diff --git a/aux/broccoli b/aux/broccoli
index 54f3ff4e66..12c1f32d65 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 54f3ff4e6627d4a44d1e014e8e581e4e9dfed8c3
+Subproject commit 12c1f32d65fdf72d4af1450b0c9c5a5e398bba08
diff --git a/aux/broctl b/aux/broctl
index d9bfa3e7c2..e4e49c312a 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit d9bfa3e7c25aa0fdc27a1f8520f2bb474ecd44af
+Subproject commit e4e49c312a559886f7ec6d6f8efd582bbeb297ad
diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake
index f77dcc0fae..6d7cb3d76f 100644
--- a/cmake/ConfigurePackaging.cmake
+++ b/cmake/ConfigurePackaging.cmake
@@ -63,10 +63,7 @@ endmacro(SetPackageVersion)
 #
 # Darwin - PackageMaker
 # Linux - RPM if the platform has rpmbuild installed
-#         DEB is ommitted because CPack does not give enough
-#         control over how the package is created and lacks support
-#         for automatic dependency detection.
-#         
+#         DEB if the platform has dpkg-shlibdeps installed
 #
 # CPACK_GENERATOR is set by this macro
 # CPACK_SOURCE_GENERATOR is set by this macro
@@ -77,9 +74,14 @@ macro(SetPackageGenerators)
         list(APPEND CPACK_GENERATOR PackageMaker)
     elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
         find_program(RPMBUILD_EXE rpmbuild)
+        find_program(DPKGSHLIB_EXE dpkg-shlibdeps)
         if (RPMBUILD_EXE)
             set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM)
         endif ()
+        if (DPKGSHLIB_EXE)
+            set(CPACK_GENERATOR ${CPACK_GENERATOR} DEB)
+            set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS true)
+        endif ()
     endif ()
 endmacro(SetPackageGenerators)
 
@@ -159,11 +161,27 @@ macro(SetPackageInstallScripts VERSION)
     endif ()
 
     if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+        # DEB packages can automatically handle configuration files
+        # if provided in a "conffiles" file in the packaging
+        set(conffiles_file ${CMAKE_CURRENT_BINARY_DIR}/conffiles)
+        if (INSTALLED_CONFIG_FILES)
+            string(REPLACE " " ";" conffiles ${INSTALLED_CONFIG_FILES})
+        endif ()
+        file(WRITE ${conffiles_file} "")
+        foreach (_file ${conffiles})
+            file(APPEND ${conffiles_file} "${_file}\n")
+        endforeach ()
+
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/conffiles)
+
+        # RPMs don't need any explicit direction regarding config files.
+
         # Leaving the set of installed config files empty will just
-        # bypass the logic in the pre/post install scripts and let
-        # the RPM do their own thing (regarding backups, etc.)
+        # bypass the logic in the default pre/post install scripts and let
+        # the RPMs/DEBs do their own thing (regarding backups, etc.)
         # when upgrading packages.
-        set (INSTALLED_CONFIG_FILES "")
+        set(INSTALLED_CONFIG_FILES "")
     endif ()
 
     if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in)
@@ -171,10 +189,16 @@ macro(SetPackageInstallScripts VERSION)
             ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in
             ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh
             @ONLY)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/preinst
+            @ONLY)
         set(CPACK_PREFLIGHT_SCRIPT
             ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh)
         set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE
             ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh)
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/preinst)
     endif ()
 
     if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in)
@@ -182,10 +206,16 @@ macro(SetPackageInstallScripts VERSION)
             ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in
             ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh
             @ONLY)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/postinst
+            @ONLY)
         set(CPACK_POSTUPGRADE_SCRIPT
             ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh)
         set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE
             ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh)
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/postinst)
     endif ()
 endmacro(SetPackageInstallScripts)
 
diff --git a/cmake/package_postupgrade.sh.in b/cmake/package_postupgrade.sh.in
index 0ef78413c3..4e199d005c 100755
--- a/cmake/package_postupgrade.sh.in
+++ b/cmake/package_postupgrade.sh.in
@@ -48,21 +48,13 @@ if [ -n "${sampleFiles}" ]; then
 EOF
 fi
 
-# make sure that world-writeable dirs have the sticky bit set
-# so that unprivileged can't rename/remove files within
-
-if [ -d /var/opt/bro/spool ]; then
-    chmod +t /var/opt/bro/spool
-fi
-
-if [ -d /var/opt/bro/spool/tmp ]; then
-    chmod +t /var/opt/bro/spool/tmp
-fi
-
-if [ -d /var/opt/bro/spool/policy ]; then
-    chmod +t /var/opt/bro/spool/policy
-fi
-
-if [ -d /var/opt/bro/logs ]; then
-    chmod +t /var/opt/bro/logs
+# Set up world writeable spool and logs directory for broctl, making sure
+# to set the sticky bit so that unprivileged users can't rename/remove files.
+# (CMake/CPack is supposed to install them, but has problems with empty dirs)
+if [ -n "@EMPTY_WORLD_DIRS@" ]; then
+    for dir in "@EMPTY_WORLD_DIRS@"; do
+        mkdir -p ${dir}
+        chmod 777 ${dir}
+        chmod +t ${dir}
+    done
 fi
diff --git a/make-deb-packages b/make-deb-packages
new file mode 100755
index 0000000000..c8d501198b
--- /dev/null
+++ b/make-deb-packages
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# This script generates binary DEB packages.
+# They can be found in build/ after running.
+
+prefix=/opt/bro
+
+# CMake/CPack versions before 2.8.2 have bugs that can create bad packages
+CMAKE_PACK_REQ=2.8.2
+CMAKE_VER=`cmake -version`
+
+if [ "${CMAKE_VER}" \< "${CMAKE_PACK_REQ}" ]; then
+    echo "Package creation requires CMake > 2.8.2" >&2
+    exit 1
+fi
+
+# The DEB CPack generator depends on `dpkg-shlibdeps` to automatically
+# determine what dependencies to set for the packages
+type dpkg-shlibdeps > /dev/null 2>&1 || {
+    echo "\
+Creating DEB packages requires the `dpkg-shlibs` command, usually provided by
+the 'dpkg-dev' package, please install it first.
+" >&2;
+    exit 1;
+}
+
+# During the packaging process, `dpkg-shlibs` will fail if used on a library
+# that links to other internal/project libraries unless an RPATH is used or
+# we set LD_LIBRARY_PATH such that it can find the internal/project library
+# in the temporary packaging tree.
+export LD_LIBRARY_PATH=./${prefix}/lib
+
+# Minimum Bro
+./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
+            --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Full Bro package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro-all --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broccoli*.deb ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broctl*.deb ../../../build/ )
+cd ../..