From 9e0b0f918744f113cb5486863cd178ee0e2498a8 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Tue, 19 Nov 2013 20:20:36 -0500
Subject: [PATCH 001/136] Basic RADIUS support - checkpoint

---
 scripts/base/init-default.bro                 |   1 +
 scripts/base/protocols/radius/__load__.bro    |   3 +
 scripts/base/protocols/radius/consts.bro      | 537 ++++++++++++++++++
 scripts/base/protocols/radius/dpd.sig         |   7 +
 scripts/base/protocols/radius/main.bro        | 142 +++++
 scripts/base/utils/addrs.bro                  |  26 +-
 src/analyzer/protocol/CMakeLists.txt          |   5 +-
 src/analyzer/protocol/radius/CMakeLists.txt   |  11 +
 src/analyzer/protocol/radius/Plugin.cc        |  11 +
 src/analyzer/protocol/radius/RADIUS.cc        |  45 ++
 src/analyzer/protocol/radius/RADIUS.h         |  45 ++
 src/analyzer/protocol/radius/events.bif       |  23 +
 .../protocol/radius/radius-analyzer.pac       |  23 +
 .../protocol/radius/radius-protocol.pac       |  15 +
 src/analyzer/protocol/radius/radius.pac       |  37 ++
 15 files changed, 928 insertions(+), 3 deletions(-)
 create mode 100644 scripts/base/protocols/radius/__load__.bro
 create mode 100644 scripts/base/protocols/radius/consts.bro
 create mode 100644 scripts/base/protocols/radius/dpd.sig
 create mode 100644 scripts/base/protocols/radius/main.bro
 create mode 100644 src/analyzer/protocol/radius/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/radius/Plugin.cc
 create mode 100644 src/analyzer/protocol/radius/RADIUS.cc
 create mode 100644 src/analyzer/protocol/radius/RADIUS.h
 create mode 100644 src/analyzer/protocol/radius/events.bif
 create mode 100644 src/analyzer/protocol/radius/radius-analyzer.pac
 create mode 100644 src/analyzer/protocol/radius/radius-protocol.pac
 create mode 100644 src/analyzer/protocol/radius/radius.pac

diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d0120d930b..a732212335 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/radius
 @load base/protocols/smtp
 @load base/protocols/socks
 @load base/protocols/ssh
diff --git a/scripts/base/protocols/radius/__load__.bro b/scripts/base/protocols/radius/__load__.bro
new file mode 100644
index 0000000000..96bf67a57f
--- /dev/null
+++ b/scripts/base/protocols/radius/__load__.bro
@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+#@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/consts.bro b/scripts/base/protocols/radius/consts.bro
new file mode 100644
index 0000000000..6231a25631
--- /dev/null
+++ b/scripts/base/protocols/radius/consts.bro
@@ -0,0 +1,537 @@
+module RADIUS;
+
+const msg_types: table[count] of string = {
+	[1] = "Access-Request",
+	[2] = "Access-Accept",
+	[3] = "Access-Reject",
+	[4] = "Accounting-Request",
+	[5] = "Accounting-Response",
+	[11] = "Access-Challenge",
+	[12] = "Status-Server",
+	[13] = "Status-Client",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const attr_types: table[count] of string = {
+	[1] = "User-Name",
+	[2] = "User-Password",
+	[3] = "CHAP-Password",
+	[4] = "NAS-IP-Address",
+	[5] = "NAS-Port",
+	[6] = "Service-Type",
+	[7] = "Framed-Protocol",
+	[8] = "Framed-IP-Address",
+	[9] = "Framed-IP-Netmask",
+	[10] = "Framed-Routing",
+	[11] = "Filter-Id",
+	[12] = "Framed-MTU",
+	[13] = "Framed-Compression",
+	[14] = "Login-IP-Host",
+	[15] = "Login-Service",
+	[16] = "Login-TCP-Port",
+	[18] = "Reply-Message",
+	[19] = "Callback-Number",
+	[20] = "Callback-Id",
+	[22] = "Framed-Route",
+	[23] = "Framed-IPX-Network",
+	[24] = "State",
+	[25] = "Class",
+	[26] = "Vendor-Specific",
+	[27] = "Session-Timeout",
+	[28] = "Idle-Timeout",
+	[29] = "Termination-Action",
+	[30] = "Called-Station-Id",
+	[31] = "Calling-Station-Id",
+	[32] = "NAS-Identifier",
+	[33] = "Proxy-State",
+	[34] = "Login-LAT-Service",
+	[35] = "Login-LAT-Node",
+	[36] = "Login-LAT-Group",
+	[37] = "Framed-AppleTalk-Link",
+	[38] = "Framed-AppleTalk-Network",
+	[39] = "Framed-AppleTalk-Zone",
+	[40] = "Acct-Status-Type",
+	[41] = "Acct-Delay-Time",
+	[42] = "Acct-Input-Octets",
+	[43] = "Acct-Output-Octets",
+	[44] = "Acct-Session-Id",
+	[45] = "Acct-Authentic",
+	[46] = "Acct-Session-Time",
+	[47] = "Acct-Input-Packets",
+	[48] = "Acct-Output-Packets",
+	[49] = "Acct-Terminate-Cause",
+	[50] = "Acct-Multi-Session-Id",
+	[51] = "Acct-Link-Count",
+	[52] = "Acct-Input-Gigawords",
+	[53] = "Acct-Output-Gigawords",
+	[55] = "Event-Timestamp",
+	[56] = "Egress-VLANID",
+	[57] = "Ingress-Filters",
+	[58] = "Egress-VLAN-Name",
+	[59] = "User-Priority-Table",
+	[60] = "CHAP-Challenge",
+	[61] = "NAS-Port-Type",
+	[62] = "Port-Limit",
+	[63] = "Login-LAT-Port",
+	[64] = "Tunnel-Type",
+	[65] = "Tunnel-Medium-Type",
+	[66] = "Tunnel-Client-EndPoint",
+	[67] = "Tunnel-Server-EndPoint",
+	[68] = "Acct-Tunnel-Connection",
+	[69] = "Tunnel-Password",
+	[70] = "ARAP-Password",
+	[71] = "ARAP-Features",
+	[72] = "ARAP-Zone-Access",
+	[73] = "ARAP-Security",
+	[74] = "ARAP-Security-Data",
+	[75] = "Password-Retry",
+	[76] = "Prompt",
+	[77] = "Connect-Info",
+	[78] = "Configuration-Token",
+	[79] = "EAP-Message",
+	[80] = "Message Authenticator",
+	[81] = "Tunnel-Private-Group-ID",
+	[82] = "Tunnel-Assignment-ID",
+	[83] = "Tunnel-Preference",
+	[84] = "ARAP-Challenge-Response",
+	[85] = "Acct-Interim-Interval",
+	[86] = "Acct-Tunnel-Packets-Lost",
+	[87] = "NAS-Port-Id",
+	[88] = "Framed-Pool",
+	[89] = "CUI",
+	[90] = "Tunnel-Client-Auth-ID",
+	[91] = "Tunnel-Server-Auth-ID",
+	[92] = "NAS-Filter-Rule",
+	[94] = "Originating-Line-Info",
+	[95] = "NAS-IPv6-Address",
+	[96] = "Framed-Interface-Id",
+	[97] = "Framed-IPv6-Prefix",
+	[98] = "Login-IPv6-Host",
+	[99] = "Framed-IPv6-Route",
+	[100] = "Framed-IPv6-Pool",
+	[101] = "Error-Cause",
+	[102] = "EAP-Key-Name",
+	[103] = "Digest-Response",
+	[104] = "Digest-Realm",
+	[105] = "Digest-Nonce",
+	[106] = "Digest-Response-Auth",
+	[107] = "Digest-Nextnonce",
+	[108] = "Digest-Method",
+	[109] = "Digest-URI",
+	[110] = "Digest-Qop",
+	[111] = "Digest-Algorithm",
+	[112] = "Digest-Entity-Body-Hash",
+	[113] = "Digest-CNonce",
+	[114] = "Digest-Nonce-Count",
+	[115] = "Digest-Username",
+	[116] = "Digest-Opaque",
+	[117] = "Digest-Auth-Param",
+	[118] = "Digest-AKA-Auts",
+	[119] = "Digest-Domain",
+	[120] = "Digest-Stale",
+	[121] = "Digest-HA1",
+	[122] = "SIP-AOR",
+	[123] = "Delegated-IPv6-Prefix",
+	[124] = "MIP6-Feature-Vector",
+	[125] = "MIP6-Home-Link-Prefix",
+	[126] = "Operator-Name",
+	[127] = "Location-Information",
+	[128] = "Location-Data",
+	[129] = "Basic-Location-Policy-Rules",
+	[130] = "Extended-Location-Policy-Rules",
+	[131] = "Location-Capable",
+	[132] = "Requested-Location-Info",
+	[133] = "Framed-Management-Protocol",
+	[134] = "Management-Transport-Protection",
+	[135] = "Management-Policy-Id",
+	[136] = "Management-Privilege-Level",
+	[137] = "PKM-SS-Cert",
+	[138] = "PKM-CA-Cert",
+	[139] = "PKM-Config-Settings",
+	[140] = "PKM-Cryptosuite-List",
+	[141] = "PKM-SAID",
+	[142] = "PKM-SA-Descriptor",
+	[143] = "PKM-Auth-Key",
+	[144] = "DS-Lite-Tunnel-Name",
+	[145] = "Mobile-Node-Identifier",
+	[146] = "Service-Selection",
+	[147] = "PMIP6-Home-LMA-IPv6-Address",
+	[148] = "PMIP6-Visited-LMA-IPv6-Address",
+	[149] = "PMIP6-Home-LMA-IPv4-Address",
+	[150] = "PMIP6-Visited-LMA-IPv4-Address",
+	[151] = "PMIP6-Home-HN-Prefix",
+	[152] = "PMIP6-Visited-HN-Prefix",
+	[153] = "PMIP6-Home-Interface-ID",
+	[154] = "PMIP6-Visited-Interface-ID",
+	[155] = "PMIP6-Home-IPv4-HoA",
+	[156] = "PMIP6-Visited-IPv4-HoA",
+	[157] = "PMIP6-Home-DHCP4-Server-Address",
+	[158] = "PMIP6-Visited-DHCP4-Server-Address",
+	[159] = "PMIP6-Home-DHCP6-Server-Address",
+	[160] = "PMIP6-Visited-DHCP6-Server-Address",
+	[161] = "PMIP6-Home-IPv4-Gateway",
+	[162] = "PMIP6-Visited-IPv4-Gateway",
+	[163] = "EAP-Lower-Layer",
+	[164] = "GSS-Acceptor-Service-Name",
+	[165] = "GSS-Acceptor-Host-Name",
+	[166] = "GSS-Acceptor-Service-Specifics",
+	[167] = "GSS-Acceptor-Realm-Name",
+	[168] = "Framed-IPv6-Address",
+	[169] = "DNS-Server-IPv6-Address",
+	[170] = "Route-IPv6-Information",
+	[171] = "Delegated-IPv6-Prefix-Pool",
+	[172] = "Stateful-IPv6-Address-Pool",
+	[173] = "IPv6-6rd-Configuration"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const nas_port_types: table[count] of string = {
+	[0] = "Async",
+	[1] = "Sync",
+	[2] = "ISDN Sync",
+	[3] = "ISDN Async V.120",
+	[4] = "ISDN Async V.110",
+	[5] = "Virtual",
+	[6] = "PIAFS",
+	[7] = "HDLC Clear Channel",
+	[8] = "X.25",
+	[9] = "X.75",
+	[10] = "G.3 Fax",
+	[11] = "SDSL - Symmetric DSL",
+	[12] = "ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation",
+	[13] = "ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone",
+	[14] = "IDSL - ISDN Digital Subscriber Line",
+	[15] = "Ethernet",
+	[16] = "xDSL - Digital Subscriber Line of unknown type",
+	[17] = "Cable",
+	[18] = "Wireless - Other",
+	[19] = "Wireless - IEEE 802.11"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const service_types: table[count] of string = {
+	[1] = "Login",
+	[2] = "Framed",
+	[3] = "Callback Login",
+	[4] = "Callback Framed",
+	[5] = "Outbound",
+	[6] = "Administrative",
+	[7] = "NAS Prompt",
+	[8] = "Authenticate Only",
+	[9] = "Callback NAS Prompt",
+	[10] = "Call Check",
+	[11] = "Callback Administrative",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const framed_protocol_types: table[count] of string = {
+	[1] = "PPP",
+	[2] = "SLIP",
+	[3] = "AppleTalk Remote Access Protocol (ARAP)",
+	[4] = "Gandalf proprietary SingleLink/MultiLink protocol",
+	[5] = "Xylogics proprietary IPX/SLIP",
+	[6] = "X.75 Synchronous"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const vendor_9_types: table[count] of string = {
+	[1] = "Cisco-AVPair",
+	[2] = "Cisco-NAS-Port",
+	[3] = "Cisco-Fax-Account-Id-Origin",
+	[4] = "Cisco-Fax-Msg-Id",
+	[5] = "Cisco-Fax-Pages",
+	[6] = "Cisco-Fax-Coverpage-Flag",
+	[7] = "Cisco-Fax-Modem-Time",
+	[8] = "Cisco-Fax-Connect-Speed",
+	[9] = "Cisco-Fax-Recipient-Count",
+	[10] = "Cisco-Fax-Process-Abort-Flag",
+	[11] = "Cisco-Fax-Dsn-Address",
+	[12] = "Cisco-Fax-Dsn-Flag",
+	[13] = "Cisco-Fax-Mdn-Address",
+	[14] = "Cisco-Fax-Mdn-Flag",
+	[15] = "Cisco-Fax-Auth-Status",
+	[16] = "Cisco-Email-Server-Address",
+	[17] = "Cisco-Email-Server-Ack-Flag",
+	[18] = "Cisco-Gateway-Id",
+	[19] = "Cisco-Call-Type",
+	[20] = "Cisco-Port-Used",
+	[21] = "Cisco-Abort-Cause",
+	[23] = "Cisco-h323-remote-address",
+	[24] = "Cisco-h323-conf-id",
+	[25] = "Cisco-h323-setup-time",
+	[26] = "Cisco-h323-call-origin",
+	[27] = "Cisco-h323-call-type",
+	[28] = "Cisco-h323-connect-time",
+	[29] = "Cisco-h323-disconnect-time",
+	[30] = "Cisco-h323-disconnect-cause",
+	[31] = "Cisco-h323-voice-quality",
+	[33] = "Cisco-h323-gw-id",
+	[35] = "Cisco-h323-incoming-conn-id",
+	[37] = "Cisco-Policy-Up",
+	[38] = "Cisco-Policy-Down",
+	[100] = "Cisco-sip-conf-id",
+	[101] = "Cisco-h323-credit-amount",
+	[102] = "Cisco-h323-credit-time",
+	[103] = "Cisco-h323-return-code",
+	[104] = "Cisco-h323-prompt-id",
+	[105] = "Cisco-h323-day-and-time",
+	[106] = "Cisco-h323-redirect-number",
+	[107] = "Cisco-h323-preferred-lang",
+	[108] = "Cisco-h323-redirect-ip-addr",
+	[109] = "Cisco-h323-billing-model",
+	[110] = "Cisco-h323-currency",
+	[111] = "Cisco-subscriber",
+	[112] = "Cisco-gw-rxd-cdn",
+	[113] = "Cisco-gw-final-xlated-cdn",
+	[114] = "Cisco-remote-media-address",
+	[115] = "Cisco-release-source",
+	[116] = "Cisco-gw-rxd-cgn",
+	[117] = "Cisco-gw-final-xlated-cgn",
+	[141] = "Cisco-call-id",
+	[142] = "Cisco-session-protocol",
+	[143] = "Cisco-method",
+	[144] = "Cisco-prev-hop-via",
+	[145] = "Cisco-prev-hop-ip",
+	[146] = "Cisco-incoming-req-uri",
+	[147] = "Cisco-outgoing-req-uri",
+	[148] = "Cisco-next-hop-ip",
+	[149] = "Cisco-next-hop-dn",
+	[150] = "Cisco-sip-hdr",
+	[187] = "Cisco-Multilink-ID",
+	[188] = "Cisco-Num-In-Multilink",
+	[190] = "Cisco-Pre-Input-Octets",
+	[191] = "Cisco-Pre-Output-Octets",
+	[192] = "Cisco-Pre-Input-Packets",
+	[193] = "Cisco-Pre-Output-Packets",
+	[194] = "Cisco-Maximum-Time",
+	[195] = "Cisco-Disconnect-Cause",
+	[197] = "Cisco-Data-Rate",
+	[198] = "Cisco-PreSession-Time",
+	[208] = "Cisco-PW-Lifetime",
+	[209] = "Cisco-IP-Direct",
+	[210] = "Cisco-PPP-VJ-Slot-Comp",
+	[212] = "Cisco-PPP-Async-Map",
+	[217] = "Cisco-IP-Pool-Definition",
+	[218] = "Cisco-Assign-IP-Pool",
+	[228] = "Cisco-Route-IP",
+	[233] = "Cisco-Link-Compression",
+	[234] = "Cisco-Target-Util",
+	[235] = "Cisco-Maximum-Channels",
+	[242] = "Cisco-Data-Filter",
+	[243] = "Cisco-Call-Filter",
+	[244] = "Cisco-Idle-Limit",
+	[249] = "Cisco-Subscriber-Password",
+	[250] = "Cisco-Account-Info",
+	[251] = "Cisco-Service-Info",
+	[252] = "Cisco-Command-Code",
+	[253] = "Cisco-Xmit-Rate"
+} &default=function(i: count): string { return fmt("Cisco-unknown-%d", i); };
+
+const vendor_255_types: table[count] of string = {
+	[1] = "CVPN5000-Tunnel-Throughput",
+	[2] = "CVPN5000-Client-Assigned-IP",
+	[3] = "CVPN5000-Client-Real-IP",
+	[4] = "CVPN5000-VPN-GroupInfo",
+	[5] = "CVPN5000-VPN-Password",
+	[6] = "CVPN5000-Echo",
+	[7] = "CVPN5000-Client-Assigned-IPX"
+} &default=function(i: count): string { return fmt("CVPN5000-unknown-%d", i); };
+
+const vendor_311_types: table[count] of string = {
+	[1] = "MS-CHAP-Response",
+	[2] = "MS-CHAP-Error",
+	[3] = "MS-CHAP-CPW-1",
+	[4] = "MS-CHAP-CPW-2",
+	[5] = "MS-CHAP-LM-Enc-PW",
+	[6] = "MS-CHAP-NT-Enc-PW",
+	[7] = "MS-MPPE-Encryption-Policy",
+	[8] = "MS-MPPE-Encryption-Types",
+	[9] = "MS-RAS-Vendor",
+	[10] = "MS-CHAP-Domain",
+	[11] = "MS-CHAP-Challenge",
+	[12] = "MS-CHAP-MPPE-Keys",
+	[13] = "MS-BAP-Usage",
+	[14] = "MS-Link-Utilization-Threshold",
+	[15] = "MS-Link-Drop-Time-Limit",
+	[16] = "MS-MPPE-Send-Key",
+	[17] = "MS-MPPE-Recv-Key",
+	[18] = "MS-RAS-Version",
+	[19] = "MS-Old-ARAP-Password",
+	[20] = "MS-New-ARAP-Password",
+	[21] = "MS-ARAP-PW-Change-Reason",
+	[22] = "MS-Filter",
+	[23] = "MS-Acct-Auth-Type",
+	[24] = "MS-Acct-EAP-Type",
+	[25] = "MS-CHAP2-Response",
+	[26] = "MS-CHAP2-Success",
+	[27] = "MS-CHAP2-CPW",
+	[28] = "MS-Primary-DNS-Server",
+	[29] = "MS-Secondary-DNS-Server",
+	[30] = "MS-Primary-NBNS-Server",
+	[31] = "MS-Secondary-NBNS-Server",
+	[34] = "MS-RAS-Client-Name",
+	[35] = "MS-RAS-Client-Version",
+	[36] = "MS-Quarantine-IPFilter",
+	[37] = "MS-Quarantine-Session-Timeout",
+	[40] = "MS-User-Security-Identity",
+	[41] = "MS-Identity-Type",
+	[42] = "MS-Service-Class",
+	[44] = "MS-Quarantine-User-Class",
+	[45] = "MS-Quarantine-State",
+	[46] = "MS-Quarantine-Grace-Time",
+	[47] = "MS-Network-Access-Server-Type",
+	[48] = "MS-AFW-Zone",
+	[49] = "MS-AFW-Protection-Level",
+	[50] = "MS-Machine-Name",
+	[51] = "MS-IPv6-Filter",
+	[52] = "MS-IPv4-Remediation-Servers",
+	[53] = "MS-IPv6-Remediation-Servers",
+	[54] = "MS-RNAP-Not-Quarantine-Capable",
+	[55] = "MS-Quarantine-SOH",
+	[56] = "MS-RAS-Correlation",
+	[57] = "MS-Extended-Quarantine-State",
+	[58] = "MS-HCAP-User-Groups",
+	[59] = "MS-HCAP-Location-Group-Name",
+	[60] = "MS-HCAP-User-Name",
+	[61] = "MS-User-IPv4-Address",
+	[62] = "MS-User-IPv6-Address",
+	[63] = "MS-TSG-Device-Redirection"
+} &default=function(i: count): string { return fmt("MS-unknown-%d", i); };
+
+const vendor_3076_types: table[count] of string = {
+	[1] = "CVPN3000-Access-Hours",
+	[2] = "CVPN3000-Simultaneous-Logins",
+	[3] = "CVPN3000-Min-Password-Length",
+	[4] = "CVPN3000-Allow-Alpha-Only-Passwords",
+	[5] = "CVPN3000-Primary-DNS",
+	[6] = "CVPN3000-Secondary-DNS",
+	[7] = "CVPN3000-Primary-WINS",
+	[8] = "CVPN3000-Secondary-WINS",
+	[9] = "CVPN3000-SEP-Card-Assignment",
+	[10] = "CVPN3000-Priority-On-SEP",
+	[11] = "CVPN3000-Tunneling-Protocols",
+	[12] = "CVPN3000-IPSec-Sec-Association",
+	[13] = "CVPN3000-IPSec-Authentication",
+	[15] = "CVPN3000-IPSec-Banner1",
+	[16] = "CVPN3000-IPSec-Allow-Passwd-Store",
+	[17] = "CVPN3000-Use-Client-Address",
+	[18] = "CVPN3000-PPTP-Min-Auth-Protocol",
+	[19] = "CVPN3000-L2TP-Min-Auth-Protocol",
+	[20] = "CVPN3000-PPTP-Encryption",
+	[21] = "CVPN3000-L2TP-Encryption",
+	[22] = "CVPN3000-Auth-Server-Type",
+	[23] = "CVPN3000-Auth-Server-Password",
+	[24] = "CVPN3000-Request-Auth-Vector",
+	[25] = "CVPN3000-IPSec-LTL-Keepalives",
+	[26] = "CVPN3000-IPSec-Group-Name",
+	[27] = "CVPN3000-IPSec-Split-Tunnel-List",
+	[28] = "CVPN3000-IPSec-Default-Domain",
+	[29] = "CVPN3000-IPSec-Split-DNS-Names",
+	[30] = "CVPN3000-IPSec-Tunnel-Type",
+	[31] = "CVPN3000-IPSec-Mode-Config",
+	[32] = "CVPN3000-Auth-Server-Priority",
+	[33] = "CVPN3000-IPSec-User-Group-Lock",
+	[34] = "CVPN3000-IPSec-Over-UDP",
+	[35] = "CVPN3000-IPSec-Over-UDP-Port",
+	[36] = "CVPN3000-IPSec-Banner2",
+	[37] = "CVPN3000-PPTP-MPPC-Compression",
+	[38] = "CVPN3000-L2TP-MPPC-Compression",
+	[39] = "CVPN3000-IPSec-IP-Compression",
+	[40] = "CVPN3000-IPSec-IKE-Peer-ID-Check",
+	[41] = "CVPN3000-IKE-Keep-Alives",
+	[42] = "CVPN3000-IPSec-Auth-On-Rekey",
+	[45] = "CVPN3000-Reqrd-Client-Fw-Vendor-Code",
+	[46] = "CVPN3000-Reqrd-Client-Fw-Product-Code",
+	[47] = "CVPN3000-Reqrd-Client-Fw-Description",
+	[48] = "CVPN3000-Require-HW-Client-Auth",
+	[49] = "CVPN3000-Require-Individual-User-Auth",
+	[50] = "CVPN3000-Authd-User-Idle-Timeout",
+	[51] = "CVPN3000-Cisco-IP-Phone-Bypass",
+	[52] = "CVPN3000-User-Auth-Server-Name",
+	[53] = "CVPN3000-User-Auth-Server-Port",
+	[54] = "CVPN3000-User-Auth-Server-Secret",
+	[55] = "CVPN3000-IPSec-Split-Tunneling-Policy",
+	[56] = "CVPN3000-IPSec-Reqrd-Client-Fw-Cap",
+	[57] = "CVPN3000-IPSec-Client-Fw-Filter-Name",
+	[58] = "CVPN3000-IPSec-Client-Fw-Filter-Opt",
+	[59] = "CVPN3000-IPSec-Backup-Servers",
+	[60] = "CVPN3000-IPSec-Backup-Server-List",
+	[61] = "CVPN3000-DHCP-Network-Scope",
+	[62] = "CVPN3000-MS-Client-Icpt-DHCP-Conf-Msg",
+	[63] = "CVPN3000-MS-Client-Subnet-Mask",
+	[64] = "CVPN3000-Allow-Network-Extension-Mode",
+	[65] = "CVPN3000-IPSec-Authorization-Type",
+	[66] = "CVPN3000-IPSec-Authorization-Required",
+	[67] = "CVPN3000-IPSec-DN-Field",
+	[68] = "CVPN3000-IPSec-Confidence-Level",
+	[69] = "CVPN3000-WebVPN-Content-Filter",
+	[70] = "CVPN3000-WebVPN-Enable-functions",
+	[74] = "CVPN3000-WebVPN-Exchange-Addr",
+	[75] = "CVPN3000-LEAP-Bypass",
+	[78] = "CVPN3000-WebVPN-Exchange-NETBIOS-name",
+	[79] = "CVPN3000-Port-Forwarding-Name",
+	[80] = "CVPN3000-IE-Proxy-Server",
+	[81] = "CVPN3000-IE-Proxy-Server-Policy",
+	[82] = "CVPN3000-IE-Proxy-Exception-List",
+	[83] = "CVPN3000-IE-Proxy-Bypass-Local",
+	[84] = "CVPN3000-IKE-Keepalive-Retry-Interval",
+	[88] = "CVPN3000-Perfect-Forward-Secrecy-Enable",
+	[89] = "CVPN3000-NAC-Enable",
+	[90] = "CVPN3000-NAC-Status-Query-Timer",
+	[91] = "CVPN3000-NAC-Revalidation-Timer",
+	[92] = "CVPN3000-NAC-Default-ACL",
+	[93] = "CVPN3000-WebVPN-URL-Entry-Enable",
+	[94] = "CVPN3000-WebVPN-File-Access-Enable",
+	[95] = "CVPN3000-WebVPN-File-Svr-Entry-Enable",
+	[96] = "CVPN3000-WebVPN-File-Svr-Brwsing-Enable",
+	[97] = "CVPN3000-WebVPN-Port-Forwarding-Enable",
+	[98] = "CVPN3000-WebVPN-Outlook-Exch-Proxy-Enb",
+	[99] = "CVPN3000-WebVPN-Port-Fwding-HTTP-Proxy",
+	[100] = "CVPN3000-WebVPN-Auto-Applet-Downld-Enb",
+	[101] = "CVPN3000-WebVPN-Citrix-Metaframe-Enable",
+	[102] = "CVPN3000-WebVPN-Apply-ACL",
+	[103] = "CVPN3000-WebVPN-SSL-VPN-Client-Enable",
+	[104] = "CVPN3000-WebVPN-SSL-VPN-Client-Required",
+	[105] = "CVPN3000-WebVPN-SSL-VPN-Client-Keep-Ins",
+	[128] = "CVPN3000-Partition-Primary-DHCP",
+	[129] = "CVPN3000-Partition-Secondary-DHCP",
+	[131] = "CVPN3000-Partition-Premise-Router",
+	[132] = "CVPN3000-Partition-Max-Sessions",
+	[133] = "CVPN3000-Partition-Mobile-IP-Key",
+	[134] = "CVPN3000-Partition-Mobile-IP-Address",
+	[135] = "CVPN3000-Partition-Mobile-IP-SPI",
+	[136] = "CVPN3000-Strip-Realm",
+	[137] = "CVPN3000-Group-Name"
+} &default=function(i: count): string { return fmt("CPNV3000-unknown-%d", i); };
+
+const vendor_14823_types: table[count] of string = {
+	[1] = "Aruba-User-Role",
+	[2] = "Aruba-User-Vlan",
+	[3] = "Aruba-Priv-Admin-User",
+	[4] = "Aruba-Admin-Role",
+	[5] = "Aruba-Essid-Name",
+	[6] = "Aruba-Location-Id",
+	[7] = "Aruba-Port-Identifier",
+	[8] = "Aruba-MMS-User-Template",
+	[9] = "Aruba-Named-User-Vlan",
+	[10] = "Aruba-AP-Group",
+	[11] = "Aruba-Framed-IPv6-Address",
+	[12] = "Aruba-Device-Type",
+	[13] = "Aruba-AP-Name",
+	[14] = "Aruba-No-DHCP-Fingerprint",
+	[15] = "Aruba-Mdps-Device-Udid",
+	[16] = "Aruba-Mdps-Device-Imei",
+	[17] = "Aruba-Mdps-Device-Iccid",
+	[18] = "Aruba-Mdps-Max-Devices",
+	[19] = "Aruba-Mdps-Device-Name",
+	[20] = "Aruba-Mdps-Device-Product",
+	[21] = "Aruba-Mdps-Device-Version",
+	[22] = "Aruba-Mdps-Device-Serial",
+	[23] = "Aruba-CPPM-Role",
+	[24] = "Aruba-AirGroup-User-Name",
+	[25] = "Aruba-AirGroup-Shared-User",
+	[26] = "Aruba-AirGroup-Shared-Role",
+	[27] = "Aruba-AirGroup-Device-Type",
+	[28] = "Aruba-Auth-Survivability",
+	[29] = "Aruba-AS-User-Name",
+	[30] = "Aruba-AS-Credential-Hash",
+	[31] = "Aruba-WorkSpace-App-Name",
+	[32] = "Aruba-Mdps-Provisioning-Settings",
+	[33] = "Aruba-Mdps-Device-Profile"
+} &default=function(i: count): string { return fmt("Aruba-unknown-%d", i); };
+
diff --git a/scripts/base/protocols/radius/dpd.sig b/scripts/base/protocols/radius/dpd.sig
new file mode 100644
index 0000000000..d32ba49771
--- /dev/null
+++ b/scripts/base/protocols/radius/dpd.sig
@@ -0,0 +1,7 @@
+# Generated by binpac_quickstart
+
+signature dpd_radius {
+	ip-proto == udp
+	# TODO: payload /^RADIUS/
+	enable "radius"
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
new file mode 100644
index 0000000000..0d239dcb64
--- /dev/null
+++ b/scripts/base/protocols/radius/main.bro
@@ -0,0 +1,142 @@
+##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+# Generated by binpac_quickstart
+
+module RADIUS;
+
+@load ./consts.bro
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+		msg_type: string &log;
+	};
+
+	## Event that can be handled to access the RADIUS record as it is sent on
+	## to the loggin framework.
+	global log_radius: event(rec: Info);
+}
+
+const ports = { 1812/udp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
+	}
+
+event radius_message(c: connection, msg_type: count, trans_id: count)
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$msg_type = msg_types[msg_type];
+
+	Log::write(RADIUS::LOG, info);
+	}
+
+event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
+	{
+	switch ( attr_types[attr_type] ) {
+#	case "Calling-Station-Id":
+#		tmp = normalize_mac(value);
+#		if ( tmp != "" )
+#			print cat(attr_types[attr_type], " ", tmp);
+#		else
+#			print cat(attr_types[attr_type], " ", value);
+#		break;
+#	case "Called-Station-Id":
+#		fallthrough;
+
+	## Strings:
+	case "Reply-Message":
+		fallthrough;
+	case "User-Name":
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+		
+	## IPs:
+
+	case "Framed-IP-Address":
+		fallthrough;
+	case "Framed-IP-Netmask":
+		fallthrough;
+	case "NAS-IP-Address":
+		print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
+		break;
+
+	## Counts:
+		
+	case "Framed-MTU":
+		fallthrough;
+	case "NAS-Port":
+		fallthrough;
+	case "Session-Timeout":
+		print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
+		break;
+
+	## Other:
+
+	case "NAS-Port-Type":
+		print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
+		break;
+	case "Service-Type":
+		print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
+		break;
+	case "Framed-Protocol":
+		print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
+		break;
+	case "Vendor-Specific":
+		switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
+		case 9:
+			# Cisco IOS/PIX 6.0
+			print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 255:
+			# Cisco VPN 5000
+			print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 311:
+			# Microsoft
+			print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 3076:
+			# Cisco VPN 3000
+			print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 14823:
+			# Aruba
+			print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		default:
+			print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
+			break;
+		}
+		break;
+	default:
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+	}
+	}
+
+# Called-Station-Id: 
+# Calling-Station-Id: 
+# Class: 
+# NAS-Identifier: 
+# State: 
+# Vendor-Specific: 
+# unknown-185: 
+# unknown-66: 
+# unknown-77: 
+# unknown-79: 
+# unknown-80: 
+# unknown-87: 
+# unknown-95:
\ No newline at end of file
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro
index e2031e3efa..54ef62695a 100644
--- a/scripts/base/utils/addrs.bro
+++ b/scripts/base/utils/addrs.bro
@@ -1,4 +1,4 @@
-##! Functions for parsing and manipulating IP addresses.
+##! Functions for parsing and manipulating IP and MAC addresses.
 
 # Regular expressions for matching IP addresses in strings.
 const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
@@ -119,3 +119,27 @@ function addr_to_uri(a: addr): string
 	else
 		return fmt("[%s]", a);
 	}
+
+## Given a string, extracts the hex digits and returns a MAC address in the
+## format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex digits,
+## an empty string is returned.
+##
+## a: the string to normalize
+##
+## Returns: a normalized MAC address, or an empty string in the case of an error.
+function normalize_mac(a: string): string
+	{
+	local result = to_lower(gsub(a, /[^A-Fa-f0-9]/, ""));
+	local octets: string_vec;
+	if ( |result| == 12 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10));
+		return fmt("%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6]);
+		}
+	if ( |result| == 16 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10, 12, 14));
+		return fmt("%s:%s:%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6], octets[7], octets[8]);
+		}
+	return "";
+	}
\ No newline at end of file
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index fc63aa4b66..a7bb43a470 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -19,14 +19,15 @@ add_subdirectory(ident)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(login)
-add_subdirectory(modbus)
 add_subdirectory(mime)
+add_subdirectory(modbus)
 add_subdirectory(ncp)
-add_subdirectory(netflow)
 add_subdirectory(netbios)
+add_subdirectory(netflow)
 add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
+add_subdirectory(radius)
 add_subdirectory(rpc)
 add_subdirectory(smb)
 add_subdirectory(smtp)
diff --git a/src/analyzer/protocol/radius/CMakeLists.txt b/src/analyzer/protocol/radius/CMakeLists.txt
new file mode 100644
index 0000000000..2d1cd0e024
--- /dev/null
+++ b/src/analyzer/protocol/radius/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Generated by binpac_quickstart
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro RADIUS)
+	bro_plugin_cc(RADIUS.cc Plugin.cc)
+	bro_plugin_bif(events.bif)
+	bro_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
+bro_plugin_end()
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/Plugin.cc b/src/analyzer/protocol/radius/Plugin.cc
new file mode 100644
index 0000000000..22780c13c5
--- /dev/null
+++ b/src/analyzer/protocol/radius/Plugin.cc
@@ -0,0 +1,11 @@
+// Generated by binpac_quickstart
+
+#include "plugin/Plugin.h"
+
+#include "RADIUS.h"
+
+BRO_PLUGIN_BEGIN(Bro, RADIUS)
+	BRO_PLUGIN_DESCRIPTION("RADIUS analyzer");
+	BRO_PLUGIN_ANALYZER("RADIUS", RADIUS::RADIUS_Analyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc
new file mode 100644
index 0000000000..e88bd40083
--- /dev/null
+++ b/src/analyzer/protocol/radius/RADIUS.cc
@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#include "RADIUS.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::RADIUS;
+
+RADIUS_Analyzer::RADIUS_Analyzer(Connection* c)
+
+: analyzer::Analyzer("RADIUS", c)
+
+	{
+	interp = new binpac::RADIUS::RADIUS_Conn(this);
+	
+	}
+
+RADIUS_Analyzer::~RADIUS_Analyzer()
+	{
+	delete interp;
+	}
+
+void RADIUS_Analyzer::Done()
+	{
+	
+	Analyzer::Done();
+	
+	}
+
+void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
+	 			  bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h
new file mode 100644
index 0000000000..85f8f197a6
--- /dev/null
+++ b/src/analyzer/protocol/radius/RADIUS.h
@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#ifndef ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+#define ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "radius_pac.h"
+
+namespace analyzer { namespace RADIUS {
+
+class RADIUS_Analyzer
+
+: public analyzer::Analyzer {
+
+public:
+	RADIUS_Analyzer(Connection* conn);
+	virtual ~RADIUS_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new RADIUS_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return ( radius_message );
+		}
+
+protected:
+	binpac::RADIUS::RADIUS_Conn* interp;
+	
+};
+
+} } // namespace analyzer::* 
+
+#endif
diff --git a/src/analyzer/protocol/radius/events.bif b/src/analyzer/protocol/radius/events.bif
new file mode 100644
index 0000000000..4ef93a8ca7
--- /dev/null
+++ b/src/analyzer/protocol/radius/events.bif
@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+## Generated for RADIUS messages
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more information about RADIUS
+##
+## c: The connection
+## msg_type: The value of the code field (1 == Access-Request, 2 == Access-Accept, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_message%(c: connection, msg_type: count, trans_id: count%);
+
+## Generated for each RADIUS attribute
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more information about RADIUS
+##
+## c: The connection
+## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_attribute%(c: connection, attr_type: count, trans_id: count, value: string%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac
new file mode 100644
index 0000000000..9739970880
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius-analyzer.pac
@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+refine flow RADIUS_Flow += {
+	function proc_radius_message(code: uint8, trans_id: uint8): bool
+		%{
+		BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id);
+		return true;
+		%}
+
+	function proc_radius_attribute(code: uint8, trans_id: uint8, value: bytestring): bool
+		%{
+		BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id, bytestring_to_val(value));
+		return true;
+		%}
+};
+
+refine typeattr RADIUS_PDU += &let {
+	proc: bool = $context.flow.proc_radius_message(code, trans_id);
+};
+
+refine typeattr RADIUS_Attribute += &let {
+	proc: bool = $context.flow.proc_radius_attribute(code, trans_id, value);
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius-protocol.pac b/src/analyzer/protocol/radius/radius-protocol.pac
new file mode 100644
index 0000000000..27d96bb3f6
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius-protocol.pac
@@ -0,0 +1,15 @@
+# Generated by binpac_quickstart
+
+type RADIUS_PDU(is_orig: bool) = record {
+	code: uint8;
+	trans_id: uint8;
+	length: uint16;
+	authenticator: bytestring &length=16;
+	attributes: RADIUS_Attribute(trans_id)[] &until($input.length() == 0);
+} &byteorder=bigendian;
+
+type RADIUS_Attribute(trans_id: uint8) = record {
+	code: uint8;
+	length: uint8;
+	value: bytestring &length=length-2;
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius.pac b/src/analyzer/protocol/radius/radius.pac
new file mode 100644
index 0000000000..a4c3e7dd5c
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius.pac
@@ -0,0 +1,37 @@
+# Generated by binpac_quickstart
+
+# Analyzer for RADIUS
+#  - radius-protocol.pac: describes the RADIUS protocol messages
+#  - radius-analyzer.pac: describes the RADIUS analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+	#include "events.bif.h"
+%}
+
+analyzer RADIUS withcontext {
+	connection: RADIUS_Conn;
+	flow:       RADIUS_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection RADIUS_Conn(bro_analyzer: BroAnalyzer) {
+	upflow   = RADIUS_Flow(true);
+	downflow = RADIUS_Flow(false);
+};
+
+%include radius-protocol.pac
+
+# Now we define the flow:
+flow RADIUS_Flow(is_orig: bool) {
+	# There are two options here: flowunit or datagram.
+	# flowunit = RADIUS_PDU(is_orig) withcontext(connection, this);
+	datagram = RADIUS_PDU(is_orig) withcontext(connection, this);
+	# Using flowunit will cause the anlayzer to buffer incremental input.
+	# This is needed for &oneline and &length. If you don't need this, you'll
+	# get better performance with datagram.
+};
+
+%include radius-analyzer.pac
\ No newline at end of file

From f3c0d17541a56a844f532a111118344882e39a2f Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Tue, 10 Dec 2013 22:09:16 -0500
Subject: [PATCH 002/136] Basic RADIUS functionality implemented.

---
 scripts/base/init-bare.bro                    |  17 +
 scripts/base/protocols/radius/__load__.bro    |   1 -
 scripts/base/protocols/radius/consts.bro      | 306 ------------------
 scripts/base/protocols/radius/dpd.sig         |   7 -
 scripts/base/protocols/radius/main.bro        | 190 +++++------
 src/analyzer/protocol/radius/events.bif       |   9 +-
 .../protocol/radius/radius-analyzer.pac       |  39 ++-
 7 files changed, 140 insertions(+), 429 deletions(-)
 delete mode 100644 scripts/base/protocols/radius/dpd.sig

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 9f8c9f42ac..d956cf6a2d 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2762,6 +2762,23 @@ export {
 		name: string &optional;
 	} &log;
 }
+module RADIUS;
+
+export {
+	type RADIUS::AttributeList: vector of string;
+	type RADIUS::Attributes: table[count] of RADIUS::AttributeList;
+
+	type RADIUS::Message: record {
+		## The type of message (Access-Request, Access-Accept, etc.)
+		code          : count;
+		## The transaction ID
+		trans_id      : count;
+		## The "authenticator" string
+		authenticator : string;
+		## Any attributes
+		attributes    : RADIUS::Attributes &optional;
+	};
+}
 module GLOBAL;
 
 @load base/bif/event.bif
diff --git a/scripts/base/protocols/radius/__load__.bro b/scripts/base/protocols/radius/__load__.bro
index 96bf67a57f..fb802a40a5 100644
--- a/scripts/base/protocols/radius/__load__.bro
+++ b/scripts/base/protocols/radius/__load__.bro
@@ -1,3 +1,2 @@
 # Generated by binpac_quickstart
 @load ./main
-#@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/consts.bro b/scripts/base/protocols/radius/consts.bro
index 6231a25631..d9c78f58ad 100644
--- a/scripts/base/protocols/radius/consts.bro
+++ b/scripts/base/protocols/radius/consts.bro
@@ -229,309 +229,3 @@ const framed_protocol_types: table[count] of string = {
 	[6] = "X.75 Synchronous"
 } &default=function(i: count): string { return fmt("unknown-%d", i); };
 
-const vendor_9_types: table[count] of string = {
-	[1] = "Cisco-AVPair",
-	[2] = "Cisco-NAS-Port",
-	[3] = "Cisco-Fax-Account-Id-Origin",
-	[4] = "Cisco-Fax-Msg-Id",
-	[5] = "Cisco-Fax-Pages",
-	[6] = "Cisco-Fax-Coverpage-Flag",
-	[7] = "Cisco-Fax-Modem-Time",
-	[8] = "Cisco-Fax-Connect-Speed",
-	[9] = "Cisco-Fax-Recipient-Count",
-	[10] = "Cisco-Fax-Process-Abort-Flag",
-	[11] = "Cisco-Fax-Dsn-Address",
-	[12] = "Cisco-Fax-Dsn-Flag",
-	[13] = "Cisco-Fax-Mdn-Address",
-	[14] = "Cisco-Fax-Mdn-Flag",
-	[15] = "Cisco-Fax-Auth-Status",
-	[16] = "Cisco-Email-Server-Address",
-	[17] = "Cisco-Email-Server-Ack-Flag",
-	[18] = "Cisco-Gateway-Id",
-	[19] = "Cisco-Call-Type",
-	[20] = "Cisco-Port-Used",
-	[21] = "Cisco-Abort-Cause",
-	[23] = "Cisco-h323-remote-address",
-	[24] = "Cisco-h323-conf-id",
-	[25] = "Cisco-h323-setup-time",
-	[26] = "Cisco-h323-call-origin",
-	[27] = "Cisco-h323-call-type",
-	[28] = "Cisco-h323-connect-time",
-	[29] = "Cisco-h323-disconnect-time",
-	[30] = "Cisco-h323-disconnect-cause",
-	[31] = "Cisco-h323-voice-quality",
-	[33] = "Cisco-h323-gw-id",
-	[35] = "Cisco-h323-incoming-conn-id",
-	[37] = "Cisco-Policy-Up",
-	[38] = "Cisco-Policy-Down",
-	[100] = "Cisco-sip-conf-id",
-	[101] = "Cisco-h323-credit-amount",
-	[102] = "Cisco-h323-credit-time",
-	[103] = "Cisco-h323-return-code",
-	[104] = "Cisco-h323-prompt-id",
-	[105] = "Cisco-h323-day-and-time",
-	[106] = "Cisco-h323-redirect-number",
-	[107] = "Cisco-h323-preferred-lang",
-	[108] = "Cisco-h323-redirect-ip-addr",
-	[109] = "Cisco-h323-billing-model",
-	[110] = "Cisco-h323-currency",
-	[111] = "Cisco-subscriber",
-	[112] = "Cisco-gw-rxd-cdn",
-	[113] = "Cisco-gw-final-xlated-cdn",
-	[114] = "Cisco-remote-media-address",
-	[115] = "Cisco-release-source",
-	[116] = "Cisco-gw-rxd-cgn",
-	[117] = "Cisco-gw-final-xlated-cgn",
-	[141] = "Cisco-call-id",
-	[142] = "Cisco-session-protocol",
-	[143] = "Cisco-method",
-	[144] = "Cisco-prev-hop-via",
-	[145] = "Cisco-prev-hop-ip",
-	[146] = "Cisco-incoming-req-uri",
-	[147] = "Cisco-outgoing-req-uri",
-	[148] = "Cisco-next-hop-ip",
-	[149] = "Cisco-next-hop-dn",
-	[150] = "Cisco-sip-hdr",
-	[187] = "Cisco-Multilink-ID",
-	[188] = "Cisco-Num-In-Multilink",
-	[190] = "Cisco-Pre-Input-Octets",
-	[191] = "Cisco-Pre-Output-Octets",
-	[192] = "Cisco-Pre-Input-Packets",
-	[193] = "Cisco-Pre-Output-Packets",
-	[194] = "Cisco-Maximum-Time",
-	[195] = "Cisco-Disconnect-Cause",
-	[197] = "Cisco-Data-Rate",
-	[198] = "Cisco-PreSession-Time",
-	[208] = "Cisco-PW-Lifetime",
-	[209] = "Cisco-IP-Direct",
-	[210] = "Cisco-PPP-VJ-Slot-Comp",
-	[212] = "Cisco-PPP-Async-Map",
-	[217] = "Cisco-IP-Pool-Definition",
-	[218] = "Cisco-Assign-IP-Pool",
-	[228] = "Cisco-Route-IP",
-	[233] = "Cisco-Link-Compression",
-	[234] = "Cisco-Target-Util",
-	[235] = "Cisco-Maximum-Channels",
-	[242] = "Cisco-Data-Filter",
-	[243] = "Cisco-Call-Filter",
-	[244] = "Cisco-Idle-Limit",
-	[249] = "Cisco-Subscriber-Password",
-	[250] = "Cisco-Account-Info",
-	[251] = "Cisco-Service-Info",
-	[252] = "Cisco-Command-Code",
-	[253] = "Cisco-Xmit-Rate"
-} &default=function(i: count): string { return fmt("Cisco-unknown-%d", i); };
-
-const vendor_255_types: table[count] of string = {
-	[1] = "CVPN5000-Tunnel-Throughput",
-	[2] = "CVPN5000-Client-Assigned-IP",
-	[3] = "CVPN5000-Client-Real-IP",
-	[4] = "CVPN5000-VPN-GroupInfo",
-	[5] = "CVPN5000-VPN-Password",
-	[6] = "CVPN5000-Echo",
-	[7] = "CVPN5000-Client-Assigned-IPX"
-} &default=function(i: count): string { return fmt("CVPN5000-unknown-%d", i); };
-
-const vendor_311_types: table[count] of string = {
-	[1] = "MS-CHAP-Response",
-	[2] = "MS-CHAP-Error",
-	[3] = "MS-CHAP-CPW-1",
-	[4] = "MS-CHAP-CPW-2",
-	[5] = "MS-CHAP-LM-Enc-PW",
-	[6] = "MS-CHAP-NT-Enc-PW",
-	[7] = "MS-MPPE-Encryption-Policy",
-	[8] = "MS-MPPE-Encryption-Types",
-	[9] = "MS-RAS-Vendor",
-	[10] = "MS-CHAP-Domain",
-	[11] = "MS-CHAP-Challenge",
-	[12] = "MS-CHAP-MPPE-Keys",
-	[13] = "MS-BAP-Usage",
-	[14] = "MS-Link-Utilization-Threshold",
-	[15] = "MS-Link-Drop-Time-Limit",
-	[16] = "MS-MPPE-Send-Key",
-	[17] = "MS-MPPE-Recv-Key",
-	[18] = "MS-RAS-Version",
-	[19] = "MS-Old-ARAP-Password",
-	[20] = "MS-New-ARAP-Password",
-	[21] = "MS-ARAP-PW-Change-Reason",
-	[22] = "MS-Filter",
-	[23] = "MS-Acct-Auth-Type",
-	[24] = "MS-Acct-EAP-Type",
-	[25] = "MS-CHAP2-Response",
-	[26] = "MS-CHAP2-Success",
-	[27] = "MS-CHAP2-CPW",
-	[28] = "MS-Primary-DNS-Server",
-	[29] = "MS-Secondary-DNS-Server",
-	[30] = "MS-Primary-NBNS-Server",
-	[31] = "MS-Secondary-NBNS-Server",
-	[34] = "MS-RAS-Client-Name",
-	[35] = "MS-RAS-Client-Version",
-	[36] = "MS-Quarantine-IPFilter",
-	[37] = "MS-Quarantine-Session-Timeout",
-	[40] = "MS-User-Security-Identity",
-	[41] = "MS-Identity-Type",
-	[42] = "MS-Service-Class",
-	[44] = "MS-Quarantine-User-Class",
-	[45] = "MS-Quarantine-State",
-	[46] = "MS-Quarantine-Grace-Time",
-	[47] = "MS-Network-Access-Server-Type",
-	[48] = "MS-AFW-Zone",
-	[49] = "MS-AFW-Protection-Level",
-	[50] = "MS-Machine-Name",
-	[51] = "MS-IPv6-Filter",
-	[52] = "MS-IPv4-Remediation-Servers",
-	[53] = "MS-IPv6-Remediation-Servers",
-	[54] = "MS-RNAP-Not-Quarantine-Capable",
-	[55] = "MS-Quarantine-SOH",
-	[56] = "MS-RAS-Correlation",
-	[57] = "MS-Extended-Quarantine-State",
-	[58] = "MS-HCAP-User-Groups",
-	[59] = "MS-HCAP-Location-Group-Name",
-	[60] = "MS-HCAP-User-Name",
-	[61] = "MS-User-IPv4-Address",
-	[62] = "MS-User-IPv6-Address",
-	[63] = "MS-TSG-Device-Redirection"
-} &default=function(i: count): string { return fmt("MS-unknown-%d", i); };
-
-const vendor_3076_types: table[count] of string = {
-	[1] = "CVPN3000-Access-Hours",
-	[2] = "CVPN3000-Simultaneous-Logins",
-	[3] = "CVPN3000-Min-Password-Length",
-	[4] = "CVPN3000-Allow-Alpha-Only-Passwords",
-	[5] = "CVPN3000-Primary-DNS",
-	[6] = "CVPN3000-Secondary-DNS",
-	[7] = "CVPN3000-Primary-WINS",
-	[8] = "CVPN3000-Secondary-WINS",
-	[9] = "CVPN3000-SEP-Card-Assignment",
-	[10] = "CVPN3000-Priority-On-SEP",
-	[11] = "CVPN3000-Tunneling-Protocols",
-	[12] = "CVPN3000-IPSec-Sec-Association",
-	[13] = "CVPN3000-IPSec-Authentication",
-	[15] = "CVPN3000-IPSec-Banner1",
-	[16] = "CVPN3000-IPSec-Allow-Passwd-Store",
-	[17] = "CVPN3000-Use-Client-Address",
-	[18] = "CVPN3000-PPTP-Min-Auth-Protocol",
-	[19] = "CVPN3000-L2TP-Min-Auth-Protocol",
-	[20] = "CVPN3000-PPTP-Encryption",
-	[21] = "CVPN3000-L2TP-Encryption",
-	[22] = "CVPN3000-Auth-Server-Type",
-	[23] = "CVPN3000-Auth-Server-Password",
-	[24] = "CVPN3000-Request-Auth-Vector",
-	[25] = "CVPN3000-IPSec-LTL-Keepalives",
-	[26] = "CVPN3000-IPSec-Group-Name",
-	[27] = "CVPN3000-IPSec-Split-Tunnel-List",
-	[28] = "CVPN3000-IPSec-Default-Domain",
-	[29] = "CVPN3000-IPSec-Split-DNS-Names",
-	[30] = "CVPN3000-IPSec-Tunnel-Type",
-	[31] = "CVPN3000-IPSec-Mode-Config",
-	[32] = "CVPN3000-Auth-Server-Priority",
-	[33] = "CVPN3000-IPSec-User-Group-Lock",
-	[34] = "CVPN3000-IPSec-Over-UDP",
-	[35] = "CVPN3000-IPSec-Over-UDP-Port",
-	[36] = "CVPN3000-IPSec-Banner2",
-	[37] = "CVPN3000-PPTP-MPPC-Compression",
-	[38] = "CVPN3000-L2TP-MPPC-Compression",
-	[39] = "CVPN3000-IPSec-IP-Compression",
-	[40] = "CVPN3000-IPSec-IKE-Peer-ID-Check",
-	[41] = "CVPN3000-IKE-Keep-Alives",
-	[42] = "CVPN3000-IPSec-Auth-On-Rekey",
-	[45] = "CVPN3000-Reqrd-Client-Fw-Vendor-Code",
-	[46] = "CVPN3000-Reqrd-Client-Fw-Product-Code",
-	[47] = "CVPN3000-Reqrd-Client-Fw-Description",
-	[48] = "CVPN3000-Require-HW-Client-Auth",
-	[49] = "CVPN3000-Require-Individual-User-Auth",
-	[50] = "CVPN3000-Authd-User-Idle-Timeout",
-	[51] = "CVPN3000-Cisco-IP-Phone-Bypass",
-	[52] = "CVPN3000-User-Auth-Server-Name",
-	[53] = "CVPN3000-User-Auth-Server-Port",
-	[54] = "CVPN3000-User-Auth-Server-Secret",
-	[55] = "CVPN3000-IPSec-Split-Tunneling-Policy",
-	[56] = "CVPN3000-IPSec-Reqrd-Client-Fw-Cap",
-	[57] = "CVPN3000-IPSec-Client-Fw-Filter-Name",
-	[58] = "CVPN3000-IPSec-Client-Fw-Filter-Opt",
-	[59] = "CVPN3000-IPSec-Backup-Servers",
-	[60] = "CVPN3000-IPSec-Backup-Server-List",
-	[61] = "CVPN3000-DHCP-Network-Scope",
-	[62] = "CVPN3000-MS-Client-Icpt-DHCP-Conf-Msg",
-	[63] = "CVPN3000-MS-Client-Subnet-Mask",
-	[64] = "CVPN3000-Allow-Network-Extension-Mode",
-	[65] = "CVPN3000-IPSec-Authorization-Type",
-	[66] = "CVPN3000-IPSec-Authorization-Required",
-	[67] = "CVPN3000-IPSec-DN-Field",
-	[68] = "CVPN3000-IPSec-Confidence-Level",
-	[69] = "CVPN3000-WebVPN-Content-Filter",
-	[70] = "CVPN3000-WebVPN-Enable-functions",
-	[74] = "CVPN3000-WebVPN-Exchange-Addr",
-	[75] = "CVPN3000-LEAP-Bypass",
-	[78] = "CVPN3000-WebVPN-Exchange-NETBIOS-name",
-	[79] = "CVPN3000-Port-Forwarding-Name",
-	[80] = "CVPN3000-IE-Proxy-Server",
-	[81] = "CVPN3000-IE-Proxy-Server-Policy",
-	[82] = "CVPN3000-IE-Proxy-Exception-List",
-	[83] = "CVPN3000-IE-Proxy-Bypass-Local",
-	[84] = "CVPN3000-IKE-Keepalive-Retry-Interval",
-	[88] = "CVPN3000-Perfect-Forward-Secrecy-Enable",
-	[89] = "CVPN3000-NAC-Enable",
-	[90] = "CVPN3000-NAC-Status-Query-Timer",
-	[91] = "CVPN3000-NAC-Revalidation-Timer",
-	[92] = "CVPN3000-NAC-Default-ACL",
-	[93] = "CVPN3000-WebVPN-URL-Entry-Enable",
-	[94] = "CVPN3000-WebVPN-File-Access-Enable",
-	[95] = "CVPN3000-WebVPN-File-Svr-Entry-Enable",
-	[96] = "CVPN3000-WebVPN-File-Svr-Brwsing-Enable",
-	[97] = "CVPN3000-WebVPN-Port-Forwarding-Enable",
-	[98] = "CVPN3000-WebVPN-Outlook-Exch-Proxy-Enb",
-	[99] = "CVPN3000-WebVPN-Port-Fwding-HTTP-Proxy",
-	[100] = "CVPN3000-WebVPN-Auto-Applet-Downld-Enb",
-	[101] = "CVPN3000-WebVPN-Citrix-Metaframe-Enable",
-	[102] = "CVPN3000-WebVPN-Apply-ACL",
-	[103] = "CVPN3000-WebVPN-SSL-VPN-Client-Enable",
-	[104] = "CVPN3000-WebVPN-SSL-VPN-Client-Required",
-	[105] = "CVPN3000-WebVPN-SSL-VPN-Client-Keep-Ins",
-	[128] = "CVPN3000-Partition-Primary-DHCP",
-	[129] = "CVPN3000-Partition-Secondary-DHCP",
-	[131] = "CVPN3000-Partition-Premise-Router",
-	[132] = "CVPN3000-Partition-Max-Sessions",
-	[133] = "CVPN3000-Partition-Mobile-IP-Key",
-	[134] = "CVPN3000-Partition-Mobile-IP-Address",
-	[135] = "CVPN3000-Partition-Mobile-IP-SPI",
-	[136] = "CVPN3000-Strip-Realm",
-	[137] = "CVPN3000-Group-Name"
-} &default=function(i: count): string { return fmt("CPNV3000-unknown-%d", i); };
-
-const vendor_14823_types: table[count] of string = {
-	[1] = "Aruba-User-Role",
-	[2] = "Aruba-User-Vlan",
-	[3] = "Aruba-Priv-Admin-User",
-	[4] = "Aruba-Admin-Role",
-	[5] = "Aruba-Essid-Name",
-	[6] = "Aruba-Location-Id",
-	[7] = "Aruba-Port-Identifier",
-	[8] = "Aruba-MMS-User-Template",
-	[9] = "Aruba-Named-User-Vlan",
-	[10] = "Aruba-AP-Group",
-	[11] = "Aruba-Framed-IPv6-Address",
-	[12] = "Aruba-Device-Type",
-	[13] = "Aruba-AP-Name",
-	[14] = "Aruba-No-DHCP-Fingerprint",
-	[15] = "Aruba-Mdps-Device-Udid",
-	[16] = "Aruba-Mdps-Device-Imei",
-	[17] = "Aruba-Mdps-Device-Iccid",
-	[18] = "Aruba-Mdps-Max-Devices",
-	[19] = "Aruba-Mdps-Device-Name",
-	[20] = "Aruba-Mdps-Device-Product",
-	[21] = "Aruba-Mdps-Device-Version",
-	[22] = "Aruba-Mdps-Device-Serial",
-	[23] = "Aruba-CPPM-Role",
-	[24] = "Aruba-AirGroup-User-Name",
-	[25] = "Aruba-AirGroup-Shared-User",
-	[26] = "Aruba-AirGroup-Shared-Role",
-	[27] = "Aruba-AirGroup-Device-Type",
-	[28] = "Aruba-Auth-Survivability",
-	[29] = "Aruba-AS-User-Name",
-	[30] = "Aruba-AS-Credential-Hash",
-	[31] = "Aruba-WorkSpace-App-Name",
-	[32] = "Aruba-Mdps-Provisioning-Settings",
-	[33] = "Aruba-Mdps-Device-Profile"
-} &default=function(i: count): string { return fmt("Aruba-unknown-%d", i); };
-
diff --git a/scripts/base/protocols/radius/dpd.sig b/scripts/base/protocols/radius/dpd.sig
deleted file mode 100644
index d32ba49771..0000000000
--- a/scripts/base/protocols/radius/dpd.sig
+++ /dev/null
@@ -1,7 +0,0 @@
-# Generated by binpac_quickstart
-
-signature dpd_radius {
-	ip-proto == udp
-	# TODO: payload /^RADIUS/
-	enable "radius"
-}
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
index 0d239dcb64..0b73ecc257 100644
--- a/scripts/base/protocols/radius/main.bro
+++ b/scripts/base/protocols/radius/main.bro
@@ -11,19 +11,51 @@ export {
 
 	type Info: record {
 		## Timestamp for when the event happened.
-		ts:     time    &log;
+		ts		: time    &log;
 		## Unique ID for the connection.
-		uid:    string  &log;
+		uid		: string  &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id:     conn_id &log;
-		msg_type: string &log;
+		id		: conn_id &log;
+		## The username, if present
+		username	: string &log &optional;
+		## MAC address, if present
+		mac		: string &log &optional;
+		## Remote IP address, if present
+		remote_ip       : addr &log &optional;
+		## Connect info, if present
+		connect_info	: string &log &optional;
+		## Successful or failed authentication
+		result		: string &log &optional;
+		## Whether this has already been logged and can be ignored
+		logged		: bool &optional;
+		
 	};
 
+	## The amount of time we wait for an authentication response before
+	## expiring it.
+	const expiration_interval = 10secs &redef;
+
+	## Logs an authentication attempt if we didn't see a response in time
+	##
+	## t: A table of Info records.
+	##
+	## idx: The index of the connection$radius table corresponding to the
+	##      radius authentication about to expire.
+	##
+	## Returns: 0secs, which when this function is used as an
+	##          :bro:attr:`&expire_func`, indicates to remove the element at
+	##          *idx* immediately.	
+	global expire: function(t: table[count] of Info, idx: count): interval;
+
 	## Event that can be handled to access the RADIUS record as it is sent on
 	## to the loggin framework.
 	global log_radius: event(rec: Info);
 }
 
+redef record connection += {
+	radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire;
+};
+
 const ports = { 1812/udp };
 
 event bro_init() &priority=5
@@ -32,111 +64,57 @@ event bro_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
 	}
 
-event radius_message(c: connection, msg_type: count, trans_id: count)
+event radius_message(c: connection, result: RADIUS::Message)
 	{
 	local info: Info;
-	info$ts  = network_time();
-	info$uid = c$uid;
-	info$id  = c$id;
-	info$msg_type = msg_types[msg_type];
-
-	Log::write(RADIUS::LOG, info);
-	}
-
-event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
-	{
-	switch ( attr_types[attr_type] ) {
-#	case "Calling-Station-Id":
-#		tmp = normalize_mac(value);
-#		if ( tmp != "" )
-#			print cat(attr_types[attr_type], " ", tmp);
-#		else
-#			print cat(attr_types[attr_type], " ", value);
-#		break;
-#	case "Called-Station-Id":
-#		fallthrough;
-
-	## Strings:
-	case "Reply-Message":
-		fallthrough;
-	case "User-Name":
-		print cat(attr_types[attr_type], ": ", value);
-		break;
-		
-	## IPs:
-
-	case "Framed-IP-Address":
-		fallthrough;
-	case "Framed-IP-Netmask":
-		fallthrough;
-	case "NAS-IP-Address":
-		print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
-		break;
-
-	## Counts:
-		
-	case "Framed-MTU":
-		fallthrough;
-	case "NAS-Port":
-		fallthrough;
-	case "Session-Timeout":
-		print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
-		break;
-
-	## Other:
-
-	case "NAS-Port-Type":
-		print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
-		break;
-	case "Service-Type":
-		print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
-		break;
-	case "Framed-Protocol":
-		print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
-		break;
-	case "Vendor-Specific":
-		switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
-		case 9:
-			# Cisco IOS/PIX 6.0
-			print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
-			break;
-		case 255:
-			# Cisco VPN 5000
-			print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
-			break;
-		case 311:
-			# Microsoft
-			print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
-			break;
-		case 3076:
-			# Cisco VPN 3000
-			print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
-			break;
-		case 14823:
-			# Aruba
-			print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
-			break;
-		default:
-			print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
-			break;
+	if ( c?$radius && result$trans_id in c$radius )
+		info = c$radius[result$trans_id];
+	else 
+		{
+		c$radius = table();
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
 		}
-		break;
-	default:
-		print cat(attr_types[attr_type], ": ", value);
-		break;
+	
+	switch ( result$code ) {
+		case 1:
+		# Acess-Request
+			if ( result?$attributes ) {
+				# User-Name
+				if ( !info?$username && 1 in result$attributes )
+					info$username = result$attributes[1][0];
+				# Calling-Station-Id (we expect this to be a MAC)
+				if ( !info?$mac && 31 in result$attributes )
+					info$mac = normalize_mac(result$attributes[31][0]);
+				# Tunnel-Client-EndPoint (useful for VPNs)
+				if ( !info?$remote_ip && 66 in result$attributes )
+					info$remote_ip = to_addr(result$attributes[66][0]);
+				# Connect-Info
+				if ( !info?$connect_info && 77 in result$attributes )
+					info$connect_info = result$attributes[77][0];
+			}
+			break;
+		case 2:
+		# Access-Accept
+			info$result = "success";
+			break;
+		case 3:
+		# Access-Reject
+			info$result = "failed";
+			break;
 	}
+	if ( info?$result && !info?$logged )
+		{
+		info$logged = T;		
+		Log::write(RADIUS::LOG, info);
+		}
+	c$radius[result$trans_id] = info;
 	}
 
-# Called-Station-Id: 
-# Calling-Station-Id: 
-# Class: 
-# NAS-Identifier: 
-# State: 
-# Vendor-Specific: 
-# unknown-185: 
-# unknown-66: 
-# unknown-77: 
-# unknown-79: 
-# unknown-80: 
-# unknown-87: 
-# unknown-95:
\ No newline at end of file
+
+function expire(t: table[count] of Info, idx: count): interval
+	 {
+	 t[idx]$result = "unknown";
+	 return 0secs;
+	 }
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/events.bif b/src/analyzer/protocol/radius/events.bif
index 4ef93a8ca7..8885c2c6e6 100644
--- a/src/analyzer/protocol/radius/events.bif
+++ b/src/analyzer/protocol/radius/events.bif
@@ -9,7 +9,7 @@
 ## trans_id: The RADIUS transaction identifier
 ## authenticator: The value of the authenticator field
 ##
-event radius_message%(c: connection, msg_type: count, trans_id: count%);
+event radius_message%(c: connection, result: RADIUS::Message%);
 
 ## Generated for each RADIUS attribute
 ##
@@ -17,7 +17,10 @@ event radius_message%(c: connection, msg_type: count, trans_id: count%);
 ##
 ## c: The connection
 ## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.)
-## trans_id: The RADIUS transaction identifier
 ## authenticator: The value of the authenticator field
 ##
-event radius_attribute%(c: connection, attr_type: count, trans_id: count, value: string%);
\ No newline at end of file
+event radius_attribute%(c: connection, attr_type: count, value: string%);
+
+type RADIUS::AttributeList: vector;
+type RADIUS::Attributes: table;
+type RADIUS::Message: record;
diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac
index 9739970880..7f0239de1f 100644
--- a/src/analyzer/protocol/radius/radius-analyzer.pac
+++ b/src/analyzer/protocol/radius/radius-analyzer.pac
@@ -1,23 +1,50 @@
 # Generated by binpac_quickstart
 
 refine flow RADIUS_Flow += {
-	function proc_radius_message(code: uint8, trans_id: uint8): bool
+	function proc_radius_message(msg: RADIUS_PDU): bool
 		%{
-		BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id);
+		connection()->bro_analyzer()->ProtocolConfirmation();
+
+		if ( !radius_message ) return false;
+
+		RecordVal* result = new RecordVal(BifType::Record::RADIUS::Message);
+		result->Assign(0, new Val(${msg.code}, TYPE_COUNT));
+		result->Assign(1, new Val(${msg.trans_id}, TYPE_COUNT));
+		result->Assign(2, bytestring_to_val(${msg.authenticator}));
+		
+		TableVal* Attributes = new TableVal(BifType::Table::RADIUS::Attributes);
+
+		for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) {
+			// Do we already have a vector of attributes for this type?
+			VectorVal* current = (VectorVal*) Attributes->Lookup(new Val(${msg.attributes[i].code}, TYPE_COUNT));
+			if ( current )
+				current->Assign((uint) current->Size(), bytestring_to_val(${msg.attributes[i].value}));
+			else {
+				VectorVal* AttributeList = new VectorVal(BifType::Vector::RADIUS::AttributeList);
+				AttributeList->Assign((uint) 0, bytestring_to_val(${msg.attributes[i].value}));
+				Attributes->Assign(new Val(${msg.attributes[i].code}, TYPE_COUNT), AttributeList);
+			}
+			
+		}
+		if ( ${msg.attributes}->size() )
+			result->Assign(3, Attributes);
+		BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
 		return true;
 		%}
 
-	function proc_radius_attribute(code: uint8, trans_id: uint8, value: bytestring): bool
+	function proc_radius_attribute(attr: RADIUS_Attribute): bool
 		%{
-		BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id, bytestring_to_val(value));
+		if ( !radius_attribute ) return false;
+
+		BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${attr.code}, bytestring_to_val(${attr.value}));
 		return true;
 		%}
 };
 
 refine typeattr RADIUS_PDU += &let {
-	proc: bool = $context.flow.proc_radius_message(code, trans_id);
+	proc: bool = $context.flow.proc_radius_message(this);
 };
 
 refine typeattr RADIUS_Attribute += &let {
-	proc: bool = $context.flow.proc_radius_attribute(code, trans_id, value);
+	proc: bool = $context.flow.proc_radius_attribute(this);
 };
\ No newline at end of file

From 8688c764a0c831c896595073abbe16777ed67b41 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Fri, 13 Dec 2013 15:04:43 -0500
Subject: [PATCH 003/136] Fix a couple memleaks.

---
 .../protocol/radius/radius-analyzer.pac       | 33 +++++++++++--------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac
index 7f0239de1f..f64d5ff105 100644
--- a/src/analyzer/protocol/radius/radius-analyzer.pac
+++ b/src/analyzer/protocol/radius/radius-analyzer.pac
@@ -12,22 +12,27 @@ refine flow RADIUS_Flow += {
 		result->Assign(1, new Val(${msg.trans_id}, TYPE_COUNT));
 		result->Assign(2, bytestring_to_val(${msg.authenticator}));
 		
-		TableVal* Attributes = new TableVal(BifType::Table::RADIUS::Attributes);
-
-		for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) {
-			// Do we already have a vector of attributes for this type?
-			VectorVal* current = (VectorVal*) Attributes->Lookup(new Val(${msg.attributes[i].code}, TYPE_COUNT));
-			if ( current )
-				current->Assign((uint) current->Size(), bytestring_to_val(${msg.attributes[i].value}));
-			else {
-				VectorVal* AttributeList = new VectorVal(BifType::Vector::RADIUS::AttributeList);
-				AttributeList->Assign((uint) 0, bytestring_to_val(${msg.attributes[i].value}));
-				Attributes->Assign(new Val(${msg.attributes[i].code}, TYPE_COUNT), AttributeList);
-			}
-			
-		}
 		if ( ${msg.attributes}->size() )
+			{
+			TableVal* Attributes = new TableVal(BifType::Table::RADIUS::Attributes);
+		
+			for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) {
+				Val* index = new Val(${msg.attributes[i].code}, TYPE_COUNT);
+				
+				// Do we already have a vector of attributes for this type?
+				VectorVal* current = (VectorVal*) Attributes->Lookup(index);
+				if ( current )
+					current->Assign((uint) current->Size(), bytestring_to_val(${msg.attributes[i].value}));
+				else {
+					VectorVal* AttributeList = new VectorVal(BifType::Vector::RADIUS::AttributeList);
+					AttributeList->Assign((uint) 0, bytestring_to_val(${msg.attributes[i].value}));
+					Attributes->Assign(index, AttributeList);
+				}
+				
+				Unref(index);
+			}
 			result->Assign(3, Attributes);
+		}
 		BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
 		return true;
 		%}

From ffd4711a41ba0e9ea0f8cfd3097aadbe68912eb4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 07:41:08 -0700
Subject: [PATCH 004/136] Throw new event for heartbeat messages.

Not tested.
---
 src/analyzer/protocol/ssl/events.bif       |  2 ++
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 17 +++++++++++++++++
 src/analyzer/protocol/ssl/ssl-defs.pac     |  1 +
 src/analyzer/protocol/ssl/ssl-protocol.pac | 11 +++++++++++
 4 files changed, 31 insertions(+)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 054d9c672f..c85e911ee8 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -138,3 +138,5 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
+
+event ssl_heartbeat%(c: connection, length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..e6ea1628a1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -306,6 +306,10 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
+		if ( ${rec.content_type} == HEARTBEAT )
+			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.length});
+
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
 				orig_label(${rec.is_orig}).c_str(),
@@ -320,6 +324,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_heartbeat(rec : SSLRecord) : bool
+		%{
+		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.length});
+
+		return true;
+		%}
+
 };
 
 refine typeattr ChangeCipherSpec += &let {
@@ -339,6 +352,10 @@ refine typeattr ApplicationData += &let {
 	proc : bool = $context.connection.proc_application_data(rec);
 };
 
+refine typeattr Heartbeat += &let {
+	proc : bool = $context.connection.proc_heartbeat(rec);
+};
+
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index c35fc56e85..23fa7abce5 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -12,6 +12,7 @@ enum ContentType {
 	ALERT = 21,
 	HANDSHAKE = 22,
 	APPLICATION_DATA = 23,
+	HEARTBEAT = 24,
 	V2_ERROR = 300,
 	V2_CLIENT_HELLO = 301,
 	V2_CLIENT_MASTER_KEY = 302,
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 9368122eaa..c12130abf8 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -63,6 +63,7 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec(rec);
 	ALERT			-> alert : Alert(rec);
 	HANDSHAKE		-> handshake : Handshake(rec);
+	HEARTBEAT -> heartbeat: Heartbeat(rec);
 	APPLICATION_DATA	-> app_data : ApplicationData(rec);
 	V2_ERROR		-> v2_error : V2Error(rec);
 	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello(rec);
@@ -225,6 +226,16 @@ type ApplicationData(rec: SSLRecord) = record {
 	data : bytestring &restofdata &transient;
 };
 
+######################################################################
+# V3 Heartbeat
+######################################################################
+
+# Heartbeats should basically always be encrypted, so we should not
+# reach this point.
+type Heartbeat(rec: SSLRecord) = record {
+	data : bytestring &restofdata &transient;
+};
+
 ######################################################################
 # Handshake Protocol (7.4.)
 ######################################################################

From 902d52e261069addbf6647537b1a5db9a171f79d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 08:43:38 -0700
Subject: [PATCH 005/136] add is_orig to heartbeat event

---
 src/analyzer/protocol/ssl/events.bif       | 2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index c85e911ee8..3f780bdd60 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -139,4 +139,4 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
-event ssl_heartbeat%(c: connection, length: count%);
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index e6ea1628a1..1730ce8ce5 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -308,7 +308,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ${rec.content_type} == HEARTBEAT )
 			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-				bro_analyzer()->Conn(), ${rec.length});
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
@@ -328,7 +328,7 @@ refine connection SSL_Conn += {
 	function proc_heartbeat(rec : SSLRecord) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.length});
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		return true;
 		%}

From 018735a5744d8a82bbd7cee48fd828b4018d257f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 09:49:00 -0700
Subject: [PATCH 006/136] default to TLS when not being able to determine
 version

---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index c12130abf8..944f081060 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -39,13 +39,13 @@ type SSLRecord(is_orig: bool) = record {
 		$context.connection.determine_ssl_version(head0, head1, head2);
 
 	content_type : int = case version of {
-		UNKNOWN_VERSION -> 0;
+		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> head2+300;
 		default -> head0;
 	};
 
 	length : int = case version of {
-		UNKNOWN_VERSION -> 0;
+		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
 	};

From 335a30b08f10ecc6243182d71f786ac104f31897 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:03:12 -0700
Subject: [PATCH 007/136] detect and alert on simple case of heartbleed

---
 scripts/policy/protocols/ssl/heartbleed.bro | 44 +++++++++++++++++++++
 src/analyzer/protocol/ssl/events.bif        |  4 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac  |  8 ++--
 src/analyzer/protocol/ssl/ssl-protocol.pac  |  4 +-
 4 files changed, 53 insertions(+), 7 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/heartbleed.bro

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
new file mode 100644
index 0000000000..b3f81034b0
--- /dev/null
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -0,0 +1,44 @@
+module Heartbleed;
+
+redef record SSL::Info += {
+#	last_originator_heartbeat_request_size: count &optional;
+#	originator_heartbeats: count &default=0;
+#	responder_heartbeats: count &default=0;
+  heartbleed_detected: bool &default=F;
+	};
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host performing a heartbleed attack.
+		SSL_Heartbeat_Attack,
+    ## Indicates that a host performing a heartbleed attack was probably successful.
+    SSL_Heartbeat_Attack_Success,
+  };
+}
+
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
+  {
+  if ( heartbeat_type == 1 )
+    {
+
+    local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
+
+
+    if ( payload_length > checklength )
+      {
+      c$ssl$heartbleed_detected = T;
+      NOTICE([$note=SSL_Heartbeat_Attack,
+        $msg="An TLS heartbleed attack was detected!",
+        $conn=c
+        ]);
+      }
+    }
+
+  if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
+    {
+      NOTICE([$note=SSL_Heartbeat_Attack_Success,
+        $msg="An TLS heartbleed attack was detected and probably exploited",
+        $conn=c
+        ]);
+    }
+  }
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 3f780bdd60..e720089f45 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -139,4 +139,6 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count%);
+event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
+
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 1730ce8ce5..d0ac88a5a1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -307,7 +307,7 @@ refine connection SSL_Conn += {
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
 		if ( ${rec.content_type} == HEARTBEAT )
-			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			BifEvent::generate_ssl_encrypted_heartbeat(bro_analyzer(),
 				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		if ( state_ == STATE_TRACK_LOST )
@@ -325,10 +325,10 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_heartbeat(rec : SSLRecord) : bool
+	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length);
 
 		return true;
 		%}
@@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let {
 };
 
 refine typeattr Heartbeat += &let {
-	proc : bool = $context.connection.proc_heartbeat(rec);
+	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length);
 };
 
 refine typeattr ClientHello += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 944f081060..acded2dbf9 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -230,9 +230,9 @@ type ApplicationData(rec: SSLRecord) = record {
 # V3 Heartbeat
 ######################################################################
 
-# Heartbeats should basically always be encrypted, so we should not
-# reach this point.
 type Heartbeat(rec: SSLRecord) = record {
+  type : uint8;
+  payload_length : uint16;
 	data : bytestring &restofdata &transient;
 };
 

From c41810a33780b1263f2e8a1b6939d398a267fa0f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:19:30 -0700
Subject: [PATCH 008/136] polish script and probably detect encrypted attacks
 too.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 65 +++++++++++++++++++--
 1 file changed, 60 insertions(+), 5 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index b3f81034b0..c9a9622e2c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,9 +1,11 @@
 module Heartbleed;
 
 redef record SSL::Info += {
-#	last_originator_heartbeat_request_size: count &optional;
-#	originator_heartbeats: count &default=0;
-#	responder_heartbeats: count &default=0;
+	last_originator_heartbeat_request_size: count &optional;
+	last_responder_heartbeat_request_size: count &optional;
+	originator_heartbeats: count &default=0;
+	responder_heartbeats: count &default=0;
+
   heartbleed_detected: bool &default=F;
 	};
 
@@ -11,8 +13,14 @@ export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-    ## Indicates that a host performing a heartbleed attack was probably successful.
+    ## Indicates that a host performing a heartbleed attack was successful.
     SSL_Heartbeat_Attack_Success,
+    ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
+    SSL_Heartbeat_Encrypted_Attack_Success,
+    ## Indicates we saw heartbeet requests with odd length. Probably an attack.
+    SSL_Heartbeat_Odd_Length,
+    ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+    SSL_Heartbeat_Many_Requests
   };
 }
 
@@ -20,7 +28,6 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
   {
   if ( heartbeat_type == 1 )
     {
-
     local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
 
@@ -42,3 +49,51 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
         ]);
     }
   }
+
+event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
+  {
+  if ( is_orig )
+    ++c$ssl$originator_heartbeats;
+  else
+    ++c$ssl$responder_heartbeats;
+
+  if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
+      NOTICE([$note=SSL_Heartbeat_Many_Requests,
+        $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+        $conn=c
+        ]);
+
+  if ( is_orig && length < 19 )
+      NOTICE([$note=SSL_Heartbeat_Odd_Length,
+        $msg="Heartbeat message smaller than minimum length. Probable attack.",
+        $conn=c
+        ]);
+
+  if ( is_orig )
+    {
+    if ( c$ssl?$last_responder_heartbeat_request_size )
+      {
+      # server originated heartbeat. Ignore & continue
+      delete c$ssl$last_responder_heartbeat_request_size;
+      }
+    else
+      c$ssl$last_originator_heartbeat_request_size = length;
+    }
+  else
+    {
+    if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+      {
+      NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
+        $msg="An Encrypted TLS heartbleed attack was probably detected!",
+        $conn=c
+        ]);
+      }
+    else if ( ! c$ssl?$last_originator_heartbeat_request_size )
+      {
+      c$ssl$last_responder_heartbeat_request_size = length;
+      }
+
+    if ( c$ssl?$last_originator_heartbeat_request_size )
+      delete c$ssl$last_originator_heartbeat_request_size;
+    }
+  }

From 4d33bdbb1ebe531a238803ef612395d8a39fc6e8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:28:13 -0700
Subject: [PATCH 009/136] fix tabs.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 146 ++++++++++----------
 1 file changed, 73 insertions(+), 73 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index c9a9622e2c..7089758e93 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -6,94 +6,94 @@ redef record SSL::Info += {
 	originator_heartbeats: count &default=0;
 	responder_heartbeats: count &default=0;
 
-  heartbleed_detected: bool &default=F;
+	heartbleed_detected: bool &default=F;
 	};
 
 export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-    ## Indicates that a host performing a heartbleed attack was successful.
-    SSL_Heartbeat_Attack_Success,
-    ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
-    SSL_Heartbeat_Encrypted_Attack_Success,
-    ## Indicates we saw heartbeet requests with odd length. Probably an attack.
-    SSL_Heartbeat_Odd_Length,
-    ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
-    SSL_Heartbeat_Many_Requests
-  };
+		## Indicates that a host performing a heartbleed attack was successful.
+		SSL_Heartbeat_Attack_Success,
+		## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
+		SSL_Heartbeat_Encrypted_Attack_Success,
+		## Indicates we saw heartbeet requests with odd length. Probably an attack.
+		SSL_Heartbeat_Odd_Length,
+		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+		SSL_Heartbeat_Many_Requests
+	};
 }
 
 event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
-  {
-  if ( heartbeat_type == 1 )
-    {
-    local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
+	{
+	if ( heartbeat_type == 1 )
+		{
+		local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
 
-    if ( payload_length > checklength )
-      {
-      c$ssl$heartbleed_detected = T;
-      NOTICE([$note=SSL_Heartbeat_Attack,
-        $msg="An TLS heartbleed attack was detected!",
-        $conn=c
-        ]);
-      }
-    }
+		if ( payload_length > checklength )
+			{
+			c$ssl$heartbleed_detected = T;
+			NOTICE([$note=SSL_Heartbeat_Attack,
+				$msg="An TLS heartbleed attack was detected!",
+				$conn=c
+				]);
+			}
+		}
 
-  if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
-    {
-      NOTICE([$note=SSL_Heartbeat_Attack_Success,
-        $msg="An TLS heartbleed attack was detected and probably exploited",
-        $conn=c
-        ]);
-    }
-  }
+	if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
+		{
+			NOTICE([$note=SSL_Heartbeat_Attack_Success,
+				$msg="An TLS heartbleed attack was detected and probably exploited",
+				$conn=c
+				]);
+		}
+	}
 
 event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
-  {
-  if ( is_orig )
-    ++c$ssl$originator_heartbeats;
-  else
-    ++c$ssl$responder_heartbeats;
+	{
+	if ( is_orig )
+		++c$ssl$originator_heartbeats;
+	else
+		++c$ssl$responder_heartbeats;
 
-  if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
-      NOTICE([$note=SSL_Heartbeat_Many_Requests,
-        $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
-        $conn=c
-        ]);
+	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
+			NOTICE([$note=SSL_Heartbeat_Many_Requests,
+				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+				$conn=c
+				]);
 
-  if ( is_orig && length < 19 )
-      NOTICE([$note=SSL_Heartbeat_Odd_Length,
-        $msg="Heartbeat message smaller than minimum length. Probable attack.",
-        $conn=c
-        ]);
+	if ( is_orig && length < 19 )
+			NOTICE([$note=SSL_Heartbeat_Odd_Length,
+				$msg="Heartbeat message smaller than minimum length. Probable attack.",
+				$conn=c
+				]);
 
-  if ( is_orig )
-    {
-    if ( c$ssl?$last_responder_heartbeat_request_size )
-      {
-      # server originated heartbeat. Ignore & continue
-      delete c$ssl$last_responder_heartbeat_request_size;
-      }
-    else
-      c$ssl$last_originator_heartbeat_request_size = length;
-    }
-  else
-    {
-    if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
-      {
-      NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
-        $msg="An Encrypted TLS heartbleed attack was probably detected!",
-        $conn=c
-        ]);
-      }
-    else if ( ! c$ssl?$last_originator_heartbeat_request_size )
-      {
-      c$ssl$last_responder_heartbeat_request_size = length;
-      }
+	if ( is_orig )
+		{
+		if ( c$ssl?$last_responder_heartbeat_request_size )
+			{
+			# server originated heartbeat. Ignore & continue
+			delete c$ssl$last_responder_heartbeat_request_size;
+			}
+		else
+			c$ssl$last_originator_heartbeat_request_size = length;
+		}
+	else
+		{
+		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+			{
+			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
+				$msg="An Encrypted TLS heartbleed attack was probably detected!",
+				$conn=c
+				]);
+			}
+		else if ( ! c$ssl?$last_originator_heartbeat_request_size )
+			{
+			c$ssl$last_responder_heartbeat_request_size = length;
+			}
 
-    if ( c$ssl?$last_originator_heartbeat_request_size )
-      delete c$ssl$last_originator_heartbeat_request_size;
-    }
-  }
+		if ( c$ssl?$last_originator_heartbeat_request_size )
+			delete c$ssl$last_originator_heartbeat_request_size;
+		}
+	}

From cb87f834f9360aae450f778b0a9b49cee4102a4e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:40:48 -0700
Subject: [PATCH 010/136] make tls heartbeat messages a bit better.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 7089758e93..0e5abc7ab3 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -30,12 +30,11 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 		{
 		local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
-
 		if ( payload_length > checklength )
 			{
 			c$ssl$heartbleed_detected = T;
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg="An TLS heartbleed attack was detected!",
+				$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
 				$conn=c
 				]);
 			}
@@ -60,13 +59,15 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
 				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
-				$conn=c
+				$conn=c,
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats)
 				]);
 
 	if ( is_orig && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
 				$msg="Heartbeat message smaller than minimum length. Probable attack.",
-				$conn=c
+				$conn=c,
+				$n=length
 				]);
 
 	if ( is_orig )

From f2c2da92c6505a2a979051e553ff4043f1317a0e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:53:01 -0700
Subject: [PATCH 011/136] add to local.bro, add disclaimer

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 ++
 scripts/site/local.bro                      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 0e5abc7ab3..d66ff4df2a 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,5 +1,7 @@
 module Heartbleed;
 
+# Please note - this is not well tested. Use at your own risk.
+
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;
 	last_responder_heartbeat_request_size: count &optional;
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index e1a3574424..bb2cc73a53 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,3 +81,5 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
+# Load heartbleed detection. Only superficially tested, might contain bugs.
+@load policy/protocols/ssl/heartbleed

From 2942a26280866c5ecad13ce8d7a63a706dc9e1af Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 12:44:51 -0700
Subject: [PATCH 012/136] also extract payload data in ssl_heartbeat

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/events.bif        | 2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac  | 8 ++++----
 src/analyzer/protocol/ssl/ssl-protocol.pac  | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index d66ff4df2a..19728b1d0c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -26,7 +26,7 @@ export {
 	};
 }
 
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
 	if ( heartbeat_type == 1 )
 		{
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index e720089f45..a11e7bcc68 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -141,4 +141,4 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%);
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index d0ac88a5a1..29240161d1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -325,11 +325,11 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool
+	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length);
-
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
+			new StringVal(data.length(), (const char*) data.data()));
 		return true;
 		%}
 
@@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let {
 };
 
 refine typeattr Heartbeat += &let {
-	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length);
+	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
 };
 
 refine typeattr ClientHello += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index acded2dbf9..f8645410dc 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -233,7 +233,7 @@ type ApplicationData(rec: SSLRecord) = record {
 type Heartbeat(rec: SSLRecord) = record {
   type : uint8;
   payload_length : uint16;
-	data : bytestring &restofdata &transient;
+	data : bytestring &restofdata;
 };
 
 ######################################################################

From 2414aaf4bb9e1a9ba9aafbf748f2905311f8cd8e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 21:57:37 -0700
Subject: [PATCH 013/136] enable detection of encrypted heartbleeds.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 19728b1d0c..0049c4c51f 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -84,7 +84,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	else
 		{
-		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 			{
 			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
 				$msg="An Encrypted TLS heartbleed attack was probably detected!",
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f8645410dc..b8e5c9f624 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -52,7 +52,7 @@ type SSLRecord(is_orig: bool) = record {
 };
 
 type RecordText(rec: SSLRecord) = case $context.connection.state() of {
-	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
+	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED, STATE_CLIENT_FINISHED,
 	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
 		-> ciphertext : CiphertextRecord(rec);
 	default

From 2b3c2bd3940cd6883dc188abbc7aa5372cae7278 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 13:03:24 -0500
Subject: [PATCH 014/136] Fix reassembly of data w/ sizes beyond 32-bit
 capacities (BIT-348).

The main change is that reassembly code (e.g. for TCP) now uses
int64/uint64 (signedness is situational) data types in place of int
types in order to support delivering data to analyzers that pass 2GB
thresholds.  There's also changes in logic that accompany the change in
data types, e.g. to fix TCP sequence space arithmetic inconsistencies.

Another significant change is in the Analyzer API: the *Packet and
*Undelivered methods now use a uint64 in place of an int for the
relative sequence space offset parameter.
---
 src/Frag.cc                                   |   12 +-
 src/Frag.h                                    |    6 +-
 src/Reassem.cc                                |   88 +-
 src/Reassem.h                                 |   32 +-
 src/Stats.cc                                  |    2 +-
 src/analyzer/Analyzer.cc                      |   20 +-
 src/analyzer/Analyzer.h                       |   20 +-
 src/analyzer/protocol/ayiya/AYIYA.cc          |    2 +-
 src/analyzer/protocol/ayiya/AYIYA.h           |    2 +-
 src/analyzer/protocol/backdoor/BackDoor.cc    |   41 +-
 src/analyzer/protocol/backdoor/BackDoor.h     |   34 +-
 .../protocol/bittorrent/BitTorrent.cc         |    2 +-
 src/analyzer/protocol/bittorrent/BitTorrent.h |    2 +-
 .../protocol/bittorrent/BitTorrentTracker.cc  |    2 +-
 .../protocol/bittorrent/BitTorrentTracker.h   |    2 +-
 src/analyzer/protocol/conn-size/ConnSize.cc   |    2 +-
 src/analyzer/protocol/conn-size/ConnSize.h    |    2 +-
 src/analyzer/protocol/dhcp/DHCP.cc            |    2 +-
 src/analyzer/protocol/dhcp/DHCP.h             |    2 +-
 src/analyzer/protocol/dnp3/DNP3.cc            |    2 +-
 src/analyzer/protocol/dnp3/DNP3.h             |    2 +-
 src/analyzer/protocol/dns/DNS.cc              |    2 +-
 src/analyzer/protocol/dns/DNS.h               |    2 +-
 src/analyzer/protocol/file/File.cc            |   10 +-
 src/analyzer/protocol/file/File.h             |    6 +-
 src/analyzer/protocol/gtpv1/GTPv1.cc          |    2 +-
 src/analyzer/protocol/gtpv1/GTPv1.h           |    2 +-
 src/analyzer/protocol/http/HTTP.cc            |    6 +-
 src/analyzer/protocol/http/HTTP.h             |    4 +-
 src/analyzer/protocol/icmp/ICMP.cc            |    2 +-
 src/analyzer/protocol/icmp/ICMP.h             |    2 +-
 src/analyzer/protocol/interconn/InterConn.cc  |   10 +-
 src/analyzer/protocol/interconn/InterConn.h   |    6 +-
 src/analyzer/protocol/modbus/Modbus.cc        |    2 +-
 src/analyzer/protocol/modbus/Modbus.h         |    2 +-
 src/analyzer/protocol/ncp/NCP.cc              |    2 +-
 src/analyzer/protocol/ncp/NCP.h               |    2 +-
 src/analyzer/protocol/netbios/NetbiosSSN.cc   |    2 +-
 src/analyzer/protocol/netbios/NetbiosSSN.h    |    2 +-
 src/analyzer/protocol/ntp/NTP.cc              |    2 +-
 src/analyzer/protocol/ntp/NTP.h               |    2 +-
 src/analyzer/protocol/pia/PIA.cc              |   10 +-
 src/analyzer/protocol/pia/PIA.h               |   12 +-
 src/analyzer/protocol/rpc/RPC.cc              |    4 +-
 src/analyzer/protocol/rpc/RPC.h               |    4 +-
 src/analyzer/protocol/smtp/SMTP.cc            |    4 +-
 src/analyzer/protocol/smtp/SMTP.h             |    2 +-
 src/analyzer/protocol/socks/SOCKS.cc          |    2 +-
 src/analyzer/protocol/socks/SOCKS.h           |    2 +-
 src/analyzer/protocol/ssl/SSL.cc              |    2 +-
 src/analyzer/protocol/ssl/SSL.h               |    2 +-
 .../protocol/stepping-stone/SteppingStone.cc  |    8 +-
 .../protocol/stepping-stone/SteppingStone.h   |    6 +-
 src/analyzer/protocol/syslog/Syslog.cc        |    4 +-
 src/analyzer/protocol/syslog/Syslog.h         |    4 +-
 src/analyzer/protocol/tcp/ContentLine.cc      |    2 +-
 src/analyzer/protocol/tcp/ContentLine.h       |   12 +-
 src/analyzer/protocol/tcp/TCP.cc              | 2234 +++++++++--------
 src/analyzer/protocol/tcp/TCP.h               |   84 +-
 src/analyzer/protocol/tcp/TCP_Endpoint.cc     |   29 +-
 src/analyzer/protocol/tcp/TCP_Endpoint.h      |   98 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc  |  163 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.h   |   49 +-
 src/analyzer/protocol/tcp/events.bif          |    5 +-
 src/analyzer/protocol/teredo/Teredo.cc        |    2 +-
 src/analyzer/protocol/teredo/Teredo.h         |    2 +-
 src/analyzer/protocol/udp/UDP.cc              |    2 +-
 src/analyzer/protocol/udp/UDP.h               |    2 +-
 src/net_util.h                                |    6 +-
 .../core.tcp.large-file-reassembly/conn.log   |   12 +
 .../core.tcp.large-file-reassembly/files.log  |   11 +
 .../core.tcp.large-file-reassembly/out        |   11 +
 .../weird.log                                 |    6 +-
 testing/btest/Traces/ftp/bigtransfer.pcap     |  Bin 0 -> 32127 bytes
 .../btest/core/tcp/large-file-reassembly.bro  |   22 +
 75 files changed, 1627 insertions(+), 1540 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/out
 create mode 100644 testing/btest/Traces/ftp/bigtransfer.pcap
 create mode 100644 testing/btest/core/tcp/large-file-reassembly.bro

diff --git a/src/Frag.cc b/src/Frag.cc
index 30bec88af1..d0389c264a 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -97,9 +97,9 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
 		// Linux MTU discovery for UDP can do this, for example.
 		s->Weird("fragment_with_DF", ip);
 
-	int offset = ip->FragOffset();
-	int len = ip->TotalLen();
-	int hdr_len = ip->HdrLen();
+	uint16 offset = ip->FragOffset();
+	uint32 len = ip->TotalLen();
+	uint16 hdr_len = ip->HdrLen();
 
 	if ( len < hdr_len )
 		{
@@ -107,7 +107,7 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
 		return;
 		}
 
-	int upper_seq = offset + len - hdr_len;
+	uint64 upper_seq = offset + len - hdr_len;
 
 	if ( ! offset )
 		// Make sure to use the first fragment header's next field.
@@ -178,7 +178,7 @@ void FragReassembler::Weird(const char* name) const
 		}
 	}
 
-void FragReassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+void FragReassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 	{
 	if ( memcmp((const void*) b1, (const void*) b2, n) )
 		Weird("fragment_inconsistency");
@@ -231,7 +231,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
 		return;
 
 	// We have it all.  Compute the expected size of the fragment.
-	int n = proto_hdr_len + frag_size;
+	uint64 n = proto_hdr_len + frag_size;
 
 	// It's possible that we have blocks associated with this fragment
 	// that exceed this size, if we saw MF fragments (which don't lead
diff --git a/src/Frag.h b/src/Frag.h
index 0d2fbed5b3..7f3a0eec02 100644
--- a/src/Frag.h
+++ b/src/Frag.h
@@ -34,14 +34,14 @@ public:
 
 protected:
 	void BlockInserted(DataBlock* start_block);
-	void Overlap(const u_char* b1, const u_char* b2, int n);
+	void Overlap(const u_char* b1, const u_char* b2, uint64 n);
 	void Weird(const char* name) const;
 
 	u_char* proto_hdr;
 	IP_Hdr* reassembled_pkt;
-	int proto_hdr_len;
+	uint16 proto_hdr_len;
 	NetSessions* s;
-	int frag_size;	// size of fully reassembled fragment
+	uint64 frag_size;	// size of fully reassembled fragment
 	uint16 next_proto; // first IPv6 fragment header's next proto field
 	HashKey* key;
 
diff --git a/src/Reassem.cc b/src/Reassem.cc
index 19beaa0a16..27fb26561f 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -7,14 +7,9 @@
 #include "Reassem.h"
 #include "Serializer.h"
 
-const bool DEBUG_reassem = false;
+static const bool DEBUG_reassem = false;
 
-#ifdef DEBUG
-int reassem_seen_bytes = 0;
-int reassem_copied_bytes = 0;
-#endif
-
-DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
+DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq,
 			DataBlock* arg_prev, DataBlock* arg_next)
 	{
 	seq = arg_seq;
@@ -23,10 +18,6 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
 
 	memcpy((void*) block, (const void*) data, size);
 
-#ifdef DEBUG
-	reassem_copied_bytes += size;
-#endif
-
 	prev = arg_prev;
 	next = arg_next;
 
@@ -38,9 +29,9 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
 	Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock);
 	}
 
-unsigned int Reassembler::total_size = 0;
+uint64 Reassembler::total_size = 0;
 
-Reassembler::Reassembler(int init_seq, ReassemblerType arg_type)
+Reassembler::Reassembler(uint64 init_seq, ReassemblerType arg_type)
 	{
 	blocks = last_block = 0;
 	trim_seq = last_reassem_seq = init_seq;
@@ -51,24 +42,20 @@ Reassembler::~Reassembler()
 	ClearBlocks();
 	}
 
-void Reassembler::NewBlock(double t, int seq, int len, const u_char* data)
+void Reassembler::NewBlock(double t, uint64 seq, uint64 len, const u_char* data)
 	{
 	if ( len == 0 )
 		return;
 
-#ifdef DEBUG
-	reassem_seen_bytes += len;
-#endif
+	uint64 upper_seq = seq + len;
 
-	int upper_seq = seq + len;
-
-	if ( seq_delta(upper_seq, trim_seq) <= 0 )
+	if ( upper_seq <= trim_seq )
 		// Old data, don't do any work for it.
 		return;
 
-	if ( seq_delta(seq, trim_seq) < 0 )
+	if ( seq < trim_seq )
 		{ // Partially old data, just keep the good stuff.
-		int amount_old = seq_delta(trim_seq, seq);
+		uint64 amount_old = trim_seq - seq;
 
 		data += amount_old;
 		seq += amount_old;
@@ -86,42 +73,42 @@ void Reassembler::NewBlock(double t, int seq, int len, const u_char* data)
 	BlockInserted(start_block);
 	}
 
-int Reassembler::TrimToSeq(int seq)
+uint64 Reassembler::TrimToSeq(uint64 seq)
 	{
-	int num_missing = 0;
+	uint64 num_missing = 0;
 
 	// Do this accounting before looking for Undelivered data,
 	// since that will alter last_reassem_seq.
 
 	if ( blocks )
 		{
-		if ( seq_delta(blocks->seq, last_reassem_seq) > 0 )
+		if ( blocks->seq > last_reassem_seq )
 			// An initial hole.
-			num_missing += seq_delta(blocks->seq, last_reassem_seq);
+			num_missing += blocks->seq - last_reassem_seq;
 		}
 
-	else if ( seq_delta(seq, last_reassem_seq) > 0 )
+	else if ( seq > last_reassem_seq )
 		{ // Trimming data we never delivered.
 		if ( ! blocks )
 			// We won't have any accounting based on blocks
 			// for this hole.
-			num_missing += seq_delta(seq, last_reassem_seq);
+			num_missing += seq - last_reassem_seq;
 		}
 
-	if ( seq_delta(seq, last_reassem_seq) > 0 )
+	if ( seq > last_reassem_seq )
 		{
 		// We're trimming data we never delivered.
 		Undelivered(seq);
 		}
 
-	while ( blocks && seq_delta(blocks->upper, seq) <= 0 )
+	while ( blocks && blocks->upper <= seq )
 		{
 		DataBlock* b = blocks->next;
 
-		if ( b && seq_delta(b->seq, seq) <= 0 )
+		if ( b && b->seq <= seq )
 			{
 			if ( blocks->upper != b->seq )
-				num_missing += seq_delta(b->seq, blocks->upper);
+				num_missing += b->seq - blocks->upper;
 			}
 		else
 			{
@@ -129,7 +116,7 @@ int Reassembler::TrimToSeq(int seq)
 			// Second half of test is for acks of FINs, which
 			// don't get entered into the sequence space.
 			if ( blocks->upper != seq && blocks->upper != seq - 1 )
-				num_missing += seq_delta(seq, blocks->upper);
+				num_missing += seq - blocks->upper;
 			}
 
 		delete blocks;
@@ -150,7 +137,7 @@ int Reassembler::TrimToSeq(int seq)
 	else
 		last_block = 0;
 
-	if ( seq_delta(seq, trim_seq) > 0 )
+	if ( seq > trim_seq )
 		// seq is further ahead in the sequence space.
 		trim_seq = seq;
 
@@ -169,9 +156,9 @@ void Reassembler::ClearBlocks()
 	last_block = 0;
 	}
 
-int Reassembler::TotalSize() const
+uint64 Reassembler::TotalSize() const
 	{
-	int size = 0;
+	uint64 size = 0;
 
 	for ( DataBlock* b = blocks; b; b = b->next )
 		size += b->Size();
@@ -184,18 +171,18 @@ void Reassembler::Describe(ODesc* d) const
 	d->Add("reassembler");
 	}
 
-void Reassembler::Undelivered(int up_to_seq)
+void Reassembler::Undelivered(uint64 up_to_seq)
 	{
 	// TrimToSeq() expects this.
 	last_reassem_seq = up_to_seq;
 	}
 
-DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
+DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 					const u_char* data)
 	{
 	if ( DEBUG_reassem )
 		{
-		DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%d, upper=%d\n",
+		DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%"PRIu64", upper=%"PRIu64"\n",
 		          network_time, seq, upper);
 		}
 
@@ -209,10 +196,10 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 
 	// Find the first block that doesn't come completely before the
 	// new data.
-	while ( b->next && seq_delta(b->upper, seq) <= 0 )
+	while ( b->next && b->upper <= seq )
 		b = b->next;
 
-	if ( seq_delta(b->upper, seq) <= 0 )
+	if ( b->upper <= seq )
 		{
 		// b is the last block, and it comes completely before
 		// the new block.
@@ -222,21 +209,20 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 
 	DataBlock* new_b = 0;
 
-	if ( seq_delta(upper, b->seq) <= 0 )
+	if ( upper <= b->seq )
 		{
 		// The new block comes completely before b.
-		new_b = new DataBlock(data, seq_delta(upper, seq), seq,
-					b->prev, b);
+		new_b = new DataBlock(data, upper - seq, seq, b->prev, b);
 		if ( b == blocks )
 			blocks = new_b;
 		return new_b;
 		}
 
 	// The blocks overlap, complain.
-	if ( seq_delta(seq, b->seq) < 0 )
+	if ( seq < b->seq )
 		{
 		// The new block has a prefix that comes before b.
-		int prefix_len = seq_delta(b->seq, seq);
+		uint64 prefix_len = b->seq - seq;
 		new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
 		if ( b == blocks )
 			blocks = new_b;
@@ -247,11 +233,11 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 	else
 		new_b = b;
 
-	int overlap_start = seq;
-	int overlap_offset = seq_delta(overlap_start, b->seq);
-	int new_b_len = seq_delta(upper, seq);
-	int b_len = seq_delta(b->upper, overlap_start);
-	int overlap_len = min(new_b_len, b_len);
+	uint64 overlap_start = seq;
+	uint64 overlap_offset = overlap_start - b->seq;
+	uint64 new_b_len = upper - seq;
+	uint64 b_len = b->upper - overlap_start;
+	uint64 overlap_len = min(new_b_len, b_len);
 
 	Overlap(&b->block[overlap_offset], data, overlap_len);
 
diff --git a/src/Reassem.h b/src/Reassem.h
index 1f65059e02..7b77a628d8 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -8,16 +8,16 @@
 
 class DataBlock {
 public:
-	DataBlock(const u_char* data, int size, int seq,
+	DataBlock(const u_char* data, uint64 size, uint64 seq,
 			DataBlock* prev, DataBlock* next);
 
 	~DataBlock();
 
-	int Size() const	{ return upper - seq; }
+	uint64 Size() const	{ return upper - seq; }
 
 	DataBlock* next;	// next block with higher seq #
 	DataBlock* prev;	// previous block with lower seq #
-	int seq, upper;
+	uint64 seq, upper;
 	u_char* block;
 };
 
@@ -26,22 +26,22 @@ enum ReassemblerType { REASSEM_IP, REASSEM_TCP };
 
 class Reassembler : public BroObj {
 public:
-	Reassembler(int init_seq, ReassemblerType arg_type);
+	Reassembler(uint64 init_seq, ReassemblerType arg_type);
 	virtual ~Reassembler();
 
-	void NewBlock(double t, int seq, int len, const u_char* data);
+	void NewBlock(double t, uint64 seq, uint64 len, const u_char* data);
 
 	// Throws away all blocks up to seq.  Returns number of bytes
 	// if not all in-sequence, 0 if they were.
-	int TrimToSeq(int seq);
+	uint64 TrimToSeq(uint64 seq);
 
 	// Delete all held blocks.
 	void ClearBlocks();
 
 	int HasBlocks() const		{ return blocks != 0; }
-	int LastReassemSeq() const	{ return last_reassem_seq; }
+	uint64 LastReassemSeq() const	{ return last_reassem_seq; }
 
-	int TotalSize() const;	// number of bytes buffered up
+	uint64 TotalSize() const;	// number of bytes buffered up
 
 	void Describe(ODesc* d) const;
 
@@ -49,7 +49,7 @@ public:
 	static Reassembler* Unserialize(UnserialInfo* info);
 
 	// Sum over all data buffered in some reassembler.
-	static unsigned int TotalMemoryAllocation()	{ return total_size; }
+	static uint64 TotalMemoryAllocation()	{ return total_size; }
 
 protected:
 	Reassembler()	{ }
@@ -58,20 +58,20 @@ protected:
 
 	friend class DataBlock;
 
