{
-		builtin_run_time("lookup_hostname() can only be called inside a when-condition");
-		return new StringVal("<error>");
-		}
-
-	frame->SetDelayed();
-	trigger->Hold();
-
-	dns_mgr->AsyncLookupName(host->CheckString(),
-			new LookupHostCallback(trigger, frame->GetCall(), false));
-	return 0;
-	%}
-
-# Stop Bro's packet processing.
-function suspend_processing%(%) : any
-	%{
-	net_suspend_processing();
-	return 0;
-	%}
-
-# Resume Bro's packet processing.
-function continue_processing%(%) : any
-	%{
-	net_continue_processing();
-	return 0;
-	%}
-
-%%{
-#include "DPM.h"
-%%}
-
-# Schedule analyzer for a future connection.
-function expect_connection%(orig: addr, resp: addr, resp_p: port,
-				analyzer: count, tout: interval%) : bool
-	%{
-	dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(),
-				(AnalyzerTag::Tag) analyzer, tout, 0);
-	return new Val(1, TYPE_BOOL);
-	%}
-
-# Disables the analyzer which raised the current event (if the analyzer
-# belongs to the given connection).
-function disable_analyzer%(cid: conn_id, aid: count%) : bool
-	%{
-	Connection* c = sessions->FindConnection(cid);
-	if ( ! c )
-		{
-		run_time("cannot find connection");
-		return new Val(0, TYPE_BOOL);
-		}
-
-	Analyzer* a = c->FindAnalyzer(aid);
-	if ( ! a )
-		{
-		run_time("connection does not have analyzer specified to disable");
-		return new Val(0, TYPE_BOOL);
-		}
-
-	a->Remove();
-	return new Val(1, TYPE_BOOL);
-	%}
-
-# Translate analyzer type into an ASCII string.
-function analyzer_name%(aid: count%) : string
-	%{
-	return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid));
-	%}
-
-function lookup_ID%(id: string%) : any
-	%{
-	ID* i = global_scope()->Lookup(id->CheckString());
-	if ( ! i )
-		return new StringVal("<unknown id>");
-
-	if ( ! i->ID_Val() )
-		return new StringVal("<no ID value>");
-
-	return i->ID_Val()->Ref();
-	%}
-
-# Stop propagating &synchronized accesses.
-function suspend_state_updates%(%) : any
-	%{
-	if ( remote_serializer )
-		remote_serializer->SuspendStateUpdates();
-	return 0;
-	%}
-
-# Resume propagating &synchronized accesses.
-function resume_state_updates%(%) : any
-	%{
-	if ( remote_serializer )
-		remote_serializer->ResumeStateUpdates();
-	return 0;
-	%}
-
-# Return ID of analyzer which raised current event, or 0 if none.
-function current_analyzer%(%) : count
-	%{
-	return new Val(mgr.CurrentAnalyzer(), TYPE_COUNT);
-	%}
-
-# Returns Bro's process id.
-function getpid%(%) : count
-	%{
-	return new Val(getpid(), TYPE_COUNT);
-	%}
-%%{
-#include <syslog.h>
-%%}
-
-function syslog%(s: string%): any
-	%{
-	syslog(LOG_NOTICE, "%s", s->CheckString());
-	return 0;
-	%}
-
-%%{
-#ifdef USE_GEOIP
-extern "C" {
-#include <GeoIPCity.h>
-}
-#endif
-%%}
-
-# Return a record with the city, region, and country of an IPv4 address.
-function lookup_location%(a: addr%) : geo_location
-	%{
-	RecordVal* location = new RecordVal(geo_location);
-
-#ifdef USE_GEOIP
-	static GeoIP* geoip = 0;
-	static GeoIP* geoip_v6 = 0;
-	static bool geoip_initialized = false;
-	GeoIPRecord* gir = 0;
-
-	if ( ! geoip_initialized )
-		{
-		geoip_initialized = true;
-		geoip = GeoIP_open_type(GEOIP_CITY_EDITION_REV0,
-					GEOIP_MEMORY_CACHE);
-		if ( ! geoip )
-			{
-			builtin_run_time("can't initialize GeoIP City database.. trying Country version");
-			geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION,
-						GEOIP_MEMORY_CACHE);
-			if ( ! geoip )
-				builtin_run_time("can't initialize GeoIP Country database");
-			}
-
-#ifdef BROv6
-#ifdef GEOIP_COUNTRY_EDITION_V6
-		geoip_v6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6,
-						GEOIP_MEMORY_CACHE);
-		if ( ! geoip_v6 )
-			builtin_run_time("can't initialize the GeoIPv6 Country database");
-#endif
-#endif
-		}
-
-#ifdef BROv6
-#ifdef GEOIP_COUNTRY_EDITION_V6
-	if ( geoip_v6 && ! is_v4_addr(a) )
-		gir = GeoIP_record_by_ipnum_v6(geoip_v6, geoipv6_t(a));
-	else 
-#endif
-	if ( geoip && is_v4_addr(a) )
-		{
-		uint32 addr = to_v4_addr(a);
-		gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
-		}
-#else
-	if ( geoip )
-		gir = GeoIP_record_by_ipnum(geoip, ntohl(a));
-#endif
-
-	if ( gir )
-		{
-		if ( gir->country_code )
-			location->Assign(0, new StringVal(gir->country_code));
-		else
-			location->Assign(0, new StringVal(""));
-
-		if ( gir->region )
-			location->Assign(1, new StringVal(gir->region));
-		else
-			location->Assign(1, new StringVal(""));
-
-		if ( gir->city )
-			location->Assign(2, new StringVal(gir->city));
-		else
-			location->Assign(2, new StringVal(""));
-
-		if ( gir->latitude )
-			location->Assign(3, new Val(gir->latitude,
-							TYPE_DOUBLE));
-		else
-			location->Assign(3, new Val(0.0, TYPE_DOUBLE));
-
-		if ( gir->longitude )
-			location->Assign(4, new Val(gir->longitude,
-						TYPE_DOUBLE));
-		else
-			location->Assign(4, new Val(0.0, TYPE_DOUBLE));
-
-		GeoIPRecord_delete(gir);
-
-		return location;
-		}
-
-#else
-	builtin_run_time("Bro was not configured for GeoIP support");
-#endif
-
-	// We can get here even if we have GeoIP support if we weren't
-	// able to initialize it or it didn't return any information for
-	// the address.
-	location->Assign(0, new StringVal(""));
-	location->Assign(1, new StringVal(""));
-	location->Assign(2, new StringVal(""));
-	location->Assign(3, new Val(0.0, TYPE_DOUBLE));
-	location->Assign(4, new Val(0.0, TYPE_DOUBLE));
-
-	return location;
-	%}
-
-function lookup_asn%(a: addr%) : count
-	%{
-#ifdef USE_GEOIP
-	static GeoIP* geoip_asn = 0;
-	static bool geoip_asn_initialized = false;
-	char* gir = 0;
-
-	if ( ! geoip_asn_initialized )
-		{
-		geoip_asn_initialized = true;
-		geoip_asn = GeoIP_open_type(GEOIP_ASNUM_EDITION,
-						GEOIP_MEMORY_CACHE);
-		if ( ! geoip_asn )
-			builtin_run_time("can't initialize GeoIP ASNUM database");
-		}
-
-	if ( geoip_asn )
+	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
+	if ( ip_anon )
 		{
 #ifdef BROv6
-
-// IPv6 support showed up in 1.4.5.
-#ifdef GEOIP_COUNTRY_EDITION_V6
 		if ( ! is_v4_addr(a) )
-			gir = GeoIP_name_by_ipnum_v6(geoip_asn, geoipv6_t(a));
+			builtin_error("preserve_prefix() not supported for IPv6 addresses");
 		else
-#endif
-		if ( is_v4_addr(a) ) 
-			{
-			uint32 addr = to_v4_addr(a);
-			gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr));
-			}
+			ip_anon->PreservePrefix(a[3], width);
 #else
-		gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(a));
+		ip_anon->PreservePrefix(a, width);
 #endif
 		}
 
-	if ( gir )
-		{
-		// Move the pointer +2 so we don't return 
-		// the first two characters: "AS".
-		return new Val(atoi(gir+2), TYPE_COUNT);
-		}
-#else
-	builtin_run_time("Bro was not configured for GeoIP ASN support");
-#endif
 
-	// We can get here even if we have GeoIP support, if we weren't
-	// able to initialize it or it didn't return any information for
-	// the address.
-	return new Val(0, TYPE_COUNT);
-	%}
-
-# Returns true if connection has been received externally.
-function is_external_connection%(c: connection%) : bool
-	%{
-	return new Val(c && c->IsExternal(), TYPE_BOOL);
-	%}
-
-# Function equivalent of the &disable_print_hook attribute.
-function disable_print_hook%(f: file%): any
-	%{
-	f->DisablePrintHook();
 	return 0;
 	%}
 
-# Function equivalent of the &raw_output attribute.
-function enable_raw_output%(f: file%): any
+## Preserves the prefix of a subnet in anonymization.
+##
+## a: The subnet to preserve.
+##
+## width: The number of bits from the top that should remain intact.
+##
+## .. bro:see:: preserve_prefix anonymize_addr
+##
+## .. todo:: Currently dysfunctional.
+function preserve_subnet%(a: subnet%): any
 	%{
-	f->EnableRawOutput();
+	DEBUG_MSG("%s/%d\n", dotted_addr(a->AsAddr()), a->Width());
+	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
+	if ( ip_anon )
+		{
+#ifdef BROv6
+		if ( ! is_v4_addr(a->AsAddr()) )
+			builtin_error("preserve_subnet() not supported for IPv6 addresses");
+		else
+			ip_anon->PreservePrefix(a->AsAddr()[3], a->Width());
+#else
+		ip_anon->PreservePrefix(a->AsAddr(), a->Width());
+#endif
+		}
+
+	return 0;
+	%}
+
+## Anonymizes an IP address.
+##
+## a: The address to anonymize.
+##
+## cl: The anonymization class, which can take on three different values:
+##
+##     - ``ORIG_ADDR``: Tag *a* as an originator address.
+##
+##     - ``RESP_ADDR``: Tag *a* as an responder address.
+##
+##     - ``OTHER_ADDR``: Tag *a* as an arbitrary address.
+##
+## Returns: An anonymized version of *a*.
+##
+## .. bro:see:: preserve_prefix preserve_subnet
+##
+## .. todo:: Currently dysfunctional.
+function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
+	%{
+	int anon_class = cl->InternalInt();
+	if ( anon_class < 0 || anon_class >= NUM_ADDR_ANONYMIZATION_CLASSES )
+		builtin_error("anonymize_addr(): invalid ip addr anonymization class");
+
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		{
+		builtin_error("anonymize_addr() not supported for IPv6 addresses");
+		return 0;
+		}
+	else
+		return new AddrVal(anonymize_ip(a[3],
+			(enum ip_addr_anonymization_class_t) anon_class));
+#else
+	return new AddrVal(anonymize_ip(a,
+		(enum ip_addr_anonymization_class_t) anon_class));
+#endif
+	%}
+
+## Deprecated. Will be removed.
+function dump_config%(%) : bool
+	%{
+	return new Val(persistence_serializer->WriteConfig(true), TYPE_BOOL);
+	%}
+
+## Deprecated. Will be removed.
+function make_connection_persistent%(c: connection%) : any
+	%{
+	c->MakePersistent();
 	return 0;
 	%}
 
 %%{
-#ifdef HAVE_LIBMAGIC
+// Experimental code to add support for IDMEF XML output based on
+// notices.  For now, we're implementing it as a builtin you can call on an
+// notices record.
+
+#ifdef USE_IDMEF
 extern "C" {
-#include <magic.h>
+#include <libidmef/idmefxml.h>
 }
 #endif
+
+#include <sys/socket.h>
+
+char* port_to_string(PortVal* port)
+	{
+	char buf[256];	// to hold sprintf results on port numbers
+	snprintf(buf, sizeof(buf), "%u", port->Port());
+	return copy_string(buf);
+	}
+
 %%}
 
-function identify_data%(data: string, return_mime: bool%): string
+## Deprecated. Will be removed.
+function generate_idmef%(src_ip: addr, src_port: port,
+				dst_ip: addr, dst_port: port%) : bool
 	%{
-	const char* descr = "";
+#ifdef USE_IDMEF
+	xmlNodePtr message =
+		newIDMEF_Message(newAttribute("version","1.0"),
+			newAlert(newCreateTime(NULL),
+			newSource(
+				newNode(newAddress(
+					newAttribute("category","ipv4-addr"),
+					newSimpleElement("address",
+					copy_string(dotted_addr(src_ip))),
+					NULL), NULL),
+				newService(
+					newSimpleElement("port",
+						port_to_string(src_port)),
+					NULL), NULL),
+			newTarget(
+				newNode(newAddress(
+					newAttribute("category","ipv4-addr"),
+					newSimpleElement("address",
+					copy_string(dotted_addr(dst_ip))),
+					NULL), NULL),
+				newService(
+					newSimpleElement("port",
+						port_to_string(dst_port)),
+					NULL), NULL), NULL), NULL);
 
-#ifdef HAVE_LIBMAGIC
-	static magic_t magic_mime = 0;
-	static magic_t magic_descr = 0;
-
-	magic_t* magic = return_mime ? &magic_mime : &magic_descr;
-
-	if( ! *magic )
-		{
-		*magic = magic_open(return_mime ? MAGIC_MIME : MAGIC_NONE);
-
-		if ( ! *magic )
-			{
-			error(fmt("can't init libmagic: %s", magic_error(*magic)));
-			return new StringVal("");
-			}
-
-		if ( magic_load(*magic, 0) < 0 )
-			{
-			error(fmt("can't load magic file: %s", magic_error(*magic)));
-			magic_close(*magic);
-			*magic = 0;
-			return new StringVal("");
-			}
-		}
-
-	descr = magic_buffer(*magic, data->Bytes(), data->Len());
+	// if ( validateCurrentDoc() )
+	printCurrentMessage(stderr);
+	return new Val(1, TYPE_BOOL);
+#else
+	builtin_error("Bro was not configured for IDMEF support");
+	return new Val(0, TYPE_BOOL);
 #endif
-
-	return new StringVal(descr);
 	%}
 
-function enable_event_group%(group: string%) : any
-	%{
-	event_registry->EnableGroup(group->CheckString(), true);
-	return 0;
-	%}
-
-function disable_event_group%(group: string%) : any
-	%{
-	event_registry->EnableGroup(group->CheckString(), false);
-	return 0;
-	%}
+## Deprecated. Will be removed.
+function bro_has_ipv6%(%) : bool
+    %{
+#ifdef BROv6
+	return new Val(1, TYPE_BOOL);
+#else
+	return new Val(0, TYPE_BOOL);
+#endif
+    %}
diff --git a/src/bro.pac b/src/bro.pac
index 169f7c27ef..b622041c12 100644
--- a/src/bro.pac
+++ b/src/bro.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include "binpac_bro.h"
 %}
diff --git a/src/bsd-getopt-long.c b/src/bsd-getopt-long.c
index 5b3cc093b0..7ecb064fc8 100644
--- a/src/bsd-getopt-long.c
+++ b/src/bsd-getopt-long.c
@@ -1,5 +1,3 @@
-/* $Id: bsd-getopt-long.c 1362 2005-09-12 19:49:08Z vern $ */
-
 /*    $OpenBSD: getopt_long.c,v 1.17 2004/06/03 18:46:52 millert Exp $    */
 /*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
 
diff --git a/src/bsd-getopt-long.h b/src/bsd-getopt-long.h
index e2c381f3b7..c94589afaa 100644
--- a/src/bsd-getopt-long.h
+++ b/src/bsd-getopt-long.h
@@ -1,5 +1,3 @@
-/* $Id: bsd-getopt-long.h 1361 2005-09-12 19:48:26Z vern $ */
-
 /*    $OpenBSD: getopt_long.c,v 1.13 2003/06/03 01:52:40 millert Exp $    */
 /*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
 
diff --git a/src/builtin-func.l b/src/builtin-func.l
index ca7923b852..1d61f31734 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -1,7 +1,6 @@
 %{
-// $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $
-
 #include <string.h>
+#include <unistd.h>
 #include "bif_arg.h"
 #include "bif_parse.h"
 
@@ -27,8 +26,15 @@ int check_c_mode(int t)
 %}
 
 WS	[ \t]+
-ID	[A-Za-z_][A-Za-z_0-9]*
+ /* Note, bifcl only accepts a single "::" in IDs while the policy
+    layer acceptes multiple. (But the policy layer doesn't have 
+	a hierachy. */
+IDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
+ID	{IDCOMPONENT}(::{IDCOMPONENT})?
 ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
+DEC [[:digit:]]+
+HEX	[0-9a-fA-F]+
+
 
 %option nodefault
 
@@ -60,24 +66,34 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 "%)"		return check_c_mode(TOK_RPP);
 "..."		return check_c_mode(TOK_VAR_ARG);
 "function"	return check_c_mode(TOK_FUNCTION);
-"rewriter"	return check_c_mode(TOK_REWRITER);
 "event"		return check_c_mode(TOK_EVENT);
 "const"		return check_c_mode(TOK_CONST);
 "enum"		return check_c_mode(TOK_ENUM);
-"declare"	return check_c_mode(TOK_DECLARE);
+"type"		return check_c_mode(TOK_TYPE);
+"record"	return check_c_mode(TOK_RECORD);
+"set"		return check_c_mode(TOK_SET);
+"table"		return check_c_mode(TOK_TABLE);
+"vector"	return check_c_mode(TOK_VECTOR);
+"module"    return check_c_mode(TOK_MODULE);
 
 "@ARG@"		return TOK_ARG;
 "@ARGS@"	return TOK_ARGS;
 "@ARGC@"	return TOK_ARGC;
 
-"@WRITE@"	return TOK_WRITE;
-"@PUSH@"	return TOK_PUSH;
-"@EOF@"		return TOK_EOF;
-"@TRACE@"	return TOK_TRACE;
-
 "T"	yylval.val = 1; return TOK_BOOL;
 "F"	yylval.val = 0; return TOK_BOOL;
 
+{DEC}	{
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+"0x"{HEX} {
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+
 {ID}	{
 	yylval.str = copy_string(yytext);
 	return TOK_ID;
@@ -120,13 +136,20 @@ int yywrap()
 extern int yyparse();
 char* input_filename = 0;
 
-FILE* fp_bro_init;
-FILE* fp_func_def;
-FILE* fp_func_h;
-FILE* fp_func_init;
-FILE* fp_netvar_h;
-FILE* fp_netvar_def;
-FILE* fp_netvar_init;
+FILE* fp_bro_init = 0;
+FILE* fp_func_def = 0;
+FILE* fp_func_h = 0;
+FILE* fp_func_init = 0;
+FILE* fp_netvar_h = 0;
+FILE* fp_netvar_def = 0;
+FILE* fp_netvar_init = 0;
+
+void remove_file(const char *surfix);
+void err_exit(void);
+FILE* open_output_file(const char* surfix);
+void close_if_open(FILE **fpp);
+void close_all_output_files(void);
+
 
 FILE* open_output_file(const char* surfix)
 	{
@@ -137,12 +160,13 @@ FILE* open_output_file(const char* surfix)
 	if ( (fp = fopen(fn, "w")) == NULL )
 		{
 		fprintf(stderr, "Error: cannot open file: %s\n", fn);
-		exit(1);
+		err_exit();
 		}
 
 	return fp;
 	}
 
+
 int main(int argc, char* argv[])
 	{
 	for ( int i = 1; i < argc; i++ )
@@ -156,6 +180,7 @@ int main(int argc, char* argv[])
 		if ( (fp_input = fopen(input_filename, "r")) == NULL )
 			{
 			fprintf(stderr, "Error: cannot open file: %s\n", input_filename);
+			/* no output files open. can simply exit */
 			exit(1);
 			}
 
@@ -174,12 +199,48 @@ int main(int argc, char* argv[])
 		yyparse();
 
 		fclose(fp_input);
-		fclose(fp_bro_init);
-		fclose(fp_func_h);
-		fclose(fp_func_def);
-		fclose(fp_func_init);
-		fclose(fp_netvar_h);
-		fclose(fp_netvar_def);
-		fclose(fp_netvar_init);
+		close_all_output_files();
+
 		}
 	}
+
+void close_if_open(FILE **fpp)
+	{
+	if (*fpp)
+		fclose(*fpp);
+	*fpp = NULL;
+	}
+
+void close_all_output_files(void)
+	{
+	close_if_open(&fp_bro_init);
+	close_if_open(&fp_func_h);
+	close_if_open(&fp_func_def);
+	close_if_open(&fp_func_init);
+	close_if_open(&fp_netvar_h);
+	close_if_open(&fp_netvar_def);
+	close_if_open(&fp_netvar_init);
+	}
+
+void remove_file(const char *surfix)
+	{
+	char fn[1024];
+
+	snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix);
+	unlink(fn);
+	}
+
+void err_exit(void) 
+	{
+	close_all_output_files();
+	/* clean up. remove all output files we've generated so far */
+	remove_file("bro");
+	remove_file("func_h");
+	remove_file("func_def");
+	remove_file("func_init");
+	remove_file("netvar_h");
+	remove_file("netvar_def");
+	remove_file("netvar_init");
+	exit(1);
+	}
+
diff --git a/src/builtin-func.y b/src/builtin-func.y
index 268288bc39..fd40613236 100644
--- a/src/builtin-func.y
+++ b/src/builtin-func.y
@@ -9,6 +9,10 @@ using namespace std;
 #include <stdio.h>
 #include <stdlib.h>
 
+#include "module_util.h"
+
+using namespace std;
+
 extern int line_number;
 extern char* input_filename;
 
@@ -23,53 +27,153 @@ extern FILE* fp_netvar_def;
 extern FILE* fp_netvar_init;
 
 int in_c_code = 0;
+string current_module = GLOBAL_MODULE_NAME;
 int definition_type;
-const char* bro_prefix;
-const char* c_prefix;
+string type_name;
+
 
 enum {
 	C_SEGMENT_DEF,
 	FUNC_DEF,
-	REWRITER_DEF,
 	EVENT_DEF,
+	TYPE_DEF,
+	CONST_DEF,
 };
 
-void set_definition_type(int type)
+// Holds the name of a declared object (function, enum, record type, event,
+// etc. and information about namespaces, etc.
+struct decl_struct {
+	string module_name;
+	string bare_name; // name without module or namespace
+	string c_namespace_start; // "opening" namespace for use in netvar_*
+	string c_namespace_end;   // closing "}" for all the above namespaces
+	string c_fullname; // fully qualified name (namespace::....) for use in netvar_init
+	string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID())
+	string bro_name;  // the name as we read it from input. What we write into the .bro file
+
+	// special cases for events. Events have an EventHandlerPtr
+	// and a generate_* function. This name is for the generate_* function
+	string generate_bare_name;
+	string generate_c_fullname;
+	string generate_c_namespace_start;
+	string generate_c_namespace_end;
+} decl;
+
+void set_definition_type(int type, const char *arg_type_name)
 	{
 	definition_type = type;
-	switch ( type ) {
-	case FUNC_DEF:
-		bro_prefix = "";
-		c_prefix = "bro_";
+	if ( type == TYPE_DEF && arg_type_name )
+		type_name = string(arg_type_name);
+	else
+		type_name = "";
+	}
+
+void set_decl_name(const char *name)
+	{
+	decl.bare_name = extract_var_name(name);
+
+	// make_full_var_name prepends the correct module, if any
+	// then we can extract the module name again.
+	string varname = make_full_var_name(current_module.c_str(), name);
+	decl.module_name = extract_module_name(varname.c_str());
+
+	decl.c_namespace_start = "";
+	decl.c_namespace_end = "";
+	decl.c_fullname = "";
+	decl.bro_fullname = "";
+	decl.bro_name = "";
+
+	decl.generate_c_fullname = "";
+	decl.generate_bare_name = string("generate_") + decl.bare_name;
+	decl.generate_c_namespace_start = "";
+	decl.generate_c_namespace_end = "";
+
+	switch ( definition_type ) {
+	case TYPE_DEF:
+		decl.c_namespace_start = "namespace BifType { namespace " + type_name + "{ ";
+		decl.c_namespace_end = " } }";
+		decl.c_fullname = "BifType::" + type_name + "::";
 		break;
 
-	case REWRITER_DEF:
-		bro_prefix = "rewrite_";
-		c_prefix = "bro_rewrite_";
+	case CONST_DEF:
+		decl.c_namespace_start = "namespace BifConst { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifConst::";
+		break;
+
+	case FUNC_DEF:
+		decl.c_namespace_start = "namespace BifFunc { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifFunc::";
 		break;
 
 	case EVENT_DEF:
-		bro_prefix = "";
-		c_prefix = "bro_event_";
+		decl.c_namespace_start = "";
+		decl.c_namespace_end = "";
+		decl.c_fullname = "::";  // need this for namespace qualified events due do event_c_body
+		decl.generate_c_namespace_start = "namespace BifEvent { ";
+		decl.generate_c_namespace_end = " } ";
+		decl.generate_c_fullname = "BifEvent::";
 		break;
 
-	case C_SEGMENT_DEF:
+	default:
 		break;
 	}
+
+	if ( decl.module_name != GLOBAL_MODULE_NAME )
+		{
+		decl.c_namespace_start += "namespace " + decl.module_name + " { ";
+		decl.c_namespace_end += string(" }");
+		decl.c_fullname += decl.module_name + "::";
+		decl.bro_fullname += decl.module_name + "::";
+
+		decl.generate_c_namespace_start  += "namespace " + decl.module_name + " { ";
+		decl.generate_c_namespace_end += " } ";
+		decl.generate_c_fullname += decl.module_name + "::";
+		}
+
+	decl.bro_fullname += decl.bare_name;
+	if ( definition_type == FUNC_DEF )
+		decl.bare_name = string("bro_") + decl.bare_name;
+
+	decl.c_fullname += decl.bare_name;
+	decl.bro_name += name;
+	decl.generate_c_fullname += decl.generate_bare_name;
+
 	}
 
 const char* arg_list_name = "BiF_ARGS";
-const char* trace_rewriter_name = "trace_rewriter";
 
 #include "bif_arg.h"
 
-extern const char* decl_name;
+/* Map bif/bro type names to C types for use in const declaration */
+static struct {
+	const char* bif_type;
+	const char* bro_type;
+	const char* c_type;
+	const char* accessor;
+	const char* constructor;
+} builtin_types[] = {
+#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \
+	{bif_type, bro_type, c_type, accessor, constructor},
+#include "bif_type.def"
+#undef DEFINE_BIF_TYPE
+};
+
+int get_type_index(const char *type_name)
+	{
+	for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i )
+		{
+		if ( strcmp(builtin_types[i].bif_type, type_name) == 0 )
+			return i;
+		}
+		return TYPE_OTHER;
+	}
+
+
 int var_arg; // whether the number of arguments is variable
 std::vector<BuiltinFuncArg*> args;
 
-// enum types declared by "declare enum <id>"
-set<string> enum_types;
-
 extern int yyerror(const char[]);
 extern int yywarn(const char msg[]);
 extern int yylex();
@@ -90,9 +194,15 @@ char* concat(const char* str1, const char* str2)
 	}
 
 // Print the bro_event_* function prototype in C++, without the ending ';'
-void print_event_c_prototype(FILE *fp)
+void print_event_c_prototype(FILE *fp, bool is_header)
 	{
-	fprintf(fp, "void %s%s(Analyzer* analyzer%s", c_prefix, decl_name,
+	if ( is_header )
+		fprintf(fp, "%s void %s(Analyzer* analyzer%s",
+			decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(),
+			args.size() ? ", " : "" );
+	else
+		fprintf(fp, "void %s(Analyzer* analyzer%s",
+			decl.generate_c_fullname.c_str(),
 			args.size() ? ", " : "" );
 	for ( int i = 0; i < (int) args.size(); ++i )
 		{
@@ -101,6 +211,10 @@ void print_event_c_prototype(FILE *fp)
 		args[i]->PrintCArg(fp, i);
 		}
 	fprintf(fp, ")");
+	if ( is_header )
+		fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str());
+	else
+		fprintf(fp, "\n");
 	}
 
 // Print the bro_event_* function body in C++.
@@ -109,9 +223,9 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, "\t{\n");
 	fprintf(fp, "\t// Note that it is intentional that here we do not\n");
 	fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n",
-		decl_name);
-	fprintf(fp, "\t// bro_event_%s is called to avoid unnecessary Val\n",
-		decl_name);
+		decl.c_fullname.c_str());
+	fprintf(fp, "\t// %s is called to avoid unnecessary Val\n",
+		decl.generate_c_fullname.c_str());
 	fprintf(fp, "\t// allocation.\n");
 	fprintf(fp, "\n");
 
@@ -141,7 +255,7 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, "\n");
 	fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr",
-		decl_name);
+		decl.c_fullname.c_str());
 
 	if ( connection_arg )
 		// Pass the connection to the EventMgr as the "cookie"
@@ -149,20 +263,21 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, ");\n");
 	fprintf(fp, "\t} // event generation\n");
+	//fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str());
 	}
 %}
 
 %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG
 %token TOK_BOOL
-%token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM TOK_DECLARE
-%token TOK_WRITE TOK_PUSH TOK_EOF TOK_TRACE
+%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM
+%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_TABLE TOK_MODULE
 %token TOK_ARGS TOK_ARG TOK_ARGC
 %token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT
-%token TOK_ATOM TOK_C_TOKEN
+%token TOK_ATOM TOK_INT TOK_C_TOKEN
 
 %left ',' ':'
 
-%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR opt_ws
+%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws
 %type <val> TOK_ATOM TOK_BOOL
 
 %union	{
@@ -172,8 +287,21 @@ void print_event_c_body(FILE *fp)
 
 %%
 
+builtin_lang:	definitions
+			{
+			fprintf(fp_bro_init, "} # end of export section\n");
+			fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME);
+			}
+
+
+
 definitions:	definitions definition opt_ws
-			{ fprintf(fp_func_def, "%s", $3); }
+			{
+			if ( in_c_code )
+				fprintf(fp_func_def, "%s", $3);
+			else
+				fprintf(fp_bro_init, "%s", $3);
+			}
 	|	opt_ws
 			{
 			int n = 1024 + strlen(input_filename);
@@ -191,63 +319,104 @@ definitions:	definitions definition opt_ws
 			fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment);
 			fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment);
 
-			fprintf(fp_func_def, "%s", $1);
+			fprintf(fp_bro_init, "%s", $1);
+			fprintf(fp_bro_init, "export {\n");
 			}
 	;
 
 definition:	event_def
 	|	func_def
-	|	rewriter_def
 	|	c_code_segment
 	|	enum_def
 	|	const_def
-	|	declare_def
+	|	type_def
+	|   module_def
 	;
 
-declare_def:	TOK_DECLARE opt_ws TOK_ENUM opt_ws TOK_ID opt_ws ';'
+
+module_def:	TOK_MODULE opt_ws TOK_ID opt_ws ';'
 			{
-			enum_types.insert($5);
+			current_module = string($3);
+			fprintf(fp_bro_init, "module %s;\n", $3);
 			}
+
+	 // XXX: Add the netvar glue so that the event engine knows about
+	 // the type. One still has to define the type in bro.init.
+	 // Would be nice, if we could just define the record type here
+	 // and then copy to the .bif.bro file, but type declarations in
+	 // Bro can be quite powerful. Don't know whether it's worth it
+	 // extend the bif-language to be able to handle that all....
+	 // Or we just support a simple form of record type definitions
+	 // TODO: add other types (tables, sets)
+type_def:	TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';'
+			{
+			set_decl_name($3);
+
+			fprintf(fp_netvar_h, "%s extern %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init,
+				"\t%s = internal_type(\"%s\")->As%sType();\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				type_name.c_str());
+			}
+	;
+
+type_def_types: TOK_RECORD
+			{ set_definition_type(TYPE_DEF, "Record"); }
+	| TOK_SET
+			{ set_definition_type(TYPE_DEF, "Set"); }
+	| TOK_VECTOR
+			{ set_definition_type(TYPE_DEF, "Vector"); }
+	| TOK_TABLE
+			{ set_definition_type(TYPE_DEF, "Table"); }
 	;
 
 event_def:	event_prefix opt_ws plain_head opt_attr end_of_head ';'
 			{
-			print_event_c_prototype(fp_func_h);
-			fprintf(fp_func_h, ";\n");
-			print_event_c_prototype(fp_func_def);
-			fprintf(fp_func_def, "\n");
+			print_event_c_prototype(fp_func_h, true);
+			print_event_c_prototype(fp_func_def, false);
 			print_event_c_body(fp_func_def);
 			}
-	;
 
 func_def:	func_prefix opt_ws typed_head end_of_head body
 	;
 
-rewriter_def:	rewriter_prefix opt_ws plain_head end_of_head body
-	;
-
 enum_def:	enum_def_1 enum_list TOK_RPB
 			{
 			// First, put an end to the enum type decl.
 			fprintf(fp_bro_init, "};\n");
-			fprintf(fp_netvar_h, "}; }\n");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "}; } }\n");
+			else
+				fprintf(fp_netvar_h, "}; }\n");
 
 			// Now generate the netvar's.
-			fprintf(fp_netvar_h,
-				"extern EnumType* enum_%s;\n", decl_name);
-			fprintf(fp_netvar_def,
-				"EnumType* enum_%s;\n", decl_name);
+			fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n",
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s EnumType * %s; %s\n",
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init,
-				"\tenum_%s = internal_type(\"%s\")->AsEnumType();\n",
-				decl_name, decl_name);
+				"\t%s = internal_type(\"%s\")->AsEnumType();\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 
 enum_def_1:	TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws
 			{
-			decl_name = $3;
-			fprintf(fp_bro_init, "type %s: enum %s{%s", $3, $4, $6);
-			fprintf(fp_netvar_h, "namespace BroEnum { ");
+			set_definition_type(TYPE_DEF, "Enum");
+			set_decl_name($3);
+			fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6);
+
+			// this is the namespace were the enumerators are defined, not where
+			// the type is defined.
+			// We don't support fully qualified names as enumerators. Use a module name
+			fprintf(fp_netvar_h, "namespace BifEnum { ");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str());
 			fprintf(fp_netvar_h, "enum %s {\n", $3);
 			}
 	;
@@ -257,33 +426,42 @@ enum_list:	enum_list TOK_ID opt_ws ',' opt_ws
 			fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5);
 			fprintf(fp_netvar_h, "\t%s,\n", $2);
 			}
+	| 		enum_list TOK_ID opt_ws '=' opt_ws TOK_INT opt_ws ',' opt_ws
+			{
+			fprintf(fp_bro_init, "%s = %s%s,%s", $2, $6, $7, $9);
+			fprintf(fp_netvar_h, "\t%s = %s,\n", $2, $6);
+			}
 	|	/* nothing */
 	;
 
-const_def:	const_def_1 const_init opt_attr ';'
-			{
-			fprintf(fp_bro_init, ";\n");
-			fprintf(fp_netvar_h, "extern int %s;\n", decl_name);
-			fprintf(fp_netvar_def, "int %s;\n", decl_name);
-			fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n",
-				decl_name, decl_name);
-			}
-	;
 
-const_def_1:	TOK_CONST opt_ws TOK_ID opt_ws
+const_def:	TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';'
 			{
-			decl_name = $3;
-			fprintf(fp_bro_init, "const%s", $2);
-			fprintf(fp_bro_init, "%s: bool%s", $3, $4);
-			}
-	;
+			set_definition_type(CONST_DEF, 0);
+			set_decl_name($3);
+			int typeidx = get_type_index($7);
+			char accessor[1024];
+
+			snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, "");
+
+
+			fprintf(fp_netvar_h, "%s extern %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				accessor);
+			}
 
-opt_const_init:	/* nothing */
-	|	const_init
-	;
 
 /* Currently support only boolean and string values */
-const_init:	'=' opt_ws TOK_BOOL opt_ws
+opt_attr_init:	/* nothing */
+	|	'=' opt_ws TOK_BOOL opt_ws
 			{
 			fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4);
 			}
@@ -293,19 +471,15 @@ const_init:	'=' opt_ws TOK_BOOL opt_ws
 
 opt_attr:	/* nothing */
 	|	opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); }
-		opt_ws opt_const_init
+		opt_ws opt_attr_init
 	;
 
 func_prefix:	TOK_FUNCTION
-			{ set_definition_type(FUNC_DEF); }
-	;
-
-rewriter_prefix: TOK_REWRITER
-			{ set_definition_type(REWRITER_DEF); }
+			{ set_definition_type(FUNC_DEF, 0); }
 	;
 
 event_prefix:	TOK_EVENT
-			{ set_definition_type(EVENT_DEF); }
+			{ set_definition_type(EVENT_DEF, 0); }
 	;
 
 end_of_head:	/* nothing */
@@ -325,12 +499,9 @@ plain_head:	head_1 args arg_end opt_ws
 				fprintf(fp_bro_init, "va_args: any");
 			else
 				{
-				if ( definition_type == REWRITER_DEF )
-					fprintf(fp_bro_init, "c: connection");
-
 				for ( int i = 0; i < (int) args.size(); ++i )
 					{
-					if ( i > 0 || definition_type == REWRITER_DEF )
+					if ( i > 0 )
 						fprintf(fp_bro_init, ", ");
 					args[i]->PrintBro(fp_bro_init);
 					}
@@ -346,9 +517,9 @@ plain_head:	head_1 args arg_end opt_ws
 head_1:		TOK_ID opt_ws arg_begin
 			{
 			const char* method_type = 0;
-			decl_name = $1;
+			set_decl_name($1);
 
-			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+			if ( definition_type == FUNC_DEF )
 				{
 				method_type = "function";
 				print_line_directive(fp_func_def);
@@ -358,40 +529,37 @@ head_1:		TOK_ID opt_ws arg_begin
 
 			if ( method_type )
 				fprintf(fp_bro_init,
-					"global %s%s: %s%s(",
-					bro_prefix, decl_name, method_type, $2);
+					"global %s: %s%s(",
+					decl.bro_name.c_str(), method_type, $2);
 
-			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+			if ( definition_type == FUNC_DEF )
 				{
 				fprintf(fp_func_init,
-					"\textern Val* %s%s(Frame* frame, val_list*);\n",
-					c_prefix, decl_name);
-
-				fprintf(fp_func_init,
-					"\t(void) new BuiltinFunc(%s%s, \"%s%s\", 0);\n",
-					c_prefix, decl_name, bro_prefix, decl_name);
+					"\t(void) new BuiltinFunc(%s, \"%s\", 0);\n",
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 
 				fprintf(fp_func_h,
-					"extern Val* %s%s(Frame* frame, val_list*);\n",
-					c_prefix, decl_name);
+					"%sextern Val* %s(Frame* frame, val_list*);%s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_func_def,
-					"Val* %s%s(Frame* frame, val_list* %s)",
-					c_prefix, decl_name, arg_list_name);
+					"Val* %s(Frame* frame, val_list* %s)",
+					decl.c_fullname.c_str(), arg_list_name);
 				}
 			else if ( definition_type == EVENT_DEF )
 				{
+				// TODO: add namespace for events here
 				fprintf(fp_netvar_h,
-					"extern EventHandlerPtr %s;\n",
-					decl_name);
+					"%sextern EventHandlerPtr %s; %s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_def,
-					"EventHandlerPtr %s;\n",
-					decl_name);
+					"%sEventHandlerPtr %s; %s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_init,
 					"\t%s = internal_handler(\"%s\");\n",
-					decl_name, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 
 				// C++ prototypes of bro_event_* functions will
 				// be generated later.
@@ -437,7 +605,7 @@ return_type:	':' opt_ws TOK_ID opt_ws
 
 body:		body_start c_body body_end
 			{
-			fprintf(fp_func_def, " // end of %s\n", decl_name);
+			fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str());
 			print_line_directive(fp_func_def);
 			}
 	;
@@ -459,11 +627,6 @@ body_start:	TOK_LPB c_code_begin
 			int argc = args.size();
 
 			fprintf(fp_func_def, "{");
-			if ( definition_type == REWRITER_DEF )
-				{
-				implicit_arg = 1;
-				++argc;
-				}
 
 			if ( argc > 0 || ! var_arg )
 				fprintf(fp_func_def, "\n");
@@ -473,8 +636,8 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\tif ( %s->length() != %d )\n", arg_list_name, argc);
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
-					"\t\trun_time(\"%s() takes exactly %d argument(s)\");\n",
-					decl_name, argc);
+					"\t\treporter->Error(\"%s() takes exactly %d argument(s)\");\n",
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@@ -483,21 +646,12 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\tif ( %s->length() < %d )\n", arg_list_name, argc);
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
-					"\t\trun_time(\"%s() takes at least %d argument(s)\");\n",
-					decl_name, argc);
+					"\t\treporter->Error(\"%s() takes at least %d argument(s)\");\n",
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
 
-			if ( definition_type == REWRITER_DEF )
-				{
-				fprintf(fp_func_def,
-					"\tRewriter* %s = get_trace_rewriter((*%s)[0]);\n",
-					trace_rewriter_name,
-					arg_list_name);
-				fprintf(fp_func_def, "\tif ( ! trace_rewriter )\n");
-				fprintf(fp_func_def, "\t\treturn 0;\n");
-				}
 			for ( int i = 0; i < (int) args.size(); ++i )
 				args[i]->PrintCDef(fp_func_def, i + implicit_arg);
 			print_line_directive(fp_func_def);
@@ -506,8 +660,6 @@ body_start:	TOK_LPB c_code_begin
 
 body_end:	TOK_RPB c_code_end
 			{
-			if ( definition_type == REWRITER_DEF )
-				fprintf(fp_func_def, "\n\treturn 0;\n");
 			fprintf(fp_func_def, "}");
 			}
 	;
@@ -531,18 +683,13 @@ c_atom:		TOK_ID
 			{ fprintf(fp_func_def, "%s", arg_list_name); }
 	|	TOK_ARGC
 			{ fprintf(fp_func_def, "%s->length()", arg_list_name); }
-	|	TOK_TRACE
-			{ fprintf(fp_func_def, "%s", trace_rewriter_name); }
-	|	TOK_WRITE
-			{ fprintf(fp_func_def, "%s->WriteData", trace_rewriter_name); }
-	|	TOK_PUSH
-			{ fprintf(fp_func_def, "%s->Push", trace_rewriter_name); }
-	|	TOK_EOF
-			{ fprintf(fp_func_def, "%s->EndOfData", trace_rewriter_name); }
 	|	TOK_CSTR
 			{ fprintf(fp_func_def, "%s", $1); }
 	|	TOK_ATOM
 			{ fprintf(fp_func_def, "%c", $1); }
+	|	TOK_INT
+			{ fprintf(fp_func_def, "%s", $1); }
+
 	;
 
 opt_ws:		opt_ws TOK_WS
@@ -554,7 +701,12 @@ opt_ws:		opt_ws TOK_WS
 			if ( in_c_code )
 				$$ = concat($1, $2);
 			else
-				$$ = $1;
+				if ( $2[1] == '#' )
+					// This is a special type of comment that is used to
+					// generate bro script documentation, so pass it through.
+					$$ = concat($1, $2);
+				else
+					$$ = $1;
 			}
 	|	/* empty */
 			{ $$ = ""; }
@@ -565,7 +717,7 @@ opt_ws:		opt_ws TOK_WS
 extern char* yytext;
 extern char* input_filename;
 extern int line_number;
-const char* decl_name;
+void err_exit(void);
 
 void print_msg(const char msg[])
 	{
@@ -605,7 +757,6 @@ int yyerror(const char msg[])
 	{
 	print_msg(msg);
 
-	abort();
-	exit(1);
+	err_exit();
 	return 0;
 	}
diff --git a/src/common-rw.bif b/src/common-rw.bif
deleted file mode 100644
index 6554c4355d..0000000000
--- a/src/common-rw.bif
+++ /dev/null
@@ -1,107 +0,0 @@
-%%{
-#include "TCP_Rewriter.h"
-%%}
-
-rewriter commit_trace%(commit: bool, future: bool%)
-	%{
-	if ( commit )
-		@TRACE@->CommitPackets(future);
-	else
-		@TRACE@->AbortPackets(future);
-	%}
-
-rewriter push_packet%(is_orig: bool%)
-	%{
-	@PUSH@(is_orig);
-	%}
-
-rewriter leave_addr_in_the_clear%(is_orig: bool%)
-	%{
-	if ( ! @TRACE@->LeaveAddrInTheClear(is_orig) )
-		builtin_run_time("cannot leave IP address in the clear"
-			" (probably because some packets have already been rewritten before this call)");
-	%}
-
-function current_packet%(c: connection%): packet
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		{
-		builtin_run_time("current_packet is not supported without specifying an output file");
-		return 0;
-		}
-
-	return rewriter->CurrentPacket()->PacketVal();	
-	%}
-
-function current_rewrite_packet%(c: connection%): packet
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		{
-		builtin_run_time("current_rewrite_packet is not supported without specifying an output file");
-		return 0;
-		}
-
-	return rewriter->RewritePacket()->PacketVal();
-	%}
-
-# Reserve a slot in the current packet of the trace so that the
-# slot can be filled later by seeking to it.
-function reserve_rewrite_slot%(c: connection%): count
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		return new Val(0, TYPE_COUNT);
-
-	unsigned int slot = rewriter->ReserveSlot();
-	if ( slot == 0 )
-		builtin_run_time("reserve_rewrite_slot returning 0");
-
-	return new Val(slot, TYPE_COUNT);
-	%}
-
-# Seek to a previously reserved slot so that rewrites afterwards
-# will go into the slot instead of the current packet.
-function seek_rewrite_slot%(c: connection, slot: count%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter->SeekSlot(slot) )
-		builtin_run_time("cannot seek the rewrite slot");
-
-	return 0;
-	%}
-
-# Return from any reserved slot to bring the rewrite pointer back to
-# the current packet.
-function return_from_rewrite_slot%(c: connection%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	rewriter->ReturnFromSlot();
-	return 0;
-	%}
-
-# Release a rewrite slot and dump the slot to the trace (it cannot be
-# seek'd again). If the rewrite pointer is currently at the slot, it
-# will return to the current packet.
-function release_rewrite_slot%(c: connection, slot: count%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	rewriter->ReleaseSlot(slot);
-	return 0;
-	%}
-
-# Dump original packets on the connection up to this point to the
-# output trace, if any.
-function dump_packets_of_connection%(c: connection%): any
-	%{
-	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
-	if ( ! tc )
-		run_time("connection does not have TCP analyzer");
-
-	TCP_SourcePacketWriter* pkt_writer = get_src_pkt_writer((TCP_Analyzer*) tc);
-	if ( pkt_writer )
-		pkt_writer->Dump();
-
-	return 0;
-	%}
diff --git a/src/const.bif b/src/const.bif
index 2c4f2d1f1c..bc960caeb6 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -1,97 +1,14 @@
-# $Id: const.bif 3929 2007-01-14 00:37:59Z vern $
+##! Declaration of various scripting-layer constants that the Bro core uses
+##! internally.  Documentation and default values for the scripting-layer
+##! variables themselves are found in :doc:`/scripts/base/init-bare`.
 
-# Some connections (e.g., SSH) retransmit the acknowledged last
-# byte to keep the connection alive. If ignore_keep_alive_rexmit
-# is set to T, such retransmissions will be excluded in the rexmit
-# counter in conn_stats.
-const ignore_keep_alive_rexmit = F &redef;
+const ignore_keep_alive_rexmit: bool;
+const skip_http_data: bool;
+const parse_udp_tunnels: bool;
+const use_conn_size_analyzer: bool;
+const report_gaps_for_partial: bool;
 
-# Skip HTTP data portions for performance considerations (the skipped
-# portion will not go through TCP reassembly).
-const skip_http_data = F &redef;
+const NFS3::return_data: bool;
+const NFS3::return_data_max: count;
+const NFS3::return_data_first_only: bool;
 
-# Whether the analysis engine parses IP packets encapsulated in
-# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
-const parse_udp_tunnels = F &redef;
-
-# Whether a commitment is required before writing the transformed
-# trace for a connection into the dump file.
-const requires_trace_commitment = F &redef;
-
-# Whether IP address anonymization is enabled.
-const anonymize_ip_addr = F &redef;
-
-# Whether to omit place holder packets when rewriting.
-const omit_rewrite_place_holder = T &redef;
-
-# Whether trace of various protocols is being rewritten.
-const rewriting_http_trace = F &redef;
-const rewriting_smtp_trace = F &redef;
-const rewriting_ftp_trace = F &redef;
-const rewriting_ident_trace = F &redef;
-const rewriting_finger_trace = F &redef;
-const rewriting_dns_trace = F &redef;
-const rewriting_smb_trace = F &redef;
-
-# Whether we dump selected original packets to the output trace.
-const dump_selected_source_packets = F &redef;
-
-# If true, we dump original packets to the output trace *if and only if*
-# the connection is not rewritten; if false, the policy script can decide
-# whether to dump a particular connection by calling dump_packets_of_connection.
-#
-# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE! 
-# (TODO: this variable should be disabled when using '-A' option)
-const dump_original_packets_if_not_rewriting = F &redef;
-
-enum dce_rpc_ptype %{
-	DCE_RPC_REQUEST,
-	DCE_RPC_PING,
-	DCE_RPC_RESPONSE,
-	DCE_RPC_FAULT,
-	DCE_RPC_WORKING,
-	DCE_RPC_NOCALL,
-	DCE_RPC_REJECT,
-	DCE_RPC_ACK,
-	DCE_RPC_CL_CANCEL,
-	DCE_RPC_FACK,
-	DCE_RPC_CANCEL_ACK,
-	DCE_RPC_BIND,
-	DCE_RPC_BIND_ACK,
-	DCE_RPC_BIND_NAK,
-	DCE_RPC_ALTER_CONTEXT,
-	DCE_RPC_ALTER_CONTEXT_RESP,
-	DCE_RPC_SHUTDOWN,
-	DCE_RPC_CO_CANCEL,
-	DCE_RPC_ORPHANED,
-%}
-
-enum dce_rpc_if_id %{
-	DCE_RPC_unknown_if,
-	DCE_RPC_epmapper,
-	DCE_RPC_lsarpc,
-	DCE_RPC_lsa_ds,
-	DCE_RPC_mgmt,
-	DCE_RPC_netlogon,
-	DCE_RPC_samr,
-	DCE_RPC_srvsvc,
-	DCE_RPC_spoolss,
-	DCE_RPC_drs,
-	DCE_RPC_winspipe,
-	DCE_RPC_wkssvc,
-	DCE_RPC_oxid,
-	DCE_RPC_ISCMActivator,
-%}
-
-enum rpc_status %{
-	RPC_SUCCESS,
-	RPC_PROG_UNAVAIL,
-	RPC_PROG_MISMATCH,
-	RPC_PROC_UNAVAIL,
-	RPC_GARBAGE_ARGS,
-	RPC_SYSTEM_ERR,
-	RPC_TIMEOUT,
-	RPC_VERS_MISMATCH,
-	RPC_AUTH_ERROR,
-	RPC_UNKNOWN_ERROR,
-%}
diff --git a/src/cq.c b/src/cq.c
index 63e4275369..c5405e526a 100644
--- a/src/cq.c
+++ b/src/cq.c
@@ -2,11 +2,6 @@
  * See the file "COPYING" in the main distribution directory for copyright.
  */
 
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Id: cq.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
-#endif
-
 #include <sys/types.h>
 
 #include <errno.h>
@@ -570,8 +565,8 @@ cq_debugbucket(register struct cq_handle *hp,
 			bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri);
 			if (bp2 != buckets) {
 				fprintf(stderr,
-				    "%f in wrong bucket! (off by %d)\n",
-				    bp->pri, bp2 - buckets);
+				    "%f in wrong bucket! (off by %ld)\n",
+				    bp->pri, (long)(bp2 - buckets));
 				cq_dump(hp);
 				abort();
 			}
diff --git a/src/cq.h b/src/cq.h
index 38c5204f0c..540cccde74 100644
--- a/src/cq.h
+++ b/src/cq.h
@@ -1,5 +1,3 @@
-/* @(#) $Id: cq.h 80 2004-07-14 20:15:50Z jason $ (LBL) */
-
 struct cq_handle *cq_init(double, double);
 void cq_destroy(struct cq_handle *);
 int cq_enqueue(struct cq_handle *, double, void *);
diff --git a/src/dce_rpc-analyzer.pac b/src/dce_rpc-analyzer.pac
index 8f412401f7..ddc99abd8e 100644
--- a/src/dce_rpc-analyzer.pac
+++ b/src/dce_rpc-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # DCE/RPC protocol data unit.
 
 type DCE_RPC_PDU = record {
@@ -88,7 +86,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 					bind_elems.p_cont_elem[i].abstract_syntax.if_uuid};
 
 				// Queue the event
-				bro_event_dce_rpc_bind(
+				BifEvent::generate_dce_rpc_bind(
 					${connection.bro_analyzer},
 					${connection.bro_analyzer}->Conn(),
 					bytestring_to_val(${if_uuid}));
@@ -106,7 +104,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_request )
 			{
-			bro_event_dce_rpc_request(
+			BifEvent::generate_dce_rpc_request(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${req.opnum},
@@ -124,7 +122,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_response )
 			{
-			bro_event_dce_rpc_response(
+			BifEvent::generate_dce_rpc_response(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${connection}->get_cont_id_opnum_map(${resp.p_cont_id}),
diff --git a/src/dce_rpc-protocol.pac b/src/dce_rpc-protocol.pac
index 77c7aaff62..a7bfcb5368 100644
--- a/src/dce_rpc-protocol.pac
+++ b/src/dce_rpc-protocol.pac
@@ -1,5 +1,3 @@
-# $Id: dce_rpc-protocol.pac,v 1.1.4.2 2006/06/02 15:13:09 rpang Exp $
-#
 # Definitions for DCE RPC.
 
 enum dce_rpc_ptype {
diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac
index 0aa689b532..cbcd0cbdc4 100644
--- a/src/dce_rpc.pac
+++ b/src/dce_rpc.pac
@@ -1,5 +1,3 @@
-# $Id: dce_rpc.pac 4608 2007-07-05 18:23:58Z vern $
-
 %include binpac.pac
 %include bro.pac
 
@@ -8,5 +6,5 @@ analyzer DCE_RPC withcontext {
 	flow: DCE_RPC_Flow;
 };
 
-%include "dce_rpc-protocol.pac"
-%include "dce_rpc-analyzer.pac"
+%include dce_rpc-protocol.pac
+%include dce_rpc-analyzer.pac
diff --git a/src/dce_rpc_simple.pac b/src/dce_rpc_simple.pac
index ff495a2e2b..f31c2a078b 100644
--- a/src/dce_rpc_simple.pac
+++ b/src/dce_rpc_simple.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %include bro.pac
 
 analyzer DCE_RPC_Simple withcontext {};
diff --git a/src/dhcp-analyzer.pac b/src/dhcp-analyzer.pac
index 4bebc0ba4f..a9f1c6bab0 100644
--- a/src/dhcp-analyzer.pac
+++ b/src/dhcp-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 connection DHCP_Conn(bro_analyzer: BroAnalyzer) {
 	upflow = DHCP_Flow(true);
 	downflow = DHCP_Flow(false);
@@ -91,31 +89,31 @@ flow DHCP_Flow(is_orig: bool) {
 		switch ( type )
 		{
 		case DHCPDISCOVER:
-			bro_event_dhcp_discover(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), req_addr);
 			break;
 
 		case DHCPREQUEST:
-			bro_event_dhcp_request(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dhcp_msg_val_->Ref(), req_addr, serv_addr);
 			break;
 
 		case DHCPDECLINE:
-			bro_event_dhcp_decline(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_decline(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPRELEASE:
-			bro_event_dhcp_release(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_release(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPINFORM:
-			bro_event_dhcp_inform(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
@@ -204,21 +202,21 @@ flow DHCP_Flow(is_orig: bool) {
 
 		switch ( type ) {
 		case DHCPOFFER:
-			bro_event_dhcp_offer(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPACK:
-			bro_event_dhcp_ack(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPNAK:
-			bro_event_dhcp_nak(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
diff --git a/src/dhcp-protocol.pac b/src/dhcp-protocol.pac
index 46cceb56c6..d77780b1b3 100644
--- a/src/dhcp-protocol.pac
+++ b/src/dhcp-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # DHCP Message Type according to RFC 1533.
 
 # Refer to RFC 2131 for op types.
diff --git a/src/dhcp.pac b/src/dhcp.pac
index 852433a410..9e9d7755a4 100644
--- a/src/dhcp.pac
+++ b/src/dhcp.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %include bro.pac
 
 analyzer DHCP withcontext {
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac
index 2e9a6496c3..0c2dc1b491 100644
--- a/src/dns-analyzer.pac
+++ b/src/dns-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include <set>
 %}
@@ -124,7 +122,7 @@ flow DNS_Flow
 
 		if ( msg->header()->qr() == 0 )
 			{
-			bro_event_dns_request(
+			BifEvent::generate_dns_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -137,7 +135,7 @@ flow DNS_Flow
 		          msg->header()->nscount() == 0 &&
 		          msg->header()->arcount() == 0 )
 			{
-			bro_event_dns_rejected(
+			BifEvent::generate_dns_rejected(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -253,7 +251,7 @@ flow DNS_Flow
 			// above fixes for BROv6, we can probably now introduce
 			// their own events.  (It's not clear A6 is needed -
 			// do we actually encounter it in practice?)
-			bro_event_dns_A_reply(connection()->bro_analyzer(),
+			BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(), build_dns_answer(rr), addr);
 			break;
@@ -261,7 +259,7 @@ flow DNS_Flow
 		case TYPE_NS:
 			if ( dns_NS_reply )
 				{
-				bro_event_dns_NS_reply(connection()->bro_analyzer(),
+				BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
 					build_dns_answer(rr),
@@ -272,7 +270,7 @@ flow DNS_Flow
 		case TYPE_CNAME:
 			if ( dns_CNAME_reply )
 				{
-				bro_event_dns_CNAME_reply(
+				BifEvent::generate_dns_CNAME_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -284,7 +282,7 @@ flow DNS_Flow
 		case TYPE_SOA:
 			if ( dns_SOA_reply )
 				{
-				bro_event_dns_SOA_reply(
+				BifEvent::generate_dns_SOA_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -296,7 +294,7 @@ flow DNS_Flow
 		case TYPE_PTR:
 			if ( dns_PTR_reply )
 				{
-				bro_event_dns_PTR_reply(
+				BifEvent::generate_dns_PTR_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -308,7 +306,7 @@ flow DNS_Flow
 		case TYPE_MX:
 			if ( dns_MX_reply )
 				{
-				bro_event_dns_MX_reply(
+				BifEvent::generate_dns_MX_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -321,7 +319,7 @@ flow DNS_Flow
 		case TYPE_EDNS:
 			if ( dns_EDNS_addl )
 				{
-				bro_event_dns_EDNS_addl(
+				BifEvent::generate_dns_EDNS_addl(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac
index d5b8036e11..fbeb9d0fa3 100644
--- a/src/dns-protocol.pac
+++ b/src/dns-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 enum DNS_answer_type {
 	DNS_QUESTION,
 	DNS_ANSWER,
diff --git a/src/dns-rw.bif b/src/dns-rw.bif
deleted file mode 100644
index 07e03172c0..0000000000
--- a/src/dns-rw.bif
+++ /dev/null
@@ -1,99 +0,0 @@
-# $Id: dns-rw.bif,v 1.1.2.6 2006/01/11 21:20:09 jason Exp $
-
-# This is called for every message - snake out the header.
-rewriter dns_message%(is_orig: bool, msg: dns_msg, len: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->SetOrig(is_orig);
-	dnsrewriter->DnsCopyHeader(msg);
-	%}
-
-# Rewrite an DNS request.
-rewriter dns_request%(query: string, msg: dns_msg, qtype: count, qclass: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyQuery(query->AsString(), qtype, qclass);
-	%}
-
-# Called for every reply, contains the query part.
-rewriter dns_reply_question%(msg: dns_msg,
-				qname: string, qtype: count, qclass: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyQuery(qname->AsString(), qtype, qclass);
-	%}
-
-
-# Rewrite an DNS NS reply.
-rewriter dns_NS_reply%(msg: dns_msg, dns_ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyNS(dns_ans, name->AsString());
-	%}
-
-
-rewriter dns_A_reply%(msg: dns_msg, ans: dns_answer, a: addr%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-#ifdef BROv6
-	dnsrewriter->DnsCopyA(ans, to_v4_addr(a));
-#else
-	dnsrewriter->DnsCopyA(ans, a);
-#endif
-	%}
-
-rewriter dns_AAAA_reply%(msg: dns_msg, ans: dns_answer, a: addr, astr: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyAAAA(ans, a, astr->AsString());
-	%}
-
-rewriter dns_CNAME_reply%(msg: dns_msg, ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyCNAME(ans, name->AsString());
-	%}
-
-rewriter dns_TXT_reply%(msg: dns_msg, ans: dns_answer, content: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyTXT(ans, content->AsString());
-	%}
-
-rewriter dns_PTR_reply%(msg: dns_msg, ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyPTR(ans, name->AsString());
-	%}
-
-rewriter dns_MX_reply%(msg: dns_msg, ans: dns_answer,
-			name: string, preference: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyMX(ans, name->AsString(), preference);
-	%}
-
-rewriter dns_SOA_reply%(msg: dns_msg, ans: dns_answer, soa: dns_soa%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopySOA(ans, soa);
-	%}
-
-rewriter dns_EDNS_addl%(msg: dns_msg, ans: dns_edns_additional%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyEDNSaddl(ans);
-	%}
-
-
-# Call this at end of processing a DNS packet.
-rewriter dns_end%(commit: bool%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-
-	// We have been building the packet in the DNS rewriter, now
-	// write the whole packet here at once, then commit it.
-	@WRITE@(dnsrewriter->IsOrig(), dnsrewriter->PacketSize(),
-		(const u_char*) dnsrewriter->Packet());
-	@TRACE@->CommitPackets(commit);
-	%}
diff --git a/src/dns.pac b/src/dns.pac
index dc5ca586f8..aeffdf0bc7 100644
--- a/src/dns.pac
+++ b/src/dns.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %include bro.pac
 
 analyzer DNS withcontext {
diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac
index f2c7f5f523..d31ff58c6e 100644
--- a/src/dns_tcp.pac
+++ b/src/dns_tcp.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include "dns_pac.h"	// for DNS_Conn
 %}
diff --git a/src/epmapper.pac b/src/epmapper.pac
index c9eea3c139..7fbaf47418 100644
--- a/src/epmapper.pac
+++ b/src/epmapper.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 type epmapper_lookup_req = record {
 	inquiry_type	: uint32;
 	# object	: uuid_p_t;
diff --git a/src/event.bif b/src/event.bif
index d0cee28c03..4ed0f884cd 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -1,62 +1,826 @@
-# $Id: event.bif 6942 2009-11-16 03:54:08Z vern $
+##! The events that the C/C++ core of Bro can generate.  This is mostly
+##! consisting of high-level network events that protocol analyzers detect,
+##! but there are also several general-utility events generated by internal
+##! Bro frameworks.
 
-# Declare to bifcl the following types as enum types.
-declare enum dce_rpc_ptype;
-declare enum dce_rpc_if_id;
-declare enum rpc_status;
+#
+# Documentation conventions:
+#
+#     - Use past tense for activity that has already occured.
+#
+#     - List parameters with an empty line in between.
+#
+#     - Within the description, reference other parameters of the same events
+#       as *arg*.
+#
+#     - Order:
+#
+#         - Short initial sentence  (which doesn't need to be a sentence),
+#           starting with "Generated ..."
+#
+#         - Description
+#
+#         - Parameters
+#
+#         - .. bro:see::
+#
+#         - .. note::
+#
+#         - .. todo::
 
+## Generated at Bro initialization time. The event engine generates this
+## event just before normal input processing begins. It can be used to execute
+## one-time initialization code at startup. At the time a handler runs, Bro will
+## have  executed any global initializations and statements.
+##
+## .. bro:see:: bro_done
+##
+## .. note::
+##
+##    When a ``bro_init`` handler executes, Bro has not yet seen any input packets
+##    and therefore :bro:id:`network_time` is not  initialized yet. An artifact
+##    of that is that any timer installed in a ``bro_init`` handler will fire
+##    immediately with the first packet. The standard way to work around that is to
+##    ignore the first time the timer fires and immediately reschedule.
+##
 event bro_init%(%);
+
+## Generated at Bro termination time. The event engine generates this event when
+## Bro is about to terminate, either due to having exhausted reading its input
+## trace file(s), receiving a termination signal, or because Bro was run without
+## a network input source and has finished executing any global statements.
+##
+## .. bro:see:: bro_init
+##
+## .. note::
+##
+##    If Bro terminates due to an invocation of :bro:id:`exit`, then this event is
+##    not generated.
 event bro_done%(%);
 
-# bro_signal is initiated in main.cc
-# event bro_signal%(signal: count%);
-
+## Generated when an internal DNS lookup reduces the same result as last time.
+## Bro keeps an internal DNS cache for host names and IP addresses it has
+## already resolved. This event is generated when subsequent lookup returns
+## the same result as stored in the cache.
+##
+## dm: A record describing the new resolver result (which matches the old one).
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified
 event dns_mapping_valid%(dm: dns_mapping%);
+
+## Generated when an internal DNS lookup got no answer even though it had succeeded he
+## past. Bro keeps an internal DNS cache for host names and IP addresses it has
+## already resolved. This event is generated when a subsequent lookup does not
+## produce an answer even though we have already stored a result in the cache.
+##
+## dm: A record describing the old resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_valid
 event dns_mapping_unverified%(dm: dns_mapping%);
+
+## Generated when an internal DNS lookup succeeed but an earlier attempt not. had
+## had succeeded he past. Bro keeps an internal DNS cache for host names and IP
+## addresses it has already resolved. This event is generated when a subsequent
+## lookup produces an answer for a query that was marked as failed in the cache.
+##
+## dm: A record describing the new resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
+##    dns_mapping_valid
 event dns_mapping_new_name%(dm: dns_mapping%);
+
+## Generated when an internal DNS lookup returned zero answers even though it
+## had succeeded he past. Bro keeps an internal DNS cache for host names and IP
+## addresses it has already resolved. This event is generated when for a subsequent
+## lookup we received answer that however was empty even though we have
+## already stored a result in the cache.
+##
+## dm: A record describing the old resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid
 event dns_mapping_lost_name%(dm: dns_mapping%);
-event dns_mapping_name_changed%(old_dm: dns_mapping, new_dm: dns_mapping%);
+
+## Generated when an internal DNS lookup produced a different result than in
+## past.  Bro keeps an internal DNS cache for host names and IP addresses it has
+## already resolved. This event is generated when a subsequent lookup returns
+## a different answer than we have stored in the cache.
+##
+## dm: A record describing the new resolver result.
+##
+## old_addrs: Addresses that used to be part of the returned set for the query
+##            described by *dm*, but are not anymore.
+##
+## new_addrs: Addresses that did not use to be part of the returned set for the
+##            query described by *dm*, but now are.
+##
+## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid
 event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
+## Generated for every new connection. The event is raised with the first packet
+## of a previously unknown connection. Bro uses a flow-based definition of
+## "connection" here that includes not only TCP sessions but also UDP and ICMP
+## flows.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove connection_status_update connection_timeout
+##    expected_connection_seen new_connection_contents partial_connection
+##
+## .. note::
+##
+##    Handling this event is potentially expensive. For example, during a SYN
+##    flooding attack, every spoofed SYN packet will lead to a new
+##    event.
 event new_connection%(c: connection%);
+
+## Generated when reassembly starts for a TCP connection. The event is raised
+## at the moment when Bro's TCP analyzer enables stream reassembly for a
+## connection.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove connection_status_update connection_timeout
+##    expected_connection_seen new_connection partial_connection
 event new_connection_contents%(c: connection%);
-event new_packet%(c: connection, p: pkt_hdr%);
+
+## Generated for an unsuccessful connection attempt. The event is raised when an
+## originator unsuccessfully attempted to establish a connection. "Unsuccessful"
+## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed since
+## the originator first sent a connection establishment packet to the destination
+## without seeing a reply.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_established
+##    connection_external connection_finished connection_first_ACK
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_attempt%(c: connection%);
+
+## Generated for an established TCP connection. The event is raised when the
+## initial 3-way TCP handshake has successfully finished for a connection.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_external connection_finished connection_first_ACK
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_established%(c: connection%);
+
+## Generated for a new active TCP connection if Bro did not see the initial
+## handshake. The event is raised when Bro has observed traffic from each endpoint,
+## but the activity did not begin with the usual connection establishment.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove connection_status_update connection_timeout
+##    expected_connection_seen new_connection new_connection_contents
+##
 event partial_connection%(c: connection%);
+
+## Generated when a previously inactive endpoint attempts to close a TCP connection
+## via a normal FIN handshake or an abort RST sequence. When the endpoint sent
+## one of these packets, Bro waits :bro:id:`tcp_partial_close_delay` prior
+## to generating the event, to give the other endpoint a chance to close the
+## connection normally.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_partial_close%(c: connection%);
+
+## Generated for a TCP connection that finished normally. The event is raised
+## when a regular FIN handshake from both endpoints was observed.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_first_ACK
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_finished%(c: connection%);
+
+## Generated when one endpoint of a TCP connection attempted to gracefully close
+## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
+## happen due to split routing, in which Bro only sees one side of a connection.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK  connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_half_finished%(c: connection%);
+
+## Generated for a rejected TCP connection. The event is raised when an originator
+## attempted to setup a TCP connection but the responder replied with a RST packet
+## denying it.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending  connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
+##
+## c: The connection.
+##
+## .. note::
+##
+##    If the responder does not respond at all, :bro:id:`connection_attempt` is
+##    raised instead. If the responder initially accepts the connection but aborts
+##    it later, Bro first generates :bro:id:`connection_established` and then
+##    :bro:id:`connection_reset`.
 event connection_rejected%(c: connection%);
+
+## Generated when an endpoint aborted a TCP connection. The event is raised
+## when one endpoint of an established TCP connection aborted by sending a RST
+## packet.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected  connection_reused
+##    connection_state_remove connection_status_update connection_timeout
+##    expected_connection_seen new_connection new_connection_contents
+##    partial_connection
 event connection_reset%(c: connection%);
+
+## Generated for each still-open connection when Bro terminates.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection bro_done
 event connection_pending%(c: connection%);
+
+## Generated when a connection's internal state is about to be removed from
+## memory. Bro generates this event reliably once for every connection when it
+## is about to delete the internal state. As such, the event is well-suited for
+## scrip-level cleanup that needs to be performed for every connection.  The
+## ``connection_state_remove`` event is generated not only for TCP sessions but
+## also for UDP and ICMP flows.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection udp_inactivity_timeout
+##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
+
+## Generated for a SYN packet. Bro raises this event for every SYN packet seen by
+## its TCP analyzer.
+##
+## c: The connection.
+##
+## pkt: Information extracted from the SYN packet.
+##
+## .. bro:see:: connection_EOF  connection_attempt connection_established
+##    connection_external connection_finished connection_first_ACK
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
+##
+## .. note::
+##
+##    This event has quite low-level semantics and can potentially be expensive to
+##    generate. It should only be used if one really needs the specific information
+##    passed into the handler via the ``pkt`` argument. If not, handling one of the
+##    other ``connection_*`` events is typically the better approach.
 event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
+
+## Generated for the first ACK packet seen for a TCP connection from
+## its *orginator*.
+##
+## c: The connection.
+##
+## pkt: Information extracted from the SYN packet.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
+##
+## .. note::
+##
+##    This event has quite low-level semantics and should be used only rarely.
 event connection_first_ACK%(c: connection%);
+
+## Generated when a TCP connection timed out. This event is raised when no activity
+## was  seen for an interval of at least :bro:id:`tcp_connection_linger`, and
+## either one endpoint has already closed the connection or one side never
+## never became active.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove connection_status_update expected_connection_seen
+##    new_connection new_connection_contents partial_connection
+##
+## .. note::
+##
+##    The precise semantics of this event can be unintuitive  as it only
+##    covers a subset of cases where a connection times out. Often, handling
+##    :bro:id:`connection_state_remove` is the better option. That one will be
+##    generated reliably when an interval of ``tcp_inactivity_timeout`` has passed
+##    with out any activity seen (but also for all other ways a connection may
+##    terminate).
 event connection_timeout%(c: connection%);
+
+## Generated when a connection 4-tuple is reused. The event is raised when Bro
+## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier
+## connection it still consideres active.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_reused%(c: connection%);
+
+## Generated in regular intervals during the life time of a connection. The
+## events is raised each ``connection_status_update_interval`` seconds
+## and can be used to check conditions on a regular basis.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove  connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_status_update%(c: connection%);
+
+## Generated at the end of reassembled TCP connections. The TCP reassembler
+## raised the event once for each endpoint of a connection when it finished
+## reassembling the corresponding side of the communication.
+##
+## c: The connection.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## .. bro:see::  connection_SYN_packet connection_attempt connection_established
+##    connection_external connection_finished connection_first_ACK
+##    connection_half_finished connection_partial_close connection_pending
+##    connection_rejected connection_reset connection_reused connection_state_remove
+##    connection_status_update connection_timeout expected_connection_seen
+##    new_connection new_connection_contents partial_connection
 event connection_EOF%(c: connection, is_orig: bool%);
+
+## Generated for a new connection received from the communication subsystem. Remote
+## peers can inject packets into Bro's packet loop, for example via :doc:`Broccoli
+## </components/broccoli/README>`.  The communication systems raises this event
+## with the first packet of a connection coming in this way.
 event connection_external%(c: connection, tag: string%);
+
+## Generated when a connected is seen that has previously marked as being expected.
+## The function :bro:id:`expect_connection` tells Bro to expect a particular
+## connection to come up, and which analyzer to associate with it. Once the
+## first packet of such a connection is indeed seen, this event is raised.
+##
+## c: The connection.
+##
+## a: The analyzer that was scheduled for the connection with the
+##    :bro:id:`expect_connection` call. When the event is raised, that
+##    analyzer will already have been activated to process the connection. The
+##    ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+##    connection_established connection_external connection_finished
+##    connection_first_ACK connection_half_finished connection_partial_close
+##    connection_pending connection_rejected connection_reset connection_reused
+##    connection_state_remove connection_status_update connection_timeout
+##    new_connection new_connection_contents partial_connection
+##
+## .. todo: We don't have a good way to document the automatically generated
+##    ``ANALYZER_*`` constants right now.
 event expected_connection_seen%(c: connection, a: count%);
 
+## Generated for every packet Bro sees. This is a very low-level and expensive
+## event that should be avoided when at all possible. Is's usually infeasible to
+## handle when processing even medium volumes of traffic in real-time. That
+## said, if you work from a trace and want to do some packet-level analysis,
+## it may come in handy.
+##
+## c: The connection the packet is part of.
+##
+## p: Informattion from the header of the packet that triggered the event.
+##
+## .. bro:see:: tcp_packet packet_contents
+event new_packet%(c: connection, p: pkt_hdr%);
+
+## Generated for every packet that has non-empty transport-layer payload. This is a
+## very low-level and expensive event that should be avoided when at all possible.
+## It's usually  infeasible to handle when processing even medium volumes of
+## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if
+## you work from a trace and want to do some packet-level analysis, it may come in
+## handy.
+##
+## c: The connection the packet is part of.
+##
+## contants: The raw transport-layer payload.
+##
+## .. bro:see:: new_packet tcp_packet
+event packet_contents%(c: connection, contents: string%);
+
+## Generated for every TCP packet. This is a very low-level and expensive event
+## that should be avoided when at all possible. It's usually  infeasible to handle
+## when processing even medium volumes of traffic in real-time.  It's slightly
+## better than :bro:id:`new_packet` because it affects only TCP, but not much. That
+## said, if you work from a trace and want to do some packet-level analysis, it may
+## come in handy.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## flags: A string with the packet's TCP flags. In the string, each character
+##        corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
+##        ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
+##
+## seq: The packet's TCP sequence number.
+##
+## ack: The packet's ACK number.
+##
+## len: The length of the TCP payload, as specified in the packet header.
+##
+## payload: The raw TCP payload. Note that this may less than *len* if the packet
+##          was not fully captured.
+##
+## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
+event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
+
+## Generated for each option found in a TCP header. Like many of the ``tcp_*``
+## events, this is a very low-level event and potentially expensive as it may
+## be raised very often.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## opt: The numerical option number, as found in the TCP header.
+##
+## optlen: The length of the options value.
+##
+## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
+##
+## .. note:: There is currently no way to get the actual option value, if any.
+event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
+
+## Generated for each chunk of reassembled TCP payload. When content delivery is
+## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`,
+## :bro:id:`tcp_content_delivery_ports_resp`,
+## :bro:id:`tcp_content_deliver_all_orig`,
+## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
+## of in-order payload reconstructed from the packet stream. Note that this event
+## is potentially expensive if many connections carry signficant amounts of data as
+## then all that needs to be passed on to the scripting layer.
+##
+## c: The connection the payload is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## seq: The sequence number corresponding to the first byte of the payload
+##      chunk.
+##
+## payload: The raw payload, which will be non-empty.
+##
+## .. bro:see:: tcp_packet tcp_option tcp_rexmit
+##    tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+##    tcp_content_deliver_all_resp tcp_content_deliver_all_orig
+##
+## .. note::
+##
+##    The payload received by this event is the same that is also passed into
+##    application-layer protocol analyzers internally. Subsequent invocations of
+##    this event for the same connection receive non-overlapping in-order chunks
+##    of its TCP payload stream. It is however undefined what size each chunk
+##    has; while Bro passes the data on as soon as possible, specifics depend on
+##    network-level effects such as latency, acknowledgements, reordering, etc.
+event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
+
+## Generated
+event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
+
+## Generated when Bro detects a TCP retransmission inconsistency. When
+## reassemling TCP stream, Bro buffers all payload until it seens the responder
+## acking it. If during time, the sender resends a chunk of payload but with
+## content than originally, this event will be raised.
+##
+## c: The connection showing the inconsistency.
+##
+## t1: The original payload.
+##
+## t2: The new payload.
+##
+## .. bro:see:: tcp_rexmit tcp_contents
+event rexmit_inconsistency%(c: connection, t1: string, t2: string%);
+
+## Generated when a TCP endpoint acknowledges payload that Bro did never see.
+##
+## c: The connection.
+##
+## .. bro:see:: content_gap
+##
+## .. note::
+##
+##    Seeing an acknowledgment indicates that the responder of the connection
+##    says it has received the corresponding data. If Bro did not, it must have
+##    either missed one or more packets, or the responder's TCP stack is broken
+##    (which isn't unheard of). In practice, one will always see a few of these
+##    events in any larger volume of network traffic. If there are lots of them,
+##    however, that typically  means that there is a problem with the monitoring
+##    infrastructure such as a tap dropping packets, split routing on the path, or
+##    reordering at the tap.
+##
+##    This event reports similar situations as :bro:id:`content_gap`, though their
+##    specifics differ slightly. Often, however, both will be raised for the same
+##    connection if some of its data is missing. We should eventually merge
+##    the two.
+event ack_above_hole%(c: connection%);
+
+## Generated when Bro detects a gap in a reassembled TCP payload stream. This event
+## is raised when Bro, while reassemling a payload stream, determines that a chunk
+## of payload is missing (e.g., because the responder has already acknowledged it,
+## even though Bro didn't see it).
+##
+## c: The connection.
+##
+## is_orig: True if the gap is on the originator's side.
+##
+## seq: The sequence number where the gap starts.
+##
+## length: The number of bytes missing.
+##
+## .. bro:see:: ack_above_hole
+##
+## .. note::
+##
+##    Content gaps tend to occur occasionally for various reasons, including broken
+##    TCP stacks. If, however, one finds lots of them, that typically means that
+##    there is a problem with the monitoring infrastructure such as a tap dropping
+##    packets, split routing on the path, or reordering at the tap.
+##
+##    This event reports similar situations as :bro:id:`ack_above_hole`, though
+##    their specifics differ slightly. Often, however, both will be raised for
+##    connection if some of its data is missing. We should eventually merge the
+##    two.
+event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
+
+## Summarizes the amount of missing TCP payload at regular intervals. Internally,
+## Bro tracks (1) the number of :bro:id:`ack_above_hole` events, including the
+## numer of bytes missing; and (2) the total number of TCP acks seen, with the
+## total volume of bytes that have been acked. This event reports these statistics
+## in :bro:id:`gap_report_freq` intervals for the purpose of determining packet
+## loss.
+##
+## dt: The time that has past since the last ``gap_report`` interval.
+##
+## info: The gap statistics.
+##
+## .. bro:see:: content_gap ack_above_hole
+##
+## .. note::
+##
+##    Bro comes with a script :doc:`/scripts/policy/misc/capture-loss`  that uses
+##    this event to estimate packet loss and report when a predefined threshold is
+##    exceeded.
+event gap_report%(dt: interval, info: gap_info%);
+
+
+## Generated when a protocol analyzer confirms that a connection is indeed
+## using that protocol. Bro's dynamic protocol detection heuristically activates
+## analyzers as soon as it believe a connection *could* be using a particular
+## protocol. It is then left to the corresponding analyzer to verify whether that
+## is indeed the case; if so, this event will be generated.
+##
+## c: The connection.
+##
+## atype: The type of the analyzer confirming that its protocol is in
+##        use. The value is one of the ``ANALYZER_*`` constants. For example,
+##        ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed
+##        parsing an HTTP connection.
+##
+## aid:   A unique integer ID identifying the specific *instance* of the
+##        analyzer *atype*  that is analyzing the connection ``c``. The ID can
+##        be used to reference the analyzer when using  builtin functions like
+##        :bro:id:`disable_analyzer`.
+##
+## .. bro:see:: protocol_violation
+##
+## .. note::
+##
+##    Bro's default scripts use this event to determine the ``service`` column of
+##    :bro:type:`Conn::Info`: once confirmed, the protocol will be listed there
+##    (and thus in ``conn.log``).
 event protocol_confirmation%(c: connection, atype: count, aid: count%);
+
+## Generated when a protocol analyzer determines that a connection it is parsing
+## is not conforming to the protocol it expects. Bro's dynamic protocol detection
+## heuristically activates analyzers as soon as it believe a connection *could* be
+## using a particular protocol. It is then left to the corresponding analyzer to
+## verify whether that is indeed the case;  if not, the analyzer will trigger this
+## event.
+##
+## c: The connection.
+##
+## atype: The type of the analyzer confirming that its protocol is in
+##        use. The value is one of the ``ANALYZER_*`` constants. For example,
+##        ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed
+##        parsing an HTTP connection.
+##
+## aid:   A unique integer ID identifying the specific *instance* of the
+##        analyzer *atype*  that is analyzing the connection ``c``. The ID can
+##        be used to reference the analyzer when using  builtin functions like
+##        :bro:id:`disable_analyzer`.
+##
+## .. bro:see:: protocol_confirmation
+##
+## .. note::
+##
+##    Bro's default scripts use this event to disable an analyzer via
+##    :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's however
+##    a script-level decision and not done automatically by the event eninge.
 event protocol_violation%(c: connection, atype: count, aid: count, reason: string%);
 
-event packet_contents%(c: connection, contents: string%);
-event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
-event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
-event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
-event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
+## Generated for each packet sent by a UDP flow's originator. This a potentially
+## expsensive event due to the volume of UDP traffic and should be used with care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply  udp_session_done
 event udp_request%(u: connection%);
+
+## Generated for each packet sent by a UDP flow's responder. This a potentially
+## expsensive event due to the volume of UDP traffic and should be used with care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents  udp_request udp_session_done
 event udp_reply%(u: connection%);
+
+## Generated for UDP packets to pass on their payload. As the number of UDP
+## packets  can be very large, this event is normally raised only for those on
+## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets sent
+## by the flow's orgininator) or :bro:id:`udp_content_delivery_ports_resp` (for
+## packets sent by the flow's responder). However, delivery can be enabled for all
+## UDP request and reply packets by setting :bro:id:`udp_content_deliver_all_orig`
+## or :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event is
+## also raised for all matching UDP packets, including empty ones.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## .. bro:see::  udp_reply udp_request udp_session_done
+##    udp_content_deliver_all_orig udp_content_deliver_all_resp
+##    udp_content_delivery_ports_orig udp_content_delivery_ports_resp
 event udp_contents%(u: connection, is_orig: bool, contents: string%);
+
+## Generated when a UDP session for a supported protocol has finished. Some of
+## Bro's application-layer UDP analyzers flag the end of a session by raising this
+## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply udp_request
 event udp_session_done%(u: connection%);
 
+## Generated for all ICMP messages that are not handled separetely with dedicated
+## ICMP events. Bro's ICMP analyzer handles  a number of ICMP messages directly
+## with dedicated events. This handlers acts as a fallback for those it doesn't.
+## The *icmp* record provides more information about the message.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+##       connection record *c*.
+##
+## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect
+##    icmp_time_exceeded icmp_unreachable
 event icmp_sent%(c: connection, icmp: icmp_conn%);
+
+## Generated for ICMP *echo request* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+##       connection record *c*.
+##
+## id: The *echo request* identifier.
+##
+## seq: The *echo request* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything after
+##          the first 8 bytes of the ICMP header.
+##
+## .. bro:see:: icmp_echo_reply  icmp_redirect icmp_sent
+##    icmp_time_exceeded icmp_unreachable
 event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for ICMP *echo reply* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## id: The *echo reply* identifier.
+##
+## seq: The *echo reply* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything after
+##          the first 8 bytes of the ICMP header.
+##
+## .. bro:see::  icmp_echo_request icmp_redirect icmp_sent
+##    icmp_time_exceeded icmp_unreachable
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for ICMP *destination unreachable* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *unreachable* message.
+##
+## context: A record with specifics of the original packet that the message refers
+##          to. *Unreachable* messages should include the original IP header from the packet
+##          that triggered them, and Bro parses that into the *context* structure. Note
+##          that if the *unreachable* includes only a partial IP header for some reason, no
+##          fields of *context* will be filled out.
+##
+## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
+##    icmp_time_exceeded
 event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
 event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 event icmp_router_advertisement%(c: connection, icmp: icmp_conn%);
 
@@ -65,414 +829,5443 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn%);
 event icmp6_placeholder%(c: connection, icmp: icmp_conn, ICMP6: bool%);
 
 
+## Generated for ICMP *time exceeded* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *exceeded* message.
+##
+## context: A record with specifics of the original packet that the message refers
+##          to. *Unreachable* messages should include the original IP header from the packet
+##          that triggered them, and Bro parses that into the *context* structure. Note that
+##          if the *exceeded* includes only a partial IP header for some reason, no fields
+##          of *context* will be filled out.
+##
+## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
+##     icmp_unreachable
+event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 
+## Generated for ICMP *redirect* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## a: The new destination address the message is redirecting to.
+##
+## .. bro:see:: icmp_echo_reply icmp_echo_request  icmp_sent
+##    icmp_time_exceeded icmp_unreachable
+event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);
 
-event net_stats_update%(t: time, ns: net_stats%);
+## Generated when a TCP connection terminated, passing on statistics about the
+## two endpoints. This event is always generated when Bro flushes the internal
+## connection state, independent of how a connection terminates.
+##
+## c: The connection.
+##
+## os: Statistics for the originator endpoint.
+##
+## rs: Statistics for the responder endpoint.
+##
+## .. bro:see:: connection_state_remove
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
-event conn_weird%(name: string, c: connection%);
-event conn_weird_addl%(name: string, c: connection, addl: string%);
-event flow_weird%(name: string, src: addr, dst: addr%);
-event net_weird%(name: string%);
-event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
-event rexmit_inconsistency%(c: connection, t1: string, t2: string%);
-event ack_above_hole%(c: connection%);
-event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
-event gap_report%(dt: interval, info: gap_info%);
-event inconsistent_option%(c: connection%);
-event bad_option%(c: connection%);
-event bad_option_termination%(c: connection%);
 
+## Generated for unexpected activity related to a specific connection.  When
+## Bro's packet analysis encounters activity that does not conform to a protocol's
+## specification, it raises one of the ``*_weird`` events to report that. This
+## event is raised if the activity is tied directly to a specific connection.
+##
+## name: A unique name for the specific type of "weird" situation. Bro's default
+##       scripts use this name in filtering policies that specify which "weirds" are
+##       worth reporting.
+##
+## c: The corresponding connection.
+##
+## addl: Optional additional context further describing the situation.
+##
+## .. bro:see:: flow_weird net_weird
+##
+## .. note:: "Weird" activity is much more common in real-world network traffic
+##    than one would intuitively expect. While in principle, any protocol violation
+##    could be an attack attempt, it's much more likely that an endpoint's
+##    implementation interprets an RFC quite liberally.
+event conn_weird%(name: string, c: connection, addl: string%);
+
+## Generated for unexpected activity related to a pair of hosts, but independent
+## of a specific connection.  When Bro's packet analysis encounters activity that
+## does not conform to a protocol's specification, it raises one of the ``*_weird``
+## event to report that. This event is raised if the activity is related to a
+## pair of hosts, yet not to a specific connection between them.
+##
+## name: A unique name for the specific type of "weird" situation. Bro's default
+##       scripts use this name in filtering policies that specify which "weirds" are
+##       worth reporting.
+##
+## src: The source address corresponding to the activity.
+##
+## dst: The destination address corresponding to the activity.
+##
+## .. bro:see:: conn_weird net_weird
+##
+## .. note:: "Weird" activity is much more common in real-world network traffic
+##    than one would intuitively expect. While in principle, any protocol violation
+##    could be an attack attempt, it's much more likely that an endpoint's
+##    implementation interprets an RFC quite liberally.
+event flow_weird%(name: string, src: addr, dst: addr%);
+
+## Generated for unexpected activity that is not tied to a specific connection
+## or pair of hosts. When Bro's packet analysis encounters activity that
+## does not conform to a protocol's specification, it raises one of the
+## ``*_weird`` event to report that. This event is raised if the activity is
+## not tied directly to a specific connection or pair of hosts.
+##
+## name: A unique name for the specific type of "weird" situation. Bro's default
+##       scripts use this name in filtering policies that specify which "weirds" are
+##       worth reporting.
+##
+## .. bro:see:: flow_weird
+##
+## .. note:: "Weird" activity is much more common in real-world network traffic
+##    than one would intuitively expect. While in principle, any protocol violation
+##    could be an attack attempt, it's much more likely that an endpoint's
+##    implementation interprets an RFC quite liberally.
+event net_weird%(name: string%);
+
+## Generated regularly for the purpose of profiling Bro's processing. This event
+## is raised for every :bro:id:`load_sample_freq` packet. For these packets,
+## Bro records script-level functions executed during their processing as well as
+## further internal locations. By sampling the processing in this form, one can
+## understand where Bro spends its time.
+##
+## samples: A set with functions and locations seens during the processing of
+##          the sampled packet.
+##
+## CPU: The CPU time spent on processing the sampled.
+##
+## dmem: The difference in memory usage caused by processing the sampled packet.
+event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
+
+## Generated for ARP requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__ for
+## more information about the ARP protocol.
+##
+## mac_src: The request's source MAC address.
+##
+## mac_dst: The request's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see:: arp_reply  bad_arp
 event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
+
+## Generated for ARP replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__ for
+## more information about the ARP protocol.
+##
+## mac_src: The replies's source MAC address.
+##
+## mac_dst: The replies's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see::  arp_request bad_arp
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
+
+## Generated for ARP packets that Bro cannot interpret. Examples are packets with
+## non-standard hardware address formats or hardware addresses that not match the
+## originator of the packet.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## explanation: A short description of why the ARP packet is considered "bad".
+##
+## .. bro:see:: arp_reply arp_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
 
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_handshake%(c: connection, is_orig: bool,
 			reserved: string, info_hash: string, peer_id: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bittorrent_peer_choke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive  bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake  bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see::  bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
+##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port  bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
 				begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
 				begin: count, piece_length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield  bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
 				begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
 event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_weird
 event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
 				data: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown
 event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bt_tracker_request%(c: connection, uri: string,
 				headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bt_tracker_response%(c: connection, status: count,
 					headers: bt_tracker_headers,
 					peers: bittorrent_peer_set,
 					benc: bittorrent_benc_dir%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bt_tracker_response_not_ok%(c: connection, status: count,
 					headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
+## information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
 event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
 
+## Generated for Finger requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. bro:see:: finger_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event finger_request%(c: connection, full: bool, username: string, hostname: string%);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. bro:see:: finger_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event finger_reply%(c: connection, reply_line: string%);
 
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see::  gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
+##
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 				ttl: count, hops: count, msg_len: count,
 				payload: string, payload_len: count,
 				trunc: bool, complete: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_partial_binary_msg%(c: connection, orig: bool,
 					msg: string, len: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_not_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event gnutella_http_notify%(c: connection%);
 
+## Generated for Ident requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The request's local port.
+##
+## rport: The request's remote port.
+##
+## .. bro:see:: ident_error ident_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ident_request%(c: connection, lport: port, rport: port%);
+
+## Generated for Ident replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## user_id: The user id returned by the reply.
+##
+## system: The operating system returned by the reply.
+##
+## .. bro:see:: ident_error  ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
+
+## Generated for Ident error replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## line: The error description returned by the reply.
+##
+## .. bro:see:: ident_reply ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ident_error%(c: connection, lport: port, rport: port, line: string%);
 
+## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
+## Telnet/Rlogin sessions to heuristically extract username and password
+## information as well as the text returned by the login server. This event is
+## raised if a login attempt appears to have been unsuccessful.
+##
+## c: The connection.
+##
+## user: The user name tried.
+##
+## client_user: For Telnet connections, this is an empty string, but for Rlogin
+##       connections, it is the client name passed in the initial authentication
+##       information (to check against .rhosts).
+##
+## password:  The password tried.
+##
+## line:  line is the line of text that led the analyzer to conclude that the
+##        authentication had failed.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_input_line
+##    login_output_line login_prompt login_success login_terminal direct_login_prompts
+##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+##    login_timeouts set_login_state
+##
+## .. note:: The login analyzer depends on a set of script-level variables that
+##    need to  configured with patterns identifying login attempts. This configuration
+##    has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
+##    therefore not directly usable at the moment.
+##
+## .. todo: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
+
+## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
+## Telnet/Rlogin sessions to heuristically extract username and password
+## information as well as the text returned by the login server. This event is
+## raised if a login attempt appears to have been successful.
+##
+## c: The connection.
+##
+## user: The user name used.
+##
+## client_user: For Telnet connections, this is an empty string, but for Rlogin
+##       connections, it is the client name passed in the initial authentication
+##       information (to check against .rhosts).
+##
+## password: The password used.
+##
+## line:  line is the line of text that led the analyzer to conclude that the
+##        authentication had succeeded.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_failure
+##    login_input_line login_output_line login_prompt login_terminal
+##    direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
+##    login_prompts login_success_msgs login_timeouts set_login_state
+##
+## .. note:: The login analyzer depends on a set of script-level variables that
+##    need to  configured with patterns identifying login attempts. This configuration
+##    has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
+##    therefore not directly usable at the moment.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
+
+## Generated for lines of input on Telnet/Rlogin sessions. The line will have
+## control characters (such as in-band Telnet options) removed.
+##
+## c: The connection.
+##
+## line: The input line.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_failure
+##    login_output_line login_prompt login_success login_terminal    rsh_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_input_line%(c: connection, line: string%);
+
+## Generated for lines of output on Telnet/Rlogin sessions. The line will have
+## control characters (such as in-band Telnet options) removed.
+##
+## c: The connection.
+##
+## line: The ouput line.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_failure
+##    login_input_line  login_prompt login_success login_terminal rsh_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_output_line%(c: connection, line: string%);
+
+## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login*
+## analyzer uses a number of heuristics to extract authentication information, it
+## may become confused. If it can no longer correctly track the authentication
+## dialog, it raised this event.
+##
+## c: The connection.
+##
+## msg: Gives the particular problem the heuristics detected (for example,
+##      ``multiple_login_prompts`` means that the engine saw several login prompts in
+##      a row, without the type-ahead from the client side presumed necessary to cause
+##      them)
+##
+## line: The line of text that caused the heuristics to conclude they were
+##       confused.
+##
+## .. bro:see::  login_confused_text login_display login_failure login_input_line login_output_line
+##    login_prompt login_success login_terminal direct_login_prompts get_login_state
+##    login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+##    login_timeouts set_login_state
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_confused%(c: connection, msg: string, line: string%);
+
+## Generated after getting confused while tracking a Telnet/Rlogin authentication
+## dialog. The *login* analyzer generates this even for every line of user input
+## after it has reported :bro:id:`login_confused` for a connection.
+##
+## c: The connection.
+##
+## line: The line the user typed.
+##
+## .. bro:see:: login_confused  login_display login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal direct_login_prompts
+##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+##    login_success_msgs login_timeouts set_login_state
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_confused_text%(c: connection, line: string%);
+
+## Generated for clients transmitting a terminal type in an Telnet session.  This
+## information is extracted out of environment variables sent as Telnet options.
+##
+## c: The connection.
+##
+## terminal: The TERM value transmitted.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_failure
+##    login_input_line login_output_line login_prompt login_success
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_terminal%(c: connection, terminal: string%);
+
+## Generated for clients transmitting a X11 DISPLAY in a Telnet session. This
+## information is extracted out of environment variables sent as Telnet options.
+##
+## c: The connection.
+##
+## terminal: The DISPLAY transmitted.
+##
+## .. bro:see:: login_confused login_confused_text  login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_display%(c: connection, display: string%);
-event login_prompt%(c: connection, prompt: string%);
-event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
-event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
-event excessive_line%(c: connection%);
+
+## Generated when a Telnet authentication has been successful. The Telnet protocol
+## includes options for negotiating authentication. When such an option is sent
+## from client to server and the server replies that it accepts the authentication,
+## then the event engine generates this event.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## name: The authenticated name.
+##
+## c: The connection.
+##
+## .. bro:see::  authentication_rejected authentication_skipped login_success
+##
+## .. note::  This event inspects the corresponding Telnet option while :bro:id:`login_success`
+##    heuristically determines success by watching session data.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event authentication_accepted%(name: string, c: connection%);
+
+## Generated when a Telnet authentication has been unsuccessful. The Telnet
+## protocol includes options for negotiating authentication. When such an option
+## is sent from client to server and the server replies that it did not accept the
+## authentication, then the event engine generates this event.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## name: The attempted authentication name.
+##
+## c: The connection.
+##
+## .. bro:see:: authentication_accepted authentication_skipped login_failure
+##
+## .. note::  This event inspects the corresponding Telnet option while :bro:id:`login_success`
+##    heuristically determines failure by watching session
+##    data.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event authentication_rejected%(name: string, c: connection%);
+
+## Generated when for Telnet/Rlogin sessions when a pattern match indicates
+## that no authentication is performed.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts
+##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+##    login_success_msgs login_timeouts set_login_state
+##
+## .. note:: The login analyzer depends on a set of script-level variables that
+##    need to be configured with patterns identifying actvity. This configuration has
+##    not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore
+##    not directly usable at the moment.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event authentication_skipped%(c: connection%);
+
+## Generated for clients transmitting a terminal prompt in a Telnet session. This
+## information is extracted out of environment variables sent as Telnet options.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## c: The connection.
+##
+## terminal: The TTYPROMPT transmitted.
+##
+## .. bro:see:: login_confused login_confused_text login_display login_failure
+##    login_input_line login_output_line  login_success login_terminal
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event login_prompt%(c: connection, prompt: string%);
+
+## Generated for Telnet sessions when encryption is activated. The Telnet protoco;
+## includes options for negotiating encryption. When such a series of options is
+## successfully negotiated, the event engine generates this event.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped
+##    login_confused login_confused_text login_display login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal
 event activating_encryption%(c: connection%);
 
+## Generated for inconsistent Telnet options observed. Telnet options are specified
+## by the client and server stating which options they are willing to support
+## vs. which they are not, and then instructing one another which in fact they
+## should or should not use for the current connection. If the event engine sees
+## a peer violate either what the other peer has instructed it to do, or what it
+## itself offered in terms of options in the past, then the engine generates an
+## inconsistent_option event.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: bad_option bad_option_termination  authentication_accepted
+##    authentication_rejected authentication_skipped login_confused
+##    login_confused_text login_display login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal
+event inconsistent_option%(c: connection%);
+
+## Generated for an ill-formed or unrecognized Telnet option.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted
+##    authentication_rejected authentication_skipped login_confused
+##    login_confused_text login_display login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event bad_option%(c: connection%);
+
+## Generated for a Telnet option that's incorrectly terminated.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+## about the Telnet protocol.
+##
+## .. bro:see:: inconsistent_option bad_option authentication_accepted
+##    authentication_rejected authentication_skipped login_confused
+##    login_confused_text login_display login_failure login_input_line
+##    login_output_line login_prompt login_success login_terminal
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event bad_option_termination%(c: connection%);
+
+## Generated for client side commands on an RSH connection.
+##
+## See `RFC 1258 <http://tools.ietf.org/html/rfc1258>`__ for more information about
+## the Rlogin/Rsh protocol.
+##
+## c: The connection.
+##
+## client_user: The client-side user name as sent in the initial protocol
+##       handshake.
+##
+## client_user: The server-side user name as sent in the initial protocol
+##       handshake.
+##
+## line: The command line sent in the request.
+##
+## new_session: True if this is the first command of the Rsh session.
+##
+## .. bro:see:: rsh_reply login_confused login_confused_text login_display
+##    login_failure login_input_line login_output_line login_prompt login_success
+##    login_terminal
+##
+## .. note: For historical reasons, these events are separate from the ``login_``
+##    events. Ideally, they would all be handled uniquely.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
+
+## Generated for client side commands on an RSH connection.
+##
+## See `RFC 1258 <http://tools.ietf.org/html/rfc1258>`__ for more information about
+## the Rlogin/Rsh protocol.
+##
+## c: The connection.
+##
+## client_user: The client-side user name as sent in the initial protocol
+##       handshake.
+##
+## client_user: The server-side user name as sent in the initial protocol
+##       handshake.
+##
+## line: The command line sent in the request.
+##
+## new_session: True if this is the first command of the Rsh session.
+##
+## .. bro:see:: rsh_request login_confused login_confused_text login_display
+##    login_failure login_input_line login_output_line login_prompt login_success
+##    login_terminal
+##
+## .. note: For historical reasons, these events are separate from the ``login_``
+##    events. Ideally, they would all be handled uniquely.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
+
+## Generated for client-side FTP commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for more
+## information about the FTP protocol.
+##
+## c: The connection.
+##
+## command: The FTP command issued by the client (without any arguments).
+##
+## arg: The arguments going with the command.
+##
+## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
+##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
 event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
+
+## Generated for server-side FTP replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for more
+## information about the FTP protocol.
+##
+## c: The connection.
+##
+## code: The numerical response code the server responded with.
+##
+## msg:  The textual message of the response.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next line.
+##       If so, further events will be raised and a handler may want to reassemle the
+##       pieces before processing the response any further.
+##
+## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
+##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
 event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp";
 
+## Generated for client-side SMTP commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the command is the originator of the TCP
+##       connection. Note that this is not redundant: the SMTP ``TURN`` command allows
+##       client and server to flip roles on established SMTP sessions, and hence a
+##       "request" might still come from the TCP-level responder. In practice, however,
+##       that will rarely happen as TURN is considered insecure and rarely used.
+##
+## command: The request's command, without any arguments.
+##
+## arg: The request command's arguments.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+##    smtp_data smtp_reply
+##
+## .. note:: Bro does not support the newer ETRN extension yet.
 event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp";
+
+## Generated for server-side SMTP commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the command is the originator of the TCP
+##       connection. Note that this is not redundant: the SMTP ``TURN`` command
+##       allows client and server to flip roles on established SMTP sessions,
+##       and hence a "reply" might still come from the TCP-level originator. In
+##       practice, however, that will rarely happen as TURN is considered insecure
+##       and rarely used.
+##
+## code: The reply's numerical code.
+##
+## msg: The reply's textual description.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next line.
+##       If so, further events will be raised and a handler may want to reassemle the
+##       pieces before processing the response any further.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+##    smtp_data  smtp_request
+##
+## .. note:: Bro doesn't support the newer ETRN extension yet.
 event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp";
+
+## Generated for DATA transmitted on SMTP sessions. This event is raised for
+## subsequent chunks of raw data following the ``DATA`` SMTP command until the
+## corresponding end marker ``.`` is seen. A handler may want to reassembly
+## the pieces as they come in if stream-analysis is required.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the data is the originator of the TCP
+##       connection.
+##
+## data: The raw data. Note that the size of each chunk is undefined and
+##       depends on specifics of the underlying TCP connection.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+##    smtp_reply smtp_request skip_smtp_data
+##
+## .. note:: This event received the unprocessed raw data. There is a separate
+##    set ``mime_*`` events that strip out the outer MIME-layer of emails and provide
+##    structured access to their content.
 event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
+
+## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the
+## state of SMTP sessions and reports commands and other activity with this event
+## that it sees even though it would not expect so at the current point of the
+## communication.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the unexpected activity is the originator of the
+##       TCP connection.
+##
+## msg: A descriptive message of what was unexpected.
+##
+## detail: The actual SMTP line triggering the event.
+##
+## .. bro:see:: smtp_data  smtp_request smtp_reply
 event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp";
 
+## Generated  when starting to parse a email MIME entity. MIME is a
+## protocol-independent data format for encoding text and files, along with
+## corresponding meta-data, for transmission. Bro raises this event when it begin
+## parsing a MIME entity extracted from an email protocol.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: mime_all_data mime_all_headers  mime_content_hash mime_end_entity
+##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+##    http_begin_entity
+##
+## .. note:: Bro also extracts MIME entities from HTTP session. For those, however,
+##    it raises :bro:id:`http_begin_entity` instead.
 event mime_begin_entity%(c: connection%);
-event mime_next_entity%(c: connection%);
+
+## Generated  when finishing parsing an email MIME entity.  MIME is a
+## protocol-independent data format for encoding text and files, along with
+## corresponding meta-data, for transmission. Bro raises this event when it
+## finished parsing a MIME entity extracted from an email protocol.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+##    http_end_entity
+##
+## .. note:: Bro also extracts MIME entities from HTTP session. For those, however,
+##    it raises :bro:id:`http_end_entity` instead.
 event mime_end_entity%(c: connection%);
+
+## Generated for individual MIME headers extracted from email MIME
+## entities.  MIME is a protocol-independent data format for encoding text and
+## files, along with corresponding meta-data, for transmission.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## h: The parsed MIME header.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data mime_event  mime_segment_data
+##    http_header  http_all_headers
+##
+## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
+##    it raises :bro:id:`http_header` instead.
 event mime_one_header%(c: connection, h: mime_header_rec%);
+
+## Generated for MIME headers extracted from email MIME entities, passing all
+## headers at once.  MIME is a protocol-independent data format for encoding text
+## and files, along with corresponding meta-data, for transmission.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## hlist: A *table* containing all headers extracted from the current entity.
+##        The table is indexed by the position of the header (1 for the first, 2 for the
+##        second, etc.).
+##
+## .. bro:see:: mime_all_data  mime_begin_entity mime_content_hash mime_end_entity
+##    mime_entity_data mime_event mime_one_header mime_segment_data
+##    http_header  http_all_headers
+##
+## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
+##    it raises :bro:id:`http_header` instead.
 event mime_all_headers%(c: connection, hlist: mime_header_list%);
+
+## Generated for chunks of decoded MIME  data from email MIME entities.   MIME
+## is a protocol-independent data format for encoding text and files, along with
+## corresponding meta-data, for transmission. As Bro parses the data of an entity,
+## it raises a sequence of these events, each coming as soon as a new chunk of
+## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which
+## passes all of an entities data at once in a single block. While the latter is
+## more convinient to handle, ``mime_segment_data`` is more efficient as Bro does
+## not need to buffer the data. Thus, if possible, this event should be prefered.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## length: The length of *data*.
+##
+## data: The raw data of one segment of the current entity.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
+##    mime_segment_length mime_segment_overlap_length
+##
+## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it
+##    raises :bro:id:`http_entity_data` (sic!) instead.
 event mime_segment_data%(c: connection, length: count, data: string%);
+
+## Generated for data decoded from an email MIME entity. This event delivers
+## the complete content of a single MIME entity. In contrast, there is also
+## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as
+## they. come in. While ``mime_entity_data`` is more convinient to handle,
+## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data.
+## Thus, if possible, the latter should be prefered.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## length: The length of *data*.
+##
+## data: The raw data of the complete entity.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity  mime_event mime_one_header mime_segment_data
+##
+## .. note:: While Bro also decodes MIME entities extracted from HTTP
+##    sessions, there's no corresponding event for that currently.
 event mime_entity_data%(c: connection, length: count, data: string%);
+
+## Generated for passing on all data decoded from an single email MIME
+## message. If an email message has more than one MIME entity, this event
+## combines all their data into a single value for analysis. Note that because
+## of the potentially significant buffering necessary, using this event can be
+## expensive.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## length: The length of *data*.
+##
+## data: The raw data of all MIME entities concatenated.
+##
+## .. bro:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
+##    mime_entity_data mime_event mime_one_header mime_segment_data
+##
+## .. note:: While Bro also decodes MIME entities extracted from HTTP
+##    sessions, there's no corresponding event for that currently.
 event mime_all_data%(c: connection, length: count, data: string%);
+
+## Generated for errors  found when decoding email MIME entities.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## event_type: A string describing the general category of the problem found (e.g.,
+##       ``illegal format``).
+##
+## detail: Further more detailed description of the error.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+##    mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
+##
+## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
+##    it raises :bro:id:`http_event` instead.
 event mime_event%(c: connection, event_type: string, detail: string%);
+
+## Generated for decoded MIME entities extracted from email meessage, passing on
+## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
+## each MIME entity.
+##
+## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
+## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the ARP
+## protocol.
+##
+## c: The connection.
+##
+## content_len: The length of entity being hashed.
+##
+## hash_value: The MD5 hash.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
+##    mime_entity_data mime_event mime_one_header mime_segment_data
+##
+## .. note:: While Bro also decodes MIME entities extracted from HTTP
+##    sessions, there's no corresponding event for that currently.
 event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
 
-event rpc_call%(c: connection, prog: count, ver: count, proc: count, status: count, start_time: time, call_len: count, reply_len: count%);
+## Generated for RPC request/reply *pairs*. The RPC analyzer associates request
+## and reply by their transactions identifiers and raise this event once both
+## have been seen. If there's not reply, the will still be generated eventually
+## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+## about the ONC RPC protocol.
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## start_time: Then time when the *call* was seen.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## reply_len: The size of the *reply_body* PDU.
+##
+## .. bro:see:: rpc_call  rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
 
+## Generated for RPC *call* messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## .. bro:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
+
+## Generated for RPC *reply* messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## reply_len: The size of the *reply_body* PDU.
+##
+## .. bro:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
+
+## Generated for Portmapper requests of type *null*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
+##
+## r: The RPC connection.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_getport  pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_null%(r: connection%);
+
+## Generated for Portmapper request/reply dialogues of type *set*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
+##
+## r: The RPC connection.
+##
+## m: The argument to the request.
+##
+## success: True if the request was successful, according to the corresponding
+##          reply. If no reply was seen, this will be false once the request times out.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
+
+## Generated for Portmapper request/reply dialogues of type *unset*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
+##
+## r: The RPC connection.
+##
+## m: The argument to the request.
+##
+## success: True if the request was successful, according to the corresponding
+##          reply. If no reply was seen, this will be false once the request times out.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
+
+## Generated for Portmapper request/reply dialogues of type *getport*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
+##
+## r: The RPC connection.
+##
+## pr: The argument to the request.
+##
+## p: The port returned by the server.
+##
+## success: True if the request was successful, according to the corresponding
+##          reply. If no reply was seen, this will be false once the request times out.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump  pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
+
+## Generated for Portmapper request/reply dialogues of type *dump*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
+##
+## r: The RPC connection.
+##
+## m: The mappings returned by the server.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_dump%(r: connection, m: pm_mappings%);
+
+## Generated for Portmapper request/reply dialogues of type *callit*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## m: The argument to the request.
+##
+## p: The port value returned by the call.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
+
+## Generated for failed Portmapper requests of type *null*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_null%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *set*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null  pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *unset*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set  pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *getport*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## pr: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null
+##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
+
+## Generated for failed Portmapper requests of type *dump*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit  pm_attempt_getport pm_attempt_null
+##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_dump%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *callit*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+##         :bro:id:`RPC_status`.
+##
+## call: The argument to the original request.
+##
+## .. bro:see:: epm_map_response  pm_attempt_dump pm_attempt_getport pm_attempt_null
+##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
+
+## Generated for Portmapper requests or replies that include an invalid port
+## number. Since ports are represented by unsigned 4-byte integers, they can stray
+## outside the allowed range of 0--65535 by being >= 65536. If so, this event is
+## generated.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## bad_p: The invalid port value.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+##    pm_attempt_null pm_attempt_set pm_attempt_unset  pm_request_callit
+##    pm_request_dump pm_request_getport pm_request_null pm_request_set
+##    pm_request_unset rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pm_bad_port%(r: connection, bad_p: count%);
 
-event nfs_request_null%(n: connection%);
-event nfs_request_getattr%(n: connection, fh: string, attrs: nfs3_attrs%);
-event nfs_request_lookup%(n: connection, req: nfs3_lookup_args, rep: nfs3_lookup_reply%);
-event nfs_request_fsstat%(n: connection, root_fh: string, stat: nfs3_fsstat%);
-event nfs_attempt_null%(n: connection, status: count%);
-event nfs_attempt_getattr%(n: connection, status: count, fh: string%);
-event nfs_attempt_lookup%(n: connection, status: count, req: nfs3_lookup_args%);
-event nfs_attempt_fsstat%(n: connection, status: count, root_fh: string%);
-event nfs_reply_status%(n: connection, status: count%);
+## Generated for NFSv3 request/reply dialogues of type *null*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented  nfs_proc_read nfs_proc_readdir nfs_proc_readlink
+##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
+## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## attr: The attributes returned in the reply. The values may not be valid if the
+##       request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+##    rpc_call rpc_dialogue rpc_reply file_mode
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## req:  The arguments passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr  nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+##    rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *read*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## req:  The arguments passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
+##    nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+##    NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *write*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir  nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
+##    NFS3::return_data_max
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *create*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see::  nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+##    rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+##    rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *remove*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
+## generated once we have either seen both the request and its corresponding reply,
+## or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## fh: The file handle passed in the request.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
+##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
+
+## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer
+## does not implement.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## proc: The procedure called that Bro does not implement.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+##    nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
+
+## Generated for each NFS3 reply message received, reporting just the
+## status included.
+##
+## info: Reports the status included in the reply.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
+##    rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event nfs_reply_status%(n: connection, info: NFS3::info_t%);
+
+## Generated for all NTP messages. Different from many other of Bro's events, this
+## one is generated for both client-side and server-side messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocoll>`__ for more
+## information about the NTP protocol.
+##
+## u: The connection record describing the corresponding UDP flow.
+##
+## msg: The parsed NTP message.
+##
+## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
+##         further parse any optional fields.
+##
+## .. bro:see:: ntp_session_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 
+## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes
+## the NetBIOS session service running on TCP port 139, and (despite its name!) the
+## NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## is_orig:  True if the message was sent by the originator of the connection.
+##
+## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002
+##       <http://tools.ietf.org/html/rfc1002>`__.
+##
+## data_len: The length of the message's payload.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+##    netbios_session_raw_message netbios_session_rejected netbios_session_request
+##    netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
+
+## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite its
+## name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+##      header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+##    netbios_session_message netbios_session_raw_message netbios_session_rejected
+##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *positive session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
+## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+##      header.
+##
+## .. bro:see::  netbios_session_keepalive netbios_session_message
+##    netbios_session_raw_message netbios_session_rejected netbios_session_request
+##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *negative session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
+## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+##      header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+##    netbios_session_message netbios_session_raw_message netbios_session_request
+##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
+
+## Generated for NetBIOS message of type *session message* that are not carrying
+## SMB payload.
+##
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
+## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+##      header (i.e., the ``user_data``).
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+##    netbios_session_message netbios_session_rejected netbios_session_request
+##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: This is an oddly named event. In fact, it's probably an odd event to
+##    have to begin with.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+##    netbios_session_message netbios_session_raw_message netbios_session_rejected
+##    netbios_session_request decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo: This is an oddly named event.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite its
+## name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be a TCP or UDP, depending on the type of the
+##    NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_message
+##    netbios_session_raw_message netbios_session_rejected netbios_session_request
+##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
+##    anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 
+## Generated for all SMB/CIFS messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## is_orig: True if the message was sent by the originator of the underlying
+##       transport-level connection.
+##
+## cmd: A string mmenonic of the SMB command code.
+##
+## body_length: The length of the SMB message body, i.e. the data starting after
+##         the SMB header.
+##
+## body: The raw SMB message body, i.e., the data starting after the SMB header.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+##    smb_get_dfs_referral
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
+
+## Generated for SMB/CIFS messages of type *tree connect andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## path: The ``path`` attribute  specified in the message.
+##
+## service: The ``service`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
+
+## Generated for SMB/CIFS messages of type *tree disconnect*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## path: The ``path`` attribute  specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx  smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *nt create andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## name: The ``name`` attribute  specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
+##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
+
+## Generated for SMB/CIFS messages of type *nt transaction*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+##    smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *nt transaction 2*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+##    smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction mailslot*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction rap*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe  smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+##    smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction pipe*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx smb_com_tree_disconnect  smb_error
+##    smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *get dfs referral*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## max_referral_level: The ``max_referral_level`` attribute specified in the
+##                     message.
+##
+## file_name: The ``filene_name`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
+
+## Generated for SMB/CIFS messages of type *negotiate*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+##    smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *negotiate response*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## dialect_index: The ``dialect`` indicated in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate  smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+##    smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
+
+## Generated for SMB/CIFS messages of type *setup andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx  smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *generic andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close  smb_com_logoff_andx smb_com_negotiate
+##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *close*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see::  smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
+##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_close%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *logoff andx*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
+## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
+## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
+##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+##    smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages that indicate an error. This event is triggered
+## by an SMB header including a status that signals an error.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## cmd: The SMB command code.
+##
+## cmd_str: A string mmenonic of the SMB command code.
+##
+## body: The raw SMB message body, i.e., the data starting after the SMB header.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
+##    smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
 
+## Generated for all DNS messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## is_orig:  True if the message was sent by the originator of the connection.
+##
+## msg: The parsed DNS message header.
+##
+## len: The length of the message's raw representation (i.e, the DNS payload).
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
+##    dns_request non_dns_request  dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";
+
+## Generated for DNS requests. For requests with multiple queries, this event
+## is raised once for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
-event dns_full_request%(%) &group="dns";
+
+## Generated for DNS replies that reject a query. This event is raised if a DNS
+## reply either indicates failure via its status code or does not pass on any
+## answers to a query. Note that all of the event's paramaters are parsed out of
+## the reply; there's no stateful correlation with the query.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
-event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
-event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";
-event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
-event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
-event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
-event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
-event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
-event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
-event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
-event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
-event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
-event dns_EDNS%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
-event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
-event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
-
-# Generated at the end of processing a DNS packet.
-event dns_end%(c: connection, msg: dns_msg%) &group="dns";
 