-	virtual void Undelivered(int up_to_seq);
+	virtual void Undelivered(uint64 up_to_seq);
 
 	virtual void BlockInserted(DataBlock* b) = 0;
-	virtual void Overlap(const u_char* b1, const u_char* b2, int n) = 0;
+	virtual void Overlap(const u_char* b1, const u_char* b2, uint64 n) = 0;
 
-	DataBlock* AddAndCheck(DataBlock* b, int seq,
-				int upper, const u_char* data);
+	DataBlock* AddAndCheck(DataBlock* b, uint64 seq,
+				uint64 upper, const u_char* data);
 
 	DataBlock* blocks;
 	DataBlock* last_block;
-	int last_reassem_seq;
-	int trim_seq;	// how far we've trimmed
+	uint64 last_reassem_seq;
+	uint64 trim_seq;	// how far we've trimmed
 
-	static unsigned int total_size;
+	static uint64 total_size;
 };
 
 inline DataBlock::~DataBlock()
diff --git a/src/Stats.cc b/src/Stats.cc
index c4b0ed45b1..6cf9a622e1 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -160,7 +160,7 @@ void ProfileLogger::Log()
 	file->Write(fmt("%.06f Connections expired due to inactivity: %d\n",
 		network_time, killed_by_inactivity));
 
-	file->Write(fmt("%.06f Total reassembler data: %dK\n", network_time,
+	file->Write(fmt("%.06f Total reassembler data: %"PRIu64"K\n", network_time,
 		Reassembler::TotalMemoryAllocation() / 1024));
 
 	// Signature engine.
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index b280cbb6f8..b840e1bbd4 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -203,7 +203,7 @@ void Analyzer::Done()
 	finished = true;
 	}
 
-void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq,
+void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64 seq,
 				const IP_Hdr* ip, int caplen)
 	{
 	if ( skip )
@@ -250,7 +250,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
 		}
 	}
 
-void Analyzer::NextUndelivered(int seq, int len, bool is_orig)
+void Analyzer::NextUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	if ( skip )
 		return;
@@ -287,7 +287,7 @@ void Analyzer::NextEndOfData(bool is_orig)
 	}
 
 void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen)
+				uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	if ( output_handler )
 		output_handler->DeliverPacket(len, data, is_orig, seq,
@@ -335,7 +335,7 @@ void Analyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 	AppendNewChildren();
 	}
 
-void Analyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+void Analyzer::ForwardUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	if ( output_handler )
 		output_handler->Undelivered(seq, len, is_orig);
@@ -595,9 +595,9 @@ SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
 	}
 
 void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen)
+				uint64 seq, const IP_Hdr* ip, int caplen)
 	{
-	DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+	DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]",
 			fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen,
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
@@ -609,9 +609,9 @@ void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
 
-void Analyzer::Undelivered(int seq, int len, bool is_orig)
+void Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
-	DBG_LOG(DBG_ANALYZER, "%s Undelivered(%d, %d, %s)",
+	DBG_LOG(DBG_ANALYZER, "%s Undelivered(%"PRIu64", %d, %s)",
 			fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F");
 	}
 
@@ -793,7 +793,7 @@ SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const
 	}
 
 void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
 
@@ -834,7 +834,7 @@ void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 		Parent()->DeliverStream(len, data, is_orig);
 	}
 
-void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+void SupportAnalyzer::ForwardUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
 
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 578020082b..f32181b9e7 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -44,7 +44,7 @@ public:
 	 * Analyzer::DeliverPacket().
 	 */
 	virtual void DeliverPacket(int len, const u_char* data,
-				   bool orig, int seq,
+				   bool orig, uint64 seq,
 				   const IP_Hdr* ip, int caplen)
 		{ }
 
@@ -59,7 +59,7 @@ public:
 	 * Hook for receiving notification of stream gaps. Parameters are the
 	 * same as for Analyzer::Undelivered().
 	 */
-	virtual void Undelivered(int seq, int len, bool orig)	{ }
+	virtual void Undelivered(uint64 seq, int len, bool orig)	{ }
 };
 
 /**
@@ -143,7 +143,7 @@ public:
 	 * @param caplen The packet's capture length, if available.
 	 */
 	void NextPacket(int len, const u_char* data, bool is_orig,
-			int seq = -1, const IP_Hdr* ip = 0, int caplen = 0);
+			uint64 seq = -1, const IP_Hdr* ip = 0, int caplen = 0);
 
 	/**
 	 * Passes stream input to the analyzer for processing. The analyzer
@@ -173,7 +173,7 @@ public:
 	 *
 	 * @param is_orig True if this is about originator-side input.
 	 */
-	void NextUndelivered(int seq, int len, bool is_orig);
+	void NextUndelivered(uint64 seq, int len, bool is_orig);
 
 	/**
 	 * Reports a message boundary.  This is a generic method that can be
@@ -195,7 +195,7 @@ public:
 	 * Parameters are the same as for NextPacket().
 	 */
 	virtual void ForwardPacket(int len, const u_char* data,
-					bool orig, int seq,
+					bool orig, uint64 seq,
 					const IP_Hdr* ip, int caplen);
 
 	/**
@@ -212,7 +212,7 @@ public:
 	 *
 	 * Parameters are the same as for NextUndelivered().
 	 */
-	virtual void ForwardUndelivered(int seq, int len, bool orig);
+	virtual void ForwardUndelivered(uint64 seq, int len, bool orig);
 
 	/**
 	 * Forwards an end-of-data notification on to all child analyzers.
@@ -227,7 +227,7 @@ public:
 	 * Parameters are the same.
 	 */
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	/**
 	 * Hook for accessing stream input for parsing. This is called by
@@ -241,7 +241,7 @@ public:
 	 * NextUndelivered() and can be overridden by derived classes.
 	 * Parameters are the same.
 	 */
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	/**
 	 * Hook for accessing end-of-data notifications. This is called by
@@ -749,7 +749,7 @@ public:
 	* Parameters same as for Analyzer::ForwardPacket.
 	*/
 	virtual void ForwardPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	/**
 	* Passes stream input to the next sibling SupportAnalyzer if any, or
@@ -769,7 +769,7 @@ public:
 	*
 	* Parameters same as for Analyzer::ForwardPacket.
 	*/
-	virtual void ForwardUndelivered(int seq, int len, bool orig);
+	virtual void ForwardUndelivered(uint64 seq, int len, bool orig);
 
 protected:
 	friend class Analyzer;
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
index 070a3ef3e1..a1e00e9b38 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ b/src/analyzer/protocol/ayiya/AYIYA.cc
@@ -22,7 +22,7 @@ void AYIYA_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h
index f5bb379cf4..2739ff2bba 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.h
+++ b/src/analyzer/protocol/ayiya/AYIYA.h
@@ -12,7 +12,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new AYIYA_Analyzer(conn); }
diff --git a/src/analyzer/protocol/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc
index a466938ff6..984b2a5dcf 100644
--- a/src/analyzer/protocol/backdoor/BackDoor.cc
+++ b/src/analyzer/protocol/backdoor/BackDoor.cc
@@ -46,7 +46,7 @@ void BackDoorEndpoint::FinalCheckForRlogin()
 		}
 	}
 
-int BackDoorEndpoint::DataSent(double /* t */, int seq,
+int BackDoorEndpoint::DataSent(double /* t */, uint64 seq,
 				int len, int caplen, const u_char* data,
 				const IP_Hdr* /* ip */,
 				const struct tcphdr* /* tp */)
@@ -60,8 +60,8 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq,
 	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= max_top_seq )
 		// There is no new data in this packet.
@@ -124,7 +124,7 @@ RecordVal* BackDoorEndpoint::BuildStats()
 	return stats;
 	}
 
-void BackDoorEndpoint::CheckForRlogin(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForRlogin(uint64 seq, int len, const u_char* data)
 	{
 	if ( rlogin_checking_done )
 		return;
@@ -177,7 +177,7 @@ void BackDoorEndpoint::CheckForRlogin(int seq, int len, const u_char* data)
 
 	if ( seq < max_top_seq )
 		{ // trim to just the new data
-		int delta = max_top_seq - seq;
+		int64 delta = max_top_seq - seq;
 		seq += delta;
 		data += delta;
 		len -= delta;
@@ -255,7 +255,7 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
 	endp->TCP()->ConnectionEvent(rlogin_signature_found, vl);
 	}
 
-void BackDoorEndpoint::CheckForTelnet(int /* seq */, int len, const u_char* data)
+void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
 	{
 	if ( len >= 3 &&
 	     data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) )
@@ -346,7 +346,7 @@ void BackDoorEndpoint::TelnetSignatureFound(int len)
 	endp->TCP()->ConnectionEvent(telnet_signature_found, vl);
 	}
 
-void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 &&
 	     (data[4] == '1' || data[4] == '2') )
@@ -363,8 +363,9 @@ void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
 
 	if ( seq > max_top_seq )
 		{ // Estimate number of packets in the sequence gap
-		int gap = seq - max_top_seq;
-		num_pkts += int((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
+		int64 gap = seq - max_top_seq;
+		if ( gap > 0 )
+			num_pkts += uint64((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
 		}
 
 	++num_pkts;
@@ -388,7 +389,7 @@ void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
 		}
 	}
 
-void BackDoorEndpoint::CheckForRootBackdoor(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForRootBackdoor(uint64 seq, int len, const u_char* data)
 	{
 	// Check for root backdoor signature: an initial payload of
 	// exactly "# ".
@@ -397,7 +398,7 @@ void BackDoorEndpoint::CheckForRootBackdoor(int seq, int len, const u_char* data
 		SignatureFound(root_backdoor_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForFTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForFTP(uint64 seq, int len, const u_char* data)
 	{
 	// Check for FTP signature
 	//
@@ -429,7 +430,7 @@ void BackDoorEndpoint::CheckForFTP(int seq, int len, const u_char* data)
 		SignatureFound(ftp_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForNapster(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForNapster(uint64 seq, int len, const u_char* data)
 	{
 	// Check for Napster signature "GETfoobar" or "SENDfoobar" where
 	// "foobar" is the Napster handle associated with the request
@@ -449,7 +450,7 @@ void BackDoorEndpoint::CheckForNapster(int seq, int len, const u_char* data)
 		SignatureFound(napster_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForSMTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForSMTP(uint64 seq, int len, const u_char* data)
 	{
 	const char* smtp_handshake[] = { "HELO", "EHLO", 0 };
 
@@ -460,7 +461,7 @@ void BackDoorEndpoint::CheckForSMTP(int seq, int len, const u_char* data)
 		SignatureFound(smtp_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForIRC(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForIRC(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq != 1 || is_partial )
 		return;
@@ -475,7 +476,7 @@ void BackDoorEndpoint::CheckForIRC(int seq, int len, const u_char* data)
 		SignatureFound(irc_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForGnutella(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForGnutella(uint64 seq, int len, const u_char* data)
 	{
 	// After connecting to the server, the connecting client says:
 	//
@@ -492,13 +493,13 @@ void BackDoorEndpoint::CheckForGnutella(int seq, int len, const u_char* data)
 		SignatureFound(gnutella_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForGaoBot(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForGaoBot(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) )
 		SignatureFound(gaobot_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForKazaa(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForKazaa(uint64 seq, int len, const u_char* data)
 	{
 	// *Some*, though not all, KaZaa connections begin with:
 	//
@@ -565,7 +566,7 @@ int is_absolute_url(const u_char* data, int len)
 	return *abs_url_sig_pos == '\0';
 	}
 
-void BackDoorEndpoint::CheckForHTTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForHTTP(uint64 seq, int len, const u_char* data)
 	{
 	// According to the RFC, we should look for
 	// '<method> SP <url> SP HTTP/<version> CR LF'
@@ -629,7 +630,7 @@ void BackDoorEndpoint::CheckForHTTP(int seq, int len, const u_char* data)
 		}
 	}
 
-void BackDoorEndpoint::CheckForHTTPProxy(int /* seq */, int len,
+void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
 					const u_char* data)
 	{
 	// Proxy ONLY accepts absolute URI's: "The absoluteURI form is
@@ -713,7 +714,7 @@ void BackDoor_Analyzer::Init()
 	}
 
 void BackDoor_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h
index 5bc8a67381..b1b95ca3f8 100644
--- a/src/analyzer/protocol/backdoor/BackDoor.h
+++ b/src/analyzer/protocol/backdoor/BackDoor.h
@@ -14,7 +14,7 @@ class BackDoorEndpoint {
 public:
 	BackDoorEndpoint(tcp::TCP_Endpoint* e);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -22,23 +22,23 @@ public:
 	void FinalCheckForRlogin();
 
 protected:
-	void CheckForRlogin(int seq, int len, const u_char* data);
+	void CheckForRlogin(uint64 seq, int len, const u_char* data);
 	void RloginSignatureFound(int len);
 
-	void CheckForTelnet(int seq, int len, const u_char* data);
+	void CheckForTelnet(uint64 seq, int len, const u_char* data);
 	void TelnetSignatureFound(int len);
 
-	void CheckForSSH(int seq, int len, const u_char* data);
-	void CheckForFTP(int seq, int len, const u_char* data);
-	void CheckForRootBackdoor(int seq, int len, const u_char* data);
-	void CheckForNapster(int seq, int len, const u_char* data);
-	void CheckForGnutella(int seq, int len, const u_char* data);
-	void CheckForKazaa(int seq, int len, const u_char* data);
-	void CheckForHTTP(int seq, int len, const u_char* data);
-	void CheckForHTTPProxy(int seq, int len, const u_char* data);
-	void CheckForSMTP(int seq, int len, const u_char* data);
-	void CheckForIRC(int seq, int len, const u_char* data);
-	void CheckForGaoBot(int seq, int len, const u_char* data);
+	void CheckForSSH(uint64 seq, int len, const u_char* data);
+	void CheckForFTP(uint64 seq, int len, const u_char* data);
+	void CheckForRootBackdoor(uint64 seq, int len, const u_char* data);
+	void CheckForNapster(uint64 seq, int len, const u_char* data);
+	void CheckForGnutella(uint64 seq, int len, const u_char* data);
+	void CheckForKazaa(uint64 seq, int len, const u_char* data);
+	void CheckForHTTP(uint64 seq, int len, const u_char* data);
+	void CheckForHTTPProxy(uint64 seq, int len, const u_char* data);
+	void CheckForSMTP(uint64 seq, int len, const u_char* data);
+	void CheckForIRC(uint64 seq, int len, const u_char* data);
+	void CheckForGaoBot(uint64 seq, int len, const u_char* data);
 
 	void SignatureFound(EventHandlerPtr e, int do_orig = 0);
 
@@ -48,11 +48,11 @@ protected:
 
 	tcp::TCP_Endpoint* endp;
 	int is_partial;
-	int max_top_seq;
+	uint64 max_top_seq;
 
 	int rlogin_checking_done;
 	int rlogin_num_null;
-	int rlogin_string_separator_pos;
+	uint64 rlogin_string_separator_pos;
 	int rlogin_slash_seen;
 
 	uint32 num_pkts;
@@ -80,7 +80,7 @@ protected:
 	// We support both packet and stream input, and can be instantiated
 	// even if the TCP analyzer is not yet reassembling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	void StatEvent();
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc
index 99fd9dc132..cb6fc0945e 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@@ -68,7 +68,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
+void BitTorrent_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h
index 7739463052..2e303f4038 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 98adcaa610..43ee6a2b21 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -207,7 +207,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 		}
 	}
 
-void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
+void BitTorrentTracker_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
index b041e556b7..2fa5d684cd 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
@@ -49,7 +49,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
index 227a4b1be2..5bfeb2bf90 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -36,7 +36,7 @@ void ConnSize_Analyzer::Done()
 	Analyzer::Done();
 	}
 
-void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h
index 25f096dd32..ec3b85c0d9 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.h
+++ b/src/analyzer/protocol/conn-size/ConnSize.h
@@ -26,7 +26,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 
 	uint64_t orig_bytes;
diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc
index 1fa8759fbf..78b1c6be69 100644
--- a/src/analyzer/protocol/dhcp/DHCP.cc
+++ b/src/analyzer/protocol/dhcp/DHCP.cc
@@ -21,7 +21,7 @@ void DHCP_Analyzer::Done()
 	}
 
 void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool orig, int seq, const IP_Hdr* ip, int caplen)
+			bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->NewData(orig, data, data + len);
diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h
index a1c06e8b85..7633d71351 100644
--- a/src/analyzer/protocol/dhcp/DHCP.h
+++ b/src/analyzer/protocol/dhcp/DHCP.h
@@ -14,7 +14,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DHCP_Analyzer(conn); }
diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc
index ee90a0c74d..9d9ddf0c35 100644
--- a/src/analyzer/protocol/dnp3/DNP3.cc
+++ b/src/analyzer/protocol/dnp3/DNP3.cc
@@ -153,7 +153,7 @@ void DNP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void DNP3_Analyzer::Undelivered(int seq, int len, bool orig)
+void DNP3_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h
index b84d3874b4..a0578808a8 100644
--- a/src/analyzer/protocol/dnp3/DNP3.h
+++ b/src/analyzer/protocol/dnp3/DNP3.h
@@ -14,7 +14,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index a97c7b8632..baa95f46de 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1146,7 +1146,7 @@ void DNS_Analyzer::Done()
 	}
 
 void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index af4b8de22f..2cc1615b04 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -258,7 +258,7 @@ public:
 	~DNS_Analyzer();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	virtual void Init();
 	virtual void Done();
diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 4476043721..7af16165e3 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -34,7 +34,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	return;
 	}
 
-void File_Analyzer::Undelivered(int seq, int len, bool orig)
+void File_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	}
@@ -79,10 +79,10 @@ void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
 	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
-void IRC_Data::Undelivered(int seq, int len, bool orig)
+void IRC_Data::Undelivered(uint64 seq, int len, bool orig)
 	{
 	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
+	file_mgr->Gap(seq - 1, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
 FTP_Data::FTP_Data(Connection* conn)
@@ -102,8 +102,8 @@ void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
 	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
-void FTP_Data::Undelivered(int seq, int len, bool orig)
+void FTP_Data::Undelivered(uint64 seq, int len, bool orig)
 	{
 	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
+	file_mgr->Gap(seq - 1, len, GetAnalyzerTag(), Conn(), orig);
 	}
diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h
index 7afbd569c4..f83ec82a49 100644
--- a/src/analyzer/protocol/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@@ -17,7 +17,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	void Undelivered(int seq, int len, bool orig);
+	void Undelivered(uint64 seq, int len, bool orig);
 
 //	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 //		{ return new File_Analyzer(conn); }
@@ -38,7 +38,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new IRC_Data(conn); }
@@ -52,7 +52,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new FTP_Data(conn); }
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
index 0a94a28554..361e602b5f 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.cc
+++ b/src/analyzer/protocol/gtpv1/GTPv1.cc
@@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	try
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h
index b58405ea7f..eebaf1d83e 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.h
+++ b/src/analyzer/protocol/gtpv1/GTPv1.h
@@ -12,7 +12,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new GTPv1_Analyzer(conn); }
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f676643b7c..2eaff3f8c6 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1115,11 +1115,11 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 		}
 	}
 
-void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+void HTTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
-	// DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length);
+	// DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length);
 
 	HTTP_Message* msg =
 		is_orig ? request_message : reply_message;
@@ -1131,7 +1131,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
 		{
 		if ( msg )
 			msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
-				fmt("seq=%d, len=%d", seq, len));
+				fmt("seq=%"PRIu64", len=%d", seq, len));
 		}
 
 	// Check if the content gap falls completely within a message body
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 48a611b63b..6b44130505 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -161,7 +161,7 @@ public:
 	HTTP_Analyzer(Connection* conn);
 	~HTTP_Analyzer();
 
-	void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len);
+	void Undelivered(tcp::TCP_Endpoint* sender, uint64 seq, int len);
 
 	void HTTP_Header(int is_orig, mime::MIME_Header* h);
 	void HTTP_EntityData(int is_orig, const BroString* entity_data);
@@ -177,7 +177,7 @@ public:
 	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	// Overriden from tcp::TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index 510d3b3a80..393b5536e8 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -31,7 +31,7 @@ void ICMP_Analyzer::Done()
 	}
 
 void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+			bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	assert(ip);
 
diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h
index e371f53889..116348cce6 100644
--- a/src/analyzer/protocol/icmp/ICMP.h
+++ b/src/analyzer/protocol/icmp/ICMP.h
@@ -29,7 +29,7 @@ protected:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
diff --git a/src/analyzer/protocol/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc
index 4b298eaa52..eb529cbb6d 100644
--- a/src/analyzer/protocol/interconn/InterConn.cc
+++ b/src/analyzer/protocol/interconn/InterConn.cc
@@ -24,7 +24,7 @@ InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
 
 #define NORMAL_LINE_LENGTH 80
 
-int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
+int InterConnEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
 		const u_char* data, const IP_Hdr* /* ip */,
 		const struct tcphdr* /* tp */)
 	{
@@ -37,8 +37,8 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
 	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= max_top_seq )
 		// There is no new data in this packet
@@ -46,7 +46,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
 
 	if ( seq < max_top_seq )
 		{ // Only consider new data
-		int amount_seen = max_top_seq - seq;
+		int64 amount_seen = max_top_seq - seq;
 		seq += amount_seen;
 		data += amount_seen;
 		len -= amount_seen;
@@ -184,7 +184,7 @@ void InterConn_Analyzer::Init()
 	}
 
 void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+			bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
 						seq, ip, caplen);
diff --git a/src/analyzer/protocol/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h
index b13abecab1..a485e05082 100644
--- a/src/analyzer/protocol/interconn/InterConn.h
+++ b/src/analyzer/protocol/interconn/InterConn.h
@@ -13,7 +13,7 @@ class InterConnEndpoint : public BroObj {
 public:
 	InterConnEndpoint(tcp::TCP_Endpoint* e);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -25,7 +25,7 @@ protected:
 
 	tcp::TCP_Endpoint* endp;
 	double last_keystroke_time;
-	int max_top_seq;
+	uint64 max_top_seq;
 	uint32 num_pkts;
 	uint32 num_keystrokes_two_in_a_row;
 	uint32 num_normal_interarrivals;
@@ -56,7 +56,7 @@ protected:
 	// We support both packet and stream input and can be put in place even
 	// if the TCP analyzer is not yet reassembling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	void StatEvent();
diff --git a/src/analyzer/protocol/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc
index 9d216d356b..f003ad6cc5 100644
--- a/src/analyzer/protocol/modbus/Modbus.cc
+++ b/src/analyzer/protocol/modbus/Modbus.cc
@@ -31,7 +31,7 @@ void ModbusTCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	interp->NewData(orig, data, data + len);
 	}
 
-void ModbusTCP_Analyzer::Undelivered(int seq, int len, bool orig)
+void ModbusTCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h
index 6f566be828..41448f69e3 100644
--- a/src/analyzer/protocol/modbus/Modbus.h
+++ b/src/analyzer/protocol/modbus/Modbus.h
@@ -14,7 +14,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc
index 75b6c9f4be..3858f0b2ad 100644
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@@ -211,7 +211,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 		}
 	}
 
-void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig)
+void Contents_NCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h
index 34174df74e..2e06babb8c 100644
--- a/src/analyzer/protocol/ncp/NCP.h
+++ b/src/analyzer/protocol/ncp/NCP.h
@@ -90,7 +90,7 @@ public:
 
 protected:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	NCP_FrameBuffer buffer;
 	NCP_Session* session;
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 4d6ed8e1f1..d65a152b2f 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -513,7 +513,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
 	}
 
 void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h
index 7c2728ef9a..7fbe967841 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.h
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.h
@@ -146,7 +146,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NetbiosSSN_Analyzer(conn); }
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
index b4b63d5634..5778da9a0e 100644
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -25,7 +25,7 @@ void NTP_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
index 201c5a8774..87255fd2e4 100644
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -46,7 +46,7 @@ public:
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	int Request(const u_char* data, int len);
 	int Reply(const u_char* data, int len);
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 388d1d501d..24d4565ce1 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -30,7 +30,7 @@ void PIA::ClearBuffer(Buffer* buffer)
 	buffer->size = 0;
 	}
 
-void PIA::AddToBuffer(Buffer* buffer, int seq, int len, const u_char* data,
+void PIA::AddToBuffer(Buffer* buffer, uint64 seq, int len, const u_char* data,
 			bool is_orig)
 	{
 	u_char* tmp = 0;
@@ -77,7 +77,7 @@ void PIA::PIA_Done()
 	FinishEndpointMatcher();
 	}
 
-void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, int seq,
+void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq,
 				const IP_Hdr* ip, int caplen)
 	{
 	if ( pkt_buffer.state == SKIPPING )
@@ -256,7 +256,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
 	stream_buffer.state = new_state;
 	}
 
-void PIA_TCP::Undelivered(int seq, int len, bool is_orig)
+void PIA_TCP::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
@@ -337,8 +337,8 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 		new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct,
 					tcp->Resp());
 
-	int orig_seq = 0;
-	int resp_seq = 0;
+	uint64 orig_seq = 0;
+	uint64 resp_seq = 0;
 
 	for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
 		{
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index d8c272d219..db387769e8 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -42,7 +42,7 @@ public:
 protected:
 	void PIA_Done();
 	void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen);
+				uint64 seq, const IP_Hdr* ip, int caplen);
 
 	enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
 
@@ -52,7 +52,7 @@ protected:
 		const u_char* data;
 		bool is_orig;
 		int len;
-		int seq;
+		uint64 seq;
 		DataBlock* next;
 	};
 
@@ -65,7 +65,7 @@ protected:
 		State state;
 	};
 
-	void AddToBuffer(Buffer* buffer, int seq, int len,
+	void AddToBuffer(Buffer* buffer, uint64 seq, int len,
 				const u_char* data, bool is_orig);
 	void AddToBuffer(Buffer* buffer, int len,
 				const u_char* data, bool is_orig);
@@ -105,7 +105,7 @@ protected:
 		}
 
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
@@ -150,14 +150,14 @@ protected:
 		}
 
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		}
 
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
-	virtual void Undelivered(int seq, int len, bool is_orig);
+	virtual void Undelivered(uint64 seq, int len, bool is_orig);
 
 	virtual void ActivateAnalyzer(analyzer::Tag tag,
 					const Rule* rule = 0);
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index 1ffc7dd26e..38ed229a10 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -399,7 +399,7 @@ Contents_RPC::~Contents_RPC()
 	{
 	}
 
-void Contents_RPC::Undelivered(int seq, int len, bool orig)
+void Contents_RPC::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 	NeedResync();
@@ -704,7 +704,7 @@ RPC_Analyzer::~RPC_Analyzer()
 	}
 
 void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	len = min(len, caplen);
diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h
index a705d272f6..e87f8afa95 100644
--- a/src/analyzer/protocol/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@@ -203,7 +203,7 @@ protected:
 	virtual void Init();
 	virtual bool CheckResync(int& len, const u_char*& data, bool orig);
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	virtual void NeedResync() {
 		resync_state = NEED_RESYNC;
@@ -234,7 +234,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	void ExpireTimer(double t);
 
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index c3fb21b6a4..c0e34ce6f1 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -76,14 +76,14 @@ void SMTP_Analyzer::Done()
 		EndData();
 	}
 
-void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+void SMTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
 	if ( len <= 0 )
 		return;
 
-	const char* buf = fmt("seq = %d, len = %d", seq, len);
+	const char* buf = fmt("seq = %"PRIu64", len = %d", seq, len);
 	int buf_len = strlen(buf);
 
 	Unexpected(is_orig, "content gap", buf_len, buf);
diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
index cc12167d30..de9dc346ff 100644
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -44,7 +44,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void ConnectionFinished(int half_finished);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
 
diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc
index 76212d822b..e678528f35 100644
--- a/src/analyzer/protocol/socks/SOCKS.cc
+++ b/src/analyzer/protocol/socks/SOCKS.cc
@@ -86,7 +86,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig)
+void SOCKS_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h
index f005967fd8..2c72d507e6 100644
--- a/src/analyzer/protocol/socks/SOCKS.h
+++ b/src/analyzer/protocol/socks/SOCKS.h
@@ -23,7 +23,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index 6cd2fa59f8..5e5d24888a 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -57,7 +57,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void SSL_Analyzer::Undelivered(int seq, int len, bool orig)
+void SSL_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index f674d64fed..7748222dea 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -16,7 +16,7 @@ public:
 	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	// Overriden from tcp::TCP_ApplicationAnalyzer.
 	virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
index 09a7444213..b6473dcf6e 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@@ -63,7 +63,7 @@ void SteppingStoneEndpoint::Done()
 	Event(stp_remove_endp, stp_id);
 	}
 
-int SteppingStoneEndpoint::DataSent(double t, int seq, int len, int caplen,
+int SteppingStoneEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
 		const u_char* data, const IP_Hdr* /* ip */,
 		const struct tcphdr* tp)
 	{
@@ -90,8 +90,8 @@ int SteppingStoneEndpoint::DataSent(double t, int seq, int len, int caplen,
 			break;
 		}
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= stp_max_top_seq )
 		// There is no new data in this packet
@@ -179,7 +179,7 @@ void SteppingStone_Analyzer::Init()
 	}
 
 void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
-						bool is_orig, int seq,
+						bool is_orig, uint64 seq,
 						const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h
index 1471c08a3b..518cd64a21 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h
@@ -22,7 +22,7 @@ public:
 	~SteppingStoneEndpoint();
 	void Done();
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 protected:
@@ -30,7 +30,7 @@ protected:
 	void CreateEndpEvent(int is_orig);
 
 	tcp::TCP_Endpoint* endp;
-	int stp_max_top_seq;
+	uint64 stp_max_top_seq;
 	double stp_last_time;
 	double stp_resume_time;
 	SteppingStoneManager* stp_manager;
@@ -60,7 +60,7 @@ protected:
 	// We support both packet and stream input and can be put in place even
 	// if the TCP analyzer is not yet reassebmling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	int orig_stream_pos;
diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc
index 2b783afc64..5e5ce907e6 100644
--- a/src/analyzer/protocol/syslog/Syslog.cc
+++ b/src/analyzer/protocol/syslog/Syslog.cc
@@ -28,7 +28,7 @@ void Syslog_Analyzer::Done()
 		Event(udp_session_done);
 	}
 
-void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->NewData(orig, data, data + len);
@@ -88,7 +88,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int
 //	interp->NewData(orig, data, data + len);
 //	}
 
-//void Syslog_tcp::TCP_Analyzer::Undelivered(int seq, int len, bool orig)
+//void Syslog_tcp::TCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 //	{
 //	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 //	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h
index 355863e36e..619ddb39ba 100644
--- a/src/analyzer/protocol/syslog/Syslog.h
+++ b/src/analyzer/protocol/syslog/Syslog.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Syslog_Analyzer(conn); }
@@ -38,7 +38,7 @@ protected:
 //
 //	virtual void Done();
 //	virtual void DeliverStream(int len, const u_char* data, bool orig);
-//	virtual void Undelivered(int seq, int len, bool orig);
+//	virtual void Undelivered(uint64 seq, int len, bool orig);
 //	virtual void EndpointEOF(tcp::TCP_Reassembler* endp);
 //
 //	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc
index 63a3c07f00..72314dd45d 100644
--- a/src/analyzer/protocol/tcp/ContentLine.cc
+++ b/src/analyzer/protocol/tcp/ContentLine.cc
@@ -109,7 +109,7 @@ void ContentLine_Analyzer::DeliverStream(int len, const u_char* data,
 	seq += len;
 	}
 
-void ContentLine_Analyzer::Undelivered(int seq, int len, bool orig)
+void ContentLine_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	ForwardUndelivered(seq, len, orig);
 	}
diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h
index ecc1347984..93c473c47c 100644
--- a/src/analyzer/protocol/tcp/ContentLine.h
+++ b/src/analyzer/protocol/tcp/ContentLine.h
@@ -53,14 +53,14 @@ public:
 	void SkipBytesAfterThisLine(int64_t length);
 	void SkipBytes(int64_t length);
 
-	bool IsSkippedContents(int64_t seq, int64_t length)
+	bool IsSkippedContents(uint64_t seq, int64_t length)
 		{ return seq + length <= seq_to_skip; }
 
 protected:
 	ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
 
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	class State;
@@ -71,19 +71,19 @@ protected:
 	void CheckNUL();
 
 	// Returns the sequence number delivered so far.
-	int64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
+	uint64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
 
 	u_char* buf;	// where we build up the body of the request
 	int offset;	// where we are in buf
 	int buf_len;	// how big buf is, total
 	unsigned int last_char;	// last (non-option) character scanned
 
-	int64_t seq;	// last seq number
-	int64_t seq_to_skip;
+	uint64_t seq;	// last seq number
+	uint64_t seq_to_skip;
 
 	// Seq delivered up to through NewLine() -- it is adjusted
 	// *before* NewLine() is called.
-	int64_t seq_delivered_in_lines;
+	uint64_t seq_delivered_in_lines;
 
 	// Number of bytes to be skipped after this line. See
 	// comments in SkipBytesAfterThisLine().
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index c422d01f32..552a73b7ea 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -36,1088 +36,8 @@ namespace { // local namespace
 static const int ORIG = 1;
 static const int RESP = 2;
 
-TCP_Analyzer::TCP_Analyzer(Connection* conn)
-: TransportLayerAnalyzer("TCP", conn)
-	{
-	// Set a timer to eventually time out this connection.
-	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
-				network_time + tcp_SYN_timeout, 0,
-				TIMER_TCP_EXPIRE);
-
-	deferred_gen_event = close_deferred = 0;
-
-	seen_first_ACK = 0;
-	is_active = 1;
-	finished = 0;
-	reassembling = 0;
-	first_packet_seen = 0;
-	is_partial = 0;
-
-	orig = new TCP_Endpoint(this, 1);
-	resp = new TCP_Endpoint(this, 0);
-
-	orig->SetPeer(resp);
-	resp->SetPeer(orig);
-	}
-
-TCP_Analyzer::~TCP_Analyzer()
-	{
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		delete *i;
-
-	delete orig;
-	delete resp;
-	}
-
-void TCP_Analyzer::Init()
-	{
-	Analyzer::Init();
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->Init();
-	}
-
-void TCP_Analyzer::Done()
-	{
-	Analyzer::Done();
-
-	if ( connection_pending && is_active && ! BothClosed() )
-		Event(connection_pending);
-
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->Done();
-
-	orig->Done();
-	resp->Done();
-
-	finished = 1;
-	}
-
-void TCP_Analyzer::EnableReassembly()
-	{
-	SetReassembler(new TCP_Reassembler(this, this,
-	                                   TCP_Reassembler::Forward, orig),
-	               new TCP_Reassembler(this, this,
-	                                   TCP_Reassembler::Forward, resp));
-
-	reassembling = 1;
-
-	if ( new_connection_contents )
-		Event(new_connection_contents);
-	}
-
-void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
-					TCP_Reassembler* rresp)
-	{
-	orig->AddReassembler(rorig);
-	rorig->SetDstAnalyzer(this);
-	resp->AddReassembler(rresp);
-	rresp->SetDstAnalyzer(this);
-
-	reassembling = 1;
-
-	if ( new_connection_contents )
-		Event(new_connection_contents);
-	}
-
-const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
-							int& len, int& caplen)
-	{
-	const struct tcphdr* tp = (const struct tcphdr*) data;
-	uint32 tcp_hdr_len = tp->th_off * 4;
-
-	if ( tcp_hdr_len < sizeof(struct tcphdr) )
-		{
-		Weird("bad_TCP_header_len");
-		return 0;
-		}
-
-	if ( tcp_hdr_len > uint32(len) ||
-	     sizeof(struct tcphdr) > uint32(caplen) )
-		{
-		// This can happen even with the above test, due to TCP
-		// options.
-		Weird("truncated_header");
-		return 0;
-		}
-
-	len -= tcp_hdr_len;	// remove TCP header
-	caplen -= tcp_hdr_len;
-	data += tcp_hdr_len;
-
-	return tp;
-	}
-
-bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
-				TCP_Endpoint* endpoint, int len, int caplen)
-	{
-	if ( ! ignore_checksums && caplen >= len &&
-	     ! endpoint->ValidChecksum(tp, len) )
-		{
-		Weird("bad_TCP_checksum");
-		endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C');
-		return false;
-		}
-	else
-		return true;
-	}
-
-void TCP_Analyzer::CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
-					uint32 base_seq, int len, int dst_port)
-	{
-	bool is_orig = endpoint->IsOrig();
-
-	if ( is_orig && ! (first_packet_seen & ORIG) )
-		is_partial = ! flags.SYN() || flags.ACK();
-
-	if ( ! is_orig && ! (first_packet_seen & RESP) && ! is_partial )
-		is_partial = ! flags.SYN();
-
-	int bits_set = (flags.SYN() ? 1 : 0) + (flags.FIN() ? 1 : 0) +
-			(flags.RST() ? 1 : 0);
-	if ( bits_set > 1 )
-		{
-		if ( flags.FIN() && flags.RST() )
-			endpoint->CheckHistory(HIST_FIN_RST_PKT, 'I');
-		else
-			endpoint->CheckHistory(HIST_MULTI_FLAG_PKT, 'Q');
-		}
-
-	else if ( bits_set == 1 )
-		{
-		if ( flags.SYN() )
-			{
-			char code = flags.ACK() ? 'H' : 'S';
-
-			if ( endpoint->CheckHistory(HIST_SYN_PKT, code) &&
-			     base_seq != endpoint->hist_last_SYN )
-				endpoint->AddHistory(code);
-
-			endpoint->hist_last_SYN = base_seq;
-			}
-
-		if ( flags.FIN() )
-			{
-			// For FIN's, the sequence number comes at the
-			// end of (any data in) the packet, not the
-			// beginning as for SYNs and RSTs.
-			if ( endpoint->CheckHistory(HIST_FIN_PKT, 'F') &&
-			     base_seq + len != endpoint->hist_last_FIN )
-				endpoint->AddHistory('F');
-
-			endpoint->hist_last_FIN = base_seq + len;
-			}
-
-		if ( flags.RST() )
-			{
-			if ( endpoint->CheckHistory(HIST_RST_PKT, 'R') &&
-			     base_seq != endpoint->hist_last_RST )
-				endpoint->AddHistory('R');
-
-			endpoint->hist_last_RST = base_seq;
-			}
-		}
-
-	else
-		{ // bits_set == 0
-		if ( len )
-			endpoint->CheckHistory(HIST_DATA_PKT, 'D');
-
-		else if ( flags.ACK() )
-			endpoint->CheckHistory(HIST_ACK_PKT, 'A');
-		}
-	}
-
-void TCP_Analyzer::UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
-				uint32 base_seq, uint32 ack_seq,
-				TCP_Flags flags)
-	{
-	// Note, the offered window on an initial SYN is unscaled, even
-	// if the SYN includes scaling, so we need to do the following
-	// test *before* updating the scaling information below.  (Hmmm,
-	// how does this work for windows on SYN/ACKs? ###)
-	int scale = endpoint->window_scale;
-	window = window << scale;
-
-	// Don't analyze window values off of SYNs, they're sometimes
-	// immediately rescinded.
-	if ( ! flags.SYN() )
-		{
-		// ### Decide whether to accept new window based on Active
-		// Mapping policy.
-		if ( int(base_seq - endpoint->window_seq) >= 0 &&
-		     int(ack_seq - endpoint->window_ack_seq) >= 0 )
-			{
-			uint32 new_edge = ack_seq + window;
-			uint32 old_edge = endpoint->window_ack_seq + endpoint->window;
-			int advance = new_edge - old_edge;
-
-			if ( advance < 0 )
-				{
-				// A window recision.  We don't report these
-				// for FINs or RSTs, or if the connection
-				// has already been partially closed, since
-				// such recisions occur frequently in practice,
-				// probably as the receiver loses buffer memory
-				// due to its process going away.
-				//
-				// We also, for window scaling, allow a bit
-				// of slop ###.  This is because sometimes
-				// there will be an apparent recision due
-				// to the granularity of the scaling.
-				if ( ! flags.FIN() && ! flags.RST() &&
-				     endpoint->state != TCP_ENDPOINT_CLOSED &&
-				     endpoint->state != TCP_ENDPOINT_RESET &&
-				     (-advance) >= (1 << scale) )
-					Weird("window_recision");
-				}
-
-			endpoint->window = window;
-			endpoint->window_ack_seq = ack_seq;
-			endpoint->window_seq = base_seq;
-			}
-		}
-	}
-
-void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
-				uint32 tcp_hdr_len, int& seq_len,
-				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 ack_seq,
-				const IPAddr& orig_addr,
-				int is_orig, TCP_Flags flags)
-	{
-	int len = seq_len;
-
-	++seq_len;	// SYN consumes a byte of sequence space
-
-	if ( flags.RST() )
-		Weird("TCP_christmas");
-
-	if ( flags.URG() )
-		Weird("baroque_SYN");
-
-	if ( len > 0 )
-		// T/TCP definitely complicates this.
-		Weird("SYN_with_data");
-
-	RecordVal* SYN_vals = BuildSYNPacketVal(is_orig, ip, tp)->AsRecordVal();
-
-	// ### In the following, we could be fooled by an
-	// inconsistent SYN retransmission.  Where's a normalizer
-	// when you need one?
-
-	// ### We know that field 5 is the window scaling ....
-	int scale = int(SYN_vals->Lookup(5)->CoerceToInt());
-
-	if ( scale < 0 )
-		{ // no window scaling option
-		if ( flags.ACK() )
-			{ // window scaling not negotiated
-			endpoint->window_scale = 0;
-			peer->window_scale = 0;
-			}
-		else
-			// We're not offering window scaling.
-			// Ideally, we'd remember this fact so that
-			// if the SYN/ACK *does* include window
-			// scaling, we know it won't be negotiated.
-			// But it's a pain to track that, and hard
-			// to see how an adversarial responder could
-			// use it to evade.  Also, if we *do* want
-			// to track it, we could do so using
-			// connection_SYN_packet.
-			endpoint->window_scale = 0;
-		}
-	else
-		{
-		endpoint->window_scale = scale;
-		endpoint->window_seq = base_seq;
-		endpoint->window_ack_seq = ack_seq;
-
-		peer->window_seq = ack_seq;
-		peer->window_ack_seq = base_seq;
-		}
-
-	if ( connection_SYN_packet )
-		{
-		val_list* vl = new val_list;
-		vl->append(BuildConnVal());
-		vl->append(SYN_vals);
-		ConnectionEvent(connection_SYN_packet, vl);
-		}
-	else
-		Unref(SYN_vals);
-
-	// Passive fingerprinting.
-	//
-	// is_orig will be removed once we can do SYN-ACK fingerprinting.
-	if ( OS_version_found && is_orig )
-		{
-		AddrVal src_addr_val(orig_addr);
-		if ( generate_OS_version_event->Size() == 0 ||
-		     generate_OS_version_event->Lookup(&src_addr_val) )
-			{
-			RecordVal* OS_val =
-				BuildOSVal(is_orig, ip, tp, tcp_hdr_len);
-			if ( OS_val )
-				{ // found new OS version
-				val_list* vl = new val_list;
-				vl->append(BuildConnVal());
-				vl->append(new AddrVal(orig_addr));
-				vl->append(OS_val);
-				ConnectionEvent(OS_version_found, vl);
-				}
-			}
-		}
-	}
-
-void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
-				int& seq_len, uint32 base_seq)
-	{
-	++seq_len;  // FIN consumes a byte of sequence space.
-	++endpoint->FIN_cnt;  // remember that we've seen a FIN
-
-	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-	     endpoint->FIN_cnt == tcp_storm_thresh )
-		Weird("FIN_storm");
-
-	// Remember the relative seq in FIN_seq.
-	endpoint->FIN_seq = base_seq - endpoint->StartSeq() + seq_len;
-	}
-
-void TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint,
-				const IP_Hdr* ip, uint32 base_seq,
-				int len, int& seq_len)
-	{
-	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-	     ++endpoint->RST_cnt == tcp_storm_thresh )
-		Weird("RST_storm");
-
-	else if ( endpoint->RST_cnt == 0 )
-		++endpoint->RST_cnt;	// Remember we've seen a RST
-
-	if ( len > 0 )
-		{
-		// This now happens often enough that it's
-		// not in the least interesting.
-		// Weird("RST_with_data");
-
-		// Don't include the data in the computation of
-		// the sequence space for this connection, as
-		// it's not in fact part of the TCP stream.
-		seq_len = 0;
-		}
-
-	PacketWithRST();
-	}
-
-void TCP_Analyzer::ProcessFlags(double t,
-				const IP_Hdr* ip, const struct tcphdr* tp,
-				uint32 tcp_hdr_len, int len, int& seq_len,
-				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 ack_seq,
-				const IPAddr& orig_addr,
-				int is_orig, TCP_Flags flags)
-	{
-	if ( flags.SYN() )
-		ProcessSYN(ip, tp, tcp_hdr_len, seq_len, endpoint, peer,
-				base_seq, ack_seq, orig_addr, is_orig, flags);
-
-	if ( flags.FIN() )
-		ProcessFIN(t, endpoint, seq_len, base_seq);
-
-	if ( flags.RST() )
-		ProcessRST(t, endpoint, ip, base_seq, len, seq_len);
-
-	if ( flags.ACK() )
-		ProcessACK(endpoint, peer, ack_seq, is_orig, flags);
-	}
-
-void TCP_Analyzer::TransitionFromInactive(double t, TCP_Endpoint* endpoint,
-						uint32 base_seq,
-						uint32 last_seq, int SYN)
-	{
-	if ( SYN )
-		{
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-		endpoint->InitAckSeq(base_seq);
-		endpoint->InitStartSeq(base_seq);
-		}
-	else
-		{
-		// This is a partial connection - set up the
-		// initial sequence numbers as though we saw
-		// a SYN, to keep the relative byte numbering
-		// consistent.
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq - 1;
-		endpoint->InitAckSeq(base_seq - 1);
-		endpoint->InitStartSeq(base_seq - 1);
-		}
-
-	// ## endpoint->last_seq = last_seq;
-	endpoint->InitLastSeq(last_seq);
-	endpoint->start_time = t;
-	}
-
-int TCP_Analyzer::UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
-					TCP_Flags flags)
-	{
-	int delta_last = seq_delta(last_seq, endpoint->LastSeq());
-
-	if ( (flags.SYN() || flags.RST()) &&
-	     (delta_last > TOO_LARGE_SEQ_DELTA ||
-	      delta_last < -TOO_LARGE_SEQ_DELTA) )
-		// ### perhaps trust RST seq #'s if initial and not too
-		// outlandish, but not if they're coming after the other
-		// side has sent a FIN - trust the FIN ack instead
-		;
-
-	else if ( flags.FIN() &&
-		  endpoint->LastSeq() == endpoint->StartSeq() + 1 )
-		// Update last_seq based on the FIN even if delta_last < 0.
-		// This is to accommodate > 2 GB connections for which
-		// we've only seen the SYN and the FIN (hence the check
-		// for last_seq == start_seq + 1).
-		endpoint->UpdateLastSeq(last_seq);
-
-	else if ( endpoint->state == TCP_ENDPOINT_RESET )
-		// don't trust any subsequent sequence numbers
-		;
-
-	else if ( delta_last > 0 )
-		// ### check for large jumps here.
-		// ## endpoint->last_seq = last_seq;
-		endpoint->UpdateLastSeq(last_seq);
-
-	else if ( delta_last <= 0 )
-		{ // ### ++retransmit, unless this is a pure ack
-		}
-
-	return delta_last;
-	}
-
-void TCP_Analyzer::ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 ack_seq, int is_orig,
-				TCP_Flags flags)
-	{
-	if ( is_orig && ! seen_first_ACK &&
-	     (endpoint->state == TCP_ENDPOINT_ESTABLISHED ||
-	      endpoint->state == TCP_ENDPOINT_SYN_SENT) )
-		{
-		seen_first_ACK = 1;
-		Event(connection_first_ACK);
-		}
-
-	if ( peer->state == TCP_ENDPOINT_INACTIVE )
-		{
-		if ( ! flags.SYN() && ! flags.FIN() && ! flags.RST() )
-			{
-			if ( endpoint->state == TCP_ENDPOINT_SYN_SENT ||
-			     endpoint->state == TCP_ENDPOINT_SYN_ACK_SENT ||
-			     endpoint->state == TCP_ENDPOINT_ESTABLISHED )
-				{
-				// We've already sent a SYN, but that
-				// hasn't roused the other end, yet we're
-				// ack'ing their data.
-
-				if ( ! Conn()->DidWeird() )
-					Weird("possible_split_routing");
-				}
-			}
-
-		// Start the sequence numbering as if there was an initial
-		// SYN, so the relative numbering of subsequent data packets
-		// stays consistent.
-		// ## peer->start_seq = peer->AckSeq() = peer->last_seq =
-		// ## 	ack_seq - 1;
-		peer->InitStartSeq(ack_seq - 1);
-		peer->InitAckSeq(ack_seq - 1);
-		peer->InitLastSeq(ack_seq - 1);
-		}
-
-	else if ( ! flags.RST() )
-		{ // don't trust ack's in RST packets
-		int delta_ack = seq_delta(ack_seq, peer->AckSeq());
-		if ( ack_seq == 0 && delta_ack > TOO_LARGE_SEQ_DELTA )
-			// More likely that this is a broken ack than a
-			// large connection that happens to land on 0 in the
-			// sequence space.
-			;
-
-		else if ( delta_ack > 0 )
-			peer->UpdateAckSeq(ack_seq);
-		}
-
-	peer->AckReceived(ack_seq - peer->StartSeq());
-	}
-
-void TCP_Analyzer::UpdateInactiveState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			int len, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( is_orig )
-			{
-			if ( flags.ACK() )
-				{
-				Weird("connection_originator_SYN_ack");
-				endpoint->SetState(TCP_ENDPOINT_SYN_ACK_SENT);
-				}
-			else
-				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
-
-			if ( tcp_attempt_delay )
-				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
-					t + tcp_attempt_delay, 1,
-					TIMER_TCP_ATTEMPT);
-			}
-		else
-			{
-			if ( flags.ACK() )
-				{
-				if ( peer->state != TCP_ENDPOINT_INACTIVE &&
-				     peer->state != TCP_ENDPOINT_PARTIAL &&
-				     ! seq_between(ack_seq, peer->StartSeq(), peer->LastSeq()) )
-					Weird("bad_SYN_ack");
-				}
-
-			else if ( peer->state == TCP_ENDPOINT_SYN_ACK_SENT &&
-				  base_seq == endpoint->StartSeq() )
-				{
-				// This is a SYN/SYN-ACK reversal,
-				// per the discussion in IsReuse.
-				// Flip the endpoints and establish
-				// the connection.
-				is_partial = 0;
-				Conn()->FlipRoles();
-				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-				}
-
-			else
-				Weird("simultaneous_open");
-
-			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
-				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
-				{
-				// If we were to ignore SYNs and
-				// only instantiate state on SYN
-				// acks, then we'd do:
-				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-				// here.
-				Weird("unsolicited_SYN_response");
-				}
-
-			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
-
-			if ( peer->state != TCP_ENDPOINT_PARTIAL )
-				{
-				Event(connection_established);
-				Conn()->EnableStatusUpdateTimer();
-				}
-			}
-		}
-
-	if ( flags.FIN() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-		do_close = gen_event = 1;
-		if ( peer->state != TCP_ENDPOINT_PARTIAL && ! flags.SYN() )
-			Weird("spontaneous_FIN");
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-
-		int is_reject = 0;
-
-		if ( is_orig )
-			{
-			// If our peer is established then we saw
-			// a SYN-ack but not SYN - so a reverse
-			// scan, and we should treat this as a
-			// reject.
-			if ( peer->state == TCP_ENDPOINT_ESTABLISHED )
-				is_reject = 1;
-			}
-
-		else if ( peer->state == TCP_ENDPOINT_SYN_SENT ||
-			  peer->state == TCP_ENDPOINT_SYN_ACK_SENT )
-			// We're rejecting an initial SYN.
-			is_reject = 1;
-
-		do_close = 1;
-		gen_event = ! is_reject;
-
-		if ( is_reject )
-			Event(connection_rejected);
-
-		else if ( peer->state == TCP_ENDPOINT_INACTIVE )
-			Weird("spontaneous_RST");
-		}
-
-	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
-		{ // No control flags to change the state.
-		if ( ! is_orig && len == 0 &&
-		     orig->state == TCP_ENDPOINT_SYN_SENT )
-			// Some eccentric TCP's will ack an initial
-			// SYN prior to sending a SYN reply (hello,
-			// ftp.microsoft.com).  For those, don't
-			// consider the ack as forming a partial
-			// connection.
-			;
-		else
-			{
-			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
-			Conn()->EnableStatusUpdateTimer();
-
-			if ( peer->state == TCP_ENDPOINT_PARTIAL )
-				// We've seen both sides of a partial
-				// connection, report it.
-				Event(partial_connection);
-			}
-		}
-	}
-
-void TCP_Analyzer::UpdateSYN_SentState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 last_seq,
-			int len, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( is_orig )
-			{
-			if ( flags.ACK() && ! flags.FIN() && ! flags.RST() &&
-			     endpoint->state != TCP_ENDPOINT_SYN_ACK_SENT )
-				Weird("repeated_SYN_with_ack");
-			}
-		else
-			{
-			if ( ! flags.ACK() &&
-			     endpoint->state != TCP_ENDPOINT_SYN_SENT )
-				Weird("repeated_SYN_reply_wo_ack");
-			}
-
-		if ( base_seq != endpoint->StartSeq() )
-			{
-			Weird("SYN_seq_jump");
-			// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-			// ## endpoint->last_seq = last_seq;
-			endpoint->InitStartSeq(base_seq);
-			endpoint->InitAckSeq(base_seq);
-			endpoint->InitLastSeq(last_seq);
-			}
-		}
-
-	if ( flags.FIN() )
-		{
-		if ( peer->state == TCP_ENDPOINT_INACTIVE ||
-		     peer->state == TCP_ENDPOINT_SYN_SENT )
-			Weird("inappropriate_FIN");
-
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-		do_close = gen_event = 1;
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-		ConnectionReset();
-		do_close = 1;
-		}
-
-	else if ( len > 0 )
-		Weird("data_before_established");
-	}
-
-void TCP_Analyzer::UpdateEstablishedState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 last_seq,
-			int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( endpoint->state == TCP_ENDPOINT_PARTIAL &&
-		     peer->state == TCP_ENDPOINT_INACTIVE && ! flags.ACK() )
-			{
-			Weird("SYN_after_partial");
-			endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
-			}
-
-		if ( endpoint->Size() > 0 )
-			Weird("SYN_inside_connection");
-
-		if ( base_seq != endpoint->StartSeq() )
-			Weird("SYN_seq_jump");
-
-		// Make a guess that somehow the connection didn't
-		// get established, and this SYN will be the
-		// one that actually sets it up.
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-		// ## endpoint->last_seq = last_seq;
-		endpoint->InitStartSeq(base_seq);
-		endpoint->InitAckSeq(base_seq);
-		endpoint->InitLastSeq(last_seq);
-		}
-
-	if ( flags.FIN() && ! flags.RST() )	// ###
-		{ // should check sequence/ack numbers here ###
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-
-		if ( peer->state == TCP_ENDPOINT_RESET &&
-		     peer->prev_state == TCP_ENDPOINT_CLOSED )
-			// The peer sent a FIN followed by a RST.
-			// Turn it back into CLOSED state, because
-			// this was actually normal termination.
-			peer->SetState(TCP_ENDPOINT_CLOSED);
-
-		do_close = gen_event = 1;
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-		do_close = 1;
-
-		if ( peer->state != TCP_ENDPOINT_RESET ||
-		     peer->prev_state != TCP_ENDPOINT_ESTABLISHED )
-			ConnectionReset();
-		}
-	}
-
-void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
-				int delta_last, TCP_Flags flags, int& do_close)
-	{
-	if ( flags.SYN() )
-		Weird("SYN_after_close");
-
-	if ( flags.FIN() && delta_last > 0 )
-		// Probably should also complain on FIN recision.
-		// That requires an extra state variable to avoid
-		// generating slews of weird's when a TCP gets
-		// seriously confused (this from experience).
-		Weird("FIN_advanced_last_seq");
-
-	// Previously, our state was CLOSED, since we sent a FIN.
-	// If our peer was also closed, then don't change our state
-	// now on a RST, since this connection has already seen a FIN
-	// exchange.
-	if ( flags.RST() && endpoint->peer->state != TCP_ENDPOINT_CLOSED )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-
-		if ( ! endpoint->did_close )
-			// RST after FIN.
-			do_close = 1;
-
-		if ( connection_reset )
-			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
-					t + tcp_reset_delay, 1,
-					TIMER_TCP_RESET);
-		}
-	}
-
-void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags,
-                                    TCP_Endpoint* endpoint, uint32 base_seq,
-                                    uint32 last_seq)
-	{
-	if ( flags.SYN() )
-		{
-		Weird("SYN_after_reset");
-
-		if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE )
-			{
-			// Seq. numbers were initialized by a RST packet from this endpoint,
-			// but now that a SYN is seen from it, that could mean the earlier
-			// RST was spoofed/injected, so re-initialize.  This mostly just
-			// helps prevent misrepresentations of payload sizes that are based
-			// on bad initial sequence values.
-			endpoint->InitStartSeq(base_seq);
-			endpoint->InitAckSeq(base_seq);
-			endpoint->InitLastSeq(last_seq);
-			}
-		}
-
-	if ( flags.FIN() )
-		Weird("FIN_after_reset");
-
-	if ( len > 0 && ! flags.RST() )
-		Weird("data_after_reset");
-	}
-
-void TCP_Analyzer::UpdateStateMachine(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
-			int len, int delta_last, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	do_close = 0;	// whether to report the connection as closed
-	gen_event = 0;	// if so, whether to generate an event
-
-	switch ( endpoint->state ) {
-
-	case TCP_ENDPOINT_INACTIVE:
-		UpdateInactiveState(t, endpoint, peer, base_seq, ack_seq,
-					len, is_orig, flags,
-					do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_SYN_SENT:
-	case TCP_ENDPOINT_SYN_ACK_SENT:
-		UpdateSYN_SentState(t, endpoint, peer, base_seq, last_seq,
-					len, is_orig, flags,
-					do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_ESTABLISHED:
-	case TCP_ENDPOINT_PARTIAL:
-		UpdateEstablishedState(t, endpoint, peer, base_seq, last_seq,
-					is_orig, flags, do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_CLOSED:
-		UpdateClosedState(t, endpoint, delta_last, flags, do_close);
-		break;
-
-	case TCP_ENDPOINT_RESET:
-		UpdateResetState(len, flags, endpoint, base_seq, last_seq);
-		break;
-	}
-	}
-
-void TCP_Analyzer::GeneratePacketEvent(TCP_Endpoint* endpoint,
-					TCP_Endpoint* peer,
-					uint32 base_seq, uint32 ack_seq,
-					const u_char* data, int len, int caplen,
-					int is_orig, TCP_Flags flags)
-	{
-	char tcp_flags[256];
-	int tcp_flag_len = 0;
-
-	if ( flags.SYN() ) tcp_flags[tcp_flag_len++] = 'S';
-	if ( flags.FIN() ) tcp_flags[tcp_flag_len++] = 'F';
-	if ( flags.RST() ) tcp_flags[tcp_flag_len++] = 'R';
-	if ( flags.ACK() ) tcp_flags[tcp_flag_len++] = 'A';
-	if ( flags.PUSH() ) tcp_flags[tcp_flag_len++] = 'P';
-	if ( flags.URG() ) tcp_flags[tcp_flag_len++] = 'U';
-
-	tcp_flags[tcp_flag_len] = '\0';
-
-	val_list* vl = new val_list();
-
-	vl->append(BuildConnVal());
-	vl->append(new Val(is_orig, TYPE_BOOL));
-	vl->append(new StringVal(tcp_flags));
-	vl->append(new Val(base_seq - endpoint->StartSeq(), TYPE_COUNT));
-	vl->append(new Val(flags.ACK() ?
-			ack_seq - peer->StartSeq() : 0, TYPE_COUNT));
-	vl->append(new Val(len, TYPE_COUNT));
-
-	// We need the min() here because Ethernet padding can lead to
-	// caplen > len.
-	vl->append(new StringVal(min(caplen, len), (const char*) data));
-
-	ConnectionEvent(tcp_packet, vl);
-	}
-
-int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
-				const IP_Hdr* ip, const struct tcphdr* tp,
-				TCP_Endpoint* endpoint, uint32 base_seq,
-				int is_orig, TCP_Flags flags)
-	{
-	int data_seq = base_seq - endpoint->StartSeq();
-	if ( flags.SYN() )
-		++data_seq;	// skip over SYN octet
-
-	int need_contents = endpoint->DataSent(t, data_seq,
-					len, caplen, data, ip, tp);
-
-	return need_contents;
-	}
-
-void TCP_Analyzer::CheckRecording(int need_contents, TCP_Flags flags)
-	{
-	bool record_current_content = need_contents || Conn()->RecordContents();
-	bool record_current_packet =
-		Conn()->RecordPackets() ||
-		flags.SYN() || flags.FIN() || flags.RST();
-
-	Conn()->SetRecordCurrentContent(record_current_content);
-	Conn()->SetRecordCurrentPacket(record_current_packet);
-	}
-
-void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
-	{
-	if ( is_orig && ! (first_packet_seen & ORIG) )
-		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
-		if ( pia )
-			pia->FirstPacket(is_orig, ip);
-		first_packet_seen |= ORIG;
-		}
-
-	if ( ! is_orig && ! (first_packet_seen & RESP) )
-		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
-		if ( pia )
-			pia->FirstPacket(is_orig, ip);
-		first_packet_seen |= RESP;
-		}
-	}
-
-void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
-	{
-	TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	const struct tcphdr* tp = ExtractTCP_Header(data, len, caplen);
-	if ( ! tp )
-		return;
-
-	// We need the min() here because Ethernet frame padding can lead to
-	// caplen > len.
-	if ( packet_contents )
-		PacketContents(data, min(len, caplen));
-
-	TCP_Endpoint* endpoint = is_orig ? orig : resp;
-	TCP_Endpoint* peer = endpoint->peer;
-
-	if ( ! ValidateChecksum(tp, endpoint, len, caplen) )
-		return;
-
-	TCP_Flags flags(tp);
-
-	uint32 base_seq = ntohl(tp->th_seq);
-	uint32 ack_seq = ntohl(tp->th_ack);
-
-	CheckFlagCombos(flags, endpoint, base_seq, len, ntohs(tp->th_dport));
-
-	UpdateWindow(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags);
-
-	double t = current_timestamp;
-
-	if ( ! orig->did_close || ! resp->did_close )
-		Conn()->SetLastTime(t);
-
-	const IPAddr orig_addr = Conn()->OrigAddr();
-
-	uint32 tcp_hdr_len = data - (const u_char*) tp;
-
-	int seq_len = len;	// length in terms of sequence space
-
-	ProcessFlags(t, ip, tp, tcp_hdr_len, len, seq_len, endpoint, peer, base_seq,
-	             ack_seq, orig_addr, is_orig, flags);
-
-	uint32 last_seq = base_seq + seq_len;
-
-	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
-		TransitionFromInactive(t, endpoint, base_seq, last_seq,
-					flags.SYN());
-
-	int delta_last = UpdateLastSeq(endpoint, last_seq, flags);
-
-	endpoint->last_time = t;
-
-	int do_close;
-	int gen_event;
-	UpdateStateMachine(t, endpoint, peer, base_seq, ack_seq, last_seq,
-				len, delta_last, is_orig, flags,
-				do_close, gen_event);
-
-	if ( tcp_packet )
-		GeneratePacketEvent(endpoint, peer, base_seq, ack_seq,
-					data, len, caplen, is_orig, flags);
-
-	if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
-	     tcp_hdr_len <= uint32(caplen) )
-		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
-
-	if ( DEBUG_tcp_data_sent )
-		{
-		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
-			  network_time, len, caplen, Skipping());
-		}
-
-	int need_contents = 0;
-	if ( len > 0 && (caplen >= len || packet_children.size()) &&
-	     ! flags.RST() && ! Skipping() )
-		need_contents = DeliverData(t, data, len, caplen, ip, tp,
-						endpoint, base_seq,
-						is_orig, flags);
-
-	endpoint->CheckEOF();
-
-	if ( do_close )
-		{
-		// We need to postpone doing this until after we process
-		// DataSent, so we don't generate a connection_finished event
-		// until after data perhaps included with the FIN is processed.
-		ConnectionClosed(endpoint, peer, gen_event);
-		}
-
-	CheckRecording(need_contents, flags);
-
-	// Handle child_packet analyzers.  Note: This happens *after* the
-	// packet has been processed and the TCP state updated.
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->NextPacket(len, data, is_orig,
-				base_seq - endpoint->StartSeq(), ip, caplen);
-
-	if ( ! reassembling )
-		ForwardPacket(len, data, is_orig,
-				base_seq - endpoint->StartSeq(), ip, caplen);
-
-	CheckPIA_FirstPacket(is_orig, ip);
-	}
-
-void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	Analyzer::DeliverStream(len, data, orig);
-	}
-
-void TCP_Analyzer::Undelivered(int seq, int len, bool is_orig)
-	{
-	Analyzer::Undelivered(seq, len, orig);
-	}
-
-void TCP_Analyzer::FlipRoles()
-	{
-	Analyzer::FlipRoles();
-
-	sessions->tcp_stats.FlipState(orig->state, resp->state);
-	TCP_Endpoint* tmp_ep = resp;
-	resp = orig;
-	orig = tmp_ep;
-	orig->is_orig = !orig->is_orig;
-	resp->is_orig = !resp->is_orig;
-	}
-
-void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
-	{
-	RecordVal *orig_endp_val = conn_val->Lookup("orig")->AsRecordVal();
-	RecordVal *resp_endp_val = conn_val->Lookup("resp")->AsRecordVal();
-
-	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
-	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
-	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
-	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
-
-	// Call children's UpdateConnVal
-	Analyzer::UpdateConnVal(conn_val);
-
-	// Have to do packet_children ourselves.
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->UpdateConnVal(conn_val);
-	}
-
-Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
-					const struct tcphdr* tcp)
+static RecordVal* build_syn_packet_val(int is_orig, const IP_Hdr* ip,
+                                       const struct tcphdr* tcp)
 	{
 	int winscale = -1;
 	int MSS = 0;
@@ -1195,8 +115,8 @@ Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
 	return v;
 	}
 
-RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
-			const struct tcphdr* tcp, uint32 tcp_hdr_len)
+static RecordVal* build_os_val(int is_orig, const IP_Hdr* ip,
+                               const struct tcphdr* tcp, uint32 tcp_hdr_len)
 	{
 	if ( ! is_orig )
 		// Later we might use SYN-ACK fingerprinting here.
@@ -1361,6 +281,1134 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
 	return 0;
 	}
 
+
+static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
+                                const IP_Hdr* ip, const struct tcphdr* tp,
+                                uint32 tcp_hdr_len)
+	{
+	// is_orig will be removed once we can do SYN-ACK fingerprinting
+	if ( OS_version_found && is_orig )
+		{
+		const IPAddr& orig_addr = tcp->Conn()->OrigAddr();
+		AddrVal* src_addr_val = new AddrVal(orig_addr);
+
+		if ( generate_OS_version_event->Size() == 0 ||
+		     generate_OS_version_event->Lookup(src_addr_val) )
+			{
+			RecordVal* OS_val = build_os_val(is_orig, ip, tp, tcp_hdr_len);
+
+			if ( OS_val )
+				{ // found new OS version
+				val_list* vl = new val_list;
+				vl->append(tcp->BuildConnVal());
+				vl->append(src_addr_val->Ref());
+				vl->append(OS_val);
+				tcp->ConnectionEvent(OS_version_found, vl);
+				}
+			}
+
+		Unref(src_addr_val);
+		}
+	}
+
+TCP_Analyzer::TCP_Analyzer(Connection* conn)
+: TransportLayerAnalyzer("TCP", conn)
+	{
+	// Set a timer to eventually time out this connection.
+	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
+				network_time + tcp_SYN_timeout, 0,
+				TIMER_TCP_EXPIRE);
+
+	deferred_gen_event = close_deferred = 0;
+
+	seen_first_ACK = 0;
+	is_active = 1;
+	finished = 0;
+	reassembling = 0;
+	first_packet_seen = 0;
+	is_partial = 0;
+
+	orig = new TCP_Endpoint(this, 1);
+	resp = new TCP_Endpoint(this, 0);
+
+	orig->SetPeer(resp);
+	resp->SetPeer(orig);
+	}
+
+TCP_Analyzer::~TCP_Analyzer()
+	{
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		delete *i;
+
+	delete orig;
+	delete resp;
+	}
+
+void TCP_Analyzer::Init()
+	{
+	Analyzer::Init();
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Init();
+	}
+
+void TCP_Analyzer::Done()
+	{
+	Analyzer::Done();
+
+	if ( connection_pending && is_active && ! BothClosed() )
+		Event(connection_pending);
+
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Done();
+
+	orig->Done();
+	resp->Done();
+
+	finished = 1;
+	}
+
+void TCP_Analyzer::EnableReassembly()
+	{
+	SetReassembler(new TCP_Reassembler(this, this,
+	                                   TCP_Reassembler::Forward, orig),
+	               new TCP_Reassembler(this, this,
+	                                   TCP_Reassembler::Forward, resp));
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
+					TCP_Reassembler* rresp)
+	{
+	orig->AddReassembler(rorig);
+	rorig->SetDstAnalyzer(this);
+	resp->AddReassembler(rresp);
+	rresp->SetDstAnalyzer(this);
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
+							int& len, int& caplen)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) data;
+	uint32 tcp_hdr_len = tp->th_off * 4;
+
+	if ( tcp_hdr_len < sizeof(struct tcphdr) )
+		{
+		Weird("bad_TCP_header_len");
+		return 0;
+		}
+
+	if ( tcp_hdr_len > uint32(len) ||
+	     sizeof(struct tcphdr) > uint32(caplen) )
+		{
+		// This can happen even with the above test, due to TCP
+		// options.
+		Weird("truncated_header");
+		return 0;
+		}
+
+	len -= tcp_hdr_len;	// remove TCP header
+	caplen -= tcp_hdr_len;
+	data += tcp_hdr_len;
+
+	return tp;
+	}
+
+bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, int len, int caplen)
+	{
+	if ( ! ignore_checksums && caplen >= len &&
+	     ! endpoint->ValidChecksum(tp, len) )
+		{
+		Weird("bad_TCP_checksum");
+		endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C');
+		return false;
+		}
+	else
+		return true;
+	}
+
+void TCP_Analyzer::SetPartialStatus(TCP_Flags flags, bool is_orig)
+	{
+	if ( is_orig )
+		{
+		if ( ! (first_packet_seen & ORIG) )
+			is_partial = ! flags.SYN() || flags.ACK();
+		}
+	else
+		{
+		if ( ! (first_packet_seen & RESP) && ! is_partial )
+			is_partial = ! flags.SYN();
+		}
+	}
+
+static void update_history(TCP_Flags flags, TCP_Endpoint* endpoint,
+                          uint64 rel_seq, int len)
+	{
+	int bits_set = (flags.SYN() ? 1 : 0) + (flags.FIN() ? 1 : 0) +
+			(flags.RST() ? 1 : 0);
+	if ( bits_set > 1 )
+		{
+		if ( flags.FIN() && flags.RST() )
+			endpoint->CheckHistory(HIST_FIN_RST_PKT, 'I');
+		else
+			endpoint->CheckHistory(HIST_MULTI_FLAG_PKT, 'Q');
+		}
+
+	else if ( bits_set == 1 )
+		{
+		if ( flags.SYN() )
+			{
+			char code = flags.ACK() ? 'H' : 'S';
+
+			if ( endpoint->CheckHistory(HIST_SYN_PKT, code) &&
+			     rel_seq != endpoint->hist_last_SYN )
+				endpoint->AddHistory(code);
+
+			endpoint->hist_last_SYN = rel_seq;
+			}
+
+		if ( flags.FIN() )
+			{
+			// For FIN's, the sequence number comes at the
+			// end of (any data in) the packet, not the
+			// beginning as for SYNs and RSTs.
+			if ( endpoint->CheckHistory(HIST_FIN_PKT, 'F') &&
+			     rel_seq + len != endpoint->hist_last_FIN )
+				endpoint->AddHistory('F');
+
+			endpoint->hist_last_FIN = rel_seq + len;
+			}
+
+		if ( flags.RST() )
+			{
+			if ( endpoint->CheckHistory(HIST_RST_PKT, 'R') &&
+			     rel_seq != endpoint->hist_last_RST )
+				endpoint->AddHistory('R');
+
+			endpoint->hist_last_RST = rel_seq;
+			}
+		}
+
+	else
+		{ // bits_set == 0
+		if ( len )
+			endpoint->CheckHistory(HIST_DATA_PKT, 'D');
+
+		else if ( flags.ACK() )
+			endpoint->CheckHistory(HIST_ACK_PKT, 'A');
+		}
+	}
+
+static void init_window(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+                        TCP_Flags flags, bro_int_t scale, uint32 base_seq,
+                        uint32 ack_seq)
+	{
+	// ### In the following, we could be fooled by an
+	// inconsistent SYN retransmission.  Where's a normalizer
+	// when you need one?
+
+	if ( scale < 0 )
+		{ // no window scaling option
+		if ( flags.ACK() )
+			{ // window scaling not negotiated
+			endpoint->window_scale = 0;
+			peer->window_scale = 0;
+			}
+		else
+			// We're not offering window scaling.
+			// Ideally, we'd remember this fact so that
+			// if the SYN/ACK *does* include window
+			// scaling, we know it won't be negotiated.
+			// But it's a pain to track that, and hard
+			// to see how an adversarial responder could
+			// use it to evade.  Also, if we *do* want
+			// to track it, we could do so using
+			// connection_SYN_packet.
+			endpoint->window_scale = 0;
+		}
+	else
+		{
+		endpoint->window_scale = scale;
+		endpoint->window_seq = base_seq;
+		endpoint->window_ack_seq = ack_seq;
+
+		peer->window_seq = ack_seq;
+		peer->window_ack_seq = base_seq;
+		}
+	}
+
+static void update_window(TCP_Endpoint* endpoint, unsigned int window,
+                          uint32 base_seq, uint32 ack_seq, TCP_Flags flags)
+	{
+	// Note, the offered window on an initial SYN is unscaled, even
+	// if the SYN includes scaling, so we need to do the following
+	// test *before* updating the scaling information below.  (Hmmm,
+	// how does this work for windows on SYN/ACKs? ###)
+	int scale = endpoint->window_scale;
+	window = window << scale;
+
+	// Don't analyze window values off of SYNs, they're sometimes
+	// immediately rescinded.
+	if ( ! flags.SYN() )
+		{
+		// ### Decide whether to accept new window based on Active
+		// Mapping policy.
+		if ( seq_delta(base_seq, endpoint->window_seq) >= 0 &&
+		     seq_delta(ack_seq, endpoint->window_ack_seq) >= 0 )
+			{
+			uint32 new_edge = ack_seq + window;
+			uint32 old_edge = endpoint->window_ack_seq + endpoint->window;
+			int32 advance = seq_delta(new_edge, old_edge);
+
+			if ( advance < 0 )
+				{
+				// A window recision.  We don't report these
+				// for FINs or RSTs, or if the connection
+				// has already been partially closed, since
+				// such recisions occur frequently in practice,
+				// probably as the receiver loses buffer memory
+				// due to its process going away.
+				//
+				// We also, for window scaling, allow a bit
+				// of slop ###.  This is because sometimes
+				// there will be an apparent recision due
+				// to the granularity of the scaling.
+				if ( ! flags.FIN() && ! flags.RST() &&
+				     endpoint->state != TCP_ENDPOINT_CLOSED &&
+				     endpoint->state != TCP_ENDPOINT_RESET &&
+				     (-advance) >= (1 << scale) )
+					endpoint->Conn()->Weird("window_recision");
+				}
+
+			endpoint->window = window;
+			endpoint->window_ack_seq = ack_seq;
+			endpoint->window_seq = base_seq;
+			}
+		}
+	}
+
+static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len)
+	{
+	if ( flags.RST() )
+		endpoint->Conn()->Weird("TCP_christmas");
+
+	if ( flags.URG() )
+		endpoint->Conn()->Weird("baroque_SYN");
+
+	if ( data_len > 0 )
+		// Not technically wrong according to RFC 793, but the other side
+		// would be forced to buffer data until the handshake succeeds, and
+		// that could be bad in some cases, e.g. SYN floods.
+		// T/TCP definitely complicates this.
+		endpoint->Conn()->Weird("SYN_with_data");
+	}
+
+void TCP_Analyzer::UpdateInactiveState(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() )
+				{
+				Weird("connection_originator_SYN_ack");
+				endpoint->SetState(TCP_ENDPOINT_SYN_ACK_SENT);
+				}
+			else
+				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+
+			if ( tcp_attempt_delay )
+				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
+					t + tcp_attempt_delay, 1,
+					TIMER_TCP_ATTEMPT);
+			}
+		else
+			{
+			if ( flags.ACK() )
+				{
+				if ( peer->state != TCP_ENDPOINT_INACTIVE &&
+				     peer->state != TCP_ENDPOINT_PARTIAL &&
+				     ! seq_between(ack_seq, peer->StartSeq(), peer->LastSeq()) )
+					Weird("bad_SYN_ack");
+				}
+
+			else if ( peer->state == TCP_ENDPOINT_SYN_ACK_SENT &&
+				  base_seq == endpoint->StartSeq() )
+				{
+				// This is a SYN/SYN-ACK reversal,
+				// per the discussion in IsReuse.
+				// Flip the endpoints and establish
+				// the connection.
+				is_partial = 0;
+				Conn()->FlipRoles();
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				}
+
+			else
+				Weird("simultaneous_open");
+
+			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+				{
+				// If we were to ignore SYNs and
+				// only instantiate state on SYN
+				// acks, then we'd do:
+				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				// here.
+				Weird("unsolicited_SYN_response");
+				}
+
+			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
+
+			if ( peer->state != TCP_ENDPOINT_PARTIAL )
+				{
+				Event(connection_established);
+				Conn()->EnableStatusUpdateTimer();
+				}
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		if ( peer->state != TCP_ENDPOINT_PARTIAL && ! flags.SYN() )
+			Weird("spontaneous_FIN");
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		int is_reject = 0;
+
+		if ( is_orig )
+			{
+			// If our peer is established then we saw
+			// a SYN-ack but not SYN - so a reverse
+			// scan, and we should treat this as a
+			// reject.
+			if ( peer->state == TCP_ENDPOINT_ESTABLISHED )
+				is_reject = 1;
+			}
+
+		else if ( peer->state == TCP_ENDPOINT_SYN_SENT ||
+			  peer->state == TCP_ENDPOINT_SYN_ACK_SENT )
+			// We're rejecting an initial SYN.
+			is_reject = 1;
+
+		do_close = 1;
+		gen_event = ! is_reject;
+
+		if ( is_reject )
+			Event(connection_rejected);
+
+		else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+			Weird("spontaneous_RST");
+		}
+
+	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
+		{ // No control flags to change the state.
+		if ( ! is_orig && len == 0 &&
+		     orig->state == TCP_ENDPOINT_SYN_SENT )
+			// Some eccentric TCP's will ack an initial
+			// SYN prior to sending a SYN reply (hello,
+			// ftp.microsoft.com).  For those, don't
+			// consider the ack as forming a partial
+			// connection.
+			;
+		else
+			{
+			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
+			Conn()->EnableStatusUpdateTimer();
+
+			if ( peer->state == TCP_ENDPOINT_PARTIAL )
+				// We've seen both sides of a partial
+				// connection, report it.
+				Event(partial_connection);
+			}
+		}
+	}
+
+void TCP_Analyzer::UpdateSYN_SentState(
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() && ! flags.FIN() && ! flags.RST() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_ACK_SENT )
+				Weird("repeated_SYN_with_ack");
+			}
+		else
+			{
+			if ( ! flags.ACK() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_SENT )
+				Weird("repeated_SYN_reply_wo_ack");
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		if ( peer->state == TCP_ENDPOINT_INACTIVE ||
+		     peer->state == TCP_ENDPOINT_SYN_SENT )
+			Weird("inappropriate_FIN");
+
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		ConnectionReset();
+		do_close = 1;
+		}
+
+	else if ( len > 0 )
+		Weird("data_before_established");
+	}
+
+void TCP_Analyzer::UpdateEstablishedState(
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			TCP_Flags flags, int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( endpoint->state == TCP_ENDPOINT_PARTIAL &&
+		     peer->state == TCP_ENDPOINT_INACTIVE && ! flags.ACK() )
+			{
+			Weird("SYN_after_partial");
+			endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+			}
+		}
+
+	if ( flags.FIN() && ! flags.RST() )	// ###
+		{ // should check sequence/ack numbers here ###
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+
+		if ( peer->state == TCP_ENDPOINT_RESET &&
+		     peer->prev_state == TCP_ENDPOINT_CLOSED )
+			// The peer sent a FIN followed by a RST.
+			// Turn it back into CLOSED state, because
+			// this was actually normal termination.
+			peer->SetState(TCP_ENDPOINT_CLOSED);
+
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		do_close = 1;
+
+		if ( peer->state != TCP_ENDPOINT_RESET ||
+		     peer->prev_state != TCP_ENDPOINT_ESTABLISHED )
+			ConnectionReset();
+		}
+	}
+
+void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
+				int32 delta_last, TCP_Flags flags, int& do_close)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_close");
+
+	if ( flags.FIN() && delta_last > 0 )
+		// Probably should also complain on FIN recision.
+		// That requires an extra state variable to avoid
+		// generating slews of weird's when a TCP gets
+		// seriously confused (this from experience).
+		Weird("FIN_advanced_last_seq");
+
+	// Previously, our state was CLOSED, since we sent a FIN.
+	// If our peer was also closed, then don't change our state
+	// now on a RST, since this connection has already seen a FIN
+	// exchange.
+	if ( flags.RST() && endpoint->peer->state != TCP_ENDPOINT_CLOSED )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		if ( ! endpoint->did_close )
+			// RST after FIN.
+			do_close = 1;
+
+		if ( connection_reset )
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
+					t + tcp_reset_delay, 1,
+					TIMER_TCP_RESET);
+		}
+	}
+
+void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_reset");
+
+	if ( flags.FIN() )
+		Weird("FIN_after_reset");
+
+	if ( len > 0 && ! flags.RST() )
+		Weird("data_after_reset");
+	}
+
+void TCP_Analyzer::UpdateStateMachine(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int32 delta_last, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	do_close = 0;	// whether to report the connection as closed
+	gen_event = 0;	// if so, whether to generate an event
+
+	switch ( endpoint->state ) {
+
+	case TCP_ENDPOINT_INACTIVE:
+		UpdateInactiveState(t, endpoint, peer, base_seq, ack_seq,
+					len, is_orig, flags,
+					do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_SYN_SENT:
+	case TCP_ENDPOINT_SYN_ACK_SENT:
+		UpdateSYN_SentState(endpoint, peer, len, is_orig, flags, do_close,
+		                    gen_event);
+		break;
+
+	case TCP_ENDPOINT_ESTABLISHED:
+	case TCP_ENDPOINT_PARTIAL:
+		UpdateEstablishedState(endpoint, peer, flags, do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_CLOSED:
+		UpdateClosedState(t, endpoint, delta_last, flags, do_close);
+		break;
+
+	case TCP_ENDPOINT_RESET:
+		UpdateResetState(len, flags);
+		break;
+	}
+	}
+
+void TCP_Analyzer::GeneratePacketEvent(
+					uint64 rel_seq, uint64 rel_ack,
+					const u_char* data, int len, int caplen,
+					int is_orig, TCP_Flags flags)
+	{
+	char tcp_flags[256];
+	int tcp_flag_len = 0;
+
+	if ( flags.SYN() ) tcp_flags[tcp_flag_len++] = 'S';
+	if ( flags.FIN() ) tcp_flags[tcp_flag_len++] = 'F';
+	if ( flags.RST() ) tcp_flags[tcp_flag_len++] = 'R';
+	if ( flags.ACK() ) tcp_flags[tcp_flag_len++] = 'A';
+	if ( flags.PUSH() ) tcp_flags[tcp_flag_len++] = 'P';
+	if ( flags.URG() ) tcp_flags[tcp_flag_len++] = 'U';
+
+	tcp_flags[tcp_flag_len] = '\0';
+
+	val_list* vl = new val_list();
+
+	vl->append(BuildConnVal());
+	vl->append(new Val(is_orig, TYPE_BOOL));
+	vl->append(new StringVal(tcp_flags));
+	vl->append(new Val(rel_seq, TYPE_COUNT));
+	vl->append(new Val(flags.ACK() ? rel_ack : 0, TYPE_COUNT));
+	vl->append(new Val(len, TYPE_COUNT));
+
+	// We need the min() here because Ethernet padding can lead to
+	// caplen > len.
+	vl->append(new StringVal(min(caplen, len), (const char*) data));
+
+	ConnectionEvent(tcp_packet, vl);
+	}
+
+int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
+				const IP_Hdr* ip, const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, uint64 rel_data_seq,
+				int is_orig, TCP_Flags flags)
+	{
+	return endpoint->DataSent(t, rel_data_seq, len, caplen, data, ip, tp);
+	}
+
+void TCP_Analyzer::CheckRecording(int need_contents, TCP_Flags flags)
+	{
+	bool record_current_content = need_contents || Conn()->RecordContents();
+	bool record_current_packet =
+		Conn()->RecordPackets() ||
+		flags.SYN() || flags.FIN() || flags.RST();
+
+	Conn()->SetRecordCurrentContent(record_current_content);
+	Conn()->SetRecordCurrentPacket(record_current_packet);
+	}
+
+void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
+	{
+	if ( is_orig && ! (first_packet_seen & ORIG) )
+		{
+		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= ORIG;
+		}
+
+	if ( ! is_orig && ! (first_packet_seen & RESP) )
+		{
+		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= RESP;
+		}
+	}
+
+static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
+                               uint32 cur_base, uint32 last, uint32 wraps,
+                               bool* underflow = 0)
+	{
+	int32 delta = seq_delta(cur_base, last);
+
+	if ( delta < 0 )
+		{
+		if ( wraps && cur_base > last )
+			// Seems to be a part of a previous 32-bit sequence space.
+			--wraps;
+		}
+	else if ( delta > 0 )
+		{
+		if ( cur_base < last )
+			// The sequence space wrapped around.
+			++wraps;
+		}
+
+	if ( wraps == 0 )
+		{
+		delta = seq_delta(cur_base, endpoint->StartSeq());
+
+		if ( underflow && delta < 0 )
+			*underflow = true;
+
+		return delta;
+		}
+
+	return endpoint->ToRelativeSeqSpace(cur_base, wraps);
+	}
+
+static int get_segment_len(int payload_len, TCP_Flags flags)
+	{
+	int seg_len = payload_len;
+
+	if ( flags.SYN() )
+		// SYN consumes a byte of sequence space.
+		++seg_len;
+
+	if ( flags.FIN() )
+		// FIN consumes a bytes of sequence space.
+		++seg_len;
+
+	if ( flags.RST() )
+		// Don't include the data in the computation of
+		// the sequence space for this connection, as
+		// it's not in fact part of the TCP stream.
+		seg_len -= payload_len;
+
+	return seg_len;
+	}
+
+static void init_endpoint(TCP_Endpoint* endpoint, TCP_Flags flags,
+                          uint32 first_seg_seq, uint32 last_seq, double t)
+	{
+	switch ( endpoint->state ) {
+	case TCP_ENDPOINT_INACTIVE:
+		if ( flags.SYN() )
+			{
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitStartSeq(first_seg_seq);
+			}
+		else
+			{
+			// This is a partial connection - set up the initial sequence
+			// numbers as though we saw a SYN, to keep the relative byte
+			// numbering consistent.
+			endpoint->InitAckSeq(first_seg_seq - 1);
+			endpoint->InitStartSeq(first_seg_seq - 1);
+			}
+
+		endpoint->InitLastSeq(last_seq);
+		endpoint->start_time = t;
+		break;
+
+	case TCP_ENDPOINT_SYN_SENT:
+	case TCP_ENDPOINT_SYN_ACK_SENT:
+		if ( flags.SYN() && first_seg_seq != endpoint->StartSeq() )
+			{
+			endpoint->Conn()->Weird("SYN_seq_jump");
+			endpoint->InitStartSeq(first_seg_seq);
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitLastSeq(last_seq);
+			}
+		break;
+
+	case TCP_ENDPOINT_ESTABLISHED:
+	case TCP_ENDPOINT_PARTIAL:
+		if ( flags.SYN() )
+			{
+			if ( endpoint->Size() > 0 )
+				endpoint->Conn()->Weird("SYN_inside_connection");
+
+			if ( first_seg_seq != endpoint->StartSeq() )
+				endpoint->Conn()->Weird("SYN_seq_jump");
+
+			// Make a guess that somehow the connection didn't get established,
+			// and this SYN will be the one that actually sets it up.
+			endpoint->InitStartSeq(first_seg_seq);
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitLastSeq(last_seq);
+			}
+		break;
+
+	case TCP_ENDPOINT_RESET:
+		if ( flags.SYN() )
+			{
+			if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE )
+				{
+				// Seq. numbers were initialized by a RST packet from this
+				// endpoint, but now that a SYN is seen from it, that could mean
+				// the earlier RST was spoofed/injected, so re-initialize.  This
+				// mostly just helps prevent misrepresentations of payload sizes
+				// that are based on bad initial sequence values.
+				endpoint->InitStartSeq(first_seg_seq);
+				endpoint->InitAckSeq(first_seg_seq);
+				endpoint->InitLastSeq(last_seq);
+				}
+			}
+		break;
+
+	default:
+		break;
+	}
+	}
+
+static void init_peer(TCP_Endpoint* peer, TCP_Endpoint* endpoint,
+                      TCP_Flags flags, uint32 ack_seq)
+	{
+	if ( ! flags.SYN() && ! flags.FIN() && ! flags.RST() )
+		{
+		if ( endpoint->state == TCP_ENDPOINT_SYN_SENT ||
+			 endpoint->state == TCP_ENDPOINT_SYN_ACK_SENT ||
+			 endpoint->state == TCP_ENDPOINT_ESTABLISHED )
+			{
+			// We've already sent a SYN, but that
+			// hasn't roused the other end, yet we're
+			// ack'ing their data.
+
+			if ( ! endpoint->Conn()->DidWeird() )
+				endpoint->Conn()->Weird("possible_split_routing");
+			}
+		}
+
+	// Start the sequence numbering as if there was an initial
+	// SYN, so the relative numbering of subsequent data packets
+	// stays consistent.
+	peer->InitStartSeq(ack_seq - 1);
+	peer->InitAckSeq(ack_seq - 1);
+	peer->InitLastSeq(ack_seq - 1);
+	}
+
+static void update_ack_seq(TCP_Endpoint* endpoint, uint32 ack_seq)
+	{
+	int32 delta_ack = seq_delta(ack_seq, endpoint->AckSeq());
+
+	if ( ack_seq == 0 && delta_ack > TOO_LARGE_SEQ_DELTA )
+		// More likely that this is a broken ack than a
+		// large connection that happens to land on 0 in the
+		// sequence space.
+		;
+	else if ( delta_ack > 0 )
+		endpoint->UpdateAckSeq(ack_seq);
+	}
+
+// Returns the difference between last_seq and the last sequence
+// seen by the endpoint (may be negative).
+static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
+                             TCP_Flags flags)
+	{
+	int32 delta_last = seq_delta(last_seq, endpoint->LastSeq());
+
+	if ( (flags.SYN() || flags.RST()) &&
+	     (delta_last > TOO_LARGE_SEQ_DELTA ||
+	      delta_last < -TOO_LARGE_SEQ_DELTA) )
+		// ### perhaps trust RST seq #'s if initial and not too
+		// outlandish, but not if they're coming after the other
+		// side has sent a FIN - trust the FIN ack instead
+		;
+
+	else if ( flags.FIN() &&
+		  endpoint->LastSeq() == endpoint->StartSeq() + 1 )
+		// Update last_seq based on the FIN even if delta_last < 0.
+		// This is to accommodate > 2 GB connections for which
+		// we've only seen the SYN and the FIN (hence the check
+		// for last_seq == start_seq + 1).
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( endpoint->state == TCP_ENDPOINT_RESET )
+		// don't trust any subsequent sequence numbers
+		;
+
+	else if ( delta_last > 0 )
+		// ### check for large jumps here.
+		// ## endpoint->last_seq = last_seq;
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( delta_last <= 0 )
+		{ // ### ++retransmit, unless this is a pure ack
+		}
+
+	return delta_last;
+	}
+
+void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+					uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	const struct tcphdr* tp = ExtractTCP_Header(data, len, caplen);
+	if ( ! tp )
+		return;
+
+	// We need the min() here because Ethernet frame padding can lead to
+	// caplen > len.
+	if ( packet_contents )
+		PacketContents(data, min(len, caplen));
+
+	TCP_Endpoint* endpoint = is_orig ? orig : resp;
+	TCP_Endpoint* peer = endpoint->peer;
+
+	if ( ! ValidateChecksum(tp, endpoint, len, caplen) )
+		return;
+
+	uint32 tcp_hdr_len = data - (const u_char*) tp;
+	TCP_Flags flags(tp);
+	SetPartialStatus(flags, endpoint->IsOrig());
+
+	uint32 base_seq = ntohl(tp->th_seq);
+	uint32 ack_seq = ntohl(tp->th_ack);
+
+	int seg_len = get_segment_len(len, flags);
+	uint32 seq_one_past_segment = base_seq + seg_len;
+
+	init_endpoint(endpoint, flags, base_seq, seq_one_past_segment,
+	              current_timestamp);
+
+	bool seq_underflow = false;
+	uint64 rel_seq = get_relative_seq(endpoint, base_seq, endpoint->LastSeq(),
+	                                  endpoint->SeqWraps(), &seq_underflow);
+
+	if ( seq_underflow && ! flags.RST() )
+		// Can't tell if if this is a retransmit/out-of-order or something
+		// before the sequence Bro initialized the endpoint at or the TCP is
+		// just broken and sending garbage sequences.  In either case, some
+		// standard analysis doesn't apply (e.g. reassembly).
+		Weird("TCP_seq_underflow_or_misorder");
+
+	update_history(flags, endpoint, rel_seq, len);
+	update_window(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags);
+
+	if ( ! orig->did_close || ! resp->did_close )
+		Conn()->SetLastTime(current_timestamp);
+
+	if ( flags.SYN() )
+		{
+		syn_weirds(flags, endpoint, len);
+		RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp);
+		init_window(endpoint, peer, flags, SYN_vals->Lookup(5)->CoerceToInt(),
+		            base_seq, ack_seq);
+
+		if ( connection_SYN_packet )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(SYN_vals->Ref());
+			ConnectionEvent(connection_SYN_packet, vl);
+			}
+
+		passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
+
+		Unref(SYN_vals);
+		}
+
+	if ( flags.FIN() )
+		{
+		++endpoint->FIN_cnt;
+
+		if ( endpoint->FIN_cnt >= tcp_storm_thresh && current_timestamp <
+		     endpoint->last_time + tcp_storm_interarrival_thresh )
+			Weird("FIN_storm");
+
+		endpoint->FIN_seq = rel_seq + seg_len;
+		}
+
+	if ( flags.RST() )
+		{
+		++endpoint->RST_cnt;
+
+		if ( endpoint->RST_cnt >= tcp_storm_thresh && current_timestamp <
+		     endpoint->last_time + tcp_storm_interarrival_thresh )
+			Weird("RST_storm");
+
+		// This now happens often enough that it's
+		// not in the least interesting.
+		//if ( len > 0 )
+		//	Weird("RST_with_data");
+
+		PacketWithRST();
+		}
+
+	uint64 rel_ack = 0;
+
+	if ( flags.ACK() )
+		{
+		if ( is_orig && ! seen_first_ACK &&
+		     (endpoint->state == TCP_ENDPOINT_ESTABLISHED ||
+		      endpoint->state == TCP_ENDPOINT_SYN_SENT) )
+			{
+			seen_first_ACK = 1;
+			Event(connection_first_ACK);
+			}
+
+		if ( peer->state == TCP_ENDPOINT_INACTIVE )
+			{
+			rel_ack = 1;
+			init_peer(peer, endpoint, flags, ack_seq);
+			}
+		else
+			{
+			bool ack_underflow = false;
+			rel_ack = get_relative_seq(peer, ack_seq, peer->AckSeq(),
+			                           peer->AckWraps(), &ack_underflow);
+
+			if ( ack_underflow )
+				{
+				rel_ack = 0;
+				Weird("TCP_ack_underflow_or_misorder");
+				}
+			else if ( ! flags.RST() )
+				// Don't trust ack's in RSt packets.
+				update_ack_seq(peer, ack_seq);
+			}
+
+		peer->AckReceived(rel_ack);
+		}
+
+	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags);
+	endpoint->last_time = current_timestamp;
+
+	int do_close;
+	int gen_event;
+	UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq,
+	                   len, delta_last, is_orig, flags, do_close, gen_event);
+
+	if ( tcp_packet )
+		GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig,
+		                    flags);
+
+	if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
+	     tcp_hdr_len <= uint32(caplen) )
+		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
+
+	if ( DEBUG_tcp_data_sent )
+		{
+		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
+			  network_time, len, caplen, Skipping());
+		}
+
+	uint64 rel_data_seq = flags.SYN() ? rel_seq + 1 : rel_seq;
+
+	int need_contents = 0;
+	if ( len > 0 && (caplen >= len || packet_children.size()) &&
+	     ! flags.RST() && ! Skipping() && ! seq_underflow )
+		need_contents = DeliverData(current_timestamp, data, len, caplen, ip,
+		                            tp, endpoint, rel_data_seq, is_orig, flags);
+
+	endpoint->CheckEOF();
+
+	if ( do_close )
+		{
+		// We need to postpone doing this until after we process
+		// DataSent, so we don't generate a connection_finished event
+		// until after data perhaps included with the FIN is processed.
+		ConnectionClosed(endpoint, peer, gen_event);
+		}
+
+	CheckRecording(need_contents, flags);
+
+	// Handle child_packet analyzers.  Note: This happens *after* the
+	// packet has been processed and the TCP state updated.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->NextPacket(len, data, is_orig, rel_data_seq, ip, caplen);
+
+	if ( ! reassembling )
+		ForwardPacket(len, data, is_orig, rel_data_seq, ip, caplen);
+
+	CheckPIA_FirstPacket(is_orig, ip);
+	}
+
+void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	Analyzer::DeliverStream(len, data, orig);
+	}
+
+void TCP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
+	{
+	Analyzer::Undelivered(seq, len, orig);
+	}
+
+void TCP_Analyzer::FlipRoles()
+	{
+	Analyzer::FlipRoles();
+
+	sessions->tcp_stats.FlipState(orig->state, resp->state);
+	TCP_Endpoint* tmp_ep = resp;
+	resp = orig;
+	orig = tmp_ep;
+	orig->is_orig = !orig->is_orig;
+	resp->is_orig = !resp->is_orig;
+	}
+
+void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	RecordVal *orig_endp_val = conn_val->Lookup("orig")->AsRecordVal();
+	RecordVal *resp_endp_val = conn_val->Lookup("resp")->AsRecordVal();
+
+	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
+	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
+	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
+	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+
+	// Have to do packet_children ourselves.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->UpdateConnVal(conn_val);
+	}
+
 int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp,
 					proc_tcp_option_t proc,
 					TCP_Analyzer* analyzer,
@@ -1849,11 +1897,11 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason,
 	}
 
 void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data,
-						bool is_orig, int seq,
+						bool is_orig, uint64 seq,
 						const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-	DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+	DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]",
 			len, is_orig ? "T" : "F", seq, ip, caplen,
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
@@ -1930,7 +1978,7 @@ int endian_flip(int n)
 	return ((n & 0xff) << 8) | ((n & 0xff00) >> 8);
 	}
 
-int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
+int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
 			const u_char* /* data */,
 			const IP_Hdr* ip, const struct tcphdr* /* tp */)
 	{
@@ -1990,14 +2038,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 
 	++num_in_order;
 
-	int top_seq = seq + len;
+	uint64 top_seq = seq + len;
 
-	int data_in_flight = endp->LastSeq() - endp->AckSeq();
+	int32 data_in_flight = seq_delta(endp->LastSeq(), endp->AckSeq());
 	if ( data_in_flight < 0 )
 		data_in_flight = 0;
 
-	int seq_delta = top_seq - max_top_seq;
-	if ( seq_delta <= 0 )
+	int64 sequence_delta = top_seq - max_top_seq;
+	if ( sequence_delta <= 0 )
 		{
 		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
@@ -2005,7 +2053,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 			num_rxmit_bytes += len;
 			}
 
-		DEBUG_MSG("%.6f rexmit %d + %d <= %d data_in_flight = %d\n",
+		DEBUG_MSG("%.6f rexmit %"PRIu64" + %d <= %"PRIu64" data_in_flight = %d\n",
 		 	network_time, seq, len, max_top_seq, data_in_flight);
 
 		if ( tcp_rexmit )
@@ -2073,7 +2121,7 @@ void TCPStats_Analyzer::Done()
 	ConnectionEvent(conn_stats, vl);
 	}
 
-void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
index b2649b4ab8..b00e73d348 100644
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@@ -102,9 +102,9 @@ protected:
 	// Analyzer interface.
 	virtual void Init();
 	virtual void Done();
-	virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void FlipRoles();
 	virtual bool IsReuse(double t, const u_char* pkt);
 
@@ -119,42 +119,7 @@ protected:
 	bool ValidateChecksum(const struct tcphdr* tp, TCP_Endpoint* endpoint,
 				int len, int caplen);
 
-	// Update analysis based on flag combinations.  The endpoint, base_seq
-	// and len are needed for tracking various history information.
-	// dst_port is needed for trimming of FIN packets.
-	void CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
-				uint32 base_seq, int len, int dst_port);
-
-	void UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
-					uint32 base_seq, uint32 ack_seq,
-					TCP_Flags flags);
-
-	void ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
-			uint32 tcp_hdr_len, int& seq_len,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			const IPAddr& orig_addr,
-			int is_orig, TCP_Flags flags);
-
-	void ProcessFIN(double t, TCP_Endpoint* endpoint, int& seq_len,
-			uint32 base_seq);
-
-	void ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip,
-			uint32 base_seq, int len, int& seq_len);
-
-	void ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 ack_seq, int is_orig, TCP_Flags flags);
-
-	void ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp,
-			uint32 tcp_hdr_len, int len, int& seq_len,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			const IPAddr& orig_addr,
-			int is_orig, TCP_Flags flags);
-
-	void TransitionFromInactive(double t, TCP_Endpoint* endpoint,
-					uint32 base_seq, uint32 last_seq,
-					int SYN);
+	void SetPartialStatus(TCP_Flags flags, bool is_orig);
 
 	// Update the state machine of the TCPs based on the activity.  This
 	// includes our pseudo-states such as TCP_ENDPOINT_PARTIAL.
@@ -164,8 +129,8 @@ protected:
 	// this fact.
 	void UpdateStateMachine(double t,
 			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
-			int len, int delta_last, int is_orig, TCP_Flags flags,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int32 delta_last, int is_orig, TCP_Flags flags,
 			int& do_close, int& gen_event);
 
 	void UpdateInactiveState(double t,
@@ -174,43 +139,34 @@ protected:
 				int len, int is_orig, TCP_Flags flags,
 				int& do_close, int& gen_event);
 
-	void UpdateSYN_SentState(double t,
+	void UpdateSYN_SentState(
 				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 last_seq,
 				int len, int is_orig, TCP_Flags flags,
 				int& do_close, int& gen_event);
 
-	void UpdateEstablishedState(double t,
+	void UpdateEstablishedState(
 				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 last_seq,
-				int is_orig, TCP_Flags flags,
-				int& do_close, int& gen_event);
+				TCP_Flags flags, int& do_close, int& gen_event);
 
 	void UpdateClosedState(double t, TCP_Endpoint* endpoint,
-				int delta_last, TCP_Flags flags,
+				int32 delta_last, TCP_Flags flags,
 				int& do_close);
 
-	void UpdateResetState(int len, TCP_Flags flags, TCP_Endpoint* endpoint,
-				uint32 base_seq, uint32 last_seq);
+	void UpdateResetState(int len, TCP_Flags flags);
 
-	void GeneratePacketEvent(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-					uint32 base_seq, uint32 ack_seq,
+	void GeneratePacketEvent(
+					uint64 rel_seq, uint64 rel_ack,
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags);
 
 	int DeliverData(double t, const u_char* data, int len, int caplen,
 			const IP_Hdr* ip, const struct tcphdr* tp,
-			TCP_Endpoint* endpoint, uint32 base_seq,
+			TCP_Endpoint* endpoint, uint64 rel_data_seq,
 			int is_orig, TCP_Flags flags);
 
 	void CheckRecording(int need_contents, TCP_Flags flags);
 	void CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip);
 
-	// Returns the difference between last_seq and the last sequence
-	// seen by the endpoint (may be negative).
-	int UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
-				TCP_Flags flags);
-
 	friend class ConnectionTimer;
 	void AttemptTimer(double t);
 	void PartialCloseTimer(double t);
@@ -228,12 +184,6 @@ protected:
 
 	void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp);
 
-	Val* BuildSYNPacketVal(int is_orig,
-				const IP_Hdr* ip, const struct tcphdr* tcp);
-
-	RecordVal* BuildOSVal(int is_orig, const IP_Hdr* ip,
-				const struct tcphdr* tcp, uint32 tcp_hdr_len);
-
 	// Needs to be static because it's passed as a pointer-to-function
 	// rather than pointer-to-member-function.
 	static int TCPOptionEvent(unsigned int opt, unsigned int optlen,
@@ -304,7 +254,7 @@ public:
 	virtual void PacketWithRST();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void Init();
 
 	// This suppresses violations if the TCP connection wasn't
@@ -341,7 +291,7 @@ class TCPStats_Endpoint {
 public:
 	TCPStats_Endpoint(TCP_Endpoint* endp);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 			const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -354,7 +304,7 @@ protected:
 	int num_in_order;
 	int num_OO;
 	int num_repl;
-	int max_top_seq;
+	uint64 max_top_seq;
 	int last_id;
 	int endian_type;
 };
@@ -372,7 +322,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	TCPStats_Endpoint* orig_stats;
 	TCPStats_Endpoint* resp_stats;
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index ad642a46e3..2e8d6e593b 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -20,7 +20,7 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
 	peer = 0;
 	start_time = last_time = 0.0;
 	start_seq = last_seq = ack_seq = 0;
-	last_seq_high = ack_seq_high = 0;
+	seq_wraps = ack_wraps = 0;
 	window = 0;
 	window_scale = 0;
 	window_seq = window_ack_seq = 0;
@@ -108,7 +108,8 @@ void TCP_Endpoint::CheckEOF()
 		contents_processor->CheckEOF();
 	}
 
-void TCP_Endpoint::SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack)
+void TCP_Endpoint::SizeBufferedData(uint64& waiting_on_hole,
+                                    uint64& waiting_on_ack)
 	{
 	if ( contents_processor )
 		contents_processor->SizeBufferedData(waiting_on_hole, waiting_on_ack);
@@ -159,7 +160,7 @@ void TCP_Endpoint::SetState(EndpointState new_state)
 		}
 	}
 
-bro_int_t TCP_Endpoint::Size() const
+uint64 TCP_Endpoint::Size() const
 	{
 	if ( prev_state == TCP_ENDPOINT_SYN_SENT && state == TCP_ENDPOINT_RESET &&
 	     peer->state == TCP_ENDPOINT_INACTIVE && ! NoDataAcked() )
@@ -168,14 +169,18 @@ bro_int_t TCP_Endpoint::Size() const
 		// and there was never a chance for this endpoint to send data anyway.
 		return 0;
 
-	bro_int_t size;
+	uint64 size;
+	uint64 last_seq_64 = ToFullSeqSpace(LastSeq(), SeqWraps());
+	uint64 ack_seq_64 = ToFullSeqSpace(AckSeq(), AckWraps());
 
-	uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;
-	uint64 ack_seq_64 = (uint64(ack_seq_high) << 32) | ack_seq;
+	// Going straight to relative sequence numbers and comparing those might
+	// make more sense, but there's some cases (e.g. due to RSTs) where
+	// last_seq might not be initialized to a trustworthy value such that
+	// rel_seq > rel_ack, but last_seq_64 < start_seq, which is obviously wrong.
 	if ( last_seq_64 > ack_seq_64 )
-		size = last_seq_64 - start_seq;
+		size = last_seq_64 - StartSeqI64();
 	else
-		size = ack_seq_64 - start_seq;
+		size = ack_seq_64 - StartSeqI64();
 
 	// Don't include SYN octet in sequence space.  For partial connections
 	// (no SYN seen), we're still careful to adjust start_seq as though
@@ -190,7 +195,7 @@ bro_int_t TCP_Endpoint::Size() const
 	return size;
 	}
 
-int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
+int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
 				const u_char* data,
 				const IP_Hdr* ip, const struct tcphdr* tp)
 	{
@@ -205,7 +210,7 @@ int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
 	if ( contents_file && ! contents_processor && 
 	     seq + len > contents_start_seq )
 		{
-		int under_seq = contents_start_seq - seq;
+		int64 under_seq = contents_start_seq - seq;
 		if ( under_seq > 0 )
 			{
 			seq += under_seq;
@@ -236,7 +241,7 @@ int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
 	return status;
 	}
 
-void TCP_Endpoint::AckReceived(int seq)
+void TCP_Endpoint::AckReceived(uint64 seq)
 	{
 	if ( contents_processor )
 		contents_processor->AckReceived(seq);
@@ -246,7 +251,7 @@ void TCP_Endpoint::SetContentsFile(BroFile* f)
 	{
 	Ref(f);
 	contents_file = f;
-	contents_start_seq = last_seq - start_seq;
+	contents_start_seq = ToRelativeSeqSpace(last_seq, seq_wraps);
 
 	if ( contents_start_seq == 0 )
 		contents_start_seq = 1;	// skip SYN
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
index 31e239225b..471b9b9535 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@@ -38,32 +38,92 @@ public:
 
 	EndpointState State() const 	{ return state; }
 	void SetState(EndpointState new_state);
-	bro_int_t Size() const;
+	uint64 Size() const;
 	int IsActive() const
 		{ return state != TCP_ENDPOINT_INACTIVE && ! did_close; }
 
 	double StartTime() const	{ return start_time; }
 	double LastTime() const		{ return last_time; }
 
-	uint32 StartSeq() const		{ return start_seq; }
+	/**
+	 * @return The starting TCP sequence number for this endpoint.
+	 */
+	uint32 StartSeq() const		{ return static_cast<uint32>(start_seq); }
+
+	/**
+	 * @return The starting TCP sequence number for this endpoint, in terms
+	 *         of a signed sequence space, which may account for initial
+	 *         sequence space wraparounds (underflow/overflow).
+	 */
+	int64 StartSeqI64() const { return start_seq; }
+
+	/**
+	 * @return The sequence number after the last TCP sequence number seen
+	 *         from this endpoint.
+	 */
 	uint32 LastSeq() const		{ return last_seq; }
+
+	/**
+	 * @return The last TCP acknowledgement number seen from this endpoint.
+	 */
 	uint32 AckSeq() const		{ return ack_seq; }
 
-	void InitStartSeq(uint32 seq) 	{ start_seq = seq; }
+	/**
+	 * @return The number of times the TCP sequence has wrapped around
+	 *         for this endpoint (i.e. overflowed a uint32).
+	 */
+	uint32 SeqWraps() const		{ return seq_wraps; }
+
+	/**
+	 * @return The number of times the TCP acknowledgement sequence has
+	 *         wrapped around for this endpoint (i.e. overflowed a uint32).
+	 */
+	uint32 AckWraps() const		{ return ack_wraps; }
+
+	/**
+	 * @param wraps Number of times a 32-bit sequence space has wrapped.
+	 * @return A 64-bit sequence space number it would take to overflow
+	 *         a 32-bit sequence space \a wraps number of times.
+	 */
+	static uint64 ToFullSeqSpace(uint32 wraps)
+		{ return (uint64(wraps) << 32); }
+
+	/**
+	 * @param tcp_seq_num A 32-bit TCP sequence space number.
+	 * @param wraparounds Number of times a 32-bit sequence space has wrapped.
+	 * @return \a tcp_seq_num expanded out in to a 64-bit sequence space,
+	 *         accounting for the number of times the 32-bit space overflowed.
+	 */
+	static uint64 ToFullSeqSpace(uint32 tcp_seq_num, uint32 wraparounds)
+		{ return ToFullSeqSpace(wraparounds) + tcp_seq_num; }
+
+	/**
+	 * @param tcp_seq_num A 32-bit TCP sequence space number.
+	 * @param wraparounds Number of times a 32-bit sequence space has wrapped.
+	 * @return \a tcp_seq_num expanded out in to a 64-bit sequence space,
+	 *         accounting for the number of times the 32-bit space overflowed
+	 *         and relative the the starting sequence number for this endpoint.
+	 */
+	uint64 ToRelativeSeqSpace(uint32 tcp_seq_num, uint32 wraparounds) const
+		{
+		return ToFullSeqSpace(tcp_seq_num, wraparounds) - StartSeqI64();
+		}
+
+	void InitStartSeq(int64 seq) 	{ start_seq = seq; }
 	void InitLastSeq(uint32 seq) 	{ last_seq = seq; }
 	void InitAckSeq(uint32 seq) 	{ ack_seq = seq; }
 
 	void UpdateLastSeq(uint32 seq)
 		{
 		if ( seq < last_seq )
-			++last_seq_high;
+			++seq_wraps;
 		last_seq = seq;
 		}
 
 	void UpdateAckSeq(uint32 seq)
 		{
 		if ( seq < ack_seq )
-			++ack_seq_high;
+			++ack_wraps;
 		ack_seq = seq;
 		}
 
@@ -71,7 +131,10 @@ public:
 	// We allow for possibly one octet being ack'd in the case of
 	// an initial SYN exchange.
 	int NoDataAcked() const
-		{ return ack_seq == start_seq || ack_seq == start_seq + 1; }
+		{
+		uint64 ack = ToFullSeqSpace(ack_seq, ack_wraps);
+		return ack == StartSeqI64() || ack == StartSeqI64() + 1;
+		}
 
 	Connection* Conn() const;
 
@@ -96,16 +159,16 @@ public:
 	//
 	// If we're not processing contents, then naturally each of
 	// these is empty.
-	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack);
+	void SizeBufferedData(uint64& waiting_on_hole, uint64& waiting_on_ack);
 
 	int ValidChecksum(const struct tcphdr* tp, int len) const;
 
 	// Returns true if the data was used (and hence should be recorded
 	// in the save file), false otherwise.
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 			const IP_Hdr* ip, const struct tcphdr* tp);
 
-	void AckReceived(int seq);
+	void AckReceived(uint64 seq);
 
 	void SetContentsFile(BroFile* f);
 	BroFile* GetContentsFile() const	{ return contents_file; }
@@ -139,20 +202,25 @@ public:
 	int window_scale;  // from the TCP option
 	uint32 window_ack_seq; // at which ack_seq number did we record 'window'
 	uint32 window_seq; // at which sending sequence number did we record 'window'
-	int contents_start_seq;	// relative seq # where contents file starts
-	int FIN_seq;		// relative seq # to start_seq
+	uint64 contents_start_seq;	// relative seq # where contents file starts
+	uint64 FIN_seq;		// relative seq # to start_seq
 	int SYN_cnt, FIN_cnt, RST_cnt;
 	int did_close;		// whether we've reported it closing
 	int is_orig;
 
-	// Sequence numbers associated with last control packets.
+	// Relative sequence numbers associated with last control packets.
 	// Used to determine whether ones seen again are interesting,
 	// for tracking history.
-	uint32 hist_last_SYN, hist_last_FIN, hist_last_RST;
+	uint64 hist_last_SYN, hist_last_FIN, hist_last_RST;
 
 protected:
-	uint32 start_seq, last_seq, ack_seq;	// in host order
-	uint32 last_seq_high, ack_seq_high;
+	int64 start_seq;  // Initial TCP sequence number in host order.
+	                  // Signed 64-bit to detect initial sequence wrapping.
+	                  // Use StartSeq() accessor if need it in terms of
+	                  // an absolute TCP sequence number.
+	uint32 last_seq, ack_seq;	 // in host order
+	uint32 seq_wraps, ack_wraps; // Number of times 32-bit TCP sequence space
+	                             // has wrapped around (overflowed).
 };
 
 #define ENDIAN_UNKNOWN 0
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index da8dd857fd..1fabfc5d73 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -14,11 +14,6 @@ using namespace analyzer::tcp;
 
 // Note, sequence numbers are relative. I.e., they start with 1.
 
-// TODO: The Reassembler should start using 64 bit ints for keeping track of
-// sequence numbers; currently they become negative once 2GB are exceeded.
-//
-// See #348 for more information.
-
 const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
@@ -44,9 +39,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
 	deliver_tcp_contents = 0;
 	skip_deliveries = 0;
 	did_EOF = 0;
-#ifdef ENABLE_SEQ_TO_SKIP
 	seq_to_skip = 0;
-#endif
 	in_delivery = false;
 
 	if ( tcp_contents )
@@ -73,12 +66,11 @@ TCP_Reassembler::~TCP_Reassembler()
 
 void TCP_Reassembler::Done()
 	{
-	MatchUndelivered(-1);
+	MatchUndelivered(-1, true);
 
 	if ( record_contents_file )
 		{ // Record any undelivered data.
-		if ( blocks &&
-		     seq_delta(last_reassem_seq, last_block->upper) < 0 )
+		if ( blocks && last_reassem_seq < last_block->upper )
 			RecordToSeq(last_reassem_seq, last_block->upper,
 					record_contents_file);
 
@@ -86,13 +78,13 @@ void TCP_Reassembler::Done()
 		}
 	}
 
-void TCP_Reassembler::SizeBufferedData(int& waiting_on_hole,
-					int& waiting_on_ack) const
+void TCP_Reassembler::SizeBufferedData(uint64& waiting_on_hole,
+					uint64& waiting_on_ack) const
 	{
 	waiting_on_hole = waiting_on_ack = 0;
 	for ( DataBlock* b = blocks; b; b = b->next )
 		{
-		if ( seq_delta(b->seq, last_reassem_seq) <= 0 )
+		if ( b->seq <= last_reassem_seq )
 			// We must have delivered this block, but
 			// haven't yet trimmed it.
 			waiting_on_ack += b->Size();
@@ -126,7 +118,7 @@ void TCP_Reassembler::SetContentsFile(BroFile* f)
 	}
 
 
-void TCP_Reassembler::Undelivered(int up_to_seq)
+void TCP_Reassembler::Undelivered(uint64 up_to_seq)
 	{
 	TCP_Endpoint* endpoint = endp;
 	TCP_Endpoint* peer = endpoint->peer;
@@ -142,13 +134,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// was a keep-alive.  So, in either case, just ignore it.
 
 		// TODO: Don't we need to update last_reassm_seq ????
-		if ( up_to_seq >=0 )
-			// Since seq are currently only 32 bit signed
-			// integers, they will become negative if a
-			// connection has more than 2GB of data. Remove the
-			// above if and always return here, once we're using
-			// 64 bit ints
-			return;
+		return;
 	}
 
 #if 0
@@ -156,15 +142,14 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		// Make sure we're not worrying about undelivered
 		// FIN control octets!
-		int FIN_seq = endpoint->FIN_seq - endpoint->start_seq;
-		if ( seq_delta(up_to_seq, FIN_seq) >= 0 )
-			up_to_seq = FIN_seq - 1;
+		if ( up_to_seq >= endpoint->FIN_seq )
+			up_to_seq = endpoint->FIN_seq - 1;
 		}
 #endif
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%"PRIu64", last_reassm=%"PRIu64", "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
 		          network_time, IsOrig(), up_to_seq, last_reassem_seq,
@@ -172,7 +157,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
 
-	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
+	if ( up_to_seq <= last_reassem_seq )
 		// This should never happen. (Reassembler::TrimToSeq has the only call
 		// to this method and only if this condition is not true).
 		reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
@@ -195,10 +180,10 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%"PRIu64", len=%"PRIu64", "
 					  "skip_deliveries=%d\n",
 					  network_time, IsOrig(), last_reassem_seq,
-					  seq_delta(up_to_seq, last_reassem_seq),
+					  up_to_seq - last_reassem_seq,
 					  skip_deliveries);
 			}
 
@@ -210,8 +195,8 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 			// packet, but it's undelievered because it's out of
 			// sequence.
 
-			int seq = last_reassem_seq;
-			int len = seq_delta(up_to_seq, last_reassem_seq);
+			uint64 seq = last_reassem_seq;
+			uint64 len = up_to_seq - last_reassem_seq;
 
 			// Only report on content gaps for connections that
 			// are in a cleanly established state.  In other
@@ -255,19 +240,19 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		RecordToSeq(last_reassem_seq, up_to_seq, record_contents_file);
 
 	if ( tcp_match_undelivered )
-		MatchUndelivered(up_to_seq);
+		MatchUndelivered(up_to_seq, false);
 
 	// But we need to re-adjust last_reassem_seq in either case.
 	last_reassem_seq = up_to_seq;	// we've done our best ...
 	}
 
-void TCP_Reassembler::MatchUndelivered(int up_to_seq)
+void TCP_Reassembler::MatchUndelivered(uint64 up_to_seq, bool use_last_upper)
 	{
 	if ( ! blocks || ! rule_matcher )
 		return;
 
 	ASSERT(last_block);
-	if ( up_to_seq == -1 )
+	if ( use_last_upper )
 		up_to_seq = last_block->upper;
 
 	// ### Note: the original code did not check whether blocks have
@@ -277,36 +262,35 @@ void TCP_Reassembler::MatchUndelivered(int up_to_seq)
 	// We are to match any undelivered data, from last_reassem_seq to
 	// min(last_block->upper, up_to_seq).
 	// Is there such data?
-	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 ||
-	     seq_delta(last_block->upper, last_reassem_seq) <= 0 )
+	if ( up_to_seq <= last_reassem_seq ||
+	     last_block->upper <= last_reassem_seq )
 		return;
 
 	// Skip blocks that are already delivered (but not ACK'ed).
 	// Question: shall we instead keep a pointer to the first undelivered
 	// block?
 	DataBlock* b;
-	for ( b = blocks; b && seq_delta(b->upper, last_reassem_seq) <= 0;
-	      b = b->next )
+	for ( b = blocks; b && b->upper <= last_reassem_seq; b = b->next )
 	      tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b->block, b->Size(),
 						false, false, IsOrig(), false);
 
 	ASSERT(b);
 	}
 
-void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
+void TCP_Reassembler::RecordToSeq(uint64 start_seq, uint64 stop_seq, BroFile* f)
 	{
 	DataBlock* b = blocks;
 	// Skip over blocks up to the start seq.
-	while ( b && seq_delta(b->upper, start_seq) <= 0 )
+	while ( b && b->upper <= start_seq )
 		b = b->next;
 
 	if ( ! b )
 		return;
 
-	int last_seq = start_seq;
-	while ( b && seq_delta(b->upper, stop_seq) <= 0 )
+	uint64 last_seq = start_seq;
+	while ( b && b->upper <= stop_seq )
 		{
-		if ( seq_delta(b->seq, last_seq) > 0 )
+		if ( b->seq > last_seq )
 			RecordGap(last_seq, b->seq, f);
 
 		RecordBlock(b, f);
@@ -316,7 +300,7 @@ void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
 
 	if ( b )
 		// Check for final gap.
-		if ( seq_delta(last_seq, stop_seq) < 0 )
+		if ( last_seq < stop_seq )
 			RecordGap(last_seq, stop_seq, f);
 	}
 
@@ -337,9 +321,9 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
 		}
 	}
 
-void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
+void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
 	{
-	if ( f->Write(fmt("\n<<gap %d>>\n", seq_delta(upper_seq, start_seq))) )
+	if ( f->Write(fmt("\n<<gap %"PRIu64">>\n", upper_seq - start_seq)) )
 		return;
 
 	reporter->Error("TCP_Reassembler contents gap write failed");
@@ -356,8 +340,8 @@ void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
 
 void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	{
-	if ( seq_delta(start_block->seq, last_reassem_seq) > 0 ||
-	     seq_delta(start_block->upper, last_reassem_seq) <= 0 )
+	if ( start_block->seq > last_reassem_seq ||
+	     start_block->upper <= last_reassem_seq )
 		return;
 
 	// We've filled a leading hole.  Deliver as much as possible.
@@ -367,12 +351,12 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	// loop we have to take care not to deliver already-delivered
 	// data.
 	for ( DataBlock* b = start_block;
-	      b && seq_delta(b->seq, last_reassem_seq) <= 0; b = b->next )
+	      b && b->seq <= last_reassem_seq; b = b->next )
 		{
 		if ( b->seq == last_reassem_seq )
 			{ // New stuff.
-			int len = b->Size();
-			int seq = last_reassem_seq;
+			uint64 len = b->Size();
+			uint64 seq = last_reassem_seq;
 
 			last_reassem_seq += len;
 
@@ -406,10 +390,10 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	// TCP_Connection::NextPacket.
 	}
 
-void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d IsOrig()=%d\n", network_time,  n, IsOrig());
+		DEBUG_MSG("%.6f TCP contents overlap: %"PRIu64" IsOrig()=%d\n", network_time,  n, IsOrig());
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -438,7 +422,7 @@ bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
 	return false; // Cannot be reached.
 	}
 
-void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
+void TCP_Reassembler::Deliver(uint64 seq, int len, const u_char* data)
 	{
 	if ( type == Direct )
 		dst_analyzer->NextStream(len, data, IsOrig());
@@ -446,24 +430,24 @@ void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
 		dst_analyzer->ForwardStream(len, data, IsOrig());
 	}
 
-int TCP_Reassembler::DataSent(double t, int seq, int len,
+int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 				const u_char* data, bool replaying)
 	{
-	int ack = seq_delta(endp->AckSeq(), endp->StartSeq());
-	int upper_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 upper_seq = seq + len;
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%d upper=%d ack=%d\n",
+		DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%"PRIu64" upper=%"PRIu64" ack=%"PRIu64"\n",
 		          network_time, IsOrig(), seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
 		return 0;
 
-	if ( seq_delta(seq, ack) < 0 && ! replaying )
+	if ( seq < ack && ! replaying )
 		{
-		if ( seq_delta(upper_seq, ack) <= 0 )
+		if ( upper_seq <= ack )
 			// We've already delivered this and it's been acked.
 			return 0;
 
@@ -472,7 +456,7 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 		// packet held [a, a+b) and this packet holds [a, a+c) for c>b
 		// (which some TCP's will do when retransmitting).  Trim the
 		// packet to just the unacked data.
-		int amount_acked = seq_delta(ack, seq);
+		uint64 amount_acked = ack - seq;
 		seq += amount_acked;
 		data += amount_acked;
 		len -= amount_acked;
@@ -500,16 +484,13 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 	}
 
 
-void TCP_Reassembler::AckReceived(int seq)
+void TCP_Reassembler::AckReceived(uint64 seq)
 	{
-	if ( endp->FIN_cnt > 0 && seq_delta(seq, endp->FIN_seq) >= 0 )
-		// TrimToSeq: FIN_seq - 1
+	if ( endp->FIN_cnt > 0 && seq >= endp->FIN_seq )
 		seq = endp->FIN_seq - 1;
 
-	int bytes_covered = seq_delta(seq, trim_seq);
-
-	if ( bytes_covered <= 0 )
-		// Zero, or negative in sequence-space terms.  Nothing to do.
+	if ( seq <= trim_seq )
+		// Nothing to do.
 		return;
 
 	bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() &&
@@ -517,12 +498,12 @@ void TCP_Reassembler::AckReceived(int seq)
 			(endp->state == TCP_ENDPOINT_ESTABLISHED &&
 				endp->peer->state == TCP_ENDPOINT_ESTABLISHED ) );
 
-	int num_missing = TrimToSeq(seq);
+	uint64 num_missing = TrimToSeq(seq);
 
 	if ( test_active )
 		{
 		++tot_ack_events;
-		tot_ack_bytes += bytes_covered;
+		tot_ack_bytes += seq - trim_seq;
 
 		if ( num_missing > 0 )
 			{
@@ -602,20 +583,18 @@ void TCP_Reassembler::CheckEOF()
 // Deliver, DeliverBlock is not virtual, and this allows us to insert
 // operations that apply to all connections using TCP_Contents.
 
-void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
+void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
 	{
-#ifdef ENABLE_SEQ_TO_SKIP
-	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
+	if ( seq + len <= seq_to_skip )
 		return;
 
-	if ( seq_delta(seq, seq_to_skip) < 0 )
+	if ( seq < seq_to_skip )
 		{
-		int to_skip = seq_delta(seq_to_skip, seq);
+		uint64 to_skip = seq_to_skip - seq;
 		len -= to_skip;
 		data += to_skip;
 		seq = seq_to_skip;
 		}
-#endif
 
 	if ( deliver_tcp_contents )
 		{
@@ -640,23 +619,21 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	in_delivery = true;
 	Deliver(seq, len, data);
 	in_delivery = false;
-#ifdef ENABLE_SEQ_TO_SKIP
-	if ( seq_delta(seq + len, seq_to_skip) < 0 )
+
+	if ( seq + len < seq_to_skip )
 		SkipToSeq(seq_to_skip);
-#endif
+
 	}
 
-#ifdef ENABLE_SEQ_TO_SKIP
-void TCP_Reassembler::SkipToSeq(int seq)
+void TCP_Reassembler::SkipToSeq(uint64 seq)
 	{
-	if ( seq_delta(seq, seq_to_skip) > 0 )
+	if ( seq > seq_to_skip )
 		{
 		seq_to_skip = seq;
 		if ( ! in_delivery )
 			TrimToSeq(seq);
 		}
 	}
-#endif
 
 int TCP_Reassembler::DataPending() const
 	{
@@ -665,20 +642,28 @@ int TCP_Reassembler::DataPending() const
 	if ( skip_deliveries )
 		return 0;
 
-	uint32 delivered_seq = Endpoint()->StartSeq() + DataSeq();
+	uint64 delivered_seq = Endpoint()->StartSeqI64() + DataSeq();
+	uint64 last_seq = TCP_Endpoint::ToFullSeqSpace(Endpoint()->LastSeq(),
+	                                               Endpoint()->SeqWraps());
+
+	if ( last_seq < delivered_seq )
+		return 0;
 
 	// Q. Can we say that?
-	// ASSERT(delivered_seq <= Endpoint()->LastSeq());
+	// ASSERT(delivered_seq <= last_seq);
 	//
-	// A. Yes, but only if we express it with 64-bit comparison
-	// to handle sequence wrapping around.  (Or perhaps seq_delta
-	// is enough here?)
+	// A. That should be true if endpoints are always initialized w/
+	//    trustworthy sequence numbers, though it seems that may not currently
+	//    be the case.  e.g. a RST packet may end up initializing the endpoint.
+	//    In that case, maybe there's not any "right" way to initialize it, so
+	//    the check for last_seq < delivered_seq sort of serves as a check for
+	//    endpoints that weren't initialized w/ meaningful sequence numbers.
 
 	// We've delivered everything if we're up to the penultimate
 	// sequence number (since a FIN consumes an octet in the
 	// sequence space), or right at it (because a RST does not).
-	if ( delivered_seq != Endpoint()->LastSeq() - 1 &&
-	     delivered_seq != Endpoint()->LastSeq() )
+	if ( delivered_seq != last_seq - 1 &&
+	     delivered_seq != last_seq )
 		return 1;
 
 	// If we've sent RST, then we can't send ACKs any more.
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h
index e3dcf82a1b..3dfe75bf10 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.h
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h
@@ -4,13 +4,6 @@
 #include "Reassem.h"
 #include "TCP_Endpoint.h"
 
-// The skip_to_seq feature does not work correctly with connections >2GB due
-// to use of 32 bit signed ints (see comments in TCP_Reassembler.cc) Since
-// it's not used by any analyzer or policy script we disable it. Could be
-// added back in once we start using 64bit integers.
-//
-// #define ENABLE_SEQ_TO_SKIP
-
 class BroFile;
 class Connection;
 
@@ -48,12 +41,12 @@ public:
 	//
 	// If we're not processing contents, then naturally each of
 	// these is empty.
-	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack) const;
+	void SizeBufferedData(uint64& waiting_on_hole, uint64& waiting_on_ack) const;
 
 	// How much data is pending delivery since it's not yet reassembled.
 	// Includes the data due to holes (so this value is a bit different
 	// from waiting_on_hole above; and is computed in a different fashion).
-	int NumUndeliveredBytes() const
+	uint64 NumUndeliveredBytes() const
 		{
 		if ( last_block )
 			return last_block->upper - last_reassem_seq;
@@ -64,19 +57,15 @@ public:
 	void SetContentsFile(BroFile* f);
 	BroFile* GetContentsFile() const	{ return record_contents_file; }
 
-	void MatchUndelivered(int up_to_seq = -1);
+	void MatchUndelivered(uint64 up_to_seq, bool use_last_upper);
 
-#ifdef ENABLE_SEQ_TO_SKIP
 	// Skip up to seq, as if there's a content gap.
 	// Can be used to skip HTTP data for performance considerations.
-	void SkipToSeq(int seq);
-} } // namespace analyzer::* 
+	void SkipToSeq(uint64 seq);
 
-#endif
-
-	int DataSent(double t, int seq, int len, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, const u_char* data,
 			bool replaying=true);
-	void AckReceived(int seq);
+	void AckReceived(uint64 seq);
 
 	// Checks if we have delivered all contents that we can possibly
 	// deliver for this endpoint.  Calls TCP_Analyzer::EndpointEOF()
@@ -86,35 +75,32 @@ public:
 	int HasUndeliveredData() const	{ return HasBlocks(); }
 	int HadGap() const	{ return had_gap; }
 	int DataPending() const;
-	int DataSeq() const		{ return LastReassemSeq(); }
+	uint64 DataSeq() const		{ return LastReassemSeq(); }
 
-	void DeliverBlock(int seq, int len, const u_char* data);
-	virtual void Deliver(int seq, int len, const u_char* data);
+	void DeliverBlock(uint64 seq, int len, const u_char* data);
+	virtual void Deliver(uint64 seq, int len, const u_char* data);
 
 	TCP_Endpoint* Endpoint()		{ return endp; }
 	const TCP_Endpoint* Endpoint() const	{ return endp; }
 
 	int IsOrig() const	{ return endp->IsOrig(); }
-#ifdef ENABLE_SEQ_TO_SKIP
-	bool IsSkippedContents(int seq, int length) const
-		{ return seq + length <= seq_to_skip; }
-} } // namespace analyzer::* 
 
-#endif
+	bool IsSkippedContents(uint64 seq, int length) const
+		{ return seq + length <= seq_to_skip; }
 
 private:
 	TCP_Reassembler()	{ }
 
 	DECLARE_SERIAL(TCP_Reassembler);
 
-	void Undelivered(int up_to_seq);
+	void Undelivered(uint64 up_to_seq);
 
-	void RecordToSeq(int start_seq, int stop_seq, BroFile* f);
+	void RecordToSeq(uint64 start_seq, uint64 stop_seq, BroFile* f);
 	void RecordBlock(DataBlock* b, BroFile* f);
-	void RecordGap(int start_seq, int upper_seq, BroFile* f);
+	void RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f);
 
 	void BlockInserted(DataBlock* b);
-	void Overlap(const u_char* b1, const u_char* b2, int n);
+	void Overlap(const u_char* b1, const u_char* b2, uint64 n);
 
 	TCP_Endpoint* endp;
 
@@ -123,9 +109,8 @@ private:
 	unsigned int did_EOF:1;
 	unsigned int skip_deliveries:1;
 
-#ifdef ENABLE_SEQ_TO_SKIP
-	int seq_to_skip;
-#endif
+	uint64 seq_to_skip;
+
 	bool in_delivery;
 
 	BroFile* record_contents_file;	// file on which to reassemble contents
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index cac18bfa3e..f52fadaebb 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -223,9 +223,10 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ##        corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
 ##        ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
 ##
-## seq: The packet's TCP sequence number.
+## seq: The packet's relative TCP sequence number.
 ##
-## ack: The packet's ACK number.
+## ack: If the ACK flag is set for the packet, the packet's relative ACK
+##      number, else zero.
 ##
 ## len: The length of the TCP payload, as specified in the packet header.
 ##
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
index d81f90d840..400f38839e 100644
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@@ -140,7 +140,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
 	}
 
 void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-                                    int seq, const IP_Hdr* ip, int caplen)
+                                    uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
index 0da007187d..68dfb8bb73 100644
--- a/src/analyzer/protocol/teredo/Teredo.h
+++ b/src/analyzer/protocol/teredo/Teredo.h
@@ -19,7 +19,7 @@ public:
 	virtual void Done();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Teredo_Analyzer(conn); }
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 4c26ae5d99..36d5831a6a 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -38,7 +38,7 @@ void UDP_Analyzer::Done()
 	}
 
 void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	assert(ip);
 
diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h
index bcfee401b0..792f83de8a 100644
--- a/src/analyzer/protocol/udp/UDP.h
+++ b/src/analyzer/protocol/udp/UDP.h
@@ -28,7 +28,7 @@ public:
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
diff --git a/src/net_util.h b/src/net_util.h
index e5dbbcdae2..0f34335267 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -119,7 +119,7 @@ struct ip6_rthdr {
 
 // True if sequence # a is between b and c (b <= a <= c).  It must be true
 // that b <= c in the sequence space.
-inline int seq_between(uint32 a, uint32 b, uint32 c)
+inline bool seq_between(uint32 a, uint32 b, uint32 c)
 	{
 	if ( b <= c )
 		return a >= b && a <= c;
@@ -128,9 +128,9 @@ inline int seq_between(uint32 a, uint32 b, uint32 c)
 	}
 
 // Returns a - b, adjusted for sequence wraparound.
-inline int seq_delta(uint32 a, uint32 b)
+inline int32 seq_delta(uint32 a, uint32 b)
 	{
-	return int(a-b);
+	return a - b;
 	}
 
 class IPAddr;
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
new file mode 100644
index 0000000000..c76f4dd03b
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-04-09-16-44-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1395939406.175845	CjhGID4nQcgTWjvg4c	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	-	0	ShAdfFa	5	272	4	486	(empty)
+1395939411.361078	CCvvfg3TEfuqmmG4bh	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	-	4675708816	ShAdfFa	13	688	12	24454	(empty)
+1395939399.984671	CXWv6p3arKYeMETxOg	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	-	0	ShAdDaFf	31	1728	18	1985	(empty)
+#close	2014-04-09-16-44-54
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
new file mode 100644
index 0000000000..b8b9bf9db1
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open	2014-04-09-16-44-53
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
+1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	CjhGID4nQcgTWjvg4c	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
+1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	CCvvfg3TEfuqmmG4bh	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
+#close	2014-04-09-16-44-54
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/out b/testing/btest/Baseline/core.tcp.large-file-reassembly/out
new file mode 100644
index 0000000000..dd3960bdb7
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/out
@@ -0,0 +1,11 @@
+file_chunk, 270, 0, drwxr-xr-x    3 0          0                4096 Mar 27 11:55 .^M^Jdrwxr-xr-x    3 0          0                4096 Mar 27 11:55 ..^M^Jdrwxr-xr-x    2 0          0                4096 Mar 27 11:43 pub^M^J-rw-rw-r--    1 1000       1000       5416666670 Mar 27 11:52 rand.txt^M^J
+file_chunk, 14480, 0, TCf8ZQLH67eBQks8SjFaumquAt7f9eg6GNvyLgvdbRl4QShP5o47kdBupR8IxbCz^JZ1sR200ZDSWX1TeH7UVjxBg+eQ8YpmUbnjqePKMUBbb0uq6tDGYGauJiZnSHVNez^JVZmm+pCPVdIGyWe27Xgub9s8PyDBjVD3amDxvoFb8ad86eTDcrzuPZ0/iFP4CnDY^JHFLAvEbvgBVuKTmveyUjmis9nRgvjaeoHhBV7/XtC6fP9ayGCHqJIYs7pGHEm0hi^Ji95bgfyFCEB2hBvwGGNQStTigpE89eURtsmxnK+I3Hxk+dyBQjQ6hTxQlwmqZuto^J/ZMEv8KCfrZUtTh4s3l621DN7wRiUbgltFXAIoaWwc5YACR65582L9aEX86XVNXt^J8IfLL0klmNgaRO49b1He7exMUA0UCUY9DFdFfqyt2hMoPJqEfm4nRH0x/xQs5x/G^Jq5K+JPJtkyxvqI7AwMSRaN+k7ez12fZCwzpPIU8taS++y0op+kmXsPaTSJpPe8Ev^Js1XyutkfH5OPmrt413q80e4UTlV73zGs8XMBO+VL+Jb+0IUNnmiyWzqIuYokI9RS^JCdLbWCdLGGb6+k76rY4oIDnUbAP7YCDdr2s3QZ9aLMNaSpuyKY19WNzNbw8cI81O^JIuTY6C3NzXMItjWriqAzmMl2AXztrPZZ2GFhyUy1Hwf4DufBEVeDMvhVd+WlfzVn^JlRdy8Os5X0ULPhFDmej+1igX/AD9a2Yf26vqak8AUvLbJciJWFZp17sZYXus6zos^JR17iUaq63Mfl0dk6wnktVLIGt6EHBYb/oJ65ZGLMuFSDqv+NvVhuyNd/IIR4tUKO^JqNVH/+FHHqjbpZQvFHSTqOGA62rb1AecBRnliYKjRTsg7u4/HI+v/jwPnp89pntJ^JkztVIkc7VVG0GhvgnKFjmV+bVddG3UpB3juIVMJwcFOFnQNzF0hm7oDdfEYXEUht^JW/TCpIox9O+VQknCTo4iZcZOOXGkEYRc11C+P2WPk46b2OER/l8agJPG9qS6Yf35^J+ljLAVFNgW12iqiqCYmfQM6z1l+6RIo/DlDSALbhYjTV9CG02WwyQiG4WpkAHnx+^JiaSwwrKYCklvFoUtisVGfV19rTo1HGGG2FFo5oCY4BPmbIQWidTXJtA1JkHsni5R^JPlG8elgJkTJJKkzdwAh5V0UL+m1y2zH+NyQHFzj9zunB0g5QEmuYMt18TvXy7D/W^JkgJbWGvDCKY36ZKVhWTTqsgQ2xecH+vKBaCF4IofA0joodZzBv9GH6UOSkhTML57^J5BRbLoPr3IqbTAx7PFlixb+fIur2UeUo+RYZeDudo7HmvLBnsGFw0K9rBVNg1D8C^JwcO4lpwxZEPsLeqKChpHpQugpkfSnC9B2/Oywoep2FAI2OL4zL9nOWb+QnE8kibe^JmZVCAm6p2qnr1nfKMUP2YWKbTeyowi6dlS9SfQdzc5+a1Asg/+S8ZWOPDJGauS6h^JNrfV2HRoHwYmpqvxN3/8A7vkF+rPgx1yeGHK0mDVn4F2ke1E+r5e1F9IZzM90EkR^JFX1hEcNcqzPX/rerGjD6WNBDdoAvmsth8mrcsIf0iq/yvNblB9R4Vg1+bxHYOXYf^JE70vkvtaSmWCQ5gi19SYK01XR42Jnu+cnUtuCr3P2relXC5TjBqz3V2CO3St9tX/^J8sdKZWDc/kHAQ5uVZAIonoVp6Ffeu2Zz3B0NFjJj9hyJtLIJ+Qg2Bru0YeplIIQz^Jw8WXZ3xHw7nN2pIMRMkef8pAoonGsrUySUhhSjEMZCYDXvWpTSrOwm+LRsyJ9czy^J4kUBxgoiCdxGi0NpljEzvrj27ElBmqa2E/bOoK39ff89GSBvXeHw6NVrrDZhEFrU^JfnALNwjCGdxCrkPm2sw03cdsPRVO0yQppyYbT8MhWuzlq31VGps+EiwfpU+jHsw2^J7CuI4qC/n6yui5irPTV+GJmS900rfqCDab+PW6XJ82rGAN1lvV7+lz/x3lGcFCux^JUudDhQANxzHwTQGmwJeR4Fk+PGTAvQoWfgN+21hgPgIW4Yug1uKtL5IOK2rRVMTf^JljjxQ8FlEfZLdLZgiOOHnpioRz4n/SbcSMw15i9GHMmHE3wOmV7En11vBFPmUcYb^J+d2UaodnxE6psPmSfawBFI6TNT9fKaZchANali9OdFieh79e/7mox79DrzX4tuQT^JNLs1nj0jb+4Tm+LNqkJ5cvDkyFds0FbBd3CblDHNtdkIcSVj3TpkYz1wwYYogt7r^JV6wVmRQ09dhDmRSM8kVinGhVudTpBRH6+F922anxF9exYYKfYi7M/ODjuQLRCK7R^JwSNg7BDBVXt/Q31ryukAzcE5UtCk0LSlci02B1taq2Bp1ChFDpSzaqeshwgCQvYJ^JVLBPFdy21eqa8IQwXZ3wU2TEiGgJIv3k6M07uSDMCJF8/IPf7KmmOy/dotWXWSCe^J9FqYiGMYW5KRrTZnknhS2JYhC4iIHqlGYFYd5cSm3dtx6m1Y4hmqE4+JWRDK2I/s^JCkDbfOvU8UwES3k4tHORdqDn/b54EdEbnG06hfcg2B5FEg7cr90Qjdh838ldIcwG^JI0k9UewaVjjPL1dG585WFMQa3bZChzNN25kRGMQP24BGvA8wuKDseza7rn1dmrYw^JCRSsA2U7gNy96DKQFQX6Ga9uT9OCW+Ukvq2sejhL5cgiqZ6xZpV3WCFlFEjHEZDU^J/Jcaes5cbbkWLHe9PXwlLeCArWkwsrwhM/zS2vWN9xnvPzyYAaDqSlOPNeyBYW0t^JwEca4eu9Kg7dLNrZ8S6tEECdpor+9EAU6T8o60s20nUzmqG96yWhdl1mns+IHW8N^JwJ9u1uYlEKoAHPVdYY6MnWToAxH5KI1OaEfJ4He929/QGkIso6gRRyWlF2shqR+W^Jx74nIGsLeou4Ao8WGVjV0aa1qZiNw5KSB5QB5UuKlmTWG/gdk1APdsmudyg+Vc1T^JAXLdMwj7uvngrIZxFxqipXnWB7FPC4yzeiPu8qOoestmuqkhkD0FPCW5QFhk965F^Jxm9fqwgJPsjBTC5YTB2LOfTO5ZYdJiPYQmETOOe4a9ztL6HwQ2Y/zxc7GD4AbwQp^JM/AbXtIaCYgNkeG9vkJaLn6byDwdmJUZGHHNVjZca8wV6+YlboGrAYrJbX+ndyqH^JKquD7o1PkJTO+4H04lDmYquf/fRembQ51YGyVQaNqbLF1mbyfVd/lc+JJICTVT/o^Ju4+9yTKOhJG2Gb1DmBG+jOIuZkGv6m9CqZYfKTtDv9zwkUeNHMGcAX6n+TPc2WPI^JsBSKIdYnzlvRCMI9BJAWoNej5yQzzfCPlXd15Og+SK0mfM8+44iDRv/051rLVhcI^JCxQpRjq/NdINYF+WwwDoN4VlpPXLZkw1+qYoSHdstDiHv7uhRgP+cEbZXH8mDpe1^Jkj47aUHCLiGP8u1UgRXGH8A0jFp5yPEFU3SBePIehSZZynNB8u04mRpXc1kIlubA^JqnhGKpscdIZnO7KB7pQA2qF+s1I45amehPIBDBzbaGkMJe2Esqphgh3Rk695uPDm^JQM7JjrfhBTlNXxoxC48WdbI9+xzhTavuwP4BhUNADgDel9vxs+HkT1rLR907NaN1^JxWJdo2bsRFNdftSKf2XCthor9VHwOmyU0XI2yeVSxu9hdA1jK4M4C7fmRrQrwuoO^JS6fTlgbMeTey2ZHrJO/iDT+9sGfgT/oGDXYzZrbaFbiBRj5HLweXE+rAyIG77yUY^JZEqkeh1BA1KHSxqhXmkrYr+ambErzrQHIr6fTujmPVc5W1kIZEAhMdLDJ8U/C1dL^JjqjEA/VyjJr8A2gELABBiATb5ro485x/GdUHgOam0sYpHqG4wmsxnM8iVuxbwlS5^JC9z/MjVvBoLl83/YZjG1jfRLkaX6wzWXuSeybIDk7TilDwAdeFAbUfgEqH5xnXND^JPHnSaA8yOxba7kpuRDWJebGb2GPxiP6u0Wk8iXd3jnSJdE3+b69SXzgM82Wht6NH^JFkBEQWf8hDu0pAhxxU32yPCrLoRxCpl/K/p1cL01xtzDbj5Ncfhg5TbYYUyRw2UN^JSHQ46bN/ozKIQ02T+bhA7Z4BVjVw3Fens8jbZX+Z5ClnEiY5q4g+hR6estFTli3z^J0bQBij3OB0yseeOCcyLt9ZpepxQwgO6BNvecNuNtBwEq/xCx7ESzX3N7dVZAjWKE^JdyjbFMIPKMfIMlfU7wvuaxiyWkbVsBcPDPcyLja3qzO85GZgh0Uln+mCModfqZc/^JcplyVPYQBIFXAViGIFZONpAOWC29fy4j0uRsNYKKhRv6fSZzVNbVgeljKFwTCAXu^J8CtcxnpNOTYXuGZbgISo6oHxCy+fIK1Q14eaZepMWWYT22kWR7FlN4BOLcj50K/Z^JBxpcOexNb0QreketOWPWfHflY9YxB07ykX6djOH9ZOlITbZ0c2BMxfJxOaaNbidn^JX1Vka0i06Sk2iFw2MmxHJm5zwN6Ln4S9hCrwaPCDkmXOCoN0pr1jt9teBBA/LkDG^Jn+rp2U4CwSAtJy690+HlZ+Ni/m5QkchnSsGuYXeBE7feao+dBTJ5hyFpMKjjyOS3^Jf+vZkyNxOzgugBnQ5e0suK46y5GhpbrmNIbP8lJn04B6CFe/lidABVS50GK5LqCD^JtdtAyr+6LD0PCJU2pJeqwePqlbQmA5XZxOW1vJVNQJ4EEJfcJj8Ha2hynAOQaiT/^JAXtlD22EXutFfFgFBgkFJZ35+nO4TuSIawad8xkIBnpMX87wpp4nVi3aWd4sMr0o^JyXWSHcd3Y+izqfXH/6BqlUeXNGQjLlj7biMCosz3iFBRhOvUK1a5r90ZcVy+8+Ty^J4qT52tO7+bQOngxBiwqpnvKAONsxFFHWgR7/LjYbYKtgtq+1ibACiaSzQg+IVFP3^J1V7aZb9fZP0YBvbhv4JxdTXxFfJ4knugi+5mmm1PIyznXWnsWOEbYEnZV4dZIq5M^JQqBIYxrS+aWnUyE8DTsXqDUwVL/rBjbhK/1RxNT+mzHG7Q/phD3y2d8ysHlmAWfl^JDGZbZ8+Plpm7uhj/fK6b6FqYO9qJYoTSesyEsZ0Pfjb7uMrYjSbRyRg6yTuV3Qe+^Jjz+g9Nj63cFMlXVlvaBZgwu8giF/SmdkTM48IVc8BkeMJlPg0fnqcEbEgnMrYBsG^Jv8FdEUWTWvzoDFCiQRFrSnPF8GIBcwgrxN7wGqWexfQlzQsQ9XbJlACIwKMLzh2t^JQTr0zs9g8yAk9SQMahWtYJG4IPdAI0mH9dBSYzt0ATxtBe3NpAhrewtcNqTBnII5^JhUcSoygg4JGCBjxZpxle7/anr4CBduMHcAiL9JFCcWb/cg8uwFPm8p+Ddsz+e3ir^J5WZPHa8uXRupG0ZIY3kQXebizwq6aULjDSFy+ggEWHlkGHIAUYpvKXmCiQAWiKiP^JeBSIUBicoJSDOkf0xo1pvC+yKnjlYXhJob3YxuiKoYH6guAz/OSu0Yr/Y+w8fY2r^JmvpnxCwaLbjmYG/ihbaXtiic6xXYjb+OQKfrRywvDQ28UKoLj7lZ0rZfBPPjqGvv^J/qFSiqKvgDua36DPiFy6UO4D2747V7uZoXtWJQEmSEJZOC1NEbyhztzIksHVcT8Z^JKVIHWPyVa69yvmKpIGgEqE92sEvgrKpbeH3xJEekHPkDpCtojjVGJ1Vm2/OrNitV^JMWha/HsUn6obKV7MYIgSIH2BQfs01araaHR54nKL1PmwHvTnYKo7BY3IKxFsDVq/^J/QQWyib6DNqYagd8+jz8tgG3m8/RX0ZO3V8wLgpPNXgXruBIdaqimwPYu6Msstuc^Jj9tPBWiX8XVhrrtoTg7bV2L9rlOdVY10amL4qfcFFjtlbce25vXRwr+DO2En/lqR^JDUngzYLwMTCCb5fEQPPIh/3/paYE+4T1eYQE5WoIO7OLaryzHXqWR1TfWEKAm2gx^JZvlf1Gtwlnuy+Qi8s7TG2/uGg6GqlS3DnL1ryzntYO+7J41qJw3u3Kiv+AhO23eZ^JgUhR5E9InJ4kPQ+g5TyB0l/nAIS4ztOXvAgXDOa0YnkJYlHEJry/UlRGCijyrDr+^Jlumbv8YtfhzX3Px3ufUYVxhW+utGUI24AVKpUf4FjlX7ClDulSGVdE8AxHNZHK00^JpjAPL1SigMdn7Y8xym+NG7XIcHadTc0HW4U45wAZBICwE5Q60vzCbNIEqy8luyAJ^JaTMiI9W9rL0Pf7mkoSZhmfdzdQ2+CV+m0I4EapkS2kBUGOUdyVm51lmsFLGsAtnb^JRlKhBOnSB9tnLy7u2bXqju6c+BW97DLB1mApXC149/KBbsVpxxC8B/WKmDMnFwgk^JGuRP7bMBxZTamnBUFoFazFFUf/JvhG/8ZRn3bn9zcpBVmK65p/6aua5oIEF8lHQJ^Jj69dCO2JnECvpuuLmPzX0KITgnsXec0jKMbkujHsSB1q0WzO4roQCP33d7QhWbb9^J93xNd8S7vWs+jENQ/d+Sab4bIsEAZzjzRhBd6Z2Y+2e0lL4225SjTlQV0rTK4hbI^JV26RP3ooaA2cl0dMZ4n7L+kMKh83wRvHxV0oD218YzsVZZk7azUr+6L4KvzOU6Xf^JFQDP05ykX6k3Ix7Xg+aoIUvThAU0hyYxn2aEcZtQqVtJ45FYym9/8mdeBbNlmI++^JZK1fC7vylUhO9comEAUWcAeIETXwnb2O0syp6ArLVPuTPF07OdpqY9g5ooje/vGA^JCOCF3OCghSfV4HmgHaMDbxV040bMyUrFwX+33QKg6H8tZr9H3FHoKSrn6D8viKyf^Jw1iA2H8fb8HSN2hHjlUFJZEvaYTnUWWmXTzwcNsAJGwpdilBZCB+kfTpHuc0j7TS^JbzbMh7eZRLBrPH/B8PGv3s+vG02KwKrBPRN8saDMRFlp3Y+dfYlycpVLkbYTiP0D^JdadaY/6GaX4dYrGNhHS0uZwcwUjSmaOniwgmEPyjwPmAN9DdNYR/d9cd3eRYEXor^JyJYEPiSt3OLT3Qn5+L9+dKnIaJs0CqjItKgoNAvmEACxdGui2T1G+TOVSupPlHwX^JYJaiMo99b0u5WfPefYXPLAO6yBXu1lKvLSPbyyd8epZY2i5Y+/arhEp99fJPt8Ja^Jfy9Kl1XWi2nDaDFhuV+26wGK/hasMdgkl4MpFR1SaZOTIHnjOI8j7DqqdZ3yE3xz^Jzvh+NYohCU4K6WD7nkkQydb3ddMHd12fdJvI0YRw/QmsRQ5N3BLMVhPYFhHuVHan^JHeyfnIKzmS9uaDiuSkx7c7or7fyLP93uDjs1w7DoMn1/oWWV8A+k/wNcw+TCybkd^J9ZZbX/5hBy+jdc4UuRt57B2cm/HWuVaM3zZngz9k01iy8R3xik+D8Kd4bfpO3Rfx^J/u3qB973X46IX9YkRi0nfRM+PGYvC62FaUArk7h5vxEuSuG6hDF2AtIfdsWSQv31^J5hL6I9IxT5vbhRK+h15V3rdTDcN6MlF6mwN72cLPsylxfR9jpUVW2ab+gL6/v7rn^JHgZeyYV9CpIBEelHIY9TMqCY8GeGQno8K9vvwugx2ky1yGoZ8fCrLZy4umRd9wGE^JIoqdDAlWqIpvqf675V4Db5s/y7uv5p7CMNCWh/APdpWvzlWQ2XgVQtecl6sAhB6J^Jh9XbFWh4dVAC/ftbzd1nxuqDNUBDZYR6WniWIuPZIDsv+mcxrqA/8uSDAKfCT+VQ^JZIy9aMLfli23hZOlayfOTzBrl4/cDgnw3fWMVB8WZEdj2GQqeGZu3upC4QdR0c2Y^JKDdkAh2ekhJEiNA9L2DnZXtxXcgKA4x6Ok1AXY2SIRpTN4UED2CWnqqA54Cg0s66^JpIWUZZrK2t+wKumRXkszD8+s0tpgqjCCjHLagzIB2jphatxseHVe/RE+Sp+Ooo6t^JKqJn7fFIL81GA4SB/qwinU0jV2pyW9naCTO7clu1d4BTAE2Kz9q54zp37BlKmcTF^JloBrygICa/NvtyinA4nqkGJKO75Q15eDEXhzW8PUMxZkNJzqUHY8QkifKkVmYp2k^J4VSZ7VObaui3sH8mc+uh0i2vlXNHJMOrt4taJ0SyWbryPXP3wxDxzo2gbyTlqPDF^J2JBSRPIGTTf4WeeN51j7ZrQK8zYktg1urhtBYABHdeSz3aIoE2qTR9U5lvNB/bCN^JwPN5Elb/grlAyD/d4k+d8Vy9GgKNq1nqtjI2uGqf4x69CSn7HH2Bfe6MUx0L70da^Jd07M4tkaFBMbOwen7rnP2T3nqmrikYWyyS1GXjW9Ts6UPF3O4UpL0ZaUsTwv2+F5^Jzc/IFns7Udyys8+sJnRg0EaFN/VnOk943VTWidbN6ezorOF5dBAPloXhcBaRs5jB^JeDta11oVC4PmOo55lwKMAMG8kyTps+tFFLJl+uXiYTj+pTayYPEk6d/zWp/wB/3S^J40VLs00fF+OeaguQ2bElfnXK9+HP0Hyusa77YpetVmIYAoOuySVcjsa5xS6MncIU^JEQdNnDhiN/MWKikaLzcaF7KTKtkaYzrs/Wx29n/eb+53xKKU5qwPCFQuGzwbcUST^JbbnMA0ucEYthm2//t2drRFQJc5vdUjr5wyjrAH00c1OLovXW+jsdvpQjYOBwG/OI^JlWOdt+aDoxwdz4mn9QXG3+9UjDpIYPj4XehovH++hWJj0fdiySNKaacOoNwVV6ty^Jl6MkknvVhYIPG5l29n2voBSYzMoBZmOvU1D9wG7y4rwPDC9K+5cIGk1Q7U3FzvBG^J2oOBgdrBa8VXwAZkC+PIHhgmEqRHvzAIhRLfzgNTwSXeeu8gHck8CD+lBWkayV1g^JKvsGRgQ8h89RRHo6Ky0L8XoCsOsEyb+m4Zsq6YeCceNV7DFCFw+GEzVvtLSYtFtr^JF08tKhpYZOEMSqPv9SUbcL/HtVl1+FRnTUe5UxDXrwVX16RvPaqFs15nJfFLqgDm^J3WFjmi7W4aIgSQUBUlEue34hTWPRpauluaAuKStu3xNoNm9aKfo24cPJsQdCIiMD^JuRL3FqyjNfZKo82X/OKqt0EYfK3w9ys7t0ewAO59Bm4eokdARepljfbHXy4X8+/O^JF5aguc6m74jgVoEPxdffprU4T7vXwVO8k3FmZ7+JrBsPRI4hTwVqRevgIoPYBpxe^JngSfxNNFscFYjbRIPcMlauvnwkrVnD48VZnsOpNszl/FbCNfolM19WCdLHCiIUPB^JiJA+ozEbiijt92F4hv+ALQksEzrgbrr48t1/YOK3WvZJrFNhKoQKpQ3JTWMnMoke^JOHel5uQez/iUSwNLxlnFaBRptfUgugdb6i5NkWxudWYAWJSoxHwQMUuE9NpTG3ha^JiFEPCIzX1FqXkZCnGyTdWc1WQwthefC3atUR2dSR0MeGhAbVpDputwB6gJB263mX^Jh0J9Gd1G8/6g93fM7AXHC3K67phaLmLHG2NkNH6Q2HnOw7BkRuhYuWhG9/v15ih1^JuhoMnEHvgnDke4C5FxpV6A3T0XaGJjfqre/4MAHELmXfSd+RlF5FR7ZnWNjPTL9l^JlnsqEXQ+DpsHFWfo0SU5tC5PBM//ZwozP45FOVxKEjk4z59tGZwg7wgJEZfEzjTb^JQotqYrFWpa8LwueJPbsPnFTOGDtIVPzg12Gg0s5mNTXv3LgyZjJ5Ot1aQUOeoMEd^JaYK3G9a92Hq/6ugfvlqtOe7uV2NJp3K6Kav5RI7di1K+4Hl6T6ohq0BEo1JU+BHT^JyWPSVqkrNIAYA/ShG3ipO8cV6MUcnlRzBgYvn7/fWpeAbDkXDNxYxmfmTIgUwMm1^JzUgAj8KNEjGc7NRIkIhD/taYl/H0dbBbGdlhzGQMu9a1xQ2w+3wQBo2cLywAAf+A^JsbQvkP3L7+8DJ8Ai76GSuA238Coj/k2WFLvGJCG53kNxydjZT9Q9NhP0/bwUObaI^J0Hw2mXfxhBn6+qNJN+hwktzS4zrgq8nbdLtPRvBYYbubYASw1ZUWfJy6GxmiT3OA^JOuGA4C+siVqQRpTAW4AyzNEwNgjw5Apxq790EwMC8lZhdmSbAdRvI4LUgZFKU7sq^JOGKF46fAxsgVcJI7JgpRB4LX7jOrSiqHj6BptA1fHndIrQ/6XTOzsC3JTnKKIXBC^JXAp3HO9zAas7llLvSRDmVR0NfBpjNwCeIFxp4bY3eYHKxruGylwelY87G73UoTmp^J7BpfYuOtdFXi+MfWzSd4hQsoxBiLbDbXL+OSMI2aegXGtMJMGt7NL0QYqqO0d+z+^JnvezoFA7xnqZou/M3Zjo/VABy/m1HBMdTU5g6G4WD+8aw+TDfvPK+Op4Lb7MuyxE^JSmPBxPaHEQYmCKMzOwGQEI/AH0mM5UTOLpfurfQ/FaQthUuPfL1sraZBV1uxWWZ+^JunTkttIUWlX1CF7AqN6o92QF4MpjZwn6dtU/WLmDm/j64CjlRifNP3hPL7xDXR4O^JfFU3aFO1AjB0Md0d4OnbtiBHd3xVtg9o2noglEdSEoboBz8ikZa1kq5vu3kgqAVQ^Jz/w+zhw49o9GDo583jLECbxOIrfMgxnv2RND/Etoc9XOY3U6d2C55GTzN5CwvG8y^JmObnT77IkD8PHKb7B4+zO40GWfsGdc1JwJ8VuetrEZKqxpyf3TtgPQ8gWkJt7zt5^JWjoZhrHI7opFo3uFDC23dOmVBPQkXzC8IyYcRT1B/Wh7um3X+ZXdUTyq1e60sC8A^JRNRy+Nd2OQkEH5BiCmunb+kvfdx739i5dLQWrIgvDFJPmfbUhyuyqDboxTMedNpn^JbebTEbrFJFxCwOLREtTWMaXorDnEd9X0YrxkkljwYUweiZIgOZu7QALj4G0an8EZ^J+i88NMdD+KONWySuZL8UGpuWMqOG5qpt8oMAXuNZgjnGu+dPmQ7PiTIftkIldgA0^J/mzOt31RkN/+YuL9sEHXfZPCATwqRJoWfTHYKRLjyvnKK8UclTAiwkgehUD8dpJK^J/f0kzIA0AaNotwMIY2S8h+2wAsDpTUmg+47izIoAiylX2Ek0kMLY/cMQp/pZJII+^JnSqLkbbJC1iJTkzzkA4Sq9BEwYHX+AQACfR1XSi5fQ1cwFl4oIftsFhUnrW1yIkD^JkqnvkFP21puNq/Cb8uKJD+qRTpePrke3+Q5cndY0nPI9S2PABdmPOPABA380EjtN^Jva499Dxgcuozj7C42DVdthSiedF1V/MZgWTG6CCdDZijf0/dEkxpMFDrdCm9gr9/^J0BzznU1hXXrug0xIlZ81W935KgcSwzT62vp1EAT5L8vZN57Oog8VTVTmTPKnOSo4^J/1YPJnTYkvBoW1YeHBSvJaik6g9lqtqUsb+aup5QoY2SKM/WMZIpHz0OUsidZywA^JX2GgunrW8R2jgYqi7icCt6soC0a/M1AeT2g6zAaGD8TI5gRZWmrGvqKZXFK1zkP1^J+1ri6w2Bothzg8tz1eG7Uuyu/jHP0ENz4DlfTawIRot55VHPh4dNiv2akdza0LUs^J7rdoa+ZIevf2jyvC7YZP46i3V4OHhdh8u8DLJFTpK4yzSSaFNpFJ0hurpyqwAtf5^JoB70MY69lVZwhuCn7249QbGZ7vc9aCBtWP9sx2kUHQG9l/WQ5VSrrsfcJqnw9AzY^JePk/Yv0O0LFIuHL8ZjkSNVfvaC59Fi7cRqJ7PKZDbFQz3cMfyaGs9NBE73EDv7lF^JOCCh8G/Ocg3EWzBkin6mnrvOy1hu4EDD7yQqeVS0+xHQPZICr9X0SKGXXUyvn4eL^J89+8cIACBlOecMs3pnrhlLIla790gySCmCybrwXtAfN1byomJL2wsQqcLeXiLAwJ^JgGXKTjJZXgRTq8qFjrqw1JBuqYo/BMuOAO8P175zbX97Nn5uy4YE15aBG/5GsDhn^JhhVhncMJUyJNyhj//PSDPvXWbDWD5TG58PZih6mhadE3Do6eRPfVVx8OlOsfLiHg^JHa7+s1aX/bX9+Ibng4khoSjNGYIIg3dmF+EZ0MUEfxmV2OxItlPCcxvK7850S3C5^JcOuJHqzzbJdz7J1/hAFs8z0w2ndIFNdf23jWZ/BsfaHhyjel2KEnrTpSVqSiOi3Z^JYxIiHk2EH+0VAlcmtbfFSreDi+1E+Mi1O3DMUoNZJpiPwJxGjPaBdM6yRACrByy8^JY4YRH1VBJ6zZcIiKjjP08csRizu1nfKOsalhmaMpPGCvPkDvKFIp2BJxDcpMU/Cc^JyyDmV57jx7BH3txuyIw/TQIDuQ/As0+37GW1t+n0hyuaG3LjjZRPM1oqR0svvmU2^JiuXx2lkuwcKcrvKcXYiueacKdkizP3SirDTsDsTejrbGLkIoFWg11vNl/AZ7KW8F^J3s6EwVAdSaVTn6kb9TE0045O1bTuu8DHbDbGJnA7u+4am7ToX0iSo1yaOOIEzhA7^JYvVoTDFsfKSdLtHNEO/wlXoYHBuOAQw093Z+2GAyWfq5y/qT7vh5FYL2WbF6g8xc^Jta6ebB9Rqno1xC2BTwgwJ6VPzpFS3r8ArWdelq/0GCHIj/6x/2AfXQX+mvbE77gE^JMEHB2Qo+tZQCIqAnNNuaAjbBHuvLSy3c+sNYnvJoyzQ5yK8+gdtbJethaaWXk7jI^J4PU0t1LamlEWGZMKISK3zn8pfQAdh+ozYprnaQsqYjSBUsb3SAsI1CgVMSd/p4iW^JZdeA2vt35dsm3JaJNIrbk82AP12PH1DQW84zEee4+ljsUmnNnocNAyTqfkjTdRCZ^Jm5m2kTijKb+72KH5qnMRIMJHOZJ1etLLWGxGPwQ6ZcIW1qSkisv3HjjTkKGaHiyQ^JCBViKUVCZ70DAtEhdxnt4We4AqkHLF/HQKkKixTiQyYmmuHGr0NqOaNxcG05tPZ+^J4mBbI97OnVszlYi3XYIvd2gll/+KCrun3yURvzVML6RrnqPwnGeLyGoFpqvvUSji^JVi0S6tgNKEA1644bmTuWP9zszpKVNRH8mbgVMpxNN+830CbqiBZosE4TuP36D2Ug^JLq265sflRY62rzGEI/EsJ2L47t7waTIQk3sxIzR70mZlJqchH6VhnfTk6S2Xgrv9^J6cMZxvVtAeSCsXAi5J9wgdso8z07jgRvzPG5Lzx6ILVEKE2sJQdxaleHFAjY/fXG^Jdb4vLk3NELU4zh4iNgB77XshiNeeCoYp3a9TipOrHCPj5txwICaUeaE42auHkdjb^JQSBABJwLOd+bXZWuQpFqZ8j9OjXC6q1HZi13VVreLhsD2yiUjhQn00V3d8gEfPFv^J045cUboZlWsU110UV/7OLDke2Vvd/gTp9EAb62EPAR7W8kRA2gfYbxoa0LqB1zK4^J9H6Dbir4dd7WOx+CfQD/LbRVWUBgL8E5Kt3WhAFkb1Rtnzs0fVAijk/bauFIadLT^J5wKK6nfjv73wYAKbwkw6+Rmo5Ki86YjF5VgFbjtYwcUvN9xabNl7xh9rtdtyq/4b^JkhzC/jwyg5pvg7p8v/q8Mbm7wY9Xv0fZxYaLin+tcq150yNycwmxoO4oyEXLx8NK^JTrmZKIGbJ1MiFmh/AuB1kMoZbDy37kvOs0yJjl0fA2SuSlulkFzWekmuLnVfbZJF^JvhLRPdpM5OY55IY62ICkRAnCX+j9/i5jx0BSSfmB4Yhh63szrF6slKZfITssSAkp^JhdaAyfAhBTu/APBF2GgEh4BiL2fpK8a4LFZtSZWIqwHa4bmWjyjRJBuvK7GjbLeg^JDnCuPPdNOwfPeuhW2B8h7FM8rEhwtJIysP62lpNuIeD876yB2uCsYYvnIx6Sx3qX^JhX+2xkF5p5vh6sM8WnnZqbVN9lI/5ru/sghlopPt/mUMuYcR73ja9odPtYCYbZTa^JK/oCCS3lu6BFmyCsHOUgn7Dn8mGsorOdzfa/W6/Es4AgtqPS3VynrTgt/nKUULi0^Jez0yIkIOHqYkl6DrmJIOXrwwxqMgSrTe0vvrOdTifQaDF/MTgfHp1+xuEpi3Xgzz^J8gKRAPIgMJkm44YPlBRRfYTzrFYPGJxeMe4CnL6NgcN6TCE7Y0aOvpbgBw6/JZd9^JqC1sLRbKuUkkRzzN0T6LcHX95RCcL/9Lp1RKqaoQnX0wZhskLkGz3/L9rDDtLeAM^JhTYExb6VAciL9a9oeOTJDXjJ2MQGjUVAHjouLLtFJLdmrqpc+tUFB2L5IW/ZgP1u^JHcmlIa2m5lxxcFHdYRo8FVtM8avDhunvmtMaYL0LBP1HmHr8xl42ICSqASRPUw8t^JE0siS+GwIdM/F2X2NH0sz/leTvVVl2iD7suRUHVk0vHa5+lypZcCSQ9qvp7mXIfs^JmOfwRNn8VT4UHRi1gjsEwXEUyLXPxOAq7MlO714gWtZYWiXJXnDVPL88Tai1eMz3^JVrzkpFUTW5DtNiRRM4DbZMtjcv0J+tunLbrHvVRaVYKnuwZlFL+6X+Cr0BzmkOoL^Jxm+8Gf8+Iih859+rRj8/T7lPV+S87zQAUcXXTiEvJrl86DJ9Kl
+file_chunk, 752, 380370192, GsvqfXiJ4np0khHUmapJNPmJQKa0luEG6FpCzgp0Dyl47QbUHksinrhMu^Jo8584ANcgv0sVUAruYbHZKqWHF1iaF33J5moGutRzOir5TpCwsYtUJTItLPqAigi^JUZIpKxPbO1Qu7ogRR+m96RRQWPGMM0gtauwU8a4i920bBrETqumRuEBs11GgfVBH^JZAc44gk8Dg0YmuX2XnxxWHxqQkVbpHoDLGzeFh/3DkQ9xmAFWktrZHoefkUFgJ68^J1JG8ovCJUheKpSkhI7xcm/OLvfXpVZMatajQGo+4pCA28fQ7SlO0NJuQQUB1Dl9H^JYKuqg6sXuXE3n2BtmQW3LMUG4EIA7bplb0Njb2sCxh/XjApgMVQXzzAmhwuz4o4k^JiaecwnEheh8CLnv8JWMshGw1zDgidP5HbJ3siVD1QhFGmMvkX/ZM7bo7zMZfpRbE^JMdVIb5jJBGUXl1lCol3qbMnSoHNhOo7doGEFhTuVvXK8lP/bmlssoH8aGc52bjws^JYZXn2kVUhUV7d4TJzPhByjKFHg1mY4WZVwRUG2TbgOiy74z5brEhU5/he3helhy8^JqXMSQKGZlMqbHByHDEjBYpR2PqebUuuDPNpkmZ2nNG4NAVOa0gvDcrocMsCEbW8F^JXp2Bmrxj4idyuqruml/tmhYEm1JSPqnAtJCvldK/Ksu7WSMXDYZSitG+2Q4n0L6V^Ju62Pt8j5vMU0RRCbqq3ETqSUEqasL96nHQys/ppzaraC
+file_chunk, 752, 380763408, gXdxRZzzH8TAPLeCpKo4lkFco7^JVvkx0JG2M4OVAYmaExT9D1KAHw2PxHnIgNUBq1jHnyj9VEq9r4q3ImdsoysEswws^JNzUDy0dboVl7ZetTP6iOLaeghpKUezHDfHFdgQJK0M7l0GTps9dKqumA6vb8zElx^Jf7tgGXKbPgGXirMekktHzJmb0egVOxwdxRihS5KggKG4u8uNGqq/0vcIZuQCBvVZ^JDCUdJG8s0L9aqifuzQ+3y/4v0l+qQ3daY20plf/KWhbp9T3QBCiutmbMSnIQoK/H^JZ7yqa1h2w1aSgSOStv2tWtCcjjgmBI8acLZ/D6/LZAgF9ZdEfSnK9+39yw9vHg9W^J2IpsFzmtD+CyQ1eVrarHiGL0cDd9kKPE45czXjT96cjk40+SgN/08efxvRvOZpV4^JMvW3fHpSFS8UQecdE+NKyPqf9zEMd/8UBwzKD6PQHJ8HpCLIFdy+wsbwU4+yRJBC^JTdEOlDT8j+laAmErlQw8Mgf5KcPx1hBIqecPaZqfpz5r6LmCXYbZQVW8E318CJfF^J7vGlrZLQh/x6/0oOICTUqd/CaPGhXDrrS2MRGbCEG5N/n/qIQUyyBJoXbPp1AAwG^J8OlwvOcAQWh0AJoXwI4bFF3lqIsBvLwVOL20uRIqsAfmxle6nfwSKAT8FDnqyAng^JBsPh4X3wUmOKuqG9cZhc5544WG1Ec8WRKmEB8ru24k3Lw0GsFPYNLpmbrYPofVlh^JXbH69HCe18
+file_chunk, 752, 2293234960, bE5SAPMll^Jaib84k6IRyHiKCbCiaAZVHGn7mK06uxYUbD7bZSfWLRVOrJpAwF7KCprFfMglIo0^JwCSYXGRoYX87FbYLtOCxuc/rFQE3JjNQMmNbTjxQv69xmpCQ6VWs8ePj3n9hDuAC^JBLq/iJ2h6hKeLUfcpblaJ4+2hHO+Bfr1PX6juuATkCex1QMCAr0ykNuXrirTvGm9^JHFjQyOKV1Mk5srxRXf0o9CZDnw0h02cDV1Zm/MzpnmA1uRy4mNBGXmR4tXn6Jype^JCwrONyUP6jDaRQDeqLnniEKnZrPvu+33rAdFK+1TRzr//gnudo2nj6ehzw5GavxS^JOYOjpXTQKo3sXtDuO0XKtGlQMN7cdV95tkXEpyatfdjFs57BBXyih/w50WfNRlJ9^JvDcC21ht9AuYP/7/N1sSAZ8O5icTEqiLox1gm/s7CJR38nN695+0aGRrI2zdnZJD^JffR7ha8uqFsfJbJSIBrqHXsSleF8hjqlVTXyGpd/yo96KsYk1qKsIdgkMVT+cMuf^JjFwxhTW+BH8s+K00eNzpjIUzJY8fUOusUYbWNlvRHZVzs1zKUzJiWNmKSEQkAVnx^Jp+wWj5yQKPJyIwJUR2DcGzkXES8udDbfstiPqRHeAUcm3otjWQzn78jdQ/trYq03^Jh/yu+wuWsMazmSoDY5kEXCYLovRX8zBfPsT0/yx4Jk9eTdo1AY10E7mMFOufZ31O^JNSZ5clGw/3oyPNw0Dthl6RJGRMl
+file_chunk, 752, 2338716944, rKkq7+/L7WcTv1pXM2kK^JARYWqoQyfEpftTMC+UdQgVQxklO0zOYQwIOF3I50JNSycpqO6QWEVCr/yNarcSQC^JALVtH/fJKp76r/825GduosjDFDlYyohREwQqqvYlnXszy6DeIVN3Fpb+ChkwvNmw^J1XVj74VT8QQH2g1fbwQsjL4QOw/xLqgZtq/3SiDLvOsnrpvuN5oQcUdV+1g12I1N^JJCznvVYVUTBnNWV1wNFecvuBxGYRETJE1aRHFimjFAezAVSW+FcwwHhcXY/8mpNN^JJieshkOjYKeUjhla2fDXH7OY1aS0T/bqBUqkdVTjkm0C3E6NlUGUA5t31I4jqEb5^JbNwrKpLJqCjpr/uRs+e9ef1mais77rMwxMxu3zOgI0+Wl7oEt4HXPMbLw7FlXByH^JPm3D3f0Vm/rsfABU7nPH8EOfR0Ad5WY4Ul+K8HGgFL5EpWgagrAxIm8ZMba0G37O^Jyt0CBAy0FJvTMCaIuFlL1VshcatltJqKgVoClur2gn8mnsMEKMsgLNE57G/v75aa^JK2G1EuFFg8F27Ry8WPFJhdnMBno5NIlBlp4a+GNnoyYypvSiyCH6ep0mmHCkInjI^Js25AU8PJzVK5fgJgZITJcS2ID4bQCFy4mVn4MtlPAQOGbZ4f1mNHWKXEj/arz9jx^J2LnF9I9OfP2SIUNuGr6EnZ1JO1ycPFh5Pmd7Cpl1MO9APB2RpwZ7FwAuwfNzRtHv^Jsgutwr6ceMsddeT9
+file_chunk, 752, 4260756752, 4Qr21M3p5vrxpuLqal1FrU4X8z1+r05kDvqcs1RzecdzoBp/FCMU^JykfOgs1BNZU6UypSW2vwOxaQFJSTb90OAdX6hpyTSRT+k1RaGwGdWgn7OdFgdizP^J4Qo6W9abCfi+6BnzHkxxSFTQfd9AFWZ1LlPw5+NjUXfxdi/jGLtDIopnKAE8LshA^J108MLfjjWwlcqs4v1XJHGfjCaauVsrRdes8uhXfiCZgUL0KOKvwHvBy2TKLDb3ZY^JAeJxEBZlgadEjxXjyQZ4BcvU1Gwa2TaIfKsM/2mCTiCIqBo3Mw5tVHkDvEBGKUdS^JvY8E9bpKp26Y2ejYdVk8JSt58wDHzNBeO7ocmzBn3s2fQNbiwX3I+eeJjkogqKTa^JjQSAGi+bUGKWE9dZyDkMZd7NnvLhxO2gEoRlYYjVuDDeDbXvBtLHDa6puLcO1p0Q^JHIkzRmtMTV5SVPhXjQCJyps/bp5v/HzViCLRfXiL0+nDDVesaVbhko71aICGI9Pn^JsvSR7E4qvDdzOppjmWKkau8QcuhLKlzUpyEI1SNAGzrSqL2OuHqdUK5ypuL8RZmm^JXGGDmJ27yMYNjgr3aTJ13eJLH/MQvLAIBys7GKM9BZ0UJW8W4KpbDFRRJieo/62U^JWtkGoNw6dRiCdkuHkWRs40aKc1yhDaoMxY9BHpMtUuxid9Qu9MCiAs33JHLzc+so^JBeFtAtKFW1VSSe31oO9fUfgGucj9BP3QpaqFA0t30TazwxUj3
+file_chunk, 2896, 4303090112, yZg/LJ/GpmwgXe+ESFWIDa^JxR4TdIMTekg4qqCL5PpNJ6DHfkkdsjsQ9zqkWNtrc/GpqBPClN8IwD4qThUGd+tI^JTe38v0hZWuuNnOjY9eJO747wIiPqy15oBYpstGeIdESgUFr9/xg82fGjalkY2ZVQ^JJAlH0xNX+TF5QIn9BUMnxn6OCA0DkQYqybz2eq82jB7ZEnGLdDvB8WeaQIjxBuVx^JDAiCwzjC2jpO+wNYCorVym4VFti4AgGYghyLmyAicit9NqPTMsaD2BbRpb/qHg0P^JdX53dFZe0qlqsrA15n3KCuLiw5YXEFUmUQuAN0dAOqlzOTOPpNmJakHF3TqIXvw6^JV/qERQeuiNPwnBZWrZvpTjO50VatjcUizhJRwTiQjbQ7+mqgHxiEa9abpzqlTN2I^JW/uUssi0jaVeFdL3MHZYHltusyTx0F4iH+KGJ1n7YRefPAI5klNZu3XmTQsQafkF^J1DMVbqcJT+aLdlz2hWMy1R0BfV2XMrO2/XhG2nOScnRzS8Z7EmAgqZmzFfF+nqyP^J9UCd39Si6aUrss3N0oCJ/44F3T55uSHYf2LCgoaaiR5IML5tk9mHVRyTile5iF3P^JNPwMnlSeka31pzsqLRiWIAvKqk5yZJ1v290/Aff0SSIxKggtVMBq3YmJeRb6LrkJ^JjkYC41zT+lvvvMRBJCFOOXBgesIBHq7pOKBKPY/xAcN/e+AQqHLlY/OGMT6+GK9v^JGXN4TvdRLBYHZQqyk2ITYWD5iQqweeZ2UmjB3Is3lDKtnlO6qbWvvYmYPoXDrNI5^JhRX0gaiVC5LyZZ9NheeAgb5ZTqYUcvNCxM7BFV7gJMFXc8gT7A0FG3YbkV9Y4D7v^J3NduhJG8kgS814/l3Il9K3jc12uv8V25orXa4lDXTbTu8WanSYUkg4cLjqfKD5Vh^Jly0ZTpYeNx1NdO8FoSGJhqI0BC/p2NyjzmTh3mrGk6tnfHuqXAMH5tIt/EC10MmP^JE2WTu0XrNk7I9bWBRRNWx+ysP1CJUd5GbYOcQpFHBfG+9ApIf3LjxSLU00/b7Ui2^Jz/92JI8T6X4TdKxA7DY10IJg6KJBsUAUJ9Co6Fxr9+9OIo0bdj1IcD5+w/qB7xzJ^JNC3dgXc86uEDpvICZS2vIeCZTrc9vgxBxpftsdVNn1nDYlalXZeNsAmDiy3QJ/wO^JPS3Li40x0KtDWbxMzgflfzuyMZQBFSNeQ7CXFh9mJMJQkuAtHN+yAEqJJKaYV1bt^JJM2jAeKb64mN31lIzTnkJEGWcvLNS0uiZKJQrm0lqsentMitzc/+U0gSxzsfbqmW^J187RzZAsNlfWnLN7miAPsdxas2JGGrmHzjaUkL7U+YJdAToYlxjMTnZgztt9LJxA^JSprIv68hyNVF+4+fpL7QER9EOmgQOIxjlxCx75SDd5g3CWJkVbXl8uU6G+j02j+Y^JcOXNTTwX2ptbc/79Kw9iDMV9YkAZtP8BD0Any1Fqh/IMx4QcMXEx46yDV2ji7umH^J1SO686Lv9zGXYb+ApuY6PVuICTJrWLIZBE48otTKBXTJ27wGiEf28Z7bh74P06Qv^JXMTUryBMDg9JrcCGTvelIZO+DbMMMN72Mh/lXBAOLIkfh9WvgqyMIH1kfg0H3AwN^JB9b689RpbK0N+xhfV/aIqGp3a1KbXqPA/h85vUI1aLXPreBN9gyTKe5K0HXw3Edo^JqMcB6m//PN72r6epmEMgdthZs5GtNcQBx2GbOonY1sot6ZA41GR4hfl+EJPc81uY^J55uCcANhvaaIl+V7GCjV414dNq89TzNFHF1sG3ifM5ePRhFHVnsE8HgoE3hsMhqH^J87vMDghqNZi7+tGPNjZvZGVtB+RL8ltGhUSuoE9OjU9S96T14TZT8ksIo2jb6+Tq^J6Vo3Y3vKc6krHH93OKiXN0hwqPupBD6xo/23Ivnk1qu4xAZ2fnR1Ob0BKcPCrNdi^JREI++RJzxugNvbGOf2LIdoI/2yChB5i4tg3qYRRRagUpNohIxW5eJy5ugiCwOH6d^JuPmvLXUzs3J0HWdCVpmgURIP4omxgUkLYeJNp4CmeTAUr6uVrqzRCDYPOYrCT4tB^JYL6uyxhmOfwL5/YuVtsCcKjX8nGvOIHdtiMolPpeH8qdv0zp9kY+h8eTE/WGh5HF^JA4VLUCH5d8qok38Q2Xvtiji0QrKr4j+P5Vhp8YbKLwFEqs3+NvA1iEx/RQhTvPO+^JHCdnaCc0vIaAp3jR88OrMDhHyKePPMk6shiWiFM4atdQesswq11pHaUrUoATZGm+^JG4IsH5+DZVk+ztcDnA2+f1+FKDFHloA7VWMiuccer4ZHFqaB1WGpTOMTBF0xhBYo^JmhRBLM+O3SJ3+I3FwbmE4mPnh8PMalte/qm9IFtDIhVdoo5+lS4tarJTPwazW+cs^JAIxETVWHanH/QOtyEdrnufA+kcj9DLRA0IUQLySOYCGQ3ZZsHyyEDV/9IWOjpARW^JDObwlGFQk2mWcH4/CdOl0ZQajrk2hWbwDuFx+RVy84JapHNIAFgH48u+bn+hgf3V^JVX1bUYtRpwrBEEBwD9rQJ6iMmeqg2B/Ih9RxPBq3wyvbhzk/VVCaUq3c+XLz+6B/^JwaUQeYEQ32U8XkaKbWsXxrcKZvZ70oYLGU1+mHLV/Lc/vwch4nAJmtRYRrZ8hXgx^J7CRciM9baxlkZ8zAaRXcGW2Gbl8m//oHERz8/8j7YpbkY3Y0qfeIqNoQyHieLPc+^JWwUfKskpxIgL7MhKlDs1fmJe6X6o3KW11JZqldPwKL6WGK5P4OS2fULClB9MD605^JNpjTRR0NBoNpKKr6UApGAqwfZmc+7oGZHVBw41tiCKuAavQydcOtOg7Xj84i26J1^JBppraxJIvxoJ3
+file_chunk, 752, 4675468560, +DcPcn4qO^JffnlMfb0kLM2x5RyTcNksyV29GDPpFDXWpehoJ56Wt8CMltAlRzSEEPAjWTISMvB^JgYHW2wKs9VHgQ4x2pxmnLTGmMKS49QFadEaILpCb7Vbi+EnWeDwitcBjWI2GrSMq^JYvex9t0vSEt1BrebNcumhwZ4fEjJ8+aci+ZW/r6ZVd7NMrSKMYpMTp1YxTqbp4xJ^JoogVMhE9enlaPiI39lS6mcjK9PZoY2nxTAjxD+vmsFrToCFtxp0aMcJzLsbjhQ7E^JTJX+jYH9mwJiX+mjghmb1npCkjCCZkl04m2cQwYN6xtyXRniEQwpKNK5KCcbfIPb^JYXDXWKvy61KJQli/DtUjh9rhBLVGrn70CCuoCHxnYSlmq6Np3BBDt1PIGYxnhCak^J31ueqgP7CVDs+2/Hh7t4syiABQmA+Xvw3E+Zd9zPp+TjZoux7nPxFUx/rm3YFj5T^JvjlF+AruGVrzTVRmpKSY01wo1Nxv+pSpHg0GukvDnRqFHGSamlyxDrgx3orpqj3e^JD4Pg4voGdHLoVkTF+HXNjUZq8UGKz95B4Tvrpy5Ll9NwX3DD0wDG1RDJLw618W6U^JLThJEdnZcI6460SCpiqKhVXZo9vL0f2dYc+nswEjtgkFnUPQMvp2fK9XVEozQNiQ^JKAjg0dXTDJ2K4mSxc6UlXqLpYgomE9vX0dEq1i6b9IktZi9WckHR4nfV9F4Zd9bI^JgQbfa6KTmdmTrHM4+jtC5dZBDtV
+file_chunk, 752, 4675730704, QvDDMBnvKD^Jf6O7XhaaVuulyRhTZPY7oJjJJXSEq/UK6XMmMRzTuPVwjK5hL8H8MvA9T5NPDNDN^J6awIHAtx9vRxa+fNXhfoE8roipZABMXCD510gRsS/yxmYat/2XSUVuwVcVfmLcUB^JGEIYmzbGTxPB9TfPccJVsKAD35jzeyTGsQjaW4B9I1cykWedRhvEd8AeL0O+vBCJ^JxUIWFEHet3dbQvasUZ30o0hMbgOiserhgO4tQ56U66e+Vl/VZUX+DpmxtTYTiVn5^JpVZfYQaoTUpzjAi9t8Iy3YJRwlQRgZHcnzmcDYNuvo4InrEHS1xZC6WcbenTIpSW^JkCGI7fhCLMabTW0FQ5AaSTFKXP7O9+nxdqdup0XJT8Twtuz8l6Mn4PkgqOn0A+bc^JQbtonpY5uIQwVCiAcYjpKAhGV+D1B3TDI5q2+Aj6WPQ9Bfi/pqfv3fBK5ihgY9LS^JW8jZEJCJduoEdsDyatqtSK3UOtftqPWVptW5JfuajYR3CPl84Xk4K1/cQxx5nAKi^JRGpvr0SVoJsS9HRSsoMlJB42Md0SVY0nwp3MO1gcOvKCA5SBI/KXIu0HQ3YpxT39^JV/sR/QjJZvj3u0hFehggRQVo25pQhq4RdCt2edeBwYoxmcJDhnOZD+nEYax8GRUu^JfrkPGVECNPqfzEePAZSv/8nW7ZHXz2+Cted/eRd0Y6qKO4KysL+kjDy2SX8ayrmA^JGlc8VABynj/sshoQi5/nz8nq7S
+file_chunk, 1182, 5416665488, w7c/SP4xbc2p6HIRdJLpymJYcB8aLuc^JltM7qmD7UWqSwePzdNZkOYSY0/p2PiZikeQ4wn1fZW+24gY3Dr+oghOLSyl9RIc1^JgO1jwi/vDVySgarwx2QcGsqac32ow212k0FzWuHSsI5SY3e9Cxb279S79PH23+NC^Jrs3mJw0arb7RYD4ZYIrtnnrSHncN944NEmooPcHD/y10bpQFlvIDO5dPX5SC7ryP^JAHOAkFGnlbNJasU9jjuGbl5KfwAG+lm/WyBS3Qzs/jZKEm8xcba1t+4Tmy4HPfIH^JQycTiGZvabxgg34ZrUkRS/VRyNs5DYEl08BsJFJ4ErXqMxqIgqndmqmFCMWRbqm3^JW1SyJLU1BpESS7O/WtdE0h52qeMibJCuMmSLZ6Ji3ObkDuWnJyQOD6DiywAOd4MK^JRAKw6c/G6daqMCLAR8iYNbKv5vizBN0xq38jnjN78n2L+Q0cHigtBVYOb6g/tOod^JsLW0MZnv2UQ+GkD7mz0FgctEtk7LnEGwwFrOOHFTZWJ69Z670dS9KVIVNLVom+wU^JM2bjpD82xE3kLHtZ/VZ/p5UzZkhFZTMqHisrXqcE2hs3StrJj50t49UK+JeBmNSV^JH9rY7uihuKU1BQrSxgXtgW6HZ2st2VMNWsAFyXDtWAO6PrmSF6L+D811cXHCGZx2^JqmEH4/fh3Qyz4wWp+2qJgdfqlvIR9glBAvF/612vO7ig4LN3+g7LLaXy/gtujFki^J9Dnfq/yKN4IzQspkrRJEd/Zitw4HMnO40iTvk/qmfq0lvfCaJkLNlVqD19XJCPrt^J4gvtRiwNs9QfQht7lhUp/Wnt++6jJ7xrHqmqOMvd7oBX9H7VtZwAN/5tOhznLs9a^JqcBtokxx9c2lWCtgLnOHdNssIC5WcBfQqCnfCPrnq2A1QVGFoIkFin+RmvgdpC0x^JTJHK1ceRTrnNb6VBcmXnraSn5QZTIZ5F+SQ2rgqTNfofokJtEKAt8fUVrHZ81emS^Jf3sbH8UPfa9Xj0jmZmcjRRggrJ1yu0RsxUlxg5siQ2Fy5i3vAb0ZZ5ItWdIt8Jwt^JJFX0FWYGmphyo0Nwj/XP27NaqTwSOmo6xAfoyU7z/28U3k/qEbtLpn5xzVHk6Dny^JP0XGw4JttE7CmvwEi057FGGBu4pUYERfRNu7o+THlsQ=^J
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
index 57fa59a1ef..d387f9682b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
@@ -3,9 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-36-36
+#open	2014-04-07-19-37-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1153491909.414066	-	-	-	-	-	truncated_IP	-	F	bro
 1153491912.529443	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	binpac exception: out_of_bound: WriteSingleRegisterRequest: 4 > 0	-	F	bro
-#close	2013-08-26-19-36-36
+1153491920.661039	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_ack_underflow_or_misorder	-	F	bro
+1153491929.715910	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_seq_underflow_or_misorder	-	F	bro
+#close	2014-04-07-19-37-09
diff --git a/testing/btest/Traces/ftp/bigtransfer.pcap b/testing/btest/Traces/ftp/bigtransfer.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f08f051c5357593dff181c5ff48a3531301d6536
GIT binary patch
literal 32127
zcmbrm3-J8feHZq>*ESeY7snlnhXnFVNE#gVMvs+NT9X*-Ev<I7+Fh-*Qoux7z2DE(
zgAC&`Ez?e!hO`X>#LNT+N@>C)1RBzzlu6=}rlqAMg(gg#PBRH)2FSp;6q|6}v;V*E
zweSD>-j?akU;o|xY4>x^`JC_hp6~1IPyg6o`V+4{d+)P19$)yvvuCe>H`0|j|DIp-
z8=h(4_2YW~vu{#={zK5SZ+iY(c=qh$>+kvavycCp59NR3zocIQSMba2v)}knKk<Fv
z2R`uZFTVPPFZ_`|{p{JR?|t82e&s#ydCx1aydU})`_KOO$G!Ky`U3qw1n67v{&Bs5
z`)K3+&j9+jf(8J(^1cW1qlIU`@t50A{p8>OSD=MI@qHg^p8g2<&;$Lwuf89875>I=
zeV~Jue(j^*)UW*w&sc!^xZc)p;@`bKkiX`yywvYM0nlIn<Oe@){og+e82Dm;AIJ~H
z_k7)Ncy<7^Jg%4e`oUM2*MIbRUtfEvudhG)`pFMJ`-QLm>KBLrjeYbJ$I;i`d^}k}
zeyfV$sjr^&p$%RW4c&kG_PR~(T~Pn-r*AiQ=imMG=Eq<A0QC5}T@6oe8$1nN&_0zz
z;ejXYsS2M+^vTWhY7G2udGX0zb#wElJ^?Kx-BVeOPZ;)5a{Vn&=b*iVZ`D=XfAk5*
zzW8xPzptNeRapkNKB>y?c`I(-RZrs=`&pGweGH&L%i#MjzV`I!&zR)-lNUVsN%uv7
zz<+YX{?Rq^sYuG954uMmlhOs?_oSb}w;%MnfZlhQun#^X{=xtCpx6DiZ=bNA`}JVL
z$bbHSzByq(|Dbpa5dW9eE6;Xd`XARzBJjayAA22nAZ~x`D<XdQ<K$mL-$4BQ=N^cc
zvv7I}`}zaW1N+wyue{mYmxbXO@%oQF$KJeE7=G^817Z07Pk!*(FMQ)Kzab2-r5|HI
z|G5X^Pg<`$`wr04$MrVE)9XL}9Pu}QMMNN8zwU3piP%06@fG^SlvOzw)zH0=ki3c_
zFd0etVg!G~`O*m9#t!kPKJsYqPyN(O?0o;He)8u&0{F&$DSd;TfBBwQ;n&*72!0MA
z%Aog;>urc1{i}cff%u2M`YR%S_~RH3RK<%W_X6>3pN$ti{gdDR%Cif=d|Yp1Mtc3z
z&zbp#mzeno;Q9w23-7N3CGo%oz3e~6{>%5^Kn^dOa(y!9I{4_*j(*X|&;G7=qvN|j
z_GsjX|N2Xv|3N^<w*oqlUpl^}^ZkR4e+&@cnU3G|p$8)Ni(e7(!yiYE-}hETQDDAE
z$L)8&@(cz#=yAPF$1A_(_5c2XtL$H*<68k8Km4G>oZh5kctHpDnlSZ2**#zB-B3T2
zLEwM%1JIM8pFo>W3cnM;)1Ei>;OVS5&)<pr$GwwqHlEJLNnjrL_B-&d2fTjs@92`{
z#sB^{|Bj;alW_j#-|?XRTfiG|<N3=W0XLt&iXN|qGHC{I?*$MKo|uavKLOnbUh3@G
zc|4sCk7h512<GhxG|oK!$ehi`JN^07`Nb2srvvSWVNXK&(1VXD*?!{PCi(N<@t{uo
z)Js$H!=L)e&wL}8<PZJg?|aLX3=hO_`8}^ZlYm@4uD8kjhX3Cli0}PvUlH-cAODc_
zZ@h{4ULc=?Zh=uhU~>TL1IWkq@*F=iU;mpA*zLdd);a#nH-b6-YmYhp-q+qT$M3~S
z>gnr|uYc(Nxf<H1+t9W_*+1oATX-n=7j6C@pv`wyz}tWFX!G@d^QEEuH9(F8$oar8
ze*0U8qJdHTN8kVIyR3lkh8~DN{ExmO;)g%}0p!nq5s`!b#e<v|)BC{vQ$O(Pvm7w<
zxZcLjCtm-F=j=c)u_FO?e)PeP_BC&?^KI$J05*<qo}RA&A81G2?YiV1JUyiJ>7YLS
z_V4`8?_94oH2s|)`2h52JNa|3z6(o#;Pz<yNB`(cWBO6RQUh3e|EGbRJXdnh$MkLK
z1MwIC{HyO`VSUqcJ@IwF@+M;UxzGNY-}h606b${jh4sh(<CiQffc&`ku&^HJzxgk`
z`mbSOeeScr-2Hd&{qf%nTKHoR3u^&N`AZhow`C8$9v0RE`LF)PcVyz(Gh%q(gNdL1
z(uVz_-+v6Ce>Gsj`q|B!On~k6+p-7Z&jQ4E)|h|fw>=R5;>%mo3vNIB@%MlDyWfJC
z?v%#{^1%J{55D?tTkHSuTwZ?TOY+hHdHIQly!;mUO?k<|_&<jM^NP9Mf*NSaC*SSe
zFEf>1wD%AH(mOH(OqpN#<B#_2-}B~-zOb2p0?5dB0cPI&>2G+;IP%8`e)xx8eWn9_
z|F~X~`1ilUey)BXYJcF35qxnLzxpwYj}g53D{mcv-;PuJ+T-67c&wh#$J2|)m%V)P
z2Lj!!pZ0G1gj3IrM)C>h(*K_TZ$rTUb-F;Tp6bE-0Q6crKL7XHYmc5{PZ)~6(fcoZ
zNfOxl@u1Kz9|iu@x?or6r~bu^eaByZ#~FM7GvbFo_~7@uKl|p4y(!C|ei%dK&!}(C
z*yn*PKcBH5`ZC0qXY3jAx#od*_|M)tW1s%W^BMc9XTR{_KmL{(`}{)&;=l54ef*}M
zejt7w_7(d0&CmM?T&yo@o;Um0yes1G`mY{{|H%1@h+hRpt-KxaTmS1X_3<l=x_v(C
z|MaC%e=`{M_dd+x4}b5Qqb|Todp_!a3=rQ%*Z<@Lar^!^5MOwRpZTsg*6t^N@GXd+
z!}0ZNhx)lw^U<f*+^5&_r-z5Mej=U<x4*@}H|eY1&0k2x*Z<Wojpl8eJMo2|dbF*4
z<V}9Qw2pt|lOOz@U-<EV^%j1LGnm7F@q6F*rZ#>X;<vt!eIRl_^c4|5{PAa>`CD%w
ze(g5_IV%iX7oL<4Ko8`9_?_>2Hy!ssKIiFWi{VEAPk;NNA%3-egQw&7e~kOuZ^FS+
zdXD}@caeV0OZq1dIBo6xqP=hVeeZjheXx2S7x<azrIGw?pyU1?;O199RekwLj^F<n
z0Rs?$8U6fv8#i1<JVx*{Kk^k30XP3P_7Wm6Q@?DHKN|QM(7*{a@VH(Q&JRB0U;m$;
zQ}hHH__AQbXZ{|b=;t34ec}-mdG1Giks@sM^d;r;f|RfM<hzmbBhS^ycfD-z{5&A#
z9{^Hb|J44?A^i4N;TNR51`ywQOZ?DpdGvYxvoDeI0uhk%&;Q_C5nq^44=(;Lz<rlx
z^|zjL@lxRBGyec^@rw^Ge%t5Y<l+Z_xcv72R}*SQfnD=qLOt64xqt87So+!L+kE*m
zFOBIJKlPJ8|5bpc&wuLaEo1tD2jczrzwcd4sNvaTG(Y|9O~n4Yf9nr@+b{hX5QFC?
z)K3AU>@7hmFrvr3hY9sS{~mx2wCDfFAk}yO)?e;_`S_>52ek0x4-@JSUBBFfIzH#?
zVM0BSe+VGIgUJm{sNd8*`i=dum-_wV0R0a?OsHS^$8Trif%wjg=xhJV1Mwq|xWt!-
z>t1jR<mGGr?wg1o0TTEFC&4(qw21zbfB${Yem@}NalLI3^{@ZWj|P-~0vh<TMfCGu
z1qA1_55f8DFT5!@e+~%FM}Snk_RhA{!_p#gdP8BWZy}#DZ+^s%K#0t*#xk#5|AjcU
z|G_(w2&^rhe)Q<QpMGh`p9SJ{1mg5BzW0B9%aH%vV_N?FcfIe~-=Uv9zg`;S`{^J5
z>_;DnU-Qv7#`whv|HF?7f9zuJPrNzCzwlTb1{c!KaVM{-fIVg%eNIJpD4K!ksc;iS
zYe~D$yXfwFr<^#RW1XxBD)ZT)KGDkLaSP;N-3cgUhd*0a%m`%aVx|)t!NHNX>*C^-
zX%pz`{=#}5IyCE^mu$%$wuw`oWm5|l$aIPVt~uTG6=}8toVrGXx9Mno=GoNbS8l;i
z_e%6=*QeKk!Qa|t&>a*>M4jMD-iBmx$J_<)9<k=28pS=BFKLl<oAMOhQ#YvOm^CTn
z+H>nr-?+2H$<0==JF1psp+MsVN;aeyg|o;BEFQD>QIfRdxi^xi7U)fIIrUvJl`5>P
z<SB#wnLVb*b!<$>d@LGg=qm_u_QIW3xv+IEy%7`LDqrImuTkSExp-0Di&sXeTx-0M
zHp89PBuV4DjVoN~_0`m_Jwz+vZii-hp+)ZLKx{lr4ya(-Ul{blUF;1n`eNA3Js$5X
zecK3OL6j#Mosj9+krN_84XMIgecNaAbZ-=j8TaRttHBu+EEpa-+_==ba-n<o48t>8
z)o@l^JKZ(T+gcB3;SP1!bsqXGl*xl$v^{~X8X66Vi;<huYLPnnx@Qltxr4VJj4Btc
zERxw;8fCDnOxc{y5a;ha3;ZWZ-Ws&KZf&Ac`10a0I%RXb-{Rfs=xp5GUUSd&FsnAU
zv9v|=M*61E*a1=o!(MYMZMp81KDFAUVU}W_<IHvGTitPRNsQ;qjLBn2@I%N7X29?7
zvFXEB9xi4H<tKlp4;^_$FFQRJ`65VREQziN!*5*N4)OK9aWk5^+;`sgmTWE2sWGZ^
z?Ca32m#TwK7?oVyX1&^nIqGNYvCMjNr%3%;kXhS9s_mL|q}_fH&wO)-wYwP)v*sg;
zaw7VRdVm_ulo42z<tFuN=Xe+8v(X$RW{tNV#soL^ROX4TrYEC|sDVIa1->KcsFyXp
zsmp!~WlL`=*^M$y36<h|RH|ZHn6PL1zO=g3>?$1;bH5#L;z2Br+9INHK~=mT3iegF
z#64so23IT9v;lK<%u3Fvh{U-$hr?CM1p9QuFb>vnOV5b4haZF!lGARq)ul~yUfbb{
zgy1~gF{Y?R7KSHH(r|VW9{1}7%i;A&sSrNr&&<w??bI+goP^@mI3E*<u<DGF%L#@O
z_dJfRYI9kB7pqI3bfy%V*rqiqOqL`G7sZOKIGbSg!c&e`;v3g(&tTh3?#hHbL3%FH
zK^|>0W4l$e#UGiNG{Ka@1vcZ03~TdI7MFCh3?++3<WVRFd*5TUalg(Kk62I^Z9Pl6
z^PFn0){bh%mSHqqbi}9NCc}4?bvcnxs*pj`s`8zMy>BFWeL0-7*x2t#3L@E)x2yDa
zr8J(wOq4F>$>hPIGPL+5xK!}Tb^?CzD@rczJGSg3aYWTk%bHq*@iYgGw*!&a<Kzf>
zw+kATi)*<)4pE(j=aSp7IC7ZBDyVUhQSif#SazH8V0rMd6zDAR0;q6Ijw#kP-jpp?
zhCqGlxNWJP5zN(?to{7FIfqAoxskAoF<pefXWFq2I==<F^}LQDtqo0FK2`E)7j<)=
zv=u@#)IAg7R*xoZ4kTGc3*IaV5zhilfLk)a#Es%C`wc2&CrG?vv2fFF&7xnCHfW`k
zUt1c>`xSF9x<00h_SPvOnl#9K*SwtFoCq_*U~iJ`!_^KUfkN-u9Vnc_;*MmLV4Jh8
zqS*CB;M;P5Z{?*QxOS!EZIE9%(n#56S(!L@Se^S#e?=g=^Hs;<Z%8IHM{+P7phC;a
ztk+@~47jtbSX2|!ZMuo)ZNF2t@G-*Kc0lc*&K2djKqGBkoz*0dRH@;$vOn#!Af#)i
zs!FMAFZ1~l$LCboJDkm5?^bP`+rwDEyHhuBH@9Vmi0r~nQI&B1BqgX;=c%yV+Z3mS
zoGls`7ZC4IsjE#G(i`c_-mif?t~Il5c_$Xc_5y_^v(v_ull+NmGrhpO5nbK<PCuCk
zbUxPgY<mX1kF8<Jn-ykCbq5Q{7}gg!mAes#C~i=QhC|BrJS1e&>V^qR+v2=I(Kc*2
z-t}PJT3@#`-b##y<#&^U^97k!xpWh`VS+A$&&Nkbn-+OAj#4phgA*ZUur3+Q{a9IH
zq`^2AM|z}Kggr#qp!PdbIjDGhGWSLZ<!L${X)zZ<XXo#nC^;PDvQDbgLX^nayPfwV
zMkZhZ?F(60jfcXdgc8H<tf&{4o9#ick6+x%FDGGLcY1LS-H{cQwV@fCP<5SK%xG?&
zY!1Gd1TnP<5UQvqYQwk7mFS0~0cpDqD^oP}V8Q^iqcz!<yxsY17X1ztJ=R}wUe3!}
z?`O*GY^E!t&g=ynN87HVo@ya;J(|Voh;ICtFHYw@ota4~#pd7}HG7iRu(-i-x17XH
zFxj>m+6lEs4tzQscPCDzPSAMPB8uf%^V%cF71qu}#w<61y!2d#?#}rwL2(xA-3DiC
zi~~DQeO}xq=;ATrj(2+tnLAb&{TauC#-)|x2*h%{;D(S$(N?*yvh^ONhBLqCwjzxv
zdPu27ahMUm>aDAF<^pIVHg+QIZHrV-t>Khe8K3d39dksY$W1QUqV1EnbFuRKX<cA8
z5f_a>z+3CYtGI%65SQ^@c(`Ba%P5>z8PUs!li%<q;*o^l3tlOq>o~lD6-0_cMBUmA
zdQAP8UeUR)+(rpf&}?%FM%PSJeTVrHNt2eiKe{W=;o?Qpa56hd`=gE%taNASaZvd#
zSX`<tF~4Z-5#mngj=?Wfq|KW(uO7wYbuGD@!Pp!)3%+Fc2JeD2-jTN`X`J=s)aJ_K
z#9S0oS#bCZgluna(2+OK%dDLoZ1n4x?*fi#t!(VtG2SD~8NXZFW-9OcGTV&HH|PAI
zYr)Lg7TQCjaC3=Z*r*ZZ@3hvT&+A?gI3J{x;Eljs)&^az(GEw;%ThGbW<6W6pJPSY
z!HR6r8Z>S<12)*XpjM0w>{Z)d?@P<5m`Ns81v|JxxFtZ(@C|a5GNr55(djf>xrldh
zbAl~sqKHzFz?M)A1XIzLWTqzSx>(~R+DNKrmOQfLWl;0Nup}h%GmO#wt{D6|g3TLd
zK+JXL@5huH?q$>}&LmDvQeR7pr9_=0<|Rn<fo={}(DlX8WO2r$;D$vW#W>rnNfDZg
zP1uZJ$L~_s;7HqG@!cUb4y0rI+eEjIg<u>G0pV_zez%s#BW@$hbfYAmV7&2ILwkhr
zuD#-NcBEy2w7F+ncUP{xnIHXPdvPRL*38tox%6nRVLSIKsb%bT>s{f}pBoucn}Me)
zOwYE)0VZUW$oax<h7bu)LE#-q%$8>J=xU9(6S2aZL(@m{8@$~roM9SB1q}qenGN+2
zZzWvvFuq_VI6WwXlS%h=vEdrW4ppP)@0(@JE`cWRr5kfym$0GVfaRk=9eY+4-!7N@
ze&Y7ZhTSq&r3EQDAD1QM^!(~$<ROC3V22F%G)xc)f4U<miM2a3z9|ql9qUutAeyge
zwg_9}$X6O+=Cyv^IoXK8ja{8(zw7x#zEeYdigfrUc+OR(3%(98C`$>-y~x}yk#u^%
zF45^K$uzJ>#G0ISLA<QaY@jPae0H3<)L42ziQ-gWZ&;?}gU3Kk8B1#2-F(F<50uJM
z^^w6F5$-UBAl)K}bp`0F#dD=>zYTDqYw9?PSEp>fAqSl=pyQs}rfnFr28ahw)x;6B
z<$KBoo|f2f@587QY<$reKH`IXbDug`&I~aA(*~t9SHqym+WHmlbth5t!~U#>_?7G9
zs@<3}*aYSadR6c_FwfJliG2o3Rbo$YR9KwaV>=Gj0XnZkBagg&0BjoEk=yM7Nq7U^
zbW#|BX_ok_y*RDsieAE=Qc~WH!4;S(%&bThHD7GV5t=NBF_ytp`8+l8wa8k#h26pv
z+NC|pN()*T(n2?Hqy>m`1Sa15JAO-F5DxQqP}-ydgP3!=ZD|INgdM}O31fI<TM_ib
ztMV^$bZ`r_vunALh_UFVa!)7bFnMEsCLwOKAp6w3v(+xASBUMT5|)OiUFKfb<6>Qh
zb1-`fpHW7V^CRO2BI8}cNN8koDz6$3>2i5?8G1fUo=au*aN@0P;7J}X=~JSw2h_^w
z<m#`|^1Sth73{4y=j#&fY21qYwI)Mi#tKI(q+@<SYbKti%L<=$uH99qiK}x&MQZG}
zL$Rq}crPWjTNp>A;o0_OK8^TAgU<31cmf(yEvj-vaRc^ZhH?lND5h~Gg1kGO0=b19
zlFLgWvB`#r;P|u#`b9MIWVJx3cVv@vbzsrC3xWf8n|J-jse^htj?rPwYWLu#4O-8R
zLW4})L<#5Ry3!~g*mJ3+3Xngip14;)h#*w<d3d45``}K%xy(GXV{baI1IW}}HOqk}
zB`1o}OJ2eSx3B!Lac&57tMl0enu}F{mu)7JB02}HW)2pIZ^D^K(c#o-wyMUb`#L;3
zi>Y~L6y&KYjt0kE2Z-kS+f>%t!2q71<am*CuGW=2aWgRaRqTinf$IeI-m+{1$203h
ziMd9whutkDQ5A6@cB*fOVA4GF*alh9A1vJp<uJE5_QaypoL$#`dXP8HAy*8~L2o#_
zpTg~Qa9zzy{1UoiX6B*^x;|%kB98dJnB;9iE~B>ImBe`ybM5Hr91ooK16OHi-C`*)
zk^`1ykX^=0Pzkp+ej&K=%=FuNy+L6)cVI0+3i6oU;_}={gMAHHfeHh+f_>K5lJP9o
zdo@kx!+8aT@ZHH~Z8|K`5V7Tv4A5>+iS<lMaqYE*rg%D?Z%dS5*PIw2dEzsyc_vXw
zC3nCOg?hhd<`!P>cvR=M7rfpE%^2uS?i~w;ygJjt!tPsBJ8lU<*oL=lO3N-D&n0s>
zx`}~+t*y^_92c%bFNR_yvQZ{(ofQd}2f`T6iaUb%&y*=_S?{kjHP$szn#szwe4^X8
zXa&u{RFZH0%7&Ar39mA;W}EyHTs7&K?(&rKl08>-%PJAsQw&TY6>~{o<~TQVhH2OU
z=6++4cz>W^?|3MqiA~0)F7GOH(7H(!Wh**S$S$=#TkWI10igwt;efZh93xmUMSTTf
zCgnQbCUkVvX765nC$<ytZYL3#1z9;n2}~A6f$7S;lvk_ltb^d$Lg|=<?<ftqhmH-a
z*i(CkU8}sz0?ixUwc#(LxkFku^<ovlPLpQ9#Ue}85vgN-HRC=#cXD1ZR+vLP5MPIe
z^}H^?zLO%My7tz<c06pFtz8-CpqquxLG>{8sA1pQ>DfEYr)WJJgSk2eFqAHEw9(S_
z>L%{<tC`<j)``Y}juH_$7k*~!30g64G@AwcZLUXXST<m56QUBJv7H3nY0(!hmSNqO
ziWj-$coN%lsf)Cvu(vU4ClC~q8Y`H>W4;`_<L2sZbB0q!b-!C;yoZiPi!R+JqGu-C
zoR51qwt9Oj5sL0J3R=h;pFP`4k21#8v%w0i^tcVi{-!ksTPg|(#h2T;nxlx=N*tR4
zJ95ec3USMp;8=gy%Qq(3ZMGtJvpnP$(ZdKl6}pCbzgys7m9!9PIlAo9!}T=O66z@S
zDmz{SFImQB?Ot{%e->vriUdo}Gf7sMi(TK<YXQc}Sc#hGP{5v*3!B`k?U_GhAv#r9
zedpj=Ez{h-#@otU+0&4yl`XHMfmx8l8Mv)2V#6aH+IR~U_qv?8(cO7zVM|C7d+xPQ
zlG}Q^+Q1Jw9M!Nr&EuUv;`BwWb}5xRXzPTmuBVN3ze7kPo|8tsNBrQf*1VpGGYD`H
zJWdgmNexbQ?X4|{oScQNbKo#d@aA~w7bWXt^JdTvq?*9w)o0UPZ{~ZU)`|qSEn$Oq
z!aZu$+6&~>v=xF()-%55`YKILX^WW!h-|c4(worUid{tRF6FxNRFm4<N_19aoIQpe
zin*=p$|sU2)g7i6qkK0?TdgS8UMcD%cD&gj5OO?PbK<Ret+Cz6r{Q#=`$$?9G;+G4
z&S7QJ<1VUo?HXO%fmM9BNs3XohxNYe`r!tpn_g$F<Vs)7xNZB&h$znlVb?Z4_@<4a
zZm}bp@Ft3BpL@3eC-2wO*uwk)7fK{=P7r@7qs88hdxPUVG8B%wuEfX+sa;zDz9<&h
zM}f2|<v<;FAoIA$*Ty<wMra8tQ{d4AIrluoq<+lHVTO+h-BE^wBZCB@>P>!L@#PNq
zl1tg!2bkItShF2h!%9u=FcTl}Rp3C;B|eeDMk#^*(2p?Kx@Q*6k&;o)#L^$GcP6^>
z2N$)=Y-{JTux)4LlAk0lN#~YtVJHW6w|Cm^!x(J3`m`Fti)~J^1rNP+QE-AW)%p?=
zVwztmF6W2*ESbJQ1BXU)K!6B^>XZTQ-Z_c(eo5K%G#9WYQCH<AyS{NlWsA5F<j6Rz
z!i@rXT%-4e^E5?hW;!2cW(&E-K2bK-rriOpLls$dcH$!R7ypREoCz1GLI`f1o$-vl
zNQa9*n+1vGMJMj0j_FGeI^}B29?CPj>C4?r4Y+r0(qVmrS!+Y_I~FUL`pRL%22okB
zGwW&MXcn>5g5Q_o7-f(&oOH_Dvy)@EMaf>oN^}=dyoAX19!m)AoXV9~ZkAiknuWS1
zYh>*XE?FspNayl#3#IFg&mBP2O5pDGFzgC_xuU9KL}hmkZfL6Ry=(ySnlp<vsI?r3
zwmNe9YUNYM*z&v$v{_A>PoJr~)xoKt9T6WsyB^^woxnItx}0LxUpu%B;{lrQ2plKR
zsgWN|v^7*B_7up(*C%~dRW5_yKxBIF5GA#Pv%Lx&^zn3;CljrB9HZ@}GaV<R+~xAv
ziV5|;94_l?2#H5tN6CjFlC6{pWLRLgQZ9ERW-e$v+f#|V!p-TAjoEJrQncq{gV2Q^
zu%4C|3JgPziiI3?pYuz6*nnbi;4WJ?CQt<9I+h@kjCOOqW`KXB4~8zH)WNSCdlQjW
zl?KRNVj%9oiK_z_#plo@<RX&YJ@0{j6R5YJFReIU;nnJ>Mr)bwopvLyM7dJWZMo*@
zd!o)EG-3&Z%XH|`@>#=UIn6J?J`nD%ZIl<wDz3&d-n5R{N@MLOIqPsNoP|a$4`7NY
z;|zI=w~wj7Iqle1ml2lMrTeOb?;wV)j%v&5Cynl0et#148W<6NXy@~-Hg}n48;Oqc
zknj4gjewxVmGJFW(qj3H4$gQRFX_2(4`nh&g`m$Mo?kH9hW9o5g!mg^kpw4OxK=GR
zZ*4(O&i(4JGgilvgm)X*S4+j+b|}}RO0Pzh2EwZX!%e<4B)EY|uyHWYL#^lXc!lh(
zo9wI224vDmE7XI~zUn*Xu%6lLfaU6ach<dm_UWK@Y&;=t7;)QJs5hH%tM~NQg~EBG
z=GfIr@RE0VF&<19UyqWC#BR6uqbw)(wRpnLu5&OHxdd)Col<<$_|9q;R?`A4_ZZgf
zD&{VPy0&<#%(CO`dn@1H%Rb07`P;jK+NTjY7TxJcYAbfPH)GuvV|g%Tw}j+i4ogK{
zKn!zm`D8d}6Lq7imI~*czF7@?+F>KbSNjq}D$6oy2F{RCyN$5H&0gk18^`gk2pO|8
zoccH7GMsvnV)0vn$kt%G`_<wAwY|wuESc%kYDzMgr&XWu!uqf}g%gAftA^cBt1Gcq
zt{Xc$C1@F*_8=r`-?=p|x)-L+sF=J@!f+m>b<B%6(<`ChS?A+@g+XMzTPqu7GDu+K
zom4o+NORTtATz10_qn((MvcO6JH4CpDLie``eIr*h}1^AHF5_5F-VS_V75W}q*hoV
z$YsUe7<-Uup`}1NmKCjT?)PzsCOn(5S*jd51Rk9;6GL(GH=`s#O4ay0lUt2a-<xnv
zktV@=WQPFtcqeO$+iRQ^BOrEE12ZhQj`%e)k9}~<*BukH>n#)mvrDvM!Z#TX343qx
zv2q$3Uc0coW1rSmnOF+QvMPLchl|_PHVi_82qmM2oB=XRkfY2ScfSks1YgC#uW{$_
zU@UB#6UdE^%5fE1dy}OtNAOczIyQmi46C8$h@*c3{*Mi*yq_^K9%S)WNHk`%!}-#=
z_S5wisSGi#4<Pn+wehoZstt{}2t3YNWz#Su!9{4dUPHBFT^y%X@g5#kz|1x47M_MX
zw6CKk<+xPdxzVDqcv{D9KXrj@2FOW(&oz9gs&x+nQQMLVMP)~05<{F>q#2X)f~F>3
z&(@}NIpaXx@&WS+)?fr&T{aC#EcJ?FbG5h`B9vEbJ4XuVBHF#5lae9ICX=@6fg+C>
z8Suh2UMyO_>?bGFwo7x7ZTgrcp_-Y6UE>)<m}iGF51u<Ds}975ZtxJJ34YJ7n!Mc~
zKo+)lx9EAcymr>F`f8l`X{qqYn~l8Dc@e_5?D?cCl3|2|6$BcIrIgbiReG_r9>nt7
zxMyvKmHptntX!oM@Wwc8E@Xb!Sj6K%L{ryDA@`7|&6$};d;;XRX>;C4k*YOV+4QM`
z4^k6?3E6Pxl9GW17Y6J7WkPop>bsDSQhTD$T#?;-hcPIDc<Z>aDx0EBGTWNxGbUYA
zYh!fliw-sb;!^KW$GvpMc*kLpgq9nkh-F8Coqz7Y^ld@b9u-_sL(KA!ZHSd=fE1yp
zt%Id%4<hNajGkB5_{O@Yj!ao7;CmOtDw8Ah;!u%f4m=5FFVWd-fNV-Hio0zN57)#t
zQn)tU8C0cZYadyx8W~w+b%qGk+;u1#itr(Dqv42qLLQb^bpy*fD$hgbQj}c>y;&$W
zQyqr+Y~Iq&C8slp{@#=eBpiLM<l{s`_LiDt?ryocBBdHC;Kg3r4zVVDQzC%}ldDNp
zFJv?7oOm3hW%O>BvjKTtxo6PfCfI!pENG<1{q`gtw>R?cU(%Kw=d@*H6un`GU3I@&
zaN7Cz`k2}Wc9f8V0_E1h?_rm(rqN%BqTC#>(hA;OQodGfJteL|T-{|Dj;(EqhJG@i
zHPv-*he{hwbKTESzTRh93G&&tqDy2Bx{Kedho7~tSf>EaGR6bNL(N1x>O8kmVe+O(
z8Fr*DD{;BA5`<R=Hu786rOhia2Q!dmR^%A$hs{a8FN_kOcHt6f#(2I40dObfTSjv{
zoU>Nu&L$Q?>b;Xr(UFen&FLgpYjs9<^tIx;Lnq80To6vztnGli1)50#$5I?&Nm$H#
zzdPH#*td{~(!CnjwsR2n=SIJ8&KK{tL*(AfF<3m6#w8#x6Mt<-^NOuccinBo4kOEL
zDDIjFghW>s$h9YwMYzCKIbPUHE)2nnhz(0W)$WiFE;Fd-egMW?r4<`j4J(|u>D%t;
zb4s%3q2aV!iOrm9p`%tbenk#y)1v~2Mz6-r+)+ImjLd=DumurRna`X+qB0FV`8pF<
z8b%I~NCNr0tqY1sBeN3p$q&Q2y$}X<zmDdC&Q@aKQ1G^8K?YF)JsZvD6x<`F(rvb$
z0;r76;iPF|cN2l1cvAG+K6gQ`V9Z*x<O$kz%I;8W-I60BSpH#^??Dj;DB6&@M7iiJ
zlx!KeS_CgiKzs=oi5U1IJ5UxREN$eqEkXAfVjt9%b$7O{sKsh^RO{nvYgqeoUu6Mw
zkb|5Yj=_Q?m-DFYro0qg_Eh)b1q7CSZ=H}@W=(@{*^IS4S0Fok++PM^qt%AAid`rX
z1)WotD<(GA%;8FDHhk-bS;w)DgOFRf{pE!F=M%aQq?qx{ny-g`WY^J_#n-Fi3dQJl
zBl(y_BkO3h3ilLqmARF=roc9^D|WJkYndjmkGNbOMvBc&Lu?OLENzfGNMyzsG{nI8
z5M)q%!Dj)%k>XUFYi4DjS6AAmVbcZ(v1epqS6suh51(?86i<{>T3V_byG;(|W!DJT
zBh1&GELvfOo-bt2kvh9a5NE6w9az{0b5eygBNlSgOU@WkASWX@p|GTe2OX=vv0Krq
zU3xbT!B+P=y%ddu#P^D+FA;`IU=Jh<&A8rIyJ&XOEqUlM_jox3)n4!+*H%~3#@*m@
zgRF-ryys1S2&lotwQUW!P~AIuQYb&cRFHzn*T%Yv8<Z6)Y<q!O*??vX98+qtR#O<8
zLC&$XO6miBGlAy6mHBC5Bl})bNNCjo<MG***Cu-^!opCZ%eXHvXt_j8N~@ZXN;gV7
zDVY-UNblM?BBQ>?dXk^Vi*(!%8yB07_z17YBU=HhX&xCSgc+#wj`vJo?I@TA5ql<~
z*3x-k@D<HfDU#uqxVuYRP9j&CHqCzO7@Olpi**$7#tYa{6$q6_9L&%Zv*j9Yw5<lm
zW7aRgac-lAE<JzO>!&+w+uq>W%z4C|ixq;{sWcUdu{to&VE|?U2X~3t9DxzSSOhaK
znlNfnI+9F1H590n8222VJF#D!J;p!X6=HXZ98tYcT>~8?RV3CSGj)-9+bYyHs!uGj
zyHe?)1<@HfU9&YPd<o^!SK1@8z8Z(6<G^AnRaLpN9CT&sm3-JNjN4IpzPq1Kd|{qY
zEoAFd8@WIMqDgr6DzIgBY6oe~!3kKKrX*^0sf?nAD7Fsm;n4fyHG%h`wVZt-K6Vv|
zZSFkYyYAq_d9UDZ5M8ByzuikcrR~t8-82W(hZh(s?_k>%8EPsUry7v`%1JB4WY`%g
zFqz%^#)SmI48r1J+65LmAKrBpKGej{qxQo*3DCLF*-3Y0;b<3}x?c{XbQBZ>>}JKD
zycmaF9S&`HL`3)4$Cp75cUafD4r^k=WLXXj4W*Iwy>hYgE5?Zw(`f5zgC9lUsHDzV
zuKoUkSi6ERkaSIOX?{vVO<%?Ojsm*=L>!<HWYb*nfH5hH?tRoJ4yD&8z$RKvW*==T
zysV;J@Xtc!RqR41nd4$vL*9o~7Bvhobr)oWmv|&L)kfkgl3t}df%B$=(uVs8<eKr5
z#v?*s-8R>Qy}GP@oFhreSTvFw?-D&j#lb5Lic&J3)@9YBSONw?0#vfXPV#TqcHGkD
z5cI9!sLfQ*;mYVE{YXbvw(Y5<Cm}1XoVb-0s;b3mHHbWiuY6Ex!Rp8Cx^T2I+qaW}
zfv87J4aEwiYp(vqm>Vnr>1>W>pp$l*Va>-6$4rn(HsOk)^x*6s`V+O<B&5GPTCEb@
zd2y>3p?8VrVQzS@nv8wmYjp{EfoBL_D{e&)mOSiELJu^)3w&C>6#UH<1TUv7%hS=m
zj6vck(ZLz0BeP2h33W?aa3DCLX>ITGuzJv}`8+r~`XbeXwFl*KWK;KawFjvf&56=d
z8em^9j+CAlO4x&hrynsWgcQr6Uty<ALtuN@Z8|}|f<QaR7-MtVf<hKUw$;-vo$p}v
z(3e|oFv*xjL44t9zuu}45~A6nFeu|{RX^?(;9Jl!jE_vm*T$uYV1h~(rDBpfzv4oM
zX8WCu-1f&BshzE&fVFULKrF!9a#*r8vSrDD)6i^KVYKBd%p4gmJYm;!LWW1|Hi|i@
zehm9gj4x$tVKbO~C~HbkfTiPDJ!lQWdGw%edAK<lb)dIdu!4`|t@LfQ)RoN{*BRC?
z^aFTeRx~Q4y$0P~Vzc3==r&YKN^u0vn|>dklfV}-6WKeFWk_p|^LZypLlp6aY^wJn
z-}+p!iP{YUq3p7h7c9Plh-rjQO775@wONsBbUTlWvBvK;22S#lJNoWuBz34F+5}1W
z!qC<7aIOdl!EAk78g>S9o)%^YGJC#*m_!D)TCl}5m(GLTp(c+NU{~EE*4|NSc|i}C
zF7X|p+Mz4hx(2`qeZteoZW1cFas9fhIMhY<phVKZqczZX5>Fcn8J!%fXr+6jI#*G}
zmQ2SW7;BUDh_h86FA?1@SRhfCVIGhaSnGne5PTjQ?x>uqo+M3K2R^Qr+;KPa7Z=@K
zI*4lh%7q;zxQ9597LKwVomeL;lQ_sRsCXG@ezz5kS_S14=QD6bYH^FkLtD?y$n+rz
zRV;<>?e!)%oiQG`lER72(UTnNe%rVl+gtjk1Fri;K1!P$v5us9ZrcuIyqa>{FpCWZ
zdWP6{^nmU}WsrBYlV)el4DT*SZp4JTotiDBs}App$7OZfhqEhn8x7>{Rsw&gauGUk
zTucMQ{}!zTYhkmbTo+|~Kg?J>5CYFrGjO=gGYU`g5%}<23s&e^m9EzdSRF*LgXj$m
zif$Q>%@4tC->vGhjq{z7yI@O;<}+7-P)j>rdnVK{Z?1~%4j;Q?bK3>iWXFtKD3Y$K
zk#3!9bTS&c5!1FAu`N4*!Uu%i4+rKz>lj5Y-gQH1B{|H5EnuX}N(d=+d|X0tY{unn
zzrD;`Z3c-dL_hO7aBV!^;z<Kk7wJwCuZ!3PX>Yz-2PZu=&51tbhc4VDas<gP1*#p~
zD*~E;6|anlEUwO}CfSM-t^7iS1qa<<gm5ZM{4gnfu5-8Pu2M9Ko>v?R-44T6ZkEN{
z`U|zikeCrWdO=4V?8c9p27HxT4#IY!E5~yh<hUx7tx*HB=$ssql>^z6lE@h@$S`U$
z`K{=^P&~H*pTMA;a-U#_6~Dh!nzOAFecVn`s=KVeU(Y9oYuS0GA)ByIGG?;d_2S%=
z1f*hhl)iPRWEmbcpNG!P<HFt7y2RZ<n&qyFN{zGIiNDo*P{MG7<{8)nB$ZASE3f)#
zn3WMRjtV~<5vD`o6(w0%50@aqJGjznm!{51-(yvCLc9CDxZqGSTqiuwhViD}+PiwY
z+Q|^OH`ULQMPHqh79=3~&Ir=hlXjU>iB<$k`?MTk97?rl5n6R?VKf>4?3zZo&b*Bw
zpeR8eFwYpkLXv@zA#F>B8eqaLD5JWf$+^O2_i#{z1ymY9_T8)uUhG2k3=A?^6As9j
zUqNDw1wwQj(ap+%afz9&upwup0iI9{!qYq4^2BvSPdBJ{*MSF$Pn)vBCJtwfF&ejP
zU?tb$c?Ie^TFVde20=m9zmg*B3Bj50dc4BL-4iG(5}-Y(?Z%H4+&f23X_!*efTNds
ztUQ2l>b$zapm?CXZ>xDZlCw&~k>7jUppRYGx@J_WK!koldu-<xxnN1oURBQOYANYD
zJTiU^yeYeGOZV6{Alb?S1-Uvioq}<Zxj*|zO(YiN_yL38`xOaFy;fUyt0}FQ(Kw@H
zxGrP-(V~e(2m%6>W_OpO)XM6nF|*NxS!(zv&VdTDz%wIBRS%|cRVJHqe^T~a`QU7^
zpx^B*X_EBuxCT;YVa+*9y8B8_QzKI)S5D?5#Ia_gUQEuRP@d_9*q_QC1e6G-$>g1g
z$VW9(lgUVqvt1N}EVZcC99(U>NhsOtz)B+u78DOrhtdSTrJby<wsQCJD9;gC<=UZK
z&6m@CG55RmsVy6QETv!vBAX&8O}<~wX#$xE3aarUO%)hyO%PsT3_y=A-BPQjb^@_6
z4-i%Z-xj7<DCac^>r|Zp3IlYI-o!5vv}^D+*@gMZ2F3P^1Z+&9+u}Qd>Z#E+lw-E)
zCS^HMXyN4B<`&CqpnyUnTc1I2w7qYj^=<D=ce7`LGuK_2gxqe%$nPqk6R0!-y$6Aj
z-7>9}ohhgS-ffTm<mQ1aGO3M(R|)bx;=apPny|YNOH3qM#8T9?1971s;3~Ubxf=s`
zQLW7BDcMgW2pnDlS0HeAkTX98Zr_<@*zLGG_^@|%tl?OTjYFrKLwe=b4JJDYwld8&
z*u@=>&&ef?k0pwlE1!;pP#5nISb4XLS2?-WT`&y2m<Y&B0w)$X?>-V4H7IiQ*0`WE
zC(5F;6R3F#ZEvc;zSywXq7u+XUh`hk624DahY9AwBaiI7lWASpXh#dA+OI62Co>N_
z_2tr`p~)m^hJXO3sJQ;lfXGo**JYUAsnuvRsyAli8a@>jsV4N=PDRp;L@({_@pid`
zLQNN>m#8V;w4i!qZV<wQvUuUZiHJEO>w84i^c`vFy;o49y}91e(3xy^my~dSYryfV
zS(|TTF;xemnuY6bqBRvV+QLy4$=hQ4L@YoMd|<I`UpXE>uc+*P=+Jqa=4i;^=i!_W
zc_uDakQKwOG(*qXiqJjYoj~AxPabTNRDd)o9H6S?u5h|R5;C1o_IwTtmayY^z3P@$
zTz9$Zgo@F1XC|wm*ms#Z1aWp_03mo*1Qw4F6Tsub!&;?XVkbKN*|C&nlwBa`RywCA
zuyum1NlLw45J7y&4Z7}YhY_TBhS<VcI;O-u-3sy8Z<V>z*LYrQgA(vG1#&<5z;!n8
z$CYV)o>mPAfm~sH%0#jz@A10Z(^gqJjc00`TtUcoK)NW-t6J}o;<6ur>p-nicT@R#
zZ*#T>vZRoTR2+9+<-?j4i<#@>!zC&yzN8DO15sFi30=fmgB3<Fpb|zuugn?jjZu%3
z>gBRaP$*bXVDc&lxv{f+&9}u?Ie^I9I5qp|+!_ITzXKQ}36CHPh3t(elxqy02B8MJ
zBU%=Sj?@#QE75+N6$D}HIeR*VwgK3-b!j^Vdk~o^cWW&IITwQyC>wPT_u7ltagA&p
ze*-lf*6mK7I$W~sv@9BGtams0x*<;-hzf3YHFi=Pw>p+rbadh_+hx+SLO^u@&-c54
z*+a2m3zN4tnHwk<0rUh1W6NLDExtcW>BVH^v>JB1Ufk|LeREUa;Qk_lVp>wM5GT^H
z0g`V;uDEzX=F@Z&W#2wkv}pEw+P(AfP~MAv@7g;Ql!jw+A-D9D6F}C^4Ff{@myzxv
z0qv4AERBl4M@0OJYckp`NFEq>)6DUNr@G;Ek<ARf%PtA$bM4%?^KsMMYpS>^VFw(~
za6D-xu;Gb|d`hq=?Sv7W6PkBdeL64=wa*U}MnqQc*q~5ido6iW-_f+;CRngvR*=~)
zSuI`+i{yJPIi2<(&E)L+^ma$La6gngua)oS$u(`Y97ZP>ckucOb1m>QitJGBps9dq
zDWqW~iD_~Jx2Kdw3@X=6a9)L4j?CqDy&8#d-?llu=C>d@`8eSye$P9enFPOg@H>C$
zal-M}eeIiPCSM$w1qV+*^Y47}gB#(mM{k~)d<`5E{R^J}h#&f=uRg=y^X&Qc@|nr^
ze8a!|vk$~=_T^_LzwodA<bUz}%p^D$`geji&P@K^U;P*-o}><B-LA=&C~Gu}<xAn#
zTTL&vN7Y61L6FvB%`H)l@^em5NADtMT>>oZ{Qy-oNfV5Ai|%M=f;{73dou9)Em_18
zS6r>OWKl^&e_9SnOByvdc6NW+8cM&@8zzYo=mH!nb<({9b{wb*l$XQBW_>yxEnV90
z(WrNa@d9*AvcXZ0Z3UwNnXy4&I}DSe&}3!EVQvHwWi%h5b}?M>YdKApJT=G6^lG`{
zchVAwpvr~Mj+?1qL@VoCN3Mb}yNJ<tO+(mLqN_V7@rwhs21lk8Y67{}!|onlYtz|-
zUmQt~QUwz=$KZ5$q(BKis%?iOh^S+HzL6nY9hzv}U5Bf%Dsi?ij@D|ozet3jFqBv4
z9;&4t-f>fmTvMiw_U7@rEKCuP!$MR<22Pj-x3LuBAf~xpd8fD5zKf+1TX^t8O*$!i
z+Z71f@z^mIrDA{2uHbkk<yF+Ocf$JQ0h7-+6^~4}taQ2NSk6`Xs`2*axstW`P*Hv*
z31SQ?;_g?K&UM5q@~*37+Ldl3?xkY~+0M1ZGxHK(Ov)#W?V^KpG$<&QBdo9q%Q45(
zMZyg)IwUg%V!R$u-4_yxgH;^lF);m`>;8OHB`4oEp3KfNFQlwppK!eiyvs1~x>jd}
zgO{2_Xp9Led_ZjG)>gn*;{@+vcwd1hP_$D@B>p@!?NH=MU&OXhVB53al%NWfyXU@&
zsNFzW=lzwpopaJlFn%OTbhkF4VU2^5fRw!NFX-t6EUIP&q~&}O8n@eR)}?%$JEX1`
zP^!f}R?vU@&))IZCcv8f&wuc-g8uUP<u&<OMW6iO$NumioZeWI;^|fR_x|bw@o#?J
zd*11IIY9h}-}^xPj^t&;XYctU;v2u{#EGAH75>imKM=p+>)-P(tNd60n+Kxu_{EUt
zr@tR3qaSE*tnxpzys^r^^Zj6ze<Hg2)5%#DnKnQTRKV40MF4Z*R#A|7&n6TcKiCro
zld%g|n2ZgNsSF4?>yun65y+!ASo;6;_3g3K>}Or4hbnZiDF!Qw#x#bYGCiH^&dwxo
z;@t1EJNKP2A@0uZ%<k;Y?A&&CW(i4Ag9;dIgQAg3fd5PY1BQY%ikKE8f(QXg|G)}~
ziZQW3BtfP4>}lV_>05gK*f)7^&(1#kd%oZ2^7(uot)5FRl3T8$TS~7WnVfsMzrzoZ
z^9ZFG8sXRIvP=&{ux3txAv+Yu#taV+P0BT8U$};e+sg~C!XT5|18<_@nQ_NH<jaKQ
zOTfZy%-tG(J$3fsd>*uiQSI<U5v^bfIC-a|4}G1&ROuUgbJP}UpfS_an=1-qlp>NC
z?je$U94@!^l;0jMO3fHO;uo}aDFC{Vcyq}yGd}Jb4$vxsc)AVM&h~5Fy_y&tB+I$o
z5=Zh*Z2iJt`NK#K@gQbpSyY0~ZZj*zBnGomzEHSyF9Y)tMyeDy-?>pMxELYzrdJ--
zAfe*y5{IbUcG^j`@J!lsXLBt>GW*z+0mo!8C&5v_a4?)b<kRSlD<B8ah&{#><PE;!
zv!Q#)_A=_2^SaHshivaLHWcm;Q)1SxX0Tc#S~@VW(0dQ_0UDhl;}VfzFRw0Az?SG`
z%U5!Daqp~M<O?%fPsCBs+e5bArfuFl79C?%;s&xKH;P%AB3KdThRAYMFI{T6M{Hs+
z{JH{)O4#l(al2NJ8>#Dj()QGyD60zxtFcyh!+92r>t?rZ2%ZO46*M&N<0|9b_=xlH
z7k8cBDGGII^<Ee)nE6>Gz}NM*=kp3+tdLsYeUlGZMXKAGuL}ewfk%1+Y_e(v$EwO@
z=`mX@XgXF2Ib&nbtYm@hZX|uCtUIpu$~tkZrrLGM`kF_VBeL0P45x_)g8dLg&^L$g
ze4Cj3nt%3;puZ5l9FyHUJ`<DQ^`$SO{P+LTtM3=T{b}*r{@Od=CMIA1pHGWl{8XuV
zGbW$bUc}@_zUi|u3D#a0fB&m@^1|oW_T_?XPdk=AGrBixCsW)35SvdUO|6%ei8Hq;
z33t+Rm-=~Z0oSrK8vYI=d9mpfXxd-&D~{YnKiR0>H32ZWvP-OCB~G^t>l9a}jM8!K
z%Gm|LeH<CM2OH64qPS-d>yoNDU|aAaB3LbUGRPxyG!IsoXU*=iHE0x|X)9F7J7T?I
z%G-?(&f;MrTpNgL_<VM5o9@&FqgrvGTTr_5%8Us6yy&~h+vNC_6H}?a<42s#q=-l>
z%ziX=#S=GgrYlEKHx*FLH#K8`j3FZ4yOlGCYo?U8o+}+%tFBM7S*P84yaAl9<M)b*
z5`p*VFs!J7uuRq^b2vWk3w1kAKC((yWwQxf^GfxbLAtH*jX9_n*LIfKKH?U`c_TOT
zcF6ao(gVs$*vzLRc3<Fe?syl2L*P~tfj&BL{4H5yOUxml21?o0;*<q)d$O(*QB+vJ
z6b+AJYX{gzD85y_PA4DxIyEFD&%Nalu+}h(&yAho>q6IRo8G@16!uuQmnhiGYO}}Y
zE6139awb}{*8!+zM**7Iw;U;z`vfC;m|C(u3W(K%^Jq#vd>9FvhpSs3CcD@HqL-FN
zj~<F#_?uJgRHiSxXFjSYq(SfTllo<@4d|a4FkO~1^#LE;XMsDr%lqN91`xvma@C5u
zf-r&msF!THcd?;MTAV_T*nC6px45^rfNHx+$>J<;!~~EU-iCb$`MM8qY@TT2%pHRL
zmEZw;EH5itS>5uKB36jwr;F^O-ZAPrubn$C4aW=P8LDSrJ`54`f$#s4w~3&C@paD#
z`quyS)(9Ft@`n-h&R=~ILE492m)`MHoq2ATC}u6=EEtJqW0PkS;k_houkM`7O+Ey+
zh=zL?5M$FBa<|7Saqs#{q4WiAI6gok+ZE%+awK-x>}<QtcSVG^qCvxQ!)!qK0b|L9
zy1!lfQc|Q#GGC9Le0SS+OfL1Nf6R<@&?ARZnjI=0&-c-(?g+7o$|W5Itm|rILFB+S
z>`RMwS9fdzct$$30M$8378LMx*Niu3adoqBAE5+H!*#+z4DkW@l_Uy*1>nRHad(tM
zHr|9uO+Y8ckcq9QDW|Gb_``#b{1{cT`&~Oi%M*aEjROWwK-fL6%EUZCXXUabb7`Y3
zR|#Bic!2F%A#Bh4C@9YrE>be%TtYSE7ci32>9Un~3uNbj>_KB0tynf42BahOz#Vd;
z+MfF5va|1#J>96ss?c!|tXN*<fz~!_duQE&PPBm>5Ls80MCEu?VK6S>g>YG~HCA5b
z9?tI<aYBa|)MPcaP^^XA#KpGg_(`wW)ZT4zm0GTldB8=1pK-+);Y-}=H|1gxQGWy-
z&C6i4CV)!B3uqV=P{`N4Et_^<SdP3{s(?#eY@zNa;o7(<O2I1R(wo_Mtr*9BZ432v
z;pi9P($HH}g$CrD%+2VZW>I4f4PI56c-Cv^h4$ov581Wxh|EP^7)7cFM&^^cMDJWt
zfg=nA2W)7?^X^LBr8IcQ(PDEWmjG0KaOH%MRt+iy+$vuK^e=R7YR3RUhA>vdoUN7P
zVqNW*Kx`xI6$iZ)(rfPNQn~ZDd+t2EK?5C=0^lGWlO61Szdr=rGlKs14}8hn+-lyB
zJtOFMotJO5XB0hi*Khyv&)#YfJ+HoB`_NB=#ees~FQ`Tex$95;@YCWqf8IU$-_)nY
zuf2cg3+*-OqrdX%Yw!Ko)8e1|rgywel>h1Pcv{51>8(-zwD#hjWWV>bQU2O{KmNM(
z(O;(BjwEaf8bICD+^lwcArt@-!FfcW9ln5JLYwu3_kgVFaTOX&5$zC}&-tq83BgH2
zCY&2TCdd0~+PaG22Rja5@%s&PZ05lC0`yFHTlKE)W9SP3b-&odzyP7$D-(0uotU3c
zMyMa!d76ABaPvI}g=9)tm-T&tI%Np3jQt5KRcny+Yg3!N%v$}CM+lq+Oleuh_e<9H
z^hj(BP0dSjyS+ty=j{(YdpmCOlb9Bvg_|pL1n!71lYwbTJ1R{O{$Nb9kX{Oy8<o?h
zoL%5DW&mGP?^`n1>bcq57+HzI33~m)m9p=PA=1DdvY?vb-bcoSmAPGGHYAgfhcekm
zXV&nC1$&pYha((T%WGCWgqrHf+y(O9eM9N!;b4^KYtfp}IxAhDS5N3JRLxlCVCX5G
z?Q{=Au+chBD`1&ky-Sjm(M^&LfWR1q!P2BH17A|MA{yL9H2wVWpf?mm3qM*PH>E4W
zW#3~v_%bo=5uHTKgXV*UqqQVOhkhIFj_2!=*y^IHbL$%E0VlGQ>2{R%k5$u@RcxNO
zH`dK=N6WlC!e*9r!gqM}(ZNKUT-~&GADW999)a~hiwW7Ns#F=|a<&tvEIMi%7zA}N
zEDf{W(c*OhuxzSnb3%%TM$E=E@PQ=7^WX%%VhkA~@o-iFTFC4@kj^+mcRTia8sC~3
zF(0Mv)t(Yg&>DLPZ_{bdxi`)hPkayE4-KG`Xn#e7gEH`gsl-I&`v;1+uDBeCv+6A?
zIblt?4Pf_pe4y}P`?ybGN&O5&(Cr)l*ef4~4D|VWxySRRf9vmN&j|YG?pq`1H-GLs
zqc<W5bg|z1jV~hTD}VHL=_iFbEilW#)TX)@n*%EQN~}v;Wb)`>uiL@lT+nSRT8nk#
z7>uOl=kvZVfzI}5&#^Of8T`*ySc?~j)$bB83y-0?M+Y4V4ir1$M`-WgoEmN$?qIBd
zly%o3%b1D971{v(pdR$S>=&T|L;I;<$y_bBmvcg<07o(S3kW|s8#GWBu3mFOXxCHC
ztVAA%o=wuuy9aq_S+W$Csa&hpUK#<1eb~A>$a3AH36b~{$U&7N0Hasv-ATl27tIwN
zDZ>fcxoT1zXRDg|Q+66Sr(Fj&kRnK7=QTU5)e3x#>^BQ)ucQaOy|jJD1BQ|^#hZ1y
zFF=Gy39Hb(@eaP{SMBAo3Rd8u%GjPYg$i1IGu{~_!dlsL54V#8lOQ3DyL4=Va<#yt
zE%X+{)8lA(cbGPnJ9mjzZJ|vkc?;)C^Jp)DL+YS%bPGWV885fdLD^fBt)+=}8E*X?
zOt?ayG}Ht(8W5JeL%!zq#rfg@{CradKsemyX9Xc7JKD9G5ujUZe|eC{*q#Xw7eF*;
zV|ObO+Z<IAAP-sXJwRD!DOY^arqu(OsVG!lYlI8MJ;nJaAOv=OPdWHiG%%Wm&$w9J
zd=12=EU~z5w<m9*gQn1M<|-}nW*~we7AJ*TBk<Af`r;qXTZ(8NeQSAuxaUW+JuhY$
z+l?fLV|<?DzOPSE#t)G#v{X`oe9Mlpx-+nn&WT79j{v=l<7j(=Au6EqBov2U7qoWS
ztW3dNC)mVi4t4;1N~>9y1Y4<gz@REH3}CH+LkHs?=rD<vy6t=>^&o-i`^g33?ja?^
zsuU<4q|799s4pv~-NoaWR8TlVY3n?RmcYX+wx>v3SaX^J`tESxi`^m(+9b?IN1W`X
zphU~Uu$4{57QvFo6_rYM=ZH&aX*nX4v%i6g1A8ufmY}f<rC&IcDl>w-jci0NuH9w}
z@(`N<rpau)t^Fi~u*<Bn%}r?$9g)k7r$Lh(oQZJuD^|Jss&Q;}ToAE_bmsC=1xE@H
zBxh!*bM4k{cw1Wx`hdwIf!oy@k;yo?;hWAmFLiDg!;ry=Cln?u1T;AJ3w4*QG8n^Y
zLaw45-{?6^(I?*ualjca!xIVMFpe~IHefbzE|?R)lpwp;je;=^p%3}c;KVDVOdW@E
zE2uhm`;yQzX@TCcR#;9C193!ZUx0g<n=Cb>E~Y*?>IX3mx{Movggik;-tQx)CP3=$
zvb}851CX35=`>TWf!$XKOkb=MjZe5aNbzp6A4LvwXt&u;T|x1kgS!+r%8{!K+i=ey
z>!&&B%*!okYi*N=*bRtblO=yJcMKGm6miiX0k8>WHO@xM0fN&hH4V3`aENtKWw%cQ
zAokG^FZ}7z=exFw5rSQMkCgA7OCHyjv#d`1x`*LtPa3M)RobK6hG%OTqKUERgKKh`
zN;|02;xP=IWlTKcH=RB*>~VG?1*Orvv6imvaq_Av+?76+m#1#P!k6}of)Zl`I@OyC
zdkY!R{lLi*O#sWWaf0B!A)8^BVN1@ub0>&!AouX;ux14b=j#~|#YarHC)&;IjXVLj
zU5d!^1c*5eA^a7?G8RaNsL<p=`R0}|>*xmk9HWaZJr!h{y$*pXYy!9#@9Ig;NjMgE
z$0fbS8FxfBb`W;6U`qvObeX6I<Kd#GD^%LqHdNE3eZ(Ni=U0|~&W~I?7VT{78gb4G
zT%-8Ag9zM?0qA?PGjRu<j(LP_^;U(UF<}DXam`~eKp8`w*uw0lI|vR}fCkE8VdC26
zPRaW#(%PB8Q~;!bck3W4uVfpb3dgixsDqQa!USR|t81MQ{dHhco+ea}KIRuxHr5#n
zsx}B5Tw=yM$8o#WFKDz>#WJD^fKRn72WUnGW)wZ(fOC6sSbIlBi|Srxwc;vM$KF1I
zvJ1N$;qxC`Cp|6EL0vm#I;Ltg2&iYVmq9&-{_QHmI6LHgjtK}lNCWoV>sPV_$-tmR
znCMC+6yQ*pbEjz>wK7i|2S481^{o*kX1Zb|rH?f<0dDlfr(|Ax#A=5N(619aXMaLG
z8Mum`@tAIfGw#$CoWlD4s$=9V9)-n;9tx^WJkQ$}VdGqn`V=n?#=HP#KA;*kW{=#~
zAn3LUA3bFNw{<T@O;v<|qo=RcRKO2$axk2R7OO+RhaGc^y7u9TQnFqpofy!AfFu?J
zxYy%z@@6ft<Q5IRn3?5<t<`a*Yx@ECdzW={(AaiA;*W+qC+Lwq1Tq$@$AzXKJRMn~
zs4ezvdp%PuP`Ae6RGvUt!tCf0UBj{0u*uG}?uy*@6o?S=#7Uko&pig?dW9mIxCic1
zhL8Fd;KQZIva8OPj@oP<)@%FB03abgDK@<w_U@tY?=3+z8r)*xl@C(2LJ^?a_u2xL
z(&&snhD@q?63u}^VM>a2x$?^>wof-unD6LRQ`)US#A*|)>_AX(09z+lq&j-Q`a?m;
z&7eRuQ@QUdnXcCLkzL!{%W%NjiqjQH{Xx6&dWFfQ4?L&N2-f%QBSy0x;q^%lq8R9c
z8s@HsS>AW`Ee9eXq<@m-@t{BHTC=}OMAfCzwAbcYmLiPPV`yjbUW`a95NJ^q_e@rC
zrqP(VUtRFj-Im=MuKL|wx+xRtMKenq+eQPByHaR0dqa0MdMt7(LVzN&3zGrL%TADG
z;VyBVYcMCfI<z2>h3QAmo7Qk4-)EozKF(Ma0hpr&u+YYOK<R@a_bs%f6WOK6klmcO
z<}U6xQ<s?#5lj4<SZYY1m1aelm0{yOJJL08RD+jzAWL=J0C#*TdfCb5cH8N4PFa9N
zdYep*A%-t31o>5yy$6c{IWuW?=Y&e|Hb3aC13et=bg<SLip2L2s-1H)>4mklkLE?{
zi5&6=X2V=5GbRWlZ7=)v-L#k(L_F5?$|v*C5<$t&mKc12I87ON9_|QNr!mcr3He6l
z+k2h@Pi=WsQ!NtiG%=h+^TuySV1Z_<VO1<QB}<=3#vl-(X}awM0%z0Jcq2pq`Y)`?
z4OR0G-k%xzKlytv*Wu4B{exfjb?^U&Z`R>IDZKjHSN`ZPL(c!nzmL34W&hz{e_H&p
zzxcAnKlp>sRQB)5UsU#=`i@s$bAI}1G5ZkmHg)(ny#HzOXaD<KtB9wy7j^g<M48`^
z;eO5enb)OHeFrLK>#U|*fT8F0#m;y5*|N!L0hwUtoclQ<0aLzi6lnuYisRK-F!8{O
z_GRFKWZ}yI)hXjZ_w7+YibRXayV--lQsL4Q*-TY!1u)<=eZZe8Q1EVbs}Xn0Xm>*8
zIzCAE(~t>etdnZz+buxt4ih)vqc0DH&>eP8c7vHJG-2e@V9{-MLem)Qm^6ZF)$Rbk
zn>2RN5Xls@yM~?&<az}R)=}mT^<}$0=@fVInJOzyZk+<&x1IvNoFo*~Ar;X26qR9W
z@U5L053An+RB0(AfdL?zMB_k(@B|3FvN%>dqHe@9&^6QZ1vIY6%)KWLGY#{`gI2bC
zZ%oHrm}0ie_4N)(HsC08oEZXglFJE`258lB-BGY2wX2u7DBiB3Hr0uLsanQqC_#`0
z&|6V~;eHgiXM`ed5W(xE7)d=!V%l*z(EWVk1rVu0p*Epp6u={ob%O>a5FRFI!A(jy
zVO>QfO1TJ-vAifK%<WZxMg);pHKw27#QjP*(}*^H0|k<LJC9QBwTh<t01BKZsVgSx
z+BI!S9T16L7xZ{l_nLK$&Vhnz8)%56Ex_S{VY(0?B?qYS!n$w{^cExuze_6NNrrW2
z2sUOy#0r2h3(fOPXJ`iZ#Rhafj?pH)a-)Uk<UYyJy1xTn9Q1SQaP8V-L*^#8iRA0U
zbxtl~@@0YVH-Ti3CSCbc#)OwmYc)v$w0>^f;Cs0xPRx$e&qI3R;_R$>be%_>LW6HW
zji7LM`IZ5t<$V=&noXl6u$%TNxH@`9Q24LjE+&tMX9RundtZ*p7jxbBypWlfKJ`5i
zlfU$|_+4P}3!^u_;f*N&S@Nwh`PRAaC%*N~nEWM($?tJTNrH~%Xu|Y?SuHn!<cw~&
z%j_M4be$}(MrjxuAJnQsliApn?L7cx7~M+~c;BqX+9S^e3ui4kl7ldSG}riH;zn=U
zqPep<=2w~RuBRsD1$!e(3j!~^-iQ8wm23x$-1uR1yGL1+S5_7Z2mlq6>akM;xK6kr
zUuT&S^(HS-i}G=p1GRU{ZA=TCPGs{rKJ2~YDDPSRVBsrt6hs4=LOoVw?J!V#U`%cM
zFs1M-ezc$11K59eELQa3E|`#E4rp}2qBPt9F|C@008|a4dVv6FBTwAzH3*wW$)C6Z
z=p<AE1^C7Fid4($N0mv5a~rR;UU#zQ6H_WOake|ufeuYV<P3eMWquSbd%Fu_TyYot
z)(;eOvtF(^w4V0u{?_0dBVdF3aC@-8HLdA2kZV>o&ZD~wad*SDZj!|flrbad1Z7Ft
znEX+VP>B$zK++d2iSi{AuU$^aPgv9DBb5s#u=R?BvwS3G%TzW*17;5LzL#KN)q)}&
z6|ROH&}nhh4DrIqZ`(5QD3JGK>CKro2`qD`X;Jeg<c(@GcDNs1jo#-p5URY|7ek;)
z;0yT?5Hju!Wv_@LTaBj3FML7A%#D7-HJ3`7DWEv$X!IWD0w8`YsT+P&4#%SK+~`U!
z8u!@J-d-HY1ITIIlj~Gv1|Z;9sf5;YvYlAf3vWmc@~~<oiw?}M0qncxQ-8$RI$oyQ
z<^f76u+0ZMczZlyT60C4a}V+#r8JZNhTYCx#Utt^W1qyVy2Seacy&(;tbVX{yYzn(
zBIx`l-u=oa-}%ZLua|pc@BGDZ@r=p;_1w<#<`nk*uN7bY#;x{eU-^wM|B4q8^xfa`
zy1e|zeVJkYnx1wU*)W>!?G3A$D<jDSc58w1&SkKdZ6z(kxb;B;?6G&!^D2RZ5~}j`
zDLtJJE`6_wJdIJ3E)oiqYOcj`1#s&N=jj=N6f2^<pRiGiX200NJ|NP~)V|$j6nVXq
z1bM~*wRzM0USIe?f8)eyM=m*k$*naKQeqM5da5$+__o_Ey+oqZMDK>W?tHDz9FC?P
zxw>B0nI>T~f$thuxs1BBTI|=Gg)c6FY>)8Tia#rAec3q%1Ql17H%Pq}W`5^Y^ipB*
zEclfB=&>?2<qCl4yDdQNL7;Y~wRNs*h&yM&NlnM?ZYm0jPP_2z`53f-oPHrC@&#vw
z-cUdct=qKr)apfB@2j?gMttl+RZSr=;m?K@5<(;U{&I!I!(PUZ3$i`fCm<o+?8>)N
z#yC-{-C4TDwK2OZiGjWVaE$k~Z6Y3T-WljaGN6oPix%&(r^MNr<6=BL1P7m5iY@EX
zS+X^0p)Q_jr(zJIWVK@oY*=0QNN>fsodUrvbW!yzEvpBv6xkpT=cQH4>iw>CAO@@i
zX>2fD3OkJUJ_ou{kz+;I3cZJj4QQ!GV#!IS&XzW$aQa})B7CIhqmqK+g?8%U(`Pby
z>?wcf43N_sXf6aL`-4z9euQXTmn?6m<IMy=xSc;0o1usqEhYPbjBF?Fd1c;6Lkt=y
z>#p(@#saYqg2;gKtELl)w3Q6$e}1Ig`9a^~1|?gg0Np_NzCEtE2>hsE3_*^o<*A@8
zheC^`Wo<VzRt&dNIiC<ts&i1dHXT|AwX){id2sn+>1nvrnhnZy_$e6AP|)Npei?Id
zYn(0T615V+Z47bU4G3L~gLk?+J?G}`aadlCVS~l>fTB!kET>Lut9E6N`{h;GaN05&
z(mU^9i(z$q)K<@Jkv0>CD-2S&jJ(9+P+0X!+dF-)i;FlDa<>(0&@2U1J;@Vpq$*ea
ztN=pVtHxsAi1-9qmu3>#!3(<D0X(aaRhzoo`t`z113g_RsPB?Mi4A}bo?n4-2<lY>
z%+8}u19sS<@{yeCcN!b6^DVal9p(xOfYS4dqBDs3hI{=KUZ!HvpIlOz7bj}ucX*mE
z^da8sAUbo04wJIMl{itW<~Uz*5X8ndYZ7EcTaW`-Raa)>^XnWg9~h{aQQ%E^H&{)*
zm>w{iVWfIS*7!!f)5b8!OR*a7@(Euo6;%~(bQ31BmwOI?A<;m)^zPRo&+|@s_q*Sw
zE|{3-dG`xH|8frUJoBCtzrXWh>xR7i@mF8_?r(WoT>h!Iv-ro~@w6zu^Ybm9KlZ^t
z`Bz{08z28{r6DhW;)TWLEf!xslV737^l9-I|LNzR$>)#3nf$Tm9*=+XU*0^EzYWgh
zpLjmwpa0Hxzw!gH`Q-U}$>Nv2@((`!AD$NVfB(YbD{t&8{?G1<?I-cyeAD6&J-44c
zw^1q3uYO<utoHjpzg;f#`vzD|*5?OU(FhApp1Y|4hyMYZBVpMttkm82@B7QuVcWx&
z;QjlKhwkuK-v2&|{s2Y2&;HDQlm=Gqe&%1k`;9N^YyZ&~bStb!`KtBvk-zE(-*jvD
z%5#D9b3MwBz<QM5VgB`-Zv6zf^@pBL_&Kong?G&S&hWGt&VQsu*fH}jhtIY6Tr2vP
z9W&22c<mp*`;`bh{Cs_$m$gs-!t)J`Kl758f8@8m{`<b@xnt)0f9)+^mY1I(VNnx_
z6EsedOM+RDH1!$B{9AaJFR*+E9K(IZ^IhKaUqAO_eBT#=V?GX!`F-ZYpZhU>3!eM?
z|N6V$W?9p3{L<6n;iYAupS1{%X+HA8V)&`2tKCqC{e@4vKe2t+E0AKp@%lV}eB-D8
z<I}GG>o57^<KT~XJ^k^@&%f};M?dkp9Da%<iPuzE%dnddA9!PD^R0O<(}5o+SQ}l#
zO2f}?*MUFy%<>)jv#WPtZ6EyK_gUBCdK=(3&qw=;>|Jl;#K?X=+He2xOHO>(cm3=q
z-vdtk-T(8&Z~e$0{lwGaSHG>rcYOKNqWVAnNQ-a`{NDfje2c%@{^2uzp8M!e|Kii4
z@im|8zE8df+=qM+R`GG~ebarv_H^I#8GohwLyMocs*G0u@6+NtUVZ5q5%|<!278-c
S`MuwM^BMp5tFL|Z*Zx0~Xu8q>