+## Generated for DNS replies with an *ok* status code but no question section.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
+##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 			qtype: count, qclass: count%) &group="dns";
 
-# Generated when a port 53 UDP message cannot be parsed as a DNS request.
+## Generated when the DNS analyzer processes what seems to be a non-DNS packets.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The raw DNS payload.
+##
+## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+##    detection framework.
 event non_dns_request%(c: connection, msg: string%) &group="dns";
 
+## Generated for DNS replies of type *A*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## a: The address returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply  dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
+##    dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+##
+## .. note: This event is currently also raised for ``AAAA`` records. In that
+##    case, the address *a* will correspond to the lower-order 4 bytes of the
+##    IPv6 address. This will go away once IPv6 support is improved.
+##
+## .. todo: IPv6 handling is obviously very broken here ...
+event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
+
+## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## a: The address returned by the reply.
+##
+## .. bro:see::  dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+##
+## .. todo: Raising this event is not implemented currently, not even when
+##    Bro's compiled IPv6 support. ``AAAA`` are currently always turned into
+##    :bro:id:`dns_A_reply` events.
+event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";
+
+## Generated for DNS replies of type *NS*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+
+## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+
+## Generated for DNS replies of type *PTR*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+
+## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## soa: The parsed SOA value
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
+
+## Generated for DNS replies of type *WKS*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply  dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+
+## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+
+## Generated for DNS replies of type *MX*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## preference: The preference for *name* specificed by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
+
+## Generated for DNS replies of type *TXT*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## str: The textual information returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
+
+## Generated for DNS replies of type *SRV*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+
+## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed EDNS reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
+
+## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed TSIG reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply  dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
+
+## Generated at the end of processing a DNS packet. This event is the last
+## ``dns_*`` event that will be raised for a DNS query/reply and signals that
+## all resource records have been passed on.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_end%(c: connection, msg: dns_msg%) &group="dns";
+
+## Generated for DHCP messages of type *discover*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## req_addr: The specific address requested by the client.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
+
+## Generated for DHCP messages of type *offer*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## mask: The subnet mask specified by the mesage.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specificed by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+
+## Generated for DHCP messages of type *request*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## req_addr: The client address specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
+
+## Generated for DHCP messages of type *decline*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_decline%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *acknowledgment*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## mask: The subnet mask specified by the mesage.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specificed by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+
+## Generated for DHCP messages of type *negative acknowledgment*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_nak%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *release*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_release%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *inform*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
+## information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow..
+##
+## msg: The parsed type-indepedent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note: Bro does not support broadcast packets (as used by the DHCP protocol).
+##    It treats broadcast addresses just like any other and associates packets into
+##    transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dhcp_inform%(c: connection, msg: dhcp_msg%);
 
+## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions
+## and raises corresponding events as it parses client/server dialogues. This event
+## is generated as soon as a request's initial line has been parsed, and before any
+## :bro:id:`http_header` events are raised.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
+##
+## original_URI: The unprocessed URI as specified in the request.
+##
+## unescaped_URI: The URI with all percent-encodings decoded.
+##
+## version: The version number specified in the request (e.g., ``1.1``).
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data http_event http_header http_message_done http_reply http_stats
+##    truncate_http_URI
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";
+
+## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions
+## and raises corresponding events as it parses client/server dialogues. This event
+## is generated as soon as a reply's initial line has been parsed, and before any
+## :bro:id:`http_header` events are raised.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## version: The version number specified in the reply (e.g., ``1.1``).
+##
+## code: The numerical response code returned by the server.
+##
+## reason: The textual description returned by the server along with *code*.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data http_event http_header http_message_done http_request
+##    http_stats
 event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";
+
+## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions
+## and raises corresponding events as it parses client/server dialogues.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the header was sent by the originator of the TCP connection.
+##
+## name: The name of the header.
+##
+## value: The value of the header.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data http_event  http_message_done http_reply http_request
+##    http_stats
+##
+## .. note:: This event is also raised for headers found in nested body entities.
 event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header";
+
+## Generated for HTTP headers, passing on all headers of an HTTP message at once.
+## Bro supports persistent and pipelined HTTP sessions and raises corresponding
+## events as it parses client/server dialogues.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the header was sent by the originator of the TCP connection.
+##
+## hlist: A *table* containing all headers extracted from the current entity.
+##        The table is indexed by the position of the header (1 for the first, 2 for the
+##        second, etc.).
+##
+## .. bro:see::  http_begin_entity http_content_type http_end_entity http_entity_data
+##    http_event http_header http_message_done http_reply http_request http_stats
+##
+## .. note:: This event is also raised for headers found in nested body entities.
 event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header";
+
+## Generated  when starting to parse an HTTP body entity. This event is generated
+## at least once for each non-empty (client or server) HTTP body; and potentially
+## more than once if the body contains further nested MIME entities. Bro raises
+## this event just before it starts parsing each entity's content.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the entity was  was sent by the originator of the TCP
+##          connection.
+##
+## .. bro:see:: http_all_headers  http_content_type http_end_entity http_entity_data
+##    http_event http_header http_message_done http_reply http_request http_stats
+##    mime_begin_entity
 event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
+
+## Generated  when finishing parsing an HTTP body entity. This event is generated
+## at least once for each non-empty (client or server) HTTP body; and potentially
+## more than once if the body contains further nested MIME entities. Bro raises
+## this event at the point when it has finished parsing an entity's content.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the entity was  was sent by the originator of the TCP
+##          connection.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
+##    http_event http_header http_message_done http_reply http_request
+##    http_stats   mime_end_entity
 event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
-event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
+
+## Generated when parsing an HTTP body entity, passing on the data. This event
+## can potentially be raised many times for each entity, each time passing a
+## chunk of the data of not further defined size.
+##
+## A common idiom for using this event is to first *reassemble* the data
+## at the scripting layer by concatening it to a successvily growing
+## string; and only perform further content analysis once the corresponding
+## :bro:id:`http_end_entity`   event has been raised. Note, however, that doing so
+## can be quite expensive for HTTP tranders. At the very least, one should
+## impose an upper size limit on how much data is being buffered.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the entity was  was sent by the originator of the TCP
+##          connection.
+##
+## length: The length of *data*.
+##
+## data: One chunk of raw entity data.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_event http_header http_message_done http_reply http_request http_stats
+##    mime_entity_data http_entity_data_delivery_size skip_http_data
 event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";
+
+## Generated for reporting an HTTP bodie's content type.  This event is
+## generated at the end of parsing an HTTP header, passing on the MIME
+## type as specified by the ``Content-Type`` header. If that header is
+## missing, this event is still raised with a default value of ``text/plain``.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the entity was  was sent by the originator of the TCP
+##          connection.
+##
+## ty: The main type.
+##
+## subty: The subtype.
+##
+## .. bro:see:: http_all_headers http_begin_entity  http_end_entity http_entity_data
+##    http_event http_header http_message_done http_reply http_request http_stats
+##
+## .. note:: This event is also raised for headers found in nested body
+##    entities.
+event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
+
+## Generated once at the end of parsing an HTTP message. Bro supports persistent
+## and pipelined HTTP sessions and raises corresponding events as it parses
+## client/server dialogues. A "message" is one top-level HTTP entity, such as a
+## complete request or reply. Each message can have further nested sub-entities
+## inside. This event is raised once all sub-entities belonging to a top-level
+## message have been processed (and their corresponding ``http_entity_*`` events
+## generated).
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the entity was  was sent by the originator of the TCP
+##          connection.
+##
+## stat: Further meta information about the message.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data http_event http_header  http_reply http_request http_stats
 event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";
+
+## Generated for errors found when decoding HTTP requests or replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
+## more information about the HTTP protocol.
+##
+## c: The connection.
+##
+## event_type: A string describing the general category of the problem found (e.g.,
+##             ``illegal format``).
+##
+## detail: Further more detailed description of the error.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data  http_header http_message_done http_reply http_request
+##    http_stats mime_event
 event http_event%(c: connection, event_type: string, detail: string%);
+
+## Generated at the end of an HTTP session to report statistics about it. This
+## event is raised after all of an HTTP session's requests and replies have been
+## fully processed.
+##
+## c: The connection.
+##
+## stats: Statistics summarizing HTTP-level properties of the finished connection.
+##
+## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+##    http_entity_data http_event http_header http_message_done http_reply
+##    http_request
 event http_stats%(c: connection, stats: http_stats_rec%);
 
+## Generated when seeing an SSH client's version identification. The SSH protocol
+## starts with a clear-test handshake message that reports client and server
+## protocol/software versions. This event provides access to what the client
+## sent.
+##
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
+## information about the SSH protocol.
+##
+## c: The connection.
+##
+## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`).
+##
+## .. bro:see:: ssh_server_version
+##
+## .. note:: As everything after the initial version handshake proceeds encrypted,
+##    Bro cannot further analyze SSH sessions.
 event ssh_client_version%(c: connection, version: string%);
+
+## Generated when seeing an SSH server's version identification. The SSH protocol
+## starts with a clear-test handshake message that reports client and server
+## protocol/software versions. This event provides access to what the server
+## sent.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
+## information about the SSH protocol.
+##
+## c: The connection.
+##
+## version: The version string the server sent (e.g.,
+##          ``SSH-1.99-OpenSSH_3.9p1``).
+##
+## .. bro:see:: ssh_client_version
+##
+## .. note:: As everything coming after the initial version handshake proceeds
+##    encrypted, Bro cannot further analyze SSH sessions.
 event ssh_server_version%(c: connection, version: string%);
 
-event ssl_certificate_seen%(c: connection, is_server: bool%);
-event ssl_certificate%(c: connection, cert: X509, is_server: bool%);
-event ssl_conn_attempt%(c: connection, version: count, ciphers: cipher_suites_list%);
-event ssl_conn_server_reply%(c: connection, version: count, ciphers: cipher_suites_list%);
-event ssl_conn_established%(c: connection, version: count, cipher_suite: count%);
-event ssl_conn_reused%(c: connection, session_id: SSL_sessionID%);
-event ssl_conn_alert%(c: connection, version: count, level: count,
-			description: count%);
-event ssl_conn_weak%(name: string, c: connection%);
+## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
+## start with an unencrypted handshake, and Bro extracts as much information out
+## that it as it can. This event provides access to the initial information sent by
+## the client.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+## more information about the SSL/TLS protocol.
+##
+## c: The connection.
+##
+## version: The protocol version as extracted from the client's
+##          message.  The values are standardized as part of the SSL/TLS protocol. The
+##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
+##
+## possible_ts: The current time as sent by the client. Note that SSL/TLS does not
+##              require clocks to be set correctly, so treat with care.
+##
+## session_id: The session ID sent by the client (if any).
+##
+## ciphers: The list of ciphers the client offered to use. The values are
+##          standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table
+##          maps them to descriptive names.
+##
+## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_max_cipherspec_size
+event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
 
-event ssl_session_insertion%(c: connection, id: SSL_sessionID%);
-event process_X509_extensions%(c: connection, ex: X509_extension%);
-event ssl_X509_error%(c: connection, err: int, err_string: string%);
+## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions
+## start with an unencrypted handshake, and Bro extracts as much information out
+## of that as it can. This event provides access to the initial information sent by
+## the client.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+## more information about the SSL/TLS protocol.
+##
+## c: The connection.
+##
+## version: The protocol version as extracted from the servers's message.
+##          The values are standardized as part of the SSL/TLS protocol. The
+##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
+##
+## possible_ts: The current time as sent by the server. Note that SSL/TLS does not
+##              require clocks to be set correctly, so treat with care.
+##
+## session_id: The session ID as sent back by the server (if any).
+##
+## cipher: The cipher chosen by the server.  The values are standardized as part
+##         of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to
+##         descriptive names.
+##
+## comp_method: The compression method chosen by the client. The values are
+##              standardized as part of the SSL/TLS protocol.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_max_cipherspec_size
+event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
 
-event stp_create_endp%(c: connection, e: int, is_orig: bool%);
-event stp_resume_endp%(e: int%);
-event stp_correlate_pair%(e1: int, e2: int%);
-event stp_remove_pair%(e1: int, e2: int%);
-event stp_remove_endp%(e: int%);
+## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS sessions
+## start with an unencrypted handshake, and Bro extracts as much information out of
+## that as it can. This event provides access to any extensions either side sents
+## as part of extended *hello* message.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## code: The numerical code of the extension.  The values are standardized as
+##       part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to
+##       descriptive names.
+##
+## val: The raw extension value that was sent in the message.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
+## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
+## an  unencrypted handshake, and Bro extracts as much information out of that as
+## it can. This event signals the time when an SSL/TLS has finished the handshake
+## and its endpoints consider it as fully established. Typically, everything from
+## now on will be encrypted.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+## more information about the SSL/TLS protocol.
+##
+## c: The connection.
+##
+## .. bro:see:: ssl_alert ssl_client_hello  ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+event ssl_established%(c: connection%);
+
+## Generated for SSL/TLS alert records. SSL/TLS sessions start with an  unencrypted
+## handshake, and Bro extracts as much information out of that as it can. If during
+## that handshake, an endpoint encounteres a fatal error, it sends an *alert*
+## record, that it turns triggers this event. After an *alert*, any endpoint
+## may close the connection immediately.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+## more information about the SSL/TLS protocol.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## level: The severity level, as sent in the *alert*. The values are defined as
+##        part of the SSL/TLS protocol.
+##
+## desc: A numerical value identifying the cause of the *alert*. The values are
+##       defined as part of the SSL/TLS protocol.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
+
+## Generated for SSL/TLS handshake messages that are a part of the stateless-server
+## session resumption mechanism. SSL/TLS sessions start with an unencrypted
+## handshake, and Bro extracts as much information out of that as it can. This
+## event is raised when an SSL/TLS server passes session ticket to the client that
+## can later be used for resuming the session. The mechanism is described in
+## :rfc:`4507`
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+## more information about the SSL/TLS protocol.
+##
+## c: The connection.
+##
+## ticket_lifetime_hint: A hint from the server about how long the ticket
+##                       should be stored by the client.
+##
+## ticket: The raw ticket data.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    x509_certificate x509_error x509_extension ssl_alert
+event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
+
+## Generated for x509 certificates seen in SSL/TLS connections. During the initial
+## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this
+## event for each certificate seen (including both a site's primary cert, and
+## further certs sent as part of the validation chain).
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
+## the X.509 format.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## cert: The parsed certificate.
+##
+## chain_idx: The index in the validation chain that this cert has. Index zero
+##            indicates an endpoints primary cert, while higher indices
+##            indicate the place in the validation chain (which has length
+##            *chain_len*).
+##
+## chain_len: The total length of the validation chain that this cert is part
+##            of.
+##
+## der_cert: The complete cert encoded in `DER
+##           <http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules>`__ format.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+##    ssl_server_hello  x509_error x509_extension x509_verify
+event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);
+
+## Generated for X.509 extensions seen in a certificate.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
+## the X.509 format.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## data: The raw data associated with the extension.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+##    ssl_server_hello x509_certificate x509_error  x509_verify
+event x509_extension%(c: connection, is_orig: bool, data: string%);
+
+## Generated when errors occur during parsing an X.509 certificate.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
+## the X.509 format.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps
+##      error codes to a textual description.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+##    ssl_server_hello x509_certificate  x509_extension x509_err2str x509_verify
+event x509_error%(c: connection, is_orig: bool, err: count%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply  dce_rpc_message dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dce_rpc_bind%(c: connection, uuid: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dce_rpc_request%(c: connection, opnum: count, stub: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_request  rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event dce_rpc_response%(c: connection, opnum: count, stub: string%);
 
-# DCE/RPC endpoint mapper events.
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_request dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
 
-# "length" is the length of body (not including the frame header)
+## Generated for NCP requests (Netware Core Protocol).
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for more
+## information about the NCP protocol.
+##
+## c: The connection.
+##
+## frame_type: The frame type, as specified by the protocol.
+##
+## length: The length of the request body, excluding the frame header,
+##
+## func: The requested function, as  specified by the protocol.
+##
+## .. bro:see:: ncp_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
+
+## Generated for NCP replies (Netware Core Protocol).
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for more
+## information about the NCP protocol.
+##
+## c: The connection.
+##
+## frame_type: The frame type, as specified by the protocol.
+##
+## length: The length of the request body, excluding the frame header,
+##
+## req_frame: The frame type from the corresponding request.
+##
+## req_frame: The function code from the corresponding request.
+##
+## completion_code: The replie's completion code, as specified by the protocol.
+##
+## .. bro:see:: ncp_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
 
-event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
-event interconn_remove_conn%(c: connection%);
-
-event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
-event backdoor_remove_conn%(c: connection%);
-event ssh_signature_found%(c: connection, is_orig: bool%);
-event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
-event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
-event root_backdoor_signature_found%(c: connection%);
-event ftp_signature_found%(c: connection%);
-event napster_signature_found%(c: connection%);
-event gnutella_signature_found%(c: connection%);
-event kazaa_signature_found%(c: connection%);
-event http_signature_found%(c: connection%);
-event http_proxy_signature_found%(c: connection%);
-event smtp_signature_found%(c: connection%);
-event irc_signature_found%(c: connection%);
-event gaobot_signature_found%(c: connection%);
-
+## Generated for client-side commands on POP3 connections.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP connection.
+##
+## command: The command sent.
+##
+## arg: The argument to the command.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+##    pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_request%(c: connection, is_orig: bool,
 			command: string, arg: string%);
+
+## Generated for server-side replies to commands on POP3 connections.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP connection.
+##
+## cmd: The success indicator sent by the server. This corresponds to the
+##      first token on the line sent, and should be either ``OK`` or ``ERR``.
+##
+## msg: The textual description the server sent along with *cmd*.
+##
+## arg: The argument to the command.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success  pop3_request
+##    pop3_terminate pop3_unexpected
+##
+## .. todo: This event is receiving odd parameters, should unify.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
+
+## Generated for server-side multi-lines responses on POP3 connections. POP3
+## connection use multi-line responses to send buld data, such as the actual
+## mails. This event is generated once for each line that's part of such a
+## response.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## data: The data sent.
+##
+## .. bro:see::  pop3_login_failure pop3_login_success pop3_reply pop3_request
+##    pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_data%(c: connection, is_orig: bool, data: string%);
+
+## Generated for errors encountered on POP3 sessions. If the POP3 analyzers finds
+## state transition that do not confirm to the protocol specification, or other
+## situations it can't handle, it raises this event.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## msg: A textual description of the situation.
+##
+## detail: The input that triggered the event.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+##    pop3_terminate
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_unexpected%(c: connection, is_orig: bool,
 			msg: string, detail: string%);
+
+## Generated when POP3 connection go encrypted. While POP3 is by default a
+## clear-text protocol, extensions exist to switch to encryption. This event is
+## generated if that happens and the analyzers then stops processing the
+## connection.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## msg: A descriptive message why processing was stopped.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+##    pop3_unexpected
+##
+## .. note:: Currently, only the ``STARTLS`` command is recognized and
+##    triggers this.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for successful authentications on POP3 connections.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## user: The user name used for authentication. The event is only generated if
+##       a non-empty user name was used.
+##
+## password: The password used for authentication.
+##
+## .. bro:see:: pop3_data pop3_login_failure  pop3_reply pop3_request pop3_terminate
+##    pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_login_success%(c: connection, is_orig: bool,
 				user: string, password: string%);
+
+## Generated for unsuccessful authentications on POP3 connections.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
+## the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## user: The user name attempted for authentication. The event is only generated if
+##       a non-empty user name was used.
+##
+## password: The password attempted for authentication.
+##
+## .. bro:see:: pop3_data  pop3_login_success pop3_reply pop3_request pop3_terminate
+##    pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event pop3_login_failure%(c: connection, is_orig: bool,
 				user: string, password: string%);
 
-event irc_client%(c: connection, prefix: string, data: string%);
-event irc_server%(c: connection, prefix: string, data: string%);
-event irc_request%(c: connection, prefix: string,
+
+## Generated for all client-side IRC commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: Always true.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## command: The command.
+##
+## arguments: The arguments for the command.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+##
+## .. note:: This event is generated only for message that originate at the
+##    clients-side. Commands coming in from remote trigger the ge:bro:id:`irc_message`
+##    event instead.
+event irc_request%(c: connection, is_orig: bool, prefix: string,
 			command: string, arguments: string%);
-event irc_reply%(c: connection, prefix: string,
+
+## Generated for all IRC replies. IRC replies are sent in response to a
+## request and come with a reply code.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## prefix: The optional prefix comming with the reply. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## code: The reply code, as specified by the protocol.
+##
+## params: The reply's parameters.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_reply%(c: connection, is_orig: bool, prefix: string,
 			code: count, params: string%);
-event irc_message%(c: connection, prefix: string,
+
+## Generated for IRC commands forwarded from the server to the client.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## command: The command.
+##
+## arguments: The arguments for the command.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message  irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+##
+## .. note::
+##
+##    This event is generated only for messages that are forwarded by the server
+##    to the client. Commands coming from client trigger the :bro:id:`irc_request`
+##    event instead.
+event irc_message%(c: connection, is_orig: bool, prefix: string,
 			command: string, message: string%);
-event irc_enter_message%(c: connection, nick: string, real_name: string%);
-event irc_quit_message%(c: connection, nick: string, message: string%);
-event irc_privmsg_message%(c: connection, source: string,
+
+## Generated for IRC messages of type *quit*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## nick: The nick name coming with the message.
+##
+## message: The text included with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
+
+## Generated for IRC messages of type *privmsg*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
-event irc_notice_message%(c: connection, source: string,
+
+## Generated for IRC messages of type *notice*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message  irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_notice_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
-event irc_squery_message%(c: connection, source: string,
+
+## Generated for IRC messages of type *squery*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_squery_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
-event irc_join_message%(c: connection, info_list: irc_join_list%);
-event irc_part_message%(c: connection, nick: string,
+
+## Generated for IRC messages of type *join*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## info_list: The user information coming with the command.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
+
+## Generated for IRC messages of type *part*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## nick: The nickname coming with the message.
+##
+## chans: The set of channels affected.
+##
+## message: The text coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_password_message
+event irc_part_message%(c: connection, is_orig: bool, nick: string,
 				chans: string_set, message: string%);
-event irc_nick_message%(c: connection, who: string, newnick: string%);
-event irc_invalid_nick%(c: connection%);
-event irc_network_info%(c: connection, users: count,
+
+## Generated for IRC messages of type *nick*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## who: The user changing its nickname.
+##
+## newnick: The new nickname.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
+
+## Generated when a server rejects an IRC nickname.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users  irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_invalid_nick%(c: connection, is_orig: bool%);
+
+## Generated for an IRC reply of type *luserclient*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_network_info%(c: connection, is_orig: bool, users: count,
 				services: count, servers: count%);
-event irc_server_info%(c: connection, users: count,
+
+## Generated for an IRC reply of type *luserme*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_server_info%(c: connection, is_orig: bool, users: count,
 				services: count, servers: count%);
-event irc_channel_info%(c: connection, chans: count%);
-event irc_who_line%(c: connection, target_nick: string,
+
+## Generated for an IRC reply of type *luserchannels*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## chans: The number of channels as returned in the reply.
+##
+## .. bro:see::  irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
+
+## Generated for an IRC reply of type *whoreply*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## target_nick: The target nick name.
+##
+## channel: The channel.
+##
+## user: The user.
+##
+## host: The host.
+##
+## server: The server.
+##
+## nick: The nick name.
+##
+## params: The parameters.
+##
+## hops: The hop count.
+##
+## real_name: The real name.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
 				channel: string, user: string, host: string,
 				server: string, nick: string, params: string,
 				hops: count, real_name: string%);
-event irc_who_message%(c: connection, mask: string, oper: bool%);
-event irc_whois_message%(c: connection, server: string, users: string%);
-event irc_whois_user_line%(c: connection, nick: string,
-				user: string, host: string, real_name: string%);
-event irc_whois_operator_line%(c: connection, nick: string%);
-event irc_whois_channel_line%(c: connection, nick: string,
-				chans: string_set%);
-event irc_oper_message%(c: connection, user: string, password: string%);
-event irc_oper_response%(c: connection, got_oper: bool%);
-event irc_kick_message%(c: connection, prefix: string,
-			chans: string, users: string, comment: string%);
-event irc_error_message%(c: connection, prefix: string, message: string%);
-event irc_invite_message%(c: connection, prefix: string,
-				nickname: string, channel: string%);
-event irc_mode_message%(c: connection, prefix: string, params: string%);
-event irc_squit_message%(c: connection, prefix: string,
-				server: string, message: string%);
-event irc_names_info%(c: connection, c_type: string,
+
+
+## Generated for an IRC reply of type *namereply*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## c_type: The channel type.
+##
+## channel: The channel.
+##
+## users: The set of users.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message  irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_names_info%(c: connection, is_orig: bool, c_type: string,
 				channel: string, users: string_set%);
-event irc_dcc_message%(c: connection, prefix: string, target: string,
+
+## Generated for an IRC reply of type *whoisoperator*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## nick: The nick name specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
+
+## Generated for an IRC reply of type *whoischannels*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## nick: The nick name specified in the reply.
+##
+## chans: The set of channels returned.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
+				chans: string_set%);
+
+## Generated for an IRC reply of type *whoisuser*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## nick: The nick name specified in the reply.
+##
+## user: The user name specified in the reply.
+##
+## host: The host name specified in the reply.
+##
+## user: The user name specified in the reply.
+##
+## real_name: The real name specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
+				user: string, host: string, real_name: string%);
+
+## Generated for IRC replies of type *youreoper* and *nooperhost*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## got_oper: True if the *oper* command was executed successfully
+##           (*youreport*) and false otherwise (*nooperhost*).
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_part_message
+##    irc_password_message
+event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
+
+## Generated for an IRC reply of type *globalusers*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## msg: The message coming with the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
+
+## Generated for an IRC reply of type *topic*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## channel: The channel name specified in the reply.
+##
+## topic: The topic specified in the reply.
+##
+## .. bro:see:: irc_channel_info  irc_dcc_message irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
+
+## Generated for IRC messages of type *who*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command what sent by the originator of the TCP connection.
+##
+## mask: The mask specified in the message.
+##
+## oper: True if the operator flag was set.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
+
+## Generated for IRC messages of type *whois*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+##
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
+
+## Generated for IRC messages of type *oper*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## user: The user specified in the message.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message  irc_oper_response irc_part_message
+##    irc_password_message
+event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
+
+## Generated for IRC messages of type *kick*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## chans: The channels specified in the message.
+##
+## users: The users specified in the message.
+##
+## comment: The comment specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
+			chans: string, users: string, comment: string%);
+
+## Generated for IRC messages of type *error*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## message: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
+
+## Generated for IRC messages of type *invite*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## nickname: The nick name specified in the message.
+##
+## channel: The channel specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick  irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
+				nickname: string, channel: string%);
+
+## Generated for IRC messages of type *mode*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## params: The parameters coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message  irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
+
+## Generated for IRC messages of type *squit*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## server: The server specified in the message.
+##
+## messate: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
+				server: string, message: string%);
+
+## Generated for IRC messages of type *dcc*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## target: The target specified in the message.
+##
+## dcc_type: The DCC type specified in the message.
+##
+## argument:  The argument specified in the message.
+##
+## address: The address specified in the message.
+##
+## dest_port: The destination port specified in the message.
+##
+## size: The size specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic  irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_dcc_message%(c: connection, is_orig: bool,
+				prefix: string, target: string,
 				dcc_type: string, argument: string,
 				address: addr, dest_port: count, size: count%);
-event irc_global_users%(c: connection, prefix: string, msg: string%);
-event irc_user_message%(c: connection, user: string, host: string, server: string, real_name: string%);
-event irc_channel_topic%(c: connection, channel: string, topic: string%);
-event irc_password_message%(c: connection, password: string%);
 
+## Generated for IRC messages of type *user*. This event is generated for messages
+## coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## user: The user specified in the message.
+##
+## host: The host name specified in the message.
+##
+## server: The server name specified in the message.
+##
+## real_name: The real name specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
+
+## Generated for IRC messages of type *password*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message
+event irc_password_message%(c: connection, is_orig: bool, password: string%);
+
+## TODO.
+##
+## .. bro:see::
 event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
-event file_virus%(c: connection, virname: string%);
 
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog
+##    will be added soon.
+event syslog_message%(c: connection, facility: count, severity: count, msg: string%);
+
+## Generated when a signature matches. Bro's signature engine provide
+## high-performance pattern matching separately from the normal script processing.
+## If a signature with an ``event`` action matches, this event is raised.
+##
+## See the :doc:`user manual </signatures>` for more information about Bro's
+## signature engine.
+##
+## state: Context about the match, including which signatures triggered the
+##        event and the connection for which the match was found.
+##
+## msg: The message passed to the ``event`` signature action.
+##
+## data; The last chunk of input that triggered the match. Note that the specifics
+## here are no well-defined as Bro does not buffer any input. If a match is split
+## across packet boundaries, only the last chunk triggering the will be passed on
+## to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
 
-# Generated if a handler finds an identification of the software
-# used on a system.
+## Generated when a protocol analyzer finds an identification of a software
+## used on a system. This is a protocol-independent event that is fed by
+## different analyzers. For example, the HTTP analyzer reports user-agent and
+## server software by raising this event, assuming it can parse it (if not,
+## :bro:id:`software_parse_error` will be generated instead).
+##
+## c: The connection.
+##
+## host: The host running the reported software.
+##
+## s: A description of the software found.
+##
+## descr: The raw (unparsed) software identification string as extracted from the
+##        protocol.
+##
+## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found
 event software_version_found%(c: connection, host: addr,
 				s: software, descr: string%);
 
-# Generated if a handler finds a version but cannot parse it.
+## Generated when a protocol analyzer finds an identification of a software used on
+## a system but cannot parse it. This is a protocol-independent event that is fed
+## by different analyzers. For example, the HTTP analyzer reports user-agent and
+## server software by raising this event if it cannot parse them directly (if canit
+## :bro:id:`software_version_found` will be generated instead).
+##
+## c: The connection.
+##
+## host: The host running the reported software.
+##
+## descr: The raw (unparsed) software identification string as extracted from the
+##        protocol.
+##
+## .. bro:see:: software_version_found software_unparsed_version_found
+##    OS_version_found
 event software_parse_error%(c: connection, host: addr, descr: string%);
 
-# Generated once for each raw (unparsed) software identification.
+## Generated when a protocol analyzer finds an identification of a software
+## used on a system. This is a protocol-independent event that is fed by
+## different analyzers. For example, the HTTP analyzer reports user-agent and
+## server software by raising this event. Different from
+## :bro:id:`software_version_found`  and :bro:id:`software_parse_error`, this
+## event is always raised, independent of whether Bro can parse the version
+## string.
+##
+## c: The connection.
+##
+## host: The host running the reported software.
+##
+## descr: The software identification string as extracted from the protocol.
+##
+## .. bro:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 
-# Generated when an operating system has been fingerprinted.
+## Generated when an operating system has been fingerprinted. Bro uses `p0f
+## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
+## and it raises this event for each system identified. The p0f fingerprints are
+## defined by :bro:id:`passive_fingerprint_file`.
+##
+## .. bro:see:: passive_fingerprint_file software_parse_error
+##    software_version_found software_unparsed_version_found
+##    generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 
-# Generated when an IP address gets mapped for the first time.
-event anonymization_mapping%(orig: addr, mapped: addr%);
-
-# Generated when a connection to a remote Bro has been established.
+## Generated when a connection to a remote Bro has been established. This event
+## is intended primarily for use by Bro's communication framework, but it can also
+## trigger additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
+##    remote_state_access_performed remote_state_inconsistency print_hook
 event remote_connection_established%(p: event_peer%);
 
-# Generated when a connection to a remote Bro has been closed.
+## Generated when a connection to a remote Bro has been closed. This event is
+## intended primarily for use by Bro's communication framework, but it can
+## also trigger additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## .. bro:see:: remote_capture_filter  remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log remote_pong remote_state_access_performed
+##    remote_state_inconsistency print_hook
 event remote_connection_closed%(p: event_peer%);
 
-# Generated when a remote connection's handshake has been completed.
+## Generated when a remote connection's initial handshake has been completed. This
+## event is intended primarily for use by Bro's communication framework, but it can
+## also trigger additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_established remote_event_registered remote_log remote_pong
+##    remote_state_access_performed remote_state_inconsistency print_hook
 event remote_connection_handshake_done%(p: event_peer%);
 
-# Generated for each event registered by a remote peer.
+## Generated for each event registered by a remote peer. This event is intended
+## primarily for use by Bro's communication framework, but it can also trigger
+## additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed
+##    remote_connection_error remote_connection_established
+##    remote_connection_handshake_done remote_log remote_pong
+##    remote_state_access_performed remote_state_inconsistency print_hook
 event remote_event_registered%(p: event_peer, name: string%);
 
-# Generated when a connection to a remote Bro causes some error.
+## Generated when a connection to a remote Bro encountered an error. This event
+## is intended primarily for use by Bro's communication framework, but it can also
+## trigger additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## reason: A textual description of the error.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log remote_pong remote_state_access_performed
+##    remote_state_inconsistency print_hook
 event remote_connection_error%(p: event_peer, reason: string%);
 
-# Generated when a remote peer sends us some capture filter.
+
+
+## Generated when a remote peer sent us a capture filter. While this event is
+## intended primarily for use by Bro's communication framework, it can also trigger
+## additional code if helpful.
+##
+## p: A record describing the peer.
+##
+## filter: The filter string sent by the peer.
+##
+## .. bro:see::  remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log remote_pong remote_state_access_performed
+##    remote_state_inconsistency print_hook
 event remote_capture_filter%(p: event_peer, filter: string%);
 
-# Generated after a call to send_state() when all data has been successfully
-# sent to the remote side.
+## Generated after a call to :bro:id:`send_state` when all data has been
+## successfully sent to the remote side. While this event is
+## intended primarily for use by Bro's communication framework, it can also trigger
+## additional code if helpful.
+##
+## p: A record describing the remote peer.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed
+##    remote_connection_error remote_connection_established
+##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
+##    remote_state_access_performed remote_state_inconsistency print_hook
 event finished_send_state%(p: event_peer%);
 
-# Generated if state synchronization detects an inconsistency.
+## Generated if state synchronization detects an inconsistency.  While this event
+## is intended primarily for use by Bro's communication framework, it can also
+## trigger additional code if helpful. This event is only raised if
+## :bro:id:`remote_check_sync_consistency` is false.
+##
+## operation: The textual description of the state operation performed.
+##
+## id: The name of the Bro script identifier that was operated on.
+##
+## expected_old: A textual representation of the value of *id* that was expected to
+##               be found before the operation was carried out.
+##
+## real_old: A textual representation of the value of *id* that was actually found
+##           before the operation was carried out. The difference between
+##           *real_old* and *expected_old* is the inconsistency being reported.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed
+##    remote_connection_error remote_connection_established
+##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
+##    remote_state_access_performed print_hook remote_check_sync_consistency
 event remote_state_inconsistency%(operation: string, id: string,
 				  expected_old: string, real_old: string%);
 
-# Generated for communication log message.
+## Generated for communication log messages. While this event is
+## intended primarily for use by Bro's communication framework, it can also trigger
+## additional code if helpful.
+##
+## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
+##        :bro:id:`REMOTE_LOG_ERROR`.
+##
+## src: The component of the comminication system that logged the message.
+##      Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
+##      child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
+##      :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
+##
+## msg: The message logged.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered  remote_pong remote_state_access_performed
+##    remote_state_inconsistency print_hook remote_log_peer
 event remote_log%(level: count, src: count, msg: string%);
 
-# Generated when a remote peer has answered to our ping.
+## Generated for communication log messages. While this event is
+## intended primarily for use by Bro's communication framework, it can also trigger
+## additional code if helpful.  This event is equivalent to
+## :bro:see:`remote_log` except the message is with respect to a certain peer.
+##
+## p: A record describing the remote peer.
+##
+## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
+##        :bro:id:`REMOTE_LOG_ERROR`.
+##
+## src: The component of the comminication system that logged the message.
+##      Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
+##      child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
+##      :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
+##
+## msg: The message logged.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered  remote_pong remote_state_access_performed
+##    remote_state_inconsistency print_hook remote_log
+event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
+
+## Generated when a remote peer has answered to our ping. This event is part of
+## Bro's infrastructure for measuring communication latency. One can send a ping
+## by calling :bro:id:`send_ping` and when a corresponding reply is received, this
+## event will be raised.
+##
+## p: The peer sending us the pong.
+##
+## seq: The sequence number passed to the original :bro:id:`send_ping`  call.
+##      The number is sent back by the peer in its response.
+##
+## d1: The time interval between sending the ping and receiving the pong. This
+##     is the latency of the complete path.
+##
+## d2: The time interval between sending out the ping to the network and its
+##     reception at the peer. This is the network latency.
+##
+## d3: The time interval between when the peer's child process received the
+##     ping and when its parent process sent the pong. This is the
+##     processing latency at the the peer.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log  remote_state_access_performed
+##    remote_state_inconsistency print_hook
 event remote_pong%(p: event_peer, seq: count,
 			d1: interval, d2: interval, d3: interval%);
 
-# Generated each time a remote state access has been replayed locally
-# (primarily for debugging).
+## Generated each time a remote state access has been replayed locally. This event
+## is primarily intended for debugging. measurments.
+##
+## id: The name of the Bro script variable that's being operated on.
+##
+## v: The new value of the variable.
+##
+## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+##    remote_connection_established remote_connection_handshake_done
+##    remote_event_registered remote_log remote_pong remote_state_inconsistency
+##    print_hook
 event remote_state_access_performed%(id: string, v: any%);
 
-# Generated each time profiling_file is updated.  "expensive" means that
-# this event corresponds to heavier-weight profiling as indicated by the
-# expensive_profiling_multiple variable.
+## Generated each time Bro's internal profiling log is updated. The file is
+## defined by :bro:id:`profiling_file`, and its update frequency by
+## :bro:id:`profiling_interval`  and :bro:id:`expensive_profiling_multiple`.
+##
+## f: The profiling file.
+##
+## expensive: True if this event corresponds to heavier-weight profiling as
+##            indicated by the :bro:id:`expensive_profiling_multiple` variable.
+##
+## .. bro:see::  profiling_interval expensive_profiling_multiple
 event profiling_update%(f: file, expensive: bool%);
 
+## Generated each time Bro's script interpreter opens a file. This event is
+## triggered only for files opened via :bro:id:`open`, and in particular not for
+## normal log files as created by a  log writers.
+##
+## f: The opened file.
 event file_opened%(f: file%);
 
-# Each print statement generates an event.
-event print_hook%(f:file, s: string%);
+## Generated for a received NetFlow v5 header.  Bro's NetFlow processor raises this
+## event whenever it either receives a NetFlow header on the port it's listening
+## on, or reads one from a trace file.
+##
+## h: The parsed NetFlow header.
+##
+## .. bro:see:: netflow_v5_record
+event netflow_v5_header%(h: nf_v5_header%);
 
-# Generated for &rotate_interval.
+## Generated for a received NetFlow v5 record.  Bro's NetFlow processor raises this
+## event whenever it either receives a NetFlow record on the port it's listening
+## on, or reads one from a trace file.
+##
+## h: The parsed NetFlow header.
+##
+## .. bro:see:: netflow_v5_record
+event netflow_v5_record%(r: nf_v5_record%);
+
+## Raised for informational messages reported via Bro's reporter framework. Such
+## messages may be generated internally by the event engine and also by other
+## scripts calling :bro:id:`Reporter::info`.
+##
+## t: The time the message was passed to the reporter.
+##
+## msg: The message itself.
+##
+## location: A (potentially empty) string describing a location associated with the
+##           message.
+##
+## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning
+##    Reporter::error
+##
+## .. note:: Bro will not call reporter events recursively. If the handler of any
+##    reporter event triggers a new reporter message itself, the output will go to
+##    ``stderr`` instead.
+event reporter_info%(t: time, msg: string, location: string%) &error_handler;
+
+## Raised for warnings reported via Bro's reporter framework. Such messages may
+## be generated internally by the event engine and also by other scripts calling
+## :bro:id:`Reporter::warning`.
+##
+## t: The time the warning was passed to the reporter.
+##
+## msg: The warning message.
+##
+## location: A (potentially empty) string describing a location associated with the
+##     warning.
+##
+## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning
+##    Reporter::error
+##
+## .. note:: Bro will not call reporter events recursively. If the handler of any
+##    reporter event triggers a new reporter message itself, the output will go to
+##    ``stderr`` instead.
+event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
+
+## Raised for errors reported via Bro's reporter framework. Such messages may
+## be generated internally by the event engine and also by other scripts calling
+## :bro:id:`Reporter::error`.
+##
+## t: The time the error was passed to the reporter.
+##
+## msg: The error message.
+##
+## location: A (potentially empty) string describing a location associated with the
+##     error.
+##
+## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning
+##    Reporter::error
+##
+## .. note:: Bro will not call reporter events recursively. If the handler of any
+##    reporter event triggers a new reporter message itself, the output will go to
+##    ``stderr`` instead.
+event reporter_error%(t: time, msg: string, location: string%) &error_handler;
+
+## Raised for each policy script loaded by the script interpreter.
+##
+## path: The full path to the script loaded.
+##
+## level: The "nesting level": zero for a top-level Bro script and incremented
+##        recursively for each ``@load``.
+event bro_script_loaded%(path: string, level: count%);
+
+## Deprecated. Will be removed.
+event stp_create_endp%(c: connection, e: int, is_orig: bool%);
+
+# ##### Internal events. Not further documented.
+
+## Event internal to the stepping stone detector.
+event stp_resume_endp%(e: int%);
+
+## Event internal to the stepping stone detector.
+event stp_correlate_pair%(e1: int, e2: int%);
+
+## Event internal to the stepping stone detector.
+event stp_remove_pair%(e1: int, e2: int%);
+
+## Event internal to the stepping stone detector.
+event stp_remove_endp%(e: int%);
+
+# ##### Deprecated events. Proposed for removal.
+
+## Deprecated. Will be removed.
+event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
+
+## Deprecated. Will be removed.
+event interconn_remove_conn%(c: connection%);
+
+## Deprecated. Will be removed.
+event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
+
+## Deprecated. Will be removed.
+event backdoor_remove_conn%(c: connection%);
+
+## Deprecated. Will be removed.
+event ssh_signature_found%(c: connection, is_orig: bool%);
+
+## Deprecated. Will be removed.
+event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
+
+## Deprecated. Will be removed.
+event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
+
+## Deprecated. Will be removed.
+event root_backdoor_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event ftp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event napster_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event gnutella_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event kazaa_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_proxy_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event smtp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event irc_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event gaobot_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+##
+## .. todo:: Unclear what this event is for; it's never raised. We should just
+##    remove it.
+event dns_full_request%(%) &group="dns";
+
+## Deprecated. Will be removed.
+event anonymization_mapping%(orig: addr, mapped: addr%);
+
+## Deprecated. Will be removed.
 event rotate_interval%(f: file%);
 
-# Generated for &rotate_size.
+## Deprecated. Will be removed.
 event rotate_size%(f: file%);
 
-event netflow_v5_header%(h: nf_v5_header%);
-event netflow_v5_record%(r: nf_v5_record%);
+## Deprecated. Will be removed.
+event print_hook%(f:file, s: string%);
diff --git a/src/finger-rw.bif b/src/finger-rw.bif
deleted file mode 100644
index a32d9b30c6..0000000000
--- a/src/finger-rw.bif
+++ /dev/null
@@ -1,22 +0,0 @@
-# Write a finger request to trace.
-rewriter finger_request %(full: bool, username: string, hostpart: string%)
-	%{
-	const int is_orig = 1;
-	if ( full )
-		@WRITE@(is_orig, "/W ");
-	@WRITE@(is_orig, username->AsString());
-	if ( hostpart->Len() > 0 )
-		{
-		@WRITE@(is_orig, "@");
-		@WRITE@(is_orig, hostpart->AsString());
-		}
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Write a finger reply to trace.
-rewriter finger_reply %(reply: string%)
-	%{
-	const int is_orig = 0;
-	@WRITE@(is_orig, reply->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/ftp-rw.bif b/src/ftp-rw.bif
deleted file mode 100644
index f12931ab28..0000000000
--- a/src/ftp-rw.bif
+++ /dev/null
@@ -1,27 +0,0 @@
-# Rewrite an FTP request.
-rewriter ftp_request%(command: string, arg: string%)
-	%{
-	const int is_orig = 1;
-	@WRITE@(is_orig, command->AsString());
-	if ( command->Len() > 0 && arg->Len() > 0 )
-		@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, arg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Rewrite an FTP reply.
-rewriter ftp_reply%(code: count, msg: string, cont_resp: bool%)
-	%{
-	const int is_orig = 0;
-
-	if ( code > 0 )
-		{
-		@WRITE@(is_orig, fmt("%03lu", (unsigned long) code));
-		if ( cont_resp )
-			@WRITE@(is_orig, "-");
-		else
-			@WRITE@(is_orig, " ");
-		}
-	@WRITE@(is_orig, msg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac
index 38402a9d67..e12be59438 100644
--- a/src/http-analyzer.pac
+++ b/src/http-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %extern{
 #include <ctype.h>
 
@@ -84,7 +82,7 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_request )
 			{
 			bytestring unescaped_uri = unescape_uri(uri);
-			bro_event_http_request(connection()->bro_analyzer(),
+			BifEvent::generate_http_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(method),
 				bytestring_to_val(uri),
@@ -103,7 +101,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_reply )
 			{
-			bro_event_http_reply(connection()->bro_analyzer(),
+			BifEvent::generate_http_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(${vers.vers_str}), code,
 				bytestring_to_val(reason));
@@ -205,7 +203,7 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_header )
 			{
-			bro_event_http_header(connection()->bro_analyzer(),
+			BifEvent::generate_http_header(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
 				bytestring_to_val(name)->ToUpper(),
@@ -236,7 +234,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_all_headers )
 			{
-			bro_event_http_all_headers(connection()->bro_analyzer(),
+			BifEvent::generate_http_all_headers(connection()->bro_analyzer(),
 						connection()->bro_analyzer()->Conn(),
 						is_orig(),
 						build_http_headers_val());
@@ -263,7 +261,7 @@ flow HTTP_Flow(is_orig: bool) {
 		msg_start_time_ = network_time();
 		if ( ::http_begin_entity )
 			{
-			bro_event_http_begin_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_begin_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		%}
@@ -295,13 +293,13 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_end_entity )
 			{
-			bro_event_http_end_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_end_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 
 		if ( ::http_message_done )
 			{
-			bro_event_http_message_done(connection()->bro_analyzer(),
+			BifEvent::generate_http_message_done(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					is_orig(), build_http_message_stat());
 			}
diff --git a/src/http-protocol.pac b/src/http-protocol.pac
index 1c9f4b4c17..e4487a75e3 100644
--- a/src/http-protocol.pac
+++ b/src/http-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 enum ExpectBody {
 	BODY_EXPECTED,
 	BODY_NOT_EXPECTED,
diff --git a/src/http-rw.bif b/src/http-rw.bif
deleted file mode 100644
index c839dcaf2a..0000000000
--- a/src/http-rw.bif
+++ /dev/null
@@ -1,61 +0,0 @@
-%%{
-#include "HTTP.h"
-
-BroString* encode_URI(BroString* URI)
-	{
-	byte_vec encoded_URI = new unsigned char[URI->Len() * 3 + 1];
-	byte_vec end_of_URI = URI->Bytes() + URI->Len();
-
-	byte_vec q = encoded_URI;
-	for ( byte_vec p = URI->Bytes(); p < end_of_URI; ++p )
-		{
-		if ( is_reserved_URI_char(*p) ||
-		     is_unreserved_URI_char(*p) || *p == '%' )
-			*q++ = *p;
-		else
-			escape_URI_char(*p, q);
-		}
-	*q = '\0';
-	return new BroString(1, encoded_URI, q - encoded_URI);
-	}
-%%}
-
-rewriter http_request%(method: string, URI: string, version: string%)
-	%{
-	const int is_orig = 1;
-
-	@WRITE@(is_orig, method->AsString());
-	@WRITE@(is_orig, " ");
-
-	@WRITE@(is_orig, URI->AsString());
-
-	@WRITE@(is_orig, " HTTP/");
-	@WRITE@(is_orig, version->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_reply%(version: string, code: count, reason: string%)
-	%{
-	const int is_orig = 0;
-
-	@WRITE@(is_orig, "HTTP/");
-	@WRITE@(is_orig, version->AsString());
-	@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, fmt("%lu", (unsigned long) code));
-	@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, reason->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_header%(is_orig: bool, name: string, value: string%)
-	%{
-	@WRITE@(is_orig, name->AsString());
-	@WRITE@(is_orig, ":");
-	@WRITE@(is_orig, value->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_data%(is_orig: bool, data: string%)
-	%{
-	@WRITE@(is_orig, data->AsString());
-	%}
diff --git a/src/http.pac b/src/http.pac
index 217215e998..38e6ad0b5e 100644
--- a/src/http.pac
+++ b/src/http.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %include binpac.pac
 %include bro.pac
 
diff --git a/src/ident-rw.bif b/src/ident-rw.bif
deleted file mode 100644
index 290cbe6b34..0000000000
--- a/src/ident-rw.bif
+++ /dev/null
@@ -1,23 +0,0 @@
-rewriter ident_request %(lport: port, rport: port%)
-	%{
-	const int is_orig = 1;
-	@WRITE@(is_orig, fmt("%u, %u\r\n", rport->Port(), lport->Port()));
-	%}
-
-rewriter ident_reply %(lport: port, rport: port, sys_str: string, id_str: string%)
-	%{
-	const int is_orig = 0;
-	@WRITE@(is_orig, fmt("%u, %u : USERID : ", rport->Port(), lport->Port()));
-	@WRITE@(is_orig, sys_str->AsString());
-	@WRITE@(is_orig, " : ");
-	@WRITE@(is_orig, id_str->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter ident_error %(lport: port, rport: port, msg_str: string%)
-	%{ 
-	const int is_orig = 0;
-	@WRITE@(is_orig, fmt("%u, %u : ERROR : ", rport->Port(), lport->Port()));
-	@WRITE@(is_orig, msg_str->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/input.h b/src/input.h
index 004d366748..8fcceb256b 100644
--- a/src/input.h
+++ b/src/input.h
@@ -1,5 +1,3 @@
-// $Id: input.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef input_h
@@ -30,6 +28,8 @@ extern void do_atifdef(const char* id);
 extern void do_atifndef(const char* id);
 extern void do_atelse();
 extern void do_atendif();
+extern void do_doc_token_start();
+extern void do_doc_token_stop();
 
 extern int line_number;
 extern const char* filename;
@@ -47,8 +47,4 @@ extern Stmt* stmts;	// global statements
 
 extern int optimize;
 
-extern int nwarn;
-extern int nerr;
-extern int nruntime;
-
 #endif
diff --git a/src/logging.bif b/src/logging.bif
new file mode 100644
index 0000000000..31e1bebacd
--- /dev/null
+++ b/src/logging.bif
@@ -0,0 +1,73 @@
+##! Internal functions and types used by the logging framework.
+
+module Log;
+
+%%{
+#include "LogMgr.h"
+#include "NetVar.h"
+%%}
+
+type Filter: record;
+type Stream: record;
+type RotationInfo: record;
+
+function Log::__create_stream%(id: Log::ID, stream: Log::Stream%) : bool
+	%{
+	bool result = log_mgr->CreateStream(id->AsEnumVal(), stream->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__enable_stream%(id: Log::ID%) : bool
+	%{
+	bool result = log_mgr->EnableStream(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__disable_stream%(id: Log::ID%) : bool
+	%{
+	bool result = log_mgr->DisableStream(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__add_filter%(id: Log::ID, filter: Log::Filter%) : bool
+	%{
+	bool result = log_mgr->AddFilter(id->AsEnumVal(), filter->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__remove_filter%(id: Log::ID, name: string%) : bool
+	%{
+	bool result = log_mgr->RemoveFilter(id->AsEnumVal(), name);
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__write%(id: Log::ID, columns: any%) : bool
+	%{
+	bool result = log_mgr->Write(id->AsEnumVal(), columns->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__set_buf%(id: Log::ID, buffered: bool%): bool
+	%{
+	bool result = log_mgr->SetBuf(id->AsEnumVal(), buffered);
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__flush%(id: Log::ID%): bool
+	%{
+	bool result = log_mgr->Flush(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+# Options for the ASCII writer.
+
+module LogAscii;
+
+const output_to_stdout: bool;
+const include_header: bool;
+const header_prefix: string;
+const separator: string;
+const set_separator: string;
+const empty_field: string;
+const unset_field: string;
+
diff --git a/src/main.cc b/src/main.cc
index 5df9b1c65c..bcc0498123 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -1,5 +1,3 @@
-// $Id: main.cc 6829 2009-07-09 09:12:59Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -8,6 +6,8 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <signal.h>
+#include <string.h>
+#include <list>
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -22,14 +22,14 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 
 #include "bsd-getopt-long.h"
 #include "input.h"
-#include "Active.h"
 #include "ScriptAnaly.h"
 #include "DNS_Mgr.h"
 #include "Frame.h"
 #include "Scope.h"
 #include "Event.h"
 #include "File.h"
-#include "Logger.h"
+#include "Reporter.h"
+#include "LogMgr.h"
 #include "Net.h"
 #include "NetVar.h"
 #include "Var.h"
@@ -46,9 +46,14 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #include "Stats.h"
 #include "ConnCompressor.h"
 #include "DPM.h"
+#include "BroDoc.h"
+#include "Brofiler.h"
+#include "LogWriterAscii.h"
 
 #include "binpac_bro.h"
 
+Brofiler brofiler;
+
 #ifndef HAVE_STRSEP
 extern "C" {
 char* strsep(char**, const char*);
@@ -70,10 +75,8 @@ char* writefile = 0;
 name_list prefixes;
 DNS_Mgr* dns_mgr;
 TimerMgr* timer_mgr;
-Logger* bro_logger;
-Func* alarm_hook = 0;
+LogMgr* log_mgr;
 Stmt* stmts;
-EventHandlerPtr bro_signal = 0;
 EventHandlerPtr net_done = 0;
 RuleMatcher* rule_matcher = 0;
 PersistenceSerializer* persistence_serializer = 0;
@@ -90,16 +93,19 @@ DPM* dpm = 0;
 int optimize = 0;
 int do_notice_analysis = 0;
 int rule_bench = 0;
-int print_loaded_scripts = 0;
+int generate_documentation = 0;
 SecondaryPath* secondary_path = 0;
 ConnCompressor* conn_compressor = 0;
 extern char version[];
 char* command_line_policy = 0;
 vector<string> params;
 char* proc_status_file = 0;
+int snaplen = 0;	// this gets set from the scripting-layer's value
 
 int FLAGS_use_binpac = false;
 
+extern std::list<BroDoc*> docs_generated;
+
 // Keep copy of command line
 int bro_argc;
 char** bro_argv;
@@ -122,21 +128,26 @@ const char* bro_version()
 #endif
 	}
 
+const char* bro_dns_fake()
+	{
+	if ( ! getenv("BRO_DNS_FAKE") )
+		return "off";
+	else
+		return "on";
+	}
+
 void usage()
 	{
 	fprintf(stderr, "bro version %s\n", bro_version());
 	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
 	fprintf(stderr, "    <file>                         | policy file, or read stdin\n");
-#ifdef ACTIVE_MAPPING
-	fprintf(stderr, "    -a|--active-mapping <mapfile>  | use active mapping results\n");
-#endif
+	fprintf(stderr, "    -b|--bare-mode                 | don't load scripts from the base/ directory\n");
 	fprintf(stderr, "    -d|--debug-policy              | activate policy file debugging\n");
 	fprintf(stderr, "    -e|--exec <bro code>           | augment loaded policies by given code\n");
 	fprintf(stderr, "    -f|--filter <filter>           | tcpdump filter\n");
 	fprintf(stderr, "    -g|--dump-config               | dump current config into .state dir\n");
 	fprintf(stderr, "    -h|--help|-?                   | command line help\n");
 	fprintf(stderr, "    -i|--iface <interface>         | read from given interface\n");
-	fprintf(stderr, "    -l|--print-scripts             | print all loaded scripts\n");
 	fprintf(stderr, "    -p|--prefix <prefix>           | add given prefix to policy file resolution\n");
 	fprintf(stderr, "    -r|--readfile <readfile>       | read from given tcpdump file\n");
 	fprintf(stderr, "    -y|--flowfile <file>[=<ident>] | read from given flow file\n");
@@ -147,7 +158,6 @@ void usage()
 	fprintf(stderr, "    -v|--version                   | print version and exit\n");
 	fprintf(stderr, "    -x|--print-state <file.bst>    | print contents of state file\n");
 	fprintf(stderr, "    -z|--analyze <analysis>        | run the specified policy file analysis\n");
-	fprintf(stderr, "    -A|--transfile <writefile>     | write transformed trace to given tcpdump file\n");
 #ifdef DEBUG
 	fprintf(stderr, "    -B|--debug <dbgstreams>        | Enable debugging output for selected streams\n");
 #endif
@@ -164,6 +174,7 @@ void usage()
 	fprintf(stderr, "    -T|--re-level <level>          | set 'RE_level' for rules\n");
 	fprintf(stderr, "    -U|--status-file <file>        | Record process status in file\n");
 	fprintf(stderr, "    -W|--watchdog                  | activate watchdog timer\n");
+	fprintf(stderr, "    -Z|--doc-scripts               | generate documentation for all loaded scripts\n");
 
 #ifdef USE_PERFTOOLS
 	fprintf(stderr, "    -m|--mem-leaks                 | show leaks  [perftools]\n");
@@ -184,6 +195,10 @@ void usage()
 
 	fprintf(stderr, "    $BROPATH                       | file search path (%s)\n", bro_path());
 	fprintf(stderr, "    $BRO_PREFIXES                  | prefix list (%s)\n", bro_prefixes());
+	fprintf(stderr, "    $BRO_DNS_FAKE                  | disable DNS lookups (%s)\n", bro_dns_fake());
+	fprintf(stderr, "    $BRO_SEED_FILE                 | file to load seeds from (not set)\n");
+	fprintf(stderr, "    $BRO_LOG_SUFFIX                | ASCII log file extension (.%s)\n", LogWriterAscii::LogExt().c_str());
+	fprintf(stderr, "    $BRO_PROFILER_FILE             | Output file for script execution statistics (not set)\n");
 
 	exit(1);
 	}
@@ -219,6 +234,8 @@ void done_with_network()
 
 	dpm->Done();
 	timer_mgr->Expire();
+	dns_mgr->Flush();
+	mgr.Drain();
 	mgr.Drain();
 
 	if ( remote_serializer )
@@ -248,6 +265,8 @@ void terminate_bro()
 
 	terminating = true;
 
+	brofiler.WriteStats();
+
 	EventHandlerPtr bro_done = internal_handler("bro_done");
 	if ( bro_done )
 		mgr.QueueEvent(bro_done, new val_list);
@@ -269,7 +288,6 @@ void terminate_bro()
 		remote_serializer->LogStats();
 
 	delete timer_mgr;
-	delete bro_logger;
 	delete dns_mgr;
 	delete persistence_serializer;
 	delete event_player;
@@ -280,6 +298,8 @@ void terminate_bro()
 	delete conn_compressor;
 	delete remote_serializer;
 	delete dpm;
+	delete log_mgr;
+	delete reporter;
 	}
 
 void termination_signal()
@@ -287,7 +307,7 @@ void termination_signal()
 	set_processing_status("TERMINATING", "termination_signal");
 
 	Val sval(signal_val, TYPE_COUNT);
-	message("received termination signal");
+	reporter->Info("received termination signal");
 	net_get_final_stats();
 	done_with_network();
 	net_delete();
@@ -322,6 +342,8 @@ static void bro_new_handler()
 
 int main(int argc, char** argv)
 	{
+	brofiler.ReadStats();
+
 	bro_argc = argc;
 	bro_argv = new char* [argc];
 
@@ -333,12 +355,14 @@ int main(int argc, char** argv)
 	name_list netflows;
 	name_list flow_files;
 	name_list rule_files;
-	char* transformed_writefile = 0;
 	char* bst_file = 0;
 	char* id_name = 0;
 	char* events_file = 0;
-	char* seed_load_file = 0;
+	char* seed_load_file = getenv("BRO_SEED_FILE");
 	char* seed_save_file = 0;
+	char* user_pcap_filter = 0;
+	char* debug_streams = 0;
+	int bare_mode = false;
 	int seed = 0;
 	int dump_cfg = false;
 	int to_xml = 0;
@@ -348,13 +372,14 @@ int main(int argc, char** argv)
 	int RE_level = 4;
 
 	static struct option long_opts[] = {
+		{"bare-mode",	no_argument,		0,	'b'},
 		{"debug-policy",	no_argument,		0,	'd'},
 		{"dump-config",		no_argument,		0,	'g'},
 		{"exec",		required_argument,	0,	'e'},
 		{"filter",		required_argument,	0,	'f'},
 		{"help",		no_argument,		0,	'h'},
 		{"iface",		required_argument,	0,	'i'},
-		{"print-scripts",	no_argument,		0,	'l'},
+		{"doc-scripts",		no_argument,		0,	'Z'},
 		{"prefix",		required_argument,	0,	'p'},
 		{"readfile",		required_argument,	0,	'r'},
 		{"flowfile",		required_argument,	0,	'y'},
@@ -365,7 +390,6 @@ int main(int argc, char** argv)
 		{"version",		no_argument,		0,	'v'},
 		{"print-state",		required_argument,	0,	'x'},
 		{"analyze",		required_argument,	0,	'z'},
-		{"transfile",		required_argument,	0,	'A'},
 		{"no-checksums",	no_argument,		0,	'C'},
 		{"dfa-cache",		required_argument,	0,	'D'},
 		{"force-dns",		no_argument,		0,	'F'},
@@ -383,9 +407,6 @@ int main(int argc, char** argv)
 		{"print-id",		required_argument,	0,	'I'},
 		{"status-file",		required_argument,	0,	'U'},
 
-#ifdef	ACTIVE_MAPPING
-		{"active-mapping",	no_argument,		0,	'a'},
-#endif
 #ifdef	DEBUG
 		{"debug",		required_argument,	0,	'B'},
 #endif
@@ -412,7 +433,7 @@ int main(int argc, char** argv)
 
 	prog = argv[0];
 
-	prefixes.append("");	// "" = "no prefix"
+	prefixes.append(strdup(""));	// "" = "no prefix"
 
 	char* p = getenv("BRO_PREFIXES");
 	if ( p )
@@ -431,7 +452,7 @@ int main(int argc, char** argv)
 	opterr = 0;
 
 	char opts[256];
-	safe_strncpy(opts, "A:a:B:D:e:f:I:i:K:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGHLOPSWdghlv",
+	safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ",
 		     sizeof(opts));
 
 #ifdef USE_PERFTOOLS
@@ -441,14 +462,8 @@ int main(int argc, char** argv)
 	int op;
 	while ( (op = getopt_long(argc, argv, opts, long_opts, &long_optsind)) != EOF )
 		switch ( op ) {
-		case 'a':
-#ifdef ACTIVE_MAPPING
-			fprintf(stderr, "Using active mapping file %s.\n", optarg);
-			active_file = optarg;
-#else
-			fprintf(stderr, "Bro not compiled for active mapping.\n");
-			exit(1);
-#endif
+		case 'b':
+			bare_mode = true;
 			break;
 
 		case 'd':
@@ -472,10 +487,6 @@ int main(int argc, char** argv)
 			interfaces.append(optarg);
 			break;
 
-		case 'l':
-			print_loaded_scripts = 1;
-			break;
-
 		case 'p':
 			prefixes.append(optarg);
 			break;
@@ -511,10 +522,6 @@ int main(int argc, char** argv)
 				}
 			break;
 
-		case 'A':
-			transformed_writefile = optarg;
-			break;
-
 		case 'C':
 			override_ignore_checksums = 1;
 			break;
@@ -624,6 +631,10 @@ int main(int argc, char** argv)
 			break;
 #endif
 
+		case 'Z':
+			generate_documentation = 1;
+			break;
+
 #ifdef USE_IDMEF
 		case 'n':
 			fprintf(stderr, "Using IDMEF XML DTD from %s\n", optarg);
@@ -632,9 +643,7 @@ int main(int argc, char** argv)
 #endif
 
 		case 'B':
-#ifdef DEBUG
-			debug_logger.EnableStreams(optarg);
-#endif
+			debug_streams = optarg;
 			break;
 
 		case 0:
@@ -652,8 +661,14 @@ int main(int argc, char** argv)
 	set_processing_status("INITIALIZING", "main");
 
 	bro_start_time = current_time(true);
+	reporter = new Reporter();
 
-	init_random_seed(seed, seed_load_file, seed_save_file);
+#ifdef DEBUG
+	if ( debug_streams )
+		debug_logger.EnableStreams(debug_streams);
+#endif
+
+	init_random_seed(seed, (seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 
@@ -666,7 +681,7 @@ int main(int argc, char** argv)
 	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
 	// and Solaris provide /dev/urandom).
 
-	if ( (interfaces.length() > 0 || netflows.length() > 0) && 
+	if ( (interfaces.length() > 0 || netflows.length() > 0) &&
 	     (read_files.length() > 0 || flow_files.length() > 0 ))
 		usage();
 
@@ -681,10 +696,13 @@ int main(int argc, char** argv)
 	timer_mgr = new PQ_TimerMgr("<GLOBAL>");
 	// timer_mgr = new CQ_TimerMgr();
 
-	add_input_file("bro.init");
+	add_input_file("base/init-bare.bro");
+	if ( ! bare_mode )
+		add_input_file("base/init-default.bro");
 
 	if ( optind == argc &&
 	     read_files.length() == 0 && flow_files.length() == 0 &&
+	     interfaces.length() == 0 &&
 	     ! (id_name || bst_file) && ! command_line_policy )
 		add_input_file("-");
 
@@ -699,13 +717,6 @@ int main(int argc, char** argv)
 			add_input_file(argv[optind++]);
 		}
 
-	if ( ! load_mapping_table(active_file.c_str()) )
-		{
-		fprintf(stderr, "Could not load active mapping file %s\n",
-			active_file.c_str());
-		exit(1);
-		}
-
 	dns_mgr = new DNS_Mgr(dns_type);
 
 	// It would nice if this were configurable.  This is similar to the
@@ -715,7 +726,8 @@ int main(int argc, char** argv)
 
 	persistence_serializer = new PersistenceSerializer();
 	remote_serializer = new RemoteSerializer();
-	event_registry = new EventRegistry;
+	event_registry = new EventRegistry();
+	log_mgr = new LogMgr();
 
 	if ( events_file )
 		event_player = new EventPlayer(events_file);
@@ -744,7 +756,21 @@ int main(int argc, char** argv)
 	}
 #endif
 
-	if ( nerr > 0 )
+	if ( generate_documentation )
+		{
+		std::list<BroDoc*>::iterator it;
+
+		for ( it = docs_generated.begin(); it != docs_generated.end(); ++it )
+			(*it)->WriteDocFile();
+
+		for ( it = docs_generated.begin(); it != docs_generated.end(); ++it )
+			delete *it;
+
+		terminate_bro();
+		return 0;
+		}
+
+	if ( reporter->Errors() > 0 )
 		{
 		delete dns_mgr;
 		exit(1);
@@ -752,6 +778,16 @@ int main(int argc, char** argv)
 
 	init_general_global_var();
 
+	if ( user_pcap_filter )
+		{
+		ID* id = global_scope()->Lookup("cmd_line_bpf_filter");
+
+		if ( ! id )
+			reporter->InternalError("global cmd_line_bpf_filter not defined");
+
+		id->SetVal(new StringVal(user_pcap_filter));
+		}
+
 	// Parse rule files defined on the script level.
 	char* script_rule_files =
 		copy_string(internal_val("signature_files")->AsString()->CheckString());
@@ -783,12 +819,7 @@ int main(int argc, char** argv)
 		// ### Add support for debug command file.
 		dbg_init_debugger(0);
 
-	Val* bro_alarm_file = internal_val("bro_alarm_file");
-	bro_logger = new Logger("bro",
-			bro_alarm_file ?
-				bro_alarm_file->AsFile() : new BroFile(stderr));
-
-	if ( (flow_files.length() == 0 || read_files.length() == 0) && 
+	if ( (flow_files.length() == 0 || read_files.length() == 0) &&
 	     (netflows.length() == 0 || interfaces.length() == 0) )
 		{
 		Val* interfaces_val = internal_val("interfaces");
@@ -804,25 +835,18 @@ int main(int argc, char** argv)
 			}
 		}
 
+	snaplen = internal_val("snaplen")->AsCount();
+
 	// Initialize the secondary path, if it's needed.
 	secondary_path = new SecondaryPath();
 
 	if ( dns_type != DNS_PRIME )
 		net_init(interfaces, read_files, netflows, flow_files,
-			writefile, transformed_writefile,
-			user_pcap_filter ? user_pcap_filter : "tcp or udp",
+			writefile, "tcp or udp or icmp",
 			secondary_path->Filter(), do_watchdog);
 
-	if ( ! reading_traces )
-		// Only enable actual syslog'ing for live input.
-		bro_logger->SetEnabled(enable_syslog);
-	else
-		bro_logger->SetEnabled(0);
-
 	BroFile::SetDefaultRotation(log_rotate_interval, log_max_size);
 
-	alarm_hook = internal_func("alarm_hook");
-	bro_signal = internal_handler("bro_signal");
 	net_done = internal_handler("net_done");
 
 	if ( ! g_policy_debug )
@@ -842,10 +866,7 @@ int main(int argc, char** argv)
 		dns_mgr->Resolve();
 
 		if ( ! dns_mgr->Save() )
-			{
-			bro_logger->Log("**Can't update DNS cache");
-			exit(1);
-			}
+			reporter->FatalError("can't update DNS cache");
 
 		mgr.Drain();
 		delete dns_mgr;
@@ -869,15 +890,13 @@ int main(int argc, char** argv)
 			UnserialInfo info(&s);
 			info.print = stdout;
 			info.install_uniques = true;
-			s.Read(&info, bst_file);
+			if ( ! s.Read(&info, bst_file) )
+				reporter->Error("Failed to read events from %s\n", bst_file);
 			}
 
 		exit(0);
 		}
 
-	if ( using_communication )
-		remote_serializer->Init();
-
 	persistence_serializer->SetDir((const char *)state_dir->AsString()->CheckString());
 
 	// Print the ID.
@@ -887,10 +906,7 @@ int main(int argc, char** argv)
 
 		ID* id = global_scope()->Lookup(id_name);
 		if ( ! id )
-			{
-			fprintf(stderr, "No such ID: %s\n", id_name);
-			exit(1);
-			}
+			reporter->FatalError("No such ID: %s\n", id_name);
 
 		ODesc desc;
 		desc.SetQuotes(true);
@@ -932,9 +948,8 @@ int main(int argc, char** argv)
 
 	if ( dead_handlers->length() > 0 && check_for_unused_event_handlers )
 		{
-		warn("event handlers never invoked:");
 		for ( int i = 0; i < dead_handlers->length(); ++i )
-			warn("\t", (*dead_handlers)[i]);
+			reporter->Warning("event handler never invoked: %s", (*dead_handlers)[i]);
 		}
 
 	delete dead_handlers;
@@ -944,9 +959,9 @@ int main(int argc, char** argv)
 
 	if ( alive_handlers->length() > 0 && dump_used_event_handlers )
 		{
-		message("invoked event handlers:");
+		reporter->Info("invoked event handlers:");
 		for ( int i = 0; i < alive_handlers->length(); ++i )
-			message((*alive_handlers)[i]);
+			reporter->Info("%s", (*alive_handlers)[i]);
 		}
 
 	delete alive_handlers;
@@ -966,8 +981,22 @@ int main(int argc, char** argv)
 	if ( override_ignore_checksums )
 		ignore_checksums = 1;
 
+	// Queue events reporting loaded scripts.
+	for ( std::list<ScannedFile>::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ )
+		{
+		if ( i->skipped )
+			continue;
+
+		val_list* vl = new val_list;
+		vl->append(new StringVal(i->name.c_str()));
+		vl->append(new Val(i->include_level, TYPE_COUNT));
+		mgr.QueueEvent(bro_script_loaded, vl);
+		}
+
 	dpm->PostScriptInit();
 
+	reporter->ReportViaEvents(true);
+
 	mgr.Drain();
 
 	have_pending_timers = ! reading_traces && timer_mgr->Size() > 0;
@@ -988,6 +1017,7 @@ int main(int argc, char** argv)
 			}
 