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tcp/large-file-reassembly.bro b/testing/btest/core/tcp/large-file-reassembly.bro
new file mode 100644
index 0000000000..655d030d96
--- /dev/null
+++ b/testing/btest/core/tcp/large-file-reassembly.bro
@@ -0,0 +1,22 @@
+# @TEST-EXEC: bro -r $TRACES/ftp/bigtransfer.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: btest-diff conn.log
+
+# The pcap has been truncated on purpose, so there's going to be large
+# gaps that are there by design and shouldn't trigger the "skip
+# deliveries" code paths because this test still needs to know about the
+# payloads being delivered around critical boundaries (e.g. 32-bit TCP
+# sequence wraparound and 32-bit data offsets).
+redef tcp_excessive_data_without_further_acks=0;
+
+event file_chunk(f: fa_file, data: string, off: count)
+	{
+	print "file_chunk", |data|, off, data;
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
+	                    [$chunk_event=file_chunk]);
+	}

From 04344d09eb708c23fa22288d718ce5059c168eeb Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 13:36:44 -0500
Subject: [PATCH 015/136] Update SNMP analyzer's DeliverPacket method
 signature.

---
 src/analyzer/protocol/snmp/SNMP.cc | 2 +-
 src/analyzer/protocol/snmp/SNMP.h  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc
index bed2e3c12d..36282087fa 100644
--- a/src/analyzer/protocol/snmp/SNMP.cc
+++ b/src/analyzer/protocol/snmp/SNMP.cc
@@ -25,7 +25,7 @@ void SNMP_Analyzer::Done()
 	}
 
 void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-                                  int seq, const IP_Hdr* ip, int caplen)
+                                  uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h
index 31f4450d9b..d01704d2ae 100644
--- a/src/analyzer/protocol/snmp/SNMP.h
+++ b/src/analyzer/protocol/snmp/SNMP.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-	                           int seq, const IP_Hdr* ip, int caplen);
+	                           uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new SNMP_Analyzer(conn); }

From cc838c6b2e1d20bb8ae07bec91840eca13285dc6 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 10 Apr 2014 15:11:43 -0700
Subject: [PATCH 016/136] rip out state handline from ssl analyzer.

still seems to work, but basically untested.
---
 src/analyzer/protocol/ssl/ssl-analyzer.pac |  79 ++-----
 src/analyzer/protocol/ssl/ssl-protocol.pac | 249 ++++-----------------
 2 files changed, 55 insertions(+), 273 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..39388c448e 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -107,25 +107,6 @@ refine connection SSL_Conn += {
 	%cleanup{
 	%}
 
-	function proc_change_cipher_spec(rec: SSLRecord) : bool
-		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ChangeCipherSpec from %s at state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-		return true;
-		%}
-
-	function proc_application_data(rec: SSLRecord) : bool
-		%{
-		if ( state_ != STATE_CONN_ESTABLISHED &&
-		     (state_ != STATE_CLIENT_FINISHED && ! ${rec.is_orig}) )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ApplicationData from %s at state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-		return true;
-		%}
-
 	function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
 		%{
 		BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
@@ -267,11 +248,6 @@ refine connection SSL_Conn += {
 
 	function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
 		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected v2 client master key message from %s in state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-
 		BifEvent::generate_ssl_established(bro_analyzer(),
 				bro_analyzer()->Conn());
 
@@ -285,17 +261,6 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_handshake(hs: Handshake, is_orig: bool) : bool
-		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected Handshake message %s from %s in state %s",
-				handshake_type_label(${hs.msg_type}).c_str(),
-				orig_label(is_orig).c_str(),
-				state_label(old_state_).c_str()));
-
-		return true;
-		%}
-
 	function proc_unknown_record(rec: SSLRecord) : bool
 		%{
 		bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s",
@@ -306,13 +271,8 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-
-		else if ( state_ == STATE_CONN_ESTABLISHED &&
-		          old_state_ == STATE_COMM_ENCRYPTED )
+		 if ( client_state_ == STATE_ENCRYPTED &&
+		          server_state_ == STATE_ENCRYPTED )
 			{
 			BifEvent::generate_ssl_established(bro_analyzer(),
 							bro_analyzer()->Conn());
@@ -322,10 +282,10 @@ refine connection SSL_Conn += {
 		%}
 };
 
-refine typeattr ChangeCipherSpec += &let {
-	proc : bool = $context.connection.proc_change_cipher_spec(rec)
-		&requires(state_changed);
-};
+#refine typeattr ChangeCipherSpec += &let {
+#	proc : bool = $context.connection.proc_change_cipher_spec(rec)
+#		&requires(state_changed);
+#};
 
 refine typeattr Alert += &let {
 	proc : bool = $context.connection.proc_alert(rec, level, description);
@@ -335,42 +295,37 @@ refine typeattr V2Error += &let {
 	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
 };
 
-refine typeattr ApplicationData += &let {
-	proc : bool = $context.connection.proc_application_data(rec);
-};
+#refine typeattr ApplicationData += &let {
+#	proc : bool = $context.connection.proc_application_data(rec);
+#};
 
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,
-				session_id, csuits, 0)
-		&requires(state_changed);
+				session_id, csuits, 0);
 };
 
 refine typeattr V2ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
-				challenge, session_id, 0, ciphers)
-		&requires(state_changed);
+				challenge, session_id, 0, ciphers);
 };
 
 refine typeattr ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version,
 			gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
-			compression_method)
-		&requires(state_changed);
+			compression_method);
 };
 
 refine typeattr V2ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
-				conn_id_data, 0, 0, ciphers, 0)
-		&requires(state_changed);
+				conn_id_data, 0, 0, ciphers, 0);
 
 	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
 		&requires(proc);
 };
 
 refine typeattr Certificate += &let {
-	proc : bool = $context.connection.proc_v3_certificate(rec, certificates)
-		&requires(state_changed);
+	proc : bool = $context.connection.proc_v3_certificate(rec, certificates);
 };
 
 refine typeattr V2ClientMasterKey += &let {
@@ -382,9 +337,9 @@ refine typeattr UnknownHandshake += &let {
 	proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig);
 };
 
-refine typeattr Handshake += &let {
-	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
-};
+#refine typeattr Handshake += &let {
+#	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
+#};
 
 refine typeattr SessionTicketHandshake += &let {
 	proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig);
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 9368122eaa..7ee71df352 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -34,7 +34,7 @@ type SSLRecord(is_orig: bool) = record {
 	head4 : uint8;
 	rec : RecordText(this)[] &length=length, &requires(content_type);
 } &length = length+5, &byteorder=bigendian,
-  &let {
+	&let {
 	version : int =
 		$context.connection.determine_ssl_version(head0, head1, head2);
 
@@ -51,9 +51,8 @@ type SSLRecord(is_orig: bool) = record {
 	};
 };
 
-type RecordText(rec: SSLRecord) = case $context.connection.state() of {
-	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
-	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
+type RecordText(rec: SSLRecord) = case $context.connection.state(rec.is_orig) of {
+	STATE_ENCRYPTED
 		-> ciphertext : CiphertextRecord(rec);
 	default
 		-> plaintext : PlaintextRecord(rec);
@@ -82,64 +81,18 @@ type SSLExtension(rec: SSLRecord) = record {
 ######################################################################
 
 enum AnalyzerState {
-	STATE_INITIAL,
-	STATE_CLIENT_HELLO_RCVD,
-	STATE_IN_SERVER_HELLO,
-	STATE_SERVER_HELLO_DONE,
-	STATE_CLIENT_CERT,
-	STATE_CLIENT_KEY_WITH_CERT,
-	STATE_CLIENT_KEY_NO_CERT,
-	STATE_CLIENT_CERT_VERIFIED,
-	STATE_CLIENT_ENCRYPTED,
-	STATE_CLIENT_FINISHED,
-	STATE_ABBREV_SERVER_ENCRYPTED,
-	STATE_ABBREV_SERVER_FINISHED,
-	STATE_COMM_ENCRYPTED,
-	STATE_CONN_ESTABLISHED,
-	STATE_V2_CL_MASTER_KEY_EXPECTED,
-
-	STATE_TRACK_LOST,
-	STATE_ANY
+	STATE_CLEAR,
+	STATE_ENCRYPTED
 };
 
 %code{
 	string state_label(int state_nr)
 		{
 		switch ( state_nr ) {
-		case STATE_INITIAL:
-			return string("INITIAL");
-		case STATE_CLIENT_HELLO_RCVD:
-			return string("CLIENT_HELLO_RCVD");
-		case STATE_IN_SERVER_HELLO:
-			return string("IN_SERVER_HELLO");
-		case STATE_SERVER_HELLO_DONE:
-			return string("SERVER_HELLO_DONE");
-		case STATE_CLIENT_CERT:
-			return string("CLIENT_CERT");
-		case STATE_CLIENT_KEY_WITH_CERT:
-			return string("CLIENT_KEY_WITH_CERT");
-		case STATE_CLIENT_KEY_NO_CERT:
-			return string("CLIENT_KEY_NO_CERT");
-		case STATE_CLIENT_CERT_VERIFIED:
-			return string("CLIENT_CERT_VERIFIED");
-		case STATE_CLIENT_ENCRYPTED:
-			return string("CLIENT_ENCRYPTED");
-		case STATE_CLIENT_FINISHED:
-			return string("CLIENT_FINISHED");
-		case STATE_ABBREV_SERVER_ENCRYPTED:
-			return string("ABBREV_SERVER_ENCRYPTED");
-		case STATE_ABBREV_SERVER_FINISHED:
-			return string("ABBREV_SERVER_FINISHED");
-		case STATE_COMM_ENCRYPTED:
-			return string("COMM_ENCRYPTED");
-		case STATE_CONN_ESTABLISHED:
-			return string("CONN_ESTABLISHED");
-		case STATE_V2_CL_MASTER_KEY_EXPECTED:
-			return string("STATE_V2_CL_MASTER_KEY_EXPECTED");
-		case STATE_TRACK_LOST:
-			return string("TRACK_LOST");
-		case STATE_ANY:
-			return string("ANY");
+		case STATE_CLEAR:
+			return string("CLEAR");
+		case STATE_ENCRYPTED:
+			return string("ENCRYPTED");
 
 		default:
 			return string(fmt("UNKNOWN (%d)", state_nr));
@@ -176,21 +129,7 @@ type ChangeCipherSpec(rec: SSLRecord) = record {
 	type : uint8;
 } &length = 1, &let {
 	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					 STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					 STATE_ABBREV_SERVER_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_KEY_NO_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT_VERIFIED,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_ABBREV_SERVER_FINISHED,
-					 STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.lost_track();
+		$context.connection.startEncryption(rec.is_orig);
 };
 
 
@@ -209,7 +148,7 @@ type Alert(rec: SSLRecord) = record {
 ######################################################################
 
 type V2Error(rec: SSLRecord) = record {
-	data:   bytestring &restofdata &transient;
+	data : bytestring &restofdata &transient;
 } &let {
 	error_code : uint16 = ((rec.head3 << 8) | rec.head4);
 };
@@ -234,9 +173,7 @@ type ApplicationData(rec: SSLRecord) = record {
 ######################################################################
 
 # Hello Request is empty
-type HelloRequest(rec: SSLRecord) = empty &let {
-	hr: bool = $context.connection.set_hello_requested(true);
-};
+type HelloRequest(rec: SSLRecord) = empty;
 
 
 ######################################################################
@@ -257,13 +194,6 @@ type ClientHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_INITIAL,
-				STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
-		($context.connection.hello_requested() &&
-		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
-		$context.connection.lost_track();
 };
 
 
@@ -279,13 +209,6 @@ type V2ClientHello(rec: SSLRecord) = record {
 	session_id : uint8[session_len];
 	challenge : bytestring &length = chal_len;
 } &length = 6 + csuit_len + session_len + chal_len, &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_INITIAL,
-			STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
-		($context.connection.hello_requested() &&
-		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
-		$context.connection.lost_track();
-
 	client_version : int = rec.version;
 };
 
@@ -306,11 +229,6 @@ type ServerHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-					   STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -329,14 +247,6 @@ type V2ServerHello(rec: SSLRecord) = record {
 	ciphers : uint24[ciph_len/3];
 	conn_id_data : bytestring &length = conn_id_len;
 } &let {
-	state_changed : bool =
-		(session_id_hit > 0 ?
-			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_CONN_ESTABLISHED, rec.is_orig, false) :
-			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_V2_CL_MASTER_KEY_EXPECTED, rec.is_orig, false)) ||
-		$context.connection.lost_track();
-
 	session_id_hit : uint8 = rec.head3;
 	cert_type : uint8 = rec.head4;
 };
@@ -357,12 +267,10 @@ type Certificate(rec: SSLRecord) = record {
 	length : uint24;
 	certificates : CertificateList &length = to_int()(length);
 } &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_CERT, rec.is_orig, true) ||
-		$context.connection.lost_track();
+	state_changed_client : bool =
+		$context.connection.startEncryption(true);
+	state_changed_server : bool =
+		$context.connection.startEncryption(false);
 };
 
 
@@ -373,11 +281,6 @@ type Certificate(rec: SSLRecord) = record {
 # For now ignore details; just eat up complete message
 type ServerKeyExchange(rec: SSLRecord) = record {
 	key : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-				STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -388,11 +291,6 @@ type ServerKeyExchange(rec: SSLRecord) = record {
 # For now, ignore Certificate Request Details; just eat up message.
 type CertificateRequest(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -401,12 +299,7 @@ type CertificateRequest(rec: SSLRecord) = record {
 ######################################################################
 
 # Server Hello Done is empty
-type ServerHelloDone(rec: SSLRecord) = empty &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_SERVER_HELLO_DONE, rec.is_orig, false) ||
-		$context.connection.lost_track();
-};
+type ServerHelloDone(rec: SSLRecord) = empty;
 
 
 ######################################################################
@@ -425,15 +318,6 @@ type ServerHelloDone(rec: SSLRecord) = empty &let {
 # encrypted anyway); just eat up message.
 type ClientKeyExchange(rec: SSLRecord) = record {
 	key : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_KEY_NO_CERT, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 ######################################################################
@@ -449,11 +333,6 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 	en_key_data : bytestring &length = en_key_len &transient;
 	key_arg_data : bytestring &length = key_arg_len &transient;
 } &length = 7 + cl_key_len + en_key_len + key_arg_len, &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_V2_CL_MASTER_KEY_EXPECTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.lost_track();
-
 	cipher_kind : int = (((rec.head3 << 16) | (rec.head4 << 8)) | cipher_kind_8);
 };
 
@@ -465,11 +344,6 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 # For now, ignore Certificate Verify; just eat up the message.
 type CertificateVerify(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
-					STATE_CLIENT_CERT_VERIFIED, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 
@@ -481,13 +355,6 @@ type CertificateVerify(rec: SSLRecord) = record {
 # so we will not be able to read those messages.
 type Finished(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 type SessionTicketHandshake(rec: SSLRecord) = record {
@@ -499,10 +366,8 @@ type SessionTicketHandshake(rec: SSLRecord) = record {
 # V3 Handshake Protocol (7.)
 ######################################################################
 
-type UnknownHandshake(hs: Handshake, is_orig: bool) =  record {
+type UnknownHandshake(hs: Handshake, is_orig: bool) = record {
 	data : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool = $context.connection.lost_track();
 };
 
 type Handshake(rec: SSLRecord) = record {
@@ -532,33 +397,12 @@ type Handshake(rec: SSLRecord) = record {
 # Fragmentation (6.2.1.)
 ######################################################################
 
-type UnknownRecord(rec: SSLRecord) =  record {
+type UnknownRecord(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool = $context.connection.lost_track();
 };
 
 type CiphertextRecord(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_CLIENT_FINISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_ABBREV_SERVER_ENCRYPTED,
-					STATE_ABBREV_SERVER_FINISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_ENCRYPTED,
-					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 
@@ -578,22 +422,22 @@ type SSLPDU(is_orig: bool) = record {
 refine connection SSL_Conn += {
 
 	%member{
-		int state_;
+		int client_state_;
+		int server_state_;
 		int old_state_;
 		bool hello_requested_;
 	%}
 
 	%init{
-		state_ = STATE_INITIAL;
-		old_state_ = STATE_INITIAL;
-		hello_requested_ = false;
+		server_state_ = STATE_CLEAR;
+		client_state_ = STATE_CLEAR;
 	%}
 
 	function determine_ssl_version(head0 : uint8, head1 : uint8,
 					head2 : uint8) : int
 		%{
 		if ( head0 >= 20 && head0 <= 23 &&
-		     head1 == 0x03 && head2 <= 0x03 )
+				 head1 == 0x03 && head2 <= 0x03 )
 			// This is most probably SSL version 3.
 			return (head1 << 8) | head2;
 
@@ -606,39 +450,22 @@ refine connection SSL_Conn += {
 			return UNKNOWN_VERSION;
 		%}
 
-	function state() : int %{ return state_; %}
-	function old_state() : int %{ return old_state_; %}
+	function client_state() : int %{ return client_state_; %}
+	function server_state() : int %{ return client_state_; %}
+	function state(is_orig: bool) : int
+	%{
+	if ( is_orig )
+		return client_state_;
+	else
+		return server_state_;
+	%}
 
-	function transition(olds : AnalyzerState, news : AnalyzerState,
-				current_record_is_orig : bool, is_orig : bool) : bool
+	function startEncryption(is_orig: bool) : bool
 		%{
-		if ( (olds != STATE_ANY && olds != state_) ||
-		     current_record_is_orig != is_orig )
-			return false;
-
-		old_state_ = state_;
-		state_ = news;
-
-		//printf("transitioning from %s to %s\n", state_label(old_state()).c_str(), state_label(state()).c_str());
+		if ( is_orig )
+			client_state_ = STATE_ENCRYPTED;
+		else
+			server_state_ = STATE_ENCRYPTED;
 		return true;
 		%}
-
-	function lost_track() : bool
-		%{
-		state_ = STATE_TRACK_LOST;
-		return false;
-		%}
-
-	function hello_requested() : bool
-		%{
-		bool ret = hello_requested_;
-		hello_requested_ = false;
-		return ret;
-		%}
-
-	function set_hello_requested(val : bool) : bool
-		%{
-		hello_requested_ = val;
-		return val;
-		%}
 };

From db80947b5f285a49d8bf8c60f816aad9ab4b0b98 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 14 Apr 2014 15:58:37 -0400
Subject: [PATCH 017/136] Updated snmp script.  Feedback would be welcome!

---
 scripts/base/protocols/snmp/main.bro | 157 ++++++++++++++++++++++++++-
 1 file changed, 156 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
index a2fbb23713..1c92e73ce0 100644
--- a/scripts/base/protocols/snmp/main.bro
+++ b/scripts/base/protocols/snmp/main.bro
@@ -3,13 +3,168 @@
 module SNMP;
 
 export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts: time &log;
+		uid: string &log;
+		id: conn_id &log;
+		duration: interval &log &default=0secs;
+
+		version: string &log;
+		community: string &log &optional;
+
+		get_requests:      count &log &default=0;
+		get_bulk_requests: count &log &default=0;
+		get_responses:     count &log &default=0;
+
+		set_requests: count &log &default=0;
+
+		display_string: string &log &optional;
+		up_since: time &log &optional;
+	};
+
+	redef record connection += {
+		snmp: SNMP::Info &optional;
+	};
+
+	global log_snmp: event(rec: Info);
 }
 
 const ports = { 161/udp, 162/udp };
-
 redef likely_server_ports += { ports };
 
+const version_map = {
+	[0] = "1",
+	[1] = "2c",
+	[3] = "3",
+};
+
 event bro_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
+	Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp]);
+	}
+
+function init_state(c: connection, h: SNMP::Header): Info
+	{
+	if ( ! c?$snmp )
+		{
+		c$snmp = Info($ts=network_time(), 
+		              $uid=c$uid, $id=c$id,
+		              $version=version_map[h$version]);
+		}
+
+	local s = c$snmp;
+	if ( ! s?$community )
+		{
+		if ( h?$v1 )
+			s$community = h$v1$community;
+		if ( h?$v2 )
+			s$community = h$v2$community;
+		}
+
+	s$duration = network_time() - s$ts;
+	return s;
+	}
+
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$snmp )
+		Log::write(LOG, c$snmp);
+	}
+
+event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_requests;
+		}
+	}
+
+event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_bulk_requests;
+		}
+	}
+
+event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_requests;
+		}
+	}
+
+event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+
+	for ( i in pdu$bindings )
+		{
+		++s$get_responses;
+
+		local binding = pdu$bindings[i];
+		if ( binding$oid == "1.3.6.1.2.1.1.1.0" && binding$value?$octets )
+			c$snmp$display_string = binding$value$octets;
+		else if ( binding$oid == "1.3.6.1.2.1.1.3.0" && binding$value?$unsigned )
+			{
+			local up_seconds = binding$value$unsigned / 100.0;
+			s$up_since = network_time() - double_to_interval(up_seconds);
+			}
+		}
+	}
+
+event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$set_requests;
+		}
+	}
+
+event snmp_trap(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_inform_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_trapV2(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_report(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_scoped_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_encrypted_pdu(c: connection, is_orig: bool, header: SNMP::Header) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
+	{
 	}

From 2dbca1ccd93da3b949e90f76a236060d0b04bdae Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:07:21 -0400
Subject: [PATCH 018/136] Add Intel::ADDR lookup to host field

IP addresses are often seen in the HTTP host field; this change checks if the value in the host field is a valid IP address and processes the Intel::seen event to check for an Intel::ADDR indicator.
---
 .../frameworks/intel/seen/http-headers.bro     | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index 2a74548023..b9393c93a6 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -8,12 +8,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 		{
 		switch ( name ) 
 			{
-			case "HOST": 
-			Intel::seen([$indicator=value,
-			             $indicator_type=Intel::DOMAIN,
-			             $conn=c,
-			             $where=HTTP::IN_HOST_HEADER]);
-			break;
+                        case "HOST":
+                                if (  is_valid_ip(value) )
+                                        Intel::seen([$host=to_addr(value),
+                                                     $conn=c,
+                                                     $where=HTTP::IN_HOST_HEADER]);
+                                else
+                                        Intel::seen([$indicator=value,
+                                                     $indicator_type=Intel::DOMAIN,
+                                                     $conn=c,
+                                                     $where=HTTP::IN_HOST_HEADER]);
+                        break;
+
 
 			case "REFERER":
 			Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),

From 85bbc391949240e80780a586f2d5957cff5eb900 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:10:38 -0400
Subject: [PATCH 019/136] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index b9393c93a6..b736946bfa 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -9,7 +9,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 		switch ( name ) 
 			{
                         case "HOST":
-                                if (  is_valid_ip(value) )
+                                if ( is_valid_ip(value) )
                                         Intel::seen([$host=to_addr(value),
                                                      $conn=c,
                                                      $where=HTTP::IN_HOST_HEADER]);

From 9083b03bd6e26d82b0a701919004cf1a62c5e9e3 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:12:09 -0400
Subject: [PATCH 020/136] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index b736946bfa..c2e2160f57 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -11,6 +11,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
                         case "HOST":
                                 if ( is_valid_ip(value) )
                                         Intel::seen([$host=to_addr(value),
+                                        	     $indicator_type=Intel::ADDR,
                                                      $conn=c,
                                                      $where=HTTP::IN_HOST_HEADER]);
                                 else

From b43c2c347b1761cfeb9dd433c574d78089392df7 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:15:57 -0400
Subject: [PATCH 021/136] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index c2e2160f57..3746ec9def 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -21,7 +21,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
                                                      $where=HTTP::IN_HOST_HEADER]);
                         break;
 
-
 			case "REFERER":
 			Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
 			             $indicator_type=Intel::URL,

From ef41cc7189cf199d8d229aa47acd58b37e6d0eb4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 16 Apr 2014 10:48:22 -0700
Subject: [PATCH 022/136] Nicer notices for heartbleed.

Duplicates are now excluded and the notice texts contain a bit more useful information.
---
 scripts/policy/protocols/ssl/heartbleed.bro | 40 +++++++++++++--------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 0049c4c51f..dc38c66f73 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -15,11 +15,9 @@ export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-		## Indicates that a host performing a heartbleed attack was successful.
+		## Indicates that a host performing a heartbleed attack was probably successful.
 		SSL_Heartbeat_Attack_Success,
-		## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
-		SSL_Heartbeat_Encrypted_Attack_Success,
-		## Indicates we saw heartbeet requests with odd length. Probably an attack.
+		## Indicates we saw heartbeat requests with odd length. Probably an attack.
 		SSL_Heartbeat_Odd_Length,
 		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
 		SSL_Heartbeat_Many_Requests
@@ -37,7 +35,8 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 			c$ssl$heartbleed_detected = T;
 			NOTICE([$note=SSL_Heartbeat_Attack,
 				$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
-				$conn=c
+				$conn=c,
+				$identifier=cat(c$uid, length, payload_length)
 				]);
 			}
 		}
@@ -45,8 +44,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 	if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
 		{
 			NOTICE([$note=SSL_Heartbeat_Attack_Success,
-				$msg="An TLS heartbleed attack was detected and probably exploited",
-				$conn=c
+				$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length),
+				$conn=c,
+				$identifier=c$uid
 				]);
 		}
 	}
@@ -60,16 +60,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
-				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+				$msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
-				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats)
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
+				]);
+
+	if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
+			NOTICE([$note=SSL_Heartbeat_Many_Requests,
+				$msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+				$conn=c,
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);
 
 	if ( is_orig && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
-				$msg="Heartbeat message smaller than minimum length. Probable attack.",
+				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length),
 				$conn=c,
-				$n=length
+				$n=length,
+				$identifier=cat(c$uid, length)
 				]);
 
 	if ( is_orig )
@@ -86,9 +96,11 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		{
 		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 			{
-			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
-				$msg="An Encrypted TLS heartbleed attack was probably detected!",
-				$conn=c
+			NOTICE([$note=SSL_Heartbeat_Attack_Success,
+				$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
+					c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size),
+				$conn=c,
+				$identifier=c$uid # only throw once per connection
 				]);
 			}
 		else if ( ! c$ssl?$last_originator_heartbeat_request_size )

From e8a5ea88446d3e648349b54e514b33651be20aa7 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 18 Apr 2014 13:19:50 -0500
Subject: [PATCH 023/136] Refactor various hex escaping code.

---
 src/Desc.cc                       | 68 +++++++++++++++++--------------
 src/Desc.h                        | 26 ++++++++----
 src/logging/writers/Ascii.cc      |  6 +--
 src/threading/formatters/Ascii.cc |  6 +--
 src/threading/formatters/JSON.cc  |  7 ++--
 src/util.cc                       | 30 +++++++++-----
 src/util.h                        | 19 ++++++++-
 7 files changed, 102 insertions(+), 60 deletions(-)

diff --git a/src/Desc.cc b/src/Desc.cc
index 62c6130f40..f636a028b5 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -216,18 +216,32 @@ void ODesc::Indent()
 		}
 	}
 
-static const char hex_chars[] = "0123456789abcdef";
-
-static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned int n)
+static bool starts_with(const char* str1, const char* str2, size_t len)
 	{
-	if ( d->IsBinary() )
+	for ( size_t i = 0; i < len; ++i )
+		if ( str1[i] != str2[i] )
+			return false;
+
+	return true;
+	}
+
+size_t ODesc::StartsWithEscapeSequence(const char* start, const char* end)
+	{
+	if ( escape_sequences.empty() )
 		return 0;
 
-	while ( n-- )
+	escape_set::const_iterator it;
+
+	for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
 		{
-		if ( ! isprint(*bytes) )
-			return bytes;
-		++bytes;
+		const string& esc_str = *it;
+		size_t esc_len = esc_str.length();
+
+		if ( start + esc_len > end )
+			continue;
+
+		if ( starts_with(start, esc_str.c_str(), esc_len) )
+			return esc_len;
 		}
 
 	return 0;
@@ -235,21 +249,23 @@ static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned
 
 pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
 	{
-	pair<const char*, size_t> p(find_first_unprintable(this, bytes, n), 1);
+	typedef pair<const char*, size_t> escape_pos;
 
-	string str(bytes, n);
-	list<string>::const_iterator it;
-	for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
+	if ( IsBinary() )
+		return escape_pos(0, 0);
+
+	for ( size_t i = 0; i < n; ++i )
 		{
-		size_t pos = str.find(*it);
-		if ( pos != string::npos && (p.first == 0 || bytes + pos < p.first) )
-			{
-			p.first = bytes + pos;
-			p.second = it->size();
-			}
+		if ( ! isprint(bytes[i]) )
+			return escape_pos(bytes + i, 1);
+
+		size_t len = StartsWithEscapeSequence(bytes + i, bytes + n);
+
+		if ( len )
+			return escape_pos(bytes + i, len);
 		}
 
-	return p;
+	return escape_pos(0, 0);
 	}
 
 void ODesc::AddBytes(const void* bytes, unsigned int n)
@@ -266,21 +282,11 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
 	while ( s < e )
 		{
 		pair<const char*, size_t> p = FirstEscapeLoc(s, e - s);
+
 		if ( p.first )
 			{
 			AddBytesRaw(s, p.first - s);
-			if ( p.second == 1 )
-				{
-				char hex[6] = "\\x00";
-				hex[2] = hex_chars[((*p.first) & 0xf0) >> 4];
-				hex[3] = hex_chars[(*p.first) & 0x0f];
-				AddBytesRaw(hex, 4);
-				}
-			else
-				{
-				string esc_str = get_escaped_string(string(p.first, p.second), true);
-				AddBytesRaw(esc_str.c_str(), esc_str.size());
-				}
+			get_escaped_string(this, p.first, p.second, true);
 			s = p.first + p.second;
 			}
 		else
diff --git a/src/Desc.h b/src/Desc.h
index 27dc326ff0..b7df7d75f7 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -4,7 +4,7 @@
 #define descriptor_h
 
 #include <stdio.h>
-#include <list>
+#include <set>
 #include <utility>
 
 #include "BroString.h"
@@ -54,16 +54,16 @@ public:
 	void SetFlush(int arg_do_flush)	{ do_flush = arg_do_flush; }
 
 	void EnableEscaping();
-	void AddEscapeSequence(const char* s) { escape_sequences.push_back(s); }
+	void AddEscapeSequence(const char* s) { escape_sequences.insert(s); }
 	void AddEscapeSequence(const char* s, size_t n)
-	    { escape_sequences.push_back(string(s, n)); }
+	    { escape_sequences.insert(string(s, n)); }
 	void AddEscapeSequence(const string & s)
-	    { escape_sequences.push_back(s); }
-	void RemoveEscapeSequence(const char* s) { escape_sequences.remove(s); }
+	    { escape_sequences.insert(s); }
+	void RemoveEscapeSequence(const char* s) { escape_sequences.erase(s); }
 	void RemoveEscapeSequence(const char* s, size_t n)
-	    { escape_sequences.remove(string(s, n)); }
+	    { escape_sequences.erase(string(s, n)); }
 	void RemoveEscapeSequence(const string & s)
-	    { escape_sequences.remove(s); }
+	    { escape_sequences.erase(s); }
 
 	void PushIndent();
 	void PopIndent();
@@ -163,6 +163,15 @@ protected:
 	 */
 	pair<const char*, size_t> FirstEscapeLoc(const char* bytes, size_t n);
 
+	/**
+	 * @param start start of string to check for starting with an espace
+	 *              sequence.
+	 * @param end one byte past the last character in the string.
+	 * @return The number of bytes in the escape sequence that the string
+	 *         starts with.
+	 */
+	size_t StartsWithEscapeSequence(const char* start, const char* end);
+
 	desc_type type;
 	desc_style style;
 
@@ -171,7 +180,8 @@ protected:
 	unsigned int size;	// size of buffer in bytes
 
 	bool escape;	// escape unprintable characters in output?
-	list<string> escape_sequences; // additional sequences of chars to escape
+	typedef set<string> escape_set;
+	escape_set escape_sequences; // additional sequences of chars to escape
 
 	BroFile* f;	// or the file we're using.
 
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index 43ffe47308..fe79089b04 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -335,10 +335,10 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields,
 	if ( strncmp(bytes, meta_prefix.data(), meta_prefix.size()) == 0 )
 		{
 		// It would so escape the first character.
-		char buf[16];
-		snprintf(buf, sizeof(buf), "\\x%02x", bytes[0]);
+		char hex[4] = {'\\', 'x', '0', '0'};
+		bytetohex(bytes[0], hex + 2);
 
-		if ( ! safe_write(fd, buf, strlen(buf)) )
+		if ( ! safe_write(fd, hex, 4) )
 			goto write_error;
 
 		++bytes;
diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index 3120549f13..6c114ff3fd 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -122,10 +122,8 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con
 			// place-holder we use for unset optional fields. We
 			// escape the first character so that the output
 			// won't be ambigious.
-			static const char hex_chars[] = "0123456789abcdef";
-			char hex[6] = "\\x00";
-			hex[2] = hex_chars[((*data) & 0xf0) >> 4];
-			hex[3] = hex_chars[(*data) & 0x0f];
+			char hex[4] = {'\\', 'x', '0', '0'};
+			bytetohex(*data, hex + 2);
 			desc->AddRaw(hex, 4);
 
 			++data;
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 17712e8d53..472023e0f8 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -160,10 +160,11 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 				// 2byte Unicode escape special characters.
 				if ( c < 32 || c > 126 || c == '\n' || c == '"' || c == '\'' || c == '\\' || c == '&' )
 					{
-					static const char hex_chars[] = "0123456789abcdef";
 					desc->AddRaw("\\u00", 4);
-					desc->AddRaw(&hex_chars[(c & 0xf0) >> 4], 1);
-					desc->AddRaw(&hex_chars[c & 0x0f], 1);
+					char hex[2] = {'0', '0'};
+					bytetohex(c, hex);
+					desc->AddRaw(hex, 1);
+					desc->AddRaw(hex + 1, 1);
 					}
 				else
 					desc->AddRaw(&c, 1);
diff --git a/src/util.cc b/src/util.cc
index 434783a340..6190067aa6 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -120,31 +120,41 @@ std::string get_unescaped_string(const std::string& arg_str)
  * Takes a string, escapes characters into equivalent hex codes (\x##), and
  * returns a string containing all escaped values.
  *
+ * @param d an ODesc object to store the escaped hex version of the string,
+ *          if null one will be allocated and returned from the function.
  * @param str string to escape
  * @param escape_all If true, all characters are escaped. If false, only
  * characters are escaped that are either whitespace or not printable in
  * ASCII.
- * @return A std::string containing a list of escaped hex values of the form
- * \x## */
-std::string get_escaped_string(const std::string& str, bool escape_all)
+ * @return A ODesc object containing a list of escaped hex values of the form
+ *         \x##, which may be newly allocated if \a d was a null pointer. */
+ODesc* get_escaped_string(ODesc* d, const char* str, size_t len,
+                          bool escape_all)
 	{
-	char tbuf[16];
-	string esc = "";
+	if ( ! d )
+		d = new ODesc();
 
-	for ( size_t i = 0; i < str.length(); ++i )
+	for ( size_t i = 0; i < len; ++i )
 		{
 		char c = str[i];
 
 		if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
 			{
-			snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
-			esc += tbuf;
+			char hex[4] = {'\\', 'x', '0', '0' };
+			bytetohex(c, hex + 2);
+			d->AddRaw(hex, 4);
 			}
 		else
-			esc += c;
+			d->AddRaw(&c, 1);
 		}
 
-	return esc;
+	return d;
+	}
+
+std::string get_escaped_string(const char* str, size_t len, bool escape_all)
+	{
+	ODesc d;
+	return get_escaped_string(&d, str, len, escape_all)->Description();
 	}
 
 char* copy_string(const char* s)
diff --git a/src/util.h b/src/util.h
index aebc8bbc43..c6b657b7a8 100644
--- a/src/util.h
+++ b/src/util.h
@@ -102,8 +102,25 @@ void delete_each(T* t)
 std::string extract_ip(const std::string& i);
 std::string extract_ip_and_len(const std::string& i, int* len);
 
+inline void bytetohex(unsigned char byte, char* hex_out)
+	{
+	static const char hex_chars[] = "0123456789abcdef";
+	hex_out[0] = hex_chars[(byte & 0xf0) >> 4];
+	hex_out[1] = hex_chars[byte & 0x0f];
+	}
+
 std::string get_unescaped_string(const std::string& str);
-std::string get_escaped_string(const std::string& str, bool escape_all);
+
+class ODesc;
+
+ODesc* get_escaped_string(ODesc* d, const char* str, size_t len,
+                          bool escape_all);
+std::string get_escaped_string(const char* str, size_t len, bool escape_all);
+
+inline std::string get_escaped_string(const std::string& str, bool escape_all)
+	{
+	return get_escaped_string(str.data(), str.length(), escape_all);
+	}
 
 std::vector<std::string>* tokenize_string(std::string input,
 					  const std::string& delim,

From bc5c02cb745189c6672b88fde48b3fff338a1c5c Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 18 Apr 2014 16:35:43 -0500
Subject: [PATCH 024/136] Refactor file analysis file ID lookup.

Now using a dictionary instead of std::map as order doesn't matter and
lookup time shouldn't increase as more files are in process of being
analyzed.
---
 src/file_analysis/Manager.cc | 44 ++++++++++++++++++------------------
 src/file_analysis/Manager.h  | 14 +++++++-----
 2 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 5ff7bd7186..3f04ebfc2b 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -54,8 +54,11 @@ void Manager::Terminate()
 	{
 	vector<string> keys;
 
-	for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it )
-		keys.push_back(it->first);
+	IterCookie* it = id_map.InitForIteration();
+	HashKey* key;
+
+	while ( id_map.NextEntry(key, it) )
+		keys.push_back(static_cast<const char*>(key->Key()));
 
 	for ( size_t i = 0; i < keys.size(); ++i )
 		Timeout(keys[i], true);
@@ -249,11 +252,12 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
 	if ( IsIgnored(file_id) )
 		return 0;
 
-	File* rval = id_map[file_id];
+	File* rval = id_map.Lookup(file_id.c_str());
 
 	if ( ! rval )
 		{
-		rval = id_map[file_id] = new File(file_id, conn, tag, is_orig);
+		rval = new File(file_id, conn, tag, is_orig);
+		id_map.Insert(file_id.c_str(), rval);
 		rval->ScheduleInactivityTimer();
 
 		if ( IsIgnored(file_id) )
@@ -272,12 +276,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
 
 File* Manager::LookupFile(const string& file_id) const
 	{
-	IDMap::const_iterator it = id_map.find(file_id);
-
-	if ( it == id_map.end() )
-		return 0;
-
-	return it->second;
+	return id_map.Lookup(file_id.c_str());
 	}
 
 void Manager::Timeout(const string& file_id, bool is_terminating)
@@ -308,37 +307,38 @@ void Manager::Timeout(const string& file_id, bool is_terminating)
 
 bool Manager::IgnoreFile(const string& file_id)
 	{
-	if ( id_map.find(file_id) == id_map.end() )
+	if ( ! id_map.Lookup(file_id.c_str()) )
 		return false;
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str());
 
-	ignored.insert(file_id);
-
+	delete ignored.Insert(file_id.c_str(), new bool);
 	return true;
 	}
 
 bool Manager::RemoveFile(const string& file_id)
 	{
-	IDMap::iterator it = id_map.find(file_id);
+	HashKey key(file_id.c_str());
+	// Can't remove from the dictionary/map right away as invoking EndOfFile
+	// may cause some events to be executed which actually depend on the file
+	// still being in the dictionary/map.
+	File* f = static_cast<File*>(id_map.Lookup(&key));
 
-	if ( it == id_map.end() )
+	if ( ! f )
 		return false;
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", file_id.c_str());
 
-	it->second->EndOfFile();
-
-	delete it->second;
-	id_map.erase(file_id);
-	ignored.erase(file_id);
-
+	f->EndOfFile();
+	delete f;
+	id_map.Remove(&key);
+	delete static_cast<bool*>(ignored.Remove(&key));
 	return true;
 	}
 
 bool Manager::IsIgnored(const string& file_id)
 	{
-	return ignored.find(file_id) != ignored.end();
+	return ignored.Lookup(file_id.c_str()) != 0;
 	}
 
 string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index bb6aaab971..2137e81389 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -4,10 +4,9 @@
 #define FILE_ANALYSIS_MANAGER_H
 
 #include <string>
-#include <map>
-#include <set>
 #include <queue>
 
+#include "Dict.h"
 #include "Net.h"
 #include "Conn.h"
 #include "Val.h"
@@ -27,6 +26,9 @@
 
 namespace file_analysis {
 
+declare(PDict,bool);
+declare(PDict,File);
+
 /**
  * Main entry point for interacting with file analysis.
  */
@@ -288,8 +290,8 @@ public:
 protected:
 	friend class FileTimer;
 
-	typedef set<string> IDSet;
-	typedef map<string, File*> IDMap;
+	typedef PDict(bool) IDSet;
+	typedef PDict(File) IDMap;
 
 	/**
 	 * Create a new file to be analyzed or retrieve an existing one.
@@ -361,8 +363,8 @@ protected:
 
 private:
 
-	IDMap id_map;	/**< Map file ID to file_analysis::File records. */
-	IDSet ignored;	/**< Ignored files.  Will be finally removed on EOF. */
+	PDict(File) id_map;  /**< Map file ID to file_analysis::File records. */
+	PDict(bool) ignored; /**< Ignored files.  Will be finally removed on EOF. */
 	string current_file_id;	/**< Hash of what get_file_handle event sets. */
 	RuleFileMagicState* magic_state;	/**< File magic signature match state. */
 

From b283883997c4ea6e1213768fb3112686a1d19b0f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 18 Apr 2014 16:29:51 -0700
Subject: [PATCH 025/136] define empty request_key method for sumstats in
 cluster mode.

This prevents the worker nodes from crashing, when request_key is used
in cluster mode and called on the worker and the manager nodes (i.e. when
a non-cluster-aware script is used).

Addresses BIT-1177
---
 scripts/base/frameworks/sumstats/cluster.bro  | 28 +++++++----
 .../frameworks/sumstats/on-demand-cluster.bro | 47 +++++++------------
 2 files changed, 35 insertions(+), 40 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index 67c59a8728..b609abf472 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -28,10 +28,6 @@ export {
 	## values for a sumstat.
 	global cluster_ss_request: event(uid: string, ss_name: string, cleanup: bool);
 
-	# Event sent by nodes that are collecting sumstats after receiving a
-	# request for the sumstat from the manager.
-	#global cluster_ss_response: event(uid: string, ss_name: string, data: ResultTable, done: bool, cleanup: bool);
-
 	## This event is sent by the manager in a cluster to initiate the
 	## collection of a single key value from a sumstat.  It's typically used
 	## to get intermediate updates before the break interval triggers to
@@ -144,7 +140,7 @@ event SumStats::cluster_ss_request(uid: string, ss_name: string, cleanup: bool)
 	sending_results[uid] = (ss_name in result_store) ? result_store[ss_name] : table();
 
 	# Lookup the actual sumstats and reset it, the reference to the data
-	# currently stored will be maintained internally from the 
+	# currently stored will be maintained internally from the
 	# sending_results table.
 	if ( cleanup && ss_name in stats_store )
 		reset(stats_store[ss_name]);
@@ -159,7 +155,7 @@ event SumStats::cluster_get_result(uid: string, ss_name: string, key: Key, clean
 		if ( uid in sending_results && key in sending_results[uid] )
 			{
 			# Note: copy is needed to compensate serialization caching issue. This should be
-			# changed to something else later. 
+			# changed to something else later.
 			event SumStats::cluster_send_result(uid, ss_name, key, copy(sending_results[uid][key]), cleanup);
 			delete sending_results[uid][key];
 			}
@@ -170,12 +166,12 @@ event SumStats::cluster_get_result(uid: string, ss_name: string, key: Key, clean
 			event SumStats::cluster_send_result(uid, ss_name, key, table(), cleanup);
 			}
 		}
-	else 
+	else
 		{
 		if ( ss_name in result_store && key in result_store[ss_name] )
 			{
 			# Note: copy is needed to compensate serialization caching issue. This should be
-			# changed to something else later. 
+			# changed to something else later.
 			event SumStats::cluster_send_result(uid, ss_name, key, copy(result_store[ss_name][key]), cleanup);
 			}
 		else
@@ -195,6 +191,19 @@ event SumStats::cluster_threshold_crossed(ss_name: string, key: SumStats::Key, t
 	threshold_tracker[ss_name][key] = thold_index;
 	}
 
+# request-key is a non-op on the workers.
+# It only should be called by the manager. Due to the fact that we usually run the same scripts on the
+# workers and the manager, it might also be called by the workers, so we just ignore it here.
+#
+# There is a small chance that people will try running it on events that are just thrown on the workers.
+# This does not work at the moment and we cannot throw an error message, because we cannot distinguish it
+# from the "script is running it everywhere" case. But - people should notice that they do not get results.
+# Not entirely pretty, sorry :(
+function request_key(ss_name: string, key: Key): Result
+	{
+	return Result();
+	}
+
 @endif
 
 
@@ -215,7 +224,6 @@ global stats_keys: table[string] of set[Key] &read_expire=1min
 # matches the number of peer nodes that results should be coming from, the
 # result is written out and deleted from here.
 # Indexed on a uid.
-# TODO: add an &expire_func in case not all results are received.
 global done_with: table[string] of count &read_expire=1min &default=0;
 
 # This variable is maintained by managers to track intermediate responses as
@@ -414,7 +422,7 @@ event SumStats::cluster_send_result(uid: string, ss_name: string, key: Key, resu
 	# Mark that a worker is done.
 	if ( uid !in done_with )
 		done_with[uid] = 0;
-	
+
 	#print fmt("MANAGER: got a result for %s %s from %s", uid, key, get_event_peer()$descr);
 	++done_with[uid];
 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
index 48068d8cfe..4e3e765500 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
@@ -7,6 +7,7 @@
 # @TEST-EXEC: btest-bg-wait 15
 
 # @TEST-EXEC: btest-diff manager-1/.stdout
+#
 
 @TEST-START-FILE cluster-layout.bro
 redef Cluster::nodes = {
@@ -36,6 +37,20 @@ event remote_connection_closed(p: event_peer)
 global ready_for_data: event();
 redef Cluster::manager2worker_events += /^ready_for_data$/;
 
+event on_demand()
+	{
+	local host = 7.2.1.5;
+	when ( local result = SumStats::request_key("test sumstat", [$host=host]) )
+		{
+		print "SumStat key request";
+		if ( "test" in result )
+			print fmt("    Host: %s -> %.0f", host, result["test"]$sum);
+
+		if ( Cluster::node == "manager-1" )
+		  terminate();
+		}
+	}
+
 event ready_for_data()
 	{
 	if ( Cluster::node == "worker-1" )
@@ -52,33 +67,8 @@ event ready_for_data()
 		SumStats::observe("test", [$host=7.2.1.5], [$num=91]);
 		SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
 		}
-	}
 
-
-event on_demand2()
-	{
-	local host = 7.2.1.5;
-	when ( local result = SumStats::request_key("test sumstat", [$host=host]) )
-		{
-		print "SumStat key request";
-		if ( "test" in result )
-			print fmt("    Host: %s -> %.0f", host, result["test"]$sum);
-		terminate();
-		}
-	}
-
-event on_demand()
-	{
-	#when ( local results = SumStats::request("test sumstat") )
-	#	{
-	#	print "Complete SumStat request";
-	#	print fmt("    Host: %s -> %.0f", 6.5.4.3, results[[$host=6.5.4.3]]["test"]$sum);
-	#	print fmt("    Host: %s -> %.0f", 10.10.10.10, results[[$host=10.10.10.10]]["test"]$sum);
-	#	print fmt("    Host: %s -> %.0f", 1.2.3.4, results[[$host=1.2.3.4]]["test"]$sum);
-	#	print fmt("    Host: %s -> %.0f", 7.2.1.5, results[[$host=7.2.1.5]]["test"]$sum);
-
-		event on_demand2();
-	#	}
+	schedule 1sec { on_demand() };
 	}
 
 global peer_count = 0;
@@ -87,10 +77,7 @@ event remote_connection_handshake_done(p: event_peer) &priority=-5
 	++peer_count;
 	if ( peer_count == 2 )
 		{
-		if ( Cluster::local_node_type() == Cluster::MANAGER )
-			event ready_for_data();
-
-		schedule 1sec { on_demand() };
+		event ready_for_data();
 		}
 	}
 

From 594975c93d88d3a176fd5ab967cf2d35a883747f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 21 Apr 2014 11:23:12 -0700
Subject: [PATCH 026/136] Make SSL/TLS version detection less brittle.

This still cannot deal with v2 hellos that use the long length.
On the other hand - OpenSSL also cannot deal with these and we should
not see many sslv2 connections in any case - so... they probably
would not work in practice in any case.
---
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 13 +++-
 src/analyzer/protocol/ssl/ssl-protocol.pac | 84 +++++++++++++++-------
 2 files changed, 68 insertions(+), 29 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 997faf0436..b6422584e3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -293,6 +293,14 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_check_v2_server_hello_version(version: uint16) : bool
+		%{
+		if ( version != SSLv20 )
+			bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL server hello. Version: %d", version));
+
+		return true;
+		%}
+
 };
 
 #refine typeattr ChangeCipherSpec += &let {
@@ -337,6 +345,8 @@ refine typeattr V2ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
 				conn_id_data, 0, 0, ciphers, 0);
 
+	check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);
+
 	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
 		&requires(proc);
 };
@@ -346,8 +356,7 @@ refine typeattr Certificate += &let {
 };
 
 refine typeattr V2ClientMasterKey += &let {
-	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind)
-		&requires(state_changed);
+	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind);
 };
 
 refine typeattr UnknownHandshake += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f72f34e9cc..d32d926f65 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -36,16 +36,14 @@ type SSLRecord(is_orig: bool) = record {
 } &length = length+5, &byteorder=bigendian,
 	&let {
 	version : int =
-		$context.connection.determine_ssl_version(head0, head1, head2);
+		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4);
 
 	content_type : int = case version of {
-		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> head2+300;
 		default -> head0;
 	};
 
 	length : int = case version of {
-		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
 	};
@@ -277,11 +275,6 @@ type CertificateList = X509Certificate[] &until($input.length() == 0);
 type Certificate(rec: SSLRecord) = record {
 	length : uint24;
 	certificates : CertificateList &length = to_int()(length);
-} &let {
-	state_changed_client : bool =
-		$context.connection.startEncryption(true);
-	state_changed_server : bool =
-		$context.connection.startEncryption(false);
 };
 
 
@@ -345,6 +338,9 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 	key_arg_data : bytestring &length = key_arg_len &transient;
 } &length = 7 + cl_key_len + en_key_len + key_arg_len, &let {
 	cipher_kind : int = (((rec.head3 << 16) | (rec.head4 << 8)) | cipher_kind_8);
+	# encryption starts for both sides after this message.
+	state_changed_client : bool = $context.connection.startEncryption(true);
+	state_changed_server : bool = $context.connection.startEncryption(false);
 };
 
 
@@ -435,41 +431,75 @@ refine connection SSL_Conn += {
 	%member{
 		int client_state_;
 		int server_state_;
-		int old_state_;
-		bool hello_requested_;
+		int record_layer_version_;
 	%}
 
 	%init{
 		server_state_ = STATE_CLEAR;
 		client_state_ = STATE_CLEAR;
+		record_layer_version_ = UNKNOWN_VERSION;
 	%}
 
-	function determine_ssl_version(head0 : uint8, head1 : uint8,
-					head2 : uint8) : int
+	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
+					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{
-		if ( head0 >= 20 && head0 <= 23 &&
-				 head1 == 0x03 && head2 <= 0x03 )
-			// This is most probably SSL version 3.
-			return (head1 << 8) | head2;
+		if ( record_layer_version_ != UNKNOWN_VERSION )
+			return record_layer_version_;
 
-		else if ( head0 >= 128 && head2 < 5 && head2 != 3 )
-			// Not very strong evidence, but we suspect
-			// this to be SSLv2.
-			return SSLv20;
+		if ( head0 & 0x80 )
+			{
+			if ( head2 == 0x01 ) // SSLv2 client hello.
+				{
+				uint16 version = (head3<<8) | head4;
+				if ( version != SSLv20 && version != SSLv30 && version != TLSv10
+					&& version != TLSv11 && version != TLSv12 )
+					{
+					bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL client hello. Version: %d", version));
+					return UNKNOWN_VERSION;
+					}
+				else
+					return SSLv20;
+				}
 
-		else
+			else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2.
+				{
+				record_layer_version_ = SSLv20;
+				return SSLv20;
+				}
+			else // this is not SSL or TLS.
+				{
+				bro_analyzer()->ProtocolViolation(fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
+				return UNKNOWN_VERSION;
+				}
+			}
+
+		uint16 version = (head1<<8) | head2;
+		if ( version != SSLv30 && version != TLSv10
+		  && version != TLSv11 && version != TLSv12 )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("Invalid version in TLS connection. Version: %d", version));
 			return UNKNOWN_VERSION;
+			}
+
+		if ( head0 >=20 && head0 <= 30 )
+			{ // ok, set record layer version, this never can be downgraded to v2
+			record_layer_version_ = version;
+			return version;
+			}
+
+		bro_analyzer()->ProtocolViolation(fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
+		return UNKNOWN_VERSION;
 		%}
 
 	function client_state() : int %{ return client_state_; %}
 	function server_state() : int %{ return client_state_; %}
 	function state(is_orig: bool) : int
-	%{
-	if ( is_orig )
-		return client_state_;
-	else
-		return server_state_;
-	%}
+		%{
+		if ( is_orig )
+			return client_state_;
+		else
+			return server_state_;
+		%}
 
 	function startEncryption(is_orig: bool) : bool
 		%{

From 8126f06ffb3402d380a80774a11f7df4b3f1b774 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 21 Apr 2014 16:43:33 -0500
Subject: [PATCH 027/136] Enforce data size limit when checking files for MIME
 matches.

The value of *bof_buffer_size* in the *fa_file* record was supposed to
always limit the amount of data used by the signature matching engine,
but some corner cases would cause matching to be performed on data
beyond that.
---
 src/file_analysis/File.cc                                 | 1 +
 .../doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1     | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index e8a7ea15ee..2772b55418 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -283,6 +283,7 @@ bool File::BufferBOF(const u_char* data, uint64 len)
 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
 	RuleMatcher::MIME_Matches matches;
+	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
 
 	if ( matches.empty() )
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 3cd6a49e11..3d6b9dffad 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,15 +16,15 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-03-06-17-30-44
+      #open	2014-04-21-21-34-08
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
-      1389719059.311698	300.000000	text/html	1	4	53070
+      1389719059.311698	300.000000	text/html	1	3	47335
       1389719059.311698	300.000000	image/jpeg	1	1	186859
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	text/plain	1	12	113982
+      1389719059.311698	300.000000	text/plain	1	13	119717
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-03-06-17-30-44
+      #close	2014-04-21-21-34-08
 

From 171c6ce86bfc53bed837458d946f9cd097f4c463 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 21 Apr 2014 16:55:51 -0500
Subject: [PATCH 028/136] Refactor regex/signature AcceptingSet data structure
 and usages.