 #endif
+
 		net_run();
 		done_with_network();
 		net_delete();
diff --git a/src/make_dbg_constants.pl b/src/make_dbg_constants.pl
index d4781dccf6..29efac8050 100644
--- a/src/make_dbg_constants.pl
+++ b/src/make_dbg_constants.pl
@@ -1,5 +1,3 @@
-# $Id: make_dbg_constants.pl 80 2004-07-14 20:15:50Z jason $
-#
 # Build the DebugCmdConstants.h and DebugCmdInfoConstants.h files from the
 # DebugCmdInfoConstants.in file.
 #
diff --git a/src/malloc.c b/src/malloc.c
deleted file mode 100644
index 809e19aa4e..0000000000
--- a/src/malloc.c
+++ /dev/null
@@ -1,5061 +0,0 @@
-/*
-  This is a version (aka dlmalloc) of malloc/free/realloc written by
-  Doug Lea and released to the public domain, as explained at
-  http://creativecommons.org/licenses/publicdomain.  Send questions,
-  comments, complaints, performance data, etc to dl@cs.oswego.edu
-
-* Version 2.8.3 Thu Sep 22 11:16:15 2005  Doug Lea  (dl at gee)
-
-   Note: There may be an updated version of this malloc obtainable at
-           ftp://gee.cs.oswego.edu/pub/misc/malloc.c
-         Check before installing!
-
-* Quickstart
-
-  This library is all in one file to simplify the most common usage:
-  ftp it, compile it (-O3), and link it into another program. All of
-  the compile-time options default to reasonable values for use on
-  most platforms.  You might later want to step through various
-  compile-time and dynamic tuning options.
-
-  For convenience, an include file for code using this malloc is at:
-     ftp://gee.cs.oswego.edu/pub/misc/malloc-2.8.3.h
-  You don't really need this .h file unless you call functions not
-  defined in your system include files.  The .h file contains only the
-  excerpts from this file needed for using this malloc on ANSI C/C++
-  systems, so long as you haven't changed compile-time options about
-  naming and tuning parameters.  If you do, then you can create your
-  own malloc.h that does include all settings by cutting at the point
-  indicated below. Note that you may already by default be using a C
-  library containing a malloc that is based on some version of this
-  malloc (for example in linux). You might still want to use the one
-  in this file to customize settings or to avoid overheads associated
-  with library versions.
-
-* Vital statistics:
-
-  Supported pointer/size_t representation:       4 or 8 bytes
-       size_t MUST be an unsigned type of the same width as
-       pointers. (If you are using an ancient system that declares
-       size_t as a signed type, or need it to be a different width
-       than pointers, you can use a previous release of this malloc
-       (e.g. 2.7.2) supporting these.)
-
-  Alignment:                                     8 bytes (default)
-       This suffices for nearly all current machines and C compilers.
-       However, you can define MALLOC_ALIGNMENT to be wider than this
-       if necessary (up to 128bytes), at the expense of using more space.
-
-  Minimum overhead per allocated chunk:   4 or  8 bytes (if 4byte sizes)
-                                          8 or 16 bytes (if 8byte sizes)
-       Each malloced chunk has a hidden word of overhead holding size
-       and status information, and additional cross-check word
-       if FOOTERS is defined.
-
-  Minimum allocated size: 4-byte ptrs:  16 bytes    (including overhead)
-                          8-byte ptrs:  32 bytes    (including overhead)
-
-       Even a request for zero bytes (i.e., malloc(0)) returns a
-       pointer to something of the minimum allocatable size.
-       The maximum overhead wastage (i.e., number of extra bytes
-       allocated than were requested in malloc) is less than or equal
-       to the minimum size, except for requests >= mmap_threshold that
-       are serviced via mmap(), where the worst case wastage is about
-       32 bytes plus the remainder from a system page (the minimal
-       mmap unit); typically 4096 or 8192 bytes.
-
-  Security: static-safe; optionally more or less
-       The "security" of malloc refers to the ability of malicious
-       code to accentuate the effects of errors (for example, freeing
-       space that is not currently malloc'ed or overwriting past the
-       ends of chunks) in code that calls malloc.  This malloc
-       guarantees not to modify any memory locations below the base of
-       heap, i.e., static variables, even in the presence of usage
-       errors.  The routines additionally detect most improper frees
-       and reallocs.  All this holds as long as the static bookkeeping
-       for malloc itself is not corrupted by some other means.  This
-       is only one aspect of security -- these checks do not, and
-       cannot, detect all possible programming errors.
-
-       If FOOTERS is defined nonzero, then each allocated chunk
-       carries an additional check word to verify that it was malloced
-       from its space.  These check words are the same within each
-       execution of a program using malloc, but differ across
-       executions, so externally crafted fake chunks cannot be
-       freed. This improves security by rejecting frees/reallocs that
-       could corrupt heap memory, in addition to the checks preventing
-       writes to statics that are always on.  This may further improve
-       security at the expense of time and space overhead.  (Note that
-       FOOTERS may also be worth using with MSPACES.)
-
-       By default detected errors cause the program to abort (calling
-       "abort()"). You can override this to instead proceed past
-       errors by defining PROCEED_ON_ERROR.  In this case, a bad free
-       has no effect, and a malloc that encounters a bad address
-       caused by user overwrites will ignore the bad address by
-       dropping pointers and indices to all known memory. This may
-       be appropriate for programs that should continue if at all
-       possible in the face of programming errors, although they may
-       run out of memory because dropped memory is never reclaimed.
-
-       If you don't like either of these options, you can define
-       CORRUPTION_ERROR_ACTION and USAGE_ERROR_ACTION to do anything
-       else. And if if you are sure that your program using malloc has
-       no errors or vulnerabilities, you can define INSECURE to 1,
-       which might (or might not) provide a small performance improvement.
-
-  Thread-safety: NOT thread-safe unless USE_LOCKS defined
-       When USE_LOCKS is defined, each public call to malloc, free,
-       etc is surrounded with either a pthread mutex or a win32
-       spinlock (depending on WIN32). This is not especially fast, and
-       can be a major bottleneck.  It is designed only to provide
-       minimal protection in concurrent environments, and to provide a
-       basis for extensions.  If you are using malloc in a concurrent
-       program, consider instead using ptmalloc, which is derived from
-       a version of this malloc. (See http://www.malloc.de).
-
-  System requirements: Any combination of MORECORE and/or MMAP/MUNMAP
-       This malloc can use unix sbrk or any emulation (invoked using
-       the CALL_MORECORE macro) and/or mmap/munmap or any emulation
-       (invoked using CALL_MMAP/CALL_MUNMAP) to get and release system
-       memory.  On most unix systems, it tends to work best if both
-       MORECORE and MMAP are enabled.  On Win32, it uses emulations
-       based on VirtualAlloc. It also uses common C library functions
-       like memset.
-
-  Compliance: I believe it is compliant with the Single Unix Specification
-       (See http://www.unix.org). Also SVID/XPG, ANSI C, and probably
-       others as well.
-
-* Overview of algorithms
-
-  This is not the fastest, most space-conserving, most portable, or
-  most tunable malloc ever written. However it is among the fastest
-  while also being among the most space-conserving, portable and
-  tunable.  Consistent balance across these factors results in a good
-  general-purpose allocator for malloc-intensive programs.
-
-  In most ways, this malloc is a best-fit allocator. Generally, it
-  chooses the best-fitting existing chunk for a request, with ties
-  broken in approximately least-recently-used order. (This strategy
-  normally maintains low fragmentation.) However, for requests less
-  than 256bytes, it deviates from best-fit when there is not an
-  exactly fitting available chunk by preferring to use space adjacent
-  to that used for the previous small request, as well as by breaking
-  ties in approximately most-recently-used order. (These enhance
-  locality of series of small allocations.)  And for very large requests
-  (>= 256Kb by default), it relies on system memory mapping
-  facilities, if supported.  (This helps avoid carrying around and
-  possibly fragmenting memory used only for large chunks.)
-
-  All operations (except malloc_stats and mallinfo) have execution
-  times that are bounded by a constant factor of the number of bits in
-  a size_t, not counting any clearing in calloc or copying in realloc,
-  or actions surrounding MORECORE and MMAP that have times
-  proportional to the number of non-contiguous regions returned by
-  system allocation routines, which is often just 1.
-
-  The implementation is not very modular and seriously overuses
-  macros. Perhaps someday all C compilers will do as good a job
-  inlining modular code as can now be done by brute-force expansion,
-  but now, enough of them seem not to.
-
-  Some compilers issue a lot of warnings about code that is
-  dead/unreachable only on some platforms, and also about intentional
-  uses of negation on unsigned types. All known cases of each can be
-  ignored.
-
-  For a longer but out of date high-level description, see
-     http://gee.cs.oswego.edu/dl/html/malloc.html
-
-* MSPACES
-  If MSPACES is defined, then in addition to malloc, free, etc.,
-  this file also defines mspace_malloc, mspace_free, etc. These
-  are versions of malloc routines that take an "mspace" argument
-  obtained using create_mspace, to control all internal bookkeeping.
-  If ONLY_MSPACES is defined, only these versions are compiled.
-  So if you would like to use this allocator for only some allocations,
-  and your system malloc for others, you can compile with
-  ONLY_MSPACES and then do something like...
-    static mspace mymspace = create_mspace(0,0); // for example
-    #define mymalloc(bytes)  mspace_malloc(mymspace, bytes)
-
-  (Note: If you only need one instance of an mspace, you can instead
-  use "USE_DL_PREFIX" to relabel the global malloc.)
-
-  You can similarly create thread-local allocators by storing
-  mspaces as thread-locals. For example:
-    static __thread mspace tlms = 0;
-    void*  tlmalloc(size_t bytes) {
-      if (tlms == 0) tlms = create_mspace(0, 0);
-      return mspace_malloc(tlms, bytes);
-    }
-    void  tlfree(void* mem) { mspace_free(tlms, mem); }
-
-  Unless FOOTERS is defined, each mspace is completely independent.
-  You cannot allocate from one and free to another (although
-  conformance is only weakly checked, so usage errors are not always
-  caught). If FOOTERS is defined, then each chunk carries around a tag
-  indicating its originating mspace, and frees are directed to their
-  originating spaces.
-
- -------------------------  Compile-time options ---------------------------
-
-Be careful in setting #define values for numerical constants of type
-size_t. On some systems, literal values are not automatically extended
-to size_t precision unless they are explicitly casted.
-
-WIN32                    default: defined if _WIN32 defined
-  Defining WIN32 sets up defaults for MS environment and compilers.
-  Otherwise defaults are for unix.
-
-MALLOC_ALIGNMENT         default: (size_t)8
-  Controls the minimum alignment for malloc'ed chunks.  It must be a
-  power of two and at least 8, even on machines for which smaller
-  alignments would suffice. It may be defined as larger than this
-  though. Note however that code and data structures are optimized for
-  the case of 8-byte alignment.
-
-MSPACES                  default: 0 (false)
-  If true, compile in support for independent allocation spaces.
-  This is only supported if HAVE_MMAP is true.
-
-ONLY_MSPACES             default: 0 (false)
-  If true, only compile in mspace versions, not regular versions.
-
-USE_LOCKS                default: 0 (false)
-  Causes each call to each public routine to be surrounded with
-  pthread or WIN32 mutex lock/unlock. (If set true, this can be
-  overridden on a per-mspace basis for mspace versions.)
-
-FOOTERS                  default: 0
-  If true, provide extra checking and dispatching by placing
-  information in the footers of allocated chunks. This adds
-  space and time overhead.
-
-INSECURE                 default: 0
-  If true, omit checks for usage errors and heap space overwrites.
-
-USE_DL_PREFIX            default: NOT defined
-  Causes compiler to prefix all public routines with the string 'dl'.
-  This can be useful when you only want to use this malloc in one part
-  of a program, using your regular system malloc elsewhere.
-
-ABORT                    default: defined as abort()
-  Defines how to abort on failed checks.  On most systems, a failed
-  check cannot die with an "assert" or even print an informative
-  message, because the underlying print routines in turn call malloc,
-  which will fail again.  Generally, the best policy is to simply call
-  abort(). It's not very useful to do more than this because many
-  errors due to overwriting will show up as address faults (null, odd
-  addresses etc) rather than malloc-triggered checks, so will also
-  abort.  Also, most compilers know that abort() does not return, so
-  can better optimize code conditionally calling it.
-
-PROCEED_ON_ERROR           default: defined as 0 (false)
-  Controls whether detected bad addresses cause them to bypassed
-  rather than aborting. If set, detected bad arguments to free and
-  realloc are ignored. And all bookkeeping information is zeroed out
-  upon a detected overwrite of freed heap space, thus losing the
-  ability to ever return it from malloc again, but enabling the
-  application to proceed. If PROCEED_ON_ERROR is defined, the
-  static variable malloc_corruption_error_count is compiled in
-  and can be examined to see if errors have occurred. This option
-  generates slower code than the default abort policy.
-
-DEBUG                    default: NOT defined
-  The DEBUG setting is mainly intended for people trying to modify
-  this code or diagnose problems when porting to new platforms.
-  However, it may also be able to better isolate user errors than just
-  using runtime checks.  The assertions in the check routines spell
-  out in more detail the assumptions and invariants underlying the
-  algorithms.  The checking is fairly extensive, and will slow down
-  execution noticeably. Calling malloc_stats or mallinfo with DEBUG
-  set will attempt to check every non-mmapped allocated and free chunk
-  in the course of computing the summaries.
-
-ABORT_ON_ASSERT_FAILURE   default: defined as 1 (true)
-  Debugging assertion failures can be nearly impossible if your
-  version of the assert macro causes malloc to be called, which will
-  lead to a cascade of further failures, blowing the runtime stack.
-  ABORT_ON_ASSERT_FAILURE cause assertions failures to call abort(),
-  which will usually make debugging easier.
-
-MALLOC_FAILURE_ACTION     default: sets errno to ENOMEM, or no-op on win32
-  The action to take before "return 0" when malloc fails to be able to
-  return memory because there is none available.
-
-HAVE_MORECORE             default: 1 (true) unless win32 or ONLY_MSPACES
-  True if this system supports sbrk or an emulation of it.
-
-MORECORE                  default: sbrk
-  The name of the sbrk-style system routine to call to obtain more
-  memory.  See below for guidance on writing custom MORECORE
-  functions. The type of the argument to sbrk/MORECORE varies across
-  systems.  It cannot be size_t, because it supports negative
-  arguments, so it is normally the signed type of the same width as
-  size_t (sometimes declared as "intptr_t").  It doesn't much matter
-  though. Internally, we only call it with arguments less than half
-  the max value of a size_t, which should work across all reasonable
-  possibilities, although sometimes generating compiler warnings.  See
-  near the end of this file for guidelines for creating a custom
-  version of MORECORE.
-
-MORECORE_CONTIGUOUS       default: 1 (true)
-  If true, take advantage of fact that consecutive calls to MORECORE
-  with positive arguments always return contiguous increasing
-  addresses.  This is true of unix sbrk. It does not hurt too much to
-  set it true anyway, since malloc copes with non-contiguities.
-  Setting it false when definitely non-contiguous saves time
-  and possibly wasted space it would take to discover this though.
-
-MORECORE_CANNOT_TRIM      default: NOT defined
-  True if MORECORE cannot release space back to the system when given
-  negative arguments. This is generally necessary only if you are
-  using a hand-crafted MORECORE function that cannot handle negative
-  arguments.
-
-HAVE_MMAP                 default: 1 (true)
-  True if this system supports mmap or an emulation of it.  If so, and
-  HAVE_MORECORE is not true, MMAP is used for all system
-  allocation. If set and HAVE_MORECORE is true as well, MMAP is
-  primarily used to directly allocate very large blocks. It is also
-  used as a backup strategy in cases where MORECORE fails to provide
-  space from system. Note: A single call to MUNMAP is assumed to be
-  able to unmap memory that may have be allocated using multiple calls
-  to MMAP, so long as they are adjacent.
-
-HAVE_MREMAP               default: 1 on linux, else 0
-  If true realloc() uses mremap() to re-allocate large blocks and
-  extend or shrink allocation spaces.
-
-MMAP_CLEARS               default: 1 on unix
-  True if mmap clears memory so calloc doesn't need to. This is true
-  for standard unix mmap using /dev/zero.
-
-USE_BUILTIN_FFS            default: 0 (i.e., not used)
-  Causes malloc to use the builtin ffs() function to compute indices.
-  Some compilers may recognize and intrinsify ffs to be faster than the
-  supplied C version. Also, the case of x86 using gcc is special-cased
-  to an asm instruction, so is already as fast as it can be, and so
-  this setting has no effect. (On most x86s, the asm version is only
-  slightly faster than the C version.)
-
-malloc_getpagesize         default: derive from system includes, or 4096.
-  The system page size. To the extent possible, this malloc manages
-  memory from the system in page-size units.  This may be (and
-  usually is) a function rather than a constant. This is ignored
-  if WIN32, where page size is determined using getSystemInfo during
-  initialization.
-
-USE_DEV_RANDOM             default: 0 (i.e., not used)
-  Causes malloc to use /dev/random to initialize secure magic seed for
-  stamping footers. Otherwise, the current time is used.
-
-NO_MALLINFO                default: 0
-  If defined, don't compile "mallinfo". This can be a simple way
-  of dealing with mismatches between system declarations and
-  those in this file.
-
-MALLINFO_FIELD_TYPE        default: size_t
-  The type of the fields in the mallinfo struct. This was originally
-  defined as "int" in SVID etc, but is more usefully defined as
-  size_t. The value is used only if  HAVE_USR_INCLUDE_MALLOC_H is not set
-
-REALLOC_ZERO_BYTES_FREES    default: not defined
-  This should be set if a call to realloc with zero bytes should 
-  be the same as a call to free. Some people think it should. Otherwise, 
-  since this malloc returns a unique pointer for malloc(0), so does 
-  realloc(p, 0).
-
-LACKS_UNISTD_H, LACKS_FCNTL_H, LACKS_SYS_PARAM_H, LACKS_SYS_MMAN_H
-LACKS_STRINGS_H, LACKS_STRING_H, LACKS_SYS_TYPES_H,  LACKS_ERRNO_H
-LACKS_STDLIB_H                default: NOT defined unless on WIN32
-  Define these if your system does not have these header files.
-  You might need to manually insert some of the declarations they provide.
-
-DEFAULT_GRANULARITY        default: page size if MORECORE_CONTIGUOUS,
-                                system_info.dwAllocationGranularity in WIN32,
-                                otherwise 64K.
-      Also settable using mallopt(M_GRANULARITY, x)
-  The unit for allocating and deallocating memory from the system.  On
-  most systems with contiguous MORECORE, there is no reason to
-  make this more than a page. However, systems with MMAP tend to
-  either require or encourage larger granularities.  You can increase
-  this value to prevent system allocation functions to be called so
-  often, especially if they are slow.  The value must be at least one
-  page and must be a power of two.  Setting to 0 causes initialization
-  to either page size or win32 region size.  (Note: In previous
-  versions of malloc, the equivalent of this option was called
-  "TOP_PAD")
-
-DEFAULT_TRIM_THRESHOLD    default: 2MB
-      Also settable using mallopt(M_TRIM_THRESHOLD, x)
-  The maximum amount of unused top-most memory to keep before
-  releasing via malloc_trim in free().  Automatic trimming is mainly
-  useful in long-lived programs using contiguous MORECORE.  Because
-  trimming via sbrk can be slow on some systems, and can sometimes be
-  wasteful (in cases where programs immediately afterward allocate
-  more large chunks) the value should be high enough so that your
-  overall system performance would improve by releasing this much
-  memory.  As a rough guide, you might set to a value close to the
-  average size of a process (program) running on your system.
-  Releasing this much memory would allow such a process to run in
-  memory.  Generally, it is worth tuning trim thresholds when a
-  program undergoes phases where several large chunks are allocated
-  and released in ways that can reuse each other's storage, perhaps
-  mixed with phases where there are no such chunks at all. The trim
-  value must be greater than page size to have any useful effect.  To
-  disable trimming completely, you can set to MAX_SIZE_T. Note that the trick
-  some people use of mallocing a huge space and then freeing it at
-  program startup, in an attempt to reserve system memory, doesn't
-  have the intended effect under automatic trimming, since that memory
-  will immediately be returned to the system.
-
-DEFAULT_MMAP_THRESHOLD       default: 256K
-      Also settable using mallopt(M_MMAP_THRESHOLD, x)
-  The request size threshold for using MMAP to directly service a
-  request. Requests of at least this size that cannot be allocated
-  using already-existing space will be serviced via mmap.  (If enough
-  normal freed space already exists it is used instead.)  Using mmap
-  segregates relatively large chunks of memory so that they can be
-  individually obtained and released from the host system. A request
-  serviced through mmap is never reused by any other request (at least
-  not directly; the system may just so happen to remap successive
-  requests to the same locations).  Segregating space in this way has
-  the benefits that: Mmapped space can always be individually released
-  back to the system, which helps keep the system level memory demands
-  of a long-lived program low.  Also, mapped memory doesn't become
-  `locked' between other chunks, as can happen with normally allocated
-  chunks, which means that even trimming via malloc_trim would not
-  release them.  However, it has the disadvantage that the space
-  cannot be reclaimed, consolidated, and then used to service later
-  requests, as happens with normal chunks.  The advantages of mmap
-  nearly always outweigh disadvantages for "large" chunks, but the
-  value of "large" may vary across systems.  The default is an
-  empirically derived value that works well in most systems. You can
-  disable mmap by setting to MAX_SIZE_T.
-
-*/
-
-#ifndef WIN32
-#ifdef _WIN32
-#define WIN32 1
-#endif  /* _WIN32 */
-#endif  /* WIN32 */
-#ifdef WIN32
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#define HAVE_MMAP 1
-#define HAVE_MORECORE 0
-#define LACKS_UNISTD_H
-#define LACKS_SYS_PARAM_H
-#define LACKS_SYS_MMAN_H
-#define LACKS_STRING_H
-#define LACKS_STRINGS_H
-#define LACKS_SYS_TYPES_H
-#define LACKS_ERRNO_H
-#define MALLOC_FAILURE_ACTION
-#define MMAP_CLEARS 0 /* WINCE and some others apparently don't clear */
-#endif  /* WIN32 */
-
-#if defined(DARWIN) || defined(_DARWIN)
-/* Mac OSX docs advise not to use sbrk; it seems better to use mmap */
-#ifndef HAVE_MORECORE
-#define HAVE_MORECORE 0
-#define HAVE_MMAP 1
-#endif  /* HAVE_MORECORE */
-#endif  /* DARWIN */
-
-#ifndef LACKS_SYS_TYPES_H
-#include <sys/types.h>  /* For size_t */
-#endif  /* LACKS_SYS_TYPES_H */
-
-/* The maximum possible size_t value has all bits set */
-#define MAX_SIZE_T           (~(size_t)0)
-
-#ifndef ONLY_MSPACES
-#define ONLY_MSPACES 0
-#endif  /* ONLY_MSPACES */
-#ifndef MSPACES
-#if ONLY_MSPACES
-#define MSPACES 1
-#else   /* ONLY_MSPACES */
-#define MSPACES 0
-#endif  /* ONLY_MSPACES */
-#endif  /* MSPACES */
-#ifndef MALLOC_ALIGNMENT
-#define MALLOC_ALIGNMENT ((size_t)8U)
-#endif  /* MALLOC_ALIGNMENT */
-#ifndef FOOTERS
-#define FOOTERS 0
-#endif  /* FOOTERS */
-#ifndef ABORT
-#define ABORT  abort()
-#endif  /* ABORT */
-#ifndef ABORT_ON_ASSERT_FAILURE
-#define ABORT_ON_ASSERT_FAILURE 1
-#endif  /* ABORT_ON_ASSERT_FAILURE */
-#ifndef PROCEED_ON_ERROR
-#define PROCEED_ON_ERROR 0
-#endif  /* PROCEED_ON_ERROR */
-#ifndef USE_LOCKS
-#define USE_LOCKS 0
-#endif  /* USE_LOCKS */
-#ifndef INSECURE
-#define INSECURE 0
-#endif  /* INSECURE */
-#ifndef HAVE_MMAP
-#define HAVE_MMAP 1
-#endif  /* HAVE_MMAP */
-#ifndef MMAP_CLEARS
-#define MMAP_CLEARS 1
-#endif  /* MMAP_CLEARS */
-#ifndef HAVE_MREMAP
-#ifdef linux
-#define HAVE_MREMAP 1
-#else   /* linux */
-#define HAVE_MREMAP 0
-#endif  /* linux */
-#endif  /* HAVE_MREMAP */
-#ifndef MALLOC_FAILURE_ACTION
-#define MALLOC_FAILURE_ACTION  errno = ENOMEM;
-#endif  /* MALLOC_FAILURE_ACTION */
-#ifndef HAVE_MORECORE
-#if ONLY_MSPACES
-#define HAVE_MORECORE 0
-#else   /* ONLY_MSPACES */
-#define HAVE_MORECORE 1
-#endif  /* ONLY_MSPACES */
-#endif  /* HAVE_MORECORE */
-#if !HAVE_MORECORE
-#define MORECORE_CONTIGUOUS 0
-#else   /* !HAVE_MORECORE */
-#ifndef MORECORE
-#define MORECORE sbrk
-#endif  /* MORECORE */
-#ifndef MORECORE_CONTIGUOUS
-#define MORECORE_CONTIGUOUS 1
-#endif  /* MORECORE_CONTIGUOUS */
-#endif  /* HAVE_MORECORE */
-#ifndef DEFAULT_GRANULARITY
-#if MORECORE_CONTIGUOUS
-#define DEFAULT_GRANULARITY (0)  /* 0 means to compute in init_mparams */
-#else   /* MORECORE_CONTIGUOUS */
-#define DEFAULT_GRANULARITY ((size_t)64U * (size_t)1024U)
-#endif  /* MORECORE_CONTIGUOUS */
-#endif  /* DEFAULT_GRANULARITY */
-#ifndef DEFAULT_TRIM_THRESHOLD
-#ifndef MORECORE_CANNOT_TRIM
-#define DEFAULT_TRIM_THRESHOLD ((size_t)2U * (size_t)1024U * (size_t)1024U)
-#else   /* MORECORE_CANNOT_TRIM */
-#define DEFAULT_TRIM_THRESHOLD MAX_SIZE_T
-#endif  /* MORECORE_CANNOT_TRIM */
-#endif  /* DEFAULT_TRIM_THRESHOLD */
-#ifndef DEFAULT_MMAP_THRESHOLD
-#if HAVE_MMAP
-#define DEFAULT_MMAP_THRESHOLD ((size_t)256U * (size_t)1024U)
-#else   /* HAVE_MMAP */
-#define DEFAULT_MMAP_THRESHOLD MAX_SIZE_T
-#endif  /* HAVE_MMAP */
-#endif  /* DEFAULT_MMAP_THRESHOLD */
-#ifndef USE_BUILTIN_FFS
-#define USE_BUILTIN_FFS 0
-#endif  /* USE_BUILTIN_FFS */
-#ifndef USE_DEV_RANDOM
-#define USE_DEV_RANDOM 0
-#endif  /* USE_DEV_RANDOM */
-#ifndef NO_MALLINFO
-#define NO_MALLINFO 0
-#endif  /* NO_MALLINFO */
-#ifndef MALLINFO_FIELD_TYPE
-#define MALLINFO_FIELD_TYPE size_t
-#endif  /* MALLINFO_FIELD_TYPE */
-
-/*
-  mallopt tuning options.  SVID/XPG defines four standard parameter
-  numbers for mallopt, normally defined in malloc.h.  None of these
-  are used in this malloc, so setting them has no effect. But this
-  malloc does support the following options.
-*/
-
-#define M_TRIM_THRESHOLD     (-1)
-#define M_GRANULARITY        (-2)
-#define M_MMAP_THRESHOLD     (-3)
-
-/* ------------------------ Mallinfo declarations ------------------------ */
-
-#if !NO_MALLINFO
-/*
-  This version of malloc supports the standard SVID/XPG mallinfo
-  routine that returns a struct containing usage properties and
-  statistics. It should work on any system that has a
-  /usr/include/malloc.h defining struct mallinfo.  The main
-  declaration needed is the mallinfo struct that is returned (by-copy)
-  by mallinfo().  The malloinfo struct contains a bunch of fields that
-  are not even meaningful in this version of malloc.  These fields are
-  are instead filled by mallinfo() with other numbers that might be of
-  interest.
-
-  HAVE_USR_INCLUDE_MALLOC_H should be set if you have a
-  /usr/include/malloc.h file that includes a declaration of struct
-  mallinfo.  If so, it is included; else a compliant version is
-  declared below.  These must be precisely the same for mallinfo() to
-  work.  The original SVID version of this struct, defined on most
-  systems with mallinfo, declares all fields as ints. But some others
-  define as unsigned long. If your system defines the fields using a
-  type of different width than listed here, you MUST #include your
-  system version and #define HAVE_USR_INCLUDE_MALLOC_H.
-*/
-
-/* #define HAVE_USR_INCLUDE_MALLOC_H */
-
-#ifdef HAVE_USR_INCLUDE_MALLOC_H
-#include "/usr/include/malloc.h"
-#else /* HAVE_USR_INCLUDE_MALLOC_H */
-
-struct mallinfo {
-  MALLINFO_FIELD_TYPE arena;    /* non-mmapped space allocated from system */
-  MALLINFO_FIELD_TYPE ordblks;  /* number of free chunks */
-  MALLINFO_FIELD_TYPE smblks;   /* always 0 */
-  MALLINFO_FIELD_TYPE hblks;    /* always 0 */
-  MALLINFO_FIELD_TYPE hblkhd;   /* space in mmapped regions */
-  MALLINFO_FIELD_TYPE usmblks;  /* maximum total allocated space */
-  MALLINFO_FIELD_TYPE fsmblks;  /* always 0 */
-  MALLINFO_FIELD_TYPE uordblks; /* total allocated space */
-  MALLINFO_FIELD_TYPE fordblks; /* total free space */
-  MALLINFO_FIELD_TYPE keepcost; /* releasable (via malloc_trim) space */
-};
-
-#endif /* HAVE_USR_INCLUDE_MALLOC_H */
-#endif /* NO_MALLINFO */
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-#if !ONLY_MSPACES
-
-/* ------------------- Declarations of public routines ------------------- */
-
-#ifndef USE_DL_PREFIX
-#define dlcalloc               calloc
-#define dlfree                 free
-#define dlmalloc               malloc
-#define dlmemalign             memalign
-#define dlrealloc              realloc
-#define dlvalloc               valloc
-#define dlpvalloc              pvalloc
-#define dlmallinfo             mallinfo
-#define dlmallopt              mallopt
-#define dlmalloc_trim          malloc_trim
-#define dlmalloc_stats         malloc_stats
-#define dlmalloc_usable_size   malloc_usable_size
-#define dlmalloc_footprint     malloc_footprint
-#define dlmalloc_max_footprint malloc_max_footprint
-#define dlindependent_calloc   independent_calloc
-#define dlindependent_comalloc independent_comalloc
-#endif /* USE_DL_PREFIX */
-
-
-/*
-  malloc(size_t n)
-  Returns a pointer to a newly allocated chunk of at least n bytes, or
-  null if no space is available, in which case errno is set to ENOMEM
-  on ANSI C systems.
-
-  If n is zero, malloc returns a minimum-sized chunk. (The minimum
-  size is 16 bytes on most 32bit systems, and 32 bytes on 64bit
-  systems.)  Note that size_t is an unsigned type, so calls with
-  arguments that would be negative if signed are interpreted as
-  requests for huge amounts of space, which will often fail. The
-  maximum supported value of n differs across systems, but is in all
-  cases less than the maximum representable value of a size_t.
-*/
-void* dlmalloc(size_t);
-
-/*
-  free(void* p)
-  Releases the chunk of memory pointed to by p, that had been previously
-  allocated using malloc or a related routine such as realloc.
-  It has no effect if p is null. If p was not malloced or already
-  freed, free(p) will by default cause the current program to abort.
-*/
-void  dlfree(void*);
-
-/*
-  calloc(size_t n_elements, size_t element_size);
-  Returns a pointer to n_elements * element_size bytes, with all locations
-  set to zero.
-*/
-void* dlcalloc(size_t, size_t);
-
-/*
-  realloc(void* p, size_t n)
-  Returns a pointer to a chunk of size n that contains the same data
-  as does chunk p up to the minimum of (n, p's size) bytes, or null
-  if no space is available.
-
-  The returned pointer may or may not be the same as p. The algorithm
-  prefers extending p in most cases when possible, otherwise it
-  employs the equivalent of a malloc-copy-free sequence.
-
-  If p is null, realloc is equivalent to malloc.
-
-  If space is not available, realloc returns null, errno is set (if on
-  ANSI) and p is NOT freed.
-
-  if n is for fewer bytes than already held by p, the newly unused
-  space is lopped off and freed if possible.  realloc with a size
-  argument of zero (re)allocates a minimum-sized chunk.
-
-  The old unix realloc convention of allowing the last-free'd chunk
-  to be used as an argument to realloc is not supported.
-*/
-
-void* dlrealloc(void*, size_t);
-
-/*
-  memalign(size_t alignment, size_t n);
-  Returns a pointer to a newly allocated chunk of n bytes, aligned
-  in accord with the alignment argument.
-
-  The alignment argument should be a power of two. If the argument is
-  not a power of two, the nearest greater power is used.
-  8-byte alignment is guaranteed by normal malloc calls, so don't
-  bother calling memalign with an argument of 8 or less.
-
-  Overreliance on memalign is a sure way to fragment space.
-*/
-void* dlmemalign(size_t, size_t);
-
-/*
-  valloc(size_t n);
-  Equivalent to memalign(pagesize, n), where pagesize is the page
-  size of the system. If the pagesize is unknown, 4096 is used.
-*/
-void* dlvalloc(size_t);
-
-/*
-  mallopt(int parameter_number, int parameter_value)
-  Sets tunable parameters The format is to provide a
-  (parameter-number, parameter-value) pair.  mallopt then sets the
-  corresponding parameter to the argument value if it can (i.e., so
-  long as the value is meaningful), and returns 1 if successful else
-  0.  SVID/XPG/ANSI defines four standard param numbers for mallopt,
-  normally defined in malloc.h.  None of these are use in this malloc,
-  so setting them has no effect. But this malloc also supports other
-  options in mallopt. See below for details.  Briefly, supported
-  parameters are as follows (listed defaults are for "typical"
-  configurations).
-
-  Symbol            param #  default    allowed param values
-  M_TRIM_THRESHOLD     -1   2*1024*1024   any   (MAX_SIZE_T disables)
-  M_GRANULARITY        -2     page size   any power of 2 >= page size
-  M_MMAP_THRESHOLD     -3      256*1024   any   (or 0 if no MMAP support)
-*/
-int dlmallopt(int, int);
-
-/*
-  malloc_footprint();
-  Returns the number of bytes obtained from the system.  The total
-  number of bytes allocated by malloc, realloc etc., is less than this
-  value. Unlike mallinfo, this function returns only a precomputed
-  result, so can be called frequently to monitor memory consumption.
-  Even if locks are otherwise defined, this function does not use them,
-  so results might not be up to date.
-*/
-size_t dlmalloc_footprint(void);
-
-/*
-  malloc_max_footprint();
-  Returns the maximum number of bytes obtained from the system. This
-  value will be greater than current footprint if deallocated space
-  has been reclaimed by the system. The peak number of bytes allocated
-  by malloc, realloc etc., is less than this value. Unlike mallinfo,
-  this function returns only a precomputed result, so can be called
-  frequently to monitor memory consumption.  Even if locks are
-  otherwise defined, this function does not use them, so results might
-  not be up to date.
-*/
-size_t dlmalloc_max_footprint(void);
-
-#if !NO_MALLINFO
-/*
-  mallinfo()
-  Returns (by copy) a struct containing various summary statistics:
-
-  arena:     current total non-mmapped bytes allocated from system
-  ordblks:   the number of free chunks
-  smblks:    always zero.
-  hblks:     current number of mmapped regions
-  hblkhd:    total bytes held in mmapped regions
-  usmblks:   the maximum total allocated space. This will be greater
-                than current total if trimming has occurred.
-  fsmblks:   always zero
-  uordblks:  current total allocated space (normal or mmapped)
-  fordblks:  total free space
-  keepcost:  the maximum number of bytes that could ideally be released
-               back to system via malloc_trim. ("ideally" means that
-               it ignores page restrictions etc.)
-
-  Because these fields are ints, but internal bookkeeping may
-  be kept as longs, the reported values may wrap around zero and
-  thus be inaccurate.
-*/
-struct mallinfo dlmallinfo(void);
-#endif /* NO_MALLINFO */
-
-/*
-  independent_calloc(size_t n_elements, size_t element_size, void* chunks[]);
-
-  independent_calloc is similar to calloc, but instead of returning a
-  single cleared space, it returns an array of pointers to n_elements
-  independent elements that can hold contents of size elem_size, each
-  of which starts out cleared, and can be independently freed,
-  realloc'ed etc. The elements are guaranteed to be adjacently
-  allocated (this is not guaranteed to occur with multiple callocs or
-  mallocs), which may also improve cache locality in some
-  applications.
-
-  The "chunks" argument is optional (i.e., may be null, which is
-  probably the most typical usage). If it is null, the returned array
-  is itself dynamically allocated and should also be freed when it is
-  no longer needed. Otherwise, the chunks array must be of at least
-  n_elements in length. It is filled in with the pointers to the
-  chunks.
-
-  In either case, independent_calloc returns this pointer array, or
-  null if the allocation failed.  If n_elements is zero and "chunks"
-  is null, it returns a chunk representing an array with zero elements
-  (which should be freed if not wanted).
-
-  Each element must be individually freed when it is no longer
-  needed. If you'd like to instead be able to free all at once, you
-  should instead use regular calloc and assign pointers into this
-  space to represent elements.  (In this case though, you cannot
-  independently free elements.)
-
-  independent_calloc simplifies and speeds up implementations of many
-  kinds of pools.  It may also be useful when constructing large data
-  structures that initially have a fixed number of fixed-sized nodes,
-  but the number is not known at compile time, and some of the nodes
-  may later need to be freed. For example:
-
-  struct Node { int item; struct Node* next; };
-
-  struct Node* build_list() {
-    struct Node** pool;
-    int n = read_number_of_nodes_needed();
-    if (n <= 0) return 0;
-    pool = (struct Node**)(independent_calloc(n, sizeof(struct Node), 0);
-    if (pool == 0) die();
-    // organize into a linked list...
-    struct Node* first = pool[0];
-    for (i = 0; i < n-1; ++i)
-      pool[i]->next = pool[i+1];
-    free(pool);     // Can now free the array (or not, if it is needed later)
-    return first;
-  }
-*/
-void** dlindependent_calloc(size_t, size_t, void**);
-
-/*
-  independent_comalloc(size_t n_elements, size_t sizes[], void* chunks[]);
-
-  independent_comalloc allocates, all at once, a set of n_elements
-  chunks with sizes indicated in the "sizes" array.    It returns
-  an array of pointers to these elements, each of which can be
-  independently freed, realloc'ed etc. The elements are guaranteed to
-  be adjacently allocated (this is not guaranteed to occur with
-  multiple callocs or mallocs), which may also improve cache locality
-  in some applications.
-
-  The "chunks" argument is optional (i.e., may be null). If it is null
-  the returned array is itself dynamically allocated and should also
-  be freed when it is no longer needed. Otherwise, the chunks array
-  must be of at least n_elements in length. It is filled in with the
-  pointers to the chunks.
-
-  In either case, independent_comalloc returns this pointer array, or
-  null if the allocation failed.  If n_elements is zero and chunks is
-  null, it returns a chunk representing an array with zero elements
-  (which should be freed if not wanted).
-
-  Each element must be individually freed when it is no longer
-  needed. If you'd like to instead be able to free all at once, you
-  should instead use a single regular malloc, and assign pointers at
-  particular offsets in the aggregate space. (In this case though, you
-  cannot independently free elements.)
-
-  independent_comallac differs from independent_calloc in that each
-  element may have a different size, and also that it does not
-  automatically clear elements.
-
-  independent_comalloc can be used to speed up allocation in cases
-  where several structs or objects must always be allocated at the
-  same time.  For example:
-
-  struct Head { ... }
-  struct Foot { ... }
-
-  void send_message(char* msg) {
-    int msglen = strlen(msg);
-    size_t sizes[3] = { sizeof(struct Head), msglen, sizeof(struct Foot) };
-    void* chunks[3];
-    if (independent_comalloc(3, sizes, chunks) == 0)
-      die();
-    struct Head* head = (struct Head*)(chunks[0]);
-    char*        body = (char*)(chunks[1]);
-    struct Foot* foot = (struct Foot*)(chunks[2]);
-    // ...
-  }
-
-  In general though, independent_comalloc is worth using only for
-  larger values of n_elements. For small values, you probably won't
-  detect enough difference from series of malloc calls to bother.
-
-  Overuse of independent_comalloc can increase overall memory usage,
-  since it cannot reuse existing noncontiguous small chunks that
-  might be available for some of the elements.
-*/
-void** dlindependent_comalloc(size_t, size_t*, void**);
-
-
-/*
-  pvalloc(size_t n);
-  Equivalent to valloc(minimum-page-that-holds(n)), that is,
-  round up n to nearest pagesize.
- */
-void*  dlpvalloc(size_t);
-
-/*
-  malloc_trim(size_t pad);
-
-  If possible, gives memory back to the system (via negative arguments
-  to sbrk) if there is unused memory at the `high' end of the malloc
-  pool or in unused MMAP segments. You can call this after freeing
-  large blocks of memory to potentially reduce the system-level memory
-  requirements of a program. However, it cannot guarantee to reduce
-  memory. Under some allocation patterns, some large free blocks of
-  memory will be locked between two used chunks, so they cannot be
-  given back to the system.
-
-  The `pad' argument to malloc_trim represents the amount of free
-  trailing space to leave untrimmed. If this argument is zero, only
-  the minimum amount of memory to maintain internal data structures
-  will be left. Non-zero arguments can be supplied to maintain enough
-  trailing space to service future expected allocations without having
-  to re-obtain memory from the system.
-
-  Malloc_trim returns 1 if it actually released any memory, else 0.
-*/
-int  dlmalloc_trim(size_t);
-
-/*
-  malloc_usable_size(void* p);
-
-  Returns the number of bytes you can actually use in
-  an allocated chunk, which may be more than you requested (although
-  often not) due to alignment and minimum size constraints.
-  You can use this many bytes without worrying about
-  overwriting other allocated objects. This is not a particularly great
-  programming practice. malloc_usable_size can be more useful in
-  debugging and assertions, for example:
-
-  p = malloc(n);
-  assert(malloc_usable_size(p) >= 256);
-*/
-size_t dlmalloc_usable_size(void*);
-
-/*
-  malloc_stats();
-  Prints on stderr the amount of space obtained from the system (both
-  via sbrk and mmap), the maximum amount (which may be more than
-  current if malloc_trim and/or munmap got called), and the current
-  number of bytes allocated via malloc (or realloc, etc) but not yet
-  freed. Note that this is the number of bytes allocated, not the
-  number requested. It will be larger than the number requested
-  because of alignment and bookkeeping overhead. Because it includes
-  alignment wastage as being in use, this figure may be greater than
-  zero even when no user-level chunks are allocated.
-
-  The reported current and maximum system memory can be inaccurate if
-  a program makes other calls to system memory allocation functions
-  (normally sbrk) outside of malloc.
-
-  malloc_stats prints only the most commonly interesting statistics.
-  More information can be obtained by calling mallinfo.
-*/
-void  dlmalloc_stats(void);
-
-#endif /* ONLY_MSPACES */
-
-#if MSPACES
-
-/*
-  mspace is an opaque type representing an independent
-  region of space that supports mspace_malloc, etc.
-*/
-typedef void* mspace;
-
-/*
-  create_mspace creates and returns a new independent space with the
-  given initial capacity, or, if 0, the default granularity size.  It
-  returns null if there is no system memory available to create the
-  space.  If argument locked is non-zero, the space uses a separate
-  lock to control access. The capacity of the space will grow
-  dynamically as needed to service mspace_malloc requests.  You can
-  control the sizes of incremental increases of this space by
-  compiling with a different DEFAULT_GRANULARITY or dynamically
-  setting with mallopt(M_GRANULARITY, value).
-*/
-mspace create_mspace(size_t capacity, int locked);
-
-/*
-  destroy_mspace destroys the given space, and attempts to return all
-  of its memory back to the system, returning the total number of
-  bytes freed. After destruction, the results of access to all memory
-  used by the space become undefined.
-*/
-size_t destroy_mspace(mspace msp);
-
-/*
-  create_mspace_with_base uses the memory supplied as the initial base
-  of a new mspace. Part (less than 128*sizeof(size_t) bytes) of this
-  space is used for bookkeeping, so the capacity must be at least this
-  large. (Otherwise 0 is returned.) When this initial space is
-  exhausted, additional memory will be obtained from the system.
-  Destroying this space will deallocate all additionally allocated
-  space (if possible) but not the initial base.
-*/
-mspace create_mspace_with_base(void* base, size_t capacity, int locked);
-
-/*
-  mspace_malloc behaves as malloc, but operates within
-  the given space.
-*/
-void* mspace_malloc(mspace msp, size_t bytes);
-
-/*
-  mspace_free behaves as free, but operates within
-  the given space.
-
-  If compiled with FOOTERS==1, mspace_free is not actually needed.
-  free may be called instead of mspace_free because freed chunks from
-  any space are handled by their originating spaces.
-*/
-void mspace_free(mspace msp, void* mem);
-
-/*
-  mspace_realloc behaves as realloc, but operates within
-  the given space.
-
-  If compiled with FOOTERS==1, mspace_realloc is not actually
-  needed.  realloc may be called instead of mspace_realloc because
-  realloced chunks from any space are handled by their originating
-  spaces.
-*/
-void* mspace_realloc(mspace msp, void* mem, size_t newsize);
-
-/*
-  mspace_calloc behaves as calloc, but operates within
-  the given space.
-*/
-void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size);
-
-/*
-  mspace_memalign behaves as memalign, but operates within
-  the given space.
-*/
-void* mspace_memalign(mspace msp, size_t alignment, size_t bytes);
-
-/*
-  mspace_independent_calloc behaves as independent_calloc, but
-  operates within the given space.
-*/
-void** mspace_independent_calloc(mspace msp, size_t n_elements,
-                                 size_t elem_size, void* chunks[]);
-
-/*
-  mspace_independent_comalloc behaves as independent_comalloc, but
-  operates within the given space.
-*/
-void** mspace_independent_comalloc(mspace msp, size_t n_elements,
-                                   size_t sizes[], void* chunks[]);
-
-/*
-  mspace_footprint() returns the number of bytes obtained from the
-  system for this space.
-*/
-size_t mspace_footprint(mspace msp);
-
-/*
-  mspace_max_footprint() returns the peak number of bytes obtained from the
-  system for this space.
-*/
-size_t mspace_max_footprint(mspace msp);
-
-
-#if !NO_MALLINFO
-/*
-  mspace_mallinfo behaves as mallinfo, but reports properties of
-  the given space.
-*/
-struct mallinfo mspace_mallinfo(mspace msp);
-#endif /* NO_MALLINFO */
-
-/*
-  mspace_malloc_stats behaves as malloc_stats, but reports
-  properties of the given space.
-*/
-void mspace_malloc_stats(mspace msp);
-
-/*
-  mspace_trim behaves as malloc_trim, but
-  operates within the given space.
-*/
-int mspace_trim(mspace msp, size_t pad);
-
-/*
-  An alias for mallopt.
-*/
-int mspace_mallopt(int, int);
-
-#endif /* MSPACES */
-
-#ifdef __cplusplus
-};  /* end of extern "C" */
-#endif /* __cplusplus */
-
-/*
-  ========================================================================
-  To make a fully customizable malloc.h header file, cut everything
-  above this line, put into file malloc.h, edit to suit, and #include it
-  on the next line, as well as in programs that use this malloc.
-  ========================================================================
-*/
-
-/* #include "malloc.h" */
-
-/*------------------------------ internal #includes ---------------------- */
-
-#ifdef WIN32
-#pragma warning( disable : 4146 ) /* no "unsigned" warnings */
-#endif /* WIN32 */
-
-#include <stdio.h>       /* for printing in malloc_stats */
-
-#ifndef LACKS_ERRNO_H
-#include <errno.h>       /* for MALLOC_FAILURE_ACTION */
-#endif /* LACKS_ERRNO_H */
-#if FOOTERS
-#include <time.h>        /* for magic initialization */
-#endif /* FOOTERS */
-#ifndef LACKS_STDLIB_H
-#include <stdlib.h>      /* for abort() */
-#endif /* LACKS_STDLIB_H */
-#ifdef DEBUG
-#if ABORT_ON_ASSERT_FAILURE
-#define assert(x) if(!(x)) ABORT
-#else /* ABORT_ON_ASSERT_FAILURE */
-#include <assert.h>
-#endif /* ABORT_ON_ASSERT_FAILURE */
-#else  /* DEBUG */
-#define assert(x)
-#endif /* DEBUG */
-#ifndef LACKS_STRING_H
-#include <string.h>      /* for memset etc */
-#endif  /* LACKS_STRING_H */
-#if USE_BUILTIN_FFS
-#ifndef LACKS_STRINGS_H
-#include <strings.h>     /* for ffs */
-#endif /* LACKS_STRINGS_H */
-#endif /* USE_BUILTIN_FFS */
-#if HAVE_MMAP
-#ifndef LACKS_SYS_MMAN_H
-#include <sys/mman.h>    /* for mmap */
-#endif /* LACKS_SYS_MMAN_H */
-#ifndef LACKS_FCNTL_H
-#include <fcntl.h>
-#endif /* LACKS_FCNTL_H */
-#endif /* HAVE_MMAP */
-#if HAVE_MORECORE
-#ifndef LACKS_UNISTD_H
-#include <unistd.h>     /* for sbrk */
-#else /* LACKS_UNISTD_H */
-#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__)
-extern void*     sbrk(ptrdiff_t);
-#endif /* FreeBSD etc */
-#endif /* LACKS_UNISTD_H */
-#endif /* HAVE_MMAP */
-
-#ifndef WIN32
-#ifndef malloc_getpagesize
-#  ifdef _SC_PAGESIZE         /* some SVR4 systems omit an underscore */
-#    ifndef _SC_PAGE_SIZE
-#      define _SC_PAGE_SIZE _SC_PAGESIZE
-#    endif
-#  endif
-#  ifdef _SC_PAGE_SIZE
-#    define malloc_getpagesize sysconf(_SC_PAGE_SIZE)
-#  else
-#    if defined(BSD) || defined(DGUX) || defined(HAVE_GETPAGESIZE)
-       extern size_t getpagesize();
-#      define malloc_getpagesize getpagesize()
-#    else
-#      ifdef WIN32 /* use supplied emulation of getpagesize */
-#        define malloc_getpagesize getpagesize()
-#      else
-#        ifndef LACKS_SYS_PARAM_H
-#          include <sys/param.h>
-#        endif
-#        ifdef EXEC_PAGESIZE
-#          define malloc_getpagesize EXEC_PAGESIZE
-#        else
-#          ifdef NBPG
-#            ifndef CLSIZE
-#              define malloc_getpagesize NBPG
-#            else
-#              define malloc_getpagesize (NBPG * CLSIZE)
-#            endif
-#          else
-#            ifdef NBPC
-#              define malloc_getpagesize NBPC
-#            else
-#              ifdef PAGESIZE
-#                define malloc_getpagesize PAGESIZE
-#              else /* just guess */
-#                define malloc_getpagesize ((size_t)4096U)
-#              endif
-#            endif
-#          endif
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-#endif
-
-/* ------------------- size_t and alignment properties -------------------- */
-
-/* The byte and bit size of a size_t */
-#define SIZE_T_SIZE         (sizeof(size_t))
-#define SIZE_T_BITSIZE      (sizeof(size_t) << 3)
-
-/* Some constants coerced to size_t */
-/* Annoying but necessary to avoid errors on some plaftorms */
-#define SIZE_T_ZERO         ((size_t)0)
-#define SIZE_T_ONE          ((size_t)1)
-#define SIZE_T_TWO          ((size_t)2)
-#define TWO_SIZE_T_SIZES    (SIZE_T_SIZE<<1)
-#define FOUR_SIZE_T_SIZES   (SIZE_T_SIZE<<2)
-#define SIX_SIZE_T_SIZES    (FOUR_SIZE_T_SIZES+TWO_SIZE_T_SIZES)
-#define HALF_MAX_SIZE_T     (MAX_SIZE_T / 2U)
-
-/* The bit mask value corresponding to MALLOC_ALIGNMENT */
-#define CHUNK_ALIGN_MASK    (MALLOC_ALIGNMENT - SIZE_T_ONE)
-
-/* True if address a has acceptable alignment */
-#define is_aligned(A)       (((size_t)((A)) & (CHUNK_ALIGN_MASK)) == 0)
-
-/* the number of bytes to offset an address to align it */
-#define align_offset(A)\
- ((((size_t)(A) & CHUNK_ALIGN_MASK) == 0)? 0 :\
-  ((MALLOC_ALIGNMENT - ((size_t)(A) & CHUNK_ALIGN_MASK)) & CHUNK_ALIGN_MASK))
-
-/* -------------------------- MMAP preliminaries ------------------------- */
-
-/*
-   If HAVE_MORECORE or HAVE_MMAP are false, we just define calls and
-   checks to fail so compiler optimizer can delete code rather than
-   using so many "#if"s.
-*/
-
-
-/* MORECORE and MMAP must return MFAIL on failure */
-#define MFAIL                ((void*)(MAX_SIZE_T))
-#define CMFAIL               ((char*)(MFAIL)) /* defined for convenience */
-
-#if !HAVE_MMAP
-#define IS_MMAPPED_BIT       (SIZE_T_ZERO)
-#define USE_MMAP_BIT         (SIZE_T_ZERO)
-#define CALL_MMAP(s)         MFAIL
-#define CALL_MUNMAP(a, s)    (-1)
-#define DIRECT_MMAP(s)       MFAIL
-
-#else /* HAVE_MMAP */
-#define IS_MMAPPED_BIT       (SIZE_T_ONE)
-#define USE_MMAP_BIT         (SIZE_T_ONE)
-
-#ifndef WIN32
-#define CALL_MUNMAP(a, s)    munmap((a), (s))
-#define MMAP_PROT            (PROT_READ|PROT_WRITE)
-#if !defined(MAP_ANONYMOUS) && defined(MAP_ANON)
-#define MAP_ANONYMOUS        MAP_ANON
-#endif /* MAP_ANON */
-#ifdef MAP_ANONYMOUS
-#define MMAP_FLAGS           (MAP_PRIVATE|MAP_ANONYMOUS)
-#define CALL_MMAP(s)         mmap(0, (s), MMAP_PROT, MMAP_FLAGS, -1, 0)
-#else /* MAP_ANONYMOUS */
-/*
-   Nearly all versions of mmap support MAP_ANONYMOUS, so the following
-   is unlikely to be needed, but is supplied just in case.
-*/
-#define MMAP_FLAGS           (MAP_PRIVATE)
-static int dev_zero_fd = -1; /* Cached file descriptor for /dev/zero. */
-#define CALL_MMAP(s) ((dev_zero_fd < 0) ? \
-           (dev_zero_fd = open("/dev/zero", O_RDWR), \
-            mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0)) : \
-            mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0))
-#endif /* MAP_ANONYMOUS */
-
-#define DIRECT_MMAP(s)       CALL_MMAP(s)
-#else /* WIN32 */
-
-/* Win32 MMAP via VirtualAlloc */
-static void* win32mmap(size_t size) {
-  void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
-  return (ptr != 0)? ptr: MFAIL;
-}
-
-/* For direct MMAP, use MEM_TOP_DOWN to minimize interference */
-static void* win32direct_mmap(size_t size) {
-  void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
-                           PAGE_READWRITE);
-  return (ptr != 0)? ptr: MFAIL;
-}
-
-/* This function supports releasing coalesed segments */
-static int win32munmap(void* ptr, size_t size) {
-  MEMORY_BASIC_INFORMATION minfo;
-  char* cptr = ptr;
-  while (size) {
-    if (VirtualQuery(cptr, &minfo, sizeof(minfo)) == 0)
-      return -1;
-    if (minfo.BaseAddress != cptr || minfo.AllocationBase != cptr ||
-        minfo.State != MEM_COMMIT || minfo.RegionSize > size)
-      return -1;
-    if (VirtualFree(cptr, 0, MEM_RELEASE) == 0)
-      return -1;
-    cptr += minfo.RegionSize;
-    size -= minfo.RegionSize;
-  }
-  return 0;
-}
-
-#define CALL_MMAP(s)         win32mmap(s)
-#define CALL_MUNMAP(a, s)    win32munmap((a), (s))
-#define DIRECT_MMAP(s)       win32direct_mmap(s)
-#endif /* WIN32 */
-#endif /* HAVE_MMAP */
-
-#if HAVE_MMAP && HAVE_MREMAP
-#define CALL_MREMAP(addr, osz, nsz, mv) mremap((addr), (osz), (nsz), (mv))
-#else  /* HAVE_MMAP && HAVE_MREMAP */
-#define CALL_MREMAP(addr, osz, nsz, mv) MFAIL
-#endif /* HAVE_MMAP && HAVE_MREMAP */
-
-#if HAVE_MORECORE
-#define CALL_MORECORE(S)     MORECORE(S)
-#else  /* HAVE_MORECORE */
-#define CALL_MORECORE(S)     MFAIL
-#endif /* HAVE_MORECORE */
-
-/* mstate bit set if continguous morecore disabled or failed */
-#define USE_NONCONTIGUOUS_BIT (4U)
-
-/* segment bit set in create_mspace_with_base */
-#define EXTERN_BIT            (8U)
-
-
-/* --------------------------- Lock preliminaries ------------------------ */
-
-#if USE_LOCKS
-
-/*
-  When locks are defined, there are up to two global locks:
-
-  * If HAVE_MORECORE, morecore_mutex protects sequences of calls to
-    MORECORE.  In many cases sys_alloc requires two calls, that should
-    not be interleaved with calls by other threads.  This does not
-    protect against direct calls to MORECORE by other threads not
-    using this lock, so there is still code to cope the best we can on
-    interference.
-
-  * magic_init_mutex ensures that mparams.magic and other
-    unique mparams values are initialized only once.
-*/
-
-#ifndef WIN32
-/* By default use posix locks */
-#include <pthread.h>
-#define MLOCK_T pthread_mutex_t
-#define INITIAL_LOCK(l)      pthread_mutex_init(l, NULL)
-#define ACQUIRE_LOCK(l)      pthread_mutex_lock(l)
-#define RELEASE_LOCK(l)      pthread_mutex_unlock(l)
-
-#if HAVE_MORECORE
-static MLOCK_T morecore_mutex = PTHREAD_MUTEX_INITIALIZER;
-#endif /* HAVE_MORECORE */
-
-static MLOCK_T magic_init_mutex = PTHREAD_MUTEX_INITIALIZER;
-
-#else /* WIN32 */
-/*
-   Because lock-protected regions have bounded times, and there
-   are no recursive lock calls, we can use simple spinlocks.
-*/
-
-#define MLOCK_T long
-static int win32_acquire_lock (MLOCK_T *sl) {
-  for (;;) {
-#ifdef InterlockedCompareExchangePointer
-    if (!InterlockedCompareExchange(sl, 1, 0))
-      return 0;
-#else  /* Use older void* version */
-    if (!InterlockedCompareExchange((void**)sl, (void*)1, (void*)0))
-      return 0;
-#endif /* InterlockedCompareExchangePointer */
-    Sleep (0);
-  }
-}
-
-static void win32_release_lock (MLOCK_T *sl) {
-  InterlockedExchange (sl, 0);
-}
-
-#define INITIAL_LOCK(l)      *(l)=0
-#define ACQUIRE_LOCK(l)      win32_acquire_lock(l)
-#define RELEASE_LOCK(l)      win32_release_lock(l)
-#if HAVE_MORECORE
-static MLOCK_T morecore_mutex;
-#endif /* HAVE_MORECORE */
-static MLOCK_T magic_init_mutex;
-#endif /* WIN32 */
-
-#define USE_LOCK_BIT               (2U)
-#else  /* USE_LOCKS */
-#define USE_LOCK_BIT               (0U)
-#define INITIAL_LOCK(l)
-#endif /* USE_LOCKS */
-
-#if USE_LOCKS && HAVE_MORECORE
-#define ACQUIRE_MORECORE_LOCK()    ACQUIRE_LOCK(&morecore_mutex);
-#define RELEASE_MORECORE_LOCK()    RELEASE_LOCK(&morecore_mutex);
-#else /* USE_LOCKS && HAVE_MORECORE */
-#define ACQUIRE_MORECORE_LOCK()
-#define RELEASE_MORECORE_LOCK()
-#endif /* USE_LOCKS && HAVE_MORECORE */
-
-#if USE_LOCKS
-#define ACQUIRE_MAGIC_INIT_LOCK()  ACQUIRE_LOCK(&magic_init_mutex);
-#define RELEASE_MAGIC_INIT_LOCK()  RELEASE_LOCK(&magic_init_mutex);
-#else  /* USE_LOCKS */
-#define ACQUIRE_MAGIC_INIT_LOCK()
-#define RELEASE_MAGIC_INIT_LOCK()
-#endif /* USE_LOCKS */
-
-
-/* -----------------------  Chunk representations ------------------------ */
-
-/*
-  (The following includes lightly edited explanations by Colin Plumb.)
-
-  The malloc_chunk declaration below is misleading (but accurate and
-  necessary).  It declares a "view" into memory allowing access to
-  necessary fields at known offsets from a given base.
-
-  Chunks of memory are maintained using a `boundary tag' method as
-  originally described by Knuth.  (See the paper by Paul Wilson
-  ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a survey of such
-  techniques.)  Sizes of free chunks are stored both in the front of
-  each chunk and at the end.  This makes consolidating fragmented
-  chunks into bigger chunks fast.  The head fields also hold bits
-  representing whether chunks are free or in use.
-
-  Here are some pictures to make it clearer.  They are "exploded" to
-  show that the state of a chunk can be thought of as extending from
-  the high 31 bits of the head field of its header through the
-  prev_foot and PINUSE_BIT bit of the following chunk header.
-
-  A chunk that's in use looks like:
-
-   chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-           | Size of previous chunk (if P = 1)                             |
-           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P|
-         | Size of this chunk                                         1| +-+
-   mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         |                                                               |
-         +-                                                             -+
-         |                                                               |
-         +-                                                             -+
-         |                                                               :
-         +-      size - sizeof(size_t) available payload bytes          -+
-         :                                                               |
- chunk-> +-                                                             -+
-         |                                                               |
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|
-       | Size of next chunk (may or may not be in use)               | +-+
- mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-    And if it's free, it looks like this:
-
-   chunk-> +-                                                             -+
-           | User payload (must be in use, or we would have merged!)       |
-           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P|
-         | Size of this chunk                                         0| +-+
-   mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         | Next pointer                                                  |
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         | Prev pointer                                                  |
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         |                                                               :
-         +-      size - sizeof(struct chunk) unused bytes               -+
-         :                                                               |
- chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-         | Size of this chunk                                            |
-         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|
-       | Size of next chunk (must be in use, or we would have merged)| +-+
- mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                                                               :
-       +- User payload                                                -+
-       :                                                               |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-                                                                     |0|
-                                                                     +-+
-  Note that since we always merge adjacent free chunks, the chunks
-  adjacent to a free chunk must be in use.
-
-  Given a pointer to a chunk (which can be derived trivially from the
-  payload pointer) we can, in O(1) time, find out whether the adjacent
-  chunks are free, and if so, unlink them from the lists that they
-  are on and merge them with the current chunk.
-
-  Chunks always begin on even word boundaries, so the mem portion
-  (which is returned to the user) is also on an even word boundary, and
-  thus at least double-word aligned.
-
-  The P (PINUSE_BIT) bit, stored in the unused low-order bit of the
-  chunk size (which is always a multiple of two words), is an in-use
-  bit for the *previous* chunk.  If that bit is *clear*, then the
-  word before the current chunk size contains the previous chunk
-  size, and can be used to find the front of the previous chunk.
-  The very first chunk allocated always has this bit set, preventing
-  access to non-existent (or non-owned) memory. If pinuse is set for
-  any given chunk, then you CANNOT determine the size of the
-  previous chunk, and might even get a memory addressing fault when
-  trying to do so.
-
-  The C (CINUSE_BIT) bit, stored in the unused second-lowest bit of
-  the chunk size redundantly records whether the current chunk is
-  inuse. This redundancy enables usage checks within free and realloc,
-  and reduces indirection when freeing and consolidating chunks.
-
-  Each freshly allocated chunk must have both cinuse and pinuse set.
-  That is, each allocated chunk borders either a previously allocated
-  and still in-use chunk, or the base of its memory arena. This is
-  ensured by making all allocations from the the `lowest' part of any
-  found chunk.  Further, no free chunk physically borders another one,
-  so each free chunk is known to be preceded and followed by either
-  inuse chunks or the ends of memory.
-
-  Note that the `foot' of the current chunk is actually represented
-  as the prev_foot of the NEXT chunk. This makes it easier to
-  deal with alignments etc but can be very confusing when trying
-  to extend or adapt this code.
-
-  The exceptions to all this are
-
-     1. The special chunk `top' is the top-most available chunk (i.e.,
-        the one bordering the end of available memory). It is treated
-        specially.  Top is never included in any bin, is used only if
-        no other chunk is available, and is released back to the
-        system if it is very large (see M_TRIM_THRESHOLD).  In effect,
-        the top chunk is treated as larger (and thus less well
-        fitting) than any other available chunk.  The top chunk
-        doesn't update its trailing size field since there is no next
-        contiguous chunk that would have to index off it. However,
-        space is still allocated for it (TOP_FOOT_SIZE) to enable
-        separation or merging when space is extended.
-
-     3. Chunks allocated via mmap, which have the lowest-order bit
-        (IS_MMAPPED_BIT) set in their prev_foot fields, and do not set
-        PINUSE_BIT in their head fields.  Because they are allocated
-        one-by-one, each must carry its own prev_foot field, which is
-        also used to hold the offset this chunk has within its mmapped
-        region, which is needed to preserve alignment. Each mmapped
-        chunk is trailed by the first two fields of a fake next-chunk
-        for sake of usage checks.
-
-*/
-
-struct malloc_chunk {
-  size_t               prev_foot;  /* Size of previous chunk (if free).  */
-  size_t               head;       /* Size and inuse bits. */
-  struct malloc_chunk* fd;         /* double links -- used only if free. */
-  struct malloc_chunk* bk;
-};
-
-typedef struct malloc_chunk  mchunk;
-typedef struct malloc_chunk* mchunkptr;
-typedef struct malloc_chunk* sbinptr;  /* The type of bins of chunks */
-typedef unsigned int bindex_t;         /* Described below */
-typedef unsigned int binmap_t;         /* Described below */
-typedef unsigned int flag_t;           /* The type of various bit flag sets */
-
-/* ------------------- Chunks sizes and alignments ----------------------- */
-
-#define MCHUNK_SIZE         (sizeof(mchunk))
-
-#if FOOTERS
-#define CHUNK_OVERHEAD      (TWO_SIZE_T_SIZES)
-#else /* FOOTERS */
-#define CHUNK_OVERHEAD      (SIZE_T_SIZE)
-#endif /* FOOTERS */
-
-/* MMapped chunks need a second word of overhead ... */
-#define MMAP_CHUNK_OVERHEAD (TWO_SIZE_T_SIZES)
-/* ... and additional padding for fake next-chunk at foot */
-#define MMAP_FOOT_PAD       (FOUR_SIZE_T_SIZES)
-
-/* The smallest size we can malloc is an aligned minimal chunk */
-#define MIN_CHUNK_SIZE\
-  ((MCHUNK_SIZE + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
-
-/* conversion from malloc headers to user pointers, and back */
-#define chunk2mem(p)        ((void*)((char*)(p)       + TWO_SIZE_T_SIZES))
-#define mem2chunk(mem)      ((mchunkptr)((char*)(mem) - TWO_SIZE_T_SIZES))
-/* chunk associated with aligned address A */
-#define align_as_chunk(A)   (mchunkptr)((A) + align_offset(chunk2mem(A)))
-
-/* Bounds on request (not chunk) sizes. */
-#define MAX_REQUEST         ((-MIN_CHUNK_SIZE) << 2)
-#define MIN_REQUEST         (MIN_CHUNK_SIZE - CHUNK_OVERHEAD - SIZE_T_ONE)
-
-/* pad request bytes into a usable size */
-#define pad_request(req) \
-   (((req) + CHUNK_OVERHEAD + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
-
-/* pad request, checking for minimum (but not maximum) */
-#define request2size(req) \
-  (((req) < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(req))
-
-
-/* ------------------ Operations on head and foot fields ----------------- */
-
-/*
-  The head field of a chunk is or'ed with PINUSE_BIT when previous
-  adjacent chunk in use, and or'ed with CINUSE_BIT if this chunk is in
-  use. If the chunk was obtained with mmap, the prev_foot field has
-  IS_MMAPPED_BIT set, otherwise holding the offset of the base of the
-  mmapped region to the base of the chunk.
-*/
-
-#define PINUSE_BIT          (SIZE_T_ONE)
-#define CINUSE_BIT          (SIZE_T_TWO)
-#define INUSE_BITS          (PINUSE_BIT|CINUSE_BIT)
-
-/* Head value for fenceposts */
-#define FENCEPOST_HEAD      (INUSE_BITS|SIZE_T_SIZE)
-
-/* extraction of fields from head words */
-#define cinuse(p)           ((p)->head & CINUSE_BIT)
-#define pinuse(p)           ((p)->head & PINUSE_BIT)
-#define chunksize(p)        ((p)->head & ~(INUSE_BITS))
-
-#define clear_pinuse(p)     ((p)->head &= ~PINUSE_BIT)
-#define clear_cinuse(p)     ((p)->head &= ~CINUSE_BIT)
-
-/* Treat space at ptr +/- offset as a chunk */
-#define chunk_plus_offset(p, s)  ((mchunkptr)(((char*)(p)) + (s)))
-#define chunk_minus_offset(p, s) ((mchunkptr)(((char*)(p)) - (s)))
-
-/* Ptr to next or previous physical malloc_chunk. */
-#define next_chunk(p) ((mchunkptr)( ((char*)(p)) + ((p)->head & ~INUSE_BITS)))
-#define prev_chunk(p) ((mchunkptr)( ((char*)(p)) - ((p)->prev_foot) ))
-
-/* extract next chunk's pinuse bit */
-#define next_pinuse(p)  ((next_chunk(p)->head) & PINUSE_BIT)
-
-/* Get/set size at footer */
-#define get_foot(p, s)  (((mchunkptr)((char*)(p) + (s)))->prev_foot)
-#define set_foot(p, s)  (((mchunkptr)((char*)(p) + (s)))->prev_foot = (s))
-
-/* Set size, pinuse bit, and foot */
-#define set_size_and_pinuse_of_free_chunk(p, s)\
-  ((p)->head = (s|PINUSE_BIT), set_foot(p, s))
-
-/* Set size, pinuse bit, foot, and clear next pinuse */
-#define set_free_with_pinuse(p, s, n)\
-  (clear_pinuse(n), set_size_and_pinuse_of_free_chunk(p, s))
-
-#define is_mmapped(p)\
-  (!((p)->head & PINUSE_BIT) && ((p)->prev_foot & IS_MMAPPED_BIT))
-
-/* Get the internal overhead associated with chunk p */
-#define overhead_for(p)\
- (is_mmapped(p)? MMAP_CHUNK_OVERHEAD : CHUNK_OVERHEAD)
-
-/* Return true if malloced space is not necessarily cleared */
-#if MMAP_CLEARS
-#define calloc_must_clear(p) (!is_mmapped(p))
-#else /* MMAP_CLEARS */
-#define calloc_must_clear(p) (1)
-#endif /* MMAP_CLEARS */
-
-/* ---------------------- Overlaid data structures ----------------------- */
-
-/*
-  When chunks are not in use, they are treated as nodes of either
-  lists or trees.
-
-  "Small"  chunks are stored in circular doubly-linked lists, and look
-  like this:
-
-    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Size of previous chunk                            |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    `head:' |             Size of chunk, in bytes                         |P|
-      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Forward pointer to next chunk in list             |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Back pointer to previous chunk in list            |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Unused space (may be 0 bytes long)                .
-            .                                                               .
-            .                                                               |
-nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    `foot:' |             Size of chunk, in bytes                           |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-  Larger chunks are kept in a form of bitwise digital trees (aka
-  tries) keyed on chunksizes.  Because malloc_tree_chunks are only for
-  free chunks greater than 256 bytes, their size doesn't impose any
-  constraints on user chunk sizes.  Each node looks like:
-
-    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Size of previous chunk                            |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    `head:' |             Size of chunk, in bytes                         |P|
-      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Forward pointer to next chunk of same size        |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Back pointer to previous chunk of same size       |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Pointer to left child (child[0])                  |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Pointer to right child (child[1])                 |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Pointer to parent                                 |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             bin index of this chunk                           |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-            |             Unused space                                      .
-            .                                                               |
-nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    `foot:' |             Size of chunk, in bytes                           |
-            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-  Each tree holding treenodes is a tree of unique chunk sizes.  Chunks
-  of the same size are arranged in a circularly-linked list, with only
-  the oldest chunk (the next to be used, in our FIFO ordering)
-  actually in the tree.  (Tree members are distinguished by a non-null
-  parent pointer.)  If a chunk with the same size an an existing node
-  is inserted, it is linked off the existing node using pointers that
-  work in the same way as fd/bk pointers of small chunks.
-
-  Each tree contains a power of 2 sized range of chunk sizes (the
-  smallest is 0x100 <= x < 0x180), which is is divided in half at each
-  tree level, with the chunks in the smaller half of the range (0x100
-  <= x < 0x140 for the top nose) in the left subtree and the larger
-  half (0x140 <= x < 0x180) in the right subtree.  This is, of course,
-  done by inspecting individual bits.
-
-  Using these rules, each node's left subtree contains all smaller
-  sizes than its right subtree.  However, the node at the root of each
-  subtree has no particular ordering relationship to either.  (The
-  dividing line between the subtree sizes is based on trie relation.)
-  If we remove the last chunk of a given size from the interior of the
-  tree, we need to replace it with a leaf node.  The tree ordering
-  rules permit a node to be replaced by any leaf below it.
-
-  The smallest chunk in a tree (a common operation in a best-fit
-  allocator) can be found by walking a path to the leftmost leaf in
-  the tree.  Unlike a usual binary tree, where we follow left child
-  pointers until we reach a null, here we follow the right child
-  pointer any time the left one is null, until we reach a leaf with
-  both child pointers null. The smallest chunk in the tree will be
-  somewhere along that path.
-
-  The worst case number of steps to add, find, or remove a node is
-  bounded by the number of bits differentiating chunks within
-  bins. Under current bin calculations, this ranges from 6 up to 21
-  (for 32 bit sizes) or up to 53 (for 64 bit sizes). The typical case
-  is of course much better.
-*/
-
-struct malloc_tree_chunk {
-  /* The first four fields must be compatible with malloc_chunk */
-  size_t                    prev_foot;
-  size_t                    head;
-  struct malloc_tree_chunk* fd;
-  struct malloc_tree_chunk* bk;
-
-  struct malloc_tree_chunk* child[2];
-  struct malloc_tree_chunk* parent;
-  bindex_t                  index;
-};
-
-typedef struct malloc_tree_chunk  tchunk;
-typedef struct malloc_tree_chunk* tchunkptr;
-typedef struct malloc_tree_chunk* tbinptr; /* The type of bins of trees */
-
-/* A little helper macro for trees */
-#define leftmost_child(t) ((t)->child[0] != 0? (t)->child[0] : (t)->child[1])
-
-/* ----------------------------- Segments -------------------------------- */
-
-/*
-  Each malloc space may include non-contiguous segments, held in a
-  list headed by an embedded malloc_segment record representing the
-  top-most space. Segments also include flags holding properties of
-  the space. Large chunks that are directly allocated by mmap are not
-  included in this list. They are instead independently created and
-  destroyed without otherwise keeping track of them.
-
-  Segment management mainly comes into play for spaces allocated by
-  MMAP.  Any call to MMAP might or might not return memory that is
-  adjacent to an existing segment.  MORECORE normally contiguously
-  extends the current space, so this space is almost always adjacent,
-  which is simpler and faster to deal with. (This is why MORECORE is
-  used preferentially to MMAP when both are available -- see
-  sys_alloc.)  When allocating using MMAP, we don't use any of the
-  hinting mechanisms (inconsistently) supported in various
-  implementations of unix mmap, or distinguish reserving from
-  committing memory. Instead, we just ask for space, and exploit
-  contiguity when we get it.  It is probably possible to do
-  better than this on some systems, but no general scheme seems
-  to be significantly better.
-
-  Management entails a simpler variant of the consolidation scheme
-  used for chunks to reduce fragmentation -- new adjacent memory is
-  normally prepended or appended to an existing segment. However,
-  there are limitations compared to chunk consolidation that mostly
-  reflect the fact that segment processing is relatively infrequent
-  (occurring only when getting memory from system) and that we
-  don't expect to have huge numbers of segments:
-
-  * Segments are not indexed, so traversal requires linear scans.  (It
-    would be possible to index these, but is not worth the extra
-    overhead and complexity for most programs on most platforms.)
-  * New segments are only appended to old ones when holding top-most
-    memory; if they cannot be prepended to others, they are held in
-    different segments.
-
-  Except for the top-most segment of an mstate, each segment record
-  is kept at the tail of its segment. Segments are added by pushing
-  segment records onto the list headed by &mstate.seg for the
-  containing mstate.
-
-  Segment flags control allocation/merge/deallocation policies:
-  * If EXTERN_BIT set, then we did not allocate this segment,
-    and so should not try to deallocate or merge with others.
-    (This currently holds only for the initial segment passed
-    into create_mspace_with_base.)
-  * If IS_MMAPPED_BIT set, the segment may be merged with
-    other surrounding mmapped segments and trimmed/de-allocated
-    using munmap.
-  * If neither bit is set, then the segment was obtained using
-    MORECORE so can be merged with surrounding MORECORE'd segments
-    and deallocated/trimmed using MORECORE with negative arguments.
-*/
-
-struct malloc_segment {
-  char*        base;             /* base address */
-  size_t       size;             /* allocated size */
-  struct malloc_segment* next;   /* ptr to next segment */
-  flag_t       sflags;           /* mmap and extern flag */
-};
-
-#define is_mmapped_segment(S)  ((S)->sflags & IS_MMAPPED_BIT)
-#define is_extern_segment(S)   ((S)->sflags & EXTERN_BIT)
-
-typedef struct malloc_segment  msegment;
-typedef struct malloc_segment* msegmentptr;
-
-/* ---------------------------- malloc_state ----------------------------- */
-
-/*
-   A malloc_state holds all of the bookkeeping for a space.
-   The main fields are:
-
-  Top
-    The topmost chunk of the currently active segment. Its size is
-    cached in topsize.  The actual size of topmost space is
-    topsize+TOP_FOOT_SIZE, which includes space reserved for adding
-    fenceposts and segment records if necessary when getting more
-    space from the system.  The size at which to autotrim top is
-    cached from mparams in trim_check, except that it is disabled if
-    an autotrim fails.
-
-  Designated victim (dv)
-    This is the preferred chunk for servicing small requests that
-    don't have exact fits.  It is normally the chunk split off most
-    recently to service another small request.  Its size is cached in
-    dvsize. The link fields of this chunk are not maintained since it
-    is not kept in a bin.
-
-  SmallBins
-    An array of bin headers for free chunks.  These bins hold chunks
-    with sizes less than MIN_LARGE_SIZE bytes. Each bin contains
-    chunks of all the same size, spaced 8 bytes apart.  To simplify
-    use in double-linked lists, each bin header acts as a malloc_chunk
-    pointing to the real first node, if it exists (else pointing to
-    itself).  This avoids special-casing for headers.  But to avoid
-    waste, we allocate only the fd/bk pointers of bins, and then use
-    repositioning tricks to treat these as the fields of a chunk.
-
-  TreeBins
-    Treebins are pointers to the roots of trees holding a range of
-    sizes. There are 2 equally spaced treebins for each power of two
-    from TREE_SHIFT to TREE_SHIFT+16. The last bin holds anything
-    larger.
-
-  Bin maps
-    There is one bit map for small bins ("smallmap") and one for
-    treebins ("treemap).  Each bin sets its bit when non-empty, and
-    clears the bit when empty.  Bit operations are then used to avoid
-    bin-by-bin searching -- nearly all "search" is done without ever
-    looking at bins that won't be selected.  The bit maps
-    conservatively use 32 bits per map word, even if on 64bit system.
-    For a good description of some of the bit-based techniques used
-    here, see Henry S. Warren Jr's book "Hacker's Delight" (and
-    supplement at http://hackersdelight.org/). Many of these are
-    intended to reduce the branchiness of paths through malloc etc, as
-    well as to reduce the number of memory locations read or written.
-
-  Segments
-    A list of segments headed by an embedded malloc_segment record
-    representing the initial space.
-
-  Address check support
-    The least_addr field is the least address ever obtained from
-    MORECORE or MMAP. Attempted frees and reallocs of any address less
-    than this are trapped (unless INSECURE is defined).
-
-  Magic tag
-    A cross-check field that should always hold same value as mparams.magic.
-
-  Flags
-    Bits recording whether to use MMAP, locks, or contiguous MORECORE
-
-  Statistics
-    Each space keeps track of current and maximum system memory
-    obtained via MORECORE or MMAP.
-
-  Locking
-    If USE_LOCKS is defined, the "mutex" lock is acquired and released
-    around every public call using this mspace.
-*/
-
-/* Bin types, widths and sizes */
-#define NSMALLBINS        (32U)
-#define NTREEBINS         (32U)
-#define SMALLBIN_SHIFT    (3U)
-#define SMALLBIN_WIDTH    (SIZE_T_ONE << SMALLBIN_SHIFT)
-#define TREEBIN_SHIFT     (8U)
-#define MIN_LARGE_SIZE    (SIZE_T_ONE << TREEBIN_SHIFT)
-#define MAX_SMALL_SIZE    (MIN_LARGE_SIZE - SIZE_T_ONE)
-#define MAX_SMALL_REQUEST (MAX_SMALL_SIZE - CHUNK_ALIGN_MASK - CHUNK_OVERHEAD)
-
-struct malloc_state {
-  binmap_t   smallmap;
-  binmap_t   treemap;
-  size_t     dvsize;
-  size_t     topsize;
-  char*      least_addr;
-  mchunkptr  dv;
-  mchunkptr  top;
-  size_t     trim_check;
-  size_t     magic;
-  mchunkptr  smallbins[(NSMALLBINS+1)*2];
-  tbinptr    treebins[NTREEBINS];
-  size_t     footprint;
-  size_t     max_footprint;
-  flag_t     mflags;
-#if USE_LOCKS
-  MLOCK_T    mutex;     /* locate lock among fields that rarely change */
-#endif /* USE_LOCKS */
-  msegment   seg;
-};
-
-typedef struct malloc_state*    mstate;
-
-/* ------------- Global malloc_state and malloc_params ------------------- */
-
-/*
-  malloc_params holds global properties, including those that can be
-  dynamically set using mallopt. There is a single instance, mparams,
-  initialized in init_mparams.
-*/
-
-struct malloc_params {
-  size_t magic;
-  size_t page_size;
-  size_t granularity;
-  size_t mmap_threshold;
-  size_t trim_threshold;
-  flag_t default_mflags;
-};
-
-static struct malloc_params mparams;
-
-/* The global malloc_state used for all non-"mspace" calls */
-static struct malloc_state _gm_;
-#define gm                 (&_gm_)
-#define is_global(M)       ((M) == &_gm_)
-#define is_initialized(M)  ((M)->top != 0)
-
-/* -------------------------- system alloc setup ------------------------- */
-
-/* Operations on mflags */
-
-#define use_lock(M)           ((M)->mflags &   USE_LOCK_BIT)
-#define enable_lock(M)        ((M)->mflags |=  USE_LOCK_BIT)
-#define disable_lock(M)       ((M)->mflags &= ~USE_LOCK_BIT)
-
-#define use_mmap(M)           ((M)->mflags &   USE_MMAP_BIT)
-#define enable_mmap(M)        ((M)->mflags |=  USE_MMAP_BIT)
-#define disable_mmap(M)       ((M)->mflags &= ~USE_MMAP_BIT)
-
-#define use_noncontiguous(M)  ((M)->mflags &   USE_NONCONTIGUOUS_BIT)
-#define disable_contiguous(M) ((M)->mflags |=  USE_NONCONTIGUOUS_BIT)
-
-#define set_lock(M,L)\
- ((M)->mflags = (L)?\
-  ((M)->mflags | USE_LOCK_BIT) :\
-  ((M)->mflags & ~USE_LOCK_BIT))
-
-/* page-align a size */
-#define page_align(S)\
- (((S) + (mparams.page_size)) & ~(mparams.page_size - SIZE_T_ONE))
-
-/* granularity-align a size */
-#define granularity_align(S)\
-  (((S) + (mparams.granularity)) & ~(mparams.granularity - SIZE_T_ONE))
-
-#define is_page_aligned(S)\
-   (((size_t)(S) & (mparams.page_size - SIZE_T_ONE)) == 0)
-#define is_granularity_aligned(S)\
-   (((size_t)(S) & (mparams.granularity - SIZE_T_ONE)) == 0)
-
-/*  True if segment S holds address A */
-#define segment_holds(S, A)\
-  ((char*)(A) >= S->base && (char*)(A) < S->base + S->size)
-
-/* Return segment holding given address */
-static msegmentptr segment_holding(mstate m, char* addr) {
-  msegmentptr sp = &m->seg;
-  for (;;) {
-    if (addr >= sp->base && addr < sp->base + sp->size)
-      return sp;
-    if ((sp = sp->next) == 0)
-      return 0;
-  }
-}
-
-/* Return true if segment contains a segment link */
-static int has_segment_link(mstate m, msegmentptr ss) {
-  msegmentptr sp = &m->seg;
-  for (;;) {
-    if ((char*)sp >= ss->base && (char*)sp < ss->base + ss->size)
-      return 1;
-    if ((sp = sp->next) == 0)
-      return 0;
-  }
-}
-
-#ifndef MORECORE_CANNOT_TRIM
-#define should_trim(M,s)  ((s) > (M)->trim_check)
-#else  /* MORECORE_CANNOT_TRIM */
-#define should_trim(M,s)  (0)
-#endif /* MORECORE_CANNOT_TRIM */
-
-/*
-  TOP_FOOT_SIZE is padding at the end of a segment, including space
-  that may be needed to place segment records and fenceposts when new
-  noncontiguous segments are added.
-*/
-#define TOP_FOOT_SIZE\
-  (align_offset(chunk2mem(0))+pad_request(sizeof(struct malloc_segment))+MIN_CHUNK_SIZE)
-
-
-/* -------------------------------  Hooks -------------------------------- */
-
-/*
-  PREACTION should be defined to return 0 on success, and nonzero on
-  failure. If you are not using locking, you can redefine these to do
-  anything you like.
-*/
-
-#if USE_LOCKS
-
-/* Ensure locks are initialized */
-#define GLOBALLY_INITIALIZE() (mparams.page_size == 0 && init_mparams())
-
-#define PREACTION(M)  ((GLOBALLY_INITIALIZE() || use_lock(M))? ACQUIRE_LOCK(&(M)->mutex) : 0)
-#define POSTACTION(M) { if (use_lock(M)) RELEASE_LOCK(&(M)->mutex); }
-#else /* USE_LOCKS */
-
-#ifndef PREACTION
-#define PREACTION(M) (0)
-#endif  /* PREACTION */
-
-#ifndef POSTACTION
-#define POSTACTION(M)
-#endif  /* POSTACTION */
-
-#endif /* USE_LOCKS */
-
-/*
-  CORRUPTION_ERROR_ACTION is triggered upon detected bad addresses.
-  USAGE_ERROR_ACTION is triggered on detected bad frees and
-  reallocs. The argument p is an address that might have triggered the
-  fault. It is ignored by the two predefined actions, but might be
-  useful in custom actions that try to help diagnose errors.
-*/
-
-#if PROCEED_ON_ERROR
-
-/* A count of the number of corruption errors causing resets */
-int malloc_corruption_error_count;
-
-/* default corruption action */
-static void reset_on_error(mstate m);
-
-#define CORRUPTION_ERROR_ACTION(m)  reset_on_error(m)
-#define USAGE_ERROR_ACTION(m, p)
-
-#else /* PROCEED_ON_ERROR */
-
-#ifndef CORRUPTION_ERROR_ACTION
-#define CORRUPTION_ERROR_ACTION(m) ABORT
-#endif /* CORRUPTION_ERROR_ACTION */
-
-#ifndef USAGE_ERROR_ACTION
-#define USAGE_ERROR_ACTION(m,p) ABORT
-#endif /* USAGE_ERROR_ACTION */
-
-#endif /* PROCEED_ON_ERROR */
-
-/* -------------------------- Debugging setup ---------------------------- */
-
-#if ! DEBUG
-
-#define check_free_chunk(M,P)
-#define check_inuse_chunk(M,P)
-#define check_malloced_chunk(M,P,N)
-#define check_mmapped_chunk(M,P)
-#define check_malloc_state(M)
-#define check_top_chunk(M,P)
-
-#else /* DEBUG */
-#define check_free_chunk(M,P)       do_check_free_chunk(M,P)
-#define check_inuse_chunk(M,P)      do_check_inuse_chunk(M,P)
-#define check_top_chunk(M,P)        do_check_top_chunk(M,P)
-#define check_malloced_chunk(M,P,N) do_check_malloced_chunk(M,P,N)
-#define check_mmapped_chunk(M,P)    do_check_mmapped_chunk(M,P)
-#define check_malloc_state(M)       do_check_malloc_state(M)
-
-static void   do_check_any_chunk(mstate m, mchunkptr p);
-static void   do_check_top_chunk(mstate m, mchunkptr p);
-static void   do_check_mmapped_chunk(mstate m, mchunkptr p);
-static void   do_check_inuse_chunk(mstate m, mchunkptr p);
-static void   do_check_free_chunk(mstate m, mchunkptr p);
-static void   do_check_malloced_chunk(mstate m, void* mem, size_t s);
-static void   do_check_tree(mstate m, tchunkptr t);
-static void   do_check_treebin(mstate m, bindex_t i);
-static void   do_check_smallbin(mstate m, bindex_t i);
-static void   do_check_malloc_state(mstate m);
-static int    bin_find(mstate m, mchunkptr x);
-static size_t traverse_and_check(mstate m);
-#endif /* DEBUG */
-
-/* ---------------------------- Indexing Bins ---------------------------- */
-
-#define is_small(s)         (((s) >> SMALLBIN_SHIFT) < NSMALLBINS)
-#define small_index(s)      ((s)  >> SMALLBIN_SHIFT)
-#define small_index2size(i) ((i)  << SMALLBIN_SHIFT)
-#define MIN_SMALL_INDEX     (small_index(MIN_CHUNK_SIZE))
-
-/* addressing by index. See above about smallbin repositioning */
-#define smallbin_at(M, i)   ((sbinptr)((char*)&((M)->smallbins[(i)<<1])))
-#define treebin_at(M,i)     (&((M)->treebins[i]))
-
-/* assign tree index for size S to variable I */
-#if defined(__GNUC__) && defined(i386)
-#define compute_tree_index(S, I)\
-{\
-  size_t X = S >> TREEBIN_SHIFT;\
-  if (X == 0)\
-    I = 0;\
-  else if (X > 0xFFFF)\
-    I = NTREEBINS-1;\
-  else {\
-    unsigned int K;\
-    __asm__("bsrl %1,%0\n\t" : "=r" (K) : "rm"  (X));\
-    I =  (bindex_t)((K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1)));\
-  }\
-}
-#else /* GNUC */
-#define compute_tree_index(S, I)\
-{\
-  size_t X = S >> TREEBIN_SHIFT;\
-  if (X == 0)\
-    I = 0;\
-  else if (X > 0xFFFF)\
-    I = NTREEBINS-1;\
-  else {\
-    unsigned int Y = (unsigned int)X;\
-    unsigned int N = ((Y - 0x100) >> 16) & 8;\
-    unsigned int K = (((Y <<= N) - 0x1000) >> 16) & 4;\
-    N += K;\
-    N += K = (((Y <<= K) - 0x4000) >> 16) & 2;\
-    K = 14 - N + ((Y <<= K) >> 15);\
-    I = (K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1));\
-  }\
-}
-#endif /* GNUC */
-
-/* Bit representing maximum resolved size in a treebin at i */
-#define bit_for_tree_index(i) \
-   (i == NTREEBINS-1)? (SIZE_T_BITSIZE-1) : (((i) >> 1) + TREEBIN_SHIFT - 2)
-
-/* Shift placing maximum resolved bit in a treebin at i as sign bit */
-#define leftshift_for_tree_index(i) \
-   ((i == NTREEBINS-1)? 0 : \
-    ((SIZE_T_BITSIZE-SIZE_T_ONE) - (((i) >> 1) + TREEBIN_SHIFT - 2)))
-
-/* The size of the smallest chunk held in bin with index i */
-#define minsize_for_tree_index(i) \
-   ((SIZE_T_ONE << (((i) >> 1) + TREEBIN_SHIFT)) |  \
-   (((size_t)((i) & SIZE_T_ONE)) << (((i) >> 1) + TREEBIN_SHIFT - 1)))
-
-
-/* ------------------------ Operations on bin maps ----------------------- */
-
-/* bit corresponding to given index */
-#define idx2bit(i)              ((binmap_t)(1) << (i))
-
-/* Mark/Clear bits with given index */
-#define mark_smallmap(M,i)      ((M)->smallmap |=  idx2bit(i))
-#define clear_smallmap(M,i)     ((M)->smallmap &= ~idx2bit(i))
-#define smallmap_is_marked(M,i) ((M)->smallmap &   idx2bit(i))
-
-#define mark_treemap(M,i)       ((M)->treemap  |=  idx2bit(i))
-#define clear_treemap(M,i)      ((M)->treemap  &= ~idx2bit(i))
-#define treemap_is_marked(M,i)  ((M)->treemap  &   idx2bit(i))
-
-/* index corresponding to given bit */
-
-#if defined(__GNUC__) && defined(i386)
-#define compute_bit2idx(X, I)\
-{\
-  unsigned int J;\
-  __asm__("bsfl %1,%0\n\t" : "=r" (J) : "rm" (X));\
-  I = (bindex_t)J;\
-}
-
-#else /* GNUC */
-#if  USE_BUILTIN_FFS
-#define compute_bit2idx(X, I) I = ffs(X)-1
-
-#else /* USE_BUILTIN_FFS */
-#define compute_bit2idx(X, I)\
-{\
-  unsigned int Y = X - 1;\
-  unsigned int K = Y >> (16-4) & 16;\
-  unsigned int N = K;        Y >>= K;\
-  N += K = Y >> (8-3) &  8;  Y >>= K;\
-  N += K = Y >> (4-2) &  4;  Y >>= K;\
-  N += K = Y >> (2-1) &  2;  Y >>= K;\
-  N += K = Y >> (1-0) &  1;  Y >>= K;\
-  I = (bindex_t)(N + Y);\
-}
-#endif /* USE_BUILTIN_FFS */
-#endif /* GNUC */
-
-/* isolate the least set bit of a bitmap */
-#define least_bit(x)         ((x) & -(x))
-
-/* mask with all bits to left of least bit of x on */
-#define left_bits(x)         ((x<<1) | -(x<<1))
-
-/* mask with all bits to left of or equal to least bit of x on */
-#define same_or_left_bits(x) ((x) | -(x))
-
-
-/* ----------------------- Runtime Check Support ------------------------- */
-
-/*
-  For security, the main invariant is that malloc/free/etc never
-  writes to a static address other than malloc_state, unless static
-  malloc_state itself has been corrupted, which cannot occur via
-  malloc (because of these checks). In essence this means that we
-  believe all pointers, sizes, maps etc held in malloc_state, but
-  check all of those linked or offsetted from other embedded data
-  structures.  These checks are interspersed with main code in a way
-  that tends to minimize their run-time cost.
-
-  When FOOTERS is defined, in addition to range checking, we also
-  verify footer fields of inuse chunks, which can be used guarantee
-  that the mstate controlling malloc/free is intact.  This is a
-  streamlined version of the approach described by William Robertson
-  et al in "Run-time Detection of Heap-based Overflows" LISA'03
-  http://www.usenix.org/events/lisa03/tech/robertson.html The footer
-  of an inuse chunk holds the xor of its mstate and a random seed,
-  that is checked upon calls to free() and realloc().  This is
-  (probablistically) unguessable from outside the program, but can be
-  computed by any code successfully malloc'ing any chunk, so does not
-  itself provide protection against code that has already broken
-  security through some other means.  Unlike Robertson et al, we
-  always dynamically check addresses of all offset chunks (previous,
-  next, etc). This turns out to be cheaper than relying on hashes.
-*/
-
-#if !INSECURE
-/* Check if address a is at least as high as any from MORECORE or MMAP */
-#define ok_address(M, a) ((char*)(a) >= (M)->least_addr)
-/* Check if address of next chunk n is higher than base chunk p */
-#define ok_next(p, n)    ((char*)(p) < (char*)(n))
-/* Check if p has its cinuse bit on */
-#define ok_cinuse(p)     cinuse(p)
-/* Check if p has its pinuse bit on */
-#define ok_pinuse(p)     pinuse(p)
-
-#else /* !INSECURE */
-#define ok_address(M, a) (1)
-#define ok_next(b, n)    (1)
-#define ok_cinuse(p)     (1)
-#define ok_pinuse(p)     (1)
-#endif /* !INSECURE */
-
-#if (FOOTERS && !INSECURE)
-/* Check if (alleged) mstate m has expected magic field */
-#define ok_magic(M)      ((M)->magic == mparams.magic)
-#else  /* (FOOTERS && !INSECURE) */
-#define ok_magic(M)      (1)
-#endif /* (FOOTERS && !INSECURE) */
-
-
-/* In gcc, use __builtin_expect to minimize impact of checks */
-#if !INSECURE
-#if defined(__GNUC__) && __GNUC__ >= 3
-#define RTCHECK(e)  __builtin_expect(e, 1)
-#else /* GNUC */
-#define RTCHECK(e)  (e)
-#endif /* GNUC */
-#else /* !INSECURE */
-#define RTCHECK(e)  (1)
-#endif /* !INSECURE */
-
-/* macros to set up inuse chunks with or without footers */
-
-#if !FOOTERS
-
-#define mark_inuse_foot(M,p,s)
-
-/* Set cinuse bit and pinuse bit of next chunk */
-#define set_inuse(M,p,s)\
-  ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\
-  ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT)
-
-/* Set cinuse and pinuse of this chunk and pinuse of next chunk */
-#define set_inuse_and_pinuse(M,p,s)\
-  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
-  ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT)
-
-/* Set size, cinuse and pinuse bit of this chunk */
-#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\
-  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT))
-
-#else /* FOOTERS */
-
-/* Set foot of inuse chunk to be xor of mstate and seed */
-#define mark_inuse_foot(M,p,s)\
-  (((mchunkptr)((char*)(p) + (s)))->prev_foot = ((size_t)(M) ^ mparams.magic))
-
-#define get_mstate_for(p)\
-  ((mstate)(((mchunkptr)((char*)(p) +\
-    (chunksize(p))))->prev_foot ^ mparams.magic))
-
-#define set_inuse(M,p,s)\
-  ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\
-  (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT), \
-  mark_inuse_foot(M,p,s))
-
-#define set_inuse_and_pinuse(M,p,s)\
-  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
-  (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT),\
- mark_inuse_foot(M,p,s))
-
-#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\
-  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
-  mark_inuse_foot(M, p, s))
-
-#endif /* !FOOTERS */
-
-/* ---------------------------- setting mparams -------------------------- */
-
-/* Initialize mparams */
-static int init_mparams(void) {
-  if (mparams.page_size == 0) {
-    size_t s;
-
-    mparams.mmap_threshold = DEFAULT_MMAP_THRESHOLD;
-    mparams.trim_threshold = DEFAULT_TRIM_THRESHOLD;
-#if MORECORE_CONTIGUOUS
-    mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT;
-#else  /* MORECORE_CONTIGUOUS */
-    mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT|USE_NONCONTIGUOUS_BIT;
-#endif /* MORECORE_CONTIGUOUS */
-
-#if (FOOTERS && !INSECURE)
-    {
-#if USE_DEV_RANDOM
-      int fd;
-      unsigned char buf[sizeof(size_t)];
-      /* Try to use /dev/urandom, else fall back on using time */
-      if ((fd = open("/dev/urandom", O_RDONLY)) >= 0 &&
-          read(fd, buf, sizeof(buf)) == sizeof(buf)) {
-        s = *((size_t *) buf);
-        close(fd);
-      }
-      else
-#endif /* USE_DEV_RANDOM */
-        s = (size_t)(time(0) ^ (size_t)0x55555555U);
-
-      s |= (size_t)8U;    /* ensure nonzero */
-      s &= ~(size_t)7U;   /* improve chances of fault for bad values */
-
-    }
-#else /* (FOOTERS && !INSECURE) */
-    s = (size_t)0x58585858U;
-#endif /* (FOOTERS && !INSECURE) */
-    ACQUIRE_MAGIC_INIT_LOCK();
-    if (mparams.magic == 0) {
-      mparams.magic = s;
-      /* Set up lock for main malloc area */
-      INITIAL_LOCK(&gm->mutex);
-      gm->mflags = mparams.default_mflags;
-    }
-    RELEASE_MAGIC_INIT_LOCK();
-
-#ifndef WIN32
-    mparams.page_size = malloc_getpagesize;
-    mparams.granularity = ((DEFAULT_GRANULARITY != 0)?
-                           DEFAULT_GRANULARITY : mparams.page_size);
-#else /* WIN32 */
-    {
-      SYSTEM_INFO system_info;
-      GetSystemInfo(&system_info);
-      mparams.page_size = system_info.dwPageSize;
-      mparams.granularity = system_info.dwAllocationGranularity;
-    }
-#endif /* WIN32 */
-
-    /* Sanity-check configuration:
-       size_t must be unsigned and as wide as pointer type.
-       ints must be at least 4 bytes.
-       alignment must be at least 8.
-       Alignment, min chunk size, and page size must all be powers of 2.
-    */
-    if ((sizeof(size_t) != sizeof(char*)) ||
-        (MAX_SIZE_T < MIN_CHUNK_SIZE)  ||
-        (sizeof(int) < 4)  ||
-        (MALLOC_ALIGNMENT < (size_t)8U) ||
-        ((MALLOC_ALIGNMENT    & (MALLOC_ALIGNMENT-SIZE_T_ONE))    != 0) ||
-        ((MCHUNK_SIZE         & (MCHUNK_SIZE-SIZE_T_ONE))         != 0) ||
-        ((mparams.granularity & (mparams.granularity-SIZE_T_ONE)) != 0) ||
-        ((mparams.page_size   & (mparams.page_size-SIZE_T_ONE))   != 0))
-      ABORT;
-  }
-  return 0;
-}
-
-/* support for mallopt */
-static int change_mparam(int param_number, int value) {
-  size_t val = (size_t)value;
-  init_mparams();
-  switch(param_number) {
-  case M_TRIM_THRESHOLD:
-    mparams.trim_threshold = val;
-    return 1;
-  case M_GRANULARITY:
-    if (val >= mparams.page_size && ((val & (val-1)) == 0)) {
-      mparams.granularity = val;
-      return 1;
-    }
-    else
-      return 0;
-  case M_MMAP_THRESHOLD:
-    mparams.mmap_threshold = val;
-    return 1;
-  default:
-    return 0;
-  }
-}
-
-#if DEBUG
-/* ------------------------- Debugging Support --------------------------- */
-
-/* Check properties of any chunk, whether free, inuse, mmapped etc  */
-static void do_check_any_chunk(mstate m, mchunkptr p) {
-  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
-  assert(ok_address(m, p));
-}
-
-/* Check properties of top chunk */
-static void do_check_top_chunk(mstate m, mchunkptr p) {
-  msegmentptr sp = segment_holding(m, (char*)p);
-  size_t  sz = chunksize(p);
-  assert(sp != 0);
-  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
-  assert(ok_address(m, p));
-  assert(sz == m->topsize);
-  assert(sz > 0);
-  assert(sz == ((sp->base + sp->size) - (char*)p) - TOP_FOOT_SIZE);
-  assert(pinuse(p));
-  assert(!next_pinuse(p));
-}
-
-/* Check properties of (inuse) mmapped chunks */
-static void do_check_mmapped_chunk(mstate m, mchunkptr p) {
-  size_t  sz = chunksize(p);
-  size_t len = (sz + (p->prev_foot & ~IS_MMAPPED_BIT) + MMAP_FOOT_PAD);
-  assert(is_mmapped(p));
-  assert(use_mmap(m));
-  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
-  assert(ok_address(m, p));
-  assert(!is_small(sz));
-  assert((len & (mparams.page_size-SIZE_T_ONE)) == 0);
-  assert(chunk_plus_offset(p, sz)->head == FENCEPOST_HEAD);
-  assert(chunk_plus_offset(p, sz+SIZE_T_SIZE)->head == 0);
-}
-
-/* Check properties of inuse chunks */
-static void do_check_inuse_chunk(mstate m, mchunkptr p) {
-  do_check_any_chunk(m, p);
-  assert(cinuse(p));
-  assert(next_pinuse(p));
-  /* If not pinuse and not mmapped, previous chunk has OK offset */
-  assert(is_mmapped(p) || pinuse(p) || next_chunk(prev_chunk(p)) == p);
-  if (is_mmapped(p))
-    do_check_mmapped_chunk(m, p);
-}
-
-/* Check properties of free chunks */
-static void do_check_free_chunk(mstate m, mchunkptr p) {
-  size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT);
-  mchunkptr next = chunk_plus_offset(p, sz);
-  do_check_any_chunk(m, p);
-  assert(!cinuse(p));
-  assert(!next_pinuse(p));
-  assert (!is_mmapped(p));
-  if (p != m->dv && p != m->top) {
-    if (sz >= MIN_CHUNK_SIZE) {
-      assert((sz & CHUNK_ALIGN_MASK) == 0);
-      assert(is_aligned(chunk2mem(p)));
-      assert(next->prev_foot == sz);
-      assert(pinuse(p));
-      assert (next == m->top || cinuse(next));
-      assert(p->fd->bk == p);
-      assert(p->bk->fd == p);
-    }
-    else  /* markers are always of size SIZE_T_SIZE */
-      assert(sz == SIZE_T_SIZE);
-  }
-}
-
-/* Check properties of malloced chunks at the point they are malloced */
-static void do_check_malloced_chunk(mstate m, void* mem, size_t s) {
-  if (mem != 0) {
-    mchunkptr p = mem2chunk(mem);
-    size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT);
-    do_check_inuse_chunk(m, p);
-    assert((sz & CHUNK_ALIGN_MASK) == 0);
-    assert(sz >= MIN_CHUNK_SIZE);
-    assert(sz >= s);
-    /* unless mmapped, size is less than MIN_CHUNK_SIZE more than request */
-    assert(is_mmapped(p) || sz < (s + MIN_CHUNK_SIZE));
-  }
-}
-
-/* Check a tree and its subtrees.  */
-static void do_check_tree(mstate m, tchunkptr t) {
-  tchunkptr head = 0;
-  tchunkptr u = t;
-  bindex_t tindex = t->index;
-  size_t tsize = chunksize(t);
-  bindex_t idx;
-  compute_tree_index(tsize, idx);
-  assert(tindex == idx);
-  assert(tsize >= MIN_LARGE_SIZE);
-  assert(tsize >= minsize_for_tree_index(idx));
-  assert((idx == NTREEBINS-1) || (tsize < minsize_for_tree_index((idx+1))));
-
-  do { /* traverse through chain of same-sized nodes */
-    do_check_any_chunk(m, ((mchunkptr)u));
-    assert(u->index == tindex);
-    assert(chunksize(u) == tsize);
-    assert(!cinuse(u));
-    assert(!next_pinuse(u));
-    assert(u->fd->bk == u);
-    assert(u->bk->fd == u);
-    if (u->parent == 0) {
-      assert(u->child[0] == 0);
-      assert(u->child[1] == 0);
-    }
-    else {
-      assert(head == 0); /* only one node on chain has parent */
-      head = u;
-      assert(u->parent != u);
-      assert (u->parent->child[0] == u ||
-              u->parent->child[1] == u ||
-              *((tbinptr*)(u->parent)) == u);
-      if (u->child[0] != 0) {
-        assert(u->child[0]->parent == u);
-        assert(u->child[0] != u);
-        do_check_tree(m, u->child[0]);
-      }
-      if (u->child[1] != 0) {
-        assert(u->child[1]->parent == u);
-        assert(u->child[1] != u);
-        do_check_tree(m, u->child[1]);
-      }
-      if (u->child[0] != 0 && u->child[1] != 0) {
-        assert(chunksize(u->child[0]) < chunksize(u->child[1]));
-      }
-    }
-    u = u->fd;
-  } while (u != t);
-  assert(head != 0);
-}
-
-/*  Check all the chunks in a treebin.  */
-static void do_check_treebin(mstate m, bindex_t i) {
-  tbinptr* tb = treebin_at(m, i);
-  tchunkptr t = *tb;
-  int empty = (m->treemap & (1U << i)) == 0;
-  if (t == 0)
-    assert(empty);
-  if (!empty)
-    do_check_tree(m, t);
-}
-
-/*  Check all the chunks in a smallbin.  */
-static void do_check_smallbin(mstate m, bindex_t i) {
-  sbinptr b = smallbin_at(m, i);
-  mchunkptr p = b->bk;
-  unsigned int empty = (m->smallmap & (1U << i)) == 0;
-  if (p == b)
-    assert(empty);
-  if (!empty) {
-    for (; p != b; p = p->bk) {
-      size_t size = chunksize(p);
-      mchunkptr q;
-      /* each chunk claims to be free */
-      do_check_free_chunk(m, p);
-      /* chunk belongs in bin */
-      assert(small_index(size) == i);
-      assert(p->bk == b || chunksize(p->bk) == chunksize(p));
-      /* chunk is followed by an inuse chunk */
-      q = next_chunk(p);
-      if (q->head != FENCEPOST_HEAD)
-        do_check_inuse_chunk(m, q);
-    }
-  }
-}
-
-/* Find x in a bin. Used in other check functions. */
-static int bin_find(mstate m, mchunkptr x) {
-  size_t size = chunksize(x);
-  if (is_small(size)) {
-    bindex_t sidx = small_index(size);
-    sbinptr b = smallbin_at(m, sidx);
-    if (smallmap_is_marked(m, sidx)) {
-      mchunkptr p = b;
-      do {
-        if (p == x)
-          return 1;
-      } while ((p = p->fd) != b);
-    }
-  }
-  else {
-    bindex_t tidx;
-    compute_tree_index(size, tidx);
-    if (treemap_is_marked(m, tidx)) {
-      tchunkptr t = *treebin_at(m, tidx);
-      size_t sizebits = size << leftshift_for_tree_index(tidx);
-      while (t != 0 && chunksize(t) != size) {
-        t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
-        sizebits <<= 1;
-      }
-      if (t != 0) {
-        tchunkptr u = t;
-        do {
-          if (u == (tchunkptr)x)
-            return 1;
-        } while ((u = u->fd) != t);
-      }
-    }
-  }
-  return 0;
-}
-
-/* Traverse each chunk and check it; return total */
-static size_t traverse_and_check(mstate m) {
-  size_t sum = 0;
-  if (is_initialized(m)) {
-    msegmentptr s = &m->seg;
-    sum += m->topsize + TOP_FOOT_SIZE;
-    while (s != 0) {
-      mchunkptr q = align_as_chunk(s->base);
-      mchunkptr lastq = 0;
-      assert(pinuse(q));
-      while (segment_holds(s, q) &&
-             q != m->top && q->head != FENCEPOST_HEAD) {
-        sum += chunksize(q);
-        if (cinuse(q)) {
-          assert(!bin_find(m, q));
-          do_check_inuse_chunk(m, q);
-        }
-        else {
-          assert(q == m->dv || bin_find(m, q));
-          assert(lastq == 0 || cinuse(lastq)); /* Not 2 consecutive free */
-          do_check_free_chunk(m, q);
-        }
-        lastq = q;
-        q = next_chunk(q);
-      }
-      s = s->next;
-    }
-  }
-  return sum;
-}
-
-/* Check all properties of malloc_state. */
-static void do_check_malloc_state(mstate m) {
-  bindex_t i;
-  size_t total;
-  /* check bins */
-  for (i = 0; i < NSMALLBINS; ++i)
-    do_check_smallbin(m, i);
-  for (i = 0; i < NTREEBINS; ++i)
-    do_check_treebin(m, i);
-
-  if (m->dvsize != 0) { /* check dv chunk */
-    do_check_any_chunk(m, m->dv);
-    assert(m->dvsize == chunksize(m->dv));
-    assert(m->dvsize >= MIN_CHUNK_SIZE);
-    assert(bin_find(m, m->dv) == 0);
-  }
-
-  if (m->top != 0) {   /* check top chunk */
-    do_check_top_chunk(m, m->top);
-    assert(m->topsize == chunksize(m->top));
-    assert(m->topsize > 0);
-    assert(bin_find(m, m->top) == 0);
-  }
-
-  total = traverse_and_check(m);
-  assert(total <= m->footprint);
-  assert(m->footprint <= m->max_footprint);
-}
-#endif /* DEBUG */
-
-/* ----------------------------- statistics ------------------------------ */
-
-#if !NO_MALLINFO
-static struct mallinfo internal_mallinfo(mstate m) {
-  struct mallinfo nm = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
-  if (!PREACTION(m)) {
-    check_malloc_state(m);
-    if (is_initialized(m)) {
-      size_t nfree = SIZE_T_ONE; /* top always free */
-      size_t mfree = m->topsize + TOP_FOOT_SIZE;
-      size_t sum = mfree;
-      msegmentptr s = &m->seg;
-      while (s != 0) {
-        mchunkptr q = align_as_chunk(s->base);
-        while (segment_holds(s, q) &&
-               q != m->top && q->head != FENCEPOST_HEAD) {
-          size_t sz = chunksize(q);
-          sum += sz;
-          if (!cinuse(q)) {
-            mfree += sz;
-            ++nfree;
-          }
-          q = next_chunk(q);
-        }
-        s = s->next;
-      }
-
-      nm.arena    = sum;
-      nm.ordblks  = nfree;
-      nm.hblkhd   = m->footprint - sum;
-      nm.usmblks  = m->max_footprint;
-      nm.uordblks = m->footprint - mfree;
-      nm.fordblks = mfree;
-      nm.keepcost = m->topsize;
-    }
-
-    POSTACTION(m);
-  }
-  return nm;
-}
-#endif /* !NO_MALLINFO */
-
-static void internal_malloc_stats(mstate m) {
-  if (!PREACTION(m)) {
-    size_t maxfp = 0;
-    size_t fp = 0;
-    size_t used = 0;
-    check_malloc_state(m);
-    if (is_initialized(m)) {
-      msegmentptr s = &m->seg;
-      maxfp = m->max_footprint;
-      fp = m->footprint;
-      used = fp - (m->topsize + TOP_FOOT_SIZE);
-
-      while (s != 0) {
-        mchunkptr q = align_as_chunk(s->base);
-        while (segment_holds(s, q) &&
-               q != m->top && q->head != FENCEPOST_HEAD) {
-          if (!cinuse(q))
-            used -= chunksize(q);
-          q = next_chunk(q);
-        }
-        s = s->next;
-      }
-    }
-
-    fprintf(stderr, "max system bytes = %10lu\n", (unsigned long)(maxfp));
-    fprintf(stderr, "system bytes     = %10lu\n", (unsigned long)(fp));
-    fprintf(stderr, "in use bytes     = %10lu\n", (unsigned long)(used));
-
-    POSTACTION(m);
-  }
-}
-
-/* ----------------------- Operations on smallbins ----------------------- */
-
-/*
-  Various forms of linking and unlinking are defined as macros.  Even
-  the ones for trees, which are very long but have very short typical
-  paths.  This is ugly but reduces reliance on inlining support of
-  compilers.
-*/
-
-/* Link a free chunk into a smallbin  */
-#define insert_small_chunk(M, P, S) {\
-  bindex_t I  = small_index(S);\
-  mchunkptr B = smallbin_at(M, I);\
-  mchunkptr F = B;\
-  assert(S >= MIN_CHUNK_SIZE);\
-  if (!smallmap_is_marked(M, I))\
-    mark_smallmap(M, I);\
-  else if (RTCHECK(ok_address(M, B->fd)))\
-    F = B->fd;\
-  else {\
-    CORRUPTION_ERROR_ACTION(M);\
-  }\
-  B->fd = P;\
-  F->bk = P;\
-  P->fd = F;\
-  P->bk = B;\
-}
-
-/* Unlink a chunk from a smallbin  */
-#define unlink_small_chunk(M, P, S) {\
-  mchunkptr F = P->fd;\
-  mchunkptr B = P->bk;\
-  bindex_t I = small_index(S);\
-  assert(P != B);\
-  assert(P != F);\
-  assert(chunksize(P) == small_index2size(I));\
-  if (F == B)\
-    clear_smallmap(M, I);\
-  else if (RTCHECK((F == smallbin_at(M,I) || ok_address(M, F)) &&\
-                   (B == smallbin_at(M,I) || ok_address(M, B)))) {\
-    F->bk = B;\
-    B->fd = F;\
-  }\
-  else {\
-    CORRUPTION_ERROR_ACTION(M);\
-  }\
-}
-
-/* Unlink the first chunk from a smallbin */
-#define unlink_first_small_chunk(M, B, P, I) {\
-  mchunkptr F = P->fd;\
-  assert(P != B);\
-  assert(P != F);\
-  assert(chunksize(P) == small_index2size(I));\
-  if (B == F)\
-    clear_smallmap(M, I);\
-  else if (RTCHECK(ok_address(M, F))) {\
-    B->fd = F;\
-    F->bk = B;\
-  }\
-  else {\
-    CORRUPTION_ERROR_ACTION(M);\
-  }\
-}
-
-/* Replace dv node, binning the old one */
-/* Used only when dvsize known to be small */
-#define replace_dv(M, P, S) {\
-  size_t DVS = M->dvsize;\
-  if (DVS != 0) {\
-    mchunkptr DV = M->dv;\
-    assert(is_small(DVS));\
-    insert_small_chunk(M, DV, DVS);\
-  }\
-  M->dvsize = S;\
-  M->dv = P;\
-}
-
-/* ------------------------- Operations on trees ------------------------- */
-
-/* Insert chunk into tree */
-#define insert_large_chunk(M, X, S) {\
-  tbinptr* H;\
-  bindex_t I;\
-  compute_tree_index(S, I);\
-  H = treebin_at(M, I);\
-  X->index = I;\
-  X->child[0] = X->child[1] = 0;\
-  if (!treemap_is_marked(M, I)) {\
-    mark_treemap(M, I);\
-    *H = X;\
-    X->parent = (tchunkptr)H;\
-    X->fd = X->bk = X;\
-  }\
-  else {\
-    tchunkptr T = *H;\
-    size_t K = S << leftshift_for_tree_index(I);\
-    for (;;) {\
-      if (chunksize(T) != S) {\
-        tchunkptr* C = &(T->child[(K >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1]);\
-        K <<= 1;\
-        if (*C != 0)\
-          T = *C;\
-        else if (RTCHECK(ok_address(M, C))) {\
-          *C = X;\
-          X->parent = T;\
-          X->fd = X->bk = X;\
-          break;\
-        }\
-        else {\
-          CORRUPTION_ERROR_ACTION(M);\
-          break;\
-        }\
-      }\
-      else {\
-        tchunkptr F = T->fd;\
-        if (RTCHECK(ok_address(M, T) && ok_address(M, F))) {\
-          T->fd = F->bk = X;\
-          X->fd = F;\
-          X->bk = T;\
-          X->parent = 0;\
-          break;\
-        }\
-        else {\
-          CORRUPTION_ERROR_ACTION(M);\
-          break;\
-        }\
-      }\
-    }\
-  }\
-}
-
-/*
-  Unlink steps:
-
-  1. If x is a chained node, unlink it from its same-sized fd/bk links
-     and choose its bk node as its replacement.
-  2. If x was the last node of its size, but not a leaf node, it must
-     be replaced with a leaf node (not merely one with an open left or
-     right), to make sure that lefts and rights of descendents
-     correspond properly to bit masks.  We use the rightmost descendent
-     of x.  We could use any other leaf, but this is easy to locate and
-     tends to counteract removal of leftmosts elsewhere, and so keeps
-     paths shorter than minimally guaranteed.  This doesn't loop much
-     because on average a node in a tree is near the bottom.
-  3. If x is the base of a chain (i.e., has parent links) relink
-     x's parent and children to x's replacement (or null if none).
-*/
-
-#define unlink_large_chunk(M, X) {\
-  tchunkptr XP = X->parent;\
-  tchunkptr R;\
-  if (X->bk != X) {\
-    tchunkptr F = X->fd;\
-    R = X->bk;\
-    if (RTCHECK(ok_address(M, F))) {\
-      F->bk = R;\
-      R->fd = F;\
-    }\
-    else {\
-      CORRUPTION_ERROR_ACTION(M);\
-    }\
-  }\
-  else {\
-    tchunkptr* RP;\
-    if (((R = *(RP = &(X->child[1]))) != 0) ||\
-        ((R = *(RP = &(X->child[0]))) != 0)) {\
-      tchunkptr* CP;\
-      while ((*(CP = &(R->child[1])) != 0) ||\
-             (*(CP = &(R->child[0])) != 0)) {\
-        R = *(RP = CP);\
-      }\
-      if (RTCHECK(ok_address(M, RP)))\
-        *RP = 0;\
-      else {\
-        CORRUPTION_ERROR_ACTION(M);\
-      }\
-    }\
-  }\
-  if (XP != 0) {\
-    tbinptr* H = treebin_at(M, X->index);\
-    if (X == *H) {\
-      if ((*H = R) == 0) \
-        clear_treemap(M, X->index);\
-    }\
-    else if (RTCHECK(ok_address(M, XP))) {\
-      if (XP->child[0] == X) \
-        XP->child[0] = R;\
-      else \
-        XP->child[1] = R;\
-    }\
-    else\
-      CORRUPTION_ERROR_ACTION(M);\
-    if (R != 0) {\
-      if (RTCHECK(ok_address(M, R))) {\
-        tchunkptr C0, C1;\
-        R->parent = XP;\
-        if ((C0 = X->child[0]) != 0) {\
-          if (RTCHECK(ok_address(M, C0))) {\
-            R->child[0] = C0;\
-            C0->parent = R;\
-          }\
-          else\
-            CORRUPTION_ERROR_ACTION(M);\
-        }\
-        if ((C1 = X->child[1]) != 0) {\
-          if (RTCHECK(ok_address(M, C1))) {\
-            R->child[1] = C1;\
-            C1->parent = R;\
-          }\
-          else\
-            CORRUPTION_ERROR_ACTION(M);\
-        }\
-      }\
-      else\
-        CORRUPTION_ERROR_ACTION(M);\
-    }\
-  }\
-}
-
-/* Relays to large vs small bin operations */
-
-#define insert_chunk(M, P, S)\
-  if (is_small(S)) insert_small_chunk(M, P, S)\
-  else { tchunkptr TP = (tchunkptr)(P); insert_large_chunk(M, TP, S); }
-
-#define unlink_chunk(M, P, S)\
-  if (is_small(S)) unlink_small_chunk(M, P, S)\
-  else { tchunkptr TP = (tchunkptr)(P); unlink_large_chunk(M, TP); }
-
-
-/* Relays to internal calls to malloc/free from realloc, memalign etc */
-
-#if ONLY_MSPACES
-#define internal_malloc(m, b) mspace_malloc(m, b)
-#define internal_free(m, mem) mspace_free(m,mem);
-#else /* ONLY_MSPACES */
-#if MSPACES
-#define internal_malloc(m, b)\
-   (m == gm)? dlmalloc(b) : mspace_malloc(m, b)
-#define internal_free(m, mem)\
-   if (m == gm) dlfree(mem); else mspace_free(m,mem);
-#else /* MSPACES */
-#define internal_malloc(m, b) dlmalloc(b)
-#define internal_free(m, mem) dlfree(mem)
-#endif /* MSPACES */
-#endif /* ONLY_MSPACES */
-
-/* -----------------------  Direct-mmapping chunks ----------------------- */
-
-/*
-  Directly mmapped chunks are set up with an offset to the start of
-  the mmapped region stored in the prev_foot field of the chunk. This
-  allows reconstruction of the required argument to MUNMAP when freed,
-  and also allows adjustment of the returned chunk to meet alignment
-  requirements (especially in memalign).  There is also enough space
-  allocated to hold a fake next chunk of size SIZE_T_SIZE to maintain
-  the PINUSE bit so frees can be checked.
-*/
-
-/* Malloc using mmap */
-static void* mmap_alloc(mstate m, size_t nb) {
-  size_t mmsize = granularity_align(nb + SIX_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
-  if (mmsize > nb) {     /* Check for wrap around 0 */
-    char* mm = (char*)(DIRECT_MMAP(mmsize));
-    if (mm != CMFAIL) {
-      size_t offset = align_offset(chunk2mem(mm));
-      size_t psize = mmsize - offset - MMAP_FOOT_PAD;
-      mchunkptr p = (mchunkptr)(mm + offset);
-      p->prev_foot = offset | IS_MMAPPED_BIT;
-      (p)->head = (psize|CINUSE_BIT);
-      mark_inuse_foot(m, p, psize);
-      chunk_plus_offset(p, psize)->head = FENCEPOST_HEAD;
-      chunk_plus_offset(p, psize+SIZE_T_SIZE)->head = 0;
-
-      if (mm < m->least_addr)
-        m->least_addr = mm;
-      if ((m->footprint += mmsize) > m->max_footprint)
-        m->max_footprint = m->footprint;
-      assert(is_aligned(chunk2mem(p)));
-      check_mmapped_chunk(m, p);
-      return chunk2mem(p);
-    }
-  }
-  return 0;
-}
-
-/* Realloc using mmap */
-static mchunkptr mmap_resize(mstate m, mchunkptr oldp, size_t nb) {
-  size_t oldsize = chunksize(oldp);
-  if (is_small(nb)) /* Can't shrink mmap regions below small size */
-    return 0;
-  /* Keep old chunk if big enough but not too big */
-  if (oldsize >= nb + SIZE_T_SIZE &&
-      (oldsize - nb) <= (mparams.granularity << 1))
-    return oldp;
-  else {
-    size_t offset = oldp->prev_foot & ~IS_MMAPPED_BIT;
-    size_t oldmmsize = oldsize + offset + MMAP_FOOT_PAD;
-    size_t newmmsize = granularity_align(nb + SIX_SIZE_T_SIZES +
-                                         CHUNK_ALIGN_MASK);
-    char* cp = (char*)CALL_MREMAP((char*)oldp - offset,
-                                  oldmmsize, newmmsize, 1);
-    if (cp != CMFAIL) {
-      mchunkptr newp = (mchunkptr)(cp + offset);
-      size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
-      newp->head = (psize|CINUSE_BIT);
-      mark_inuse_foot(m, newp, psize);
-      chunk_plus_offset(newp, psize)->head = FENCEPOST_HEAD;
-      chunk_plus_offset(newp, psize+SIZE_T_SIZE)->head = 0;
-
-      if (cp < m->least_addr)
-        m->least_addr = cp;
-      if ((m->footprint += newmmsize - oldmmsize) > m->max_footprint)
-        m->max_footprint = m->footprint;
-      check_mmapped_chunk(m, newp);
-      return newp;
-    }
-  }
-  return 0;
-}
-
-/* -------------------------- mspace management -------------------------- */
-
-/* Initialize top chunk and its size */
-static void init_top(mstate m, mchunkptr p, size_t psize) {
-  /* Ensure alignment */
-  size_t offset = align_offset(chunk2mem(p));
-  p = (mchunkptr)((char*)p + offset);
-  psize -= offset;
-
-  m->top = p;
-  m->topsize = psize;
-  p->head = psize | PINUSE_BIT;
-  /* set size of fake trailing chunk holding overhead space only once */
-  chunk_plus_offset(p, psize)->head = TOP_FOOT_SIZE;
-  m->trim_check = mparams.trim_threshold; /* reset on each update */
-}
-
-/* Initialize bins for a new mstate that is otherwise zeroed out */
-static void init_bins(mstate m) {
-  /* Establish circular links for smallbins */
-  bindex_t i;
-  for (i = 0; i < NSMALLBINS; ++i) {
-    sbinptr bin = smallbin_at(m,i);
-    bin->fd = bin->bk = bin;
-  }
-}
-
-#if PROCEED_ON_ERROR
-
-/* default corruption action */
-static void reset_on_error(mstate m) {
-  int i;
-  ++malloc_corruption_error_count;
-  /* Reinitialize fields to forget about all memory */
-  m->smallbins = m->treebins = 0;
-  m->dvsize = m->topsize = 0;
-  m->seg.base = 0;
-  m->seg.size = 0;
-  m->seg.next = 0;
-  m->top = m->dv = 0;
-  for (i = 0; i < NTREEBINS; ++i)
-    *treebin_at(m, i) = 0;
-  init_bins(m);
-}
-#endif /* PROCEED_ON_ERROR */
-
-/* Allocate chunk and prepend remainder with chunk in successor base. */
-static void* prepend_alloc(mstate m, char* newbase, char* oldbase,
-                           size_t nb) {
-  mchunkptr p = align_as_chunk(newbase);
-  mchunkptr oldfirst = align_as_chunk(oldbase);
-  size_t psize = (char*)oldfirst - (char*)p;
-  mchunkptr q = chunk_plus_offset(p, nb);
-  size_t qsize = psize - nb;
-  set_size_and_pinuse_of_inuse_chunk(m, p, nb);
-
-  assert((char*)oldfirst > (char*)q);
-  assert(pinuse(oldfirst));
-  assert(qsize >= MIN_CHUNK_SIZE);
-
-  /* consolidate remainder with first chunk of old base */
-  if (oldfirst == m->top) {
-    size_t tsize = m->topsize += qsize;
-    m->top = q;
-    q->head = tsize | PINUSE_BIT;
-    check_top_chunk(m, q);
-  }
-  else if (oldfirst == m->dv) {
-    size_t dsize = m->dvsize += qsize;
-    m->dv = q;
-    set_size_and_pinuse_of_free_chunk(q, dsize);
-  }
-  else {
-    if (!cinuse(oldfirst)) {
-      size_t nsize = chunksize(oldfirst);
-      unlink_chunk(m, oldfirst, nsize);
-      oldfirst = chunk_plus_offset(oldfirst, nsize);
-      qsize += nsize;
-    }
-    set_free_with_pinuse(q, qsize, oldfirst);
-    insert_chunk(m, q, qsize);
-    check_free_chunk(m, q);
-  }
-
-  check_malloced_chunk(m, chunk2mem(p), nb);
-  return chunk2mem(p);
-}
-
-
-/* Add a segment to hold a new noncontiguous region */
-static void add_segment(mstate m, char* tbase, size_t tsize, flag_t mmapped) {
-  /* Determine locations and sizes of segment, fenceposts, old top */
-  char* old_top = (char*)m->top;
-  msegmentptr oldsp = segment_holding(m, old_top);
-  char* old_end = oldsp->base + oldsp->size;
-  size_t ssize = pad_request(sizeof(struct malloc_segment));
-  char* rawsp = old_end - (ssize + FOUR_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
-  size_t offset = align_offset(chunk2mem(rawsp));
-  char* asp = rawsp + offset;
-  char* csp = (asp < (old_top + MIN_CHUNK_SIZE))? old_top : asp;
-  mchunkptr sp = (mchunkptr)csp;
-  msegmentptr ss = (msegmentptr)(chunk2mem(sp));
-  mchunkptr tnext = chunk_plus_offset(sp, ssize);
-  mchunkptr p = tnext;
-  int nfences = 0;
-
-  /* reset top to new space */
-  init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
-
-  /* Set up segment record */
-  assert(is_aligned(ss));
-  set_size_and_pinuse_of_inuse_chunk(m, sp, ssize);
-  *ss = m->seg; /* Push current record */
-  m->seg.base = tbase;
-  m->seg.size = tsize;
-  m->seg.sflags = mmapped;
-  m->seg.next = ss;
-
-  /* Insert trailing fenceposts */
-  for (;;) {
-    mchunkptr nextp = chunk_plus_offset(p, SIZE_T_SIZE);
-    p->head = FENCEPOST_HEAD;
-    ++nfences;
-    if ((char*)(&(nextp->head)) < old_end)
-      p = nextp;
-    else
-      break;
-  }
-  assert(nfences >= 2);
-
-  /* Insert the rest of old top into a bin as an ordinary free chunk */
-  if (csp != old_top) {
-    mchunkptr q = (mchunkptr)old_top;
-    size_t psize = csp - old_top;
-    mchunkptr tn = chunk_plus_offset(q, psize);
-    set_free_with_pinuse(q, psize, tn);
-    insert_chunk(m, q, psize);
-  }
-
-  check_top_chunk(m, m->top);
-}
-
-/* -------------------------- System allocation -------------------------- */
-
-/* Get memory from system using MORECORE or MMAP */
-static void* sys_alloc(mstate m, size_t nb) {
-  char* tbase = CMFAIL;
-  size_t tsize = 0;
-  flag_t mmap_flag = 0;
-
-  init_mparams();
-
-  /* Directly map large chunks */
-  if (use_mmap(m) && nb >= mparams.mmap_threshold) {
-    void* mem = mmap_alloc(m, nb);
-    if (mem != 0)
-      return mem;
-  }
-
-  /*
-    Try getting memory in any of three ways (in most-preferred to
-    least-preferred order):
-    1. A call to MORECORE that can normally contiguously extend memory.
-       (disabled if not MORECORE_CONTIGUOUS or not HAVE_MORECORE or
-       or main space is mmapped or a previous contiguous call failed)
-    2. A call to MMAP new space (disabled if not HAVE_MMAP).
-       Note that under the default settings, if MORECORE is unable to
-       fulfill a request, and HAVE_MMAP is true, then mmap is
-       used as a noncontiguous system allocator. This is a useful backup
-       strategy for systems with holes in address spaces -- in this case
-       sbrk cannot contiguously expand the heap, but mmap may be able to
-       find space.
-    3. A call to MORECORE that cannot usually contiguously extend memory.
-       (disabled if not HAVE_MORECORE)
-  */
-
-  if (MORECORE_CONTIGUOUS && !use_noncontiguous(m)) {
-    char* br = CMFAIL;
-    msegmentptr ss = (m->top == 0)? 0 : segment_holding(m, (char*)m->top);
-    size_t asize = 0;
-    ACQUIRE_MORECORE_LOCK();
-
-    if (ss == 0) {  /* First time through or recovery */
-      char* base = (char*)CALL_MORECORE(0);
-      if (base != CMFAIL) {
-        asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
-        /* Adjust to end on a page boundary */
-        if (!is_page_aligned(base))
-          asize += (page_align((size_t)base) - (size_t)base);
-        /* Can't call MORECORE if size is negative when treated as signed */
-        if (asize < HALF_MAX_SIZE_T &&
-            (br = (char*)(CALL_MORECORE(asize))) == base) {
-          tbase = base;
-          tsize = asize;
-        }
-      }
-    }
-    else {
-      /* Subtract out existing available top space from MORECORE request. */
-      asize = granularity_align(nb - m->topsize + TOP_FOOT_SIZE + SIZE_T_ONE);
-      /* Use mem here only if it did continuously extend old space */
-      if (asize < HALF_MAX_SIZE_T &&
-          (br = (char*)(CALL_MORECORE(asize))) == ss->base+ss->size) {
-        tbase = br;
-        tsize = asize;
-      }
-    }
-
-    if (tbase == CMFAIL) {    /* Cope with partial failure */
-      if (br != CMFAIL) {    /* Try to use/extend the space we did get */
-        if (asize < HALF_MAX_SIZE_T &&
-            asize < nb + TOP_FOOT_SIZE + SIZE_T_ONE) {
-          size_t esize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE - asize);
-          if (esize < HALF_MAX_SIZE_T) {
-            char* end = (char*)CALL_MORECORE(esize);
-            if (end != CMFAIL)
-              asize += esize;
-            else {            /* Can't use; try to release */
-              CALL_MORECORE(-asize);
-              br = CMFAIL;
-            }
-          }
-        }
-      }
-      if (br != CMFAIL) {    /* Use the space we did get */
-        tbase = br;
-        tsize = asize;
-      }
-      else
-        disable_contiguous(m); /* Don't try contiguous path in the future */
-    }
-
-    RELEASE_MORECORE_LOCK();
-  }
-
-  if (HAVE_MMAP && tbase == CMFAIL) {  /* Try MMAP */
-    size_t req = nb + TOP_FOOT_SIZE + SIZE_T_ONE;
-    size_t rsize = granularity_align(req);
-    if (rsize > nb) { /* Fail if wraps around zero */
-      char* mp = (char*)(CALL_MMAP(rsize));
-      if (mp != CMFAIL) {
-        tbase = mp;
-        tsize = rsize;
-        mmap_flag = IS_MMAPPED_BIT;
-      }
-    }
-  }
-
-  if (HAVE_MORECORE && tbase == CMFAIL) { /* Try noncontiguous MORECORE */
-    size_t asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
-    if (asize < HALF_MAX_SIZE_T) {
-      char* br = CMFAIL;
-      char* end = CMFAIL;
-      ACQUIRE_MORECORE_LOCK();
-      br = (char*)(CALL_MORECORE(asize));
-      end = (char*)(CALL_MORECORE(0));
-      RELEASE_MORECORE_LOCK();
-      if (br != CMFAIL && end != CMFAIL && br < end) {
-        size_t ssize = end - br;
-        if (ssize > nb + TOP_FOOT_SIZE) {
-          tbase = br;
-          tsize = ssize;
-        }
-      }
-    }
-  }
-
-  if (tbase != CMFAIL) {
-
-    if ((m->footprint += tsize) > m->max_footprint)
-      m->max_footprint = m->footprint;
-
-    if (!is_initialized(m)) { /* first-time initialization */
-      m->seg.base = m->least_addr = tbase;
-      m->seg.size = tsize;
-      m->seg.sflags = mmap_flag;
-      m->magic = mparams.magic;
-      init_bins(m);
-      if (is_global(m)) 
-        init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
-      else {
-        /* Offset top by embedded malloc_state */
-        mchunkptr mn = next_chunk(mem2chunk(m));
-        init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) -TOP_FOOT_SIZE);
-      }
-    }
-
-    else {
-      /* Try to merge with an existing segment */
-      msegmentptr sp = &m->seg;
-      while (sp != 0 && tbase != sp->base + sp->size)
-        sp = sp->next;
-      if (sp != 0 &&
-          !is_extern_segment(sp) &&
-          (sp->sflags & IS_MMAPPED_BIT) == mmap_flag &&
-          segment_holds(sp, m->top)) { /* append */
-        sp->size += tsize;
-        init_top(m, m->top, m->topsize + tsize);
-      }
-      else {
-        if (tbase < m->least_addr)
-          m->least_addr = tbase;
-        sp = &m->seg;
-        while (sp != 0 && sp->base != tbase + tsize)
-          sp = sp->next;
-        if (sp != 0 &&
-            !is_extern_segment(sp) &&
-            (sp->sflags & IS_MMAPPED_BIT) == mmap_flag) {
-          char* oldbase = sp->base;
-          sp->base = tbase;
-          sp->size += tsize;
-          return prepend_alloc(m, tbase, oldbase, nb);
-        }
-        else
-          add_segment(m, tbase, tsize, mmap_flag);
-      }
-    }
-
-    if (nb < m->topsize) { /* Allocate from new or extended top space */
-      size_t rsize = m->topsize -= nb;
-      mchunkptr p = m->top;
-      mchunkptr r = m->top = chunk_plus_offset(p, nb);
-      r->head = rsize | PINUSE_BIT;
-      set_size_and_pinuse_of_inuse_chunk(m, p, nb);
-      check_top_chunk(m, m->top);
-      check_malloced_chunk(m, chunk2mem(p), nb);
-      return chunk2mem(p);
-    }
-  }
-
-  MALLOC_FAILURE_ACTION;
-  return 0;
-}
-
-/* -----------------------  system deallocation -------------------------- */
-
-/* Unmap and unlink any mmapped segments that don't contain used chunks */
-static size_t release_unused_segments(mstate m) {
-  size_t released = 0;
-  msegmentptr pred = &m->seg;
-  msegmentptr sp = pred->next;
-  while (sp != 0) {
-    char* base = sp->base;
-    size_t size = sp->size;
-    msegmentptr next = sp->next;
-    if (is_mmapped_segment(sp) && !is_extern_segment(sp)) {
-      mchunkptr p = align_as_chunk(base);
-      size_t psize = chunksize(p);
-      /* Can unmap if first chunk holds entire segment and not pinned */
-      if (!cinuse(p) && (char*)p + psize >= base + size - TOP_FOOT_SIZE) {
-        tchunkptr tp = (tchunkptr)p;
-        assert(segment_holds(sp, (char*)sp));
-        if (p == m->dv) {
-          m->dv = 0;
-          m->dvsize = 0;
-        }
-        else {
-          unlink_large_chunk(m, tp);
-        }
-        if (CALL_MUNMAP(base, size) == 0) {
-          released += size;
-          m->footprint -= size;
-          /* unlink obsoleted record */
-          sp = pred;
-          sp->next = next;
-        }
-        else { /* back out if cannot unmap */
-          insert_large_chunk(m, tp, psize);
-        }
-      }
-    }
-    pred = sp;
-    sp = next;
-  }
-  return released;
-}
-
-static int sys_trim(mstate m, size_t pad) {
-  size_t released = 0;
-  if (pad < MAX_REQUEST && is_initialized(m)) {
-    pad += TOP_FOOT_SIZE; /* ensure enough room for segment overhead */
-
-    if (m->topsize > pad) {
-      /* Shrink top space in granularity-size units, keeping at least one */
-      size_t unit = mparams.granularity;
-      size_t extra = ((m->topsize - pad + (unit - SIZE_T_ONE)) / unit -
-                      SIZE_T_ONE) * unit;
-      msegmentptr sp = segment_holding(m, (char*)m->top);
-
-      if (!is_extern_segment(sp)) {
-        if (is_mmapped_segment(sp)) {
-          if (HAVE_MMAP &&
-              sp->size >= extra &&
-              !has_segment_link(m, sp)) { /* can't shrink if pinned */
-            size_t newsize = sp->size - extra;
-            /* Prefer mremap, fall back to munmap */
-            if ((CALL_MREMAP(sp->base, sp->size, newsize, 0) != MFAIL) ||
-                (CALL_MUNMAP(sp->base + newsize, extra) == 0)) {
-              released = extra;
-            }
-          }
-        }
-        else if (HAVE_MORECORE) {
-          if (extra >= HALF_MAX_SIZE_T) /* Avoid wrapping negative */
-            extra = (HALF_MAX_SIZE_T) + SIZE_T_ONE - unit;
-          ACQUIRE_MORECORE_LOCK();
-          {
-            /* Make sure end of memory is where we last set it. */
-            char* old_br = (char*)(CALL_MORECORE(0));
-            if (old_br == sp->base + sp->size) {
-              char* rel_br = (char*)(CALL_MORECORE(-extra));
-              char* new_br = (char*)(CALL_MORECORE(0));
-              if (rel_br != CMFAIL && new_br < old_br)
-                released = old_br - new_br;
-            }
-          }
-          RELEASE_MORECORE_LOCK();
-        }
-      }
-
-      if (released != 0) {
-        sp->size -= released;
-        m->footprint -= released;
-        init_top(m, m->top, m->topsize - released);
-        check_top_chunk(m, m->top);
-      }
-    }
-
-    /* Unmap any unused mmapped segments */
-    if (HAVE_MMAP) 
-      released += release_unused_segments(m);
-
-    /* On failure, disable autotrim to avoid repeated failed future calls */
-    if (released == 0)
-      m->trim_check = MAX_SIZE_T;
-  }
-
-  return (released != 0)? 1 : 0;
-}
-
-/* ---------------------------- malloc support --------------------------- */
-
-/* allocate a large request from the best fitting chunk in a treebin */
-static void* tmalloc_large(mstate m, size_t nb) {
-  tchunkptr v = 0;
-  size_t rsize = -nb; /* Unsigned negation */
-  tchunkptr t;
-  bindex_t idx;
-  compute_tree_index(nb, idx);
-
-  if ((t = *treebin_at(m, idx)) != 0) {
-    /* Traverse tree for this bin looking for node with size == nb */
-    size_t sizebits = nb << leftshift_for_tree_index(idx);
-    tchunkptr rst = 0;  /* The deepest untaken right subtree */
-    for (;;) {
-      tchunkptr rt;
-      size_t trem = chunksize(t) - nb;
-      if (trem < rsize) {
-        v = t;
-        if ((rsize = trem) == 0)
-          break;
-      }
-      rt = t->child[1];
-      t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
-      if (rt != 0 && rt != t)
-        rst = rt;
-      if (t == 0) {
-        t = rst; /* set t to least subtree holding sizes > nb */
-        break;
-      }
-      sizebits <<= 1;
-    }
-  }
-
-  if (t == 0 && v == 0) { /* set t to root of next non-empty treebin */
-    binmap_t leftbits = left_bits(idx2bit(idx)) & m->treemap;
-    if (leftbits != 0) {
-      bindex_t i;
-      binmap_t leastbit = least_bit(leftbits);
-      compute_bit2idx(leastbit, i);
-      t = *treebin_at(m, i);
-    }
-  }
-
-  while (t != 0) { /* find smallest of tree or subtree */
-    size_t trem = chunksize(t) - nb;
-    if (trem < rsize) {
-      rsize = trem;
-      v = t;
-    }
-    t = leftmost_child(t);
-  }
-
-  /*  If dv is a better fit, return 0 so malloc will use it */
-  if (v != 0 && rsize < (size_t)(m->dvsize - nb)) {
-    if (RTCHECK(ok_address(m, v))) { /* split */
-      mchunkptr r = chunk_plus_offset(v, nb);
-      assert(chunksize(v) == rsize + nb);
-      if (RTCHECK(ok_next(v, r))) {
-        unlink_large_chunk(m, v);
-        if (rsize < MIN_CHUNK_SIZE)
-          set_inuse_and_pinuse(m, v, (rsize + nb));
-        else {
-          set_size_and_pinuse_of_inuse_chunk(m, v, nb);
-          set_size_and_pinuse_of_free_chunk(r, rsize);
-          insert_chunk(m, r, rsize);
-        }
-        return chunk2mem(v);
-      }
-    }
-    CORRUPTION_ERROR_ACTION(m);
-  }
-  return 0;
-}
-
-/* allocate a small request from the best fitting chunk in a treebin */
-static void* tmalloc_small(mstate m, size_t nb) {
-  tchunkptr t, v;
-  size_t rsize;
-  bindex_t i;
-  binmap_t leastbit = least_bit(m->treemap);
-  compute_bit2idx(leastbit, i);
-
-  v = t = *treebin_at(m, i);
-  rsize = chunksize(t) - nb;
-
-  while ((t = leftmost_child(t)) != 0) {
-    size_t trem = chunksize(t) - nb;
-    if (trem < rsize) {
-      rsize = trem;
-      v = t;
-    }
-  }
-
-  if (RTCHECK(ok_address(m, v))) {
-    mchunkptr r = chunk_plus_offset(v, nb);
-    assert(chunksize(v) == rsize + nb);
-    if (RTCHECK(ok_next(v, r))) {
-      unlink_large_chunk(m, v);
-      if (rsize < MIN_CHUNK_SIZE)
-        set_inuse_and_pinuse(m, v, (rsize + nb));
-      else {
-        set_size_and_pinuse_of_inuse_chunk(m, v, nb);
-        set_size_and_pinuse_of_free_chunk(r, rsize);
-        replace_dv(m, r, rsize);
-      }
-      return chunk2mem(v);
-    }
-  }
-
-  CORRUPTION_ERROR_ACTION(m);
-  return 0;
-}
-
-/* --------------------------- realloc support --------------------------- */
-
-static void* internal_realloc(mstate m, void* oldmem, size_t bytes) {
-  if (bytes >= MAX_REQUEST) {
-    MALLOC_FAILURE_ACTION;
-    return 0;
-  }
-  if (!PREACTION(m)) {
-    mchunkptr oldp = mem2chunk(oldmem);
-    size_t oldsize = chunksize(oldp);
-    mchunkptr next = chunk_plus_offset(oldp, oldsize);
-    mchunkptr newp = 0;
-    void* extra = 0;
-
-    /* Try to either shrink or extend into top. Else malloc-copy-free */
-
-    if (RTCHECK(ok_address(m, oldp) && ok_cinuse(oldp) &&
-                ok_next(oldp, next) && ok_pinuse(next))) {
-      size_t nb = request2size(bytes);
-      if (is_mmapped(oldp))
-        newp = mmap_resize(m, oldp, nb);
-      else if (oldsize >= nb) { /* already big enough */
-        size_t rsize = oldsize - nb;
-        newp = oldp;
-        if (rsize >= MIN_CHUNK_SIZE) {
-          mchunkptr remainder = chunk_plus_offset(newp, nb);
-          set_inuse(m, newp, nb);
-          set_inuse(m, remainder, rsize);
-          extra = chunk2mem(remainder);
-        }
-      }
-      else if (next == m->top && oldsize + m->topsize > nb) {
-        /* Expand into top */
-        size_t newsize = oldsize + m->topsize;
-        size_t newtopsize = newsize - nb;
-        mchunkptr newtop = chunk_plus_offset(oldp, nb);
-        set_inuse(m, oldp, nb);
-        newtop->head = newtopsize |PINUSE_BIT;
-        m->top = newtop;
-        m->topsize = newtopsize;
-        newp = oldp;
-      }
-    }
-    else {
-      USAGE_ERROR_ACTION(m, oldmem);
-      POSTACTION(m);
-      return 0;
-    }
-
-    POSTACTION(m);
-
-    if (newp != 0) {
-      if (extra != 0) {
-        internal_free(m, extra);
-      }
-      check_inuse_chunk(m, newp);
-      return chunk2mem(newp);
-    }
-    else {
-      void* newmem = internal_malloc(m, bytes);
-      if (newmem != 0) {
-        size_t oc = oldsize - overhead_for(oldp);
-        memcpy(newmem, oldmem, (oc < bytes)? oc : bytes);
-        internal_free(m, oldmem);
-      }
-      return newmem;
-    }
-  }
-  return 0;
-}
-
-/* --------------------------- memalign support -------------------------- */
-
-static void* internal_memalign(mstate m, size_t alignment, size_t bytes) {
-  if (alignment <= MALLOC_ALIGNMENT)    /* Can just use malloc */
-    return internal_malloc(m, bytes);
-  if (alignment <  MIN_CHUNK_SIZE) /* must be at least a minimum chunk size */
-    alignment = MIN_CHUNK_SIZE;
-  if ((alignment & (alignment-SIZE_T_ONE)) != 0) {/* Ensure a power of 2 */
-    size_t a = MALLOC_ALIGNMENT << 1;
-    while (a < alignment) a <<= 1;
-    alignment = a;
-  }
-  
-  if (bytes >= MAX_REQUEST - alignment) {
-    if (m != 0)  { /* Test isn't needed but avoids compiler warning */
-      MALLOC_FAILURE_ACTION;
-    }
-  }
-  else {
-    size_t nb = request2size(bytes);
-    size_t req = nb + alignment + MIN_CHUNK_SIZE - CHUNK_OVERHEAD;
-    char* mem = (char*)internal_malloc(m, req);
-    if (mem != 0) {
-      void* leader = 0;
-      void* trailer = 0;
-      mchunkptr p = mem2chunk(mem);
-
-      if (PREACTION(m)) return 0;
-      if ((((size_t)(mem)) % alignment) != 0) { /* misaligned */
-        /*
-          Find an aligned spot inside chunk.  Since we need to give
-          back leading space in a chunk of at least MIN_CHUNK_SIZE, if
-          the first calculation places us at a spot with less than
-          MIN_CHUNK_SIZE leader, we can move to the next aligned spot.
-          We've allocated enough total room so that this is always
-          possible.
-        */
-        char* br = (char*)mem2chunk((size_t)(((size_t)(mem +
-                                                       alignment -
-                                                       SIZE_T_ONE)) &
-                                             -alignment));
-        char* pos = ((size_t)(br - (char*)(p)) >= MIN_CHUNK_SIZE)?
-          br : br+alignment;
-        mchunkptr newp = (mchunkptr)pos;
-        size_t leadsize = pos - (char*)(p);
-        size_t newsize = chunksize(p) - leadsize;
-
-        if (is_mmapped(p)) { /* For mmapped chunks, just adjust offset */
-          newp->prev_foot = p->prev_foot + leadsize;
-          newp->head = (newsize|CINUSE_BIT);
-        }
-        else { /* Otherwise, give back leader, use the rest */
-          set_inuse(m, newp, newsize);
-          set_inuse(m, p, leadsize);
-          leader = chunk2mem(p);
-        }
-        p = newp;
-      }
-
-      /* Give back spare room at the end */
-      if (!is_mmapped(p)) {
-        size_t size = chunksize(p);
-        if (size > nb + MIN_CHUNK_SIZE) {
-          size_t remainder_size = size - nb;
-          mchunkptr remainder = chunk_plus_offset(p, nb);
-          set_inuse(m, p, nb);
-          set_inuse(m, remainder, remainder_size);
-          trailer = chunk2mem(remainder);
-        }
-      }
-
-      assert (chunksize(p) >= nb);
-      assert((((size_t)(chunk2mem(p))) % alignment) == 0);
-      check_inuse_chunk(m, p);
-      POSTACTION(m);
-      if (leader != 0) {
-        internal_free(m, leader);
-      }
-      if (trailer != 0) {
-        internal_free(m, trailer);
-      }
-      return chunk2mem(p);
-    }
-  }
-  return 0;
-}
-
-/* ------------------------ comalloc/coalloc support --------------------- */
-
-static void** ialloc(mstate m,
-                     size_t n_elements,
-                     size_t* sizes,
-                     int opts,
-                     void* chunks[]) {
-  /*
-    This provides common support for independent_X routines, handling
-    all of the combinations that can result.
-
-    The opts arg has:
-    bit 0 set if all elements are same size (using sizes[0])
-    bit 1 set if elements should be zeroed
-  */
-
-  size_t    element_size;   /* chunksize of each element, if all same */
-  size_t    contents_size;  /* total size of elements */
-  size_t    array_size;     /* request size of pointer array */
-  void*     mem;            /* malloced aggregate space */
-  mchunkptr p;              /* corresponding chunk */
-  size_t    remainder_size; /* remaining bytes while splitting */
-  void**    marray;         /* either "chunks" or malloced ptr array */
-  mchunkptr array_chunk;    /* chunk for malloced ptr array */
-  flag_t    was_enabled;    /* to disable mmap */
-  size_t    size;
-  size_t    i;
-
-  /* compute array length, if needed */
-  if (chunks != 0) {
-    if (n_elements == 0)
-      return chunks; /* nothing to do */
-    marray = chunks;
-    array_size = 0;
-  }
-  else {
-    /* if empty req, must still return chunk representing empty array */
-    if (n_elements == 0)
-      return (void**)internal_malloc(m, 0);
-    marray = 0;
-    array_size = request2size(n_elements * (sizeof(void*)));
-  }
-
-  /* compute total element size */
-  if (opts & 0x1) { /* all-same-size */
-    element_size = request2size(*sizes);
-    contents_size = n_elements * element_size;
-  }
-  else { /* add up all the sizes */
-    element_size = 0;
-    contents_size = 0;
-    for (i = 0; i != n_elements; ++i)
-      contents_size += request2size(sizes[i]);
-  }
-
-  size = contents_size + array_size;
-
-  /*
-     Allocate the aggregate chunk.  First disable direct-mmapping so
-     malloc won't use it, since we would not be able to later
-     free/realloc space internal to a segregated mmap region.
-  */
-  was_enabled = use_mmap(m);
-  disable_mmap(m);
-  mem = internal_malloc(m, size - CHUNK_OVERHEAD);
-  if (was_enabled)
-    enable_mmap(m);
-  if (mem == 0)
-    return 0;
-
-  if (PREACTION(m)) return 0;
-  p = mem2chunk(mem);
-  remainder_size = chunksize(p);
-
-  assert(!is_mmapped(p));
-
-  if (opts & 0x2) {       /* optionally clear the elements */
-    memset((size_t*)mem, 0, remainder_size - SIZE_T_SIZE - array_size);
-  }
-
-  /* If not provided, allocate the pointer array as final part of chunk */
-  if (marray == 0) {
-    size_t  array_chunk_size;
-    array_chunk = chunk_plus_offset(p, contents_size);
-    array_chunk_size = remainder_size - contents_size;
-    marray = (void**) (chunk2mem(array_chunk));
-    set_size_and_pinuse_of_inuse_chunk(m, array_chunk, array_chunk_size);
-    remainder_size = contents_size;
-  }
-
-  /* split out elements */
-  for (i = 0; ; ++i) {
-    marray[i] = chunk2mem(p);
-    if (i != n_elements-1) {
-      if (element_size != 0)
-        size = element_size;
-      else
-        size = request2size(sizes[i]);
-      remainder_size -= size;
-      set_size_and_pinuse_of_inuse_chunk(m, p, size);
-      p = chunk_plus_offset(p, size);
-    }
-    else { /* the final element absorbs any overallocation slop */
-      set_size_and_pinuse_of_inuse_chunk(m, p, remainder_size);
-      break;
-    }
-  }
-
-#if DEBUG
-  if (marray != chunks) {
-    /* final element must have exactly exhausted chunk */
-    if (element_size != 0) {
-      assert(remainder_size == element_size);
-    }
-    else {
-      assert(remainder_size == request2size(sizes[i]));
-    }
-    check_inuse_chunk(m, mem2chunk(marray));
-  }
-  for (i = 0; i != n_elements; ++i)
-    check_inuse_chunk(m, mem2chunk(marray[i]));
-
-#endif /* DEBUG */
-
-  POSTACTION(m);
-  return marray;
-}
-
-
-/* -------------------------- public routines ---------------------------- */
-
-#if !ONLY_MSPACES
-
-void* dlmalloc(size_t bytes) {
-  /*
-     Basic algorithm:
-     If a small request (< 256 bytes minus per-chunk overhead):
-       1. If one exists, use a remainderless chunk in associated smallbin.
-          (Remainderless means that there are too few excess bytes to
-          represent as a chunk.)
-       2. If it is big enough, use the dv chunk, which is normally the
-          chunk adjacent to the one used for the most recent small request.
-       3. If one exists, split the smallest available chunk in a bin,
-          saving remainder in dv.
-       4. If it is big enough, use the top chunk.
-       5. If available, get memory from system and use it
-     Otherwise, for a large request:
-       1. Find the smallest available binned chunk that fits, and use it
-          if it is better fitting than dv chunk, splitting if necessary.
-       2. If better fitting than any binned chunk, use the dv chunk.
-       3. If it is big enough, use the top chunk.
-       4. If request size >= mmap threshold, try to directly mmap this chunk.
-       5. If available, get memory from system and use it
-
-     The ugly goto's here ensure that postaction occurs along all paths.
-  */
-
-  if (!PREACTION(gm)) {
-    void* mem;
-    size_t nb;
-    if (bytes <= MAX_SMALL_REQUEST) {
-      bindex_t idx;
-      binmap_t smallbits;
-      nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes);
-      idx = small_index(nb);
-      smallbits = gm->smallmap >> idx;
-
-      if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. */
-        mchunkptr b, p;
-        idx += ~smallbits & 1;       /* Uses next bin if idx empty */
-        b = smallbin_at(gm, idx);
-        p = b->fd;
-        assert(chunksize(p) == small_index2size(idx));
-        unlink_first_small_chunk(gm, b, p, idx);
-        set_inuse_and_pinuse(gm, p, small_index2size(idx));
-        mem = chunk2mem(p);
-        check_malloced_chunk(gm, mem, nb);
-        goto postaction;
-      }
-
-      else if (nb > gm->dvsize) {
-        if (smallbits != 0) { /* Use chunk in next nonempty smallbin */
-          mchunkptr b, p, r;
-          size_t rsize;
-          bindex_t i;
-          binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx));
-          binmap_t leastbit = least_bit(leftbits);
-          compute_bit2idx(leastbit, i);
-          b = smallbin_at(gm, i);
-          p = b->fd;
-          assert(chunksize(p) == small_index2size(i));
-          unlink_first_small_chunk(gm, b, p, i);
-          rsize = small_index2size(i) - nb;
-          /* Fit here cannot be remainderless if 4byte sizes */
-          if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE)
-            set_inuse_and_pinuse(gm, p, small_index2size(i));
-          else {
-            set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
-            r = chunk_plus_offset(p, nb);
-            set_size_and_pinuse_of_free_chunk(r, rsize);
-            replace_dv(gm, r, rsize);
-          }
-          mem = chunk2mem(p);
-          check_malloced_chunk(gm, mem, nb);
-          goto postaction;
-        }
-
-        else if (gm->treemap != 0 && (mem = tmalloc_small(gm, nb)) != 0) {
-          check_malloced_chunk(gm, mem, nb);
-          goto postaction;
-        }
-      }
-    }
-    else if (bytes >= MAX_REQUEST)
-      nb = MAX_SIZE_T; /* Too big to allocate. Force failure (in sys alloc) */
-    else {
-      nb = pad_request(bytes);
-      if (gm->treemap != 0 && (mem = tmalloc_large(gm, nb)) != 0) {
-        check_malloced_chunk(gm, mem, nb);
-        goto postaction;
-      }
-    }
-
-    if (nb <= gm->dvsize) {
-      size_t rsize = gm->dvsize - nb;
-      mchunkptr p = gm->dv;
-      if (rsize >= MIN_CHUNK_SIZE) { /* split dv */
-        mchunkptr r = gm->dv = chunk_plus_offset(p, nb);
-        gm->dvsize = rsize;
-        set_size_and_pinuse_of_free_chunk(r, rsize);
-        set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
-      }
-      else { /* exhaust dv */
-        size_t dvs = gm->dvsize;
-        gm->dvsize = 0;
-        gm->dv = 0;
-        set_inuse_and_pinuse(gm, p, dvs);
-      }
-      mem = chunk2mem(p);
-      check_malloced_chunk(gm, mem, nb);
-      goto postaction;
-    }
-
-    else if (nb < gm->topsize) { /* Split top */
-      size_t rsize = gm->topsize -= nb;
-      mchunkptr p = gm->top;
-      mchunkptr r = gm->top = chunk_plus_offset(p, nb);
-      r->head = rsize | PINUSE_BIT;
-      set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
-      mem = chunk2mem(p);
-      check_top_chunk(gm, gm->top);
-      check_malloced_chunk(gm, mem, nb);
-      goto postaction;
-    }
-
-    mem = sys_alloc(gm, nb);
-
-  postaction:
-    POSTACTION(gm);
-    return mem;
-  }
-
-  return 0;
-}
-
-void dlfree(void* mem) {
-  /*
-     Consolidate freed chunks with preceeding or succeeding bordering
-     free chunks, if they exist, and then place in a bin.  Intermixed
-     with special cases for top, dv, mmapped chunks, and usage errors.
-  */
-
-  if (mem != 0) {
-    mchunkptr p  = mem2chunk(mem);
-#if FOOTERS
-    mstate fm = get_mstate_for(p);
-    if (!ok_magic(fm)) {
-      USAGE_ERROR_ACTION(fm, p);
-      return;
-    }
-#else /* FOOTERS */
-#define fm gm
-#endif /* FOOTERS */
-    if (!PREACTION(fm)) {
-      check_inuse_chunk(fm, p);
-      if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) {
-        size_t psize = chunksize(p);
-        mchunkptr next = chunk_plus_offset(p, psize);
-        if (!pinuse(p)) {
-          size_t prevsize = p->prev_foot;
-          if ((prevsize & IS_MMAPPED_BIT) != 0) {
-            prevsize &= ~IS_MMAPPED_BIT;
-            psize += prevsize + MMAP_FOOT_PAD;
-            if (CALL_MUNMAP((char*)p - prevsize, psize) == 0)
-              fm->footprint -= psize;
-            goto postaction;
-          }
-          else {
-            mchunkptr prev = chunk_minus_offset(p, prevsize);
-            psize += prevsize;
-            p = prev;
-            if (RTCHECK(ok_address(fm, prev))) { /* consolidate backward */
-              if (p != fm->dv) {
-                unlink_chunk(fm, p, prevsize);
-              }
-              else if ((next->head & INUSE_BITS) == INUSE_BITS) {
-                fm->dvsize = psize;
-                set_free_with_pinuse(p, psize, next);
-                goto postaction;
-              }
-            }
-            else
-              goto erroraction;
-          }
-        }
-
-        if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) {
-          if (!cinuse(next)) {  /* consolidate forward */
-            if (next == fm->top) {
-              size_t tsize = fm->topsize += psize;
-              fm->top = p;
-              p->head = tsize | PINUSE_BIT;
-              if (p == fm->dv) {
-                fm->dv = 0;
-                fm->dvsize = 0;
-              }
-              if (should_trim(fm, tsize))
-                sys_trim(fm, 0);
-              goto postaction;
-            }
-            else if (next == fm->dv) {
-              size_t dsize = fm->dvsize += psize;
-              fm->dv = p;
-              set_size_and_pinuse_of_free_chunk(p, dsize);
-              goto postaction;
-            }
-            else {
-              size_t nsize = chunksize(next);
-              psize += nsize;
-              unlink_chunk(fm, next, nsize);
-              set_size_and_pinuse_of_free_chunk(p, psize);
-              if (p == fm->dv) {
-                fm->dvsize = psize;
-                goto postaction;
-              }
-            }
-          }
-          else
-            set_free_with_pinuse(p, psize, next);
-          insert_chunk(fm, p, psize);
-          check_free_chunk(fm, p);
-          goto postaction;
-        }
-      }
-    erroraction:
-      USAGE_ERROR_ACTION(fm, p);
-    postaction:
-      POSTACTION(fm);
-    }
-  }
-#if !FOOTERS
-#undef fm
-#endif /* FOOTERS */
-}
-
-void* dlcalloc(size_t n_elements, size_t elem_size) {
-  void* mem;
-  size_t req = 0;
-  if (n_elements != 0) {
-    req = n_elements * elem_size;
-    if (((n_elements | elem_size) & ~(size_t)0xffff) &&
-        (req / n_elements != elem_size))
-      req = MAX_SIZE_T; /* force downstream failure on overflow */
-  }
-  mem = dlmalloc(req);
-  if (mem != 0 && calloc_must_clear(mem2chunk(mem)))
-    memset(mem, 0, req);
-  return mem;
-}
-
-void* dlrealloc(void* oldmem, size_t bytes) {
-  if (oldmem == 0)
-    return dlmalloc(bytes);
-#ifdef REALLOC_ZERO_BYTES_FREES
-  if (bytes == 0) {
-    dlfree(oldmem);
-    return 0;
-  }
-#endif /* REALLOC_ZERO_BYTES_FREES */
-  else {
-#if ! FOOTERS
-    mstate m = gm;
-#else /* FOOTERS */
-    mstate m = get_mstate_for(mem2chunk(oldmem));
-    if (!ok_magic(m)) {
-      USAGE_ERROR_ACTION(m, oldmem);
-      return 0;
-    }
-#endif /* FOOTERS */
-    return internal_realloc(m, oldmem, bytes);
-  }
-}
-
-void* dlmemalign(size_t alignment, size_t bytes) {
-  return internal_memalign(gm, alignment, bytes);
-}
-
-void** dlindependent_calloc(size_t n_elements, size_t elem_size,
-                                 void* chunks[]) {
-  size_t sz = elem_size; /* serves as 1-element array */
-  return ialloc(gm, n_elements, &sz, 3, chunks);
-}
-
-void** dlindependent_comalloc(size_t n_elements, size_t sizes[],
-                                   void* chunks[]) {
-  return ialloc(gm, n_elements, sizes, 0, chunks);
-}
-
-void* dlvalloc(size_t bytes) {
-  size_t pagesz;
-  init_mparams();
-  pagesz = mparams.page_size;
-  return dlmemalign(pagesz, bytes);
-}
-
-void* dlpvalloc(size_t bytes) {
-  size_t pagesz;
-  init_mparams();
-  pagesz = mparams.page_size;
-  return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
-}
-
-int dlmalloc_trim(size_t pad) {
-  int result = 0;
-  if (!PREACTION(gm)) {
-    result = sys_trim(gm, pad);
-    POSTACTION(gm);
-  }
-  return result;
-}
-
-size_t dlmalloc_footprint(void) {
-  return gm->footprint;
-}
-
-size_t dlmalloc_max_footprint(void) {
-  return gm->max_footprint;
-}
-
-#if !NO_MALLINFO
-struct mallinfo dlmallinfo(void) {
-  return internal_mallinfo(gm);
-}
-#endif /* NO_MALLINFO */
-
-void dlmalloc_stats() {
-  internal_malloc_stats(gm);
-}
-
-size_t dlmalloc_usable_size(void* mem) {
-  if (mem != 0) {
-    mchunkptr p = mem2chunk(mem);
-    if (cinuse(p))
-      return chunksize(p) - overhead_for(p);
-  }
-  return 0;
-}
-
-int dlmallopt(int param_number, int value) {
-  return change_mparam(param_number, value);
-}
-
-#endif /* !ONLY_MSPACES */
-
-/* ----------------------------- user mspaces ---------------------------- */
-
-#if MSPACES
-
-static mstate init_user_mstate(char* tbase, size_t tsize) {
-  size_t msize = pad_request(sizeof(struct malloc_state));
-  mchunkptr mn;
-  mchunkptr msp = align_as_chunk(tbase);
-  mstate m = (mstate)(chunk2mem(msp));
-  memset(m, 0, msize);
-  INITIAL_LOCK(&m->mutex);
-  msp->head = (msize|PINUSE_BIT|CINUSE_BIT);
-  m->seg.base = m->least_addr = tbase;
-  m->seg.size = m->footprint = m->max_footprint = tsize;
-  m->magic = mparams.magic;
-  m->mflags = mparams.default_mflags;
-  disable_contiguous(m);
-  init_bins(m);
-  mn = next_chunk(mem2chunk(m));
-  init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) - TOP_FOOT_SIZE);
-  check_top_chunk(m, m->top);
-  return m;
-}
-
-mspace create_mspace(size_t capacity, int locked) {
-  mstate m = 0;
-  size_t msize = pad_request(sizeof(struct malloc_state));
-  init_mparams(); /* Ensure pagesize etc initialized */
-
-  if (capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) {
-    size_t rs = ((capacity == 0)? mparams.granularity :
-                 (capacity + TOP_FOOT_SIZE + msize));
-    size_t tsize = granularity_align(rs);
-    char* tbase = (char*)(CALL_MMAP(tsize));
-    if (tbase != CMFAIL) {
-      m = init_user_mstate(tbase, tsize);
-      m->seg.sflags = IS_MMAPPED_BIT;
-      set_lock(m, locked);
-    }
-  }
-  return (mspace)m;
-}
-
-mspace create_mspace_with_base(void* base, size_t capacity, int locked) {
-  mstate m = 0;
-  size_t msize = pad_request(sizeof(struct malloc_state));
-  init_mparams(); /* Ensure pagesize etc initialized */
-
-  if (capacity > msize + TOP_FOOT_SIZE &&
-      capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) {
-    m = init_user_mstate((char*)base, capacity);
-    m->seg.sflags = EXTERN_BIT;
-    set_lock(m, locked);
-  }
-  return (mspace)m;
-}
-
-size_t destroy_mspace(mspace msp) {
-  size_t freed = 0;
-  mstate ms = (mstate)msp;
-  if (ok_magic(ms)) {
-    msegmentptr sp = &ms->seg;
-    while (sp != 0) {
-      char* base = sp->base;
-      size_t size = sp->size;
-      flag_t flag = sp->sflags;
-      sp = sp->next;
-      if ((flag & IS_MMAPPED_BIT) && !(flag & EXTERN_BIT) &&
-          CALL_MUNMAP(base, size) == 0)
-        freed += size;
-    }
-  }
-  else {
-    USAGE_ERROR_ACTION(ms,ms);
-  }
-  return freed;
-}
-
-/*
-  mspace versions of routines are near-clones of the global
-  versions. This is not so nice but better than the alternatives.
-*/
-
-
-void* mspace_malloc(mspace msp, size_t bytes) {
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-    return 0;
-  }
-  if (!PREACTION(ms)) {
-    void* mem;
-    size_t nb;
-    if (bytes <= MAX_SMALL_REQUEST) {
-      bindex_t idx;
-      binmap_t smallbits;
-      nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes);
-      idx = small_index(nb);
-      smallbits = ms->smallmap >> idx;
-
-      if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. */
-        mchunkptr b, p;
-        idx += ~smallbits & 1;       /* Uses next bin if idx empty */
-        b = smallbin_at(ms, idx);
-        p = b->fd;
-        assert(chunksize(p) == small_index2size(idx));
-        unlink_first_small_chunk(ms, b, p, idx);
-        set_inuse_and_pinuse(ms, p, small_index2size(idx));
-        mem = chunk2mem(p);
-        check_malloced_chunk(ms, mem, nb);
-        goto postaction;
-      }
-
-      else if (nb > ms->dvsize) {
-        if (smallbits != 0) { /* Use chunk in next nonempty smallbin */
-          mchunkptr b, p, r;
-          size_t rsize;
-          bindex_t i;
-          binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx));
-          binmap_t leastbit = least_bit(leftbits);
-          compute_bit2idx(leastbit, i);
-          b = smallbin_at(ms, i);
-          p = b->fd;
-          assert(chunksize(p) == small_index2size(i));
-          unlink_first_small_chunk(ms, b, p, i);
-          rsize = small_index2size(i) - nb;
-          /* Fit here cannot be remainderless if 4byte sizes */
-          if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE)
-            set_inuse_and_pinuse(ms, p, small_index2size(i));
-          else {
-            set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
-            r = chunk_plus_offset(p, nb);
-            set_size_and_pinuse_of_free_chunk(r, rsize);
-            replace_dv(ms, r, rsize);
-          }
-          mem = chunk2mem(p);
-          check_malloced_chunk(ms, mem, nb);
-          goto postaction;
-        }
-
-        else if (ms->treemap != 0 && (mem = tmalloc_small(ms, nb)) != 0) {
-          check_malloced_chunk(ms, mem, nb);
-          goto postaction;
-        }
-      }
-    }
-    else if (bytes >= MAX_REQUEST)
-      nb = MAX_SIZE_T; /* Too big to allocate. Force failure (in sys alloc) */
-    else {
-      nb = pad_request(bytes);
-      if (ms->treemap != 0 && (mem = tmalloc_large(ms, nb)) != 0) {
-        check_malloced_chunk(ms, mem, nb);
-        goto postaction;
-      }
-    }
-
-    if (nb <= ms->dvsize) {
-      size_t rsize = ms->dvsize - nb;
-      mchunkptr p = ms->dv;
-      if (rsize >= MIN_CHUNK_SIZE) { /* split dv */
-        mchunkptr r = ms->dv = chunk_plus_offset(p, nb);
-        ms->dvsize = rsize;
-        set_size_and_pinuse_of_free_chunk(r, rsize);
-        set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
-      }
-      else { /* exhaust dv */
-        size_t dvs = ms->dvsize;
-        ms->dvsize = 0;
-        ms->dv = 0;
-        set_inuse_and_pinuse(ms, p, dvs);
-      }
-      mem = chunk2mem(p);
-      check_malloced_chunk(ms, mem, nb);
-      goto postaction;
-    }
-
-    else if (nb < ms->topsize) { /* Split top */
-      size_t rsize = ms->topsize -= nb;
-      mchunkptr p = ms->top;
-      mchunkptr r = ms->top = chunk_plus_offset(p, nb);
-      r->head = rsize | PINUSE_BIT;
-      set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
-      mem = chunk2mem(p);
-      check_top_chunk(ms, ms->top);
-      check_malloced_chunk(ms, mem, nb);
-      goto postaction;
-    }
-
-    mem = sys_alloc(ms, nb);
-
-  postaction:
-    POSTACTION(ms);
-    return mem;
-  }
-
-  return 0;
-}
-
-void mspace_free(mspace msp, void* mem) {
-  if (mem != 0) {
-    mchunkptr p  = mem2chunk(mem);
-#if FOOTERS
-    mstate fm = get_mstate_for(p);
-#else /* FOOTERS */
-    mstate fm = (mstate)msp;
-#endif /* FOOTERS */
-    if (!ok_magic(fm)) {
-      USAGE_ERROR_ACTION(fm, p);
-      return;
-    }
-    if (!PREACTION(fm)) {
-      check_inuse_chunk(fm, p);
-      if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) {
-        size_t psize = chunksize(p);
-        mchunkptr next = chunk_plus_offset(p, psize);
-        if (!pinuse(p)) {
-          size_t prevsize = p->prev_foot;
-          if ((prevsize & IS_MMAPPED_BIT) != 0) {
-            prevsize &= ~IS_MMAPPED_BIT;
-            psize += prevsize + MMAP_FOOT_PAD;
-            if (CALL_MUNMAP((char*)p - prevsize, psize) == 0)
-              fm->footprint -= psize;
-            goto postaction;
-          }
-          else {
-            mchunkptr prev = chunk_minus_offset(p, prevsize);
-            psize += prevsize;
-            p = prev;
-            if (RTCHECK(ok_address(fm, prev))) { /* consolidate backward */
-              if (p != fm->dv) {
-                unlink_chunk(fm, p, prevsize);
-              }
-              else if ((next->head & INUSE_BITS) == INUSE_BITS) {
-                fm->dvsize = psize;
-                set_free_with_pinuse(p, psize, next);
-                goto postaction;
-              }
-            }
-            else
-              goto erroraction;
-          }
-        }
-
-        if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) {
-          if (!cinuse(next)) {  /* consolidate forward */
-            if (next == fm->top) {
-              size_t tsize = fm->topsize += psize;
-              fm->top = p;
-              p->head = tsize | PINUSE_BIT;
-              if (p == fm->dv) {
-                fm->dv = 0;
-                fm->dvsize = 0;
-              }
-              if (should_trim(fm, tsize))
-                sys_trim(fm, 0);
-              goto postaction;
-            }
-            else if (next == fm->dv) {
-              size_t dsize = fm->dvsize += psize;
-              fm->dv = p;
-              set_size_and_pinuse_of_free_chunk(p, dsize);
-              goto postaction;
-            }
-            else {
-              size_t nsize = chunksize(next);
-              psize += nsize;
-              unlink_chunk(fm, next, nsize);
-              set_size_and_pinuse_of_free_chunk(p, psize);
-              if (p == fm->dv) {
-                fm->dvsize = psize;
-                goto postaction;
-              }
-            }
-          }
-          else
-            set_free_with_pinuse(p, psize, next);
-          insert_chunk(fm, p, psize);
-          check_free_chunk(fm, p);
-          goto postaction;
-        }
-      }
-    erroraction:
-      USAGE_ERROR_ACTION(fm, p);
-    postaction:
-      POSTACTION(fm);
-    }
-  }
-}
-
-void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size) {
-  void* mem;
-  size_t req = 0;
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-    return 0;
-  }
-  if (n_elements != 0) {
-    req = n_elements * elem_size;
-    if (((n_elements | elem_size) & ~(size_t)0xffff) &&
-        (req / n_elements != elem_size))
-      req = MAX_SIZE_T; /* force downstream failure on overflow */
-  }
-  mem = internal_malloc(ms, req);
-  if (mem != 0 && calloc_must_clear(mem2chunk(mem)))
-    memset(mem, 0, req);
-  return mem;
-}
-
-void* mspace_realloc(mspace msp, void* oldmem, size_t bytes) {
-  if (oldmem == 0)
-    return mspace_malloc(msp, bytes);
-#ifdef REALLOC_ZERO_BYTES_FREES
-  if (bytes == 0) {
-    mspace_free(msp, oldmem);
-    return 0;
-  }
-#endif /* REALLOC_ZERO_BYTES_FREES */
-  else {
-#if FOOTERS
-    mchunkptr p  = mem2chunk(oldmem);
-    mstate ms = get_mstate_for(p);
-#else /* FOOTERS */
-    mstate ms = (mstate)msp;
-#endif /* FOOTERS */
-    if (!ok_magic(ms)) {
-      USAGE_ERROR_ACTION(ms,ms);
-      return 0;
-    }
-    return internal_realloc(ms, oldmem, bytes);
-  }
-}
-
-void* mspace_memalign(mspace msp, size_t alignment, size_t bytes) {
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-    return 0;
-  }
-  return internal_memalign(ms, alignment, bytes);
-}
-
-void** mspace_independent_calloc(mspace msp, size_t n_elements,
-                                 size_t elem_size, void* chunks[]) {
-  size_t sz = elem_size; /* serves as 1-element array */
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-    return 0;
-  }
-  return ialloc(ms, n_elements, &sz, 3, chunks);
-}
-
-void** mspace_independent_comalloc(mspace msp, size_t n_elements,
-                                   size_t sizes[], void* chunks[]) {
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-    return 0;
-  }
-  return ialloc(ms, n_elements, sizes, 0, chunks);
-}
-
-int mspace_trim(mspace msp, size_t pad) {
-  int result = 0;
-  mstate ms = (mstate)msp;
-  if (ok_magic(ms)) {
-    if (!PREACTION(ms)) {
-      result = sys_trim(ms, pad);
-      POSTACTION(ms);
-    }
-  }
-  else {
-    USAGE_ERROR_ACTION(ms,ms);
-  }
-  return result;
-}
-
-void mspace_malloc_stats(mspace msp) {
-  mstate ms = (mstate)msp;
-  if (ok_magic(ms)) {
-    internal_malloc_stats(ms);
-  }
-  else {
-    USAGE_ERROR_ACTION(ms,ms);
-  }
-}
-
-size_t mspace_footprint(mspace msp) {
-  size_t result;
-  mstate ms = (mstate)msp;
-  if (ok_magic(ms)) {
-    result = ms->footprint;
-  }
-  USAGE_ERROR_ACTION(ms,ms);
-  return result;
-}
-
-
-size_t mspace_max_footprint(mspace msp) {
-  size_t result;
-  mstate ms = (mstate)msp;
-  if (ok_magic(ms)) {
-    result = ms->max_footprint;
-  }
-  USAGE_ERROR_ACTION(ms,ms);
-  return result;
-}
-
-
-#if !NO_MALLINFO
-struct mallinfo mspace_mallinfo(mspace msp) {
-  mstate ms = (mstate)msp;
-  if (!ok_magic(ms)) {
-    USAGE_ERROR_ACTION(ms,ms);
-  }
-  return internal_mallinfo(ms);
-}
-#endif /* NO_MALLINFO */
-
-int mspace_mallopt(int param_number, int value) {
-  return change_mparam(param_number, value);
-}
-
-#endif /* MSPACES */
-
-/* -------------------- Alternative MORECORE functions ------------------- */
-
-/*
-  Guidelines for creating a custom version of MORECORE:
-
-  * For best performance, MORECORE should allocate in multiples of pagesize.
-  * MORECORE may allocate more memory than requested. (Or even less,
-      but this will usually result in a malloc failure.)
-  * MORECORE must not allocate memory when given argument zero, but
-      instead return one past the end address of memory from previous
-      nonzero call.
-  * For best performance, consecutive calls to MORECORE with positive
-      arguments should return increasing addresses, indicating that
-      space has been contiguously extended.
-  * Even though consecutive calls to MORECORE need not return contiguous
-      addresses, it must be OK for malloc'ed chunks to span multiple
-      regions in those cases where they do happen to be contiguous.
-  * MORECORE need not handle negative arguments -- it may instead
-      just return MFAIL when given negative arguments.
-      Negative arguments are always multiples of pagesize. MORECORE
-      must not misinterpret negative args as large positive unsigned
-      args. You can suppress all such calls from even occurring by defining
-      MORECORE_CANNOT_TRIM,
-
-  As an example alternative MORECORE, here is a custom allocator
-  kindly contributed for pre-OSX macOS.  It uses virtually but not
-  necessarily physically contiguous non-paged memory (locked in,
-  present and won't get swapped out).  You can use it by uncommenting
-  this section, adding some #includes, and setting up the appropriate
-  defines above:
-
-      #define MORECORE osMoreCore
-
-  There is also a shutdown routine that should somehow be called for
-  cleanup upon program exit.
-
-  #define MAX_POOL_ENTRIES 100
-  #define MINIMUM_MORECORE_SIZE  (64 * 1024U)
-  static int next_os_pool;
-  void *our_os_pools[MAX_POOL_ENTRIES];
-
-  void *osMoreCore(int size)
-  {
-    void *ptr = 0;
-    static void *sbrk_top = 0;
-
-    if (size > 0)
-    {
-      if (size < MINIMUM_MORECORE_SIZE)
-         size = MINIMUM_MORECORE_SIZE;
-      if (CurrentExecutionLevel() == kTaskLevel)
-         ptr = PoolAllocateResident(size + RM_PAGE_SIZE, 0);
-      if (ptr == 0)
-      {
-        return (void *) MFAIL;
-      }
-      // save ptrs so they can be freed during cleanup
-      our_os_pools[next_os_pool] = ptr;
-      next_os_pool++;
-      ptr = (void *) ((((size_t) ptr) + RM_PAGE_MASK) & ~RM_PAGE_MASK);
-      sbrk_top = (char *) ptr + size;
-      return ptr;
-    }
-    else if (size < 0)
-    {
-      // we don't currently support shrink behavior
-      return (void *) MFAIL;
-    }
-    else
-    {
-      return sbrk_top;
-    }
-  }
-
-  // cleanup any allocated memory pools
-  // called as last thing before shutting down driver
-
-  void osCleanupMem(void)
-  {
-    void **ptr;
-
-    for (ptr = our_os_pools; ptr < &our_os_pools[MAX_POOL_ENTRIES]; ptr++)
-      if (*ptr)
-      {
-         PoolDeallocate(*ptr);
-         *ptr = 0;
-      }
-  }
-
-*/
-
-
-/* -----------------------------------------------------------------------
-History:
-    V2.8.3 Thu Sep 22 11:16:32 2005  Doug Lea  (dl at gee)
-      * Add max_footprint functions
-      * Ensure all appropriate literals are size_t
-      * Fix conditional compilation problem for some #define settings
-      * Avoid concatenating segments with the one provided
-        in create_mspace_with_base
-      * Rename some variables to avoid compiler shadowing warnings
-      * Use explicit lock initialization.
-      * Better handling of sbrk interference.
-      * Simplify and fix segment insertion, trimming and mspace_destroy
-      * Reinstate REALLOC_ZERO_BYTES_FREES option from 2.7.x
-      * Thanks especially to Dennis Flanagan for help on these.
-
-    V2.8.2 Sun Jun 12 16:01:10 2005  Doug Lea  (dl at gee)
-      * Fix memalign brace error.
-
-    V2.8.1 Wed Jun  8 16:11:46 2005  Doug Lea  (dl at gee)
-      * Fix improper #endif nesting in C++
-      * Add explicit casts needed for C++
-
-    V2.8.0 Mon May 30 14:09:02 2005  Doug Lea  (dl at gee)
-      * Use trees for large bins
-      * Support mspaces
-      * Use segments to unify sbrk-based and mmap-based system allocation,
-        removing need for emulation on most platforms without sbrk.
-      * Default safety checks
-      * Optional footer checks. Thanks to William Robertson for the idea.
-      * Internal code refactoring
-      * Incorporate suggestions and platform-specific changes.
-        Thanks to Dennis Flanagan, Colin Plumb, Niall Douglas,
-        Aaron Bachmann,  Emery Berger, and others.
-      * Speed up non-fastbin processing enough to remove fastbins.
-      * Remove useless cfree() to avoid conflicts with other apps.
-      * Remove internal memcpy, memset. Compilers handle builtins better.
-      * Remove some options that no one ever used and rename others.
-
-    V2.7.2 Sat Aug 17 09:07:30 2002  Doug Lea  (dl at gee)
-      * Fix malloc_state bitmap array misdeclaration
-
-    V2.7.1 Thu Jul 25 10:58:03 2002  Doug Lea  (dl at gee)
-      * Allow tuning of FIRST_SORTED_BIN_SIZE
-      * Use PTR_UINT as type for all ptr->int casts. Thanks to John Belmonte.
-      * Better detection and support for non-contiguousness of MORECORE.
-        Thanks to Andreas Mueller, Conal Walsh, and Wolfram Gloger
-      * Bypass most of malloc if no frees. Thanks To Emery Berger.
-      * Fix freeing of old top non-contiguous chunk im sysmalloc.
-      * Raised default trim and map thresholds to 256K.
-      * Fix mmap-related #defines. Thanks to Lubos Lunak.
-      * Fix copy macros; added LACKS_FCNTL_H. Thanks to Neal Walfield.
-      * Branch-free bin calculation
-      * Default trim and mmap thresholds now 256K.
-
-    V2.7.0 Sun Mar 11 14:14:06 2001  Doug Lea  (dl at gee)
-      * Introduce independent_comalloc and independent_calloc.
-        Thanks to Michael Pachos for motivation and help.
-      * Make optional .h file available
-      * Allow > 2GB requests on 32bit systems.
-      * new WIN32 sbrk, mmap, munmap, lock code from <Walter@GeNeSys-e.de>.
-        Thanks also to Andreas Mueller <a.mueller at paradatec.de>,
-        and Anonymous.
-      * Allow override of MALLOC_ALIGNMENT (Thanks to Ruud Waij for
-        helping test this.)
-      * memalign: check alignment arg
-      * realloc: don't try to shift chunks backwards, since this
-        leads to  more fragmentation in some programs and doesn't
-        seem to help in any others.
-      * Collect all cases in malloc requiring system memory into sysmalloc
-      * Use mmap as backup to sbrk
-      * Place all internal state in malloc_state
-      * Introduce fastbins (although similar to 2.5.1)
-      * Many minor tunings and cosmetic improvements
-      * Introduce USE_PUBLIC_MALLOC_WRAPPERS, USE_MALLOC_LOCK
-      * Introduce MALLOC_FAILURE_ACTION, MORECORE_CONTIGUOUS
-        Thanks to Tony E. Bennett <tbennett@nvidia.com> and others.
-      * Include errno.h to support default failure action.
-
-    V2.6.6 Sun Dec  5 07:42:19 1999  Doug Lea  (dl at gee)
-      * return null for negative arguments
-      * Added Several WIN32 cleanups from Martin C. Fong <mcfong at yahoo.com>
-         * Add 'LACKS_SYS_PARAM_H' for those systems without 'sys/param.h'
-          (e.g. WIN32 platforms)
-         * Cleanup header file inclusion for WIN32 platforms
-         * Cleanup code to avoid Microsoft Visual C++ compiler complaints
-         * Add 'USE_DL_PREFIX' to quickly allow co-existence with existing
-           memory allocation routines
-         * Set 'malloc_getpagesize' for WIN32 platforms (needs more work)
-         * Use 'assert' rather than 'ASSERT' in WIN32 code to conform to
-           usage of 'assert' in non-WIN32 code
-         * Improve WIN32 'sbrk()' emulation's 'findRegion()' routine to
-           avoid infinite loop
-      * Always call 'fREe()' rather than 'free()'
-
-    V2.6.5 Wed Jun 17 15:57:31 1998  Doug Lea  (dl at gee)
-      * Fixed ordering problem with boundary-stamping
-
-    V2.6.3 Sun May 19 08:17:58 1996  Doug Lea  (dl at gee)
-      * Added pvalloc, as recommended by H.J. Liu
-      * Added 64bit pointer support mainly from Wolfram Gloger
-      * Added anonymously donated WIN32 sbrk emulation
-      * Malloc, calloc, getpagesize: add optimizations from Raymond Nijssen
-      * malloc_extend_top: fix mask error that caused wastage after
-        foreign sbrks
-      * Add linux mremap support code from HJ Liu
-
-    V2.6.2 Tue Dec  5 06:52:55 1995  Doug Lea  (dl at gee)
-      * Integrated most documentation with the code.
-      * Add support for mmap, with help from
-        Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
-      * Use last_remainder in more cases.
-      * Pack bins using idea from  colin@nyx10.cs.du.edu
-      * Use ordered bins instead of best-fit threshhold
-      * Eliminate block-local decls to simplify tracing and debugging.
-      * Support another case of realloc via move into top
-      * Fix error occuring when initial sbrk_base not word-aligned.
-      * Rely on page size for units instead of SBRK_UNIT to
-        avoid surprises about sbrk alignment conventions.
-      * Add mallinfo, mallopt. Thanks to Raymond Nijssen
-        (raymond@es.ele.tue.nl) for the suggestion.
-      * Add `pad' argument to malloc_trim and top_pad mallopt parameter.
-      * More precautions for cases where other routines call sbrk,
-        courtesy of Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
-      * Added macros etc., allowing use in linux libc from
-        H.J. Lu (hjl@gnu.ai.mit.edu)
-      * Inverted this history list
-
-    V2.6.1 Sat Dec  2 14:10:57 1995  Doug Lea  (dl at gee)
-      * Re-tuned and fixed to behave more nicely with V2.6.0 changes.
-      * Removed all preallocation code since under current scheme
-        the work required to undo bad preallocations exceeds
-        the work saved in good cases for most test programs.
-      * No longer use return list or unconsolidated bins since
-        no scheme using them consistently outperforms those that don't
-        given above changes.
-      * Use best fit for very large chunks to prevent some worst-cases.
-      * Added some support for debugging
-
-    V2.6.0 Sat Nov  4 07:05:23 1995  Doug Lea  (dl at gee)
-      * Removed footers when chunks are in use. Thanks to
-        Paul Wilson (wilson@cs.texas.edu) for the suggestion.
-
-    V2.5.4 Wed Nov  1 07:54:51 1995  Doug Lea  (dl at gee)
-      * Added malloc_trim, with help from Wolfram Gloger
-        (wmglo@Dent.MED.Uni-Muenchen.DE).
-
-    V2.5.3 Tue Apr 26 10:16:01 1994  Doug Lea  (dl at g)
-
-    V2.5.2 Tue Apr  5 16:20:40 1994  Doug Lea  (dl at g)
-      * realloc: try to expand in both directions
-      * malloc: swap order of clean-bin strategy;
-      * realloc: only conditionally expand backwards
-      * Try not to scavenge used bins
-      * Use bin counts as a guide to preallocation
-      * Occasionally bin return list chunks in first scan
-      * Add a few optimizations from colin@nyx10.cs.du.edu
-
-    V2.5.1 Sat Aug 14 15:40:43 1993  Doug Lea  (dl at g)
-      * faster bin computation & slightly different binning
-      * merged all consolidations to one part of malloc proper
-         (eliminating old malloc_find_space & malloc_clean_bin)
-      * Scan 2 returns chunks (not just 1)
-      * Propagate failure in realloc if malloc returns 0
-      * Add stuff to allow compilation on non-ANSI compilers
-          from kpv@research.att.com
-
-    V2.5 Sat Aug  7 07:41:59 1993  Doug Lea  (dl at g.oswego.edu)
-      * removed potential for odd address access in prev_chunk
-      * removed dependency on getpagesize.h
-      * misc cosmetics and a bit more internal documentation
-      * anticosmetics: mangled names in macros to evade debugger strangeness
-      * tested on sparc, hp-700, dec-mips, rs6000
-          with gcc & native cc (hp, dec only) allowing
-          Detlefs & Zorn comparison study (in SIGPLAN Notices.)
-
-    Trial version Fri Aug 28 13:14:29 1992  Doug Lea  (dl at g.oswego.edu)
-      * Based loosely on libg++-1.2X malloc. (It retains some of the overall
-         structure of old version,  but most details differ.)
- 
-*/
diff --git a/src/md5.c b/src/md5.c
index 941c0d37e5..888993b9c4 100644
--- a/src/md5.c
+++ b/src/md5.c
@@ -21,7 +21,6 @@
   ghost@aladdin.com
 
  */
-/* $Id: md5.c 80 2004-07-14 20:15:50Z jason $ */
 /*
   Independent implementation of MD5 (RFC 1321).
 
diff --git a/src/md5.h b/src/md5.h
index 8cff20d0af..2806b5b9b5 100644
--- a/src/md5.h
+++ b/src/md5.h
@@ -21,7 +21,6 @@
   ghost@aladdin.com
 
  */
-/* $Id: md5.h 80 2004-07-14 20:15:50Z jason $ */
 /*
   Independent implementation of MD5 (RFC 1321).
 
diff --git a/src/modp_numtoa.c b/src/modp_numtoa.c
new file mode 100644
index 0000000000..6deb8a70ed
--- /dev/null
+++ b/src/modp_numtoa.c
@@ -0,0 +1,291 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 4 -*- */
+/* vi: set expandtab shiftwidth=4 tabstop=4: */
+
+#include "modp_numtoa.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include <math.h>
+
+// other interesting references on num to string convesion
+// http://www.jb.man.ac.uk/~slowe/cpp/itoa.html
+// and http://www.ddj.com/dept/cpp/184401596?pgno=6
+
+// Version 19-Nov-2007
+// Fixed round-to-even rules to match printf
+//   thanks to Johannes Otepka
+
+/**
+ * Powers of 10
+ * 10^0 to 10^9
+ */
+static const double _pow10[] = {1, 10, 100, 1000, 10000, 100000, 1000000,
+                               10000000, 100000000, 1000000000};
+
+static void strreverse(char* begin, char* end)
+{
+    char aux;
+    while (end > begin)
+        aux = *end, *end-- = *begin, *begin++ = aux;
+}
+
+void modp_itoa10(int32_t value, char* str)
+{
+    char* wstr=str;
+    // Take care of sign
+    unsigned int uvalue = (value < 0) ? -value : value;
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (uvalue % 10)); while(uvalue /= 10);
+    if (value < 0) *wstr++ = '-';
+    *wstr='\0';
+
+    // Reverse string
+    strreverse(str,wstr-1);
+}
+
+void modp_uitoa10(uint32_t value, char* str)
+{
+    char* wstr=str;
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (value % 10)); while (value /= 10);
+    *wstr='\0';
+    // Reverse string
+    strreverse(str, wstr-1);
+}
+
+void modp_litoa10(int64_t value, char* str)
+{
+    char* wstr=str;
+    unsigned long uvalue = (value < 0) ? -value : value;
+
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (uvalue % 10)); while(uvalue /= 10);
+    if (value < 0) *wstr++ = '-';
+    *wstr='\0';
+
+    // Reverse string
+    strreverse(str,wstr-1);
+}
+
+void modp_ulitoa10(uint64_t value, char* str)
+{
+    char* wstr=str;
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (value % 10)); while (value /= 10);
+    *wstr='\0';
+    // Reverse string
+    strreverse(str, wstr-1);
+}
+
+void modp_dtoa(double value, char* str, int prec)
+{
+    /* Hacky test for NaN
+     * under -fast-math this won't work, but then you also won't
+     * have correct nan values anyways.  The alternative is
+     * to link with libmath (bad) or hack IEEE double bits (bad)
+     */
+    if (! (value == value)) {
+        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
+        return;
+    }
+    /* if input is larger than thres_max, revert to exponential */
+    const double thres_max = (double)(0x7FFFFFFF);
+
+    double diff = 0.0;
+    char* wstr = str;
+
+    if (prec < 0) {
+        prec = 0;
+    } else if (prec > 9) {
+        /* precision of >= 10 can lead to overflow errors */
+        prec = 9;
+    }
+
+
+    /* we'll work in positive values and deal with the
+       negative sign issue later */
+    int neg = 0;
+    if (value < 0) {
+        neg = 1;
+        value = -value;
+    }
+
+
+    int whole = (int) value;
+    double tmp = (value - whole) * _pow10[prec];
+    uint32_t frac = (uint32_t)(tmp);
+    diff = tmp - frac;
+
+    if (diff > 0.5) {
+        ++frac;
+        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
+        if (frac >= _pow10[prec]) {
+            frac = 0;
+            ++whole;
+        }
+    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
+        /* if halfway, round up if odd, OR
+           if last digit is 0.  That last part is strange */
+        ++frac;
+    }
+
+    /* for very large numbers switch back to native sprintf for exponentials.
+       anyone want to write code to replace this? */
+    /*
+      normal printf behavior is to print EVERY whole number digit
+      which can be 100s of characters overflowing your buffers == bad
+    */
+    if (value > thres_max) {
+        sprintf(str, "%e", neg ? -value : value);
+        return;
+    }
+
+    if (prec == 0) {
+        diff = value - whole;
+        if (diff > 0.5) {
+            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
+            ++whole;
+        } else if (diff == 0.5 && (whole & 1)) {
+            /* exactly 0.5 and ODD, then round up */
+            /* 1.5 -> 2, but 2.5 -> 2 */
+            ++whole;
+        }
+    } else {
+        int count = prec;
+        // now do fractional part, as an unsigned number
+        do {
+            --count;
+            *wstr++ = (char)(48 + (frac % 10));
+        } while (frac /= 10);
+        // add extra 0s
+        while (count-- > 0) *wstr++ = '0';
+        // add decimal
+        *wstr++ = '.';
+    }
+
+    // do whole part
+    // Take care of sign
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
+    if (neg) {
+        *wstr++ = '-';
+    }
+    *wstr='\0';
+    strreverse(str, wstr-1);
+}
+
+
+// This is near identical to modp_dtoa above
+//   The differnce is noted below
+void modp_dtoa2(double value, char* str, int prec)
+{
+    /* Hacky test for NaN
+     * under -fast-math this won't work, but then you also won't
+     * have correct nan values anyways.  The alternative is
+     * to link with libmath (bad) or hack IEEE double bits (bad)
+     */
+    if (! (value == value)) {
+        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
+        return;
+    }
+
+    /* if input is larger than thres_max, revert to exponential */
+    const double thres_max = (double)(0x7FFFFFFF);
+
+    int count;
+    double diff = 0.0;
+    char* wstr = str;
+
+    if (prec < 0) {
+        prec = 0;
+    } else if (prec > 9) {
+        /* precision of >= 10 can lead to overflow errors */
+        prec = 9;
+    }
+
+
+    /* we'll work in positive values and deal with the
+       negative sign issue later */
+    int neg = 0;
+    if (value < 0) {
+        neg = 1;
+        value = -value;
+    }
+
+
+    int whole = (int) value;
+    double tmp = (value - whole) * _pow10[prec];
+    uint32_t frac = (uint32_t)(tmp);
+    diff = tmp - frac;
+
+    if (diff > 0.5) {
+        ++frac;
+        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
+        if (frac >= _pow10[prec]) {
+            frac = 0;
+            ++whole;
+        }
+    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
+        /* if halfway, round up if odd, OR
+           if last digit is 0.  That last part is strange */
+        ++frac;
+    }
+
+    /* for very large numbers switch back to native sprintf for exponentials.
+       anyone want to write code to replace this? */
+    /*
+      normal printf behavior is to print EVERY whole number digit
+      which can be 100s of characters overflowing your buffers == bad
+    */
+    if (value > thres_max) {
+        sprintf(str, "%e", neg ? -value : value);
+        return;
+    }
+
+    if (prec == 0) {
+        diff = value - whole;
+        if (diff > 0.5) {
+            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
+            ++whole;
+        } else if (diff == 0.5 && (whole & 1)) {
+            /* exactly 0.5 and ODD, then round up */
+            /* 1.5 -> 2, but 2.5 -> 2 */
+            ++whole;
+        }
+
+        //vvvvvvvvvvvvvvvvvvv  Diff from modp_dto2
+    } else if (frac) {
+        count = prec;
+        // now do fractional part, as an unsigned number
+        // we know it is not 0 but we can have leading zeros, these
+        // should be removed
+        while (!(frac % 10)) {
+            --count;
+            frac /= 10;
+        }
+        //^^^^^^^^^^^^^^^^^^^  Diff from modp_dto2
+
+        // now do fractional part, as an unsigned number
+        do {
+            --count;
+            *wstr++ = (char)(48 + (frac % 10));
+        } while (frac /= 10);
+        // add extra 0s
+        while (count-- > 0) *wstr++ = '0';
+        // add decimal
+        *wstr++ = '.';
+    }
+
+    // do whole part
+    // Take care of sign
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
+    if (neg) {
+        *wstr++ = '-';
+    }
+    *wstr='\0';
+    strreverse(str, wstr-1);
+}
+
+
+
diff --git a/src/modp_numtoa.h b/src/modp_numtoa.h
new file mode 100644
index 0000000000..b848163d1d
--- /dev/null
+++ b/src/modp_numtoa.h
@@ -0,0 +1,102 @@
+/* -*- mode: c++; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 4 -*- */
+/* vi: set expandtab shiftwidth=4 tabstop=4: */
+
+/**
+ * \file
+ *
+ * <pre>
+ * Copyright &copy; 2007, Nick Galbreath -- nickg [at] modp [dot] com
+ * All rights reserved.
+ * http://code.google.com/p/stringencoders/
+ * Released under the bsd license.
+ * </pre>
+ *
+ * This defines signed/unsigned integer, and 'double' to char buffer
+ * converters.  The standard way of doing this is with "sprintf", however
+ * these functions are
+ *   * guarenteed maximum size output
+ *   * 5-20x faster!
+ *   * core-dump safe
+ *
+ *
+ */
+
+#ifndef COM_MODP_STRINGENCODERS_NUMTOA_H
+#define COM_MODP_STRINGENCODERS_NUMTOA_H
+
+#ifdef __cplusplus
+#define BEGIN_C extern "C" {
+#define END_C }
+#else
+#define BEGIN_C
+#define END_C
+#endif
+
+BEGIN_C
+
+#include <stdint.h>
+
+/** \brief convert an signed integer to char buffer
+ *
+ * \param[in] value
+ * \param[out] buf the output buffer.  Should be 16 chars or more.
+ */
+void modp_itoa10(int32_t value, char* buf);
+
+/** \brief convert an unsigned integer to char buffer
+ *
+ * \param[in] value
+ * \param[out] buf The output buffer, should be 16 chars or more.
+ */
+void modp_uitoa10(uint32_t value, char* buf);
+
+/** \brief convert an signed long integer to char buffer
+ *
+ * \param[in] value
+ * \param[out] buf the output buffer.  Should be 24 chars or more.
+ */
+void modp_litoa10(int64_t value, char* buf);
+
+/** \brief convert an unsigned long integer to char buffer
+ *
+ * \param[in] value
+ * \param[out] buf The output buffer, should be 24 chars or more.
+ */
+void modp_ulitoa10(uint64_t value, char* buf);
+
+/** \brief convert a floating point number to char buffer with
+ *         fixed-precision format
+ *
+ * This is similar to "%.[0-9]f" in the printf style.  It will include
+ * trailing zeros
+ *
+ * If the input value is greater than 1<<31, then the output format
+ * will be switched exponential format.
+ *
+ * \param[in] value
+ * \param[out] buf  The allocated output buffer.  Should be 32 chars or more.
+ * \param[in] precision  Number of digits to the right of the decimal point.
+ *    Can only be 0-9.
+ */
+void modp_dtoa(double value, char* buf, int precision);
+
+/** \brief convert a floating point number to char buffer with a
+ *         variable-precision format, and no trailing zeros
+ *
+ * This is similar to "%.[0-9]f" in the printf style, except it will
+ * NOT include trailing zeros after the decimal point.  This type
+ * of format oddly does not exists with printf.
+ *
+ * If the input value is greater than 1<<31, then the output format
+ * will be switched exponential format.
+ *
+ * \param[in] value
+ * \param[out] buf  The allocated output buffer.  Should be 32 chars or more.
+ * \param[in] precision  Number of digits to the right of the decimal point.
+ *    Can only be 0-9.
+ */
+void modp_dtoa2(double value, char* buf, int precision);
+
+END_C
+
+#endif
diff --git a/src/module_util.cc b/src/module_util.cc
new file mode 100644
index 0000000000..d9aa1af645
--- /dev/null
+++ b/src/module_util.cc
@@ -0,0 +1,62 @@
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+#include <string.h>
+#include "module_util.h"
+
+static int streq(const char* s1, const char* s2)
+	{
+	return ! strcmp(s1, s2);
+	}
+
+// Returns it without trailing "::".
+string extract_module_name(const char* name)
+	{
+	string module_name = name;
+	string::size_type pos = module_name.rfind("::");
+
+	if ( pos == string::npos )
+		return string(GLOBAL_MODULE_NAME);
+
+	module_name.erase(pos);
+
+	return module_name;
+	}
+
+string extract_var_name(const char *name)
+	{
+	string var_name = name;
+	string::size_type pos = var_name.rfind("::");
+
+	if ( pos == string::npos )
+		return var_name;
+
+	if ( pos + 2 > var_name.size() )
+		return string("");
+
+	return var_name.substr(pos+2);
+	}
+
+string normalized_module_name(const char* module_name)
+	{
+	int mod_len;
+	if ( (mod_len = strlen(module_name)) >= 2 &&
+	     streq(module_name + mod_len - 2, "::") )
+		mod_len -= 2;
+
+	return string(module_name, mod_len);
+	}
+
+string make_full_var_name(const char* module_name, const char* var_name)
+	{
+	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
+	     strstr(var_name, "::") )
+		return string(var_name);
+
+	string full_name = normalized_module_name(module_name);
+	full_name += "::";
+	full_name += var_name;
+
+	return full_name;
+	}
diff --git a/src/module_util.h b/src/module_util.h
new file mode 100644
index 0000000000..4f957f2958
--- /dev/null
+++ b/src/module_util.h
@@ -0,0 +1,17 @@
+//
+// These functions are used by both Bro and bifcl.
+//
+
+#include <string>
+
+using namespace std;
+
+static const char* GLOBAL_MODULE_NAME = "GLOBAL";
+
+extern string extract_module_name(const char* name);
+extern string extract_var_name(const char* name);
+extern string normalized_module_name(const char* module_name); // w/o ::
+
+// Concatenates module_name::var_name unless var_name is already fully
+// qualified, in which case it is returned unmodified.
+extern string make_full_var_name(const char* module_name, const char* var_name);
diff --git a/src/nb_dns.c b/src/nb_dns.c
index 5033aadad4..475ba3b8b0 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -1,10 +1,6 @@
 /*
  * See the file "COPYING" in the main distribution directory for copyright.
  */
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Id: nb_dns.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
-#endif
 /*
  * nb_dns - non-blocking dns routines
  *
@@ -438,6 +434,7 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
 	register char **ap, **hap;
 	register u_int16_t id;
 	register const u_char *rdata;
+	register u_int32_t rttl = 0;	// make compiler happy.
 	register struct hostent *he;
 	register size_t rdlen;
 	ns_msg handle;
@@ -557,6 +554,7 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
 
 		rdata = ns_rr_rdata(rr);
 		rdlen = ns_rr_rdlen(rr);
+		rttl = ns_rr_ttl(rr);
 		switch (atype) {
 
 		case T_A:
@@ -603,10 +601,12 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
 
 			/* "Find first satisfactory answer" */
 			nr->hostent = he;
+			nr->ttl = rttl;
 			return (1);
 		}
 	}
 
 	nr->hostent = he;
+	nr->ttl = rttl;
 	return (1);
 }
diff --git a/src/nb_dns.h b/src/nb_dns.h
index 41b5946e48..d458f61716 100644
--- a/src/nb_dns.h
+++ b/src/nb_dns.h
@@ -1,5 +1,4 @@
-/* @(#) $Id: nb_dns.h 6219 2008-10-01 05:39:07Z vern $ (LBL)
- *
+/*
  * See the file "COPYING" in the main distribution directory for copyright.
  */
 
@@ -11,6 +10,7 @@ struct nb_dns_result {
 	void *cookie;
 	int host_errno;
 	struct hostent *hostent;
+	uint32_t ttl;
 };
 
 typedef unsigned int nb_uint32_t;
diff --git a/src/ncp.pac b/src/ncp.pac
index 8a3fcf1478..86b8bca5da 100644
--- a/src/ncp.pac
+++ b/src/ncp.pac
@@ -1,5 +1,3 @@
-# $Id: ncp.pac 4608 2007-07-05 18:23:58Z vern $
-#
 # Netware Core Protocol
 
 %include bro.pac
diff --git a/src/net_util.cc b/src/net_util.cc
index 75dfd929c2..7f4fba0c25 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -1,5 +1,3 @@
-// $Id: net_util.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -13,6 +11,7 @@
 #include <arpa/inet.h>
 #endif
 
+#include "Reporter.h"
 #include "net_util.h"
 
 // - adapted from tcpdump
@@ -37,8 +36,7 @@ int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len)
 	{
 	// ### Note, this is only correct for IPv4.  This routine is only
 	// used by the connection compressor (which we turn off for IPv6
-	// traffic) and trace rewriting (which currently doesn't support
-	// IPv6 either).
+	// traffic).
 
 	int tcp_len = tp->th_off * 4 + len;
 	uint32 sum;
@@ -101,6 +99,7 @@ int udp6_checksum(const struct ip6_hdr* ip6, const struct udphdr* up, int len)
 
 	uint32 l = htonl(len);
 	sum = ones_complement_checksum((void*) &l, 4, sum);
+
 	uint32 addl_pseudo = htons(IPPROTO_UDP);
 
 	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
@@ -258,14 +257,14 @@ uint32 dotted_to_addr(const char* addr_text)
 	if ( sscanf(addr_text,
 		    "%d.%d.%d.%d", addr+0, addr+1, addr+2, addr+3) != 4 )
 		{
-		error("bad dotted address:", addr_text );
+		reporter->Error("bad dotted address: %s", addr_text );
 		return 0;
 		}
 
 	if ( addr[0] < 0 || addr[1] < 0 || addr[2] < 0 || addr[3] < 0 ||
 	     addr[0] > 255 || addr[1] > 255 || addr[2] > 255 || addr[3] > 255 )
 		{
-		error("bad dotted address:", addr_text);
+		reporter->Error("bad dotted address: %s", addr_text);
 		return 0;
 		}
 
@@ -282,7 +281,7 @@ uint32* dotted_to_addr6(const char* addr_text)
 	uint32* addr = new uint32[4];
 	if ( inet_pton(AF_INET6, addr_text, addr) <= 0 )
 		{
-		error("bad IPv6 address:", addr_text );
+		reporter->Error("bad IPv6 address: %s", addr_text );
 		addr[0] = addr[1] = addr[2] = addr[3] = 0;
 		}
 
@@ -302,7 +301,7 @@ uint32 to_v4_addr(const uint32* addr)
 	{
 #ifdef BROv6
 	if ( ! is_v4_addr(addr) )
-		internal_error("conversion of non-IPv4 address to IPv4 address");
+		reporter->InternalError("conversion of non-IPv4 address to IPv4 address");
 	return addr[3];
 #else
 	return addr[0];
@@ -313,7 +312,7 @@ uint32 mask_addr(uint32 a, uint32 top_bits_to_keep)
 	{
 	if ( top_bits_to_keep > 32 )
 		{
-		error("bad address mask value", top_bits_to_keep);
+		reporter->Error("bad address mask value %d", top_bits_to_keep);
 		return a;
 		}
 
@@ -352,7 +351,7 @@ const uint32* mask_addr(const uint32* a, uint32 top_bits_to_keep)
 
 	if ( top_bits_to_keep == 0 || top_bits_to_keep > max_bits )
 		{
-		error("bad address mask value", top_bits_to_keep);
+		reporter->Error("bad address mask value %s", top_bits_to_keep);
 		return addr;
 		}
 
diff --git a/src/net_util.h b/src/net_util.h
index 9a6c12b3c3..08895c9540 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -1,5 +1,3 @@
-// $Id: net_util.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef netutil_h
diff --git a/src/netflow-analyzer.pac b/src/netflow-analyzer.pac
index 68de4d4a4e..e89a0181a2 100644
--- a/src/netflow-analyzer.pac
+++ b/src/netflow-analyzer.pac
@@ -1,4 +1,3 @@
-# $Id:$
 # Code written by Bernhard Ager (2007).
 
 analyzer NetFlow withcontext {
diff --git a/src/netflow-protocol.pac b/src/netflow-protocol.pac
index 7d106aed34..6b97b7cee6 100644
--- a/src/netflow-protocol.pac
+++ b/src/netflow-protocol.pac
@@ -1,4 +1,3 @@
-# $Id:$
 # Code written by Bernhard Ager (2007).
 
 type NetFlowPacket = record {
diff --git a/src/netflow.pac b/src/netflow.pac
index 8484d5fd11..91040aadeb 100644
--- a/src/netflow.pac
+++ b/src/netflow.pac
@@ -1,4 +1,3 @@
-# $Id:$
 # Code written by Bernhard Ager (2007).
 
 %extern{
diff --git a/src/parse.y b/src/parse.y
index b0bb39f0ea..1b05171ecf 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -1,15 +1,16 @@
 %{
-// $Id: parse.in 6688 2009-04-16 22:44:55Z vern $
 // See the file "COPYING" in the main distribution directory for copyright.
 %}
 
-%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY
+%expect 87
+
+%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY
 %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
 %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST
 %token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE
 %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR
-%token TOK_FUNCTION TOK_GLOBAL TOK_GLOBAL_ATTR TOK_ID TOK_IF TOK_INT
-%token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH TOK_NET
+%token TOK_FUNCTION TOK_GLOBAL TOK_ID TOK_IF TOK_INT
+%token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH
 %token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT
 %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF
 %token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET
@@ -22,10 +23,14 @@
 %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
 %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
 %token TOK_ATTR_DISABLE_PRINT_HOOK TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
-%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP
+%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
 
 %token TOK_DEBUG
 
+%token TOK_DOC TOK_POST_DOC
+
+%token TOK_NO_TEST
+
 %left ',' '|'
 %right '=' TOK_ADD_TO TOK_REMOVE_FROM
 %right '?' ':' TOK_USING
@@ -39,8 +44,10 @@
 %right '!'
 %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
 
-%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern
-%type <id> local_id global_id event_id global_or_event_id resolve_id begin_func
+%type <b> opt_no_test opt_no_test_block
+%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern TOK_DOC TOK_POST_DOC
+%type <str_l> opt_doc_list opt_post_doc_list
+%type <id> local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func
 %type <id_l> local_id_list
 %type <ic> init_class
 %type <expr> opt_init
@@ -49,11 +56,11 @@
 %type <expr> expr init anonymous_function
 %type <event_expr> event
 %type <stmt> stmt stmt_list func_body for_head
-%type <type> type opt_type refined_type enum_id_list
+%type <type> type opt_type enum_body
 %type <func_type> func_hdr func_params
 %type <type_l> type_list
 %type <type_decl> type_decl formal_args_decl
-%type <type_decl_l> type_decl_list formal_args_decl_list opt_attr_attr
+%type <type_decl_l> type_decl_list formal_args_decl_list
 %type <record> formal_args
 %type <list> expr_list opt_expr_list
 %type <c_case> case
@@ -73,6 +80,18 @@
 #include "DNS.h"
 #include "RE.h"
 #include "Scope.h"
+#include "Reporter.h"
+#include "BroDoc.h"
+#include "BroDocObj.h"
+#include "Brofiler.h"
+
+#include <list>
+#include <string>
+
+extern Brofiler brofiler;
+extern BroDoc* current_reST_doc;
+extern int generate_documentation;
+extern std::list<std::string>* reST_doc_comments;
 
 YYLTYPE GetCurrentLocation();
 extern int yyerror(const char[]);
@@ -98,14 +117,91 @@ extern Expr* g_curr_debug_expr;
 
 Expr* bro_this = 0;
 int in_init = 0;
+int in_record = 0;
 bool in_debug = false;
 bool resolving_global_ID = false;
+bool defining_global_ID = false;
 
 ID* func_id = 0;
+EnumType *cur_enum_type = 0;
+CommentedEnumType *cur_enum_type_doc = 0;
+const char* cur_enum_elem_id = 0;
+
+type_decl_list* fake_type_decl_list = 0;
+TypeDecl* last_fake_type_decl = 0;
+
+static void parser_new_enum (void)
+	{
+	/* Starting a new enum definition. */
+	assert(cur_enum_type == NULL);
+	cur_enum_type = new EnumType();
+
+	// For documentation purposes, a separate type object is created
+	// in order to avoid overlap that can be caused by redefs.
+	if ( generate_documentation )
+		cur_enum_type_doc = new CommentedEnumType();
+	}
+
+static void parser_redef_enum (ID *id)
+	{
+	/* Redef an enum. id points to the enum to be redefined.
+	   Let cur_enum_type point to it. */
+	assert(cur_enum_type == NULL);
+	if ( ! id->Type() )
+		id->Error("unknown identifier");
+	else
+		{
+		cur_enum_type = id->Type()->AsEnumType();
+		if ( ! cur_enum_type )
+			id->Error("not an enum");
+		}
+
+	if ( generate_documentation )
+		cur_enum_type_doc = new CommentedEnumType();
+	}
+
+static void add_enum_comment (std::list<std::string>* comments)
+	{
+	cur_enum_type_doc->AddComment(current_module, cur_enum_elem_id, comments);
+	}
+
+static ID* create_dummy_id (ID* id, BroType* type)
+	{
+	ID* fake_id = new ID(copy_string(id->Name()), (IDScope) id->Scope(),
+	                     is_export);
+
+	fake_id->SetType(type->Ref());
+
+	if ( id->AsType() )
+		{
+		type->SetTypeID(copy_string(id->Name()));
+		fake_id->MakeType();
+		}
+
+	return fake_id;
+	}
+
+static std::list<std::string>* concat_opt_docs (std::list<std::string>* pre,
+                                                std::list<std::string>* post)
+	{
+	if ( ! pre && ! post ) return 0;
+
+	if ( pre && ! post ) return pre;
+
+	if ( ! pre && post ) return post;
+
+	pre->splice(pre->end(), *post);
+	delete post;
+
+	return pre;
+	}
+
 %}
 
 %union {
+	bool b;
 	char* str;
+	std::list<std::string>* str_l;
 	ID* id;
 	id_list* id_l;
 	init_class ic;
@@ -376,6 +472,12 @@ expr:
 				$$ = $2;
 			}
 
+	|	'[' ']'
+			{
+			// We interpret this as an empty record constructor.
+			$$ = new RecordConstructorExpr(new ListExpr);
+			}
+
 
 	|	TOK_RECORD '(' expr_list ')'
 			{
@@ -417,13 +519,7 @@ expr:
 	|	expr TOK_HAS_FIELD TOK_ID
 			{
 			set_location(@1, @3);
-			$$ = new HasFieldExpr($1, $3, false);
-			}
-
-	|	expr TOK_HAS_ATTR TOK_ID
-			{
-			set_location(@1, @3);
-			$$ = new HasFieldExpr($1, $3, true);
+			$$ = new HasFieldExpr($1, $3);
 			}
 
 	|	anonymous_function
@@ -472,7 +568,7 @@ expr:
 					int intval = t->Lookup(id->ModuleName(),
 							       id->Name());
 					if ( intval < 0 )
-						internal_error("enum value not found for %s", id->Name());
+						reporter->InternalError("enum value not found for %s", id->Name());
 					$$ = new ConstExpr(new EnumVal(intval, t));
 					}
 				else
@@ -526,11 +622,6 @@ opt_expr_list:
 		{ $$ = new ListExpr(); }
 	;
 
-opt_comma:
-		','
-	|
-	;
-
 pattern:
 		pattern '|' single_pattern
 			{
@@ -550,24 +641,93 @@ single_pattern:
 			{ $$ = $3; }
 	;
 
-enum_id_list:
-		TOK_ID
+enum_body:
+		enum_body_list opt_post_doc_list
 			{
-			set_location(@1);
+			$$ = cur_enum_type;
 
-			EnumType* et = new EnumType(is_export);
-			if ( et->AddName(current_module, $1) < 0 )
-				error("identifier in enumerated type definition already exists");
-			$$ = et;
+			if ( generate_documentation )
+				{
+				add_enum_comment($2);
+				cur_enum_elem_id = 0;
+				}
+
+			cur_enum_type = NULL;
 			}
 
-	|	enum_id_list ',' TOK_ID
+	|	enum_body_list ',' opt_post_doc_list
 			{
-			set_location(@1, @3);
+			$$ = cur_enum_type;
 
-			if ( $1->AsEnumType()->AddName(current_module, $3) < 1 )
-				error("identifier in enumerated type definition already exists");
-			$$ = $1;
+			if ( generate_documentation )
+				{
+				add_enum_comment($3);
+				cur_enum_elem_id = 0;
+				}
+
+			cur_enum_type = NULL;
+			}
+	;
+
+enum_body_list:
+		enum_body_elem opt_post_doc_list
+			{
+			if ( generate_documentation )
+				add_enum_comment($2);
+			}
+
+	|	enum_body_list ',' opt_post_doc_list
+			{
+			if ( generate_documentation )
+				add_enum_comment($3);
+			} enum_body_elem
+;
+
+enum_body_elem:
+		/* TODO: We could also define this as TOK_ID '=' expr, (or
+		   TOK_ID '=' = TOK_ID) so that we can return more descriptive
+		   error messages if someboy tries to use constant variables as
+		   enumerator.
+		*/
+		opt_doc_list TOK_ID '=' TOK_CONSTANT
+			{
+			set_location(@2, @4);
+			assert(cur_enum_type);
+
+			if ( $4->Type()->Tag() != TYPE_COUNT )
+				reporter->Error("enumerator is not a count constant");
+			else
+				cur_enum_type->AddName(current_module, $2, $4->InternalUnsigned(), is_export);
+
+			if ( generate_documentation )
+				{
+				cur_enum_type_doc->AddName(current_module, $2, $4->InternalUnsigned(), is_export);
+				cur_enum_elem_id = $2;
+				add_enum_comment($1);
+				}
+			}
+
+	|	opt_doc_list TOK_ID '=' '-' TOK_CONSTANT
+			{
+			/* We only accept counts as enumerator, but we want to return a nice
+			   error message if users triy to use a negative integer (will also
+			   catch other cases, but that's fine.)
+			*/
+			reporter->Error("enumerator is not a count constant");
+			}
+
+	|	opt_doc_list TOK_ID
+			{
+			set_location(@2);
+			assert(cur_enum_type);
+			cur_enum_type->AddName(current_module, $2, is_export);
+
+			if ( generate_documentation )
+				{
+				cur_enum_type_doc->AddName(current_module, $2, is_export);
+				cur_enum_elem_id = $2;
+				add_enum_comment($1);
+				}
 			}
 	;
 
@@ -632,11 +792,6 @@ type:
 				$$ = base_type(TYPE_ADDR);
 				}
 
-	|	TOK_NET		{
-				set_location(@1);
-				$$ = base_type(TYPE_NET);
-				}
-
 	|	TOK_SUBNET	{
 				set_location(@1);
 				$$ = base_type(TYPE_SUBNET);
@@ -659,30 +814,37 @@ type:
 				$$ = new SetType($3, 0);
 				}
 
-	|	TOK_RECORD '{' type_decl_list '}'
+	|	TOK_RECORD '{'
+			{ ++in_record; do_doc_token_start(); }
+		type_decl_list
+			{ --in_record; }
+		'}'
 				{
-				set_location(@1, @4);
-				$$ = new RecordType($3);
+				do_doc_token_stop();
+				set_location(@1, @5);
+				$$ = new RecordType($4);
 				}
 
 	|	TOK_UNION '{' type_list '}'
 				{
 				set_location(@1, @4);
-				error("union type not implemented");
+				reporter->Error("union type not implemented");
 				$$ = 0;
 				}
 
-	|	TOK_ENUM '{' enum_id_list opt_comma '}'
+	|	TOK_ENUM '{' { set_location(@1); parser_new_enum(); do_doc_token_start(); } enum_body '}'
 				{
-				set_location(@1, @4);
-				$$ = $3;
+				do_doc_token_stop();
+				set_location(@1, @5);
+				$4->UpdateLocationEndInfo(@5);
+				$$ = $4;
 				}
 
 	|	TOK_LIST
 				{
 				set_location(@1);
 				// $$ = new TypeList();
-				error("list type not implemented");
+				reporter->Error("list type not implemented");
 				$$ = 0;
 				}
 
@@ -690,7 +852,7 @@ type:
 				{
 				set_location(@1);
 				// $$ = new TypeList($3);
-				error("list type not implemented");
+				reporter->Error("list type not implemented");
 				$$ = 0;
 				}
 
@@ -750,16 +912,47 @@ type_list:
 
 type_decl_list:
 		type_decl_list type_decl
-			{ $1->append($2); }
+			{
+			$1->append($2);
+
+			if ( generate_documentation && last_fake_type_decl )
+				{
+				fake_type_decl_list->append(last_fake_type_decl);
+				last_fake_type_decl = 0;
+				}
+			}
 	|
-			{ $$ = new type_decl_list(); }
+			{
+			$$ = new type_decl_list();
+
+			if ( generate_documentation )
+				fake_type_decl_list = new type_decl_list();
+			}
 	;
 
 type_decl:
-		TOK_ID ':' type opt_attr ';'
+		opt_doc_list TOK_ID ':' type opt_attr ';' opt_post_doc_list
 			{
-			set_location(@1, @5);
-			$$ = new TypeDecl($3, $1, $4);
+			set_location(@2, @6);
+
+			if ( generate_documentation )
+				{
+				// TypeDecl ctor deletes the attr list, so make a copy
+				attr_list* a = $5;
+				attr_list* a_copy = 0;
+
+				if ( a )
+					{
+					a_copy = new attr_list;
+					loop_over_list(*a, i)
+						a_copy->append((*a)[i]);
+					}
+
+				last_fake_type_decl = new CommentedTypeDecl(
+					$4, $2, a_copy, (in_record > 0), concat_opt_docs($1, $7));
+				}
+
+			$$ = new TypeDecl($4, $2, $5, (in_record > 0));
 			}
 	;
 
@@ -791,51 +984,170 @@ formal_args_decl:
 
 decl:
 		TOK_MODULE TOK_ID ';'
-			{ current_module = $2; }
+			{
+			current_module = $2;
+
+			if ( generate_documentation )
+				current_reST_doc->AddModule(current_module);
+			}
 
 	|	TOK_EXPORT '{' { is_export = true; } decl_list '}'
 			{ is_export = false; }
 
-	|	TOK_GLOBAL global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_REGULAR); }
+	|	TOK_GLOBAL def_global_id opt_type init_class opt_init opt_attr ';'
+			{
+			add_global($2, $3, $4, $5, $6, VAR_REGULAR);
 
-	|	TOK_CONST global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_CONST); }
+			if ( generate_documentation )
+				{
+				ID* id = $2;
+				if ( id->Type()->Tag() == TYPE_FUNC )
+					{
+					if ( id->Type()->AsFuncType()->IsEvent() )
+						current_reST_doc->AddEvent(
+							new BroDocObj(id, reST_doc_comments));
+					else
+						current_reST_doc->AddFunction(
+							new BroDocObj(id, reST_doc_comments));
+					}
+
+				else
+					{
+					current_reST_doc->AddStateVar(
+						new BroDocObj(id, reST_doc_comments));
+					}
+				}
+			}
+
+	|	TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';'
+			{
+			add_global($2, $3, $4, $5, $6, VAR_CONST);
+
+			if ( generate_documentation )
+				{
+				if ( $2->FindAttr(ATTR_REDEF) )
+					current_reST_doc->AddOption(
+						new BroDocObj($2, reST_doc_comments));
+				else
+					current_reST_doc->AddConstant(
+						new BroDocObj($2, reST_doc_comments));
+				}
+			}
 
 	|	TOK_REDEF global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_REDEF); }
+			{
+			add_global($2, $3, $4, $5, $6, VAR_REDEF);
 
-	|       TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
-		'{' enum_id_list opt_comma '}' ';'
+			if ( generate_documentation &&
+				! streq("capture_filters", $2->Name()) &&
+				! streq("dpd_config", $2->Name()) )
+				{
+				ID* fake_id = create_dummy_id($2, $2->Type());
+				BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true);
+				o->SetRole(true);
+				current_reST_doc->AddRedef(o);
+				}
+			}
+
+	|	TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
+		'{' { parser_redef_enum($3); do_doc_token_start(); } enum_body '}' ';'
+			{
+			do_doc_token_stop();
+
+			if ( generate_documentation )
+				{
+				ID* fake_id = create_dummy_id($3, cur_enum_type_doc);
+				cur_enum_type_doc = 0;
+				BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true);
+				o->SetRole(true);
+
+				if ( extract_module_name(fake_id->Name()) == "Notice" &&
+				     extract_var_name(fake_id->Name()) == "Type" )
+					current_reST_doc->AddNotice(o);
+				else
+					current_reST_doc->AddRedef(o);
+				}
+			}
+
+	|	TOK_REDEF TOK_RECORD global_id TOK_ADD_TO
+			'{' { ++in_record; do_doc_token_start(); }
+			type_decl_list
+			{ --in_record; do_doc_token_stop(); } '}' opt_attr ';'
 			{
 			if ( ! $3->Type() )
 				$3->Error("unknown identifier");
 			else
 				{
-				EnumType* add_to = $3->Type()->AsEnumType();
+				RecordType* add_to = $3->Type()->AsRecordType();
 				if ( ! add_to )
-					$3->Error("not an enum");
+					$3->Error("not a record type");
 				else
-					add_to->AddNamesFrom(current_module,
-							     $6->AsEnumType());
+					{
+					const char* error = add_to->AddFields($7, $10);
+					if ( error )
+						$3->Error(error);
+					else if ( generate_documentation )
+						{
+						if ( fake_type_decl_list )
+							{
+							BroType* fake_record =
+								new RecordType(fake_type_decl_list);
+							ID* fake = create_dummy_id($3, fake_record);
+							fake_type_decl_list = 0;
+							BroDocObj* o =
+								new BroDocObj(fake, reST_doc_comments, true);
+							o->SetRole(true);
+							current_reST_doc->AddRedef(o);
+							}
+						else
+							{
+							fprintf(stderr, "Warning: doc mode did not process "
+								"record extension for '%s', CommentedTypeDecl"
+								"list unavailable.\n", $3->Name());
+							}
+						}
+					}
 				}
 			}
 
-	|	TOK_TYPE global_id ':' refined_type opt_attr opt_attr_attr ';'
+	|	TOK_TYPE global_id ':' type opt_attr ';'
 			{
 			add_type($2, $4, $5, 0);
-			if ( $6 )
-				$2->AsType()->SetAttributesType($6);
+
+			if ( generate_documentation )
+				{
+				TypeTag t = $2->AsType()->Tag();
+				if ( t == TYPE_ENUM && cur_enum_type_doc )
+					{
+					ID* fake = create_dummy_id($2, cur_enum_type_doc);
+					cur_enum_type_doc = 0;
+					current_reST_doc->AddType(
+						new BroDocObj(fake, reST_doc_comments, true));
+					}
+
+				else if ( t == TYPE_RECORD && fake_type_decl_list )
+					{
+					BroType* fake_record = new RecordType(fake_type_decl_list);
+					ID* fake = create_dummy_id($2, fake_record);
+					fake_type_decl_list = 0;
+					current_reST_doc->AddType(
+						new BroDocObj(fake, reST_doc_comments, true));
+					}
+
+				else
+					current_reST_doc->AddType(
+						new BroDocObj($2, reST_doc_comments));
+				}
 			}
 
-	|	TOK_GLOBAL_ATTR ':' { in_global_attr_decl = true; }
-		'{' type_decl_list '}' ';' { in_global_attr_decl = false; }
+	|	TOK_EVENT event_id ':' type_list opt_attr ';'
 			{
-			global_attributes_type = new RecordType($5);
-			}
+			add_type($2, $4, $5, 1);
 
-	|	TOK_EVENT event_id ':' refined_type opt_attr ';'
-			{ add_type($2, $4, $5, 1); }
+			if ( generate_documentation )
+				current_reST_doc->AddEvent(
+					new BroDocObj($2, reST_doc_comments));
+			}
 
 	|	func_hdr func_body
 			{ }
@@ -856,25 +1168,24 @@ conditional:
 			{ do_atelse(); }
 	;
 
-opt_attr_attr:
-		TOK_ATTR_ATTR '=' '{' type_decl_list '}'
-			{ $$ = $4; }
-	|
-			{ $$ = 0; }
-	;
-
 func_hdr:
-		TOK_FUNCTION global_id func_params
+		TOK_FUNCTION def_global_id func_params
 			{
 			begin_func($2, current_module.c_str(),
-				   FUNC_FLAVOR_FUNCTION, 0, $3);
+				FUNC_FLAVOR_FUNCTION, 0, $3);
 			$$ = $3;
+			if ( generate_documentation )
+				current_reST_doc->AddFunction(
+					new BroDocObj($2, reST_doc_comments));
 			}
 	|	TOK_EVENT event_id func_params
 			{
 			begin_func($2, current_module.c_str(),
 				   FUNC_FLAVOR_EVENT, 0, $3);
 			$$ = $3;
+			if ( generate_documentation )
+				current_reST_doc->AddEventHandler(
+					new BroDocObj($2, reST_doc_comments));
 			}
 	|	TOK_REDEF TOK_EVENT event_id func_params
 			{
@@ -915,13 +1226,6 @@ func_params:
 			{ $$ = new FuncType($2, base_type(TYPE_VOID), 0); }
 	;
 
-refined_type:
-		type_list '{' type_decl_list '}'
-			{ $$ = refine_type($1, $3); }
-	|	type_list
-			{ $$ = refine_type($1, 0); }
-	;
-
 opt_type:
 		':' type
 			{ $$ = $2; }
@@ -1008,31 +1312,35 @@ attr:
 			{ $$ = new Attr(ATTR_PRIORITY, $3); }
 	|	TOK_ATTR_GROUP '=' expr
 			{ $$ = new Attr(ATTR_GROUP, $3); }
+	|	TOK_ATTR_LOG
+			{ $$ = new Attr(ATTR_LOG); }
+	|	TOK_ATTR_ERROR_HANDLER
+			{ $$ = new Attr(ATTR_ERROR_HANDLER); }
 	;
 
 stmt:
-		'{' stmt_list '}'
+		'{' opt_no_test_block stmt_list '}'
 			{
-			set_location(@1, @3);
-			$$ = $2;
+			set_location(@1, @4);
+			$$ = $3;
+			if ( $2 )
+			    brofiler.DecIgnoreDepth();
 			}
 
-	|	TOK_ALARM expr_list ';'
-			{
-			set_location(@1, @3);
-			$$ = new AlarmStmt($2);
-			}
-
-	|	TOK_PRINT expr_list ';'
+	|	TOK_PRINT expr_list ';' opt_no_test
 			{
 			set_location(@1, @3);
 			$$ = new PrintStmt($2);
+			if ( ! $4 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_EVENT event ';'
+	|	TOK_EVENT event ';' opt_no_test
 			{
 			set_location(@1, @3);
 			$$ = new EventStmt($2);
+			if ( ! $4 )
+			    brofiler.AddStmt($$);
 			}
 
 	|	TOK_IF '(' expr ')' stmt
@@ -1054,54 +1362,72 @@ stmt:
 			}
 
 	|	for_head stmt
-			{ $1->AsForStmt()->AddBody($2); }
+			{
+			$1->AsForStmt()->AddBody($2);
+			}
 
-	|	TOK_NEXT ';'
+	|	TOK_NEXT ';' opt_no_test
 			{
 			set_location(@1, @2);
 			$$ = new NextStmt;
+			if ( ! $3 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_BREAK ';'
+	|	TOK_BREAK ';' opt_no_test
 			{
 			set_location(@1, @2);
 			$$ = new BreakStmt;
+			if ( ! $3 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_RETURN ';'
+	|	TOK_RETURN ';' opt_no_test
 			{
 			set_location(@1, @2);
 			$$ = new ReturnStmt(0);
+			if ( ! $3 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_RETURN expr ';'
+	|	TOK_RETURN expr ';' opt_no_test
 			{
 			set_location(@1, @2);
 			$$ = new ReturnStmt($2);
+			if ( ! $4 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_ADD expr ';'
+	|	TOK_ADD expr ';' opt_no_test
 			{
 			set_location(@1, @3);
 			$$ = new AddStmt($2);
+			if ( ! $4 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_DELETE expr ';'
+	|	TOK_DELETE expr ';' opt_no_test
 			{
 			set_location(@1, @3);
 			$$ = new DelStmt($2);
+			if ( ! $4 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';'
+	|	TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';' opt_no_test
 			{
 			set_location(@1, @7);
 			$$ = add_local($2, $3, $4, $5, $6, VAR_REGULAR);
+			if ( ! $8 )
+			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_CONST local_id opt_type init_class opt_init opt_attr ';'
+	|	TOK_CONST local_id opt_type init_class opt_init opt_attr ';' opt_no_test
 			{
 			set_location(@1, @6);
 			$$ = add_local($2, $3, $4, $5, $6, VAR_CONST);
+			if ( ! $8 )
+			    brofiler.AddStmt($$);
 			}
 
 	|	TOK_WHEN '(' expr ')' stmt
@@ -1110,10 +1436,12 @@ stmt:
 			$$ = new WhenStmt($3, $5, 0, 0, false);
 			}
 
-	|	TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}'
+	|	TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' opt_no_test_block stmt_list '}'
 			{
-			set_location(@3, @8);
-			$$ = new WhenStmt($3, $5, $9, $7, false);
+			set_location(@3, @9);
+			$$ = new WhenStmt($3, $5, $10, $7, false);
+			if ( $9 )
+			    brofiler.DecIgnoreDepth();
 			}
 
 
@@ -1123,16 +1451,20 @@ stmt:
 			$$ = new WhenStmt($4, $6, 0, 0, true);
 			}
 
-	|	TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}'
+	|	TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' opt_no_test_block stmt_list '}'
 			{
-			set_location(@4, @9);
-			$$ = new WhenStmt($4, $6, $10, $8, true);
+			set_location(@4, @10);
+			$$ = new WhenStmt($4, $6, $11, $8, true);
+			if ( $10 )
+			    brofiler.DecIgnoreDepth();
 			}
 
-	|	expr ';'
+	|	expr ';' opt_no_test
 			{
 			set_location(@1, @2);
 			$$ = new ExprStmt($1);
+			if ( ! $3 )
+			    brofiler.AddStmt($$);
 			}
 
 	|	';'
@@ -1246,6 +1578,11 @@ global_id:
 		{ $$ = $2; }
 	;
 
+def_global_id:
+	{ defining_global_ID = 1; } global_id { defining_global_ID = 0; } 
+		{ $$ = $2; }
+	;
+
 event_id:
 	{ resolving_global_ID = 0; } global_or_event_id
 		{ $$ = $2; }
@@ -1256,7 +1593,7 @@ global_or_event_id:
 			{
 			set_location(@1);
 
-			$$ = lookup_ID($1, current_module.c_str(), false);
+			$$ = lookup_ID($1, current_module.c_str(), false, defining_global_ID);
 			if ( $$ )
 				{
 				if ( ! $$->IsGlobal() )
@@ -1270,7 +1607,7 @@ global_or_event_id:
 				const char* module_name =
 					resolving_global_ID ?
 						current_module.c_str() : 0;
-					
+
 				$$ = install_ID($1, module_name,
 						true, is_export);
 				}
@@ -1283,17 +1620,65 @@ resolve_id:
 			{
 			set_location(@1);
 			$$ = lookup_ID($1, current_module.c_str());
+
 			if ( ! $$ )
-				error("identifier not defined:", $1);
+				reporter->Error("identifier not defined: %s", $1);
+
 			delete [] $1;
 			}
 	;
 
+opt_post_doc_list:
+		opt_post_doc_list TOK_POST_DOC
+			{
+			$1->push_back($2);
+			$$ = $1;
+			}
+	|
+		TOK_POST_DOC
+			{
+			$$ = new std::list<std::string>();
+			$$->push_back($1);
+			delete [] $1;
+			}
+	|
+			{ $$ = 0; }
+	;
+
+opt_doc_list:
+		opt_doc_list TOK_DOC
+			{
+			$1->push_back($2);
+			$$ = $1;
+			}
+	|
+		TOK_DOC
+			{
+			$$ = new std::list<std::string>();
+			$$->push_back($1);
+			delete [] $1;
+			}
+	|
+			{ $$ = 0; }
+	;
+
+opt_no_test:
+		TOK_NO_TEST
+			{ $$ = true; }
+	|
+			{ $$ = false; }
+
+opt_no_test_block:
+		TOK_NO_TEST
+			{ $$ = true; brofiler.IncIgnoreDepth(); }
+	|
+			{ $$ = false; }
+
 %%
 
 int yyerror(const char msg[])
 	{
-	char* msgbuf = new char[strlen(msg) + strlen(last_tok) + 64];
+	char* msgbuf = new char[strlen(msg) + strlen(last_tok) + 128];
 
 	if ( last_tok[0] == '\n' )
 		sprintf(msgbuf, "%s, on previous line", msg);
@@ -1302,7 +1687,11 @@ int yyerror(const char msg[])
 	else
 		sprintf(msgbuf, "%s, at or near \"%s\"", msg, last_tok);
 
-	error(msgbuf);
+	if ( generate_documentation )
+		strcat(msgbuf, "\nDocumentation mode is enabled: "
+		       "remember to check syntax of ## style comments\n");
+
+	reporter->Error("%s", msgbuf);
 
 	return 0;
 	}
diff --git a/src/patricia.c b/src/patricia.c
index c9d271803c..ef9c008f4b 100644
--- a/src/patricia.c
+++ b/src/patricia.c
@@ -1,5 +1,4 @@
 /*
- * $Id: patricia.c 80 2004-07-14 20:15:50Z jason $
  * Dave Plonka <plonka@doit.wisc.edu>
  *
  * This product includes software developed by the University of Michigan,
@@ -1027,7 +1026,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string)
 {
     patricia_node_t *node;
 
-    if (node = try_search_exact (tree, string))
+    if ( (node = try_search_exact(tree, string)) )
         patricia_remove (tree, node);
 }
 
diff --git a/src/patricia.h b/src/patricia.h
index 0118679331..4bc2f9b81f 100644
--- a/src/patricia.h
+++ b/src/patricia.h
@@ -1,5 +1,4 @@
 /*
- * $Id: patricia.h 967 2005-01-03 07:19:06Z vern $
  * Dave Plonka <plonka@doit.wisc.edu>
  *
  * This product includes software developed by the University of Michigan,
diff --git a/src/portmap-analyzer.pac b/src/portmap-analyzer.pac
deleted file mode 100644
index 546be2e9cc..0000000000
--- a/src/portmap-analyzer.pac
+++ /dev/null
@@ -1,187 +0,0 @@
-# $Id:$
-
-%include portmap-protocol.pac
-
-# Add a function to the hook in the RPC connection to build the call Val.
-refine casefunc RPC_BuildCallVal += {
-	RPC_SERVICE_PORTMAP ->
-		PortmapBuildCallVal(call, call.params.portmap);
-};
-
-# ... and a function invocation to handle successful portmap replies.
-refine typeattr PortmapResults += &let {
-	action_reply: bool = $context.connection.ProcessPortmapReply(this);
-};
-
-# ... and a function to handle failed portmap calls.
-refine casefunc RPC_CallFailed += {
-	RPC_SERVICE_PORTMAP	-> PortmapCallFailed(connection, call, status);
-};
-
-# Build portmap call Val.
-function PortmapBuildCallVal(call: RPC_Call, params: PortmapParams): BroVal =
-	case call.proc of {
-		PMAPPROC_NULL, PMAPPROC_DUMP
-			-> NULL;
-		PMAPPROC_SET, PMAPPROC_UNSET
-			-> PortmapBuildMappingVal(params.mapping);
-		PMAPPROC_GETPORT
-			-> PortmapBuildPortRequest(params.mapping);
-		PMAPPROC_CALLIT
-			-> PortmapBuildCallItVal(params.callit);
-	};
-
-function PortmapBuildPortVal(port: uint32, proto: uint32): BroPortVal
-	%{
-	// TODO: replace port with CheckPort(port)
-	return new PortVal(port, proto == IPPROTO_TCP ?
-					TRANSPORT_TCP : TRANSPORT_UDP);
-	%}
-
-function PortmapBuildMappingVal(params: PortmapMapping): BroVal
-	%{
-	RecordVal* mapping = new RecordVal(pm_mapping);
-
-	mapping->Assign(0, new Val(params->prog(), TYPE_COUNT));
-	mapping->Assign(1, new Val(params->vers(), TYPE_COUNT));
-	mapping->Assign(2, PortmapBuildPortVal(params->port(),
-	                                       params->proto()));
-
-	return mapping;
-	%}
-
-function PortmapBuildPortRequest(params: PortmapMapping): BroVal
-	%{
-	RecordVal* request = new RecordVal(pm_port_request);
-
-	request->Assign(0, new Val(params->prog(), TYPE_COUNT));
-	request->Assign(1, new Val(params->vers(), TYPE_COUNT));
-	request->Assign(2, new Val(params->proto() == IPPROTO_TCP, TYPE_BOOL));
-
-	return request;
-	%}
-
-function PortmapBuildCallItVal(params: PortmapCallItParams): BroVal
-	%{
-	RecordVal* c = new RecordVal(pm_callit_request);
-
-	c->Assign(0, new Val(params->prog(), TYPE_COUNT));
-	c->Assign(1, new Val(params->vers(), TYPE_COUNT));
-	c->Assign(2, new Val(params->proc(), TYPE_COUNT));
-	c->Assign(3, new Val(params->params()->length(), TYPE_COUNT));
-
-	return c;
-	%}
-
-function PortmapBuildDumpVal(params: PortmapDumpResults): BroVal
-	%{
-	TableVal* mappings = new TableVal(pm_mappings);
-
-	for ( int i = 0; i < params->size(); ++i )
-		{
-		Val* m = PortmapBuildMappingVal((*params)[i]->mapping());
-		Val* index = new Val(i + 1, TYPE_COUNT);
-		mappings->Assign(index, m);
-		Unref(index);
-		}
-
-	return mappings;
-	%}
-
-refine connection RPC_Conn += {
-	function ProcessPortmapReply(results: PortmapResults): bool
-		%{
-		RPC_Call const* call = results->call();
-		PortmapParams const* params = call->params()->portmap();
-
-		switch ( call->proc() ) {
-		case PMAPPROC_NULL:
-			bro_event_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
-			break;
-
-		case PMAPPROC_SET:
-			bro_event_pm_request_set(bro_analyzer(),
-				bro_analyzer()->Conn(),
-				call->call_val(), results->set());
-			break;
-
-		case PMAPPROC_UNSET:
-			bro_event_pm_request_unset(bro_analyzer(),
-				bro_analyzer()->Conn(),
-				call->call_val(), results->unset());
-			break;
-
-		case PMAPPROC_GETPORT:
-			bro_event_pm_request_getport(bro_analyzer(),
-				bro_analyzer()->Conn(),
-				call->call_val(),
-				PortmapBuildPortVal(results->getport(),
-					params->mapping()->proto()));
-			break;
-
-		case PMAPPROC_DUMP:
-			bro_event_pm_request_dump(bro_analyzer(),
-				bro_analyzer()->Conn(),
-				PortmapBuildDumpVal(results->dump()));
-			break;
-
-		case PMAPPROC_CALLIT:
-			bro_event_pm_request_callit(bro_analyzer(),
-				bro_analyzer()->Conn(),
-				call->call_val(),
-				new PortVal(results->callit()->port(),
-					    TRANSPORT_UDP));
-			break;
-
-		default:
-			return false;
-		}
-
-		return true;
-		%}
-};
-
-function PortmapCallFailed(connection: RPC_Conn,
-			call: RPC_Call,
-			status: EnumRPCStatus): bool
-	%{
-	// BroEnum::rpc_status st = static_cast<BroEnum::rpc_status>(status);
-	BroEnum::rpc_status st = (BroEnum::rpc_status) status;
-
-	switch ( call->proc() ) {
-	case PMAPPROC_NULL:
-		bro_event_pm_attempt_null(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st);
-		break;
-
-	case PMAPPROC_SET:
-		bro_event_pm_attempt_set(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st, call->call_val());
-		break;
-
-	case PMAPPROC_UNSET:
-		bro_event_pm_attempt_unset(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st, call->call_val());
-		break;
-
-	case PMAPPROC_GETPORT:
-		bro_event_pm_attempt_getport(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st, call->call_val());
-		break;
-
-	case PMAPPROC_DUMP:
-		bro_event_pm_attempt_dump(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st);
-		break;
-
-	case PMAPPROC_CALLIT:
-		bro_event_pm_attempt_callit(connection->bro_analyzer(),
-			connection->bro_analyzer()->Conn(), st, call->call_val());
-		break;
-
-	default:
-		return false;
-	}
-
-	return true;
-	%}
diff --git a/src/portmap-protocol.pac b/src/portmap-protocol.pac
deleted file mode 100644
index d9f3e5be97..0000000000
--- a/src/portmap-protocol.pac
+++ /dev/null
@@ -1,76 +0,0 @@
-# $Id:$
-
-# Extends rpc-protocol.pac.
-
-###################
-# Hooks into RPC data structures.
-
-refine casefunc RPC_Service += {
-	100000	-> RPC_SERVICE_PORTMAP;
-};
-
-refine casetype RPC_Params += {
-	RPC_SERVICE_PORTMAP	-> portmap:	PortmapParams(call);
-};
-
-refine casetype RPC_Results += {
-	RPC_SERVICE_PORTMAP	-> portmap:	PortmapResults(call);
-};
-
-###################
-# Portmap types.
-
-enum PortmapProc {
-	PMAPPROC_NULL		= 0,
-	PMAPPROC_SET		= 1,
-	PMAPPROC_UNSET		= 2,
-	PMAPPROC_GETPORT	= 3,
-	PMAPPROC_DUMP		= 4,
-	PMAPPROC_CALLIT		= 5,
-};
-
-type PortmapParams(call: RPC_Call) = case call.proc of {
-	PMAPPROC_NULL		-> null:	empty;
-	PMAPPROC_SET, PMAPPROC_UNSET, PMAPPROC_GETPORT
-				-> mapping:	PortmapMapping;
-	PMAPPROC_DUMP		-> dump:	empty;
-	PMAPPROC_CALLIT		-> callit:	PortmapCallItParams;
-};
-
-type PortmapResults(call: RPC_Call) = case call.proc of {
-	PMAPPROC_NULL		-> null:	empty;
-	PMAPPROC_SET		-> set:		uint32;
-	PMAPPROC_UNSET		-> unset:	uint32;
-	PMAPPROC_GETPORT	-> getport:	uint32;
-	PMAPPROC_DUMP		-> dump:	PortmapDumpResults;
-	PMAPPROC_CALLIT		-> callit:	PortmapCallItResults;
-};
-
-type PortmapMapping = record {
-	prog:	uint32;
-	vers:	uint32;
-	proto:	uint32;
-	port:	uint32;
-};
-
-type PortmapCallItParams = record {
-	prog:	uint32;
-	vers:	uint32;
-	proc:	uint32;
-	params:	RPC_Opaque;	# TODO: parse params
-};
-
-type PortmapDumpEntry = record {
-	cont:		uint32;
-	optmapping:	case cont of {
-		0 ->		none: empty;
-		default ->	mapping: PortmapMapping;
-	};
-};
-
-type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont != 1);
-
-type PortmapCallItResults = record {
-	port:	uint32;
-	results: RPC_Opaque;	# TODO: parse results
-};
diff --git a/src/re-parse.y b/src/re-parse.y
index f4c0722c51..3847c06f29 100644
--- a/src/re-parse.y
+++ b/src/re-parse.y
@@ -1,13 +1,12 @@
 // parse.y - parser for flex input
 
 %{
-// $Id: re-parse.y 5857 2008-06-26 23:00:03Z vern $
-
 #include <stdlib.h>
 
 #include "CCL.h"
 #include "NFA.h"
 #include "EquivClass.h"
+#include "Reporter.h"
 
 int csize = 256;
 int syntax_error = 0;
@@ -220,7 +219,7 @@ int clower(int sym)
 void synerr(const char str[])
 	{
 	syntax_error = true;
-	run_time("%s (compiling pattern /%s/)", str, RE_parse_input);
+	reporter->Error("%s (compiling pattern /%s/)", str, RE_parse_input);
 	}
 
 void yyerror(const char msg[])
diff --git a/src/re-scan.l b/src/re-scan.l
index fbd85899a4..0d737f08a6 100644
--- a/src/re-scan.l
+++ b/src/re-scan.l
@@ -5,8 +5,6 @@
  */
 
 %{
-// $Id: re-scan.l 6219 2008-10-01 05:39:07Z vern $
-
 #include "CCL.h"
 #include "NFA.h"
 #include "util.h"
diff --git a/src/reporter.bif b/src/reporter.bif
new file mode 100644
index 0000000000..c0f83205c3
--- /dev/null
+++ b/src/reporter.bif
@@ -0,0 +1,73 @@
+##! The reporter built-in functions allow for the scripting layer to
+##! generate messages of varying severity.  If no event handlers
+##! exist for reporter messages, the messages are output to stderr.
+##! If event handlers do exist, it's assumed they take care of determining
+##! how/where to output the messages.
+##!
+##! See :doc:`/scripts/base/frameworks/reporter/main` for a convenient
+##! reporter message logging framework.
+
+module Reporter;
+
+%%{
+#include "NetVar.h"
+%%}
+
+## Generates an informational message.
+##
+## msg: The informational message to report.
+##
+## Returns: Always true.
+##
+## .. bro:see:: reporter_info
+function Reporter::info%(msg: string%): bool
+	%{
+	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->Info("%s", msg->CheckString());
+	reporter->PopLocation();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Generates a message that warns of a potential problem.
+##
+## msg: The warning message to report.
+##
+## Returns: Always true.
+##
+## .. bro:see:: reporter_warning
+function Reporter::warning%(msg: string%): bool
+	%{
+	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->Warning("%s", msg->CheckString());
+	reporter->PopLocation();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Generates a non-fatal error indicative of a definite problem that should
+## be addressed. Program execution does not terminate.
+##
+## msg: The error message to report.
+##
+## Returns: Always true.
+##
+## .. bro:see:: reporter_error
+function Reporter::error%(msg: string%): bool
+	%{
+	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->Error("%s", msg->CheckString());
+	reporter->PopLocation();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+## Generates a fatal error on stderr and terminates program execution.
+##
+## msg: The error message to report.
+##
+## Returns: Always true.
+function Reporter::fatal%(msg: string%): bool
+	%{
+	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->FatalError("%s", msg->CheckString());
+	reporter->PopLocation();
+	return new Val(1, TYPE_BOOL);
+	%}
diff --git a/src/rpc-analyzer.pac b/src/rpc-analyzer.pac
deleted file mode 100644
index 6c455f7028..0000000000
--- a/src/rpc-analyzer.pac
+++ /dev/null
@@ -1,196 +0,0 @@
-# $Id:$
-
-########################################
-# Protocol Syntax.
-
-%include rpc-protocol.pac
-
-########################################
-# Connections and flows.
-
-# External headers (placed outside the "binpac" namespace).
-%extern{
-#include <map>
-using namespace std;
-%}
-
-# Extensible function for building a Bro Val for the RPC call.
-# See portmap-connection.pac.
-function RPC_BuildCallVal(call: RPC_Call): BroVal =
-	case RPC_Service(call) of {
-		default		-> NULL;
-	};
-
-# Adding extra let-fields to type RPC_Call.
-refine typeattr RPC_Call += &let {
-	start_time: double = network_time();
-
-	# Build the Bro Val.
-	call_val: BroVal = RPC_BuildCallVal(this);
-
-	action_call: bool = $context.flow.ProcessCall(this);
-};
-
-# ... and to RPC_Reply.
-refine typeattr RPC_Reply += &let {
-	status = RPC_Status(this);
-	action_reply: bool = $context.flow.ProcessReply(this);
-};
-
-# RPC status in Bro (this is a repeat of enum rpc_status in const.bif :-().
-enum EnumRPCStatus {
-	RPC_STATUS_SUCCESS	= 0,
-	RPC_STATUS_PROG_UNAVAIL	= 1,
-	RPC_STATUS_PROG_MISMATCH= 2,
-	RPC_STATUS_PROC_UNAVAIL	= 3,
-	RPC_STATUS_GARBAGE_ARGS	= 4,
-	RPC_STATUS_SYSTEM_ERR	= 5,
-	RPC_STATUS_TIMEOUT	= 6,
-	RPC_STATUS_MISMATCH	= 7,
-	RPC_STATUS_AUTH_ERROR	= 8,
-	RPC_STATUS_UNKNOWN_ERROR = 9,
-};
-
-function RPC_Status(reply: RPC_Reply): EnumRPCStatus =
-	case reply.stat of {
-		MSG_ACCEPTED	-> reply.areply.stat;
-		MSG_DENIED	-> case reply.rreply.stat of {
-			RPC_MISMATCH	-> RPC_STATUS_MISMATCH;
-			AUTH_ERROR	-> RPC_STATUS_AUTH_ERROR;
-		};
-	};
-
-# An RPC interpreter.
-connection RPC_Conn(bro_analyzer: BroAnalyzer) {
-	upflow = RPC_Flow(true);
-	downflow = RPC_Flow(false);
-
-	# Returns the call corresponding to the xid. Returns
-	# NULL if not found.
-	function FindCall(xid: uint32): RPC_Call
-		%{
-		RPC_CallTable::const_iterator it = call_table.find(xid);
-		return it == call_table.end() ? 0 : it->second;
-		%}
-
-	function NewCall(xid: uint32, call: RPC_Call): bool
-		%{
-		if ( call_table.find(xid) != call_table.end() )
-			{
-			// Compare retransmission with the original.
-			RPC_Call* orig_call = call_table[xid];
-			if ( RPC_CompareRexmit(orig_call, call) )
-				Weird("RPC_rexmit_inconsistency");
-			return false;
-			}
-		else
-			{
-			// Add reference count to msg.
-			call->msg()->Ref();
-			call_table[xid] = call;
-			return true;
-			}
-		%}
-
-	# Returns true if different.
-	function RPC_CompareRexmit(orig_call: RPC_Call, new_call: RPC_Call): bool
-		%{
-		if ( ${orig_call.msg.length} != ${new_call.msg.length} )
-			return true;
-
-		return memcmp(${orig_call.msg_source_data}.begin(),
-		              ${new_call.msg_source_data}.begin(),
-		              ${orig_call.msg.length}) != 0;
-		%}
-
-	function FinishCall(call: RPC_Call): void
-		%{
-		call_table.erase(call->msg()->xid());
-		Unref(call->msg());
-		%}
-
-	function Timeout(): void
-		%{
-		for ( RPC_CallTable::const_iterator it = call_table.begin();
-		      it != call_table.end(); ++it )
-			{
-			RPC_Call* call = it->second;
-			RPC_CallFailed(this, call, RPC_STATUS_TIMEOUT);
-			Unref(call->msg());
-			}
-
-		call_table.clear();
-		%}
-
-	function Weird(msg: string): void
-		%{
-		bro_analyzer()->Weird(msg.c_str());
-		%}
-
-	%member{
-		typedef ::std::map<uint32, RPC_Call*> RPC_CallTable;
-		RPC_CallTable call_table;
-	%}
-};
-
-# A virtual RPC flow.
-flow RPC_Flow (is_orig: bool) {
-	# An RPC flow consists of RPC_Message datagrams.
-	datagram = RPC_Message withcontext (connection, this);
-
-	function ProcessCall(call: RPC_Call): bool
-		%{
-		if ( ! is_orig() )
-			Weird("responder_RPC_call");
-		return true;
-		%}
-
-	function ProcessReply(reply: RPC_Reply): bool
-		%{
-		if ( is_orig() )
-			Weird("originator_RPC_reply");
-
-		RPC_Call* call = reply->call();
-		if ( ! call )
-			{
-			Weird("unpaired_RPC_response");
-			return false;
-			}
-
-		bro_event_rpc_call(connection()->bro_analyzer(),
-		                   connection()->bro_analyzer()->Conn(),
-		                   call->prog(),
-		                   call->vers(),
-		                   call->proc(),
-		                   reply->status(),
-		                   call->start_time(),
-		                   call->msg()->length(),
-		                   reply->msg()->length());
-
-		if ( ! reply->success() )
-			RPC_CallFailed(connection(), call, reply->status());
-
-		connection()->FinishCall(call);
-
-		return true;
-		%}
-
-	function Weird(msg: string): void
-		%{
-		connection()->Weird(msg);
-		%}
-
-#	TODO: deal with exceptions
-#	exception(e: Exception)
-#		{
-#		Weird(string("bad RPC: ") + e.msg());
-#		}
-};
-
-# Extensible function for handling failed (rejected/timeout) RPC calls.
-function RPC_CallFailed(connection: RPC_Conn,
-                        call: RPC_Call,
-                        status: EnumRPCStatus): bool =
-	case RPC_Service(call) of {
-		default		-> false;
-	};
diff --git a/src/rpc-protocol.pac b/src/rpc-protocol.pac
deleted file mode 100644
index d70195bac6..0000000000
--- a/src/rpc-protocol.pac
+++ /dev/null
@@ -1,164 +0,0 @@
-# $Id:$
-
-# RPCv2. RFC 1831: http://www.ietf.org/rfc/rfc1831.txt
-
-# This is an analyzer-independent (almost) description of the RPC protocol.
-
-########################################
-# Constants.
-
-enum RPC_MsgType {
-	RPC_CALL	= 0,
-	RPC_REPLY	= 1,
-};
-
-enum RPC_ReplyStat {
-	MSG_ACCEPTED	= 0,
-	MSG_DENIED	= 1,
-};
-
-enum RPC_AcceptStat {
-	SUCCESS		= 0,
-	PROG_UNAVAIL	= 1,
-	PROG_MISMATCH	= 2,
-	PROC_UNAVAIL	= 3,
-	GARBAGE_ARGS	= 4,
-	SYSTEM_ERR	= 5,
-};
-
-enum RPC_RejectStat {
-	RPC_MISMATCH	= 0,
-	AUTH_ERROR	= 1,
-};
-
-enum RPC_AuthStat {
-	AUTH_OK			= 0,
-
-	# failed at remote end
-	AUTH_BADCRED		= 1,  # bad credential (seal broken)
-	AUTH_REJECTEDCRED	= 2,  # client must begin new session
-	AUTH_BADVERF		= 3,  # bad verifier (seal broken)
-	AUTH_REJECTEDVERF	= 4,  # verifier expired or replayed
-	AUTH_TOOWEAK		= 5,  # rejected for security reasons
-	# failed locally
-	AUTH_INVALIDRESP	= 6,  # bogus response verifier
-	AUTH_FAILED		= 7,  # reason unknown
-};
-
-
-########################################
-
-# To be redef'ed in various protocols.
-function RPC_Service(prog: uint32, vers: uint32): EnumRPCService =
-	case prog of {
-		default -> RPC_SERVICE_UNKNOWN;
-	};
-
-# Param "call" might be NULL for RPC_Results, thus "RPC_Service(call)"
-# rather than simply "call.service".
-
-%code{
-
-inline EnumRPCService RPC_Service(const RPC_Call* call)
-	{
-	// If it's an unpaired response, we ignore it for now and
-	// complain later in the analyzer.
-	return call ? call->service() : RPC_SERVICE_UNKNOWN;
-	}
-%}
-
-
-########################################
-# Data structures.
-
-# Export the source data for each RPC_Message for RPC retransmission checking.
-# With &exportsourcedata, "sourcedata" are defined as members of
-# class RPC_Message.
-
-type RPC_Message = record {
-	xid:		uint32;
-	msg_type:	uint32;
-	msg_body:	case msg_type of {
-		RPC_CALL	-> call:	RPC_Call(this);
-		RPC_REPLY	-> reply:	RPC_Reply(this);
-	} &requires(length);
-} &let {
-	length = sourcedata.length();	# length of the RPC_Message
-} &byteorder = bigendian, &exportsourcedata, &refcount;
-
-type RPC_Call(msg: RPC_Message) = record {
-	rpcvers:	uint32;
-	prog:		uint32;
-	vers:		uint32;
-	proc:		uint32;
-	cred:		RPC_OpaqueAuth;
-	verf:		RPC_OpaqueAuth;
-
-	# Compute 'service' before parsing params.
-	params:		RPC_Params(this) &requires(service);
-} &let {
-	service: EnumRPCService = RPC_Service(prog, vers);
-
-	# Copy the source data for retransmission checking.
-	msg_source_data: bytestring = msg.sourcedata;
-
-	# Register the RPC call by the xid.
-	newcall: bool = context.connection.NewCall(msg.xid, this)
-		&requires(msg_source_data);
-};
-
-type RPC_Reply(msg: RPC_Message) = record {
-	# Find the corresponding RPC call.
-	# Further parsing of reply depends on call.{prog, vers, proc}
-	stat:		uint32;
-	reply:		case stat of {
-		MSG_ACCEPTED	-> areply:	RPC_AcceptedReply(call);
-		MSG_DENIED	-> rreply:	RPC_RejectedReply(call);
-	} &requires(call);
-} &let {
-	call: RPC_Call = context.connection.FindCall(msg.xid);
-	success: bool = (stat == MSG_ACCEPTED && areply.stat == SUCCESS);
-};
-
-type RPC_AcceptedReply(call: RPC_Call) = record {
-	verf:		RPC_OpaqueAuth;
-	stat:		uint32;
-	data:		case stat of {
-		SUCCESS		-> results:	RPC_Results(call);
-		PROG_MISMATCH	-> mismatch:	RPC_MismatchInfo;
-		default		-> other:	empty;
-	};
-};
-
-type RPC_RejectedReply(call: RPC_Call) = record {
-	stat:		uint32;
-	data:		case stat of {
-		RPC_MISMATCH	-> mismatch:	RPC_MismatchInfo;
-		AUTH_ERROR	-> auth_stat:	uint32;	# RPC_AuthStat
-	};
-};
-
-type RPC_MismatchInfo = record {
-	hi:	uint32;
-	low:	uint32;
-};
-
-type RPC_Opaque = record {
-	length:	uint32;
-	data:	uint8[length];
-	pad:	padding align 4;	# pad to 4-byte boundary
-};
-
-type RPC_OpaqueAuth = record {
-	flavor: uint32;
-	opaque: RPC_Opaque;
-};
-
-# To be extended by higher level protocol analyzers. See portmap-protocol.pac.
-type RPC_Params(call: RPC_Call) = case RPC_Service(call) of {
-	default			-> stub: uint8[] &restofdata;
-};
-
-type RPC_Results(call: RPC_Call) = case RPC_Service(call) of {
-	default		-> stub: uint8[] &restofdata;
-};
diff --git a/src/rpc.pac b/src/rpc.pac
deleted file mode 100644
index 486a3f4f5c..0000000000
--- a/src/rpc.pac
+++ /dev/null
@@ -1,19 +0,0 @@
-# $Id:$
-
-# RPCv2. RFC 1831: http://www.ietf.org/rfc/rfc1831.txt
-
-%include binpac.pac
-%include bro.pac
-
-analyzer SunRPC withcontext {
-	connection:	RPC_Conn;
-	flow:		RPC_Flow;
-};
-
-enum EnumRPCService {
-	RPC_SERVICE_UNKNOWN,
-	RPC_SERVICE_PORTMAP,
-};
-
-%include rpc-analyzer.pac
-%include portmap-analyzer.pac
diff --git a/src/rule-parse.y b/src/rule-parse.y
index da3437d9e8..c8770c3e22 100644
--- a/src/rule-parse.y
+++ b/src/rule-parse.y
@@ -1,8 +1,7 @@
 %{
-/* $Id: rule-parse.y 5988 2008-07-19 07:02:12Z vern $ */
-
 #include <stdio.h>
 #include "RuleMatcher.h"
+#include "Reporter.h"
 
 extern void begin_PS();
 extern void end_PS();
@@ -169,7 +168,7 @@ rule_attr:
 	|	TOK_PATTERN_TYPE '[' rangeopt ']' pattern
 			{
 			if ( $3.offset > 0 )
-				warn("Offsets are currently ignored for patterns");
+				reporter->Warning("Offsets are currently ignored for patterns");
 			current_rule->AddPattern($5, $1, 0, $3.len);
 			}
 
@@ -316,14 +315,14 @@ pattern:
 
 void rules_error(const char* msg)
 	{
-	fprintf(stderr, "Error in signature (%s:%d): %s\n",
+	reporter->Error("Error in signature (%s:%d): %s\n",
 			current_rule_file, rules_line_number+1, msg);
 	rule_matcher->SetParseError();
 	}
 
 void rules_error(const char* msg, const char* addl)
 	{
-	fprintf(stderr, "Error in signature (%s:%d): %s (%s)\n",
+	reporter->Error("Error in signature (%s:%d): %s (%s)\n",
 			current_rule_file, rules_line_number+1, msg, addl);
 	rule_matcher->SetParseError();
 	}
@@ -331,7 +330,7 @@ void rules_error(const char* msg, const char* addl)
 void rules_error(Rule* r, const char* msg)
 	{
 	const Location& l = r->GetLocation();
-	fprintf(stderr, "Error in signature %s (%s:%d): %s\n",
+	reporter->Error("Error in signature %s (%s:%d): %s\n",
 			r->ID(), l.filename, l.first_line, msg);
 	rule_matcher->SetParseError();
 	}
diff --git a/src/rule-scan.l b/src/rule-scan.l
index 0c444543b2..1ba9bed1de 100644
--- a/src/rule-scan.l
+++ b/src/rule-scan.l
@@ -1,5 +1,3 @@
-/* $Id: rule-scan.l 6914 2009-09-22 00:35:24Z vern $ */
-
 %{
 typedef unsigned int uint32;
 
diff --git a/src/scan.l b/src/scan.l
index 0d479dc44e..4914783c44 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -1,9 +1,15 @@
-/* $Id: scan.l 6510 2009-01-08 14:51:04Z vern $ */
 %{
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include <errno.h>
 
+#include <stack>
+#include <list>
+#include <string>
+#include <algorithm>
+#include <sys/stat.h>
+#include <libgen.h>
+
 #include "input.h"
 #include "util.h"
 #include "Scope.h"
@@ -15,26 +21,25 @@
 #include "Debug.h"
 #include "PolicyFile.h"
 #include "broparse.h"
-
-#include <stack>
+#include "BroDoc.h"
+#include "Analyzer.h"
+#include "AnalyzerTags.h"
+#include "Reporter.h"
 
 extern YYLTYPE yylloc;	// holds start line and column of token
 extern int print_loaded_scripts;
-
-int nwarn = 0;
-int nerr = 0;
-int nruntime = 0;
+extern int generate_documentation;
 
 // Track the @if... depth.
 ptr_compat_int current_depth = 0;
 
-declare(List,ptr_compat_int);
-typedef List(ptr_compat_int) int_list;
 int_list if_stack;
 
 int line_number = 1;
-int include_level = 0;
 const char* filename = 0;
+BroDoc* current_reST_doc = 0;
+static BroDoc* last_reST_doc = 0;
+string current_scanned_file_path;
 
 char last_tok[128];
 
@@ -45,10 +50,60 @@ char last_tok[128];
 // a read fails.
 #define YY_INPUT(buf,result,max_size) \
 	if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \
-		error(fmt("read failed with \"%s\"", strerror(errno)));
+		reporter->Error("read failed with \"%s\"", strerror(errno));
 
-// Files we have already scanned (or are in the process of scanning).
-static PList(char) files_scanned;
+// reST documents that we've created (or have at least opened so far).
+std::list<BroDoc*> docs_generated;
+
+// reST comments (those starting with ##) seen so far.
+std::list<std::string>* reST_doc_comments = 0;
+
+// Print current contents of reST_doc_comments list to stderr.
+void print_current_reST_doc_comments();
+
+// Delete the reST_doc_comments list object.
+void clear_reST_doc_comments();
+
+// Adds changes to capture_filter to the current script's reST documentation.
+static void check_capture_filter_changes();
+
+// Adds changes to dpd_config to the current script's reST documentation.
+static void check_dpd_config_changes();
+
+static const char* canon_doc_comment(const char* comment)
+	{
+	// "##Text" and "## Text" are treated the same in order to be able
+	// to still preserve indentation level, but not unintentionally
+	// signify an indentation level for all the text when using
+	// the "## Text" style.
+	return ( comment[0] == ' ' ) ? comment + 1 : comment;
+	}
+
+static std::string canon_doc_func_param(const char* id_start)
+	{
+	std::string id_name(id_start, strcspn(id_start, ":"));
+	const char* comment = id_start + id_name.size() + 1;
+	std::string doc;
+
+	if ( id_name == "Returns" )
+		doc.append(":returns:").append(comment);
+	else
+		doc.append(":param ").append(id_name).append(":").append(comment);
+	return doc;
+	}
+
+static ino_t get_inode_num(FILE* f, const char* filename)
+	{
+	struct stat b;
+
+	if ( fstat(fileno(f), &b) )
+		{
+		reporter->Error("failed to fstat fd of %s\n", filename);
+		exit(1);
+		}
+
+	return b.st_ino;
+	}
 
 class FileInfo {
 public:
@@ -60,6 +115,8 @@ public:
 	const char* name;
 	int line;
 	int level;
+	BroDoc* doc;
+	string path;
 };
 
 // A stack of input buffers we're scanning.  file_stack[len-1] is the
@@ -74,11 +131,7 @@ static PList(FileInfo) file_stack;
 	}
 
 // Returns true if the file is new, false if it's already been scanned.
-static int load_files_with_prefix(const char* file);
-
-// If print_loaded_files is true, print current filename if we haven't
-// reported it already.
-static void report_file();
+static int load_files(const char* file);
 
 // ### TODO: columns too - use yyless with '.' action?
 %}
@@ -87,6 +140,7 @@ static void report_file();
 
 %x RE
 %x IGNORE
+%s DOC
 
 OWS	[ \t]*
 WS	[ \t]+
@@ -102,12 +156,73 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 
 %%
 
+##!.* {
+	// Add this format of comments to the script documentation's "summary".
+	if ( generate_documentation )
+		current_reST_doc->AddSummary(canon_doc_comment(yytext + 3));
+	}
+
+<DOC>##<.* {
+	yylval.str = copy_string(canon_doc_comment(yytext + 3));
+	return TOK_POST_DOC;
+}
+
+<DOC>##{OWS}{ID}:{WS}.* {
+	const char* id_start = skip_whitespace(yytext + 2);
+	yylval.str = copy_string(canon_doc_func_param(id_start).c_str());
+	return TOK_DOC;
+}
+
+<DOC>##.* {
+	if ( yytext[2] != '#' )
+		{
+		yylval.str = copy_string(canon_doc_comment(yytext + 2));
+		return TOK_DOC;
+		}
+}
+
+##{OWS}{ID}:{WS}.* {
+	if ( generate_documentation )
+		{
+		// Comment is documenting either a function parameter or return type,
+		// so appropriate reST markup substitutions are automatically made
+		// in order to distinguish them from other comments.
+		if ( ! reST_doc_comments )
+			reST_doc_comments = new std::list<std::string>();
+
+		// always insert a blank line so that this param/return markup
+		// 1) doesn't show up in the summary section in the case that it's
+		//    the first comment for the function/event
+		// 2) has a blank line between it and non-field-list reST markup,
+		//    which is required for correct HTML rendering by Sphinx
+		reST_doc_comments->push_back("");
+		const char* id_start = skip_whitespace(yytext + 2);
+		reST_doc_comments->push_back(canon_doc_func_param(id_start));
+		}
+}
+
+##<.* {
+	if ( generate_documentation && BroDocObj::last )
+		BroDocObj::last->AddDocString(canon_doc_comment(yytext + 3));
+}
+
+##.* {
+	if ( generate_documentation && (yytext[2] != '#') )
+		{
+		if ( ! reST_doc_comments )
+			reST_doc_comments = new std::list<std::string>();
+
+		reST_doc_comments->push_back(canon_doc_comment(yytext + 2));
+		}
+}
+
+#{OWS}@no-test.* return TOK_NO_TEST;
+
 #.*	/* eat comments */
 
 {WS}	/* eat whitespace */
 
-<INITIAL,IGNORE>\n	{
-			report_file();
+<INITIAL,IGNORE,DOC>\n	{
 			++line_number;
 			++yylloc.first_line;
 			++yylloc.last_line;
@@ -131,7 +246,6 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 
 add	return TOK_ADD;
 addr	return TOK_ADDR;
-alarm	return TOK_ALARM;
 any	return TOK_ANY;
 bool	return TOK_BOOL;
 break	return TOK_BREAK;
@@ -151,9 +265,7 @@ file	return TOK_FILE;
 for	return TOK_FOR;
 function	return TOK_FUNCTION;
 global	return TOK_GLOBAL;
-global_attr	return TOK_GLOBAL_ATTR;
 "?$"	return TOK_HAS_FIELD;
-"?$$"	return TOK_HAS_ATTR;
 if	return TOK_IF;
 in	return TOK_IN;
 "!"{OWS}in/[^A-Za-z0-9]	return TOK_NOT_IN;	/* don't confuse w "! infoo"! */
@@ -163,7 +275,6 @@ list	return TOK_LIST;
 local	return TOK_LOCAL;
 match	return TOK_MATCH;
 module	return TOK_MODULE;
-net	return TOK_NET;
 next	return TOK_NEXT;
 of	return TOK_OF;
 pattern	return TOK_PATTERN;
@@ -196,8 +307,10 @@ when	return TOK_WHEN;
 &disable_print_hook	return TOK_ATTR_DISABLE_PRINT_HOOK;
 &raw_output return TOK_ATTR_RAW_OUTPUT;
 &encrypt	return TOK_ATTR_ENCRYPT;
+&error_handler	return TOK_ATTR_ERROR_HANDLER;
 &expire_func	return TOK_ATTR_EXPIRE_FUNC;
 &group		return TOK_ATTR_GROUP;
+&log		return TOK_ATTR_LOG;
 &mergeable	return TOK_ATTR_MERGEABLE;
 &optional	return TOK_ATTR_OPTIONAL;
 &persistent	return TOK_ATTR_PERSISTENT;
@@ -213,7 +326,19 @@ when	return TOK_WHEN;
 
 @load{WS}{FILE}	{
 	const char* new_file = skip_whitespace(yytext + 5);	// Skip "@load".
-	(void) load_files_with_prefix(new_file);
+	if ( generate_documentation )
+		{
+		current_reST_doc->AddImport(new_file);
+
+		if ( reST_doc_comments )
+			{
+			fprintf(stderr, "Warning: unconsumed reST documentation is being "
+					"discarded before doing '@load %s' in %s:\n",
+					 new_file, current_reST_doc->GetSourceFileName());
+			clear_reST_doc_comments();
+			}
+		}
+	(void) load_files(new_file);
 	}
 
 @unload{WS}{FILE}	{
@@ -221,7 +346,20 @@ when	return TOK_WHEN;
 	const char* new_file = skip_whitespace(yytext + 7);
 
 	// All we have to do is pretend we've already scanned it.
-	files_scanned.append(copy_string(new_file));
+	const char* full_filename;
+	FILE* f = search_for_file(new_file, "bro", &full_filename, true, 0);
+
+	if ( f )
+		{
+		ScannedFile sf(get_inode_num(f, full_filename), file_stack.length(), full_filename, "", true);
+		files_scanned.push_back(sf);
+
+		fclose(f);
+		delete [] full_filename;
+		}
+
+	else
+		reporter->Error("failed find file associated with @unload %s", new_file);
 	}
 
 @prefixes{WS}("+"?)={WS}{PREFIX}	{
@@ -266,10 +404,10 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 	}
 
 {D}		{
- 		// TODO: check if we can use strtoull instead of atol, 
+ 		// TODO: check if we can use strtoull instead of atol,
 		// and similarly for {HEX}.
-		RET_CONST(new Val(static_cast<unsigned int>(atol(yytext)), 
-			  TYPE_COUNT))		
+		RET_CONST(new Val(static_cast<unsigned int>(atol(yytext)),
+			  TYPE_COUNT))
 		}
 {FLOAT}		RET_CONST(new Val(atof(yytext), TYPE_DOUBLE))
 
@@ -277,7 +415,7 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 		uint32 p = atoi(yytext);
 		if ( p > 65535 )
 			{
-			error("bad port number -", yytext);
+			reporter->Error("bad port number - %s", yytext);
 			p = 0;
 			}
 		RET_CONST(new PortVal(p, TRANSPORT_TCP))
@@ -286,7 +424,7 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 		uint32 p = atoi(yytext);
 		if ( p > 65535 )
 			{
-			error("bad port number -", yytext);
+			reporter->Error("bad port number - %s", yytext);
 			p = 0;
 			}
 		RET_CONST(new PortVal(p, TRANSPORT_UDP))
@@ -295,7 +433,7 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 		uint32 p = atoi(yytext);
 		if ( p > 255 )
 			{
-			error("bad port number -", yytext);
+			reporter->Error("bad port number - %s", yytext);
 			p = 0;
 			}
 		RET_CONST(new PortVal(p, TRANSPORT_ICMP))
@@ -304,14 +442,12 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 		uint32 p = atoi(yytext);
 		if ( p > 255 )
 			{
-			error("bad port number -", yytext);
+			reporter->Error("bad port number - %s", yytext);
 			p = 0;
 			}
 		RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN))
 		}
 
-{D}"."{D}"."		RET_CONST(new NetVal(yytext))
-({D}"."){2}{D}		RET_CONST(new NetVal(yytext))
 ({D}"."){3}{D}		RET_CONST(new AddrVal(yytext))
 
 ({HEX}:){7}{HEX}	RET_CONST(new AddrVal(yytext))
@@ -350,13 +486,13 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 			{
 			s[i++] = *text;
 			if ( i >= len )
-				internal_error("bad string length computation");
+				reporter->InternalError("bad string length computation");
 			}
 		}
 
 	// Get rid of trailing quote.
 	if ( s[i-1] != '"' )
-		internal_error("string scanning confused");
+		reporter->InternalError("string scanning confused");
 
 	s[i-1] = '\0';
 
@@ -370,7 +506,7 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 
 <RE>[/\\\n]	return yytext[0];
 
-<*>.	error("unrecognized character -", yytext);
+<*>.	reporter->Error("unrecognized character - %s", yytext);
 
 <<EOF>>	last_tok[0] = '\0'; return EOF;
 
@@ -386,128 +522,119 @@ YYLTYPE GetCurrentLocation()
 	return currloc;
 	}
 
-static int load_files_with_prefix(const char* orig_file)
+static int load_files(const char* orig_file)
 	{
-	loop_over_list(files_scanned, j)
-		{
-		if ( streq(files_scanned[j], orig_file) )
-			return 0;
-		}
-
-	// Be sure to copy "orig_file", since it could be an alias
-	// for yytext, which is ephemeral and will be zapped
-	// if we do a yy_switch_to_buffer() below.
-	char* file = copy_string(orig_file);
-
 	// Whether we pushed on a FileInfo that will restore the
 	// current module after the final file has been scanned. 
 	bool did_module_restore = false;
 
-	files_scanned.append(file);
+	const char* full_filename = "<internal error>";
+	const char* bropath_subpath = "<internal error>";
+	const char* bropath_subpath_delete = 0;
+	FILE* f;
 
-	// If the file has a .bro extension, add a second version to the list
-	// of known files which has it stripped.
-	char* ext = strrchr(file, '.');
-	if ( ext && streq(ext, ".bro") )
+	if ( streq(orig_file, "-") )
 		{
-		char* s = copy_string(file);
-		s[ext - file] = '\0';
-		files_scanned.append(s);
+		f = stdin;
+		full_filename = "<stdin>";
+		bropath_subpath = "";
+
+		if ( g_policy_debug )
+			{
+			debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n");
+			g_policy_debug = false;
+			}
 		}
 
-	// Note, we need to loop through the prefixes backwards, since
-	// we push them onto a stack, with the last one we push on the
-	// stack being the first one we will scan.
-	for ( int i = prefixes.length() - 1; i >= 0; --i )
+	else
 		{
-		const char* prefix = prefixes[i];
+		f = search_for_file(orig_file, "bro", &full_filename, true, &bropath_subpath);
+		bropath_subpath_delete = bropath_subpath; // This will be deleted.
+		}
 
-		const char* full_filename = "<internal error>";
-		FILE* f;
+	if ( f )
+		{
+		ino_t i = get_inode_num(f, full_filename);
+		std::list<ScannedFile>::const_iterator it;
 
-		if ( streq(file, "-") )
+		for ( it = files_scanned.begin(); it != files_scanned.end(); ++it )
 			{
-			f = stdin;
-			full_filename = "<stdin>";
-
-			if ( g_policy_debug )
+			if ( it->inode == i )
 				{
-				debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n");
-				g_policy_debug = false;
+				fclose(f);
+				delete [] full_filename;
+				delete [] bropath_subpath_delete;
+				return 0;
 				}
 			}
 
-		else
+		ScannedFile sf(i, file_stack.length(), full_filename, bropath_subpath);
+		files_scanned.push_back(sf);
+
+		if ( g_policy_debug )
 			{
-			int n = strlen(prefix) + strlen(file) + 2;
-			char* new_filename = new char[n];
+			// Add the filename to the file mapping
+			// table (Debug.h).
+			Filemap* map = new Filemap;
 
-			if ( prefix[0] )
-				sprintf(new_filename, "%s.%s", prefix, file);
-			else
-				strcpy(new_filename, file);
-
-			f = search_for_file(new_filename, "bro", &full_filename);
-
-			delete [] new_filename;
-			}
-
-		if ( f )
-			{
-			if ( g_policy_debug )
+			// Make sure it wasn't already read in.
+			HashKey* key = new HashKey(full_filename);
+			if ( g_dbgfilemaps.Lookup(key) )
 				{
-				// Add the filename to the file mapping
-				// table (Debug.h).
-				Filemap* map = new Filemap;
-
-				// Make sure it wasn't already read in.
-				HashKey* key = new HashKey(full_filename);
-				if ( g_dbgfilemaps.Lookup(key) )
-					{
-					// warn("Not re-reading policy file; check BRO_PREFIXES:", full_filename);
-					fclose(f);
-					delete key;
-					continue;
-					}
-				else
-					{
-					g_dbgfilemaps.Insert(key, map);
-					}
-
-				if ( full_filename )
-					LoadPolicyFileText(full_filename);
-				}
-
-			// Remember where we were.  If this is the first
-			// file being pushed on the stack, i.e., the *last*
-			// one that will be processed, then we want to
-			// restore the module scope in which this @load
-			// was done when we're finished processing it.
-			if ( ! did_module_restore )
-				{
-				file_stack.append(new FileInfo(current_module));
-				did_module_restore = true;
+				// reporter->Warning("Not re-reading policy file; check BRO_PREFIXES:", full_filename);
+				fclose(f);
+				delete key;
+				return 0;
 				}
 			else
-				file_stack.append(new FileInfo);
-
-			yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
-
-			yylloc.first_line = yylloc.last_line = line_number = 1;
-
-			// Don't delete the old filename - it's pointed to by
-			// every BroObj created when parsing it.
-			yylloc.filename = filename = full_filename;
-			}
-
-		else
-			{
-			if ( streq(prefixes[i], "") )
 				{
-				error("can't open", full_filename);
-				exit(1);
+				g_dbgfilemaps.Insert(key, map);
 				}
+
+			if ( full_filename )
+				LoadPolicyFileText(full_filename);
 			}
+
+		// Remember where we were.  If this is the first
+		// file being pushed on the stack, i.e., the *last*
+		// one that will be processed, then we want to
+		// restore the module scope in which this @load
+		// was done when we're finished processing it.
+		if ( ! did_module_restore )
+			{
+			file_stack.append(new FileInfo(current_module));
+			did_module_restore = true;
+			}
+		else
+			file_stack.append(new FileInfo);
+
+		char* tmp = copy_string(full_filename);
+		current_scanned_file_path = dirname(tmp);
+		delete [] tmp;
+
+		if ( generate_documentation )
+			{
+			current_reST_doc = new BroDoc(bropath_subpath, full_filename);
+			docs_generated.push_back(current_reST_doc);
+			}
+
+		delete [] bropath_subpath_delete;
+
+		// "orig_file", could be an alias for yytext, which is ephemeral
+		//  and will be zapped after the yy_switch_to_buffer() below.
+		yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
+
+		yylloc.first_line = yylloc.last_line = line_number = 1;
+
+		// Don't delete the old filename - it's pointed to by
+		// every BroObj created when parsing it.
+		yylloc.filename = filename = full_filename;
+		}
+
+	else
+		{
+		reporter->Error("can't open %s", full_filename);
+		exit(1);
 		}
 
 	return 1;
@@ -560,7 +687,7 @@ void do_atifndef(const char *id)
 void do_atelse()
 	{
 	if ( current_depth == 0 )
-		error("@else without @if...");
+		reporter->Error("@else without @if...");
 
 	if ( if_stack.length() && current_depth > if_stack.last() )
 		return;
@@ -580,7 +707,7 @@ void do_atelse()
 void do_atendif()
 	{
 	if ( current_depth == 0 )
-		error("unbalanced @if... @endif");
+		reporter->Error("unbalanced @if... @endif");
 
 	if ( current_depth == if_stack.last() )
 		{
@@ -591,6 +718,18 @@ void do_atendif()
 	--current_depth;
 	}
 
+void do_doc_token_start()
+	{
+	if ( generate_documentation )
+	    BEGIN(DOC);
+	}
+
+void do_doc_token_stop()
+	{
+	if ( generate_documentation )
+	    BEGIN(INITIAL);
+	}
+
 // Be careful to never delete things from this list, as the strings
 // are referred to (in order to save the locations of tokens and statements,
 // for error reporting and debugging).
@@ -604,10 +743,10 @@ const char* get_current_input_filename()
 void add_input_file(const char* file)
 	{
 	if ( ! file )
-		internal_error("empty filename");
+		reporter->InternalError("empty filename");
 
 	if ( ! filename )
-		(void) load_files_with_prefix(file);
+		(void) load_files(file);
 	else
 		input_files.append(copy_string(file));
 	}
@@ -631,11 +770,9 @@ void add_to_name_list(char* s, char delim, name_list& nl)
 
 int yywrap()
 	{
-	if ( nerr > 0 )
+	if ( reporter->Errors() > 0 )
 		return 1;
 
-	--include_level;
-
 	if ( ! did_builtin_init && file_stack.length() == 1 )
 		{
 		// ### This is a gross hack - we know that the first file
@@ -657,7 +794,10 @@ int yywrap()
 	// Stack is now empty.
 	while ( input_files.length() > 0 )
 		{
-		if ( load_files_with_prefix(input_files[0]) )
+		check_capture_filter_changes();
+		check_dpd_config_changes();
+
+		if ( load_files(input_files[0]) )
 			{
 			// Don't delete the filename - it's pointed to by
 			// every BroObj created when parsing it.
@@ -670,6 +810,54 @@ int yywrap()
 		(void) input_files.remove_nth(0);
 		}
 
+	check_capture_filter_changes();
+	check_dpd_config_changes();
+
+	// For each file scanned so far, and for each @prefix, look for a
+	// prefixed and flattened version of the loaded file in BROPATH. The
+	// flattening involves taking the path in BROPATH in which the
+	// scanned file lives and replacing '/' path separators with a '.' If
+	// the scanned file is "__load__.bro", that part of the flattened
+	// file name is discarded. If the prefix is non-empty, it gets placed
+	// in front of the flattened path, separated with another '.'
+	std::list<ScannedFile>::iterator it;
+	bool found_prefixed_files = false;
+	for ( it = files_scanned.begin(); it != files_scanned.end(); ++it )
+		{
+		if ( it->skipped || it->prefixes_checked )
+			continue;
+
+		it->prefixes_checked = true;
+		// Prefixes are pushed onto a stack, so iterate backwards.
+		for ( int i = prefixes.length() - 1; i >= 0; --i )
+			{
+			// Don't look at empty prefixes.
+			if ( ! prefixes[i][0] )
+				continue;
+
+			string s;
+			s = dot_canon(it->subpath.c_str(), it->name.c_str(), prefixes[i]);
+			FILE* f = search_for_file(s.c_str(), "bro", 0, false, 0);
+
+			//printf("====== prefix search ======\n");
+			//printf("File  : %s\n", it->name.c_str());
+			//printf("Path  : %s\n", it->subpath.c_str());
+			//printf("Dotted: %s\n", s.c_str());
+			//printf("Found : %s\n", f ? "T" : "F");
+			//printf("===========================\n");
+
+			if ( f )
+				{
+				add_input_file(s.c_str());
+				found_prefixed_files = true;
+				fclose(f);
+				}
+			}
+		}
+
+	if ( found_prefixed_files )
+		return 0;
+
 	// Add redef statements for any X=Y command line parameters.
 	if ( params.size() > 0 )
 		{
@@ -733,6 +921,9 @@ int yywrap()
 		return 0;
 		}
 
+	if ( generate_documentation )
+		clear_reST_doc_comments();
+
 	// Otherwise, we are done.
 	return 1;
 	}
@@ -743,7 +934,8 @@ FileInfo::FileInfo(string arg_restore_module)
 	restore_module = arg_restore_module;
 	name = ::filename;
 	line = ::line_number;
-	level = ::include_level;
+	doc = ::current_reST_doc;
+	path = current_scanned_file_path;
 	}
 
 FileInfo::~FileInfo()
@@ -754,30 +946,101 @@ FileInfo::~FileInfo()
 	yy_switch_to_buffer(buffer_state);
 	yylloc.filename = filename = name;
 	yylloc.first_line = yylloc.last_line = line_number = line;
-	include_level = level;
+	last_reST_doc = current_reST_doc;
+	current_reST_doc = doc;
+	current_scanned_file_path = path;
 
 	if ( restore_module != "" )
 		current_module = restore_module;
 	}
 
-static void report_file()
+static void check_capture_filter_changes()
 	{
-	if ( ! print_loaded_scripts || ! filename )
-		return;
+	if ( ! generate_documentation )
+	    return;
 
-	static PList(char) files_reported;
+	// Lookup the "capture_filters" identifier, if it has any defined
+	// value, add it to the script's reST documentation, and finally
+	// clear the table so it doesn't taint the documentation for
+	// subsequent scripts.
 