Several parts of that code would do membership checks and that's going
to be more efficient with a set instead of a list data structure.
---
 src/DFA.cc         |  28 +++-------
 src/RE.cc          |  42 +++++++--------
 src/RE.h           |  20 ++++---
 src/RuleMatcher.cc | 130 +++++++++++++++++++--------------------------
 src/RuleMatcher.h  |   3 ++
 5 files changed, 99 insertions(+), 124 deletions(-)

diff --git a/src/DFA.cc b/src/DFA.cc
index ad9521709e..dbfed71ba3 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -211,9 +211,10 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 
 	if ( accept )
 		{
-		for ( int i = 0; i < accept->length(); ++i )
-			fprintf(f, "%s accept #%d",
-				i > 0 ? "," : "", int((*accept)[i]));
+		AcceptingSet::const_iterator it;
+
+		for ( it = accept->begin(); it != accept->end(); ++it )
+			fprintf(f, "%s accept #%d", it == accept->begin() ? "" : ",", *it);
 		}
 
 	fprintf(f, "\n");
@@ -285,7 +286,7 @@ unsigned int DFA_State::Size()
 	{
 	return sizeof(*this)
 		+ pad_size(sizeof(DFA_State*) * num_sym)
-		+ (accept ? pad_size(sizeof(int) * accept->length()) : 0)
+		+ (accept ? pad_size(sizeof(int) * accept->size()) : 0)
 		+ (nfa_states ? pad_size(sizeof(NFA_State*) * nfa_states->length()) : 0)
 		+ (meta_ec ? meta_ec->Size() : 0)
 		+ (centry ? padded_sizeof(CacheEntry) : 0);
@@ -470,33 +471,20 @@ int DFA_Machine::StateSetToDFA_State(NFA_state_list* state_set,
 		return 0;
 
 	AcceptingSet* accept = new AcceptingSet;
+
 	for ( int i = 0; i < state_set->length(); ++i )
 		{
 		int acc = (*state_set)[i]->Accept();
 
 		if ( acc != NO_ACCEPT )
-			{
-			int j;
-			for ( j = 0; j < accept->length(); ++j )
-				if ( (*accept)[j] == acc )
-					break;
-
-			if ( j >= accept->length() )
-				// It's not already present.
-				accept->append(acc);
-			}
+			accept->insert(acc);
 		}
 
-	if ( accept->length() == 0 )
+	if ( accept->empty() )
 		{
 		delete accept;
 		accept = 0;
 		}
-	else
-		{
-		accept->sort(int_list_cmp);
-		accept->resize(0);
-		}
 
 	DFA_State* ds = new DFA_State(state_count++, ec, state_set, accept);
 	d = dfa_state_cache->Insert(ds, hash);
diff --git a/src/RE.cc b/src/RE.cc
index 87117c1c3a..4855b0e39a 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -3,6 +3,7 @@
 #include "config.h"
 
 #include <stdlib.h>
+#include <utility>
 
 #include "RE.h"
 #include "DFA.h"
@@ -266,6 +267,15 @@ void Specific_RE_Matcher::Dump(FILE* f)
 	dfa->Dump(f);
 	}
 
+inline void RE_Match_State::AddMatches(const AcceptingSet& as,
+                                       MatchPos position)
+	{
+	typedef std::pair<AcceptIdx, MatchPos> am_idx;
+
+	for ( AcceptingSet::const_iterator it = as.begin(); it != as.end(); ++it )
+		accepted_matches.insert(am_idx(*it, position));
+	}
+
 bool RE_Match_State::Match(const u_char* bv, int n,
 				bool bol, bool eol, bool clear)
 	{
@@ -283,14 +293,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		current_state = dfa->StartState();
 
 		const AcceptingSet* ac = current_state->Accept();
+
 		if ( ac )
-			{
-			loop_over_list(*ac, i)
-				{
-				accepted.append((*ac)[i]);
-				match_pos.append(0);
-				}
-			}
+			AddMatches(*ac, 0);
 		}
 
 	else if ( clear )
@@ -301,7 +306,7 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 
 	current_pos = 0;
 
-	int old_matches = accepted.length();
+	size_t old_matches = accepted_matches.size();
 
 	int ec;
 	int m = bol ? n + 1 : n;
@@ -324,25 +329,17 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 			break;
 			}
 
-		if ( next_state->Accept() )
-			{
-			const AcceptingSet* ac = next_state->Accept();
-			loop_over_list(*ac, i)
-				{
-				if ( ! accepted.is_member((*ac)[i]) )
-					{
-					accepted.append((*ac)[i]);
-					match_pos.append(current_pos);
-					}
-				}
-			}
+		const AcceptingSet* ac = next_state->Accept();
+
+		if ( ac )
+			AddMatches(*ac, current_pos);
 
 		++current_pos;
 
 		current_state = next_state;
 		}
 
-	return accepted.length() != old_matches;
+	return accepted_matches.size() != old_matches;
 	}
 
 int Specific_RE_Matcher::LongestMatch(const u_char* bv, int n)
@@ -399,7 +396,8 @@ unsigned int Specific_RE_Matcher::MemoryAllocation() const
 		+ equiv_class.Size() - padded_sizeof(EquivClass)
 		+ (dfa ? dfa->MemoryAllocation() : 0) // this is ref counted; consider the bytes here?
 		+ padded_sizeof(*any_ccl)
-		+ accepted->MemoryAllocation();
+		+ padded_sizeof(*accepted)
+		+ accepted->size() * padded_sizeof(AcceptingSet::key_type);
 	}
 
 RE_Matcher::RE_Matcher()
diff --git a/src/RE.h b/src/RE.h
index a2fc709c88..7437dbb8b8 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -9,6 +9,9 @@
 #include "CCL.h"
 #include "EquivClass.h"
 
+#include <set>
+#include <map>
+
 #include <ctype.h>
 typedef int (*cce_func)(int);
 
@@ -33,7 +36,10 @@ extern int re_lex(void);
 extern int clower(int);
 extern void synerr(const char str[]);
 
-typedef int_list AcceptingSet;
+typedef int AcceptIdx;
+typedef std::set<AcceptIdx> AcceptingSet;
+typedef uint64 MatchPos;
+typedef std::map<AcceptIdx, MatchPos> AcceptingMatchSet;
 typedef name_list string_list;
 
 typedef enum { MATCH_ANYWHERE, MATCH_EXACTLY, } match_type;
@@ -135,8 +141,8 @@ public:
 		current_state = 0;
 		}
 
-	const AcceptingSet* Accepted() const	{ return &accepted; }
-	const int_list* MatchPositions() const	{ return &match_pos; }
+	const AcceptingMatchSet& AcceptedMatches() const
+		{ return accepted_matches; }
 
 	// Returns the number of bytes feeded into the matcher so far
 	int Length()	{ return current_pos; }
@@ -149,16 +155,16 @@ public:
 		{
 		current_pos = -1;
 		current_state = 0;
-		accepted.clear();
-		match_pos.clear();
+		accepted_matches.clear();
 		}
 
+	void AddMatches(const AcceptingSet& as, MatchPos position);
+
 protected:
 	DFA_Machine* dfa;
 	int* ecs;
 
-	AcceptingSet accepted;
-	int_list match_pos;
+	AcceptingMatchSet accepted_matches;
 	DFA_State* current_state;
 	int current_pos;
 };
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 5e9dff0a1f..5cea843c8d 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -594,6 +594,29 @@ RuleFileMagicState* RuleMatcher::InitFileMagic() const
 	return state;
 	}
 
+bool RuleMatcher::AllRulePatternsMatched(const Rule* r, MatchPos matchpos,
+                                         const AcceptingMatchSet& ams)
+	{
+	DBG_LOG(DBG_RULES, "Checking rule: %s", r->id);
+
+	// Check whether all patterns of the rule have matched.
+	loop_over_list(r->patterns, j)
+		{
+		if ( ams.find(r->patterns[j]->id) == ams.end() )
+			return false;
+
+		// See if depth is satisfied.
+		if ( matchpos > r->patterns[j]->offset + r->patterns[j]->depth )
+			return false;
+
+		// FIXME: How to check for offset ??? ###
+		}
+
+	DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
+
+	return true;
+	}
+
 RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
                                               const u_char* data, uint64 len,
                                               MIME_Matches* rval) const
@@ -636,56 +659,39 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 
 	DBG_LOG(DBG_RULES, "New pattern match found");
 
-	AcceptingSet accepted;
-	int_list matchpos;
+	AcceptingMatchSet accepted_matches;
 
 	loop_over_list(state->matchers, y)
 		{
 		RuleFileMagicState::Matcher* m = state->matchers[y];
-		const AcceptingSet* ac = m->state->Accepted();
-
-		loop_over_list(*ac, k)
-			{
-			if ( ! accepted.is_member((*ac)[k]) )
-				{
-				accepted.append((*ac)[k]);
-				matchpos.append((*m->state->MatchPositions())[k]);
-				}
-			}
+		const AcceptingMatchSet& ams = m->state->AcceptedMatches();
+		accepted_matches.insert(ams.begin(), ams.end());
 		}
 
 	// Find rules for which patterns have matched.
-	rule_list matched;
+	set<Rule*> rule_matches;
 
-	loop_over_list(accepted, i)
+	for ( AcceptingMatchSet::const_iterator it = accepted_matches.begin();
+	      it != accepted_matches.end(); ++it )
 		{
-		Rule* r = Rule::rule_table[accepted[i] - 1];
+		AcceptIdx aidx = it->first;
+		MatchPos mpos = it->second;
 
-		DBG_LOG(DBG_RULES, "Checking rule: %v", r->id);
+		Rule* r = Rule::rule_table[aidx - 1];
 
-		loop_over_list(r->patterns, j)
-			{
-			if ( ! accepted.is_member(r->patterns[j]->id) )
-				continue;
-
-			if ( (unsigned int) matchpos[i] >
-			     r->patterns[j]->offset + r->patterns[j]->depth )
-				continue;
-
-			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
-			}
-
-		if ( ! matched.is_member(r) )
-			matched.append(r);
+		if ( AllRulePatternsMatched(r, mpos, accepted_matches) )
+			rule_matches.insert(r);
 		}
 
-	loop_over_list(matched, j)
+	for ( set<Rule*>::const_iterator it = rule_matches.begin();
+	      it != rule_matches.end(); ++it )
 		{
-		Rule* r = matched[j];
+		Rule* r = *it;
 
 		loop_over_list(r->actions, rai)
 			{
-			const RuleActionMIME* ram = dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
+			const RuleActionMIME* ram =
+			       dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
 
 			if ( ! ram )
 				continue;
@@ -876,66 +882,40 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 
 	DBG_LOG(DBG_RULES, "New pattern match found");
 
-	// Build a joined AcceptingSet.
-	AcceptingSet accepted;
-	int_list matchpos;
+	AcceptingMatchSet accepted_matches;
 
-	loop_over_list(state->matchers, y)
+	loop_over_list(state->matchers, y )
 		{
 		RuleEndpointState::Matcher* m = state->matchers[y];
-		const AcceptingSet* ac = m->state->Accepted();
-
-		loop_over_list(*ac, k)
-			{
-			if ( ! accepted.is_member((*ac)[k]) )
-				{
-				accepted.append((*ac)[k]);
-				matchpos.append((*m->state->MatchPositions())[k]);
-				}
-			}
+		const AcceptingMatchSet& ams = m->state->AcceptedMatches();
+		accepted_matches.insert(ams.begin(), ams.end());
 		}
 
 	// Determine the rules for which all patterns have matched.
 	// This code should be fast enough as long as there are only very few
 	// matched patterns per connection (which is a plausible assumption).
 
-	rule_list matched;
+	// Find rules for which patterns have matched.
+	set<Rule*> rule_matches;
 
-	loop_over_list(accepted, i)
+	for ( AcceptingMatchSet::const_iterator it = accepted_matches.begin();
+	      it != accepted_matches.end(); ++it )
 		{
-		Rule* r = Rule::rule_table[accepted[i] - 1];
+		AcceptIdx aidx = it->first;
+		MatchPos mpos = it->second;
 
-		DBG_LOG(DBG_RULES, "Checking rule: %s", r->id);
+		Rule* r = Rule::rule_table[aidx - 1];
 
-		// Check whether all patterns of the rule have matched.
-		loop_over_list(r->patterns, j)
-			{
-			if ( ! accepted.is_member(r->patterns[j]->id) )
-				goto next_pattern;
-
-			// See if depth is satisfied.
-			if ( (unsigned int) matchpos[i] >
-			     r->patterns[j]->offset + r->patterns[j]->depth )
-				goto next_pattern;
-
-			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
-
-			// FIXME: How to check for offset ??? ###
-			}
-
-		// If not already in the list of matching rules, add it.
-		if ( ! matched.is_member(r) )
-			matched.append(r);
-
-next_pattern:
-		continue;
+		if ( AllRulePatternsMatched(r, mpos, accepted_matches) )
+			rule_matches.insert(r);
 		}
 
 	// Check which of the matching rules really belong to any of our nodes.
 
-	loop_over_list(matched, j)
+	for ( set<Rule*>::const_iterator it = rule_matches.begin();
+	      it != rule_matches.end(); ++it )
 		{
-		Rule* r = matched[j];
+		Rule* r = *it;
 
 		DBG_LOG(DBG_RULES, "Accepted rule: %s", r->id);
 
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 52e00f6bad..da2838cb6d 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -361,6 +361,9 @@ private:
 
 	void DumpStateStats(BroFile* f, RuleHdrTest* hdr_test);
 
+	static bool AllRulePatternsMatched(const Rule* r, MatchPos matchpos,
+	                                   const AcceptingMatchSet& ams);
+
 	int RE_level;
 	bool parse_error;
 	RuleHdrTest* root;

From e24f3f5fd514832ecb26c9b606b9dbfed56792f2 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 22 Apr 2014 16:32:22 -0700
Subject: [PATCH 029/136] Updating CHANGES and VERSION.

---
 CHANGES                             | 4 ++++
 aux/broctl                          | 2 +-
 scripts/base/protocols/dns/main.bro | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d91a2e4700..aad47320de 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-341 | 2014-04-17 18:01:41 -0500
+
+  * Fix duplicate DNS log entries. (Robin Sommer)
+
 2.2-341 | 2014-04-17 18:01:01 -0500
 
   * Refactor initialization of ASCII log writer options. (Jon Siwek)
diff --git a/aux/broctl b/aux/broctl
index d99150801b..f249570e3f 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit d99150801b7844e082b5421d1efe4050702d350e
+Subproject commit f249570e3fb4c83e532cc0813786f0ff60c4dea9
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index fe371de2a8..d7280602e6 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -183,7 +183,7 @@ function log_unmatched_msgs(msgs: PendingMessages)
 	for ( trans_id in msgs )
 		log_unmatched_msgs_queue(msgs[trans_id]);
 
-	msgs = PendingMessages();
+	clear_table(msgs);
 	}
 
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)

From b9e956176e83cbc28ff785fb598c980e6e26c8ff Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 22 Apr 2014 21:35:30 -0700
Subject: [PATCH 030/136] Updating submodule(s).

 [nomail]
---
 aux/bro-aux | 2 +-
 aux/broctl  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/bro-aux b/aux/bro-aux
index 3f86e2d5db..5c0043d587 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 3f86e2d5db2a0c5f2f104b15f359f4b752bb4558
+Subproject commit 5c0043d587314c57070e5362762e3e0f6408c2be
diff --git a/aux/broctl b/aux/broctl
index f249570e3f..d99150801b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f249570e3fb4c83e532cc0813786f0ff60c4dea9
+Subproject commit d99150801b7844e082b5421d1efe4050702d350e

From 782615e9ddea93c5ea46d21f7001e48fa7e8ef00 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 10:44:47 -0500
Subject: [PATCH 031/136] Remove unused Val::attribs member.

---
 src/Serializer.h |  2 +-
 src/Val.cc       |  7 -------
 src/Val.h        | 13 -------------
 3 files changed, 1 insertion(+), 21 deletions(-)

diff --git a/src/Serializer.h b/src/Serializer.h
index af4878ccf5..543797a7af 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -125,7 +125,7 @@ protected:
 
 	// This will be increased whenever there is an incompatible change
 	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 24;
+	static const uint32 DATA_FORMAT_VERSION = 25;
 
 	ChunkedIO* io;
 
diff --git a/src/Val.cc b/src/Val.cc
index aa9c888d49..2d75680182 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -32,7 +32,6 @@ Val::Val(Func* f)
 	val.func_val = f;
 	::Ref(val.func_val);
 	type = f->FType()->Ref();
-	attribs = 0;
 #ifdef DEBUG
 	bound_id = 0;
 #endif
@@ -49,7 +48,6 @@ Val::Val(BroFile* f)
 	assert(f->FType()->Tag() == TYPE_STRING);
 	type = string_file_type->Ref();
 
-	attribs = 0;
 #ifdef DEBUG
 	bound_id = 0;
 #endif
@@ -190,8 +188,6 @@ bool Val::DoSerialize(SerialInfo* info) const
 	if ( ! type->Serialize(info) )
 		return false;
 
-	SERIALIZE_OPTIONAL(attribs);
-
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_VOID:
 		info->s->Error("type is void");
@@ -251,9 +247,6 @@ bool Val::DoUnserialize(UnserialInfo* info)
 	if ( ! (type = BroType::Unserialize(info)) )
 		return false;
 
-	UNSERIALIZE_OPTIONAL(attribs,
-		(RecordVal*) Val::Unserialize(info, TYPE_RECORD));
-
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_VOID:
 		info->s->Error("type is void");
diff --git a/src/Val.h b/src/Val.h
index b94cb2d621..58b24a3e5d 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -80,7 +80,6 @@ public:
 		{
 		val.int_val = b;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -90,7 +89,6 @@ public:
 		{
 		val.int_val = bro_int_t(i);
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -100,7 +98,6 @@ public:
 		{
 		val.uint_val = bro_uint_t(u);
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -110,7 +107,6 @@ public:
 		{
 		val.int_val = i;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -120,7 +116,6 @@ public:
 		{
 		val.uint_val = u;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -130,7 +125,6 @@ public:
 		{
 		val.double_val = d;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -145,7 +139,6 @@ public:
 	Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version.
 		{
 		type = new TypeType(t->Ref());
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -155,7 +148,6 @@ public:
 		{
 		val.int_val = 0;
 		type = base_type(TYPE_ERROR);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -364,7 +356,6 @@ protected:
 		{
 		val.string_val = s;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -376,7 +367,6 @@ protected:
 	Val(TypeTag t)
 		{
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -385,7 +375,6 @@ protected:
 	Val(BroType* t)
 		{
 		type = t->Ref();
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -400,7 +389,6 @@ protected:
 
 	BroValUnion val;
 	BroType* type;
-	RecordVal* attribs;
 
 #ifdef DEBUG
 	// For debugging, we keep the name of the ID to which a Val is bound.
@@ -944,7 +932,6 @@ public:
 		{
 		val.int_val = i;
 		type = t;
-		attribs = 0;
 		}
 
 	Val* SizeVal() const	{ return new Val(val.int_val, TYPE_INT); }

From 02504897306075c2b9a42603e0f776fbe4688590 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:14:13 -0500
Subject: [PATCH 032/136] Adapt IRC/FTP analyzers to cache file analysis IDs.

---
 src/analyzer/protocol/file/File.cc | 71 ++++++++++--------------------
 src/analyzer/protocol/file/File.h  | 22 ++++-----
 2 files changed, 32 insertions(+), 61 deletions(-)

diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 4476043721..4ea8dffaa8 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -31,12 +31,25 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		if ( buffer_len == BUFFER_SIZE )
 			Identify();
 		}
-	return;
+
+	if ( orig )
+		file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		                                orig, file_id_orig);
+	else
+		file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		                                orig, file_id_resp);
 	}
 
 void File_Analyzer::Undelivered(int seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+	if ( orig )
+		file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		                             file_id_orig);
+	else
+		file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		                             file_id_resp);
 	}
 
 void File_Analyzer::Done()
@@ -45,6 +58,16 @@ void File_Analyzer::Done()
 
 	if ( buffer_len && buffer_len != BUFFER_SIZE )
 		Identify();
+
+	if ( ! file_id_orig.empty() )
+		file_mgr->EndOfFile(file_id_orig);
+	else
+		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
+
+	if ( ! file_id_resp.empty() )
+		file_mgr->EndOfFile(file_id_resp);
+	else
+		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
 	}
 
 void File_Analyzer::Identify()
@@ -61,49 +84,3 @@ void File_Analyzer::Identify()
 	vl->append(new StringVal(match));
 	ConnectionEvent(file_transferred, vl);
 	}
-
-IRC_Data::IRC_Data(Connection* conn)
-	: File_Analyzer("IRC_Data", conn)
-	{
-	}
-
-void IRC_Data::Done()
-	{
-	File_Analyzer::Done();
-	file_mgr->EndOfFile(GetAnalyzerTag(), Conn());
-	}
-
-void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	File_Analyzer::DeliverStream(len, data, orig);
-	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-void IRC_Data::Undelivered(int seq, int len, bool orig)
-	{
-	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-FTP_Data::FTP_Data(Connection* conn)
-	: File_Analyzer("FTP_Data", conn)
-	{
-	}
-
-void FTP_Data::Done()
-	{
-	File_Analyzer::Done();
-	file_mgr->EndOfFile(GetAnalyzerTag(), Conn());
-	}
-
-void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	File_Analyzer::DeliverStream(len, data, orig);
-	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-void FTP_Data::Undelivered(int seq, int len, bool orig)
-	{
-	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
-	}
diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h
index 7afbd569c4..9376dcc7c3 100644
--- a/src/analyzer/protocol/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@@ -28,17 +28,15 @@ protected:
 	static const int BUFFER_SIZE = 1024;
 	char buffer[BUFFER_SIZE];
 	int buffer_len;
+	string file_id_orig;
+	string file_id_resp;
 };
 
 class IRC_Data : public File_Analyzer {
 public:
-	IRC_Data(Connection* conn);
-
-	virtual void Done();
-
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
-
-	virtual void Undelivered(int seq, int len, bool orig);
+	IRC_Data(Connection* conn)
+		: File_Analyzer("IRC_Data", conn)
+		{ }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new IRC_Data(conn); }
@@ -46,13 +44,9 @@ public:
 
 class FTP_Data : public File_Analyzer {
 public:
-	FTP_Data(Connection* conn);
-
-	virtual void Done();
-
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
-
-	virtual void Undelivered(int seq, int len, bool orig);
+	FTP_Data(Connection* conn)
+		: File_Analyzer("FTP_Data", conn)
+		{ }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new FTP_Data(conn); }

From de8f8f87b69b562d8afb71b1dd19d8ae41478256 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:26:18 -0500
Subject: [PATCH 033/136] Adapt more of HTTP analyzer to use cached file
 analysis IDs.

Some EndOfFile calls can re-use a cached file ID.
---
 src/analyzer/protocol/http/HTTP.cc | 24 +++++++++++++++++++-----
 src/analyzer/protocol/http/HTTP.h  |  1 +
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f676643b7c..bc0081ab52 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -583,9 +583,16 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 	top_level->EndOfData();
 
 	if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
-		// multipart/byteranges may span multiple connections
-		file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
-		                    MyHTTP_Analyzer()->Conn(), is_orig);
+		{
+		// multipart/byteranges may span multiple connections, so don't EOF.
+		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(top_level);
+
+		if ( he && ! he->FileID().empty() )
+			file_mgr->EndOfFile(he->FileID());
+		else
+			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			                    MyHTTP_Analyzer()->Conn(), is_orig);
+		}
 
 	if ( http_message_done )
 		{
@@ -663,8 +670,15 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 		Done();
 
 	else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
-		file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
-		                    MyHTTP_Analyzer()->Conn(), is_orig);
+		{
+		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(entity);
+
+		if ( he && ! he->FileID().empty() )
+			file_mgr->EndOfFile(he->FileID());
+		else
+			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			                    MyHTTP_Analyzer()->Conn(), is_orig);
+		}
 	}
 
 void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 48a611b63b..0318dc9601 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -46,6 +46,7 @@ public:
 	int64_t BodyLength() const 		{ return body_length; }
 	int64_t HeaderLength() const 	{ return header_length; }
 	void SkipBody() 		{ deliver_body = 0; }
+	const string& FileID() const  { return precomputed_file_id; }
 
 protected:
 	class UncompressedOutput;

From 4ae52d9e1c0153282a012ec38d910a106bc77117 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 23 Apr 2014 14:34:06 -0700
Subject: [PATCH 034/136] Support parsing of several TLS extensions.

At the moment, we have support for:
elliptic_curves: client supported elliptic curves
ec_point_formats: list of client supported EC point formats
application_layer_protocol_negotiation: list of supported application layer protocols (used for spdy/http2 negotiation)
server_name: server name sent by client. This was supported before, but... a bit brittle.
---
 scripts/base/frameworks/notice/weird.bro   |   1 +
 scripts/base/protocols/ssl/main.bro        |  10 +-
 src/analyzer/protocol/ssl/events.bif       |   8 +
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 161 ++++++++++++++++-----
 src/analyzer/protocol/ssl/ssl-defs.pac     |  32 ++++
 src/analyzer/protocol/ssl/ssl-protocol.pac |  90 ++++++++++--
 6 files changed, 252 insertions(+), 50 deletions(-)

diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index e7faf38df4..474f021cef 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -185,6 +185,7 @@ export {
 		["RPC_underflow"]                       = ACTION_LOG,
 		["RST_storm"]                           = ACTION_LOG,
 		["RST_with_data"]                       = ACTION_LOG,
+		["SSL_many_server_names"]               = ACTION_LOG,
 		["simultaneous_open"]                   = ACTION_LOG_PER_CONN,
 		["spontaneous_FIN"]                     = ACTION_IGNORE,
 		["spontaneous_RST"]                     = ACTION_IGNORE,
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 5b974222a1..eb128483a4 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -159,12 +159,16 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+event tls_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 
-	if ( is_orig && extensions[code] == "server_name" )
-		c$ssl$server_name = sub_bytes(val, 6, |val|);
+	if ( is_orig && |names| > 0 )
+		{
+		c$ssl$server_name = names[0];
+		if ( |names| > 1 )
+			event conn_weird("SSL_many_server_names", c, cat(names));
+		}
 	}
 
 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index a11e7bcc68..457d18ea39 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -80,6 +80,14 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ##    ssl_session_ticket_handshake
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
+event tls_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+
+event tls_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+
+event tls_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+
+event tls_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index b6422584e3..043b2271ec 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -86,23 +86,19 @@ function version_ok(vers : uint16) : bool
 
 refine connection SSL_Conn += {
 
-	%member{
-		int eof;
-	%}
-
-	%init{
-		eof=0;
-	%}
-
-	#%eof{
-	#	if ( ! eof &&
-	#	     state_ != STATE_CONN_ESTABLISHED &&
-	#	     state_ != STATE_TRACK_LOST &&
-	#	     state_ != STATE_INITIAL )
-	#		bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection in state %s",
-	#			state_label(state_).c_str()));
-	#	++eof;
-	#%}
+#	%member{
+#		int eof;
+#	%}
+#
+#	%init{
+#		eof=0;
+#	%}
+#
+#	%eof{
+#		if ( ! eof  )
+#			bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection"));
+#		++eof;
+#	%}
 
 	%cleanup{
 	%}
@@ -198,12 +194,104 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_ssl_extension(rec: SSLRecord, type: int, data: bytestring) : bool
+	function proc_ssl_extension(rec: SSLRecord, type: int, sourcedata: const_bytestring) : bool
 		%{
+		// we cheat a little bit here. We want to throw this event for every extension we encounter,
+		// even those that are handled by more specialized events later.
+		// To access the parsed data, we use sourcedata, which contains the whole data blob of
+		// the extension, including headers. We skip over those (4 bytes).
+		size_t length = sourcedata.length();
+		if ( length < 4 )
+			{
+			// this should be impossible due to the binpac parser and protocol description
+			bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %lu", length));
+			return true;
+			}
+		length -= 4;
+		const unsigned char* data = sourcedata.begin() + 4;
+
 		if ( ssl_extension )
 			BifEvent::generate_ssl_extension(bro_analyzer(),
 						bro_analyzer()->Conn(), ${rec.is_orig}, type,
-						new StringVal(data.length(), (const char*) data.data()));
+						new StringVal(length, reinterpret_cast<const char*>(data)));
+		return true;
+		%}
+
+	function proc_ec_point_formats(rec: SSLRecord, point_format_list: uint8[]) : bool
+		%{
+		VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
+		if ( point_format_list )
+			{
+			for ( unsigned int i = 0; i < point_format_list->size(); ++i )
+				{
+				points->Assign(i, new Val((*point_format_list)[i], TYPE_COUNT));
+				}
+			}
+
+		BifEvent::generate_tls_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, points);
+
+		return true;
+		%}
+
+	function proc_elliptic_curves(rec: SSLRecord, list: uint16[]) : bool
+		%{
+		VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
+		if ( list )
+			{
+			for ( unsigned int i = 0; i < list->size(); ++i )
+				{
+				curves->Assign(i, new Val((*list)[i], TYPE_COUNT));
+				}
+			}
+
+		BifEvent::generate_tls_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, curves);
+
+		return true;
+		%}
+
+	function proc_apnl(rec: SSLRecord, protocols: ProtocolName[]) : bool
+		%{
+		VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
+		if ( protocols )
+			{
+			for ( unsigned int i = 0; i < protocols->size(); ++i )
+				{
+				plist->Assign(i, new StringVal((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data()));
+				}
+			}
+
+		BifEvent::generate_tls_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, plist);
+
+		return true;
+		%}
+
+	function proc_server_name(rec: SSLRecord, list: ServerName[]) : bool
+		%{
+		VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType());
+		if ( list )
+			{
+			for ( unsigned int i = 0, j=0; i < list->size(); ++i )
+				{
+				ServerName* servername = (*list)[i];
+				if ( servername->name_type() != 0 )
+					{
+					bro_analyzer()->Weird(fmt("Encountered unknown type in server name tls extension: %d", servername->name_type()));
+					continue;
+					}
+
+				if ( servername->host_name() )
+					servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data()));
+				else
+					bro_analyzer()->Weird("Empty server_name extension in tls connection");
+				}
+			}
+
+		BifEvent::generate_tls_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, servers);
+
 		return true;
 		%}
 
@@ -233,9 +321,9 @@ refine connection SSL_Conn += {
 		return ret;
 		%}
 
-	function proc_v3_certificate(rec: SSLRecord, cl : CertificateList) : bool
+	function proc_v3_certificate(rec: SSLRecord, cl : X509Certificate[]) : bool
 		%{
-		vector<X509Certificate*>* certs = cl->val();
+		vector<X509Certificate*>* certs = cl;
 		vector<bytestring>* cert_list = new vector<bytestring>();
 
 		std::transform(certs->begin(), certs->end(),
@@ -303,11 +391,6 @@ refine connection SSL_Conn += {
 
 };
 
-#refine typeattr ChangeCipherSpec += &let {
-#	proc : bool = $context.connection.proc_change_cipher_spec(rec)
-#		&requires(state_changed);
-#};
-
 refine typeattr Alert += &let {
 	proc : bool = $context.connection.proc_alert(rec, level, description);
 };
@@ -316,10 +399,6 @@ refine typeattr V2Error += &let {
 	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
 };
 
-#refine typeattr ApplicationData += &let {
-#	proc : bool = $context.connection.proc_application_data(rec);
-#};
-
 refine typeattr Heartbeat += &let {
 	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
 };
@@ -363,10 +442,6 @@ refine typeattr UnknownHandshake += &let {
 	proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig);
 };
 
-#refine typeattr Handshake += &let {
-#	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
-#};
-
 refine typeattr SessionTicketHandshake += &let {
 	proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig);
 }
@@ -380,5 +455,21 @@ refine typeattr CiphertextRecord += &let {
 }
 
 refine typeattr SSLExtension += &let {
-	proc : bool = $context.connection.proc_ssl_extension(rec, type, data);
+	proc : bool = $context.connection.proc_ssl_extension(rec, type, sourcedata);
+};
+
+refine typeattr EcPointFormats += &let {
+	proc : bool = $context.connection.proc_ec_point_formats(rec, point_format_list);
+};
+
+refine typeattr EllipticCurves += &let {
+	proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list);
+};
+
+refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
+	proc : bool = $context.connection.proc_apnl(rec, protocol_name_list);
+};
+
+refine typeattr ServerNameExt += &let {
+	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 23fa7abce5..24827d3621 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -20,6 +20,7 @@ enum ContentType {
 	UNKNOWN_OR_V2_ENCRYPTED = 400
 };
 
+# If you add a new TLS version here, do not forget to also adjust the DPD signature.
 enum SSLVersions {
 	UNKNOWN_VERSION	= 0x0000,
 	SSLv20		= 0x0002,
@@ -28,3 +29,34 @@ enum SSLVersions {
 	TLSv11		= 0x0302,
 	TLSv12		= 0x0303
 };
+
+enum SSLExtensions {
+	EXT_SERVER_NAME = 0,
+	EXT_MAX_FRAGMENT_LENGTH = 1,
+	EXT_CLIENT_CERTIFICATE_URL = 2,
+	EXT_TRUSTED_CA_KEYS = 3,
+	EXT_TRUNCATED_HMAC = 4,
+	EXT_STATUS_REQUEST = 5,
+	EXT_USER_MAPPING = 6,
+	EXT_CLIENT_AUTHZ = 7,
+	EXT_SERVER_AUTHZ = 8,
+	EXT_CERT_TYPE = 9,
+	EXT_ELLIPTIC_CURVES = 10,
+	EXT_EC_POINT_FORMATS = 11,
+	EXT_SRP = 12,
+	EXT_SIGNATURE_ALGORITHMS = 13,
+	EXT_USE_SRTP = 14,
+	EXT_HEARTBEAT = 15,
+	EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16,
+	EXT_STATUS_REQUEST_V2 = 17,
+	EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18,
+	EXT_SESSIONTICKET_TLS = 35,
+	EXT_EXTENDED_RANDOM = 40,
+	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
+	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
+	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
+	EXT_CHANNEL_ID = 30031,
+	EXT_CHANNEL_ID_NEW = 30032,
+	EXT_PADDING = 35655,
+	EXT_RENEGOTIATION_INFO = 65281
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index d32d926f65..857bd01f26 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -69,14 +69,81 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	default			-> unknown_record : UnknownRecord(rec);
 };
 
+######################################################################
+# TLS Extensions
+######################################################################
+
 type SSLExtension(rec: SSLRecord) = record {
 	type: uint16;
 	data_len: uint16;
-	data: bytestring &length=data_len;
+
+	# Pretty code ahead. Deal with the fact that perhaps extensions are not really present and we do not want to fail because of that.
+	ext: case type of {
+		EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION -> apnl: ApplicationLayerProtocolNegotiationExtension(rec)[] &until($element == 0 || $element != 0);
+		EXT_ELLIPTIC_CURVES -> elliptic_curves: EllipticCurves(rec)[] &until($element == 0 || $element != 0);
+		EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0);
+#		EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
+		EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
+		default -> data: bytestring &restofdata;
+	};
+} &length=data_len+4 &exportsourcedata;
+
+type ServerNameHostName() = record {
+	length: uint16;
+	host_name: bytestring &length=length;
 };
 
+type ServerName() = record {
+	name_type: uint8; # has to be 0 for host-name
+	name: case name_type of {
+		0 -> host_name: ServerNameHostName;
+		default -> data : bytestring &restofdata; # unknown name
+	};
+};
+
+type ServerNameExt(rec: SSLRecord) = record {
+	length: uint16;
+	server_names: ServerName[] &until($input.length() == 0);
+} &length=length+2;
+
+# Do not parse for now. Structure is correct, but only contains asn.1 data that we would not use further.
+#type OcspStatusRequest(rec: SSLRecord) = record {
+#	responder_id_list_length: uint16;
+#	responder_id_list: bytestring &length=responder_id_list_length;
+#	request_extensions_length: uint16;
+#	request_extensions: bytestring &length=request_extensions_length;
+#};
+#
+#type StatusRequest(rec: SSLRecord) = record {
+#	status_type: uint8; # 1 -> ocsp
+#	req: case status_type of {
+#		1 -> ocsp_status_request: OcspStatusRequest(rec);
+#		default -> data : bytestring &restofdata; # unknown
+#	};
+#};
+
+type EcPointFormats(rec: SSLRecord) = record {
+	length: uint8;
+	point_format_list: uint8[length];
+};
+
+type EllipticCurves(rec: SSLRecord) = record {
+	length: uint16;
+	elliptic_curve_list: uint16[length/2];
+};
+
+type ProtocolName() = record {
+  length: uint8;
+	name: bytestring &length=length;
+};
+
+type ApplicationLayerProtocolNegotiationExtension(rec: SSLRecord) = record {
+	length: uint16;
+	protocol_name_list: ProtocolName[] &until($input.length() == 0);
+} &length=length+2;
+
 ######################################################################
-# state management according to Section 7.3. in spec
+# Encryption Tracking
 ######################################################################
 
 enum AnalyzerState {
@@ -173,10 +240,6 @@ type Heartbeat(rec: SSLRecord) = record {
 	data : bytestring &restofdata;
 };
 
-######################################################################
-# Handshake Protocol (7.4.)
-######################################################################
-
 ######################################################################
 # V3 Hello Request (7.4.1.1.)
 ######################################################################
@@ -205,7 +268,6 @@ type ClientHello(rec: SSLRecord) = record {
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
 };
 
-
 ######################################################################
 # V2 Client Hello (SSLv2 2.5.)
 ######################################################################
@@ -270,13 +332,17 @@ type X509Certificate = record {
 	certificate : bytestring &length = to_int()(length);
 };
 
-type CertificateList = X509Certificate[] &until($input.length() == 0);
-
 type Certificate(rec: SSLRecord) = record {
 	length : uint24;
-	certificates : CertificateList &length = to_int()(length);
-};
+	certificates : X509Certificate[] &until($input.length() == 0);
+} &length = to_int()(length)+3;
 
+# OCSP Stapling
+
+type CertificateStatus(rec: SSLRecord) = record {
+	status_type: uint8; # 1 = ocsp, everything else is undefined
+	response: bytestring &restofdata;
+};
 
 ######################################################################
 # V3 Server Key Exchange Message (7.4.3.)
@@ -394,7 +460,7 @@ type Handshake(rec: SSLRecord) = record {
 		CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec);
 		FINISHED            -> finished            : Finished(rec);
 		CERTIFICATE_URL     -> certificate_url     : bytestring &restofdata &transient;
-		CERTIFICATE_STATUS  -> certificate_status  : bytestring &restofdata &transient;
+		CERTIFICATE_STATUS  -> certificate_status  : CertificateStatus(rec);
 		default             -> unknown_handshake   : UnknownHandshake(this, rec.is_orig);
 	} &length = to_int()(length);
 };

From 58efa09426d330901adf6f11aeaa6041b06210d1 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:57:19 -0500
Subject: [PATCH 035/136] Adapt SSL analyzer to generate file analysis handles
 itself.

---
 scripts/base/protocols/ssl/files.bro       | 18 ++----------------
 src/Conn.cc                                | 11 +++++++++++
 src/Conn.h                                 |  1 +
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 19 +++++++++++++++----
 4 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 6b33c0f87b..fbdd6e454e 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -52,22 +52,8 @@ export {
 
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	set_session(c);
-
-	local depth: count;
-
-	if ( is_orig )
-		{
-		depth = c$ssl$client_depth;
-		++c$ssl$client_depth;
-		}
-	else
-		{
-		depth = c$ssl$server_depth;
-		++c$ssl$server_depth;
-		}
-
-	return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
+	# Unused.  File handles are generated in the analyzer.
+	return "";
 	}
 
 function describe_file(f: fa_file): string
diff --git a/src/Conn.cc b/src/Conn.cc
index fa89f26d35..bc62902421 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -811,6 +811,17 @@ void Connection::Describe(ODesc* d) const
 	d->NL();
 	}
 
+void Connection::IDString(ODesc* d) const
+	{
+	d->Add(orig_addr);
+	d->AddRaw(":", 1);
+	d->Add(ntohs(orig_port));
+	d->AddRaw(" > ", 3);
+	d->Add(resp_addr);
+	d->AddRaw(":", 1);
+	d->Add(ntohs(resp_port));
+	}
+
 bool Connection::Serialize(SerialInfo* info) const
 	{
 	return SerialObj::Serialize(info);
diff --git a/src/Conn.h b/src/Conn.h
index d982d3879d..966c77a9f8 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -204,6 +204,7 @@ public:
 	bool IsPersistent()	{ return persistent; }
 
 	void Describe(ODesc* d) const;
+	void IDString(ODesc* d) const;
 
 	TimerMgr* GetTimerMgr() const;
 
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..5f9d092440 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -231,15 +231,26 @@ refine connection SSL_Conn += {
 		if ( certificates->size() == 0 )
 			return true;
 
+		ODesc common;
+		common.AddRaw("Analyzer::ANALYZER_SSL");
+		common.Add(bro_analyzer()->Conn()->StartTime());
+		common.AddRaw(${rec.is_orig} ? "T" : "F", 1);
+		bro_analyzer()->Conn()->IDString(&common);
+
 		for ( unsigned int i = 0; i < certificates->size(); ++i )
 			{
 			const bytestring& cert = (*certificates)[i];
 
-			string fid = file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(),
-						      bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(),
-						      ${rec.is_orig});
+			ODesc file_handle;
+			file_handle.Add(common.Description());
+			file_handle.Add(i);
 
-			file_mgr->EndOfFile(fid);
+			string file_id = file_mgr->HashHandle(file_handle.Description());
+
+			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+			                 cert.length(), bro_analyzer()->GetAnalyzerTag(),
+			                 bro_analyzer()->Conn(), ${rec.is_orig}, file_id);
+			file_mgr->EndOfFile(file_id);
 			}
 		return true;
 		%}

From d3972afa97c86dedf2977caa03c1b9374eb43773 Mon Sep 17 00:00:00 2001
From: Mareq <mareq@balint.eu>
Date: Thu, 24 Apr 2014 16:40:57 +0100
Subject: [PATCH 036/136] Do not repeat hex-code of decoded quoted-printable.

---
 src/analyzer/protocol/mime/MIME.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index f4e7d3981f..6f992c9256 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -1044,6 +1044,7 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
 						{
 						DataOctet((a << 4) + b);
 						legal = 1;
+						i += 2;
 						}
 					}
 

From d3b27eb0c1329f7def8e49dde6d2048d62fdd777 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 24 Apr 2014 10:47:57 -0500
Subject: [PATCH 037/136] Adapt HTTP partial content to cache file analysis
 IDs.

The initial file ID I think is still ambiguous and/or depends on
script-layer state tracking enough that it still needs to request a file
ID via an event at first, but once that is assigned to an HTTP (MIME)
entity, it never makes sense that it can change (so re-using a cached ID
works).
---
 src/analyzer/protocol/http/HTTP.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index bc0081ab52..feddeb00a9 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -243,10 +243,10 @@ int HTTP_Entity::Undelivered(int64_t len)
 		return 0;
 
 	if ( is_partial_content )
-		file_mgr->Gap(body_length, len,
+		precomputed_file_id = file_mgr->Gap(body_length, len,
 		              http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 		              http_message->MyHTTP_Analyzer()->Conn(),
-		              http_message->IsOrig());
+		              http_message->IsOrig(), precomputed_file_id);
 	else
 		precomputed_file_id = file_mgr->Gap(body_length, len,
 		                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
@@ -306,15 +306,15 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 	if ( is_partial_content )
 		{
 		if ( send_size && instance_length > 0 )
-			file_mgr->SetSize(instance_length,
+			precomputed_file_id = file_mgr->SetSize(instance_length,
 			                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			                  http_message->MyHTTP_Analyzer()->Conn(),
-			                  http_message->IsOrig());
+			                  http_message->IsOrig(), precomputed_file_id);
 
-		file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
+		precomputed_file_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
 		                 http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 		                 http_message->MyHTTP_Analyzer()->Conn(),
-		                 http_message->IsOrig());
+		                 http_message->IsOrig(), precomputed_file_id);
 
 		offset += len;
 		}

From 9b7eb293f1aaee78a10b21dfd5b581ec268b9e80 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 12:05:21 -0700
Subject: [PATCH 038/136] Add documentation, consts and tests for the new
 events.

This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.

(The heartbeat branch should not have been affected)
---
 scripts/base/protocols/ssl/consts.bro         |  97 ++++++++--------
 scripts/base/protocols/ssl/main.bro           |   4 +-
 scripts/policy/protocols/ssl/heartbleed.bro   |   5 +-
 src/analyzer/protocol/ssl/events.bif          | 104 +++++++++++++++++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  12 +-
 .../.stdout                                   |  13 +++
 .../notice-encrypted.log                      |  10 ++
 .../notice-heartbleed-success.log             |  11 ++
 .../notice-heartbleed.log                     |  10 ++
 .../btest/Traces/tls/chrome-34-google.trace   | Bin 0 -> 11582 bytes
 .../tls/heartbleed-encrypted-success.pcap     | Bin 0 -> 64480 bytes
 .../btest/Traces/tls/heartbleed-success.pcap  | Bin 0 -> 39524 bytes
 testing/btest/Traces/tls/heartbleed.pcap      | Bin 0 -> 22223 bytes
 .../protocols/ssl/tls-extension-events.test   |  26 +++++
 .../policy/protocols/ssl/heartbleed.bro       |  13 +++
 15 files changed, 244 insertions(+), 61 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
 create mode 100644 testing/btest/Traces/tls/chrome-34-google.trace
 create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted-success.pcap
 create mode 100644 testing/btest/Traces/tls/heartbleed-success.pcap
 create mode 100644 testing/btest/Traces/tls/heartbleed.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/heartbleed.bro

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 1ccace102c..e60363e14c 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -14,15 +14,15 @@ export {
 		[TLSv11] = "TLSv11",
 		[TLSv12] = "TLSv12",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between numeric codes and human readable strings for alert 
+
+	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {
 		[1] = "warning",
 		[2] = "fatal",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between numeric codes and human readable strings for alert 
+
+	## Mapping between numeric codes and human readable strings for alert
 	## descriptions.
 	const alert_descriptions: table[count] of string = {
 		[0] = "close_notify",
@@ -58,7 +58,7 @@ export {
 		[115] = "unknown_psk_identity",
 		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
+
 	## Mapping between numeric codes and human readable strings for SSL/TLS
 	## extensions.
 	# More information can be found here:
@@ -93,7 +93,50 @@ export {
 		[35655] = "padding",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
+
+	## Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+	const ec_curves: table[count] of string = {
+		[1] = "sect163k1",
+		[2] = "sect163r1",
+		[3] = "sect163r2",
+		[4] = "sect193r1",
+		[5] = "sect193r2",
+		[6] = "sect233k1",
+		[7] = "sect233r1",
+		[8] = "sect239k1",
+		[9] = "sect283k1",
+		[10] = "sect283r1",
+		[11] = "sect409k1",
+		[12] = "sect409r1",
+		[13] = "sect571k1",
+		[14] = "sect571r1",
+		[15] = "secp160k1",
+		[16] = "secp160r1",
+		[17] = "secp160r2",
+		[18] = "secp192k1",
+		[19] = "secp192r1",
+		[20] = "secp224k1",
+		[21] = "secp224r1",
+		[22] = "secp256k1",
+		[23] = "secp256r1",
+		[24] = "secp384r1",
+		[25] = "secp521r1",
+		[26] = "brainpoolP256r1",
+		[27] = "brainpoolP384r1",
+		[28] = "brainpoolP512r1",
+		[0xFF01] = "arbitrary_explicit_prime_curves",
+		[0xFF02] = "arbitrary_explicit_char2_curves"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	## Mapping between numeric codes and human readable string for SSL/TLC EC point formats.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
+	const ec_point_formats: table[count] of string = {
+		[0] = "uncompressed",
+		[1] = "ansiX962_compressed_prime",
+		[2] = "ansiX962_compressed_char2"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 	# SSLv2
 	const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
 	const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
@@ -458,8 +501,8 @@ export {
 	const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
 	const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
 	const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
-	
-	## This is a table of all known cipher specs.  It can be used for 
+
+	## This is a table of all known cipher specs.  It can be used for
 	## detecting unknown ciphers and for converting the cipher spec
 	## constants into a human readable format.
 	const cipher_desc: table[count] of string = {
@@ -820,43 +863,5 @@ export {
 		[SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
 		[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between the constants and string values for SSL/TLS errors.
-	const x509_errors: table[count] of string = {
-		[0]  = "ok",
-		[1]  = "unable to get issuer cert",
-		[2]  = "unable to get crl",
-		[3]  = "unable to decrypt cert signature",
-		[4]  = "unable to decrypt crl signature",
-		[5]  = "unable to decode issuer public key",
-		[6]  = "cert signature failure",
-		[7]  = "crl signature failure",
-		[8]  = "cert not yet valid",
-		[9]  = "cert has expired",
-		[10] = "crl not yet valid",
-		[11] = "crl has expired",
-		[12] = "error in cert not before field",
-		[13] = "error in cert not after field",
-		[14] = "error in crl last update field",
-		[15] = "error in crl next update field",
-		[16] = "out of mem",
-		[17] = "depth zero self signed cert",
-		[18] = "self signed cert in chain",
-		[19] = "unable to get issuer cert locally",
-		[20] = "unable to verify leaf signature",
-		[21] = "cert chain too long",
-		[22] = "cert revoked",
-		[23] = "invalid ca",
-		[24] = "path length exceeded",
-		[25] = "invalid purpose",
-		[26] = "cert untrusted",
-		[27] = "cert rejected",
-		[28] = "subject issuer mismatch",
-		[29] = "akid skid mismatch",
-		[30] = "akid issuer serial mismatch",
-		[31] = "keyusage no certsign",
-		[32] = "unable to get crl issuer",
-		[33] = "unhandled critical extension",
-	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 }
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index eb128483a4..e3c3320f74 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -159,7 +159,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event tls_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 
@@ -198,7 +198,7 @@ event connection_state_remove(c: connection) &priority=-5
 
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
-	if ( atype == Analyzer::ANALYZER_SSL ) 
+	if ( atype == Analyzer::ANALYZER_SSL )
 		{
 		set_session(c);
 		c$ssl$analyzer_id = aid;
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index dc38c66f73..dbf27ec63e 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,6 +1,9 @@
 module Heartbleed;
 
-# Please note - this is not well tested. Use at your own risk.
+# Detect the TLS heartbleed attack. See http://heartbleed.com/
+
+# Do not disable analyzers after detection - otherwhise we will not notice encrypted attacks
+redef SSL::disable_analyzer_after_detection=F;
 
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 457d18ea39..5106552740 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -66,6 +66,8 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
+## Note that Bro offers a few more specialized events for a few extensions.
+##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
@@ -77,16 +79,75 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## val: The raw extension value that was sent in the message.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-##    ssl_session_ticket_handshake
+##    ssl_session_ticket_handshake ssl_extension_ec_point_formats
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
-event tls_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client in the initial
+## handshake. It gives the list of elliptic curves supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## curves: List of supported elliptic curves.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
-event tls_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client and/or server in the initial
+## handshake. It gives the list of elliptic curve point formats supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-event tls_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent
+## in the initial handshake. It contains the list of client supported application protocols
+## by the client or the server, respectovely.
+##
+## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_server_name
+event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
 
-event tls_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+## This SSL/TLS extension is defined in :rfc:`3546` and sent by the client
+## in the initial handshake. It contains the name of the server it is contacting.
+## This information can be used by the server to choose the correct certificate for
+## the host the client wants to contact.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
@@ -147,6 +208,37 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
+## Generated for SSL/TLS heartbeat messages that are sent before session encryption
+## starts. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
+##
+## payload_length: length of the payload of the heartbeat message, according to packet field
+##
+## payload: payload contained in the heartbeat message. Size can differ from payload_length,
+##          if payload_length and actual packet length disagree.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_encrypted_heartbeat
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
+
+## Generated for SSL/TLS heartbeat messages that are sent after session encryption
+## started. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be set to false.
+## Otherwhise this event will never be thrown.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 043b2271ec..66224bf45a 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -228,7 +228,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, points);
 
 		return true;
@@ -245,7 +245,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, curves);
 
 		return true;
@@ -262,7 +262,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, plist);
 
 		return true;
@@ -278,18 +278,18 @@ refine connection SSL_Conn += {
 				ServerName* servername = (*list)[i];
 				if ( servername->name_type() != 0 )
 					{
-					bro_analyzer()->Weird(fmt("Encountered unknown type in server name tls extension: %d", servername->name_type()));
+					bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type()));
 					continue;
 					}
 
 				if ( servername->host_name() )
 					servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data()));
 				else
-					bro_analyzer()->Weird("Empty server_name extension in tls connection");
+					bro_analyzer()->Weird("Empty server_name extension in ssl connection");
 				}
 			}
 
-		BifEvent::generate_tls_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, servers);
 
 		return true;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
new file mode 100644
index 0000000000..8305175edb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
@@ -0,0 +1,13 @@
+server_name, 192.168.4.149, 74.125.239.152, [google.de]
+Curves, 192.168.4.149, 74.125.239.152
+secp256r1
+secp384r1
+secp521r1
+Point formats, 192.168.4.149, 74.125.239.152, T
+uncompressed
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3, spdy/3.1, http/1.1]
+Point formats, 192.168.4.149, 74.125.239.152, F
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1]
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
new file mode 100644
index 0000000000..863d8dd9c0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-19-05-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-19-05-00
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
new file mode 100644
index 0000000000..9722e20655
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-30-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-30-54
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
new file mode 100644
index 0000000000..da376c79a0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396973486.753913	CXWv6p3arKYeMETxOg	173.203.79.216	46592	162.219.2.166	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	162.219.2.166	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-29-46
diff --git a/testing/btest/Traces/tls/chrome-34-google.trace b/testing/btest/Traces/tls/chrome-34-google.trace
new file mode 100644
index 0000000000000000000000000000000000000000..e02d35a5f1f37a6f2525fe7b7465dc9c4f4cf36c
GIT binary patch
literal 11582
zcmb_?2RK%5`2TsAy<eHh&gL~E+1c59XYVaDGczd^8pujQij1;_>_|2VAsR->EdJ+c
zebe|||LgaAx}K}|ocEm1eczw^c|OnmJg<S~vTQhj1irVuJph1#7Zf^1Ith7rfI9dY
z>cG+1*9qYT40cMLS~!3_07y%8N(0hZ0MJ-~Oi>A5zB;B1tFh`(VTK;Q58vC{ivj>R
z5>*aEAdoN^4jzNFtPS)X68;sPqz(^I0k5I{75A%+ee@H_ApjtZ_3;ga3|WBHj499Y
zGG%}kShC3Sxn~3R(NmFd96UokFEa=ow1fru?E)gpf~Zjc&2J$Qtv~wB0-|SzkuV7C
zfym$db%Kx~MBREk01eUt^@E5o6p6+^5UCgh0M!GC2pG@}BDEtBOH}0K-MTgd;v@>|
zv8=^wuE}-+as6AUciRpjQBHe>0KneJ)yM~Ac9VCb8}S-(8_|vAjo6K(fFK|Mhym#U
zA0Q0i0Vn_o0{Vg85dj1MfNSsWZtr5tYh$|ygVKoy-~d<vB|rsG1NZ<OyaT35&<A{+
z1fT_|vAjKO0{8@RzW&F{kK^Fu<H5(z%YQ}_d;|rcz!$(q2#^6JNEiwRhanLt1RQ~c
z!{Ok){lVfg^po`8(kYZ2x}VO~1L@2J)A=ck1fE$j@|7ZxaBDD?P7vvNFYthF6tLe9
zBBJV(!y&{a+rJ_9Z2myB*+)bm09|nCX(A9HHic8Vme=^17kec5<=sv+o8%^CK{Lqv
zlQHT^N!I|7aDW|(_$zz(01^Sf;1Fl~gphz7;{G6u0)Zf)!UqV*0RmD08H$NO24Nx)
z)>#NR3=YS!pjbR|F<MF)Lx_dT8Lbq(K?sAPPyj}mA0LB@h0sG{q2YQu{Adg*bb*J)
zQ{2xSgR+}7KP!eAx`{v^{&CaC*2~S-he76ykAu6HqfY>Xq5$RyB_Y2MMhGLuFMv5F
zBy7BYc?=_p*>A=e+drDZA;6QfbaAwE_i}Tz<fp)pL#D6^2-V!rxcOK*x-sZG+WP(Q
zi{QV0kz>gA{UX5U<oz+wFcC1O{{{&|0f-0~F#z7jgGaz%K)7N!D?ZI$?}=e&JiDsi
zg+w!spjYK>8!xp|PWBJoVXBHN86L(Gg15?A_e^(^;P22A3l?%~89JYn>MU{fV^Hqk
zsrDls(HR%4ZJ1EMENr@@SGQ+b^tQ07S8LfhnfhgyzukFV^>?l(vbAoEOc<t=<d;v6
zR87d=En6@em{fIMTkHzcB|H@6G<cyoRY8tR)xA5xexa~Yp_1h^W-6mC`<_`}tKKL>
ze4<H@;M%;DwR&a9he^_|TpV$?a1=gw;+IT$`s?Ts-D^(RzWkFI$J-h+S)?q<6HMn*
zmmO3;eHNU=j#S}&JdN!)in|#ncoQ$%JmOx)XSI+IYQ3+%z`<D$%Z-33gN(>y=s*VP
zSdkF#I9yoZkibU3etd#s7@@C8ku(^pi2srt@pEEh9KJsegCR{Z#u%>e*BE#-Jv4!j
z^YM8&JATiQwYw{yqOy#l0I#)|&wn0<{dm~g#nINy$D9AZZ@61~dwlhk2uXn?M;WRb
z&WuM2-;TeuDo-OB|F~7l9YX;5iiW}VkZ=rup@*)RkyIFpFmja_SQNCi>kbvZpTa9^
ztZ1r@!}&0j&;txe5)2XeCLS0&5;hb7N5L={=nHxz2Zjy9n#G*O_`|WkMB(z^;Renr
zaJaz$^|Sm(DAP*_To5d0-c4kVVfaK%PvVP&>k*<I8mM2Jw!|%54f_ygBfW85MOSdG
zBATbGzEwi-%=>mX5|3B@QYM6hrFfb{+4Q+dHTVQc)`vw21}L7$PA^u#y}0i@v%hk}
zuZKjtqc@B_|GHL;2exl7b!Ppn8h&-47p3a-7m6c6Qrz9toZ6MT4A;=aNA-v02rclR
zOxWrnMFcEfhIkigvRF{}Mx@0Dmx~4Nd8n54MteRT^~xsWMBJO8QL{T$car9=G)d%2
zvF)dEb56Cc>mM>r%FQpf*7uX0b>opBq#V;*Ng%Pitu48knvh#lEX%B38d66jK*jyS
zK@7VAK;nQ3gv3O^-+fge1pK(;0irOnzbeAF$&ZI7RJ3*1^*ZD21IZ6BKP`qDObMtz
zWIygJy0}|ex-iJe?5mC-s5-*@;6LGg)e#0Sg}z<>L*O87FZ{Q*N9=36&9B<d&i;M1
z&<_4p+yB2M^MBH+bWWt7>4;|1aje{ksS!=3+Bm6IY7d%Ng^;OBt*dcQ8JCQAEeWdx
zPR3>V;Ol7U<voqCN?CeqWbtGg6-L%#enqO*L`if_XM<&aCu#9eOYfQv;hM_lo4S+1
z^;ypDF^zqi^z0af^caq}mP_c~@e{X?VO^|KB}KjsW|^Gd`poaSb7k=KM_!eCvi)6e
zTAXOgx^-S0QjMo?r?#Z;$taMt=86<{w2f@1ZdG8~)Jds-6{bS+g!5f>8UtyY*fkPl
z){13d3hM=R?K3l#?{PZGKR;!1dZ6B`fJjS2gfx~;2Hlev?5&pcteRY7WqnL29G8)?
zLqr-7cjQ>>y^CIsU$rWH2NS;e%Y<$Wyy}n;w^M|&As`Jd47PpP*{%K`dHCaeht`U(
z@_>WE0#yR6J}^YkJz_{Qkl-?jg*pCp>I-7{F??A(SzOT^-vrFs%Z1n8*4+mhl)R9H
zfj7MQ?0xL_#~~<XE*OdLx(DhY_&SE?`!xm@&G-%G`wKjfp8W#&cRBiX!QK}akzuSb
zQntIC<Tph99x!K}F{~*KIVW4~HFjj=q6k*n)Jlr@u`jf;hPzDd&UK>Z&%{~X$ljXU
z`zlB$j*++f6TVNe8@m|o9+q9LFOU*FG2zsSykHW#-q7tHg)nS(&_efoY2OHtxF)=!
zpIbL&^j_m6Zf>S%;JU&yI<gFn`abE;db?QWC&muz*QII&xf^hf=M<(+T=03EQorJs
zg5INCIZ<3jlF;qFvv3LiWMxP2L5ldR$6XGF-s1%<R^nK~8H9HP>--Ukyr=xlG>?Z5
zEM>KOh)$Gk*>A^4n^`t$U2;C>+=DvaIei=D|G9JQN*_0lL<mJddzK~xi>{z2fCvXm
zn_y5}=D&#xS<U=GaZ&$OTtJ<NL<A3wE$?~8(azGJp9frhz&rS8mTz|$bZo89c-b<@
z*?Rdn+BsTV`q=)ga3G<<2w;Q-_(6368&uwiVnlyj{-221|D*?F-Bi|?FKd*{H2NVX
zFHg9L&U#k)Ck@nQkDS^pkgG&2sxe~Y#Eu#A*@<z~q5R`BL>Ew1P9dIo^DU?I?=OeV
z#<3G;vJSmJ_wjCiQrp!ISt?=jjJsDAl6f^cS7YRwC{he~G?(Le!U7HMeps?_?gtVc
zk#CY85*}?-$PMypPipAU<Lc>4lT1Hq)BW=4Icm>N_4$FppgYt(dXw$%`prdk=1es%
z@a$?bi+r}5@4A>LMh#S@z{QgAiFQSKpV6VNud7MA6Jyie<34ifwAjqHhz?q8!2BrJ
zxI_VYoxocv1iLoUbFN5GVp_BYTO`sdJ>U%mX3e6JYr)fbcI%rStYE_5|Dp#<^A1~F
z{beb`iX+SnBpQNOA#J}4YWp5oX+!;B-40((-q-e3{$I77r)*!_so<Gy=D%ut;?05o
zD9j%Ph!|3j{Q?AqL4cz2zm*s7{o!bBxi2s35I6%;5hIV0!$N`|0gO0C?7POmVH7-&
z#(0CpmY<*BFVe#2W$W#J#>?8)8~o(q?(OK~?iFxgwjjd80pDpdH+5ACvS<ueSvXGb
z3Qk*_XNcX><M#vN^m{8S?dn5vqW2$Rf~orS&gD3DiIAo*DB0z@hCW0ODDK7^n|gmP
z8Ko7V7A;B>A}>tsf17)l97nmbW-e*@oXA@`efQ3>T5s#b+0Y<KrY;HW_ZFf)>8}u)
z>e=_ME?Itvlp+H+FfcU&0H%xpC}oi5meX9=O#)5*Z^|$0DoS2Cr}B7kL|SLcZ4u*!
zEM$(2x)~ycA7YbmOY_yECB~2i11mY!3qemDo>SkT)46XD2JZC%eBQOzwi|{|-nNel
z3+G;`I)R;ToNwd1-Y%uebW>#tzv~<&eBf|g?8vM#=Zy*%!$n}sT#O<v+@!y4`)!%=
zvm=6r3cyyHe?!@ujU(jGxVaZR<mNotQ**kbJ$z);GmSjQNtZ?l-%&BbZ+pq@aocEB
zez48Ga8iSYA%q04p}sl3V1=*drQ6lZ)uTvZ(fb*_<4iT17K_W9Bp#QW2%P+>T{E{I
z^{zZ(efniR3Eli2hHGw1-L9@H=uaUkfg3E{H(f4v?}>QM-Lw)h^m40_!Zk&b``Pc^
zZ#7eCvqiZi%94gSh8L>_4BOB#-y_yHTcapa;nhhkI((sZh>N%xWE4OWf%`{jI<QUt
z+!!A`I{<{jivD<Z@M(^hr!0(wKI}iI5uV`Y*akx6{3qfe^S>ct+(AUWKOuUo;{i(G
zCLihteS{sq;P($iDh2=u`#NR8ZMNUOk6`!;B;fgr4AL(H&fRy@ELYK^_1Yl|D_hGq
zUEw})&qit@<ZX}OaNuvfk|bug4Y4i6puA$4+-!3LPMgh+UKi5rM9*-YQ8-HuLcw4V
zpZ7t}_M0${b?z{hZyn*hz0m01vh$;&VWaAF;Zm2<?5oGqlNWR1o(^bOTkl9=Rb^dO
z&GA+`8N!^9)s|P+y~bW3GA;wZG~!1PG9GSJ?Du*i>&kmg6<V|EV0xS#N9RwmMl3-t
zZJ~Kc5rQ%0@q`eO{KUOcHOW^#e9h<}wX2&P&!;v@w}?F1FlMyxifz0TXd+=P6@x)2
zXIRWOTJv3BD5gc5l|F|-6ZIO(l*}P~z!2mV>IbC|rjmRPDsw*!|0;zTcdHK7oiI=e
zt--?&=p+i{)C=MkqG1v|sv84fagD&hGlS|8_-F}JUfBg1(#Wml+OXQ|9`=pRox9R}
zsU6Z=uY~LMx}1kE&xO+|lV}peh`!0tZs@1DEwa=1C2LwYcEH|I=fmh&+?27nzh-?C
zOgGp;<|5t;id;s~4Oam%fxV;CGpCzI-PVpqsxL==)EN@xYNb}e)ys-F7MEqVNU}_M
zhJvi!Jn>}-zUNM8fw<djVt}q9#-M@?yRfWDV}tKQu8aK`(ChM~&3E*e^>)dmB*tu_
z+8}I%W4?jGr&^wd9&rVG=+a7=AS-$9=Mk-ljb}gey?_1!B|LGWQYw+f`uw8bM0=~R
zko-*9<0CoTtYSAyEEf8*rI;X|WkH^Uz-OU;kY~U(IdcE->A|l&^GAK>S)ut?o+&||
zg&@;lgNcvYL||*baY?OizVpV-$l=l5lZ4N1t6Sqos<;+^u@2HfO{`sP&PP($rr<%Y
z$bqi7gD*n;H&-l^!9!8-ShN0sEA`)9VZ#31mG4ZzXY}AJqjpqI{^{C^>2*~E!)&y|
z-YRDf8HOmG&-7P30hx~g&C7zOp?+{C140Sif11gvJ9E7JQJ^*~{YM)@piu`QM*S19
z%IL3%^&sNgKOrXm6S1=EuZV9!#Dza0%G3SK|8G&db`Jdm5!A1}vah6rb1W2!`j`CU
zrzLwe>IqjVoS4?h$+_TuUEumdo0tLDTgf?(mMMAHkBHoGIIZFr)twaL4$)-{y7E2$
zzqw-hj^$6ToDu>P@HPx`CI5F<e&pXiWpIs@mt}?ibF(s9q>juSs6HL3vgDJ0_Q6QI
zJL5KF-U~GE4W=IIznQl!)%l}&%OB>!1LtpN-#?h(hLFI9kVes=B2HsT;`uG#cyWuI
z*Ybk7=6f;L$2?)RtKd=gXoKyXDCC0P5qzKm6g;RObOCldQ}&N8B!71Sc>kLVFgM6P
z*pRVx^Pyg4mnMjaI!q~Rg&hthX+P3xdR3a*aY8G6p!Fj5WW0}bZkfQ7<{%-<$K22C
z5%gQJJk<*PMZ>rT3qkeFy~Qq1di{u%a!Q7Y751Fs(Z=H}6o?1fX!WTw@x({ciiC2g
zqE{LQC8pO9hiXcUPhO?nt1r)_3Ze}v^Pvp1O<vo4TVSj*v=ZA?Tu1W39nK!+&APh<
zBU`gN^YFONQZt8E2e7dtrBXb-6XF1S8q*cChCO(%tH6LsiK1ONHs<JS;`JH3NV2t;
zl;YNDk<&u*IMMjk?*{S6H<ZKZGMjuevZPvBlOrq2e042aUbv#>E9-@Cw9z~}eJt44
zi6j&u5q=)CO19&4=u@go<cfZo>BYjP98AErOp5Ov_Q;9EnEBE!%spdOFP#;u%a+B}
zOc^hMhdXcrq@&RYd}KOUq?>DpsMDj?d*pmpyR6XYO&m`r-sQ8+eS6Yb@oh&K&nMDB
zN&I~5r;hw4V?xQ%`!aUm*BSn|Rvo93q2v6#rmsl^XHyU~s~|)ZaeSZ^Od`~OL##@U
z*+;ZHAdDcQItp3~2Yr7ao`n#hIST$nwBHbT6&viy*UCm%2#BQ*C!C?Xda}#D+~@uW
zf9craMCr=Y6UuxaNoN&8Cl?;QNI90rPX`;ec6CU7low6LluYi(5a;@ME|fQeB)b!_
zF3W&?T9+q)d}hCK1HiufC~uo_ZB?z(?0N5nNBp-4Iyi!9X|JSjO5YQJg0csLss@*7
zs2>apRh%3P1-0byYfu7i--G(-|65R~{fP^Ph0HqcnytnyT<mSPmcVIOSC+OqR5NzQ
znceS+(-JPh3Hq25_dPu=8NV3snWZN*m4$6Tw_v<R_+rZ?vfxl{_i}&}+lu~EY-ZIO
zhLjG<rx}iFSe?Bk787msUx-{9<0bnNxc6*gGmQuw<Z>U9e7@DV*_iw!`q+#uZl+S-
ztZq5OgfG=ig0$P+1>zUz>F!h!>DFt0c-kxALqf`dem`a97lm9Gs#}bsid&6AS79Ar
zkt%mDu{a#pn3K7Z+AyirH9O3uJ<B;-TB>!H14UXM{k(#d-52d+y0+*Y&=YW)eSGbO
zS)d{*D{R+&wGN+mOVxfk&}sD<4{37A<Evb+XxHS{s}y=VZ^l`{>MRW_sIntcRMgr}
z?{ufGBytKmvm+xjMTf|@7VSDE!?&W^*eUO;wg-mCsL*jqTQuQr^`Bz!H99sGgB$j7
zXN7(bD_h@cV|v?O%X6*8_Z(%OMhcgDY4w6z^SXCg#wBDgvQ-a@+VI-h=Cclro*{c@
zkpedO^ir@;Uh0zC#3patfnBP2IHfQzA)8%o!fv86$KwR+bt*mGb<f$+P(}rhQQ1ms
zTALdG_ivlga~$LGj4|gb?WStCX13Zd96O%Imh~((tc$VBRVUBfTQ|h-wfuQzILu4?
z(&w3xrJRc;ixTX-eWneUA7*f^@zvR7+`yD#9D!~vf=;f?XMz*4r`=iaggsy*bbUZ6
zAsu&;hAmXaLxTKWa+eq@?>%XeMK=l>(ePm9(daS#&^~>6UJ(N7D#mR4Xg7i_wRJNN
zrM$5e#gry#I2qSa6y6X}(JaEodbILmPn$N6CC};P#H<;t%YGgmZ?)SG)g#`GOEjU|
zj9Vx(J_azQzv+-{ZP=iXBjjtX`$9LeE!9F_z56im&IR+`{LZ_4A5sYt;hMH|BtabQ
z`BvTm`0c!nLdUh2BCnXbg{shWU}<VIM>OYry4P)hEu7DiDtb6C?);09qpzov8aIcy
zJ~wz$BG`@SHP2KTI0z{jykl-aoQ<+F2yfV&n?B57FeWu_${;-`ZyuL+R(4s{WMpvy
zKOnM|{_&x4Qyz1!m^l&eq4=|FJcAB(U6b2>^xCD7#+L5~xzq=)HTsRuBrJ^29qBxp
zu*#eueCZ>L*_#|;0@lkW+>yTIpI>{oy}8n@zR|N4=AXx+zLk>PDKAkSG;YjbdVx)y
z{dxV%OmwcT5F=tf=!WO3c^+ak+t|66x6aKVIw@7fSFwz4sZ$VG&Za%=O0Xr5Z?C;U
z*TXE=dKyb2Ga)8kjCI!oxp0R*5q~8{h5NNtLqhr0>^p$X!&FqM95pcxcKD=c<9*t|
zj@R$_hZJv#+GnTW8b7(FIZS>lTfAn2^i`8e;p}we&}Dz7B`K0AYxWrZyPY3;jw@Vk
zmw&Lwnkr18p-d#isde%KtR&*r$+{k~(A#u`XU`XO*(8<*o|0>}XTBMd^?`ZYRH*%#
zp4}pss!7r``SpClKv&aG0}92*@17i_HJe~O$yQq+IsSgvC`#t&^<vcUm0nHJ&U3^Y
zQlDitk`>d7)a_4LVOIstv3RJOP|R${)xF(tl*pQ+9ytX&!N2EF`X$bFWPG!OKg5Hv
zLdo7iw0I)Yutb?`d#lF?W}~_>zL_{)@>u<WU=Hrbd1HP9<?sn}s{xbg@?E~EODSPq
zEiD>}!A^2CkF+8_(VNZ)v;b(yGLG8pi5oJ}j+okQ=50n4N99TBW#>B?zPgfw9e%ld
zu{a^RRILv_^>Y`OF^C2Fajj4<$(g=vd-@2@dUcI1d$s3zU>|i&Qev>hYXWbg{#D0%
z4#K|KV*8H)Xn6!RI$>yT+8rmlUk87I;b~lmW}ytE<j$ay-vo6R>Ian^NJ@^|U!KnY
zs^rJ!zbpB1rQehsFx+39z~9eB7FjE3g)H=5)Q45K6I$8uS03WOojJZKWveAzz;U=Y
zZ!mkl;|+F717fbXp}0b8YYdmBnoh^Kk+i6DT`}P_`RlAJt1CLSv#VkQBsQ)4Rk;V~
zt}|!=>c6>bmVAES-MU}h6_xw$ZgAJ{?y`Jy7b_Au6lv3oPA^$})B)3MG(z0f(LUMk
zCflLG$_Ftu3!47>7Gpi(PxYNTYK~XH4J_X`{!_k3gXO_l2=Vnl5ph@lhIniqM9lgV
z;@f{BVlDp-QB)2@-2M~d`acm%Z2yYr^0%nnC4Q#xV4Vz@<<a~D5!xx_d`%%(48=e^
zLIu(H6ryG|3Om*vU95vKF;y2jnZuO`gXP|k+ihnocMU>>-~aeCg};p+q2&1e(KB~o
z^tgbdhZm~u(p`Rxo+8LRggAAZ5O@xbAgKQqOsmBFAA{kY;}vy*wmsk<RD9ca$Q=QL
zDT0Ez03m@5YewAUO(NdvN1rjDB(l`HNz9eQd6issStlbDG-N&b9tW~-F40~vASqkh
z<K)nK)KosYyg*T9f|8*wpbvDTnA-M+^99a`O=;&ICt|g?`t&S^drG;mjo6P+Gww;b
zY)h2Vmi{T?=X4+R?;p!^Se{Qb_3<8;QNVTd`O-h?J6~rb6>AEG_`Hem$GHCkX`sL0
z&VKd}q%}aKUGMo$nl}@JwA>L0@iqw&zzOb>pneb$b~rf!Lj17vM?|nBR{!_|Q3OJS
zNPG2_Gq7;&(3yRD;}B2A<%!3pl&|a*CUwinkmV*Xx4J^(Dfk9?ckq>j*>;WP<u1#u
ztG~0~HI%XKQ(4o<NTPe{@8H~STS@mY-JDD&hh`>NLzS%MveJ9=n){&|1&g;_J!+S_
z*oKEt<kz~Y?Mfc6YOr-R5SCRL5RH`wKGEVcRI@z3H=9#xLYDlzl!g6LjBr?1?j}+6
zrB?Fm(%duR^dpX2`6r{#zDEjLM7d~ov`FvpczLchnB@1KR$cWLPCM5&{<v?W^z2m`
z1X@y{+KyYGLicbY_PMSs?E-wo{Xg-#12QLp1orzu=8$~J7a``BU;oOSm@YVg8=%bu
z9VlO457xZDGly9J#vIPZt*!F&zG*83`5JTnKCc|4j$TWTN-)C0p^YjYzG-%uJvFQK
zc56k=jg!cnmw2Z(<edTu?9ieMyU{n4D)@mS(ZXC~E@q-^IMre`Zv};${YHi&W}SM#
zpp>ljDqQ}CwoyP~C*r7Rx8a1E8@<0E_GH>lahKB2=cLsNelGr_lf^^;mgpx$hB2nL
zP_+22i<e`d3RSy_y;Xk4iCu&fhn_(xp?w%DBkxYZCeMaswvf4Goi(#zz`81#ET0R@
zj>*y`2B(2HZ32RIoEc7>@q((=>bTR?l}nwQfqS*K_x%&fZ@!?G>e0aGeqFxvENel;
z0ylIc56gG53z=&E=@!L~RI(MBnrGrYUJvnWe&g3AcoXaf*fA5@nmHrRIky#9N>osj
zt+?qFnC=#m>^L#gcOC{$s@R0aFU{8~7ZAqwlb!bNea$>@H&xUP`-qoLH+9aDQfr46
zH|E97x##gW%FG-oOr+E({coEDPUh`wh^#NGUNfW&ZSl8A8Li&rkMDM{yV+!oFYCb+
zs=s}7Q*a>qZfLSg*{%G_p4Vjf%6Pc>XRQx?@LvO_clO+rJi0iXZ-ld9NBN&)erynX
zrRZ4D`K7{^+<32ZQ8Rc!TOVj!FA<8b(g!rLnDf}+oNXDr{+c*q^#OfwMDXpj$NCES
z?&~sP4;}lY`v=i!#&^PbK8Y<fzQuo)_e5iYjq_;O?VLlbin}z|i%V~hkwhxFdm}2p
zbUU9Z2J&488RU|hDai|SUFd^OINCnBb1|8RBJw`2vId92qSWfpOF@!*IGXfEH(pM}
zouK2^7?5I?vze#~<Bc9t^n7Y?Y1V$czvX%7i_pEh3vss;1k|x$=<{P@?-`%F(DoZJ
zD!wviKjr5n&w>bCFdR?xQc(Utt<_wmp2g6@!Y_-Q52~A87!-}VzJPBU&7r_+^frl@
zLuQ?q;Q51QLhW3GSV`tG2inaGrO8a4%vx*u(<>Jn)l+;$<JW@dRQry<%t0r5u$t{P
zY;X?qb8nvr53Ty_tnW$1ZPHr4ROG1Ym2oRRbberRO_MQ~(uu<ceJ*ss&9M1Fid@pl
z(@bA_l$hno?Qz${ia|}I3g%A_I4r!P=J|Ne;uTIsk=0*2LcyUVLUpQ9g7cz5(a`wE
z{#mPJ?YvMTCE@~7!eny0m8qgP7FW`Ji~UX|O59t&zQ;~Tym*4JRpHH-9=VKl?^`%V
zwdo2D40L1lmlQ5j(1tJh5~#6s-$-d_eCm=TGhDeF#?4wN6o%2UC@WPy#>>K1H2la!
z;b@Hw<$6x$<Nz*(qV^f%*Vkn4lcjLA_K1=d<<aN#FvK0!XT5i8a%quP16@V~$#5|!
zCQuy(^@Cypm?dA@7xst0iiw2AcQKKk`b|uJEX26S*QwjxI$7y*Ik6Vyf}V;sDi5*S
z2-&N}N(j0_rdL7Jf3Kx7CI7f=Hq7yg>4H_o>d!hwPSjA(TLeP<^iM>hV}C=G&;St|
z|Ae^xPsDKhzasjBh;@HL)F=B%_;1C6*$mr15PzwBzDE7u$_IM{KQq|P8U3+hLHG2z
zW4&T&<XX&zf{FQh4D(A6Jth4=3I8qELdl8yxt=<ZYkx4;3(z8-BK{-Sw&0R0`u_l4
CjAE4l