-	loop_over_list(files_reported, i)
+	ID* capture_filters = global_scope()->Lookup("capture_filters");
+
+	if ( capture_filters )
 		{
-		if ( streq(files_reported[i], filename) )
-			return;
+		ODesc desc;
+		desc.SetIndentSpaces(4);
+		capture_filters->ID_Val()->Describe(&desc);
+		last_reST_doc->SetPacketFilter(desc.Description());
+		capture_filters->ID_Val()->AsTableVal()->RemoveAll();
 		}
-
-	for ( int i = include_level - 1; i >= 0; --i )
-		fprintf(stderr, "   ");
-	fprintf(stderr, "loading %s\n", filename);
-
-	++include_level;
-	files_reported.append(copy_string(filename));
 	}
 
+static void check_dpd_config_changes()
+	{
+	if ( ! generate_documentation )
+		return;
+
+	// Lookup the "dpd_config" identifier, if it has any defined value,
+	// add it to the script's documentation, and clear the table so that
+	// it doesn't taint the documentation for subsequent scripts.
+	ID* dpd_config = global_scope()->Lookup("dpd_config");
+	if ( ! dpd_config )
+		return;
+
+	TableVal* dpd_table = dpd_config->ID_Val()->AsTableVal();
+	ListVal* dpd_list = dpd_table->ConvertToList();
+
+	for ( int i = 0; i < dpd_list->Length(); ++i )
+		{
+		Val* key = dpd_list->Index(i);
+		if ( ! key )
+			continue;
+
+		Val* v = dpd_table->Lookup(key);
+		if ( ! v )
+			continue;
+
+		int tag = key->AsListVal()->Index(0)->AsCount();
+		ODesc valdesc;
+		valdesc.SetIndentSpaces(4);
+		valdesc.PushIndent();
+		v->Describe(&valdesc);
+
+		if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer )
+			{
+			fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag);
+			continue;
+			}
+
+		last_reST_doc->AddPortAnalysis(
+			Analyzer::GetTagName((AnalyzerTag::Tag)tag),
+			valdesc.Description());
+		}
+
+	dpd_table->RemoveAll();
+	}
+
+void print_current_reST_doc_comments()
+	{
+	if ( ! reST_doc_comments )
+		return;
+
+	std::list<std::string>::iterator it;
+
+	for ( it = reST_doc_comments->begin(); it != reST_doc_comments->end(); ++it )
+		fprintf(stderr, "##%s\n", it->c_str());
+	}
+
+void clear_reST_doc_comments()
+	{
+	if ( ! reST_doc_comments )
+		return;
+
+	fprintf(stderr, "Warning: %zu unconsumed reST comments:\n",
+			reST_doc_comments->size());
+
+	print_current_reST_doc_comments();
+	delete reST_doc_comments;
+	reST_doc_comments = 0;
+	}
diff --git a/src/setsignal.c b/src/setsignal.c
index f5263bb06d..b49f0784e9 100644
--- a/src/setsignal.c
+++ b/src/setsignal.c
@@ -2,11 +2,6 @@
  * See the file "COPYING" in the main distribution directory for copyright.
  */
 
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Id: setsignal.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
-#endif
-
 #include "config.h"			/* must appear before first ifdef */
 
 #include <sys/types.h>
diff --git a/src/setsignal.h b/src/setsignal.h
index 8bacdca8db..b768ed031f 100644
--- a/src/setsignal.h
+++ b/src/setsignal.h
@@ -1,7 +1,6 @@
 /*
  * See the file "COPYING" in the main distribution directory for copyright.
  *
- * @(#) $Id: setsignal.h 6219 2008-10-01 05:39:07Z vern $ (LBL)
  */
 #ifndef setsignal_h
 #define setsignal_h
diff --git a/src/smb-protocol.pac b/src/smb-protocol.pac
index b00613f16c..585edfacd6 100644
--- a/src/smb-protocol.pac
+++ b/src/smb-protocol.pac
@@ -1,5 +1,3 @@
-# $Id$
-#
 # CIFS/SMB
 
 # TODO:
diff --git a/src/smb-rw.bif b/src/smb-rw.bif
deleted file mode 100644
index 49cfeeaa24..0000000000
--- a/src/smb-rw.bif
+++ /dev/null
@@ -1,16 +0,0 @@
-rewriter smb_header%(is_orig: bool, hdr: smb_hdr%)
-	%{
-	const int is_orig = 0;
-
-	@WRITE@(is_orig, 1, "\xff");
-	@WRITE@(is_orig, 3, "SMB");
-	@WRITE@(is_orig, 1, hdr->command);
-	@WRITE@(is_orig, 4, hdr->error);
-	@WRITE@(is_orig, 1, hdr->flags);
-	@WRITE@(is_orig, 2, hdr->flags2);
-	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
-	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
-	@WRITE@(is_orig, 2, hdr->tid);
-	@WRITE@(is_orig, 2, hdr->pid);
-	@WRITE@(is_orig, 2, hdr->mid);
-	%}
diff --git a/src/smb.pac b/src/smb.pac
index 4bd2c34bc5..740ad47991 100644
--- a/src/smb.pac
+++ b/src/smb.pac
@@ -1,5 +1,3 @@
-# $Id: smb.pac 3929 2007-01-14 00:37:59Z vern $
-
 %include binpac.pac
 %include bro.pac
 
diff --git a/src/smtp-rw.bif b/src/smtp-rw.bif
deleted file mode 100644
index a74ce776c2..0000000000
--- a/src/smtp-rw.bif
+++ /dev/null
@@ -1,45 +0,0 @@
-rewriter smtp_request%(is_orig: bool, command: string, arg: string%)
-	%{
-	if ( command->Len() > 0 )
-		{
-		u_char ch = command->Bytes()[0];
-
-		if ( isalpha(ch) )
-			{ // Do not dump artificial commands: ">", ".", "***"
-			@WRITE@(is_orig, command->AsString());
-			@WRITE@(is_orig, 1, " ");
-			}
-		}
-
-	@WRITE@(is_orig, arg->AsString());
-	@WRITE@(is_orig, 2, "\r\n");
-	%}
-
-rewriter smtp_reply%(is_orig: bool, code: count, msg: string, cont_resp: bool%)
-	%{
-	const char* str = fmt("%lu", (unsigned long) code);
-	int len = strlen(str);
-
-	@WRITE@(is_orig, len, str);
-
-	if ( cont_resp )
-		@WRITE@(is_orig, "-");
-	else
-		@WRITE@(is_orig, " ");
-
-	@WRITE@(is_orig, msg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Since SMTP data is delivered by lines ending with CRLF, this
-# function takes a line without the trailing CRLF and dumps the string
-# followed by CRLF. If you want to dump multiple lines, please dump
-# them one at a time (without trailing CRLF's).
-rewriter smtp_data%(is_orig: bool, data: string%)
-	%{
-	if ( data->Len() > 0 && data->Bytes()[0] == '.')
-		@WRITE@(is_orig, ".");
-
-	@WRITE@(is_orig, data->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/ssl-analyzer.pac b/src/ssl-analyzer.pac
index 78baecc5cc..f41fb8639b 100644
--- a/src/ssl-analyzer.pac
+++ b/src/ssl-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # Analyzer for SSL (Bro-specific part).
 
 %extern{
@@ -11,8 +9,7 @@
 #include "util.h"
 
 #include <openssl/x509.h>
-#include <openssl/x509_vfy.h>
-#include "X509.h"
+#include <openssl/asn1.h>
 %}
 
 
@@ -25,11 +22,17 @@
 			}
 	};
 
+	string orig_label(bool is_orig);
 	void free_X509(void *);
 	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
 	%}
 
 %code{
+string orig_label(bool is_orig)
+		{
+		return string(is_orig ? "originator" :"responder");
+		}
+
 	void free_X509(void* cert)
 		{
 		X509_free((X509*) cert);
@@ -46,22 +49,19 @@
 %}
 
 
-function to_table_val(data : uint8[]) : TableVal
+function to_string_val(data : uint8[]) : StringVal
 	%{
-	TableVal* tv = new TableVal(SSL_sessionID);
-	for ( unsigned int i = 0; i < data->size(); i += 4 )
-		{
-		uint32 temp = 0;
-		for ( unsigned int j = 0; j < 4; ++j )
-		if ( i + j < data->size() )
-			temp |= (*data)[i + j] << (24 - 8 * j);
+	char tmp[32];
+	memset(tmp, 0, sizeof(tmp));
 
-		Val* idx = new Val(i / 4, TYPE_COUNT);
-		tv->Assign(idx, new Val((*data)[i], TYPE_COUNT));
-		Unref(idx);
+	// Just return an empty string if the string is longer than 32 bytes
+	if ( data && data->size() <= 32 )
+		{
+		for ( unsigned int i = data->size(); i > 0; --i )
+			tmp[i-1] = (*data)[i-1];
 		}
 
-	return tv;
+	return new StringVal(32, tmp);
 	%}
 
 function version_ok(vers : uint16) : bool
@@ -78,349 +78,251 @@ function version_ok(vers : uint16) : bool
 	}
 	%}
 
-function convert_ciphers_uint24(ciph : uint24[]) : int[]
-	%{
-	vector<int>* newciph = new vector<int>();
+refine connection SSL_Conn += {
 
-	std::transform(ciph->begin(), ciph->end(),
-	std::back_inserter(*newciph), to_int());
-
-	return newciph;
-	%}
-
-function convert_ciphers_uint16(ciph : uint16[]) : int[]
-	%{
-	vector<int>* newciph = new vector<int>();
-
-	std::copy(ciph->begin(), ciph->end(),
-	std::back_inserter(*newciph));
-
-	return newciph;
-	%}
-
-refine analyzer SSLAnalyzer += {
 	%member{
-		Analyzer* bro_analyzer_;
-
-		vector<uint8>* client_session_id_;
-		vector<int>* advertised_ciphers_;
-		int version_;
-		int cipher_;
+		int eof;
 	%}
 
 	%init{
-		bro_analyzer_ = 0;
-
-		client_session_id_ = 0;
-		advertised_ciphers_ = new vector<int>;
-		version_ = -1;
-		cipher_ = -1;
-
-		if ( ! X509_Cert::bInited )
-			X509_Cert::init();
+		eof=0;
 	%}
 
 	%eof{
-		if ( state_ != STATE_CONN_ESTABLISHED &&
-		     state_ != STATE_TRACK_LOST && state_ != STATE_INITIAL )
+		if ( ! eof &&
+		     state_ != STATE_CONN_ESTABLISHED &&
+		     state_ != STATE_TRACK_LOST &&
+		     state_ != STATE_INITIAL )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection in state %s",
 				state_label(state_).c_str()));
+		++eof;
 	%}
 
 	%cleanup{
-		delete client_session_id_;
-		client_session_id_ = 0;
-
-		delete advertised_ciphers_;
-		advertised_ciphers_ = 0;
 	%}
 
-	function bro_analyzer() : Analyzer
-		%{
-		return bro_analyzer_;
-		%}
-
-	function set_bro_analyzer(a : Analyzer) : void
-		%{
-		bro_analyzer_ = a;
-		%}
-
-	function check_cipher(cipher : int) : bool
-		%{
-		if ( ! ssl_compare_cipherspecs )
-			return true;
-
-		if ( std::find(advertised_ciphers_->begin(),
-				advertised_ciphers_->end(), cipher) ==
-		     advertised_ciphers_->end() )
-			{
-			bro_analyzer()->ProtocolViolation("chosen cipher not advertised before");
-			return false;
-			}
-
-		return true;
-		%}
-
-	function certificate_error(err_num : int) : void
-		%{
-		StringVal* err_str =
-			new StringVal(X509_verify_cert_error_string(err_num));
-		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
-						err_num, err_str);
-		%}
-
-	function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool
+	function proc_change_cipher_spec(rec: SSLRecord) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ChangeCipherSpec from %s at state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 		return true;
 		%}
 
-	function proc_application_data(msg : ApplicationData) : bool
+	function proc_application_data(rec: SSLRecord) : bool
 		%{
-		if ( state_ != STATE_CONN_ESTABLISHED )
+		if ( state_ != STATE_CONN_ESTABLISHED &&
+		     (state_ != STATE_CLIENT_FINISHED && ! ${rec.is_orig}) )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ApplicationData from %s at state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 		return true;
 		%}
 
-	function proc_alert(level : int, description : int) : bool
+	function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
 		%{
-		bro_event_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
-						current_record_version_, level,
-						description);
+		BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
+						${rec.is_orig}, level, desc);
 		return true;
 		%}
 
-	function proc_client_hello(version : uint16, session_id : uint8[],
-					csuits : int[]) : bool
+	function proc_client_hello(rec: SSLRecord,
+					version : uint16, ts : double,
+					session_id : uint8[],
+					cipher_suites16 : uint16[],
+					cipher_suites24 : uint24[]) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected client hello message from %s in state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
 
-		delete client_session_id_;
-		client_session_id_ = new vector<uint8>(*session_id);
-
-		TableVal* cipher_table = new TableVal(cipher_suites_list);
-		for ( unsigned int i = 0; i < csuits->size(); ++i )
+		if ( ssl_client_hello )
 			{
-			Val* ciph = new Val((*csuits)[i], TYPE_COUNT);
-			cipher_table->Assign(ciph, 0);
-			Unref(ciph);
-			}
+			vector<int>* cipher_suites = new vector<int>();
+			if ( cipher_suites16 )
+				std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*cipher_suites));
+			else
+				std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*cipher_suites), to_int());
 
-		bro_event_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
-						version, cipher_table);
+			TableVal* cipher_set = new TableVal(internal_type("count_set")->AsTableType());
+			for ( unsigned int i = 0; i < cipher_suites->size(); ++i )
+				{
+				Val* ciph = new Val((*cipher_suites)[i], TYPE_COUNT);
+				cipher_set->Assign(ciph, 0);
+				Unref(ciph);
+				}
 
-		if ( ssl_compare_cipherspecs )
-			{
-			delete advertised_ciphers_;
-			advertised_ciphers_ = csuits;
+			BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
+							version, ts,
+							to_string_val(session_id),
+							cipher_set);
+
+			delete cipher_suites;
 			}
-		else
-			delete csuits;
 
 		return true;
 		%}
 
-	function proc_server_hello(version : uint16, session_id : uint8[],
-				ciphers : int[], v2_sess_hit : int) : bool
+	function proc_server_hello(rec: SSLRecord,
+					version : uint16, ts : double,
+					session_id : uint8[],
+					cipher_suites16 : uint16[],
+					cipher_suites24 : uint24[],
+					comp_method : uint8) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected server hello message from %s in state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
-
-		version_ = version;
-
-		TableVal* chosen_ciphers = new TableVal(cipher_suites_list);
-		for ( unsigned int i = 0; i < ciphers->size(); ++i )
-			{
-			Val* ciph = new Val((*ciphers)[i], TYPE_COUNT);
-			chosen_ciphers->Assign(ciph, 0);
-			Unref(ciph);
-			}
-
-		bro_event_ssl_conn_server_reply(bro_analyzer_,
-						bro_analyzer_->Conn(),
-						version_, chosen_ciphers);
-
-		if ( v2_sess_hit < 0 )
-			{ // this is SSLv3
-			cipher_ = (*ciphers)[0];
-			check_cipher(cipher_);
-			TableVal* tv = to_table_val(session_id);
-			if ( client_session_id_ &&
-			     *client_session_id_ == *session_id )
-				bro_event_ssl_conn_reused(bro_analyzer_,
-						bro_analyzer_->Conn(), tv);
-			else
-				bro_event_ssl_session_insertion(bro_analyzer_,
-						bro_analyzer_->Conn(), tv);
-
-			delete ciphers;
-			}
-
-		else if ( v2_sess_hit > 0 )
-			{ // this is SSLv2 and a session hit
-			if ( client_session_id_ )
-				{
-				TableVal* tv = to_table_val(client_session_id_);
-				bro_event_ssl_conn_reused(bro_analyzer_,
-						bro_analyzer_->Conn(), tv);
-				}
-
-			// We don't know the chosen cipher, as there is
-			// no session storage.
-			bro_event_ssl_conn_established(bro_analyzer_,
-							bro_analyzer_->Conn(),
-							version_, 0xffffffff);
-			delete ciphers;
-			}
-
 		else
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( ssl_server_hello )
 			{
-			// This is SSLv2; we have to set advertised
-			// ciphers to server ciphers.
-			if ( ssl_compare_cipherspecs )
-				{
-				delete advertised_ciphers_;
-				advertised_ciphers_ = ciphers;
-				}
+			vector<int>* ciphers = new vector<int>();
+
+			if ( cipher_suites16 )
+				std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*ciphers));
+			else
+				std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
+
+			BifEvent::generate_ssl_server_hello(bro_analyzer(),
+							bro_analyzer()->Conn(),
+							version, ts,
+							to_string_val(session_id),
+							ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
+
+			delete ciphers;
 			}
 
-		bro_analyzer()->ProtocolConfirmation();
+		return true;
+		%}
+		
+	function proc_session_ticket_handshake(rec: SessionTicketHandshake, is_orig: bool): bool
+		%{
+		if ( ssl_session_ticket_handshake )
+			{
+			BifEvent::generate_ssl_session_ticket_handshake(bro_analyzer(),
+							bro_analyzer()->Conn(),
+							${rec.ticket_lifetime_hint},
+							new StringVal(${rec.data}.length(), (const char*) ${rec.data}.data()));
+			}
 		return true;
 		%}
 
-	function proc_certificate(certificates : bytestring[]) : bool
+	function proc_ssl_extension(rec: SSLRecord, type: int, data: bytestring) : bool
+		%{
+		if ( ssl_extension )
+			BifEvent::generate_ssl_extension(bro_analyzer(),
+						bro_analyzer()->Conn(), ${rec.is_orig}, type,
+						new StringVal(data.length(), (const char*) data.data()));
+		return true;
+		%}
+
+	function proc_certificate(rec: SSLRecord, certificates : bytestring[]) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected certificate message from %s in state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 
-		if ( ! ssl_analyze_certificates )
-			return true;
 		if ( certificates->size() == 0 )
 			return true;
 
-		bro_event_ssl_certificate_seen(bro_analyzer_,
-						bro_analyzer_->Conn(),
-						! current_record_is_orig_);
-
-		const bytestring& cert = (*certificates)[0];
-		const uint8* data = cert.data();
-
-		X509* pCert = d2i_X509_binpac(NULL, &data, cert.length());
-		if ( ! pCert )
-			{
-			// X509_V_UNABLE_TO_DECRYPT_CERT_SIGNATURE
-			certificate_error(4);
-			return false;
-			}
-
-		RecordVal* pX509Cert = new RecordVal(x509_type);
-
-		char tmp[256];
-		X509_NAME_oneline(X509_get_issuer_name(pCert), tmp, sizeof tmp);
-		pX509Cert->Assign(0, new StringVal(tmp));
-		X509_NAME_oneline(X509_get_subject_name(pCert), tmp, sizeof tmp);
-
-		pX509Cert->Assign(1, new StringVal(tmp));
-		pX509Cert->Assign(2, new AddrVal(bro_analyzer_->Conn()->OrigAddr()));
-
-		bro_event_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
-					pX509Cert, current_record_is_orig_);
-
-		if ( X509_get_ext_count(pCert) > 0 )
-			{
-			TableVal* x509ex = new TableVal(x509_extension);
-
-			for ( int k = 0; k < X509_get_ext_count(pCert); ++k )
-				{
-				X509_EXTENSION* ex = X509_get_ext(pCert, k);
-				ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex);
-
-				char buf[256];
-				i2t_ASN1_OBJECT(buf, sizeof(buf), obj);
-				Val* index = new Val(k+1, TYPE_COUNT);
-				Val* value = new StringVal(strlen(buf), buf);
-				x509ex->Assign(index, value);
-				Unref(index);
-				}
-
-			bro_event_process_X509_extensions(bro_analyzer_,
-						bro_analyzer_->Conn(), x509ex);
-			}
-
-		if ( ssl_verify_certificates )
+		if ( x509_certificate )
 			{
 			STACK_OF(X509)* untrusted_certs = 0;
-			if ( certificates->size() > 1 )
+
+			for ( unsigned int i = 0; i < certificates->size(); ++i )
 				{
-				untrusted_certs = sk_X509_new_null();
-				if ( ! untrusted_certs )
+				const bytestring& cert = (*certificates)[i];
+				const uint8* data = cert.data();
+				X509* pTemp = d2i_X509_binpac(NULL, &data, cert.length());
+				if ( ! pTemp )
 					{
-					// X509_V_ERR_OUT_OF_MEM;
-					certificate_error(17);
+					BifEvent::generate_x509_error(bro_analyzer(), bro_analyzer()->Conn(),
+					                              ${rec.is_orig}, ERR_get_error());
 					return false;
 					}
 
-				for ( unsigned int i = 1;
-				      i < certificates->size(); ++i )
+				RecordVal* pX509Cert = new RecordVal(x509_type);
+				char tmp[256];
+				BIO *bio = BIO_new(BIO_s_mem());
+
+				pX509Cert->Assign(0, new Val((uint64) X509_get_version(pTemp), TYPE_COUNT));
+				i2a_ASN1_INTEGER(bio, X509_get_serialNumber(pTemp));
+				int len = BIO_read(bio, &(*tmp), sizeof tmp);
+				pX509Cert->Assign(1, new StringVal(len, tmp));
+
+				X509_NAME_print_ex(bio, X509_get_subject_name(pTemp), 0, XN_FLAG_RFC2253);
+				len = BIO_gets(bio, &(*tmp), sizeof tmp);
+				pX509Cert->Assign(2, new StringVal(len, tmp));
+				X509_NAME_print_ex(bio, X509_get_issuer_name(pTemp), 0, XN_FLAG_RFC2253);
+				len = BIO_gets(bio, &(*tmp), sizeof tmp);
+				pX509Cert->Assign(3, new StringVal(len, tmp));
+				BIO_free(bio);
+
+				pX509Cert->Assign(4, new Val(get_time_from_asn1(X509_get_notBefore(pTemp)), TYPE_TIME));
+				pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notAfter(pTemp)), TYPE_TIME));
+				StringVal* der_cert = new StringVal(cert.length(), (const char*) cert.data());
+
+				BifEvent::generate_x509_certificate(bro_analyzer(), bro_analyzer()->Conn(),
+							${rec.is_orig},
+							pX509Cert,
+							i, certificates->size(),
+							der_cert);
+
+				// Are there any X509 extensions?
+				//printf("Number of x509 extensions: %d\n", X509_get_ext_count(pTemp));
+				if ( x509_extension && X509_get_ext_count(pTemp) > 0 )
 					{
-					const bytestring& temp =
-						(*certificates)[i];
-					const uint8* tdata = temp.data();
-					X509* pTemp = d2i_X509_binpac(NULL,
-							&tdata, temp.length());
-					if ( ! pTemp )
+					int num_ext = X509_get_ext_count(pTemp);
+					for ( int k = 0; k < num_ext; ++k )
 						{
-						// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
-						certificate_error(2);
-						return false;
+						unsigned char *pBuffer = 0;
+						uint length = 0;
+
+						X509_EXTENSION* ex = X509_get_ext(pTemp, k);
+						if (ex)
+							{
+							ASN1_STRING *pString = X509_EXTENSION_get_data(ex);
+							length = ASN1_STRING_to_UTF8(&pBuffer, pString);
+							//i2t_ASN1_OBJECT(&pBuffer, length, obj)
+							// printf("extension length: %u\n", length);
+							// -1 indicates an error.
+							if ( length < 0 )
+								continue;
+
+							StringVal* value = new StringVal(length, (char*)pBuffer);
+							BifEvent::generate_x509_extension(bro_analyzer(),
+										bro_analyzer()->Conn(), ${rec.is_orig}, value);
+							OPENSSL_free(pBuffer);
+							}
 						}
-
-					sk_X509_push(untrusted_certs, pTemp);
 					}
+				X509_free(pTemp);
 				}
-
-			X509_STORE_CTX csc;
-			X509_STORE_CTX_init(&csc, X509_Cert::ctx,
-						pCert, untrusted_certs);
-			X509_STORE_CTX_set_time(&csc, 0, time_t(network_time()));
-			if (! X509_verify_cert(&csc))
-				certificate_error(csc.error);
-			X509_STORE_CTX_cleanup(&csc);
-
-			sk_X509_pop_free(untrusted_certs, X509_free);
 			}
-
-		X509_free(pCert);
-	return true;
+		return true;
 		%}
 
-	function proc_v2_certificate(cert : bytestring) : bool
+	function proc_v2_certificate(rec: SSLRecord, cert : bytestring) : bool
 		%{
 		vector<bytestring>* cert_list = new vector<bytestring>(1,cert);
-		bool ret = proc_certificate(cert_list);
+		bool ret = proc_certificate(rec, cert_list);
 		delete cert_list;
 		return ret;
 		%}
 
-	function proc_v3_certificate(cl : CertificateList) : bool
+	function proc_v3_certificate(rec: SSLRecord, cl : CertificateList) : bool
 		%{
 		vector<X509Certificate*>* certs = cl->val();
 		vector<bytestring>* cert_list = new vector<bytestring>();
@@ -428,138 +330,143 @@ refine analyzer SSLAnalyzer += {
 		std::transform(certs->begin(), certs->end(),
 		std::back_inserter(*cert_list), extract_certs());
 
-		bool ret = proc_certificate(cert_list);
+		bool ret = proc_certificate(rec, cert_list);
 		delete cert_list;
-
 		return ret;
 		%}
 
-	function proc_v2_client_master_key(cipher : int) : bool
+	function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected v2 client master key message from %s in state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 
-		check_cipher(cipher);
-		bro_event_ssl_conn_established(bro_analyzer_,
-				bro_analyzer_->Conn(), version_, cipher);
+		BifEvent::generate_ssl_established(bro_analyzer(),
+				bro_analyzer()->Conn());
 
 		return true;
 		%}
 
-	function proc_unknown_handshake(msg_type : int) : bool
+	function proc_unknown_handshake(hs: Handshake, is_orig: bool) : bool
 		%{
 		bro_analyzer()->ProtocolViolation(fmt("unknown handshake message (%d) from %s",
-			msg_type, orig_label(current_record_is_orig_).c_str()));
+			${hs.msg_type}, orig_label(is_orig).c_str()));
 		return true;
 		%}
 
-	function proc_handshake(msg : Handshake) : bool
+	function proc_handshake(hs: Handshake, is_orig: bool) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected Handshake message %s from %s in state %s",
-				handshake_type_label(msg->msg_type()).c_str(),
-				orig_label(current_record_is_orig_).c_str(),
+				handshake_type_label(${hs.msg_type}).c_str(),
+				orig_label(is_orig).c_str(),
 				state_label(old_state_).c_str()));
 		return true;
 		%}
 
-	function proc_unknown_record(msg : UnknownRecord) : bool
+	function proc_unknown_record(rec: SSLRecord) : bool
 		%{
 		bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s",
-				current_record_type_,
-				orig_label(current_record_is_orig_).c_str()));
+				${rec.content_type},
+				orig_label(${rec.is_orig}).c_str()));
 		return true;
 		%}
 
-	function proc_ciphertext_record(msg : CiphertextRecord) : bool
+	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
-				orig_label(current_record_is_orig_).c_str(),
+				orig_label(${rec.is_orig}).c_str(),
 				state_label(old_state_).c_str()));
 
-		if ( state_ == STATE_CONN_ESTABLISHED &&
-		     old_state_ == STATE_COMM_ENCRYPTED )
+		else if ( state_ == STATE_CONN_ESTABLISHED &&
+		          old_state_ == STATE_COMM_ENCRYPTED )
 			{
-			bro_event_ssl_conn_established(bro_analyzer_,
-							bro_analyzer_->Conn(),
-							version_, cipher_);
+			BifEvent::generate_ssl_established(bro_analyzer(),
+							bro_analyzer()->Conn());
 			}
 
 		return true;
 		%}
-
 };
 
 refine typeattr ChangeCipherSpec += &let {
-	proc : bool = $context.analyzer.proc_change_cipher_spec(this)
+	proc : bool = $context.connection.proc_change_cipher_spec(rec)
 		&requires(state_changed);
 };
 
 refine typeattr Alert += &let {
-	proc : bool = $context.analyzer.proc_alert(level, description);
+	proc : bool = $context.connection.proc_alert(rec, level, description);
 };
 
 refine typeattr V2Error += &let {
-	proc : bool = $context.analyzer.proc_alert(-1, error_code);
+	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
 };
 
 refine typeattr ApplicationData += &let {
-	proc : bool = $context.analyzer.proc_application_data(this);
+	proc : bool = $context.connection.proc_application_data(rec);
 };
 
 refine typeattr ClientHello += &let {
-	proc : bool = $context.analyzer.proc_client_hello(client_version,
-				session_id, convert_ciphers_uint16(csuits))
+	proc : bool = $context.connection.proc_client_hello(rec, client_version,
+				gmt_unix_time,
+				session_id, csuits, 0)
 		&requires(state_changed);
 };
 
 refine typeattr V2ClientHello += &let {
-	proc : bool = $context.analyzer.proc_client_hello(client_version,
-				session_id, convert_ciphers_uint24(ciphers))
+	proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
+				session_id, 0, ciphers)
 		&requires(state_changed);
 };
 
 refine typeattr ServerHello += &let {
-	proc : bool = $context.analyzer.proc_server_hello(server_version,
-			session_id, convert_ciphers_uint16(cipher_suite), -1)
+	proc : bool = $context.connection.proc_server_hello(rec, server_version,
+			gmt_unix_time, session_id, cipher_suite, 0,
+			compression_method)
 		&requires(state_changed);
 };
 
 refine typeattr V2ServerHello += &let {
-	proc : bool = $context.analyzer.proc_server_hello(server_version, 0,
-				convert_ciphers_uint24(ciphers), session_id_hit)
+	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0,
+				0, ciphers, 0)
 		&requires(state_changed);
 
-	cert : bool = $context.analyzer.proc_v2_certificate(cert_data)
+	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
 		&requires(proc);
 };
 
 refine typeattr Certificate += &let {
-	proc : bool = $context.analyzer.proc_v3_certificate(certificates)
+	proc : bool = $context.connection.proc_v3_certificate(rec, certificates)
 		&requires(state_changed);
 };
 
 refine typeattr V2ClientMasterKey += &let {
-	proc : bool = $context.analyzer.proc_v2_client_master_key(to_int()(cipher_kind))
+	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind)
 		&requires(state_changed);
 };
 
 refine typeattr UnknownHandshake += &let {
-	proc : bool = $context.analyzer.proc_unknown_handshake(msg_type);
+	proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig);
 };
 
 refine typeattr Handshake += &let {
-	proc : bool = $context.analyzer.proc_handshake(this);
+	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
 };
 
+refine typeattr SessionTicketHandshake += &let {
+	proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig);
+}
+
 refine typeattr UnknownRecord += &let {
-	proc : bool = $context.analyzer.proc_unknown_record(this);
+	proc : bool = $context.connection.proc_unknown_record(rec);
 };
 
 refine typeattr CiphertextRecord += &let {
-	proc : bool = $context.analyzer.proc_ciphertext_record(this)
-		&requires(state_changed);
+	proc : bool = $context.connection.proc_ciphertext_record(rec);
+}
+
+refine typeattr SSLExtension += &let {
+	proc : bool = $context.connection.proc_ssl_extension(rec, type, data);
 };
diff --git a/src/ssl-defs.pac b/src/ssl-defs.pac
index 6a4a91bb36..31d90338f5 100644
--- a/src/ssl-defs.pac
+++ b/src/ssl-defs.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # Some common definitions for the SSL and SSL record-layer analyzers.
 
 %extern{
diff --git a/src/ssl-protocol.pac b/src/ssl-protocol.pac
index a0121c2496..627645e4da 100644
--- a/src/ssl-protocol.pac
+++ b/src/ssl-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # Analyzer for SSL messages (general part).
 # To be used in conjunction with an SSL record-layer analyzer.
 # Separation is necessary due to possible fragmentation of SSL records.
@@ -22,10 +20,65 @@ type uint24 = record {
 		return (num->byte1() << 16) | (num->byte2() << 8) | num->byte3();
 		}
 	};
+
+	string state_label(int state_nr);
+	double get_time_from_asn1(const ASN1_TIME * atime);
+	string handshake_type_label(int type);
 %}
 
 extern type to_int;
 
+type SSLRecord(is_orig: bool) = record {
+	head0 : uint8;
+	head1 : uint8;
+	head2 : uint8;
+	head3 : uint8;
+	head4 : uint8;
+	rec : RecordText(this)[] &length=length, &requires(content_type);
+} &length = length+5, &byteorder=bigendian,
+  &let {
+	version : int =
+		$context.connection.determine_ssl_version(head0, head1, head2);
+
+	content_type : int = case version of {
+		UNKNOWN_VERSION -> 0;
+		SSLv20 -> head2+300;
+		default -> head0;
+	};
+
+	length : int = case version of {
+		UNKNOWN_VERSION -> 0;
+		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
+		default -> (head3 << 8) | head4;
+	};
+};
+
+type RecordText(rec: SSLRecord) = case $context.connection.state() of {
+	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
+	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
+		-> ciphertext : CiphertextRecord(rec);
+	default
+		-> plaintext : PlaintextRecord(rec);
+};
+
+type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
+	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec(rec);
+	ALERT			-> alert : Alert(rec);
+	HANDSHAKE		-> handshake : Handshake(rec);
+	APPLICATION_DATA	-> app_data : ApplicationData(rec);
+	V2_ERROR		-> v2_error : V2Error(rec);
+	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello(rec);
+	V2_CLIENT_MASTER_KEY	-> v2_client_master_key : V2ClientMasterKey(rec);
+	V2_SERVER_HELLO		-> v2_server_hello : V2ServerHello(rec);
+	default			-> unknown_record : UnknownRecord(rec);
+};
+
+type SSLExtension(rec: SSLRecord) = record {
+	type: uint16;
+	data_len: uint16;
+	data: bytestring &length=data_len;
+};
+
 ######################################################################
 # state management according to Section 7.3. in spec
 ######################################################################
@@ -95,10 +148,104 @@ enum AnalyzerState {
 		}
 		}
 
-	string orig_label(bool is_orig)
+
+	double get_time_from_asn1(const ASN1_TIME * atime)
 		{
-		return string(is_orig ? "originator" :"responder");
-		}
+		time_t lResult = 0;
+
+		char lBuffer[24];
+		char * pBuffer = lBuffer;
+
+		size_t lTimeLength = atime->length;
+		char * pString = (char *) atime->data;
+
+		if ( atime->type == V_ASN1_UTCTIME )
+			{
+			if ( lTimeLength < 11 || lTimeLength > 17 )
+				return 0;
+
+			memcpy(pBuffer, pString, 10);
+			pBuffer += 10;
+			pString += 10;
+			}
+		else
+			{
+			if ( lTimeLength < 13 )
+				return 0;
+
+			memcpy(pBuffer, pString, 12);
+			pBuffer += 12;
+			pString += 12;
+			}
+
+		if ((*pString == 'Z') || (*pString == '-') || (*pString == '+'))
+			{
+			*(pBuffer++) = '0';
+			*(pBuffer++) = '0';
+			}
+		else
+			{
+			*(pBuffer++) = *(pString++);
+			*(pBuffer++) = *(pString++);
+
+			// Skip any fractional seconds...
+			if (*pString == '.')
+				{
+				pString++;
+				while ((*pString >= '0') && (*pString <= '9'))
+					pString++;
+				}
+			}
+
+		*(pBuffer++) = 'Z';
+		*(pBuffer++) = '\0';
+
+		time_t lSecondsFromUTC;
+
+		if ( *pString == 'Z' )
+			lSecondsFromUTC = 0;
+
+		else
+			{
+			if ((*pString != '+') && (pString[5] != '-'))
+				return 0;
+
+			lSecondsFromUTC = ((pString[1]-'0') * 10 + (pString[2]-'0')) * 60;
+			lSecondsFromUTC += (pString[3]-'0') * 10 + (pString[4]-'0');
+
+			if (*pString == '-')
+				lSecondsFromUTC = -lSecondsFromUTC;
+			}
+
+		tm lTime;
+		lTime.tm_sec  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+		lTime.tm_min  = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+		lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+		lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
+		lTime.tm_mon  = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
+		lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+
+		if ( lTime.tm_year < 50 )
+			lTime.tm_year += 100; // RFC 2459
+
+		lTime.tm_wday = 0;
+		lTime.tm_yday = 0;
+		lTime.tm_isdst = 0;  // No DST adjustment requested
+
+		lResult = mktime(&lTime);
+
+		if ( lResult )
+			{
+			if ( 0 != lTime.tm_isdst )
+				lResult -= 3600;  // mktime may adjust for DST  (OS dependent)
+
+			lResult += lSecondsFromUTC;
+			}
+		else
+			lResult = 0;
+
+		return lResult;
+	}
 %}
 
 ######################################################################
@@ -106,16 +253,19 @@ enum AnalyzerState {
 ######################################################################
 
 enum HandshakeType {
-	HELLO_REQUEST		= 0,
-	CLIENT_HELLO		= 1,
-	SERVER_HELLO		= 2,
-	CERTIFICATE		= 11,
-	SERVER_KEY_EXCHANGE	= 12,
-	CERTIFICATE_REQUEST	= 13,
-	SERVER_HELLO_DONE	= 14,
-	CERTIFICATE_VERIFY	= 15,
-	CLIENT_KEY_EXCHANGE	= 16,
-	FINISHED		= 20
+	HELLO_REQUEST       = 0,
+	CLIENT_HELLO        = 1,
+	SERVER_HELLO        = 2,
+	SESSION_TICKET      = 4, # RFC 5077
+	CERTIFICATE         = 11,
+	SERVER_KEY_EXCHANGE = 12,
+	CERTIFICATE_REQUEST = 13,
+	SERVER_HELLO_DONE   = 14,
+	CERTIFICATE_VERIFY  = 15,
+	CLIENT_KEY_EXCHANGE = 16,
+	FINISHED            = 20,
+	CERTIFICATE_URL     = 21, # RFC 3546
+	CERTIFICATE_STATUS  = 22, # RFC 3546
 };
 
 %code{
@@ -125,6 +275,7 @@ enum HandshakeType {
 		case HELLO_REQUEST: return string("HELLO_REQUEST");
 		case CLIENT_HELLO: return string("CLIENT_HELLO");
 		case SERVER_HELLO: return string("SERVER_HELLO");
+		case SESSION_TICKET: return string("SESSION_TICKET");
 		case CERTIFICATE: return string("CERTIFICATE");
 		case SERVER_KEY_EXCHANGE: return string("SERVER_KEY_EXCHANGE");
 		case CERTIFICATE_REQUEST: return string("CERTIFICATE_REQUEST");
@@ -132,6 +283,8 @@ enum HandshakeType {
 		case CERTIFICATE_VERIFY: return string("CERTIFICATE_VERIFY");
 		case CLIENT_KEY_EXCHANGE: return string("CLIENT_KEY_EXCHANGE");
 		case FINISHED: return string("FINISHED");
+		case CERTIFICATE_URL: return string("CERTIFICATE_URL");
+		case CERTIFICATE_STATUS: return string("CERTIFICATE_STATUS");
 		default: return string(fmt("UNKNOWN (%d)", type));
 		}
 		}
@@ -142,23 +295,25 @@ enum HandshakeType {
 # V3 Change Cipher Spec Protocol (7.1.)
 ######################################################################
 
-type ChangeCipherSpec = record {
+type ChangeCipherSpec(rec: SSLRecord) = record {
 	type : uint8;
 } &length = 1, &let {
 	state_changed : bool =
-	    $context.analyzer.transition(STATE_CLIENT_FINISHED,
-					 STATE_COMM_ENCRYPTED, false) ||
-	    $context.analyzer.transition(STATE_IN_SERVER_HELLO,
-					 STATE_ABBREV_SERVER_ENCRYPTED, false) ||
-	    $context.analyzer.transition(STATE_CLIENT_KEY_NO_CERT,
-					 STATE_CLIENT_ENCRYPTED, true) ||
-	    $context.analyzer.transition(STATE_CLIENT_CERT_VERIFIED,
-					 STATE_CLIENT_ENCRYPTED, true) ||
-	    $context.analyzer.transition(STATE_CLIENT_KEY_WITH_CERT,
-					 STATE_CLIENT_ENCRYPTED, true) ||
-	    $context.analyzer.transition(STATE_ABBREV_SERVER_FINISHED,
-					 STATE_COMM_ENCRYPTED, true) ||
-	    $context.analyzer.lost_track();
+		$context.connection.transition(STATE_CLIENT_FINISHED,
+					 STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_IN_SERVER_HELLO,
+					 STATE_ABBREV_SERVER_ENCRYPTED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_CLIENT_KEY_NO_CERT,
+					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_CERT_VERIFIED,
+					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_CERT,
+					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
+					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_ABBREV_SERVER_FINISHED,
+					 STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.lost_track();
 };
 
 
@@ -166,19 +321,21 @@ type ChangeCipherSpec = record {
 # V3 Alert Protocol (7.2.)
 ######################################################################
 
-type Alert = record {
+type Alert(rec: SSLRecord) = record {
 	level : uint8;
 	description: uint8;
-} &length = 2;
+};
 
 
 ######################################################################
 # V2 Error Records (SSLv2 2.7.)
 ######################################################################
 
-type V2Error = record {
-	error_code : uint16;
-} &length = 2;
+type V2Error(rec: SSLRecord) = record {
+	data:   bytestring &restofdata &transient;
+} &let {
+	error_code : uint16 = ((rec.head3 << 8) | rec.head4);
+};
 
 
 ######################################################################
@@ -187,8 +344,8 @@ type V2Error = record {
 
 # Application data should always be encrypted, so we should not
 # reach this point.
-type ApplicationData = empty &let {
-	discard: bool = $context.flow.discard_data();
+type ApplicationData(rec: SSLRecord) = record {
+	data : bytestring &restofdata &transient;
 };
 
 ######################################################################
@@ -200,8 +357,8 @@ type ApplicationData = empty &let {
 ######################################################################
 
 # Hello Request is empty
-type HelloRequest = empty &let {
-	hr: bool = $context.analyzer.set_hello_requested(true);
+type HelloRequest(rec: SSLRecord) = empty &let {
+	hr: bool = $context.connection.set_hello_requested(true);
 };
 
 
@@ -209,7 +366,7 @@ type HelloRequest = empty &let {
 # V3 Client Hello (7.4.1.2.)
 ######################################################################
 
-type ClientHello = record {
+type ClientHello(rec: SSLRecord) = record {
 	client_version : uint16;
 	gmt_unix_time : uint32;
 	random_bytes : bytestring &length = 28 &transient;
@@ -219,13 +376,17 @@ type ClientHello = record {
 	csuits : uint16[csuit_len/2];
 	cmeth_len : uint8 &check(cmeth_len > 0);
 	cmeths : uint8[cmeth_len];
+	# This weirdness is to deal with the possible existence or absence
+	# of the following fields.
+	ext_len: uint16[] &until($element == 0 || $element != 0);
+	extensions : SSLExtension(rec)[] &until($input.length() == 0);
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_INITIAL,
-				STATE_CLIENT_HELLO_RCVD, true) ||
-		($context.analyzer.hello_requested() &&
-		 $context.analyzer.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, true)) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_INITIAL,
+				STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
+		($context.connection.hello_requested() &&
+		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
+		$context.connection.lost_track();
 };
 
 
@@ -233,21 +394,22 @@ type ClientHello = record {
 # V2 Client Hello (SSLv2 2.5.)
 ######################################################################
 
-type V2ClientHello = record {
-	client_version : uint16;
+type V2ClientHello(rec: SSLRecord) = record {
 	csuit_len : uint16;
 	session_len : uint16;
 	chal_len : uint16;
 	ciphers : uint24[csuit_len/3];
 	session_id : uint8[session_len];
 	challenge : bytestring &length = chal_len;
-} &length = 8 + csuit_len + session_len + chal_len, &let {
+} &length = 6 + csuit_len + session_len + chal_len, &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_INITIAL,
-			STATE_CLIENT_HELLO_RCVD, true) ||
-		($context.analyzer.hello_requested() &&
-		 $context.analyzer.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, true)) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_INITIAL,
+			STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
+		($context.connection.hello_requested() &&
+		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
+		$context.connection.lost_track();
+
+	client_version : int = rec.version;
 };
 
 
@@ -255,7 +417,7 @@ type V2ClientHello = record {
 # V3 Server Hello (7.4.1.3.)
 ######################################################################
 
-type ServerHello = record {
+type ServerHello(rec: SSLRecord) = record {
 	server_version : uint16;
 	gmt_unix_time : uint32;
 	random_bytes : bytestring &length = 28 &transient;
@@ -265,9 +427,9 @@ type ServerHello = record {
 	compression_method : uint8;
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
-					   STATE_IN_SERVER_HELLO, false) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
+					   STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
+		$context.connection.lost_track();
 };
 
 
@@ -275,9 +437,9 @@ type ServerHello = record {
 # V2 Server Hello (SSLv2 2.6.)
 ######################################################################
 
-type V2ServerHello = record {
-	session_id_hit : uint8;
-	cert_type : uint8;
+type V2ServerHello(rec: SSLRecord) = record {
+	#session_id_hit : uint8;
+	#cert_type : uint8;
 	server_version : uint16;
 	cert_len : uint16;
 	ciph_len : uint16;
@@ -285,14 +447,17 @@ type V2ServerHello = record {
 	cert_data : bytestring &length = cert_len;
 	ciphers : uint24[ciph_len/3];
 	conn_id_data : bytestring &length = conn_id_len;
-} &length = 10 + cert_len + ciph_len + conn_id_len, &let {
+} &let {
 	state_changed : bool =
 		(session_id_hit > 0 ?
-			$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_CONN_ESTABLISHED, false) :
-			$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_V2_CL_MASTER_KEY_EXPECTED, false)) ||
-		$context.analyzer.lost_track();
+			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
+				STATE_CONN_ESTABLISHED, rec.is_orig, false) :
+			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
+				STATE_V2_CL_MASTER_KEY_EXPECTED, rec.is_orig, false)) ||
+		$context.connection.lost_track();
+
+	session_id_hit : uint8 = rec.head3;
+	cert_type : uint8 = rec.head4;
 };
 
 
@@ -307,16 +472,16 @@ type X509Certificate = record {
 
 type CertificateList = X509Certificate[] &until($input.length() == 0);
 
-type Certificate = record {
+type Certificate(rec: SSLRecord) = record {
 	length : uint24;
 	certificates : CertificateList &length = to_int()(length);
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, false) ||
-		$context.analyzer.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_CERT, true) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_IN_SERVER_HELLO,
+					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
+		$context.connection.transition(STATE_SERVER_HELLO_DONE,
+					STATE_CLIENT_CERT, rec.is_orig, true) ||
+		$context.connection.lost_track();
 };
 
 
@@ -325,13 +490,13 @@ type Certificate = record {
 ######################################################################
 
 # For now ignore details; just eat up complete message
-type ServerKeyExchange = record {
-	cont : bytestring &restofdata &transient;
+type ServerKeyExchange(rec: SSLRecord) = record {
+	key : bytestring &restofdata &transient;
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
-				STATE_IN_SERVER_HELLO, false) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_IN_SERVER_HELLO,
+				STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
+		$context.connection.lost_track();
 };
 
 
@@ -340,13 +505,13 @@ type ServerKeyExchange = record {
 ######################################################################
 
 # For now, ignore Certificate Request Details; just eat up message.
-type CertificateRequest = record {
+type CertificateRequest(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, false) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_IN_SERVER_HELLO,
+					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
+		$context.connection.lost_track();
 };
 
 
@@ -355,11 +520,11 @@ type CertificateRequest = record {
 ######################################################################
 
 # Server Hello Done is empty
-type ServerHelloDone = empty &let {
+type ServerHelloDone(rec: SSLRecord) = empty &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
-					STATE_SERVER_HELLO_DONE, false) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_IN_SERVER_HELLO,
+					STATE_SERVER_HELLO_DONE, rec.is_orig, false) ||
+		$context.connection.lost_track();
 };
 
 
@@ -377,34 +542,38 @@ type ServerHelloDone = empty &let {
 
 # For now ignore details of ClientKeyExchange (most of it is
 # encrypted anyway); just eat up message.
-type ClientKeyExchange = record {
-	cont : bytestring &restofdata &transient;
+type ClientKeyExchange(rec: SSLRecord) = record {
+	key : bytestring &restofdata &transient;
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_KEY_NO_CERT, true) ||
-		$context.analyzer.transition(STATE_CLIENT_CERT,
-					STATE_CLIENT_KEY_WITH_CERT, true) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_SERVER_HELLO_DONE,
+					STATE_CLIENT_KEY_NO_CERT, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_CERT,
+					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_CERT,
+					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
+		$context.connection.lost_track();
 };
 
 ######################################################################
 # V2 Client Master Key (SSLv2 2.5.)
 ######################################################################
 
-type V2ClientMasterKey = record {
-	cipher_kind : uint24;
+type V2ClientMasterKey(rec: SSLRecord) = record {
+	cipher_kind_8 : uint8;
 	cl_key_len : uint16;
 	en_key_len : uint16;
 	key_arg_len : uint16;
 	cl_key_data : bytestring &length = cl_key_len &transient;
 	en_key_data : bytestring &length = en_key_len &transient;
 	key_arg_data : bytestring &length = key_arg_len &transient;
-} &length = 9 + cl_key_len + en_key_len + key_arg_len, &let {
+} &length = 7 + cl_key_len + en_key_len + key_arg_len, &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_V2_CL_MASTER_KEY_EXPECTED,
-					STATE_CONN_ESTABLISHED, true) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_V2_CL_MASTER_KEY_EXPECTED,
+					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
+		$context.connection.lost_track();
+
+	cipher_kind : int = (((rec.head3 << 16) | (rec.head4 << 8)) | cipher_kind_8);
 };
 
 
@@ -413,13 +582,13 @@ type V2ClientMasterKey = record {
 ######################################################################
 
 # For now, ignore Certificate Verify; just eat up the message.
-type CertificateVerify = record {
+type CertificateVerify(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
 } &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_CLIENT_KEY_WITH_CERT,
-					STATE_CLIENT_CERT_VERIFIED, true) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
+					STATE_CLIENT_CERT_VERIFIED, rec.is_orig, true) ||
+		$context.connection.lost_track();
 };
 
 
@@ -427,78 +596,88 @@ type CertificateVerify = record {
 # V3 Finished (7.4.9.)
 ######################################################################
 
-# The Finished messages are always sent after encryption is in effect,
-# so we will not be able to read those message
+# The finished messages are always sent after encryption is in effect,
+# so we will not be able to read those messages.
+type Finished(rec: SSLRecord) = record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool =
+		$context.connection.transition(STATE_SERVER_HELLO_DONE,
+					STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CLIENT_FINISHED,
+					STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
+		$context.connection.lost_track();
+};
 
+type SessionTicketHandshake(rec: SSLRecord) = record {
+	ticket_lifetime_hint: uint32;
+	data:                 bytestring &restofdata;
+};
 
 ######################################################################
 # V3 Handshake Protocol (7.)
 ######################################################################
 
-type UnknownHandshake(msg_type : uint8) =  record {
-	cont : bytestring &restofdata &transient;
+type UnknownHandshake(hs: Handshake, is_orig: bool) =  record {
+	data : bytestring &restofdata &transient;
 } &let {
-	state_changed : bool = $context.analyzer.lost_track();
+	state_changed : bool = $context.connection.lost_track();
 };
 
-type Handshake = record {
+type Handshake(rec: SSLRecord) = record {
 	msg_type : uint8;
 	length : uint24;
 
 	body : case msg_type of {
-	HELLO_REQUEST ->	hello_request : HelloRequest;
-	CLIENT_HELLO ->		client_hello : ClientHello;
-	SERVER_HELLO ->		server_hello : ServerHello;
-	CERTIFICATE ->		certificate : Certificate;
-	SERVER_KEY_EXCHANGE ->	server_key_exchange : ServerKeyExchange;
-	CERTIFICATE_REQUEST ->	certificate_request : CertificateRequest;
-	SERVER_HELLO_DONE ->	server_hello_done : ServerHelloDone;
-	CERTIFICATE_VERIFY ->	certificate_verify : CertificateVerify;
-	CLIENT_KEY_EXCHANGE ->	client_key_exchange : ClientKeyExchange;
-	default ->		unknown_handshake : UnknownHandshake(msg_type);
-	};
-} &length = 4 + to_int()(length);
+		HELLO_REQUEST       -> hello_request       : HelloRequest(rec);
+		CLIENT_HELLO        -> client_hello        : ClientHello(rec);
+		SERVER_HELLO        -> server_hello        : ServerHello(rec);
+		SESSION_TICKET      -> session_ticket      : SessionTicketHandshake(rec);
+		CERTIFICATE         -> certificate         : Certificate(rec);
+		SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec);
+		CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec);
+		SERVER_HELLO_DONE   -> server_hello_done   : ServerHelloDone(rec);
+		CERTIFICATE_VERIFY  -> certificate_verify  : CertificateVerify(rec);
+		CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec);
+		FINISHED            -> finished            : Finished(rec);
+		CERTIFICATE_URL     -> certificate_url     : bytestring &restofdata &transient;
+		CERTIFICATE_STATUS  -> certificate_status  : bytestring &restofdata &transient;
+		default             -> unknown_handshake   : UnknownHandshake(this, rec.is_orig);
+	} &length = to_int()(length);
+};
 
 
 ######################################################################
 # Fragmentation (6.2.1.)
 ######################################################################
 
-type UnknownRecord =  record {
-	cont : empty;
+type UnknownRecord(rec: SSLRecord) =  record {
+	cont : bytestring &restofdata &transient;
 } &let {
-	discard : bool = $context.flow.discard_data();
-	state_changed : bool = $context.analyzer.lost_track();
+	state_changed : bool = $context.connection.lost_track();
 };
 
-type PlaintextRecord =  case $context.analyzer.current_record_type() of {
-	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec;
-	ALERT			-> alert : Alert;
-	HANDSHAKE		-> handshakes : Handshake;
-	APPLICATION_DATA	-> app_data : ApplicationData;
-	V2_ERROR		-> v2_error : V2Error;
-	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello;
-	V2_CLIENT_MASTER_KEY	-> v2_client_master_key : V2ClientMasterKey;
-	V2_SERVER_HELLO		-> v2_server_hello : V2ServerHello;
-	UNKNOWN_OR_V2_ENCRYPTED	-> unknown_record : UnknownRecord;
-};
-
-type CiphertextRecord = empty &let {
-	discard : bool = $context.flow.discard_data();
+type CiphertextRecord(rec: SSLRecord) = record {
+	cont : bytestring &restofdata &transient;
+} &let {
 	state_changed : bool =
-		$context.analyzer.transition(STATE_ABBREV_SERVER_ENCRYPTED,
-					STATE_ABBREV_SERVER_FINISHED, false) ||
-		$context.analyzer.transition(STATE_CLIENT_ENCRYPTED,
-					STATE_CLIENT_FINISHED, true) ||
-		$context.analyzer.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, false) ||
-		$context.analyzer.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, true) ||
-		$context.analyzer.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, false) ||
-		$context.analyzer.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, true) ||
-		$context.analyzer.lost_track();
+		$context.connection.transition(STATE_CLIENT_FINISHED,
+					STATE_CLIENT_FINISHED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_CLIENT_FINISHED,
+					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_ABBREV_SERVER_ENCRYPTED,
+					STATE_ABBREV_SERVER_FINISHED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_CLIENT_ENCRYPTED,
+					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_COMM_ENCRYPTED,
+					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_COMM_ENCRYPTED,
+					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
+		$context.connection.transition(STATE_CONN_ESTABLISHED,
+					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
+		$context.connection.transition(STATE_CONN_ESTABLISHED,
+					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
+		$context.connection.lost_track();
 };
 
 
@@ -506,80 +685,60 @@ type CiphertextRecord = empty &let {
 # initial datatype for binpac
 ######################################################################
 
-type SSLPDU = case $context.analyzer.state() of {
-	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
-	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
-		-> ciphertext : CiphertextRecord;
-	default
-		-> plaintext : PlaintextRecord;
-} &byteorder = bigendian, &let {
-	consumed : bool = $context.flow.consume_data();
-};
+type SSLPDU(is_orig: bool) = record {
+	records : SSLRecord(is_orig)[] &transient &until($element <= 0);
+} &byteorder = bigendian;
 
 
 ######################################################################
 # binpac analyzer for SSL including
 ######################################################################
 
-analyzer SSLAnalyzer {
-	upflow = SSLFlow(true);
-	downflow = SSLFlow(false);
+refine connection SSL_Conn += {
 
 	%member{
-		int current_record_type_;
-		int current_record_version_;
-		int current_record_length_;
-		bool current_record_is_orig_;
 		int state_;
 		int old_state_;
 		bool hello_requested_;
 	%}
 
 	%init{
-		current_record_type_ = -1;
-		current_record_version_ = -1;
-		current_record_length_ = -1;
-		current_record_is_orig_ = false;
 		state_ = STATE_INITIAL;
 		old_state_ = STATE_INITIAL;
 		hello_requested_ = false;
 	%}
 
-	function current_record_type() : int
-					%{ return current_record_type_; %}
-	function current_record_version() : int
-					%{ return current_record_version_; %}
-	function current_record_length() : int
-					%{ return current_record_length_; %}
-	function current_record_is_orig() : bool
-					%{ return current_record_is_orig_; %}
-
-	function next_record(rec : const_bytestring, type : int,
-				version : int, is_orig : bool) : bool
+	function determine_ssl_version(head0 : uint8, head1 : uint8,
+					head2 : uint8) : int
 		%{
-		current_record_type_ = type;
-		current_record_version_ = version;
-		current_record_length_ = rec.length();
-		current_record_is_orig_ = is_orig;
+		if ( head0 >= 20 && head0 <= 23 &&
+		     head1 == 0x03 && head2 <  0x03 )
+			// This is most probably SSL version 3.
+			return (head1 << 8) | head2;
 
-		NewData(is_orig, rec.begin(), rec.end());
+		else if ( head0 >= 128 && head2 < 5 && head2 != 3 )
+			// Not very strong evidence, but we suspect
+			// this to be SSLv2.
+			return SSLv20;
 
-		return true;
+		else
+			return UNKNOWN_VERSION;
 		%}
 
 	function state() : int %{ return state_; %}
 	function old_state() : int %{ return old_state_; %}
 
 	function transition(olds : AnalyzerState, news : AnalyzerState,
-				is_orig : bool) : bool
+				current_record_is_orig : bool, is_orig : bool) : bool
 		%{
 		if ( (olds != STATE_ANY && olds != state_) ||
-		     current_record_is_orig_ != is_orig )
+		     current_record_is_orig != is_orig )
 			return false;
 
 		old_state_ = state_;
 		state_ = news;
 
+		//printf("transitioning from %s to %s\n", state_label(old_state()).c_str(), state_label(state()).c_str());
 		return true;
 		%}
 
@@ -602,29 +761,3 @@ analyzer SSLAnalyzer {
 		return val;
 		%}
 };
-
-
-######################################################################
-# binpac flow for SSL
-######################################################################
-
-flow SSLFlow(is_orig : bool) {
-	flowunit = SSLPDU withcontext(connection, this);
-
-	function discard_data() : bool
-		%{
-		flow_buffer_->DiscardData();
-		return true;
-		%}
-
-	function data_available() : bool
-		%{
-		return flow_buffer_->data_available();
-		%}
-
-	function consume_data() : bool
-		%{
-		flow_buffer_->NewFrame(0, false);
-		return true;
-		%}
-};
diff --git a/src/ssl-record-layer.pac b/src/ssl-record-layer.pac
deleted file mode 100644
index ad6c4ca260..0000000000
--- a/src/ssl-record-layer.pac
+++ /dev/null
@@ -1,141 +0,0 @@
-# $Id:$
-
-# binpac analyzer representing the SSLv3 record layer
-#
-# This additional layering in the analyzer hierarchy is necessary due to
-# fragmentation that can be introduced in the SSL record layer.
-
-%include binpac.pac
-%include bro.pac
-
-analyzer SSLRecordLayer withcontext {
-	analyzer : SSLRecordLayerAnalyzer;
-	flow : SSLRecordLayerFlow;
-};
-
-%include ssl-defs.pac
-
-%extern{
-#include "ssl_pac.h"
-using binpac::SSL::SSLAnalyzer;
-%}
-
-extern type const_bytestring;
-
-
-type SSLPDU = record {
-	head0 : uint8;
-	head1 : uint8;
-	head2 : uint8;
-	head3 : uint8;
-	head4 : uint8;
-	fragment : bytestring &restofdata;
-} &length = 5 + length, &byteorder = bigendian, &let {
-	version : int =
-		$context.analyzer.determine_ssl_version(head0, head1, head2);
-
-	length : int = case version of {
-		UNKNOWN_VERSION -> 0;
-		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
-		default -> (head3 << 8) | head4;
-	};
-
-	fw : bool = case version of {
-		UNKNOWN_VERSION ->
-			$context.analyzer.forward_record(const_bytestring(),
-				UNKNOWN_OR_V2_ENCRYPTED, UNKNOWN_VERSION,
-				$context.flow.is_orig)
-			&& $context.flow.discard_data();
-
-	SSLv20 -> $context.analyzer.forward_v2_record(head2, head3, head4,
-					fragment, $context.flow.is_orig);
-	default -> $context.analyzer.forward_record(fragment, head0,
-				(head1 << 8) | head2, $context.flow.is_orig);
-	};
-};
-
-# binpac-specific definitions
-
-analyzer SSLRecordLayerAnalyzer {
-	upflow = SSLRecordLayerFlow(true);
-	downflow = SSLRecordLayerFlow(false);
-
-	%member{
-		SSLAnalyzer* ssl_analyzer_;
-
-		int ssl_version_;
-		int record_length_;
-	%}
-
-	%init{
-		ssl_analyzer_ = 0;
-		ssl_version_ = UNKNOWN_VERSION;
-		record_length_ = 0;
-	%}
-
-	%eof{
-		ssl_analyzer_->FlowEOF(true);
-		ssl_analyzer_->FlowEOF(false);
-	%}
-
-	function set_ssl_analyzer(a : SSLAnalyzer) : void
-		%{ ssl_analyzer_ = a; %}
-
-	function ssl_version() : int %{ return ssl_version_; %}
-	function record_length() : int %{ return record_length_; %}
-
-	function determine_ssl_version(head0 : uint8, head1 : uint8,
-					head2 : uint8) : int
-		%{
-		if ( head0 >= 20 && head0 <= 23 &&
-		     head1 == 0x03 && head2 <  0x03 )
-			// This is most probably SSL version 3.
-			ssl_version_ = (head1 << 8) | head2;
-
-		else if ( head0 >= 128 && head2 < 5 && head2 != 3 )
-			// Not very strong evidence, but we suspect
-			// this to be SSLv2.
-			ssl_version_ = SSLv20;
-
-		else
-			ssl_version_ = UNKNOWN_VERSION;
-
-		return ssl_version_;
-		%}
-
-	function forward_record(fragment : const_bytestring, type : int,
-				version : uint16, is_orig : bool) : bool
-		%{
-		return ssl_analyzer_->next_record(fragment, type,
-							version, is_orig);
-		%}
-
-	function forward_v2_record(b1 : uint8, b2 : uint8, b3 : uint8,
-					fragment : const_bytestring,
-					is_orig : bool) : bool
-		%{
-		uint8* buffer = new uint8[2 + fragment.length()];
-
-		// Byte 1 is the record type.
-		buffer[0] = b2;
-		buffer[1] = b3;
-
-		memcpy(buffer + 2, fragment.begin(), fragment.length());
-		const_bytestring bs(buffer, 2 + fragment.length());
-
-		bool ret = ssl_analyzer_->next_record(bs, 300 + b1, SSLv20,
-							is_orig);
-		delete [] buffer;
-		return ret;
-		%}
-};
-
-flow SSLRecordLayerFlow(is_orig : bool) {
-	flowunit = SSLPDU withcontext(connection, this);
-
-	function discard_data() : bool
-		%{
-		flow_buffer_->DiscardData();
-		return true;
-		%}
-};
diff --git a/src/ssl.pac b/src/ssl.pac
index f2cd92eedf..25aed7a66f 100644
--- a/src/ssl.pac
+++ b/src/ssl.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 # binpac file for SSL analyzer
 
 # split in three parts:
@@ -11,12 +9,20 @@
 %include bro.pac
 
 analyzer SSL withcontext {
-	analyzer : SSLAnalyzer;
-	flow : SSLFlow;
+	connection: SSL_Conn;
+	flow:       SSL_Flow;
 };
 
-
-%include ssl-defs.pac
+connection SSL_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = SSL_Flow(true);
+	downflow = SSL_Flow(false);
+};
 
 %include ssl-protocol.pac
+
+flow SSL_Flow(is_orig: bool) {
+	flowunit = SSLPDU(is_orig) withcontext(connection, this);
+}
+
 %include ssl-analyzer.pac
+%include ssl-defs.pac
diff --git a/src/strings.bif b/src/strings.bif
index 44b0c57eb6..ebe16529ea 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -1,6 +1,5 @@
-# $Id: strings.bif 6920 2009-10-03 20:47:25Z vern $
-#
-# Definitions of Bro built-in functions related to strings.
+##! Definitions of built-in functions related to string processing and
+##! manipulation.
 
 
 %%{ // C segment
@@ -12,6 +11,14 @@ using namespace std;
 %%}
 
 
+## Concates all arguments into a single string. The function takes a variable
+## number of arguments of type string and stiches them together.
+##
+## Returns: The concatenation of all (string) arguments.
+##
+## .. bro:see:: cat cat_sep cat_string_array cat_string_array_n
+##              fmt
+##              join_string_vec join_string_array
 function string_cat%(...%): string
 	%{
 	int n = 0;
@@ -75,18 +82,53 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end)
 	}
 %%}
 
+## Concatenates all elements in an array of strings.
+##
+## a: The :bro:type:`string_array` (``table[count] of string``).
+##
+## Returns: The concatenation of all elements in *a*.
+##
+## .. bro:see:: cat cat_sep string_cat cat_string_array_n
+##              fmt
+##              join_string_vec join_string_array
 function cat_string_array%(a: string_array%): string
 	%{
 	TableVal* tbl = a->AsTableVal();
 	return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length()));
 	%}
 
+## Concatenates a specific range of elements in an array of strings.
+##
+## a: The :bro:type:`string_array` (``table[count] of string``).
+##
+## start: The array index of the first element of the range.
+##
+## end: The array index of the last element of the range.
+##
+## Returns: The concatenation of the range *[start, end]* in *a*.
+##
+## .. bro:see:: cat string_cat cat_string_array
+##              fmt
+##              join_string_vec join_string_array
 function cat_string_array_n%(a: string_array, start: count, end: count%): string
 	%{
 	TableVal* tbl = a->AsTableVal();
 	return new StringVal(cat_string_array_n(tbl, start, end));
 	%}
 
+## Joins all values in the given array of strings with a separator placed
+## between each element.
+##
+## sep: The separator to place between each element.
+##
+## a: The :bro:type:`string_array` (``table[count] of string``).
+##
+## Returns: The concatenation of all elements in *a*, with *sep* placed
+##          between each element.
+##
+## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
+##              fmt
+##              join_string_vec
 function join_string_array%(sep: string, a: string_array%): string
 	%{
 	vector<const BroString*> vs;
@@ -110,6 +152,45 @@ function join_string_array%(sep: string, a: string_array%): string
 	return new StringVal(concatenate(vs));
 	%}
 
+## Joins all values in the given vector of strings with a separator placed
+## between each element.
+##
+## sep: The separator to place between each element.
+##
+## a: The :bro:type:`string_vec` (``vector of string``).
+##
+## Returns: The concatenation of all elements in *a*, with *sep* placed
+##          between each element.
+##
+## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
+##              fmt
+##              join_string_array
+function join_string_vec%(vec: string_vec, sep: string%): string
+	%{
+	ODesc d;
+	VectorVal *v = vec->AsVectorVal();
+
+	for ( unsigned i = 0; i < v->Size(); ++i )
+		{
+		if ( i > 0 )
+			d.Add(sep->CheckString(), 0);
+
+		v->Lookup(i+1)->Describe(&d);
+		}
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+## Sorts an array of strings.
+##
+## a: The :bro:type:`string_array` (``table[count] of string``).
+##
+## Returns: A sorted copy of *a*.
+##
+## .. bro:see:: sort
 function sort_string_array%(a: string_array%): string_array
 	%{
 	TableVal* tbl = a->AsTableVal();
@@ -131,34 +212,52 @@ function sort_string_array%(a: string_array%): string_array
 		}
 	// sort(vs.begin(), vs.end(), Bstr_cmp);
 
-	TableVal* b = new TableVal(internal_type("string_array")->AsTableType());
+	TableVal* b = new TableVal(string_array);
 	vs_to_string_array(vs, b, 1, n);
 	return b;
 	%}
 
+## Returns an edited version of a string that applies a special
+## "backspace character" (usually ``\x08`` for backspace or ``\x7f`` for DEL).
+## For ## example, ``edit("hello there", "e")`` returns ``"llo t"``.
+##
+## arg_s: The string to edit.
+##
+## arg_edit_char: A string of exactly one character that represents the
+##                "backspace character". If it is longer than one character Bro
+##                generates a run-time error and uses the first character in
+##                the string.
+##
+## Returns: An edited version of *arg_s* where *arg_edit_char* triggers the
+##          deletetion of the last character.
+##
+## .. bro:see:: clean
+##              to_string_literal
+##              escape_string
+##              strip
 function edit%(arg_s: string, arg_edit_char: string%): string
 	%{
-	const char* s = arg_s->AsString()->CheckString();
-	const char* edit_s = arg_edit_char->AsString()->CheckString();
+	if ( arg_edit_char->Len() != 1 )
+		builtin_error("not exactly one edit character", @ARG@[1]);
 
-	if ( strlen(edit_s) != 1 )
-		builtin_run_time("not exactly one edit character", @ARG@[1]);
+	const u_char* s = arg_s->Bytes();
+	const u_char* edit_s = arg_edit_char->Bytes();
 
-	char edit_c = *edit_s;
+	u_char edit_c = *edit_s;
 
-	int n = strlen(s) + 1;
-	char* new_s = new char[n];
+	int n = arg_s->Len();
+	u_char* new_s = new u_char[n+1];
 	int ind = 0;
 
-	for ( ; *s; ++s )
+	for ( int i = 0; i < n; ++i )
 		{
-		if ( *s == edit_c )
+		if ( s[i] == edit_c )
 			{ // Delete last character
 			if ( --ind < 0 )
 				ind = 0;
 			}
 		else
-			new_s[ind++] = *s;
+			new_s[ind++] = s[i];
 		}
 
 	new_s[ind] = '\0';
@@ -166,11 +265,28 @@ function edit%(arg_s: string, arg_edit_char: string%): string
 	return new StringVal(new BroString(1, byte_vec(new_s), ind));
 	%}
 
+## Returns the number of characters (bytes) in the given string. The
+## length computation includes any embedded NULs, and also a trailing NUL,
+## if any (which is why the function isn't called ``strlen``; to remind
+## the user that Bro strings can include NULs).
+##
+## s: The string to compute the length for.
+##
+## Returns: The number of characters in *s*.
 function byte_len%(s: string%): count
 	%{
 	return new Val(s->Len(), TYPE_COUNT);
 	%}
 
+## Get a substring of from a string, given a starting position length.
+##
+## s: The string to obtain a substring from.
+##
+## start: The starting position of the substring in *s*
+##
+## n: The number of characters to extract, beginning at *start*.
+##
+## Returns: A substring of *s* of length *n* from position *start*.
 function sub_bytes%(s: string, start: count, n: int%): string
 	%{
 	if ( start > 0 )
@@ -198,77 +314,63 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t)
 Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 		int incl_sep, int max_num_sep)
 	{
-	const BroString* str = str_val->AsString();
-	TableVal* a = new TableVal(internal_type("string_array")->AsTableType());
+	TableVal* a = new TableVal(string_array);
 	ListVal* other_strings = 0;
 
 	if ( other_sep && other_sep->Size() > 0 )
 		other_strings = other_sep->ConvertToPureList();
 
-	// Currently let us assume that str is NUL-terminated. In
-	// the future we expect to change this by giving RE_Matcher a
-	// const char* segment.
-
-	const char* s = str->CheckString();
-	int len = strlen(s);
-	const char* end_of_s = s + len;
+	const u_char* s = str_val->Bytes();
+	int n = str_val->Len();
+	const u_char* end_of_s = s + n;
 	int num = 0;
 	int num_sep = 0;
 
-	while ( 1 )
+	int offset = 0;
+	while ( n >= 0 )
 		{
-		int offset = 0;
-		const char* t;
-
-		if ( max_num_sep > 0 && num_sep >= max_num_sep )
-			t = end_of_s;
-		else
+		offset = 0;
+		// Find next match offset.
+		int end_of_match = 0;
+		while ( n > 0 &&
+		        (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 )
 			{
-			for ( t = s; t < end_of_s; ++t )
-				{
-				offset = re->MatchPrefix(t);
+			// Move on to next byte.
+			++offset;
+			--n;
+			}
 
-				if ( other_strings )
-					{
-					val_list* vl = other_strings->Vals();
-					loop_over_list(*vl, i)
-						{
-						const BroString* sub =
-							(*vl)[i]->AsString();
-						if ( sub->Len() > offset &&
-						     match_prefix(end_of_s - t,
-								t, sub->Len(),
-								(const char*) (sub->Bytes())) )
-							{
-							offset = sub->Len();
-							}
-						}
-					}
-
-				if ( offset > 0 )
-					break;
-				}
+		if ( max_num_sep && num_sep >= max_num_sep )
+			{
+			offset = end_of_s - s;
+			n=0;
 			}
 
 		Val* ind = new Val(++num, TYPE_COUNT);
-		a->Assign(ind, new StringVal(t - s, s));
+		a->Assign(ind, new StringVal(offset, (const char*) s));
 		Unref(ind);
 
-		if ( t >= end_of_s )
+		// No more separators will be needed if this is the end of string.
+		if ( n <= 0 )
 			break;
 
-		++num_sep;
-
 		if ( incl_sep )
 			{ // including the part that matches the pattern
 			ind = new Val(++num, TYPE_COUNT);
-			a->Assign(ind, new StringVal(offset, t));
+			a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset));
 			Unref(ind);
 			}
 
-		s = t + offset;
+		if ( max_num_sep && num_sep >= max_num_sep )
+			break;
+
+		++num_sep;
+
+		n -= end_of_match;
+		s += offset + end_of_match;;
+
 		if ( s > end_of_s )
-			internal_error("RegMatch in split goes beyond the string");
+			reporter->InternalError("RegMatch in split goes beyond the string");
 		}
 
 	if ( other_strings )
@@ -364,42 +466,94 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all)
 	}
 %%}
 
-# Similar to split in awk.
-
+## Splits a string into an array of strings according to a pattern.
+##
+## str: The string to split.
+##
+## re: The pattern describing the element separator in *str*.
+##
+## Returns: An array of strings where each element corresponds to a substring
+##          in *str* separated by *re*.
+##
+## .. bro:see:: split1 split_all split_n str_split
+##
+## .. note:: The returned table starts at index 1. Note that conceptually the
+##           return value is meant to be a vector and this might change in the
+##           future.
+##
 function split%(str: string, re: pattern%): string_array
 	%{
 	return do_split(str, re, 0, 0, 0);
 	%}
 
-# split1(str, pattern, include_separator): table[count] of string
-#
-# Same as split, except that str is only split (if possible) at the
-# earliest position and an array of two strings is returned.
-# An array of one string is returned when str cannot be splitted.
-
+## Splits a string *once* into a a two-element array of strings according to a
+## pattern. This function is the same as :bro:id:`split`, but * is only split
+## once (if possible) at the earliest position and an array of two strings is
+## returned.
+##
+## str: The string to split.
+##
+## re: The pattern describing the separator to split *str* in two pieces.
+##
+## Returns: An array of strings with two elements in which the first represents
+##          the substring in *str* up to the first occurence of *re*, and the
+##          second everything after *re*. An array of one string is returned
+##          when *s* cannot be split.
+##
+## .. bro:see:: split split_all split_n str_split
 function split1%(str: string, re: pattern%): string_array
 	%{
 	return do_split(str, re, 0, 0, 1);
 	%}
 
-# Same as split, except that the array returned by split_all also
-# includes parts of string that match the pattern in the array.
-
-# For example, split_all("a-b--cd", /(\-)+/) returns {"a", "-", "b",
-# "--", "cd"}: odd-indexed elements do not match the pattern
-# and even-indexed ones do.
-
+## Splits a string into an array of strings according to a pattern. This
+## function is the same as :bro:id:`split`, except that the separators are
+## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns
+## ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do not match the
+## pattern and even-indexed ones do.
+##
+## str: The string to split.
+##
+## re: The pattern describing the element separator in *str*.
+##
+## Returns: An array of strings where each two successive elements correspond
+##          to a substring in *str* of the part not matching *re* (odd-indexed)
+##          and thei part that matches *re* (even-indexed).
+##
+## .. bro:see:: split split1 split_n str_split
 function split_all%(str: string, re: pattern%): string_array
 	%{
 	return do_split(str, re, 0, 1, 0);
 	%}
 
+## Splits a string a given number of times into an array of strings according
+## to a pattern. This function is similar to :bro:id:`split1` and
+## :bro:id:`split_all`, but with customizable behavior with respect to
+## including separators in the result and the number of times to split.
+##
+## str: The string to split.
+##
+## re: The pattern describing the element separator in *str*.
+##
+## incl_sep: A flag indicating whether to include the separator matches in the
+##           result (as in :bro:id:`split_all`).
+##
+## max_num_sep: The number of times to split *str*.
+##
+## Returns: An array of strings where, if *incl_sep* is true, each two
+##          successive elements correspond to a substring in *str* of the part
+##          not matching *re* (odd-indexed) and the part that matches *re*
+##          (even-indexed).
+##
+## .. bro:see:: split split1 split_all str_split
 function split_n%(str: string, re: pattern,
 		incl_sep: bool, max_num_sep: count%): string_array
 	%{
 	return do_split(str, re, 0, incl_sep, max_num_sep);
 	%}
 
+## Deprecated. Will be removed.
+# Reason: the parameter ``other`` does nothing.
 function split_complete%(str: string,
 		re: pattern, other: string_set,
 		incl_sep: bool, max_num_sep: count%): string_array
@@ -407,22 +561,65 @@ function split_complete%(str: string,
 	return do_split(str, re, other->AsTableVal(), incl_sep, max_num_sep);
 	%}
 
+## Substitutes a given replacement string for the first occurrence of a pattern
+## in a given string.
+##
+## str: The string to perform the substitution in.
+##
+## re: The pattern being replaced with *repl*.
+##
+## repl: The string that replacs *re*.
+##
+## Returns: A copy of *str* with the first occurence of *re* replaced with
+##          *repl*.
+##
+## .. bro:see:: gsub subst_string
 function sub%(str: string, re: pattern, repl: string%): string
 	%{
 	return do_sub(str, re, repl, 0);
 	%}
 
+## Substitutes a given replacement string for the all occurrences of a pattern
+## in a given string.
+##
+## str: The string to perform the substitution in.
+##
+## re: The pattern being replaced with *repl*.
+##
+## repl: The string that replacs *re*.
+##
+## Returns: A copy of *str* with all occurences of *re* replaced with *repl*.
+##
+## .. bro:see:: sub subst_string
 function gsub%(str: string, re: pattern, repl: string%): string
 	%{
 	return do_sub(str, re, repl, 1);
 	%}
 
+
+## Lexicographically compares two string.
+##
+## s1: The first string.
+##
+## s2: The second string.
+##
+## Returns: An integer greater than, equal to, or less than 0 according as
+##          *s1* is greater than, equal to, or less than *s2*.
 function strcmp%(s1: string, s2: string%): int
 	%{
 	return new Val(Bstr_cmp(s1->AsString(), s2->AsString()), TYPE_INT);
 	%}
 
-# Returns 0 if $little is not found in $big.
+## Locates the first occurrence of one string in another.
+##
+## big: The string to look in.
+##
+## little: The (smaller) string to find inside *big*.
+##
+## Returns: The location of *little* in *big* or 0 if *little* is not found in
+##          *big*.
+##
+## .. bro:see:: find_all find_last
 function strstr%(big: string, little: string%): count
 	%{
 	return new Val(
@@ -430,8 +627,17 @@ function strstr%(big: string, little: string%): count
 		TYPE_COUNT);
 	%}
 
-# Substitute each (non-overlapping) appearance of $from in $s to $to,
-# and return the resulting string.
+## Substitutes each (non-overlapping) appearance of a string in another.
+##
+## s: The string in which to perform the substitution.
+##
+## from: The string to look for which is replaced with *to*.
+##
+## to: The string that replaces all occurrences of *from* in *s*.
+##
+## Returns: A copy of *s* where each occurrence of *from* is replaced with *to*.
+##
+## .. bro:see:: sub gsub
 function subst_string%(s: string, from: string, to: string%): string
 	%{
 	const int little_len = from->Len();
@@ -474,58 +680,112 @@ function subst_string%(s: string, from: string, to: string%): string
 	return new StringVal(concatenate(vs));
 	%}
 
+## Replaces all uppercase letters in a string with their lowercase counterpart.
+##
+## str: The string to convert to lowercase letters.
+##
+## Returns: A copy of the given string with the uppercase letters (as indicated
+##          by ``isascii`` and \verb|isupper|``) folded to lowercase
+##          (via ``tolower``).
+##
+## .. bro:see:: to_upper is_ascii
 function to_lower%(str: string%): string
 	%{
-	const char* s = str->CheckString();
-	int n = strlen(s) + 1;
-	char* lower_s = new char[n];
+	const u_char* s = str->Bytes();
+	int n = str->Len();
+	u_char* lower_s = new u_char[n + 1];
+	u_char* ls = lower_s;
 
-	char* ls;
-	for ( ls = lower_s; *s; ++s )
+	for ( int i = 0; i < n; ++i)
 		{
-		if ( isascii(*s) && isupper(*s) )
-			*ls++ = tolower(*s);
+		if ( isascii(s[i]) && isupper(s[i]) )
+			*ls++ = tolower(s[i]);
 		else
-			*ls++ = *s;
+			*ls++ = s[i];
 		}
 
-	*ls = '\0';
+    *ls++ = '\0';
 
-	return new StringVal(new BroString(1, byte_vec(lower_s), n-1));
+	return new StringVal(new BroString(1, lower_s, n));
 	%}
 
+## Replaces all lowercase letters in a string with their uppercase counterpart.
+##
+## str: The string to convert to uppercase letters.
+##
+## Returns: A copy of the given string with the lowercase letters (as indicated
+##          by ``isascii`` and \verb|islower|``) folded to uppercase
+##          (via ``toupper``).
+##
+## .. bro:see:: to_lower is_ascii
 function to_upper%(str: string%): string
 	%{
-	const char* s = str->CheckString();
-	int n = strlen(s) + 1;
-	char* upper_s = new char[n];
+	const u_char* s = str->Bytes();
+	int n = str->Len();
+	u_char* upper_s = new u_char[n + 1];
+	u_char* us = upper_s;
 
-	char* us;
-	for ( us = upper_s; *s; ++s )
+	for ( int i = 0; i < n; ++i)
 		{
-		if ( isascii(*s) && islower(*s) )
-			*us++ = toupper(*s);
+		if ( isascii(s[i]) && islower(s[i]) )
+			*us++ = toupper(s[i]);
 		else
-			*us++ = *s;
+			*us++ = s[i];
 		}
 
-	*us = '\0';
+    *us++ = '\0';
 
-	return new StringVal(new BroString(1, byte_vec(upper_s), n-1));
+	return new StringVal(new BroString(1, upper_s, n));
 	%}
 
+## Replaces non-printable characters in a string with escaped sequences. The
+## mappings are:
+##
+##     - ``NUL`` to ``\0``
+##     - ``DEL`` to ``^?``
+##     - values <= 26 to ``^[A-Z]``
+##     - values not in *[32, 126]** to ``%XX``
+##
+## If the string does not yet have a trailing NUL, one is added.
+##
+## str: The string to escape.
+##
+## Returns: The escaped string.
+##
+## .. bro:see:: to_string_literal escape_string
 function clean%(str: string%): string
 	%{
 	char* s = str->AsString()->Render();
 	return new StringVal(new BroString(1, byte_vec(s), strlen(s)));
 	%}
 
+## Replaces non-printable characters in a string with escaped sequences. The
+## mappings are:
+##
+##     - ``NUL`` to ``\0``
+##     - ``DEL`` to ``^?``
+##     - values <= 26 to ``^[A-Z]``
+##     - values not in *[32, 126]** to ``%XX``
+##
+## str: The string to escape.
+##
+## Returns: The escaped string.
+##
+## .. bro:see:: clean escape_string
 function to_string_literal%(str: string%): string
 	%{
 	char* s = str->AsString()->Render(BroString::BRO_STRING_LITERAL);
 	return new StringVal(new BroString(1, byte_vec(s), strlen(s)));
 	%}
 
+## Determines whether a given string contains only ASCII characters.
+##
+## str: The string to examine.
+##
+## Returns: False if any byte value of *str* is greater than 127, and true
+##          otherwise.
+##
+## .. bro:see:: to_upper to_lower
 function is_ascii%(str: string%): bool
 	%{
 	int n = str->Len();
@@ -538,7 +798,14 @@ function is_ascii%(str: string%): bool
 	return new Val(1, TYPE_BOOL);
 	%}
 
-# Make printable version of string.
+## Creates a printable version of a string. This function is the same as
+## :bro:id:`clean` except that non-printable characters are removed.
+##
+## s: The string to escape.
+##
+## Returns: The escaped string.
+##
+## .. bro:see:: clean to_string_literal
 function escape_string%(s: string%): string
 	%{
 	char* escstr = s->AsString()->Render();
@@ -547,7 +814,12 @@ function escape_string%(s: string%): string
 	return val;
 	%}
 
-# Returns an ASCII hexadecimal representation of a string.
+## Returns an ASCII hexadecimal representation of a string.
+##
+## s: The string to convert to hex.
+##
+## Returns: A copy of *s* where each byte is replaced with the corresponding
+##          hex nibble.
 function string_to_ascii_hex%(s: string%): string
 	%{
 	char* x = new char[s->Len() * 2 + 1];
@@ -559,8 +831,15 @@ function string_to_ascii_hex%(s: string%): string
 	return new StringVal(new BroString(1, (u_char*) x, s->Len() * 2));
 	%}
 
-function str_smith_waterman%(s1: string, s2: string, params: sw_params%)
-: sw_substring_vec
+## Uses the Smith Waterman algorithm to find similar/overlapping substrings.
+## See `Wikipedia <http://en.wikipedia.org/wiki/Smith%E2%80%93Waterman_algorithm>`_.
+##
+## s1: The first string.
+##
+## s2: The second string.
+##
+## Returns: The result of the Smit Waterman algorithm calculation.
+function str_smith_waterman%(s1: string, s2: string, params: sw_params%) : sw_substring_vec
 	%{
 	SWParams sw_params(params->AsRecordVal()->Lookup(0)->AsCount(),
 			   SWVariant(params->AsRecordVal()->Lookup(1)->AsCount()));
@@ -574,6 +853,16 @@ function str_smith_waterman%(s1: string, s2: string, params: sw_params%)
 	return result;
 	%}
 
+## Splits a string into substrings with the help of an index vector of cutting
+## points.
+##
+## s: The string to split.
+##
+## idx: The index vector (``vector of count``) with the cutting points.
+##
+## Returns: A vector of strings.
+##
+## .. bro:see:: split split1 split_all split_n
 function str_split%(s: string, idx: index_vec%): string_vec
 	%{
 	vector<Val*>* idx_v = idx->AsVector();
@@ -602,59 +891,75 @@ function str_split%(s: string, idx: index_vec%): string_vec
 	return result_v;
 	%}
 
+## Strips whitespace at both ends of a string.
+##
+## str: The string to strip the whitespace from.
+##
+## Returns: A copy of *str* with leading and trailing whitespace removed.
+##
+## .. bro:see:: sub gsub
 function strip%(str: string%): string
 	%{
-	const char* s = str->CheckString();
+	const u_char* s = str->Bytes();
+	int n = str->Len();
 
-	int n = strlen(s) + 1;
-	char* strip_s = new char[n];
-
-	if ( n == 1 )
+	if ( n == 0 )
 		// Empty string.
-		return new StringVal(new BroString(1, byte_vec(strip_s), 0));
+		return new StringVal(new BroString(s, n, 1));
 
-	while ( isspace(*s) )
-		++s;
+	const u_char* sp = s;
 
-	strncpy(strip_s, s, n);
-
-	char* s2 = strip_s;
-	char* e = &s2[strlen(s2) - 1];
-
-	while ( e > s2 && isspace(*e) )
+	// Move a pointer from the end of the string.
+	const u_char* e = sp + n - 1;
+	while ( e > sp && isspace(*e) )
 		--e;
 
-	e[1] = '\0';	// safe even if e hasn't changed, due to n = strlen + 1
+	// Move the pointer for the beginning of the string.
+	while ( isspace(*sp) && sp <= e )
+		++sp;
 
-	return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1));
+	return new StringVal(new BroString(sp, (e - sp + 1), 1));
 	%}
 
+## Generates a string of a given size and fills it with repetitions of a source
+## string.
+##
+## len: The length of the output string.
+##
+## source: The string to concatenate repeatedly until *len* has been reached.
+##
+## Returns: A string of length *len* filled with *source*.
 function string_fill%(len: int, source: string%): string
 	%{
-	const char* src = source->CheckString();
-
-	int sn = strlen(src);
+	const u_char* src = source->Bytes();
+	int64_t n = source->Len();
 	char* dst = new char[len];
 
-	for ( int i = 0; i < len; i += sn )
-		::memcpy((dst + i), src, min(sn, len - i));
+	for ( int i = 0; i < len; i += n )
+		::memcpy((dst + i), src, min(n, len - i));
 
 	dst[len - 1] = 0;
 
 	return new StringVal(new BroString(1, byte_vec(dst), len));
 	%}
 
-# Takes a string and escapes characters that would allow execution of commands
-# at the shell level.  Must be used before including strings in system() or
-# similar calls.
-#
+## Takes a string and escapes characters that would allow execution of
+## commands at the shell level. Must be used before including strings in
+## :bro:id:`system` or similar calls.
+##
+## source: The string to escape.
+##
+## Returns: A shell-escaped version of *source*.
+##
+## .. bro:see:: system
 function str_shell_escape%(source: string%): string
 	%{
 	unsigned j = 0;
-	const char* src = source->CheckString();
-	char* dst = new char[strlen(src) * 2 + 1];
+	const u_char* src = source->Bytes();
+	unsigned n = source->Len();
+	byte_vec dst = new u_char[n * 2 + 1];
 
-	for ( unsigned i = 0; i < strlen(src); ++i )
+	for ( unsigned i = 0; i < n; ++i )
 		{
 		switch ( src[i] ) {
 		case '`': case '"': case '\\': case '$':
@@ -672,14 +977,21 @@ function str_shell_escape%(source: string%): string
 		}
 
 	dst[j] = '\0';
-	return new StringVal(new BroString(1, byte_vec(dst), j));
+	return new StringVal(new BroString(1, dst, j));
 	%}
 
-# Returns all occurrences of the given pattern in the given string (an empty
-# empty set if none).
+## Finds all occurrences of a pattern in a string.
+##
+## str: The string to inspect.
+##
+## re: The pattern to look for in *str*.
+##
+## Returns: The set of strings in *str* that match *re*, or the empty set.
+##
+## .. bro:see: find_last strstr
 function find_all%(str: string, re: pattern%) : string_set
 	%{
-	TableVal* a = new TableVal(internal_type("string_set")->AsTableType());
+	TableVal* a = new TableVal(string_set);
 
 	const u_char* s = str->Bytes();
 	const u_char* e = s + str->Len();
@@ -697,11 +1009,18 @@ function find_all%(str: string, re: pattern%) : string_set
 	return a;
 	%}
 
-# Returns the last occurrence of the given pattern in the given string.
-# If not found, returns an empty string.  Note that this function returns
-# the match that starts at the largest index in the string, which is
-# not necessarily the longest match.  For example, a pattern of /.*/
-# will return the final character in the string.
+## Finds the last occurrence of a pattern in a string. This function returns
+## the match that starts at the largest index in the string, which is not
+## necessarily the longest match.  For example, a pattern of ``/.*/`` will
+## return the final character in the string.
+##
+## str: The string to inspect.
+##
+## re: The pattern to look for in *str*.
+##
+## Returns: The last string in *str* that matches *re*, or the empty string.
+##
+## .. bro:see: find_all strstr
 function find_last%(str: string, re: pattern%) : string
 	%{
 	const u_char* s = str->Bytes();
@@ -717,10 +1036,16 @@ function find_last%(str: string, re: pattern%) : string
 	return new StringVal("");
 	%}
 
-# Returns a hex dump for given input data.  The hex dump renders
-# 16 bytes per line, with hex on the left and ASCII (where printable)
-# on the right.  Based on Netdude's hex editor code.
-#
+## Returns a hex dump for given input data. The hex dump renders 16 bytes per
+## line, with hex on the left and ASCII (where printable)
+## on the right.
+##
+## data_str: The string to dump in hex format.
+##
+## .. bro:see:: string_to_ascii_hex bytestring_to_hexstr
+##
+## .. note:: Based on Netdude's hex editor code.
+##
 function hexdump%(data_str: string%) : string
 	%{
 
diff --git a/src/syslog-analyzer.pac b/src/syslog-analyzer.pac
new file mode 100644
index 0000000000..6657a63699
--- /dev/null
+++ b/src/syslog-analyzer.pac
@@ -0,0 +1,27 @@
+
+connection Syslog_Conn(bro_analyzer: BroAnalyzer)
+{
+	upflow = Syslog_Flow;
+	downflow = Syslog_Flow;
+};
+
+flow Syslog_Flow
+{
+	datagram = Syslog_Message withcontext(connection, this);
+
+	function process_syslog_message(m: Syslog_Message): bool
+		%{
+		BifEvent::generate_syslog_message(connection()->bro_analyzer(),
+		                                  connection()->bro_analyzer()->Conn(),
+		                                  ${m.PRI.facility},
+		                                  ${m.PRI.severity},
+		                                  new StringVal(${m.msg}.length(), (const char*) ${m.msg}.begin())
+		                                  );
+		return true;
+		%}
+
+};
+
+refine typeattr Syslog_Message += &let {
+	proc_syslog_message = $context.flow.process_syslog_message(this);
+};
diff --git a/src/syslog-protocol.pac b/src/syslog-protocol.pac
new file mode 100644
index 0000000000..a2bf8a31da
--- /dev/null
+++ b/src/syslog-protocol.pac
@@ -0,0 +1,15 @@
+type Syslog_Message = record {
+	PRI: Syslog_Priority;
+	msg: bytestring &restofdata;
+} &byteorder = littleendian;
+
+type Syslog_Priority = record {
+	lt    : uint8 &check(lt == "<");
+	val   : RE/[[:digit:]]+/;
+	gt    : uint8 &check(gt == ">");
+} &let {
+	val_length: int = sizeof(val) - 1;
+	int_val: int = bytestring_to_int(val, 10);
+	severity: int = (int_val & 0x07);
+	facility: int = (int_val & 0x03f8) >> 3;
+};
diff --git a/src/syslog.pac b/src/syslog.pac
new file mode 100644
index 0000000000..3c0ecfb10d
--- /dev/null
+++ b/src/syslog.pac
@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer Syslog withcontext {
+	connection:	Syslog_Conn;
+	flow:		Syslog_Flow;
+};
+
+%include syslog-protocol.pac
+%include syslog-analyzer.pac
diff --git a/src/types.bif b/src/types.bif
new file mode 100644
index 0000000000..4657584a90
--- /dev/null
+++ b/src/types.bif
@@ -0,0 +1,171 @@
+##! Declaration of various types that the Bro core uses internally.
+
+enum dce_rpc_ptype %{
+	DCE_RPC_REQUEST,
+	DCE_RPC_PING,
+	DCE_RPC_RESPONSE,
+	DCE_RPC_FAULT,
+	DCE_RPC_WORKING,
+	DCE_RPC_NOCALL,
+	DCE_RPC_REJECT,
+	DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL,
+	DCE_RPC_FACK,
+	DCE_RPC_CANCEL_ACK,
+	DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK,
+	DCE_RPC_BIND_NAK,
+	DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP,
+	DCE_RPC_SHUTDOWN,
+	DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+%}
+
+enum dce_rpc_if_id %{
+	DCE_RPC_unknown_if,
+	DCE_RPC_epmapper,
+	DCE_RPC_lsarpc,
+	DCE_RPC_lsa_ds,
+	DCE_RPC_mgmt,
+	DCE_RPC_netlogon,
+	DCE_RPC_samr,
+	DCE_RPC_srvsvc,
+	DCE_RPC_spoolss,
+	DCE_RPC_drs,
+	DCE_RPC_winspipe,
+	DCE_RPC_wkssvc,
+	DCE_RPC_oxid,
+	DCE_RPC_ISCMActivator,
+%}
+
+enum rpc_status %{
+	RPC_SUCCESS,
+	RPC_PROG_UNAVAIL,
+	RPC_PROG_MISMATCH,
+	RPC_PROC_UNAVAIL,
+	RPC_GARBAGE_ARGS,
+	RPC_SYSTEM_ERR,
+	RPC_TIMEOUT,
+	RPC_VERS_MISMATCH,
+	RPC_AUTH_ERROR,
+	RPC_UNKNOWN_ERROR,
+%}
+
+module NFS3;
+
+enum proc_t %{	# NFSv3 procedures
+	PROC_NULL     = 0,	# done
+	PROC_GETATTR  = 1,	# done
+	PROC_SETATTR  = 2,	# not implemented
+	PROC_LOOKUP   = 3,	# done
+	PROC_ACCESS   = 4,	# not implemented
+	PROC_READLINK = 5,	# done
+	PROC_READ     = 6,	# done
+	PROC_WRITE    = 7,	# done
+	PROC_CREATE   = 8,	# partial
+	PROC_MKDIR    = 9,	# partial
+	PROC_SYMLINK  = 10,	# not implemented
+	PROC_MKNOD    = 11,	# not implemented
+	PROC_REMOVE   = 12,	# done
+	PROC_RMDIR    = 13,	# done
+	PROC_RENAME   = 14,	# not implemented
+	PROC_LINK     = 15,	# not implemented
+	PROC_READDIR  = 16,	# done
+	PROC_READDIRPLUS  = 17,	# done
+	PROC_FSSTAT   = 18,	# not implemented
+	PROC_FSINFO   = 19,	# not implemented
+	PROC_PATHCONF = 20,	# not implemented
+	PROC_COMMIT   = 21,	# not implemented
+	PROC_END_OF_PROCS = 22,	# not implemented
+%}
+
+enum status_t %{	# NFSv3 return status
+	NFS3ERR_OK          = 0,
+	NFS3ERR_PERM        = 1,
+	NFS3ERR_NOENT       = 2,
+	NFS3ERR_IO          = 5,
+	NFS3ERR_NXIO        = 6,
+	NFS3ERR_ACCES       = 13,
+	NFS3ERR_EXIST       = 17,
+	NFS3ERR_XDEV        = 18,
+	NFS3ERR_NODEV       = 19,
+	NFS3ERR_NOTDIR      = 20,
+	NFS3ERR_ISDIR       = 21,
+	NFS3ERR_INVAL       = 22,
+	NFS3ERR_FBIG        = 27,
+	NFS3ERR_NOSPC       = 28,
+	NFS3ERR_ROFS        = 30,
+	NFS3ERR_MLINK       = 31,
+	NFS3ERR_NAMETOOLONG = 63,
+	NFS3ERR_NOTEMPTY    = 66,
+	NFS3ERR_DQUOT       = 69,
+	NFS3ERR_STALE       = 70,
+	NFS3ERR_REMOTE      = 71,
+	NFS3ERR_BADHANDLE   = 10001,
+	NFS3ERR_NOT_SYNC    = 10002,
+	NFS3ERR_BAD_COOKIE  = 10003,
+	NFS3ERR_NOTSUPP     = 10004,
+	NFS3ERR_TOOSMALL    = 10005,
+	NFS3ERR_SERVERFAULT = 10006,
+	NFS3ERR_BADTYPE     = 10007,
+	NFS3ERR_JUKEBOX     = 10008,
+	NFS3ERR_UNKNOWN     = 0xffffffff,
+%}
+
+enum file_type_t %{
+	FTYPE_REG   = 1,
+	FTYPE_DIR   = 2,
+	FTYPE_BLK   = 3,
+	FTYPE_CHR   = 4,
+	FTYPE_LNK   = 5,
+	FTYPE_SOCK  = 6,
+	FTYPE_FIFO  = 7,
+%}
+
+enum stable_how_t %{
+	UNSTABLE = 0,
+	DATA_SYNC = 1,
+	FILE_SYNC = 2,
+%}
+
+enum createmode_t %{
+	UNCHECKED = 0,
+	GUARDED = 1,
+	EXCLUSIVE = 2,
+%}
+
+# Declare record types that we want to access from the event engine. These are
+# defined in init-bare.bro.
+type info_t: record;
+type fattr_t: record;
+type diropargs_t: record;
+type lookup_reply_t: record;
+type readargs_t: record;
+type read_reply_t: record;
+type readlink_reply_t: record;
+type writeargs_t: record;
+type wcc_attr_t: record;
+type write_reply_t: record;
+type newobj_reply_t: record;
+type delobj_reply_t: record;
+type readdirargs_t: record;
+type direntry_t: record;
+type direntry_vec_t: vector;
+type readdir_reply_t: record;
+
+type fsstat_t: record;
+
+module Log;
+
+enum Writer %{
+	WRITER_DEFAULT,
+	WRITER_NONE,
+	WRITER_ASCII,
+%}
+
+enum ID %{
+	Unknown,
+%}
+
+module GLOBAL;
diff --git a/src/util.cc b/src/util.cc
index d8390a866c..856e90d156 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1,5 +1,3 @@
-// $Id: util.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "config.h"
@@ -15,6 +13,8 @@
 # endif
 #endif
 
+#include <string>
+#include <vector>
 #include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -26,6 +26,7 @@
 #include <stdarg.h>
 #include <errno.h>
 #include <signal.h>
+#include <libgen.h>
 
 #ifdef HAVE_MALLINFO
 # include <malloc.h>
@@ -38,6 +39,38 @@
 #include "Val.h"
 #include "NetVar.h"
 #include "Net.h"
+#include "Reporter.h"
+
+/**
+ * Takes a string, escapes characters into equivalent hex codes (\x##), and
+ * returns a string containing all escaped values.
+ *
+ * @param str string to escape
+ * @param escape_all If true, all characters are escaped. If false, only
+ * characters are escaped that are either whitespace or not printable in
+ * ASCII.
+ * @return A std::string containing a list of escaped hex values of the form
+ * \x## */
+std::string get_escaped_string(const std::string& str, bool escape_all)
+{
+    char tbuf[16];
+    string esc = "";
+
+    for ( size_t i = 0; i < str.length(); ++i )
+        {
+	char c = str[i];
+
+	if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
+		{
+		snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
+		esc += tbuf;
+		}
+	else
+		esc += c;
+	}
+
+    return esc;
+}
 
 char* copy_string(const char* s)
 	{
@@ -83,7 +116,7 @@ int expand_escape(const char*& s)
 		int result;
 		if ( sscanf(start, "%3o", &result) != 1 )
 			{
-			warn("bad octal escape: ", start);
+			reporter->Warning("bad octal escape: %s ", start);
 			result = 0;
 			}
 
@@ -102,7 +135,7 @@ int expand_escape(const char*& s)
 		int result;
 		if ( sscanf(start, "%2x", &result) != 1 )
 			{
-			warn("bad hexadecimal escape: ", start);
+			reporter->Warning("bad hexadecimal escape: %s", start);
 			result = 0;
 			}
 
@@ -229,7 +262,7 @@ unsigned char encode_hex(int h)
 
 	if  ( h < 0 || h >= 16 )
 		{
-		internal_error("illegal value for encode_hex: %d", h);
+		reporter->InternalError("illegal value for encode_hex: %d", h);
 		return 'X';
 		}
 
@@ -295,9 +328,9 @@ char* strcasestr(const char* s, const char* find)
 	}
 #endif
 
-int atoi_n(int len, const char* s, const char** end, int base, int& result)
+template<class T> int atoi_n(int len, const char* s, const char** end, int base, T& result)
 	{
-	int n = 0;
+	T n = 0;
 	int neg = 0;
 
 	if ( len > 0 && *s == '-' )
@@ -340,6 +373,45 @@ int atoi_n(int len, const char* s, const char** end, int base, int& result)
 	return 1;
 	}
 
+// Instantiate the ones we need.
+template int atoi_n<int>(int len, const char* s, const char** end, int base, int& result);
+template int atoi_n<int64_t>(int len, const char* s, const char** end, int base, int64_t& result);
+template int atoi_n<uint64_t>(int len, const char* s, const char** end, int base, uint64_t& result);
+
+char* uitoa_n(uint64 value, char* str, int n, int base, const char* prefix)
+	{
+	static char dig[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+
+	assert(n);
+
+	int i = 0;
+	uint64 v;
+	char* p, *q;
+	char c;
+
+	if ( prefix )
+		{
+		strncpy(str, prefix, n);
+		str[n-1] = '\0';
+		i += strlen(prefix);
+		}
+
+	if ( i >= n - 1 )
+		return str;
+
+	v = value;
+
+	do {
+		str[i++] = dig[v % base];
+		v /= base;
+	} while ( v && i < n - 1 );
+
+	str[i] = '\0';
+
+	return str;
+	}
+
+
 int strstr_n(const int big_len, const u_char* big,
 		const int little_len, const u_char* little)
 	{
@@ -417,7 +489,7 @@ const char* fmt(const char* format, ...)
 		va_end(al);
 
 		if ( (unsigned int) n >= buf_len )
-			internal_error("confusion reformatting in fmt()");
+			reporter->InternalError("confusion reformatting in fmt()");
 		}
 
 	return buf;
@@ -438,22 +510,22 @@ bool ensure_dir(const char *dirname)
 		{
 		if ( errno != ENOENT )
 			{
-			warn(fmt("can't stat directory %s: %s",
-				dirname, strerror(errno)));
+			reporter->Warning("can't stat directory %s: %s",
+				dirname, strerror(errno));
 			return false;
 			}
 
 		if ( mkdir(dirname, 0700) < 0 )
 			{
-			warn(fmt("can't create directory %s: %s",
-				dirname, strerror(errno)));
+			reporter->Warning("can't create directory %s: %s",
+				dirname, strerror(errno));
 			return false;
 			}
 		}
 
 	else if ( ! S_ISDIR(st.st_mode) )
 		{
-		warn(fmt("%s exists but is not a directory", dirname));
+		reporter->Warning("%s exists but is not a directory", dirname);
 		return false;
 		}
 
@@ -466,7 +538,7 @@ bool is_dir(const char* path)
 	if ( stat(path, &st) < 0 )
 		{
 		if ( errno != ENOENT )
-			warn(fmt("can't stat %s: %s", path, strerror(errno)));
+			reporter->Warning("can't stat %s: %s", path, strerror(errno));
 
 		return false;
 		}
@@ -498,7 +570,7 @@ uint8 shared_hmac_md5_key[16];
 void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16])
 	{
 	if ( ! hmac_key_set )
-		internal_error("HMAC-MD5 invoked before the HMAC key is set");
+		reporter->InternalError("HMAC-MD5 invoked before the HMAC key is set");
 
 	hash_md5(size, bytes, digest);
 
@@ -516,15 +588,15 @@ static bool read_random_seeds(const char* read_file, uint32* seed,
 
 	if ( stat(read_file, &st) < 0 )
 		{
-		warn(fmt("Seed file '%s' does not exist: %s",
-				read_file, strerror(errno)));
+		reporter->Warning("Seed file '%s' does not exist: %s",
+				read_file, strerror(errno));
 		return false;
 		}
 
 	if ( ! (f = fopen(read_file, "r")) )
 		{
-		warn(fmt("Could not open seed file '%s': %s",
-				read_file, strerror(errno)));
+		reporter->Warning("Could not open seed file '%s': %s",
+				read_file, strerror(errno));
 		return false;
 		}
 
@@ -559,8 +631,8 @@ static bool write_random_seeds(const char* write_file, uint32 seed,
 
 	if ( ! (f = fopen(write_file, "w+")) )
 		{
-		warn(fmt("Could not create seed file '%s': %s",
-				write_file, strerror(errno)));
+		reporter->Warning("Could not create seed file '%s': %s",
+				write_file, strerror(errno));
 		return false;
 		}
 
@@ -573,6 +645,17 @@ static bool write_random_seeds(const char* write_file, uint32 seed,
 	return true;
 	}
 
+static bool bro_rand_determistic = false;
+static unsigned int bro_rand_state = 0;
+
+static void bro_srand(unsigned int seed, bool deterministic)
+	{
+	bro_rand_state = seed;
+	bro_rand_determistic = deterministic;
+
+	srand(seed);
+	}
+
 void init_random_seed(uint32 seed, const char* read_file, const char* write_file)
 	{
 	static const int bufsiz = 16;
@@ -583,7 +666,7 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 	if ( read_file )
 		{
 		if ( ! read_random_seeds(read_file, &seed, buf, bufsiz) )
-			fprintf(stderr, "Could not load seeds from file '%s'.\n",
+			reporter->Error("Could not load seeds from file '%s'.\n",
 					read_file);
 		else
 			seeds_done = true;
@@ -633,9 +716,11 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 				seed = (seed << 1) | (seed >> 31);
 				}
 			}
+		else
+			seeds_done = true;
 		}
 
-	srandom(seed);
+	bro_srand(seed, seeds_done);
 
 	if ( ! hmac_key_set )
 		{
@@ -644,10 +729,34 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 		}
 
 	if ( write_file && ! write_random_seeds(write_file, seed, buf, bufsiz) )
-		fprintf(stderr, "Could not write seeds to file '%s'.\n",
+		reporter->Error("Could not write seeds to file '%s'.\n",
 				write_file);
 	}
 
+bool have_random_seed()
+	{
+	return bro_rand_determistic;
+	}
+
+long int bro_random()
+	{
+	if ( ! bro_rand_determistic )
+		return random(); // Use system PRNG.
+
+	// Use our own simple linear congruence PRNG to make sure we are
+	// predictable across platforms.
+	const long int m = 2147483647;
+	const long int a = 16807;
+	const long int q = m / a;
+	const long int r = m % a;
+
+	bro_rand_state = a * ( bro_rand_state % q ) - r * ( bro_rand_state / q );
+
+	if ( bro_rand_state <= 0 )
+		bro_rand_state += m;
+
+	return bro_rand_state;
+	}
 
 // Returns a 64-bit random string.
 uint64 rand64bit()
@@ -656,109 +765,10 @@ uint64 rand64bit()
 	int i;
 
 	for ( i = 1; i <= 4; ++i )
-		base = (base<<16) | random();
+		base = (base<<16) | bro_random();
 	return base;
 	}
 
-void message(const char* msg)
-	{
-	pinpoint();
-	fprintf(stderr, "%s\n", msg);
-	}
-
-void warn(const char* msg)
-	{
-	pinpoint();
-	fprintf(stderr, "warning: %s\n", msg);
-	++nwarn;
-	}
-
-void warn(const char* msg, const char* addl)
-	{
-	pinpoint();
-	fprintf(stderr, "warning: %s %s\n", msg, addl);
-	++nwarn;
-	}
-
-void error(const char* msg)
-	{
-	pinpoint();
-	fprintf(stderr, "error: %s\n", msg);
-	++nerr;
-	}
-
-void error(const char* msg, const char* addl)
-	{
-	pinpoint();
-	fprintf(stderr, "error: %s %s\n", msg, addl);
-	++nerr;
-	}
-
-void error(const char* msg, uint32 addl)
-	{
-	pinpoint();
-	fprintf(stderr, "error: %s - %u\n", msg, addl);
-	++nerr;
-	}
-
-void run_time(const char* msg)
-	{
-	pinpoint();
-	fprintf(stderr, "run-time error: %s\n", msg);
-	++nruntime;
-	}
-
-void run_time(const char* fmt, BroObj* obj)
-	{
-	ODesc d;
-	obj->Describe(&d);
-	run_time(fmt, d.Description());
-	}
-
-void run_time(const char* fmt, const char* arg)
-	{
-	pinpoint();
-	fprintf(stderr, "run-time error: ");
-	fprintf(stderr, fmt, arg);
-	fprintf(stderr, "\n");
-	++nruntime;
-	}
-
-void run_time(const char* fmt, const char* arg1, const char* arg2)
-	{
-	pinpoint();
-	fprintf(stderr, "run-time error: ");
-	fprintf(stderr, fmt, arg1, arg2);
-	fprintf(stderr, "\n");
-	++nruntime;
-	}
-
-void internal_error(const char* fmt, ...)
-	{
-	va_list al;
-
-	pinpoint();
-	fprintf(stderr, "internal error: ");
-	va_start(al, fmt);
-	vfprintf(stderr, fmt, al);
-	va_end(al);
-	fprintf(stderr, "\n");
-	set_processing_status("TERMINATED", "internal_error");
-	abort();
-	}
-
-void pinpoint()
-	{
-	if ( network_time > 0.0 )
-		fprintf(stderr, "%.6f ", network_time);
-	else
-		{
-		if ( filename )
-			fprintf(stderr, "%s, ", filename);
-		fprintf(stderr, "line %d: ", line_number);
-		}
-	}
-
 int int_list_cmp(const void* v1, const void* v2)
 	{
 	ptr_compat_int i1 = *(ptr_compat_int*) v1;
@@ -777,10 +787,9 @@ const char* bro_path()
 	const char* path = getenv("BROPATH");
 	if ( ! path )
 		path = ".:"
-			POLICYDEST ":"
-			POLICYDEST "/sigs:" 
-			POLICYDEST "/time-machine:"
-			POLICYDEST "/site";
+			BRO_SCRIPT_INSTALL_PATH ":"
+			BRO_SCRIPT_INSTALL_PATH "/policy" ":"
+			BRO_SCRIPT_INSTALL_PATH "/site";
 
 	return path;
 	}
@@ -805,24 +814,182 @@ const char* bro_prefixes()
 	return p;
 	}
 
-FILE* open_file(const char* filename, const char** full_filename)
+const char* PACKAGE_LOADER = "__load__.bro";
+
+// If filename is pointing to a directory that contains a file called
+// PACKAGE_LOADER, returns the files path. Otherwise returns filename itself.
+// In both cases, the returned string is newly allocated.
+static const char* check_for_dir(const char* filename, bool load_pkgs)
 	{
+	if ( load_pkgs && is_dir(filename) )
+		{
+		char init_filename_buf[1024];
+		safe_snprintf(init_filename_buf, sizeof(init_filename_buf),
+			      "%s/%s", filename, PACKAGE_LOADER);
+
+		if ( access(init_filename_buf, R_OK) == 0 )
+			return copy_string(init_filename_buf);
+		}
+
+	return copy_string(filename);
+	}
+
+FILE* open_file(const char* filename, const char** full_filename, bool load_pkgs)
+	{
+	filename = check_for_dir(filename, load_pkgs);
+
 	if ( full_filename )
 		*full_filename = copy_string(filename);
 
 	FILE* f = fopen(filename, "r");
 
+	delete [] filename;
+
 	return f;
 	}
 
-FILE* search_for_file(const char* filename, const char* ext,
-			const char** full_filename)
+// Canonicalizes a given 'file' that lives in 'path' into a flattened,
+// dotted format.  If the optional 'prefix' argument is given, it is
+// prepended to the dotted-format, separated by another dot.
+// If 'file' is __load__.bro, that part is discarded when constructing
+// the final dotted-format.
+string dot_canon(string path, string file, string prefix)
 	{
-	if ( filename[0] == '/' || filename[0] == '.' )
-		return open_file(filename, full_filename);
+	string dottedform(prefix);
+	if ( prefix != "" )
+		dottedform.append(".");
+	dottedform.append(path);
+	char* tmp = copy_string(file.c_str());
+	char* bname = basename(tmp);
+	if ( ! streq(bname, PACKAGE_LOADER) )
+		{
+		if ( path != "" )
+			dottedform.append(".");
+		dottedform.append(bname);
+		}
+	delete [] tmp;
+	size_t n;
+	while ( (n = dottedform.find("/")) != string::npos )
+		dottedform.replace(n, 1, ".");
+	return dottedform;
+	}
+
+// returns a normalized version of a path, removing duplicate slashes,
+// extraneous dots that refer to the current directory, and pops as many
+// parent directories referred to by "../" as possible
+const char* normalize_path(const char* path)
+	{
+	size_t n;
+	string p(path);
+	vector<string> components, final_components;
+	string new_path;
+
+	if ( p[0] == '/' )
+		new_path = "/";
+
+	while ( (n = p.find("/")) != string::npos )
+		{
+		components.push_back(p.substr(0, n));
+		p.erase(0, n + 1);
+		}
+	components.push_back(p);
+
+	vector<string>::const_iterator it;
+	for ( it = components.begin(); it != components.end(); ++it )
+		{
+		if ( *it == "" ) continue;
+		final_components.push_back(*it);
+
+		if ( *it == "." && it != components.begin() )
+			final_components.pop_back();
+		else if ( *it == ".." && final_components[0] != ".." )
+			{
+			final_components.pop_back();
+			final_components.pop_back();
+			}
+		}
+
+	for ( it = final_components.begin(); it != final_components.end(); ++it )
+		{
+		new_path.append(*it);
+		new_path.append("/");
+		}
+
+	if ( new_path.size() > 1 && new_path[new_path.size() - 1] == '/' )
+		new_path.erase(new_path.size() - 1);
+
+	return copy_string(new_path.c_str());
+	}
+
+// Returns the subpath of the root Bro script install/source/build directory in
+// which the loaded file is located.  If it's not under a subpath of that
+// directory (e.g. cwd or custom path) then the full path is returned.
+void get_script_subpath(const std::string& full_filename, const char** subpath)
+	{
+	size_t p;
+	std::string my_subpath(full_filename);
+
+	// get the parent directory of file (if not already a directory)
+	if ( ! is_dir(full_filename.c_str()) )
+		{
+		char* tmp = copy_string(full_filename.c_str());
+		my_subpath = dirname(tmp);
+		delete [] tmp;
+		}
+
+	// first check if this is some subpath of the installed scripts root path,
+	// if not check if it's a subpath of the script source root path,
+	// then check if it's a subpath of the build directory (where BIF scripts
+	// will get generated).
+	// If none of those, will just use the given directory.
+	if ( (p = my_subpath.find(BRO_SCRIPT_INSTALL_PATH)) != std::string::npos )
+		my_subpath.erase(0, strlen(BRO_SCRIPT_INSTALL_PATH));
+	else if ( (p = my_subpath.find(BRO_SCRIPT_SOURCE_PATH)) != std::string::npos )
+		my_subpath.erase(0, strlen(BRO_SCRIPT_SOURCE_PATH));
+	else if ( (p = my_subpath.find(BRO_BUILD_PATH)) != std::string::npos )
+		my_subpath.erase(0, strlen(BRO_BUILD_PATH));
+
+	// if root path found, remove path separators until next path component
+	if ( p != std::string::npos )
+		while ( my_subpath.size() && my_subpath[0] == '/' )
+			my_subpath.erase(0, 1);
+
+	*subpath = normalize_path(my_subpath.c_str());
+	}
+
+extern string current_scanned_file_path;
+
+FILE* search_for_file(const char* filename, const char* ext,
+			const char** full_filename, bool load_pkgs,
+			const char** bropath_subpath)
+	{
+	// If the file is a literal absolute path we don't have to search,
+	// just return the result of trying to open it.  If the file is
+	// might be a relative path, check first if it's a real file that
+	// can be referenced from cwd, else we'll try to search for it based
+	// on what path the currently-loading script is in as well as the
+	// standard BROPATH paths.
+	if ( filename[0] == '/' ||
+	    (filename[0] == '.' && access(filename, R_OK) == 0) )
+		{
+		if ( bropath_subpath )
+			{
+			char* tmp = copy_string(filename);
+			*bropath_subpath = copy_string(dirname(tmp));
+			delete [] tmp;
+			}
+		return open_file(filename, full_filename, load_pkgs);
+		}
 
 	char path[1024], full_filename_buf[1024];
-	safe_strncpy(path, bro_path(), sizeof(path));
+
+	// Prepend the currently loading script's path to BROPATH so that
+	// @loads can be referenced relatively.
+	if ( current_scanned_file_path != "" && filename[0] == '.' )
+		safe_snprintf(path, sizeof(path), "%s:%s",
+		              current_scanned_file_path.c_str(), bro_path());
+	else
+		safe_strncpy(path, bro_path(), sizeof(path));
 
 	char* dir_beginning = path;
 	char* dir_ending = path;
@@ -842,19 +1009,32 @@ FILE* search_for_file(const char* filename, const char* ext,
 				"%s/%s.%s", dir_beginning, filename, ext);
 		if ( access(full_filename_buf, R_OK) == 0 &&
 		     ! is_dir(full_filename_buf) )
-			return open_file(full_filename_buf, full_filename);
+			{
+			if ( bropath_subpath )
+				get_script_subpath(full_filename_buf, bropath_subpath);
+			return open_file(full_filename_buf, full_filename, load_pkgs);
+			}
 
 		safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
 				"%s/%s", dir_beginning, filename);
-		if ( access(full_filename_buf, R_OK) == 0 &&
-		      ! is_dir(full_filename_buf) )
-			return open_file(full_filename_buf, full_filename);
+		if ( access(full_filename_buf, R_OK) == 0 )
+			{
+			if ( bropath_subpath )
+				get_script_subpath(full_filename_buf, bropath_subpath);
+			return open_file(full_filename_buf, full_filename, load_pkgs);
+			}
 
 		dir_beginning = ++dir_ending;
 		}
 
 	if ( full_filename )
 		*full_filename = copy_string(filename);
+	if ( bropath_subpath )
+			{
+			char* tmp = copy_string(filename);
+			*bropath_subpath = copy_string(dirname(tmp));
+			delete [] tmp;
+			}
 
 	return 0;
 	}
@@ -876,7 +1056,7 @@ FILE* rotate_file(const char* name, RecordVal* rotate_info)
 	FILE* newf = fopen(tmpname, "w");
 	if ( ! newf )
 		{
-		run_time(fmt("rotate_file: can't open %s: %s", tmpname, strerror(errno)));
+		reporter->Error("rotate_file: can't open %s: %s", tmpname, strerror(errno));
 		return 0;
 		}
 
@@ -885,7 +1065,7 @@ FILE* rotate_file(const char* name, RecordVal* rotate_info)
 	struct stat dummy;
 	if ( link(name, newname) < 0 || stat(newname, &dummy) < 0 )
 		{
-		run_time(fmt("rotate_file: can't move %s to %s: %s", name, newname, strerror(errno)));
+		reporter->Error("rotate_file: can't move %s to %s: %s", name, newname, strerror(errno));
 		fclose(newf);
 		unlink(newname);
 		unlink(tmpname);
@@ -895,7 +1075,7 @@ FILE* rotate_file(const char* name, RecordVal* rotate_info)
 	// Close current file, and move the tmp to its place.
 	if ( unlink(name) < 0 || link(tmpname, name) < 0 || unlink(tmpname) < 0 )
 		{
-		run_time(fmt("rotate_file: can't move %s to %s: %s", tmpname, name, strerror(errno)));
+		reporter->Error("rotate_file: can't move %s to %s: %s", tmpname, name, strerror(errno));
 		exit(1);	// hard to fix, but shouldn't happen anyway...
 		}
 
@@ -935,7 +1115,7 @@ double calc_next_rotate(double interval, const char* rotate_base_time)
 		{
 		struct tm t;
 		if ( ! strptime(rotate_base_time, "%H:%M", &t) )
-			run_time("calc_next_rotate(): can't parse rotation base time");
+			reporter->Error("calc_next_rotate(): can't parse rotation base time");
 		else
 			base = t.tm_min * 60 + t.tm_hour * 60 * 60;
 		}
@@ -998,7 +1178,7 @@ double current_time(bool real)
 	{
 	struct timeval tv;
 	if ( gettimeofday(&tv, 0) < 0 )
-		internal_error("gettimeofday failed in current_time()");
+		reporter->InternalError("gettimeofday failed in current_time()");
 
 	double t = double(tv.tv_sec) + double(tv.tv_usec) / 1e6;
 
@@ -1036,10 +1216,87 @@ int time_compare(struct timeval* tv_a, struct timeval* tv_b)
 		return tv_a->tv_sec - tv_b->tv_sec;
 	}
 
+struct UIDEntry {
+	UIDEntry() : key(0, 0), needs_init(true) { }
+	UIDEntry(const uint64 i) : key(i, 0), needs_init(false) { }
+
+	struct UIDKey {
+		UIDKey(uint64 i, uint64 c) : instance(i), counter(c) { }
+		uint64 instance;
+		uint64 counter;
+	} key;
+
+	bool needs_init;
+};
+
+static std::vector<UIDEntry> uid_pool;
+
+uint64 calculate_unique_id()
+	{
+	return calculate_unique_id(UID_POOL_DEFAULT_INTERNAL);
+	}
+
+uint64 calculate_unique_id(size_t pool)
+	{
+	uint64 uid_instance = 0;
+
+	if( pool >= uid_pool.size() )
+		{
+		if ( pool < 10000 )
+			uid_pool.resize(pool + 1);
+		else
+			{
+			reporter->Warning("pool passed to calculate_unique_id() too large, using default");
+			pool = UID_POOL_DEFAULT_INTERNAL;
+			}
+		}
+
+	if ( uid_pool[pool].needs_init )
+		{
+		// This is the first time we need a UID for this pool.
+		if ( ! have_random_seed() )
+			{
+			// If we don't need deterministic output (as
+			// indicated by a set seed), we calculate the
+			// instance ID by hashing something likely to be
+			// globally unique.
+			struct {
+				char hostname[120];
+				uint64 pool;
+				struct timeval time;
+				pid_t pid;
+				int rnd;
+			} unique;
+
+			memset(&unique, 0, sizeof(unique)); // Make valgrind happy.
+			gethostname(unique.hostname, 120);
+			unique.hostname[sizeof(unique.hostname)-1] = '\0';
+			gettimeofday(&unique.time, 0);
+			unique.pool = (uint64) pool;
+			unique.pid = getpid();
+			unique.rnd = bro_random();
+
+			uid_instance = HashKey::HashBytes(&unique, sizeof(unique));
+			++uid_instance; // Now it's larger than zero.
+			}
+		else
+			// Generate determistic UIDs for each individual pool.
+			uid_instance = pool;
+
+		// Our instance is unique.  Huzzah.
+		uid_pool[pool] = UIDEntry(uid_instance);
+		}
+
+	assert(!uid_pool[pool].needs_init);
+	assert(uid_pool[pool].key.instance != 0);
+
+	++uid_pool[pool].key.counter;
+	return HashKey::HashBytes(&(uid_pool[pool].key), sizeof(uid_pool[pool].key));
+	}
+
 void out_of_memory(const char* where)
 	{
-	fprintf( stderr, "bro: out of memory in %s.\n", where );
-	abort();
+	reporter->FatalError("out of memory in %s.\n", where);
 	}
 
 void get_memory_usage(unsigned int* total, unsigned int* malloced)
diff --git a/src/util.h b/src/util.h
index f4f007a27d..498bdf00e4 100644
--- a/src/util.h
+++ b/src/util.h
@@ -1,16 +1,20 @@
-// $Id: util.h 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef util_h
 #define util_h
 
+#include <string>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
 #include "config.h"
 
+// Expose C99 functionality from inttypes.h, which would otherwise not be
+// available in C++.
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
+
 #if __STDC__
 #define myattribute __attribute__
 #else
@@ -39,24 +43,21 @@
 extern HeapLeakChecker* heap_checker;
 #endif
 
-typedef unsigned long long int uint64;
-typedef unsigned int uint32;
-typedef unsigned short uint16;
-typedef unsigned char uint8;
-typedef long long int int64;
+#include <stdint.h>
+
+typedef uint64_t uint64;
+typedef uint32_t uint32;
+typedef uint16_t uint16;
+typedef uint8_t uint8;
+
+typedef int64_t int64;
+typedef int32_t int32;
+typedef int16_t int16;
+typedef int8_t int8;
+
 typedef int64 bro_int_t;
 typedef uint64 bro_uint_t;
 
-#if SIZEOF_LONG_LONG == 8
-typedef unsigned long long uint64;
-typedef long long int64;
-#elif SIZEOF_LONG_INT == 8
-typedef unsigned long int uint64;
-typedef long int int64;
-#else
-# error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org."
-#endif
-
 // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of
 // pointer size. They can be cast safely to a pointer, e.g. in Lists,
 // which represent their entities as void* pointers.
@@ -64,13 +65,22 @@ typedef long int int64;
 #if SIZEOF_VOID_P == 8
 typedef uint64 ptr_compat_uint;
 typedef int64 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId64 // Format to use with printf.
+#define PRI_PTR_COMPAT_UINT PRIu64
 #elif SIZEOF_VOID_P == 4
 typedef uint32 ptr_compat_uint;
-typedef int ptr_compat_int;
+typedef int32 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId32
+#define PRI_PTR_COMPAT_UINT PRIu32
 #else
 # error "Unusual pointer size. Please report to bro@bro-ids.org."
 #endif
 
+extern "C"
+	{
+	#include "modp_numtoa.h"
+	}
+
 template <class T>
 void delete_each(T* t)
 	{
@@ -79,6 +89,8 @@ void delete_each(T* t)
 		delete *it;
 	}
 
+std::string get_escaped_string(const std::string& str, bool escape_all);
+
 extern char* copy_string(const char* s);
 extern int streq(const char* s1, const char* s2);
 
@@ -104,8 +116,8 @@ extern int strcasecmp_n(int s_len, const char* s, const char* t);
 extern char* strcasestr(const char* s, const char* find);
 #endif
 extern const char* strpbrk_n(size_t len, const char* s, const char* charset);
-extern int atoi_n(int len, const char* s, const char** end,
-			int base, int& result);
+template<class T> int atoi_n(int len, const char* s, const char** end, int base, T& result);
+extern char* uitoa_n(uint64 value, char* str, int n, int base, const char* prefix=0);
 int strstr_n(const int big_len, const unsigned char* big,
 		const int little_len, const unsigned char* little);
 extern int fputs(int len, const char* s, FILE* fp);
@@ -134,7 +146,7 @@ extern void hmac_md5(size_t size, const unsigned char* bytes,
 
 extern const char* md5_digest_print(const unsigned char digest[16]);
 
-// Initializes RNGs for random() and MD5 usage.  If seed is given, then
+// Initializes RNGs for bro_random() and MD5 usage.  If seed is given, then
 // it is used (to provide determinism).  If load_file is given, the seeds
 // (both random & MD5) are loaded from that file.  This takes precedence
 // over the "seed" argument.  If write_file is given, the seeds are written
@@ -143,10 +155,15 @@ extern const char* md5_digest_print(const unsigned char digest[16]);
 extern void init_random_seed(uint32 seed, const char* load_file,
 				const char* write_file);
 
-extern uint64 rand64bit();
+// Returns true if the user explicitly set a seed via init_random_seed();
+extern bool have_random_seed();
 
-#define UHASH_KEY_SIZE	32
-extern uint8 uhash_key[UHASH_KEY_SIZE];
+// Replacement for the system random(), to which is normally falls back
+// except when a seed has been given. In that case, we use our own
+// predictable PRNG.
+long int bro_random();
+
+extern uint64 rand64bit();
 
 // Each event source that may generate events gets an internally unique ID.
 // This is always LOCAL for a local Bro. For remote event sources, it gets
@@ -157,28 +174,19 @@ extern uint8 uhash_key[UHASH_KEY_SIZE];
 // the obvious places (like Event.h or RemoteSerializer.h)
 
 typedef ptr_compat_uint SourceID;
+#define PRI_SOURCE_ID PRI_PTR_COMPAT_UINT
 static const SourceID SOURCE_LOCAL = 0;
 
-class BroObj;
-extern void message(const char* msg);
-extern void warn(const char* msg);
-extern void warn(const char* msg, const char* addl);
-extern void error(const char* msg);
-extern void error(const char* msg, const char* addl);
-extern void error(const char* msg, uint32 addl);
-extern void run_time(const char* msg);
-extern void run_time(const char* fmt, BroObj* obj);
-extern void run_time(const char* fmt, const char* arg);
-extern void run_time(const char* fmt, const char* arg1, const char* arg2);
-extern void internal_error(const char* fmt, ...)
-	myattribute((volatile, format (printf, 1, 2)));
 extern void pinpoint();
 extern int int_list_cmp(const void* v1, const void* v2);
 
 extern const char* bro_path();
 extern const char* bro_prefixes();
+std::string dot_canon(std::string path, std::string file, std::string prefix = "");
+const char* normalize_path(const char* path);
+void get_script_subpath(const std::string& full_filename, const char** subpath);
 extern FILE* search_for_file(const char* filename, const char* ext,
-	const char** full_filename);
+	const char** full_filename, bool load_pkgs, const char** bropath_subpath);
 
 // Renames the given file to a new temporary name, and opens a new file with
 // the original name. Returns new file or NULL on error. Inits rotate_info if
@@ -221,15 +229,15 @@ extern struct timeval double_to_timeval(double t);
 // Return > 0 if tv_a > tv_b, 0 if equal, < 0 if tv_a < tv_b.
 extern int time_compare(struct timeval* tv_a, struct timeval* tv_b);
 
-inline int min(int a, int b)
-	{
-	return a < b ? a : b;
-	}
-
-inline int max(int a, int b)
-	{
-	return a > b ? a : b;
-	}
+// Returns an integer that's very likely to be unique, even across Bro
+// instances. The integer can be drawn from different pools, which is helpful
+// when the randon number generator is seeded to be deterministic. In that
+// case, the same sequence of integers is generated per pool.
+#define UID_POOL_DEFAULT_INTERNAL 1
+#define UID_POOL_DEFAULT_SCRIPT   2
+#define UID_POOL_CUSTOM_SCRIPT    10 // First available custom script level pool.
+extern uint64 calculate_unique_id();
+extern uint64 calculate_unique_id(const size_t pool);
 
 // For now, don't use hash_maps - they're not fully portable.
 #if 0
diff --git a/testing/.gitignore b/testing/.gitignore
new file mode 100644
index 0000000000..a664c1d684
--- /dev/null
+++ b/testing/.gitignore
@@ -0,0 +1 @@
+coverage.log
diff --git a/testing/Makefile b/testing/Makefile
new file mode 100644
index 0000000000..f65d5a1fef
--- /dev/null
+++ b/testing/Makefile
@@ -0,0 +1,20 @@
+
+DIRS=btest external
+
+all: make-verbose coverage
+
+brief: make-brief coverage
+
+make-verbose:
+	@for repo in $(DIRS); do (cd $$repo && make ); done
+
+make-brief:
+	@for repo in $(DIRS); do (cd $$repo && make brief ); done
+
+coverage:
+	@test -f btest/coverage.log && cp btest/coverage.log `mktemp brocov.tmp.XXX` || true
+	@for f in external/*/coverage.log; do test -f $$f && cp $$f `mktemp brocov.tmp.XXX` || true; done
+	@echo "Complete test suite code coverage:"
+	@./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts
+	@rm -f brocov.tmp.*
+
diff --git a/testing/README b/testing/README
index 02c8d71ce7..ba407fcc67 100644
--- a/testing/README
+++ b/testing/README
@@ -1,10 +1,15 @@
-This directory contains some of the suites for testing for Bro's
-correct operation:
+This directory contains suites for testing for Bro's correct
+operation:
 
-istate/
-	Tests Bro's independent state facilities.  These include persistent
-	values and inter-process event/value communication.
+    btest/
+        An ever-growing set of small unit tests testing Bro's
+        functionality.
 