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed-encrypted-success.pcap b/testing/btest/Traces/tls/heartbleed-encrypted-success.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..36584582d064a6d2ea46e92c41b19448cbab74af
GIT binary patch
literal 64480
zcmd42Wl){VwgtKt?(S~EW#R7b39iB2HMqM337+6iAb4;K?h=ASu;32C<t?($K6mHb
zv-ho6^?tlmb%k!aNB1}9>@k>geQUbACKmz#1^Dyd(-Qyy1b1SIrB&~VkpW8JpPw6m
zI$}FEu!PK9X6O|hKoS5Df$S3jh`;~<oh4AoHf5(ayF|bi!rfzu=gCzNPfrwK000CO
zbR7^95()@}L%`^M@PGat6vQ9seH_RDIdK2E{ek<(9>359z#9PAVP050BR}r|Y}qAB
z%4@3u?;x3j!4n@X{RcV}1RMhX=CQ~#I(R3z=W|1IA_K(0sL$<xotvW|>%X2`5{zCO
zfJVkZ;RUw9ALk8uMt(+o#f1!@2Ak!%{U;(250&d55b?+uC}01Mhyw`(d<P>fLIN#~
zbwK=1g-YYs+tJovx@%U&Qg7H$W~jVH22PZA=QsfX%TBCLgieZ1asV%Y2M_@W??ml{
z25<sGIx#xoI*B?70XP86PUKEV0755bCwwPqCkcQZzy`<wq=Vfg(TUOt1z-WB07L<>
zo#>sgok*P!0BEqou>lwWcmNgv9RLS_0YCztAiyV*1t0>TAOS!K00Mvm41xkc2H=Co
zkN|k#$q3-BaDPpQ1uw(~gFu5pFv0Nx0R}(?pn<_C!3IJF+wa+GH*){uhyUea4wchq
z4^R33hlgtkcTea7&;Wv`K7UvZ>;o~dcSD{L3p9`cd(ePi?LQHrmsHN45l3eJ4l$7Z
zcf@Buh=HR~2ok6&O&nW+Y;Qe^*DEpEN`Ja)hkUY`(XUT!LC3biG^Pyb!~y_to`BDH
z<4+U)`KVwRq!6%;0su(902pCV5DY&k2%0hn5&{ST0g2=i0YZj>rw@|}yFvy65upK~
zz!+9U5IhW|Iur~hgscK94hZYHgMf*w>T2ZdD(+xMrr>JI%*p_wdmcx`q);_8adS2!
zld!U|ay7Cg6E|~qwKBIdF>*B{Q?;_Nx3afj<pFU$Plm)~`8SBTt&xih87tXKXDd4+
zXHPO&dsj1OJ2O+OU+c`A-OZfI#6>|QxX7&RtRPlS5DzCe2d@se%kkW0V`JrI<<bEu
z{pGaks;qb*oIf@~ee>oGv#ph_(Hk>cS7uW)))yeke?KTZ5C_N6!Nt|i$OXKq$X}*`
zf`Al%wFnRz02u^C1%Ss9AcBBEK!b#NcbROPx?$Pq@Q(}xc%+~?E6{RV#?gGhk_<0B
zpWQmqQ^%cJB!h_NG0i)@o|L|_!A1<U0_@P~UBA#$i`cTwP$nzGeLwzvo?DfW6~JsW
zPeN$S`!y!cBsCm`Ps6OvJb3NYa34JS8MKBEF!Q$uFj*gZ?!%<}&&klKS6-S_3*PDY
zhk6p$lMTEfGS+rKA!Hys<7&=_+go59GPW5nW_lY8UkZHiRvz8DaZ6p$j^b3AE_3@~
zAO=ITNi1Fv(PL)oO9<Cywoma?+o$kyXBHGoCqJqw581(_zL@U4hBesGI6Xgbr=Jx`
z!|B>wO~`!NqKaAg!IQ6Q^9=+zEP?q!5Nn_yh~-~#LW~Io0Rn&!!FDG`g@S^FfGh!F
zK6hR~A%PHJ;22<l(9p1uKoIfsAPN)?6jo)Zl@>fa`S)e$$D!T<Q^~ZV?kN!I^RFqP
zz#a_1+85)PNUQpoeL-jgcQs<le2l^<38HzPfDT0lA_@9W?*<|M?n8~|sbo+=Kt-_Q
zWI=E+FcyJGKnNhX#}9)DJ`of!u$~(T0SO+U2QmM7NC+Sfg{7;jBOeRPbNIMC2fT}m
zEwhP(9gCxbt(A!<v!kgwDDdjv3m`y&dmtJdvi}L|e@DNSgFTt3o2#XRvz4nS2z=jw
z1cB{pmR2rgCjXveM)t<Yh0Myu#m&r=%*e#V!PyjiUC3M=$XqSW$o{+{8b-EOrbe#M
zfX-%4ZdT4_c4qdjE@Teozoz}q-lAlGoRSed&(_Mw-o%W|!QR%B%-q5G*Gwz$9kVwD
zZ{_Ib432*@GAnyB@UuDoIrk4d@LJF3Q#gX3-jmG1*w)J8*XAzFAkJsIl0q?q7(w(o
zv^msaRR1!UiL>qR<}z`1Wo3FE1vgOO+dmBk1VRM{g8V_ee-40vVNCzRa4>Ok{2j!_
z&6vgHnI~9TTz)YEi-{3P?B7cv!nppm)X2){_m$5kc3}apXZ~Y7^B?P(O^m<?as^WX
z_&G43h(H8kcz@^cztRAh7{N3E1Yq&;JFvv83=wC$8=DMAzRdQXe`bDI&3|P6^Iy#W
z?RVzy*8NjUlz4w<{;8r3buyB7#@bY0;8DbGQdNqNFYL=#d?R2k1wPo17Z2#G5LVhi
ztRdL@O}`>hap7LRmavgvq07x5`tDKbx^qRnbgJr!;R@-xn1U~2kMv_vGW(=FX`Y(j
zASyJZXD(0Oz>F5@B@A@e8!5GoPjm~YH{u>qRpDGAS^;hAHJozJ3WIx$Q4*bG_DLbD
zSrIeSFCf#^vFrGLaEKAB66XuHNqZHMH%lawaERYzZ`;|R8AoHs{CvG`c07$>sS($~
zFk(l7kh(ux?VlMnceuB<)%4wki=a}5*zSlBt+N!XMJ(aE*<=M<(AJI>0K)^;Bo0sz
z6wx1=1jPHR;i18b<og$j|Nlym=zg&YSdjkjn+sMT5H~A`je`xu$-&C~tU!P5{{Kxd
z|1Sai9NAZX46ot=Tb^h#aUp?+7ZRXBn(%2Y{Fd!y-B)RtlPy>SM-;Rx;?6NNE{;$g
z)Wq`OzH%)U;bxwl`|V<?b&(=C_s&H7EP6XdVS6JoghlO@DPNOXA*sh(@>h7XqoATg
zSbKiQ@VcAZ{i7fOXotkBf+YkH$vc-v*r8d2fJ_Q4l}|7W(czR<Rh#s4d%;s}=T3``
zI<%;jIy{b&7{VaMQT|HYAE?7QrTQ{u)kZIeIYtHax)FEKI%D3SKtdWn*4PR;qZ|>5
z(+|p^X!7>3k`JJDF@`^?C99CC2(V(j_uuZ!Db)V99w&72tz>Q1k+rm^cD&L~l?CRa
z_+J7BtN>GgDG2qM2rz-bCn#tTB=|oN%JTr~^8i@MfG~d%t^cY?e-$ky#AAX25#2&u
zt8mZ|ho$(0=%+J~`JZeBW<DK|7C7wwC5T|+Bm7(91JfMSzb8V3k^db>xtP2Bi_vud
zU}iOt3Wz4>MGocvy~g%GCjKu9{}UX{-vQ6)WKf=<Hz2pa>L(Cn{{LD%IsSYwu-el8
z-Ge<V)t`S2{?gpP{FMsk1jrz8LO>2LD^wU^zls<wv%sntccr13xAxUobGKgOJXF$+
z|Hn&GsOYU69ieT&r_hPJCo)LW;R=Ygz69s%e8riSoe|;OsJsmy?&3b>IL?`i8G9J-
zW%BuPji+G{h3sP_)OqNSveRwS9k+PJ<r}FhF^(%qEhKd0kgC1~eW4p**7h^=Q-hiR
z@3Xm(pZ_iQI-yI-8-xr%BQ5+(HW&SzNjxLEf)NQJ0l(URW)YCcDi_aMGM@jtmJCAv
z(h@v?ptJSwTC%pFp4{$A<bAJ*rCjc(F74}mQHU%{lDu<;(KYhqUi3nG;@pk1J+(m#
zXTMC(!{I;`RJjMGI8q9+aq<}o;}TSjE*P(*VLH1cAa3Bodn{iWzJK{>86n}kHwD{g
zRn?UneT*wRYg8>MW57>FzN=d^axuHh`V$e`h~Fz|V}HKYKk1Y8hOu!<iK$Ox_<1^;
zUt*q0d&{-i_~04nKDz5mQOc}A<eDBwz|S~oSeCkkj_N!=19_bZ-E68b=vO*ckY?ht
zPQ9xRNgOtpgma};3Vy2laWdbB*z09(x#S2`i`bDSB1dJhM<ZDU;yayZ&E!=$qomL!
zngrj{niUCoX6eC6&{b4%qBD~#HBN1#3F(If*LHu|oa%dkmv@C<KCS(VFBE{Bhlqc|
zv)%ipa-DL~XgyQUo-9(9nbNw(xJ$AwyE3}?l!E`-cRhZ>3;#||VPneIKrR^akY<K5
z%O<u?J8%BjHi&N74PQW50WJ2p#f@g_Q*d#~m~JsR{Q}A(0f5qw09;Y1)+@tM?+^4p
zHHI9WLdFr#QI9Q^ohCI@bs934yeFwy#YRq@iLb7lw{?kx`cTkC$zT{>9JFb{E+?_>
z|Ln-B00LO-6yhLmyFQ4Xt1m=xn`B1`mE~f6b&$<8E}D@awU%12Bl63K<DQ2<RB%k_
zZKsL9u_%jw8yPZt?~DQadFyix4iDG${?7%*iSfZs!I$Z0ac*3DdmQJ3C1Y*z@rxgd
zm-HezfpBHXuT{=F)62`M!W`GA5L4k<Y)FIh%GWN;vTiyQ4CYkd5i07$o4(pqpe(XX
z5Z)}-_A;9Z?Y@vW;+e*#X`-Gt(Mmh5B_=4Bs!^ishSz@s(|+WfCaSp}0C_Q`%=R{;
zFwdR%gXP)7om9;a<vSroLw!O5%18guZQVAutA|%6Q1k|SELwbNE##;6P!W@eUBrpX
z2<i(A&si}P3OJ2_zAEwmc=;Ib|L*b)FM%)L)PK8tgZjvT0WkV=`_EDepqU!t9}w}#
zew7#gRh)@=zRu5wl|loTdPJd$8yPMahC&{vx7*8~uynFcPW<A~KgeNQN6xLy*q()y
zlRvHnFFU@SbjVhj9zjbfNJhQ~hF~R0#&j%yEGWvvdQQ85&w!v^osc>zO7iymp5${Q
zlZ}J&H-2AWhJuu&`;$qB-U1hG0}Kkv5{eTMTmxk!^SN4|ErsZg3}6IT2cFx1k_wPS
z1x!=yFp~+tlgjWCm{ckQ@BpF(S^p*#NpP_v=J^<9;Hq2^c$g88Q=K1X0cd1?Vf|jn
zA<O>|38tj;{gl4hS0hNyi#x*Jjc{chHhzQeh`Cz*h?|<rB~&`M1jN?JWC6wR_30nG
zYU*}NH#%e}26fr%RO#>er?zW(U5nsQGkw0!$&1&gCSNKNMLbg0vOCE!ID~4Z_z0v_
zYHsVX35U*=@ZYX1G?UHh5xW_tE6v`_H4JBZ)G(B#11F1&yIA4E9QYPZCjMf(Ifpre
zjRzV2H*y)oT%#B4g2G){=h-gkAWKFp{_-ad18B|>OV{bsIJtN)0PSG+v+WeYw)=aE
z_h|pGF;SV6H_``=veUmrSt2+lB%cv)z=#&$0DEr#E6TK;xBmeV9Ay;Qe|Q7ziC>6#
zU~iE5$PmA*i;p+&kf`aWHp={7H6!9ZpLNTmY~&*{FM8Jhye(?{KV~VHzp|96--BSJ
z4;%#3;EI>%y2HPNK<asG@U|jkHu1Qr1aVeR<0)*xp%~$F9~+}92dqiP>)E^r&u6@i
zA=SL`C?j)pi!@m_8U~r=s_PZr*%%sA?61?<dfZhxPp?Q=bTv01e>pWw!wRX1D8?bs
zcKi`@r|Ncl@#1Jd#2FedFf1}Qcs7)Yl&`sE9gDut1HG}&`28nnahg|ahdOAvvonG)
z!RqaS5X(WXM%65qaZj^>pUcBWUPxay!@HAqiy#NI|7fPkM5gbjevy5I3nTjdO4mVa
zA!k@;#stfN4SknDQr&8uWApoh9)<v4gPlqaiINK<sd$inkB>N<OHM@(E_MXV&ST)x
zpv4tPGGotpQuFO)7ELj2RP(?{fA{gr(HFAOum*TPCI!et7|CNTf^sG?JS&voP!=eb
z6;Z7}s#i(bFW(F=XnuYTRgDS}y?J%syfaZzm9(>#>Pp1HFU}_E0{|LYr0phL<8{*-
z11+$&%j)7veHsqiT{PMF?aTsgZClp~V2(mL2Oo5zuGSe;r)W{u9XvbDDj<nGP=;Jt
z{H!C1+NluPv#N<#4fJcF$!8ykk+w3eJc~^_)(kFQnTQopF?XJ&<9K#DwpcEcojiQv
zuak=!7KJr3iXeOx*GQD&RnzqCYBIr&KxKCF#W*4C)tJY}SJx=^L9nV^hpLn@QfO}9
zr(o@Pa;B=N_V#^2QoQ|+lR5=8_;}9A0mc2}0>*uQOUYSsF}=DkV;MQ_a4{=(R(eCg
zOO8UR9xbE~l%oEZM{EdnF9ol$_&)<wenR(F<7IjgATpz1Bqs%H$kr8=P`ZmB9iv}b
zi*SLUeCW@KrP{M_rM!^ecR`u}ospo4J$u&g-&Go2@pdckcMDS+%AKP$h*b#bM`3H)
zPqngIG~{lLdKbx=cfXeb#Xlxe&%X=d)o{UaYvt1v%S866M@y6ED&>XOW*l2~)AvuV
ze3<s)v};2?r#>J$?@j*7z9Pg&q%p28DZ=mb0z;=Ffg#gV`;OrN`ONSNRfyd2%ls;0
z^?d4lKipP9^e5n#6L~A41`AD2((nX7aWV)O#Z_a%+mXX@ZP;(#y-F_#raFkvrKNSQ
z*5HCv1dd6qz_&7r=h}5a$tR{yjdpik1J<uok(4xhB5V%E>LJv~<0_rq<0dUOoH;)`
z#OToj^?K|blRLl?V<-*4{?zCm<-=k9;}Z&t_J_)vvc{yAcv%~5?J8r+X72n|L%35{
z&bo|&UA0@nmHC7iR^9>6@ohk|u9ok&kcRZ3BdF#`D*rVQj2S11H6k>g9VztK^>@(?
zm?Wg=ePQNVCM2nfi^qACyej{5`la^;YV)vK*F<<V11lealiFd3Ry6|pta5nyRSZOh
zO=%S<i7Yyd;Ro&5(7_rcsSh`iL`$(tRLb{@h?OgcJUqU<v|aputpmm^X07>T8d><#
z=WCm{J<BRCUIz7bgT?6`v{X|J#-&+{_l*N=%lswp(tkj9nIbm_E*(i;`O)dW6(TD7
zR>Qr(rIcv3?nx$Zy-`I&Zdy94H2t#vy_&i*HNwVF#5vs5qjAX_<MfIeqndEQtu-WJ
zJ0tQ_)dm{*>i2{WjI_-P3MrJX9VGLb7{Y3VPaQ1u+1CN9z`8rTORKXvi{c0-hVr1O
zf-9oo#+S*WUO(uumvW$oW-@uQFhQ5c^#Xh0!(<^*Gm;?$I!n7_*K-AoMop#sVlRYN
z==Zbjoxkp($$Y}@%Rx2%@qLL<eD2Ga(ec*ydlJ15n-7;WF1mh1=`rXIT8m_7guTtj
zwgHz^sT|u@0e3lU+rhGes-G-i&9bg&Fkg+cXvo7d=veX0w#0mlPAQmNxN$02q|wgk
z0YajaG(&cvo;CIvSRukulUiG!Y0sIp`8u`xv|hIFV;OsQ=XXTKF)!`D-Bsycp=#WR
zPA-M1J#_a;RSJQl+Iwbxf`4ZIt6$7N`8)GZ+5gG>llQ+f|2qDRqEQA9*2L7TUgkmO
z;fKZ^#P}&+dpE>-YsX{A2tlYs2IVi*B_T5iPcg~O_Np(28&#+&G(6Bt$efOGI?(37
z$r<_IUIcAzIrZc|w5^^it~0SwG)p!eKQ07*pX*}@fL#iVJ+kh;ZSI*0oq2WQk93W8
z1+U~(6?mQDn6k8LN78N4-!lyeBn7EX&g7#U))!tG7Avtk&XH<l0t<T1flFj;yB0I}
z1}%Yk`4Apu8uw#5b_ObBwRalyT1gbbG}^&xNU=Ba1gUVstY>a%+g+v-YMS&D?viNj
z3wj6N$S+f<UcgpN(4nj|!m*cLm6n7Of6s$gaXg;ok%lRRTA6dieA&JPS(Qgpu5apI
zA>yuyH%$K(XJ)%;4oHit$U5`W!R-w7Sgxyyq6SuSp4@-@ZROKD8odv23L-m%{#Qxu
zL23d7{*^juYOZ$dKLwE9_|m0diKL6rrI3u1x}CVCk(dJIF6LO;%5YkkmRWQy0=ZDW
z3wuO}@hqwV5Qnca?Ckye!}os%hw3V9nbN}@ov19r)W0#YYWYg?9-!7lGEv7s*=`<%
zllb)vrqvXXMqpzUKPl|)+e<8<j^m%s=P`&Nxu3X4Lt7@`mL@A<*@4_ulrf(VtY$4o
zvTv?mv7t$$-!yNq&_5APO;}PL{vh`db^_8lpV_i))c+R#i2V6uyvA9?PI9@^CEZk#
zr#1_}{Rzh&TxUqv6!+WY9mrxUc2JZ4z78`r-wcw;)zx-jbkz?L<EKQjCJx*c6*w}Y
zw8pQK0Xbi)ao~*~&mqLxF`@`A*9mh!TGB;A>OA=ZE8#mpv--gGR4FoI*0N-1+U=4l
zk3~fdD~fl7#{5Qm)&1e7s>Zsa-$3y9-Rh=v{k=(_Wrn{<4Eon5r_4`N**Cb_X(HKa
z`?}L!<|=#*hGGRkDXe=MR3E<M9U;oW(BsUZ`U;)I+kTJcK)Q#3bnq}2o&sany@S}H
zP$rWbRPm~vM592S1F_&h-^(T^z?18Nv}yHHr(cQt=*M;}{{iBY^XslRl?TCzMz9pG
zEr>e@pZt>O8}<6xDg^UbPZTL-zrB82la;xUp|LGg(|?x)yxP2Wg4L)s(Oh*WhTnI2
z**$AkF6kEp5B)Z*Yv()po01;BY5mUY`13SZ$@eSBO9B(lj$cJ%RY~yfOx(LpF?4D3
zMs2qWoGSM{uC1I{$BJVJe9hjBVKNx@dZ6J@LYpk@(o79;wu2-?%U5hzT<Wom+ShI{
z*mXE&_K^Jo^!--IM#O{1V3;=T*mj}(IAnH;NLBp><Ahkl1@ku^ilUH)Ap80uT&&#=
zaYrp{m<}$dWXV$&CCuJ-SA-CQaD{j<20c;a`%RQ0W}gl`g6PH12_zYb^|xGTO&=;p
z9l7yT<T@>U(jGVP_qS+6A<KPJrAHBkz9|%om2$whz!WQ>r0tNlR3*@TUCFk*c4*Z4
z3J3>8@+Nq;c~~IihQGb0>K)i-vFHU!qRHtx7q#4ED8XWP(1TFaB<<;nd}YbA0-WFs
zB|l~Xbv`HTca0>mtI#=};4Xi>(+e9F(v&78A)gt1z3-p-PII(J&6Vg#P>l!0@n#?4
z1$u7N-jFZmF4O5<OjHStLdw%oMiw7ZT~+i6x?TNw^mW;!+M8L~_d{`*C=YT`T+-eC
zsu1L>$R_Lj*!;cLMT|7*fNDu5H1gOjn%q#Lo_Rk}w=4*+!tY*n2{R4vO<yc5z`i%m
zHG$@%Kz^@a#))~1oQ#p}M2Q)p*Zt+kgmQ(1$_w;6A0>(bG}O6ly-A>$Wt?)voAtx(
z*_9TLCilMmbXYrNZpWp9#W}h)BioTqV~MfhJ!!Si`YptA>2wor<xOhaNm&35uNTFl
z7*|6|8gn>8{k|}_BL4iEuWIBE%UHYxyXF|PA91AemqcWqncp1D{C}UkAQ=7ERAV|R
zZw?2XyvYA0c}W8&FH+BlHvg<8*T1x6;&&~X!}(K7Ji$57bBg?o_MAnii>;UE8Z6vB
zZWsnGZ-1NUcF3dSboW#5xIk?kT74+dC8I-hSYB7xNcvF36wjKc`8}>@OBViz>YKYM
zn8BDgLhiIawDiD?Zr&iwS19ZDkybdVeV@uDg;sZS1;0&?MKA9}xtD_)w+8O3mQtAq
zCdEQ;o8D!%SG+&iuakI9#Ip7ngN?AYMM(xh+Nr%8(^w@GLZv`#^2&5|ncIpKOjDve
z?_XM^1*g_CIBdk%N7ZfYVMlH*g@1!*x8#(ZE_Mv!>jh~;#H~YDX5FFYMKfc|N0jGw
zlLF%rKU>-=QwtWkpV69!RqLNlz!%=Ux1a2nFbG%s?7)XfM7gD6Sy)x>;o-`v@>yp+
zU6EQ+{wMd=%NP`%6*A8CwEj0f{OvyhfTf@$4k}YDbX;63fr+6WTNY5u)JZ4*W8Vp(
zCZ;)eZlUX1<6HCjhR-`MoM(GpJG~v}Q5pM)k9SjasY_fWfKYg_IF0kd<bs*kfz*8l
zi-Y{zyVbeK@Jh!vrwg^r^<huQ__Nez^PTtYyspNAC+n#3UC7IOQEGF-6$3z7JT>di
z`_LqGfc=UYwP7cxtSGgMKD+-71OCr#7QL`q374;^hot7oJG25D_lkZ659g8}sqmX%
z9^yqHX-&GcBYEI_w`1a9>4IXzWu533HAXS47uqtQV}f0>&14m1mMiQUoy_*fx4D-s
zzS_0Wub9v9Q|(NAw1OyPi;64#j-*FadB23U5BH9#%a*AoTOde8XNZUMxbASRWsG&&
zwMZHvAAZs;qC)45h0j&#Kw{cRfVWB+ZHiNEaTP2;Jlu2um_#vt>R%ZeX7l+p`?W>s
z{Ck0Q24vWGv)Anjek@E-nBI3rnzRm!B4fh3>u+r9^Ac~)qTi|CXtcL)=q7ku#zrxP
zuK&=}=_w^%yNFut_xsowIq_`^&EHcK18K&V?Sji0CH`}Ly+(AOAw${Kkg!t6d*0;p
zpMzPb0tpukfjgO}Gh9NuuNCcDmD}P3DB_7|OoZCx_n}Kzr?AsZ`q(bBIiyvVbv(A=
zMtxmGg%b+h_dSy(476lRKU0Mf|0uS5N>q}!MSE!y(jNS7p_;z6OE%l}v7piZgN6+j
zuIIO%jt&-`jQqE<4#=?!#ru}Mp0joej?(t(u=_|G@^huN-L!suf|emRwT2N_xR%In
zOemW3{@b6@Vrsd9n|k8;5h7Kr%4&in!;d6pq1!V1{NDS?LLU$=#<Gz2`8QVI27a0+
zq~q@6u6dPc-j`{ccQqOKiXG|a4}~>C`%g!%jyX=l2AU8M0n-LNC)k;jT!$$n9~&ld
zb32u7GN?Upl57Zg)kn|rNtl_@1nl=b;?^#S$`v$13`_ZMXF)?M^P*o%A^O5+QdHd1
zx=pUsCuW8Qp^kc+`6W^mI~P%9gSp-*N+Ecp#fuY+!hO^+4*#*S^w{ldGk1+xgv35^
ziMIB19E2)}{IyUgh)Oi;Rlnf}C0;zoI;_C}<#Ana{M8@k%TwiS`I8qkkdat0<JPF3
zZyp0CWBX$F@=D<QTwu<P9OKcC55+v9kI2gOMvSBz!a(1G5wf$M)-hy`c<`_Hwc%J%
zEdBHbvzhP-*N8NNI-6Kaf*;W{U>c%w)@drK8cGE9Pq#TM6wg{-zki&AN!O?zZJ9Va
z^z#}rVq)MI%kQ?5;&lA*Wn>K22%j?QV1aD*I}SG={wMWLV?{|STx-~X;CQKJA9k5e
zrH&0h#tyYcE?O*0KcD3*huf1GFIHmsk_?y!>|3Oi${0Sznt)nZgOWPQ*F&H&o7LNU
z<ZUHS!D}dqZH;7gAJsH8xXj5r-mQj`k+ho|a%dSE@lXXKPfjm4yyLslZ!DxPG?5K7
zy(*}?UnnI8t?vW@_1{kY?p|`VR-<ux*^u&RxV*x!Nf?>x<s%5JH)v#d`^@|m|EMLv
zsK3*a<#zC!Yk>czC5Qj4B{#pcWc+t6S#JMROYV(-*OIpik^ybahC?|F90F&q_SVd0
z&arIbavX)DG{X>paqC38&O1)NiNHoe;|0_T0!tyaMtO0r3hw$Z8HofBA4}qG(PFMC
z${&eq$FUtsRTTzJ3VhriOI0l{%Z!|yLcHpI6^FYzI(NTKeWM0i9g@7(I#Qf<`^rH)
zD0%vBSH|`m!mw2M&K1eI&e-JGV}wUPul`<<aW}dt598pNv)tz*@36SUiVGS3gn;aG
zdoiwcsNJYg{Zb45<r~FO-mHa#1`PT++GvfDA)KlWsxKaVW*#9Q&3Ae5#)92<i!0rv
z=hFszL??-9Q&{Ob47KmL;8CN*&=ey&=xaEYaPW=&)u`ISbgQP{J2^TQWI9E}e~j0W
zEn(1Hy~e288@8C0+Mx4NoLGe|p1G0NMjH7Ul~0YIG`6s72dhSnaqd?xLrWoyyV~A>
zNy{+xNNV0O+~{{$Ffgsy`5<0mDJ_ipaP#z@u~<`pN4J*-u?Gkpu$i&(+TD)%wO}?B
zrF$}*`^GNHreWloW!z@o3bf&;OjeP^8nc6d4}%E-1CVgQC7l}_py7N4#E!y*zR-LZ
zf0zDiK?6S#=#PQ)w%tYD<mN~sQg6<O)FSMI1sEAbR=)|Pg}XzDKi$n0>>zPTYwJaL
z2#8-F!F~);U{pVNgtGMhScG~>T|l**Yp>rLNUfb;*k8sdp6}<o5FHIOj_Bk_W;k4l
zfXL3oW&|Zi`0B)rQ!DVmw`!`QdtO*xvV7{%z{vW2ip<UOdDNw5q}unNBM{<eKLU9%
z<Mx!V(8I{;x^HQQ!gybM86~4#)+~HaDH{MbYY`x-i8WZGjJsBE+5~8sUO4rBlOLfi
zyMiTTTd@bWWw|xLJluCL8*;0UTw1;rRfyYBQ12f)h;xt{&narptsrf_A5}1htIf>t
z#R+OX^KBfpP%Ae)j<*ziH|l)S^CF5@9)nvG0_|0(D0UrIBUVemu3!mzXvdSCN1Ojm
zz{=NlRP0G=EtNgc_;;t4yqsF3$Gfw1!b}mFPH;g8A$L0|nb#6<`q;KqUm^VB>k&f>
z{MTV-Xn*97_?AYeSWK8jL&6Xtvde`Am865s7u12~?<~wYGDKZXd+WbDCZ7Q)P%}l_
z7&WJOj!|*qh}56hai~8~v9Kp;5mZ<Qxl4>0Nu;l|*eqeq6KZhj7qx}&lV#SET)jt_
z3zgWW3Hw$|bLv=*tO(PRG#jE`gg+pQHB$ewd3%aOWYE@d-)fDf8J4g4K(+cb6~eHT
zgkYzupQyklXHE0Y@=Hf~RIkheg|lwOyrqoVP9HpcBD2`#I~>VXHn#_)5Ol<F))|B;
zDe3Lk#ufNgyi>5}=r+sd{9XmEa1)SdxnXDhr&3JIrOrWbF$;;b+lVb)0bCr;G&yCB
z?p+P_-k)#8J2y=_EdzkOonLCoQ%B5>X)6lSzQMwL_YhO&hD=qxW+n*fETx$x8)-1E
zM_G=2U347aS?**9Z!C|0SM}-G6^6CoUi<zi;baa{g-?1PsAmHHG&L3U&BZmizLhdW
zBXaD@ze94n-Ih>Zhwe;GJRYi_k+P$%eSIdk@10LxE^Tj8ejoa)xF@g4hclaKlR7I`
zc@#k@{s|a7oA`+V?(BjDruYlex_8t_H<}kRRy`!NrnoHj7Bve|4PBevU)n&tY8%=P
zFa)s5!``g@Tgj|>^?8fLmeBres9qTQcIK3nJuPkh=i+XV%6RYD%n=OMtD!#hw0!bB
zR*0wO4S3hhE}0~ksK~529&b5(8j|H6@@69q6g%ssR%&~3<gj!GEne{LUGY5Cr@5es
z^|@AxEmy@ns4c1CkmM7xaQ;mdm^anp<@<+rL5^RGJl91_d`_Ef>QJY}6vURN7ZLRx
za)Epw$PnaOQq!Z9sP}6)TddZ#NLluHix!0r7fjqae|>Ilmhg|CMcn>k{;}Vgf5ZGw
z<`@3_JM#w>@?MCgu!V?-x$d9%jnJAX!ou&q&uY|befi_&1*J?#qL$uQ)Y3$ER;`#p
z!R@@p=$~gZ)PYzLF<0LhAna^|8tU4P`9(;f@HszA-}=zO2V4nylV&bTNgqI+?nv&V
z!JsKgwUOOV%JHu1W9Q<5AdaY#)FV+FvoJmdo4=+tD!Daq97HUANW-r=mPB@4{A|%(
z$>rUoogM4|(W%>_PkzuK{~@L)5->2QO&$a58a~rE`9*~aS{{F6E4KXY{2W%8nF0b1
za5LMPUSB$<6Eb0c_Z(jYqV?Jk)TKlH3ejsvkwof?^4t5efb<!+^|2J?PO~T(ygKca
zFFPryw5e+$+24K3ciFNN7&$f&-hFXWkM2-2R26|+YBf-8Eng8p!oeT7xGT|dty#h7
z%fZ^NDg(Yqhp`eb5WG?Rf`wEvZrZ%brX|NnXt3zRSx1~FFOIaMtzML|TS2uiB?O$T
zk4>re3v6I$ikqJpllp{`T(|xaP6pdgc}L@_5k@SW9{#Jgh$ZKnDhe(0_fV*cSts}&
z7V-!0&HOK$C`(NeZOFzq6wg-TCGhfeKD5Di;w-E1gt=Z`hQ_R+6c3B7*2TAY7<Qm{
zst7dH{Fva-KM)gaIFfT1&7jDAIK+UvvF5HHxB~KSS3-wn1~I<%z7=>y7=xJM6)%9_
zRPyAA_qJSZBNH8uPMa&J#?Zc460PCtaH7?DG{r{WjSouBj8}STo1<PQZ`E_EcQ{9y
z3IeOa%6_}rEBUzPWXyjyLK$5Ny*e-Vg+ryGbxw5V6DcCovR{&BQ#L@SvpS<-4V$=N
zi#V4fjfb8sax`&U>($CE-BB{q6b(tTYkfi_Mwrb)$W?JT^7uqG?c%@~jyDHHWU<*p
z9c^9HvWD2_bZn$e=DRf~nEuehJr>8GdYXIw;S_0k&_aWRG-D+v!r|8Py0%sKm;xh1
z+fcosq&K)-`0L5lS$ykTgN3g_EI-h)%ui*VsT)lmxjzo`8|Tc!>Aw;7+`_GUul5;r
zgI5$$7MF;nF)_PWSS$8Y&f)z;lj%o3*mZ9{=ol0tdTjFCs&(#|W5W_Dp+;R1NR@9R
zWE*H7GZqhl%TdKNECZx`u--e~kqJ@i^90<}Z84P*n4hc_a)ajYlFQjkQ=`3K&zST6
zFvEx))x+nNVbSmXNVFh%lE)wh8N58B_o4yzrdH=mUz(}02@d_~AP=vUra9UB%cFi6
z5sm{wzv&--ZrLR*Eeu4mjBwQEQ*bPD3kTovAOa`e(z~h*R*Z-g=gc}K=c0a+99PZP
zttC>l^LX2(iwf`@a~7MP`l3hWqY)dG&NiCXB{N2ue=J~Bdyqx<Q`ThL_o?$+ljm$Z
z;h-ZntRJRV(CjH2Hv}+LbdfKY>7u1YGHQvqyEXIaD6O_3RDp*6%-#?!1f=oOx{9gs
z<kobJTNTFwBJR5>c7T&|o#x2;#mWOy1HnOyd4lcfZfGsHVoHX{6!9fSrQ#OW;0Oqx
zkD+`GWB-u#st1pP$kipz<jL=~l|BQHJSZ;$#Qw_vzE=OI<V)T;+_fu3R_>dpm+n5^
z!7tN9JEWLvWfkFG9CLKXqC5T!@;I__?U|#yfuM}u%rdKabvZc9cU1>)#x8V10#Ov-
zFtd+UeW8*mpe^NPNUFcQOy<Xh9Gvp-<~rbn60@Jgl)4PK<$?Q5EBIqp*{yU#0bX$7
zGl@K6Dg7kbv3>qv#E5<C-bUpzU&&!l2Y$Xils4L@NfXI6W*zcgRQdp2gYmsY!Y}rv
z?rEZM)LbC}rg{B{8rNA<y%Vvo$Qrw5a8K<Rf_anPW=J}o@XMPpuz6<+q(Q6Z=Hx4|
zDUPThXa1<4DVc(A;wyF?ERs{4kHN$V?w3$?TSr(9c<l^_M<Ve=lX^zmhy3k<5&kjK
z*J{b3l;!a`iwFZV|KC@n!sq@ji`Yd0SET;>#?-$nQfP_)s3mv5v}E*mE!jo+Q%fXC
zf7cSauP}UrrO}>g+%fEKGPG*Dr4hbNhhIS}X!h$<o*2r=E~R!abr)*NHh<nxwv~Vw
ztVlwz*-7WQdAvjx-Zoy>zW*4cyP{tIS%Dkb;6mi5AH|h3;(IO`)LQy0$hMF3FGU5z
z8T(sF4*`$*$%G3ZJ2DVN3%YWgK|>CQZ}zC}@h;wUj)cmx0@glpdpt>nPrZLFZLdF{
z5A!o|6^ny4eE}CSB%q76UxRUT0GcyYDaQSXD;!{uvdO;Bo$JWkg;BP8V+}*;y<|N{
zn?dqQosFY2ho+`w`XHGzy~!fqvSd!uC*P9Tp1cDnjYSeUb`ZozbD@Xb@^D#ZGS1|o
zd+=qj^#>elbL!`5#7D_0fdY|cxZ=>vnYY1nKiOyDhU#H5J0_2XRK(pOdquzB)v80f
z69mr%8u$pGXEMb!_+(>|UGL}dye2H}wSj;q`QjKKoJXp_t9tdqy3M^{m7`U933YP#
zMeo3Au4GLYH?q8yPo0uc&bqY3h?Y)jWA5@5iSDacSR9X03Xl{YKAFt4a!(#rfRLJH
zD_oY!7*f_8$O07FS<iuU?)P_4)t8)YG(>`ouf$;73ou<LOc<2WS#o<=W#;I@C1NrM
z4VolAI4+_`JKm~orDp(kzT|AkSTV-E*_Tft90!0>&pz6&ZI2aKw5PsfULlK;)f+at
z;rRktA%#g(!^hC{`umU3<Z$wQ`?f0cK@N9`bDXZoflZyHneaf8mo`86vDybs*-5-=
zoP)vNJ=ztOt>}<eO-{ZK_FB!>=k_}Gj(an-V({~x5s6at{$@KLqVY8qkI3G=@J29M
zlbO4pz~@e+JDRvm_Fk<p{q*kix^E5I=}FoIHXtGkd%7%ls)k!ym}}>jx-*+woEyD&
zbm?^~`6Rd;9EQmPD@ZA_!2-_7p#$|=Z+?i`h9&V-EJ^u)2$h#8*_fO=qAiFhOX;nC
z$;gULVU0zsmGC-{J$?JF_?3}~9BIfQjKIr2vNYVAC-`%^CItGnIMU|3tav)!>)Z*B
z5FeWGqk2K5%Ofp3=2s59yHiN{NLg(dvLhH&2B5Cg?8pIv?xKhi>9MAq`iS%9!O-uk
z#@q8tJlDdgk%blLZksP;<=s;aNXPm<8S>zKGu*?z7F|J_F13Jp?0MXNR69kv=B90E
zH@r_SJx-pcoD{Fw_)%J3Dm!9>%XL0r#p7aK;jj2b(}?~xkrBC-SL=fxT<jt|Vq)KS
z^d4TVl3|LhSl936!Xh&#4f8Qd+eLQH;ph7SSwD?^sRkOi*eYl@w8x#6sS3m91sV<R
zF*UBMV5-GRQ+ha7bE&^03KC@@3aWIxgRvTR{{)2vwX%yFQtiE(>(=z8ZkJ>R0_N=l
z6xA4M^0~s63hJWFg}_TWL=qpRXmb}l)=%q9IXQP9L?XBQb?x-jb#?*hucj80bSiMJ
zA$Eg);`MkL`+qVXb13@Bvl+s$=K^*N$2-bz^CuzjH*m5Y*pm8r{&0hD6QjK`=t#{V
zln3jRzVb#*UIMTw?aMp)-fKFY=rAr3F-*_D?s}5kV=Sw?YWhyr%xM8ldK8v=yGl8?
z{E@nCdQ{E2*K77?dEpm5l>MXOS;1AcbDP|Al+wh+5LsVL{@TR$Br7G&b~So5P3;&g
z0p6nT_p#%0HA#fyiv^UafLu8Gg+WfZeaPu}>w-PFajpr4x38V*_Fj_;Xo=A9&%wc4
zH`R~-lpj(2iJVA*NX#utz}~jdA1EJAJFarSyY2M&u#RjBxyZyraCPqKEw5|<x$1X7
zjG@L$pd}~_DaCORoWL*_JC^Pi<A+Lb!w$!;zHpZGB&Jdlt08-UtPmlB@|C7vZPB-?
z^P)q#X=`yJQC;|sOALwdmdCJ~xa)HqbnZ^g4#U`YjE5x0m-NM{VQ?@x_%ZgQEnei)
z1D@O#Z=SV87|i^CuO+waf2So!pZ~5R)$-3;0)C|s{2jiL-?ilE^PgH`==-~t2$*{!
zs4+0Yei~baNO~p8h6oiJ7{zP-PWrSX4_O@}JMCjvlsS_^f;cr#nwU_u*gTZ4>SWG$
z>La8Ub=%DzN4}g<lai{{@usquOX2l4pK{J-*;VbePZ>XTZ(dh7WK|-~$|=|Kw6J)0
zFLrBuXtwXL_m*~Ur(k}Wp&8LrNE1<pDg0GDn}}ysyc?fqCHvzR&#o8lgS}+`{TzF4
zjp9_HmYHo@xt7IB*P0IG(<iN+a~z)j)ex_;BWc1O$ekPte))ZamFk)=LBlOQW?FG^
z*6zLKAb2Jop{$>Q=Ws>R;nWPYo#-m}FZGj&NEb6Xd(8njFpQPi@sFX0YI5q4vY_T1
zKfx2;wQL@{pWxR@3vQ&^7?E}%Xc*McsLxsse+H5jzs!9wnB574_1|1jv!;x7d!0DO
z%|@BGh&T0Z`S{93f0*3Pr#tU1Ok^slzwF3!vK^Ziu+Do660B4z7%4{j24xB1HFz`V
zQZ?*H6y%{+h{L}eL-(R^wP-BC2WKyC6$(3?v}==4BU5>_nmu2ZEMQ0J$IMt{Q3YQ*
zYl{QYeXMxJr%Bs_e7a@eT_YO{mbSO!Ydh3axt>I24Q5@G8KGjs3AUX@9)rQwqn+N7
zHr>Z_A!9KZ5l}^7%qa8EIhvrF!@8WWGhsc+4Vyg-ccEG}@F#IJn6oruWip>?!nKkU
zJsUl|EM8U#mxeXvuyn_5*7l}P{+LEmH?*_B>H}05rYPnQC_;wSR3=Vd!FLBg$WHEP
z_nyK(m?ahrBHl#?H_(@gilN`8cIWE%_QA?~s+`uv_lc=e9f>#`*Ic=w)ild4U+?3z
zOs3>HCj;AOFDf=^_=J}t;Jw*P4EE1Pn0+%c*aK6vVe1#+RAx*~1$6J2M&Z$<_4cg~
z4bKA)lea$#)3s?gC45>iC=9XxigFHqS4=Nh^3}$T!kaD^RBYL>knWeboBK1IxZ+H`
z6*UNu6oFq<B12~=n?4niyoTPgUdK3;;Nz^Od$EW^3fCuLj)K$LiJ#Son;r{Gm}eQ1
z_{HeQs;7WMk)*?3LW-jfs%fM+9(h?R9j3jt>}QFIK%|e#-RtZms)CtX1`Oo~7j3<c
zeR;vzwr8pO(&{wx%1UjynBR(9b!t-WzX@!Oz9mr>Y~cy0kQ>Zq?EIwHPZsS3yw}LO
zh9BV-ZpD*DSxPMD&<tHR>nuEAL&6OS-(C*8SQA*Y9w6@8+J77BJnyor!jv2A;3~+g
z`?dI(D#xR|*1gD+^zC{S<dtt^Mggvm@Ka^xRAEx`z<oL!f<BI3@@WZ|WqG|bMqw-6
zqOzg!<H6B(hcX9*SKSA6`&M4nGvl99v`&3ZupEcMNx>G{eRnJ9<N%>hR26a`Jj(GZ
zQkaBsQa<Mp-iF%t8MNOqYHl;XJe3@rQ#lRUndVYDdivf)CU!a+q!1dkb{CLyXlxBt
zeQYA%y)NV07vLTnOK-T25QgLkCzT!wQ^Bq#mt;Pmkksv`-iZz~NQdv3WC)8p!a3fl
zPB7R007)tYx8Y<`nnl+3>2W89h*NND_5}l5QDR{2l5_#3gsWz{ZaL&p0$rd#+Y^os
zH`R_ZOpdbbEB5{G3LdT_bP{YCT7o^{ea;YGG_{nmA-+YN$|wu{>qxXkb+rXpMd+PO
z<#CAXQ6m->Pg{XgI&vyUeF;GMYVENbw5N_Y<EBzD&SRydN1n9!F$S*A3}W91T<LAa
zb3kV5m?6~C`(h7AF$sC{tSLL+DYuRt+9mnBYF-n%OcU40h9@G)_K3{37pILa4ys>t
z1JhqEgUYrBHqdk)Gk1s7>#OBT9Xu`Lt=cyBt>NwvX?fPSd9&>j55`3T*G!!5Vk}?@
zpgMF@WTvrU_82>}G3nm#)?OBRN8}`Dwkk0pzQiQR3E$ek^jgy%kxpPIZIr-!){<}k
z%={0(n1A?p=D&FTC-cj>{LcKZikzRiJYLo*UaPEc&Ed-G!4D|E_9N5qd0=Rv2|Gtp
zdh<X^YS6g%q_9v9?<V{0XDY-gz1q0*<?`Cw=4cEXO72)tAPI*4*XtYihp$rx{)<vC
z>pWpgxSz5z03TyF8$6X3H&&soHUN>_{I`o-vd#M)%TN#Gdkt%(slpolmD3fiw)ZnP
zcVWB04N6wfPh!vHIgph}uLbSi8PU6G1unA@o=K9r#t)hgG!iyCa@|Drd!z^Lj9q6^
z)Uv{oFfAHf-*06<e7(07BOn2F<?(5}_v!3I%-W39b+<%#Cp2w2NBSUeR+~m@TTx9E
z%mA}s<XW=2OEX|Z6PU(}ZTe!UkIpj8$>G)_$Ok*Y9Ar1VD+hfM>|2{`D9_JLSt+&q
zc1oyqce}VIZ!$)VleIM=Og~Na1kl#o58Yv?)7^OJ#IO@C70k=Y14D~KMJ0LaKh~q%
z8K}AQlx>}@oaqT{bg_dul-@WcsNTc_BqPf=#~Gp8j4pSiR4x$P+KbX1X6t>D=OfU9
zGVk2A?6O5?`S}nEIeScidUvL9)G_@HUJdVqxBWEB`wG)bUgS-}&>x4xaGpU&O$cuY
zoZDmV1Iv_!MNQxo)m^r|8DWp!eyIPpSv9lKiQ^?>8{A{v-3@=nx;^ybXmxL=o&5Fo
z&oH(Y4@ldT-0KpwG5I3Yce6%4k@aJwq|i*^u6RpS)3{?1dW_EX0k5IILonf$4C0T|
zx)+dwZV9_8?^38=M6;M7-Id%nAMx0Kbf{%zl3zynxGynj%}UFpLoIu3LYB{V$ygvA
zfg*}@sbgoN|D*+z&K)wP*IIFt0DXAAP>_y;ckGHWaf?R=sa)toKhtiW5YZP6c#$?~
ztQfBzfTT_cYsliyPF$$f_~NtYLub-0zi}{eq=P1Xt7hxKVRRtJUWguvjjt??S+<K-
zbIyXUYF9i3Aun&?3Y&K-NzJfe(y|tUe^D*?O@90O<yF(z!7(hFO_z6$zyO5svmrl8
zXs@4;)(f=xr@}H$<PB)qTWvp;&)L<wu4M~wLiJsuXb5xQ%8ylW#SJF>4HY<6QIh4V
z8n@FVnbM$%L#}GmwfgLYt|p<@#Zc#~q|PfTnEE+p4_i=-FXvJkRuEMTt0`;}wG}Jm
z_dHzrnoi%9NSi9fbOv6Jz^hzYT(TUiOo!?kEFSngx`;8uq{)<i<|#jL(}5Tp5rtk>
zA@nwHGfvR<J{ox8EFKn5_l2O@0Erj{+UhgNIKs)oADUP~v~vp<j~A})b;g<(M{Nz0
z29|yg2Z}g-yZh?A?a3io6wHadOhlszWvPR73!7;2grc}O{Wc0swccwijRPmA4XV9p
zquehJOJ!QNX&Nin<>ZqOqt+)b8N3|k{HGDtNw#ir<*_9CA0iT<9hZEYAn$9h7G`)o
zcbrnxINKGga&X1N-W<!g%GK*uI4K$nnLm2Ien;nvqeFr0Z@6HfFc~i>H)OevYIr@S
ztRDmK*ZVc%du#o5xrU@0gL_4)_C|(WTK!v(YOGAq_~Nk@oP}`l)t)pHinp!kfbf+0
zrTC<lz1*X4j<#@;F6+njR$_#!1Q+lZ!>?~FQ*;kSPe^WoO-=6Hy3~xrEixKq6maOM
zN&Ywa+>1(~e86b9(EMpK?RLmRXRHh2oxBPEIzwX>3>@q#kBA#6)ZyKTY4wn)hDs$E
z{2x)7+XReF+b%KbVqrtH`JA8J5URdbase^bey9e<(lZY=Xn)2$kRO9o#u{MC=wm2*
zLN{O2uB_NEtB)Bll7YB<g-8<aJQ4TCDEq@XM50*94Ew0ImSx(Dj<Re@e+gYHm+|wL
z;^Zg~frYJWIdABrn3WfxX<rSD6OIPGdy5`MK=0o;9npRl18?JZO0XzVL()PXjjWMn
zeB1ic)><UHf$sZu!}%~UG*|eU`M3Wui$EOtyDZ`s=I<&}R`33?BK7!7ONM^el3SQR
zwIuxMcP*KLmb%;hgiDQs(q>`hnfc~h%mT)Gl4PIeVx@4=$A-@q3c5)F*#gbtuLwPi
z%MIA4Qf8WjXbG)B=LZ>#(;wgAO>#kcWi702j<^3DOfEbg=<a&M*dUB6e#uTZ+t|M#
zGjkG+<%<!=1(nseo=DVZ^(eY*aP%Yh`u6aLE)8BTT=7p#wbL=Pw<4HMQJO>QyZ0tR
zNg<8So2le6G>E|B4}@bx=wI!04X6q)%0~Lsl(K8ms_5Qae|$R%8Pk~pWPp+12nmDh
zTn3pgxHv&8xgp{kn9AJ3yu~S?N9bX&+lrUVk*T?{-e}OjhHtuZS?0b|<s>*2{UBsr
zY+n1L0NT!ceEZ!M(+f)AT+f*`?i0r8Zgf|ynIhyWGHe-@sE*!lY*pNb*IC<~Q?0Yb
z_pb|r<RwI9`MT$i0C?;&hITuD#I^T;ZR0-k61C`!!U5Zc0In8ulvq7DL}&EK?swZ(
zh_C!yX+U<)pIvcLxfa+hBsd-J2&dMZ`Y=YmCcXJ7=rLvi|GjEfrODRP40dGu-QZUU
zphF+^bhvjyVUT*IQJvC}PfaELD30Rm2t12#@r+vYe)Y#v##(O_adqxiRRsui)k<!^
z?rFxlVNV8xHHz}*3*`+ushx9By!zPs7^M8&>rL?I$|vnT9S<ggL!e9EGSYRAbCitj
zMXBDNjCa+ocpK9G-W7-B-EH!q*)2+~W!IPVQIQ7MF{L)&zF9=Ag-8+-F}8A`sCGrM
zY@4YEjU|HrR4y7rHRvsU34WRz_Bej)F<b8t8bu4$6P0=`CDjOFg%>F?r3J;toIua9
z9)@`;mP7w|sG7&M1cX*UgCO_gBpSDoaJw}>w-vf1BS4{U@vF=QFyHAX0#j7mYpBkb
zj@*?@B7(Ukn&$Kc8!+ur8Q#p-IhRUAEH8XD100Xmr3*{wx5gY?zSvKOHR@vB@QZex
z1{3D_d_HaLz_R#wFsuE^2j2y|kVvG84t7F0hTZ&3BH9Fh1(ua8=7B<VZwAW<Dnh*4
zG+qYNhhDiH3mxVmtXwuEDAiG5YL5e{Q7>yUeB+|xvS!$tp8pHWVs6&n4nOubBlF{C
z0IOj(ePCIg>K)v>U088hA!sIzo4Pissp=DolaP;Np&9Jl^&(7PbcW^C?)~HpY!5sG
zqEkgELhzGW+#T8BGIF2zy_mgYh{`9RUVLv(RvhkZU)hWZ;(Py%*}@AcF;Xe`11>V>
zNAi#vzwj@gmKgG|%laa$VUclhwA_H{%BVRNhH-PvRWtIRo#ZH2S@e$%nF<ygOjS{8
z@okQb5x9cQ$X77*TX^qt`4@iJqlNSM6=eO)Z0DUGn@U&85WRn~)iI4x=wUk|-i2Q-
zeiQStf}J7^b{K#p1cy4L1bAXox4Dow*j<B(r5lL<P!YQbc%Vxi7z{Rg_~9STsqI)V
zTkttN4A4m1mu-=Df80CKF7<{Uy1SomeoY2RZ9@=!3zik#vQ`*VH7Cw29T~Twwu3+m
zcT_gY>4=N4Bnl!5S?EMn7e^>^o|#)gHMNtg)8+r+>z$%3O_;FDv~AnAZQHhO+p0=u
zrEOH&wr$(Cr@CkLzouvA>x*-D)_Zl<-Y4RXcp?P(s0x`RCs-;*qK0L@vFmElbGRns
z%4MrIbnvj*KwOW}b%pSI^u&=Cf+W#<iN)&>A~R5%si0xY*gka<)y}q8Du820eaKDK
z)I8JsNk=ZJybZ8WWw31<?0cs0p`3R=pQs)&QfF%eXA#I2EhSAqdZ0T#zPjY+p_y=;
zI$ZIGDP@zk&cQk#D-Y&UZ>cc<{G~jfOz-n4n=%8*A}RJolHl*U%-^89g4Cub`}0wH
zN47kT0y%2oHw93<bc<aodbxg(-}M+PWRa{w1yiaC`ynsRPSJgj7Sp|Eq=yVR@&r1Q
zFL;atSUq<k2R{J<={fx%jO+JwAsm9t?#b3~G_$s)sC!XwjFi&?{VHqk<MD{RdzNsK
zTw~9N-qZeaN!%au|L=~JM%w>!$#?bt>PU6`w@beNcFE|!UGiQ1k4q>A{_T>^!r^Er
zw-FOxk*i;Pfx@ly3xmu{`D~POV-`tv#3ge`vp5BK5mdQXX&qI)ZH#jE%wgA8dAj0u
z$s750mH6qRV*qP0HdIb=R~R^6Kp@;j(=p@?GT4GbCL(xfTz~$|W!sxvZjZbMdRq(b
zQsk>O3JQ_Qj*-$V^OV0ARiXhW^g3>#NAm-hsZYfYLiB|f)^HzL1TBlQSGh5!b}?GC
zG4fJU-ks;d4AL<y;R(k?A;PRjQx>+X^XDXmfus|xI&@|GA((vk+)U`k!;WDKm<Zj0
z5dKMF8bq9X@pHtc#=WXWi3(b~)L7#nI=D`r#<}!ym&{@<O&cYU<T^hIj8EQ4L1A0u
z4=svAY=nn7O$qv-nVkvlUDq^G8ziH4ejscs(((Z}T;4YtO1V6f?`+Y_oL~z_L_(F!
zC|13z#wSOn;PW9bKYo)Vq;HIWvn#@xG%@dNG`!M6-lmOgr$eBiq3aRK-w}QScW=sg
za%bQ#m}BJu-5KDde1U=S<+58$G;{+IulI{J>i_m7-p#=;3Pss<KY<ZGvw+LJi1x+f
zfw8V)9L|MkUJo>aPRLsUR~Xq?idK3%culu<8=rVf^H%2+6Mkhm;bR`5;07Rr+m4NV
z>37?|S<lh{m8K0>@Da+TpRoh+8%G;Dj=7^%;@c+9Gax|KNkS<2yc%<|$`kt4rhrN<
zNpyYnBYFp@E@y5_@IGNP<|K2q`N-PPEwsDLs-tKK=cmN&Cq#lFVLWfVoaJ0*%Y|gm
zG=WNTax$x)$LT|?mZa2rN2+Qus6p@72^u{&QmPG6hy(TGJ3tCng8<`?-~*l*CJCR;
zU!aV956{HQlrUp(*`Nfe@R%jciDsm|d&-^%MUee35o?<{(WrK=YWC>RZAorYceJPw
zP{39xbWfjA7)}YKMa;*MM4Sy<rCYeS8N%^N1l+OL_ix!4BZ<%K9%C*UWAtz<FM2av
z?s}n$>fB-+ZaH|9oH`DR^xWEtRVaOyv(&eB(S}<3EM84KdxUsW9VaZMg~|cL>cg8X
z(Mjquag+|<=4;amn!(=KSm<cWshGiJ5*L&|JMz;l@h-N@!ZEXpFkV*OT37Y$0iDsy
zZ%C<_R2<bi`SJnQ8{Nd^Z+A)n(DfKLFy$TGOtYB~lh2uJ4AqPKfPeDiR#b+dbT}tp
zJ<l0@r%^rE;7PtCbl8eue=oe5b}5}fWGRg=(XiPj4BKPrcadyYi(2XV34a&F_Y}{R
z?{~_-9w8G7gj|3c?NM7O$ajvEZ_LH}6<O+XWXy17TEFhYTY$m2&Hk!i)_M_alNV@u
zf(f^`d$7^;=OichPqKdTJ#%Fq;v(Y}LKUl^|2YHgn+K$7&fKVq<|vhi?`A&Wtl#s4
zQ>)Nu-2=zwaL;1}oM5yhdA1+P&7krM1;?|4m01-=DizcG#&M-JqwqY@%O+RFljZpR
z?V|mi9kr5w2PsHWw;XdA0-}^`ph>o2maxfniN9Un2VY8x<d~m>bWlYL)Qh4!^jfX1
z;qogqRb^GO*mRT_YNLD|YuVmTIfAs!HMC1I5tX1)(9FJlOJ3B-reK!%4OJ~|H>AfG
z5|4b*VFnL=NeJ7MF3#>}JR=z~Cn5%6joUD{&^U?-?k_52mYGsA;#lWn4VjVV5o&23
z!TwWY0;EYj;~rfYM>{a{kIfbj2RU`<Msk&Rl_eF9HzA+=Wq)O&1f8LWrOa;iZKp5L
zAp0yN3C=u4F24tD+upW3PrbLWMa*wM7@W~nTA}fI8s(9ICaiL?UjCd{b=7bvYAzSd
z3Bp`3%BAW4dRsG&u(_Dml72Gt7z&oRF3R;?sS|rV#q~~;Z5|!4eHdWuj~0yz*6y^r
z<T^P+drqT5l-|iM&WIN%e(t_cb$!3q?j3@eG&#n)d%|<hOK_rFr@vexT>4*CgfhV2
z<RAGL`3peR{vm(E#Q!0`#Gg%zwCozIwg-ovPv}HE&RV1Nm{K5Z;dXJo;xX$Vxzh@C
z(q3~ID$p-@KyvF9E*Pn&t@YvfoIkb+IQ!&1g9cw4nPNSpM0zz9@3Xvaq-wya?VX$a
zippeS6LRnnB(l!aSI+q#%)xlmEe*&jA^e>`Kv&#Fij)K<87)HOY+eWS?R9{u+&@x~
z4RmjmIxBgDVf{d;e7Xfr(Ls<I+d@?8<M+{K@_WCH^-m{^*EBtYrVP;_4X@UDg)_xK
zkWTrc?A`_s6*qoVZo=FYgn4Yi*Tj)GOxzB6Xe;YNk|@p}A+pI-vJbS^T`gpG&YxYa
zhmm)TA+wWIDyPh6$a2Ic?(3R=T#$V7WeRF;fFwHczYu2FQUjZu(T9s7Fo&kBXmNta
z0kv4aL~4Eo^{8nrEA`|180EZNdO1v+*@X4t_UhDl(*cqrv|-WF*6CD-1)3)(!K5AY
z87U($q;I>lc%yt<)bQxPmk`Gx?WK2C0U9T{MHFnJyr^tMPQM=Y;<1?Jw36gE!|~Ul
zwf4I`EoJ%MiQ?0ag}04jDXEtIx<Y?kxv`)Kz$d$|RMv+8m}=jCMSsy}O#0o6cn(PI
zPOyVz_U6GiWxKMyzwc4$MVgjfN;4{>k~;olJ?iv)LDoCdmuQB0v_$_hg^837nl=m=
zveF;;t;946gWTTo2$%@^nes_M)~kw%x#F^e2qBitvt#x5=(lec+i8X~ub_93^&&lV
zX~HOUNACnw0D%$?)r@;VCs;fCES6<Grd&7=+QX!>4whRiHnJ1#K9S{Rp6|f063DQR
zS*V6-9qKW=$(SkSAug{XGBGKH?0e%g6T!eO`4db3-ZyRP>crd5H_^q3aB~Ak0$aK)
z4W?VN(Ls)c@MW1ejLlvTE;l|Xd(LQ1n{0B5wGKM#l8^daSS<GH2H{VTiPQJUvyd?w
zFEB>rJXv_B{@%7e=m@r7ku%5XzT6`};J5i>!%DtGlyCv8Rdg>fB!WVgD7f`~^d$;8
zfjQ$g05>lq2XdRK9!ZF0Wnhs=GDnBE!_r3S(?flojZOPS7IvfkV6bM$U(13Lu3eWx
z@J&86<TR#K#6>;q7JJgk@*3EY-iH|?RpSniFbHGW5^NNp6SD3_pDc@25{QYsj{Aa6
zE2Zj)C0Nh8%{D)8c92o3C-VjKlT<m^o}K5`5TgArzc&TshPZxxkNP;Cd3scl((7kP
zhPaKY>DX^(o&@Mi7FNd-4SyC1<lUG~16FMFYwB3nRlBgF)z?VP@FNS~V*mr&5~&s@
zO=r451H43D7f*HSX;fut5cc%kK2HdOy`#=++PpX`7M-Sn5GqO@7RQGMY@Xb7Ru0Co
zt&Wg|<U3?YoBIHm`NbqQF!Uav(-NxqTFEC}aR<l};kEi=!qP@o`huuqxfQc(z5_T3
z%IL-7g<MjqWIH?hZx9N0J0f+W(o%YCcd=H`@GD^~kBD0HL3h8UR?jabG=IPnDQ_6&
zmy)PD4&`;i_h|Ikk={2nJxOKRad{}cd51+cf<(}j=@1wP^4W8v^Im_(nVF0PP;_As
zR3zqOV|Q+cVajS*`TL8E!A;oePg_;3mGG=*_n0<Nh3>f20+(+F*#`yig<!0GHubey
zr^p!;?>N&HyJ1320#X5l`w&9oex4cGz4-Ya(Lh+t0{ZOXY9q@#pRA!L&!~&dY(1z#
zsl9^U&A>O_rj+}zmYKDNq{8QD7Zj_$1slj*h>mn(9b(@GzjA60K{A~Jx~#@xiw0<U
z2DYXdS??DV`C3&Ss-73t70q;DRnrS9u(;+78TlB`=3q7p`tUwWD}(yoYd)}U+H{^u
z4@1y;q6k>|?7R5CK?Cg-*`>t@j1_z>pSAhD#>JeO*_dV7E_Si+YmGoFQNnSkr5NpX
zoq?_rVJ(B5U#i=FPdfZXe#QSLKj7cwAO1J_p}zhh{};u-$=|-0(jFh)LV_k#`zZI2
zV(t<~D1cBHFt-sMO?4Z`-GW&xi*k%bDbFi*hdz|Z;{8PvJlLSO`_AICLvJdzca8ju
z>3(zKCPcerKWsDPiV_@21}*{+AG=-=pLS1sUKwP#%=z63nt^tV8Pd>VcA|9Y+X{Xt
zszPC$jC<lb)FaxZ|HKPS1)8gP(*u_CCCAJ|Y0Q>o7&R{gYXGu7bIZSQ>zzXMWbNQt
znL$MDHbN1=08HWVCXwwWw={@;`J24d)551*1M+t}7bbKkcOTf!oJJdM*r4kI493$%
z#WP8^5lvGN)KPu~@(WFAsChz#*~|EY6aObM%!AhAKqSHeLtt6xE@o}d2D~72tF&zN
z#u|VdNe5*nzWo>mq($2Yw3(_OLW-y7gY{QIy7$`C?})z3vJ`*?KNL7r8K_}yray^P
zk&a!5iy4cTh$sl-6fqa12%Uj_zeyQ|^x{wyCy8J8YY*&*?*JpbLpk_zQ=|8;bXA{@
zU-WuJ%a2#B)=l!6=kg+HX>$OllbJHY_2qx-KV*GHN7TZtTO=2qxv}HQ66`?5t2T~^
zc>`n6c(DQiby1Q_Y)M!XkrP%AM904NGxGv&?~C3!K){Fim|G3(C8H*YGksFBqo6&w
z^WTN7=Ahu}C_OU$9m|5W)_T&SQNAOMn`*eL3S)F1fO2PdP|dwa`WQIGNXO~)+-iMH
z;o@wjf)OdNA<Nd(aR8Gwa#<u{dp!6q%G-x$?$YjG?8b(4=}*)i+UG6okGcL7eNF`S
zv@Ei=BbwlTzrdlG0Nyjj>P!b!bF)!uHWLy4@H<?JggE^$$a3$}G8x>?_|*nXgm~{x
z%%;c3j%rN8%QDJ_PFi>90C@Sm&a+q>W5gXcgE%BLwW2G=BQy+Ust%ofSD=4?%B#MY
z3GMVO)Nq!#8wVoe>npnTP}(#E5=i<A?>kNvC!mUN4WZdFvOzE{h^fkdC2mxn?@xMc
zvypT>&$4w%0BB1KhFEwFE7K=pzc!)AEwr$rH;ZN_4-rnrRd)wx3R!i@!Q|ANW9_{A
zfOK8_9K8EU_I`e=TpBtY3OQ&3ENLhplko3%uWN<$!TYYUe9d2h&ks|sqIIo~^w5e-
z@sIm1tcZLjr?S?0Ay%f4DCBvYJEZrKJz;gW*(9A$VJbX0ZWvm4BApRj!-!JvQru!O
z6(`xkpn-Io1`3{Zh_tWlPM{4}+q;AiU~Yk>CTF1L`C+&0Sz#gxIbMDa_m>Co*qRfT
zA=sOz<m5MYWxKVd!q7+s8xiXmc2XXVQooT?^f70guHk=%bRGNq#M)Ublz#@eGBPLl
z1>Zw}Y$bmTcZp}a+x9p%cVTK7YOJ=cJwP<!F4X_@?4;-2Rk>v>xd-oE#WMwLjA2XE
zV@KH0zP9nK+Nl#oPa{^86SBKCi4&?^aEb}(x|Uy{cj+u)(EHjj{bowqQahzST&(#(
zyy!UH0JXz$h)hBgai6B3LxIy-7CY4f8fH;*5HGQBZ`_$+fuiIJ->{WuA808~t7=AZ
zky>)ADuh^=>{;FcJc5pByRY{3)-Z37P?}<fLl^vRet?^2>p0)7b?|csZ}><txcBvh
zc_w9d__L)wbC;e=(0**IQ+r5D<4Rtnd|uk8=ijl@HpztR?Huhoi5d6?Wg=tN2HI33
z3v#Pt@g8hbL(XxaYR+y}DckT2R*aziDRYyV_*N-Lnqf92%L}NciAYc_=h$IH=wNtm
zQ1dDI<BN>VtC%SZF`x5ml&Ejy{vF3If_$0!ZJ%!r_M%KzafTk_xDrgro%bi|V3=Pj
zARtwX{|%O<2moxuF~j!#ifO~~O?!6^0!x%h{C((vh#DolEVLN~&{vp{+-f&kl*zOF
zMG%#Z3fp@_mAqIge41|ysgT1f82#RqA|j+bY}a4pANWK5|J^_8gZLl)qXMX}|JS>S
z?0@#PFaFyle<IEPOf(Js+a(Ca|F{Gu_1`YRAa&G+m(#q|qaMg5Fz@*QI;P(m@}$r}
zNRO+wynbv*^@Qz82{Q9dTyOxLGXvAcU@z9E3b<C8hOFyAY_G!3$09YnEV;&OF0TF^
zXwV_D?9zNdq>;4fDle|$NdPN2Oo_B@#2^TwVl7hpXAhP=@6aa{<dX-z7xEkO6UTzJ
zMrWO#&cwkNN66y?XI<E<0QpX}*Tn&4%AEnb3(qXFFtQt+!=~e|mvc4Dj~;f=i|D98
zKm5`n%T5%z`!i4~KKriZj86vO=$byojMJ?g2&nU1;i}8q@{AaZStM#m^yjb!QB*u7
zv|1gSlqvH7`tvdtpEOJr$Legbf6#h&exQ(1HH4vy-J?zp5_TLkcPv;kR?A^YByEdx
zhgQHUh}QNt%M2Jv!`3PaLSn+(p{X|FZRckRW~P%nZv!#q@;Ly>%Rce`xH614GwAPM
z@8EKorL#Y`%gV3`%SNV*2K%+tYGS$>T_O%hC{_cFrixvA61ZihyS$OodVxoV&}`JN
z{E#rA(-tEV!kNV7;8pK)#1Hm<-m(PC*h&?=eaLi&Z0S?!z|ds?Os07fa~8M5rJh(i
z5Sdctp17BSf%8VAdIpu>p*c`Jv{!S9nmu`bMj&6@&2Xw7*J`y&e(bBMUFT>n`-M!j
zFbT>NgN4(|eX`oF(y5IUGA_>jU?jTP#r|oZ#pW^5R!OR)%QazB)o=7Bt7YaqrrUo3
zWw|^{SZ$Mg#v)(4aB$=<l^tWFLpw{Z4J#$EgHt;n2OC_rq)=-&R%nY%rY)^(K&KBY
z@0F=vr*z5bK<FWb2=ag{pNh6INs9m8d;%N~1Wst7X*8jQQDV;pO%aF0?|l01L{t#J
zPvkcds>CF8=p7LRIf&hI2U}2Tf4vNoVb&4dKC#okeY@mjf)mgeK-yi|VutmWdhLvk
zFCSU2pX5M2{!3X0BtGX|!pCCbHqD#<q9UwF;$tBX91?*zr54o{vVOdo>5z@D=-qID
z(^0GY<VC((?6h@BD}Hxr7Do`E3!y*VA1KMY6h4gGeNwh(y9oqr1cJL5vVC<72}FRh
z%1FjD5Y;uJ!_NuUhTw9P^UT^lW2x~wBbKbi#`m=1cN$^c+da&z(vp|7)Pqr(D&9`H
z6J}7TE=m{3glpW-#Cp|nK;Ft=k4C}>l0`p^Y<j3B!L<ceu@?gx+#)WHF4m{_ijhuQ
zr^@=3PJba#0m40btmM$KX`Ep}Y1{i9yf5rRoBsTo(g+qwTqrxs-;=qdW?vpLV=?G8
zrqi7jzTvLCg6bj`g*F-i`r%Km-`NVkEnxsN87^GmYA8rH@jaIoAl$6c#GWMXR2LH2
z3%#^MmjuP?uWd{&i%t&mcy2h@?-0x!W1@0~xYW;cdqbc@ez&5rzoVJ-;<fpl##Mj^
ze$wOVHLxM%0U_EI28uyf0n{xfqtjLnBUm@W(hU1(!UiZm(XY*4?;rAd=7?rh?=!mK
zJ+()r%Vw;TXtv+_+-{i7+;KnEfneW|6?}i=_H7;3zUoZ57^RBdm5MJmQQh~T6?A|R
zK<AQ<;-2_&fM<S}8z+E4ND?ohG)At>@ix9{y$qWK-K@@KD>;Z3-NRXqv$e(>eZ`m7
zA|UE_ORyqI7yM2*cbN?vBk~|}H*#ayw+D9iJScTOY)SvP)8LUawfnsPI<QK!swW?W
zdVxg7TF!e3(Fh7eo&IW;(8Jf~jH(J=10MeD;{X@N1a@-|IBT9}{Vu<iteTR(RW-@J
zT?!Eks1s5dObJSFV(^}=h#iidy0m1#code~1^JC+E&kBzp3wyzM!`mKlwiVZKk(MN
zjOUyx*Q+_RwfR1%@yNa?N%pjWB*&p{y|tvm$y^FaiL^uERl4iU9wmUfW*jGpTc(%f
zT6tMblOQa(9+<yVRhcD5hb=IglKGcQkjnncC0`x?%Oz-Xe_Ueu|Jc|5%O!uOi75Yh
z;{U#Ip$z=DO9ub#5;VDgT(aW&Z<k0TQ(0Ybw>45$X;kTzQh1}KPRpWLT2K6hyLd7q
zPo%^{d!Qe{Oi^}WZf$Ka&4KO{N&pddIL8r1UhMmMY|J)!*bgbDsIM1JW5-%+kI*~=
z_j%f~c9meu1@NPHZn}bH@9xb%z4~l(=&NCrCdK#aJ93}iCYzb}@y}b>lq2bkX8KXU
zSX6Q_i~dU})^-#F&SdoM7ky(jcxm}SQ@z09T`B9#1Xl0gOGAia<i^6n!uFjY0LCE!
zRQS=a2=-wd^{L6!pO>46Ij4|F9*li{aDyo!Va4ZZ8jQKSh2L``?}{r0(Pi@9Og?be
z*`$zyROoRFQH+9^dMZ}2y6c>zX6J~^>5OR5;ZIHwaBgUMk8nLSFd-L}$kSA;szT&u
z{GPH8OAaTBCR1{bW~UmyldH{J%_VpT&RkuP>=?637ZrE`3~E*-!;f_w9)nzIdAAH_
zt5V`eJ;GRd%tq@gT4w4OLL)lcgV$xfM@iLc{t@Y_@xNr?SpsxmtbhaZB9z@Pc)H_5
zUpL%4LYJ*6NMHq|sjC_ei3N6nN^8bcA$DS%X(F6vFlD=&<^nZr=%8_94`qVL^r)dC
z^sji|It{$b5Hj#2>5|*mDmwMN(+JwPFfsHI(^U%%f;M0w)vZOzik&OnmlYdmv<)*z
zSQ^4I*{_Q#ysYAv*P~#s$Fn}=Z;YtZ;YrK9o}Sg`XaXDy+{?JF@dpA`Sjd_p^s`7=
z5LOXwFc6|@{;cwER2Ieh4cC)KCOBR}$6~kd4IX*T|LU0)kGd_6z7bKxgzP8bjxP79
zCr?8C)zoFtPQuxly2m1ym7>-guGA=SX*$09X?vc)CyL~=J-KV_&0ea9<+`xEg-EfJ
zdR&s3J;?=B0hLh7+%zrND~&S1&SDWf$bip&Q>&wC&E)b!pQU>9*9YQuS(DvX0a5*i
zr>2sNSkNnYZNARo(kA!GZw2Zjvh~DAR66zWRc&Ggg!179{AG{$1z33no${0}aFch*
zwQdjR2nl0)Q9F~wg91=WddOw>%2^Rm_4wtk9Va(QHxzTd3=Zdel!>2eM$DX$;k5Ru
z+sU(O3d2w|sNqV^t&^dTk`wF^awO%rRk~C_L{#R88j8Ci#PLpjyt|RV^n09#Lgci&
zN6)9t^XoV8Ve}1=nmG7b7O159ZnN3DRVqX&;dB(_6>-s<V%^W>gSV@XXfI5_%*<i}
ziKP^rYS{RF3d$UM=)?}tKz!st#xf6KV1B$+kW;lwQAlSJK}$H{S(4?E`u0W(3YX7R
z2jau+9&lOd$`gXnW%WwIJTL{ROE8c7#3_eY_f#E5(U$!1aS2@CRRu4w(e&yQ%$vFl
z`$fe`<%kHefSkyIt`OnNHEzp$#@q&xLp5wF=&QS!Pp*uMFmzrQh%~h0#XmSj-ymR^
zv!+G$JL?x%BN`}P`0f?0J7u7yW&9JZLkWI>dNIzQ6frm~;IXmc?`)JBalZcPS`icR
zTpH|aOO)NG>DXSlldPW+_g?D|<lqnA-=_QfC@8iF0xAnfKXW|f%Q5Vsp@HHdtC7*r
zO%yC7e!2Y8Zm7sPG>9HCdsC1PCT9qPQ4iHx$h_mv+ZWe>S-Gk+g7qZvnEy4b2@cqg
zPXs_oq=oVH23CI9DNt&@Gg!T(kLf4sZQP#mXGYUK07}gL@TYM0j-@jnyJb?`PdtyW
zb%1*yri;$*pwqH8FaP(ji%#OeaY1b6L2Wrf)xp_JQ|?Pjbi13AuJ8TAa7u7wi0R{T
zI<cM$TYlSZ?HYTr8ajT1Ik-Zesly(?`hHs<G!YLE>2>%z{}eVT(f1nZ!z=uy3p*6r
zcjGiMTs^?e@gFCur9=-;a2oU7N|R>4`(`ZAmZAByej`7jrkN0q7cIg<cE2BmT0Y9P
zkUKXM>9+6)ciLG7#;4UPqe1=UlJWm0Kgi$YANV)<v7i1S|LWeq$*&(-70Exn%y}<z
zW(7%RuNAel5K4d}T7|u9OXTucx?w8)&LSRUpvFzkd}B5yA)3!_u!?Aa*iXXJiL#(d
zja>X)O%42k4w9fw0gH|v<qH)ysj==HAT2IY7!szVr>hX4(eN`JTGAldLW|RojWv9q
ztQo|T7KHMU5#Cpmg{-c%w`KmR-?a`<CxM%vJ^OWy6d0^N6o%dCSC|s&)m1iaB2&|w
z4g+97=d$DPJT0oq6E0JXBa>+V=6K^u9{Bwy5dinl_Usd6vr0u7&O1i595l&*0wre*
zL~17(aCQFU9Dh_`1Cjjgk!)9M>azlc_WO;ll(BmzSny_o=7eDZXTyXoKxj!wLvR!T
zu6RHZ{LAa7fV~8=NTX&5Eb8}3D3W<ty;e+6`;ngt$<CUg_`M&XPGk}3a>cPsx*3#4
z^2sn~CFjp*-8ec(>3uqA<dVge(2vdc2TCQ}Q_JmLfL;*~+2ETV(x1hq5%>|@V=s=2
zXrw+xnxQxW`<@<IZ&1pxyzsG<N7+h<Wf$+pduSqNL%G_`LqV%l&!rIB3gDn4D0s_`
ze||k5@zhZVA>KDF8Iq9vxp0OaZV(lxR8ih};&>Mj*_ytS*kaTgs?#=r{NdUMW@Uvq
zZJ@)5U%tSS_Fsk~hMdY8p9{^y_E}gYB<G_SfEtfE0_?{0gQPM@^fXWV5g&<5s^U>u
zUo3AA-lp}*gnKtd+kCa=c)-741io*0rNtFts1&|28;T(lt1AZ>I)wpJuiinK+Ay$C
zQ+Mmrp|W-37{`iR;ow=W<3D5Bm&#OE))IB5y_yTfz?m!+>%UFn#8QSPYE#-)_O@U%
zTauIsgqLeueN-lzZp81QTXzOc#6IrTy7b7hq%USMnvAQ@UQTrkED3zBDp2FG$Ev**
zbQBF@M<}<kMNnJy$S8~2nOdHV23gfp*>;g07!iju&kRbGc-&N=g6KD0(axeIr+1H$
z<8(xlYHg0;ENF;&d()3_3wFcE1SvIw!t-KtiEPSsp{{n^(csPE)d^HnG(jyZU>($F
zG|8R$mZoVe*TcnVTrJ4Olrk5NS@7P(xpY>IV&Sb`oL7C)6n!&%ZFzUnxX4Jtu(}JY
z^_O9kzG0QFf)uodp_^vvtKH=ZCn{iXotP<urGZ5;Q@Aznb+fVPHUzG(t}twNh&&q$
z^G<qeT*z*Wsyz9mWgC!Z0P5viqx16*REw$_wnxv&2ha~c-J-KmU&E{NaRtK-!0p`Q
zTghS$Exa@`#7Z!&6Wz2alSn~4fIBk8_HKUHGk%>gdpz|U`E(e5-$<f6y@LCbsu~o+
zG&J&y$`NAe%1|`h`C_+{I~}-AH3|9kY@Lf>TAssu`^dS-o2a+f)r;dHhXeyDaEE6{
z5QAlPDx&B-076F%Et9a<iGmh?upIrk8C#?f4b6DOPjDReL5Nc*_kfL)aVcD^EO~sl
zqf&|%FEv@GTe1lc6IE5OLfz&@^EZI!qNw)*-O`xK3mo&i&|57EZMVUR;Vw_h=mf8M
z4@U2Q)p_`~zyof(qU?6Jf{{s~Kh0_xn{uW59gvN~fk^1x7*Ah6f7d9O2q`Ud6DeUd
zzxyMFu0NVHRa&!}$jt=>+84ytu|7`GSB{0$bJw%|*gKkyaMjEV(X<lvZd+2fYRW(5
zYpL>unB*|TlKdHQ|KL3;je^cGFB`Tcc~8y2HY;%@Xd_qe4qid-PryrCd!&YB`kBkG
z%a7VR0ziv5H`RBw#Ao#yf_qC^wR&;Juf0w9o*9*UU>dO%RfiGbR=IuGQYeNcG~-CF
z3U``aw4^7&n)%bR3h%N3P`|MII=pDZOh;+&o~#HbuU-?Dq8UE-i+~V#+Pof30N#rB
z#YX<S23$%b(Q`4WSaS!i23}IEs7||!WeG)bwqM;%<LefGk^lHVtBA9d|5Zi&32H>Z
zYxw`GBBaazvx)%y+a>+~b_rqjKQ77mf4$wv9ml{@s?EW<!ryjrfA*)V!$>QohU`N}
z^!8#1#S8&}pNx5V7M&pLnFC$~XCWgQEygQ2Y7_ciQ>$_G7g?b?jcf9#+(R@;RA-ff
z5pRGMHXj!a7(q%qeZD`NTMo^tMEJO?s3mGV0~>uZuQ>Q|orzOGqriH=2dlRL=VRN)
z_aO7A;-&9sEAYe00jJ4e2Rz8%dQs$iehwC}4;?p&tG4v`fV?|xF^@poF286+)dF65
z4|c&dm|5%VF<gc5K_w`h<OkqIZu*}Dj$9)WQISwUPl6c0E0aLcZbn`QF_;B!`3{CZ
zi(<!_P$8ftL5#WsfZn4JCUg|ZFIZAsPEND(*hAOoq=O}<0n6#z?YSb75O;5S-}cEi
z(K4KlaG9W+vWo|g>o9@t#mAvf5@)uA8iPDVMcDqNDHk6gl6Iplx+IQ^`JXm0oYZJa
ztP>td6AnLG9)HA5-0IDCX;eA?z+&Sl{^1<=zL?!AEV^Bb3pOG`QxLtRTEV}U)b(V-
z&3|>kpB`>otu}e16AtSf&WP|8@hX#-Dov~yP2+7sl+v^aXc$WyBA4Lw6?`{h2``50
zkHL5>2_d-XCUxUV)%~DyD+pCtw33&`?J%iof~~po+)U44;|fCzAXKBiPLhH^n4w+#
zt@*Vp%ZYOO(`YJ}{~mHn%pXL<+fG+q{DPFaSJS$6URF`y$_MNB&SW3xE{~wOYNssu
zC<&?NYFm&*RX}fs(E=o(sKAxpEK7Z#PLU31eiL#~fR0ZQJ5Ay6#<d-X_XO=D%`JOu
zvW;@*JqszCmXXZ2uGmCBL)mR>@$%JCGP`0_<K`3|)LKPKhnh*QBCVg<ZvP0uE^eTc
zm|SnSbWcjckTm|q8<@TBSLlfZK0D2@Lz*HQ&7I)H9+e(ze5D~=zyA^?dHu!6z)_F@
zur5zfr@_SM=cs#4hQIQo+U=s(uYes}n*2JjWy?A_AF0TOuUuLJw~>bEJ)onFEUAq8
z>ePVoi61`cYb2}E@~l@&4kDJSzC*ffys!;6<%qCmn!s9CfUM|3VZ;!(jmL-hE*56`
zC&5%sk2w6oc|KI}{dR)-TaLQ|k`y!T6?izPs6j_6VM<&?OQm7Q1PP|0Fh~X9h>Dky
zV$<T+HTuw%rJ2>zpSJT{$p<oU>o7@AEwf*wJZgB7*l^~)kQcq(WuqScN>KPrlo5U)
zuaWsTakGzVZ%c~qQg=~P4ld)aZ3)M@Z2IxgxGS{a_x2ExClgz++l-N!`+c~~@wfmQ
z!|;Lx(Uid^6xvD>mZIO$No`O*q!#J|{Y`pNgBs`hqR;f-7Epb>nx#!uxxw{Tq$2tk
zN{X^hT}P#Bgtc5J7v4{al4Jvo+qHtIZA#A#eXbg=lTnL@;AvFeZxngU%GA3Jms-6l
zMOi1dsedMGNlDiU7byq)v52&1KQ7Eftt7A@ZWzCSxXX_Tp4QrxUW>rp;lS7K1m?$s
z%N0x6DulH2U93VjCG%6)U(qio%@Ke;lyGLUAGEFGRZixl0p6);7rHcrDbILkPi_h&
zyovAVo27SqjnFgu0aTjv=CnfCb?+e>7S{lu5^Y7qFgPN{XVzu?^<j05I^nkRG>mlB
zUyG)(1;#3#TUy~7Xugu>3|!|XdS>ObR&sXFRdst5HqCsVuGCxIUk7M1snr<AQ-{WB
z#yhbuDOI5>Cy5G0H8kJ521G1T?4ypuzxLjcu^8dA`P@WivmV(ZJYR=*z%p6(mCwHa
zG-`RdAq+cNy1gLqd1Hbsz3#-YBY23^Cu&YW^}&BNkImhKdY9)rR}U8ek`iCvg4Q@B
z;gTgC)msGw*I<e1!D(%QaPz{ZiN?2zcm&LUV&ksAw!MDjH7)Q-=O2`EZ4$fFY!x(&
zIlvY%?_W)azfQwb{}zAgFkpTn(*4UNSQY=(kz(!sUoIgR3qbr=g5dw@Na6f>;(v6c
z!2Whg-@jc#F7}U0B)b1ymzbFzx(S211K^d`5piBBWQNy2>jHfk>h`<roGP#Xxervt
zVEv?)!h-7UV6ARD7b4f=R>L~)yv6D5J@XT0Y{8cLq&{%su>#gc{v+y_J>2oQd}Atg
zRSD`j$HV-D8<fhefX46X0&<VL?bnWTK#Lt)(we}@+TD@5tqHs_I`Kr5U5>ikO-evH
zA99Tv6X!vL2~uxLOETxL?ouIIvjr#^&ZKS<A`3EkAPHA6*PwW~*XvA@C^5>I4=lBh
zt(hx7E+St~TM>V@+-M|4WwH2{6X%Qa26=0=FUqY|nc8Rz3cSFq0JQF;Re<MwUN6Po
zJJ6Pj023h$rPrW4wal8_#T+tH44-Q7%s-n#h5%y=uOLswRA&POz;4d35u?L-#x2HA
zprn3E1l+U-j8}`lvIWPFmA5pV7L}m;#+{#>*osZ3PXJbA0;{UXt5~m^Nbns51*Lw}
zVKqa$G_ienfyS*C+g>)!FO8C>HD8E#sQ&sIw>=b3OzcbHX>Cca4La54P^Su^>&A$#
zO$xIr@W%8nRqe6c>y2QOha@mxL*f9(-m3FfggyTeah;(M|1tAkcj3FZ(euEkN?%ng
z8rAryLJSF)_VZK5hxxkly4?^n{Ng#PJRWAMmSI9uawpQDfdrgG>q*i6m*E#J%n_ht
zkR#A;A1?OAWe;F_Dti^xQKCul!t>IpT88RU*~ExoDtrrq8W8}zS9EP3Hh!7k6N)`b
zV1I;JpNpgIa6B8}FQ!dfz%l^*`vmRvyH*=&P=-uHt6jJdFEo}0e{OGPx(Cy$vzg_f
zJr}@9jGAkXi|$PAy_SLYrw64{Ul@*<mV8H}jX}~Y8)?$bdFCQ`v7Em32uQ<onC3YI
zPTsouH*d~)hLL89HDow9k)ve_)|lKt4m?37@Li>ko^xtIIn~;&vc>S;C@1&&>z0wK
z9Z`wS+o4#9A+a(Bwol^flcz=(o+`$l5d$`S(379#+jk)_<(5o=kve>OcT-Bt6R>bA
zVFGyj#vwq}8B@~O9nqJ9zZ|6wpeFHYNk8k}z2V!P7z|-vGE4iX1HxX<;rPR^E_a=m
zNjX*TipK4ja&Qj6z$~1HV=IReq?rODKG^WooQm7l)0<M4e_rk+_!oda`m})Vc?nEW
zeZ3juAEY^^5}-&v0M8-IG2z?C1l1}IZbkJvQaTe4x)yGl{Xk;-v_NMQfNNf@HFg!q
z_qF_-K7&GC@Cf&Clz}{_EOF{h1D5B4%lV25XzhfA&{u+mTzLWKMM!*1^;b)arP~!T
zQK>Q%)B-Gp+_opPx&gx6S&`&sr#815SzK%;JzjTC4MdVFB16h7Q~4Us<SDQtf{dF3
zFRimo&gBmyQ#c_B=J7+HvVw+*r^fmDU<PQk1x^EB*-f?9vR;xf8r?g?+C+Jz9p9v>
zEmDA(CX)Ps3P;agw;u0LhsflJTIA=uFZM7?D#i`9yIoHCfpa-tMu>|Q*?xZWJv*c`
z5-0NmIjp&0vnNtZcnyKl`aPA5QLpb%T0;dgr5?vDgszr~(E<Vv3lU>r<uqeHreC`-
z3%<Xp+X;F0m7aZ+ABO&E`Pv*X)W<w2TMwD2zn=x;hurkqDr*4;&}*q02g%X7uDg$@
zjhe3y@yggGQR!ErG=KpJa|IAw_C2qqc*{pxU$vL}V+Sr{NB{;#&wysrdWYvYrv@up
z{}HXg=sU7`lyOB`RUzj>sYx_MHtLNlD}v_s>^0G03c|zhp{DFNCO)`rClOtE2{<03
z3{dCy3WHyKrM4(G&~r~l5>x?H?DcbzhRlV8xA!9)*FD7CRg<<1mE$t@WQ+&=;tE5Y
zN38>IG7D;AEx<4eh}wMO>`L{f1;nB!RgAryM0;Q|Ap9?pF_<8<!c%T;Eii9s72`Jt
z?s?y9THc&xTfG~Ff4PM35Bb^t+)w)J^Zz-bMA3`%|L>B&zO3-)bQO`^|9wJC^uPT9
z{<lAR|LqT&tAG5Fcl&RDl<K}Q=>&M7kU+EF1Rv;0q9b0cj)`*-8zc9cqWyY{$>#>B
zU{?6Si#2gh2&I)2{+{yO(KJuZOl~uHK(LJue2{IuQ8-f9kt!B<@>&bmPt%x;&leo*
zb<9O;GpCTcnq5u|{Dy!V&ycK~A`>%sDr`jA6r#DZ+pjV4r~fV>GV`Ir!8+B`*b%Mo
zqf<{D1S*Td4+kLA<R*n^*90}Fk#ngr#3vX@`xJ~-Pp*KK#V5Ced;rh8i#l-!ea9X3
zEP$73z&AtUU9q8gz7PZH#^c_I%6NL^YU{qO#8Vrcne#O`SCdb?v_na3@lMloi)Ph+
zafx?CIg!BSgrND@(gOCa_tAa0bM<6Ulb+z9G&*LFPA&4yet3zYL3odni-1)V!kl^J
zK(od91KJHC5ox@HicU)EQ_xCUQBSmpzOz451q$%(7?uj?5Alu_%FLqQOU_e+v$7PM
zR0(;OAIQ4Csj44wJ^E^)pkZSU0BAeC2C1amom=USvJ9dRCCZHEwsk=khtlNkcxajk
z-&FB_k0ZRQ=$R&7Fyid#>s0v|AA8I0)0&5a45KCUHYW(?0tqWnQst=I4VJ5w<d6ER
zvZzg$+Q0e*#=Xwef49|<zSkDH+u5FBp@Dd@wM6qM5P_mrq~-d-E}-&FgY0~IwAL9^
zr=iauBe-DC$VDdA*gyarYLp*>7gwi!etE3o|NOG7IEW$5!n|`3;R9-9GC0xtIHVgG
zb6*mkhtVDpn@@bA<|LX%UQwBXM{&_t+FtQVOW^RPbqE0Xja+Jk!8@#D$If|==c{`v
z0!?Q};=i1e+Oi+qJrzig3RS_9Lh+Cjl!qx0i1R*=7;d7X{QWcn*O@Ey#^+vNtzsDn
z{3_ciW#1<|Y*GBW{m>dyxZfqfBn&3#!Ax^mbYJBEpibjj30?~FCs*ectM9j7KCu%y
zYfjUpP+HDFC1yLfn@BQCcTRA9bN`R*W0zSnCCi@ZE%-K(SUb5tS8rxhN@<!vMkeWc
zB>Z<oj<;jXnkL><hZa$31#C`bTKYiuGNJ?ha^?ng?hv84U^HE=qjmU1659##HC<To
zim9m><tQ+v7TB`z`{Z;g%c`y{;4`J1uWgC&5l%#!gFz`W1HyDvspTIi?uAi|3t5|&
z9azI3W?Z_i{UjnlrVtFGoU82bmmUX{hVX}B&vUn_AHh-)@5xoiOsCs5BS5<EzvVcs
z$+2!8FX#anlZ^-6(ZJhcmg;!Rtd;|xqj9vaIY%YbTUhxF_q}A1^Ha~SLzO}II~92x
zqL}O*Sh;whuP9W<TTm@22>dT(Y<c=jAaR^V80L_1iHf#2m|Wl)R2t6r0+B+wmJ$?!
zKbsd8v?YY63syQjSaP6LXxX!YJSyin2FAHTXvG}p8`qIelsBN}D})(0&U5Is-rU`w
zt7%axxrJ%GGk-3bE5;zpBVcjV@mHC#({l)!!rilx<noj~xN*>XjKOg_4u)~lTg0UD
zNp?BcYyY+!Hhb+I<aCT`gJBPLQtmeSQ!s4EXpEZCE8LkP=UFH8r{;H_xI*4)y5@K_
zJ4Dh*#g45r!Y}&AG)DRKJJawyTI2V`(T->DrP5Ik=ca$;JWu4690s;hOQg)efTcm}
z8@`b&IIf5>keQm}N^%9xZDd7Re#zlviIyMGO=Vi~5v^%x_tOzgnwv>VsZ8ODV%2G+
z%xDVTpKe$rX_-@SE!%)n`PM=ZKjP$2VQAmlR2?gb(LCRT;1Wn4NU>)=f$BRiXY=bd
zANMX|W#AIh-rj${x))!`>#*?c%tCb6O*a!Uw}_D!a_9C<gYnJPj3mK~eRe8MYBGmP
z-zMw!NVX3S(CYM!?)aCBwQ-M+dTyvOKQGzg#1b+~cK+Vm;JzX8C=f8_#zE(B9a_A3
zWrd3$x!Gr3mHW#d+?D@XIsBQl`ZE{R^KbGqrTjzw7NCEV-;5N|N}x)l$n&v>QKzkw
z-H<hiuI|?dlpQJnAy~o~ptE5N2CP*CmClRgo1-8c__)<e9j|~?CWm;r`Lmh@vCEO%
zDmzn>XP{?nF5$$ldGgAbVSyK_;<_haW%9gXP^jV$|BB+{v7=I>RlOL;f%u`uFdhY?
zHbR00A|@-JBoWl5)^{?x<s*UQS*;;A))oB}cM4ENq?yU#nhI$6SRiIp2oib=zB)fO
zO7}iLQ*s}b+2c2P)r5jejkp8Ef+~;-0W|@ir>Ylx-bZKnl_A4%c4U;u_sYh|I5F)^
zg8nZ@Uq}%XqHsSgPVTeB^gW@Z5v=R-{w!)Jq0A`&Ztu4v&QE|ZS4%L~F|84J$v*5@
zO)kFa^P?K<nHSiZZ}IKeQq0g(7#DI7kwJUW+%8R}V@tRU0A~Z|4R=9`+FwebJ!}Je
z(m;3D$5?6jpWb7fJRE#A4tW0d%0J5QGL=Fj6~H|qjpa5is8-B}@Jfs;>#?)!B>=px
zNV()~Vp4W3mR}Y=^cHIbhEGCTVN4FtE4OG;Q}iQ*#eQOj4Cz)9Rh=c)&N~5Fiz-X2
zQYy&wbp$M62hWRk(8Dbf@UvOb3Ew?ON`^0VL5Lvh?3SYv2JqX`wtv9F<tk$hNU+ej
z0EXJ*_{%txd+q}&zp6|z`xPSF4^R^3^bSVFVmT=obm#l9y8YOQC24GFOAt`!3qW{P
z#!{=&GtE0|ot&WKS#;!C;bL((K7WIhM8#@@#>Y>I-b!8Tvc)hGl#i5*iW>cKhU;_4
zBi)=4m$<vkMENF4Ox>ZBRNaS9Yr$Koh$i6_V~>(td*<0g$1ou$=S~GZXBLn6Zo52A
zL8g8Mt+AYtqcbgQa8fsY6Y5eU<{gs9OjBP}3?ipjrd}2$NICT38j*qp-;)v}B(b>4
zxh9qj?^aE7)VGtImN`JrF?2G<iK;qrJ5?N9{2lROb`vD8OGezWxqifn%Y>Gr@26)+
zolHP=TKMh-?v{w$B+rm#USc>Pq3b9LTedM#V%P{0*vfA2Gq3AN4B;a!?s(5WZ1p~z
z4t5R4n=r#>1tWE7ucy29ealf;Qj1aNNF4FTu$hk#N7g&UED;bBIzZaVwMn)WM&4?V
z_>FRF8VxpnYru7Vl<usAGVDnc5As<w)>zZ{VY{o{AqX;Ng+_1M+$U`|n{1W`a>FXq
zXHS0R%)?igsmRS!U-m?-B1xHA16y`BusRL;id+hti_yK<T`(&AsN6j@8C?#{av3HU
zv>cVn2`kK9+9qZ39FB1LXXBh?F%1U;`1Qaq04NeD72pJa&zz_<Ja8l1_g8b4Cx+B<
zUM+BXMktC5u3idH%9Tcm4RmS&=NFYbFpXnO?@m_tpUFW!pPG|#zd)}<V$Lpo!vh?k
z(w0&{U+f`eK^JBM>O5}a#sznkL;IBZb@~{?#)*NU8k}jBCn|bLU2uemb}R;}X~(!^
zq2*1Tq6hSF`!A>iR{59>Z{@nTaQQ303!1L?&}ezjn9YoBeTkT43}5@<n)G$Mkg0Zf
z8+uA%MIf?Xy>yv@Cc;5<z7ifrT}WV9se+yIo(6DL8r}31a$_fwdP>yTx9Ol9`C_f#
zK~kt~`t9`|o+ns9p_pg#DX|u~2tnILF2x%i?Xh%jm$T=LDh=*pguQ4t6~Fl-hhs7o
z5Z2u1`-C&K8%X3De0O2xJo%??9VEei-H%pKE9xm-O&vA-Sn(C8BySvu7)Iw7y{Jqd
z!QJG;cgCo>Batx0PyU_dAtj8)E-a}rq6B(mxC|TuMXk1-j8~N<ISdX%Xs$HKuK3YW
z#+6@sximM5ZOIJQyYe$8D`1tKJ<+$S?Rlp7`fZcUawT<?Ec>}&)Vw;ZyfxfBEwU$E
zi0FhYP<D$Q)|7gcAa9w9kVdLoE)w6XT%HA#hCku&E>zWjk{|MK@^}B6{2YA$kbi*g
z-{f!8PH&+jf9rq{`#B&em;Gg!+N>9DZ#1}7q;ah7+>{Gz6o}IGl!GLq^{d)TkggFM
zw-^CIWq3oqN;m&uP&?{zz<#+~`1%(MUN$>{Qp)j%Euym4D4A`w5Z*YBs=a<?-b0}7
zyo$jx^i$S*f+p~g11kDywrNz<Dx|Bwpdk(B1y$L@?EO*~+qPtLGPSl}S8!hPH!oI|
z2?6?~YMPbElEVx?14FZ<wks2%-grji4Dm_psX;$}?UnWH${@s~yjS@T-Era49y8@y
z`(RC}dk0f>(hwN;lH8c+5N5OI`Bs_RXPsp(*pPDy?m-UMJhZ`2`dQl4B5!Ty%e5L4
z*@5hUXjvIcI2RDooF04?bArlM;vDSVCF!||>CMa$3N7?XxclP)PPwFDVJfw?>dFiJ
zr0ZB5TT2t0%ACQ-l$uS76UQD*z=3T(T$t0yP59H(Xog~Bkco!~<!6lvx!WCwVSwug
z__VQ9?&Xb;>|J(wi}pZZIbO>zw=v(L-!CR$17pHg&^&7ArQ1TSt7ac~6$+U;)w?g;
zjDem0r>TjREc+JX9oO-j*!cFC1EdXH08O7M*h<O$+?car=$J~LmKwYS;rUxnwO2z<
zLXG<Bg+XmN?&zB5ZStFqm<LTHoc3B0?pPDNZo2OcmvFyOQkUEKoXi2+P5fO}G>K;q
z_z&~FAGHb^S=ljs^xDMt$TGo_7wa-$+F$z%PK8wHv?|HYmzaxxff$VnPr1e&4Vhb?
z+?uao9|)fi%VQB^j}B9x%a@<5RA)KrZkMFhfKnK%!QfGREfkt4T?O;uyr95GZBJVW
zu-uOIKUK`|IHt!7o#`51OaJs)1;}ePICBzZs@U}p6y2HUDN2|)<|{eNU2STzpvn*N
zPYCib>dgnL)H=pAzlZMV0_xg~yu0kplJ$=~9c~Dm+cq&>Ix#5k>weXJ5u~zsSYsGz
zXg>{e1p#e2_II%xS6gpU!Lbq7iT0PDncOPt=ccQ<lL#asD<t(hPi!SYW=zNFa}4+%
zH3~D94-_LsyhuABhU_V@J%$RXN<~s?kXDVg7SSrOepCp5Z@TEmcVz$WLdIl+k9w&y
z(V%T}60itggQo1Ecb`X@oLh(gK6~evdIXuG2Y9uW$mM3>cF^43rc;~qZk_+J6c6vd
zD-0E7R+*#?2%kS9Ws>8ltT}PZY{!DZDv7xcKf|{+lWTCPotY@TgmSrgZ7hr#F$DS;
z6u`nzyE<K%bvpg5c&ng9%ZdzaPjY4g9v7m={zBTk){UWXU&g0pq{|-->w*URJ|QC;
z@49M_`$%pEj%cHJ(GrfXMlpeBlI}_e0p?mjX13&>fx#qUr|<WezfZy^Cr5L~UPf3&
zGUwinRe0S2^=R5%vxC4KSPHr_ELQ!QOKIvE%rD~43)>!9ZY_vtBFepJyreWLU&8Ds
z7PZngUy;opRVUlQI+}v@Be0p>!(6kNp)UAOa@gV-_Q>Qw6;ug#9^<|v`S3@B;$A0m
z;FcJ0O=Y>-S4b@X*^I38cY*}7HH-%N3t#vh#h;mx3X;`9yvqbpi0!AkRvs@sU(=T{
z12pyOZLL^KN^~Hwu{A9XUU%grVb<^L3>GHaDd}(|pXxI!&`=H@njlSq^I2Xb#aqeI
zi%Rg-(Af8FP<ohw*WzQ`pIBIeNC9Pu5~-ekcOB7oy?~nJ6G9TdbuR@pB%LxofITS9
z=-7|)K(KAkhPR?jch`G7qa1_8wd+HD*}Ef6H#&sxdy^A#(f04(yJ|Cz-rYifVA_=j
z$%I@JXO)9vTNF$tt5ma|Y*H|wXdo-5SNbXZewW8!k?VE#Ycs)XrvPeDDc0CgJuJQ5
z+(z(i4~?tPY3FtEaY<wKbmy1B>=kb;bggWnyQKXxyOB0T!!+B*e99KPrG6rt`M>zO
zr{+x8ZVSM%ZL?!19otFAwr$(CZQHhO+eXKBcCS_S?W#Um|KL5kYCiWn$C&@f|JM7T
z@<aVAfA`<=b07atejKa+mtXu(qB{FFq7;t3fR~k}20m)GTlJl|BMb>L>Qe1>>w1{x
z_iXMdzUN8TJ7x=6D=sDCFMxxONAvDp9R^ad%)uSi<3r~sC0OHTvP>c9(B$xeg8t6y
zqQbz#A8>I=aLh~Df)#62vgcn#=bnxHEI7cI3oqe*LDY{kWfSn^a*yj4BIPxGU=^$~
z>--t(EK=faznQo`iU(wu?LS>J<&XxgA3ZIlRz3)%?HS}#xd8=6W7G2;5Ios_h0F^<
zmEl$G`uaP|_eG7gTld>h67aoRZ}rtr!qf+IzB6I=)bZeIsht3&0v;xZC+C^GSDWc@
zG6|vz8o`A%|7NSEH(?oMu4RHRkXq5WUJi@fV(3kF4~@J%-v7MB%oSG+;mBb%9Pt&O
z6KlZW=hkHF`u<_ES8j^*ErwuM?Dw$@x+#@A;J^&0$;;cfuI}vpy+@gdBfQ7xs`0UD
zzu^>Y52fsME`~Z7p*NeXi5+ctOpleJK_?THwqB~%mW8@y?5!o=R#a{O?S`e;Jr>Iu
zC=otkM%Ul-486i(!~oRXyFU|@<%zd7@A*=#rXc%*U!>7;`-KNQpQ3hldyllEE@jn_
zvmn1{D>_7nn`sSYm5fH3%921uC;EDET=rF~2thmx5=V4RD)RL<@9W(spmbU3#CPpt
zuySs$k=7Q$pc4mE-or;o`~XMUL>v4fvGPQ9^e3+CP4|gSvy^R7`q|6ex(jbqS{p9{
zyR@%4Ig=5Nm0fJf3p8RD9`b0AS@lugmPSZkewY1hUqH&y_-j<<ec{NX&5ez0ceyc0
zD-0=FG7N*V>SMfM_0|YKZ2QcIyV$NmczVU)ZeH&K5SQgMV0_GW)s%SQFvU7_X2@<Z
zB?udkSbGf;vD1o)Mi-E#3%0NIOix<*xnQXdxs#^D#dT1j^&@Fc1z|xf$?YkXJ?yZQ
zJMHuFkubHw7j4jcDu}O!73!M*ip7@6bgYrU9Pl*x1N*hnNlxtCe4IYq8!~b5BAZmu
zSrPb(-i#106_Lgts9cBtEk-;Se_^`L61#WDdXe%p?M1;<DDShti(+x`Dpkm^PVaV!
z8-I~Chz^Jje^+Y?YDUhUcWMNLk>|QLOjAcSBDXf3-Z0Q{(Qw~mYp_%Fh9{};U?iUO
zt0R~ym{+C7?>fP$K5>g*oBBtZOicsS358#dM(&WcUdD+R9~~gHdhtm1u=$4g4e|aY
zVelw|_3oczBM%uV8{p@YLL6Qsg=bFVHlYHM<~-`JDz9jT$Vf}@UMXG5d>;F}btn{w
zt*U{G$H3G3JJ7FRH0knbyf<farX7ckG0*gV4U!Zw0{oR}VpDhQ8kc|arE>@$GoKnw
zD?xCsoJ?-Hb=sIY3#DbbLe8xfQC!4eaoXu;n5nM7F9w5kno1)o9ck~SDGhi*iUsrX
z5xFLGAb%n*jz02aTgcY<{%##i4y@mWb%@}V8nBm%>=pGCjK&{1ours78D3fLaMhuS
ztW<d@*L1@%G86Q=MSvL^M<O^(q5)dvUs+(#n85?7CkyuecnJcfrYMF&w5V@|*llMZ
zi;K#A{Dh^{)cB7YL!1Wix8V1MDiH6Y-vy`L`sw#rp@|f8`?eLKRq(5y+|9N+Qd?M+
z^s}WmjpPElxcb#!>v#HFH++2g)xb!|0>fta4x*97Aixu%{6~{l^G(Jq4&_R?>%y>x
zozOOL=wkrUW`hP@a+ti2B#d|LFGptINhFWX!Ef{RrI(9Fz}p*Ey$#$RTStYu3Bhg2
zA@wOTrTf5GZ_*~WV@h9B5>NSO8dc5f_~G%Jd+PfrydJV?ovwq`i7f;vhS6v&N7<_Y
zKvs`v{Q(=+X`9_WHT%A9__@8t^ghQoh6_`!Vp^C~+B;LQu+JN`?x_3{ooUtcq1FPM
z{Y&GqtFmB0aN^WU_f(?g|Hu!}_n-1Z|0{pj-|`Da|4;t?iNEC+OdznS5%DLYc6T3{
z^rES>y0{G3<`?FIuYFftDF`M({2q#GC%s@Cy#?9idE}(GB|$+J_ql_qewIk(oOrgK
zXASc<EfXe2I6z%k13uk&`tkGWow8@~S2pWYhzV`U5LYG1D;^w8Xs&1Qgi-aMHb{3=
zGP@!eP+KjP9>1V8!xg-1^jwjrAB9VUeTd}UbUn%+ChoLUJrM6SIl|kf$sO!AH~Mz-
zAPdn@sG=*H1OOVw{Rjxp`?4-#SEl{O{WZU<q^?+$A_&EkOXz6<RKYs+Z}v~MISC{R
zru&Y`qJ)SFUK#~9RIdz{zJn(Al<gJ>nupgToa^dnAC8s|&MMXlK)-3I+lk8@yCp5r
zsCUu)6G<g&5;Ht1PT}(M`kn#H;C@hsZy>YnR}Cqr+!hK!X3Vt|Mr+#M_|}@}AP25~
z?#7`Pk$39e0;y~VhwF~XY{`v%5gd4ULC@j`83kiDmsW}x!S-2wyO}GJy&xB$cIQOl
zZO3~3smr*oqwPKCp^sAB6nh^3Y}9-%v}3QH6l53M7m0cOQ~65<d7l5miUWG1B9)^q
z?C@t>Z{FS_mczP&gFIBipr1lr_<b6XW0I?EbGA>?I5Nw&X>L>L>!Jr_xs*QaGsXLd
z>H==)aSOx>$<z0Fe5*?K*PZ4~Zc3&QX43+HL;Rl4yd<QPqc(+tTV(&)=ta7SkYT}W
zZlH(D-dyvn3T`!^Ce5Mds~^?9R|6-*xu^Nir*;_WN|$a%5^k9!l}*<L<Z;%!1e0<x
z2tVOhYQKQ~;m`N4#C<OaLngw&8R|l{BY#f@;6cZT@e2H0Dc85mD{wi4Na^%1s3Fh@
z!9<gN`YgYPmu`V}>gkFSQS3?oWy}T3=QZuc@rSUPiJ2I|&qi1svD+%{6zu$*D8P=%
zR(Nb6Le{q(<bH8DvDq1MnP9YWhCE=P{S8U1&qFZMkHz{zlc9mO<>@5Ou+e~ChlGu1
ze{!oU^F1xNujTTaUq?uIbzHymyi;+I9zNM&CoF<$IV>({(F;a-V?+etlwzQVD^VCP
zOYIt&sGuxUAiP|6aNd+BVw8k~kZmL1;)5_EFBYaii3O6BV;`Num^;ldzNbU%NdW_@
z3A<d=6i}LJ^n^3DYcM=2JB%5yU~4|Bz>|_ysAEhve?JpEcD)xHyR?yGet!5AKjrHG
zZgrg9oL#`Es=Xw2R>Bmw)*(YYXwC{i({O{uQyeFJt&Y1xC=KtP%PE6OjrvTq{IzsT
zjRCfWcJe$w51N*3f!!&t$RMj*S#!gc!EF#-GC5CzSTYWIExpCRS%$WKfofus&;hbE
zKgk;x@+JFylPM9z!P;beK?&#FW$@yJVt}E|8y4gYhUi1<%_{T;v{9Cjb6Q0<>#<Vx
zKKS{|$d>FP1XJo7(X_o+zZix=gy(gWdkx?7lF-*av8KPN=8YPuJ#YKeu(X-_j1nCh
zQP6L~$61+9ZdEP$R2C`t_FE^JDefu~caRu(uJ0{A4#-|JnNm#S=cUC!`)=96DVD`)
ze&L}}xVxV}-()T%%yZ$IhUkKjfXvk`S0ukZ1V!gwjSWL@+BD87>#%wW=D0^&COkxz
zAe&3nY&J(LpX%Fle5)c6?$CS00*%UAgi3qgJ@5`#s5C0Ih>ildqOw~a4BOD$sM#)k
zupOO_jJxiOd!_H9f>81gY6H5i3%E)oM)9ptGySQFj4ljUCbli6APQI0VnQ~|^%5u*
zX?M!5y#<Fm;(%K1+NSB?SOwHs?YTB=G)a#3C|A{((tI}Z&%4gv#tGg+tTJOeOK*gO
zaNzHLXqIurxg1gy!B<&GE~H*u-j->Nz{^1~dX&2&iHAhzK44o^iE!ZgVnoc2mz4^%
z!s98HpWb`qqpiYM5Ir~O(x9~$GlmzyYr~r=kyJODlX(Bg5A)yh!~83M=il;+v;0r~
z0D`~ePncWjat{N1M*z~x`7~Bf8g_w6sS7O@74HAMSE*S-rK+<oidx@52FNaqq|17-
zxF_@b;Gk<thqJ3w1aOnApomAka_eX0rex&yDX!rK+J#smxpy{HJR0xtW*EIE{Dsy{
zFtLSKtvVp%;sWQdyD$ct&aXa-H#zqrZ~OA6hPVJcAfCG&uXS7+E6f|p&j!lYe@!O*
zAlLX~@E&=~Z;rTrasn}5nkibFecRj8fc=zLMKhkc)`6nPRZP7uz#fYJboHdk*r;ju
z&+j~Q8U>sT5yu!w1>yNt(aZOMalnq0BKfQ!8s&&%^An~HEeo4(-ccA{`qAm_U4t$j
zt^NZ|YS7R{8_4NP5vt_wk@CqBZg>9oyccus<S{JXeVHAq(DdsQh#w0TX@mx99KT!f
z)d0q}Vg%qugap<;PMHW-4#OKdKRj`>{i+ylq<Y9Ne(0XHdjub51(^+3TWq(vrPa&p
z9lOU#x>Rwb5oGn^g4y#k|EKIcf*D34KEK~8aVk=b?VVTczMK0OL%g;pjLm&+<K4rd
z@grjVDA60CsZpqy*E_lwk57t5*i}?$A=xd{xV}9A;3R8z;AbALwTYyqs<&~$E)S$V
zcV%hslrVupBx-Dp>Jif<Om9yOirrureWqO;po%Kc3kcg3fvp~@3Vz$us2n4X)vPt{
zt54I*zNk0%_5d4Q4UatJ-$gdh_ygiZ`xImMA!#+}lK%U_7O{lwMji}&0$mlTumWan
zZ3n!5!Vg?u&ti6&?VlxcN?I8!2Lbm$F7Y`9Q(QB3`TJ%;IFieLr=xn%deVSu3}KQ1
zo=_xGNT97X!oi1AMq0HP$odZCJqAGnPDXmMMxkk#_fLWt%=4*EgQVj-(_Vz6l!}oy
zK_@6RLKk@YPFK_iALy?GM0U}m!FnsQ+jnC7<S9Dv^a!Jb@HS7o_(gA9A?Z5_ls@@q
zg`vff<>bMDJJ%QCc`N;wl@8F;^2_8-0uOtoBtFhRRN;1(3nx_s>C9e~+thISM*<*r
z!Y_fU?aR=s0!b0m1|)IA5~q-^v3p%F=<sFwgVE{3#a##bfYWLO==@W2PNo#b1(e*n
zI2a^?H>rYmQqgvngWzhE0->eWV)FVyqG}z*c%wJdjoaAz7%K4#+$x8!vMV#b88<Be
zi}E|++}Z;cD*3jKu#osRq{3uY>ECZAEYnS2_luQL5@S)7Yzg)8jO+osv_yI++cEp)
z2JF@+Wk_G?sn;o8jk8v<jR-hqdA!`_`apBHJ3&v~CN2@XbOvi&Lfl_;JDBsc<BQhq
z`O6RgEl#nM@M1sq2e%dxyNIjm&<hAwA6Q?j^|(wcRFt$-2o;Qky$la_qcGGDlbI?i
zdkc?oo?G~7udah_rJL4cU!9t&BE@0+K5ysup#icSyig8TgN)Y`VFE{5ycpU)j(-8U
z8Xa;RPR&W&n<d*T*Ts9cM+ypa+YI6L6%@T8IEc9@lSOB|N_b*}3SbhwMI?&|Z`pBo
z17NJ0hFb}_*ay5~cY@CCVaIFku|1Ip-`+f`rgx9S*4Ym<{`LfVipFN9_2n3HF?AWL
z|6}G3qP6DsWUlHn=fV_aKjZ#Y06EF~%Mw$xzp%K4y6i!@Y?h>+;W5g7=#{qu7IHN3
zkZFp5ec|`LJflQiT&A<hUbGw8;R&;mez35B{=VR^#O*Sv>Fv+2EMmh`;v3sGf@H>X
zC)GfaU|(9Lv-%STeny9emQrk*u#<4=i-TyLhINGle^?y78$VY`rlyRC{WIkyi4z7*
zf2WpJy+oIvNd^$^IozVxjMibf`xQjw#@|npg9%X@$TjdQj+JIS4T3?1JyI#LjGJqe
z%gu#&8SCE7D9Ss4iZ32$<*;;6+;~7igz{oC;Ki9_k;}I3acqI@{((sl!6yRG|HzNp
z|DQ8I?7#AN{4Kxq_W$IU;{03w+B1g!&kb?A<SQ|Hd-#kN;HYHDoIwiym|L%KlpbRB
zHNP-V&16qt%}@;-+xpCl#M<LDTqWGgGWdYdm8$qY@K_GaeVrx#tksGGI6178#BkTZ
z0nEB{2=xS4(~F}>gYh>9PH8vRp0>T_%j@8V^k`jv#Uy25Fq#f0PNNWFB&cO`X?J*+
z#?|xWh9KY>WBaTob6n77H9Ls`eZW82Ga%Gf$aBba^Dn_MZ6A!}8k0V=2b8rB{T?hW
z4(VEIyMt6SW<u(ZagL>D6K-g4i$?t?hgchXHiL8b+QbI@d<Am>u%8tc8i_((Fv^m%
z`dsaAnF2DyKdSXLT6p!>XkjxGDi%&1K0%!DPb$79rxA2`I(Nt%mkO}UhnX@arjs}*
zClbO%UXFL0o^kk_PPn^74V2SE`O$r1b9?POA~BzFsSU!+%2xQ%7oj0zCrJWDTUoF;
z=^3)n%)tc0H~D%b#<c^PL!U>f-}3H{Ar;lKdYo#akE3vW@@)^0KqeB<kZE8{4Oj0A
z)U)T;$3qiuYWg#vf2z6>(=T35CA^#w0+=9~%kMY*lAMQW%6LLNG+g!$R$L#5$UKYr
z5c|vuZE2^8q^F3^F0yvH!y6+1;%+Io=&249+l|2yhwc}h-@*?USB7sC!S_}ThA@AC
zn`iGoGhd{3>f)pLJn>2t&{mRyzX;90G%;h0r@BxQStBM8QI-haWpq47b?iXlI__>m
zR+8^K<_IPvLLT#2Hbx(sJ{eE<YBrfwGUyE)pz5E;&x?}D`<0~Y_IM1WQs!9GgnU}R
z|J*lqnw%rrW^BJuSN){yJP<`RcS1|^{2@Tk2-o&4v`9RRzH=nVzUow&5B3Q@Z8h=I
zW{Ww3Md0AW{a7$_9qzdN!@T#E1NZ*MKx=Mj;auh&gF}zQ_ZYaJ^B60wkgEh3OF2~@
z+1O2l4hMp=zTA5x2NvEiln$PdeEA3NhF%;wy5c0NYb}lOy&O1mW6}w^(6WbD=yfn>
z>yKRri(b#963hUOA=%U1*Rt@^jQl_tc#UZWr`NzNGu-MNut2%)habw`E0$LHc2{1=
z+Qn1cAkgidNMXW`fSWVuFeaa_Vo=xsY>)CmfO-$9E}TD%bR+M~5Y}jKT`RQQ^c-63
zwZ{CXG>@mB=IFHu3zoJ)2*9@dq@ZQ;_W~KBmTFLrsVus$1W(WLN(Z&+z9Bgprr!Cp
ziA6(@tHkd*OLgAOk7!Jx<2wDfF*n5ago<PAG)LQ;UBW`TjkxHGtFzc{=nNxBnE1O3
z6&p`!g*cXLN_lX0IhyFXEqUI`%TC*kDY^YSqPOIOobr}57|bCgX{tvf-4cz)<b#+)
zp&{<Ri@El(<J?l>M9Dk7spM2E6P0X6@|%dEcC3)KjUmHy^*P*y_2@!j3bdC9@bsJo
zadqmI*@x^8m)O*uzUY#K9gl^M*HU-;L+!%s{pv7xwS5VS=5O68_ErM84Fd#(D-s#k
zYTSp2&vHMFPK%1`xZKlUA4h?dUqHwFYAm8wVOTYcG6O})Ml>OEuQ|hx!0rY!X{&yJ
zyS-R*5{VYIRU~MzcXsB40eALBONZ|V-B&|hg8EURqW&r-I>)s!mlwAHpNbWh>20ag
zzVmx%K1`>_|8wzHjmX1XzwF3f0)3^X>fD4E$Mi&`>8JNKoKulO?ij#1^=<G~BI$HF
zgT}n4{@o1=GN7&AZ9O@XHy8{U@$gXO2ZnXl>ACN3RMS+j!>VGOgTO3A$n@@Ey$-A~
z(@jJM<LELFGJfp|YU)SLz_`UfFA*p;9?90&KkMqtptmcKWspz^@+D8J9~%!}#tYrN
zI(Uv6?>R{$ewZivxi8NbfI1FObZo4Dc`HKOjhMIsJJrNw*;9+SB+c()a{A`bMF%l=
zHy&THJRHLdU9ggao-F?(Kh}TC5BIP9?SIR!82mr^$AbTsKWlT$TWQ)bD5?`)N!_(9
z<|d$*->-#lVn_{LFqKrf-I#BykFH>-R)4Ir{{9u^IP>j_A-$QK33)0c)uA!SBUemV
z0SjbCU#@e(j$M=8eF{P-DE~Vsd-+05BY?kUbQC_T&xK!M@Z3T``RUO?JO)o=&1rbd
z<+8unK(SQT0Xg4vjl!A_#g9gS$IvRpaUCQ{5ODPy6~fn$Axs~&gw|bz9r0^{+_D_G
z%<8gnW0#OPg=#hKoFi|;-e8YbVu656YxL(Nk%<lo71RWTa4l1`{U%UmjIzGBxVl36
z0{<Oc8@J-EkN{HfW(RMM?`Olb8EMQ<0S}K)<YYZ#OdGhUOKKaM;#4Q9x82?7-cQqI
z_)|tG=y7F_>1KB0fTv7jH==aYnqZ{MOH`qr%fs0$2GyRW!f6B*GG6)ivxPPG4ce(x
zc<D;w+lfu_U#^6-32pRt%YF=qg?D>L5p^=`$*xLja^*m$DDHJVtyUa_FI}32RG8{}
z6lel1O^VHFLFJ&IJ9ZD(4%{VD+Ltm;U`NB44e`2xf|=YrbRAvN`%65T*`|3@F9q40
zxkp#afbEC85nDPMkL4(Hh*0G<sW2f95QxCn=t$uOV)=HlY3(?ibfd2{2Wt$DH|9Gl
zx^-@eA7q^M_YnAY(CvCg>K)T3{O=k*R$cOV$;;aauJWfB+xJCfkaVrdS9ztT;r#59
zVr`KSAx)-<SazD6@QUD2y`8t`2b3ilZ=ml+O%d@4>mY_BWM|W(UD?{Dy&A6i1wf}u
z--V~%nEro`k;o<nY@KqN2H$|49xWlrMT=@A44txAl+{mu?{K37Ex_;X2a_?4^zGv<
zGp$IyuYbK}z|@GDvVhPPpSUFbOqjQYHyHAW0!iYWur-Sch!DmoLVB>mY8uUBQ>a&@
zp%{|r^JJc|<g~lHPQ$3W4^`f?HU6G}=cD%5y<~d7Sm3#Ya+Xjd>KhvycLv$&Th8Sd
z?kBO@u>qw##g?J3mvL>Lk%oZdIu-t$8_o62hT!Zmubz*?VcyT&I_vxubrRJ{eIyPl
zmBG=sSWEYfV`Xeq?2Min=mv5U8}a>^)Gp&T&k%vcXD2h*XUW1y|EgP!+>+lG^hE{N
zt8*8cSrl6NK%pa^jTt>=l<%$fA@CGc*UEzqkKxc$TT;sqry(BlAu~VvyAQk^LxiKo
z@}hSly;X+=P^R=3I+mJcsT|Vi@Jq#tjjy1TK2?4A8dZc;rI~*bry$$_j2KY0BSm8g
zqstp%-<n0#b}1gm<Q4zf4f-NHLZM|MO_y6GP#GwoMd2&3T;0w<yPXO1+zu2!Cly~p
zMwkq*x5^<SACFUQnL5@nRBD*3W880@t(=l*xPq<_CYPUYcY`hus+6tkCiajxWH-z6
z(aw;Bfkm_aOn~~3tT|827HY^Wmv41fCwB0{kO$K%s9}e`gtYzO@CtuARVM;ZTb3D(
zUroVne55@#F*uA2e`Nq78d#VIY^YxBSj+<C2vSmVQ&w|Ralrah4sQ=Leow&Bg182?
zF`v=OEMhsB(i9OjcRoY~A;<OH>}%+RKaS5m5MP&=X+``rXMkR$k7z2)^~5iDyO8UC
z3_{HVsAt`Y3gy=>vx5a~nk%{I!S&LeALUkfH3NXmkJ{i*p>d2U6NGioO9oVHPh&7M
z<6_~dYTaxiC-jCIK=ByY@>9aN*mCXQ^W>+x*E?ntz_8%ZCc*4-{9#G!{`RBqF0nKy
zghw~@x-L&32x$K6+2MkRXS;Vw90FK(z_#>A62_R%8-4SrVYlDxtPh2Y?=|e}iMb;^
z@VT7BS~*zCtf4kJSWJavb=H{=!zb9jcRLPT9uowDup8uA$voV|P3MK^Og;hu_*fgD
zbP0r4*P&zOdJ)m-dWdAP+0?U=@SEav`cDt2d2Y);@=yG?{P6$E-}bls>a_op-^lTA
z`6VhPh+D<-y?B_Gcic!Ab3hC#naS9Fb)L5f<~|CtY-nnBS5<t;#RE1#?M)1-x#|t_
zdXU5SlH+NG-r+X&N-^Os#W_B4o>y0VWJ~-$v2(sqLFd8EbTrH2;k5d@U1srhPcH1f
zN;E7Qyju&Nf(yiJ9B@1v8aN$n#n$nj=cNor7BfO`Qew%V@Ms4|>?ojjPY2#p%-Z~F
z%COlS&HpT{{JbajHBfuvBX)x|LJ$}Y6$i5^=*R3z$2k2N=WSXWR_7V2%p5d`Dab9M
zhZC;XAL<fWh8I{DFqc|S68pnIDAKsE=-U94#lLZvbZ!~yb>ANAL=OU-SP<Z<79;Fc
zcHZ4gEw0So_x|Vg9W*85>}=+%zkfz@rZ4i9F^W|RRgI-8Z@~_uJizcW@9P0(`iG{T
z%uX`o4wtQ&Hf%x7F+j&a9`bSOwtli9PGd%B!<1J90obms_YcYOBV7!;d%*ZGA)Pci
z*z|eHSE%_C7q~7elOK6A2sGfAh4{m&ZX3|+rV65dw;uV*@(cIDvyc*u6zPfyi3NT>
z-L5P`Ra2XO7WTOy+xvDS+2EIS21xn-JY@Re3i(bu^y%b{*nqnXj9n^|{y!&ZqMYVD
zFK?;=r5-)^VbNySx*nSKEf2?{Y5LEodmyoVP%tnp$>74Vw(R4YTqym+$$Zj0$5Q9z
z9%j{7&!Gr=&NMV|cI9e(Pog_OOu@V3&VaqK-_NoAFz;gb=GTaNX}XHIJ7;t+486F8
zsPy%OJnqz++z%`Z3TE*wRjUmGEAShltOR2kDeI2Ga&0;gsgry9_TzG0%&sl~4h%_V
zgkhstjlW5^pBZ6SpPLANxYX}-F&+fMY~tHiLSrNQyC8b^!^DyT@1NqJC^ecttv$9r
za*BBLgB+S^X&4@^k~7izOG5Vy8&#){f#!$LIA6W!$M1|M=s>GkNM0&Zb~H6T^#oP!
zh7&>W$g^p_G}r%bB9^EUwDDr0^~l4@YqX7{$qv+K3TRl|B|HW<+~GW`z*hK0Bv@Ok
zcn;JKkN>cFomo#Fva;s45BD+pk*&j1R{9bz&8P4rV>a<_h;POfz}CyqP|C`_M@w$W
z#v{}NDV6L}n^W_YGcS3wvXjq{=A!}-{yW{=#d}0hmU4i%SDDQ0yEeAdVm3m<Awd|`
z0M<5=EJq>i5IA@}OX)3lP08}qJD;BIC@j-_52R|A(e~t)!gEqojjN$qK|n<S$aOnv
z%N})(iIVSjem&IB#ItY@JXUos^mv44c?Im~yavG-)5pzxpUl23)J<vs{X6UXPJ`&k
zE|=FyM3zBQN`e8Ljw|xki;w7wc0&3Y5Wu{LEv>KP1nPbS?hHT+q%_%4tGo4`AZ1AZ
z>fD6`?lA~URkJ{v$&{-J?JTcdIDQObz*aL>VGXz!3+e{aeWiB#trF{695?iNW4c;F
zgmRefcSHs#eiTEUIMuhf6~Ih1U4c>*yBT&cHSq8ZlQ@Kd4#3iSwd7@wzkTK9rVw`&
zi;L&r=IM4Fu8D)HWfilh1K^9XJa4C=7y65#cxgF?&O4=)M<)a%S4YcUdL%=9)RyMO
zyt?VT-z>2A%){o!VgJx?7bM>&DR$iggijVHg>z4@aK7=J_La24DD|}2Ja#gwyVkw?
zR6x!msTGGlD2MITnZOV>J}SD6LWR}2c7QMSvG6_nK@fvdXvb{{IyuK6l69*#x2CTG
z-Z0Bcg2>dL#nYfJ<FQlD<&7fzTJhXIZ4TF(tQHQ_e1}WHQ_v!_+T+l-6g7fN8^upu
z0Nq(qU{zxmXSSY$xjXa5E`xn)MSAY!GNAIe#~1XBHz3j^4E|K9`@iR)<(84H&KKa%
zW-X1=Q2;8&E7f-fwuK}TWSNb-F!S{K!&b~JiEL1S+qQqvmq>Ms9sq?>SBKyJBR}ZC
zf4=r0{40O!-}37$|4;ruA0_~RfDllBn(qGH?ZMW2m~hwPCuj--$<-(r85_<(ylALx
z%VxZJ^Ja&-wn;867#k1gi$X6g7V)~q&!v*yHjJP&qnYGbws@IXDw8PDZhaX_E#_F)
z#QNkwI)KjeY%ZaiYcrS^ibI*3GA66051`_P3pDwLz<wc^bk+`Z6nyb^=wn#audG@j
zEWkFuhBncu*j=ZlTe0IQp)Tw?s$U!<-nAXpVp~AG@!lML&i?jXIkC|4Maq#VffM+x
z#NYqI(;Rw6!}@3Y0g;+2^Ul2}4eJYI$bZ>Q8(4EDN9!G=Q^rc#2L|gI2$xriX}Sq<
ztGWnm#_!m?hTdege^z&y8k+p7FTIl+IMIbx;H{@Wte=)*kiX}F_S+Z-W9J0REinZl
z{etk8g!)M&R%X%s(Yhf^i{wi@<7;0*Vbb^XpnHaSCfJ7QXT^oM#OLu#OKhec9W6QM
z#!BNt+<3da$ayqe<0^-^LFC+^lShwCY$uuE&c0S1uvOXV7wLj<>#>TI55y$X%`mNy
zJ4MiN&af-OBS13<EwLNZbmh4Im9!;P1nW5cpMx&hEahAyS$Q^bZRNHx5Br_IEZ?&I
z<x<K&**{f;f$V-u5*M}3mdhiCEXfY8LsFwY9^NAhw?g~BUz=+`wCE1^(Tno1+5IF@
zML56H&U<1XM&fdCCXVwfeG$&RexE5m|D-#bHs;UgyEg^!dQ;l6xKM{<%cM)hy$_@K
zbKA_OCi{tvcks-_${No|>?T&R7J<!_KWDSK!H1!q3kMuBbxU8{&@Zy;GymqXf(4LI
zWTru4k}Dn`yC=>4E>;GAdsve4Hw@<EEv*srqKfpe|4Tr}N!WafdNs{cx;BM8i$biA
z)2V3<3)2QOdYjM8r?o_|iBBjj;Fmk;HaUz=w|sOtU(S=M0rHiR5&-yN<YQMoX``13
zAV=jOg{h}!_?9<sj%!@$gc{kD&BLTEEmV~ab*Rx3hmT{)heMdrT6r=v-cZqWNDuY>
z-nQ-u|AO<Yy4dzuDEY#ok@Y}gAZmQ=G}%5B1b$4<SV7B*YeVtu(f4xR3sCpPOB2&V
zs*qXn0^_T0Ru3GV_^2CtkNb8fQ{N#>-KbQd8DJ@hStwBa4^uj+n`yRHalM64#7f4o
zNf8NLVdbud5@zDUh~##_)7y4G?S|F|?Yg<Qvcz+>!Z$Yi<~LDyq$}34Z2|bzAnQ-Q
zqjSRMGkW3ucGWC%;E*$V?U?rU<zB|}g&x<rR{mMj7c7j!T+ib2U)`UBNA_tp!V@x^
z;qC{&W>o8Mh$#z)6jHZnwkjj3nt(rC!{TacYc({qP!KT9>QG`=KXK0$9kcU`rS0ED
z<Kqyy&~pN!dZe1}%9CZbURZw+*jqZy+*)>`{UXk^%^C!yS&KBcBpKhj{DCd?Wfizw
z^&MNevH{2s;5!FfWf~ht&jT6eW#Qj&Txd$E<MI1q02ea5FLy9vrdm^oUwB<w&Ug|v
zdK~9el7w!@XT|teed`1D-IyI=O?1;0HaV`dRf%FU-C{Q~#Vc@fO%e(jFz<^Ab^(ya
zJ3e2>SI?7fspwO&`4}0SS=4f8<+cdc$+370{S?x9kSb#%)pkj+v9xKY7@-k7AGcue
zX9y@qm&_u&{clU15=lF~rx~_WvJ9k75?tVJY2>@pcF?8k<L4%pJMK1uKIM*GS9qjx
zimL}a18x0;yiu5}B!1_IpGN$Cr<tm^KFFHKA)aI!v4j*_qTW0hP96SiJ0ynOThvq1
zr2w5=`A^WAahk0ktHIhw6_Wasax6*J$=8SLrLd#jBFXDh03;X7^a#Uv4p%?y!6>yM
z8nVO?uFFIUW=&naD?}v}D3Hn*YI3y`tE(YiYd@wvfKqF_9sJPY9v33`uSON?nVrLp
zaE05}H^4><l15?B%t#OGtSKSz;k1GO?K#c-Z}}1bmA~b0`Hj5)Cx7kz-||;C|8Sbv
z*uEDznse_|tm=%A1;eF(Z4Dxxt=ePnR(0SdDm8s;7Tc?$K<#tH_BYQ_U*n`Zdgc-Q
z6cCvFt^-{47T-?}^(~t2qW=AKOS53yi$~l%fvGkUdAm+{7EE=VeDzk9H8%2+TD;5w
zuraOGGnIcn5CWwvsY*DtPdKQ~;0S0#viDW41bc4vCumE^Ip%e6*CZhvYw@G7Qe&eG
zipm(E6S0JEtu9st;UJQ9ERz<c070Pal8yuT`D$#SQ#u^N5(jlw_Z>;al*n0&*Ni}~
zcqjT%%exH%D?p*$#?=?_5$V(vhNy41mM*<SuIwW~$V5l*sl)WjS$kWxK@ARKuF=ig
zx;Ie>M^_hgC)Ig;5e>;KM!lj7VEpIOSgAO3msnzn*%@LjnY6$MOULxy*X#%qI?A6_
zAXgm1?#`<_4?sozmhraB@rl?a(XpfIm;?D>I9i<-E84j@i)R-;9)?d{?o+hx87DK3
z6No62-d)18&=U=0UEVhVse-leI6OI~;ybnt&uN{b9E!5qt4lAqCl2fhpz$7p@w0g5
zcfXv#RG%9Rjow)BjWW+P6smA*!Rwxc*KG`dc!5h)47qMyd6j_y?Q|bqGPkPc{@gZn
zJ2h)rDn>_N$w4x8-boAhA~DliE&BV3Q5`;bq@3yMPIgFp<i@V91O{~L#leEzN;mzl
zhrHRITIp)VJr&~${g45(ZVfhMs5{<GSHCf&unja^{&Ww;FWIPSZjZu}_LTz|;?xM*
z5a)qEpMx!;i`u2e6n+jmN`wjE%2Hus361i@ns$M5fh@W@UaC)UZbB|bRl|u;u<?{a
zfN@|;u3AA1@olw<$#@YI6wE@bw}{WnDQejJd;nrliG+-P7eR(LY}4xdDRLhhgU?34
zsxp#6Y&S9;sy~HhYN)?q(3wMJ(7Ei0ehdRzM*C`)K@IavB-Yh3?D%#-NN5NL!2h&$
z(BJb1St+ii3&8A1OgkK-zJd7jEI0G&?1t@}>b3N_>f&QR@mN`>Ip<wA7GUmInt^s%
z6BCApet?HsWq(SRs&AmyrePpnDuHXTIdq6Si?8B&j|j=9Gd&H-vJx$Xp=-H?*i3T7
z1QV|f-$H(VVB4d{tb1TqwJ|QOX<8xueZK}9#!i}B5CL>v?_DRydL0Mku_=yJkW2Q2
zXHyM>30XV2^$BIgwo^x+(JPR8pJB_qn|3i|uf?AyhK;Dic(#NCj1)T3@|i!M%LOs0
z_i3@79=%U`Kd#U~)Ee-q5b&hj1M=&BdLmfS>QYVbXn>S|YE@6`u|~LU&SoUN74!s5
zewro4PhE#acS{v#e@upBM`|K<cUp12Iqc7$^u9GZj_<CL<-eYaHNZblJnrg6?bput
zjKAy&%Q&8YY2xS#;wXIE{fPx6F+INlF9fTa@6?<~07|Bm-5j1B5dS^~>B24~&7q;<
zOtu>%1h#E;O#e09YL#b4#!F6Ej(K@bhHLq{X02|3h+yAiwc3x5c{knJ1vBZacmXVy
zyz>LLIe<44-sYM;wF!k^NqR75g<}y<P{5K(c>CvgyyFO?!)gfWM<l*_3eRjPJ_tX1
zsrJnxIJd+tT+m|#RXa<9`@O}H2coZ=7$21AdgmE%)VVM)ZWQ$n+>V9Z&^4mgi2vmk
zP*Qdj1S^*u-<G;~XHyZu6ikBZ1i${OO!?DP@`Y&$Im+%6o#!`GSDK-cw<e5*?9SJx
zFGMnm11yrj*?H`~eew4Oa`Z=@SYfA`?;#`Fn4wY@P!-z^iVlw2NBm~JL}%@AC|?G&
zJ|B7p<-`Yh{L*Bb>}4t!q!**l$)ulMwGqc-3yEt#hr3G&^(-)E?j69uYfDFB`s<-<
z$7b@_?Lhv}om&T(8$VWfp5_%DyM4%QqFWaRdc6N&bd@kFXmd36+CMWt!r*_-{C_$i
z{$zNY|CZl^^pE^Yz6b#PUc!INul5u81NG1|vc_ath8}4>LVjw7)5<6*@`t2sYiJ?f
zg{5v>GJ=}XI>r9Tl8Hspkw)f-u@eEdbakYfQB}>G9%JrGZ_40ZbKNg{(du;PTRfet
zAbaCW!S+z8ghRdl6656o`0Tvr%F}M_U;1K>J{v6DH%3du*^lVSlua?x+#~+#C^x5f
z-Oe^#tW>Y@knp%3{-X@zbHe$t=lakL`@z;JRT_dpoRUGBN<67Q6>qpInYh(j3I+7o
zVqI7_q1bv=HcwD)Quce~s3lb^y%Z~Mj?uywd>FROnoD(l#cKtnA?$#2Ej7HH&hARL
zA$`Uh@oA$!>@+cIw4fpeFGmaF{pzJ1J@?do_#GyG60ud*t2}XS(CwO*IvWP$)}|4k
zz+5B$s2(_GsRxB7%$gMh5(){1px44O?-GZ+_v8~&7GY-4aWpfb$OpLeOHya=cehu*
zGwon+dkG4ZuZ3!P+lW>awmSB{Z7&S!;>$3xcd+<5oxyo>gbuA|k{BxO<T%62Q^qlA
zT3);+zFj0e0$!|NxO4mQ8=xNN%CMof;@e3F0j=GiSH*#G43M931V1-eYlfF&STXqO
z++J6%19<RImKb>CepjV};C1Du{-m=cqZjWfa?G+Gy(1|6epVcM@-S@4A6y0>Rv2ex
zS>zhXvQGhY_ZB@Mjo>?VG9Y$|yl7VI@ND-Jt+T|1NBV4|<4U69YXFZH1h`lj!_G^s
z9cZF5_Xic@JS7tVeVwv?Obn=CLy17dEH9JVX4A6ujX1)q0mpZ~Nf{6uSYJ-4;y~c=
z2I9~9DW%%COoZKe-v^lMDFi&wNA^1%D1Pe_58Szav`}SyADy`nB!8)=VMoxQJ&#G7
zEkBvXROl{nQg+eJeMO8S%c$+dZ?>fuAt&|gnwCt@<|pZ_m$XJ@jOM3o-u|VsOB9z2
zE6b@)WeVad?^nKb=<Hbv(Z<O_sMBX<@{vF+CIto#kKpDHd*5N3oc4$czi4@r@wye1
zDWDFUh4;y1^LD1e<`7{JpLa9q=^^ebgi&fn8SP>BVa24@boPzvCWJwK_TajPV)&kR
z(vVJaiBc3XzpU1pojeZ#Y0Ml;LCz&Rz?8)oc(UN9+TY`>Io}N%^hb_*9P4`|`JJBK
z!t-k<ibVQFq@D14k?SuqTMqMoBDI>DO4}mb&1-Ai)sqUQ5BG{H3&q&=e+~tOs)N54
z@vW+kz9pGiowQ)dB-3y6vl)AjBg&N5-mH`~bDt9OG+9VCz0b>P0FMs5*~#*2^-xDw
z7v_5B>-CWoSjMtw!}qLzC8Ix0l{2cie@7oA-*jEOIP&()YnPo!056@H8(+$~2nbbT
zp)6pY8OZda`FQnFawf^YjMN5u#_-WaHm|HzaRYbzKAV?I$_uR`MB$VEjMgrW5_sBH
z+Xw5|bmfB9_ihXAqe_vj{O0+Uq=A#6FRAvK26nmI!*A%<;Nv%WHH<peFh#C8@LF>L
z@^&^apP8At+3y=f5y>9U5jzpJE`_W>C?C`7<_5;W`BJ>*LcTS3k`%*Y9htlkS}V;b
z<3RcayRs6mP1Y*K;a^6#tROUo4vH~qYTu?)2#E>`)(Lb#4l|ja`Rg=f5^qOYj|M<q
zzIuM7lG2r&$;fFA#Wz0yx?ddHY+M^;0s8EU&zgFvSs-m2VAmv9`&vH3k@zk^e-^{4
zSEVp<0ANgmMuaC;f!iPRSDGW0PPNK}bH~x88`xv?*cxFCuSh<*%;iQYP7no)3DGyM
znRdApsJP>Bni6}p`i{aSmF?TeGDna4)}SDA4G8i?OwdhOjHsoJ?Q37M7S;MkT;E%q
zwtn0Sh`)puz^E70T4pH|-^^x3lD5`k@;4m%GVSsmav1QSZ#Hgr9k?sLPuDNkR8CpI
z8U;mNcLDTavFo7db;x_{f8=-nZ~2k`mA~n4`E95FCqH%M-|}BHRgToNN#`y%|EzUv
zOey_3NA#Zf)ud+^qXJ{snvEe#R?<qMSeS=3CS^fh2GNxhGLV!TBr~!Uh%*>nH|(y8
zC25>c+7vrJ4<^%7=+#;ATYMt{ACys6;JMR$x#-$z29s1;n=1_+o9~I5TZ-RjX`xso
zxHRZ1{isrj*bTB3v~S#m*5#WWw@E@@(jBxOFj?IYL)(x~Xv*#>;9C7HnN1@VX_UcU
z$q9Ett95+pB}hejeq+xoV#h2Ep|1pyT)GQ3O2zn8EC7d5v97Du;-ChiK-Cz91Zci3
zHo3#fKZWco&(f7)_-#d52+BLB&Ip@LQksV|iDn7RTgP`pJvmOWD#SKszUKtgXK{0%
zRuqB_3nq%`xM!_jaQ~XRQonE*0!!PjD3oB%FL4O*61I~WYnf={xgr;B349htMa4X~
z&b@YBO`sIL24<jsz)k4&Rq8VRxJ7KztGdJY^P_*T6KPj2n!up#l=b))2k}!hc;QX!
z_aaCqM`aW^-z3ULC0G$u5cdk)LPb}Z(MG&5(ee5(N(CH7);dO(7<)666>U5x#MmTd
z_I2Nof%_C7>arwyWDYa`0!dyBi@dKM&BAC~sw((k)rhZk8ev}1=G6Yz?@KnG#?+Fr
zs<^=<1k{R5yR5Lalck95<-sMO@5LCg@DI9*@qT027I1z@IPbhk0n+ZGkm8i0&)G6c
zW`<H0$ysl?qyVyJ6zu6j>Fd+OmxGXLlVn0Oxve>VaVaao>YvbYIYm-M2SyRxX@RmO
z0;M-sDOt0CEG8PGo2gAEL>UMN5*y*=_G)zDaWINa7Z;7Z(HJJV+YwMj6LF{Ig@D_*
zr4>sx{e@5@N1482`*DxBpd*sh(&?a|Ls<r&-n-<pEwb!2r+8WcZOA4a*4oJtm6leu
z7BBbc6B68%^!%#FI}JbP84nE|o1>wHsYp#SV!YoH1eTcN+9HW6s_st87|v<gqR|E{
z+#E+L(YvgYE8#`@D3$(P3C*oi_m|%~m{FoMOvwaTDS8Pj8q|;&NVFs*#41Hgq~+Sy
zhNTo{08B<7@h4*$D5nV{nB4lHAb0bbq59z`^HsPcUDB5Ij1!Yk=@Br@MmV$m;?eBE
zO|yiC>2rsIZZnY2B@r4=yy<P0AKK;6A@Xn#L}KC^^$x@R!5$0;S!sDHal-p2z3Ygr
z_HlGG*fa6c@1orPgp{f#^8~3T8f@lV#7TSZ@z`>i(?<9_Sps`x;?`YPn2P9RKKH`9
zfhy;tl4CwG|5{R;171=_DyZMy#<htF|DahEh$l|6T7>^RTvbKQAu>VixD0ss_~E6|
zfkptEW;=Y`$0LzkOpYkI$A!Gm6CPB{Ovja5wB5*m)-z6Jq-qS7AQR+kx1i|-?y=~B
z76{T77m?r$1Y$}JF^W7tp5Im#@y7O?tbS=avTu->?6-QGfK1^Ju*6$jm9J+3qk`Q4
zUwZcBI%usT@HwAj=L>*5IZLBz%xEiB`8NBro#xEdAl%(YVgawSKmE{e!>K-kp<<E{
zrW#06|7Y#W`?q+Q`cez|l3Tjd&PMluWm%L@H9$}08JEN{atf{LByclhi&+BThTmxc
z8`@Yz>U`(K-misN*Mjo2w><PXh2=X6o9kmELcxu2dEGu441j|lMxlb7wTIGL%;cS^
zv~VeR`->HRg~4~??*bQ+q;w;A5T~bs1SI7j4)qP`gsKabLjxkf6g4V__v=AJXb|qZ
zYvQR`!c_EwfGV26N7$<E8J;M9mSl9K`yd^|I%BM_`JRn8genkNM3>Qtrk~JYn$$^e
z7eV{>CPR{{9&BW<)8YZW7w;(F<Sfhl+$s^O+*y0h$c?vAqIM+<<dH2mLgSN4T&>lO
z8<6t+=6oklqUQ*(O<64vJ2E+_g@^4t;+GpUkp)7N|H#iU^q(_7%D?hA{w=?=^Z(?>
z*ZEt1x!;)D5%kt@7YXjloE#KJjP!c4mz12JIWxCU`=#4-Zf-p<aRc>}iA3yunMjwp
z(B6HX2%QZyng{t_&oN4k3n;aYWJ|;(&^J(PXd06TZS1n$r>H=i7}Ht(?L>nj`h8PG
zD-~11CGxr~l_)dGb~>uNp$!RFSdr8LEP)dy%j6Bnjj^#5{Gv*v_M55!Hd{>cJdse*
zsW8`QMkgr5u8_V9vaU_$EB@vlIn*O$<1ZEiXj$WF;L8~sz0S?e^gh=)?~7~lP2Xki
zQF(Ib5I_!(icbqBCG$I1!i`e^#d})w$%Wb1jC_pu$Uk3jbD#0hA0rTHi(bICblnc%
zX)QF%it36Ib`iw9{K}K-q~jVUH^U+@_HeN;K@1CWm)uhiRqY74hE69J`Bh4<O)~Ah
zt$Sp|kQ9-WIbMo7U2)<{F4CDBeTDqzb%Jr93+|-gF6BZ*7LZ;vo)VH!pU`fF<}WOb
zm`!V;e^{Dyr*Ymkrc}^20f>Bo#P{nTmldj(FUJd+sM+q^gtM-9Bv)h9jDZM$St*u|
z5pAzmP14YF$dbeBD?U3l-sBiF!Xy|;I#?47|5k~9neP(*oQ~WIGmiF^4gT3e{_XKw
z$2Y>WW<y62#_8dj8t6yzbG93f;3IhH4Up*rkkcX^@flPMErr8RE<5|p+m9$s)F0-w
zuATyQ{i}8vb2j^C3#UbQ(7#&k7#U}*r!#`~{9VDFQF3#Qy^~Ha)~EROtV62}gi8%8
zg_nT~CTSNsFcb?)fo8UuSQb^9-Xi$Ts7o<oVZObjW2Ths-bd%FbqEp0{i7-%Bivu{
z^DuWTD`-$fNn-BAn*0_(S1p12u^T6W&}>if{JjjrodGIxob5?@oL9AKr8ZiN9?WvH
z0+2Vs$t4s{Z)$@bA6oO`!-XYLO=)Z|zxEh{vSK=2Ev8)Ua3!Tir?afT52kQguw&fC
z2#;V&fsw}pev0<|k|EzF1ZAq%Hc21}phr}-NFMW^0BwzaaUX2U-DD^}JQit(4^7oH
z(hw*)|7F8aTOrJ))JlZLcCEa0mTm`Y(Upr;y>*y)G6(gZrJ1Pv1mAv}nC+Dntag_0
z8{cT?tXG|=(qcR%Xt{HX4adG^5SJdoT2H-0N5*!u$+B&)J3&<y&*7{y({x#ZzI;n+
z<a<gyi}o9sNr2Pw;ZWCB|MZ4jhzq9Y&x+qxX8|hmTp)RZ>3RP80vXg#lGsWyYz1Si
z3g1ZMOu5jfprnEB_TrXK7*;SbdXv|48M|6YzYQ>H;dEEI`c|OewhtRnpg$W0svXGl
zip9z$YpIR5WHUTFv6GQC4?yI|63}c*ww65wE4665>jLggeg^5<YJ2hLH59y@?F{{9
zL~Ml7d*OY8(D}SjR8z*6q%-Ef0kNpb22ylp+qGJ}LqB-eu3H-enqDR{mS>OHgmvWP
ziMdF#bQ0<&{n%ZZn8jAt@$wZqZ*3F}NMELb$x?N0iM3Qnox>^V1`5MY(pEO=i(r)~
z(DcHt6%hm&au6k?cO5!)OB1M$Ml<NABKYmTQp#~e-Rc+FoADJ&C5}2iW8)pbF%Mzi
za1~QaSx<b3#6=hZ4w>5v{S^q-1p&5@>ZJDaj!SnyP}qv4p56v`i4gPAfDShxRI|Ss
z(`Tg~w^Wi!C{nsG?I3)BI_T<Y1Esq%cH#)*qsz#~@*6zOP(163T`_q&EG#SXB}qIv
zvqaG(?K&|d)EznUhJ|4~5T0a~z}{76$Mr>yom@N8DfgF!Q4B0aR40d?W%8Q(P?X<q
zV>u1lk-b1eu4{JP3HoZ?O1g+>1;mR<0d}=5tv71*u4_w{3cN};4LWQDR0Hl7<n#6b
zK7Dh&Vh%nwyWFNcW2DuJ)x>kGufAq7jzRmXw~r_j`kO2iz4MnK_T#?4xr2|5QS<+i
zfAPQNNBvj+hQH<a#QUH8PKkfZ4^60^YZN|tcgz<bmP3vb_)Qe;=QHk=GPy?vam=fV
zqO!?qDs>Or%Q=URoT!&NW~zJhETl@1l-R#Cn+)8TG%>5h9PwwU#_5)C;-@eJruK3L
z8O`<F8$?0zTU-oQ!>+!yz^56^!@mYtzaHK=8P0ojt7Gvwn=Koc7Em@YWR=22@ALC{
z>#7CwKI`R1{awA3PlPSSh=(SbiIkoDxn{HK^gtK6bz3K_EK&i!s5Ul70=pbkr(YDb
zg4mTP%q8;rn+xd(yTZ^~>s#OL2i)0unW8LpBsu|-7eGT^bnI`tg&3fy1akwgrLpv%
zqvG+JCRmc2{T%&v<BRiCTvS6SnMc22iVOe;V8S)N-}smjICL-te39dkirV<L#a!mA
z5SBQ2cZl``;<&D@NVxO+uY<OxgCVOKsvKF!@9}an%_cqSqRuQ<nl%XJYT`A-F$NK(
zd>myh*oKygn`8d3y}N#jdhh!<4pJhubl1|c(zy~6f|R6mNO$)xEgdf1Al+TU64FRW
zxHL$EfOJaUo-=b@Gv}VU&(HS{{tr8k`OJLZ`+9z7(knUgA#m*Cej%V@&y{*OeqfC0
z<#>XQm!{N+m2FzCns3k#JpuZT#*t_i$Rn!P?uQWOniz<wi)8WqrgF8u#2S`>sZMQd
zUSo0J!O5@saIv9LAy+>Ut~feQKV`AkLzZaw{?O;Qo`hxDR|HS=Nwr#JN&WomrNc8$
zmc+*#J~G@izxB~M78M*Muvy~H(}(S;dY6fcv~m_m44rD5ME6`uwb&_fjtu|c7dz~(
z6J<|W{UN|s81X)iAo@Y|y2VbDoG46mvg@E47H!rCLGj4W{6*PciH-fl&_<8?nOjtZ
zN(3k&n0g0pw#9bRZm(cviu!7VBcW$iQe*0Yvf^g>^E>$sR`3p>M(zp0{?qC@W9Y5!
zKFgDM#r-;20193ZaPHBa4VYw1-#T*v>MX`^m=}u#K+6rS;vyxmI*4xD>{8eo?iKai
zN=@QtK5+!vqq0XJIv>3g6kUx~->ouC1l!B{G;Ac?^IIi?47uhUuwsfYVC-Kw#k1w2
z*^x{%KdFchuX^4$eKF=jjrS1WPpA4}l{qw=V_cE%P?=R+{sdy-Q$}G_7R<lJ?+avk
z2ZDM_L6uEl{nwh9n=qt@=5Z)&Vd2}Q27xHz46B|?mnDS-i})D|$1cy1+AQ6V)4`YR
zd4d8a^%V2>!mrybwk^so<Lo32d5H?ORIxS&(-&oo5ahr*ryA4r*~?GOibw(RS!n|X
z4MT!0kD+hW1BDQR@LdY?Ef>Cp4K;K*jKdw{ugM?OYaI789jgtmc(O7DB9<NKkC@Mr
zH+T>=T($O>fFS?X#~cFDsq$($7w>$!4=6DP!j|^G&uBPgryUG=Nsew6YExug1X_*w
z?q~RE4p`&TtSxN!&I~>iLTXp%u^DcgO;Wt$8G|W7>tc9Aa;{s2Vjb4jiYz$}6+Yh&
z>38p^7d0|Fsl^QGrXD|*fXw7f%a4?io)r^hqN4;OKkS0!4uV{%9nrH25$>^gjBVVV
zHTi_cA%1BLc5m2NrHdygBgTmp=Tx^+Tk-wLh)9|AE-TrL)$C9W-d&UNZqX3awNK3N
z^G9`VTKJ!vTXM*(vHG(Y_;2bH>1m&7{HVI3UF(EqJe*B!S3`v>AiiHwi0Yd=0Q!S+
zoYF#=r)^XjJyLgZ)kQjYL8B&4U0Dy`oz!ZY>Ve*@MKnskZH*f(`VtN4W>7Y{@=W)`
z>5L%4B7#g8EZ-VZg;C4AI{Ure@ACWCLA)Rt7?ny9(W(*F2vIx)U92D*t)t5C+^`_*
z6;x}A(Wq-lo`&$(tPCi(@>V!a)Df6JZcn~wftm2)y=B%-EIkp>3b%-c;>h+$=(e%s
zQ1b5oaO!4)j}9Ot`CD{hsLtnKF&*P1-VdU)|GW@Yxdvi|($nYKEHhwvhE7ur=>SjU
zE18m>b8>gK#H5Tc2}^={Xntg_AWaAt=uzhnz%qge{*qs6;9uYTB!A0a|4;dY2L2=e
z;s5%=>vOQrpC^;JPK)xbE1GRD_SGpzdNQ2LtmN#)=j*uT#+7TUN&<WjXGWSyo!h`j
zS<uYXS{y#6a;A7dWe`^P<_TTwV~l{{nygI?#H3=!=?k$gZjbyf>4e=Ex8ZDr3R^s<
zXMpftxin#2Ti_WTfmE<QI!GlSDgp=vLm3F)jq1rV2hjVFkRQYj`b-M}>>!n8s@C5<
zWkx8k<yzc{c2|}+09S;2)+`ieIIrY1oP0OkUMJAJ+$Jvf6@CsFJ4>*5_)doXnLT!#
z;Rg%;O66C1P;ny79kLIcILu5*O20KjMyMcgDZQmYJP{asomx0=15S2(>^BQ0Jq#M7
z=4<r#u&Pj?mi0?5Y1EMn{e-K?-ky8*gkL8icPkA}456UcZxsTPqwjieO13$J90E{L
zsWqk!yS}oHtE0;qM=&5b<2X^TgiBAaAIeWBPY5(eUy(IAzMpP7^m=5|Rgmqgz(I4S
zXwv4zZ&+>CA-EeF9uUkc4=U@{!>+040$O%0w>N72Y6!v5*Rn#*XU$gkhTh2=7|z))
zNW_jMt463+MmqSSHfLW!r&4fyCzTu|HQ~LMZ(qACPHkl&#=+UNrB}7~ygc1^S;B;^
z6LJOujjtsNE*`$OMIR9F<T(D=puxK0+tvl17YG!=*9V*cev@z#w8hg$q%;24WiC6D
zLtAA;Blmi=^$F6+9u%2SLU-w=!?fXFKg^@^5^BkO%>?Al+e9;ybs-IxSbC4G-4dkF
z3XMKn^e;{zoyAuH>NNYA3_n;mfc$+Kg@$#~4|qht?FTP6#cf18I3hN)0-B{RKiD1b
z@Ms+7QT8G8zL*{MAzJgcJZIA#DUAk+{;>T96m3p|qqZ1<-MyVS%~pO^4*Bw|_fZIn
z-r`{Lv3{hWK-g7>G|=$gcPBo@*cg7<k^t=V(l${sP80?OsJ1M&dWQkFa;b)AB92OH
z&Vx>Akm((+(B{(US*R_>5fTOKV=h$K<4t8-XdzOXF}Bc|rGzrk^w-MiB(q9r9~r&I
z$U+g&6WF{gX!B#MM9!|dm*RjrAqtT{=?4i0GP?>TWZX#*Pn^N<$gS_qV<BaUsS(lu
z>@Kh2v(Vu5i!ZpOTGkNv349c{DOa5n4V!i0_n`N$l)|+PCvz^F!3p<ft0=SM>q4tR
z+kH0;nqzFr<;%ITCJ0o_h)VEsL())#Snizlumz{*-a2a3A|igw4o+G|WMPCU-d*ss
zO42C3!(C%yHcl_`Z8J@SLf0@oh=j2l%76D!gl83FN%2!x7}g%MzOB`#S&#kC1L$89
za9sJ7K%R!MLx##VSa{z0GyQcS)5oac?^AC0zn617NLO)kgq2rgluk~OyQ0UJvClp}
z;p0pyFXua!dl6VzC)4gOqw!5+47$XP5QrjGIdr}Mu<m$}S?=G#EzDMbIhm0%>ss*k
zt*j4&HmXzO;vOa2yCi_wjdYjE23*EyYTPW`cn<6Wm5mH!q9~wKIfcy+ESDY-TjRg|
zQh^mzHH~~Qc!sm9+|5{8={b9+_IvDt9#@Kitg6v93wRDgjz4nkwEY%X#yEhJY42=R
zpQQh5!(cE=FqAo$>0Gh2>Q}C6=vfE*Wn=y%Uem4m{z9dtgWSGaq>%H_H$Uz!E&tR?
zw4OR)GI7tes%2CE#-oQ(oAb*L8{fgoEc{=eOWL{|_YgFEdi<q<{x*Xse9n)rXjq9Y
zPE^AWYF$vTpN6wQNP4VtvEp-|EkAeePk~3VQNgtDHB-?fS%1GU=1CF|sl3AUZeHo_
z*_>gxhM5r8*Fds`el3xyg81w{_8Sbg%X~#^pp8MYUrGOgz8)X+b)IB`ViZEq^1ihp
zK&-L$L@BBwe_|%f*(wh=q0v#NxNYZwKygl`FvTp<=7QGt22HqaoN>2N>PYfbUgR(N
z)Bjz5(!b@e`=|Wjj{lLLrs1D&ek+4c)^zyx{D+mnfNxyT@r^PHh+DJ0TO??sE)oTX
zgKJfz`^)GVS0r~vQNI8?D2hH{(F(;5laNJQSM<|K5G4vn_1xERQ8N$cJ0vg``I5V)
z<qQ$@eM!6`O4$9X$%rGfC7MUeLjEWfE;h?8wNm!D^0g$Mv!lWdx3$1D^-4cUn$>s-
zDG}WBK}$E!&4n#EjJOtoFsW^vkm!Gl-j<n<VtZ>`=}+XR3cU^>Upth!!!J?oI(mAL
zZSup3&+e&UyD;X?{c?Li0x7sh+v`RSw*!?I7pi^yI-5Ag!gng}1vJld1=H!qd{S2!
zX@_BYG)Ro{!E3UMSM>#Z>;*-5-m5#EV6)Y>x@oR&i?J)fE~4g0TJnCm*{2#T?!evE
z;uF98OPrp#VC>O+Wa?UpwoGL-Cnp(xfbIO|tF80*dJ8B`T(5J}-jP{%c>wtodKjda
z&3KaMh{m}3-t=S)-y}+c-?ft>m3SPs*fMMohFVZ7s=u6L;&~lgqF_0KYwnfOi$7ny
z6g&-Vzn|Z~iCMKN#IDBBdc}cU;_)Ir0YYTiy;ScZ_`?+IjXz=@4=yrczNSDh6@eFO
zJdUkq#~=HoAgr={JnKU24e?y)rLbW_)R4OE*3!(2J2V0=hUP{%!m2PTHoH~_w%`Ni
zv_kVFJiksfGDuou7T1T<YaVD&g*I#Z5*`!GO`6MD!02#*vWGp+J=tyu)1$Ss_n{6m
zS%{x&;Q5o-i)W~k<ZD8=k|-T#_>28X;(212$b_?EPhFS&5<^+*hZ?-qWJ;4`pCG3M
z#nUUes&n5-k+S4G&gCsD=A@RAni2;dOxXzG^29C72;SD1mYQ7bMn4sfZc_M^7z9j4
zK}6-!unu6*O~dgM<E%cF#$%Ljr(S<<8oBz8tBHoLkzQU*XbTu4i&Ofxo;cjAETr_3
zdy0ff+KZuH<;;mZGlNb&^VrkRgkAjSBmM>Emau%2Ux%ohGE3Xg$Y75z4ju-?xi_ox
z%fO4Y&<X&@ytvMT$aTci_*OYLv_vv+WUQ?a^dTR~o4xRHJj-nB*TjVycwdOXdQU%V
z%)Qv7P_|p;jdYmH$a?>?&$W=+XL-qO))<<1T<@$_a1-GtKj-$aQ_{<JJBvIBV}21T
zMlnTVYM+Pb7c}CXAC)R=^Ive)d}7AdDFpY4M!px&)$39@{;*pu{OK(X0Ys<LFgnxA
z6zanSx(A64rpxAzq~<Jq4AqslDWci8FIVau5#tqILdG~xz|1nG$rwSLsABuOs^3Uf
zFremc!iZ3hCx`2`hNC|$pJR#lfg5e)==^u|#-_=`zENpKfjz?!Uu5P7N@s(fv3h79
z<m&}h%6?=D)%a$HFWzA>XKj75)>)G1v~zf{C@!~dmX2ak)WJF5h{4!SB+gX5WJq%G
zBkakH^js9uy!Et8&YdV{Hdj?EqjJ~aS@!Ir>q$tn<;G}EFpK#c90u&O^*cSMH*C&#
zRnbqLxzBnZSkJLX9|yT72Vx&-?|Ml{;6||5d<kfq&&4>rgx-u_0;#aYNW*0dtUq{;
z(?7JYA9`13dE^Q6Za%2F7i2e%s5nPtu(sSR8#5&^4##!ZPY4%P<CL9l2S<OwCkagh
z13rp06G(llf-;O4<AF|%L~<Hsn}%_ejX(O+KuVN}GR&|@-%J~>_bzkTxVuY{U)cCI
zkg=Z`R`n5VrOEJIax51g82*UY9^59v9DeaL8Ou!F-<bcKA`PDPybT}KZWYBiO!nrP
z=I46|j6O|#%<OF$ZM}~9kpO9^wD(av^lh<wrE@6cyZ*t?<brNBN$eR*3zW2PJIzpC
z%+U*UPOdbdq2DoQ)KxN@(Sx+=q3O6hriuqFCgvR@Rh)U7oZfSnU*a>V6YYo3v$Wqm
z?MB7iLhc4BNjJTd^=>Qf{!4!9!GC@8ll?7!?LXy@CHas1nyvqozh2n$+xpaKc!RZy
zxtg=-vPKK33g7#LJWQtoxuN2uzsEm1Q}Vu(HQM+G?4g{^>C=vkYTcDC)^)cPmui;3
zNSrPsxo6d`HvCFk-rde?_3SOL+EWz80jsszc*fqVDSuPB?h4VLQq~NpBL$fX%NTqw
zs<=IWHvqS=CaOK7kqPrukZ$`{O7=Arf65;}#w(gTwL+e(9Om*o8SG1WQhKAa9De2b
zf{@)e7Dq59%Y>MZpex9>)}E#cj{{3k3*F0~LW|)%<Vf&ikgrBa-)qo&(fR;&V^!8l
z*>iKv@sC`^Hm^KRFsbg6>Spb=iQ$_F11ps`Ne+~jZCTjxAa>LqXV@>KzWaQ9>O9)d
zg?V(FtN6qX$CiUBKi_G$a8AF;-P1LpQAs{k-#YfEtHI189T*wjC#};o3bl^Y@XrRi
z3HD1SalSOU0?C}L@})VT3qH_)8SCZlJ$j6x$2v#DvV17Ak_s?8JTYuHu?8Ufo}!oh
zzMS7uBAIuP{oYW7f^?sjt>~}Js{+SeDfuvW9}^RpYpl2i8E9WfF3))e(Scn}xUzT^
zS;WmGigqI%;@KUzLwv3U)eo<QKPt)Hyim9+Q{%RJqv)GKCo}NLH;o{P7VwI6iXfZB
zA)mYNM^6xrfIp7$>VE&~8GwF3+kd|>o_(eSL2Ez+sjVFzo8hu_m7(Wi3ZBm#FDq)E
z(GoK!gXcrjQD&MXaT=sZmKbu@0fI&VY5aiH&jDhx$GtZDze1Z;&^YNNk>3b5wQVZL
zNzLx6Zw9EqWw`Ggh<#wrz80*+8C3;l8;7`@66|Ud6Znr%RO;W?HLEyvS<YD+pam<6
zMvjQL%nW<t>ejq8b8@d<N_BV3+7A54n6F|u;fiS#^q1+7dM;94zD`03=qzwWwm8il
z5lkhP)TRjgNF|`n`RIaJ;$;3g-)qjAJ+|c;5}Y%&pPs&0%?-qioLF1i#0f<j9Dl}F
zS&f-GZPP+4G5sqLCR`A}@A$@DoS8sNmB!2DIkudqr($ogzfjC*%UW~a$2qLo;PxZp
zd99M?S3obysyg0g8&LCe0_ZtQKkJo7*f?DaN*CZ-pGvhbFX(k~t4i%cNt%<pH{py6
z3#WmuLBuJM#d1n&q?LjN@5?GpPhylvXR0gOTXGDWH)B~fP3NTsIf;*S;3dr3XM)$}
zPAt|t5C9eghrvJ#R(mBH{+Z+Z@4rC7FG`783Wc{piX}@*o~%1|9rYsR%Hz#z>ke;X
z@JwQue>Jw%MiK{LkOdlDYhCED%bJ(^V3N!z5;qUCegBk_fJJ1!X2`I{Bta&BZ@V5G
zCQtL_QHTo<{XlobS-`x)YyRTBdkrgMJi+1?jCr@-J~|Ihm)<g3J{6sz*Xxr0`s$J`
zLxixePYxoh<&e=$+qBN62At=YEl5;Ga_#GBqyj89y}UAX%VEB|5)nBG8-w+WEz0^B
zO<KF6w_n+s=`g>S5v&Af&UAK}rg@&~zN+ONo_P^g0(pM!`H8=Sh0#E%0u1L)=_aXK
z;l#@qvvJR~>NSC={?vL7=3nIIl`wOSYB@7ou*RMT$3b+5OBT|ET*+N<HTTUuOSXHS
z&FSu!w&~(k<#3f_OSeDWVIHiyGt1`ZMixnSoOgBvVN5FO#<}8GDuK%ujJmE(l&_4v
z=o}nX7Xg8}A9^ymR2G@##pc}mH554Yn9eyb@EM9vWXu-kQulZ6inlM!5&aZPW(sQ&
zRwKz40a3pfh+%xV&?sB0YMt+1V!JCg7cHKI39azn&EkZRIFBMCuW}JPl425AN=^5#
zty(AdPET}I(F%0(f`MF~iKIYVesE?^-^{@EaDzDs$2-*{Pw@Vx;|#)bdltP0C@6oU
z!%YX$1!~BcoXX*_3{6q>_-~geg3!P<7Ng?s3^iVP5`W46{@>*%|6Bf=f6AZG`5*Z)
zto|v#$S?cGG};G>F@Dm>d0h|2JDvzxJt}K9tM67vFc%g<)|qeIbdN_wk8sJw0xBLB
z6PC#sh;AEGZwC^d-cz;$anrBdKGxCCS2r<{)EaDKfZPRAAIWn3%_A(wl^VeK3i6Hs
zkS!H29pbIJY+_w1zcLSGT^Z+$6gglC`&*t;t03pgX>o%hdExi=iRb{9&yxPwZt6C1
zsjUt{j1k*da)3ZxW2V;yai}dZ`sj&oe*%^0d7U)Srs?)QHPUsSFGVvMBa%uiXUW8H
z3kRi#nAJt;8012p-!n?~7p-2+kxp}S_B!fc;5cMlK3BDo$SY?_i`OUKSCVM^qEAQ%
z@ej=p)a}du5}Dv0%g=8(#~-CExD_bvn9D|+=f*q=#%_%HJu$^?+gG0V=qykD^67*0
zBFCG)z5d&Q=GLjR9Cea0630`&+a!B^a;Ay(lkv%Rf*RLFzDzsz1{JK*B?*k?R%F5S
zXE+MQD4qguz7rHEjt~~R1=v)I@b9f?VR^uKNJQ16bEsuEZ$vda>mD|EB5qO#Qw56f
zI3DTrfKpWU9%vm3GY^rK6S40UqnAa)52p0pwn$?GRCDS8mXa>QioOY2m~Nbl%HbMk
z9Ap_Ez^%3!dmURo3kfgbnp>nmYdc^&0eastE|^FD@}7sBf7(SkH8NJ)LpCL&CZjH+
z3lU+vz2Y0IH~1sJfAdnAvI;W(`Ir~rRMyVb?=nUC%6i`FUCJ)ZfqEp=t=P#tq|pw}
zkbgNf<#CZ%<!zI_%_E2^x8gh8+6O2F1TOPy3L1#?kT8<Ra;A!yZL6#cl!MGGGthw>
zv4ajf0#R*BLBWNNH$O2MzM#DqT<TczDA+&)DB^%IE*gEUEaMd@qnh4r5N&ybbDtxP
z6gV}Ac@0NzZl#6~eWhD6fCs=2oM`CMzSWpFVpMEqy{7;^nv!ygPB`V9uADP|dQ^R!
z!^x&BRt7X!q%>-k^}s_^cElph>F!~9QP)!+E|S)8OfVFBAA;1G0eV`FhdW<7F>LHK
zOi*dUxFNZ%-F-6`hdKk0Eke5=Faf%89hiQTm=k-05knIt-{j=hlIi=`dl+7T9z(9c
z(0e}jTWaah=~e=Ps1F0GsYazwlq5E@MZJxi88p^mRY;P<I~`xllg`2lWjAtPF0ha$
zp&Ply%Y+AO+Ps)_hug7x8&uf2!?N?-L(XYz_9PADE$z>y7a+G}?M@D{BRV=I!2B{=
z2ebSByyBP^!lMC#o~55A5gz0+DKF+8qiB8b73=6w=yk_TTsVdr-mO=a!I{0WWj6(A
zP2~2ztBQ4)hke|kT-`qqb1r?rnW5{OI(VHw=QE?Un5Dnh50Z=cKu21n#?(3(kS9d5
zSD0um^DDTfa?W7;V%DyJN;<_$$tbg58V;8fqlwYj84|#@t#W|krM81&Mtaq+#3*_X
zQc_u^t-C9~er}hR!7`V|#sxp#PiIpyYugGoP%P~6SQuP{J>)Vpj994@9b_o|QWRB*
zMD-ZHtXu>y6rbS}>~VdjQ2}5@^3+{gZo^n8U$r-jr#~yx6LGP|AhBDwIfmpxgY9o4
zT$Dmyg+&E&z9P`BNr$UCC!{?=uv^kJF62=KQ1H&J8ml8M_&mNQImfOdUU$Qv{R$$-
zc%|)ReTTJZpweQOeWIe^GeHgrCMmu`KgB`wJ2c+j_e~skf0{2?p%ZudFwXSk(6wu$
z*Kbm$`K0-(ghbZrd5;sHCYGOe2Mt>vMT^gK#-QBY_5*ri1+AYWnb^bhJAsbl&ZstO
z*%Ey;yG50KUdO0m$$J*GpYC(L#tXM6<ZXjqBC1(RxD$z`J7mO<Et1{sH`Q{|vU;<|
z%U!w9lVwH+@H`Ygn}#6U<a9ds^?r!1Q$-VAW_FP(_so^n43U9oy$#nzcChmfVTt=K
ze<BR|-)g=Tf6HI}Px=3@`Tl*+FaQ3(@<adH=l@gl{ZsS(Q}g{(^Zirv{r_F_{Y(DT
oVT^y1pYm_{tNu^<Y5pt!`XBlKblm@R-2Zgk|8(5{|99N~2W?-o%>V!Z