-(Note that the Bro developers maintain a separate test suite for
- Bro's trace analysis capabilities.  This is kept private as it uses
- sensitive raw traces for input.)
+    external/
+        A framework for downloading additional test sets that run more
+        complex Bro configuration on larger traces files. Due to their
+        size, these are not included directly. See the README for more
+        information. 
+
+    scripts/
+        Helpers scripts used by some tests.
diff --git a/testing/btest/.gitignore b/testing/btest/.gitignore
new file mode 100644
index 0000000000..5282177d90
--- /dev/null
+++ b/testing/btest/.gitignore
@@ -0,0 +1,3 @@
+.tmp
+diag.log
+coverage.log
diff --git a/testing/btest/Baseline/BiFs.count_to_addr/out b/testing/btest/Baseline/BiFs.count_to_addr/out
new file mode 100644
index 0000000000..1254fd94f1
--- /dev/null
+++ b/testing/btest/Baseline/BiFs.count_to_addr/out
@@ -0,0 +1,4 @@
+0.0.0.1
+48.21.133.122
+255.255.255.255
+0.0.0.0
diff --git a/testing/btest/Baseline/analyzers.conn-size-cc/conn.log b/testing/btest/Baseline/analyzers.conn-size-cc/conn.log
new file mode 100644
index 0000000000..2f703cbcd6
--- /dev/null
+++ b/testing/btest/Baseline/analyzers.conn-size-cc/conn.log
@@ -0,0 +1,5 @@
+1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0 cc=1
+1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
+1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 677 5 713
+1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
+1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
diff --git a/testing/btest/Baseline/analyzers.conn-size/conn.log b/testing/btest/Baseline/analyzers.conn-size/conn.log
new file mode 100644
index 0000000000..8129bc37f8
--- /dev/null
+++ b/testing/btest/Baseline/analyzers.conn-size/conn.log
@@ -0,0 +1,5 @@
+1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0
+1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
+1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 697 5 713
+1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
+1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
diff --git a/testing/btest/Baseline/bifs.count_to_addr/out b/testing/btest/Baseline/bifs.count_to_addr/out
new file mode 100644
index 0000000000..1254fd94f1
--- /dev/null
+++ b/testing/btest/Baseline/bifs.count_to_addr/out
@@ -0,0 +1,4 @@
+0.0.0.1
+48.21.133.122
+255.255.255.255
+0.0.0.0
diff --git a/testing/btest/Baseline/bifs.decode_base64/out b/testing/btest/Baseline/bifs.decode_base64/out
new file mode 100644
index 0000000000..af0d32fbb8
--- /dev/null
+++ b/testing/btest/Baseline/bifs.decode_base64/out
@@ -0,0 +1,6 @@
+bro
+bro
+bro
+bro
+bro
+bro
diff --git a/testing/btest/Baseline/bifs.enable_raw_output/output b/testing/btest/Baseline/bifs.enable_raw_output/output
new file mode 100644
index 0000000000..bff6a72fd2
--- /dev/null
+++ b/testing/btest/Baseline/bifs.enable_raw_output/output
@@ -0,0 +1 @@
+helloXworldhi
\ No newline at end of file
diff --git a/testing/btest/Baseline/bifs.mask_addr/output b/testing/btest/Baseline/bifs.mask_addr/output
new file mode 100644
index 0000000000..73ad62f40a
--- /dev/null
+++ b/testing/btest/Baseline/bifs.mask_addr/output
@@ -0,0 +1,32 @@
+128.0.0.0/1
+192.0.0.0/2
+224.0.0.0/3
+240.0.0.0/4
+248.0.0.0/5
+252.0.0.0/6
+254.0.0.0/7
+255.0.0.0/8
+255.128.0.0/9
+255.192.0.0/10
+255.224.0.0/11
+255.240.0.0/12
+255.248.0.0/13
+255.252.0.0/14
+255.254.0.0/15
+255.255.0.0/16
+255.255.128.0/17
+255.255.192.0/18
+255.255.224.0/19
+255.255.240.0/20
+255.255.248.0/21
+255.255.252.0/22
+255.255.254.0/23
+255.255.255.0/24
+255.255.255.128/25
+255.255.255.192/26
+255.255.255.224/27
+255.255.255.240/28
+255.255.255.248/29
+255.255.255.252/30
+255.255.255.254/31
+255.255.255.255/32
diff --git a/testing/btest/Baseline/bifs.net_stats_trace/output b/testing/btest/Baseline/bifs.net_stats_trace/output
new file mode 100644
index 0000000000..a2e25e03a7
--- /dev/null
+++ b/testing/btest/Baseline/bifs.net_stats_trace/output
@@ -0,0 +1 @@
+[pkts_recvd=131, pkts_dropped=0, pkts_link=0]
diff --git a/testing/btest/Baseline/bifs.netbios-functions/out b/testing/btest/Baseline/bifs.netbios-functions/out
new file mode 100644
index 0000000000..d849dbff71
--- /dev/null
+++ b/testing/btest/Baseline/bifs.netbios-functions/out
@@ -0,0 +1,8 @@
+MARTIN
+3
+WORKGROUP
+27
+ISATAP
+0
+^A^B__MSBROWSE__^B
+1
diff --git a/testing/btest/Baseline/bifs.piped_exec/output b/testing/btest/Baseline/bifs.piped_exec/output
new file mode 100644
index 0000000000..0d3fba25fe
--- /dev/null
+++ b/testing/btest/Baseline/bifs.piped_exec/output
@@ -0,0 +1,2 @@
+hello world
+foobar
diff --git a/testing/btest/Baseline/bifs.piped_exec/test.txt b/testing/btest/Baseline/bifs.piped_exec/test.txt
new file mode 100644
index 0000000000..a23f66ba7e
Binary files /dev/null and b/testing/btest/Baseline/bifs.piped_exec/test.txt differ
diff --git a/testing/btest/Baseline/bifs.records_fields/out b/testing/btest/Baseline/bifs.records_fields/out
new file mode 100644
index 0000000000..0d52e64255
--- /dev/null
+++ b/testing/btest/Baseline/bifs.records_fields/out
@@ -0,0 +1,8 @@
+[a=42, b=Foo, c=<uninitialized>, d=Bar]
+{
+[b] = [type_name=record, log=F, value=Foo, default_val=Foo],
+[d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>],
+[c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>]
+}
+F
diff --git a/testing/btest/Baseline/bifs.string_splitting/out b/testing/btest/Baseline/bifs.string_splitting/out
new file mode 100644
index 0000000000..8514916834
--- /dev/null
+++ b/testing/btest/Baseline/bifs.string_splitting/out
@@ -0,0 +1,13 @@
+{
+[2] = Testing Test (http://www.example.com),
+[1] = X-Mailer
+}
+{
+[2] = =,
+[4] = =,
+[6] = =,
+[7] =  D,
+[1] = A ,
+[5] =  C ,
+[3] =  B 
+}
diff --git a/testing/btest/Baseline/bifs.unique_id-rnd/count b/testing/btest/Baseline/bifs.unique_id-rnd/count
new file mode 100644
index 0000000000..48082f72f0
--- /dev/null
+++ b/testing/btest/Baseline/bifs.unique_id-rnd/count
@@ -0,0 +1 @@
+12
diff --git a/testing/btest/Baseline/bifs.unique_id/out b/testing/btest/Baseline/bifs.unique_id/out
new file mode 100644
index 0000000000..a538697057
--- /dev/null
+++ b/testing/btest/Baseline/bifs.unique_id/out
@@ -0,0 +1,6 @@
+A-56gKBmhBBB6
+B-PjbroujOxH4
+C-N4zgPFAv3J
+D-R8BqVlcp23e
+E-duYdXg7bTa3
+F-FSX5JvMaA88
diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
new file mode 100644
index 0000000000..8d8bf1a85b
--- /dev/null
+++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
@@ -0,0 +1 @@
+warning in <params>, line 1: event handler never invoked: this_is_never_used
diff --git a/testing/btest/Baseline/core.conn-uid/counts b/testing/btest/Baseline/core.conn-uid/counts
new file mode 100644
index 0000000000..a8fa06e1be
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-uid/counts
@@ -0,0 +1 @@
+62
diff --git a/testing/btest/Baseline/core.conn-uid/output b/testing/btest/Baseline/core.conn-uid/output
new file mode 100644
index 0000000000..6f58e7c10c
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-uid/output
@@ -0,0 +1,40 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
diff --git a/testing/btest/Baseline/core.conn-uid/output.cc b/testing/btest/Baseline/core.conn-uid/output.cc
new file mode 100644
index 0000000000..6f58e7c10c
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-uid/output.cc
@@ -0,0 +1,40 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
diff --git a/testing/btest/Baseline/core.conn-uid/output.cc2 b/testing/btest/Baseline/core.conn-uid/output.cc2
new file mode 100644
index 0000000000..6f58e7c10c
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-uid/output.cc2
@@ -0,0 +1,40 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
diff --git a/testing/istate/base/broccoli-ping/stderr.log b/testing/btest/Baseline/core.dns-init/output
similarity index 100%
rename from testing/istate/base/broccoli-ping/stderr.log
rename to testing/btest/Baseline/core.dns-init/output
diff --git a/testing/btest/Baseline/core.expr-exception/reporter.log b/testing/btest/Baseline/core.expr-exception/reporter.log
new file mode 100644
index 0000000000..3767de37d8
--- /dev/null
+++ b/testing/btest/Baseline/core.expr-exception/reporter.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	reporter
+#fields	ts	level	message	location
+#types	time	enum	string	string
+1300475168.783842	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.915940	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.916118	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.918295	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.952193	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.952228	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.954761	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475168.962628	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
+1300475169.780331	Reporter::ERROR	field value missing [c$ftp]	/Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
diff --git a/testing/btest/Baseline/core.load-pkg/output b/testing/btest/Baseline/core.load-pkg/output
new file mode 100644
index 0000000000..119b2f9a18
--- /dev/null
+++ b/testing/btest/Baseline/core.load-pkg/output
@@ -0,0 +1 @@
+Foo loaded
diff --git a/testing/btest/Baseline/core.load-prefixes/output b/testing/btest/Baseline/core.load-prefixes/output
new file mode 100644
index 0000000000..ea35b3a8c0
--- /dev/null
+++ b/testing/btest/Baseline/core.load-prefixes/output
@@ -0,0 +1,4 @@
+loaded lcl2.base.utils.site.bro
+loaded lcl.base.utils.site.bro
+loaded lcl2.base.protocols.http.bro
+loaded lcl.base.protocols.http.bro
diff --git a/testing/btest/Baseline/core.load-relative/output b/testing/btest/Baseline/core.load-relative/output
new file mode 100644
index 0000000000..daff17a4e1
--- /dev/null
+++ b/testing/btest/Baseline/core.load-relative/output
@@ -0,0 +1,3 @@
+bar loaded
+baz loaded
+foo loaded
diff --git a/testing/istate/base/events-rcv/stdout.log b/testing/btest/Baseline/core.load-unload/output
similarity index 100%
rename from testing/istate/base/events-rcv/stdout.log
rename to testing/btest/Baseline/core.load-unload/output
diff --git a/testing/istate/base/events-send/stderr.log b/testing/btest/Baseline/core.nop/output
similarity index 100%
rename from testing/istate/base/events-send/stderr.log
rename to testing/btest/Baseline/core.nop/output
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
new file mode 100644
index 0000000000..5ce968d5e6
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
new file mode 100644
index 0000000000..d7ff523927
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
@@ -0,0 +1,32 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1324314285.981347	-	not ip6	T	T
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1324314286.168294	-	(((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6)	T	T
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1324314286.350780	-	port 42	T	T
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1324314286.530768	-	port 56730	T	T
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log
new file mode 100644
index 0000000000..e71eff9d57
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log
@@ -0,0 +1,2 @@
+# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	notice_tags
+1128727435.4509	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	-	1.73330307006836	98	9417	SF	-	0	ShADdFaf	-
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv6/output b/testing/btest/Baseline/core.print-bpf-filters-ipv6/output
new file mode 100644
index 0000000000..0065fabfd3
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv6/output
@@ -0,0 +1,8 @@
+# ts	node	filter	init	success
+1308603220.46822	-	ip or not ip	F	T
+# ts	node	filter	init	success
+1308603220.51607	-	tcp port 22	F	T
+# ts	node	filter	init	success
+1308603220.55432	-	port 42	F	T
+# ts	node	filter	init	success
+1308603220.59452	-	port 56730	T	T
diff --git a/testing/btest/Baseline/core.reporter-error-in-handler/output b/testing/btest/Baseline/core.reporter-error-in-handler/output
new file mode 100644
index 0000000000..3d8aa6ff54
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-error-in-handler/output
@@ -0,0 +1,2 @@
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2])
+1st error printed on script level
diff --git a/testing/btest/Baseline/core.reporter-fmt-strings/output b/testing/btest/Baseline/core.reporter-fmt-strings/output
new file mode 100644
index 0000000000..4842dd9fc5
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-fmt-strings/output
@@ -0,0 +1 @@
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s))
diff --git a/testing/btest/Baseline/core.reporter-parse-error/output b/testing/btest/Baseline/core.reporter-parse-error/output
new file mode 100644
index 0000000000..7606fe5667
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-parse-error/output
@@ -0,0 +1 @@
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE"
diff --git a/testing/btest/Baseline/core.reporter-runtime-error/output b/testing/btest/Baseline/core.reporter-runtime-error/output
new file mode 100644
index 0000000000..3a96954101
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-runtime-error/output
@@ -0,0 +1 @@
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1])
diff --git a/testing/btest/Baseline/core.reporter-type-mismatch/output b/testing/btest/Baseline/core.reporter-type-mismatch/output
new file mode 100644
index 0000000000..4c038ea8c5
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-type-mismatch/output
@@ -0,0 +1,3 @@
+error in string and /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42)
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string)
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42))
diff --git a/testing/btest/Baseline/core.reporter/logger-test.log b/testing/btest/Baseline/core.reporter/logger-test.log
new file mode 100644
index 0000000000..bc2abd142a
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter/logger-test.log
@@ -0,0 +1,6 @@
+reporter_info|init test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000
+reporter_warning|init test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000
+reporter_error|init test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000
+reporter_info|done test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000
+reporter_warning|done test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000
+reporter_error|done test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000
diff --git a/testing/btest/Baseline/core.reporter/output b/testing/btest/Baseline/core.reporter/output
new file mode 100644
index 0000000000..185cabb1eb
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter/output
@@ -0,0 +1,3 @@
+/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info
+warning in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning
+error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
new file mode 100644
index 0000000000..f3c958ea99
--- /dev/null
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.102560	26	0	SH	-	0	SADF	11	470	0	0
+1128727435.450898	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945
+1278600802.069419	k6kgXLOoSKl	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
new file mode 100644
index 0000000000..d43367f300
--- /dev/null
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -0,0 +1,22 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	loaded_scripts
+#fields	name
+#types	string
+scripts/base/init-bare.bro
+  build/src/base/const.bif.bro
+  build/src/base/types.bif.bro
+  build/src/base/strings.bif.bro
+  build/src/base/bro.bif.bro
+  build/src/base/reporter.bif.bro
+  build/src/base/event.bif.bro
+  scripts/base/frameworks/logging/__load__.bro
+    scripts/base/frameworks/logging/./main.bro
+      build/src/base/logging.bif.bro
+    scripts/base/frameworks/logging/./postprocessors/__load__.bro
+      scripts/base/frameworks/logging/./postprocessors/./scp.bro
+      scripts/base/frameworks/logging/./postprocessors/./sftp.bro
+    scripts/base/frameworks/logging/./writers/ascii.bro
+scripts/policy/misc/loaded-scripts.bro
diff --git a/testing/istate/base/events-send/stdout.log b/testing/btest/Baseline/coverage.bare-mode-errors/unique_errors
similarity index 100%
rename from testing/istate/base/events-send/stdout.log
rename to testing/btest/Baseline/coverage.bare-mode-errors/unique_errors
diff --git a/testing/btest/Baseline/coverage.coverage-blacklist/output b/testing/btest/Baseline/coverage.coverage-blacklist/output
new file mode 100644
index 0000000000..6d3d243220
--- /dev/null
+++ b/testing/btest/Baseline/coverage.coverage-blacklist/output
@@ -0,0 +1,5 @@
+1	/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 13	print cover me;
+1	/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 17	print always executed;
+0	/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 26	print also impossible, but included in code coverage analysis;
+1	/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 29	print success;
+1	/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 5	print first;
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
new file mode 100644
index 0000000000..92deb62edb
--- /dev/null
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -0,0 +1,97 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	loaded_scripts
+#fields	name
+#types	string
+scripts/base/init-bare.bro
+  build/src/base/const.bif.bro
+  build/src/base/types.bif.bro
+  build/src/base/strings.bif.bro
+  build/src/base/bro.bif.bro
+  build/src/base/reporter.bif.bro
+  build/src/base/event.bif.bro
+  scripts/base/frameworks/logging/__load__.bro
+    scripts/base/frameworks/logging/./main.bro
+      build/src/base/logging.bif.bro
+    scripts/base/frameworks/logging/./postprocessors/__load__.bro
+      scripts/base/frameworks/logging/./postprocessors/./scp.bro
+      scripts/base/frameworks/logging/./postprocessors/./sftp.bro
+    scripts/base/frameworks/logging/./writers/ascii.bro
+scripts/base/init-default.bro
+  scripts/base/utils/site.bro
+    scripts/base/utils/./patterns.bro
+  scripts/base/utils/addrs.bro
+  scripts/base/utils/conn-ids.bro
+  scripts/base/utils/directions-and-hosts.bro
+  scripts/base/utils/files.bro
+  scripts/base/utils/numbers.bro
+  scripts/base/utils/paths.bro
+  scripts/base/utils/strings.bro
+  scripts/base/utils/thresholds.bro
+  scripts/base/frameworks/notice/__load__.bro
+    scripts/base/frameworks/notice/./main.bro
+    scripts/base/frameworks/notice/./weird.bro
+    scripts/base/frameworks/notice/./actions/drop.bro
+    scripts/base/frameworks/notice/./actions/email_admin.bro
+    scripts/base/frameworks/notice/./actions/page.bro
+    scripts/base/frameworks/notice/./actions/add-geodata.bro
+    scripts/base/frameworks/notice/./extend-email/hostnames.bro
+    scripts/base/frameworks/cluster/__load__.bro
+      scripts/base/frameworks/cluster/./main.bro
+        scripts/base/frameworks/control/__load__.bro
+          scripts/base/frameworks/control/./main.bro
+    scripts/base/frameworks/notice/./actions/pp-alarms.bro
+  scripts/base/frameworks/dpd/__load__.bro
+    scripts/base/frameworks/dpd/./main.bro
+  scripts/base/frameworks/signatures/__load__.bro
+    scripts/base/frameworks/signatures/./main.bro
+  scripts/base/frameworks/packet-filter/__load__.bro
+    scripts/base/frameworks/packet-filter/./main.bro
+    scripts/base/frameworks/packet-filter/./netstats.bro
+  scripts/base/frameworks/software/__load__.bro
+    scripts/base/frameworks/software/./main.bro
+  scripts/base/frameworks/communication/__load__.bro
+    scripts/base/frameworks/communication/./main.bro
+  scripts/base/frameworks/metrics/__load__.bro
+    scripts/base/frameworks/metrics/./main.bro
+    scripts/base/frameworks/metrics/./non-cluster.bro
+  scripts/base/frameworks/intel/__load__.bro
+    scripts/base/frameworks/intel/./main.bro
+  scripts/base/frameworks/reporter/__load__.bro
+    scripts/base/frameworks/reporter/./main.bro
+  scripts/base/protocols/conn/__load__.bro
+    scripts/base/protocols/conn/./main.bro
+    scripts/base/protocols/conn/./contents.bro
+    scripts/base/protocols/conn/./inactivity.bro
+  scripts/base/protocols/dns/__load__.bro
+    scripts/base/protocols/dns/./consts.bro
+    scripts/base/protocols/dns/./main.bro
+  scripts/base/protocols/ftp/__load__.bro
+    scripts/base/protocols/ftp/./utils-commands.bro
+    scripts/base/protocols/ftp/./main.bro
+    scripts/base/protocols/ftp/./file-extract.bro
+  scripts/base/protocols/http/__load__.bro
+    scripts/base/protocols/http/./main.bro
+    scripts/base/protocols/http/./utils.bro
+    scripts/base/protocols/http/./file-ident.bro
+    scripts/base/protocols/http/./file-hash.bro
+    scripts/base/protocols/http/./file-extract.bro
+  scripts/base/protocols/irc/__load__.bro
+    scripts/base/protocols/irc/./main.bro
+    scripts/base/protocols/irc/./dcc-send.bro
+  scripts/base/protocols/smtp/__load__.bro
+    scripts/base/protocols/smtp/./main.bro
+    scripts/base/protocols/smtp/./entities.bro
+    scripts/base/protocols/smtp/./entities-excerpt.bro
+  scripts/base/protocols/ssh/__load__.bro
+    scripts/base/protocols/ssh/./main.bro
+  scripts/base/protocols/ssl/__load__.bro
+    scripts/base/protocols/ssl/./consts.bro
+    scripts/base/protocols/ssl/./main.bro
+    scripts/base/protocols/ssl/./mozilla-ca-list.bro
+  scripts/base/protocols/syslog/__load__.bro
+    scripts/base/protocols/syslog/./consts.bro
+    scripts/base/protocols/syslog/./main.bro
+scripts/policy/misc/loaded-scripts.bro
diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads
new file mode 100644
index 0000000000..4497bbd185
--- /dev/null
+++ b/testing/btest/Baseline/coverage.init-default/missing_loads
@@ -0,0 +1,6 @@
+-./frameworks/cluster/nodes/manager.bro
+-./frameworks/cluster/nodes/proxy.bro
+-./frameworks/cluster/nodes/worker.bro
+-./frameworks/cluster/setup-connections.bro
+-./frameworks/metrics/cluster.bro
+-./frameworks/notice/cluster.bro
diff --git a/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst b/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst
new file mode 100644
index 0000000000..8bd6286c24
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst
@@ -0,0 +1,100 @@
+.. Automatically generated.  Do not edit.
+
+:tocdepth: 3
+
+autogen-reST-enums.bro
+======================
+
+
+
+
+:Source File: :download:`autogen-reST-enums.bro`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================= ======================================
+:bro:type:`TestEnum1`: :bro:type:`enum` There's tons of ways an enum can look.
+
+:bro:type:`TestEnum2`: :bro:type:`enum` The final comma is optional
+======================================= ======================================
+
+Redefinitions
+#############
+======================================= =======================
+:bro:type:`TestEnum1`: :bro:type:`enum` redefs should also work
+
+:bro:type:`TestEnum1`: :bro:type:`enum` now with a comma
+======================================= =======================
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. bro:type:: TestEnum1
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: ONE TestEnum1
+
+         like this
+
+      .. bro:enum:: TWO TestEnum1
+
+         or like this
+
+      .. bro:enum:: THREE TestEnum1
+
+         multiple
+         comments
+         and even
+         more comments
+
+   There's tons of ways an enum can look...
+
+.. bro:type:: TestEnum2
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: A TestEnum2
+
+         like this
+
+      .. bro:enum:: B TestEnum2
+
+         or like this
+
+      .. bro:enum:: C TestEnum2
+
+         multiple
+         comments
+         and even
+         more comments
+
+   The final comma is optional
+
+Redefinitions
+#############
+:bro:type:`TestEnum1`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: FOUR TestEnum1
+
+         adding another
+         value
+
+   redefs should also work
+
+:bro:type:`TestEnum1`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: FIVE TestEnum1
+
+         adding another
+         value
+
+   now with a comma
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
new file mode 100644
index 0000000000..bee8658e14
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
@@ -0,0 +1,303 @@
+.. Automatically generated.  Do not edit.
+
+:tocdepth: 3
+
+example.bro
+===========
+.. bro:namespace:: Example
+
+This is an example script that demonstrates documentation features.
+Comments of the form ``##!`` are for the script summary.  The contents of
+these comments are transferred directly into the auto-generated
+`reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+(reST) document's summary section.
+
+.. tip:: You can embed directives and roles within ``##``-stylized comments.
+
+There's also a custom role to reference any identifier node in
+the Bro Sphinx domain that's good for "see alsos", e.g.
+
+See also: :bro:see:`Example::a_var`, :bro:see:`Example::ONE`,
+:bro:see:`SSH::Info`
+
+And a custom directive does the equivalent references:
+
+.. bro:see:: Example::a_var Example::ONE SSH::Info
+
+:Namespace: ``Example``
+:Imports: :doc:`policy/frameworks/software/vulnerable </scripts/policy/frameworks/software/vulnerable>`
+:Source File: :download:`example.bro`
+
+Summary
+~~~~~~~
+Options
+#######
+============================================================================ ======================================
+:bro:id:`Example::an_option`: :bro:type:`set` :bro:attr:`&redef`             add documentation for "an_option" here
+
+:bro:id:`Example::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` More docs can be added here.
+============================================================================ ======================================
+
+State Variables
+###############
+=========================================================================== =======================================
+:bro:id:`Example::a_var`: :bro:type:`bool`                                  put some documentation for "a_var" here
+
+:bro:id:`Example::var_with_attr`: :bro:type:`count` :bro:attr:`&persistent`
+
+:bro:id:`Example::var_without_explicit_type`: :bro:type:`string`
+=========================================================================== =======================================
+
+Types
+#####
+====================================================== ==========================================================
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`      documentation for "SimpleEnum"
+                                                       goes here.
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record`  general documentation for a type "SimpleRecord"
+                                                       goes here.
+
+:bro:type:`Example::ComplexRecord`: :bro:type:`record` general documentation for a type "ComplexRecord" goes here
+
+:bro:type:`Example::Info`: :bro:type:`record`          An example record to be used with a logging stream.
+====================================================== ==========================================================
+
+Events
+######
+================================================= =============================================================
+:bro:id:`Example::an_event`: :bro:type:`event`    Summarize "an_event" here.
+
+:bro:id:`Example::log_example`: :bro:type:`event` This is a declaration of an example event that can be used in
+                                                  logging streams and is raised once for each log entry.
+================================================= =============================================================
+
+Functions
+#########
+=============================================== =======================================
+:bro:id:`Example::a_function`: :bro:type:`func` Summarize purpose of "a_function" here.
+=============================================== =======================================
+
+Redefinitions
+#############
+===================================================== ========================================
+:bro:type:`Log::ID`: :bro:type:`enum`
+
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`     document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record` document the record extension redef here
+===================================================== ========================================
+
+Notices
+#######
+:bro:type:`Notice::Type`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::Notice_One Notice::Type
+
+         any number of this type of comment
+         will document "Notice_One"
+
+      .. bro:enum:: Example::Notice_Two Notice::Type
+
+         any number of this type of comment
+         will document "Notice_Two"
+
+      .. bro:enum:: Example::Notice_Three Notice::Type
+
+      .. bro:enum:: Example::Notice_Four Notice::Type
+
+Configuration Changes
+#####################
+Port Analysis
+^^^^^^^^^^^^^
+Loading this script makes the following changes to :bro:see:`dpd_config`.
+
+SSL::
+
+    [ports={
+        443/tcp,
+        562/tcp
+    }]
+
+Packet Filter
+^^^^^^^^^^^^^
+Loading this script makes the following changes to :bro:see:`capture_filters`.
+
+Filters added::
+
+    [ssl] = tcp port 443,
+    [nntps] = tcp port 562
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Options
+#######
+.. bro:id:: Example::an_option
+
+   :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`]
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``{}``
+
+   add documentation for "an_option" here
+
+.. bro:id:: Example::option_with_init
+
+   :Type: :bro:type:`interval`
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+   More docs can be added here.
+
+State Variables
+###############
+.. bro:id:: Example::a_var
+
+   :Type: :bro:type:`bool`
+
+   put some documentation for "a_var" here
+
+.. bro:id:: Example::var_with_attr
+
+   :Type: :bro:type:`count`
+   :Attributes: :bro:attr:`&persistent`
+
+.. bro:id:: Example::var_without_explicit_type
+
+   :Type: :bro:type:`string`
+   :Default: ``"this works"``
+
+Types
+#####
+.. bro:type:: Example::SimpleEnum
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::ONE Example::SimpleEnum
+
+         and more specific info for "ONE"
+         can span multiple lines
+
+      .. bro:enum:: Example::TWO Example::SimpleEnum
+
+         or more info like this for "TWO"
+         can span multiple lines
+
+      .. bro:enum:: Example::THREE Example::SimpleEnum
+
+   documentation for "SimpleEnum"
+   goes here.
+
+.. bro:type:: Example::SimpleRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+   general documentation for a type "SimpleRecord"
+   goes here.
+
+.. bro:type:: Example::ComplexRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+      field3: :bro:type:`Example::SimpleRecord`
+
+      msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional`
+         attributes are self-documenting
+
+   general documentation for a type "ComplexRecord" goes here
+
+.. bro:type:: Example::Info
+
+   :Type: :bro:type:`record`
+
+      ts: :bro:type:`time` :bro:attr:`&log`
+
+      uid: :bro:type:`string` :bro:attr:`&log`
+
+      status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
+
+   An example record to be used with a logging stream.
+
+Events
+######
+.. bro:id:: Example::an_event
+
+   :Type: :bro:type:`event` (name: :bro:type:`string`)
+
+   Summarize "an_event" here.
+   Give more details about "an_event" here.
+   Example::an_event should not be confused as a parameter.
+   
+   :param name: describe the argument here
+
+.. bro:id:: Example::log_example
+
+   :Type: :bro:type:`event` (rec: :bro:type:`Example::Info`)
+
+   This is a declaration of an example event that can be used in
+   logging streams and is raised once for each log entry.
+
+Functions
+#########
+.. bro:id:: Example::a_function
+
+   :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string`
+
+   Summarize purpose of "a_function" here.
+   Give more details about "a_function" here.
+   Separating the documentation of the params/return values with
+   empty comments is optional, but improves readability of script.
+   
+   
+   :param tag: function arguments can be described
+        like this
+   
+   :param msg: another param
+   
+   
+   :returns: describe the return type here
+
+Redefinitions
+#############
+:bro:type:`Log::ID`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::LOG Log::ID
+
+:bro:type:`Example::SimpleEnum`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::FOUR Example::SimpleEnum
+
+         and some documentation for "FOUR"
+
+      .. bro:enum:: Example::FIVE Example::SimpleEnum
+
+         also "FIVE" for good measure
+
+   document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`
+
+   :Type: :bro:type:`record`
+
+      field_ext: :bro:type:`string` :bro:attr:`&optional`
+         document the extending field here
+         (or here)
+
+   document the record extension redef here
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.autogen-reST-func-params/autogen-reST-func-params.rst
new file mode 100644
index 0000000000..15526f12c7
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-func-params/autogen-reST-func-params.rst
@@ -0,0 +1,58 @@
+.. Automatically generated.  Do not edit.
+
+:tocdepth: 3
+
+autogen-reST-func-params.bro
+============================
+
+
+
+
+:Source File: :download:`autogen-reST-func-params.bro`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================== =
+:bro:type:`test_rec`: :bro:type:`record`
+======================================== =
+
+Functions
+#########
+===================================== ======================================
+:bro:id:`test_func`: :bro:type:`func` This is a global function declaration.
+===================================== ======================================
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. bro:type:: test_rec
+
+   :Type: :bro:type:`record`
+
+      field_func: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string`
+         This is a record field function.
+         
+         :param i: First param.
+         :param j: Second param.
+         
+         :returns: A string.
+
+Functions
+#########
+.. bro:id:: test_func
+
+   :Type: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string`
+
+   This is a global function declaration.
+   
+   
+   :param i: First param.
+   
+   :param j: Second param.
+   
+   
+   :returns: A string.
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst b/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst
new file mode 100644
index 0000000000..0344fa265c
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst
@@ -0,0 +1,53 @@
+.. Automatically generated.  Do not edit.
+
+:tocdepth: 3
+
+autogen-reST-records.bro
+========================
+
+
+
+
+:Source File: :download:`autogen-reST-records.bro`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ ============================================================
+:bro:type:`SimpleRecord`: :bro:type:`record`
+
+:bro:type:`TestRecord`: :bro:type:`record`   Here's the ways records and record fields can be documented.
+============================================ ============================================================
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. bro:type:: SimpleRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`bool`
+
+      field2: :bro:type:`count`
+
+.. bro:type:: TestRecord
+
+   :Type: :bro:type:`record`
+
+      A: :bro:type:`count`
+         document ``A``
+
+      B: :bro:type:`bool`
+         document ``B``
+
+      C: :bro:type:`SimpleRecord`
+         and now ``C``
+         is a declared type
+
+      D: :bro:type:`set` [:bro:type:`count`, :bro:type:`bool`]
+         sets/tables should show the index types
+
+   Here's the ways records and record fields can be documented.
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst
new file mode 100644
index 0000000000..96a3b9377d
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst
@@ -0,0 +1,62 @@
+.. Automatically generated.  Do not edit.
+
+:tocdepth: 3
+
+autogen-reST-type-aliases.bro
+=============================
+
+
+
+
+:Source File: :download:`autogen-reST-type-aliases.bro`
+
+Summary
+~~~~~~~
+State Variables
+###############
+======================================= =======================================================
+:bro:id:`a`: :bro:type:`TypeAlias`      But this should reference a type of ``TypeAlias``.
+
+:bro:id:`b`: :bro:type:`OtherTypeAlias` And this should reference a type of ``OtherTypeAlias``.
+======================================= =======================================================
+
+Types
+#####
+============================================ ==========================================================================
+:bro:type:`TypeAlias`: :bro:type:`bool`      This is just an alias for a builtin type ``bool``.
+
+:bro:type:`OtherTypeAlias`: :bro:type:`bool` We decided that creating alias "chains" might not be so useful to document
+                                             so this type just creates a cross reference to ``bool``.
+============================================ ==========================================================================
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. bro:id:: a
+
+   :Type: :bro:type:`TypeAlias`
+
+   But this should reference a type of ``TypeAlias``.
+
+.. bro:id:: b
+
+   :Type: :bro:type:`OtherTypeAlias`
+
+   And this should reference a type of ``OtherTypeAlias``.
+
+Types
+#####
+.. bro:type:: TypeAlias
+
+   :Type: :bro:type:`bool`
+
+   This is just an alias for a builtin type ``bool``.
+
+.. bro:type:: OtherTypeAlias
+
+   :Type: :bro:type:`bool`
+
+   We decided that creating alias "chains" might not be so useful to document
+   so this type just creates a cross reference to ``bool``.
+
diff --git a/testing/btest/Baseline/istate.base/events b/testing/btest/Baseline/istate.base/events
new file mode 100644
index 0000000000..fbb3c23f28
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/events
@@ -0,0 +1,33 @@
+Event [1301452424.097552] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [1301452424.097552] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [1301452424.099251] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=1301452424.0315, duration=0.0, service={}, addl="cc=1", hot=0, history=""])
+Event [1301452424.280556] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"])
+Event [1301452424.280556] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165)
+Event [1301452424.282557] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0")
+Event [1301452424.282557] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, history="ShAD"]T)
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive")
+Event [1301452424.284421] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN")
+Event [1301452424.284421] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T)
+Event [1301452424.284421] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=1301452424.21479, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86])
+Event [1301452424.465561] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK")
+Event [1301452424.465561] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html")
+Event [1301452424.465561] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML")
+Event [1301452424.648565] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=1301452424.0315, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"^J"http://www.w3.org/TR/REC-html40/loose.dtd">^J<HEAD><TITLE>ICIR</TITLE></HEAD>^J<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">^J<img src=icir.gif alt="ICIR"><br>^J<p>^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^J<a href="http://www.icsi.berkeley.edu">ICSI</a>^Jin ^J<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, ^JCalifornia.<br>^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>^J^JThe goals of ICIR are to:^J<ul>^J<li>Pursue research on the Internet architecture and related networking issues,^J<li>^JParticipate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and^Jstandards (<a href="http://www.ietf.org/">IETF</a>) communities,^J<li> Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J</ul>^J<p>^J<!--^JICIR is now ^J<a href="jobs.html">^Jhiring</a> for both postdoctoral positions and summer interns.^J-->^J<hr>^J^J<DIV ALIGN="CENTER">^J^J<table width="100%" cellspacing=16 cellpadding=0>^J^J<tr>^J<td width="35%" valign=top>^J^J<h2>^JPeople^J</h2>^J<ul>^J<li>^J<a href="./shenker/">^JScott Shenker</a>, Group Leader<br> ^J<li><a href="http://www.icir.org/mallman/">Mark Allman</a>^J<li>^J<a href="./floyd/">Sally Floyd</a>^J<!--^J<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>^J-->^J<li>^J<a href="./karp/papers.html">^JRichard Karp</a>  ^J<!-- (also with the ^J<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, ^J<a href="http://www.msri.org/">MSRI</a>, and^J<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->^J<li>^J<a href="./vern/">^JVern Paxson</a>  ^J<li>^J<a href="http://www.icir.org/robin/">^JRobin Sommer</a>^J<li>^J<a href="http://www.cs.berkeley.edu/~nweaver/">^JNicholas Weaver</a>^J<li>^J<a href="http://www.icsi.berkeley.edu/~zhao/">^JJerry Zhao</a>^J<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->^J<li><b><a href="pastvisitors.html">Past Group Members</a></b>,^J<br>including:^J<ul>^J<li>^J<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">^JMark Handley</a> (UCL)^J<li><a href="./kohler/">Eddie Kohler</a> (UCLA)^J</ul>^J<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>^JResearchers</b>:^J  <ul>^J  <li><a href="./jcardona/">Javier Cardona</a>^J  <li><a href="./atanu/">Atanu Ghosh</a> ^J  <li><a href="./hodson/">Orion Hodson</a>^J  <li><a href="./pavlin/">Pavlin Radoslavov</a> ^J  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>^J  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>^J</ul>^J<li><b>Affiliated UCB Researchers</b>:^J  <ul>^J  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>^J  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>^J  </ul>^J<li><b>Visitors</b>:^J  <ul>^J  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>^J<!--^J  from Shanghai Jiaotong University^J-->^J  <li>Teemu Koponen^J<!--^J  , Helsinki Institute for Information Technology^J-->^J  </ul>^J<!--^J<li><a href="pastvisitors.html">Other researchers</a>^J-->^J<a name=Visitors></a>^J<li><b>Interns:</b>^J<ul>^J<li>Juan Caballero^J<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>^J<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>^J<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>^J<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>^J<li>Halldor Isak Gylfason^J<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>^J<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>^J<!--^J<li><a href="newinterns.html">New Interns:</a> ^J-->^J</ul>^J<li><b>Undergraduate Interns:</b>^J<ul>^J<li>Michael Hoisie^J<li>Arthur Wayne Liao^J<li>Christopher Portka^J</ul>^J<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>^J</ul>^J^J</td>^J<td width="30%" vali")
+Event [1301452424.689566] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=8688, state=4], start_time=1301452424.0315, duration=0.552114009857178, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<li><a href="./rfcs.html">^JRFCs</a> with ICIR authors.^J<li>^J<a href="./internetdrafts.html">^JInternet drafts</a> with ICIR authors, 3/2004 ^J(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>^Jthe current list).^J<!--^Jfor "Shenker OR Floyd OR Allman OR Paxson".^J(or the ^J<a^Jhref="^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)^J^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).^J-->^J<!--^Jfrom the ^J<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">^JInternet-Drafts Search Engine</a>).^J-->^J<li>Papers by ^J<a href="./shenker/papers.html">Scott Shenker</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),^J^J<a href="./mallman/papers/">Mark Allman</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),^J^J<a href="./floyd/papers.html">Sally Floyd</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),^J^J<a href="./karp/papers.html">Richard Karp</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),^J<a href="./kohler/pubs/">Eddie Kohler</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),^J<a href="./vern/papers.html">Vern Paxson</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).^J<li>The <a href="http://citeseer.ist.psu.edu/">^JResearchIndex</a> (RI) and the ^J<a href="http://citeseer.ist.psu.edu/cs">Search</a>^Jand ^J<a href="http://citeseer.ist.psu.edu/Networking/">^JNetworking</a> pages. ^J</ul>^J^J<h2>^JProjects ^J</h2>^J<ul>^J<li>^J<a href="./vern/bro-info.html">Bro</a>^J(detecting network intruders). ^J<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:^JFuture-Generation Internet Architecture.^J<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>^Jnetwork simulator.^J<li> <a href="./tbit/">TBIT</a>^J(TCP Behavior Identification Tool).^J<li> <a href="http://www.xorp.org/">Xorp</a>^J(Extensible Open Router Platform).^J<li>^J<a href="./funded_projects.html">^JOther Funded Projects</a>.^J<li>^J<a href="./research.html">^JAdditional Research Links</a>.^J</ul>^J^J^J</td>^J^J<td width="35%" valign=top>^J    ^J<h2>Research</h2>^J&nbsp; &nbsp;<b>Transport and Congestion</b>^J<ul>^J<li>^J<a href="./kohler/dcp/">DCCP</a>^J(Datagram Congestion Control Protocol).^J<li>^J<a href="./floyd/ecn.html">ECN</a>^J(Explicit Congestion Notification).^J<li>^J<a href="http://www.ietf.org/html.charters/intserv-charter.html">^JIntegrated services</a>.^J<li>^J<a href="./floyd/red.html">RED</a> ^Jqueue management, and^J<a href="./red-pd/">RED-PD</a>.^J<li>^J<a href="./floyd/hstcp.html">HighSpeed TCP</a>.^J<li>^J<a^Jhref="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">^JTCP Implementation</a>.^J<li>^JReordering-Robust TCP ^J(<a href="./bkarp/RR-TCP/">RR-TCP</a>).^J<li>TCP^J<a href="./floyd/sacks.html">SACK</a> ^J(Selective Acknowledgment).^J<li>^J<a href="./tfrc/">TFRC</a> ^J(TCP-Friendly Rate Control).^J</ul>^J^J&nbsp; &nbsp;<b>Traffic and Topology</b>^J<ul>^J<LI>^J<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> ^J(Internet Distance Mapping).^J<LI>The <a href="http://www.acm.org/sigcomm/ITA/">^JInternet Traffic Archive</a>.^J<li>^J<a href="http://www-net.cs.umass.edu/minc/">MINC</a>^J(Multicast-based Inference of Network-internal Characteristics).^J<li>^J<a href="http://www.psc.edu/networking/nimi/">NIMI</a>^J(N")
+Event [1301452424.832570] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J</ul>^J^J<h2>^J<a href="./collaborators.html">^JCollaborators</a>^J</h2>^J^J<!--^J&nbsp; &nbsp;<b>Multicast and Multimedia</b>^J<ul>^J<LI><A href="/malloc/">MALLOC</a>^J(Multicast Address Allocation).^J<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>^J(Session Initiation Protocol).^J<li> <a href="yoid"> Yoid</a> (host-based content distribution). ^J</ul>^J-->^J^J</td>^J^J</tr>^J</table>^J</DIV>^J^J<hr>^J<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>^J<hr>^JLast modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.^J<a href="http://web.archive.org/web/*/http://www.aciri.org/">^JOlder versions</a> of this web page, in its ACIRI incarnation..^J<BR>^JFor more information about this server, mail <I>www@aciri.org</I>.  ^J<BR>^JTo report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.^J</BODY>^J")
+Event [1301452424.832570] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [1301452424.832570] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=1301452424.39883, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265])
+Event [1301452424.990539] net_done(1301452424.99054)
+Event [1301452424.990539] bro_done()
diff --git a/testing/btest/Baseline/istate.base/receiver.conn.log b/testing/btest/Baseline/istate.base/receiver.conn.log
new file mode 100644
index 0000000000..6827ed1fee
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/receiver.conn.log
@@ -0,0 +1 @@
+1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
diff --git a/testing/btest/Baseline/istate.base/receiver.http.log b/testing/btest/Baseline/istate.base/receiver.http.log
new file mode 100644
index 0000000000..74400b15d5
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/receiver.http.log
@@ -0,0 +1,18 @@
+1301452424.282557 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301452424.284421 %events-rcv-1 > USER-AGENT: Wget/1.10
+1301452424.284421 %events-rcv-1 > ACCEPT: */*
+1301452424.284421 %events-rcv-1 > HOST: www.icir.org
+1301452424.284421 %events-rcv-1 > CONNECTION: Keep-Alive
+1301452424.465561 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301452424.465561 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
+1301452424.465561 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301452424.465561 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301452424.465561 %events-rcv-1 < ACCEPT-RANGES: bytes
+1301452424.465561 %events-rcv-1 < CONTENT-LENGTH: 9130
+1301452424.465561 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
+1301452424.465561 %events-rcv-1 < CONNECTION: Keep-Alive
+1301452424.465561 %events-rcv-1 < CONTENT-TYPE: text/html
+1301452424.648565 %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301452424.689566 %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301452424.832570 %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301452424.832570 %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/btest/Baseline/istate.base/sender.conn.log b/testing/btest/Baseline/istate.base/sender.conn.log
new file mode 100644
index 0000000000..1735dbd63e
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/sender.conn.log
@@ -0,0 +1,2 @@
+1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
+1301452424.031503 ? 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 S1 X %events-send-1
diff --git a/testing/btest/Baseline/istate.base/sender.http.log b/testing/btest/Baseline/istate.base/sender.http.log
new file mode 100644
index 0000000000..b5aed6501a
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/sender.http.log
@@ -0,0 +1,18 @@
+1301452424.214794 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301452424.214794 %events-send-1 > USER-AGENT: Wget/1.10
+1301452424.214794 %events-send-1 > ACCEPT: */*
+1301452424.214794 %events-send-1 > HOST: www.icir.org
+1301452424.214794 %events-send-1 > CONNECTION: Keep-Alive
+1301452424.398834 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301452424.398834 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
+1301452424.398834 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301452424.398834 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301452424.398834 %events-send-1 < ACCEPT-RANGES: bytes
+1301452424.398834 %events-send-1 < CONTENT-LENGTH: 9130
+1301452424.398834 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
+1301452424.398834 %events-send-1 < CONNECTION: Keep-Alive
+1301452424.398834 %events-send-1 < CONTENT-TYPE: text/html
+1301452424.583323 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301452424.583617 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301452424.767141 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301452424.767141 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/btest/Baseline/istate.broccoli/bro.log b/testing/btest/Baseline/istate.broccoli/bro.log
new file mode 100644
index 0000000000..4fbbfc81ae
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli/bro.log
@@ -0,0 +1,3 @@
+ping received, seq 0, 1324314397.698781 at src, 1324314397.699240 at dest, 
+ping received, seq 1, 1324314398.698905 at src, 1324314398.699094 at dest, 
+ping received, seq 2, 1324314399.699012 at src, 1324314399.699231 at dest, 
diff --git a/testing/istate/base/broccoli-ping/stdout.log b/testing/btest/Baseline/istate.broccoli/broccoli.log
similarity index 60%
rename from testing/istate/base/broccoli-ping/stdout.log
rename to testing/btest/Baseline/istate.broccoli/broccoli.log
index 6174e6cce8..faa3960273 100644
--- a/testing/istate/base/broccoli-ping/stdout.log
+++ b/testing/btest/Baseline/istate.broccoli/broccoli.log
@@ -1,5 +1,3 @@
 pong event from 127.0.0.1: seq=0, 
 pong event from 127.0.0.1: seq=1, 
 pong event from 127.0.0.1: seq=2, 
-pong event from 127.0.0.1: seq=3, 
-pong event from 127.0.0.1: seq=4, 
diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
new file mode 100644
index 0000000000..1601f8ad3c
--- /dev/null
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1324314406.995958	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log
new file mode 100644
index 0000000000..1601f8ad3c
--- /dev/null
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1324314406.995958	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
new file mode 100644
index 0000000000..25a7f289c0
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1324314415.616486	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
new file mode 100644
index 0000000000..25a7f289c0
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1324314415.616486	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/istate/base/persistence-read/vars.log b/testing/btest/Baseline/istate.persistence/vars.read.log
similarity index 74%
rename from testing/istate/base/persistence-read/vars.log
rename to testing/btest/Baseline/istate.persistence/vars.read.log
index 9a7d2c771e..f52791dfb1 100644
--- a/testing/istate/base/persistence-read/vars.log
+++ b/testing/btest/Baseline/istate.persistence/vars.read.log
@@ -4,29 +4,28 @@ Hallihallo
 1.2.3.4
 1.2.0.0/16
 3.14
-131.159
 42.0 secs
 {
-[1] = qwerty,
-[2] = uiop
+[2] = uiop,
+[1] = qwerty
 }
 file "test" of string
 /^?(12345)$?/
 {
-3,
-5,
+2,
 4,
 1,
-2
+5,
+3
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
+[3, GHI] = 103,
 [1, ABC] = 101
 }
 {
-[12345] = /^?(12345)$?/,
-[12346] = /^?(12345)$?/
+[12346] = /^?(12345)$?/,
+[12345] = /^?(12345)$?/
 }
 42/udp
 [1, 2, 3]
diff --git a/testing/istate/base/persistence-write/vars.log b/testing/btest/Baseline/istate.persistence/vars.write.log
similarity index 74%
rename from testing/istate/base/persistence-write/vars.log
rename to testing/btest/Baseline/istate.persistence/vars.write.log
index 9a7d2c771e..f52791dfb1 100644
--- a/testing/istate/base/persistence-write/vars.log
+++ b/testing/btest/Baseline/istate.persistence/vars.write.log
@@ -4,29 +4,28 @@ Hallihallo
 1.2.3.4
 1.2.0.0/16
 3.14
-131.159
 42.0 secs
 {
-[1] = qwerty,
-[2] = uiop
+[2] = uiop,
+[1] = qwerty
 }
 file "test" of string
 /^?(12345)$?/
 {
-3,
-5,
+2,
 4,
 1,
-2
+5,
+3
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
+[3, GHI] = 103,
 [1, ABC] = 101
 }
 {
-[12345] = /^?(12345)$?/,
-[12346] = /^?(12345)$?/
+[12346] = /^?(12345)$?/,
+[12345] = /^?(12345)$?/
 }
 42/udp
 [1, 2, 3]
diff --git a/testing/btest/Baseline/istate.pybroccoli/bro..stdout b/testing/btest/Baseline/istate.pybroccoli/bro..stdout
new file mode 100644
index 0000000000..1e70711932
--- /dev/null
+++ b/testing/btest/Baseline/istate.pybroccoli/bro..stdout
@@ -0,0 +1,18 @@
+==== atomic
+-10
+2
+1313624487.48817
+2.0 mins
+F
+1.5
+Servus
+5555/tcp
+6.7.6.5
+192.168.0.0/16
+==== record
+[a=42, b=6.6.7.7]
+42, 6.6.7.7
+==== coerced record
+[one=<uninitialized>, a=13, b=<uninitialized>, c=helloworld, d=<uninitialized>]
+13
+helloworld
diff --git a/testing/istate/base/python-script/stdout.log b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
similarity index 58%
rename from testing/istate/base/python-script/stdout.log
rename to testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
index 5af3e6a47e..864a4eb627 100644
--- a/testing/istate/base/python-script/stdout.log
+++ b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
@@ -1,44 +1,41 @@
 ==== atomic a 1 ====
--4 -4
+-4L -4
 42 42
-xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
-60.0 60.0
+1313624487.4889
+60.0
 True True
-3.1400000000000001 3.14
+3.14
 'Hurz' Hurz
 '12345/udp' 12345/udp
 '1.2.3.4' 1.2.3.4
-'X.X.X' X.X.X
-'X.X.X' 22.33.44.0/24
+'22.33.44.0/24' 22.33.44.0/24
 ==== atomic a 2 ====
--10 -10
+-10L -10
 2 2
-xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
-120.0 120.0
+1313624487.4882
+120.0
 False False
-1.5 1.5
+1.5
 'Servus' Servus
 '5555/tcp' 5555/tcp
 '6.7.6.5' 6.7.6.5
-'X.X.X' X.X.X
-'X.X.X' 192.168.0.0/16
+'192.168.0.0/16' 192.168.0.0/16
 ==== atomic b 2 ====
--10 -10
+-10L -10
 <broccoli.count instance at > 2
-<broccoli.time instance at > xxxxxxxxxx.xxxxxx
+<broccoli.time instance at > 1313624487.4882
 <broccoli.interval instance at > 120.0
 False False
-1.5 1.5
+1.5
 'Servus' Servus
 <broccoli.port instance at > 5555/tcp
 <broccoli.addr instance at > 6.7.6.5
-<broccoli.net instance at > X.X.X
-<broccoli.net instance at > 192.168.0.0/16
+<broccoli.subnet instance at > 192.168.0.0/16
 ==== record 1 ====
 <broccoli.record instance at >
-42 42
+42L 42
 '6.6.7.7' 6.6.7.7
 ==== record 2 ====
 <broccoli.record instance at >
-99 99
+99L 99
 '3.4.5.1' 3.4.5.1
diff --git a/testing/istate/base/sync-send/vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log
similarity index 63%
rename from testing/istate/base/sync-send/vars.log
rename to testing/btest/Baseline/istate.sync/receiver.vars.log
index 428ac7929d..b28cfbd5c9 100644
--- a/testing/istate/base/sync-send/vars.log
+++ b/testing/btest/Baseline/istate.sync/receiver.vars.log
@@ -4,31 +4,30 @@ Jodel
 4.3.2.1
 4.0.0.0/8
 21.0
-192.150.186
 42.0 secs
 {
-[3] = asdfg1,
-[1] = asdfg2
+[1] = asdfg2,
+[3] = asdfg1
 }
 file "test2" of string
 /^?(abbcdefgh)$?/
 {
-3,
-5,
-6,
+2,
 4,
-2
+6,
+5,
+3
 }
 {
+[2, DEF] = 103,
 [3, GHI] = 103,
-[4, JKL] = 104,
-[2, DEF] = 103
+[4, JKL] = 104
 }
 {
-[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/,
 [6767] = /^?(QWERTZ)$?/,
-[12346] = /^?(12345)$?/
+[12345] = /^?(12345)$?/
 }
 6667/tcp
 [2, 20, 3, 4]
-[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
diff --git a/testing/istate/base/sync-rcv/vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log
similarity index 63%
rename from testing/istate/base/sync-rcv/vars.log
rename to testing/btest/Baseline/istate.sync/sender.vars.log
index 428ac7929d..b28cfbd5c9 100644
--- a/testing/istate/base/sync-rcv/vars.log
+++ b/testing/btest/Baseline/istate.sync/sender.vars.log
@@ -4,31 +4,30 @@ Jodel
 4.3.2.1
 4.0.0.0/8
 21.0
-192.150.186
 42.0 secs
 {
-[3] = asdfg1,
-[1] = asdfg2
+[1] = asdfg2,
+[3] = asdfg1
 }
 file "test2" of string
 /^?(abbcdefgh)$?/
 {
-3,
-5,
-6,
+2,
 4,
-2
+6,
+5,
+3
 }
 {
+[2, DEF] = 103,
 [3, GHI] = 103,
-[4, JKL] = 104,
-[2, DEF] = 103
+[4, JKL] = 104
 }
 {
-[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/,
 [6767] = /^?(QWERTZ)$?/,
-[12346] = /^?(12345)$?/
+[12345] = /^?(12345)$?/
 }
 6667/tcp
 [2, 20, 3, 4]
-[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
diff --git a/testing/btest/Baseline/language.cross-product-init/output b/testing/btest/Baseline/language.cross-product-init/output
new file mode 100644
index 0000000000..95794f9179
--- /dev/null
+++ b/testing/btest/Baseline/language.cross-product-init/output
@@ -0,0 +1,6 @@
+{
+[bar, 1.2.0.0/19] ,
+[foo, 5.6.0.0/21] ,
+[bar, 5.6.0.0/21] ,
+[foo, 1.2.0.0/19] 
+}
diff --git a/testing/btest/Baseline/language.delete-field-set/output b/testing/btest/Baseline/language.delete-field-set/output
new file mode 100644
index 0000000000..ccf6dbc793
--- /dev/null
+++ b/testing/btest/Baseline/language.delete-field-set/output
@@ -0,0 +1 @@
+[a=<uninitialized>, b=<uninitialized>, c=<uninitialized>]
diff --git a/testing/btest/Baseline/language.delete-field/output b/testing/btest/Baseline/language.delete-field/output
new file mode 100644
index 0000000000..12d04d02d3
--- /dev/null
+++ b/testing/btest/Baseline/language.delete-field/output
@@ -0,0 +1,4 @@
+a: 20
+20
+a: not set
+5
diff --git a/testing/btest/Baseline/language.enum-desc/output b/testing/btest/Baseline/language.enum-desc/output
new file mode 100644
index 0000000000..f46cc71693
--- /dev/null
+++ b/testing/btest/Baseline/language.enum-desc/output
@@ -0,0 +1,4 @@
+ONE
+ONE
+TEST::TWO
+TEST::TWO
diff --git a/testing/btest/Baseline/language.enum-scope/output b/testing/btest/Baseline/language.enum-scope/output
new file mode 100644
index 0000000000..84705950d9
--- /dev/null
+++ b/testing/btest/Baseline/language.enum-scope/output
@@ -0,0 +1 @@
+test::c
diff --git a/testing/btest/Baseline/language.match-test/output b/testing/btest/Baseline/language.match-test/output
new file mode 100644
index 0000000000..5ee7ba029d
--- /dev/null
+++ b/testing/btest/Baseline/language.match-test/output
@@ -0,0 +1,3 @@
+default
+it's big
+it's really big
diff --git a/testing/btest/Baseline/language.match-test2/output b/testing/btest/Baseline/language.match-test2/output
new file mode 100644
index 0000000000..0cfbf08886
--- /dev/null
+++ b/testing/btest/Baseline/language.match-test2/output
@@ -0,0 +1 @@
+2
diff --git a/testing/btest/Baseline/language.next-test/output b/testing/btest/Baseline/language.next-test/output
new file mode 100644
index 0000000000..db9ce4efa4
--- /dev/null
+++ b/testing/btest/Baseline/language.next-test/output
@@ -0,0 +1,8 @@
+0
+1
+1
+MIDDLE
+0
+0
+1
+THE END
diff --git a/testing/btest/Baseline/language.raw_output_attr-2/output b/testing/btest/Baseline/language.raw_output_attr-2/output
new file mode 100644
index 0000000000..bff6a72fd2
--- /dev/null
+++ b/testing/btest/Baseline/language.raw_output_attr-2/output
@@ -0,0 +1 @@
+helloXworldhi
\ No newline at end of file
diff --git a/testing/btest/Baseline/language.raw_output_attr/output b/testing/btest/Baseline/language.raw_output_attr/output
new file mode 100644
index 0000000000..bff6a72fd2
--- /dev/null
+++ b/testing/btest/Baseline/language.raw_output_attr/output
@@ -0,0 +1 @@
+helloXworldhi
\ No newline at end of file
diff --git a/testing/btest/Baseline/language.rec-comp-init/output b/testing/btest/Baseline/language.rec-comp-init/output
new file mode 100644
index 0000000000..fedb9177c7
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-comp-init/output
@@ -0,0 +1,5 @@
+[a={
+
+}, b={
+
+}, c=[]]
diff --git a/testing/btest/Baseline/language.rec-nested-opt/output b/testing/btest/Baseline/language.rec-nested-opt/output
new file mode 100644
index 0000000000..e41358b71d
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-nested-opt/output
@@ -0,0 +1,3 @@
+{
+[Wget/1.9+cvs-stable (Red Hat modified)] = [name=Wget, version=[major=1, minor=9, addl=+cvs], host=0.0.0.0, ts=0.0]
+}
diff --git a/testing/btest/Baseline/language.rec-of-tbl/output b/testing/btest/Baseline/language.rec-of-tbl/output
new file mode 100644
index 0000000000..f7c06f0b63
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-of-tbl/output
@@ -0,0 +1,3 @@
+[a={
+[5] = 3
+}]
diff --git a/testing/btest/Baseline/language.rec-table-default/output b/testing/btest/Baseline/language.rec-table-default/output
new file mode 100644
index 0000000000..a1531d06ee
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-table-default/output
@@ -0,0 +1,14 @@
+{
+[foo] = T
+}
+{
+
+}
+{
+A,
+B,
+C
+}
+{
+
+}
diff --git a/testing/btest/Baseline/language.record-default-coercion/out b/testing/btest/Baseline/language.record-default-coercion/out
new file mode 100644
index 0000000000..2f0e6cd17d
--- /dev/null
+++ b/testing/btest/Baseline/language.record-default-coercion/out
@@ -0,0 +1,4 @@
+[a=13, c=13, v=[]]
+0
+[a=13, c=13, v=[test]]
+1
diff --git a/testing/btest/Baseline/language.record-extension/output b/testing/btest/Baseline/language.record-extension/output
new file mode 100644
index 0000000000..b60b1c93b6
--- /dev/null
+++ b/testing/btest/Baseline/language.record-extension/output
@@ -0,0 +1,10 @@
+[a=21, b=<uninitialized>, myset={
+
+}, c=42, d=<uninitialized>, anotherset={
+
+}]
+[a=21, b=<uninitialized>, myset={
+
+}, c=42, d=XXX, anotherset={
+
+}]
diff --git a/testing/btest/Baseline/language.record-index-complex-fields/output b/testing/btest/Baseline/language.record-index-complex-fields/output
new file mode 100644
index 0000000000..21591bc210
--- /dev/null
+++ b/testing/btest/Baseline/language.record-index-complex-fields/output
@@ -0,0 +1,27 @@
+{
+[1.2.3.4] = {
+[a=4, tags_v=[0, 1], tags_t={
+[two] = 2,
+[one] = 1
+}, tags_s={
+b,
+a
+}]
+}
+}
+{
+[a=13, tags_v=[, , 2, 3], tags_t={
+[four] = 4,
+[five] = 5
+}, tags_s={
+d,
+c
+}],
+[a=4, tags_v=[0, 1], tags_t={
+[two] = 2,
+[one] = 1
+}, tags_s={
+b,
+a
+}]
+}
diff --git a/testing/btest/Baseline/language.record-recursive-coercion/output b/testing/btest/Baseline/language.record-recursive-coercion/output
new file mode 100644
index 0000000000..5c4dea621c
--- /dev/null
+++ b/testing/btest/Baseline/language.record-recursive-coercion/output
@@ -0,0 +1,2 @@
+[major=4, minor=4, minor2=<uninitialized>, addl=<uninitialized>]
+[c=1, f=[i=2.0 hrs, s=<uninitialized>]]
diff --git a/testing/btest/Baseline/language.record-ref-assign/output b/testing/btest/Baseline/language.record-ref-assign/output
new file mode 100644
index 0000000000..4caf2f8fa8
--- /dev/null
+++ b/testing/btest/Baseline/language.record-ref-assign/output
@@ -0,0 +1 @@
+XXX, XXX
diff --git a/testing/btest/Baseline/language.set-opt-record-index/output b/testing/btest/Baseline/language.set-opt-record-index/output
new file mode 100644
index 0000000000..fdc6f9d723
--- /dev/null
+++ b/testing/btest/Baseline/language.set-opt-record-index/output
@@ -0,0 +1,16 @@
+{
+[a=1, b=<uninitialized>],
+[a=4, b=5],
+[a=3, b=<uninitialized>]
+}
+
+[a=1, b=<uninitialized>]
+[a=4, b=5]
+[a=3, b=<uninitialized>]
+
+T
+F
+
+T
+F
+T
diff --git a/testing/btest/Baseline/language.sizeof/output b/testing/btest/Baseline/language.sizeof/output
new file mode 100644
index 0000000000..737a999292
--- /dev/null
+++ b/testing/btest/Baseline/language.sizeof/output
@@ -0,0 +1,16 @@
+Address 1.2.3.4: 16909060
+Boolean T: 1
+Count 10: 10
+Double -1.23: 1.230000
+Enum ENUM3: 2
+File 21.000000
+Function add_interface: 2
+Integer -10: 10
+Interval -5.0 secs: 5.000000
+Port 80/tcp: 65616
+Record [i=10, j=<uninitialized>, k=<uninitialized>]: 3
+Set: 3
+String 'Hello': 5
+Subnet 192.168.0.0/24: 256.000000
+Table 2
+Vector [Hello, , , , World]: 5
diff --git a/testing/btest/Baseline/language.smith-waterman-test/output b/testing/btest/Baseline/language.smith-waterman-test/output
new file mode 100644
index 0000000000..b0d0d33526
--- /dev/null
+++ b/testing/btest/Baseline/language.smith-waterman-test/output
@@ -0,0 +1,32 @@
+abcdefgh - ijklmnop:
+AAAabcefghij - lmnopAAAqrst:
+tok 1: AAA (0/5, T)
+abcAAAefghij - lmnopAAAqrst:
+tok 1: AAA (3/5, T)
+abcefghijAAA - lmnopAAAqrst:
+tok 1: AAA (9/5, T)
+xxxAAAyyy - AAAaAAAbAAA:
+tok 1: AAA (3/0, T)
+tok 2: AAA (3/4, T)
+tok 3: AAA (3/8, T)
+AAAaAAAbAAA - xxxAAAyyy:
+tok 1: AAA (0/3, T)
+tok 2: AAA (4/3, T)
+tok 3: AAA (8/3, T)
+xxCDyABzCDyABzz - ABCD:
+tok 1: CD (2/2, T)
+tok 2: AB (5/0, T)
+tok 3: CD (8/2, F)
+tok 4: AB (11/0, T)
+ABCD - xxCDyABzCDyABzz:
+tok 1: CD (2/2, T)
+tok 2: AB (0/5, T)
+tok 3: CD (2/8, F)
+tok 4: AB (0/11, T)
+Cache-control: no-cache^M^JAccept: - Accept-: deflate^M^JAccept-: Accept-:
+tok 1: Accept (27/0, T)
+tok 2: e^M^JAccept (22/15, T)
+tok 3: Accept (27/29, T)
+xxAAxxAAxx - yyyyyAAyyyyy:
+tok 1: AA (2/5, T)
+tok 2: AA (6/5, T)
diff --git a/testing/btest/Baseline/language.strings/output b/testing/btest/Baseline/language.strings/output
new file mode 100644
index 0000000000..525ce64916
--- /dev/null
+++ b/testing/btest/Baseline/language.strings/output
@@ -0,0 +1,25 @@
+Input string: broisaveryneatids
+
+String splitting
+----------------
+Splitting 'broisaveryneatids' at 6 points...
+bro
+is
+a
+very
+neat
+ids
+
+Substrings
+----------
+3@0: bro
+5@2: roisa
+7@4: isavery
+10@10: yneatids
+
+Finding strings
+---------------
+isa: 4
+very: 7
+ids: 15
+nono: 0
diff --git a/testing/btest/Baseline/language.table-init/output b/testing/btest/Baseline/language.table-init/output
new file mode 100644
index 0000000000..0272e12319
--- /dev/null
+++ b/testing/btest/Baseline/language.table-init/output
@@ -0,0 +1,10 @@
+{
+[2] = two,
+[1] = one
+}
+global table default
+{
+[4] = four,
+[3] = three
+}
+local table default
diff --git a/testing/btest/Baseline/language.vector-coerce-expr/output b/testing/btest/Baseline/language.vector-coerce-expr/output
new file mode 100644
index 0000000000..baabf9d89d
--- /dev/null
+++ b/testing/btest/Baseline/language.vector-coerce-expr/output
@@ -0,0 +1,4 @@
+[]
+[1, 2, 3]
+[T, F, T]
+[]
diff --git a/testing/btest/Baseline/language.vector-list-init-records/output b/testing/btest/Baseline/language.vector-list-init-records/output
new file mode 100644
index 0000000000..eccb029b4a
--- /dev/null
+++ b/testing/btest/Baseline/language.vector-list-init-records/output
@@ -0,0 +1,3 @@
+element 0 = [s=bar, o=check]
+element 1 = [s=baz, o=<uninitialized>]
+[[s=bar, o=check], [s=baz, o=<uninitialized>]]
diff --git a/testing/btest/Baseline/language.wrong-delete-field/output b/testing/btest/Baseline/language.wrong-delete-field/output
new file mode 100644
index 0000000000..c2aae8aae3
--- /dev/null
+++ b/testing/btest/Baseline/language.wrong-delete-field/output
@@ -0,0 +1 @@
+error in /Users/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a)
diff --git a/testing/btest/Baseline/language.wrong-record-extension/output b/testing/btest/Baseline/language.wrong-record-extension/output
new file mode 100644
index 0000000000..9d7b1fd5e0
--- /dev/null
+++ b/testing/btest/Baseline/language.wrong-record-extension/output
@@ -0,0 +1 @@
+ extension field must be &optional or have &default (Foo)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout
new file mode 100644
index 0000000000..7c8eb5ee83
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout
@@ -0,0 +1,4 @@
+Connected to a peer
+Connected to a peer
+Connected to a peer
+Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout
new file mode 100644
index 0000000000..4e70653647
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout
@@ -0,0 +1,2 @@
+Connected to a peer
+Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout
new file mode 100644
index 0000000000..4e70653647
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout
@@ -0,0 +1,2 @@
+Connected to a peer
+Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout
new file mode 100644
index 0000000000..4e70653647
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout
@@ -0,0 +1,2 @@
+Connected to a peer
+Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout
new file mode 100644
index 0000000000..4e70653647
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout
@@ -0,0 +1,2 @@
+Connected to a peer
+Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
new file mode 100644
index 0000000000..d3c14c8603
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	communication
+#fields	ts	peer	src_name	connected_peer_desc	connected_peer_addr	connected_peer_port	level	message
+#types	time	string	string	string	addr	port	string	string
+1326492291.485390	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] added peer
+1326492291.491731	bro	child	-	-	-	info	[#1/127.0.0.1:47757] connected
+1326492291.492024	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] peer connected
+1326492291.492024	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] phase: version
+1326492291.492740	bro	script	-	-	-	info	connection established
+1326492291.492740	bro	script	-	-	-	info	requesting events matching /^?(NOTHING)$?/
+1326492291.492740	bro	script	-	-	-	info	accepting state
+1326492291.493800	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] phase: handshake
+1326492291.493800	bro	parent	-	-	-	info	warning: no events to request
+1326492291.494161	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] peer_description is bro
+1326492291.494404	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] peer supports keep-in-cache; using that
+1326492291.494404	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] phase: running
+1326492291.494404	bro	parent	-	-	-	info	terminating...
+1326492291.494404	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] closing connection
diff --git a/testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout
new file mode 100644
index 0000000000..494d01b3cd
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout
@@ -0,0 +1,2 @@
+ORIGINAL VALUE (this should be printed out first)
+NEW VALUE (this should be printed out second)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout
new file mode 100644
index 0000000000..ba00dd6c17
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout
@@ -0,0 +1 @@
+Got an id_value_response(test_var, This is the value from the controllee) event
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out b/testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out
new file mode 100644
index 0000000000..71fec4e23c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out
@@ -0,0 +1,3 @@
+VALID
+VALID
+VALID
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
new file mode 100644
index 0000000000..485bfe3eba
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh-new-default
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314313.140603	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314313.140603	1.2.3.4	1234	2.3.4.5	80	failure	US
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
new file mode 100644
index 0000000000..144a7a6426
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
@@ -0,0 +1,10 @@
+#separator |
+#set_separator|,
+#empty_field|(empty)
+#unset_field|-
+#path|ssh
+#fields|data|data2
+#types|string|string
+abc\x0a\xffdef|DATA2
+abc\x7c\xffdef|DATA2
+abc\xff\x7cdef|DATA2
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
new file mode 100644
index 0000000000..10275205a5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
@@ -0,0 +1,12 @@
+PREFIX<>separator |
+PREFIX<>set_separator|,
+PREFIX<>empty_field|EMPTY
+PREFIX<>unset_field|NOT-SET
+PREFIX<>path|ssh
+PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
+PREFIX<>types|time|addr|port|addr|port|string|string|bool
+1324314313.345323|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
+1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
+1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
+1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
+1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
new file mode 100644
index 0000000000..c9e69994fc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	x	y	z
+#types	string	string	string
+\x2d	-	(empty)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
new file mode 100644
index 0000000000..97744b7df8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1315799856.264750	UWkUyAuUGXf	10.0.1.104	64216	193.40.5.162	80	1	GET	lepo.it.da.ut.ee	/~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf	-	Wget/1.12 (darwin10.8.0)	0	346	404	Not Found	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log
new file mode 100644
index 0000000000..b88627c806
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	ss
+#types	table[string]
+CC,AA,\x2c,\x2c\x2c
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
new file mode 100644
index 0000000000..0ef81128d3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
@@ -0,0 +1,12 @@
+#separator ||
+#set_separator||,
+#empty_field||(empty)
+#unset_field||-
+#path||ssh
+#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
+#types||time||addr||port||addr||port||string||string
+1324314313.899736||1.2.3.4||1234||2.3.4.5||80||success||unknown
+1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||US
+1324314313.899736||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
+1324314313.899736||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
+1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
new file mode 100644
index 0000000000..f66dec7160
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
@@ -0,0 +1,5 @@
+1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|unknown
+1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|US
+1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|UK
+1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|BR
+1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
new file mode 100644
index 0000000000..00ab6c8ca0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	data
+#types	time
+1234567890.000000
+1234567890.000000
+1234567890.010000
+1234567890.001000
+1234567890.000100
+1234567890.000010
+1234567890.000001
+1234567890.000000
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
new file mode 100644
index 0000000000..5acaa7b2fc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	status	country	a1	b1	b2
+#types	string	string	count	count	count
+success	unknown	1	3	4
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
new file mode 100644
index 0000000000..086a4836fe
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	status	country
+#types	string	string
+success	unknown
+failure	US
+failure	UK
+success	BR
+failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
new file mode 100644
index 0000000000..16ba17c62c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314314.443785	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314314.443785	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314314.443785	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314314.443785	1.2.3.4	1234	2.3.4.5	80	success	BR
+1324314314.443785	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.events/output b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output
new file mode 100644
index 0000000000..5da27764a5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output
@@ -0,0 +1,2 @@
+[t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=unknown]
+[t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
new file mode 100644
index 0000000000..4ccf4c836a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	port	addr	port	string	string
+1234	2.3.4.5	80	success	unknown
+1234	2.3.4.5	80	failure	US
+1234	2.3.4.5	80	failure	UK
+1234	2.3.4.5	80	success	BR
+1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
new file mode 100644
index 0000000000..4aa3d8f0a7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	t	f
+#types	time	file
+1324314314.940195	Foo.log
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
new file mode 100644
index 0000000000..00242d65c1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	t	id.orig_h
+#types	time	addr
+1324314315.040480	1.2.3.4
+1324314315.040480	1.2.3.4
+1324314315.040480	1.2.3.4
+1324314315.040480	1.2.3.4
+1324314315.040480	1.2.3.4
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log
new file mode 100644
index 0000000000..e2b3da6efd
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log
@@ -0,0 +1,37 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	local
+#fields	ts	id.orig_h
+#types	time	addr
+1300475168.652003	141.142.220.118
+1300475168.724007	141.142.220.118
+1300475168.859163	141.142.220.118
+1300475168.902635	141.142.220.118
+1300475168.892936	141.142.220.118
+1300475168.892913	141.142.220.118
+1300475168.855305	141.142.220.118
+1300475168.855330	141.142.220.118
+1300475168.895267	141.142.220.118
+1300475168.853899	141.142.220.118
+1300475168.893988	141.142.220.118
+1300475168.894787	141.142.220.118
+1300475173.117362	141.142.220.226
+1300475173.153679	141.142.220.238
+1300475168.857956	141.142.220.118
+1300475168.854378	141.142.220.118
+1300475168.854837	141.142.220.118
+1300475167.099816	141.142.220.50
+1300475168.891644	141.142.220.118
+1300475168.892037	141.142.220.118
+1300475171.677081	141.142.220.226
+1300475168.894422	141.142.220.118
+1300475167.096535	141.142.220.202
+1300475168.858713	141.142.220.118
+1300475168.902195	141.142.220.118
+1300475169.899438	141.142.220.44
+1300475168.892414	141.142.220.118
+1300475168.858306	141.142.220.118
+1300475168.901749	141.142.220.118
+1300475170.862384	141.142.220.226
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log
new file mode 100644
index 0000000000..1ac18ff5f7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	remote
+#fields	ts	id.orig_h
+#types	time	addr
+1300475169.780331	173.192.163.128
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
new file mode 100644
index 0000000000..a6b8a4e090
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
@@ -0,0 +1,63 @@
+static-prefix-0-BR.log
+static-prefix-0-MX3.log
+static-prefix-0-unknown.log
+static-prefix-1-MX.log
+static-prefix-1-US.log
+static-prefix-2-MX2.log
+static-prefix-2-UK.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-0-BR
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	success	BR
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-0-MX3
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	failure	MX3
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-0-unknown
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	success	unknown
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-1-MX
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	failure	MX
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-1-US
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	failure	US
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-2-MX2
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	failure	MX2
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	static-prefix-2-UK
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.385189	1.2.3.4	1234	2.3.4.5	80	failure	UK
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log
new file mode 100644
index 0000000000..733bb02847
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test.failure
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.498365	1.2.3.4	1234	2.3.4.5	80	failure	US
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log
new file mode 100644
index 0000000000..0261caeb06
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test.success
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314315.498365	1.2.3.4	1234	2.3.4.5	80	success	unknown
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
new file mode 100644
index 0000000000..d9bd34309a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	EMPTY
+#unset_field	-
+#path	test
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table[count]	table[string]	table[string]	vector[count]	vector[string]
+T	-42	Test::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1324314315.880694	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
new file mode 100644
index 0000000000..6cb58bf4ac
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test.failure
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
new file mode 100644
index 0000000000..f5b79ee2c4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	success	BR
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
new file mode 100644
index 0000000000..c40e56af93
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test.success
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314321.061516	1.2.3.4	1234	2.3.4.5	80	success	BR
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
new file mode 100644
index 0000000000..cb3d4aafb8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh.failure
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314328.196443	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314328.196443	1.2.3.4	1234	2.3.4.5	80	failure	UK
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
new file mode 100644
index 0000000000..38a5bb660c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314328.196443	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314328.196443	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314328.196443	1.2.3.4	1234	2.3.4.5	80	failure	BR
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/.stderr b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/.stderr
new file mode 100644
index 0000000000..0954137b7e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/.stderr
@@ -0,0 +1,10 @@
+1st test.2011-03-07-03-00-05.log test 11-03-07_03.00.05 11-03-07_04.00.05 0
+1st test.2011-03-07-04-00-05.log test 11-03-07_04.00.05 11-03-07_05.00.05 0
+1st test.2011-03-07-05-00-05.log test 11-03-07_05.00.05 11-03-07_06.00.05 0
+1st test.2011-03-07-06-00-05.log test 11-03-07_06.00.05 11-03-07_07.00.05 0
+1st test.2011-03-07-07-00-05.log test 11-03-07_07.00.05 11-03-07_08.00.05 0
+1st test.2011-03-07-08-00-05.log test 11-03-07_08.00.05 11-03-07_09.00.05 0
+1st test.2011-03-07-09-00-05.log test 11-03-07_09.00.05 11-03-07_10.00.05 0
+1st test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
+1st test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
+1st test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
new file mode 100644
index 0000000000..915915f43e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
@@ -0,0 +1,78 @@
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, open=1299488405.0, close=1299491995.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
+custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
+#empty_field	(empty)
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#path	test
+#path	test2
+#separator \x09
+#set_separator	,
+#types	time	addr	port	addr	port
+#unset_field	-
+1299466805.000000	10.0.0.1	20	10.0.0.2	1024
+1299470395.000000	10.0.0.2	20	10.0.0.3	0
+1299470405.000000	10.0.0.1	20	10.0.0.2	1025
+1299473995.000000	10.0.0.2	20	10.0.0.3	1
+1299474005.000000	10.0.0.1	20	10.0.0.2	1026
+1299477595.000000	10.0.0.2	20	10.0.0.3	2
+1299477605.000000	10.0.0.1	20	10.0.0.2	1027
+1299481195.000000	10.0.0.2	20	10.0.0.3	3
+1299481205.000000	10.0.0.1	20	10.0.0.2	1028
+1299484795.000000	10.0.0.2	20	10.0.0.3	4
+1299484805.000000	10.0.0.1	20	10.0.0.2	1029
+1299488395.000000	10.0.0.2	20	10.0.0.3	5
+1299488405.000000	10.0.0.1	20	10.0.0.2	1030
+1299491995.000000	10.0.0.2	20	10.0.0.3	6
+1299492005.000000	10.0.0.1	20	10.0.0.2	1031
+1299495595.000000	10.0.0.2	20	10.0.0.3	7
+1299495605.000000	10.0.0.1	20	10.0.0.2	1032
+1299499195.000000	10.0.0.2	20	10.0.0.3	8
+1299499205.000000	10.0.0.1	20	10.0.0.2	1033
+1299502795.000000	10.0.0.2	20	10.0.0.3	9
+> test.2011-03-07-03-00-05.log
+> test.2011-03-07-04-00-05.log
+> test.2011-03-07-05-00-05.log
+> test.2011-03-07-06-00-05.log
+> test.2011-03-07-07-00-05.log
+> test.2011-03-07-08-00-05.log
+> test.2011-03-07-09-00-05.log
+> test.2011-03-07-10-00-05.log
+> test.2011-03-07-11-00-05.log
+> test.2011-03-07-12-00-05.log
+> test2-11-03-07_03.00.05.log
+> test2-11-03-07_03.59.55.log
+> test2-11-03-07_04.00.05.log
+> test2-11-03-07_04.59.55.log
+> test2-11-03-07_05.00.05.log
+> test2-11-03-07_05.59.55.log
+> test2-11-03-07_06.00.05.log
+> test2-11-03-07_06.59.55.log
+> test2-11-03-07_07.00.05.log
+> test2-11-03-07_07.59.55.log
+> test2-11-03-07_08.00.05.log
+> test2-11-03-07_08.59.55.log
+> test2-11-03-07_09.00.05.log
+> test2-11-03-07_09.59.55.log
+> test2-11-03-07_10.00.05.log
+> test2-11-03-07_10.59.55.log
+> test2-11-03-07_11.00.05.log
+> test2-11-03-07_11.59.55.log
+> test2-11-03-07_12.00.05.log
+> test2-11-03-07_12.59.55.log
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
new file mode 100644
index 0000000000..d31783edc4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
@@ -0,0 +1,110 @@
+test.2011-03-07-03-00-05.log test 11-03-07_03.00.05 11-03-07_04.00.05 0
+test.2011-03-07-04-00-05.log test 11-03-07_04.00.05 11-03-07_05.00.05 0
+test.2011-03-07-05-00-05.log test 11-03-07_05.00.05 11-03-07_06.00.05 0
+test.2011-03-07-06-00-05.log test 11-03-07_06.00.05 11-03-07_07.00.05 0
+test.2011-03-07-07-00-05.log test 11-03-07_07.00.05 11-03-07_08.00.05 0
+test.2011-03-07-08-00-05.log test 11-03-07_08.00.05 11-03-07_09.00.05 0
+test.2011-03-07-09-00-05.log test 11-03-07_09.00.05 11-03-07_10.00.05 0
+test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
+test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
+test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
+> test.2011-03-07-03-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299466805.000000	10.0.0.1	20	10.0.0.2	1024
+1299470395.000000	10.0.0.2	20	10.0.0.3	0
+> test.2011-03-07-04-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299470405.000000	10.0.0.1	20	10.0.0.2	1025
+1299473995.000000	10.0.0.2	20	10.0.0.3	1
+> test.2011-03-07-05-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299474005.000000	10.0.0.1	20	10.0.0.2	1026
+1299477595.000000	10.0.0.2	20	10.0.0.3	2
+> test.2011-03-07-06-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299477605.000000	10.0.0.1	20	10.0.0.2	1027
+1299481195.000000	10.0.0.2	20	10.0.0.3	3
+> test.2011-03-07-07-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299481205.000000	10.0.0.1	20	10.0.0.2	1028
+1299484795.000000	10.0.0.2	20	10.0.0.3	4
+> test.2011-03-07-08-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299484805.000000	10.0.0.1	20	10.0.0.2	1029
+1299488395.000000	10.0.0.2	20	10.0.0.3	5
+> test.2011-03-07-09-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299488405.000000	10.0.0.1	20	10.0.0.2	1030
+1299491995.000000	10.0.0.2	20	10.0.0.3	6
+> test.2011-03-07-10-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299492005.000000	10.0.0.1	20	10.0.0.2	1031
+1299495595.000000	10.0.0.2	20	10.0.0.3	7
+> test.2011-03-07-11-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299495605.000000	10.0.0.1	20	10.0.0.2	1032
+1299499195.000000	10.0.0.2	20	10.0.0.3	8
+> test.2011-03-07-12-00-05.log
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+#types	time	addr	port	addr	port
+1299499205.000000	10.0.0.1	20	10.0.0.2	1033
+1299502795.000000	10.0.0.2	20	10.0.0.3	9
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
new file mode 100644
index 0000000000..09afe2031c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	/dev/stdout
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314328.844271	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314328.844271	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314328.844271	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314328.844271	1.2.3.4	1234	2.3.4.5	80	success	BR
+1324314328.844271	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
new file mode 100644
index 0000000000..53292324af
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1324314328.950525	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1324314328.950525	1.2.3.4	1234	2.3.4.5	80	failure	US
+1324314328.950525	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1324314328.950525	1.2.3.4	1234	2.3.4.5	80	success	BR
+1324314328.950525	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
new file mode 100644
index 0000000000..74aa0312a1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	EMPTY
+#unset_field	-
+#path	ssh
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table[count]	table[string]	table[string]	vector[count]	vector[string]	func
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1324314329.051618	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
new file mode 100644
index 0000000000..7956ad11a0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	testing
+#fields	a.val1	a.val2	b
+#types	count	count	count
+-	-	6
+1	2	3
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
new file mode 100644
index 0000000000..65ab5592bf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#fields	vec
+#types	vector[string]
+-,2,-,-,5
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
new file mode 100644
index 0000000000..a278bdc56a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	metrics
+#fields	ts	metric_id	filter_name	index.host	index.str	index.network	value
+#types	time	enum	string	addr	string	subnet	count
+1324314335.570789	TEST_METRIC	foo-bar	6.5.4.3	-	-	4
+1324314335.570789	TEST_METRIC	foo-bar	1.2.3.4	-	-	6
+1324314335.570789	TEST_METRIC	foo-bar	7.2.1.5	-	-	2
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
new file mode 100644
index 0000000000..8ee19c255b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	metrics
+#fields	ts	metric_id	filter_name	index.host	index.str	index.network	value
+#types	time	enum	string	addr	string	subnet	count
+1324314344.807073	TEST_METRIC	foo-bar	6.5.4.3	-	-	2
+1324314344.807073	TEST_METRIC	foo-bar	1.2.3.4	-	-	3
+1324314344.807073	TEST_METRIC	foo-bar	7.2.1.5	-	-	1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
new file mode 100644
index 0000000000..59d70896fb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+1325633225.777902	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 100/100	-	1.2.3.4	-	-	100	manager-1	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
new file mode 100644
index 0000000000..58346b79e6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+1325633274.875473	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 3/2	-	1.2.3.4	-	-	3	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
+1325633274.875473	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=6.5.4.3) 2/2	-	6.5.4.3	-	-	2	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	6.5.4.3	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
new file mode 100644
index 0000000000..10888b21ec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+1325633122.490990	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
new file mode 100644
index 0000000000..e2cd51edd1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
@@ -0,0 +1,4 @@
+>  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid arKYeMETxOg)
+   test
+   # 141.42.64.125 = <skipped>  125.190.109.199 = <skipped>
+
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
new file mode 100644
index 0000000000..5deac88071
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+1325633150.723248	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
new file mode 100644
index 0000000000..1d168d7613
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double
+1325633207.922993	-	-	-	-	-	-	Test_Notice	test	-	-	-	-	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-
diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
new file mode 100644
index 0000000000..f172268aa6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
@@ -0,0 +1,46 @@
+success on: Apache/1.3.19 (Unix)
+success on: Python-urllib/3.1
+success on: Apache
+success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)
+success on: Java/1.6.0_13
+success on: Wget/1.11.4 (Red Hat modified)
+success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18
+success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5
+success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01
+success on: (vsFTPd 2.0.5)
+success on: OpenSSH_4.4
+success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00
+success on: The Bat! (3.0.1 RC3) Professional
+success on: Apple Mail (2.1084)
+success on: libwww-perl/5.820
+success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4
+success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9
+success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
+success on: Wget/1.9+cvs-stable (Red Hat modified)
+success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
+success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
+success on: The Bat! (v2.00.9) Personal
+success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
+success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
+success on: ProFTPD 1.2.5rc1 Server (Debian)
+success on: Java1.2.2-JDeveloper
+success on: Total Commander
+success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4
+success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54
+success on: wu-2.4.2-academ[BETA-18-VR14](1)
+success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown
+success on: Java1.3.1_04
+success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00
+success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
+success on: OpenSSH_5.2
+success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)
+success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
+success on: wu-2.6.2(1)
+success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15
+success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)
+success on: Flash/10,2,153,1
+success on: CacheFlyServe v26b
+success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5
+success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2
+success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731
+success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
new file mode 100644
index 0000000000..ddcea2e9c7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1237440095.634312	UWkUyAuUGXf	192.168.3.103	54102	128.146.216.51	80	1	POST	www.osu.edu	/	-	curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3	2001	60731	200	OK	100	Continue	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
new file mode 100644
index 0000000000..73c369dd14
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
@@ -0,0 +1,304 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+"http://www.w3.org/TR/REC-html40/loose.dtd">
+<HEAD><TITLE>ICIR</TITLE></HEAD>
+<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">
+<img src=icir.gif alt="ICIR"><br>
+<p>
+ICIR (The ICSI Center for Internet Research)
+is a 
+non-profit
+research institute at
+<a href="http://www.icsi.berkeley.edu">ICSI</a>
+in 
+<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, 
+California.<br>
+For the three years from 1999 to 2001 we were named
+ACIRI, the AT&T Center for Internet Research at ICSI, 
+and were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>
+
+The goals of ICIR are to:
+<ul>
+<li>Pursue research on the Internet architecture and related networking issues,
+<li>
+Participate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and
+standards (<a href="http://www.ietf.org/">IETF</a>) communities,
+<li> Bridge the gap between the Internet research community and commercial 
+interests by providing a neutral forum where topics of mutual technical 
+interest can be addressed.
+</ul>
+<p>
+<!--
+ICIR is now 
+<a href="jobs.html">
+hiring</a> for both postdoctoral positions and summer interns.
+-->
+<hr>
+
+<DIV ALIGN="CENTER">
+
+<table width="100%" cellspacing=16 cellpadding=0>
+
+<tr>
+<td width="35%" valign=top>
+
+<h2>
+People
+</h2>
+<ul>
+<li>
+<a href="./shenker/">
+Scott Shenker</a>, Group Leader<br> 
+<li><a href="http://www.icir.org/mallman/">Mark Allman</a>
+<li>
+<a href="./floyd/">Sally Floyd</a>
+<!--
+<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>
+-->
+<li>
+<a href="./karp/papers.html">
+Richard Karp</a>  
+<!-- (also with the 
+<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, 
+<a href="http://www.msri.org/">MSRI</a>, and
+<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->
+<li>
+<a href="./vern/">
+Vern Paxson</a>  
+<li>
+<a href="http://www.icir.org/robin/">
+Robin Sommer</a>
+<li>
+<a href="http://www.cs.berkeley.edu/~nweaver/">
+Nicholas Weaver</a>
+<li>
+<a href="http://www.icsi.berkeley.edu/~zhao/">
+Jerry Zhao</a>
+<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->
+<li><b><a href="pastvisitors.html">Past Group Members</a></b>,
+<br>including:
+<ul>
+<li>
+<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">
+Mark Handley</a> (UCL)
+<li><a href="./kohler/">Eddie Kohler</a> (UCLA)
+</ul>
+<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>
+Researchers</b>:
+  <ul>
+  <li><a href="./jcardona/">Javier Cardona</a>
+  <li><a href="./atanu/">Atanu Ghosh</a> 
+  <li><a href="./hodson/">Orion Hodson</a>
+  <li><a href="./pavlin/">Pavlin Radoslavov</a> 
+  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>
+  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>
+</ul>
+<li><b>Affiliated UCB Researchers</b>:
+  <ul>
+  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>
+  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>
+  </ul>
+<li><b>Visitors</b>:
+  <ul>
+  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>
+<!--
+  from Shanghai Jiaotong University
+-->
+  <li>Teemu Koponen
+<!--
+  , Helsinki Institute for Information Technology
+-->
+  </ul>
+<!--
+<li><a href="pastvisitors.html">Other researchers</a>
+-->
+<a name=Visitors></a>
+<li><b>Interns:</b>
+<ul>
+<li>Juan Caballero
+<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>
+<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>
+<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>
+<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>
+<li>Halldor Isak Gylfason
+<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>
+<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>
+<!--
+<li><a href="newinterns.html">New Interns:</a> 
+-->
+</ul>
+<li><b>Undergraduate Interns:</b>
+<ul>
+<li>Michael Hoisie
+<li>Arthur Wayne Liao
+<li>Christopher Portka
+</ul>
+<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>
+</ul>
+
+</td>
+<td width="30%" valign=top>
+
+<h2>
+Publications
+</h2>
+<ul>
+<li><a href="./rfcs.html">
+RFCs</a> with ICIR authors.
+<li>
+<a href="./internetdrafts.html">
+Internet drafts</a> with ICIR authors, 3/2004 
+(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>
+the current list).
+<!--
+for "Shenker OR Floyd OR Allman OR Paxson".
+(or the 
+<a
+href="
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)
+
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).
+-->
+<!--
+from the 
+<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">
+Internet-Drafts Search Engine</a>).
+-->
+<li>Papers by 
+<a href="./shenker/papers.html">Scott Shenker</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),
+
+<a href="./mallman/papers/">Mark Allman</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),
+
+<a href="./floyd/papers.html">Sally Floyd</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),
+
+<a href="./karp/papers.html">Richard Karp</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),
+<a href="./kohler/pubs/">Eddie Kohler</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),
+<a href="./vern/papers.html">Vern Paxson</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).
+<li>The <a href="http://citeseer.ist.psu.edu/">
+ResearchIndex</a> (RI) and the 
+<a href="http://citeseer.ist.psu.edu/cs">Search</a>
+and 
+<a href="http://citeseer.ist.psu.edu/Networking/">
+Networking</a> pages. 
+</ul>
+
+<h2>
+Projects 
+</h2>
+<ul>
+<li>
+<a href="./vern/bro-info.html">Bro</a>
+(detecting network intruders). 
+<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:
+Future-Generation Internet Architecture.
+<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>
+network simulator.
+<li> <a href="./tbit/">TBIT</a>
+(TCP Behavior Identification Tool).
+<li> <a href="http://www.xorp.org/">Xorp</a>
+(Extensible Open Router Platform).
+<li>
+<a href="./funded_projects.html">
+Other Funded Projects</a>.
+<li>
+<a href="./research.html">
+Additional Research Links</a>.
+</ul>
+
+
+</td>
+
+<td width="35%" valign=top>
+    
+<h2>Research</h2>
+&nbsp; &nbsp;<b>Transport and Congestion</b>
+<ul>
+<li>
+<a href="./kohler/dcp/">DCCP</a>
+(Datagram Congestion Control Protocol).
+<li>
+<a href="./floyd/ecn.html">ECN</a>
+(Explicit Congestion Notification).
+<li>
+<a href="http://www.ietf.org/html.charters/intserv-charter.html">
+Integrated services</a>.
+<li>
+<a href="./floyd/red.html">RED</a> 
+queue management, and
+<a href="./red-pd/">RED-PD</a>.
+<li>
+<a href="./floyd/hstcp.html">HighSpeed TCP</a>.
+<li>
+<a
+href="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">
+TCP Implementation</a>.
+<li>
+Reordering-Robust TCP 
+(<a href="./bkarp/RR-TCP/">RR-TCP</a>).
+<li>TCP
+<a href="./floyd/sacks.html">SACK</a> 
+(Selective Acknowledgment).
+<li>
+<a href="./tfrc/">TFRC</a> 
+(TCP-Friendly Rate Control).
+</ul>
+
+&nbsp; &nbsp;<b>Traffic and Topology</b>
+<ul>
+<LI>
+<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> 
+(Internet Distance Mapping).
+<LI>The <a href="http://www.acm.org/sigcomm/ITA/">
+Internet Traffic Archive</a>.
+<li>
+<a href="http://www-net.cs.umass.edu/minc/">MINC</a>
+(Multicast-based Inference of Network-internal Characteristics).
+<li>
+<a href="http://www.psc.edu/networking/nimi/">NIMI</a>
+(National Internet Measurement Infrastructure).
+</ul>
+
+<h2>
+<a href="./collaborators.html">
+Collaborators</a>
+</h2>
+
+<!--
+&nbsp; &nbsp;<b>Multicast and Multimedia</b>
+<ul>
+<LI><A href="/malloc/">MALLOC</a>
+(Multicast Address Allocation).
+<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>
+(Session Initiation Protocol).
+<li> <a href="yoid"> Yoid</a> (host-based content distribution). 
+</ul>
+-->
+
+</td>
+
+</tr>
+</table>
+</DIV>
+
+<hr>
+<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>
+<hr>
+Last modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.
+<a href="http://web.archive.org/web/*/http://www.aciri.org/">
+Older versions</a> of this web page, in its ACIRI incarnation..
+<BR>
+For more information about this server, mail <I>www@aciri.org</I>.  
+<BR>
+To report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.
+</BODY>
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
new file mode 100644
index 0000000000..cec098a50b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1128727435.634189	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
new file mode 100644
index 0000000000..d4e5679da1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1258577884.844956	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	1	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2675	200	OK	-	-	-	(empty)	-	-	-	FAKE_MIME	-	-
+1258577884.960135	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	2	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	21421	200	OK	-	-	-	(empty)	-	-	-	FAKE_MIME	-	-
+1258577885.317160	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	3	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	94	200	OK	-	-	-	(empty)	-	-	-	FAKE_MIME	-	-
+1258577885.349639	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	4	GET	www.mozilla.org	/images/template/screen/key-point-top.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2349	200	OK	-	-	-	(empty)	-	-	-	image/png	e0029eea80812e9a8e57b8d05d52938a	-
+1258577885.394612	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	5	GET	www.mozilla.org	/projects/calendar/images/header-sunbird.png	http://www.mozilla.org/projects/calendar/calendar.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	27579	200	OK	-	-	-	(empty)	-	-	-	image/png	30aa926344f58019d047e85ba049ca1e	-
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
new file mode 100644
index 0000000000..dfaf34acbf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	file
+1258577884.844956	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	1	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2675	200	OK	-	-	-	(empty)	-	-	-	-	-
+1258577884.960135	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	2	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	21421	200	OK	-	-	-	(empty)	-	-	-	-	-
+1258577885.317160	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	3	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	94	200	OK	-	-	-	(empty)	-	-	-	-	-
+1258577885.349639	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	4	GET	www.mozilla.org	/images/template/screen/key-point-top.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2349	200	OK	-	-	-	(empty)	-	-	-	-	-
+1258577885.394612	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	5	GET	www.mozilla.org	/projects/calendar/images/header-sunbird.png	http://www.mozilla.org/projects/calendar/calendar.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	27579	200	OK	-	-	-	(empty)	-	-	-	-	-
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
new file mode 100644
index 0000000000..b5c137bcf8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	irc
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	extraction_file
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	file
+1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-
+1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-
+1311189174.474127	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-
+1311189316.326025	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	-
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
new file mode 100644
index 0000000000..d4ec9e374b
Binary files /dev/null and b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat differ
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
new file mode 100644
index 0000000000..7513bfb9b8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	irc
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	dcc_mime_type	extraction_file
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	string	file
+1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-	-
+1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-	-
+1311189174.474127	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-	-
+1311189316.326025	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	FAKE_MIME	irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
new file mode 100644
index 0000000000..2c1380cb44
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent
+#types	time	string	addr	port	addr	port	count	string	string	table[string]	string	string	table[string]	string	string	string	string	addr	string	string	string	vector[addr]	string
+1254722768.219663	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
new file mode 100644
index 0000000000..f4dd7d22f4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
@@ -0,0 +1,13 @@
+Hello
+
+ 
+
+I send u smtp pcap file 
+
+Find the attachment
+
+ 
+
+GPS
+
+
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
new file mode 100644
index 0000000000..9eb3055735
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
@@ -0,0 +1,264 @@
+Version 4.9.9.1
+* Many bug fixes
+* Improved editor
+
+Version 4.9.9.0
+* Support for latest Mingw compiler system builds
+* Bug fixes
+
+Version 4.9.8.9
+* New code tooltip display
+* Improved Indent/Unindent and Remove Comment
+* Improved automatic indent
+* Added support for the "interface" keyword
+* WebUpdate should now report installation problems from PackMan
+* New splash screen and association icons
+* Improved installer
+* Many bug fixes
+
+Version 4.9.8.7
+* Added support for GCC > 3.2
+* Debug variables are now resent during next debug session
+* Watched Variables not in correct context are now kept and updated when it is needed
+* Added new compiler/linker options: 20
+  - Strip executable
+  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20
+    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)
+  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)
+* "Default" button in Compiler Options is back
+* Error messages parsing improved
+* Bug fixes
+
+Version 4.9.8.5
+* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")
+* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.
+* Many bug fixes
+
+Version 4.9.8.4
+* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup
+* Improved code completion cache
+* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP
+* Big speed up in function parameters listing while editing
+* Bug fixes
+
+Version 4.9.8.3
+* On Dev-C++ first time configuration dialog, a code completion cache of all the standard 20
+  include files can now be generated.
+* Improved WebUpdate module
+* Many bug fixes
+
+Version 4.9.8.2
+* New debug feature for DLLs: attach to a running process
+* New project option: Use custom Makefile. 20
+* New WebUpdater module.
+* Allow user to specify an alternate configuration file in Environment Options 20
+  (still can be overriden by using "-c" command line parameter).
+* Lots of bug fixes.
+
+Version 4.9.8.1
+* When creating a DLL, the created static lib respects now the project-defined output directory
+
+Version 4.9.8.0
+* Changed position of compiler/linker parameters in Project Options.
+* Improved help file
+* Bug fixes
+
+Version 4.9.7.9
+* Resource errors are now reported in the Resource sheet
+* Many bug fixes
+
+Version 4.9.7.8
+* Made whole bottom report control floating instead of only debug output.
+* Many bug fixes
+
+Version 4.9.7.7
+* Printing settings are now saved
+* New environment options : "watch variable under mouse" and "Report watch errors"
+* Bug fixes
+
+Version 4.9.7.6
+* Debug variable browser
+* Added possibility to include in a Template the Project's directories (include, libs and ressources)
+* Changed tint of Class browser pictures colors to match the New Look style
+* Bug fixes
+
+Version 4.9.7.5
+* Bug fixes
+
+Version 4.9.7.4
+* When compiling with debugging symbols, an extra definition is passed to the
+  compiler: -D__DEBUG__
+* Each project creates a <project_name>_private.h file containing version
+  information definitions
+* When compiling the current file only, no dependency checks are performed
+* ~300% Speed-up in class parser
+* Added "External programs" in Tools/Environment Options (for units "Open with")
+* Added "Open with" in project units context menu
+* Added "Classes" toolbar
+* Fixed pre-compilation dependency checks to work correctly
+* Added new file menu entry: Save Project As
+* Bug-fix for double quotes in devcpp.cfg file read by vUpdate
+* Other bug fixes
+
+Version 4.9.7.3
+* When adding debugging symbols on request, remove "-s" option from linker
+* Compiling progress window
+* Environment options : "Show progress window" and "Auto-close progress window"
+* Bug fixes
+
+Version 4.9.7.2
+* Bug fixes
+
+Version 4.9.7.1
+* "Build priority" per-unit
+* "Include file in linking process" per-unit
+* New feature: compile current file only
+* Separated C++ compiler options from C compiler options in Makefile (see bug report #654744)
+* Separated C++ include dirs from C include dirs in Makefile (see bug report #654744)
+* Necessary UI changes in Project Options
+* Added display of project filename, project output and a summary of the project files in Project Options General tab.
+* Fixed the "compiler-dirs-with-spaces" bug that crept-in in 4.9.7.0
+* Multi-select files in project-view (when "double-click to open" is configured in Environment Settings)
+* Resource files are treated as ordinary files now
+* Updates in "Project Options/Files" code
+* MSVC import now creates the folders structure of the original VC project
+* Bug fixes
+
+Version 4.9.7.0
+* Allow customizing of per-unit compile command in projects
+* Added two new macros: <DATE> and <DATETIME>
+* Added support for macros in the "default source code" (Tools/Editor Options/Code)
+* Separated layout info from project file. It is now kept in a different file
+  (the same filename as the project's but with extension ".layout"). If you
+  have your project under CVS control, you ''ll know why this had to happen...
+* Compiler settings per-project
+* Compiler set per-project
+* Implemented new compiler settings framework
+* "Compile as C++" per-unit
+* "Include file in compilation process" per-unit
+* Project version info (creates the relevant VERSIONINFO struct in the private
+  resource)
+* Support XP Themes (creates the CommonControls 6.0 manifest file and includes
+  it in the private resource)
+* Added CVS "login" and "logout" commands
+* Project manager and debugging window (in Debug tab) can now be trasnformed into floating windows.
+* Added "Add Library" button in Project Options
+* Bug fixes
+
+Version 4.9.6.9
+* Implemented search in help files for the word at cursor (context sensitive help)
+* Implemented "compiler sets" infrastructure to switch between different compilers easily (e.g. gcc-2.95 and gcc-3.2)
+* Added "Files" tab in CVS form to allow selection of more than one file for
+  the requested CVS action
+  20
+Version 4.9.6.8
+* support for DLL application hosting, for debugging and executing DLLs under Dev-C++.
+* New class browser option: "Show inherited members"
+* Added support for the '::' member access operator in code-completion
+* Added *working* function arguments hint
+* Added bracket highlighting. When the caret is on a bracket, that bracket and
+  its counterpart are highlighted
+* Nested folders in project view
+
+Version 4.9.6.7
+* XP Theme support
+* Added CVS commands "Add" and "Remove"
+* Added configuration option for "Templates Directory" in "Environment Options"
+* Code-completion updates
+* Bug fixes
+
+Version 4.9.6.6
+* Editor colors are initialized properly on Dev-C++ first-run
+* Added doxygen-style comments in NewClass, NewMemberFunction and NewMemberVariable wizards
+* Added file's date/time stamp in File/Properties window
+* Current windows listing in Window menu
+* Bug fixes
+
+Version 4.9.6.5
+* CVS support
+* Window list (in Window menu)
+* bug fixes
+
+version 4.9.6.4
+* added ENTER key for opening file in project browser, DEL to delete from the project.
+* bug fixes
+
+version 4.9.6.3
+* Bug fixes
+
+version 4.9.6.2
+* Bug fixes
+
+version 4.9.6.1
+* New "Abort compilation" button
+* Bug fixes
+* Now checks for vRoach existance when sending a crash report
+
+Version 4.9.5.5
+* New option in Editor Options: Show editor hints. User can disable the hints
+  displayed in the editor when the mouse moves over a word. Since this was the
+  cause of many errors (although it should be fixed by now), we are giving the
+  user the option to disable this feature.
+* New option in Editor Options (code-completion): Use code-completion cache.
+  Well, it adds caching to code-completion. Depending on the cache size,
+  the program may take a bit longer to start-up, but provides very fast
+  code-completion and the user has all the commands (belonging to the files
+  he added in the cache) at his fingertips. If, for example, the user adds
+  "windows.h", he gets all the WinAPI! If he adds "wx/wx.h", he gets all of
+  wxWindows! You get the picture...
+* Removed "Only show classes from current file" option in class browser settings.
+  It used to be a checkbox, allowing only two states (on or off), but there is
+  a third relevant option now: "Project classes" so it didn't fit the purpose...
+  The user can define this in the class browser's context menu under "View mode".
+* Fixed the dreaded "Clock skew detected" compiler warning!
+* Fixed many class browser bugs, including some that had to do with class folders.
+
+Version 4.9.5.4
+* Under NT, 2000 and XP, user application data directory will be used to store config files (i.e : C:\Documents and Settings\Username\Local Settings\Application Data)
+
+Version 4.9.5.3
+* Added ExceptionsAnalyzer. If the devcpp.map file is in the devcpp.exe directory
+  then we even get a stack trace in the bug report!
+* Added new WebUpdate module (inactive temporarily).
+* Added new code for code-completion caching of files (disabled - work in progress).
+
+Version 4.9.5.2
+* Added new option in class-browser: Use colors
+  (available when right-clicking the class-browser
+  and selecting "View mode").
+* Dev-C++ now traps access violation of your programs (and of itself too ;)
+
+Version 4.9.5.1
+* Implemented the "File/Export/Project to HTML" function.
+* Added "Tip of the day" system.
+* When running a source file in explorer, don't spawn new instance.
+  Instead open the file in an already launched Dev-C++.
+* Class-parser speed-up (50% to 85% improvement timed!!!)
+* Many code-completion updates. Now takes into account context,
+  class inheritance and visibility (shows items only from files
+  #included directly or indirectly)!
+* Caching of result set of code-completion for speed-up.
+* New option "Execution/Parameters" (and "Debug/Parameters").
+
+Version 4.9.5.0 (5.0 beta 5):
+* CPU Window (still in development)
+* ToDo  list
+* Backtrace in debugging
+* Run to cursor
+* Folders in Project and Class Browser
+* Send custom commands to GDB
+* Makefile can now be customized.
+* Modified the behaviour of the -c param : 20
+  -c <config file directory>
+* Saving of custom syntax parameter group
+* Possibility of changing compilers and tools filename.
+* Many bug fixes
+
+
+Version 4.9.4.1 (5.0 beta 4.1):
+
+* back to gcc 2.95.3
+* Profiling support
+* new update/packages checker (vUpdate)
+* Lots of bugfixes
+
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
new file mode 100644
index 0000000000..453b55932e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp_entities
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	filename	content_len	mime_type	md5	extraction_file	excerpt
+#types	time	string	addr	port	addr	port	count	string	count	string	string	file	string
+1254722770.692743	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	-	79	FAKE_MIME	-	smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat	(empty)
+1254722770.692743	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	-	1918	FAKE_MIME	-	-	(empty)
+1254722770.692804	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	NEWS.txt	10823	FAKE_MIME	-	smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat	(empty)
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
new file mode 100644
index 0000000000..2b471782d5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp_entities
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	filename	content_len	mime_type	md5	extraction_file	excerpt
+#types	time	string	addr	port	addr	port	count	string	count	string	string	file	string
+1254722770.692743	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	-	79	FAKE_MIME	92bca2e6cdcde73647125da7dccbdd07	-	(empty)
+1254722770.692743	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	-	1918	FAKE_MIME	-	-	(empty)
+1254722770.692804	arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	NEWS.txt	10823	FAKE_MIME	a968bb0f9f9d95835b2e74c845877e87	-	(empty)
diff --git a/testing/btest/Baseline/scripts.base.utils.addrs/output b/testing/btest/Baseline/scripts.base.utils.addrs/output
new file mode 100644
index 0000000000..d93268a565
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.addrs/output
@@ -0,0 +1,43 @@
+============ test ipv4 regex
+T
+T
+T
+T
+T
+T
+T
+F
+F
+F
+T
+T
+============ test ipv6 regex
+T
+T
+T
+T
+T
+F
+F
+F
+F
+F
+T
+T
+============ test ipv6-ipv4 hybrid regexes
+T
+T
+F
+F
+F
+============ test find_ip_addresses()
+{
+[0] = 1.1.1.1,
+[2] = 3.3.3.3,
+[1] = 2.2.2.2
+}
+{
+[0] = 1.1.1.1,
+[2] = 3.3.3.3,
+[1] = 0:0:0:0:0:0:0:0
+}
diff --git a/testing/btest/Baseline/scripts.base.utils.conn-ids/output b/testing/btest/Baseline/scripts.base.utils.conn-ids/output
new file mode 100644
index 0000000000..bf6f803264
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.conn-ids/output
@@ -0,0 +1,6 @@
+10.0.0.100:10000 > 10.0.0.200:20000
+10.0.0.100:10000 < 10.0.0.200:20000
+10.0.0.100:10000 > 10.0.0.200:20000
+10.0.0.100:10000 < 10.0.0.200:20000
+T
+T
diff --git a/testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output b/testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
new file mode 100644
index 0000000000..051ac02a67
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
@@ -0,0 +1,24 @@
+LOCAL_HOSTS(10.0.0.100) == T: SUCCESS
+REMOTE_HOSTS(10.0.0.100) == F: SUCCESS
+ALL_HOSTS(10.0.0.100) == T: SUCCESS
+NO_HOSTS(10.0.0.100) == F: SUCCESS
+LOCAL_HOSTS(192.168.1.100) == F: SUCCESS
+REMOTE_HOSTS(192.168.1.100) == T: SUCCESS
+ALL_HOSTS(192.168.1.100) == T: SUCCESS
+NO_HOSTS(192.168.1.100) == F: SUCCESS
+INBOUND(o: 10.0.0.100, r: 10.0.0.200) == F: SUCCESS
+INBOUND(o: 10.0.0.100, r: 192.168.1.100) == F: SUCCESS
+INBOUND(o: 192.168.1.100, r: 10.0.0.100) == T: SUCCESS
+INBOUND(o: 192.168.1.100, r: 192.168.1.200) == F: SUCCESS
+OUTBOUND(o: 10.0.0.100, r: 10.0.0.200) == F: SUCCESS
+OUTBOUND(o: 10.0.0.100, r: 192.168.1.100) == T: SUCCESS
+OUTBOUND(o: 192.168.1.100, r: 10.0.0.100) == F: SUCCESS
+OUTBOUND(o: 192.168.1.100, r: 192.168.1.200) == F: SUCCESS
+BIDIRECTIONAL(o: 10.0.0.100, r: 10.0.0.200) == F: SUCCESS
+BIDIRECTIONAL(o: 10.0.0.100, r: 192.168.1.100) == T: SUCCESS
+BIDIRECTIONAL(o: 192.168.1.100, r: 10.0.0.100) == T: SUCCESS
+BIDIRECTIONAL(o: 192.168.1.100, r: 192.168.1.200) == F: SUCCESS
+NO_DIRECTION(o: 10.0.0.100, r: 10.0.0.200) == F: SUCCESS
+NO_DIRECTION(o: 10.0.0.100, r: 192.168.1.100) == F: SUCCESS
+NO_DIRECTION(o: 192.168.1.100, r: 10.0.0.100) == F: SUCCESS
+NO_DIRECTION(o: 192.168.1.100, r: 192.168.1.200) == F: SUCCESS
diff --git a/testing/btest/Baseline/scripts.base.utils.files/output b/testing/btest/Baseline/scripts.base.utils.files/output
new file mode 100644
index 0000000000..ab92c3a624
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.files/output
@@ -0,0 +1,36 @@
+test-prefix_141.142.220.118:48649-208.80.152.118:80_test-suffix
+test-prefix_141.142.220.118:48649-208.80.152.118:80
+141.142.220.118:48649-208.80.152.118:80_test-suffix
+141.142.220.118:48649-208.80.152.118:80
+test-prefix_141.142.220.118:49997-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:49997-208.80.152.3:80
+141.142.220.118:49997-208.80.152.3:80_test-suffix
+141.142.220.118:49997-208.80.152.3:80
+test-prefix_141.142.220.118:49996-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:49996-208.80.152.3:80
+141.142.220.118:49996-208.80.152.3:80_test-suffix
+141.142.220.118:49996-208.80.152.3:80
+test-prefix_141.142.220.118:49998-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:49998-208.80.152.3:80
+141.142.220.118:49998-208.80.152.3:80_test-suffix
+141.142.220.118:49998-208.80.152.3:80
+test-prefix_141.142.220.118:50000-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:50000-208.80.152.3:80
+141.142.220.118:50000-208.80.152.3:80_test-suffix
+141.142.220.118:50000-208.80.152.3:80
+test-prefix_141.142.220.118:49999-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:49999-208.80.152.3:80
+141.142.220.118:49999-208.80.152.3:80_test-suffix
+141.142.220.118:49999-208.80.152.3:80
+test-prefix_141.142.220.118:50001-208.80.152.3:80_test-suffix
+test-prefix_141.142.220.118:50001-208.80.152.3:80
+141.142.220.118:50001-208.80.152.3:80_test-suffix
+141.142.220.118:50001-208.80.152.3:80
+test-prefix_141.142.220.118:35642-208.80.152.2:80_test-suffix
+test-prefix_141.142.220.118:35642-208.80.152.2:80
+141.142.220.118:35642-208.80.152.2:80_test-suffix
+141.142.220.118:35642-208.80.152.2:80
+test-prefix_141.142.220.235:6705-173.192.163.128:80_test-suffix
+test-prefix_141.142.220.235:6705-173.192.163.128:80
+141.142.220.235:6705-173.192.163.128:80_test-suffix
+141.142.220.235:6705-173.192.163.128:80
diff --git a/testing/btest/Baseline/scripts.base.utils.numbers/output b/testing/btest/Baseline/scripts.base.utils.numbers/output
new file mode 100644
index 0000000000..42cf027bb9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.numbers/output
@@ -0,0 +1,7 @@
+0
+13
+13
+13
+13
+13
+1
diff --git a/testing/btest/Baseline/scripts.base.utils.paths/output b/testing/btest/Baseline/scripts.base.utils.paths/output
new file mode 100644
index 0000000000..e5693546da
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.paths/output
@@ -0,0 +1,84 @@
+test compress_path()
+===============================
+Given : foo//bar
+Expect: foo/bar
+Result: foo/bar
+Result: SUCCESS
+===============================
+Given : foo//bar/..
+Expect: foo
+Result: foo
+Result: SUCCESS
+===============================
+Given : foo/bar/../..
+Expect: 
+Result: 
+Result: SUCCESS
+===============================
+Given : foo//bar/../..
+Expect: 
+Result: 
+Result: SUCCESS
+===============================
+Given : /foo/../bar
+Expect: /bar
+Result: /bar
+Result: SUCCESS
+===============================
+Given : /foo/../bar/..
+Expect: /
+Result: /
+Result: SUCCESS
+===============================
+Given : /foo/baz/../..
+Expect: /
+Result: /
+Result: SUCCESS
+===============================
+Given : ../..
+Expect: ../..
+Result: ../..
+Result: SUCCESS
+===============================
+Given : foo/../../..
+Expect: ../..
+Result: ../..
+Result: SUCCESS
+===============================
+test extract_path()
+===============================
+Given : "/this/is/a/dir" is current directory
+Expect: /this/is/a/dir
+Result: /this/is/a/dir
+Result: SUCCESS
+===============================
+Given : /this/is/a/dir is current directory
+Expect: /this/is/a/dir
+Result: /this/is/a/dir
+Result: SUCCESS
+===============================
+Given : /this/is/a/dir\ is\ current\ directory
+Expect: /this/is/a/dir\ is\ current\ directory
+Result: /this/is/a/dir\ is\ current\ directory
+Result: SUCCESS
+===============================
+Given : hey, /foo/bar/baz.bro is a cool script
+Expect: /foo/bar/baz.bro
+Result: /foo/bar/baz.bro
+Result: SUCCESS
+===============================
+Given : here's two dirs: /foo/bar and /foo/baz
+Expect: /foo/bar
+Result: /foo/bar
+Result: SUCCESS
+===============================
+test build_path_compressed()
+===============================
+/home/bro/policy/somefile.bro
+/usr/local/bro/share/bro/somefile.bro
+/usr/local/bro/somefile.bro
+===============================
+test build_full_path()
+===============================
+/home/bro//policy/somefile.bro
+/usr/local/bro/share/bro/somefile.bro
diff --git a/testing/btest/Baseline/scripts.base.utils.pattern/output b/testing/btest/Baseline/scripts.base.utils.pattern/output
new file mode 100644
index 0000000000..9400dc37ec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.pattern/output
@@ -0,0 +1,6 @@
+/^?((blarg|blah|bleh))$?/
+T
+/^?(foo(blarg|blah|bleh)bar)$?/
+T
+[matched=T, str=blah, off=4]
+[matched=F, str=, off=0]
diff --git a/testing/btest/Baseline/scripts.base.utils.site/output b/testing/btest/Baseline/scripts.base.utils.site/output
new file mode 100644
index 0000000000..a372d19669
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.site/output
@@ -0,0 +1,2 @@
+other-site-admin@example.com, site-admin@example.com
+other-site-admin@example.com, net-admin@example.com, site-admin@example.com
diff --git a/testing/btest/Baseline/scripts.base.utils.strings/output b/testing/btest/Baseline/scripts.base.utils.strings/output
new file mode 100644
index 0000000000..4f5f06eca1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.strings/output
@@ -0,0 +1,13 @@
+'hello' is NOT considered binary
+'\xff\xff\xff\0' IS considered binary
+'\0\0\xff\0' IS considered binary
+'\0\0\0\0' is NOT considered binary
+two, one, three
+one
+hell\o w\orl\d
+\\hello world\\
+hello world
+hello worl
+hello
+
+
diff --git a/testing/btest/Baseline/scripts.base.utils.thresholds/output b/testing/btest/Baseline/scripts.base.utils.thresholds/output
new file mode 100644
index 0000000000..0fa85cc81b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.thresholds/output
@@ -0,0 +1,45 @@
+Iteration: 0, threshold check: F
+[n=0, index=0]
+Iteration: 1, threshold check: F
+[n=1, index=0]
+Iteration: 2, threshold check: T
+[n=2, index=1]
+Iteration: 3, threshold check: F
+[n=3, index=1]
+Iteration: 4, threshold check: T
+[n=4, index=2]
+Iteration: 5, threshold check: F
+[n=5, index=2]
+Iteration: 6, threshold check: T
+[n=6, index=3]
+Iteration: 7, threshold check: F
+[n=7, index=3]
+Iteration: 8, threshold check: T
+[n=8, index=4]
+Iteration: 9, threshold check: F
+[n=9, index=4]
+Iteration: 10, threshold check: T
+[n=10, index=5]
+====================================
+Iteration: 0, threshold check: F
+[n=0, index=0]
+Iteration: 1, threshold check: F
+[n=1, index=0]
+Iteration: 2, threshold check: T
+[n=2, index=1]
+Iteration: 3, threshold check: F
+[n=3, index=1]
+Iteration: 4, threshold check: T
+[n=4, index=2]
+Iteration: 5, threshold check: F
+[n=5, index=2]
+Iteration: 6, threshold check: T
+[n=6, index=3]
+Iteration: 7, threshold check: F
+[n=7, index=3]
+Iteration: 8, threshold check: T
+[n=8, index=4]
+Iteration: 9, threshold check: F
+[n=9, index=4]
+Iteration: 10, threshold check: T
+[n=10, index=5]
diff --git a/testing/btest/Baseline/scripts.check-test-all-policy/output b/testing/btest/Baseline/scripts.check-test-all-policy/output
new file mode 100644
index 0000000000..bfc3c033df
--- /dev/null
+++ b/testing/btest/Baseline/scripts.check-test-all-policy/output
@@ -0,0 +1 @@
+WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
new file mode 100644
index 0000000000..0799292857
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_hosts
+#fields	ts	host
+#types	time	addr
+1300475168.783842	141.142.220.118
+1300475168.783842	208.80.152.118
+1300475168.915940	208.80.152.3
+1300475168.962628	208.80.152.2
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
new file mode 100644
index 0000000000..6fdba24d39
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_hosts
+#fields	ts	host
+#types	time	addr
+1300475168.783842	141.142.220.118
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
new file mode 100644
index 0000000000..9ef6ee47b7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_hosts
+#fields	ts	host
+#types	time	addr
+1300475168.783842	208.80.152.118
+1300475168.915940	208.80.152.3
+1300475168.962628	208.80.152.2
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
new file mode 100644
index 0000000000..d53da6f693
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_services
+#fields	ts	host	port_num	port_proto	service
+#types	time	addr	port	enum	table[string]
+1308930691.049431	172.16.238.131	22	tcp	SSH
+1308930694.550308	172.16.238.131	80	tcp	HTTP
+1308930716.462556	74.125.225.81	80	tcp	HTTP
+1308930718.361665	172.16.238.131	21	tcp	FTP
+1308930726.872485	141.142.192.39	22	tcp	SSH
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
new file mode 100644
index 0000000000..ef1722d6a1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_services
+#fields	ts	host	port_num	port_proto	service
+#types	time	addr	port	enum	table[string]
+1308930691.049431	172.16.238.131	22	tcp	SSH
+1308930694.550308	172.16.238.131	80	tcp	HTTP
+1308930718.361665	172.16.238.131	21	tcp	FTP
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
new file mode 100644
index 0000000000..3fc68cdb91
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_services
+#fields	ts	host	port_num	port_proto	service
+#types	time	addr	port	enum	table[string]
+1308930716.462556	74.125.225.81	80	tcp	HTTP
+1308930726.872485	141.142.192.39	22	tcp	SSH
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
new file mode 100644
index 0000000000..9d80898e0f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	QR	AA	TC	RD	RA	Z	answers	TTLs	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	bool	count	vector[string]	vector[interval]	table[string]	table[string]
+930613226.529070	UWkUyAuUGXf	212.180.42.100	25000	131.243.64.3	53	tcp	34798	-	-	-	-	-	0	NOERROR	F	F	F	F	T	0	4.3.2.1	31337.000000	-	-
diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output b/testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
new file mode 100644
index 0000000000..6d427174e5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
@@ -0,0 +1,2 @@
+If anything besides this line prints out, there is a problem.
+
diff --git a/testing/btest/Makefile b/testing/btest/Makefile
new file mode 100644
index 0000000000..a2ca30609a
--- /dev/null
+++ b/testing/btest/Makefile
@@ -0,0 +1,17 @@
+
+DIAG=diag.log
+BTEST=../../aux/btest/btest
+
+all: cleanup
+    # Showing all tests.
+	@$(BTEST) -f $(DIAG)
+	@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
+
+brief: cleanup
+    # Brief output showing only failed tests.
+	@$(BTEST) -b -f $(DIAG)
+	@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
+
+cleanup:
+	@rm -f $(DIAG)
+	@rm -f .tmp/script-coverage*
diff --git a/testing/btest/README b/testing/btest/README
new file mode 100644
index 0000000000..6e8abd24ed
--- /dev/null
+++ b/testing/btest/README
@@ -0,0 +1,85 @@
+This a test suite of small "unit tests" that verify individual pieces of Bro
+functionality.  They all utilize BTest, a simple framework/driver for
+writing unit tests.  More information about BTest can be found at
+http://www.bro-ids.org/development/btest.html
+
+The test suite's BTest configuration is handled through the
+``btest.cfg`` file.  Of particular interest is the "TestDirs" settings,
+which specifies which directories BTest will recursively search for
+test files.
+
+Significant Subdirectories
+==========================
+
+* Baseline/
+	Validated baselines for comparison against the output of each
+	test on future runs. If the new output differs from the Baseline
+	output, then the test fails.
+
+* Traces/
+	Packet captures utilized by the various BTest tests.
+
+* scripts/
+    This hierarchy of tests emulates the hierarchy of the Bro scripts/
+    directory.
+
+* coverage/
+    This collection of tests relates to checking whether we're covering
+    everything we want to in terms of tests, documentation, and which
+    scripts get loaded in different Bro configurations.  These tests are
+    more prone to fail as new Bro scripts are developed and added to the
+    distribution -- checking the individual test's comments is the best
+    place to check for more details on what exactly the test is checking
+    and hints on how to fix it when it fails.
+
+Running Tests
+=============
+
+Either use the ``make all`` or ``make brief`` ``Makefile`` targets, or
+run ``btest`` directly with desired options/arguments.  Examples:
+
+* btest <no arguments>
+	If you simply execute btest in this directory with no arguments,
+	then all directories listed as "TestDirs" in btest.cfg will be
+	searched recursively for test files.
+
+
+* btest <btest options> test_directory
+	You can specify a directory on the command line to run just the
+	tests contained in that directory. This is useful if you wish to
+	run all of a given type of test, without running all the tests
+	there are. For example, "btest scripts" will run all of the Bro
+	script unit tests.
+
+
+* btest <btest options> test_directory/test_file
+	You can specify a single test file to run just that test. This
+	is useful when testing a single failing test or when developing
+	a new test.
+
+Adding Tests
+=============
+
+See either the `BTest documentation
+<http://www.bro-ids.org/development/btest.html>`_ or the existing unit
+tests for examples of what they actually look like.  The essential
+components of a new test include:
+
+* A test file in one of the subdirectories listed in the ``TestDirs``
+  of the ``btest.cfg`` file.
+
+* If the unit test requires a known-good baseline output against which
+  future tests will be compared (via ``btest-diff``), then that baseline
+  output will need to live in the ``Baseline`` directory.  Manually
+  adding that is possible, but it's easier to just use the ``-u`` or
+  ``-U`` options of ``btest`` to do it for you (using ``btest -d`` on a
+  test for which no baseline exists will show you the output so it can
+  be verified first before adding/updating the baseline output).
+
+If you create a new top-level testing directory for collecting related
+tests, then you'll need to add it to the list of ``TestDirs`` in
+``btest.cfg``. Do this only if your test really doesn't fit logically in
+any of the extant directories.
+
+Note that any new test you add this way will automatically be included
+in the testing done in the NMI automated build & test environment.
diff --git a/testing/btest/Traces/conn-size.trace b/testing/btest/Traces/conn-size.trace
new file mode 100644
index 0000000000..8b03d7a67f
Binary files /dev/null and b/testing/btest/Traces/conn-size.trace differ
diff --git a/testing/btest/Traces/dns-session.trace b/testing/btest/Traces/dns-session.trace
new file mode 100644
index 0000000000..2ce7892a2d
Binary files /dev/null and b/testing/btest/Traces/dns-session.trace differ
diff --git a/testing/istate/traces/empty.trace b/testing/btest/Traces/empty.trace
similarity index 100%
rename from testing/istate/traces/empty.trace
rename to testing/btest/Traces/empty.trace
diff --git a/testing/btest/Traces/http-100-continue.trace b/testing/btest/Traces/http-100-continue.trace
new file mode 100644
index 0000000000..3ff38fa5c5
Binary files /dev/null and b/testing/btest/Traces/http-100-continue.trace differ
diff --git a/testing/btest/Traces/http-byteranges.trace b/testing/btest/Traces/http-byteranges.trace
new file mode 100644
index 0000000000..7de35e0eb2
Binary files /dev/null and b/testing/btest/Traces/http-byteranges.trace differ
diff --git a/testing/btest/Traces/http-pipelined-requests.trace b/testing/btest/Traces/http-pipelined-requests.trace
new file mode 100644
index 0000000000..6d13b68828
Binary files /dev/null and b/testing/btest/Traces/http-pipelined-requests.trace differ
diff --git a/testing/btest/Traces/irc-dcc-send.trace b/testing/btest/Traces/irc-dcc-send.trace
new file mode 100644
index 0000000000..88735b92c3
Binary files /dev/null and b/testing/btest/Traces/irc-dcc-send.trace differ
diff --git a/testing/btest/Traces/mixed-vlan-mpls.trace b/testing/btest/Traces/mixed-vlan-mpls.trace
new file mode 100644
index 0000000000..ff9c68d5ed
Binary files /dev/null and b/testing/btest/Traces/mixed-vlan-mpls.trace differ
diff --git a/testing/btest/Traces/smtp.trace b/testing/btest/Traces/smtp.trace
new file mode 100644
index 0000000000..931b43b3b8
Binary files /dev/null and b/testing/btest/Traces/smtp.trace differ
diff --git a/testing/btest/Traces/var-services-std-ports.trace b/testing/btest/Traces/var-services-std-ports.trace
new file mode 100644
index 0000000000..b124fb77fe
Binary files /dev/null and b/testing/btest/Traces/var-services-std-ports.trace differ
diff --git a/testing/istate/traces/web.trace b/testing/btest/Traces/web.trace
similarity index 100%
rename from testing/istate/traces/web.trace
rename to testing/btest/Traces/web.trace
diff --git a/testing/btest/Traces/wikipedia.trace b/testing/btest/Traces/wikipedia.trace
new file mode 100644
index 0000000000..68d85e0190
Binary files /dev/null and b/testing/btest/Traces/wikipedia.trace differ
diff --git a/testing/btest/Traces/www-odd-url.trace b/testing/btest/Traces/www-odd-url.trace
new file mode 100644
index 0000000000..2fd86c50c2
Binary files /dev/null and b/testing/btest/Traces/www-odd-url.trace differ
diff --git a/testing/btest/analyzers/conn-size-cc.bro b/testing/btest/analyzers/conn-size-cc.bro
new file mode 100644
index 0000000000..0ba7977cf5
--- /dev/null
+++ b/testing/btest/analyzers/conn-size-cc.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/analyzers/conn-size.bro b/testing/btest/analyzers/conn-size.bro
new file mode 100644
index 0000000000..0e413cc554
--- /dev/null
+++ b/testing/btest/analyzers/conn-size.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T use_connection_compressor=F
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.bro
new file mode 100644
index 0000000000..ffb2d975bf
--- /dev/null
+++ b/testing/btest/bifs/count_to_addr.bro
@@ -0,0 +1,20 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local a = "1";
+	print count_to_v4_addr(to_count(a));
+	
+	a = "806716794";
+	print count_to_v4_addr(to_count(a));
+	
+	a = "4294967295";
+	print count_to_v4_addr(to_count(a));
+	
+	# This *should* fail and return 0.0.0.0 since it's 255.255.255.255 + 1
+	# Note: How do I check for runtime errors?
+	a = "4294967296";
+	print count_to_v4_addr(to_count(a));
+	}
diff --git a/testing/btest/bifs/decode_base64.bro b/testing/btest/bifs/decode_base64.bro
new file mode 100644
index 0000000000..d4cbd2f37d
--- /dev/null
+++ b/testing/btest/bifs/decode_base64.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+global default_alphabet: string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+global my_alphabet: string = "!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?";
+
+print decode_base64("YnJv");
+print decode_base64_custom("YnJv", default_alphabet);
+print decode_base64_custom("}n-v", my_alphabet);
+
+print decode_base64("YnJv");
+print decode_base64_custom("YnJv", default_alphabet);
+print decode_base64_custom("}n-v", my_alphabet);
diff --git a/testing/btest/bifs/enable_raw_output.test b/testing/btest/bifs/enable_raw_output.test
new file mode 100644
index 0000000000..92e0037a04
--- /dev/null
+++ b/testing/btest/bifs/enable_raw_output.test
@@ -0,0 +1,23 @@
+# Files which enable raw output via the BiF shouldn't interpret NUL characters
+# in strings that are `print`ed to it.
+
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: tr '\000' 'X' <myfile >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cmp myfile hookfile
+
+event bro_init()
+    {
+    local myfile: file;
+    myfile = open("myfile");
+    enable_raw_output(myfile);
+    print myfile, "hello\x00world", "hi";
+    close(myfile);
+    }
+
+event print_hook(f: file, s: string)
+    {
+    local hookfile = open("hookfile");
+    write_file(hookfile, s);
+    close(hookfile);
+    }
diff --git a/testing/btest/bifs/mask_addr.bro b/testing/btest/bifs/mask_addr.bro
new file mode 100644
index 0000000000..e1e3bccfb6
--- /dev/null
+++ b/testing/btest/bifs/mask_addr.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32};
+
+for ( i in one_to_32 )
+	{
+	print mask_addr(255.255.255.255, one_to_32[i]);
+	}
diff --git a/testing/btest/bifs/net_stats_trace.test b/testing/btest/bifs/net_stats_trace.test
new file mode 100644
index 0000000000..fcf3e9ba0d
--- /dev/null
+++ b/testing/btest/bifs/net_stats_trace.test
@@ -0,0 +1,8 @@
+# Checks that accurate stats are returned when reading from a trace file.
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace >output %INPUT
+# @TEST-EXEC: btest-diff output
+
+event bro_done()
+	{
+	print net_stats();
+	}
diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.bro
new file mode 100644
index 0000000000..1fd033dd59
--- /dev/null
+++ b/testing/btest/bifs/netbios-functions.bro
@@ -0,0 +1,18 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local names_to_decode = set(
+		"ejfdebfeebfacacacacacacacacacaaa", # ISATAP
+		"fhepfcelehfcepfffacacacacacacabl", # WORKGROUP
+		"abacfpfpenfdecfcepfhfdeffpfpacab", # \001\002__MSBROWSE__\002
+		"enebfcfeejeocacacacacacacacacaad"); # MARTIN
+
+	for ( name in names_to_decode )
+		{
+		print decode_netbios_name(name);
+		print decode_netbios_name_type(name);
+		}
+	}
diff --git a/testing/btest/bifs/piped_exec.bro b/testing/btest/bifs/piped_exec.bro
new file mode 100644
index 0000000000..32fd5c5f80
--- /dev/null
+++ b/testing/btest/bifs/piped_exec.bro
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff test.txt
+
+
+global cmds = "print \"hello world\";";
+cmds = string_cat(cmds, "\nprint \"foobar\";");
+piped_exec("bro", cmds);
+
+# Test null output.
+piped_exec("cat > test.txt", "\x00\x00hello\x00\x00");
+
diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.bro
new file mode 100644
index 0000000000..4f8cc0538a
--- /dev/null
+++ b/testing/btest/bifs/records_fields.bro
@@ -0,0 +1,20 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+type r: record {
+	a: count;
+	b: string &default="Foo";
+	c: double &optional;
+	d: string &log;
+};
+
+event bro_init()
+{
+    local x: r = [$a=42, $d="Bar"];
+    print x;
+    local t: record_field_table;
+    t = record_fields(x);
+    print t;
+    print t["c"]?$value;
+}
diff --git a/testing/btest/bifs/string_splitting.bro b/testing/btest/bifs/string_splitting.bro
new file mode 100644
index 0000000000..44068fe510
--- /dev/null
+++ b/testing/btest/bifs/string_splitting.bro
@@ -0,0 +1,12 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local a = "X-Mailer: Testing Test (http://www.example.com)";
+	print split1(a, /:[[:blank:]]*/);
+
+	a = "A = B = C = D";
+	print split_all(a, /=/);
+	}
diff --git a/testing/btest/bifs/unique_id-pools.bro b/testing/btest/bifs/unique_id-pools.bro
new file mode 100644
index 0000000000..abdc4b22ba
--- /dev/null
+++ b/testing/btest/bifs/unique_id-pools.bro
@@ -0,0 +1,27 @@
+#
+# @TEST-EXEC: bro order_rand | sort >out.1
+# @TEST-EXEC: bro order_base | sort >out.2
+# @TEST-EXEC: cmp out.1 out.2
+
+@TEST-START-FILE order_rand.bro
+
+print unique_id("A-");
+print unique_id_from(5, "E-");
+print unique_id("B-");
+print unique_id_from(4, "D-");
+print unique_id("C-");
+print unique_id_from(5, "F-");
+
+@TEST-END-FILE
+
+@TEST-START-FILE order_base.bro
+
+print unique_id("A-");
+print unique_id("B-");
+print unique_id("C-");
+print unique_id_from(4, "D-");
+print unique_id_from(5, "E-");
+print unique_id_from(5, "F-");
+
+@TEST-END-FILE
+
diff --git a/testing/btest/bifs/unique_id-rnd.bro b/testing/btest/bifs/unique_id-rnd.bro
new file mode 100644
index 0000000000..4188725373
--- /dev/null
+++ b/testing/btest/bifs/unique_id-rnd.bro
@@ -0,0 +1,12 @@
+#
+# @TEST-EXEC: BRO_SEED_FILE= bro %INPUT >out
+# @TEST-EXEC: BRO_SEED_FILE= bro %INPUT >>out
+# @TEST-EXEC: cat out | sort | uniq | wc -l | sed 's/ //g' >count
+# @TEST-EXEC: btest-diff count
+
+print unique_id("A-");
+print unique_id("B-");
+print unique_id("C-");
+print unique_id_from(4, "D-");
+print unique_id_from(5, "E-");
+print unique_id_from(5, "F-");
diff --git a/testing/btest/bifs/unique_id.bro b/testing/btest/bifs/unique_id.bro
new file mode 100644
index 0000000000..097f5d490d
--- /dev/null
+++ b/testing/btest/bifs/unique_id.bro
@@ -0,0 +1,10 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+print unique_id("A-");
+print unique_id("B-");
+print unique_id("C-");
+print unique_id_from(4, "D-");
+print unique_id_from(5, "E-");
+print unique_id_from(5, "F-");
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
new file mode 100644
index 0000000000..2126e733e7
--- /dev/null
+++ b/testing/btest/btest.cfg
@@ -0,0 +1,21 @@
+[btest]
+TestDirs    = doc bifs language core scripts istate coverage
+TmpDir      = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs  = .svn CVS .tmp
+IgnoreFiles = *.tmp *.swp #* *.trace
+
+[environment]
+BROPATH=`bash -c %(testbase)s/../../build/bro-path-dev`
+BRO_SEED_FILE=%(testbase)s/random.seed
+TZ=UTC
+LC_ALL=C
+BTEST_PATH=%(testbase)s/../../aux/btest
+PATH=%(testbase)s/../../build/src:%(testbase)s/../scripts:%(testbase)s/../../aux/btest:%(default_path)s
+TRACES=%(testbase)s/Traces
+SCRIPTS=%(testbase)s/../scripts
+DIST=%(testbase)s/../..
+BUILD=%(testbase)s/../../build
+TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier
+TMPDIR=%(testbase)s/.tmp
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage
diff --git a/testing/btest/core/check-unused-event-handlers.test b/testing/btest/core/check-unused-event-handlers.test
new file mode 100644
index 0000000000..f9ad105ff6
--- /dev/null
+++ b/testing/btest/core/check-unused-event-handlers.test
@@ -0,0 +1,8 @@
+# This test should print a warning that the event handler is never invoked.
+# @TEST-EXEC: bro -b %INPUT check_for_unused_event_handlers=T
+# @TEST-EXEC: btest-diff .stderr
+
+event this_is_never_used()
+	{
+	print "not even once";
+	}
diff --git a/testing/btest/core/conn-uid.bro b/testing/btest/core/conn-uid.bro
new file mode 100644
index 0000000000..b2078bc9f5
--- /dev/null
+++ b/testing/btest/core/conn-uid.bro
@@ -0,0 +1,32 @@
+#
+# In "normal" test mode, connection uids should be determistic.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+#
+# Without a seed, they should differ each time:
+#
+# @TEST-EXEC: unset BRO_SEED_FILE &&  bro -C -r $TRACES/wikipedia.trace %INPUT >output2
+# @TEST-EXEC: cat output output2 | sort | uniq -c | wc -l | sed 's/ //g' >counts
+# @TEST-EXEC: btest-diff counts
+#
+# Make sure it works without the connection compressor as well.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT use_connection_compressor=F >output.cc
+# @TEST-EXEC: btest-diff output.cc
+#
+# Make sure it works with the full connection compressor as well.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT cc_handle_only_syns=F >output.cc2
+# @TEST-EXEC: btest-diff output.cc2
+
+
+event new_connection(c: connection)
+	{
+	print c$id, c$uid;
+	}
+
+event connection_established(c: connection)
+	{
+	print c$id, c$uid;
+	}
diff --git a/testing/btest/core/dns-init.bro b/testing/btest/core/dns-init.bro
new file mode 100644
index 0000000000..5a7efff6fb
--- /dev/null
+++ b/testing/btest/core/dns-init.bro
@@ -0,0 +1,9 @@
+# We once had a bug where DNS lookups at init time lead to an immediate crash. 
+#
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+const foo: set[addr] = {
+     google.com
+};
+
diff --git a/testing/btest/core/expr-exception.bro b/testing/btest/core/expr-exception.bro
new file mode 100644
index 0000000000..5225f092ba
--- /dev/null
+++ b/testing/btest/core/expr-exception.bro
@@ -0,0 +1,9 @@
+# Bro shouldn't crash when doing nothing, nor outputting anything.
+#
+# @TEST-EXEC: cat /dev/null | bro -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff reporter.log
+
+event connection_established(c: connection)
+	{
+	print c$ftp;
+	}
diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.bro
new file mode 100644
index 0000000000..3d3fdc6f09
--- /dev/null
+++ b/testing/btest/core/leaks/dns.bro
@@ -0,0 +1,52 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace %INPUT
+
+const foo: set[addr] = {
+     google.com
+};
+
+# Add the state tracking information variable to the connection record
+
+event connection_established(c: connection)
+	{
+	when ( local addrs = lookup_hostname("localhost") )
+		{
+		print "1a", c$id$resp_h, addrs;
+		}
+	timeout 100secs
+		{
+		print "1b", c$id$resp_h;
+		}
+
+	when ( local addrs2 = lookup_hostname("qq.ww.ee.rrrrr") )
+		{
+		print "2a", c$id$resp_h, addrs2;
+		}
+	timeout 100secs
+		{
+		print "2b", c$id$resp_h;
+		}
+
+	when ( local a = lookup_addr(c$id$resp_h) )
+		{
+		print "3a", c$id$resp_h, a;
+		}
+	timeout 100secs
+		{
+		print "3b", c$id$resp_h;
+		}
+
+	when ( local a2 = lookup_addr(1.2.3.4) )
+		{
+		print "4a", c$id$resp_h, a2;
+		}
+	timeout 100secs
+		{
+		print "4b", c$id$resp_h;
+		}
+		
+	}
+
diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.bro
new file mode 100644
index 0000000000..6e605372c9
--- /dev/null
+++ b/testing/btest/core/leaks/test-all.bro
@@ -0,0 +1,5 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace test-all-policy
diff --git a/testing/btest/core/load-duplicates.bro b/testing/btest/core/load-duplicates.bro
new file mode 100644
index 0000000000..e5dd365838
--- /dev/null
+++ b/testing/btest/core/load-duplicates.bro
@@ -0,0 +1,14 @@
+# This tests bro's mechanism to prevent duplicate script loading.
+#
+# @TEST-EXEC: mkdir -p foo/bar
+# @TEST-EXEC: echo "@load bar/test" >loader.bro
+# @TEST-EXEC: cp %INPUT foo/bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader bar/test
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader foo/bar/test
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader foo/bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader `pwd`/foo/bar/test.bro
+
+type Test: enum {
+    TEST,
+};
diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.bro
new file mode 100644
index 0000000000..26e190a14c
--- /dev/null
+++ b/testing/btest/core/load-pkg.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro foo >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE foo/__load__.bro
+@load ./test.bro
+@TEST-END-FILE
+
+@TEST-START-FILE foo/test.bro
+print "Foo loaded";
+@TEST-END-FILE
diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.bro
new file mode 100644
index 0000000000..1dfc3ac5dd
--- /dev/null
+++ b/testing/btest/core/load-prefixes.bro
@@ -0,0 +1,25 @@
+# A test of prefix-based @load'ing
+
+# @TEST-EXEC: bro addprefixes >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE addprefixes.bro
+@prefixes += lcl
+@prefixes += lcl2
+@TEST-END-FILE
+
+@TEST-START-FILE lcl.base.utils.site.bro
+print "loaded lcl.base.utils.site.bro";
+@TEST-END-FILE
+
+@TEST-START-FILE lcl2.base.utils.site.bro
+print "loaded lcl2.base.utils.site.bro";
+@TEST-END-FILE
+
+@TEST-START-FILE lcl.base.protocols.http.bro
+print "loaded lcl.base.protocols.http.bro";
+@TEST-END-FILE
+
+@TEST-START-FILE lcl2.base.protocols.http.bro
+print "loaded lcl2.base.protocols.http.bro";
+@TEST-END-FILE
diff --git a/testing/btest/core/load-relative.bro b/testing/btest/core/load-relative.bro
new file mode 100644
index 0000000000..4050150d93
--- /dev/null
+++ b/testing/btest/core/load-relative.bro
@@ -0,0 +1,18 @@
+# A test of relative-path-based @load'ing
+
+# @TEST-EXEC: bro foo/foo >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE foo/foo.bro
+@load ./bar
+@load ../baz
+print "foo loaded";
+@TEST-END-FILE
+
+@TEST-START-FILE foo/bar.bro
+print "bar loaded";
+@TEST-END-FILE
+
+@TEST-START-FILE baz.bro
+print "baz loaded";
+@TEST-END-FILE
diff --git a/testing/btest/core/load-unload.bro b/testing/btest/core/load-unload.bro
new file mode 100644
index 0000000000..f76e9e337d
--- /dev/null
+++ b/testing/btest/core/load-unload.bro
@@ -0,0 +1,11 @@
+# This tests the @unload directive
+#
+# @TEST-EXEC: bro %INPUT misc/loaded-scripts dontloadmebro > output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: grep -q dontloadmebro loaded_scripts.log && exit 1 || exit 0
+
+@unload dontloadmebro
+
+@TEST-START-FILE dontloadmebro.bro
+print "FAIL";
+@TEST-END-FILE
diff --git a/testing/btest/core/nop.bro b/testing/btest/core/nop.bro
new file mode 100644
index 0000000000..e42b5a7821
--- /dev/null
+++ b/testing/btest/core/nop.bro
@@ -0,0 +1,4 @@
+# Bro shouldn't crash when doing nothing, nor outputting anything.
+#
+# @TEST-EXEC: cat /dev/null | bro >output 2>&1
+# @TEST-EXEC: btest-diff output
diff --git a/testing/btest/core/print-bpf-filters-ipv4.bro b/testing/btest/core/print-bpf-filters-ipv4.bro
new file mode 100644
index 0000000000..5a3b0cf7ce
--- /dev/null
+++ b/testing/btest/core/print-bpf-filters-ipv4.bro
@@ -0,0 +1,12 @@
+# @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q F
+#
+# @TEST-EXEC: bro -r $TRACES/empty.trace -e '' >output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::all_packets=F >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace -f "port 42" -e '' >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/core/print-bpf-filters-ipv6.bro b/testing/btest/core/print-bpf-filters-ipv6.bro
new file mode 100644
index 0000000000..824c979d70
--- /dev/null
+++ b/testing/btest/core/print-bpf-filters-ipv6.bro
@@ -0,0 +1,12 @@
+# @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q T
+#
+# @TEST-EXEC: bro -r $TRACES/empty.trace -e '' >output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::all_packets=F >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace -f "port 42" -e '' >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: bro -r $TRACES/empty.trace -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace >>output
+# @TEST-EXEC: cat packet_filter.log >>output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/core/reporter-error-in-handler.bro b/testing/btest/core/reporter-error-in-handler.bro
new file mode 100644
index 0000000000..c4a21d5902
--- /dev/null
+++ b/testing/btest/core/reporter-error-in-handler.bro
@@ -0,0 +1,29 @@
+#
+# This test procudes a recursive error: the error handler is itself broken. Rather
+# than looping indefinitly, the error inside the handler should reported to stderr.
+#
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+global a: table[count] of count;
+
+global c = 0;
+
+event reporter_error(t: time, msg: string, location: string)
+{
+    c += 1;
+
+    if ( c > 1 )
+        print "FAILED: 2nd error reported to script as well.";
+    
+    else
+    	{
+        print "1st error printed on script level";
+        print a[2];
+        }
+}
+
+event bro_init()
+{
+    print a[1];
+}
diff --git a/testing/btest/core/reporter-fmt-strings.bro b/testing/btest/core/reporter-fmt-strings.bro
new file mode 100644
index 0000000000..0e0be77844
--- /dev/null
+++ b/testing/btest/core/reporter-fmt-strings.bro
@@ -0,0 +1,10 @@
+# The format string below should end up as a literal part of the reporter's
+# error message to stderr and shouldn't be replaced internally.
+#
+# @TEST-EXEC-FAIL: bro %INPUT >output 2>&1
+# @TEST-EXEC:      TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+event bro_init()
+{
+    event dont_interpret_this("%s");
+}
diff --git a/testing/btest/core/reporter-parse-error.bro b/testing/btest/core/reporter-parse-error.bro
new file mode 100644
index 0000000000..25f33e2785
--- /dev/null
+++ b/testing/btest/core/reporter-parse-error.bro
@@ -0,0 +1,8 @@
+#
+# @TEST-EXEC-FAIL: bro %INPUT >output 2>&1
+# @TEST-EXEC:      TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+event bro_init()
+{
+    print TESTFAILURE;
+}
diff --git a/testing/btest/core/reporter-runtime-error.bro b/testing/btest/core/reporter-runtime-error.bro
new file mode 100644
index 0000000000..330e2a7e5c
--- /dev/null
+++ b/testing/btest/core/reporter-runtime-error.bro
@@ -0,0 +1,13 @@
+#
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+global a: table[count] of count;
+
+event bro_init()
+{
+    print a[2];
+}
+
+print a[1];
+
diff --git a/testing/btest/core/reporter-type-mismatch.bro b/testing/btest/core/reporter-type-mismatch.bro
new file mode 100644
index 0000000000..0faa9b85e2
--- /dev/null
+++ b/testing/btest/core/reporter-type-mismatch.bro
@@ -0,0 +1,12 @@
+#
+# @TEST-EXEC-FAIL: bro %INPUT >output 2>&1
+# @TEST-EXEC:      TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+event foo(a: string)
+{
+}
+
+event bro_init()
+{
+    event foo(42);
+}
diff --git a/testing/btest/core/reporter.bro b/testing/btest/core/reporter.bro
new file mode 100644
index 0000000000..aa660ef495
--- /dev/null
+++ b/testing/btest/core/reporter.bro
@@ -0,0 +1,55 @@
+#
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff logger-test.log
+
+event bro_init()
+{
+    Reporter::info("init test-info");
+    Reporter::warning("init test-warning");
+    Reporter::error("init test-error");
+}
+
+event bro_done()
+{
+    Reporter::info("done test-info");
+    Reporter::warning("done test-warning");
+    Reporter::error("done test-error");
+}
+
+global first = 1;
+
+event connection_established(c: connection)
+{
+    if ( ! first )
+        return;
+
+    print "established";
+    
+    Reporter::info("processing test-info");
+    Reporter::warning("processing test-warning");
+    Reporter::error("processing test-error");
+    first = 0;
+}
+
+global f = open_log_file("logger-test");
+
+event reporter_info(t: time, msg: string, location: string)
+	{
+    print f, fmt("reporter_info|%s|%s|%.6f", msg, location, t);
+    }
+
+event reporter_warning(t: time, msg: string, location: string)
+	{
+    print f, fmt("reporter_warning|%s|%s|%.6f", msg, location, t);
+    }
+
+event reporter_error(t: time, msg: string, location: string)
+	{
+    print f, fmt("reporter_error|%s|%s|%.6f", msg, location, t);
+    }
+
+Reporter::info("pre test-info");
+Reporter::warning("pre test-warning");
+Reporter::error("pre test-error");
+
diff --git a/testing/btest/core/vlan-mpls.bro b/testing/btest/core/vlan-mpls.bro
new file mode 100644
index 0000000000..b7a7a351cb
--- /dev/null
+++ b/testing/btest/core/vlan-mpls.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/mixed-vlan-mpls.trace
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/coverage/bare-load-baseline.test b/testing/btest/coverage/bare-load-baseline.test
new file mode 100644
index 0000000000..52393afb7c
--- /dev/null
+++ b/testing/btest/coverage/bare-load-baseline.test
@@ -0,0 +1,14 @@
+# This test is meant to cover whether the set of scripts that get loaded by
+# default in bare mode matches a baseline of known defaults.  The baseline
+# should only need updating if something new is @load'd from init-bare.bro
+# (or from an @load'd descendent of it).
+#
+# As the output has absolute paths in it, we need to remove the common
+# prefix to make the test work everywhere. That's what the sed magic
+# below does. Don't ask. :-)
+
+# @TEST-EXEC: bro -b misc/loaded-scripts
+# @TEST-EXEC: test -e loaded_scripts.log
+# @TEST-EXEC: cat loaded_scripts.log | egrep -v '#' | awk 'NR>0{print $1}' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
+# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log
+# @TEST-EXEC: btest-diff canonified_loaded_scripts.log
diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test
new file mode 100644
index 0000000000..9fd18308ce
--- /dev/null
+++ b/testing/btest/coverage/bare-mode-errors.test
@@ -0,0 +1,11 @@
+# Makes sure any given bro script in the scripts/ tree can be loaded in
+# bare mode without error.  btest-bg-run/btest-bg-wait are used to kill off
+# scripts that block after loading, e.g. start listening on a socket.
+#
+# Commonly, this test may fail if one forgets to @load some base/ scripts
+# when writing a new bro scripts.
+#
+# @TEST-EXEC: test -d $DIST/scripts
+# @TEST-EXEC: for script in `find $DIST/scripts -name \*\.bro -not -path '*/site/*'`; do echo $script; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
+# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors
+# @TEST-EXEC: btest-diff unique_errors
diff --git a/testing/btest/coverage/coverage-blacklist.bro b/testing/btest/coverage/coverage-blacklist.bro
new file mode 100644
index 0000000000..30a5f86efa
--- /dev/null
+++ b/testing/btest/coverage/coverage-blacklist.bro
@@ -0,0 +1,29 @@
+# @TEST-EXEC: BRO_PROFILER_FILE=coverage bro -b %INPUT
+# @TEST-EXEC: grep %INPUT coverage | sort -k2 >output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+print "first";
+
+if ( F )
+	{ # @no-test
+	print "hello";
+	print "world";
+	}
+
+print "cover me";
+
+if ( T )
+	{
+	print "always executed";
+	}
+
+print "don't cover me"; # @no-test
+
+if ( 0 + 0 == 1 ) print "impossible"; # @no-test
+
+if ( 1 == 0 )
+	{
+	print "also impossible, but included in code coverage analysis";
+	}
+
+print "success";
diff --git a/testing/btest/coverage/default-load-baseline.test b/testing/btest/coverage/default-load-baseline.test
new file mode 100644
index 0000000000..669b465083
--- /dev/null
+++ b/testing/btest/coverage/default-load-baseline.test
@@ -0,0 +1,14 @@
+# This test is meant to cover whether the set of scripts that get loaded by
+# default matches a baseline of known defaults.  When new scripts are
+# added to the scripts/base/ directory, the baseline will usually just need
+# to be updated.
+#
+# As the output has absolute paths in it, we need to remove the common
+# prefix to make the test work everywhere. That's what the sed magic
+# below does. Don't ask. :-)
+
+# @TEST-EXEC: bro misc/loaded-scripts
+# @TEST-EXEC: test -e loaded_scripts.log
+# @TEST-EXEC: cat loaded_scripts.log | egrep -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
+# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log
+# @TEST-EXEC: btest-diff canonified_loaded_scripts.log
diff --git a/testing/btest/coverage/doc.test b/testing/btest/coverage/doc.test
new file mode 100644
index 0000000000..18ed13e6fa
--- /dev/null
+++ b/testing/btest/coverage/doc.test
@@ -0,0 +1,7 @@
+# This tests that we're generating bro script documentation for all the
+# available bro scripts.  If this fails, then the genDocSources.sh needs
+# to be run to produce a new DocSourcesList.cmake or genDocSources.sh needs
+# to be updated to blacklist undesired scripts.
+#
+# @TEST-EXEC: $DIST/doc/scripts/genDocSourcesList.sh
+# @TEST-EXEC: cmp $DIST/doc/scripts/DocSourcesList.cmake ./DocSourcesList.cmake
diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test
new file mode 100644
index 0000000000..6877159c62
--- /dev/null
+++ b/testing/btest/coverage/init-default.test
@@ -0,0 +1,18 @@
+# Makes sure that all base/* scripts are loaded by default via init-default.bro;
+# and that all scripts loaded there in there actually exist.
+#
+# This test will fail if a new bro script is added under the scripts/base/
+# directory and it is not also added as an @load in base/init-default.bro.
+# In some cases, a script in base is loaded based on the bro configuration
+# (e.g. cluster operation), and in such cases, the missing_loads baseline
+# can be adjusted to tolerate that.
+
+#@TEST-EXEC: test -d $DIST/scripts/base
+#@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro
+#@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found"
+#@TEST-EXEC: bro misc/loaded-scripts
+#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro|#' | sed 's#/./#/#g'  >loaded_scripts.log.tmp
+#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
+#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro
+#@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads
+#@TEST-EXEC: btest-diff missing_loads
diff --git a/testing/btest/coverage/test-all-policy.test b/testing/btest/coverage/test-all-policy.test
new file mode 100644
index 0000000000..3a545a02af
--- /dev/null
+++ b/testing/btest/coverage/test-all-policy.test
@@ -0,0 +1,12 @@
+# Makes sure that all policy/* scripts are loaded in
+# scripts/test-all-policy.bro and that all scripts loaded there actually exist.
+#
+# This test will fail if new bro scripts are added to the scripts/policy/
+# directory.  Correcting that just involves updating scripts/test-all-policy.bro
+# to @load the new bro scripts.
+
+@TEST-EXEC: test -e $DIST/scripts/test-all-policy.bro
+@TEST-EXEC: test -d $DIST/scripts
+@TEST-EXEC: ( cd $DIST/scripts/policy && find . -name '*.bro' ) | sort >"all scripts found"
+@TEST-EXEC: cat $DIST/scripts/test-all-policy.bro | grep '@load' | sed 'sm^\( *# *\)\{0,\}@load *m./mg' | sort >test-all-policy.bro
+@TEST-EXEC: diff -u "all scripts found" test-all-policy.bro 1>&2
diff --git a/testing/btest/doc/autogen-reST-all b/testing/btest/doc/autogen-reST-all
new file mode 100644
index 0000000000..d6326c7042
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-all
@@ -0,0 +1 @@
+@TEST-EXEC: cd $BUILD && make restdoc
diff --git a/testing/btest/doc/autogen-reST-enums.bro b/testing/btest/doc/autogen-reST-enums.bro
new file mode 100644
index 0000000000..fc01bed243
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-enums.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-enums.rst
+
+## There's tons of ways an enum can look...
+type TestEnum1: enum {
+    ## like this
+    ONE,
+    TWO, ##< or like this
+    ## multiple
+    ## comments
+    THREE, ##< and even
+           ##< more comments
+};
+
+## The final comma is optional
+type TestEnum2: enum {
+    ## like this
+    A,
+    B, ##< or like this
+    ## multiple
+    ## comments
+    C  ##< and even
+           ##< more comments
+};
+
+## redefs should also work
+redef enum TestEnum1 += {
+    ## adding another
+    FOUR ##< value
+};
+
+## now with a comma
+redef enum TestEnum1 += {
+    ## adding another
+    FIVE, ##< value
+};
diff --git a/testing/btest/doc/autogen-reST-example b/testing/btest/doc/autogen-reST-example
new file mode 100644
index 0000000000..ecd314eba6
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-example
@@ -0,0 +1,2 @@
+@TEST-EXEC: bro --doc-scripts $DIST/doc/scripts/example.bro
+@TEST-EXEC: btest-diff example.rst
diff --git a/testing/btest/doc/autogen-reST-func-params.bro b/testing/btest/doc/autogen-reST-func-params.bro
new file mode 100644
index 0000000000..89cf90ef5a
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-func-params.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-func-params.rst
+
+## This is a global function declaration.
+##
+## i: First param.
+## j: Second param.
+##
+## Returns: A string.
+global test_func: function(i: int, j: int): string;
+
+type test_rec: record {
+	## This is a record field function.
+	##
+	## i: First param.
+	## j: Second param.
+	##
+	## Returns: A string.
+	field_func: function(i: int, j: int): string;
+};
diff --git a/testing/btest/doc/autogen-reST-records.bro b/testing/btest/doc/autogen-reST-records.bro
new file mode 100644
index 0000000000..fc6bb9f2c0
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-records.bro
@@ -0,0 +1,22 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-records.rst
+
+# undocumented record
+type SimpleRecord: record {
+    field1: bool;
+    field2: count;
+};
+
+## Here's the ways records and record fields can be documented.
+type TestRecord: record {
+    ## document ``A``
+    A: count;
+
+    B: bool;  ##< document ``B``
+
+    ## and now ``C``
+    C: SimpleRecord; ##< is a declared type
+
+    ## sets/tables should show the index types
+    D: set[count, bool];
+};
diff --git a/testing/btest/doc/autogen-reST-type-aliases.bro b/testing/btest/doc/autogen-reST-type-aliases.bro
new file mode 100644
index 0000000000..ce8986f8be
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-type-aliases.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst
+
+## This is just an alias for a builtin type ``bool``.
+type TypeAlias: bool;
+
+## We decided that creating alias "chains" might not be so useful to document
+## so this type just creates a cross reference to ``bool``.
+type OtherTypeAlias: TypeAlias;
+
+## But this should reference a type of ``TypeAlias``.
+global a: TypeAlias;
+
+## And this should reference a type of ``OtherTypeAlias``.
+global b: OtherTypeAlias;
diff --git a/testing/btest/doc/record-add.bro b/testing/btest/doc/record-add.bro
new file mode 100644
index 0000000000..a326314093
--- /dev/null
+++ b/testing/btest/doc/record-add.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+
+# When in doc mode, bro will clone declared types (see add_type() in Var.cc)
+# in order to keep track of the identifier name associated with the new type.
+# This test makes sure that the cloning is done in a way that's compatible
+# with adding fields to a record type -- we want to be sure that cloning
+# a type that contains record types will correctly see field additions to
+# those contained-records.
+
+type my_record: record {
+    field1: bool;
+    field2: string;
+};
+
+type super_record: record {
+    rec: my_record;
+};
+type my_table: table[count] of my_record;
+type my_vector: vector of my_record;
+
+redef record my_record += {
+    field3: count &optional;
+};
+
+global a: my_record;
+global b: super_record;
+global c: my_table;
+global d: my_vector;
+
+function test_func()
+    {
+    a?$field3;
+    b$rec?$field3;
+    c[0]$field3;
+    d[0]$field3;
+    }
diff --git a/testing/btest/doc/record-attr-check.bro b/testing/btest/doc/record-attr-check.bro
new file mode 100644
index 0000000000..33ada44bfd
--- /dev/null
+++ b/testing/btest/doc/record-attr-check.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+
+type Tag: enum {
+    SOMETHING
+};
+
+type R: record {
+    field1: set[Tag] &default=set();
+};
diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro
new file mode 100644
index 0000000000..7f97f40585
--- /dev/null
+++ b/testing/btest/istate/broccoli.bro
@@ -0,0 +1,16 @@
+# @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
+#
+# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log
+# @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log
+# @TEST-EXEC: btest-diff bro.log
+# @TEST-EXEC: btest-diff broccoli.log
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro
new file mode 100644
index 0000000000..5a41e1683b
--- /dev/null
+++ b/testing/btest/istate/events-ssl.bro
@@ -0,0 +1,116 @@
+# 
+# @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+# 
+# @TEST-EXEC: btest-diff sender/http.log
+# @TEST-EXEC: btest-diff receiver/http.log
+# @TEST-EXEC: cmp sender/http.log receiver/http.log
+# 
+# @TEST-EXEC: bro -x sender/events.bst http/base   | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.snd.log
+# @TEST-EXEC: bro -x receiver/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.rec.log
+# @TEST-EXEC: cmp events.rec.log events.snd.log
+# 
+# We don't compare the transmitted event paramerters anymore. With the dynamic
+# state in there since 1.6, they don't match reliably.
+
+@TEST-START-FILE sender.bro
+
+@load frameworks/communication/listen
+redef Communication::listen_ssl=T;
+
+event bro_init()
+    {
+    capture_events("events.bst");
+    }
+
+redef peer_description = "events-send";
+
+# Make sure the HTTP connection really gets out.
+# (We still miss one final connection event because we shutdown before
+# it gets propagated but that's ok.)
+redef tcp_close_delay = 0secs;
+
+redef ssl_ca_certificate = "../ca_cert.pem";
+redef ssl_private_key = "../bro.pem";
+redef ssl_passphrase = "my-password";
+                                                                                                                                    
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+event bro_init()
+    {
+    capture_events("events.bst");
+    }
+
+redef peer_description = "events-rcv";
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match/, $connect=T, $ssl=T]
+};
+
+redef ssl_ca_certificate = "../ca_cert.pem";
+redef ssl_private_key = "../bro.pem";
+redef ssl_passphrase = "my-password";
+                                                                                                                                    
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE bro.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe
+qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn
+VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB
+AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o
+sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV
+rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e
+cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ
+03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX
+zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug
+0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj
++/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4
+i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF
+xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV
+BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx
+MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX
+9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz
+ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV
+HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8
+c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm
+UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw
+3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A==
+-----END CERTIFICATE-----
+@TEST-END-FILE
+
+@TEST-START-FILE ca_cert.pem
+-----BEGIN CERTIFICATE-----
+MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV
+BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx
+MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX
+9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz
+ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV
+HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8
+c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm
+UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw
+3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A==
+-----END CERTIFICATE-----
+@TEST-END-FILE
+
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
new file mode 100644
index 0000000000..a0dc494ced
--- /dev/null
+++ b/testing/btest/istate/events.bro
@@ -0,0 +1,55 @@
+# 
+# @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+# 
+# @TEST-EXEC: btest-diff sender/http.log
+# @TEST-EXEC: btest-diff receiver/http.log
+# @TEST-EXEC: cmp sender/http.log receiver/http.log
+# 
+# @TEST-EXEC: bro -x sender/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.snd.log
+# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.rec.log
+# @TEST-EXEC: cmp events.rec.log events.snd.log
+# 
+# We don't compare the transmitted event paramerters anymore. With the dynamic
+# state in there since 1.6, they don't match reliably.
+
+@TEST-START-FILE sender.bro
+
+@load frameworks/communication/listen
+
+event bro_init()
+    {
+    capture_events("events.bst");
+    }
+
+redef peer_description = "events-send";
+
+# Make sure the HTTP connection really gets out.
+# (We still miss one final connection event because we shutdown before
+# it gets propagated but that's ok.)
+redef tcp_close_delay = 0secs;
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+event bro_init()
+    {
+    capture_events("events.bst");
+    }
+
+redef peer_description = "events-rcv";
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match/, $connect=T]
+};
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/istate/persistence.bro b/testing/btest/istate/persistence.bro
new file mode 100644
index 0000000000..ea2a5368ba
--- /dev/null
+++ b/testing/btest/istate/persistence.bro
@@ -0,0 +1,110 @@
+#
+# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro %INPUT 
+# @TEST-EXEC: cp vars.log vars.write.log
+# @TEST-EXEC: bro read.bro %INPUT 
+# @TEST-EXEC: cp vars.log vars.read.log
+# @TEST-EXEC: btest-diff vars.read.log
+# @TEST-EXEC: btest-diff vars.write.log
+# @TEST-EXEC: cmp vars.read.log vars.write.log
+
+### Common code for reader and writer.
+
+event bro_done()
+	{
+	local out = open("vars.log");
+	print out, foo1;
+	print out, foo2;
+	print out, foo3;
+	print out, foo4;
+	print out, foo5;
+	print out, foo6;
+	print out, foo8;
+	print out, foo9;
+	print out, foo10;
+	print out, foo11;
+	print out, foo12;
+	print out, foo13;
+	print out, foo14;
+	print out, foo15;
+	print out, foo16;
+	print out, foo17;
+	}
+
+	
+	
+	
+
+@TEST-START-FILE read.bro
+
+global foo1: count &persistent &synchronized;
+global foo2: int &persistent &synchronized;
+global foo3: string &persistent &synchronized; 
+global foo4: addr &persistent &synchronized; 
+global foo5: subnet &persistent &synchronized; 
+global foo6: double &persistent &synchronized; 
+global foo8: interval &persistent &synchronized; 
+global foo9: table[count] of string &persistent &synchronized;
+global foo10: file &persistent &synchronized; 
+global foo11: pattern &persistent &synchronized; 
+global foo12: set[count] &persistent &synchronized; 
+global foo13: table[count, string] of count &persistent &synchronized;
+global foo14: table[count] of pattern &persistent &synchronized;
+global foo15: port &persistent &synchronized;
+global foo16: vector of count &persistent &synchronized;
+
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2  &persistent &synchronized;
+
+@TEST-END-FILE
+
+@TEST-START-FILE write.bro
+
+global foo1 = 42 &persistent &synchronized;
+global foo2 = -42 &persistent &synchronized;
+global foo3 = "Hallihallo" &persistent &synchronized; 
+global foo4 = 1.2.3.4 &persistent &synchronized; 
+global foo5 = 1.2.0.0/16 &persistent &synchronized; 
+global foo6 = 3.14 &persistent &synchronized; 
+global foo8 = 42 secs &persistent &synchronized; 
+global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
+global foo10 = open("test") &persistent &synchronized; 
+global foo11 = /12345/ &persistent &synchronized; 
+global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
+global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
+global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
+global foo15 = 42/udp &persistent &synchronized;
+global foo16: vector of count = [1,2,3] &persistent &synchronized;
+ 
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2 = [
+	$a = "yuyuyu",
+    $b = [$a="rec1", $b=100, $c=1.24],
+    $c = [$a="rec2", $b=200, $c=2.24],
+   	$d = 7.77				   
+	] &persistent &synchronized;
+
+@TEST-END-FILE
diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py
new file mode 100644
index 0000000000..b7fb53a955
--- /dev/null
+++ b/testing/btest/istate/pybroccoli.py
@@ -0,0 +1,18 @@
+# @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so
+#
+# @TEST-EXEC: btest-bg-run bro    bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro
+# @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: btest-diff bro/.stdout
+#
+# @TEST-EXEC: sed 's/instance at [^>]*>/instance at >/' <python/.stdout >python/.stdout.filtered
+# @TEST-EXEC: btest-diff python/.stdout.filtered
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+
diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro
new file mode 100644
index 0000000000..1ccdc5538c
--- /dev/null
+++ b/testing/btest/istate/sync.bro
@@ -0,0 +1,164 @@
+#
+# @TEST-EXEC: btest-bg-run sender   bro %INPUT ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro
+# @TEST-EXEC: btest-bg-wait 20
+#
+# @TEST-EXEC: btest-diff sender/vars.log
+# @TEST-EXEC: btest-diff receiver/vars.log
+# @TEST-EXEC: cmp sender/vars.log receiver/vars.log
+
+### Common code for sender and receiver.
+
+# Instantiate variables.
+
+global foo1 = 42 &persistent &synchronized;
+global foo2 = -42 &persistent &synchronized;
+global foo3 = "Hallihallo" &persistent &synchronized; 
+global foo4 = 1.2.3.4 &persistent &synchronized; 
+global foo5 = 1.2.0.0/16 &persistent &synchronized; 
+global foo6 = 3.14 &persistent &synchronized; 
+global foo8 = 42 secs &persistent &synchronized; 
+global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
+global foo10 = open("test") &persistent &synchronized; 
+global foo11 = /12345/ &persistent &synchronized; 
+global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
+global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
+global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
+global foo15 = 42/udp &persistent &synchronized;
+global foo16: vector of count = [1,2,3] &persistent &synchronized;
+ 
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    e: double &optional;
+    };
+
+global foo17: type2 = [
+	$a = "yuyuyu",
+	$b = [$a="rec1", $b=100, $c=1.24],
+	$c = [$a="rec2", $b=200, $c=2.24],
+	$d = 7.77, $e=100.0
+	] &persistent &synchronized;
+
+# Print variables.
+
+event bro_done()
+	{
+	local out = open("vars.log");
+	print out, foo1;
+	print out, foo2;
+	print out, foo3;
+	print out, foo4;
+	print out, foo5;
+	print out, foo6;
+	print out, foo8;
+	print out, foo9;
+	print out, foo10;
+	print out, foo11;
+	print out, foo12;
+	print out, foo13;
+	print out, foo14;
+	print out, foo15;
+	print out, foo16;
+	print out, foo17;
+	}
+
+
+@TEST-START-FILE sender.bro
+
+# Perform modifications on variables.
+
+function modify()
+	{
+	foo1 = 420;
+	++foo1;
+	
+	--foo2;
+	
+	foo3 = "Jodel";
+	
+	foo4 = 4.3.2.1; 
+	
+	foo5 = 4.0.0.0/8; 
+	
+	foo6 = 21;
+	
+	foo9[3] = "asdfg1";
+	foo9[1] = "asdfg2";
+	delete foo9[2];
+	
+	foo10 = open("test2");
+	
+	foo11 = /abbcdefgh/;
+	
+	add foo12[6];
+	delete foo12[1];
+	
+	foo13[4,"JKL"] = 104;
+	delete foo13[1,"ABC"];
+	++foo13[2,"DEF"];
+	
+	foo14[6767] = /QWERTZ/;
+	
+	foo15 = 6667/tcp;
+	
+	foo16[3] = 4;
+	foo16[1] = 20;
+	++foo16[0];
+	
+	local x: type1;
+	x$a = "pop";
+	++x$b;
+	x$c = 9.999;
+	foo17$a = "zxzxzx";
+	foo17$b = x;
+	foo17$c$a = "IOIOI";
+	++foo17$c$b;
+	foo17$c$c = 612.2;
+	foo17$d = 6.6666;
+	delete foo17$e;
+	
+	foo2 = 1234567;
+}
+
+@load frameworks/communication/listen
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	modify();
+	terminate_communication();
+	}
+			 
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $sync=T]
+};
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+event bro_init()
+    {
+    capture_events("events.bst");
+    }
+	
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T]
+};
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/language/cross-product-init.bro b/testing/btest/language/cross-product-init.bro
new file mode 100644
index 0000000000..c12f9eb0bd
--- /dev/null
+++ b/testing/btest/language/cross-product-init.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global my_subs = { 1.2.3.4/19, 5.6.7.8/21 };
+
+global x: set[string, subnet] &redef;
+
+redef x += { [["foo", "bar"], my_subs] };
+
+print x;
diff --git a/testing/btest/language/delete-field-set.bro b/testing/btest/language/delete-field-set.bro
new file mode 100644
index 0000000000..ad7cf6e9fb
--- /dev/null
+++ b/testing/btest/language/delete-field-set.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type FooBar: record {
+        a: set[string] &default=set();
+        b: table[string] of count &default=table();
+        c: vector of string &default=vector();
+};
+
+global test: FooBar;
+
+delete test$a;
+delete test$b;
+delete test$c;
+
+print test;
diff --git a/testing/btest/language/delete-field.bro b/testing/btest/language/delete-field.bro
new file mode 100644
index 0000000000..477466b76a
--- /dev/null
+++ b/testing/btest/language/delete-field.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: count &optional;
+     b: count &default=5;
+};
+
+function p(x: X)
+	{
+	print x?$a ? fmt("a: %d", x$a) : "a: not set";
+	print x$b;
+	}
+
+
+global x: X = [$a=20, $b=20];
+p(x);
+delete x$a;
+delete x$b;
+p(x);
diff --git a/testing/btest/language/enum-desc.bro b/testing/btest/language/enum-desc.bro
new file mode 100644
index 0000000000..86466e2fc2
--- /dev/null
+++ b/testing/btest/language/enum-desc.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type test_enum1: enum { ONE };
+
+module TEST;
+
+type test_enum2: enum { TWO };
+
+print ONE;
+print fmt("%s", ONE);
+
+
+print TWO;
+print fmt("%s", TWO);
diff --git a/testing/btest/language/enum-scope.bro b/testing/btest/language/enum-scope.bro
new file mode 100644
index 0000000000..c8667bfada
--- /dev/null
+++ b/testing/btest/language/enum-scope.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type foo: enum { a, b } &redef;
+
+module test;
+
+redef enum foo += { c };
+
+print c;
diff --git a/testing/btest/language/match-test.bro b/testing/btest/language/match-test.bro
new file mode 100644
index 0000000000..9352d0f39f
--- /dev/null
+++ b/testing/btest/language/match-test.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global match_stuff = {
+	[$pred(a: count) = { return a > 5; },
+	 $result = "it's big",
+	 $priority = 2],
+
+	[$pred(a: count) = { return a > 15; },
+	 $result = "it's really big",
+	 $priority = 3],
+
+	[$pred(a: count) = { return T; },
+	 $result = "default",
+	 $priority = 0],
+};
+
+print match 0 using match_stuff;
+print match 10 using match_stuff;
+print match 20 using match_stuff;
diff --git a/testing/btest/language/match-test2.bro b/testing/btest/language/match-test2.bro
new file mode 100644
index 0000000000..f1c120adf2
--- /dev/null
+++ b/testing/btest/language/match-test2.bro
@@ -0,0 +1,51 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type fakealert : record {
+     alert: string;
+};
+
+
+type match_rec : record {
+     result : count;
+     pred : function(rec : fakealert) : bool;
+     priority: count;
+};
+
+
+#global test_set : set[int] = 
+#{
+#1, 2, 3
+#};
+
+global match_set : set[match_rec] = 
+{
+  [$result = 1, $pred(a: fakealert) = { return T; }, $priority = 8 ],
+  [$result = 2, $pred(a: fakealert) = { return T; }, $priority = 9 ]
+};
+
+global al : fakealert;
+
+#global testset : set[fakealert] = 
+#{
+#       [$alert="hithere"]
+#};
+
+
+type nonalert: record {
+     alert : string;
+     pred : function(a : int) : int;
+};
+
+#global na : nonalert;
+#na$alert = "5";
+
+#al$alert = "hithere2";
+#if (al in testset)
+#   print 1;
+#else
+#   print 0;
+
+
+al$alert = "hi";
+print (match al using match_set);
diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.bro
new file mode 100644
index 0000000000..7e9626a62c
--- /dev/null
+++ b/testing/btest/language/next-test.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# This script tests "next" being called during the last iteration of a
+# for loop
+
+event bro_done()
+  {
+
+        local number_set: set[count];
+        local i: count;
+
+        add number_set[0];
+        add number_set[1];
+
+
+        for ( i in number_set )
+                {
+                print fmt ("%d", i);
+                if ( i == 0 )
+                        next;
+                print fmt ("%d", i);
+                }
+        print fmt ("MIDDLE");
+
+
+        for ( i in number_set )
+                {
+                print fmt ("%d", i);
+                if ( i == 1 )
+                        next;
+                print fmt ("%d", i);
+                }
+        print fmt ("THE END");
+
+        }
diff --git a/testing/btest/language/raw_output_attr.test b/testing/btest/language/raw_output_attr.test
new file mode 100644
index 0000000000..22e565e4b4
--- /dev/null
+++ b/testing/btest/language/raw_output_attr.test
@@ -0,0 +1,25 @@
+# Files with the &raw_output attribute shouldn't interpret NUL characters
+# in strings that are `print`ed to it.
+
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: tr '\000' 'X' <myfile >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cmp myfile hookfile
+
+# first check local variable of file type w/ &raw_output
+
+event bro_init()
+    {
+    local myfile: file;
+    myfile = open("myfile");
+    enable_raw_output(myfile);
+    print myfile, "hello\x00world", "hi";
+    close(myfile);
+    }
+
+event print_hook(f: file, s: string)
+    {
+    local hookfile = open("hookfile");
+    write_file(hookfile, s);
+    close(hookfile);
+    }
diff --git a/testing/btest/language/rec-comp-init.bro b/testing/btest/language/rec-comp-init.bro
new file mode 100644
index 0000000000..598c0cf3bd
--- /dev/null
+++ b/testing/btest/language/rec-comp-init.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Make sure composit types in records are initialized.
+
+type Foo: record {
+	a: set[count];
+	b: table[count] of string;
+	c: vector of string;
+};
+
+global f: Foo;
+
+print f;
diff --git a/testing/btest/language/rec-nested-opt.bro b/testing/btest/language/rec-nested-opt.bro
new file mode 100644
index 0000000000..ab1a64dffd
--- /dev/null
+++ b/testing/btest/language/rec-nested-opt.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type Version: record {
+        major:  count &optional;    ##< Major version number
+        minor:  count &optional;    ##< Minor version number
+        addl:   string &optional;  ##< Additional version string (e.g. "beta42")
+} &log;
+
+type Info: record {
+	name: string;
+	version: Version;
+	host: addr;
+	ts: time;
+};
+
+
+# Important thing to note here is that $minor2 is not include in the $version field.
+global matched_software: table[string] of Info = {
+        ["Wget/1.9+cvs-stable (Red Hat modified)"] =
+                [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=0.0.0.0, $ts=network_time()],
+};
+
+print matched_software;
diff --git a/testing/btest/language/rec-of-tbl.bro b/testing/btest/language/rec-of-tbl.bro
new file mode 100644
index 0000000000..59d770bb30
--- /dev/null
+++ b/testing/btest/language/rec-of-tbl.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type x: record {
+	a: table[int] of count;
+};
+
+global y: x;
+
+global yy: table[int] of count;
+
+y$a = yy;
+
+y$a[+5] = 3;
+
+print y;
diff --git a/testing/btest/language/rec-table-default.bro b/testing/btest/language/rec-table-default.bro
new file mode 100644
index 0000000000..ee4a0e25ee
--- /dev/null
+++ b/testing/btest/language/rec-table-default.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: table[string] of bool &default=table( ["foo"] = T );
+     b: table[string] of bool &default=table();
+     c: set[string] &default=set("A", "B", "C");
+     d: set[string] &default=set();
+};
+
+global x: X;
+global y: table[string] of bool &default=T;
+
+print x$a;
+print x$b;
+print x$c;
+print x$d;
+
diff --git a/testing/btest/language/record-default-coercion.bro b/testing/btest/language/record-default-coercion.bro
new file mode 100644
index 0000000000..7e717c39e2
--- /dev/null
+++ b/testing/btest/language/record-default-coercion.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+type MyRecord: record {
+	a: count &default=13;
+	c: count;
+	v: vector of string &default=vector();
+};
+
+event bro_init()
+	{
+	local r: MyRecord = [$c=13];
+	print r;
+	print |r$v|;
+	r$v[|r$v|] = "test";
+	print r;
+	print |r$v|;
+	}
diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.bro
new file mode 100644
index 0000000000..21b704ca7a
--- /dev/null
+++ b/testing/btest/language/record-extension.bro
@@ -0,0 +1,21 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+        a: count;
+        b: count &optional;
+        myset: set[count] &default=set();
+};
+
+redef record Foo += {
+        c: count &default=42;
+        d: count &optional;
+        anotherset: set[count] &default=set();
+};
+
+global f1: Foo = [$a=21];
+global f2: Foo = [$a=21, $d="XXX"];
+
+print f1;
+print f2;
+
diff --git a/testing/btest/language/record-index-complex-fields.bro b/testing/btest/language/record-index-complex-fields.bro
new file mode 100644
index 0000000000..ae45648728
--- /dev/null
+++ b/testing/btest/language/record-index-complex-fields.bro
@@ -0,0 +1,38 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This test checks whether records with complex fields (tables, sets, vectors)
+# can be used as table/set indices.
+
+type MetaData: record {
+	a: count;
+	tags_v: vector of count;
+	tags_t: table[string] of count;
+	tags_s: set[string];
+};
+
+global ip_data: table[addr] of set[MetaData] = table();
+
+global t1_t: table[string] of count = { ["one"] = 1, ["two"] = 2 };
+global t2_t: table[string] of count = { ["four"] = 4, ["five"] = 5 };
+
+global t1_v: vector of count = vector();
+global t2_v: vector of count = vector();
+t1_v[0] = 0;
+t1_v[1] = 1;
+t2_v[2] = 2;
+t2_v[3] = 3;
+
+local m: MetaData = [$a=4, $tags_v=t1_v, $tags_t=t1_t, $tags_s=set("a", "b")];
+local n: MetaData = [$a=13, $tags_v=t2_v, $tags_t=t2_t, $tags_s=set("c", "d")];
+
+if ( 1.2.3.4 !in ip_data )
+	ip_data[1.2.3.4] = set(m);
+else
+	add ip_data[1.2.3.4][m];
+
+print ip_data;
+
+add ip_data[1.2.3.4][n];
+
+print ip_data[1.2.3.4];
diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.bro
new file mode 100644
index 0000000000..ad9e41bd3a
--- /dev/null
+++ b/testing/btest/language/record-recursive-coercion.bro
@@ -0,0 +1,40 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type Version: record {
+        major:  count  &optional;
+        minor:  count  &optional;
+        minor2: count  &optional;
+        addl:   string &optional;
+};
+
+type Info: record {
+        name:    string;
+        version: Version;
+};
+
+global matched_software: table[string] of Info = {
+        ["OpenSSH_4.4"] = [$name="OpenSSH", $version=[$major=4,$minor=4]],
+};
+
+type Foo: record {
+        i: interval &default=1hr;
+        s: string &optional;
+};
+
+type FooContainer: record {
+        c: count;
+        f: Foo &optional;
+};
+
+function foo_func(fc: FooContainer)
+        {
+        print fc;
+        }
+
+event bro_init()
+        {
+        for ( sw in matched_software )
+                print matched_software[sw]$version;
+        foo_func([$c=1, $f=[$i=2hrs]]);
+        }
diff --git a/testing/btest/language/record-ref-assign.bro b/testing/btest/language/record-ref-assign.bro
new file mode 100644
index 0000000000..f71bc3890c
--- /dev/null
+++ b/testing/btest/language/record-ref-assign.bro
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type State: record {
+	host: string &default="NOT SET";
+};
+
+global session: State;
+global s: State;
+s = session;
+s$host = "XXX";
+print s$host, session$host;
diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.bro
new file mode 100644
index 0000000000..18ec963809
--- /dev/null
+++ b/testing/btest/language/set-opt-record-index.bro
@@ -0,0 +1,55 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Make sure a set can be indexed with a record that has optional fields
+
+type FOO: record {
+        a: count;
+        b: count &optional;
+};
+
+event bro_init()
+        {
+        local set_of_foo: set[FOO] = set();
+
+        local f: FOO;
+        f$a = 1;
+
+        add set_of_foo[f];
+        add set_of_foo[[$a=3]];
+
+        local f3: FOO; # = [$a=4, $b=5];
+        f3$a = 4;
+        f3$b = 5;
+
+        add set_of_foo[f3];
+
+        add set_of_foo[[$a=4, $b=5]];
+
+        print set_of_foo;
+
+        print "";
+
+        for ( i in set_of_foo )
+            print i;
+
+        print "";
+
+        local f2: FOO;
+        f2$a = 2;
+
+        print f in set_of_foo;
+        print f2 in set_of_foo;
+
+        print "";
+
+        f3$a = 4;
+        print f3 in set_of_foo;
+
+        f3$b = 4;
+        print f3 in set_of_foo;
+
+        f3$b = 5;
+        print f3 in set_of_foo;
+
+        }
diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.bro
new file mode 100644
index 0000000000..3457f895c9
--- /dev/null
+++ b/testing/btest/language/sizeof.bro
@@ -0,0 +1,114 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Demo policy for the sizeof operator "|x|".
+# ------------------------------------------
+#
+# This script creates various types and values and shows the result of the
+# sizeof operator on these values.
+#
+# For any types not covered in this script, the sizeof operator's semantics
+# are not defined and its application returns a count of 0. At the moment
+# the only type where this should happen is string patterns.
+
+type example_enum: enum { ENUM1, ENUM2, ENUM3 };
+
+type example_record: record {
+	i: int &optional;
+	j: int &optional;
+	k: int &optional;
+};
+
+global a:  addr = 1.2.3.4;
+global b:  bool = T;
+global c:  count = 10;
+global d:  double = -1.23;
+global f:  file = open_log_file("sizeof_demo");
+global i:  int = -10;
+global iv: interval = -5sec;
+global p:  port = 80/tcp;
+global r:  example_record [ $i = 10 ];
+global si: set[int];
+global s:  string = "Hello";
+global sn: subnet = 192.168.0.0/24;
+global t:  table[string] of string;
+global ti: time = current_time();
+global v:  vector of string;
+
+# Additional initialization
+#
+print f, "12345678901234567890";
+
+add si[1];
+add si[10];
+add si[100];
+
+t["foo"] = "Hello";
+t["bar"] = "World";
+
+v[0] = "Hello";
+v[4] = "World";
+
+# Print out the sizes of the various vals:
+#-----------------------------------------
+
+# Size of addr: returns integer representation for IPv4, 0 for IPv6.
+print fmt("Address %s: %d", a, |a|);
+
+# Size of boolean: returns 1 or 0.
+print fmt("Boolean %s: %d", b, |b|);
+
+# Size of count: identity.
+print fmt("Count %s: %d", c, |c|);
+
+# Size of double: returns absolute value.
+print fmt("Double %s: %f", d, |d|);
+
+# Size of enum: returns numeric value of enum constant.
+print fmt("Enum %s: %d", ENUM3, |ENUM3|);
+
+# Size of file: returns current file size.
+# Note that this is a double so that file sizes >> 4GB
+# can be expressed.
+print fmt("File %f", |f|);
+
+# Size of function: returns number of arguments.
+print fmt("Function add_interface: %d", |add_interface|);
+
+# Size of integer: returns absolute value.
+print fmt("Integer %s: %d", i, |i|);
+
+# Size of interval: returns double representation of the interval
+print fmt("Interval %s: %f", iv, |iv|);
+
+# Size of port: returns port number as a count.
+print fmt("Port %s: %d", p, |p|);
+
+# Size of record: returns number of fields (assigned + unassigned)
+print fmt("Record %s: %d", r, |r|);
+
+# Size of set: returns number of elements in set.
+# Don't print the set, as its order depends on the seeding of the hash
+# fnction, and it's not worth the trouble to normalize it.
+print fmt("Set: %d", |si|);
+
+# Size of string: returns string length.
+print fmt("String '%s': %d", s, |s|);
+
+# Size of subnet: returns size of net as a double 
+# (so that 2^32 can be expressed too).
+print fmt("Subnet %s: %f", sn, |sn|);
+
+# Size of table: returns number of elements in table
+print fmt("Table %d", |t|);
+
+# Size of time: returns double representation of the time
+# print fmt("Time %s: %f", ti, |ti|);
+
+# Size of vector: returns largest assigned index.
+# Note that this is not the number of assigned values.
+# The following prints "5":
+#
+print fmt("Vector %s: %d", v, |v|);
+
+close(f);
diff --git a/testing/btest/language/smith-waterman-test.bro b/testing/btest/language/smith-waterman-test.bro
new file mode 100644
index 0000000000..50f5c1dae1
--- /dev/null
+++ b/testing/btest/language/smith-waterman-test.bro
@@ -0,0 +1,88 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global params: sw_params = [ $min_strlen = 2, $sw_variant = 0 ];
+
+global min: vector of count;
+global mode: vector of count;
+global c: count = 0;
+
+# Alignment pairs:
+global s1: string_vec;
+global s2: string_vec;
+
+# Single alignment, no matches:
+s1[++c] = "abcdefgh";
+s2[c] = "ijklmnop";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, beginning:
+s1[++c] = "AAAabcefghij";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, middle:
+s1[++c] = "abcAAAefghij";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, end:
+s1[++c] = "abcefghijAAA";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Repeated alignment:
+s1[++c] = "xxxAAAyyy";
+s2[c] = "AAAaAAAbAAA";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, swapped input:
+s1[++c] = "AAAaAAAbAAA";
+s2[c] = "xxxAAAyyy";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, split:
+s1[++c] = "xxCDyABzCDyABzz";
+s2[c] = "ABCD";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, split, swapped:
+s1[++c] = "ABCD";
+s2[c] = "xxCDyABzCDyABzz";
+min[c] = 2;;
+mode[c] = 1;
+
+# Used to cause problems
+s1[++c] = "Cache-control: no-cache^M^JAccept:";
+s2[c] = "Accept-: deflate^M^JAccept-: Accept-";
+min[c] = 6;
+mode[c] = 1;
+
+# Repeated occurrences in shorter string
+s1[++c] = "xxAAxxAAxx";
+s2[c]   = "yyyyyAAyyyyy";
+min[c] = 2;
+mode[c] = 1;
+
+for ( i in s1 )
+	{
+	local ss: sw_substring_vec;
+
+	params$min_strlen = min[i];
+	params$sw_variant = mode[i];
+	ss = str_smith_waterman(s1[i], s2[i], params);
+
+	print fmt("%s - %s:", s1[i], s2[i]);
+
+	for ( j in ss )
+		print fmt("tok %d: %s (%d/%d, %s)",
+				j, ss[j]$str, ss[j]$aligns[1]$index,
+				ss[j]$aligns[2]$index, ss[j]$new);
+	}
diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.bro
new file mode 100644
index 0000000000..8e9eef43bf
--- /dev/null
+++ b/testing/btest/language/strings.bro
@@ -0,0 +1,48 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Demo policy for string functions
+#
+
+event bro_init()
+{
+	local s1: string = "broisaveryneatids";
+
+	print fmt("Input string: %s", s1);
+	print fmt();
+	print fmt("String splitting");
+	print fmt("----------------");
+
+	local idx1: index_vec;
+
+	idx1[0] =  0; # We really need initializers for vectors ...
+	idx1[1] =  3;
+	idx1[2] =  5;
+	idx1[3] =  6;
+	idx1[4] = 10;
+	idx1[5] = 14;
+
+	print fmt("Splitting '%s' at %d points...", s1, |idx1|);
+	local res_split: string_vec = str_split(s1, idx1);
+
+	for ( i in res_split )
+		print res_split[i];
+
+	print fmt();
+	print fmt("Substrings");
+	print fmt("----------");
+	print fmt("3@0: %s", sub_bytes(s1, 0, 3));
+	print fmt("5@2: %s", sub_bytes(s1, 2, 5));
+	print fmt("7@4: %s", sub_bytes(s1, 4, 7));
+	print fmt("10@10: %s", sub_bytes(s1, 10, 10));
+	print fmt();
+
+
+	print fmt("Finding strings");
+	print fmt("---------------");
+	print fmt("isa: %d", strstr(s1, "isa"));
+	print fmt("very: %d", strstr(s1, "very"));
+	print fmt("ids: %d", strstr(s1, "ids"));
+	print fmt("nono: %d", strstr(s1, "nono"));
+}
+
diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.bro
new file mode 100644
index 0000000000..5df682c5d2
--- /dev/null
+++ b/testing/btest/language/table-init.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global global_table: table[count] of string = {
+    [1] = "one",
+	[2] = "two"
+} &default = "global table default";
+
+event bro_init()
+    {
+    local local_table: table[count] of string = {
+         [3] = "three",
+		 [4] = "four"
+    } &default = "local table default";
+
+    print global_table;
+    print global_table[0];
+    print local_table;
+    print local_table[0];
+    }
diff --git a/testing/btest/language/vector-coerce-expr.bro b/testing/btest/language/vector-coerce-expr.bro
new file mode 100644
index 0000000000..d58417f226
--- /dev/null
+++ b/testing/btest/language/vector-coerce-expr.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: vector of bool &default=vector(T, F, T);
+     b: vector of bool &default=vector();
+};
+
+global x: X;
+
+global a: vector of count;
+
+a = vector();
+print a;
+
+a = vector(1,2,3);
+print a;
+
+print x$a;
+print x$b;
diff --git a/testing/btest/language/vector-list-init-records.bro b/testing/btest/language/vector-list-init-records.bro
new file mode 100644
index 0000000000..ee2b78c4a5
--- /dev/null
+++ b/testing/btest/language/vector-list-init-records.bro
@@ -0,0 +1,20 @@
+# Initializing a vector with a list of records should promote elements as
+# necessary to match the vector's yield type.
+
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+	s: string;
+	o: string &optional;
+};
+
+const v: vector of Foo = {
+	[$s="bar", $o="check"],
+	[$s="baz"]
+};
+
+for ( i in v )
+	print fmt("element %d = %s", i, v[i]);
+
+print v;
diff --git a/testing/btest/language/wrong-delete-field.bro b/testing/btest/language/wrong-delete-field.bro
new file mode 100644
index 0000000000..e0d0093258
--- /dev/null
+++ b/testing/btest/language/wrong-delete-field.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC-FAIL: bro %INPUT  >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+type X: record {
+     a: count;
+};
+
+global x: X = [$a=20];
+
+delete x$a;
diff --git a/testing/btest/language/wrong-record-extension.bro b/testing/btest/language/wrong-record-extension.bro
new file mode 100644
index 0000000000..4e0210546a
--- /dev/null
+++ b/testing/btest/language/wrong-record-extension.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC-FAIL: bro %INPUT  >output.tmp 2>&1 
+# @TEST-EXEC: sed 's#^.*:##g' <output.tmp >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+        a: count;
+        b: count &optional;
+};
+
+redef record Foo += {
+        c: count;
+        d: string &optional;
+};
+
diff --git a/testing/btest/random.seed b/testing/btest/random.seed
new file mode 100644
index 0000000000..e70c8f85ef
--- /dev/null
+++ b/testing/btest/random.seed
@@ -0,0 +1,17 @@
+2983378351
+1299727368
+0
+310447
+0
+1409073626
+3975311262
+34130240
+1450515018
+1466150520
+1342286698
+1193956778
+2188527278
+3361989254
+3912865238
+3596260151
+517973768
diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
new file mode 100644
index 0000000000..b8ee4c33e8
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-2   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/.stdout
+# @TEST-EXEC: btest-diff proxy-1/.stdout
+# @TEST-EXEC: btest-diff proxy-2/.stdout
+# @TEST-EXEC: btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff worker-2/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")],
+	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"],
+};
+@TEST-END-FILE
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print "Connected to a peer";
+	}
diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
new file mode 100644
index 0000000000..dc3b43ad67
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
@@ -0,0 +1,38 @@
+# 
+# @TEST-EXEC: btest-bg-run receiver bro -b ../receiver.bro
+# @TEST-EXEC: btest-bg-run sender   bro -b ../sender.bro
+# @TEST-EXEC: btest-bg-wait -k 10
+#
+# Don't diff the receiver log just because port is always going to change
+# @TEST-EXEC: egrep -v 'pid|socket buffer size' sender/communication.log >send.log
+# @TEST-EXEC: btest-diff send.log
+
+@TEST-START-FILE sender.bro
+
+@load base/frameworks/communication/main
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $events = /NOTHING/, $connect=T]
+};
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	terminate_communication();
+	terminate();
+	}
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+@load frameworks/communication/listen
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	terminate_communication();
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
new file mode 100644
index 0000000000..9b16faee69
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: btest-bg-run controllee  BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65531/tcp 
+# @TEST-EXEC: btest-bg-run controller  BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update
+# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff controllee/.stdout
+
+redef Communication::nodes = {
+	# We're waiting for connections from this host for control.
+	["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
+};
+
+const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef;
+
+@TEST-START-FILE test-redef.bro
+redef test_var = "NEW VALUE (this should be printed out second)";
+@TEST-END-FILE
+
+event bro_init()
+	{
+	print test_var;
+	}
+	
+event bro_done()
+	{
+	print test_var;
+	}
diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro
new file mode 100644
index 0000000000..e06fa46e74
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/control/id_value.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: btest-bg-run controllee  BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port=65532/tcp 
+# @TEST-EXEC: btest-bg-run controller  BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff controller/.stdout
+
+redef Communication::nodes = {
+	# We're waiting for connections from this host for control.
+	["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
+};
+
+# This value shouldn't ever be printed to the controllers stdout.
+const test_var = "Original value" &redef;
+
+@TEST-START-FILE only-for-controllee.bro
+# This is only loaded on the controllee, but it's sent to the controller 
+# and should be printed there.
+redef test_var = "This is the value from the controllee";
+@TEST-END-FILE
+
+event Control::id_value_response(id: string, val: string)
+	{
+	print fmt("Got an id_value_response(%s, %s) event", id, val);
+	}
diff --git a/testing/btest/scripts/base/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro
new file mode 100644
index 0000000000..9953a8382a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/control/shutdown.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65530/tcp 
+# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown
+# @TEST-EXEC: btest-bg-wait 10
+
+redef Communication::nodes = {
+	# We're waiting for connections from this host for control.
+	["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
+};
diff --git a/testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro b/testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
new file mode 100644
index 0000000000..67e539c176
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	Intel::insert([$ip=1.2.3.4, $tags=set("zeustracker.abuse.ch", "malicious")]);
+	Intel::insert([$str="http://www.google.com/", $subtype="url", $tags=set("infrastructure", "google")]);
+	Intel::insert([$str="Ab439G32F...", $subtype="x509_cert", $tags=set("bad")]);
+	Intel::insert([$str="Ab439G32F...", $tags=set("bad")]);
+	}
+
+event bro_done()
+	{
+	local orig_h = 1.2.3.4;
+	
+	if ( Intel::matcher([$ip=orig_h, $and_tags=set("malicious")]) )
+		print "VALID";
+	
+	if ( Intel::matcher([$ip=orig_h, $and_tags=set("don't match")]) )
+		print "INVALID";
+	
+	if ( Intel::matcher([$ip=orig_h, $pred=function(meta: Intel::MetaData): bool { return T; } ]) )
+		print "VALID";
+		
+	if ( Intel::matcher([$ip=orig_h, $pred=function(meta: Intel::MetaData): bool { return F; } ]) )
+		print "INVALID";
+		
+	if ( Intel::matcher([$str="http://www.google.com/", $subtype="url", $tags=set("google")]) )
+		print "VALID";
+		
+	if ( Intel::matcher([$str="http://www.example.com", $subtype="url"]) )
+		print "INVALID";
+	}
diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
new file mode 100644
index 0000000000..53cfdd1655
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
@@ -0,0 +1,33 @@
+
+# @TEST-EXEC: bro -b %INPUT 
+# @TEST-EXEC: btest-diff ssh-new-default.log
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Info: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Info]);
+
+	local filter = Log::get_filter(SSH::LOG, "default");
+	filter$path= "ssh-new-default";
+	Log::add_filter(SSH::LOG, filter);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
new file mode 100644
index 0000000000..fcbac3be58
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
@@ -0,0 +1,25 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		data: string;
+		data2: string;
+	} &log;
+}
+
+redef LogAscii::separator = "|";
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Info]);
+	Log::write(SSH::LOG, [$data="abc\n\xffdef", $data2="DATA2"]);
+	Log::write(SSH::LOG, [$data="abc|\xffdef", $data2="DATA2"]);
+	Log::write(SSH::LOG, [$data="abc\xff|def", $data2="DATA2"]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
new file mode 100644
index 0000000000..9dace5d52a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
@@ -0,0 +1,38 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::output_to_stdout = F;
+redef LogAscii::separator = "|";
+redef LogAscii::empty_field = "EMPTY";
+redef LogAscii::unset_field = "NOT-SET";
+redef LogAscii::header_prefix = "PREFIX<>";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+		b: bool &optional;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
new file mode 100644
index 0000000000..8c1401b179
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
@@ -0,0 +1,23 @@
+#
+# @TEST-EXEC: bro -b %INPUT 
+# @TEST-EXEC: btest-diff test.log
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		x: string &optional;
+		y: string &optional;
+		z: string &optional;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::write(Test::LOG, [$x=LogAscii::unset_field, $z=""]);
+}
+
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro
new file mode 100644
index 0000000000..9df48edbb6
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro
@@ -0,0 +1,4 @@
+#
+# @TEST-EXEC: bro -C -r $TRACES/www-odd-url.trace
+# @TEST-EXEC: btest-diff http.log
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro
new file mode 100644
index 0000000000..f5fb7a6259
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro
@@ -0,0 +1,21 @@
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff test.log
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		ss: set[string];
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+
+
+	Log::write(Test::LOG, [$ss=set("AA", ",", ",,", "CC")]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
new file mode 100644
index 0000000000..f2c370a27a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
@@ -0,0 +1,32 @@
+#
+# @TEST-EXEC: bro -b %INPUT 
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::separator = "||";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro
new file mode 100644
index 0000000000..8c228c1384
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro
@@ -0,0 +1,35 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::output_to_stdout = F;
+redef LogAscii::separator = "|";
+redef LogAscii::include_header = F;
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
new file mode 100644
index 0000000000..e63e30f6c6
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
@@ -0,0 +1,27 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff test.log
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		data: time &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Info]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.0)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.01)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.001)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.0001)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.00001)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.000001)]);
+	Log::write(Test::LOG, [$data=double_to_time(1234567890.0000001)]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro
new file mode 100644
index 0000000000..7f58f3f8c1
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro
@@ -0,0 +1,37 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id;
+		status: string &optional &log;
+		country: string &default="unknown" &log;
+	};
+}
+
+redef record Log += {
+	a1: count &log &optional;
+	a2: count &optional;
+};
+
+redef record Log += {
+	b1: count &optional;
+	b2: count &optional;
+} &log;
+
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.bro
new file mode 100644
index 0000000000..8ec3d1c385
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/attr.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id;
+		status: string &optional &log;
+		country: string &default="unknown" &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
new file mode 100644
index 0000000000..6799f7ca2f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	Log::disable_stream(SSH::LOG);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.bro
new file mode 100644
index 0000000000..6aa867220f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/empty-event.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global log_ssh: event(rec: Log);
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log, $ev=log_ssh]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/env-ext.test b/testing/btest/scripts/base/frameworks/logging/env-ext.test
new file mode 100644
index 0000000000..e9f690caa4
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/env-ext.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC: BRO_LOG_SUFFIX=txt bro -r $TRACES/wikipedia.trace
+# @TEST-EXEC: test -f conn.txt
diff --git a/testing/btest/scripts/base/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.bro
new file mode 100644
index 0000000000..bf156e6d60
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/events.bro
@@ -0,0 +1,37 @@
+
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global ssh_log: event(rec: Log);
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log, $ev=ssh_log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+	Log::write(SSH::LOG, r);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	
+}
+
+event ssh_log(rec: Log)
+	{
+	print rec;
+	}
diff --git a/testing/btest/scripts/base/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.bro
new file mode 100644
index 0000000000..7b245541ab
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/exclude.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	Log::remove_default_filter(SSH::LOG);
+	Log::add_filter(SSH::LOG, [$name="f1", $exclude=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.bro
new file mode 100644
index 0000000000..94bdad6b1b
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/file.bro
@@ -0,0 +1,23 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		f: file;
+	} &log;
+}
+
+const foo_log = open_log_file("Foo") &redef;
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	Log::write(SSH::LOG, [$t=network_time(), $f=foo_log]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.bro
new file mode 100644
index 0000000000..d0fea93c99
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/include.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	Log::remove_default_filter(SSH::LOG);
+	Log::add_filter(SSH::LOG, [$name="default", $include=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.bro
new file mode 100644
index 0000000000..9ae7d32d61
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/no-local.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+redef Log::enable_local_logging = F;
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
new file mode 100644
index 0000000000..aff886c2f4
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff local.log
+# @TEST-EXEC: btest-diff remote.log
+#
+# The record value passed into the path_func should be allowed to contain a
+# subset of the fields in the stream's columns.
+
+@load base/utils/site
+@load base/protocols/conn
+@load base/frameworks/notice
+
+redef Site::local_nets = {141.142.0.0/16};
+
+function split_log(id: Log::ID, path: string, rec: record {id:conn_id;}): string
+{
+	return Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+}
+
+event bro_init()
+{
+	# Add a new filter to the Conn::LOG stream that logs only
+	# timestamp and originator address.
+	local filter: Log::Filter = [$name="dst-only", $path_func=split_log,
+	                             $include=set("ts", "id.orig_h")];
+	Log::add_filter(Conn::LOG, filter);
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.bro
new file mode 100644
index 0000000000..684aa03ed6
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/path-func.bro
@@ -0,0 +1,48 @@
+
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: ( ls static-*; cat static-* ) >output
+# @TEST-EXEC: btest-diff output
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global c = -1;
+
+function path_func(id: Log::ID, path: string, rec: Log) : string
+	{
+	c = (c + 1) % 3;
+
+	return fmt("%s-%d-%s", path, c, rec$country);
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	Log::remove_default_filter(SSH::LOG);
+
+	Log::add_filter(SSH::LOG, [$name="dyn", $path="static-prefix", $path_func=path_func]);
+
+	Log::set_buf(SSH::LOG, F);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]);
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.bro
new file mode 100644
index 0000000000..e13c726656
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/pred.bro
@@ -0,0 +1,39 @@
+
+# @TEST-EXEC: bro -b %INPUT 
+# @TEST-EXEC: btest-diff test.success.log
+# @TEST-EXEC: btest-diff test.failure.log
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+function fail(rec: Log): bool
+	{
+	return rec$status != "success";
+	}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::remove_default_filter(Test::LOG);
+	Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
+	Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+	Log::write(Test::LOG, r);
+	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
new file mode 100644
index 0000000000..4e866cc985
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
@@ -0,0 +1,88 @@
+#
+# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff receiver/test.log
+# @TEST-EXEC: cmp receiver/test.log sender/test.log
+
+# Remote version testing all types.
+
+# This is the common part loaded by both sender and receiver.
+
+redef LogAscii::empty_field = "EMPTY";
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+}
+
+#####
+
+@TEST-START-FILE sender.bro
+
+module Test;
+
+@load frameworks/communication/listen
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(Test::LOG, [
+		$b=T,
+		$i=-42,
+		$e=Test::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector
+		]);
+	disconnect(p);
+	}
+@TEST-END-FILE
+
+@TEST-START-FILE receiver.bro
+
+#####
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
+};
+
+@TEST-END-FILE
diff --git a/testing/btest/scripts/base/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro
new file mode 100644
index 0000000000..8ed3405aed
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/remote.bro
@@ -0,0 +1,76 @@
+#
+# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff sender/test.log
+# @TEST-EXEC: btest-diff sender/test.failure.log
+# @TEST-EXEC: btest-diff sender/test.success.log
+# @TEST-EXEC: cmp receiver/test.log sender/test.log
+# @TEST-EXEC: cmp receiver/test.failure.log sender/test.failure.log
+# @TEST-EXEC: cmp receiver/test.success.log sender/test.success.log
+
+# This is the common part loaded by both sender and receiver.
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
+}
+
+#####
+
+@TEST-START-FILE sender.bro
+
+module Test;
+
+@load frameworks/communication/listen
+
+function fail(rec: Log): bool
+	{
+	return rec$status != "success";
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+
+	# Log something.
+	Log::write(Test::LOG, r);
+	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	disconnect(p);
+	}
+@TEST-END-FILE
+
+@TEST-START-FILE receiver.bro
+
+#####
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
+};
+
+@TEST-END-FILE
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro
new file mode 100644
index 0000000000..bb7c302942
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/remove.bro
@@ -0,0 +1,41 @@
+#
+# @TEST-EXEC: bro -b -B logging %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff ssh.failure.log
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	# Log something.
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+
+	Log::remove_filter(SSH::LOG, "f1");
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
+
+	Log::remove_filter(SSH::LOG, "default");
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+
+	Log::remove_filter(SSH::LOG, "doesn-not-exist");
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
new file mode 100644
index 0000000000..7c06ff9248
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
@@ -0,0 +1,39 @@
+#
+# @TEST-EXEC: bro -b -r %DIR/rotation.trace %INPUT | egrep "test|test2" | sort >out
+# @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff .stderr
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef Log::default_rotation_postprocessor_cmd = "echo 1st";
+
+function custom_rotate(info: Log::RotationInfo) : bool
+{
+    print "custom rotate", info;
+    return T;
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::add_filter(Test::LOG, [$name="2nd", $path="test2", $interv=30mins, $postprocessor=custom_rotate]);
+}
+
+event new_connection(c: connection)
+	{
+	Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
+	}
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro
new file mode 100644
index 0000000000..14123c56c6
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/rotate.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro -b -r %DIR/rotation.trace %INPUT 2>&1 | grep "test" >out
+# @TEST-EXEC: for i in test.*.log; do printf '> %s\n' $i; cat $i; done >>out
+# @TEST-EXEC: btest-diff out
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef Log::default_rotation_postprocessor_cmd = "echo";
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+}
+
+event new_connection(c: connection)
+	{
+	Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
+	}
diff --git a/testing/btest/scripts/base/frameworks/logging/rotation.trace b/testing/btest/scripts/base/frameworks/logging/rotation.trace
new file mode 100644
index 0000000000..9954b22e15
Binary files /dev/null and b/testing/btest/scripts/base/frameworks/logging/rotation.trace differ
diff --git a/testing/btest/scripts/base/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.bro
new file mode 100644
index 0000000000..f431a5b6c9
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/stdout.bro
@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	local filter = Log::get_filter(SSH::LOG, "default");
+	filter$path= "/dev/stdout";
+	Log::add_filter(SSH::LOG, filter);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
new file mode 100644
index 0000000000..9f90d515fb
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.bro
new file mode 100644
index 0000000000..d79c667e50
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/types.bro
@@ -0,0 +1,70 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+#
+# Testing all possible types.
+
+redef LogAscii::empty_field = "EMPTY";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(SSH::LOG, [
+		$b=T,
+		$i=-42,
+		$e=SSH::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector,
+		$f=foo
+		]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
new file mode 100644
index 0000000000..bb922dc9c8
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
@@ -0,0 +1,28 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff testing.log
+
+redef enum Log::ID += { TESTING };
+
+type Foo: record {
+	val1: count;
+	val2: count;
+} &log;
+
+type Bar: record {
+	a: Foo   &log &optional;
+	b: count &log;
+};
+
+event bro_init()
+{
+    Log::create_stream(TESTING, [$columns=Bar]);
+
+    local x: Bar;
+
+    x = [$b=6];
+    Log::write(TESTING, x);
+
+    x = [$a=[$val1=1,$val2=2], $b=3];
+    Log::write(TESTING, x);
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.bro
new file mode 100644
index 0000000000..00c5ff5117
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/vec.bro
@@ -0,0 +1,27 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+        vec: vector of string &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+    local v: vector of string;
+
+	v[1] = "2";
+	v[4] = "5";
+
+	Log::write(SSH::LOG, [$vec=v]);
+}
+
+
diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
new file mode 100644
index 0000000000..23b87053ab
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/metrics.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+redef enum Metrics::ID += {
+	TEST_METRIC,
+};
+
+event bro_init() &priority=5
+	{
+	Metrics::add_filter(TEST_METRIC, 
+		[$name="foo-bar",
+		 $break_interval=3secs]);
+		
+	if ( Cluster::local_node_type() == Cluster::WORKER )
+		{
+		Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
+		Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
+		Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
+		}
+	}
diff --git a/testing/btest/scripts/base/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro
new file mode 100644
index 0000000000..43e7ac28ef
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/metrics/basic.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff metrics.log
+
+redef enum Metrics::ID += {
+	TEST_METRIC,
+};
+
+event bro_init() &priority=5
+	{
+	Metrics::add_filter(TEST_METRIC, 
+		[$name="foo-bar",
+		 $break_interval=3secs]);
+	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
+	Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
+	Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
+	}
diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
new file mode 100644
index 0000000000..45d44898aa
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
@@ -0,0 +1,56 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT 
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/notice.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+redef enum Metrics::ID += {
+	TEST_METRIC,
+};
+
+event bro_init() &priority=5
+	{
+	Metrics::add_filter(TEST_METRIC,
+		[$name="foo-bar",
+		 $break_interval=1hr,
+		 $note=Test_Notice,
+		 $notice_threshold=100,
+		 $log=T]);
+	}
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+
+event do_metrics(i: count)
+	{
+	# Worker-1 will trigger an intermediate update and then if everything
+	# works correctly, the data from worker-2 will hit the threshold and
+	# should trigger the notice.
+	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], i);
+	}
+
+event bro_init()
+	{
+	if ( Cluster::node == "worker-1" )
+		schedule 2sec { do_metrics(99) };
+	if ( Cluster::node == "worker-2" )
+		event do_metrics(1);
+	}
+
+@endif
diff --git a/testing/btest/scripts/base/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro
new file mode 100644
index 0000000000..0ac9faa956
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/metrics/notice.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+redef enum Metrics::ID += {
+	TEST_METRIC,
+};
+
+event bro_init() &priority=5
+	{
+	Metrics::add_filter(TEST_METRIC, 
+		[$name="foo-bar",
+		 $break_interval=3secs,
+		 $note=Test_Notice,
+		 $notice_threshold=2,
+		 $log=F]);
+	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
+	Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
+	Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
+	}
diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro
new file mode 100644
index 0000000000..125d021d82
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro
@@ -0,0 +1,31 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/notice.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event delayed_notice()
+	{
+	if ( Cluster::node == "worker-1" )
+		NOTICE([$note=Test_Notice, $msg="test notice!"]);
+	}
+
+event bro_init()
+	{
+	schedule 1secs { delayed_notice() };
+	}
diff --git a/testing/btest/scripts/base/frameworks/notice/default-policy-order.test b/testing/btest/scripts/base/frameworks/notice/default-policy-order.test
new file mode 100644
index 0000000000..6e53bd3b54
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/default-policy-order.test
@@ -0,0 +1,10 @@
+# This test checks that the default notice policy ordering does not
+# change from run to run.
+# @TEST-EXEC: bro -e ''
+# @TEST-EXEC: mv notice_policy.log notice_policy.log.1
+# @TEST-EXEC: bro -e ''
+# @TEST-EXEC: mv notice_policy.log notice_policy.log.2
+# @TEST-EXEC: bro -e ''
+# @TEST-EXEC: mv notice_policy.log notice_policy.log.3
+# @TEST-EXEC: diff notice_policy.log.1 notice_policy.log.2
+# @TEST-EXEC: diff notice_policy.log.1 notice_policy.log.3
diff --git a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro b/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
new file mode 100644
index 0000000000..3116b1025a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
+# @TEST-EXEC: btest-diff alarm-mail.txt
+
+redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 1 ] };
+redef Notice::force_email_summaries = T;
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event connection_established(c: connection)
+	{
+	NOTICE([$note=Test_Notice, $conn=c, $msg="test", $identifier="static"]);
+	}
+
+
+
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro
new file mode 100644
index 0000000000..e084fb74e0
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro
@@ -0,0 +1,37 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/notice.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1", "worker-2")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=27761/tcp, $manager="manager-1", $proxy="proxy-1"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event delayed_notice()
+	{
+	NOTICE([$note=Test_Notice,
+	        $msg="test notice!",
+	        $identifier="this identifier is static"]);
+	}
+
+event bro_init() &priority=5
+	{
+	if ( Cluster::node == "worker-1" )
+		schedule 4secs { delayed_notice() };
+	if ( Cluster::node == "worker-2" )
+		schedule 1secs { delayed_notice() };
+	}
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro b/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro
new file mode 100644
index 0000000000..96b932caf8
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro
@@ -0,0 +1,25 @@
+# @TEST-EXEC: bro -b %INPUT
+# The "Test_Notice" should be logged twice
+# @TEST-EXEC: test `grep Test_Notice notice.log | wc -l` -eq 2
+
+@load base/frameworks/notice
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+redef Notice::not_suppressed_types += { Test_Notice };
+
+# The second notice needs to be scheduled due to how the notice framework
+# uses the event queue.
+
+event second_notice()
+	{
+	NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]);
+	}
+
+event bro_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	schedule 1msec { second_notice() };
+	}
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression.bro b/testing/btest/scripts/base/frameworks/notice/suppression.bro
new file mode 100644
index 0000000000..87ce3672b6
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/notice/suppression.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load base/frameworks/notice
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+# The second notice needs to be scheduled due to how the notice framework
+# uses the event queue.
+
+event second_notice()
+	{
+	NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]);
+	}
+
+event bro_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	schedule 1msec { second_notice() };
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test b/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test
new file mode 100644
index 0000000000..a3e2a54c57
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC-FAIL: bro -r $TRACES/web.trace -f "bad filter"
+# @TEST-EXEC: test -s .stderr
diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
new file mode 100644
index 0000000000..03327a25cd
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@@ -0,0 +1,125 @@
+# @TEST-EXEC: bro %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+module Software;
+
+global matched_software: table[string] of Software::Description = {
+	["OpenSSH_4.4"] = 
+		[$name="OpenSSH", $version=[$major=4,$minor=4], $unparsed_version=""],
+	["OpenSSH_5.2"] = 
+		[$name="OpenSSH", $version=[$major=5,$minor=2], $unparsed_version=""],
+	["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] =
+		[$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $unparsed_version=""],
+	["Apache/1.3.19 (Unix)"] =
+		[$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $unparsed_version=""],
+	["ProFTPD 1.2.5rc1 Server (Debian)"] =
+		[$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $unparsed_version=""],
+	["wu-2.4.2-academ[BETA-18-VR14](1)"] = 
+		[$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $unparsed_version=""],
+	["wu-2.6.2(1)"] =
+		[$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $unparsed_version=""],
+	["Java1.2.2-JDeveloper"] =
+		[$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $unparsed_version=""],
+	["Java/1.6.0_13"] = 
+		[$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $unparsed_version=""],
+	["Python-urllib/3.1"] = 
+		[$name="Python-urllib", $version=[$major=3,$minor=1], $unparsed_version=""],
+	["libwww-perl/5.820"] = 
+		[$name="libwww-perl", $version=[$major=5,$minor=820], $unparsed_version=""],
+	["Wget/1.9+cvs-stable (Red Hat modified)"] = 
+		[$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $unparsed_version=""],
+	["Wget/1.11.4 (Red Hat modified)"] = 
+		[$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $unparsed_version=""],
+	["curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18"] =
+		[$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $unparsed_version=""],
+	["Apache"] = 
+		[$name="Apache", $unparsed_version=""],
+	["Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown"] =
+		[$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $unparsed_version=""],
+	["The Bat! (v2.00.9) Personal"] =
+		[$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""],
+	["Flash/10,2,153,1"] =
+		[$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $unparsed_version=""],
+	["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = 
+		[$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $unparsed_version=""],
+	["CacheFlyServe v26b"] =
+		[$name="CacheFlyServe", $version=[$major=26,$addl="b"], $unparsed_version=""],
+	["Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4"] =
+		[$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $unparsed_version=""],
+	# I have no clue how I'd support this without a special case.
+	#["Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635"] =
+	#	[$name="Apache", $version=[], $unparsed_version=""],
+	["Apple iPhone v4.3.1 Weather v1.0.0.8G4"] =
+		[$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $unparsed_version=""],
+	["Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5"] =
+		[$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $unparsed_version=""],
+	["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16"] = 
+		[$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $unparsed_version=""],
+	["Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01"] =
+		[$name="Opera", $version=[$major=11,$minor=1], $unparsed_version=""],
+	["Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5"] =
+		[$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $unparsed_version=""],
+	["iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9"] = 
+		[$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $unparsed_version=""],
+	["Java1.3.1_04"] =
+		[$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $unparsed_version=""],
+	["Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"] = 
+		[$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $unparsed_version=""],
+	["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"] =
+		[$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $unparsed_version=""],
+	["Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"] = 
+		[$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $unparsed_version=""],
+	["Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54"] = 
+		[$name="Opera Mini", $version=[$major=10,$minor=54], $unparsed_version=""],
+	["Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15"] =
+		[$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $unparsed_version=""],
+	["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] =
+		[$name="Opera Mobi", $version=[$major=10,$minor=0], $unparsed_version=""],
+	["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] =
+		[$name="Opera", $version=[$major=11,$minor=0], $unparsed_version=""],
+	["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] =
+		[$name="Netscape", $version=[$major=7,$minor=2], $unparsed_version=""],
+	["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] =
+		[$name="MSIE", $version=[$major=7,$minor=0], $unparsed_version=""],
+	["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] =
+		[$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $unparsed_version=""],
+	["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)"] =
+		[$name="MSIE", $version=[$major=8,$minor=0], $unparsed_version=""],
+	["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"] =
+		[$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""],
+	["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)"] =
+		[$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""],
+	["Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"] =
+		[$name="MSIE", $version=[$major=10,$minor=0], $unparsed_version=""],
+	["The Bat! (3.0.1 RC3) Professional"] =
+		[$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $unparsed_version=""],
+	# This is an FTP client (found with CLNT command)
+	["Total Commander"] =
+		[$name="Total Commander", $version=[], $unparsed_version=""],
+	["(vsFTPd 2.0.5)"] =
+		[$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $unparsed_version=""],
+	["Apple Mail (2.1084)"] = 
+		[$name="Apple Mail", $version=[$major=2,$minor=1084], $unparsed_version=""],
+};
+
+event bro_init()
+	{
+	for ( sw in matched_software )
+		{
+		local output = Software::parse(sw);
+		local baseline = matched_software[sw];
+		
+		if ( baseline$name == output$name &&
+		     sw == output$unparsed_version &&
+		     Software::cmp_versions(baseline$version,output$version) == 0 )
+			print fmt("success on: %s", sw);
+		else
+			{
+			print fmt("failure on: %s", sw);
+			print fmt("    test name:        %s", output$name);
+			print fmt("    test version:     %s", output$version);
+			print fmt("    baseline name:    %s", baseline$name);
+			print fmt("    baseline version: %s", baseline$version);
+			}
+        }
+	}
diff --git a/testing/btest/scripts/base/protocols/http/100-continue.bro b/testing/btest/scripts/base/protocols/http/100-continue.bro
new file mode 100644
index 0000000000..d1d34c1abe
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/100-continue.bro
@@ -0,0 +1,12 @@
+# This tests that the HTTP analyzer does not generate an unmatched_HTTP_reply
+# weird as a result of seeing both a 1xx response and the real response to
+# a given request.  The http scripts should also be able log such replies
+# in a way that correlates the final response with the request.
+#
+# @TEST-EXEC: bro -r $TRACES/http-100-continue.trace %INPUT
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff http.log
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+
diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
new file mode 100644
index 0000000000..4338cddb47
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
+
+redef HTTP::extract_file_types += /text\/html/;
\ No newline at end of file
diff --git a/testing/btest/scripts/base/protocols/http/http-header-crlf.bro b/testing/btest/scripts/base/protocols/http/http-header-crlf.bro
new file mode 100644
index 0000000000..06081d94e5
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-header-crlf.bro
@@ -0,0 +1,10 @@
+# This tests for what looks like a problem in the HTTP parser:
+# it gets confused whether it's in a header or not; it shouldn't report
+# the http_no_crlf_in_header_list wierd.
+#
+# @TEST-EXEC: bro -r $TRACES/http-byteranges.trace %INPUT
+# @TEST-EXEC: test ! -f weird.log
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+
diff --git a/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
new file mode 100644
index 0000000000..dd01e62413
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
@@ -0,0 +1,21 @@
+# This tests md5 calculation for a specified mime type.  The http.log
+# will normalize mime types other than the target type to prevent sensitivity
+# to varying versions of libmagic.
+
+# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: btest-diff http.log
+
+redef HTTP::generate_md5 += /image\/png/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name="normalized-mime-types",
+	                             $pred=function(rec: HTTP::Info): bool
+		{
+		if ( rec?$mime_type && HTTP::generate_md5 != rec$mime_type )
+				rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}
diff --git a/testing/btest/scripts/base/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
new file mode 100644
index 0000000000..9875683269
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: btest-diff http.log
+
+# mime type is irrelevant to this test, so filter it out
+event bro_init()
+	{
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name="less-mime-types", $exclude=set("mime_type")]);
+	}
diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
new file mode 100644
index 0000000000..32358d12a4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@@ -0,0 +1,12 @@
+# This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
+# are logged for a client.
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff irc.log
+
+# dcc mime types are irrelevant to this test, so filter it out
+event bro_init()
+	{
+	Log::remove_default_filter(IRC::LOG);
+	Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
+	}
diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test
new file mode 100644
index 0000000000..b6bf43ac50
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test
@@ -0,0 +1,26 @@
+# This tests that the contents of a DCC transfer negotiated with IRC can be
+# correctly extracted.  The mime type of the file transferred is normalized
+# to prevent sensitivity to libmagic version being used.
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff irc.log
+# @TEST-EXEC: btest-diff irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test"
+# @TEST-EXEC: test -e test_192.168.1.77:57655-209.197.168.151:1024_1.dat
+
+redef IRC::extract_file_types=/.*/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(IRC::LOG);
+	Log::add_filter(IRC::LOG, [$name="normalized-mime-types",
+	                           $pred=function(rec: IRC::Info): bool
+		{
+		if ( rec?$dcc_mime_type )
+			{
+			rec$dcc_mime_type = "FAKE_MIME";
+			}
+		return T;
+		}
+	]);
+	}
diff --git a/testing/btest/scripts/base/protocols/smtp/basic.test b/testing/btest/scripts/base/protocols/smtp/basic.test
new file mode 100644
index 0000000000..6be512a255
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/basic.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp.log
+
+@load base/protocols/smtp
diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test
new file mode 100644
index 0000000000..8dc8bc9e31
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp_entities.log
+# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
+# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test"
+# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_1.dat
+# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_2.dat
+
+@load base/protocols/smtp
+
+redef SMTP::extract_file_types=/text\/plain/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(SMTP::ENTITIES_LOG);
+	Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types",
+									  	$pred=function(rec: SMTP::EntityInfo): bool
+		{
+		if ( rec?$mime_type )
+			rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}
diff --git a/testing/btest/scripts/base/protocols/smtp/mime.test b/testing/btest/scripts/base/protocols/smtp/mime.test
new file mode 100644
index 0000000000..2b80e148ff
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/mime.test
@@ -0,0 +1,22 @@
+# Checks logging of mime types and md5 calculation.  Mime type in the log
+# is normalized to prevent sensitivity to libmagic version.
+
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp_entities.log
+
+@load base/protocols/smtp
+
+redef SMTP::generate_md5=/text\/plain/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(SMTP::ENTITIES_LOG);
+	Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types",
+									  $pred=function(rec: SMTP::EntityInfo): bool
+		{
+		if ( rec?$mime_type )
+			rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}
diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
new file mode 100644
index 0000000000..08bce5f35f
--- /dev/null
+++ b/testing/btest/scripts/base/utils/addrs.test
@@ -0,0 +1,105 @@
+# @TEST-EXEC: bro %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default
+#@load base/utils/addrs
+
+event bro_init()
+	{
+	local ip = "0.0.0.0";
+
+	print "============ test ipv4 regex";
+	print ip == ipv4_addr_regex;
+	print is_valid_ip(ip);
+	ip = "1.1.1.1";
+	print ip == ipv4_addr_regex;
+	print is_valid_ip(ip);
+	ip = "255.255.255.255";
+	print ip == ipv4_addr_regex;
+	print is_valid_ip(ip);
+	ip = "255.255.255.256";
+	print ip == ipv4_addr_regex; # the regex doesn't check for 0-255
+	print is_valid_ip(ip);       # but is_valid_ip() will
+	ip = "255.255.255.255.255";
+	print ip == ipv4_addr_regex;
+	print is_valid_ip(ip);
+	ip = "192.168.1.100";
+	print ip == ipv4_addr_regex;
+	print is_valid_ip(ip);
+
+	print "============ test ipv6 regex";
+
+	ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334";
+	print is_valid_ip(ip);
+
+	# test for case insensitivity
+	ip = "2001:0DB8:85A3:0000:0000:8A2E:0370:7334";
+	print is_valid_ip(ip);
+
+	# any case mixture is allowed
+	ip = "2001:0dB8:85a3:0000:0000:8A2E:0370:7334";
+	print is_valid_ip(ip);
+
+	# leading zeroes of a 16-bit group may be omitted
+	ip = "2001:db8:85a3:0:0:8a2e:370:7334";
+	print is_valid_ip(ip);
+
+	# a single occurrence of consecutive groups of zeroes may be replaced by ::
+	ip = "2001:db8:85a3::8a2e:370:7334";
+	print is_valid_ip(ip);
+
+	# this should fail because we don't have enough 16-bit groups
+	ip = "2001:db8:85a3:8a2e:370:7334";
+	print is_valid_ip(ip);
+
+	# this should fail because of an invalid hex digit
+	ip = "2001:gb8:85a3::8a2e:370:7334";
+	print is_valid_ip(ip);
+
+	# this should fail because we have too many 16-bit groups
+	ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334:1111";
+	print is_valid_ip(ip);
+
+	# this should fail because one group isn't 16-bits
+	ip = "2001:0db8:85a3:0000:0000:8a2e00:0370:7334";
+	print is_valid_ip(ip);
+
+	# this should fail because we can't have more than one ::
+	ip = "2001::85a3::7334";
+	print is_valid_ip(ip);
+
+	# all zeroes should work
+	ip = "0:0:0:0:0:0:0:0";
+	print is_valid_ip(ip);
+
+	# all zeroes condensed should work
+	ip = "::";
+	print is_valid_ip(ip);
+
+	print "============ test ipv6-ipv4 hybrid regexes";
+
+	# hybrid ipv6-ipv4 address should work
+	ip = "2001:db8:0:0:0:FFFF:192.168.0.5";
+	print is_valid_ip(ip);
+
+	# hybrid ipv6-ipv4 address with zero ommission should work
+	ip = "2001:db8::FFFF:192.168.0.5";
+	print is_valid_ip(ip);
+
+	# hybrid format with more than six 16-bit groups should fail
+	ip = "2001:db8:0:0:0:0:FFFF:192.168.0.5";
+	print is_valid_ip(ip);
+
+	# hybrid format without a 4 octet ipv4 part should fail
+	ip = "2001:db8:0:0:0:FFFF:192.168.0";
+	print is_valid_ip(ip);
+
+	# hybrid format's ipv4 part should test that all octet's are 0-255
+	ip = "2001:db8:0:0:0:FFFF:192.168.0.256";
+	print is_valid_ip(ip);
+
+	print "============ test find_ip_addresses()";
+	print find_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3");
+	print find_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3");
+
+	}
diff --git a/testing/btest/scripts/base/utils/conn-ids.test b/testing/btest/scripts/base/utils/conn-ids.test
new file mode 100644
index 0000000000..a7d2ce0939
--- /dev/null
+++ b/testing/btest/scripts/base/utils/conn-ids.test
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/conn-ids
+
+global c: conn_id = [ $orig_h = 10.0.0.100, $orig_p = 10000,
+                      $resp_h = 10.0.0.200, $resp_p = 20000 ];
+
+print id_string(c);
+print reverse_id_string(c);
+print directed_id_string(c, T);
+print directed_id_string(c, F);
+print id_string(c) == directed_id_string(c, T);
+print reverse_id_string(c) == directed_id_string(c, F);
diff --git a/testing/btest/scripts/base/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
new file mode 100644
index 0000000000..6f4f781c72
--- /dev/null
+++ b/testing/btest/scripts/base/utils/directions-and-hosts.test
@@ -0,0 +1,73 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# These are loaded by default.
+#@load base/utils/site
+#@load base/utils/directions-and-hosts
+
+redef Site::local_nets += { 10.0.0.0/8 };
+
+global local_ip = 10.0.0.100;
+global remote_ip = 192.168.1.100;
+
+global local2local: conn_id = [
+    $orig_h = 10.0.0.100, $orig_p = 10000,
+    $resp_h = 10.0.0.200, $resp_p = 20000 ];
+
+global local2remote: conn_id = [
+    $orig_h = 10.0.0.100,    $orig_p = 10000,
+    $resp_h = 192.168.1.100, $resp_p = 20000 ];
+
+global remote2local: conn_id = [
+    $orig_h = 192.168.1.100,    $orig_p = 10000,
+    $resp_h = 10.0.0.100,       $resp_p = 20000 ];
+
+global remote2remote: conn_id = [
+    $orig_h = 192.168.1.100, $orig_p = 10000,
+    $resp_h = 192.168.1.200, $resp_p = 20000 ];
+
+function test_host(ip: addr, h: Host, expect: bool)
+	{
+	local result = addr_matches_host(ip, h);
+	print fmt("%s(%s) == %s: %s", h, ip, expect,
+	          result == expect ? "SUCCESS" : "FAIL");
+	}
+
+function test_dir(id: conn_id, d: Direction, expect: bool)
+	{
+	local result = id_matches_direction(id, d);
+	print fmt("%s(o: %s, r: %s) == %s: %s", d, id$orig_h, id$resp_h, expect,
+	          result == expect ? "SUCCESS" : "FAIL");
+	}
+
+event bro_init()
+	{
+	test_host(local_ip,  LOCAL_HOSTS,  T);
+	test_host(local_ip,  REMOTE_HOSTS, F);
+	test_host(local_ip,  ALL_HOSTS,    T);
+	test_host(local_ip,  NO_HOSTS,     F);
+	test_host(remote_ip, LOCAL_HOSTS,  F);
+	test_host(remote_ip, REMOTE_HOSTS, T);
+	test_host(remote_ip, ALL_HOSTS,    T);
+	test_host(remote_ip, NO_HOSTS,     F);
+
+	test_dir(local2local,   INBOUND,       F);
+	test_dir(local2remote,  INBOUND,       F);
+	test_dir(remote2local,  INBOUND,       T);
+	test_dir(remote2remote, INBOUND,       F);
+
+	test_dir(local2local,   OUTBOUND,      F);
+	test_dir(local2remote,  OUTBOUND,      T);
+	test_dir(remote2local,  OUTBOUND,      F);
+	test_dir(remote2remote, OUTBOUND,      F);
+
+	test_dir(local2local,   BIDIRECTIONAL, F);
+	test_dir(local2remote,  BIDIRECTIONAL, T);
+	test_dir(remote2local,  BIDIRECTIONAL, T);
+	test_dir(remote2remote, BIDIRECTIONAL, F);
+
+	test_dir(local2local,   NO_DIRECTION,  F);
+	test_dir(local2remote,  NO_DIRECTION,  F);
+	test_dir(remote2local,  NO_DIRECTION,  F);
+	test_dir(remote2remote, NO_DIRECTION,  F);
+	}
diff --git a/testing/btest/scripts/base/utils/files.test b/testing/btest/scripts/base/utils/files.test
new file mode 100644
index 0000000000..84eff13187
--- /dev/null
+++ b/testing/btest/scripts/base/utils/files.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/files
+
+event connection_established(c: connection)
+	{
+	print generate_extraction_filename("test-prefix", c, "test-suffix");
+	print generate_extraction_filename("test-prefix", c, "");
+	print generate_extraction_filename("", c, "test-suffix");
+	print generate_extraction_filename("", c, "");
+	}
diff --git a/testing/btest/scripts/base/utils/numbers.test b/testing/btest/scripts/base/utils/numbers.test
new file mode 100644
index 0000000000..c1a2fff8c8
--- /dev/null
+++ b/testing/btest/scripts/base/utils/numbers.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/numbers
+
+print extract_count("These aren't the numbers you're looking for.");
+print extract_count("13These aren't the numbers you're looking for.");
+print extract_count("13 These aren't the numbers you're looking for.");
+print extract_count("These aren't the 13 numbers you're looking for.");
+print extract_count("These aren't the numbers you're looking for.13");
+print extract_count("These aren't the numbers you're looking for. 13");
+print extract_count("These aren't the 1abc3 numbers you're looking for.");
diff --git a/testing/btest/scripts/base/utils/paths.test b/testing/btest/scripts/base/utils/paths.test
new file mode 100644
index 0000000000..8436d37b8b
--- /dev/null
+++ b/testing/btest/scripts/base/utils/paths.test
@@ -0,0 +1,58 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/paths
+
+function test_extract(str: string, expect: string)
+	{
+	local result = extract_path(str);
+	print fmt("Given : %s", str);
+	print fmt("Expect: %s", expect);
+	print fmt("Result: %s", result);
+	print fmt("Result: %s", result == expect ? "SUCCESS" : "FAIL");
+	print "===============================";
+	}
+
+function test_compress(str: string, expect: string)
+	{
+	local result = compress_path(str);
+	print fmt("Given : %s", str);
+	print fmt("Expect: %s", expect);
+	print fmt("Result: %s", result);
+	print fmt("Result: %s", result == expect ? "SUCCESS" : "FAIL");
+	print "===============================";
+	}
+
+print "test compress_path()";
+print "===============================";
+test_compress("foo//bar", "foo/bar");
+test_compress("foo//bar/..", "foo");
+test_compress("foo/bar/../..", "");
+test_compress("foo//bar/../..", "");
+test_compress("/foo/../bar", "/bar");
+test_compress("/foo/../bar/..", "/");
+test_compress("/foo/baz/../..", "/");
+test_compress("../..", "../..");
+test_compress("foo/../../..", "../..");
+
+print "test extract_path()";
+print "===============================";
+test_extract("\"/this/is/a/dir\" is current directory", "/this/is/a/dir");
+test_extract("/this/is/a/dir is current directory", "/this/is/a/dir");
+test_extract("/this/is/a/dir\\ is\\ current\\ directory", "/this/is/a/dir\\ is\\ current\\ directory");
+test_extract("hey, /foo/bar/baz.bro is a cool script", "/foo/bar/baz.bro");
+test_extract("here's two dirs: /foo/bar and /foo/baz", "/foo/bar");
+
+print "test build_path_compressed()";
+print "===============================";
+print build_path_compressed("/home/bro/", "policy/somefile.bro");
+print build_path_compressed("/home/bro/", "/usr/local/bro/share/bro/somefile.bro");
+print build_path_compressed("/home/bro/", "/usr/local/bro/share/../../bro/somefile.bro");
+
+print "===============================";
+print "test build_full_path()";
+print "===============================";
+print build_path("/home/bro/", "policy/somefile.bro");
+print build_path("/home/bro/", "/usr/local/bro/share/bro/somefile.bro");
+
diff --git a/testing/btest/scripts/base/utils/pattern.test b/testing/btest/scripts/base/utils/pattern.test
new file mode 100644
index 0000000000..1cf5c49100
--- /dev/null
+++ b/testing/btest/scripts/base/utils/pattern.test
@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/pattern
+
+global r1 = set_to_regex(set("blah", "bleh", "blarg"), "(~~)");
+global r2 = set_to_regex(set("blah", "bleh", "blarg"), "foo(~~)bar");
+
+print r1;
+print "blah" == r1;
+
+print r2;
+print "fooblargbar" == r2;
+
+print match_pattern("123blah123", r1);
+print match_pattern("no match here", r1);
diff --git a/testing/btest/scripts/base/utils/site.test b/testing/btest/scripts/base/utils/site.test
new file mode 100644
index 0000000000..cfd7dd2ceb
--- /dev/null
+++ b/testing/btest/scripts/base/utils/site.test
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/site
+
+global a = { "site-admin@example.com", "other-site-admin@example.com" };
+global b = { "net-admin@example.com" };
+
+redef Site::local_admins += {
+    [141.142.0.0/16] = a,
+    [141.142.100.0/24] = b,
+};
+
+event bro_init()
+    {
+    print Site::get_emails(141.142.1.1);
+    print Site::get_emails(141.142.100.100);
+    }
diff --git a/testing/btest/scripts/base/utils/strings.test b/testing/btest/scripts/base/utils/strings.test
new file mode 100644
index 0000000000..77fe715def
--- /dev/null
+++ b/testing/btest/scripts/base/utils/strings.test
@@ -0,0 +1,30 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/strings
+
+function test_binary_string(s: string)
+	{
+	if ( is_string_binary(s) )
+		print fmt("'%s' IS considered binary", s);
+	else
+		print fmt("'%s' is NOT considered binary", s);
+	}
+
+test_binary_string("\x68\x65\x6C\x6C\x6F");
+test_binary_string("\xFF\xFF\xFF\x00");
+test_binary_string("\x00\x00\xFF\x00");
+test_binary_string("\x00\x00\x00\x00");
+
+print join_string_set(set("one", "two", "three"), ", ");
+print join_string_set(set("one"), ", ");
+
+print string_escape("hello world", "od");
+print string_escape("\\hello world\\", "");
+
+print cut_tail("hello world", 0);
+print cut_tail("hello world", 1);
+print cut_tail("hello world", 6);
+print cut_tail("hello world", 11);
+print cut_tail("hello world", 12);
diff --git a/testing/btest/scripts/base/utils/thresholds.test b/testing/btest/scripts/base/utils/thresholds.test
new file mode 100644
index 0000000000..2e18cc3b63
--- /dev/null
+++ b/testing/btest/scripts/base/utils/thresholds.test
@@ -0,0 +1,29 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# This is loaded by default.
+#@load base/utils/thresholds
+
+redef default_notice_thresholds = { 2, 4, 6, 8, 10 };
+const my_thresholds: vector of count = { 2, 4, 6, 8, 10 };
+const loop_v: vector of count = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
+global track_count: TrackCount;
+
+for ( i in loop_v )
+	{
+	print fmt("Iteration: %s, threshold check: %s", i,
+	          check_threshold(my_thresholds, track_count));
+	print track_count;
+	++track_count$n;
+	}
+
+track_count$n = 0; track_count$index = 0;
+
+print "====================================";
+for ( i in loop_v )
+	{
+	print fmt("Iteration: %s, threshold check: %s", i,
+	          default_check_threshold(track_count));
+	print track_count;
+	++track_count$n;
+	}
diff --git a/testing/btest/scripts/check-test-all-policy.bro b/testing/btest/scripts/check-test-all-policy.bro
new file mode 100644
index 0000000000..9a9d120e6d
--- /dev/null
+++ b/testing/btest/scripts/check-test-all-policy.bro
@@ -0,0 +1,6 @@
+# Makes sures test-all-policy.bro (which loads *all* other policy scripts) compiles correctly.
+# 
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@load test-all-policy
diff --git a/testing/btest/scripts/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro
new file mode 100644
index 0000000000..677cfa9f3d
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro
@@ -0,0 +1,20 @@
+# A basic test of the known-hosts script's logging and asset_tracking options
+
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=LOCAL_HOSTS
+# @TEST-EXEC: mv known_hosts.log knownhosts-local.log
+# @TEST-EXEC: btest-diff knownhosts-local.log
+
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=REMOTE_HOSTS
+# @TEST-EXEC: mv known_hosts.log knownhosts-remote.log
+# @TEST-EXEC: btest-diff knownhosts-remote.log
+
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=ALL_HOSTS
+# @TEST-EXEC: mv known_hosts.log knownhosts-all.log
+# @TEST-EXEC: btest-diff knownhosts-all.log
+
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=NO_HOSTS
+# @TEST-EXEC: test '!' -e known_hosts.log
+
+@load protocols/conn/known-hosts
+
+redef Site::local_nets += {141.142.0.0/16};
diff --git a/testing/btest/scripts/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.bro
new file mode 100644
index 0000000000..ab787b6bd4
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/known-services.bro
@@ -0,0 +1,20 @@
+# A basic test of the known-services script's logging and asset_tracking options
+
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=LOCAL_HOSTS
+# @TEST-EXEC: mv known_services.log knownservices-local.log
+# @TEST-EXEC: btest-diff knownservices-local.log
+
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=REMOTE_HOSTS
+# @TEST-EXEC: mv known_services.log knownservices-remote.log
+# @TEST-EXEC: btest-diff knownservices-remote.log
+
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=ALL_HOSTS
+# @TEST-EXEC: mv known_services.log knownservices-all.log
+# @TEST-EXEC: btest-diff knownservices-all.log
+
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=NO_HOSTS
+# @TEST-EXEC: test '!' -e known_services.log
+
+@load protocols/conn/known-services
+
+redef Site::local_nets += {172.16.238.0/24};
diff --git a/testing/btest/scripts/policy/protocols/dns/event-priority.bro b/testing/btest/scripts/policy/protocols/dns/event-priority.bro
new file mode 100644
index 0000000000..2165b102e8
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/dns/event-priority.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/dns-session.trace %INPUT 
+# @TEST-EXEC: btest-diff dns.log
+
+@load protocols/dns/auth-addl
diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
new file mode 100644
index 0000000000..2e82eb9dfb
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
@@ -0,0 +1,113 @@
+# @TEST-EXEC: bro %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load protocols/http/detect-sqli
+
+event bro_init () 
+{
+	local positive_matches: set[string];
+	local negative_matches: set[string];
+
+	add positive_matches["/index.asp?ID='+convert(int,convert(varchar,0x7b5d))+'"];
+	add positive_matches["/index.asp?ID='+cASt(somefield as int)+'"];
+	add positive_matches["/index.asp?ID=1'+139+'0"];
+	add positive_matches["/index.asp?ID='+139+'0"];
+	add positive_matches["/index.php?blah=123'/*blooblah*/;select * from something;--"];
+	add positive_matches["/index.cfm?ID=3%' and '%'='"];
+	add positive_matches["/index.php?mac=\" OR whatever LIKE \"%"];
+	add positive_matches["/index.cfm?ID=3;declare @d int;--"];
+	add positive_matches["/index.cfm?subjID=12;create table t_jiaozhu(jiaozhu varchar(200))"];
+	add positive_matches["/index.cfm?subjID=12%' and(char(94)+user+char(94))>0 and '%'='"];
+	add positive_matches["/index.cgi?cgi_state=view&ARF_ID=1+(642*truncate(log10(10),0))"];
+	add positive_matches["/index.cgi?view=1 regexp IF((ascii(substring(version(),6,1))>>(0)&1),char(42),1) AND 1=1"];
+	add positive_matches["/index.cfm?News=203 and char(124)+db_name()+char(124)=0 --"];
+	add positive_matches["/index.php?action=&type=view&s=&id=-1' UNION SELECT 0,252381211,0,0,0,0,0/*"];
+	add positive_matches["/index.php?x=browse&category='UNION SELECT '1','2','pixelpost_category_sql_injection.nasl','1183412908','5'/*"];
+	add positive_matches["/index.php?id='UNION/**/SELECT/**/0,0,1648909705,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*"];
+	add positive_matches["/index.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,0x7430705038755A7A20616E64207870726F67206F776E616765,convert(concat((SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F6E616D65),0x3a,(SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F70617373))/**/using/**/latin1),4,5,6,7,8,9/*"];
+	add positive_matches["/index.jsp?arfID=5 AND ascii(lower(substring((SELECT TOP 1 name from sysobjects WHERE xtype=â™Uâ™), 1,1)))>109"];
+	add positive_matches["/?main_menu=10&sub_menu=2&id=-1 union select aes_decrypt(aes_encrypt(LOAD_FILE('/etc/passwd'),0x70),0x70)/*"];
+	add positive_matches["/index.asp?file=50' and 1=1 and ''='"];
+	add positive_matches["/index.php?cat=999 UNION SELECT null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null FROM wp_users where id=1/*"];
+	add positive_matches["/index.asp?authornumber=1);insert into SubjectTable(Sub_id, SubjectName, display) values (666, 'ChkQualysRprt', 1); --"];
+	add positive_matches["/index.php?ID=60 and (select unicode(substring(isNull(cast(db_name() as varchar(8000)),char(32)),29,1)))"];
+	add positive_matches["/index.php?sort=all&&active=NO' union select 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/* and '1'='1"];
+	add positive_matches["/index.php?sort=all&&active=no' and 1=2 union select 1,'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/* and '1'='1"];
+	add positive_matches["/index.php?sort=all&&active=no' and (select count(table_name) from user_tables)>0 and '1'='1"];
+	add positive_matches["/index.php?id=22 /*!49999 and 1=2*/-- and 1=1"];
+	add positive_matches["/index.php?ID=59 and (select count(table_name) from user_tables)>0 and 1=1"];
+	add positive_matches["/index.php?ID=60 and exists (select * from [news])"];
+
+	# These are not detected currently.
+	#add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"];
+	#add positive_matches["/index.php' and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password"];
+	#add positive_matches["/index.php?id=873 and user=0--"];
+	#add positive_matches["?id=1;+if+(1=1)+waitfor+delay+'00:00:01'--9"];
+	#add positive_matches["?id=1+and+if(1=1,BENCHMARK(728000,MD5(0x41)),0)9"];
+
+	# The positive_matches below are from the mod_security evasion challenge.
+	# All supported attacks are uncommented.
+	# http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
+	add positive_matches["/index.asp?id=100&arftype=46'	XoR	'8'='8"];
+	#add positive_matches[unescape_URI("/testphp.vulnweb.com/artists.php?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user")];
+	#add positive_matches[unescape_URI("/index.php?hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27&sendbutton1=Get+Statement")];
+	#add positive_matches["after=1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')&before=d"];
+	#add positive_matches["hUserId=22768&FromDate=1&ToDate=1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-&sendbutton1=Get+Statement"];
+	add positive_matches[unescape_URI("/test.php?artist=-2%20div%201%20union%20all%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaafv%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201")];	;
+	#add positive_matches[unescape_URI("/test.php?artist=%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29 ")];
+	add positive_matches[unescape_URI("/test.php?artist=-2%20div%201%20union%20all%23hack%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%23%0A%23fabuloso%23great%23%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201")];
+	add positive_matches[unescape_URI("/test.php?artist=1%0bAND(SELECT%0b1%20FROM%20mysql.x)")];
+
+	add negative_matches["/index.asp?db=a9h&jid=JHE&scope=site"];
+	add negative_matches["/blah/?q=?q=archive+title=Read the older content in our archive"];
+	add negative_matches["/blah/?q=?q= title=Return to the main page"];
+	add negative_matches["/index.pl?http://search.ebscohost.com.proxy.lib.ohio-state.edu/direct.asp?db=s3h&jid=22EG&scope=site"];
+	add negative_matches["/search?q=eugene svirsky&spell=1&access=p&output=xml_no_dtd&ie=UTF-8&client=default_frontend&site=default_collection&proxystylesheet=default_frontend"];
+	add negative_matches["/index.htm?List=<ows:ListProperty Select='Name'"];
+	add negative_matches["/index.aspx?TreeviewPk=67&startat=f&filter=tree_pk='f502530'&stopat=b"];
+	add negative_matches["/index.asp?A0=23&A1=||17||=0&A2=||7|| desc&A3=||6||=62512 AND ||_System_||=0&A4=1,7,16,5,9&A5=2&A6=1&A7=0&A8=0&A9=0&A10="];
+	add negative_matches["/?q=?q= title=Return to the main page"];
+	add negative_matches["/index.swf?MMredirectURL='+MMredirectURL+'&MMplayerType=PlugIn"];
+	add negative_matches["/search?q=Drop-a-GEC Course&btnG=Search Ohio State&entqr=0&output=xml_no_dtd&sort=date:D:L:d1&ie=UTF-8&client=default_frontend&ud=1&y=15&oe=UTF-8&proxystylesheet=default_frontend&x=77&site=default_collection"];
+	add negative_matches["/index?config=joe&restrict=&exclude=&matchesperpage=8&method=and&format=long&sort=score&words=organizational change policy"];
+	add negative_matches["/index.swf?clickTag=http://xads.zedo.com//ads2/c?a=309530;x=3613;g=0,0;c=162000122,162000122;i=0;n=162;s=94;;i=0;u=FFFFFFFFFFFFFFFFF;e=i;s=94;g=172;w=38;m=69;p=6;f=351860;h=265048;k=http://ad.doubleclick.net/jump/N1057.Und/B2331434.43;sz=1x1;ord=0.8798379284729?"];
+	add negative_matches["/blah/?q=?q=\" title=\"Return to the main page."];
+	add negative_matches["/blah?pg=thread;sz=160x600;tile=2;pos=1;bl=n;comp=;is_guest=1;ord=38872342341?"];
+	add negative_matches["/index/a.b.com/ros;sect=ros;sz=728x90,468x60;click=http://a.b.com/servlet/click/media?zid=0&cid=0&mid=1104&pid=0&default=false&random=449290001&timestamp=20110426084929&test=false&referrer=http://b.com/darryl+worley-lyrics-964.html&redirect=;tile=1;ord=1309979795.5?"];
+	add negative_matches["/index/?keywordCharEnc=latin1&cb=' + dartDate + '"];
+	add negative_matches["/search/searchresult.jsp?op2=and&query3=&scope3=metadata&queryText=(+((yu)<in>metadata+)+<and>+((munson)<in>metadata+)+)"];
+	add negative_matches["/index?Z=300x250&s=299359&_salt=523454521`54&B=10&u=http://ad.doubleclick.net/adi/answ.science/;dcopt=ist;kw=biased+sample;tid=2735125;scat=health;scat=business;pcat=science;pos=1;tile=1;sz=300x250;csrc=2451;csrc=2191;csrc=2665;csrc=2750;or&r=0"];
+	add negative_matches["/index.php?sid=FirstSearch:AveryIndex&genre=article&issn=1590-1394&isbn=&atitle=Paesaggio+artificiale:+una+cava+diventa+parco+urbano+=++Artificial+landscape:+a+quarry+becomes+an+urban+park&title=Metamorfosi&issue=66&spage=58&epage=60&date=2007-05&sici=1590-1394(200705/06)66<58:PAUCDP>2.0.TX;2-C&id=doi:&pid=<accession+number>858994226+858994226</accession+number><fssessid>fsapp13-52547-fhscgzal-jqsb44</fssessid>&url_ver=Z39.88-2004&rfr_id=info:sid/firstsearch.oclc.org:AveryIndex&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&req_dat=<sessionid>fsapp13-52547-fhscgzal-jqsb44</sessionid>&rfe_dat=<accessionnumber>858994226+858994226</accessionnumber>&rft_id=urn:ISSN:1590-1394&rft.atitle=Paesaggio+artificiale:+una+cava+diventa+parco+urbano+=++Artificial+landscape:+a+quarry+becomes+an+urban+park&rft.jtitle=Metamorfosi&rft.date=2007-05&rft.issue=66&rft.spage=58&rft.epage=60&rft.issn=1590-1394&rft.genre=article&rft.sici=1590-1394(200705/06)66<58:PAUCDP>2.0.TX;2-C"];
+	add negative_matches["/index?body=linker&reqidx=00012345(2005)L.349"];
+	add negative_matches["/index.jsp?SortField=Score&SortOrder=desc&ResultCount=25&maxdoc=100&coll1=&coll2=ieeecnfs&coll3=ieecnfs&coll4=&coll5=&coll6=&coll7=&coll8=&srchres=0&history=yes&queryText=((curran)<IN>metadata)&oldqrytext=(~~simon+curran~~+<in>+metadata)+<and>+(4389466+<in>+punumber)&radiobutton=cit"];
+	add negative_matches["/index.php?action=uid=32651(makessc) gid=32652(makessc) groups=32652(makessc)"];
+	add negative_matches["/index.cgi?t=event&id=3947&year=2007&week=13&wday=3&rt=n&hour=13&min=30&lengthmin=90&title=771 (4) Biomedical Instrumentation - J. Liu&data=&startyear=2007&startweek=13&startwday=3&duration=1&alval=&altype=&alchk=&strike=0&todo=0&mail=0&lock=0&priv=0"];
+	add negative_matches["/index.php?site=EagleTribunePublishingCompany&adSpace=ROS&size=468x60&type=horiz&requestID='+((new Date()).getTime()  2147483648) + Math.random()+'"];
+	add negative_matches["/blah?callback=google.language.callbacks.id100&context=22&q=) or articles from the online magazine archive will need to log in, in order to access the content they have purchased.&langpair=|en&key=notsupplied&v=1.0"];
+	add negative_matches["/blah?hl=en&rlz=1T4DDWQ_enUS432US432&q=\"andrew+foobar\""];
+	add negative_matches["/index.cfm?filename=32423411.GP4&ip=1.2.3.4&id_num=0063&proj_num=2906&sheet_name=2 AND 3 FLR&sheet_num=2E&path=L:\ARF\DATA\13000\95013889.GP4"];
+	add negative_matches["/index.pl\?supersite=stations&station=ABCD&path='+location.pathname+'&'+location.search.substring(1)+'\\\"\\"];
+	add negative_matches["/ntpagetag.gif?js=1&ts=123412341234.568&lc=http://a.b.org/default.aspx?mode=js#&rs=1440x900&cd=32&ln=en&tz=GMT -04:00&jv=1&ets=123412341234.623&select_challenge_from_gallery=1&ci=RCC00000000"];
+	
+	# These are still being matched accidentally.
+	#add negative_matches["/A-B-C-D/inc/foobar.php?img=1179681280a b c d arf union.jpg"];
+	#add negative_matches["/test,+soviet+union&searchscope=7&SORT=DZ/test,+soviet+union&foobar=7"];
+	#add negative_matches["/search?hl=en&q=fee union western"];
+	#add negative_matches["/search?hl=en&q=ceiling drop tile"];
+	#add negative_matches["/index/hmm.gif?utmdt=Record > Create a Graph"];
+	#add negative_matches["/index.php?test='||\x0aTO_CHAR(foo_bar.Foo_Bar_ID)||"];
+
+	print "If anything besides this line prints out, there is a problem.";
+	for ( test in positive_matches )
+	{
+		if ( HTTP::match_sql_injection_uri !in test )
+			print fmt("Missed: %s", test );
+	}
+	print "";
+	for ( test in negative_matches )
+	{
+		if ( HTTP::match_sql_injection_uri in test )
+			print fmt("False Positive: %s", test);
+	}
+
+}
diff --git a/testing/btest/scripts/site/local.test b/testing/btest/scripts/site/local.test
new file mode 100644
index 0000000000..e2058417cd
--- /dev/null
+++ b/testing/btest/scripts/site/local.test
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro %INPUT
+
+@load local
\ No newline at end of file
diff --git a/testing/external/.gitignore b/testing/external/.gitignore
new file mode 100644
index 0000000000..9b7a29b755
--- /dev/null
+++ b/testing/external/.gitignore
@@ -0,0 +1,4 @@
+*.git
+diag.log
+bro-testing*
+.proxy
diff --git a/testing/istate/base/persistence-read/stderr.log b/testing/external/Baseline/.gitignore
similarity index 100%
rename from testing/istate/base/persistence-read/stderr.log
rename to testing/external/Baseline/.gitignore
diff --git a/testing/external/Makefile b/testing/external/Makefile
new file mode 100644
index 0000000000..994d8962c0
--- /dev/null
+++ b/testing/external/Makefile
@@ -0,0 +1,26 @@
+
+PUBLIC_REPO=git://git.bro-ids.org/bro-testing
+REPOS=`./scripts/find-git-repos `
+
+DIAG=diag.log
+
+all:
+	@rm -f $(DIAG)
+	@for repo in $(REPOS); do (cd $$repo && make ); done
+
+brief:
+	@rm -f $(DIAG)
+	@for repo in $(REPOS); do (cd $$repo && make brief ); done
+
+init:
+	git clone $(PUBLIC_REPO)
+
+pull:
+	@for repo in $(REPOS); do ( cd $$repo && git pull ); done
+
+push:
+	@for repo in $(REPOS); do ( cd $$repo && git push origin HEAD ); done
+
+status:
+	@for repo in $(REPOS); do ( cd $$repo && echo '>>' $$repo && git status -bs && echo ); done
+
diff --git a/testing/external/README b/testing/external/README
new file mode 100644
index 0000000000..345c7a81ae
--- /dev/null
+++ b/testing/external/README
@@ -0,0 +1,99 @@
+
+Test Suite for Large Trace Files
+================================
+
+This test-suite runs more complex Bro configurations on larger trace
+files, and compares the results to a pre-established baseline. Due to
+their size, both traces and baseline are not part of the main Bro
+repository but kept externally. In addition to the publically provided
+files, one can also add a local set to the test-suite for running on
+private traces.
+
+Initialization
+--------------
+
+Before the test-suite can be run, one needs to download the necessary
+files. Test and baselines are kept in git repositories, while any
+traces are download directly. A ``Makefile`` is provided to get
+everything that's needed initially:
+
+.. console:
+
+    > make init
+
+If you need a proxy to download the traces, enter it into a file
+``.proxy`` either in the top-level directory or inside one of the
+repositories.
+
+To later update to upstream changes:
+
+.. console:
+
+    > make pull
+
+This updates the tests and the traces as necessary.
+
+
+Running Tests
+-------------
+
+The easiest way to run all tests is simply typing ``make``. Doing so
+will iterate through all git repositories found in the current
+directory and run the tests in there. Output for failed tests will be
+in files ``diag.log`` in the top-level repository directories.
+
+Alternatively, one can also manually run all tests inside a single
+test repository:
+
+.. console:
+
+    > cd bro-testing
+    > btest
+
+All the standard ``btest`` options can be used to run individual
+tests, get diagnostic output, etc.
+
+Updating Baseline
+-----------------
+
+To update a test's baseline, first run ``btest`` in update mode:
+
+.. console:
+
+    > cd bro-testing
+    > btest -u tests/test-you-want-to-update
+
+Then use ``git`` to commit the changes and push the changes upstream
+as usual.
+
+Adding a Local Repository
+-------------------------
+
+One can add local non-public set of tests (potentially using private
+traces) by creating a git repository of a similar structure as the
+public one.
+
+If you already have such a private test repository that you want to
+include into the test suite, clone it directly into ``<repo-name>``.
+
+If you want to create a new private repository, there's a helper
+script to set that up:
+
+.. console:
+
+    > ./scripts/create-new-repo <repo-name> <repo-url>
+
+The first argument is the local name of the repository (it will be
+cloned into ``<repo-name>``); and the second is the URL of the git
+repository. The repository will be initialized with a few standard
+directories as well as a skeleton test in ``<name>/tests``. You can
+then edit files as needed. You add trace files by editing
+``Traces/traces.cfg``; see the comments in there. For each trace, you
+also need to calculate a checksum with ``md5sum`` and put it into
+``<url>.md5sum``. The scripts use this to decide if they need to
+redownload the trace. Accordingly, if you update a trace, make sure to
+also recalculate its checksum. Note that the traces will be downloaded
+to ``Traces/`` but must not be added to the git repostiory; there's a
+``.gitignore`` installed to prevent that.
+
+
diff --git a/testing/external/random.seed b/testing/external/random.seed
new file mode 100644
index 0000000000..e70c8f85ef
--- /dev/null
+++ b/testing/external/random.seed
@@ -0,0 +1,17 @@
+2983378351
+1299727368
+0
+310447
+0
+1409073626
+3975311262
+34130240
+1450515018
+1466150520
+1342286698
+1193956778
+2188527278
+3361989254
+3912865238
+3596260151
+517973768
diff --git a/testing/external/scripts/create-new-repo b/testing/external/scripts/create-new-repo
new file mode 100755
index 0000000000..8d64d73ca3
--- /dev/null
+++ b/testing/external/scripts/create-new-repo
@@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+
+cwd=`pwd`
+
+if [ $# != 2 ]; then
+    echo "usage: $0 <name> <dst-repo-dir>"
+    exit 1
+fi
+
+name=`pwd`/$1
+repo=$2
+
+if [ -e $repo ]; then
+    echo "$repo already exists, aborting."
+    exit 1
+fi
+
+if [ -e $name ]; then
+    echo "$name already exists, aborting."
+    exit 1
+fi
+
+mkdir $repo
+( cd $repo && git init --bare )
+
+git clone $repo $name
+
+cd $name
+
+for dir in tests Baseline; do
+    mkdir $dir
+    touch $dir/.gitignore
+done
+
+ln -s ../subdir-btest.cfg ./btest.cfg
+
+cp $cwd/`dirname $0`/skel/test.skeleton tests
+cp $cwd/`dirname $0`/skel/traces.cfg .
+cp $cwd/`dirname $0`/skel/Makefile .
+cp $cwd/`dirname $0`/skel/.gitignore .
+
+git add * .gitignore
+
+git commit -m "Repository initialized."
+git push origin master
diff --git a/testing/external/scripts/diff-all b/testing/external/scripts/diff-all
new file mode 100755
index 0000000000..e84416c088
--- /dev/null
+++ b/testing/external/scripts/diff-all
@@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+#
+# Runs btest-diff on $@ and fails if any fails. If $@ contains globs, we expand
+# them relative to *both* the current directory and the test's baseline
+# directory so that we spot missing files. Note that you will need to quote
+# the globals in the TEST-EXEC line as otherwise they will have been expanded relative
+# to the current directory already when this scripts runs.
+
+diag=$TEST_DIAGNOSTICS
+
+export TEST_DIAGNOSTICS=$diag.tmp
+
+if [ "$diag" = "" ]; then
+    diag=/dev/stdout
+else
+    rm -f $diag
+fi
+
+rc=0;
+
+files_cwd=`ls $@`
+files_baseline=`cd $TEST_BASELINE && ls $@`
+
+for i in `echo $files_cwd $files_baseline | sort | uniq`; do
+    if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" ]]; then
+
+        if [[ "$i" == "reporter.log" ]]; then
+            # Do not diff the reporter.log if it only complains about missing
+            # GeoIP support.
+            if ! egrep -v "^#|Bro was not configured for GeoIP support" $i; then
+                continue
+            fi
+        fi
+
+        if ! btest-diff $i; then
+           echo "" >>$diag
+           echo "#### btest-diff $i" >>$diag
+           echo "" >>$diag
+           cat $diag.tmp >>$diag
+           rc=1
+        fi
+    fi
+done
+
+exit $rc
diff --git a/testing/external/scripts/find-git-repos b/testing/external/scripts/find-git-repos
new file mode 100755
index 0000000000..5efd3346d6
--- /dev/null
+++ b/testing/external/scripts/find-git-repos
@@ -0,0 +1,8 @@
+#! /usr/bin/env bash
+#
+# Returns a list of git repositories found in subdirs of the
+# current directory.
+
+for i in `find . -type d`; do
+    test -e $i/.git && echo $i
+done
diff --git a/testing/external/scripts/perftools-adapt-paths b/testing/external/scripts/perftools-adapt-paths
new file mode 100755
index 0000000000..2eda2477c7
--- /dev/null
+++ b/testing/external/scripts/perftools-adapt-paths
@@ -0,0 +1,10 @@
+#! /usr/bin/env bash
+#
+# Adapts relative paths in perftools stderr output to work
+# directly from the top-level test directory.
+#
+# Returns an exit code > 0 if there's a leak.
+
+cat $1 | sed "s#bro *\"\./#../../../build/src/bro \".tmp/$TEST_NAME/#g" | sed 's/ *--gv//g' >$1.tmp && mv $1.tmp $1
+
+grep -q "No leaks found" $1
diff --git a/testing/external/scripts/skel/.gitignore b/testing/external/scripts/skel/.gitignore
new file mode 100644
index 0000000000..91bbaf9ec2
--- /dev/null
+++ b/testing/external/scripts/skel/.gitignore
@@ -0,0 +1,3 @@
+Traces
+diag.log
+.proxy
diff --git a/testing/external/scripts/skel/Makefile b/testing/external/scripts/skel/Makefile
new file mode 100644
index 0000000000..7926c51532
--- /dev/null
+++ b/testing/external/scripts/skel/Makefile
@@ -0,0 +1,14 @@
+
+DIAG=diag.log
+BTEST=../../../aux/btest/btest
+
+all: update-traces
+	@rm -f $(DIAG)
+	@$(BTEST) -f $(DIAG)
+
+brief: update-traces
+	@rm -f $(DIAG)
+	@$(BTEST) -b -f $(DIAG)
+
+update-traces:
+	../scripts/update-traces Traces
diff --git a/testing/external/scripts/skel/test.skeleton b/testing/external/scripts/skel/test.skeleton
new file mode 100644
index 0000000000..a76f3d4d09
--- /dev/null
+++ b/testing/external/scripts/skel/test.skeleton
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zcat $TRACES/trace.gz | bro -r - %INPUT
+# @TEST-EXEC: $SCRIPTS/diff-all '*.log'
+
+@load testing-setup
+@load test-all-policy
+
diff --git a/testing/external/scripts/skel/traces.cfg b/testing/external/scripts/skel/traces.cfg
new file mode 100644
index 0000000000..705207c151
--- /dev/null
+++ b/testing/external/scripts/skel/traces.cfg
@@ -0,0 +1,4 @@
+#
+# Format:
+#
+# <url> [<http-user>[:<http-password>]]
diff --git a/testing/external/scripts/testing-setup.bro b/testing/external/scripts/testing-setup.bro
new file mode 100644
index 0000000000..fa5664a877
--- /dev/null
+++ b/testing/external/scripts/testing-setup.bro
@@ -0,0 +1,6 @@
+# Sets some testing specific options.
+
+@ifdef ( SMTP::never_calc_md5 )
+        # MDD5s can depend on libmagic output.
+	redef SMTP::never_calc_md5 = T;
+@endif
diff --git a/testing/external/scripts/update-traces b/testing/external/scripts/update-traces
new file mode 100755
index 0000000000..8c27fb055e
--- /dev/null
+++ b/testing/external/scripts/update-traces
@@ -0,0 +1,80 @@
+#! /usr/bin/env bash
+#
+# Downloads all traces as specified in <cwd>/traces.cfg to directory $1.
+#
+# traces.cfg must consist of lines of the form "<url> <md5sum>"
+
+if [ "$1" == "" ]; then
+    echo "usage: `basename $0` <traces-directory>"
+    exit 1
+fi
+
+if [ ! -e $cfg ]; then
+    echo "No $cfg found."
+    exit 1
+fi
+
+cfg=traces.cfg
+
+for p in .proxy ../.proxy; do
+    if [ -e $p ]; then
+        proxy=`cat $p | head -1 | awk '{print $1}'`
+        echo Using proxy $proxy ...
+        proxy="ALL_PROXY=$proxy"
+        break
+    fi
+done
+
+mkdir -p $1
+
+cat $cfg | while read line; do
+
+    if echo $line | grep -q '^[ \t]*$'; then
+        continue
+    fi
+
+    if echo $line | grep -q '^[ \t]*#'; then
+        continue
+    fi
+
+    url=`echo $line | awk '{print $1}'`
+    auth=`echo $line | awk '{print $2}'`
+
+    file=$1/`echo $url | sed 's#^.*/##g'`
+    fp=$file.md5sum
+
+    if [ "$auth" != "" ]; then
+        auth="-u $auth"
+    fi
+
+    # Get the fingerprint file.
+    if ! eval "$proxy curl $auth -fsS --anyauth $url.md5sum -o $fp.tmp"; then
+        echo "Error: Could not get $url.md5sum, skipping download."
+        continue
+    fi
+
+    download=0
+
+    if [ -e $fp ]; then
+        if ! cmp -s $fp $fp.tmp; then
+            download=1
+        fi
+    else
+       download=1
+    fi
+
+    if [ "$download" = "1" ]; then
+        echo Getting $url ...
+        echo
+        eval "$proxy curl $auth -f --anyauth $url -o $file"
+        echo
+        mv $fp.tmp $fp
+    else
+        echo "`basename $file` already available."
+    fi
+
+    rm -f $fp.tmp
+
+done
+
+
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
new file mode 100644
index 0000000000..7b1d59cb07
--- /dev/null
+++ b/testing/external/subdir-btest.cfg
@@ -0,0 +1,20 @@
+[btest]
+TestDirs    = tests
+TmpDir      = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs  = .svn CVS .tmp
+IgnoreFiles = *.tmp *.swp #* *.trace .gitignore *.skeleton
+
+[environment]
+BROPATH=`bash -c %(testbase)s/../../../build/bro-path-dev`:%(testbase)s/../scripts
+BRO_SEED_FILE=%(testbase)s/../random.seed
+TZ=UTC
+LC_ALL=C
+PATH=%(testbase)s/../../../build/src:%(testbase)s/../../../aux/btest:%(default_path)s
+TEST_DIFF_CANONIFIER=%(testbase)s/../../scripts/diff-canonifier-external
+TEST_DIFF_BRIEF=1
+TRACES=%(testbase)s/Traces
+SCRIPTS=%(testbase)s/../scripts
+DIST=%(testbase)s/../../..
+BUILD=%(testbase)s/../../../build
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage
diff --git a/testing/istate/README b/testing/istate/README
deleted file mode 100644
index 78e855074f..0000000000
--- a/testing/istate/README
+++ /dev/null
@@ -1,11 +0,0 @@
-To run these tests, invoke:
-
-	./istate.py
-
-To see differences leading to test failures, invoke:
-
-	./istate.py -s
-
-Build a new test baseline using:
-
-	./istate.py -b
diff --git a/testing/istate/base/bro-ping/remote.log b/testing/istate/base/bro-ping/remote.log
deleted file mode 100644
index 4f86bd62d6..0000000000
--- a/testing/istate/base/bro-ping/remote.log
+++ /dev/null
@@ -1,17 +0,0 @@
-xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
-xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
-xxxxxxxxxx.xxxxxx [info]  [child]  listening on 0.0.0.0:47758 (clear)
-xxxxxxxxxx.xxxxxx [info]  [child]  [#10000/] accepted clear connection
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] added peer
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: version
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] connection established
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting events matching /^?(ping)$?/
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] accepting state
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting synchronized state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: handshake
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] registered for event pong
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer does not support 64bit PIDs; using compatibility mode
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: sync (receiver)
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: running
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] closing connection
diff --git a/testing/istate/base/bro-ping/stderr.log b/testing/istate/base/bro-ping/stderr.log
deleted file mode 100644
index bb611b7eb0..0000000000
--- a/testing/istate/base/bro-ping/stderr.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/events-display/stdout.log b/testing/istate/base/events-display/stdout.log
deleted file mode 100644
index a68f969a3c..0000000000
--- a/testing/istate/base/events-display/stdout.log
+++ /dev/null
@@ -1,36 +0,0 @@
-Event [xxxxxxxxxx.xxxxxx] bro_done()
-Event [xxxxxxxxxx.xxxxxx] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"])
-Event [xxxxxxxxxx.xxxxxx] connection_finished([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
-Event [xxxxxxxxxx.xxxxxx] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
-Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
-Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
-Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, history="ShAD"]T)
-Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
-Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN")
-Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML")
-Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T)
-Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"^J"http://www.w3.org/TR/REC-html40/loose.dtd">^J<HEAD><TITLE>ICIR</TITLE></HEAD>^J<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">^J<img src=icir.gif alt="ICIR"><br>^J<p>^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^J<a href="http://www.icsi.berkeley.edu">ICSI</a>^Jin ^J<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, ^JCalifornia.<br>^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>^J^JThe goals of ICIR are to:^J<ul>^J<li>Pursue research on the Internet architecture and related networking issues,^J<li>^JParticipate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and^Jstandards (<a href="http://www.ietf.org/">IETF</a>) communities,^J<li> Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J</ul>^J<p>^J<!--^JICIR is now ^J<a href="jobs.html">^Jhiring</a> for both postdoctoral positions and summer interns.^J-->^J<hr>^J^J<DIV ALIGN="CENTER">^J^J<table width="100%" cellspacing=16 cellpadding=0>^J^J<tr>^J<td width="35%" valign=top>^J^J<h2>^JPeople^J</h2>^J<ul>^J<li>^J<a href="./shenker/">^JScott Shenker</a>, Group Leader<br> ^J<li><a href="http://www.icir.org/mallman/">Mark Allman</a>^J<li>^J<a href="./floyd/">Sally Floyd</a>^J<!--^J<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>^J-->^J<li>^J<a href="./karp/papers.html">^JRichard Karp</a>  ^J<!-- (also with the ^J<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, ^J<a href="http://www.msri.org/">MSRI</a>, and^J<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->^J<li>^J<a href="./vern/">^JVern Paxson</a>  ^J<li>^J<a href="http://www.icir.org/robin/">^JRobin Sommer</a>^J<li>^J<a href="http://www.cs.berkeley.edu/~nweaver/">^JNicholas Weaver</a>^J<li>^J<a href="http://www.icsi.berkeley.edu/~zhao/">^JJerry Zhao</a>^J<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->^J<li><b><a href="pastvisitors.html">Past Group Members</a></b>,^J<br>including:^J<ul>^J<li>^J<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">^JMark Handley</a> (UCL)^J<li><a href="./kohler/">Eddie Kohler</a> (UCLA)^J</ul>^J<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>^JResearchers</b>:^J  <ul>^J  <li><a href="./jcardona/">Javier Cardona</a>^J  <li><a href="./atanu/">Atanu Ghosh</a> ^J  <li><a href="./hodson/">Orion Hodson</a>^J  <li><a href="./pavlin/">Pavlin Radoslavov</a> ^J  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>^J  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>^J</ul>^J<li><b>Affiliated UCB Researchers</b>:^J  <ul>^J  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>^J  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>^J  </ul>^J<li><b>Visitors</b>:^J  <ul>^J  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>^J<!--^J  from Shanghai Jiaotong University^J-->^J  <li>Teemu Koponen^J<!--^J  , Helsinki Institute for Information Technology^J-->^J  </ul>^J<!--^J<li><a href="pastvisitors.html">Other researchers</a>^J-->^J<a name=Visitors></a>^J<li><b>Interns:</b>^J<ul>^J<li>Juan Caballero^J<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>^J<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>^J<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>^J<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>^J<li>Halldor Isak Gylfason^J<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>^J<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>^J<!--^J<li><a href="newinterns.html">New Interns:</a> ^J-->^J</ul>^J<li><b>Undergraduate Interns:</b>^J<ul>^J<li>Michael Hoisie^J<li>Arthur Wayne Liao^J<li>Christopher Portka^J</ul>^J<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>^J</ul>^J^J</td>^J<td width="30%" vali")
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=8688, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.552114009857178, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<li><a href="./rfcs.html">^JRFCs</a> with ICIR authors.^J<li>^J<a href="./internetdrafts.html">^JInternet drafts</a> with ICIR authors, 3/2004 ^J(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>^Jthe current list).^J<!--^Jfor "Shenker OR Floyd OR Allman OR Paxson".^J(or the ^J<a^Jhref="^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)^J^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).^J-->^J<!--^Jfrom the ^J<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">^JInternet-Drafts Search Engine</a>).^J-->^J<li>Papers by ^J<a href="./shenker/papers.html">Scott Shenker</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),^J^J<a href="./mallman/papers/">Mark Allman</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),^J^J<a href="./floyd/papers.html">Sally Floyd</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),^J^J<a href="./karp/papers.html">Richard Karp</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),^J<a href="./kohler/pubs/">Eddie Kohler</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),^J<a href="./vern/papers.html">Vern Paxson</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).^J<li>The <a href="http://citeseer.ist.psu.edu/">^JResearchIndex</a> (RI) and the ^J<a href="http://citeseer.ist.psu.edu/cs">Search</a>^Jand ^J<a href="http://citeseer.ist.psu.edu/Networking/">^JNetworking</a> pages. ^J</ul>^J^J<h2>^JProjects ^J</h2>^J<ul>^J<li>^J<a href="./vern/bro-info.html">Bro</a>^J(detecting network intruders). ^J<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:^JFuture-Generation Internet Architecture.^J<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>^Jnetwork simulator.^J<li> <a href="./tbit/">TBIT</a>^J(TCP Behavior Identification Tool).^J<li> <a href="http://www.xorp.org/">Xorp</a>^J(Extensible Open Router Platform).^J<li>^J<a href="./funded_projects.html">^JOther Funded Projects</a>.^J<li>^J<a href="./research.html">^JAdditional Research Links</a>.^J</ul>^J^J^J</td>^J^J<td width="35%" valign=top>^J    ^J<h2>Research</h2>^J&nbsp; &nbsp;<b>Transport and Congestion</b>^J<ul>^J<li>^J<a href="./kohler/dcp/">DCCP</a>^J(Datagram Congestion Control Protocol).^J<li>^J<a href="./floyd/ecn.html">ECN</a>^J(Explicit Congestion Notification).^J<li>^J<a href="http://www.ietf.org/html.charters/intserv-charter.html">^JIntegrated services</a>.^J<li>^J<a href="./floyd/red.html">RED</a> ^Jqueue management, and^J<a href="./red-pd/">RED-PD</a>.^J<li>^J<a href="./floyd/hstcp.html">HighSpeed TCP</a>.^J<li>^J<a^Jhref="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">^JTCP Implementation</a>.^J<li>^JReordering-Robust TCP ^J(<a href="./bkarp/RR-TCP/">RR-TCP</a>).^J<li>TCP^J<a href="./floyd/sacks.html">SACK</a> ^J(Selective Acknowledgment).^J<li>^J<a href="./tfrc/">TFRC</a> ^J(TCP-Friendly Rate Control).^J</ul>^J^J&nbsp; &nbsp;<b>Traffic and Topology</b>^J<ul>^J<LI>^J<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> ^J(Internet Distance Mapping).^J<LI>The <a href="http://www.acm.org/sigcomm/ITA/">^JInternet Traffic Archive</a>.^J<li>^J<a href="http://www-net.cs.umass.edu/minc/">MINC</a>^J(Multicast-based Inference of Network-internal Characteristics).^J<li>^J<a href="http://www.psc.edu/networking/nimi/">NIMI</a>^J(N")
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J</ul>^J^J<h2>^J<a href="./collaborators.html">^JCollaborators</a>^J</h2>^J^J<!--^J&nbsp; &nbsp;<b>Multicast and Multimedia</b>^J<ul>^J<LI><A href="/malloc/">MALLOC</a>^J(Multicast Address Allocation).^J<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>^J(Session Initiation Protocol).^J<li> <a href="yoid"> Yoid</a> (host-based content distribution). ^J</ul>^J-->^J^J</td>^J^J</tr>^J</table>^J</DIV>^J^J<hr>^J<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>^J<hr>^JLast modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.^J<a href="http://web.archive.org/web/*/http://www.aciri.org/">^JOlder versions</a> of this web page, in its ACIRI incarnation..^J<BR>^JFor more information about this server, mail <I>www@aciri.org</I>.  ^J<BR>^JTo report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.^J</BODY>^J")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)")
-Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86])
-Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265])
-Event [xxxxxxxxxx.xxxxxx] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK")
-Event [xxxxxxxxxx.xxxxxx] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0")
-Event [xxxxxxxxxx.xxxxxx] net_done(xxxxxxxxxx.xxxxxx)
-Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="", hot=0, history=""])
-Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="cc=1", hot=0, history=""])
-Event [xxxxxxxxxx.xxxxxx] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165)
diff --git a/testing/istate/base/events-rcv/conn.log b/testing/istate/base/events-rcv/conn.log
deleted file mode 100644
index b38c0a2e70..0000000000
--- a/testing/istate/base/events-rcv/conn.log
+++ /dev/null
@@ -1,2 +0,0 @@
-xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
-xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
diff --git a/testing/istate/base/events-rcv/http.log b/testing/istate/base/events-rcv/http.log
deleted file mode 100644
index db049772d8..0000000000
--- a/testing/istate/base/events-rcv/http.log
+++ /dev/null
@@ -1,18 +0,0 @@
-xxxxxxxxxx.xxxxxx %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
-xxxxxxxxxx.xxxxxx %events-rcv-1 > USER-AGENT: Wget/1.10
-xxxxxxxxxx.xxxxxx %events-rcv-1 > ACCEPT: */*
-xxxxxxxxxx.xxxxxx %events-rcv-1 > HOST: www.icir.org
-xxxxxxxxxx.xxxxxx %events-rcv-1 > CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
-xxxxxxxxxx.xxxxxx %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
-xxxxxxxxxx.xxxxxx %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
-xxxxxxxxxx.xxxxxx %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
-xxxxxxxxxx.xxxxxx %events-rcv-1 < ACCEPT-RANGES: bytes
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-LENGTH: 9130
-xxxxxxxxxx.xxxxxx %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-TYPE: text/html
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/events-rcv/stderr.log b/testing/istate/base/events-rcv/stderr.log
deleted file mode 100644
index bb611b7eb0..0000000000
--- a/testing/istate/base/events-rcv/stderr.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/events-send/conn.log b/testing/istate/base/events-send/conn.log
deleted file mode 100644
index 3ac12d6d4b..0000000000
--- a/testing/istate/base/events-send/conn.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
-xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
-xxxxxxxxxx.xxxxxx ? 141.42.64.125 125.190.109.199 http 56730 80 tcp ? ? OTH X
diff --git a/testing/istate/base/events-send/http.log b/testing/istate/base/events-send/http.log
deleted file mode 100644
index 2ffab6810e..0000000000
--- a/testing/istate/base/events-send/http.log
+++ /dev/null
@@ -1,18 +0,0 @@
-xxxxxxxxxx.xxxxxx %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
-xxxxxxxxxx.xxxxxx %events-send-1 > USER-AGENT: Wget/1.10
-xxxxxxxxxx.xxxxxx %events-send-1 > ACCEPT: */*
-xxxxxxxxxx.xxxxxx %events-send-1 > HOST: www.icir.org
-xxxxxxxxxx.xxxxxx %events-send-1 > CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
-xxxxxxxxxx.xxxxxx %events-send-1 < SERVER: Apache/1.3.33 (Unix)
-xxxxxxxxxx.xxxxxx %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
-xxxxxxxxxx.xxxxxx %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
-xxxxxxxxxx.xxxxxx %events-send-1 < ACCEPT-RANGES: bytes
-xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-LENGTH: 9130
-xxxxxxxxxx.xxxxxx %events-send-1 < KEEP-ALIVE: timeout=15, max=100
-xxxxxxxxxx.xxxxxx %events-send-1 < CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-TYPE: text/html
-xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
-xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
-xxxxxxxxxx.xxxxxx %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
-xxxxxxxxxx.xxxxxx %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/persistence-read/stdout.log b/testing/istate/base/persistence-read/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-write/stderr.log b/testing/istate/base/persistence-write/stderr.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-write/stdout.log b/testing/istate/base/persistence-write/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/python-bro/stdout.log b/testing/istate/base/python-bro/stdout.log
deleted file mode 100644
index bdfea5e4d7..0000000000
--- a/testing/istate/base/python-bro/stdout.log
+++ /dev/null
@@ -1,14 +0,0 @@
-==== atomic
--10
-2
-xxxxxxxxxx.xxxxxx
-2.0 mins
-F
-1.5
-Servus
-5555/tcp
-6.7.6.5
-0.0
-192.168.0.0/16
-==== record
-42, 6.6.7.7
diff --git a/testing/istate/base/sync-rcv/remote.log b/testing/istate/base/sync-rcv/remote.log
deleted file mode 100644
index 4feea4ccc3..0000000000
--- a/testing/istate/base/sync-rcv/remote.log
+++ /dev/null
@@ -1,21 +0,0 @@
-xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
-xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] added peer
-xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: version
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection established
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting events matching /^?(.*)$?/
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] accepting state
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting synchronized state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: handshake
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer_description is not set
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer supports keep-in-cache; using that
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: sync (sender)
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] starting to send full state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] done sending full state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: running
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection closed
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer disconnected
-xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connection closed
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] closing connection
diff --git a/testing/istate/base/sync-rcv/stderr.log b/testing/istate/base/sync-rcv/stderr.log
deleted file mode 100644
index 788f8009fe..0000000000
--- a/testing/istate/base/sync-rcv/stderr.log
+++ /dev/null
@@ -1 +0,0 @@
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/sync-rcv/stdout.log b/testing/istate/base/sync-rcv/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/sync-send/stderr.log b/testing/istate/base/sync-send/stderr.log
deleted file mode 100644
index 4f2df4e549..0000000000
--- a/testing/istate/base/sync-send/stderr.log
+++ /dev/null
@@ -1,2 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
diff --git a/testing/istate/base/sync-send/stdout.log b/testing/istate/base/sync-send/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/istate.py b/testing/istate/istate.py
deleted file mode 100755
index 8c7b28fe4a..0000000000
--- a/testing/istate/istate.py
+++ /dev/null
@@ -1,174 +0,0 @@
-#! /usr/bin/env python
-# 
-# Tests persistence.
-#
-# $Id: istate.py,v 1.1.2.4 2005/10/11 22:31:42 sommer Exp $
-
-import time
-import os
-import os.path
-import optparse
-import sys
-import subprocess
-
-import tests
-
-optparser = optparse.OptionParser( usage = "%prog [options]", version = "0.1" )
-optparser.add_option( "-s", "--show-diff", action = "store_true", dest = "showdiff", 
-                    default = False, help = "show diffs of mismatches" )
-optparser.add_option( "-b", "--new-base", action = "store_true", dest = "newbase", 
-                    default = False, help = "create new baseline" )
-optparser.add_option( "-d", "--debug", action = "store_true", dest = "debug", 
-                    default = False, help = "enable debug output" )
-optparser.add_option( "-t", "--set", action = "store", type = "string", dest = "set", 
-                    default = None, help = "only do given test set" )
-
-                    
-( tests.Options, args ) = optparser.parse_args()
-
-if len(args) != 0:
-    optparser.error( "Wrong number of arguments" )
-
-##########################################    
-# Write persistent data and read it back.
-##########################################
-
-if tests.testSet("persistence"):
-
-    tests.spawnBro("persistence-write", 
-               ["-r", os.path.join(tests.Traces, "empty.trace"), 
-                os.path.join(tests.Scripts, "vars-init.bro"),
-                os.path.join(tests.Scripts, "vars-print.bro")])
-    tests.waitProc("persistence-write")
-    tests.finishTest("persistence-write", ["stdout.log", "stderr.log", "vars.log"])
-
-    tests.spawnBro("persistence-read", 
-               [os.path.join(tests.Scripts, "vars-declare.bro"),
-                os.path.join(tests.Scripts, "vars-print.bro")], 
-                copy=[os.path.join(tests.workDir("persistence-write"), ".state")])
-    tests.waitProc("persistence-read")
-    tests.finishTest("persistence-read", ["stdout.log", "stderr.log", "vars.log"])
-
-    tests.compareFiles("persistence-write", "persistence-read", ["vars.log"])
-
-##########################################    
-# Exchange events (clear-text).
-#
-# The used trace contains two connections separated by a silence of a 
-# couple of seconds. We start the processes so that the events for the 
-# *second* one (which is a full HTTP connection) are exchanged.
-##########################################    
-
-if tests.testSet("events"):
-
-    tests.spawnBro("events-send", 
-               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
-                "--pseudo-realtime", 
-                "-C",
-               os.path.join(tests.Scripts, "events-send.bro")])
-    time.sleep(2)
-    tests.spawnBro("events-rcv", 
-               [os.path.join(tests.Scripts, "events-rcv.bro")])
-    tests.waitProc("events-send")
-    tests.killProc("events-rcv")
-    tests.finishTest("events-send", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
-    tests.finishTest("events-rcv", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
-
-    tests.spawnBro("events-display", 
-               ["-x", os.path.join(tests.workDir("events-rcv"), "events.bst")])
-    tests.waitProc("events-display")
-    tests.finishTest("events-display", ["stdout.log"], ignoreTime=True, sort=True, delete=['127.0.0.1:[0-9]*',"Event.*remote_.*"])
-
-    tests.compareFiles("events-send", "events-rcv", ["http.log"], ignoreTime=True, ignoreSessionID=True)
-
-##########################################    
-# Exchange synchronized state
-##########################################    
-
-if tests.testSet("sync"):
-
-    tests.spawnBro("sync-send", 
-               [os.path.join(tests.Scripts, "vars-sync-send.bro")])
-    tests.spawnBro("sync-rcv", 
-               [os.path.join(tests.Scripts, "vars-sync-rcv.bro")])
-    tests.waitProc("sync-send")
-    time.sleep(1)
-    tests.killProc("sync-rcv")
-    tests.finishTest("sync-send", ["stdout.log", "stderr.log", "vars.log"], ignoreTime=True)
-    tests.finishTest("sync-rcv", ["stdout.log", "stderr.log", "vars.log", "remote.log"], ignoreTime=True, delete=["pid.*pid.*", "temporarily unavailable \\[..\\]"])
-
-    tests.compareFiles("sync-send", "sync-rcv", ["vars.log"], ignoreTime=True)
-
-# Old version    
-#    tests.spawnBro("sync-send", 
-#               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
-#       	        "--pseudo-realtime", 
-#                "-C",
-#               os.path.join(tests.Scripts, "vars-sync-send.bro")])
-
-##########################################
-# Test Broccoli with bro-ping
-##########################################
-
-
-if tests.testSet("broccoli"):
-
-    broctest = os.path.join(tests.Bro, "aux/broccoli/test")    
-    broclib = os.path.join(tests.Bro, "aux/broccoli/src/.libs")
-    broping = os.path.join(broctest, "broping")
-
-    brocpy = os.path.join(tests.Bro, "aux/broccoli/bindings/python")    
-
-    broccoli = True
-    
-    # Test if Broccoli was compiled.
-    if not os.path.exists(broping):
-        print "    Broccoli was not compiled, skipping tests."
-        broccoli = False
-        
-    # Test if this is a IPv6 Bro. 
-    if broccoli:
-        v6 = subprocess.call(["grep", "-q", "#define BROv6", os.path.join(tests.Bro, "config.h")])
-        if v6 == 0:
-            print "    Bro built with IPv6 support not compatible with Broccoli, skipping tests."
-            broccoli = False
-
-    if broccoli:
-        tests.spawnBro("bro-ping", [os.path.join(broctest, "broping-record.bro")])
-        time.sleep(1)
-        tests.spawnProc("broccoli-ping", 
-                        [broping, 
-                        "-r", 
-                        "-c", "5", 
-                        "127.0.0.1"])
-        tests.waitProc("broccoli-ping")
-        tests.killProc("bro-ping")
-    
-        tests.finishTest("bro-ping", ["stdout.log", "stderr.log", "remote.log"], 
-                         ignoreTime=True, delete=["127.0.0.1:[0-9]*", "pid.*pid.*", 
-                         ".*Resource temporarily unavailable.*", ".*connection closed.*", 
-                         ".*peer disconnected.*"])
-        tests.finishTest("broccoli-ping", ["stdout.log", "stderr.log"],
-                         delete=["time=.* s$"])
-                         
-        # Test if Python binding are installed.
-        sopath = subprocess.Popen(["find", brocpy, "-name", "_broccoli_intern.so"], stdout=subprocess.PIPE).communicate()[0]
-        if sopath != "":
-
-            os.environ["LD_LIBRARY_PATH"] = broclib
-            os.environ["DYLD_LIBRARY_PATH"] = broclib
-            os.environ["PYTHONPATH"] = os.path.dirname(sopath)
-            
-            tests.spawnBro("python-bro", [os.path.join(brocpy, "tests/test.bro")])
-            time.sleep(1)
-            tests.spawnProc("python-script", [os.path.join(brocpy, "tests/test.py")])
-            tests.waitProc("python-script")
-            tests.killProc("python-bro")
-            tests.finishTest("python-bro", ["stdout.log"], ignoreTime=True)
-            tests.finishTest("python-script", ["stdout.log"], ignoreTime=True, delete=["0x[^>]*", ".[0-9]{2}"])
-        else:
-            print "    Python bindings not built, skipping test."
-            print "       (To build: cd %s && python setup.py build)" % brocpy
-                         
-
-    
diff --git a/testing/istate/rndseed.dat b/testing/istate/rndseed.dat
deleted file mode 100644
index 3bc70c899b..0000000000
--- a/testing/istate/rndseed.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-1971283154
-1128552575
-26676
-875311974
-790730425
-1553617948
-3593004090
-2070230499
-1420669195
-754343139
-2906181924
-542878596
-2459738795
-924396623
-743111462
-3363354015
-198575356
diff --git a/testing/istate/scripts/events-rcv.bro b/testing/istate/scripts/events-rcv.bro
deleted file mode 100644
index a345e3fa49..0000000000
--- a/testing/istate/scripts/events-rcv.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: events-rcv.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
-
-@load tcp
-@load http-request
-@load http-reply
-@load http-header
-@load http-body
-@load http-abstract
-	
-@load capture-events	
-@load remote
-	
-redef peer_description = "events-rcv";
-	
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T]
-};
-
diff --git a/testing/istate/scripts/events-send.bro b/testing/istate/scripts/events-send.bro
deleted file mode 100644
index 00975fd723..0000000000
--- a/testing/istate/scripts/events-send.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: events-send.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
-
-@load tcp
-@load http-request
-@load http-reply
-@load http-header
-@load http-body
-@load http-abstract
-@load listen-clear
-	
-@load capture-events	
-	
-redef peer_description = "events-send";
-
-# Make sure the HTTP connection really gets out.
-# (We still miss one final connection event because we shutdown before
-# it gets propagated but that's ok.)
-redef tcp_close_delay = 0secs;
-
-	
-	
diff --git a/testing/istate/scripts/vars-declare.bro b/testing/istate/scripts/vars-declare.bro
deleted file mode 100644
index 871e518109..0000000000
--- a/testing/istate/scripts/vars-declare.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: vars-declare.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Declares variables.
-
-global foo1: count &persistent &synchronized;
-global foo2: int &persistent &synchronized;
-global foo3: string &persistent &synchronized; 
-global foo4: addr &persistent &synchronized; 
-global foo5: subnet &persistent &synchronized; 
-global foo6: double &persistent &synchronized; 
-global foo7: net &persistent &synchronized; 
-global foo8: interval &persistent &synchronized; 
-global foo9: table[count] of string &persistent &synchronized;
-global foo10: file &persistent &synchronized; 
-global foo11: pattern &persistent &synchronized; 
-global foo12: set[count] &persistent &synchronized; 
-global foo13: table[count, string] of count &persistent &synchronized;
-global foo14: table[count] of pattern &persistent &synchronized;
-global foo15: port &persistent &synchronized;
-global foo16: vector of count &persistent &synchronized;
-
-type type1: record {
-    a: string;
-    b: count &default=42;
-    c: double &optional;
-    };
-
-type type2: record {
-    a: string;
-    b: type1;
-    c: type1;
-    d: double;
-    };
-
-global foo17: type2  &persistent &synchronized;
-
diff --git a/testing/istate/scripts/vars-init.bro b/testing/istate/scripts/vars-init.bro
deleted file mode 100644
index 79b1345f31..0000000000
--- a/testing/istate/scripts/vars-init.bro
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: vars-init.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-# 
-# Instantiates variables.
-
-global foo1 = 42 &persistent &synchronized;
-global foo2 = -42 &persistent &synchronized;
-global foo3 = "Hallihallo" &persistent &synchronized; 
-global foo4 = 1.2.3.4 &persistent &synchronized; 
-global foo5 = 1.2.0.0/16 &persistent &synchronized; 
-global foo6 = 3.14 &persistent &synchronized; 
-global foo7 = 131.159. &persistent &synchronized; 
-global foo8 = 42 secs &persistent &synchronized; 
-global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
-global foo10 = open("test") &persistent &synchronized; 
-global foo11 = /12345/ &persistent &synchronized; 
-global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
-global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
-global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
-global foo15 = 42/udp &persistent &synchronized;
-global foo16: vector of count = [1,2,3] &persistent &synchronized;
- 
-type type1: record {
-    a: string;
-    b: count &default=42;
-    c: double &optional;
-    };
-
-type type2: record {
-    a: string;
-    b: type1;
-    c: type1;
-    d: double;
-    };
-
-global foo17: type2 = [
-	$a = "yuyuyu",
-    $b = [$a="rec1", $b=100, $c=1.24],
-    $c = [$a="rec2", $b=200, $c=2.24],
-   	$d = 7.77				   
-	] &persistent &synchronized;
-
-
diff --git a/testing/istate/scripts/vars-modify.bro b/testing/istate/scripts/vars-modify.bro
deleted file mode 100644
index 51f723f90d..0000000000
--- a/testing/istate/scripts/vars-modify.bro
+++ /dev/null
@@ -1,61 +0,0 @@
-# $Id: vars-modify.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Performs modifications on variables.
-
-function modify()
-	{
-	foo1 = 420;
-	++foo1;
-	
-	--foo2;
-	
-	foo3 = "Jodel";
-	
-	foo4 = 4.3.2.1; 
-	
-	foo5 = 4.0.0.0/8; 
-	
-	foo6 = 21;
-	
-	foo7 = 192.150.186; 
-	
-	foo9[3] = "asdfg1";
-	foo9[1] = "asdfg2";
-	delete foo9[2];
-	
-	foo10 = open("test2");
-	
-	foo11 = /abbcdefgh/;
-	
-	add foo12[6];
-	delete foo12[1];
-	
-	foo13[4,"JKL"] = 104;
-	delete foo13[1,"ABC"];
-	++foo13[2,"DEF"];
-	
-	foo14[6767] = /QWERTZ/;
-	
-	foo15 = 6667/tcp;
-	
-	foo16[4] = 4;
-	foo16[2] = 20;
-	++foo16[1];
-	
-	local x: type1;
-	x$a = "pop";
-	++x$b;
-	x$c = 9.999;
-	foo17$a = "zxzxzx";
-	foo17$b = x;
-	foo17$c$a = "IOIOI";
-	++foo17$c$b;
-	foo17$c$c = 612.2;
-	foo17$d = 6.6666;
-	
-	foo2 = 1234567;
-	}
-
-
-
-
diff --git a/testing/istate/scripts/vars-print.bro b/testing/istate/scripts/vars-print.bro
deleted file mode 100644
index 26d846c9cc..0000000000
--- a/testing/istate/scripts/vars-print.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: vars-print.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Print variables.
-
-event bro_done()
-	{
-	local out = open("vars.log");
-	print out, foo1;
-	print out, foo2;
-	print out, foo3;
-	print out, foo4;
-	print out, foo5;
-	print out, foo6;
-	print out, foo7;
-	print out, foo8;
-	print out, foo9;
-	print out, foo10;
-	print out, foo11;
-	print out, foo12;
-	print out, foo13;
-	print out, foo14;
-	print out, foo15;
-	print out, foo16;
-	print out, foo17;
-	}
-
-	
-	
-	
diff --git a/testing/istate/scripts/vars-sync-rcv.bro b/testing/istate/scripts/vars-sync-rcv.bro
deleted file mode 100644
index 145afd6ff6..0000000000
--- a/testing/istate/scripts/vars-sync-rcv.bro
+++ /dev/null
@@ -1,13 +0,0 @@
-# $Id: vars-sync-rcv.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
-
-@load vars-init
-@load vars-print
-
-@load capture-events	
-@load remote
-
-	
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T]
-};
-
diff --git a/testing/istate/scripts/vars-sync-send.bro b/testing/istate/scripts/vars-sync-send.bro
deleted file mode 100644
index 655c8a36ea..0000000000
--- a/testing/istate/scripts/vars-sync-send.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: vars-sync-send.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
-#
-
-@load vars-init
-@load vars-print
-@load vars-modify
-
-@load listen-clear
-
-event remote_connection_handshake_done(p: event_peer)
-	{
-	modify();
-	terminate_communication();
-	}
-			 
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $sync=T]
-};
-
-	
diff --git a/testing/istate/tests.py b/testing/istate/tests.py
deleted file mode 100644
index a8bbb5172a..0000000000
--- a/testing/istate/tests.py
+++ /dev/null
@@ -1,297 +0,0 @@
-# $Id: tests.py,v 1.1.2.5 2005/10/11 22:31:42 sommer Exp $
-#
-# Various helper functions.
-
-import sys
-import os
-import copy
-import errno
-import signal
-import subprocess
-
-# Path to our files.
-Testing = os.path.abspath(".")
-
-# Path to top-level Bro directory.
-if os.path.exists("../../src/bro"):
-    Bro = os.path.abspath("../..")
-else:
-    Bro = os.path.abspath("../../bro")
-    
-# Path where tmp files are created.
-Tmp = os.path.join(Testing, "tmp")
-
-# Path to seed file.
-BroSeed = os.path.join(Testing, "rndseed.dat")
-
-# Path to our test scripts.
-Scripts = os.path.join(Testing, "scripts")
-
-# Path to our test traces.
-Traces = os.path.join(Testing, "traces")
-
-# Where the base files to compare against are stored.
-Base = os.path.join(os.getcwd(), "./base")
- 
-# Process ID of all processes we've spawned, indexed by textual tag *and* pid.
-Running = {}
-
-# Set to true when at least one check failed.
-Failed = False
-
-# getopt options
-Options = None
-
-def error(str):
-    print >>sys.stderr, "Error:", str
-    sys.exit(1)
-
-def debug(str):    
-    if Options.debug:
-        print >>sys.stderr, "Debug:", str
-
-def log(str):    
-    print >>sys.stderr, str
-
-# Returns full path of given process' working directory.
-def workDir(tag):     
-    return os.path.join(Tmp, tag)
-
-# Intializes work dir for given process.
-def initWorkDir(tag):
-    
-    try:
-        os.mkdir(Tmp)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    os.system("rm -rf " + workDir(tag))
-    os.mkdir(workDir(tag))
-
-# Spawns process identified by the given tag. Enters process into RunningBro.
-def spawnProc(tag, cmdline, copy=[]):    
-    initWorkDir(tag)
-    os.chdir(workDir(tag))
-
-    for i in copy:
-        debug("Copying %s into workdir of %s" % (i, tag))
-        os.system("cp -r %s %s" % (i, workDir(tag)))
-    
-    debug("Spawning '%s' as %s" % (" ".join(cmdline), tag))
-    
-    saved_stdin = os.dup(0)
-    saved_stdout = os.dup(1)
-    saved_stderr = os.dup(2)
-    child_stdin = open("/dev/null", "r")
-    child_stdout = open("stdout.log", "w")
-    child_stderr = open("stderr.log", "w")
-    os.dup2(child_stdin.fileno(), 0)
-    os.dup2(child_stdout.fileno(), 1)
-    os.dup2(child_stderr.fileno(), 2)
-    pid = os.spawnvp(os.P_NOWAIT, cmdline[0], cmdline)
-    os.dup2(saved_stdin, 0)
-    os.dup2(saved_stdout, 1)
-    os.dup2(saved_stderr, 2)
-    
-    Running[tag] = pid
-    Running[pid] = tag
-
-# Spaws a Bro process.    
-def spawnBro(tag, args, copy=[]):
-    os.putenv("BROPATH", os.path.join(Bro, "policy") + ":" + Scripts)
-    os.unsetenv("BRO_LOG_SUFFIX")
-    args += ["--load-seeds", BroSeed, "-B", "state,comm"]
-    spawnProc(tag, [os.path.join(Bro, "src/bro")] + args, copy=copy)
-    
-# Examines a process' exit code.    
-def parseExitCode(tag, result):    
-    if os.WCOREDUMP(result):
-        error("process %s core dumped." % tag)
-
-    if os.WIFSIGNALED(result):
-        error("process %s got signal %d." % (tag, os.WTERMSIG(result)))
-        
-    if not os.WIFEXITED(result):
-        error("process %s exited abnormally (%d)." % (tag, result))
-
-    result = os.WEXITSTATUS(result)
-    debug("process %s exited with %d" % (tag, result)) 
-        
-    return result
-
-# Waits for process to finish.
-def waitProc(tag):
-    (pid, result) = os.waitpid(Running[tag], 0)
-    result = parseExitCode(tag, result)
-    if result != 0:
-	error("Execution of %s failed." % tag)
-	
-    del Running[pid]
-    del Running[tag]
-
-# Waits for all of our processes to terminte.
-def waitProcs():
-    while Running:
-        (pid, result) = os.waitpid(0, 0)
-        parseExitCode(Running[pid], result)
-        del Running[Running[pid]]
-        del Running[pid]
-
-# Kills the process and waits for its termination.
-def killProc(tag):
-    pid = Running[tag]
-    debug("Killing %s..." % tag)
-    os.kill(pid, signal.SIGTERM)
-    (pid, result) = os.waitpid(pid, 0)
-    parseExitCode(tag, result)
-    del Running[pid]
-    del Running[tag]
-	
-# Cleans up temporary stuff
-def cleanup():
-    os.system("rm -rf " + Tmp)
-
-# Canonicalizes file content for diffing.
-def canonicalizeFile(file, ignoreTime, ignoreSessionID, sort, delete):
-    
-    cmd = []
-    
-    if delete:
-        for i in delete:
-            cmd += ["sed 's/%s//g' | grep -v '^$'" % i]
-        
-    if ignoreTime:
-        cmd += ["sed 's/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\.[0-9][0-9]\{0,6\}/xxxxxxxxxx.xxxxxx/g'"]
-
-    if ignoreSessionID:
-        # A session is either "%1" or "%my-peer-description-1"
-        cmd += ["sed 's/%\([^ ]*-\)\{0,1\}[0-9][0-9]*/%XXX/g'"]
-        
-    if sort:
-        cmd += ["LC_ALL=c sort"]
-        
-    if not cmd:
-        return
-        
-    tmp = file + ".tmp"
-    cmd = "cat %s | %s >%s" % (file, " | ".join(cmd), tmp) 
-
-    debug("Canonicalizing '%s'" % cmd)
-    os.system(cmd)
-    os.system("mv %s %s" % (tmp, file))
-
-# Diffs the two files, If mismatch, prints "FAILED" and returns true.    
-def diff(file1, file2):
-    
-    quiet = ">/dev/null"
-    if Options.showdiff:
-        quiet = ""
-
-    for f in (file1, file2):
-        if not os.path.exists(f):
-            print "FAILED (%s does not exist)" % f
-            return False
-        
-    diff = "diff -u %s %s %s" % (file1, file2, quiet)
-        
-    debug("Executing '%s'" % diff)
-    result = os.system(diff)
-        
-    if os.WEXITSTATUS(result) != 0:
-        print "FAILED"
-        return False
-    
-    return True
-    
-# Compares files of process against base version. Returns false if mismatch found.
-def checkFiles(tag, files, ignoreTime, sort, delete):
-    base = os.path.join(Base, tag)
-    work = workDir(tag)
-    
-    print "    Checking %s..." % tag,
-    
-    failed = False
-    
-    for file in files:
-        oldfile = os.path.join(base, file)
-        newfile = os.path.join(work, file)
-
-        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
-	
-        if not diff(oldfile, newfile):
-            failed = True
-            break
-    
-    if not failed:
-        print "ok"
-    else:
-        Failed = failed
-
-# Compares files of two processes. Return false if mismatch found.
-def compareFiles(tag1, tag2, files, ignoreTime=False, ignoreSessionID=False, sort=False, delete=None):
-    work1 = workDir(tag1)
-    work2 = workDir(tag2)
-
-    print "    Comparing %s with %s..." % (tag1, tag2),
-    
-    failed = False
-    
-    for file in files:
-        file1 = os.path.join(work1, file)
-        file2 = os.path.join(work2, file)
-
-        canonicalizeFile(file1, ignoreTime, ignoreSessionID, sort, delete)
-        canonicalizeFile(file2, ignoreTime, ignoreSessionID, sort, delete)
-	
-        if not diff(file1, file2):
-            failed = True
-            break
-    
-    if not failed:
-        print "ok"
-    else:
-        Failed = failed
-        
-# Make the result of process new baseline.
-def makeNewBase(tag, files, ignoreTime, sort, delete):
-
-    try:
-        os.mkdir(Base)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    base = os.path.join(Base, tag)
-    work = workDir(tag)
-
-    print "    Copying files for %s..." % tag
-    
-    try:
-        os.mkdir(base)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    # Delete all files but those belonging to CVS.
-    os.system("find %s -type f -not -path '*/CVS/*' -not -path '*/.svn/*' -exec rm '{}' ';'" % base)
-    
-    for file in files:
-        oldfile = os.path.join(work, file)
-        newfile = os.path.join(base, file)
-	os.system("cp %s %s" % (oldfile, newfile))
-        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
-
-def testSet(set):
-    if Options.set and set != Options.set:
-        return False
-    
-    print "Running set '%s' ..." % set
-    return True
-        
-# Either check given files or make it new baseline, depending on options.
-def finishTest(tag, files, ignoreTime=False, sort=False, delete=None):
-    if Options.newbase:
-	makeNewBase(tag, files, ignoreTime, sort, delete)
-    else:
-	checkFiles(tag, files, ignoreTime, sort, delete)    
diff --git a/testing/scripts/btest-bg-run b/testing/scripts/btest-bg-run
new file mode 100755
index 0000000000..64a38b9759
--- /dev/null
+++ b/testing/scripts/btest-bg-run
@@ -0,0 +1,7 @@
+#! /usr/bin/env bash
+
+# This is a wrapper script to btest's real btest-bg-run.  It's used
+# when collecting Bro script coverage statistics so that two independent
+# Bro processing don't try to write those usage statistics to the same file.
+
+BRO_PROFILER_FILE=`mktemp $TMPDIR/script-coverage.XXXX` $BTEST_PATH/btest-bg-run $@
diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc
new file mode 100755
index 0000000000..cc5253c75c
--- /dev/null
+++ b/testing/scripts/coverage-calc
@@ -0,0 +1,59 @@
+#! /usr/bin/env python
+
+# This script aggregates many files containing Bro script coverage information
+# into a single file and reports the overall coverage information. Usage:
+#
+#   coverage-calc <quoted glob of filenames> <output file> <script dir>
+#
+# The last argument is used to point to a root directory containing all
+# the Bro distribution's scripts.  It's used to cull out test scripts
+# that are not part of the distribution and which should not count towards
+# the coverage calculation.
+
+import os
+import sys
+import glob
+
+stats = {}
+inputglob = sys.argv[1]
+outputfile = sys.argv[2]
+scriptdir = os.path.abspath(sys.argv[3])
+
+for filename in glob.glob(inputglob):
+    with open(filename, 'r') as f:
+        for line in f.read().splitlines():
+            parts = line.split("\t")
+            exec_count = int(parts[0])
+            # grab file path and line numbers separately
+            filepath, srclines = parts[1].rsplit(",", 1)
+            filepath = os.path.normpath(filepath)
+            # ignore scripts that don't appear to be part of Bro distribution
+            if not filepath.startswith(scriptdir):
+                continue
+            # keep only the line number (or line number range)
+            srclines = srclines.split()[1]
+            # For sorting purposes (so that line numbers get sorted correctly),
+            # construct a specially-formatted key string.
+            sortkey = filepath + ", line " + ("%6s" % srclines.split("-")[0])
+            location = filepath + ", line " + srclines
+            desc = parts[2]
+            # Keying by location + desc may result in duplicate data
+            # as some descs change as a result of differing configurations
+            # producing record (re)definitions
+            key = location
+            if key in stats:
+                stats[key][0] += exec_count
+            else:
+                stats[key] = [exec_count, location, desc, sortkey]
+
+with open(outputfile, 'w') as f:
+    for k in sorted(stats, key=lambda i: stats[i][3]):
+        f.write("%s\t%s\t%s\n" % (stats[k][0], stats[k][1], stats[k][2]))
+
+num_covered = 0
+for k in stats:
+    if stats[k][0] > 0:
+        num_covered += 1
+
+if len(stats) > 0:
+    print "%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100)
diff --git a/testing/scripts/diff-canonifier b/testing/scripts/diff-canonifier
new file mode 100755
index 0000000000..3cb213a3f7
--- /dev/null
+++ b/testing/scripts/diff-canonifier
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Default canonifier used with the tests in testing/btest/*.
+
+`dirname $0`/diff-remove-timestamps
diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external
new file mode 100755
index 0000000000..1f953183d3
--- /dev/null
+++ b/testing/scripts/diff-canonifier-external
@@ -0,0 +1,8 @@
+#! /usr/bin/env bash
+#
+# Default canonifier used with the trace-based tests in testing/external/*.
+
+`dirname $0`/diff-remove-timestamps \
+    | `dirname $0`/diff-remove-uids \
+    | `dirname $0`/diff-remove-mime-types \
+    | `dirname $0`/diff-remove-x509-names \
diff --git a/testing/scripts/diff-remove-abspath b/testing/scripts/diff-remove-abspath
new file mode 100755
index 0000000000..361ad3fa6d
--- /dev/null
+++ b/testing/scripts/diff-remove-abspath
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Replace absolute paths with the basename.
+
+sed 's#/\([^/]\{1,\}/\)\{1,\}\([^/]\{1,\}\)#<...>/\2#g'
diff --git a/testing/scripts/diff-remove-mime-types b/testing/scripts/diff-remove-mime-types
new file mode 100755
index 0000000000..fb447a9989
--- /dev/null
+++ b/testing/scripts/diff-remove-mime-types
@@ -0,0 +1,22 @@
+#! /usr/bin/awk -f
+#
+# A diff canonifier that removes all MIME types because libmagic output
+# can differ between installations.
+
+BEGIN { FS="\t"; OFS="\t"; column = -1; }
+
+/^#fields/ {
+    for ( i = 2; i < NF; ++i )
+        if ( $i == "mime_type" )
+            column = i-1;
+}
+
+column >= 0 {
+    if ( $column != "-" )
+        # Mark that it's set, but ignore content.
+        $column = "+";
+}
+
+{
+    print;
+}
diff --git a/testing/scripts/diff-remove-timestamps b/testing/scripts/diff-remove-timestamps
new file mode 100755
index 0000000000..063f1e4900
--- /dev/null
+++ b/testing/scripts/diff-remove-timestamps
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Replace anything which looks like timestamps with XXXs.
+
+sed 's/[0-9]\{10\}\.[0-9]\{2,8\}/XXXXXXXXXX.XXXXXX/g'
diff --git a/testing/scripts/diff-remove-uids b/testing/scripts/diff-remove-uids
new file mode 100755
index 0000000000..8e12b7abe5
--- /dev/null
+++ b/testing/scripts/diff-remove-uids
@@ -0,0 +1,21 @@
+#! /usr/bin/awk -f
+#
+# A diff canonifier that removes all connection UIDs.
+
+BEGIN { FS="\t"; OFS="\t"; }
+
+column > 0 {
+    $column = "XXXXXXXXXXX";
+    }
+
+/^#/ {
+    for ( i = 0; i < NF; ++i ) {
+        if ( $i == "uid" )
+            column = i - 1;
+        }
+    }
+
+{ print }
+
+
+
diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names
new file mode 100755
index 0000000000..6209edfc65
--- /dev/null
+++ b/testing/scripts/diff-remove-x509-names
@@ -0,0 +1,32 @@
+#! /usr/bin/awk -f
+#
+# A diff canonifier that removes all X.509 Distinguished Name subject fields
+# because that output can differ depending on installed OpenSSL version.
+
+BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1 }
+
+/^#fields/ {
+    for ( i = 2; i < NF; ++i )
+        {
+        if ( $i == "subject" )
+            s_col = i-1;
+        if ( $i == "issuer_subject" )
+            i_col = i-1;
+        }
+}
+
+s_col >= 0 {
+    if ( $s_col != "-" )
+        # Mark that it's set, but ignore content.
+        $s_col = "+";
+}
+
+i_col >= 0 {
+    if ( $i_col != "-" )
+        # Mark that it's set, but ignore content.
+        $i_col = "+";
+}
+
+{
+    print;
+}
diff --git a/testing/scripts/doc/example-diff-canonifier.py b/testing/scripts/doc/example-diff-canonifier.py
new file mode 100755
index 0000000000..e0b8c110cc
--- /dev/null
+++ b/testing/scripts/doc/example-diff-canonifier.py
@@ -0,0 +1,15 @@
+#!/usr/bin/python
+
+import sys
+import re
+
+# MutableVal derivatives (e.g. sets/tables) don't always generate the same
+# ordering in the reST documentation, so just don't bother diffing
+# the places where example.bro uses them.
+
+RE1 = "\d*/tcp"
+RE2 = "tcp port \d*"
+
+for line in sys.stdin.readlines():
+    if re.search(RE1, line) is None and re.search(RE2, line) is None:
+        print line