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed-success.pcap b/testing/btest/Traces/tls/heartbleed-success.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..47a2bac1a3e69860dcff61ba86d805f26e5e9562
GIT binary patch
literal 39524
zcmeI52~-nF8po@1K?30xK@fwWC@6F^C<p>_D5$6df`}*+AV>rfOoGTbDj>+Aj<++8
z7hWK)3f``cPP`bol*J<;UWkZ-ir0v!16$n~hJZ3}-<y5w>=f_S!)~hoUG=N#@B6B%
zyS#S(&~^%-0p(9y8vqzQ2(k9`Z@9q(<Ke%FM8gcIuQ2DV0=D?MI`9I(x%HeIa9})k
z-Cr`fGJ5Ze=<TntQ*7yjQkWTJQw+=BI{-kT(T~t5>MWZveYA-47?r9<D6<v6D+4eK
zV1jo2c4YwEfE(i;g-|8bu~XY$DfCXwf$C-1dJe0CAN{V}n>trQs6%CSLb+`Z3%J8O
z5vg05d9CNkGLP+2<}#=roumV72W)|5#K`g*5XyvNcpeM*LL@}$s))I^ULX`7jrydb
z5wIP)LRHa_O2rr$z$jFzzo&Hw0p;^QNw8t)fCbn<2j~MsU<Yu(1;fB_U=K!sk-z~s
z0%tH9xByp(Yz**(4HF4wgD4;bb3imm1?eCIYyg|V7O)j;18s7OoGPcu>2fu>x|}Iz
z$u;F{xt3g8t}EA*>&p$~7II6umE1-?L~bYN%7?)!PX`)+0)Mjr58hb|mc<yJ(F8_-
z3C|gV-as8NfEq9Wy~xt)!IENt0;oV6mRc9)*8@5<jE+$-8kJ6EP$^Uj1^x}g2)J`0
zTxD~0>j=DJ1EM4JdefyNM6;!Jm9V)+2j6Rl3!7>&>;wjcqUB*0Sfc^R)KyU<wYV3d
z$lCom#YntEF^N!w%>`yr00?exu0cj20hi0|cOLPsJ**Yde_mmY-vO8GsBNADF?G%}
zi^!-`2`6m)3fv8ZajA*(SWcTS1uH5wrb`#vjMsFP+X0~02HPG$fHW%X10)7`3(ZtW
zGzn-f1PoU^h2ey!&@Hm56pTWlYDzP3HiK!s)O%?&8^bi{08d`d)xenyY5<L)Pw|<^
zHN*{w1C~D9U&fcnJjAh_iLwY=t_?nzIIp4K-(L_OFA;D&g|me+ehkM$Adv|ph2eae
zfa5QmEfR`ma~<#zL}seKU5AKA3|}hca5+;X!dSi}k>ewh2_&(C2qAf$Kr&At;dqR}
z&3d!B!?`%u9(S-G$#V>bhdknN*f6dmcSJBgsZ(hK{JBQBVf&4=6A}_^V}vpM1VN0<
zHbTH1fLnA_l!+M{#)+k}SiThA)U8uCJO%6DnFvM))D%n`!1F9h3WkB>o{{JG`kW5<
zdT&`t-H$A$W=f?HzkT}0XH`kJydAAa#ojk<`}zIUOdGdpO;&3|E^H{=TXaHCXIHPZ
zYmXPD<;`BP_d(iF;n$6eoEjb8`K8_gijxkj)0S_l8EU_7s^P=~C0vPv(V2njo9F*x
z6IAj<e`ozAeeQ1;J}e#g%PWrVz&lgI4~~8xyf`h<<S6G-f@#?FdCyI3I4?(>+^ODh
zb4YPm^p)J9-z{P0VZSYyT=uXf{`;HLv+Vt@?TxPsb!S*T=<Bg7<ANY&p^5rwL1X{6
z!-W&4JW}8*22UuPHi7!{(17ZV3u+9Cj-R+zb?N=gt(jK#vXci*Y~P&n*WbN4aa6&B
z1PT>)v7ITD8a#z^o9rij^=T9w;2My7Uu_x<K7o61ed1sMO%rD^)NL3Tovud3@V>-J
zEt(<CAU{nQ#AKS^y-jZ|zIZ9Z>xZ246?i}5&lWV;f=LFA?!59J3jVR}wMn#kb7_Qa
zlhzO~+=|GcOXJ{XDP3DPMMJd>1Bt90S_<Y18_ow;XE0_bYeE|VkDM49utYR0`RGV!
zCgBNd+*Vmg3TD_pN+ydNWoJipA1Tq{rP3JNaB-|%oH#}po@g5v5s4=^cU(ZhlN)d=
zL(cErx}*0C#Ujp_cv+NKB9tZK@Oi`fB%hfYC6sc)JMsuP34AF>D3!(wA~^i;aIqu;
zJ}w-Ym?Mi4aFmZoAU{SJ!Iu$&62aVfp+pcX5Xqz*aU_}T_j`}ww3l)S%oii%i^2sQ
zu_z{y6DgLEIfd{U6GgyV#l=ft{}*tCA`YxuoHB2_9=tY@C`BBseIiF379*TZ-dt*n
z+Y?;-(QNS{xOMiR?14)yKjI3P#Hiv5m&mw7iL)@_$=@k~VHhnr8DES$Do^0p(xD$U
z#NpC7RS{`?m|ZwwC%AS}(jwS}^Kti%ODRi7e7uw|<f~puAeP#}>uuYww{5@PHk=O&
zB!i{^)<chGiuYM+^tlG_YzClVgk}H(2BVzBcFXS+_uV!xEW9Lh%C-en6*;v59J94y
z(=E?2wcK02_sea1E!uZyVFu%k^JdYN+)Fe4O!A{CH7wDhYhRi9Nk`s(>ly87H+cKb
z;=A+nWsjN%-g@Dms3)V!sy7(Bi8Sk~y|z8yx2|fSQ)pIN>V?W30il9Hno}6`vk7CT
z)*cvqQ@h1uepW&Hh}58@)AtYAkC#j=Y8aB`Dd&jRrQX|`apT$m>c)UxM@H50-23|X
z-8uU7xNmaIPkOF5<9W1ftB;M=30u}{`LDC?3!1L6q5@a`Y*QL*#`?Zdad7dLtjebi
zH4p!JS306kzIWf)XC^xGJcCp2tKXgsztd}UOe_~L9H0l`;VCrJb`OFXb;d-8{$pV$
zgZyW?kHO@#58cNfKWETi;3K*CFy1iSp2r<Y_>0bmUz&USBX@Hwvv6M%({H}ozBS?H
zuRV>7Qj-Gvtv*nb{%+WmBUi^Uo<CFzjnmR;?km5nGlG{Eti5L6lEQsKey%4S9(}0K
zwY=|^qdrf*MzqyB*4I_U=dh}$->Fy_e%NJf>pSzWj1*;f&Qmp!Q(XFymUoTMQk?1H
zHO;$jv2e4s(pI%%MQGBN{y}~R7&n)tTL=ptSXVYIsW|;=ZgpJnAnp8Mhd3`iSKPPE
zDZh7}c1d>LOz*u1`BO@GWzHezH6H26mv4GbrG~X0igA%>Ju~&NF7noz=6Hc?eo5!-
zko4B6>;3xqIdk<kEv}bm@1B1B{z{kU*Z0&Y;<$Mi4qwTS^|xcZ&i&|au>H_b=i%DK
zW2=v0Z8SPgg}-nu;)FJF0{R_{(aFVp(t~t%F_Sc!`s{L>vAef09WUlZd6bVi@Dh(y
z+7@W1g7F~O?LN9MXr@d)Yo?%48rqSOvef)@7DXB<{b+w?wA<0CxF2qnJs{iSkFSa8
zlChh?Rf<Dvn?$H{Xo+|N9^cv9VR+<!?CW^Sib3Bv=yMe#{E9MmBRyoNm=f9qY6=YT
z&6z$fyE8=hG?sba<od2`4xF~5=4#lq$43KSrFq3W)lKO~TlO$J*rgsENGpHe#-T=(
z?5ETeu9m#r>3ieOqf*!HSvzXK9hqA=d8Pf0*Ed9r1-H$st^~G~;Qf7CGik5V>h``M
zBJ?;Ip*vCmnYu>kRGZ@7M1-#QK{Y}zghNXh^BaNDGZm^4dVRk~@vD4qw~TFe=QVo;
zY3j053kq+}bZNo1*4Nw&Sbs)ly5NJa!Q_350>&*|@On4f$87zhX1%keZS!&lj4OW?
zZ-3_d<3Wavdqd`npZMeX4K&}<JWB2JV>G=t_(9##t0o0TC~i4>gi0NoCgi6#zG;oh
z@RT%Es1*te&Te1U)Z0hFKj`Hh>claBJmXO5YsF*kuNuAhPT#DnZLIof@wx+ZYQw@d
z?1}jHMEa|Z!xpXC;dkcLTfvp0m-vTeXV2wqP=sdIgz%DnT{%w8?#Sw&5AIkLIw81x
z#x~2P^sj=2RDp-j+>7_b>v+*`Oe*sVCNA=CT<Lwcc=%E8cO%C4@y{8qS)N(u)2l3#
z>%2-XQ3xjZ*=LQ__5A1P?*<8SToSj2sCy3HUtq6mYd+~jMZJ#8%+w`^&!2lxQTQ8k
zf{c0l#o?>QE=lYi8ph8Z>Mx$lzi&~^zrQ6!#L4urwU~1#?5x+3ZTZV`U-Wl+yYT+1
z@^6gakDpjuu`qP}66#Z{8x~umR~(tXqpB$;W$^8IV`tZiIxCt^#amSzSdzQv@{C+!
zu<NS{Fdr)DJ%;A_I4mVoQ?v9$1ykXC^{44Cmwo%{=`%ZvdLv`)CXaZWZB?GU)A<T7
zw$SNcmi>cTHZ{=ujH<4a;F*hNn1HDpXwbbc-e~3pKBQus*wtCn-g7Q{NCH!<OC8hZ
zF&AB3k=GCxBf0VL&0L}T-TVc0@xg=dQtquiU8#AL?Z0Sv!>u2t`o^6Yt9zmM46$2n
z1iLEKe{@k>#4m0x*Q>T%{!wgNYQk|@9sHAIsOVVvtc1`LXYQ@MJeBVqy8eozdb0aH
zz2mpG82+}}EMq|J1*Xl6jODq@?$AnCI#zwPX^`hFs!xt$kNTmAb1N(l29-tKc|By;
z-X{+awp8e{etT?u*<_f}+xHa#D}PF-=pM4!{iJ+xZl9xb|1n%#mD?Ps?`bhNCVTRu
zP5p0L<hGf58V2<7O2?ZicC+)q#`oO7dA~LXwM3^gAKWL#qcmbFg?NxIrfGBxp1aOW
z0AA}wa<0Qub!MWjQlWQN9}b?q%;X(26UJ}=okS?s^sHD&DtdHREIb7jXBfkQ^2gbe
z4#m2j6@MWW-McFm9fFFIUaz|=W@TuA209>9*ILtWwO%3=Yd3yQar9bMMI$QJ^*QGH
zbPW1I1P}p401@~i2@u|CGqn7pbOD*VT7KOjtwn_8uk=>6{EbNpy>?#`U8!pMzsPE$
zLLmZ(03v`0AOeU0B7g`W0*C-2fCwN0hyWt+ClDZJQgY!;N)NBy8IiBuy;NO-D>}rM
zewYtu<>z#I?QR8pNzRy1d=sqM)2w_cIV-<jb#CUveC6CstY*jDOh335vEomtCXzq|
z5CKF05%@0>AS{3H8JZn0Tz8$7*GO$GBP{>zCn}a-M&T$ezw(7^=tq#{|1Y)_l12m&
z0Ym^1Km-s0L;w-^dk`QZbaNP?_b}UIOwRVa=r-FUW5>bSp5>ipdo~eKI-$sgiaor8
zd4-(qS)&^Bv*VO8e~1B^?fHB3K2%FY01^0qAwXDu5YnUNFDEVkYE{dxZ$w&tBOnQk
zK$idir8l5@AOeWM--7^Q`I*r2_b`g+LyjVzcOOL<$>AvChfj?niiWa#8b$nz^d+lQ
zeTk7=If|Hau)~*F!ZqVfe~*?xwL}CE0Yu=hOMvht_o3y_RRd(|x@N4lv9*G*{52J-
zmftK&If@8_+s}Rc&KOz#zivlBB}W7h0Ym^1_!0@YcljaQ_Iz7*PeVWxatPSeeF!+9
z3=RQzb{YcifeT5NgklL)%rXUJ>be(@>9@tEgknpV-8$im$g+0DghB0r03802if}Uz
zH$Xv~d3=fe36%*EKm-s0L;w*$1P}p401-e05CKF05kLeG0Ym^1Km-s0L;w*$1P}p4
z01^0K5g=A3U-Y~(X-=+8W~;7s*1aQFCXK+(t}B!OtD2zuA_9m2B7g`W0*C-2fCwN0
zhyWsh2p|H803v`0AOeU0B7g`W0*C-2fCwN0h`^UifLNI<!n8WR!tA<v0{m~^uMwLk
zJhoTeJYhhYLhm{SeucTM*t=u%1Z(2ENkXx{XT|HJBCosRJwK>edZwhi;!CKg+#s~;
zcb)WG#RG}eQypiO)l+?nyYjovuQNKn>pTX(6t(_x+XIyh5kLeG0YrcxK==}jq6M@m
zfJ|L2KLsncA}qgwp{nIqYf!#76S5y!{=aNr>at^myO&)x*YH3?nBU8`rNy%xHxk{0
z1-plG7r{>iFE_|gV|e#aqj3ieHQpWe?H+23>RC}iDh}(e_~vDj4rY~G-d)kNXT?fV
zk=soX1~5=@>Sq7$iW9DBfk^<6savhxTB}G!%TFm5K*bzUhoT)3vSApVrO;PvQ0Oy{
u6HFtadJjx*lInKd)tSd(d85}IQBgleC=R~Sqhd9wX!}V;1E^S_s`zhG8eDMz

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed.pcap b/testing/btest/Traces/tls/heartbleed.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..46e7935d18109d31e681d0037c8b0cb1a93fb57b
GIT binary patch
literal 22223
zcmeI42~ZQs8pnGwNw{z15Rm{PiWnvk5CsVc2&kwK7dccmgaFYH*d&0s>vE_d-nuBe
zo*aszoPvs?Y}6-j6%W7z1yNB~JXXOKLGj@A1VN6KtylHx)s{7>nu2M%|MT^)d%myx
zn<3ZE9?l{GGU)wucLRXHlR_gmwsN#0m;rys4=~p+P3Q(j=-Q?6<$*f@j<rl@z@*lN
z6jaZ-ncYarJqnNt)7h*dymBT<rzT(-03<S{j7*YOoZ$Fk2VRb#s2r|5zP~b91dya2
z{T^iioPjenBLi2()sc#$K=k&=L8xAwscF9{hy7WZ{OFP;t`3z^TzPY`BA5oRgdam}
zX4cxuY~~NLxfrS+N>m5*y`!Oxh|JzyxH7JI8Y+52B=|8{5n<KZ;fl2j|58y8&;#@b
zD(avpLPY>VLQ%Gxkqj1Y>0f^m;lNOUB2WS9Knv&qD}Vt8um(237TAGFz#dEnj$kTq
z0xXEk1-QY12?OCE0`S3Numr3GsbDqO26lp7U^mzUx}_v3DkV!PQaP!-R6(jJRhFtq
zRi$cD4XLJ7OR6n3m5z~`OD9MzrB+gg)Eag<04M<x{HX|-@XD&t7JXQv4D^5kEYktH
zKps$m9MA?MWY%gzOA$Z<C{Tk|Yry)NK%I<G5E4R0DJT^sp(GOg8-n0)Yx)n@;EBLo
zx&xmGM&v;g;gIQU=ZZvixu0`p_P~Whg~3U%3s)RfsR*_x0oeftDJrd8x)WE_D*cjT
zA)Kc81b~VRToDczSVRIKP&QnJA#)t(xggKY3k3PMId<#DYFZZYO*g#WRL~H(n8pY=
zuF5VQpE0KT-#L>e>TT9o82-!6mOl=sI*uK?xc2fHsTBa4-Eiyy1V~2V9FSpvmrzcD
zM3aGX0-(BJ$<(P>GQ}(tB_Sjdsuo|3sZbRxQan>SRS-mp0<ffY3?)o~ihe_;YLUEV
zF?29({6tYpg)QNTB(71Bv{{l+I%5Jh9xqqYGGX($F(Mw#jUUdJa0E10o=CzE<8wI@
z9*xZp7xIPS413HDuZ(J0^@+F&IASr4L7OY$M{-2*G%ulqCyL~S@@4IKqFA1Y=IVlt
z)>UCJF&i5Un`}LqVH*ffZQ&^co5ZlSwGPB)_p|mJHbWoN?YWS8TwEMoz!z}hcmfGs
z$dfR}U?zP%RX}t`gz|*Y$k5104qxER5pknL^iUp_jF|K%f=~dOjHm%vu1HEo5KuVH
zKI4yb=(gtY+cxuzFJ$aDA9XHU;XrE|Tbn&&N_^WRg|hX#5lvRGO;qaR!ZCFb(>3m%
zF4G9VeWY?4^WTf+#F}*8IBbD9?R;3<G3x&Oov$xX`ekQK)~+tr>aH9t!E3Ak)uyNK
z&F&fa{G@XuX_@zW;rg}dP7(WrX>mT*^G!~MjkecDO>|GKJ8#!Du0hw^VZT*mgO*lk
ztK<BoS=jXiWwXj}FOO_IyN0dj&00e3U|KBNvtZ@*EqgA0@OZk$e^J>&vMD?L2<7=v
zPUX7P3vn-k8xJ`zd6v^*y7$@-H$>@e{&(K9Hee;53z8Bun|5-wj@7mXyLCj=i`2{Y
zQ%dfVP&mbMl1UG+WYS&PJTcTFlQ4iOLGFfXWHP)14`5pOi5XcLQ>4mIpdu8C9ExCu
zc%dp;hphc)bL_H$yo3--r~4kw8c4FvB9R|vg#X!;tcU3&YCoICtogb4(4KaKCGwpY
zL+P!mmhQ6oW~f0n!Dz`tMmJfx|5(G(^260=<YdGfo_JyMRBCvVGV~Jg%z>%|Z6YH{
zM<zi>2@5PRdas!zM8_mTB8i@2Wra^5F+SzRVga2S6=@Y6CE#=8>CvHKSW;(S0}__>
z6f@VMeV*8T^Pe9jq`AaMBBDfmNjwJcIAml}<-7>Kn8xj^!=uG<#5BHG9K#Exaky|6
zhQb?$CW)d+B6zgko5YVJ;D>S~xS)vlT?}8ui{uF<Vp>#~tlH;myU=>9w1o8pe2$RI
zqeTe?@wBigk*p>k-etm2c&X?ZQFN4;N8<}=uy4`5b$j$++j!iHXxRIBT2zRDA1=GN
zn2y=vT#d+d%o4N69G5vZWy~jBT#;ZPF0M$zn249c154V_3k*TXNl91&Ho3O|LsBMw
z(um@UqX&wJV?wOBxTj!PiDf>)ip#;K^))4>*nMis;d2JI#1V_FV0(H`dwNfMI+p_t
zl3=EIKQzgsu#qWxUmEcKjsUtw=m-!H6yB))^Sqp`>=X1bgFK^d?!i3n6m|K)5Pd<=
zQaY<)mEZ`LXXai2Zu)1riuRg%zbp^D7|<A;n;PqFB3eJ9c!gzVu*2o*tCc2sdMWy~
zj|6Yi^xvFPHe2A&S|^w8(6~J||FYlxM-7P{h9;#OjSKv|*Im^-nH{U>$=17*H)nGe
zWzG9?=M8Ri8tzS{oGmzZ>Vw&dgl&h)s_G19-hKF@VylZ@y5ANR_tg`<W_0eurXRPN
zh}xgu&dpbDn#7q9bmsi8ZH*>7&UAT_w#yw`Lb6RKj~+j-1?=+u;W>|$%nH9{%kX|+
z|0H6Oa$C^2Ca<(g1NmIR_lqO+9_ktfz1{?<_ArJpv1Ib7o*07Y^~Xek5oCEkm;Ap9
zAmcG}IAAb<{QZ3fBL)l(m^ITHvt=?S;Sr<%=|3&N{awI0npTzHs^Gg+E`JNRrrk|X
zZ)KvN(dNSD)Gq6}Wmi3@ZI9%FqgB;A4W*aW?U<_q)wblXsLJ>EWu35p{Jv%XnETGT
z^0Cq_!rc~;-Yg-9rq~#8r*1j7)M@(1E@L0P`b${ub2*_ybZXh#u4gZj9Vt;;I``gI
z#76%l{wQ~$J~(lgiN9|lwP9_lDZluk#m%QH>Q24-t}!}roLW(!eYCqK3-i9@P^A02
zT6JdLLeGOGoVnG^OO6Z9Dm_-0uG`Uuq9Gp-3!Fr%FGjgqocC0nKlxt_<KNUzTc&=T
zx7F9k*O8&QBcVl_xi8@Q{f$m-*AFz;M>F#NReGf;l5It8-~TD#AO+A-=V5C2ZL5VK
z-DC=e!XKC_UZ92-z{rD8`vsZ5j3NDl%xtCBk$atk_UZCdu?x%y*BY0?Ke4c0-va$q
zAm$IJ-KPKs-IT!>-4t|66Z<NXQjEXkQN&^5PyQzex7&z35A(&$GtDwh|Gtf2P{kn*
zw^tl`+eBQQMvlkgu$cbQ4#C3y>sZI^?HG)W<G$1}Jg)Sv-eeK7->MS&1T+~g@{JX|
zoc662-cwrZ*}(AL*y%SvyZLI!{3l2JUafMEark|%5qa&S%s{6WP`Ik*T{jI4tu7!n
zS8W!($??8%=kY~W)|%`GKTO(RHD{ykjrJQt>i12?x32hgS7Rn#AJfRMR{f5z(5J!`
zx&sPi$KVw@I&tZ4e1$$re&7mS`cAgy*OU7>*KObm{ou<MqsK9uyqn%m@0`Z$boW=*
zP+3`A)v(a%Ewa0%x#63wm6B24zxURjlmFv49?QRP->2d=dh6p(&C?gVV{^?sYF@?I
zR%RUY*Liku!P2Nd*jUk1viHS2(u206WX%q&L}Tiv*?yt*w;f%B#gkiS7NtJx_!zO;
zP4u)*u8LoLI%{pKu2(&$#N9L4foA+9=<vn%`X`LnN+UQ9%hDe_yLB=ly>Rh^kdSQ$
zLVqYvef5j=k6W^RD=XgcuAKi9d%yPdncQvl!D-D4n2E19ddOLoZT__+`^Vs!fi*#U
z#-vbu0{JM<)$6-+_oC97OF9g0<`vKSk^O9==iLi7M?AaiW{hO#+9=ngUGf@nDUIQ{
zNh+%6&GfZhGhM^&_|y&Kc)3pTyBEm2jV~y+)u0>CF0X4*cUrh|Md{fy59_KvD9n^7
zG`%dns_&GjlC7lQX5Vt|OwoPQM$Y|R3xu>ZFS_aC!y%{L%k~tl-T%_W;mz{<n`)Nn
zznd}ZLEZA;87t7|<~K}tFIis}kbSFFkUYLAM&FS&OMQK7MT~h};fnnSE(h($x4YiT
z0P#YBt_wMRz5QLU57+Y_#9axoq~AVbV_Vqllb><-r_89|=6=vO4bPsDb|)c(xjIAB
z=r%7vFupxSG4@+jzhonAtHZd8bTSO@J33-Z(73a_TYA@<Ty?{r*I#|I`s8-~nVUtg
z9BhBdS^lfyDvv@#Qq{EE`HDNQCGH;aYCQE!<QTf8<Dpu5fDvO)@S*C?R+h$wWA70w
z>$_^S(g{uc-12yP?0&+NsWDeCkHl_WX-g@u;2seunU6UeY@D%sD>tiSLb7@2dt~Lh
z>7C;3E8d98=^5nXT1YICRH`|_(4fu2fJwP`({10$-!5Ej-~Q)g6SIzMatoA4&0c&k
z^i5T|wZ#ecwvy`dmnUrBDxQ+lZ7Z79(lz#CXQxlcx#x=v)F>W7tZ!QdD>m=7Kb~OF
zb<g|5BBQS2&C$+lUfBp2mpx>qt~ytICq=UIGQJ}vtHOK%ek&Pu51Z|nB+GV$56n$C
zSBTzLuwk~teV2F7tpqo^d+-e}u4q5JqP<KpY^b929aId;*f><tad^eaGDY4{#k1{D
zQIwuARB=9{1g2;J*)cdHqhVP)1y?*R_>y9o>p(?46lJv`tmiJohaf-@AP5iy2m%BF
zf&f8)AV3fx2oMAa0t5kqz*j~9&-QR(CZ+FfnL#g00Ory?vez%bz*OwncGKBDrHSfF
zH~PJPVTb3Ca79g$5_n1hvSV;=hH|@hDxRCUczj@P#-~*DwkO;3(sy8P<|{)^bcY~7
z5FiMAbp&wFKgDHO&+jDj{N)2Z|NNj{&;M+1pXbkn&m!!;Iz&W=2m%BFg1}cs0QdYp
z(DM(oi^#-x5u>|@?jjbViR!8c`|Tp8^zI^FLB(O7@Umo2cn3Y#UWoR_l73HkiCFTL
z%{QVu1Ob8oL4Y7Y5FiK;1PB5I0fGQQfFM8+AP5X3fahjD44<3HlI3PT4$aL(!uR<#
z9}mjSWa5fViNogkr^)jCWdrm4k?&-=89gAn*3p;e&xU#aDFZDg&Ikeo0fGQQ;GaeS
z_xx|6=bxhjWXIrldsJL%U2)HUZuUUWFV5-p{Kfu+=l`dTDq#;nfFM8+AP5iy2m%BF
zf&f8)An<=6Fm2EW-(Dd}!@fq9ElbsX7@Dd}EKXF{+Se~t=LBD)%03De=Y^o3U(6c(
z1+L86>G+1N&VS&BEfIbhD*R^*4IuK_(7R!KxgMtKoN&eV{)$8YVI)Up<NLp`u_RGL
t+xN4L*U~09zFdzhF3TF$Mh}^d^9R{j0&RSae?7<ymp&UekRM%3`wuGq6MX;x

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
new file mode 100644
index 0000000000..a2db2afe95
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+	{
+	print "Curves", c$id$orig_h, c$id$resp_h;
+	for ( i in curves )
+		print SSL::ec_curves[curves[i]];
+	}
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+	{
+	print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+	for ( i in point_formats )
+		print SSL::ec_point_formats[point_formats[i]];
+	}
+
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+	{
+	print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
+	}
+
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+	{
+	print "server_name", c$id$orig_h, c$id$resp_h, names;
+	}
diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
new file mode 100644
index 0000000000..4a980bb895
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
@@ -0,0 +1,13 @@
+# TEST-EXEC: bro -C -r $TRACES/tls/heartbleed.pcap %INPUT
+# TEST-EXEC: mv notice.log notice-heartbleed.log
+# TEST-EXEC: btest-diff notice-heartbleed.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-heartbleed-success.log
+# @TEST-EXEC: btest-diff notice-heartbleed-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted.log
+# @TEST-EXEC: btest-diff notice-encrypted.log
+
+@load protocols/ssl/heartbleed

From c24629abf4490a59a60e0579ce0eb6d6fc5855d8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 12:36:05 -0700
Subject: [PATCH 039/136] Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification
or anything else at the moment.
---
 scripts/site/local.bro                           |   5 +++--
 src/analyzer/protocol/ssl/events.bif             |  14 ++++++++++++++
 src/analyzer/protocol/ssl/ssl-analyzer.pac       |  15 +++++++++++++++
 src/analyzer/protocol/ssl/ssl-protocol.pac       |   1 +
 .../.stdout                                      |   1 +
 testing/btest/Traces/tls/ocsp-stapling.trace     | Bin 0 -> 9427 bytes
 .../base/protocols/ssl/ocsp-stapling.test        |   7 +++++++
 7 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
 create mode 100644 testing/btest/Traces/tls/ocsp-stapling.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test

diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index bb2cc73a53..afe1d9d4f2 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
-# Load heartbleed detection. Only superficially tested, might contain bugs.
-@load policy/protocols/ssl/heartbleed
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 5106552740..f32649403b 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 66224bf45a..e9d29675c3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+		%{
+		 if ( status_type == 1 ) // ocsp
+			{
+			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+			  bro_analyzer()->Conn(), ${rec.is_orig},
+			  new StringVal(response.length(), (const char*) response.data()));
+			}
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 857bd01f26..a8b9975eb5 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 
 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
+	length : uint24;
 	response: bytestring &restofdata;
 };
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
new file mode 100644
index 0000000000..a8735f6d41
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@@ -0,0 +1 @@
+F, 1995
diff --git a/testing/btest/Traces/tls/ocsp-stapling.trace b/testing/btest/Traces/tls/ocsp-stapling.trace
new file mode 100644
index 0000000000000000000000000000000000000000..8b66f7288d11316bcea20d3ca91066cf167391c4
GIT binary patch
literal 9427
zcmds72~-o=wyjD+2s0sJkTEFu6eLt2D5xl-fGD8IWP=hQK$I~FvrM5G1rZ0F70~WR
z#i`Lo6g5ICsEDE<2!e_@gEF<K2>e^YpbXFV-hc0}zy5cvyG-4xyYIQ@+}it|Q#4fl
zUWkEkknrE=C<MXa!rb4(xuj7Xasa>42F=cRnUh>h@wdIXiU3(dkeRZX8DxfsAbv4!
zXUeeY>efr}#aU7NU!xD7#*B`pU4bABPUI|%#o}O?AWq5ZBck_km@)M8Qj*YeaE-Px
z+_5<X=!<P%nn84Ylr4&k&H!I*z2s3I-UMcNQy@oyl4gyg6L1)UI5c!*F**Zkw}Z4K
zWC2joHpOl_Pib1a-vIRHBw31XS}E|rn7s@X6-Dfkk%aVtThKNc5!NhO^8-XBif($r
zL_`HF47~zKomkjGyEHbZ^0d>*Txa+6t}JY;m4wEz!x<|5yc&gd$s6xMP#~Yo7w6C9
zYeFWFF_ZzN^JVxVkP-AVUye`UtMXMK1&G9#;$tCkK8Y{J*Wjx|hL8cY7uo~DWW|@}
z;~;$~A2NqT`9!`bUy_f3L_omhAvs74B11%o0O27lG>QQht%f8Z92SBxkT^sKAkvT&
zGz0WWLQ3FaaWIvl;BiqfP#%DY01y(`FBkwI1IYp~5EjrYg8B&pT`-Kg?-*MOdLse}
z+T>7+JhI!4hC1xaq)<1{iaOAgBn#tCRgbw31j8DHm;v0U;sG|%DlF{m;cvdhH)gBr
zfcW{^bx~KiDxX4L9>1E_@FveDENst9N&^A7*=%@E&q2G!ruDG>&)y*ntG8?8rT4DY
z=x9qV=93|?Fksp!43;4Q5idi;ix9pA;o%=3Jdw)<SPYE8$ogPCp{NZEhf|i48$4Y*
zE+JBQF`YEqv_UBt77>Av<jXV(L=2C0!Qn|57iXFxB9C5(lcZglY?d=CAY>lJF2t8g
z(?HbF8xkZ1;SI_fb_9n@abR+zLfIQ>ix88s2MpFQ*})u2s6Qow!=x~{lt3;wjI&T*
zKPoDU8VOK20F~++8m!L_V^HS!&PC?ajFI{1U@S?09NjXA!QoI0Db~?kW{4ltkK)P*
zV)-$+tk4jOv-1jyvyCOi(i~A&l%g5Z5CcO*@NX@+q@$MxhDIhvCTkHMEKVaKM7)G9
z9>&4E1&c8-R<KePWXAWM7?QXfgA>RK3E+l?(9{qW)E*fU*@?}HWN?`jM|J=sgcU28
zpC*UMqPImzV)GG%PBWw%8%=bhG$M&UKqQNp7$Zgo0t>)3VZtP`h&1|;C|Pth(=RwQ
z#E+(gD4;!JWEmP|CCir`$_e%7Qrs9ZG<8H3y(3PR|JH9A$_@)<k69#%h@<x<$k>(6
z=E5jq$<jfg0jv;e5G#_2dK`FT=Jz`Q7J;xlSO!A9gyF$3bljk>c(~N=XjyD&0Vc8a
z*8cP^$~#NhLuETkn%i8yv_Ep#H}|Z@x?a6ggOZDu9M;W*pGRMM5)d4Ej+xs0+N+Di
z^7<oXsMhmKxp%2S;nOeoj~-ZpP!7gxkzzb$wZ0(FV?Bo+66HcIw!U_+d1Y!bP!rn5
zO8H&uimJbiSNP-npG@-{eAX7%2X)VrO4%=|cx7M+(fDMAKY&k)8}yBVL-MQ=q>tWj
z@<tTzUJna9aQ8YgYu?(#jqH}Ex0oYyS$d3kb?RefvpJzp9DjKqsC>Mn&vJeH2K{-<
z8jc4k6(#<p;*vMK*d)R`>Vz9Uo4&r=f^Xt)ovYO5Q^I)r`)&ygAUOCi50i-SFmXuo
zYv5BgA};wUlHAUd7x*%S$)$#Yoe4b8MP14x2XjJL4C+Kj^C)2)E;U#fLg4^TM3`V4
z0O83o!dR0>O$rx}%nc0<;!J)@E;=}9N?!;wI)XFNGPyCEgp&)bRTNk|^@e~0)JQlC
z0tt4dnhXq&;&51uNC84ey`YWLLv-;3@D_=Ph+^UKUl_cYcbYAn_R#_d<Hf(eWa3yX
zVug;P;7k#e7$nA?v4%wz@rVvGM>re<E2#cmdhiY72uMdw8mE9GbKmxPt86M-_1P+o
zBH1i;n@h64hiIUa%)){9CW-7|S)&&Det~nWW1oBIj(+2g#!HWpCFlbhxCMw2Vpu>c
z&`;AtrvqeU?P?do4bt;v2TkN8v>#>u@*gw*4gvEIO=SM4Bq8(Pu9?XE+#mx4nNJ0?
zA(6th!!T|G68O!j2%M%d(YR1wPS^zNfG5930KrUN2?K1x3G6zy!m)Xo?C)QDK>Xmf
zhaux@>9&Plu^S3Y8g^=`yyvfU?3doqkg}^|aofU-?!&)zIG(pl%T{oU{=l>k*i-3T
zsr<xY`Mr@X0TqG7fwI$;!+CF?eOVoU<z0<*O<=_eV#2MH$`8)W+gn;W|M$<LSxe}W
zjGezRb{23h9UqbPvdGfnj?~X5nba(}VyIi!>2^vbzeYD>i@VleqFRZI1Fp6ypII&L
z>Ubohn<IBG^8L%sbe*cEyd789X}afbDz(<GexW<?>$|P>9^y3?7R8M6lGh{FU1n;V
z>uvRv4`?*x&z^C7W3Nh=mDSd)>->@M^N%=NGGw-Qt;yH={2{gLRluxc>n^``T2S$(
zfSSH&2h?#J!b=0W6i0ZtzOQmg)PaH*JeLi9aC1}D`wO*7le~r`-<-(v|9!b!h!}&d
z3G|c(6p(^Oi6WG~F~z0mQI>_WDU1kiU?`gv3j`3A)6kHh7@9R=iH^mR77K?^glg#&
z;S<F2r2y3mX0T%@mP|I6<<IgRlTGt6EN%?IwlPAb6G$%&G5#i<=;Z>TbpD?|8~h`+
zyX2a2A%pJccjxxa)9+r+;9O%ryl7o<u6Q)%vMRQ<JF|=`tE^q&a?`x<ki?xC>%z*{
znb;qssjg2ysdKDYw@77??5y>qGi`)y2XaeF^0RZ<&jP!(0_t4<DA~u!w`$GGE`87w
zzI{t;_?qQ!IUXBw!&c419@<r3ON_1Xk=m(qLp8$f^<UL*F8pkCt2%XULg&h-#9i^y
z6uNb5Z;{yBx26Zr=Uc9$+Y_|aEtQKNmSw?o)2ffpPdR3f-e&g9a=5mu)U#!)Dlb(E
zFLib1A8~VzV5?R**SlA+D+nfE3L=Y(U)zUdm_93|X=iih+DaS5;JZyN2R?MZ{t|zA
z3!zcttJ=W>K>vHbquObiR1RfQ5~>OW1P}fLr*6a)?W5r4BXq<7j{`rUe~H`$!!^c+
z7a#@Hw0YzF=gjntU^A!EbC@r~P%pqpz@!v(c5U1YL~()!38jVrPgF7(4~~ICu>#}^
z#0_)>3mFxb#4!+*`B!qJevpJc@|!MYI?&`%9zQ2ZRwMGeB&-5G_oIjrCDK30B9<oz
zw1hZOOXBAUwWPjzTuWAhETUq4p;y6AhzH_^xG0E$*F1o!AHecQG!YF%6fdGHjm0SA
z$hpt&E2ov@Y}r_KCuu{2t<t=>8B|1DVb)g%g9AY5M74<I2>MW@xu{=>xS0s$2sn1q
zlo2J+0oaBpAQ?kTa|48KtVh$M8-oq-RgZu_X^1|eC%gt?ra3v7Q|0V?`A)pg{H?OB
z>tYWg)^BO@8FR{zW;ls{1){aK=**S3ISt0eN$ko;#?+GE!awOAzG!nXm=!8Je|L7Z
zEA?W<@#XtsAN29IKOv7~)uoiBv~Ev7Uc!vA8+JQ-rcO-bf~@?XV$wd(K8b5L`t9!N
zE0&2gNXUDk^seG%%Uy?@=!+c(_#V3ax}8#5lI)xGbzw6zb(f#+4NUKUXO%O@EXpLr
zmTgV*+Grx3hI!+^XFE;iaX|a8hq4c>s0$BWsQICszVuT_^WMQFE&a*sV?Bd&H+|T{
zEgS7r^y+4;J8pY1KgZwN<gA?dhp^ZCBWK!szt&Nq+YJ^q1n|$yK0&(h@Mrky@uypY
z!xR=pmE`TcsI1ZA{#&QxRmRDRq7i!tcM}NKb<p&`ik8tXT6%x_LQ#W+I(Nx^2`!Vn
zhOGZ5H47Y)&_GL&sQ;RpOd}))v<X7;|4B9fk*J)~A`s@r8XfeOJoeIlk;9`+6^pG^
zFX}!SnTz@4MmX%3D*v~?dQa5QGQDQL(mD34MQQHGa+k6*W%i{bxe20fUGFVh{e9#a
zcf6&JG`D|zQsqN1T|;_nchh4{>g?ybxhjX={#BS)X=vAM>APXI{k_~*VXIcwXR_j|
z!#<QglH<0<dD*+(&%YucRd{-!NW1Tp>b3x-=L2}$`>o}jP-ol1b2COU7X}u;d$RfM
zg3Vn6O(lIFdQ4BXMdTUIP*XL##nqajx&0w|q(o<Rb#5cht~1BiCSx%x<<^MJCEWza
zYdcR$A84qz<Ogt`kqHUUmmcDrHx$3)wUnNopY_i9mA1T4RPunR<RCIAmk3lt1i=E;
zKxk-(1`gx^$m{~Gf|+T8@&GuHPdSOBR4?FpG)o@OM*wC2o2rA>F~(AgX({KsY)2>-
zXlC<GRfH7xeG)WDMg$a%GJo!mnLkm${IV07pLbWt{Aa&RWd8q2(x(fT1(+O!2GJ5;
z114Ac%H&fCd}1{To16^EXrHw0RxwOnA$hK{X=LStlsPNRnck2@lx;X~B(Zg^G^O_5
z8=DG03x*Y)izFw{&RRZb<&{8BDn6gmA=VT;t1Yv84&jpTTA~}_&x0);fpbo^IW6wu
zX*NTZE>=!q<|k4VV=fT-b=$k?YE}pD;kFOl5>eC>)6?^P|6#U7oB||z2Zls%Aw1D)
zaTqG#iSohE3cT1@=8Ayj@kCF6uA^Xo{)93pRG57GKX|bJx9VV4hy~c4Kx-FGIobcH
z4(4d->_l131Vsr@DPt?i7$7t{LN`E<_MjNH7U3Y_h#g4r$4&>Jh)Om&rF2#mqhTVO
z?>c<_zWaM_>gGMTX;bK_HN+%n$_xd>@h)TGq?7grns6GWcP9kisFip7G_-V3&Us1v
z+{P8r2}Md38=rr=-?1+(O|Ly&J>8vC<m*>uv;DK$k*%Y}YQ1+=qFrj;R%mVA_{-U<
z#*KP+)P|@>j5fr)_^XL^Ohqlu$UP?5S3cij#PQZPIdRGDwuRyC3(Bd3_YbUa4R%O;
zyiI<&0pgzJs1sfD2%F*Ox{S2woJH}AkX)^<LQ|VfzT0tXM`x@@a_5;!&6T|Oi|&!9
z!PQ5G{p7CN(s$pF<R<<pafPtA_n`W=9#1E$VLW$};lkPl@lOZs^J*fD!}DuWUmfz7
z={MgNptDQYV}GY(0G~COAEVZDxv$>1#r5eQCmEx7t2v+VK2a;+i5P(5EEO~zAmDOe
z1stlgx~biuSkBCquU+!-jpAeh|39CIp+#CcVn|!?Ez_if)YE7@)BKMe5dQbyK0qrd
z^KS>tkCx}rHu=i|u5WpgfcZa7Wd4k30rM-txWM*_%>U!6?TJ@QUbt!2-ECJ|^3anP
zr_{5|kD&0UWurp_dw%1~4D2!u^GEGx%OOfe)2KQrCcXE_IzMOfqkFq-uI2rKY|-DB
z)FT^Eu|AuxvS_zqWPn_^;les`|B`#<%`OjYl+%lJ)N3`kS%ncAdA+vVFFMN`&!f!T
zuUt`o*u(mjS&gNoU1tqWsSM|r5xIHzh=>JA>2cEBmSkP6KDUOEk_YEC$lRSXtgi1}
zSMS}repGU2zgyC%=w6++y2R|Wu60_+Jg-^0eaUWLSN9^mx_-^FuyX1pq6*(x?oq?i
zgiUR?hhJ&BZOeUJ`|-K){Br9a^LFAFmza?ztszV4KxnT?$J1)zk%J6;FZ+EZGr0uS
zdI~Q22$EcgBp>{~4v9sQxBQcZNJ}SY#7C%y7!2Zy$SX|xK7s%tft5{#to=6*1q`CF
zLVQ7uo=WkFp|F|$Og1ybmq`g?F?^_$Ag&)3{rF+BV7%^wkWg#2acC`HSZEbPB+yP7
zG+Px-0>`Ow9TUM}!1o(X^ezzxa<n4~2wC`H0!tEGW8<o4p=ShMxoLQK$G}`-R9e+M
zy@0r_wy_D!hdsNCjihu+=!wS%U-_nb?+)zUX7{|$@Nsn{(WB;uZ%@&-$W(S=k8e+D
zob?<@r~8_ixHMCLtz+k$DHbkXy}X64i$*L&BtLIl=}I$Wnv<AxRebco=&JAyyYKXc
z7!52v)Oou}yhDSV`F@VkV<%mUvo8s;e>-9B7;K%j*7b(EzZX2)q*CqXiG+*?G25)&
z{o~H+n!VIqel_;qKA*~u9f1`|n}_RPEF@9Lo5P=X#*NyL=kW?R8sxO>xLFyw<w?JK
z!s*Y42h=47JlFH2pKE@+v3dW@pB!!PcV!;cIVtkAIVtR|kL+&06Z#Dd?=lrh2oAtP
zN(>zJGv2h?DOSH~$+BB3%8sl&|FX=owq)mDzbuvN*cYw;^vS*z90ykdzd1Q*NWIJq
zeu@dF4KS&8o}_3iKk-XLr|UCCv%{?q*3oPEw<VXxiw%dkNd;?f2=&?ZP{n%bQW!d>
z@#n6`H$Lw+p!~%<7Pw0FmkmF2MEbAK_^r@?)3$n-e3hf7xdjiRpSbiUu`n%Ga~rh0
zqz(_sdWLvkUX?RXVd&nrRd+1H7U=gW`5%k^(&KWEEwN~LRnNoC_RteOzRP|4fg1(s
zthxdj-u|C+nk7>o#cE|1vSofHh+P*qE@$u3-DGkh_NvjZ%c|DrJi!<EiOM>f8JfK8
z5s`R0dq_T3;@VY-kiq3k`A7u+x9+<S+s`fg9OZN+ySGv4xiMMcegEEBS~)7a^S94G
z{N$Ly)x{laLazh`EA3?;Wi%p**9z0q2saiJu$rFX9@|#EV-F5pTIyjy%wCc-Sgs6v
zuG>feEGYOSpLs(12UV4<*uPg*$%qD375i^hm3|3ORauEL?7kl&?q~f7kpfMJc;JVK
zk~V)2F=sxo@$7Vnq*`g{74QJsCVzg1S{5z+0iqHGO7|F30ZLZC9J*@s^Si$+1o<#<
zMcGAEnGYCAY2!nk9xbz1G+&FS`I2L)`}+GWPu|tCXjOgH_4vl1ZODeekGh`HN`nsu
ze2O*sacgtrR=3Z#4~%s=s;YiHdGHrW53@gJCz*><(=?hZ_x&={tXGQIcCeF-eh7on
z36ae<bI)l%Yu%;8R=c#Qim{~1)?y>odvhhh+Rva%UB2Uey|F3#%gq&9dCH|^|EKmA
zAU3o{2#N<wM%!fdgF@{iQ1#=cPgK90`Lm)9#wRJk*tXPh^>ann{+%&80lCR(72fcT
z#xom_{=6q($4vJ8>&r~8Wjf{7Tcwo6u1-v;HQ_)DpIPTUYdXKs3^j)MVC*j{ET#(r
z{bS>FK{y!iQJxbH!usXAurfgqTrB~jb2|)W12nWv32VZApC2HCu%-<Q!#bFWA}Rte
zQyx31ytO-Psjb~HThr<TZ|2USH-zxDFG|~sl+A}X#l8?cv{W>MZ_w*_L9}Dd*}aXc
zDsO0v?pd%#d*PnP_*9)0iK(b<-SXJ+7j25`>24=c*9T@!a(y^(eRUEM#vThFcl`}Y
z)?g-zSf%g{ams4x+tjCBZ8h*88~jzucQ4vtGg$2n6!C*17775aL)#QY4~J_%Kt%ob
zwIB-Y6Clc?{u2{nUbUCL;vVF*qt)m5t&~;99h*Ky$0g*`0;8$-jvAuV4ufgYO)&jN
waQ$Q2X}bgqAx^)LCI{R&;#6n5XQ0jwI5o-HY~bu}@b@9uqXXm4u16R1Uo6+Q(*OVf

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
new file mode 100644
index 0000000000..b50f04a92e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	print is_orig, |response|;
+	}

From de0ce6deedd388de612365c085a1e4f427fbc2e0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 24 Apr 2014 16:20:01 -0500
Subject: [PATCH 040/136] BIT-1156: Fix parsing of DNS TXT RRs w/ multiple
 character-strings.

The "dns_TXT_reply" event now uses a "vector of strings" as the final
parameter instead of just a "string" in order to support DNS TXT
resource records that contain multiple character-strings.

The format in which the TXT answers are logged by default is now changed
to be a list of strings of the form `fmt("TXT %d %s", |str|, str)`, one
for each character-string in the RR and delimited by a space (' ')
character.
---
 scripts/base/protocols/dns/main.bro           | 14 +++-
 src/analyzer/protocol/dns/DNS.cc              | 65 +++++++++++++------
 src/analyzer/protocol/dns/events.bif          |  2 +-
 testing/btest/Baseline/core.ipv6-frag/dns.log |  8 +--
 4 files changed, 62 insertions(+), 27 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index d7280602e6..83c9682e8c 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -382,9 +382,19 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
 	}
 
-event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, str: string) &priority=5
+event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
 	{
-	hook DNS::do_reply(c, msg, ans, str);
+	local txt_strings: string = "";
+
+	for ( i in strs )
+		{
+		if ( i > 0 )
+			txt_strings += " ";
+
+		txt_strings += fmt("TXT %d %s", |strs[i]|, strs[i]);
+		}
+
+	hook DNS::do_reply(c, msg, ans, txt_strings);
 	}
 
 event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index a97c7b8632..aee1e1b213 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -835,34 +835,59 @@ int DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg,
 	return 1;
 	}
 
+static StringVal* extract_char_string(analyzer::Analyzer* analyzer,
+                                      const u_char*& data, int& len, int& rdlen)
+	{
+	if ( rdlen <= 0 )
+		return 0;
+
+	uint8 str_size = data[0];
+	--rdlen;
+	--len;
+	++data;
+
+	if ( str_size > rdlen )
+		{
+		analyzer->Weird("DNS_TXT_char_str_past_rdlen");
+		return 0;
+		}
+
+	StringVal* rval = new StringVal(str_size,
+	                                reinterpret_cast<const char*>(data));
+
+	rdlen -= str_size;
+	len -= str_size;
+	data += str_size;
+	return rval;
+	}
+
 int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start)
 	{
-	int name_len = data[0];
-
-	char* name = new char[name_len];
-
-	memcpy(name, data+1, name_len);
-
-	data += rdlength;
-	len -= rdlength;
-
-	if ( dns_TXT_reply && ! msg->skip_event )
+	if ( ! dns_TXT_reply || msg->skip_event )
 		{
-		val_list* vl = new val_list;
-
-		vl->append(analyzer->BuildConnVal());
-		vl->append(msg->BuildHdrVal());
-		vl->append(msg->BuildAnswerVal());
-		vl->append(new StringVal(name_len, name));
-
-		analyzer->ConnectionEvent(dns_TXT_reply, vl);
+		data += rdlength;
+		len -= rdlength;
+		return 1;
 		}
 
-	delete [] name;
+	VectorVal* char_strings = new VectorVal(string_vec);
+	StringVal* char_string;
 
-	return 1;
+	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
+		char_strings->Assign(char_strings->Size(), char_string);
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(char_strings);
+
+	analyzer->ConnectionEvent(dns_TXT_reply, vl);
+
+	return rdlength == 0;
 	}
 
 void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 520e32fe6d..efa0807fd1 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -376,7 +376,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
 
 ## Generated for DNS replies of type *SRV*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log
index 69aec7e222..5eede0a0e4 100644
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-02-10
+#open	2014-04-24-20-25-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	This TXT record should be ignored	1.000000	F
-1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	This TXT record should be ignored	1.000000	F
+1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
 1331084298.593081	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
-#close	2013-08-26-19-02-10
+#close	2014-04-24-20-25-20

From 3d22692b6e897c1935cb60a8890de8bb76ef2b47 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 14:45:06 -0700
Subject: [PATCH 041/136] Fix a few failing tests

---
 scripts/policy/protocols/ssl/heartbleed.bro | 7 +++++--
 scripts/test-all-policy.bro                 | 1 +
 testing/btest/core/leaks/http-connect.bro   | 2 +-
 testing/btest/core/leaks/x509_verify.bro    | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index dbf27ec63e..1e0fdcd98b 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,6 +1,9 @@
-module Heartbleed;
+# Detect the TLS heartbleed attack. See http://heartbleed.com
 
-# Detect the TLS heartbleed attack. See http://heartbleed.com/
+@load base/protocols/ssl
+@load base/frameworks/notice
+
+module Heartbleed;
 
 # Do not disable analyzers after detection - otherwhise we will not notice encrypted attacks
 redef SSL::disable_analyzer_after_detection=F;
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 895a9a8901..5c6ed286fb 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -85,6 +85,7 @@
 @load protocols/ssh/software.bro
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
+@load protocols/ssl/heartbleed.bro
 @load protocols/ssl/known-certs.bro
 @load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
diff --git a/testing/btest/core/leaks/http-connect.bro b/testing/btest/core/leaks/http-connect.bro
index e9a47d00a2..fe42f3ec0a 100644
--- a/testing/btest/core/leaks/http-connect.bro
+++ b/testing/btest/core/leaks/http-connect.bro
@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/http/connect-with-smtp.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/conn
 @load base/protocols/http
diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.bro
index 426a95d2c2..f4a5ddc7d1 100644
--- a/testing/btest/core/leaks/x509_verify.bro
+++ b/testing/btest/core/leaks/x509_verify.bro
@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/tls-expired-cert.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/ssl
 

From 9e6643e9d428ce0c9e0a2ba336013b9a56297036 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 17:07:04 -0700
Subject: [PATCH 042/136] Updating submodule(s).

 [nomail]
---
 aux/broccoli | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broccoli b/aux/broccoli
index 04e6a7f591..561ccdd6ed 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 04e6a7f591817f060a781f21c12e1afce7eb1e16
+Subproject commit 561ccdd6edec4ac5540f3d5565aefb59e7510634

From 988ba2e897a5256defac18b32d1cde4ce2721116 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 17:08:45 -0700
Subject: [PATCH 043/136] Add Java version to software framework

BIT-1168 #merged
---
 CHANGES                                   | 4 ++++
 VERSION                                   | 2 +-
 scripts/base/frameworks/software/main.bro | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 37cfb13a64..b8f537e914 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-381 | 2014-04-24 17:08:45 -0700
+
+  * Add Java version to software framework. (Brian Little)
+    
 2.2-379 | 2014-04-24 17:06:21 -0700
 
   * Remove unused Val::attribs member. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 523b625f56..ba398d78a0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-379
+2.2-381
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index c8f413a8f2..f5c9927126 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -287,6 +287,13 @@ function parse_mozilla(unparsed_version: string): Description
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
+	else if ( / Java\/[0-9]\./ in unparsed_version )
+		{
+		software_name = "Java";
+		parts = split_all(unparsed_version, /Java\/[0-9\._]*/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
 
 	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
 	}

From bd64e52782eaf6a7f006d029a61f24f19a2ac9fa Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 18:14:18 -0700
Subject: [PATCH 044/136] Fixing compiler warnings.

---
 src/analyzer/protocol/tcp/TCP_Endpoint.h     | 3 ++-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
index 95186c583a..96cc497421 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@@ -135,7 +135,8 @@ public:
 	int NoDataAcked() const
 		{
 		uint64 ack = ToFullSeqSpace(ack_seq, ack_wraps);
-		return ack == StartSeqI64() || ack == StartSeqI64() + 1;
+		uint64 start = static_cast<uint64>(StartSeqI64());
+		return ack == start || ack == start + 1;
 		}
 
 	Connection* Conn() const;
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 1fabfc5d73..053e8c8f60 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -376,7 +376,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 		TrimToSeq(last_reassem_seq);
 
 	else if ( e->NoDataAcked() && tcp_max_initial_window &&
-		  e->Size() > tcp_max_initial_window )
+		  e->Size() > static_cast<uint64>(tcp_max_initial_window) )
 		// We've sent quite a bit of data, yet none of it has
 		// been acked.  Presume that we're not seeing the peer's
 		// acks (perhaps due to filtering or split routing) and
@@ -465,7 +465,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 	NewBlock(t, seq, len, data);
 
 	if ( Endpoint()->NoDataAcked() && tcp_max_above_hole_without_any_acks &&
-	     NumUndeliveredBytes() > tcp_max_above_hole_without_any_acks )
+	     NumUndeliveredBytes() > static_cast<uint64>(tcp_max_above_hole_without_any_acks) )
 		{
 		tcp_analyzer->Weird("above_hole_data_without_any_acks");
 		ClearBlocks();
@@ -473,7 +473,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 		}
 
 	if ( tcp_excessive_data_without_further_acks &&
-	     NumUndeliveredBytes() > tcp_excessive_data_without_further_acks )
+	     NumUndeliveredBytes() > static_cast<uint64>(tcp_excessive_data_without_further_acks) )
 		{
 		tcp_analyzer->Weird("excessive_data_without_further_acks");
 		ClearBlocks();

From 597c373fa0b947ee2da2c5e4a65dcdf5f0c5b40e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 09:48:36 -0700
Subject: [PATCH 045/136] Log chosen curve when using ec cipher suite in TLS.

---
 scripts/base/protocols/ssl/main.bro           |   9 +
 src/analyzer/protocol/ssl/events.bif          |  20 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  13 +
 src/analyzer/protocol/ssl/ssl-defs.pac        | 352 ++++++++++++++++++
 src/analyzer/protocol/ssl/ssl-protocol.pac    |  60 ++-
 .../ssl.log                                   |  12 +-
 .../scripts.base.protocols.ssl.basic/ssl.log  |  10 +-
 .../scripts.base.protocols.ssl.ecdhe/ssl.log  |  10 +
 .../scripts.base.protocols.ssl.ecdhe/x509.log |  12 +
 .../ssl.log                                   |  10 +-
 .../ssl.log                                   |  10 +-
 .../ssl.log                                   |  12 +-
 .../ssl.log                                   |  12 +-
 testing/btest/Traces/tls/ecdhe.pcap           | Bin 0 -> 7510 bytes
 .../scripts/base/protocols/ssl/ecdhe.test     |   3 +
 15 files changed, 505 insertions(+), 40 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
 create mode 100644 testing/btest/Traces/tls/ecdhe.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ecdhe.test

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index e3c3320f74..f1315f8c85 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -19,6 +19,8 @@ export {
 		version:          string           &log &optional;
 		## SSL/TLS cipher suite that the server chose.
 		cipher:           string           &log &optional;
+		## Elliptic curve the server chose when using ECDH/ECDHE.
+		curve:            string           &log &optional;
 		## Value of the Server Name Indicator SSL/TLS extension.  It
 		## indicates the server name that the client was requesting.
 		server_name:      string           &log &optional;
@@ -159,6 +161,13 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
+event ssl_server_curve(c: connection, curve: count) &priority=5
+	{
+	set_session(c);
+
+	c$ssl$curve = ec_curves[curve];
+	}
+
 event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 555168e82f..54bb0715d2 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -58,7 +58,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##              standardized as part of the SSL/TLS protocol.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_session_ticket_handshake x509_certificate
+##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -97,7 +97,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -114,9 +114,23 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
+## Generated a named curve is chosen by the server for the SSL/TLS connection. The
+## curve is sent by the server in the ServerKeyExchange message as defined in
+## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
+##
+## c: The connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_server_curve%(c: connection, curve: count%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 62300557da..071edf2eac 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -400,6 +400,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_ec_server_key_exchange(rec: SSLRecord, curve_type: uint8, curve: uint16) : bool
+		%{
+		if ( curve_type == NAMED_CURVE )
+			BifEvent::generate_ssl_server_curve(bro_analyzer(),
+			  bro_analyzer()->Conn(), curve);
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -488,3 +497,7 @@ refine typeattr ServerNameExt += &let {
 refine typeattr CertificateStatus += &let {
 	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
 };
+
+refine typeattr EcServerKeyExchange += &let {
+	proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 24827d3621..2b55e53b25 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -60,3 +60,355 @@ enum SSLExtensions {
 	EXT_PADDING = 35655,
 	EXT_RENEGOTIATION_INFO = 65281
 };
+
+enum ECCurveType {
+  EXPLICIT_PRIME = 1,
+	EXPLICIT_CHAR = 2,
+	NAMED_CURVE = 3
+};
+
+enum TLSCiphers {
+	NO_CHOSEN_CIPHER = 0xFFFFFF,
+	TLS_NULL_WITH_NULL_NULL = 0x0000,
+	TLS_RSA_WITH_NULL_MD5 = 0x0001,
+	TLS_RSA_WITH_NULL_SHA = 0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
+	TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
+	TLS_RSA_WITH_RC4_128_SHA = 0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
+	TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
+	TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
+	TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
+	TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A,
+	TLS_RSA_WITH_NULL_SHA256 = 0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D,
+	# draft-ietf-tls-openpgp-keys-06
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD = 0x0072,
+	TLS_DHE_DSS_WITH_AES_128_CBC_RMD = 0x0073,
+	TLS_DHE_DSS_WITH_AES_256_CBC_RMD = 0x0074,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD = 0x0077,
+	TLS_DHE_RSA_WITH_AES_128_CBC_RMD = 0x0078,
+	TLS_DHE_RSA_WITH_AES_256_CBC_RMD = 0x0079,
+	TLS_RSA_WITH_3DES_EDE_CBC_RMD = 0x007C,
+	TLS_RSA_WITH_AES_128_CBC_RMD = 0x007D,
+	TLS_RSA_WITH_AES_256_CBC_RMD = 0x007E,
+	# draft-chudov-cryptopro-cptls-04
+	TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080,
+	TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081,
+	TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082,
+	TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
+	TLS_PSK_WITH_RC4_128_SHA = 0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
+	TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
+	TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B,
+	TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7,
+	TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
+	TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
+	TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+	# draft-bmoeller-tls-downgrade-scsv-01
+	TLS_FALLBACK_SCSV = 0x5600,
+	# RFC 4492
+	TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
+	TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
+	# RFC 6209
+	TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C,
+	TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D,
+	TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E,
+	TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F,
+	TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040,
+	TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041,
+	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042,
+	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043,
+	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044,
+	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045,
+	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046,
+	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B,
+	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C,
+	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D,
+	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E,
+	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F,
+	TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050,
+	TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051,
+	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052,
+	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053,
+	TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054,
+	TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055,
+	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056,
+	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057,
+	TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058,
+	TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059,
+	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A,
+	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F,
+	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060,
+	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061,
+	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062,
+	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063,
+	TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064,
+	TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065,
+	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066,
+	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067,
+	TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068,
+	TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069,
+	TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A,
+	TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B,
+	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C,
+	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D,
+	TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E,
+	TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F,
+	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070,
+	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071,
+	# RFC 6367
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079,
+	TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A,
+	TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D,
+	TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E,
+	TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081,
+	TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082,
+	TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083,
+	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084,
+	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D,
+	TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E,
+	TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093,
+	TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094,
+	TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B,
+	# RFC 6655
+	TLS_RSA_WITH_AES_128_CCM = 0xC09C,
+	TLS_RSA_WITH_AES_256_CCM = 0xC09D,
+	TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E,
+	TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F,
+	TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0,
+	TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1,
+	TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2,
+	TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3,
+	TLS_PSK_WITH_AES_128_CCM = 0xC0A4,
+	TLS_PSK_WITH_AES_256_CCM = 0xC0A5,
+	TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6,
+	TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7,
+	TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8,
+	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9,
+	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA,
+	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB,
+	# draft-agl-tls-chacha20poly1305-02
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index a3729826c4..a44516dc6b 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -302,9 +302,11 @@ type ServerHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
+} &let {
+	cipher_set : bool =
+		$context.connection.set_cipher(cipher_suite[0]);
 };
 
-
 ######################################################################
 # V2 Server Hello (SSLv2 2.6.)
 ######################################################################
@@ -351,11 +353,51 @@ type CertificateStatus(rec: SSLRecord) = record {
 # V3 Server Key Exchange Message (7.4.3.)
 ######################################################################
 
-# For now ignore details; just eat up complete message
-type ServerKeyExchange(rec: SSLRecord) = record {
-	key : bytestring &restofdata &transient;
+# Usually, the server key exchange does not contain any information
+# that we are interested in.
+#
+# The one exception is when we are using an elliptic curve cipher suite.
+# In this case, we can extract the final chosen cipher from here.
+type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of {
+	TLS_ECDH_ECDSA_WITH_NULL_SHA,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_RSA_WITH_NULL_SHA,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_NULL_SHA,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_ANON_WITH_NULL_SHA,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+		-> ec_server_key_exchange : EcServerKeyExchange(rec);
+
+	default
+		-> key : bytestring &restofdata &transient;
 };
 
+# For the moment, we really only are interested in the curve name. If it
+# is not set (if the server sends explicit parameters), we do not bother.
+# We also do not parse the actual signature data following the named curve.
+type EcServerKeyExchange(rec: SSLRecord) = record {
+	curve_type: uint8;
+	curve: uint16; # only if curve_type = 3
+	data: bytestring &restofdata &transient;
+};
 
 ######################################################################
 # V3 Certificate Request (7.4.4.)
@@ -501,14 +543,24 @@ refine connection SSL_Conn += {
 		int client_state_;
 		int server_state_;
 		int record_layer_version_;
+		uint32 chosen_cipher_;
 	%}
 
 	%init{
 		server_state_ = STATE_CLEAR;
 		client_state_ = STATE_CLEAR;
 		record_layer_version_ = UNKNOWN_VERSION;
+		chosen_cipher_ = NO_CHOSEN_CIPHER;
 	%}
 
+	function chosen_cipher() : int %{ return chosen_cipher_; %}
+
+	function set_cipher(cipher: int64) : bool
+		%{
+		chosen_cipher_ = cipher;
+		return true;
+		%}
+
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
index 3b04596f6f..5fb15d53ae 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-#close	2014-03-13-20-45-24
+#open	2014-04-26-16-44-47
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+#close	2014-04-26-16-44-47
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
index 455d8606e8..7834e74868 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-46
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
-#close	2014-03-13-20-45-46
+#open	2014-04-26-16-45-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	secp256r1	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-01
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
new file mode 100644
index 0000000000..66ea42be70
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-04-26-16-39-57
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1398529018.678827	CXWv6p3arKYeMETxOg	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-39-57
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
new file mode 100644
index 0000000000..e8813fb60a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-04-26-16-39-57
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1398529018.711296	FDy6ve1m58lwPRfhE9	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1397045108.000000	1404777600.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1398529018.711296	FnGjwc1EVGk5x0WZk5	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1398529018.711296	F2T07R1XZFCmeWafv2	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-04-26-16-39-57
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
index 88f3c2126e..082106e89e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-30
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
-#close	2014-03-13-20-46-30
+#open	2014-04-26-16-45-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
+#close	2014-04-26-16-45-16
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
index 0bb8b5810d..ab1345d0cc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-09
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
-#close	2014-03-13-20-46-09
+#open	2014-04-26-16-45-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
+#close	2014-04-26-16-45-09
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
index ec0a90929b..da805fd35d 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-47-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-#close	2014-03-13-21-47-24
+#open	2014-04-26-16-45-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-23
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
index 16fcee9111..7965e3be89 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-53-03
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
-1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
-1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
-#close	2014-03-13-21-53-03
+#open	2014-04-26-16-45-32
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
+1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
+#close	2014-04-26-16-45-32
diff --git a/testing/btest/Traces/tls/ecdhe.pcap b/testing/btest/Traces/tls/ecdhe.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e37df374e0271a643d49fea1c67e03e00a158a63
GIT binary patch
literal 7510
zcmb_h2{@G9+ka*?#?II)Q<jSGShKWPvb2drMX50c!!XQ@tqns-i<G1dBa)JOORG|f
zkR{8jl1gcjmx%I~EcwneB7^#0-}n7zu5(?_eb0G*=RWs+pWl7XnTF!a8E6O#jedrQ
zAqWM8{^#z_L;b>#19(Q7mv_F%0j_UOfC62d0NFs0h0l-$WPvY573E0lFWdf!(wvOC
z<tiEzjUfGn9v;592ZGR8+!YiCgGHeTL}m5U*O1?^=n?eT^+aeHkdZcmJ2D19CqoNt
z1|i4@um1r-Mn*v0YECxrzdaX>z~xD2&wF3RM?Zo^6NsLbZ!8dWFcKcId%7DDvI3|`
zn`F14;zh)6(uN6ka{;<$lq6aI_y*vC5qlpY$OvMtI}vIHXh@rc*eLV@K~&#6C87dZ
zU%OKfQ4WKG(t(ptU@)H)LR0I4c=kN?Lu(>>PO~Wlr@x6Ri&#D}bp43!pOS&Qib&8f
z8uSi;L?A2%LZKldWC-a);*c1m2y~*50wfG{a*#YkfbftIM1o{NL~)QbBm-iJhA@x>
zBne4Ds=#_Nhz!lZqwr`v28Y6-aUeEWG!}zFVbB;18ihuqk=`g2GHX=jFF#I-kfF^G
zKSEs-BBbdm8mkc{iB7w&J2GqF!;K(1j}XKgkBLwf4&t|oh`2j8Aoq;$+Md5dRFxV-
z^gs~hFc@ed$R<+^#@YS(_YIc@>fhh{vUz=MqsGS!rJbJn#Q`co{YwgTSqmWGMM!EG
zh2-|A8-Y6jg7^y&NW2jee+&s(!(5@oFc&|Y$M*zb#=4<<+V9FRuozxgbC><DZ(=AE
z4hO+Y^+aG{JjMl!mqEKY>&d`Uh(MGf+A*0v3>tZ9AXQHtRz;K;nQ3E64viH^<B%;w
zIKE64ofAQ}(}!osi|HA{hOnugK5PV=xbemLunElnxWV324n+_pT2mNwZzd~{PSKNt
zNytz_qGBtVA%PqUJ&^25r-hB#B|6?NSy+Z|m#C<wjt}2l9V#;b=AveepCt+hVYny>
z2<VAuE(!(Jgy)|omima4eX_E+BigjQ&A~A~_(jqZ?})JIrv+^Z;TOm)>q%!moH7dW
zlGQD$v45k=V+k!W?pKUYbh&7?o44{#+z$o%smRD&WhYDRyiBz9k<#?}HXZTB{iHBf
zJ9q6)v8#>^_ihhl<MVD<tkXNi9Q>A4cc|dzfsXJkXHO)qJk)VhNa>cf)X6s|9&U1;
zGdT3}Y5SHYiD2Uhk86#Ki(4`ELv>dp_Wq5c1;v`xbPxCP#P-IvpSW@+uB}eq^^K|N
z{Va-=d)odBtPD$n^S5xft-7}p3CfASgi@o*hp!oPvPE-eDhI!={cd$C6Bd#w(zqHW
z<YUo$?Bj#k)n#a~WKo%1tSHRI65#2;h11osh~o)bc#so97}VGk8s?(kARVNzT=X*_
zJmw1cnk%NMLkaX^G3j22>$!433<{zJ`p^Su<3hrf*3_Xgm?2){b)fG^(6lLm6h;Jx
zPG$2kL`L;GR0?;Tz~GAi`h}@O4-}OBf&}Fdf3C#1{sB4^)<i|f1cm3s9#rOp9s%JK
z6r72#ga(eY*^4$#ps~jZ-mGzgZ^$@-&KV~JGR6r(0s`lkC6pjKa9tpmG&)}piU1mm
zO5^)eYE&Ca_o6ZRDiAdvHirUS&KHS54CUzYpFwy-SX5tnAYYP1B*uiOMKD7+A)Ykt
zKqi&R^rw%E0w90t`7eUt{uF6mAyhCDa|95?6GS?|hu=wLeCl8k9TyK$LdS=}B~6(c
z#9ynND?RcoFje9>(+T|Xbv!``#v4YO$}HG-G~-byEW+*UpZ<y4Z9(k;+)feX_Ip=G
ztHtN-g516Vc7wG>M}X10RD3y{ATwRvAb<Ke*Xr6WwY1aMp|UvRI-|xqQyFwxAcw6t
z{tYIT9W=6l#j$c&Qb`KgI5vAtKusN&Yg4Ma+jZb{BP@z6Ul|l?7>kA>SOt+(u?nzU
z6lvK@yqxmwufA79|Bb$O%TuYqEm{|rM>>$PlCU^<lL!a_i+U1)#-U&s`9TFc7oH8P
z^Hg~=#|-<;EEwZC7*ra-!6?YdIr#b0Hk`{&jcW4>&y!JFS{E2DQXg~A_c~IUgxolV
zyK#O-^eSO1R(+quir~n;A@c)j9~_{0gR4tEbjDg3wpeN<e$=s0DS7F7>6_+<-9oaw
zqVnO$Fv-Nc;BDuPO0Sf4_XOV4IaFv*c$R_oj`wG*{$b*jTwT0X^{_?7p%t#0x2yXr
zLeFlwvsv`+<CfZrR=MH*6>K=ed)^_X>XM$Cf9xgw8Ddgr+XL5qb2d7NZF`;mA>h8M
zsj=JJ#Z_%3-v;Y)d*hcK|KJxpBjo6@E{dt=JyK{a^u^XIeTlzRm7JVo!pcrzOM_|h
zTc^u>se5^XPS4Xg5<Pe6iek?rWC##07mEc%`f;Q#W6);w366rT1ncC_l1P*hv!gNB
zutL}zq$um?DZ`2&B%mrwkLm3gOiv1fY;DP}#Ri}j8|i_skr7ghjeuzQQ~Yn1{r^;M
zPikVrHZ(dOG{a|dUpG41-;Q70qZp*L+jht60}p!QAI<D?`#}-AuD>Ln#}RQ}<&yP?
z>zUluv3^r&3oc5!#N+Vd+wS%zz0Tj%S_cmPBU@6_>nzs0Y%qOI^Y%MDe`Z`!t)t2u
z7-P{yU^_7)hs_q8nU7B>TrP#}*sj*x`h8F@c;N8k&0lnuU9_sNY%lRsx?JV_Qg-=X
zm2yRjN_A?^BC1xb5uFxWuK2)qR-be7owrfTBuh0v7Nn4+%1n<*VtL(^Ey?Qp99D<C
zxz<UjAPqj6<(KbJV~a^i!R#oy)V%egjX_PpqTuVzz3S@s#f;)pQwPMQBI0Mve{eB@
zMIR}*(F1UFpTP1f+H%x)fBZl$&P!Bk`?>A38x>U!;}-Ljt5X_Tg#5)!fbn2WgS|8?
zj_4$i1&#$<Jv?kSvQQ0RJy@5g&C}X7_b1&@5hkZGIY<g2{HqHTY+WCY4?k-F@i5?p
zqbvn@5WEg+kIFD=*UX<Vqc3P9>>~j9d-4$6bn>ad_$fY0YIdF`>4ZsGzA7(d-K|SI
zVyp^SO*0x3jPWV2yOYi54=G!%`!TEBztF^^&RjiEy2HaK)Yc-giBujg)|u?xl(35#
zl~LfTpS<hE3%?5NKKID4cdM8?G3$zbon)$q%D+V{JZ9AGnpyaIednqr!kK9Zx0eBK
z|NV(7p$9qtq$>)Ze_}NZ{L2<aNvfPl_&j$0=>(?%4+Jr)i3sU{lK|2todn1~tHrQj
zwJ2M}uNDgEwAK>AYGJbFt8LwM>C{zsYAps`e&9V8G);3YJmR#KxmNS}sdGnO?Bm=|
zzSA9;EHf<Mz2N+1$^BLAfwlwa((VC+{ABaD_bYwZv7hItd79&mQpL_16oz9GbykFL
zbTo@@=;D<JnY_6C-KRg!Vk4!<>41NXe>KjmqU8)Oe6XVFaP2(8!X0uE<vd5S+8Tpk
z2onu+G1~!Mwf>|l>07N6>B>Qnu0Z8LXo)BzWD^`h_ojsFX@hzOG$Jx;KQ&}$8a0GP
zBU{s09J)6hY!7I^P7(-p!QcR)uLt-Fd=Tm~flbE5{|Y_+C(dfBQlP>^z4EF`t~=ac
zEnt|u3%(wHu;F$_<BGl<>uZ>QR?ZY6>~318>uox>5Es5T)uat~-ET*5R%^-T?7u!m
zy^EhCk*5BnGv-TP_QA5F53Ll8NU3>8Z4c?Js_2Qcz9*NwR@?DYymr)<wRxYrHu={>
z`)`u^NU}!Hifl8tvdRzMedwZ9U7ND#q=r}3t4A@4!4(dz4Ue~;RjhVtF8^5XVdDIL
z!>WDSKO9w!2fbS>6S7Pdq3g+L(}N=7KTLG$rsIx(UAc%UAvFEsycq{Jo4)Bcc9t=1
z@X*kDzA%SWsNbQ0nX?)j{65!UVT;KvA>&xjlM(H5aPOuft+rtQci(?<RyQ2oDZp9w
zt-jy2>MtihwQE!*ORh3FnwZ`&j<cquGzo-{_?(4<F@UE2zl6o+Cl8gvCoBg9oQ$=D
zZD4CW7Cb_*Icz%0T4<D<Ho{tLu-OU=3lktKT^5ba1p7rA8$1Ou*>nz*6)_>VG11Xb
zXp3~9!*V(4T`>M~G@+)OP*xVa!@KK#XM?%QaCdjP!xL+hziz_Y6>42#PWe?DOPy@9
z_s$H6ydl$I_hYZy2KL~EXUh7DCb=nwq;p5=J2Iz{2urWsdVla!jB&?wS7t@iZ8kOW
zUF6n9vnm$~b#5}@oP3LMbjY}Pw2SgNcCj=#)}vO6La3z}NZt~AFDzGnai_xmSeMI%
z;_YSk1`U>POf_kBx|TVuFzd`U&1JLHl7eUWeGEygXB{el#aMGJD^^ErIPHEyqi!~Q
zLkJWN=vKm$qdDmY##=tys0NT??pI{tzbXY9n`YZDNcg)T@1nxpSI>OtTj~#|yo{6^
zYPs5&WX{~kYF#WYHe~6uGqcO=>9r>w!KK?~rdY6ylV!Zaf1Kw%-!!e3s5{SHNhC%%
zA;SNf^9g%z(_Hka-L>6!eWmrBtam8ue3iT?f6PpBOHJkcgS8@#$5#ixMA$PQuxAn2
zQ6p_4dqS6O!6gT{J7Wm4XVu8f3}8>vHbM5R*_^LTRu3*>wEwFd>nG7Sw6jL}VLJC#
zlK%yI#^PvJBtdcx2A_M=YAEXU(04PZ53h~y2U;CUKDYTT4WBFT*^s6utBo!UcN{#Y
zF0GjVvTercK}t!f`C$~f-`B3HWN{u*^ZsgC{WS$VbCC<T0&X13d*^{%-eARn{m6WD
zpZ}@8><vNc%c<na^`#2j*r{BK9~i4IU8D5{{v+b~Gz2l4F$H1{Kx~g+G8s{=jR-XY
zdyzKj4zMCA2|+y8G9{t{8H$e`L+n9pM5b>m3GOH@v1hfYBI>;sE2!EvCwte_)%dz4
z_dYFlQ0`P)Dd|*tH@#_fXKlHKr%1r72+QwXdo*IZ?kTy=)Z=BEq|R6>t;Qk&C=?0-
zv=~?uUVz)VaCXC<tLo=v+2*U*xc*9$yl}e{Kjx);y^?<;RVw#x7$YlkkJ=IA>A@ZO
z#d>`={T9X6Tb>H>>QLT{#NvUq$XKnPlv{?j;Jyvy);|++D+g5O+sLio>1SiPwGG_S
z^&p6GHh)CK@DbboH;9sMB9H~ha->bP5v6a7MG*C-wh`n%#zoLZ#B~?IJLe!&d=ZrO
z*=}EupTng@`EQ5cDyGeu-86jd9WS*0SlhGitBTf#rfVJ@v?QG8iMNIF#DxPZaP{6_
z9=ga><OvsggxXzYWu<m+!xYyM^kdBCrgl6E=lO}h^X+W3-uGdjPJtNeK<$oMPn3IR
zz7Xn>402b|IWKX7wl?Nl=jU$i{M3!<N$M`jE?-&wU7qiFHS_LUImC7)VUGK>w8iBl
zct%~%Eqpz{{ne7C<6`d9@Rpky&``PJZ!6o4&)vLUEGD`K$34ivwFEGN;4mlUFBY8I
z!UgWI$I9TYXM2qPVXtsW@(S<0FjwQj49mtFNQAtBKYzc!v;KtScDwR~+`et#U!4tB
zOLttrXl`eVf!y9U2oO8GQBW9IDM*{NTIgH+5yX7IDG|YHsaQ9Pn7bT7lm`)lyDu*N
zw@z3(yZ41l?&>_9&uitIt7~_M*8PpjNk1bMWAHL@*wcUCzWhR8lWD8%-5(-m;LA{u
z5J(cFO-vN%yDiv!f@Gd4n0nROAenojK%zYOI+`dSnw8aamm_8rwf7nBXNIS-i`QJw
zSYP^eAAS2di@3P5#)4kUIc17n@j3^47P`Kj?K{8Rk*W4EfV8ai$%CZ@5j@2MMK+rX
z<`*mVheqj3WU$5Z+PscwFxNbdFwDO4`W4S;=VMRz@~p_Dq(O1n1J8>iqU~<jMm2wd
zbNudxoV{~kN&B4kt~#^C@^vLC-|?rEKJI0>%U$B!Wx2v3r<`*3_HK@(Q6$gNBpaXa
z-_YZ`_TQy5--_LBxOXhFV&2z1m1nzdvM;q@j}IYkxeVMg8t+MNF|@_=-SS@0Esy;9
zZjnN#9a9r@3xZfS4slYv4YezgctaKw;@xB5|HvO?(3h<@#^O!&to+c7Aj0LpY@Cd!
zWriT4>!v_tfPZnIt>-2qrUAs?=j0JR1TiIRN<@&8%_4$`vPe!osazeT@B?R9Q_A3$
zZRqQJx0ZM`+efONeKPG?YgA`OU6dHFNn`rwfbWub$cyA$k%{H}abjlQ5Hr5W2%51I
z9Ht&IqNKpYID%&IT{RCq_D9{Ma9Y?3@x$3TA)E{(oPPnzKK~ODIKB^LITifLL39<}
zsR7z-1U(C&|K4r7UWmOvf(7l3MMBGnQY1q!pN`qP4H@D8?6!kCf1D(NKgp+)C%JPr
kf0Bzv%=q0TgShBFtq5U0`kSfHk*aqzdlbD*9C6|Q0AR(M9{>OV

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/ecdhe.test b/testing/btest/scripts/base/protocols/ssl/ecdhe.test
new file mode 100644
index 0000000000..bd1bd2cb96
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ecdhe.test
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log

From 24b63f5fc8f9526d902137813fabb692a5fd9478 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 09:53:18 -0700
Subject: [PATCH 046/136] Forgot a few ciphers in the EC list...

---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 69 +++++++++++++++++++++-
 1 file changed, 66 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index a44516dc6b..f84befe695 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -98,7 +98,7 @@ type ServerName() = record {
 	name_type: uint8; # has to be 0 for host-name
 	name: case name_type of {
 		0 -> host_name: ServerNameHostName;
-		default -> data : bytestring &restofdata; # unknown name
+		default -> data : bytestring &restofdata &transient; # unknown name
 	};
 };
 
@@ -119,7 +119,7 @@ type ServerNameExt(rec: SSLRecord) = record {
 #	status_type: uint8; # 1 -> ocsp
 #	req: case status_type of {
 #		1 -> ocsp_status_request: OcspStatusRequest(rec);
-#		default -> data : bytestring &restofdata; # unknown
+#		default -> data : bytestring &restofdata &transient; # unknown
 #	};
 #};
 
@@ -383,7 +383,70 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDH_ANON_WITH_RC4_128_SHA,
 	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
 	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
-	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_PSK_WITH_NULL_SHA,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);
 
 	default

From b1a2bccdc747750a94c396b07119bb14fcb800c9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 14:51:08 -0700
Subject: [PATCH 047/136] Add a few more ciphers Bro did not know at all so
 far.

---
 scripts/base/protocols/ssl/consts.bro      | 8 ++++++++
 src/analyzer/protocol/ssl/ssl-defs.pac     | 4 ++++
 src/analyzer/protocol/ssl/ssl-protocol.pac | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index e60363e14c..e1b366130f 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -487,6 +487,10 @@ export {
 	const TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9;
 	const TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA;
 	const TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF;
 	# draft-agl-tls-chacha20poly1305-02
 	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13;
 	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14;
@@ -850,6 +854,10 @@ export {
 		[TLS_PSK_WITH_AES_256_CCM_8] = "TLS_PSK_WITH_AES_256_CCM_8",
 		[TLS_PSK_DHE_WITH_AES_128_CCM_8] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
 		[TLS_PSK_DHE_WITH_AES_256_CCM_8] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
 		[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 2b55e53b25..a4074443b9 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -407,6 +407,10 @@ enum TLSCiphers {
 	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9,
 	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA,
 	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF,
 	# draft-agl-tls-chacha20poly1305-02
 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f84befe695..e19fdb6aac 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -445,6 +445,10 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
 	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);

From fb56b22cffdf8603404da367fac097b71b3bf36f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 23:48:47 -0700
Subject: [PATCH 048/136] Add DH support to SSL analyzer.

When using DHE or DH-Anon, sever key parameters are now available
in scriptland.

Also add script to alert on weak certificate keys or weak dh-params.
---
 scripts/policy/protocols/ssl/weak-keys.bro    |  90 +++++++++++++
 scripts/test-all-policy.bro                   |   1 +
 src/analyzer/protocol/ssl/events.bif          |  19 ++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  17 +++
 src/analyzer/protocol/ssl/ssl-protocol.pac    | 121 +++++++++++++++++-
 .../scripts.base.protocols.ssl.dhe/.stdout    |   1 +
 .../scripts.base.protocols.ssl.dhe/ssl.log    |  10 ++
 .../ssl.log                                   |   8 +-
 .../notice-1.log                              |  12 ++
 testing/btest/Traces/tls/dhe.pcap             | Bin 0 -> 6929 bytes
 .../btest/scripts/base/protocols/ssl/dhe.test |   8 ++
 .../policy/protocols/ssl/weak-keys.bro        |   8 ++
 12 files changed, 288 insertions(+), 7 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/weak-keys.bro
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
 create mode 100644 testing/btest/Traces/tls/dhe.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/dhe.test
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/weak-keys.bro

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
new file mode 100644
index 0000000000..27cfb31554
--- /dev/null
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -0,0 +1,90 @@
+##! Generate notices when SSL/TLS connections use certificates or DH parameters
+##! that have potentially unsafe key lengths.
+
+@load base/protocols/ssl
+@load base/frameworks/notice
+@load base/utils/directions-and-hosts
+
+module SSL;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a server is using a potentially unsafe key.
+		SSL_Weak_Key,
+	};
+
+	## The category of hosts you would like to be notified about which have
+	## certificates that are going to be expiring soon.  By default, these
+	## notices will be suppressed by the notice framework for 1 day after
+	## a particular certificate has had a notice generated.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const notify_weak_keys = LOCAL_HOSTS &redef;
+
+	## The minimal key length in bits that is considered to be safe. Any
+	## shorter (non-EC) key lengths will trigger the notice.
+	const notify_minimal_key_length = 1024 &redef;
+
+	## Warn if the DH key length is smaller than the certificate key length.
+	## This is potentially unsafe, because it gives a wrong impression of safety
+	## due to the certificate key length.
+	## However, it is very common and cannot be avoided in some settings (e.g. with
+	## old jave clients).
+	const notify_dh_length_shorter_cert_length = T &redef;
+}
+
+## We check key lengths only for DSA or RSA certificates. For others, we do
+## not know what is safe (e.g. EC is safe even with very short key lengths).
+
+event ssl_established(c: connection) &priority=3
+	{
+	# If there are no certificates or we are not interested in the server, just return.
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+	  ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+		return;
+
+	local fuid = c$ssl$cert_chain_fuids[0];
+	local cert = c$ssl$cert_chain[0]$x509$certificate;
+	if ( !cert?$key_type || !cert?$key_length )
+		return;
+	if ( cert$key_type != "dsa" && cert$key_type != "rsa" )
+		return;
+
+	local key_length = cert$key_length;
+
+	if ( key_length < notify_minimal_key_length )
+		NOTICE([$note=SSL_Weak_Key,
+		  $msg=fmt("Host uses weak certificate with %d bit key", key_length),
+			$conn=c, $suppress_for=1day,
+			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		]);
+	}
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
+	{
+	if ( ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+		return;
+
+	local key_length = |Ys|*8; # key length in bits
+	if ( key_length < notify_minimal_key_length )
+		NOTICE([$note=SSL_Weak_Key,
+			$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+			$conn=c, $suppress_for=1day,
+			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		]);
+
+	if ( notify_dh_length_shorter_cert_length &&
+	  c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
+	  c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
+		( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+		  c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+		{
+		if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
+		  c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
+			NOTICE([$note=SSL_Weak_Key,
+				$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+				key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+				$conn=c, $suppress_for=1day,
+				$identifier=cat(c$id$orig_h, c$id$orig_p)
+			]);
+		}
+	}
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 5c6ed286fb..43dc6b9dce 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -90,6 +90,7 @@
 @load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
+@load protocols/ssl/weak-keys.bro
 @load tuning/__load__.bro
 @load tuning/defaults/__load__.bro
 @load tuning/defaults/extracted_file_limits.bro
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 54bb0715d2..46747ecb58 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -59,6 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
+##    ssl_dh_server_params
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -117,7 +118,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-## Generated a named curve is chosen by the server for the SSL/TLS connection. The
+## Generated if a named curve is chosen by the server for the SSL/TLS connection. The
 ## curve is sent by the server in the ServerKeyExchange message as defined in
 ## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
 ##
@@ -131,6 +132,22 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##    ssl_extension_server_name
 event ssl_server_curve%(c: connection, curve: count%);
 
+## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
+## the server DH parameters, which are sent in the ServerKeyExchange message as
+## defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## p: The DH prime modulus.
+##
+## q: The DH generator.
+##
+## Ys: The server's DH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_server_curve
+event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 071edf2eac..ef1d862b87 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -409,6 +409,19 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_dh_server_key_exchange(rec: SSLRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
+		%{
+		BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
+			bro_analyzer()->Conn(),
+		  new StringVal(p.length(), (const char*) p.data()),
+		  new StringVal(g.length(), (const char*) g.data()),
+		  new StringVal(Ys.length(), (const char*) Ys.data())
+		  );
+
+		return true;
+		%}
+
 };
 
 refine typeattr Alert += &let {
@@ -501,3 +514,7 @@ refine typeattr CertificateStatus += &let {
 refine typeattr EcServerKeyExchange += &let {
 	proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
 };
+
+refine typeattr DhServerKeyExchange += &let {
+	proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index e19fdb6aac..840aca4b84 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -356,8 +356,9 @@ type CertificateStatus(rec: SSLRecord) = record {
 # Usually, the server key exchange does not contain any information
 # that we are interested in.
 #
-# The one exception is when we are using an elliptic curve cipher suite.
-# In this case, we can extract the final chosen cipher from here.
+# The exception is when we are using an ECDHE, DHE or DH-Anon suite.
+# In this case, we can extract information about the chosen cipher from
+# here.
 type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of {
 	TLS_ECDH_ECDSA_WITH_NULL_SHA,
 	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
@@ -453,6 +454,109 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);
 
+	# DHE suites
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+	TLS_DHE_DSS_WITH_RC4_128_SHA,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD,
+	TLS_DHE_DSS_WITH_AES_128_CBC_RMD,
+	TLS_DHE_DSS_WITH_AES_256_CBC_RMD,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD,
+	TLS_DHE_RSA_WITH_AES_128_CBC_RMD,
+	TLS_DHE_RSA_WITH_AES_256_CBC_RMD,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DHE_PSK_WITH_RC4_128_SHA,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_DHE_PSK_WITH_NULL_SHA256,
+	TLS_DHE_PSK_WITH_NULL_SHA384,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_AES_128_CCM,
+	TLS_DHE_RSA_WITH_AES_256_CCM,
+	TLS_DHE_RSA_WITH_AES_128_CCM_8,
+	TLS_DHE_RSA_WITH_AES_256_CCM_8,
+	TLS_DHE_PSK_WITH_AES_128_CCM,
+	TLS_DHE_PSK_WITH_AES_256_CCM,
+	TLS_PSK_DHE_WITH_AES_128_CCM_8,
+	TLS_PSK_DHE_WITH_AES_256_CCM_8,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	# DH-anon suites
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_WITH_RC4_128_MD5,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_WITH_DES_CBC_SHA,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DH_ANON_WITH_SEED_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384,
+	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384,
+	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
+	# DH non-anon suites do not send a ServerKeyExchange
+		-> dh_server_key_exchange : DhServerKeyExchange(rec);
+
 	default
 		-> key : bytestring &restofdata &transient;
 };
@@ -466,6 +570,19 @@ type EcServerKeyExchange(rec: SSLRecord) = record {
 	data: bytestring &restofdata &transient;
 };
 
+# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams
+# structure. After that, they start to differ, but we do not care about that.
+type DhServerKeyExchange(rec: SSLRecord) = record {
+	dh_p_length: uint16;
+	dh_p: bytestring &length=dh_p_length;
+	dh_g_length: uint16;
+	dh_g: bytestring &length=dh_g_length;
+	dh_Ys_length: uint16;
+	dh_Ys: bytestring &length=dh_Ys_length;
+	data: bytestring &restofdata &transient;
+};
+
+
 ######################################################################
 # V3 Certificate Request (7.4.4.)
 ######################################################################
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
new file mode 100644
index 0000000000..c2cc676ec1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
@@ -0,0 +1 @@
+key length in bits, 1024
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
new file mode 100644
index 0000000000..652f3b3df7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-04-27-00-52-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1398558136.319509	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-
+#close	2014-04-27-00-52-03
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
index da805fd35d..b09bd04350 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-04-26-16-45-23
+#open	2014-04-27-06-48-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-#close	2014-04-26-16-45-23
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-27-06-48-05
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
new file mode 100644
index 0000000000..a8784bd8c8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-27-06-41-50
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-04-27-06-41-50
diff --git a/testing/btest/Traces/tls/dhe.pcap b/testing/btest/Traces/tls/dhe.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d5e034ef849d9b23bd713a69d6bcb69600ac3560
GIT binary patch
literal 6929
zcmd5=dpML^`+nb<G06FlQx4<YrlxnwsR$)GM@ACL9%EuMhCMS#2gXz+DaoOtLeA$R
z>7ZS7*hwXdB9#cGq9n14Z@t8q?Aq7wy1qYtu4`Rpy|dQ6?sc!{xu18|gW5A07zhVV
z{f&=95DYq14xZ!(Z5U_`_>4B6&E-M|d472Ta&%Dv$P$9g6G`TfIi9F{B~Nm3W*a7F
z&=S5FuBCYcMJmILk4FF`434h?#$s_WEHFngHAVsb4u_dU4{gUmwxEx;N!-ab06GCO
z0SiEj@J;3@GP(kManKUepTP%KxS1|#6h9y_iH^ev%)!5|W~1m}B`nI@>nRRe2~g2C
zi?^Pe9?E-*-VeNQ0(3lAoS<t^4HTH<n}#Bzh;yIgpd5gPwpoZrzJ{WR*Y^J-q8vfD
zTz)2^3>JpGfXE(L?50+3l1jwBu1D>bgUXE^ZbKvQeEoNvxuv=1(W#D_)^H#fv=<u3
zfYA#fb+Eb!M1Yj>Fdl=)^1*x<KA<fQgTrEBEC!3kz!(e$3yA^#C~N01{Im|U6xLHr
zKozd6{6S%SxR#bKSDatc(P@%3&>#t@n>L}t0X+1Y51ME{BJw>^Jd7fq7Wo-sW#Kep
zGKwgJ#X`$KG#Fs9WKV~3PlMlgAD@>cpq%DLeXr=FZi3tBW+Zy*aCIG74FW1aqT?_c
zo2U%v7QuAkC?QCg2MI?&_!S5bzZ~K5X{JxefE5e7jfmg{b)u}JhDBglhz~*{_mhMW
zK|FRH4ljkVu_wtO(r9Onln9waVR0-10|@pUA0kN?`3-$8B&9~CQG;1D!YaBiokL*|
zENCnaeKVa(;m`<Vx-XN?^d%V~2Iyd{)S_t+3kHSFCXfhDEP4Qi6-KaOa%ijonh$+q
z9*q@3V-YM?Aj+~LBt2xw5(HVgcqvKW9dz|UmxLIS^z|3JBWu26yN*nfM`R}#5)Tax
zB{Jv?N+^xNAu?$kk_MtSy;DJ0X08v72}t?`1W@P<a|(+Z$RhgC5FV`dy&^Clgyq3v
z5O_WZ!-HX{WTjEco9o!*4&NtBTvY2)a<vt&XA0)^$B?DTw#&i>x&<rZPQa38UP}U_
zdrLGL{Z>mnyILXP`{eB9m3lWfIfkeWH=oggP1CyWe^Pw0K5gi(;nB3<jN_wbdq+<p
z5jII~P3^D0Xg;5}_OMKI<Ti&mW?XEdsb4lTCUouM^=g+kD;r5;)nu#p-!d4T-zw{1
zoVzHXRZ7aI-(>yP4CG;iu;%68?<%y_?jy@NnEB&B>FI1b>ACx1!pZutR<HNDZK~La
zQzs{$<$GI6xx7ERF7%yOTcNps->FaPSr2wJvl0i~o_;YqfSk7WjO3=br%|QO-S78W
z^~tY=C0->Tb@~|wq$PZchv`Ikm}e7lq9ldGAP^!1bXO9?;XsPzAyQ~Z6DN$!!3*f(
zVLm>7EQ~0j4@Ge@IOz`^A=`@cBfJ-wzOd?$fO#^TSgwc)`n5Vv4w2zX_pQ`xI8s)4
z^5Z;zf#G@|V!!AD%ZYeXlEA4U1m3LE<q3a(*5I^UQ8WUM2Rnd{4I+TY`$h`G7#Q@7
z@j`$T4vsu)2xG9|feu2PqKScJ)ciP{pk<2|p#j83L!QlM5UGIyi-H0fbZQte$Y(PW
zIXpc9gG9bYv}FkY4eaUorw1|#D}p(Gfh;;F3;`JjD@0y)@uRZ|)afxaLMVkzptIS*
zG#>(m3Zl>lBn*KQNZ|O<2vbSoN@37_C>#`!Mf)R|&Y}g-m>f1CaP!2l|E|4)Fv)TO
z7{{Pfm{b}ekjV%mYz|~ijHH7sWBP!lf`VB=fovLq&Ln`n1x<~e!~=7~P!>U8_hE!U
zZwB3WVsSPR(MNSv!4Z)Kh)(+abgd|jZ*oytjG1y#Ssc<r^eJda<bf%{U>Fw}i9{ev
zryd}1)WUBVfmC+TOb~Xk_aZ9l6r@G$2~Su=r64P(r(&WEzD=djDKlrH60;Y9`NYZj
z#L4+YDg_YYAnNEoByoy}LX_Ok4*Yu~0M-bM0ERq#+oX@UoJt~JAa0(QuQE<8$fqt7
z7jXARonQ9QFP%Se!uf?~I)6^dR4u8#IMey%86I1SX03Y|XOVnO%VOw}TZRQIOWomp
zm3#e$Hm{uM5C=6@+}yHV3(~!e@7`{@td=hqC4ax0F%l#HxmsA$)6Hx@f1+{Qv5=y>
zt}nV<xmHSQ<p))ZT^;r}NnXkfnPW|sdz$ZfD1&d`mn!oEs~lUOFXyW*K3Dx!^Fl;&
zVa1I`CA()`?=B{-kV|w;5V735(8hK+8(DpR$wI8rtz*<8;dVocu1C$SKL^^>Qfo%7
zF~|7N`D64Gamv5B^gzd*cf6&U@yvW5>ysQhjb8a}5+3lF-)<9gd7eNHWBV3Axh`2H
zkD+)7Zv?869>T*ZPF5vY?t9_+Kuy~Doyq^NO44tLHV6SwlKwq&K@9@s23f4P7}3`w
z8KO1l`|kg@lKF2XtTN_CQNN(`R{o*{YQx7>a&o)5t}2I0I-*AxJ5@AU;Rm|;y@Eu=
zhn23}6*th^<1Us^wChHZo3q&kquwt)xf(Cba|A-JBrs3t1UQ&6DTFy~8=f}qq?Vhm
z9vf9%E7x)d$$87qG!BZc7#Zz*$1~vzOc>63G6zvU%pT*fYw_Y9S95bN!MDantJBN6
zbRNCl)mT0FM_Z8le6dn@qaaI3GsNMJajEP}vD@kS8?6gYQ=D$=-7)d373vkgvOjeI
zi}fBm!!TuuzEiZ&xn(W7e(5!m>R;kl7etS_Bsr@%n~)?^BYLi+XK#4;;-Klk!@Q1`
zAX5Id@_VHL<VE<8x!+0{Tnwx~9}z>1KnjM(aeN3C{6j?12V&?0P|INacV+7ztJ3#n
zYmHF9LYBElwk$mwsnhebXjoD50ogp|R>1k(5jPNa-%27dzIi`2K45bTrw3x9RDb4C
z?9J?Nj^=^#R>8R-&WLupX1e;n&td#9aF&Hnfdl{MqUZ!%7!ryEe_uagWb^;Idg@JW
z3{>0sKie2usixisCu;6@@2S8Ousra(uPSI`n!T6#TqxGMmE>@6*mZqoN0ayZS7%)Z
z_gDrSzjRW;#dfE=oAy8@dm8>8Ct!VU7h^hZ9AbSw<<R`Jx85vcUuNeH!`vH=2lbmj
zHZ$?t+f^Uma~;2psM(Cg;0E`+EO_6e(i<G_&_1$yc%|O3rJJyX$nLTmts6~8;1fL^
zt?QC5b5Q4B3!MKk7Mf^3zVl;mD<+}NU#>XQ`HNg9oL`P#684(u{EFMZI7mAdg|D;P
zx&33dh>dbm@37?6`tgt)O{<2%VExM}=iFra3Ou(4z9A!}uW=6b`IyduN}S{;<g~={
z_%*IREl*4=yx2?o?MkEjK8^Y9UB!Cc$bW-gb~PimU)H9Da@x|`%b1}0%HvG^$Cg*5
zA)&bx<86tZeUC3iB$jOH^!859^Vv}qJ$Q6+ctWQ0<%^$b_ilYazQkUw$w_YUis|sw
z;|?9P;$Kv8=+D!c;a+y`4IU>oqWIRj)3G!Qn?J5U4@}ha|1|GWewlqZx$mI$v$`c`
ztw#-P705YDgd1Y+*v!2XLo$iK!fK(}IqUCREwSqS@&of}Ii_JJJOx($R$QhpK~!B+
z)z~9$x^efe^4glN#v5M+?Kpz%@5`IyO}QeOLh=JfJ=beWU#PcHUL5yi5@KwK>RZlu
zU$v|_SsI)BUd{OP&KL0w+vNYYweM`)>1DeM`&PSI{e*v9#fHqs{S4l3?ZNUUX7=K7
z{TG9^8%uWO=H2zk1wWTCV!{wc2;yG6w6N~cYEJwPi!VdmSNGZ;yPX>Ht5|3!@a{pM
zSh<ru1B(gi5$6hf-oB8Rpe23%@|$d0_Sg4~(V3TUsokO6-(M*t<gV|;9rP;;8E#_y
z^&vI;S>%%ixtedfy@TqHIq5&Td$<2Yy0$H~P}yzttIghqPaCCu*SGR34Orgm@K1$c
z48$$nWdD@0?OL&!_sBC|_o=NJe~Hz9*m9{_N)o#?XnR2i>xz*=b&tvN-*-p{`BxP>
z2(~Z1o~)clk*<yK=jyv8xSQJhTwinlf~>OhNJQo{;_ypt%^O<!UA2YY?r`jA@R`l4
z0yV0hUtM0W8CUM%-22wO-LKB&X*@Xzu^;SsSA++zJaS)2ksIyFGL6RVl?tu$Jl1&b
zma?p2Cl4KURj2B(XxkI+g)N=O`uEqj6ECEF>1W*By7FfEhM3fpz{8@xN{0n%)5H6i
zrP2~vw-of%yYjN?ht!|x20aYOmNkvivM7#OmGs^=u{u}6^KEPNL&8gq5n1`2Z@j%m
zC3oF-?L4`#z-FcG%EHX&4PB<y<OsdEb3tQ_cm-LD1v~HOOK%}8t=;wEaNXH5`%3Z>
z4VS%3lB1SCkgqhftf&2Xi|@*ojVpHzjW5Y~n6#UMIh;`zm!GrO{(!IVI=>gS>&qL=
z_3?>+oxW*r*TD>VJyzA<ef&B+*RhFe)!_I=n0d@~bw<1n`U@N<3Vu(ci9QGt{pZ&v
zCn5BbL)~xYC5M(SroYIQE3T5QGd7v%imCh13z=jT@#8NMk26t3jnUbNrEdWuLpyyo
zqH`7=k^^@DX#4RZ2A=ch7>Wod{v)Cs0V?U6MifOkqT7!Whaeurb@9x2nV)iCg@XF<
zU1O)lLuuz)7k;%*x!+D`OVV%F5c0EHTejEof!$VqCqqRqwWHX38&v)8UDn*#88ngy
z%SNQPOW+k?_MM2X7W2+r`|F8$HETt%*h5-I(MZirlk_&P*2YYX@`-fKs(>pOqD!*9
z6IN&46Fb5Ryp#Xe@m0H|0hNg>4aoc~lQJ&7bp05$t0C;cn^^n~V&>Ar$=!NU0Y{A9
z_>EQ*@3!Q3MYqo9zgLbF-KctVx;b0E`Qi~iuYu_F8-9NTpvo6p2|y-5BeeZ!+AvWu
z88z**RWnVy^liA7Hq4ddKa#g=+O*5Td5WSs6@WWJaQy`@fYR%wa0}P%>tc@lJ$kgL
zxn-olgJCG(VKTNtL1l}a|D8ddokYEwHe01^tD)m9=ld>gUpcf~wb-L2?cuW41@eT9
z3a9q;cd>Ors`p4oE**!<M$P|l%(vUas7zj>9r7e>WBkJn2M&kFroSn@6&4g4V)*D?
zlz@z(k!+Kl$hgg5mVnjbO(`WB43VSbbHXj0qGP2sKA*WGzqgyT^t@92H7Uk-T5c1u
zaP76W&g0vhSYXwJQP)j26C8=?unTo&y|<US)xWi=y-s}W7F6~jO0sFqxJ+p^?u(2r
zcmCei*yf$rY7$T_Q>+Dkkrxt;Xv~!*&x|>37}H<Y1EP39<H~f*g@KqWzX%X*FJPf)
zkacMLF^ZwE$8jiPZ_+;^f+!9+H-(t^8AX%@r(=H1Ok!Y!By9Sz#Cc<ItJ~`Ao=n4c
zm9px?MzwanLb$Ig8rAosRtzQM1=ZhVKE1AB8+MdY-;+Cho>OUXK)&c4N^AFXVdxT|
zgtl3<N`{Z3wCY@bMl1ID6s?ps|1(<X-Vo>Kod#-;BL6VrxO01TkN9o7a7WxkC{K5M
z?0k`~!TvO1Z~TM7ZVHoag|9YYkW$gTkV8eG^&t4sHY)*a6jLS=AZ=y>l=XlF*p4Q^
zc+=!w@UO4p6;o5z02;73S!z%?o?y5-Pdl5N+P4ZT=()^<F4qz4pnPEN@WAEeS4w34
z&V^r0*f7d#JF>t&<K)wW7Fi+7>m2p9MjF(p!N&sE6_DlZ*qsYKIvbs8BJ(PiWA863
zB3c_syfyZDrfVv6;V+#UnG~%TQE~9aXzu*pc!MyJ<F>W>TQ5*#UH2c1_k8l&<#p9u
z<AYgyOpX^PL!B5G$2DFXRQ~L0`n^cW(c3P%_xEd`{f7dzw!d8=f5xLR_rc%e1;n|{
z&0~i?TW6nbKAfLu5W%yya1+v6nvZ=Z*hN-X&3hczO}ko0lF?ZCN=@fhxO1D3wo&iu
zb8LOv+sRZVvpvOeRa)MWX|}u?pFbP)a|*Wx7A_X$^(Ue-<F<-Ip&(q)_M^-YUGWGi
zbLIA#GN1l3A+tRHk<)TBWuA+kHqJn`IoQ+U-pl#9hmlsBOhpG%E=|lmRMlTqvnVX(
zHsRFyinYAYDn0@flao(Bg`qT-0~$XsT}D}G<i=e4A#%54`cHoWDf&+G)O6%lq9=|b
zGJlC^XNn?*>dZzwvlt-uNe0bEj1T*-RI{>+uConAOgaCLh#={GYiA-(NcDNU1uP$Q
zGODo-Ql&ikP2uHvpEvF6-S|{4aF&qd2doPBH=M^AIadWa&fV2^AXOFJSOTE&bE)hm
zXoS4`fkqjoA8bs507+`jq;Ux#-o6X2@WJ_`ZB`7-=g&i9;C9i>7&x;S42GOQO^Ndc
eh67MU8h(kAKY>#CZz%nZzeFjRKq>eY%6|Z?SPkO<

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/dhe.test b/testing/btest/scripts/base/protocols/ssl/dhe.test
new file mode 100644
index 0000000000..f41cb70fab
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dhe.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff ssl.log
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
+  {
+  print "key length in bits", |Ys|*8;
+  }
diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
new file mode 100644
index 0000000000..ba07b6e647
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-1.log
+# @TEST-EXEC: btest-diff notice-1.log
+
+@load protocols/ssl/weak-keys
+
+redef SSL::notify_weak_keys = ALL_HOSTS;
+redef SSL::notify_minimal_key_length = 4096;

From ef5b021e77c04bcb1921b39dbffa975fc9722a4c Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sun, 27 Apr 2014 00:09:00 -0700
Subject: [PATCH 049/136] Polish changes for ecdhe/dhe

---
 scripts/policy/protocols/ssl/weak-keys.bro    | 30 +++++++++----------
 src/analyzer/protocol/ssl/ssl-defs.pac        |  2 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac    |  4 +--
 .../{notice-1.log => notice.log}              | 10 +++----
 .../policy/protocols/ssl/weak-keys.bro        |  3 +-
 5 files changed, 24 insertions(+), 25 deletions(-)
 rename testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/{notice-1.log => notice.log} (55%)

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index 27cfb31554..f8a7b504b3 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -10,7 +10,7 @@ module SSL;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a server is using a potentially unsafe key.
-		SSL_Weak_Key,
+		Weak_Key,
 	};
 
 	## The category of hosts you would like to be notified about which have
@@ -52,10 +52,10 @@ event ssl_established(c: connection) &priority=3
 	local key_length = cert$key_length;
 
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
+		NOTICE([$note=Weak_Key,
 		  $msg=fmt("Host uses weak certificate with %d bit key", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 	}
 
@@ -66,25 +66,25 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 
 	local key_length = |Ys|*8; # key length in bits
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
-			$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		NOTICE([$note=Weak_Key,
+		  $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 
 	if ( notify_dh_length_shorter_cert_length &&
 	  c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
 	  c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
-		( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
-		  c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+	  ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+	    c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
 		{
 		if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
 		  c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
-			NOTICE([$note=SSL_Weak_Key,
-				$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
-				key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
-				$conn=c, $suppress_for=1day,
-				$identifier=cat(c$id$orig_h, c$id$orig_p)
+			NOTICE([$note=Weak_Key,
+			  $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+			  key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+			  $conn=c, $suppress_for=1day,
+			  $identifier=cat(c$id$orig_h, c$id$orig_p)
 			]);
 		}
 	}
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index a4074443b9..29eb1d1fb9 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -62,7 +62,7 @@ enum SSLExtensions {
 };
 
 enum ECCurveType {
-  EXPLICIT_PRIME = 1,
+	EXPLICIT_PRIME = 1,
 	EXPLICIT_CHAR = 2,
 	NAMED_CURVE = 3
 };
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 840aca4b84..af220f39de 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -566,7 +566,7 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 # We also do not parse the actual signature data following the named curve.
 type EcServerKeyExchange(rec: SSLRecord) = record {
 	curve_type: uint8;
-	curve: uint16; # only if curve_type = 3
+	curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
 	data: bytestring &restofdata &transient;
 };
 
@@ -739,7 +739,7 @@ refine connection SSL_Conn += {
 
 	function chosen_cipher() : int %{ return chosen_cipher_; %}
 
-	function set_cipher(cipher: int64) : bool
+	function set_cipher(cipher: uint32) : bool
 		%{
 		chosen_cipher_ = cipher;
 		return true;
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
similarity index 55%
rename from testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
rename to testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
index a8784bd8c8..b44fb54b70 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-27-06-41-50
+#open	2014-04-27-07-15-32
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-#close	2014-04-27-06-41-50
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-04-27-07-15-32
diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
index ba07b6e647..42ef2ecc16 100644
--- a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
@@ -1,6 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
-# @TEST-EXEC: mv notice.log notice-1.log
-# @TEST-EXEC: btest-diff notice-1.log
+# @TEST-EXEC: btest-diff notice.log
 
 @load protocols/ssl/weak-keys
 

From 7d0e5067c76ce5f3719cb203a1b692f78b64eecf Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sun, 27 Apr 2014 16:25:32 -0700
Subject: [PATCH 050/136] fix broxygen errors

---
 scripts/policy/protocols/ssl/weak-keys.bro | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index f8a7b504b3..a6f96bfd53 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -32,9 +32,9 @@ export {
 	const notify_dh_length_shorter_cert_length = T &redef;
 }
 
-## We check key lengths only for DSA or RSA certificates. For others, we do
-## not know what is safe (e.g. EC is safe even with very short key lengths).
-
+# We check key lengths only for DSA or RSA certificates. For others, we do
+# not know what is safe (e.g. EC is safe even with very short key lengths).
+#
 event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.

From 4b059ea15ac6bba0c5189532bc1c749ec066b1c6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 29 Apr 2014 12:44:53 -0500
Subject: [PATCH 051/136] Improve file analysis manager shutdown/cleanup.

file_analysis::Manager's dtor now doesn't assume any more analysis
progress can be made because too many of Bro's other subsystems
are shutdown by that point.  Any file analysis requests made after
Terminate cannot be reliably processed.
---
 src/file_analysis/Manager.cc | 22 +++++++++++++++++++++-
 src/main.cc                  |  2 +-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 3f04ebfc2b..393dadfdc7 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -27,7 +27,22 @@ Manager::Manager()
 
 Manager::~Manager()
 	{
-	Terminate();
+	// Have to assume that too much of Bro has been shutdown by this point
+	// to do anything more than reclaim memory.
+
+	File* f;
+	bool* b;
+
+	IterCookie* it = id_map.InitForIteration();
+
+	while ( (f = id_map.NextEntry(it)) )
+		delete f;
+
+	it = ignored.InitForIteration();
+
+	while( (b = ignored.NextEntry(it)) )
+		delete b;
+
 	delete magic_state;
 	}
 
@@ -58,10 +73,15 @@ void Manager::Terminate()
 	HashKey* key;
 
 	while ( id_map.NextEntry(key, it) )
+		{
 		keys.push_back(static_cast<const char*>(key->Key()));
+		delete key;
+		}
 
 	for ( size_t i = 0; i < keys.size(); ++i )
 		Timeout(keys[i], true);
+
+	mgr.Drain();
 	}
 
 string Manager::HashHandle(const string& handle) const
diff --git a/src/main.cc b/src/main.cc
index cf1f82b1eb..10b66083a8 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -379,10 +379,10 @@ void terminate_bro()
 	delete secondary_path;
 	delete remote_serializer;
 	delete analyzer_mgr;
+	delete file_mgr;
 	delete log_mgr;
 	delete plugin_mgr;
 	delete thread_mgr;
-	delete file_mgr;
 	delete reporter;
 
 	reporter = 0;

From d7d5497436f8b3bf6101adca4e1d2aa2c1113aa0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 29 Apr 2014 15:26:19 -0500
Subject: [PATCH 052/136] Improve/standardize some malloc/realloc return val
 checks.

---
 src/file_analysis/analyzer/x509/X509.cc       |  4 ++++
 src/file_analysis/analyzer/x509/functions.bif |  4 ++++
 src/logging/Manager.cc                        | 10 ++++++----
 src/threading/BasicThread.cc                  |  2 +-
 src/util.cc                                   |  4 ++--
 5 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 86f13f8760..c036fca7ed 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -184,6 +184,10 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	// Use OPENSSL_malloc here. Using new or anything else can lead
 	// to interesting, hard to debug segfaults.
 	char *buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		out_of_memory("X509::ParseExtension");
+
 	BIO_read(bio, (void*)buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 	OPENSSL_free(buffer);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 00042d860a..e6ed138c74 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -82,6 +82,10 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	int length = BIO_pending(bio);
 	// use OPENSS_malloc here. Otherwhise, interesting problems will happen.
 	char *buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		out_of_memory("x509_get_certificate_string");
+
 	BIO_read(bio, (void*) buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 	OPENSSL_free(buffer);
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 8d833ddbc6..55e0fddb5a 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -537,17 +537,19 @@ bool Manager::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
 
 		filter->indices.push_back(new_indices);
 
-		filter->fields = (threading::Field**)
+		void* tmp =
 			realloc(filter->fields,
-				sizeof(threading::Field*) * ++filter->num_fields);
+				sizeof(threading::Field*) * (filter->num_fields + 1));
 
-		if ( ! filter->fields )
+		if ( ! tmp )
 			{
-			--filter->num_fields;
 			reporter->Error("out of memory in add_filter");
 			return false;
 			}
 
+		++filter->num_fields;
+		filter->fields = (threading::Field**) tmp;
+
 		TypeTag st = TYPE_VOID;
 
 		if ( t->Tag() == TYPE_TABLE )
diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc
index 7f5dbfc56b..ffee21bc16 100644
--- a/src/threading/BasicThread.cc
+++ b/src/threading/BasicThread.cc
@@ -24,7 +24,7 @@ BasicThread::BasicThread()
 	pthread = 0;
 
 	buf_len = STD_FMT_BUF_LEN;
-	buf = (char*) malloc(buf_len);
+	buf = (char*) safe_malloc(buf_len);
 
 	strerr_buffer = 0;
 
diff --git a/src/util.cc b/src/util.cc
index 6190067aa6..f5bbe9cf96 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -568,7 +568,7 @@ const char* fmt(const char* format, ...)
 	static unsigned int buf_len = 1024;
 
 	if ( ! buf )
-		buf = (char*) malloc(buf_len);
+		buf = (char*) safe_malloc(buf_len);
 
 	va_list al;
 	va_start(al, format);
@@ -578,7 +578,7 @@ const char* fmt(const char* format, ...)
 	if ( (unsigned int) n >= buf_len )
 		{ // Not enough room, grow the buffer.
 		buf_len = n + 32;
-		buf = (char*) realloc(buf, buf_len);
+		buf = (char*) safe_realloc(buf, buf_len);
 
 		// Is it portable to restart?
 		va_start(al, format);

From 636262d86591251e08110074074b04331854bef9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 30 Apr 2014 12:35:09 -0700
Subject: [PATCH 053/136] Correct a notice for heartbleed. The notice is thrown
 correctly, just the message conteined wrong values.

---
 scripts/policy/protocols/ssl/heartbleed.bro                 | 2 +-
 .../notice-encrypted.log                                    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index c4842d6a0a..543430e156 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -106,7 +106,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 			{
 			NOTICE([$note=SSL_Heartbeat_Attack_Success,
 				$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
-					c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size),
+					c$ssl$last_originator_heartbeat_request_size, length),
 				$conn=c,
 				$identifier=c$uid # only throw once per connection
 				]);
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
index 863d8dd9c0..dfe9dcec74 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-24-19-05-00
+#open	2014-04-30-19-34-39
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2014-04-24-19-05-00
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-30-19-34-39

From 385438d47c6ca263f664fe85fc41584ff4ade085 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 13:04:34 -0500
Subject: [PATCH 054/136] Change X509 extension value parsing to not abort on
 malloc failures.

Also comes with factoring that out in to it's own function and
additional error check before using a return value from BIO_pending.
---
 src/file_analysis/analyzer/x509/X509.cc       | 59 +++++++++++++++----
 src/file_analysis/analyzer/x509/X509.h        |  8 +++
 src/file_analysis/analyzer/x509/functions.bif | 14 +----
 3 files changed, 57 insertions(+), 24 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index c036fca7ed..162e154df9 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -159,6 +159,49 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	return pX509Cert;
 	}
 
+StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
+	{
+	BIO_flush(bio);
+	ERR_clear_error();
+	int length = BIO_pending(bio);
+
+	if ( ERR_peek_error() != 0 )
+		{
+		char tmp[120];
+		ERR_error_string(ERR_get_error(), tmp);
+		reporter->Error("X509::GetExtensionFromBIO: %s", tmp);
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	if ( length == 0 )
+		{
+		BIO_free_all(bio);
+		return new StringVal("");
+		}
+
+	// TODO: see about using regular malloc here, there were unknown problems
+	// using anything other than OPENSSL_malloc that need investigation.
+	char* buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		{
+		// Just emit an error here and try to continue instead of aborting
+		// because it's unclear the length value is very reliable.
+		reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	BIO_read(bio, (void*) buffer, length);
+	StringVal* ext_val = new StringVal(length, buffer);
+
+	OPENSSL_free(buffer);
+	BIO_free_all(bio);
+
+	return ext_val;
+	}
+
 void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	{
 	char name[256];
@@ -178,20 +221,10 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	if( ! X509V3_EXT_print(bio, ex, 0, 0))
 		M_ASN1_OCTET_STRING_print(bio,ex->value);
 
-	BIO_flush(bio);
-	int length = BIO_pending(bio);
+	StringVal* ext_val = GetExtensionFromBIO(bio);
 
-	// Use OPENSSL_malloc here. Using new or anything else can lead
-	// to interesting, hard to debug segfaults.
-	char *buffer = (char*) OPENSSL_malloc(length);
-
-	if ( ! buffer )
-		out_of_memory("X509::ParseExtension");
-
-	BIO_read(bio, (void*)buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
-	OPENSSL_free(buffer);
-	BIO_free_all(bio);
+	if ( ! ext_val )
+		ext_val = new StringVal(0, "");
 
 	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
 	pX509Ext->Assign(0, new StringVal(name));
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index 8667d870b1..6a3e6393a3 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -37,6 +37,14 @@ public:
 	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
 		{ return new X509(args, file); }
 
+	/**
+	 * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+	 * written.
+	 * @param bio the OpenSSL BIO to read.
+	 * @return The X509 extension value.
+	 */
+	static StringVal* GetExtensionFromBIO(BIO* bio);
+
 protected:
 	X509(RecordVal* args, File* file);
 
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index e6ed138c74..176df53bdb 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -78,18 +78,10 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());
 
-	BIO_flush(bio);
-	int length = BIO_pending(bio);
-	// use OPENSS_malloc here. Otherwhise, interesting problems will happen.
-	char *buffer = (char*) OPENSSL_malloc(length);
+	StringVal* ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
 
-	if ( ! buffer )
-		out_of_memory("x509_get_certificate_string");
-
-	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
-	OPENSSL_free(buffer);
-	BIO_free_all(bio);
+	if ( ! ext_val )
+		ext_val = new StringVal("");
 
 	return ext_val;
 	%}

From 5b9d190f2c3b7a7c91d877aa98044c59cce16385 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 14:08:07 -0500
Subject: [PATCH 055/136] Fix missing "irc-dcc-data" service field from IRC DCC
 connections.

---
 scripts/base/protocols/irc/dcc-send.bro               |  2 +-
 .../scripts.base.protocols.irc.basic/conn.log         | 11 +++++++++++
 testing/btest/scripts/base/protocols/irc/basic.test   |  1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log

diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index d95eb97517..437724004a 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -76,7 +76,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 
-event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in dcc_expected_transfers )
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log
new file mode 100644
index 0000000000..411e57f8ee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-05-01-19-07-07
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1311189318.898709	CjhGID4nQcgTWjvg4c	192.168.1.77	57655	209.197.168.151	1024	tcp	irc-dcc-data	2.256935	124	42208	SF	-	0	ShAdDaFf	28	1592	43	44452	(empty)
+1311189164.064603	CXWv6p3arKYeMETxOg	192.168.1.77	57640	66.198.80.67	6667	tcp	irc	178.237017	453	25404	S3	-	0	ShADdaf	63	3761	52	28194	(empty)
+#close	2014-05-01-19-07-07
diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
index 32358d12a4..618f4d9079 100644
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@@ -3,6 +3,7 @@
 
 # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff irc.log
+# @TEST-EXEC: btest-diff conn.log
 
 # dcc mime types are irrelevant to this test, so filter it out
 event bro_init()

From 8b7d5a68b2e774aa83056889d6ed6814e8d6b1ec Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 15:00:03 -0500
Subject: [PATCH 056/136] Fix reference counting for lookup_ID() usages.

That function refs the ID before returning it, but callers were never
assuming responsibility for that reference.
---
 src/Debug.cc        |  6 ++++++
 src/EventHandler.cc |  5 ++++-
 src/Func.cc         |  1 +
 src/RuleMatcher.cc  |  5 ++++-
 src/Type.cc         |  1 +
 src/Var.cc          | 20 ++++++++++++++++----
 src/scan.l          | 12 ++++++++++--
 7 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/src/Debug.cc b/src/Debug.cc
index 94b8abf952..09e8810edb 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -192,6 +192,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		string fullname = make_full_var_name(current_module.c_str(), s.c_str());
 		debug_msg("Function %s not defined.\n", fullname.c_str());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -199,6 +200,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s not declared.\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -206,6 +208,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s declared but not defined.\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -216,9 +219,12 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s is a built-in function\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
+	Unref(id);
+
 	Stmt* body = 0;	// the particular body we care about; 0 = all
 
 	if ( bodies.size() == 1 )
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index a5dc62148a..2f0a19ccc0 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -39,7 +39,10 @@ FuncType* EventHandler::FType()
 	if ( id->Type()->Tag() != TYPE_FUNC )
 		return 0;
 
-	return type = id->Type()->AsFuncType();
+	type = id->Type()->AsFuncType();
+	Unref(id);
+
+	return type;
 	}
 
 void EventHandler::SetLocalHandler(Func* f)
diff --git a/src/Func.cc b/src/Func.cc
index 11749a8a9c..1f3ac6f93c 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -475,6 +475,7 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 
 	type = id->Type()->Ref();
 	id->SetVal(new Val(this));
+	Unref(id);
 	}
 
 BuiltinFunc::~BuiltinFunc()
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 5cea843c8d..ca08388b10 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -1286,7 +1286,10 @@ static Val* get_bro_val(const char* label)
 		return 0;
 		}
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+
+	return rval;
 	}
 
 
diff --git a/src/Type.cc b/src/Type.cc
index 672153d957..b840fa98e3 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1449,6 +1449,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
 		}
 	else
 		{
+		Unref(id);
 		reporter->Error("identifier or enumerator value in enumerated type definition already exists");
 		SetError();
 		return;
diff --git a/src/Var.cc b/src/Var.cc
index 52754e3265..a34a0142eb 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -385,6 +385,7 @@ void begin_func(ID* id, const char* module_name, function_flavor flavor,
 		if ( arg_id && ! arg_id->IsGlobal() )
 			arg_id->Error("argument name used twice");
 
+		Unref(arg_id);
 		arg_id = install_ID(arg_i->id, module_name, false, false);
 		arg_id->SetType(arg_i->type->Ref());
 		}
@@ -442,10 +443,13 @@ void end_func(Stmt* body, attr_list* attrs)
 Val* internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+
 	if ( ! id )
 		reporter->InternalError("internal variable %s missing", name);
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+	return rval;
 	}
 
 Val* internal_const_val(const char* name)
@@ -457,13 +461,17 @@ Val* internal_const_val(const char* name)
 	if ( ! id->IsConst() )
 		reporter->InternalError("internal variable %s is not constant", name);
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+	return rval;
 	}
 
 Val* opt_internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
-	return id ? id->ID_Val() : 0;
+	Val* rval = id ? id->ID_Val() : 0;
+	Unref(id);
+	return rval;
 	}
 
 double opt_internal_double(const char* name)
@@ -503,6 +511,8 @@ ListVal* internal_list_val(const char* name)
 		return 0;
 
 	Val* v = id->ID_Val();
+	Unref(id);
+
 	if ( v )
 		{
 		if ( v->Type()->Tag() == TYPE_LIST )
@@ -528,7 +538,9 @@ BroType* internal_type(const char* name)
 	if ( ! id )
 		reporter->InternalError("internal type %s missing", name);
 
-	return id->Type();
+	BroType* rval = id->Type();
+	Unref(id);
+	return rval;
 	}
 
 Func* internal_func(const char* name)
diff --git a/src/scan.l b/src/scan.l
index 18233fb58a..7de38cbfbc 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -606,22 +606,30 @@ void do_atifdef(const char* id)
 	{
 	++current_depth;
 
-	if ( ! lookup_ID(id, current_module.c_str()) )
+	ID* i;
+
+	if ( ! (i = lookup_ID(id, current_module.c_str())) )
 		{
 		if_stack.append(current_depth);
 		BEGIN(IGNORE);
 		}
+
+	Unref(i);
 	}
 
 void do_atifndef(const char *id)
 	{
 	++current_depth;
 
-	if ( lookup_ID(id, current_module.c_str()) )
+	ID* i;
+
+	if ( (i = lookup_ID(id, current_module.c_str())) )
 		{
 		if_stack.append(current_depth);
 		BEGIN(IGNORE);
 		}
+
+	Unref(i);
 	}
 
 void do_atelse()

From 83a15886a732e34219f594ffd9539e3999f213e7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 1 May 2014 20:45:35 -0700
Subject: [PATCH 057/136] Updating CHANGES and NEWS for earlier X509 updates.

BIT-1150 #merged
---
 CHANGES | 15 +++++++++++++--
 NEWS    |  3 +++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 631e781d9a..e7a1cc9bef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -207,8 +207,19 @@
 
 2.2-294 | 2014-03-30 22:08:25 +0200
 
-  * TODO: x509 changes. (Bernhard Amann)
-    
+  * Rework and move X509 certificate processing from the SSL protocol
+    analyzer to a dedicated file analyzer. This will allow us to
+    examine X509 certificates from sources other than SSL in the
+    future. Furthermore, Bro now parses more fields and extensions
+    from the certificates (e.g. elliptic curve information, subject
+    alternative names, basic constraints). Certificate validation also
+    was improved, should be easier to use and exposes information like
+    the full verified certificate chain. (Bernhard Amann)
+
+    This update changes the format of ssl.log and adds a new x509.log
+    with certificate information. Furthermore all x509 events and
+    handling functions have changed.
+
 2.2-271 | 2014-03-30 20:25:17 +0200
 
   * Add unit tests covering vector/set/table ctors/inits. (Jon Siwek)
diff --git a/NEWS b/NEWS
index 9de61a2dc4..ac12931819 100644
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,9 @@ Changed Functionality
 
       event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info);
 
+- Generally, all x509 events and handling functions have changed their
+  signatures.
+
 - Bro no longer special-cases SYN/FIN/RST-filtered traces by not
   reporting missing data. The old behavior can be reverted by
   redef'ing "detect_filtered_trace".

From bf9bddd4fc8dce1053e0ec7f021c00effd5dc814 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 1 May 2014 21:05:17 -0700
Subject: [PATCH 058/136] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 5266f45a68..c44ec9c13d 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5266f45a6839ea9b6f1825ba0fd448a721cb42be
+Subproject commit c44ec9c13d87b8589d6f1549b9c523130fcc2a39

From 3905b6fc70fe2c1948efdaf04e7154d83756de42 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 2 May 2014 12:09:06 -0500
Subject: [PATCH 059/136] Clean up base SNMP script.  Mostly docs, some logic
 refactors.

---
 CHANGES                              | 14 +++++
 VERSION                              |  2 +-
 scripts/base/protocols/snmp/main.bro | 82 ++++++++++++++++------------
 3 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/CHANGES b/CHANGES
index e7a1cc9bef..b49fa5239c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,18 @@
 
+2.2-409 | 2014-05-02 12:09:06 -0500
+
+  * Clean up and documentation for base SNMP script. (Jon Siwek)
+
+  * Update base SNMP script to now produce a snmp.log. (Seth Hall)
+
+  * Add DH support to SSL analyzer.  When using DHE or DH-Anon, sever
+    key parameters are now available in scriptland.  Also add script to
+    alert on weak certificate keys or weak dh-params. (Bernhard Amann)
+
+  * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann)
+
+  * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann)
+
 2.2-397 | 2014-05-01 20:29:20 -0700
 
   * Fix reference counting for lookup_ID() usages. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 720c163a49..12e210c885 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-397
+2.2-409
diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
index 1c92e73ce0..4921794408 100644
--- a/scripts/base/protocols/snmp/main.bro
+++ b/scripts/base/protocols/snmp/main.bro
@@ -1,45 +1,68 @@
-##! Enables analysis of SNMP datagrams.
+##! Enables analysis and logging of SNMP datagrams.
 
 module SNMP;
 
 export {
 	redef enum Log::ID += { LOG };
 
+	## Information tracked per SNMP session.
 	type Info: record {
+		## Timestamp of first packet belonging to the SNMP session.
 		ts: time &log;
+		## The unique ID for the connection.
 		uid: string &log;
+		## The connection's 5-tuple of addresses/ports (ports inherently
+		## include transport protocol information)
 		id: conn_id &log;
+		## The amount of time between the first packet beloning to
+		## the SNMP session and the latest one seen.
 		duration: interval &log &default=0secs;
-
+		## The version of SNMP being used.
 		version: string &log;
+		## The community string of the first SNMP packet associated with
+		## the session.  This is used as part of SNMP's (v1 and v2c)
+		## administrative/security framework.  See :rfc:`1157` or :rfc:`1901`.
 		community: string &log &optional;
 
+		## The number of variable bindings in GetRequest/GetNextRequest PDUs
+		## seen for the session.
 		get_requests:      count &log &default=0;
+		## The number of variable bindings in GetBulkRequest PDUs seen for
+		## the session.
 		get_bulk_requests: count &log &default=0;
+		## The number of variable bindings in GetResponse/Response PDUs seen
+		## for the session.
 		get_responses:     count &log &default=0;
-
+		## The number of variable bindings in SetRequest PDUs seen for
+		## the session.
 		set_requests: count &log &default=0;
 
+		## A system description of the SNMP responder endpoint.
 		display_string: string &log &optional;
+		## The time at which the SNMP responder endpoint claims it's been
+		## up since.
 		up_since: time &log &optional;
 	};
 
-	redef record connection += {
-		snmp: SNMP::Info &optional;
-	};
+	## Maps an SNMP version integer to a human readable string.
+	const version_map: table[count] of string = {
+		[0] = "1",
+		[1] = "2c",
+		[3] = "3",
+	} &redef &default="unknown";
 
+	## Event that can be handled to access the SNMP record as it is sent on
+	## to the logging framework.
 	global log_snmp: event(rec: Info);
 }
 
+redef record connection += {
+	snmp: SNMP::Info &optional;
+};
+
 const ports = { 161/udp, 162/udp };
 redef likely_server_ports += { ports };
 
-const version_map = {
-	[0] = "1",
-	[1] = "2c",
-	[3] = "3",
-};
-
 event bro_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
@@ -50,17 +73,18 @@ function init_state(c: connection, h: SNMP::Header): Info
 	{
 	if ( ! c?$snmp )
 		{
-		c$snmp = Info($ts=network_time(), 
+		c$snmp = Info($ts=network_time(),
 		              $uid=c$uid, $id=c$id,
 		              $version=version_map[h$version]);
 		}
 
 	local s = c$snmp;
+
 	if ( ! s?$community )
 		{
 		if ( h?$v1 )
 			s$community = h$v1$community;
-		if ( h?$v2 )
+		else if ( h?$v2 )
 			s$community = h$v2$community;
 		}
 
@@ -78,39 +102,30 @@ event connection_state_remove(c: connection) &priority=-5
 event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_requests;
-		}
+	s$get_requests += |pdu$bindings|;
 	}
 
 event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_bulk_requests;
-		}
+	s$get_bulk_requests += |pdu$bindings|;
 	}
 
 event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_requests;
-		}
+	s$get_requests += |pdu$bindings|;
 	}
 
 event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
+	s$get_responses += |pdu$bindings|;
 
 	for ( i in pdu$bindings )
 		{
-		++s$get_responses;
-
 		local binding = pdu$bindings[i];
+
 		if ( binding$oid == "1.3.6.1.2.1.1.1.0" && binding$value?$octets )
 			c$snmp$display_string = binding$value$octets;
 		else if ( binding$oid == "1.3.6.1.2.1.1.3.0" && binding$value?$unsigned )
@@ -124,10 +139,7 @@ event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNM
 event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$set_requests;
-		}
+	s$set_requests += |pdu$bindings|;
 	}
 
 event snmp_trap(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU) &priority=5
@@ -165,6 +177,6 @@ event snmp_encrypted_pdu(c: connection, is_orig: bool, header: SNMP::Header) &pr
 	init_state(c, header);
 	}
 
-event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
-	{
-	}
+#event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
+#	{
+#	}

From b15bbf4f333662374e5316af0b70ecc149f8ec65 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 2 May 2014 12:49:53 -0500
Subject: [PATCH 060/136] Replace an unneeded OPENSSL_malloc call.

---
 CHANGES                                 | 4 ++++
 VERSION                                 | 2 +-
 src/file_analysis/analyzer/x509/X509.cc | 6 ++----
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index b49fa5239c..9bb4bf6a70 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-410 | 2014-05-02 12:49:53 -0500
+
+  * Replace an unneeded OPENSSL_malloc call. (Jon Siwek)
+
 2.2-409 | 2014-05-02 12:09:06 -0500
 
   * Clean up and documentation for base SNMP script. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 12e210c885..861e91890f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-409
+2.2-410
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 3cd886657b..debe38deaa 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -180,9 +180,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
 		return new StringVal("");
 		}
 
-	// TODO: see about using regular malloc here, there were unknown problems
-	// using anything other than OPENSSL_malloc that need investigation.
-	char* buffer = (char*) OPENSSL_malloc(length);
+	char* buffer = (char*) malloc(length);
 
 	if ( ! buffer )
 		{
@@ -196,7 +194,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
 	BIO_read(bio, (void*) buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 
-	OPENSSL_free(buffer);
+	free(buffer);
 	BIO_free_all(bio);
 
 	return ext_val;

From 99b13d3cfdd18e6d7b1df5507a3441af027d194a Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 2 May 2014 16:57:55 -0500
Subject: [PATCH 061/136] Add a new section "Cluster Configuration" to the docs

Added a new section that is intended as a how-to for configuring a Bro
cluster (this section does not discuss cluster architecture or theory)
that is aimed at beginners to Bro.  Most of this content was moved here
from the BroControl doc (which is now intended as more of a reference guide
for more experienced users) and the load balancing FAQ on the website.
---
 doc/configuration/index.rst | 289 ++++++++++++++++++++++++++++++++++++
 doc/index.rst               |   1 +
 doc/quickstart/index.rst    |   4 +-
 3 files changed, 292 insertions(+), 2 deletions(-)
 create mode 100644 doc/configuration/index.rst

diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst
new file mode 100644
index 0000000000..07b46c9d0d
--- /dev/null
+++ b/doc/configuration/index.rst
@@ -0,0 +1,289 @@
+
+.. _configuration:
+
+=====================
+Cluster Configuration
+=====================
+
+.. contents::
+
+A *Bro Cluster* is a set of systems jointly analyzing the traffic of
+a network link in a coordinated fashion.  You can operate such a setup from
+a central manager system easily using BroControl, because BroControl
+hides much of the complexity of the multi-machine installation.
+
+This section gives examples of how to setup common cluster configurations
+using BroControl (for a full reference on BroControl, see the
+:doc:`BroControl <../components/broctl/README>` documentation).
+
+
+Preparing to Setup a Cluster
+============================
+
+When setting up a cluster, the same user account (in this document, we refer
+to this user as the "Bro user") must be set up on all hosts, and this user
+must have ssh access from the manager to all machines in the cluster,
+and it must work without being prompted for a password/passphrase (for
+example, using ssh public key authentication). Finally, on the worker nodes,
+this user must have access to the target network interface in promiscuous mode.
+
+Additionally, you need to have some storage available on all
+hosts under the same path, which we will call the cluster's *prefix* path.
+In this document, we refer to this directory as ``<prefix>`` (if you build
+Bro from source, then ``<prefix>`` is the directory specified
+with the ``--prefix`` configure option, or ``/usr/local/bro`` by default).
+The Bro user must be able to either create this directory or, where it
+already exists, must have write permission inside this directory
+on all hosts.
+
+When trying to decide how to configure the Bro nodes, keep in mind that
+there can be multiple Bro instances running on the same host.  For example,
+it's possible to run a proxy and the manager on the same host.  However, it is
+recommended to run workers on a different machine than the manager (because
+workers can consume a lot of CPU resources).  The maximum recommended
+number of workers to run on a machine should be one or two less than
+the number of CPU cores available on that machine.  Using a load-balancing
+method (such as PF_RING) along with CPU pinning can decrease the load on
+the worker machines.
+
+
+Basic Cluster Configuration
+===========================
+
+With all prerequisites in place, perform the following steps to setup
+a Bro cluster (do this as the Bro user on the manager host only):
+
+- Edit the BroControl configuration file, ``<prefix>/etc/broctl.cfg``,
+  and adjust any BroControl options that are needed for your environment.
+  Most likely you may want to adjust the value of the ``MailTo`` and
+  ``LogRotationInterval`` options.  A complete reference of all BroControl
+  options can be found in the :doc:`BroControl <../components/broctl/README>`
+  documentation.
+
+- Edit the BroControl node configuration file, ``<prefix>/etc/node.cfg``
+  to define where manager, proxies, and workers are to run.  For a cluster
+  configuration, you must comment-out (or remove) the standalone node
+  in that file, and either uncomment or add node entries for each node
+  in your cluster (manager, proxy, and workers).  For example, if you wanted
+  to run four Bro nodes (two workers, one proxy, and a manager) on a cluster
+  consisting of three machines, your cluster configuration would look like
+  this::
+
+    [manager]
+    type=manager
+    host=10.0.0.10
+
+    [proxy-1]
+    type=proxy
+    host=10.0.0.10
+
+    [worker-1]
+    type=worker
+    host=10.0.0.11
+    interface=eth0
+
+    [worker-2]
+    type=worker
+    host=10.0.0.12
+    interface=eth0
+
+  For a complete reference of all options that are allowed in the ``node.cfg``
+  file, see the :doc:`BroControl <../components/broctl/README>` documentation.
+
+- Edit the network configuration file ``<prefix>/etc/networks.cfg``.  This
+  file lists all of the networks which the cluster should consider as local
+  to the monitored environment.
+
+- Install workers and proxies using BroControl::
+
+    > broctl install
+
+- Some tasks need to be run on a regular basis. On the manager node,
+  insert a line like this into the crontab of the user running the
+  cluster::
+
+      0-59/5 * * * * <prefix>/bin/broctl cron
+
+  (Note: if you are editing the system crontab instead of a user's own
+  crontab, then you need to also specify the user which the command
+  will be run as. The username must be placed after the time fields
+  and before the broctl command.)
+
+  Note that on some systems (FreeBSD in particular), the default PATH
+  for cron jobs does not include the directories where bash and python
+  are installed (the symptoms of this problem would be that "broctl cron"
+  works when run directly by the user, but does not work from a cron job).
+  To solve this problem, you would either need to create symlinks
+  to bash and python in a directory that is in the default PATH for
+  cron jobs, or specify a new PATH in the crontab.
+
+
+PF_RING Cluster Configuration
+=============================
+
+`PF_RING <http://www.ntop.org/products/pf_ring/>`_ allows speeding up the
+packet capture process by installing a new type of socket in Linux systems.
+It supports 10Gbit hardware packet filtering using standard network adapters,
+and user-space DNA (Direct NIC Access) for fast packet capture/transmission.
+
+Installing PF_RING
+^^^^^^^^^^^^^^^^^^
+1. Download and install PF_RING for your system following the instructions
+   `here <http://www.ntop.org/get-started/download/#PF_RING>`_.  The following
+   commands will install the PF_RING libraries and kernel module (replace
+   the version number 5.6.2 in this example with the version that you
+   downloaded)::
+
+     cd /usr/src
+     tar xvzf PF_RING-5.6.2.tar.gz
+     cd PF_RING-5.6.2/userland/lib
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../libpcap
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../tcpdump-4.1.1
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../../kernel
+     make install
+
+     modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
+
+   Refer to the documentation for your Linux distribution on how to load the
+   pf_ring module at boot time.  You will need to install the PF_RING
+   library files and kernel module on all of the workers in your cluster.
+
+2. Download the Bro source code.
+3. Configure and install Bro using the following commands::
+
+     ./configure --with-pcap=/opt/pfring
+     make
+     make install
+
+4. Make sure Bro is correctly linked to the PF_RING libpcap libraries::
+
+     ldd /usr/local/bro/bin/bro | grep pcap
+           libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
+
+5. Configure BroControl to use PF_RING (explained below).
+6. Run "broctl install" on the manager.  This command will install Bro and
+   all required scripts to the other machines in your cluster.
+
+Using PF_RING
+^^^^^^^^^^^^^
+
+In order to use PF_RING, you need to specify the correct configuration
+options for your worker nodes in BroControl's node configuration file.
+Edit the ``node.cfg`` file and specify ``lb_method=pf_ring`` for each of
+your worker nodes.  Next, use the ``lb_procs`` node option to specify how
+many Bro processes you'd like that worker node to run, and optionally pin
+those processes to certain CPU cores with the ``pin_cpus`` option (CPU
+numbering starts at zero).  The correct ``pin_cpus`` setting to use is
+dependent on your CPU architecture (Intel and AMD systems enumerate
+processors in different ways).  Using the wrong ``pin_cpus`` setting
+can cause poor performance.  Here is what a worker node entry should
+look like when using PF_RING and CPU pinning::
+
+   [worker-1]
+   type=worker
+   host=10.0.0.50
+   interface=eth0
+   lb_method=pf_ring
+   lb_procs=10
+   pin_cpus=2,3,4,5,6,7,8,9,10,11
+
+
+Using PF_RING+DNA with symmetric RSS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You must have a PF_RING+DNA license in order to do this.  You can sniff
+each packet only once.
+
+1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
+2. Run "ethtool -L dna0 combined 10" (this will establish 10 RSS queues
+   on your NIC) on each worker host.  You must make sure that you set the
+   number of RSS queues to the same as the number you specify for the
+   lb_procs option in the node.cfg file.
+3. On the manager, configure your worker(s) in node.cfg::
+
+       [worker-1]
+       type=worker
+       host=10.0.0.50
+       interface=dna0
+       lb_method=pf_ring
+       lb_procs=10
+
+
+Using PF_RING+DNA with pfdnacluster_master
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You must have a PF_RING+DNA license and a libzero license in order to do
+this.  You can load balance between multiple applications and sniff the
+same packets multiple times with different tools.
+
+1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
+2. Run "ethtool -L dna0 1" (this will establish 1 RSS queues on your NIC)
+   on each worker host.
+3. Run the pfdnacluster_master command on each worker host.  For example::
+
+       pfdnacluster_master -c 21 -i dna0 -n 10
+
+   Make sure that your cluster ID (21 in this example) matches the interface
+   name you specify in the node.cfg file.  Also make sure that the number
+   of processes you're balancing across (10 in this example) matches
+   the lb_procs option in the node.cfg file.
+4. If you are load balancing to other processes, you can use the
+   pfringdnafirstappinstance variable in broctl.cfg to set the first
+   application instance that Bro should use.  For example, if you are running
+   pfdnacluster_master with "-n 10,4" you would set
+   pfringdnafirstappinstance=4.  Unfortunately that's still a global setting
+   in broctl.cfg at the moment but we may change that to something you can
+   set in node.cfg eventually.
+5. On the manager, configure your worker(s) in node.cfg::
+
+       [worker-1]
+       type=worker
+       host=10.0.0.50
+       interface=dnacluster:21
+       lb_method=pf_ring
+       lb_procs=10
+
+
+Using PF_RING ZC with zbalance_ipc
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You must have a license for the ZC PF_RING-aware driver in order to do this.
+You can load balance between multiple applications and sniff the
+same packets multiple times with different tools.
+
+1. Load the ZC PF_RING-aware NIC driver (i.e. ixgbe) on each worker host.
+2. Run "ethtool -L zc:eth0 1" (this will establish 1 RSS queues on your NIC)
+   on each worker host.
+3. Run the zbalance_ipc command on each worker host.  For example::
+
+       zbalance_ipc -c 21 -i zc:eth0 -n 10
+
+   Make sure that your cluster ID (21 in this example) matches the interface
+   name you specify in the node.cfg file.  Also make sure that the number
+   of processes you're balancing across (10 in this example) matches
+   the lb_procs option in the node.cfg file.
+4. If you are load balancing to other processes, you can use the
+   pfringdnafirstappinstance variable in broctl.cfg to set the first
+   application instance that Bro should use.  For example, if you are running
+   zbalance_ipc with "-n 10,4" you would set
+   pfringdnafirstappinstance=4.  Unfortunately that's still a global setting
+   in broctl.cfg at the moment but we may change that to something you can
+   set in node.cfg eventually.
+5. On the manager, configure your worker(s) in node.cfg::
+
+       [worker-1]
+       type=worker
+       host=10.0.0.50
+       interface=zc:eth0
+       lb_method=pf_ring
+       lb_procs=10
+
diff --git a/doc/index.rst b/doc/index.rst
index bab3d49204..8d479d2a25 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -15,6 +15,7 @@ Introduction Section
    cluster/index.rst
    install/index.rst
    quickstart/index.rst
+   configuration/index.rst
 
 .. 
 
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index a61d0cc71d..19add23bd4 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -25,8 +25,8 @@ BroControl is an interactive shell for easily operating/managing Bro
 installations on a single system or even across multiple systems in a
 traffic-monitoring cluster.  This section explains how to use BroControl
 to manage a stand-alone Bro installation.  For instructions on how to
-configure a Bro cluster, see the documentation for :doc:`BroControl
-<../components/broctl/README>`.
+configure a Bro cluster, see the :doc:`Cluster Configuration
+<../configuration/index>` documentation.
 
 A Minimal Starting Configuration
 --------------------------------

From 713fd2fbafde195a7aa508e145760990e0988977 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:07:23 -0500
Subject: [PATCH 062/136] Fix new []/delete mismatch in ~Base64Converter.

---
 src/Base64.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Base64.cc b/src/Base64.cc
index 50732534ab..e76621e634 100644
--- a/src/Base64.cc
+++ b/src/Base64.cc
@@ -104,7 +104,7 @@ Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string&
 Base64Converter::~Base64Converter()
 	{
 	if ( base64_table != default_base64_table )
-		delete base64_table;
+		delete [] base64_table;
 	}
 
 int Base64Converter::Decode(int len, const char* data, int* pblen, char** pbuf)

From 965e4d421d66b79d9c8fa363b65f63955e93f583 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:13:43 -0500
Subject: [PATCH 063/136] Fix buffer overlows in IP address masking logic.

That could occur either in taking a zero-length mask on an IPv6 address
(e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g.
via the remask_addr BuiltIn Function).
---
 src/IPAddr.cc | 58 +++++++++++++++++++++++++--------------------------
 1 file changed, 28 insertions(+), 30 deletions(-)

diff --git a/src/IPAddr.cc b/src/IPAddr.cc
index 7fd3755042..7ccc3dce07 100644
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <cstdlib>
 #include <string>
 #include <vector>
 #include "IPAddr.h"
@@ -45,6 +46,14 @@ HashKey* BuildConnIDHashKey(const ConnID& id)
 	return new HashKey(&key, sizeof(key));
 	}
 
+static inline uint32_t bit_mask32(int bottom_bits)
+	{
+	if ( bottom_bits >= 32 )
+		return 0xffffffff;
+
+	return (((uint32_t) 1) << bottom_bits) - 1;
+	}
+
 void IPAddr::Mask(int top_bits_to_keep)
 	{
 	if ( top_bits_to_keep < 0 || top_bits_to_keep > 128 )
@@ -53,25 +62,20 @@ void IPAddr::Mask(int top_bits_to_keep)
 		return;
 		}
 
-	uint32_t tmp[4];
-	memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
+	uint32_t mask_bits[4] = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff };
+	std::ldiv_t res = std::ldiv(top_bits_to_keep, 32);
 
-	int word = 3;
-	int bits_to_chop = 128 - top_bits_to_keep;
+	if ( res.quot < 4 )
+		mask_bits[res.quot] =
+		        htonl(mask_bits[res.quot] & ~bit_mask32(32 - res.rem));
 
-	while ( bits_to_chop >= 32 )
-		{
-		tmp[word] = 0;
-		--word;
-		bits_to_chop -= 32;
-		}
+	for ( unsigned int i = res.quot + 1; i < 4; ++i )
+		mask_bits[i] = 0;
 
-	uint32_t w = ntohl(tmp[word]);
-	w >>= bits_to_chop;
-	w <<= bits_to_chop;
-	tmp[word] = htonl(w);
+	uint32_t* p = reinterpret_cast<uint32_t*>(in6.s6_addr);
 
-	memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
+	for ( unsigned int i = 0; i < 4; ++i )
+		p[i] &= mask_bits[i];
 	}
 
 void IPAddr::ReverseMask(int top_bits_to_chop)
@@ -82,25 +86,19 @@ void IPAddr::ReverseMask(int top_bits_to_chop)
 		return;
 		}
 
-	uint32_t tmp[4];
-	memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
+	uint32_t mask_bits[4] = { 0, 0, 0, 0 };
+	std::ldiv_t res = std::ldiv(top_bits_to_chop, 32);
 
-	int word = 0;
-	int bits_to_chop = top_bits_to_chop;
+	if ( res.quot < 4 )
+		mask_bits[res.quot] = htonl(bit_mask32(32 - res.rem));
 
-	while ( bits_to_chop >= 32 )
-		{
-		tmp[word] = 0;
-		++word;
-		bits_to_chop -= 32;
-		}
+	for ( unsigned int i = res.quot + 1; i < 4; ++i )
+		mask_bits[i] = 0xffffffff;
 
-	uint32_t w = ntohl(tmp[word]);
-	w <<= bits_to_chop;
-	w >>= bits_to_chop;
-	tmp[word] = htonl(w);
+	uint32_t* p = reinterpret_cast<uint32_t*>(in6.s6_addr);
 
-	memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
+	for ( unsigned int i = 0; i < 4; ++i )
+		p[i] &= mask_bits[i];
 	}
 
 void IPAddr::Init(const std::string& s)

From af3b87e100a89d29773f7c20cf7a6a4a632108d2 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:36:02 -0500
Subject: [PATCH 064/136] Fix buffer over-reads in
 file_analysis::Manager::Terminate()

---
 src/file_analysis/Manager.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 393dadfdc7..3a7b799094 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -74,7 +74,8 @@ void Manager::Terminate()
 
 	while ( id_map.NextEntry(key, it) )
 		{
-		keys.push_back(static_cast<const char*>(key->Key()));
+		keys.push_back(string(static_cast<const char*>(key->Key()),
+		                      key->Size()));
 		delete key;
 		}
 

From 37b860d3252525d278943d83d46d874e55da39e3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:55:50 -0500
Subject: [PATCH 065/136] Fix new []/delete mismatch in
 input::reader::Raw::DoClose().

---
 src/input/readers/Raw.cc | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc
index 53469335a2..11976e2a11 100644
--- a/src/input/readers/Raw.cc
+++ b/src/input/readers/Raw.cc
@@ -67,12 +67,9 @@ void Raw::DoClose()
 	if ( file != 0 )
 		CloseInput();
 
-	if ( buf != 0 )
-		{
-		// we still have output that has not been flushed. Throw away.
-		delete buf;
-		buf = 0;
-		}
+	// Just throw away output that has not been flushed.
+	delete [] buf;
+	buf = 0;
 
 	if ( execute && childpid > 0 && kill(childpid, 0) == 0 )
 		{

From 6277be6e606334263f18f5d86489564a6ff84dc3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 20:50:37 -0500
Subject: [PATCH 066/136] Fix memory leaks in X509 certificate
 parsing/verification.

---
 src/file_analysis/analyzer/x509/X509.cc       | 11 +++++++++++
 src/file_analysis/analyzer/x509/functions.bif | 18 +++++++++---------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index debe38deaa..6e0f37e9c9 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -153,6 +153,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 		unsigned int length = KeyLength(pkey);
 		if ( length > 0 )
 			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
+
+		EVP_PKEY_free(pkey);
 		}
 
 
@@ -273,6 +275,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		vl->append(pBasicConstraint);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
+		BASIC_CONSTRAINTS_free(constr);
 		}
 
 	else
@@ -387,6 +390,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 		vl->append(GetFile()->GetVal()->Ref());
 		vl->append(sanExt);
 		mgr.QueueEvent(x509_ext_subject_alternative_name, vl);
+	GENERAL_NAMES_free(altname);
 	}
 
 StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key)
@@ -442,13 +446,20 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
 			return 0;
 
 		const EC_GROUP *group = EC_KEY_get0_group(key->pkey.ec);
+
 		if ( ! group )
+			{
 			// unknown ex-group
+			BN_free(ec_order);
 			return 0;
+			}
 
 		if ( ! EC_GROUP_get_order(group, ec_order, NULL) )
+			{
 			// could not get ec-group-order
+			BN_free(ec_order);
 			return 0;
+			}
 
 		unsigned int length = BN_num_bits(ec_order);
 		BN_free(ec_order);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 176df53bdb..5d9242026e 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -179,7 +179,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
 		if ( ! x )
 			{
-			sk_X509_pop(untrusted_certs);
+			sk_X509_free(untrusted_certs);
 			builtin_error(fmt("No certificate in opaque in stack"));
 			return x509_error_record(-1, "No certificate in opaque");
 			}
@@ -203,6 +203,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		if ( ! chain )
 			{
 			reporter->Error("Encountered valid chain that could not be resolved");
+			sk_X509_pop_free(chain, X509_free);
 			goto x509_verify_chainerror;
 			}
 
@@ -212,22 +213,21 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		for ( int i = 0; i < num_certs; i++ )
 			{
 			X509* currcert = sk_X509_value(chain, i);
-			if ( !currcert )
-				{
-				reporter->InternalError("OpenSSL returned null certificate");
-				goto x509_verify_chainerror;
-				}
 
-			chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			if ( currcert )
+				chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			else
+				reporter->InternalWarning("OpenSSL returned null certificate");
 			}
+
+		sk_X509_free(chain);
 		}
 
 x509_verify_chainerror:
 
 	X509_STORE_CTX_cleanup(&csc);
 
-	if ( untrusted_certs )
-		sk_X509_pop(untrusted_certs);
+	sk_X509_free(untrusted_certs);
 
 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
 

From 4ea8a4e8ef451f4599f173a14103d8e9e9ade5d6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 7 May 2014 10:45:00 -0500
Subject: [PATCH 067/136] Change handling of atypical OpenSSL error case in
 x509 verification.

---
 src/file_analysis/analyzer/x509/functions.bif | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 5d9242026e..1fa81a0fd0 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -215,9 +215,17 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			X509* currcert = sk_X509_value(chain, i);
 
 			if ( currcert )
-				chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+				// X509Val takes ownership of currcert.
+				chainVector->Assign(i, new file_analysis::X509Val(currcert));
 			else
+				{
 				reporter->InternalWarning("OpenSSL returned null certificate");
+
+				for ( int j = i + 1; i < num_certs; ++j )
+					X509_free(sk_X509_value(chain, j));
+
+				break;
+				}
 			}
 
 		sk_X509_free(chain);

From 9014629a7d17b5c0b7f13108f349f3a3b0656c1b Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 8 May 2014 11:32:52 -0700
Subject: [PATCH 068/136] Let TLS analyzer fail better when no longer in sync
 with the data stream. The version field in each record-layer packet is now
 re-checked.

---
 src/analyzer/protocol/ssl/events.bif       |  9 +++++----
 src/analyzer/protocol/ssl/ssl-analyzer.pac |  5 ++---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 15 +++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 6f44165be4..e17d5ec477 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -265,9 +265,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##    ssl_alert ssl_encrypted_heartbeat
 event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
-## Generated for SSL/TLS heartbeat messages that are sent after session encryption
-## started. Generally heartbeat messages should rarely be seen in normal TLS traffic.
-## Heartbeats are described in :rfc:`6520`.
+## Generated for SSL/TLS messages that are sent after session encryption
+## started.
 ##
 ## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be set to false.
 ## Otherwhise this event will never be thrown.
@@ -276,11 +275,13 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
+## content type: message type as reported by TLS session layer
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
 
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it. See
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index ef1d862b87..8d62245f6b 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -365,9 +365,8 @@ refine connection SSL_Conn += {
 							bro_analyzer()->Conn());
 			}
 
-		if ( ${rec.content_type} == HEARTBEAT )
-			BifEvent::generate_ssl_encrypted_heartbeat(bro_analyzer(),
-				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+		BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.content_type}, ${rec.is_orig}, ${rec.length});
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index af220f39de..a31d257330 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -44,6 +44,8 @@ type SSLRecord(is_orig: bool) = record {
 	};
 
 	length : int = case version of {
+		# fail analyzer if the packet cannot be recognized as TLS.
+		UNKNOWN_VERSION -> 0;
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
 	};
@@ -748,6 +750,19 @@ refine connection SSL_Conn += {
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{
+		// re-check record layer version to be sure that we still are synchronized with
+		// the data stream
+		if ( record_layer_version_ != UNKNOWN_VERSION && record_layer_version_ != SSLv20 )
+			{
+			uint16 version = (head1<<8) | head2;
+			if ( version != SSLv30 && version != TLSv10 &&
+					 version != TLSv11 && version != TLSv12 )
+				{
+				bro_analyzer()->ProtocolViolation(fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
+				return UNKNOWN_VERSION;
+				}
+			}
+
 		if ( record_layer_version_ != UNKNOWN_VERSION )
 			return record_layer_version_;
 

From 37dd3312564346bc2110c41270174b2ccded71a8 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 8 May 2014 16:34:44 -0700
Subject: [PATCH 069/136] Updating submodule(s).

 [nomail]
---
 CHANGES     | 24 ++++++++++++------------
 VERSION     |  2 +-
 aux/bro-aux |  2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1d141ae3d5..68beb70ada 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,24 +1,24 @@
 
-2.2-424 | 2014-05-08 16:32:29 -0700
+2.2-425 | 2014-05-08 16:34:44 -0700
 
-  * Fixing compiler warnings. (Robin Sommer)
+  * Fix reassembly of data w/ sizes beyond 32-bit capacities. (Jon Siwek)
 
-  * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek)
-    
-  * Fix reassembly of data w/ sizes beyond 32-bit capacities The main
-    change is that reassembly code (e.g. for TCP) now uses
-    int64/uint64 (signedness is situational) data types in place of
-    int types in order to support delivering data to analyzers that
-    pass 2GB thresholds.  There's also changes in logic that accompany
-    the change in data types, e.g. to fix TCP sequence space
-    arithmetic inconsistencies.
+    Reassembly code (e.g. for TCP) now uses int64/uint64 (signedness
+    is situational) data types in place of int types in order to
+    support delivering data to analyzers that pass 2GB thresholds.
+    There's also changes in logic that accompany the change in data
+    types, e.g. to fix TCP sequence space arithmetic inconsistencies.
 
     Another significant change is in the Analyzer API: the *Packet and
     *Undelivered methods now use a uint64 in place of an int for the
     relative sequence space offset parameter.
 
-    Addresses BIT-348. (Jon Siwek)
+    Addresses BIT-348. 
 
+  * Fixing compiler warnings. (Robin Sommer)
+    
+  * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek)
+    
 2.2-417 | 2014-05-07 10:59:22 -0500
 
   * Change handling of atypical OpenSSL error case in x509 verification. (Jon Siwek)
diff --git a/VERSION b/VERSION
index c43adf607d..ce1d2d112b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-424
+2.2-425
diff --git a/aux/bro-aux b/aux/bro-aux
index 5c0043d587..6dfc648d22 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 5c0043d587314c57070e5362762e3e0f6408c2be
+Subproject commit 6dfc648d22d234d2ba4b1cb0fc74cda2eb023d1e

From f0b244b8b0a3525c38469985557029ebf14139fb Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 14 May 2014 15:42:27 -0700
Subject: [PATCH 070/136] Add new features from other branch to the
 heartbleed-detector (and clean them up).

We should now quite reliably detect scans/attacks, even when encrypted and not succesful.
---
 scripts/policy/protocols/ssl/heartbleed.bro   | 151 ++++++++++++++++--
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |   2 +-
 .../notice-encrypted-short.log                |  12 ++
 .../notice-encrypted-success.log              |  12 ++
 .../notice-encrypted.log                      |   6 +-
 .../notice-heartbleed-success.log             |   8 +-
 .../tls/heartbleed-encrypted-short.pcap       | Bin 0 -> 4294 bytes
 .../Traces/tls/heartbleed-encrypted.pcap      | Bin 0 -> 6117 bytes
 .../policy/protocols/ssl/heartbleed.bro       |  10 +-
 9 files changed, 179 insertions(+), 22 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log
 create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted-short.pcap
 create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted.pcap

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 5c5333a7a2..63fc2e72c9 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -7,11 +7,11 @@ module Heartbleed;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a host performing a heartbleed attack.
+		## Indicates that a host performing a heartbleed attack or scan.
 		SSL_Heartbeat_Attack,
 		## Indicates that a host performing a heartbleed attack was probably successful.
 		SSL_Heartbeat_Attack_Success,
-		## Indicates we saw heartbeat requests with odd length. Probably an attack.
+		## Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
 		SSL_Heartbeat_Odd_Length,
 		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
 		SSL_Heartbeat_Many_Requests
@@ -25,14 +25,76 @@ redef SSL::disable_analyzer_after_detection=F;
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;
 	last_responder_heartbeat_request_size: count &optional;
+
 	originator_heartbeats: count &default=0;
 	responder_heartbeats: count &default=0;
 
+	# Unencrypted connections - was an exploit attempt detected yet.
 	heartbleed_detected: bool &default=F;
-	};
+
+	# Count number of appdata packages and bytes exchanged so far.
+	enc_appdata_packages: count &default=0;
+	enc_appdata_bytes: count &default=0;
+};
+
+# TLS content types:
+const	CHANGE_CIPHER_SPEC = 20;
+const	ALERT = 21;
+const	HANDSHAKE = 22;
+const	APPLICATION_DATA = 23;
+const	HEARTBEAT = 24;
+const	V2_ERROR = 300;
+const	V2_CLIENT_HELLO = 301;
+const	V2_CLIENT_MASTER_KEY = 302;
+const	V2_SERVER_HELLO = 304;
+
+type min_length: record {
+	cipher: pattern;
+	min_length: count;
+};
+
+global min_lengths: vector of min_length = vector();
+global min_lengths_tls11: vector of min_length = vector();
+
+event bro_init()
+	{
+	# Minimum length a heartbeat packet must have for different cipher suites.
+	# Note - tls 1.1f and 1.0 have different lengths :(
+	# This should be all cipher suites usually supported by vulnerable servers.
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA384$/, $min_length=96];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA256$/, $min_length=80];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA$/, $min_length=64];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA256$/, $min_length=80];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA$/, $min_length=64];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=64];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=48];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES_CBC_SHA$/, $min_length=48];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=48];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
+	min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48];
+	min_lengths[|min_lengths|] = [$cipher=/_256_CBC_SHA$/, $min_length=48];
+	min_lengths[|min_lengths|] = [$cipher=/_128_CBC_SHA$/, $min_length=48];
+	min_lengths[|min_lengths|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40];
+	min_lengths[|min_lengths|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=48];
+	min_lengths[|min_lengths|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=40];
+	min_lengths[|min_lengths|] = [$cipher=/_DES_CBC_SHA$/, $min_length=40];
+	min_lengths[|min_lengths|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=40];
+	min_lengths[|min_lengths|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
+	min_lengths[|min_lengths|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
+	min_lengths[|min_lengths|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
+	min_lengths[|min_lengths|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
+	}
 
 event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
+	if ( ! c?$ssl )
+		return;
+
 	if ( heartbeat_type == 1 )
 		{
 		local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
@@ -40,18 +102,27 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 		if ( payload_length > checklength )
 			{
 			c$ssl$heartbleed_detected = T;
-			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
+			NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
+				$msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
 				$conn=c,
 				$identifier=cat(c$uid, length, payload_length)
 				]);
 			}
+		else if ( is_orig )
+			{
+			NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
+				$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
+				$conn=c,
+				$n=length,
+				$identifier=cat(c$uid, length)
+				]);
+			}
 		}
 
 	if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
 		{
-			NOTICE([$note=SSL_Heartbeat_Attack_Success,
-				$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length),
+			NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success,
+				$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
 				$conn=c,
 				$identifier=c$uid
 				]);
@@ -65,9 +136,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 	else
 		++c$ssl$responder_heartbeats;
 
+	local duration = network_time() - c$start_time;
+
+	if ( c$ssl$enc_appdata_packages == 0 )
+			NOTICE([$note=SSL_Heartbeat_Attack,
+				$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
+				$conn=c,
+				$n=length,
+				$identifier=fmt("%s%s", c$uid, "early")
+				]);
+	else if ( duration < 1min )
+			NOTICE([$note=SSL_Heartbeat_Attack,
+				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %d", length, is_orig, duration),
+				$conn=c,
+				$n=length,
+				$identifier=fmt("%s%s", c$uid, "early")
+				]);
+
 	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
-				$msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+				$msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
 				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
@@ -75,7 +163,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
-				$msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+				$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
 				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
@@ -83,12 +171,38 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( is_orig && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
-				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length),
+				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
 				$conn=c,
 				$n=length,
-				$identifier=cat(c$uid, length)
+				$identifier=fmt("%s-weak-%d", c$uid, length)
 				]);
 
+	# Examine request lengths based on used cipher...
+	local min_length_choice: vector of min_length;
+	if ( (c$ssl$version == "TLSv11") || (c$ssl$version == "TLSv12") ) # tls 1.1+ have different lengths for CBC
+		min_length_choice = min_lengths_tls11;
+	else
+		min_length_choice = min_lengths;
+
+	for ( i in min_length_choice )
+		{
+		if ( min_length_choice[i]$cipher in c$ssl$cipher )
+			{
+			if ( length < min_length_choice[i]$min_length )
+				{
+				NOTICE([$note=SSL_Heartbeat_Odd_Length,
+					$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
+					$conn=c,
+					$n=length,
+					$identifier=fmt("%s-weak-%d", c$uid, length)
+					]);
+				}
+
+			break;
+			}
+
+		}
+
 	if ( is_orig )
 		{
 		if ( c$ssl?$last_responder_heartbeat_request_size )
@@ -105,8 +219,8 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 			{
 			NOTICE([$note=SSL_Heartbeat_Attack_Success,
-				$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
-					 c$ssl$last_originator_heartbeat_request_size, length),
+				$msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
+					c$ssl$last_originator_heartbeat_request_size, length, duration),
 				$conn=c,
 				$identifier=c$uid # only throw once per connection
 				]);
@@ -119,3 +233,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 			delete c$ssl$last_originator_heartbeat_request_size;
 		}
 	}
+
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+	{
+	if ( content_type == HEARTBEAT )
+		event ssl_encrypted_heartbeat(c, is_orig, length);
+	else if ( (content_type == APPLICATION_DATA) && (length > 0) )
+		{
+		++c$ssl$enc_appdata_packages;
+		c$ssl$enc_appdata_bytes += length;
+		}
+	}
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 8d62245f6b..2c242eb4cb 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -366,7 +366,7 @@ refine connection SSL_Conn += {
 			}
 
 		BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.content_type}, ${rec.is_orig}, ${rec.length});
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
 
 		return true;
 		%}
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log
new file mode 100644
index 0000000000..a3812210d1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-05-14-22-40-47
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1398954957.074664	CXWv6p3arKYeMETxOg	192.168.4.149	54233	162.219.2.166	4443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1	-	192.168.4.149	162.219.2.166	4443	32	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1398954957.074664	CXWv6p3arKYeMETxOg	192.168.4.149	54233	162.219.2.166	4443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Odd_Length	Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/	-	192.168.4.149	162.219.2.166	4443	32	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1398954957.145535	CXWv6p3arKYeMETxOg	192.168.4.149	54233	162.219.2.166	4443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035	-	192.168.4.149	162.219.2.166	4443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-05-14-22-40-47
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log
new file mode 100644
index 0000000000..95960e7e5c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-05-14-22-40-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1397169549.882425	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1	-	192.168.4.149	107.170.241.107	443	32	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1397169549.882425	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Odd_Length	Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/	-	192.168.4.149	107.170.241.107	443	32	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-05-14-22-40-37
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
index dfe9dcec74..db96ffeeaf 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-30-19-34-39
+#open	2014-05-14-22-40-26
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2014-04-30-19-34-39
+1400106542.810248	CXWv6p3arKYeMETxOg	54.221.166.250	56323	162.219.2.166	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1	-	54.221.166.250	162.219.2.166	443	86	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-05-14-22-40-27
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
index 9722e20655..d96ddd42e1 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-24-18-30-54
+#open	2014-05-14-22-40-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2014-04-24-18-30-54
+1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368. Payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-05-14-22-40-19
diff --git a/testing/btest/Traces/tls/heartbleed-encrypted-short.pcap b/testing/btest/Traces/tls/heartbleed-encrypted-short.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..91942d52bb89b4d0fcc4f3be706f2a78d48cd34c
GIT binary patch
literal 4294
zcmaKv3p~_W8^_OoW(?!bAi4FATw?H_8rM`4$|dbumr7fkF$NQ6G&7P~xfF|a>7t8W
zZz;V(HY&B2t!BGQ+EltQ(pIdNEqW`qMc#8*a%uDVJfDwq=A7^IoagzSXU;TTI(3)?
zC}8Ywco+Z-4jR4;@!v5^8GHu+M+VH&JF}BZ@G#H%FBHI10N6)vumPJ2fV70N_lS&C
ze79NS%Z?2XZ==PPq~YNWuK*xX<f<?-nSx;oiZschR`eN#G)muZuL8W`7}+Ry)W-<j
z1v&ssYTFPZBM%y1-fh0v`;`OqaHmkyai^BmD4jx5P*iT(REy})6B)&=>7W8!Ar;xQ
zxLLB@AC3DCq&p_5<5n9wU<O9wU2KBLh*;#L0?c4qkWD3Gy8iK>AnM{)k=G{^b;uZa
z3`sIFwyB%5wSZbH7@EDvU0M6cOrHdMa^F>(_7!u?t)BL2rUDQl)siYojis}J6L19S
z;2Wu$R1VmI9a2rHg495&4|D)ssv;!=MJZiMlg^SFf%#w__zvX5GPz4tr4(Qb_JJip
zUaBFLmnut1Kn@mM8)yO=&;lAj0Z;)M43l6)UO)*@$N(b&MZkg(RiFZ9!Z~H23l}Rw
zS2ISI%fpS@5F!U5bf^~+1gHUZ2s42RQiJ(JSsVIXb-WJKD$KHYiz<9peM*HLJ2o_*
zO;VRXAUZLcHCTh2G|6I<n~*pF>0NT8HkByXYSD*?mEr$JOyG?ZTM-e}!5OO2o{Y)g
z{582W>-ECiVek2;4jvCKjLUJKv%+=z)>ZF?*}o3#1u*kKbr?f;W9*1<JJm}GP?rL#
zE1)hWQm6}v6giVZG6^G*$jah$LWN4RO!G|ZSHUnPIY1<5F_j1!l^jT+(n(%EOdUcC
z4HW4r{t}Kz;wFs7eI%haOe<n8npdJ5`}4T5A|CF}59dobQMemVB;kkgxf}@(_veQT
z_=0ezBVmsglj*kO5Vt6fSd24qUlBi=BZ|kp1QMPonit9+*~b%Y;)!s#C4|uo73O><
z!L%bB?HpK6Yv7QDhV$kzotXA(h|eZO8|cr}C3Hp|sl~;`*+lW9IB~oviA^YvX-b%k
zAC!ja=)?%cl4y<?I%Q8-Mx<cI6ElLz0dfka2H?CRDFws8kM3cY%Dm162AAEu(ea%k
zO*!QupLlfcyO+&Lt)5Pn&e2Z|hA#{RWLU9R^_cHjdwJj0vg_5F>PNLxoBr6AS{j~R
z)}Ct35ANQ!pxg0pza4GhL5<_C)U5BHSli_V==hwt!4x^_o;On{*nG`u^^HI2MV)nY
z=FsKAG>>bqaSgLJU+&3;18Wjf<Mq$rb#VqEL7RH@t?>WZ*AyvqwJ_>KB5xhD&e={Y
z#fG+ie)IQtvHM$sGVT1D%3?d#yHd^D4c(5WU*<(6=qsG#bsG<#zUt%q`~i_Yclpg#
z%gGn417-PJpJ-kGvAU_bZeZQP40Ah4%}ITmzFL3!e+%NBE8F8pP>xtp3h4=vLV7f!
z6GJ+ML;ykw=G{<@LLrmLB?KJ}OexBQB2~ePipj~zlQF^&O{!9KC|VV%{M9tt?8lGf
z-q&BL3tf7k_|hF>7W&wP0xOuL)$Ph^JWzT3&>Q_oh5m+6n;uohQo<Z9(4gRiQOeZn
zrYKFW;Yzd=r=(yjVBx$71u8W>Ss5c?aI}D`1S6tg$!8oe5*bcd5;kK&k}w_P2#F-d
z+13`xM~nn77Dw4|h0(S#!YDpB-X<nAj7aVu-#{Xgy9jd~{DZ8=)z23S@FlU52%(5C
zi6`KF!}OBR2So72ICp#v50B%BalTj_%L~OhT&_?Q3a<+;5#o{v9zJ$OR&t{Fp&SVU
zig+7i`66C4PaqNF!myELAAB#tN26rGby0kdfXl;$f~a^rOeh*z$%l7L5DHzz#EPK)
zc{pEy!?VSVtsUjTz40iD7<l@4To@9?4<B(Zwju0LUT0Bk2nJzUXi;dEHs_yoaYa#+
z)5R4@nAT_(8j+kcmM{#XBqtMzgwxmrfu&jh!w_=CF_R(U*brMT>Jv;`@kmFo<#Gtu
z@vWpZ`+v4__?*c*QHsU3aKFvyew)$#He3!2NCH~{JclO5fY3|R{kMWoYy+?{!Zv^b
zE$0P7+pM;F!$X@wxHmF<4{dF}Q~WFtH`)_|IzMW>7h$hPHnsDUsx10Z=Rch@x$|>>
z8~HBLl|SIUWpd{ansbq+>iTZK-?5%Ig7UV6bZVbVf#BA$x^;f~6_KPTih^xTUl{p`
z9UlGV9_em7_i$1D<INS4=ly1_ul(aRC1i<g-%PeZxkI+}P;Yr&v)O|6nW;N2KRgn+
zo@b%#OO^X2Zdt&y6LVYC-nnhgto+7)$LgeWPfyu-i+rwkF*4nyxFB!GZwJ%wH<^<2
z1GTH1J6NuU{)R;h&v|Sqo?YX<*NElz?oelRq<YA=+F5VEddll*QjA!cd%>z9+DLJK
z_k)v(|H*v#qU*`;KRp)P>s5FfM!(comzHYPy6*a`hTEpSFe;h}zn`#dWq@S>cFSrP
zo#s^IjK=ngSfNk-?nlcz=2ue&)L!KE6lA)SU#wc@dzYUtoBLpsdE}A1O`1=2-#ju>
z@acO97Jcm@c|IS#2-wv@rZZ1awd`NaQK?{MmCNd%8@|-L%XV?~Yq^pMJQ}p6oiv4}
zXURveHQrOkho4{WFZU=K;J##S*|}`(CS4s2q*^p(AM0Q3^7Z08!C;MPpQ^+tJLd-j
zJhk2ZHR<bJ4UzHY=d3;ahdfH29tvux)4os4spae|*k1KImOi6=WAq+xgD0zeBqdED
zrs@4Xwz-YLjqKO6EWfRucjfM2VZG+tNE^GL2e;irlpb7TuTuLt&`mGx4fpNOi_BVs
z9WR?EIu{6xghP}Ue-y9n%6Q>+xab-)_-MSSdExn5JM-JYGgtdIx%h4M6*6e0Gu|o}
z54gVk-~0FG{yzb$Oj*@)#t!+Ic|rl%^3<SQYm4t0y##Y&Tc0c?U$|3qrcWCy1wYPs
zxhyX%YU%mh6XjQ*m8Qz_56hc1vOj;wsEu5gZq<Mu928afhCzx>go;KlRAf`%lz^3k
zf9y@!eD-2*Sa6d1tkMau)MN04)QX5s@&MF97_w=^8i(Rf5Or}789Dw+EkQ&S>@sx}
zAA23axOXxrc28WSlHZH^M=on)4&GPM^_1PLyUi9@q@M6&$lcF!yp`J&|191Aq(^4<
zl7c<SZvuCJF?@RSt?WC!TIib%LqI|~CGq`W?~42-gxk-{8EOT25qraylqi+`k+ket
zdhDXo3--M;9As@ZrSTW-ORCQ1p>u6E#Kto<_3i_f#a|=uNR`QVKP<RoLyJq2x`I)}
z-SNBM17Ce5h`41o1{g5^$fgo8Ba3&4c*gjnL|p}=`I?i7=wM~=CsZ*21~@28pxI{J
zxe~zb>Y3lOTqiLh{7B2LtlMiYeH-EVTSm}^EtWrc&zYNZpBmR$@had3<Gi{ZZLRT}
z+Xt_57Ew3Ka@m)<d~DC3NH5hATkP(4RCOF^_ivP*ZugYWkNtZcc7C99W>d)bt8c7P
zGAv)(>6PL-kX&H7KCbfGa6`smQgfX8?u2Tm$m$iDCDl?p9^J_FmqO0*y05CP?Y4Jf
zI#<YCCsd=|qLIN0-p5}%W6MR2+QI7OKX$L3(H$tt36e7uchO174}OaFRPU>*Hm5$#
z%{Z5ea>p?KP>pFSV-+cVOl2)D7kk6Kp>AJI&}}bNSq~zXm|!3rN*38PVi5Q2Cx}S5
zisQN+A?m_v;P>8Xz1osipKI^kd5qMbP@F5n^(q3~cV=gl{}A~yJ`%Z2bR>Z|=n>ge
z5dgl$-y<TpKUoCf-cVMYBq)M7C>``OQMoA&gR<&HZi(7^W`_tJ^-6}_?<*_yGQD)I
zmk-G_zVCRyho`b4e3eC@w~29TH}}uu%rZ{?<Lw(!7#2>Xadl5SJ?nAXM^Ddz`AmfQ
z9Q=?^wmk|35$`Pg6fwa06GROhOdvXp5vBg*@ffG2ie)h{asw5oq$&}nDkMom!6>X{
lJXLg>gzbQ06bF7FPCvE5;g7}`0#BU;f1^)~F#*O%|3901`|bb$

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed-encrypted.pcap b/testing/btest/Traces/tls/heartbleed-encrypted.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..dc32d689a2b0fa0ead4dc35f431e7a651c4786ce
GIT binary patch
literal 6117
zcmd6rc{tQt{KvoFnK8D(Sh6N#=_b|qP7NutWQovX3ZXQ{U^0eg2B~BxWJ&6_$`Vr1
zrgB?c)lDUYZWJLTOI=zi6~FTxaV^z-e$Vs!<2TQ9o}AM;uk-$V&N-jY`JTUTU&z8h
zIB4uQG6F#`sF3@3v}d~F&`R((TA($K@f-_ihJt=PO9ZlnAS2>{DKrQFr=Nav-cWWE
zChr**zSeWG`zhKv6T>C$NQWQ{PN*1%5fLNDe$qwTVJub{B`YBl$j~MTju_>Sk|D?x
zGR0qEpj4C&UwejasST9`^u|mXgVd<Ff61!f)`y~WK*plv+AwiwIhYA8(==0wg96R`
zDViGrT`HUib=s)_jj%v3RX_&BfN*i>F@T|E8u2di6G|+7{zIZ7)Ok;OGEp82L&?Cw
z30UkC<Xg-=`_vh`Zl7aC*)oR?ME{ZZetYLyjryfs#O^mz5TsnDTQ;vux=grCwoJ54
zu1pLPf^;FhG8sq=AXWf9Gay+AA_fNsli4gbJ($VnlQ~R2=q7|NA_R#+A`l)@fD|Dm
zNF2g|MhUbH2jj397=s;w!D6Fs+YXEzciYqjp=u|g3zFP2WkIBRF826^6NL{(g^d~s
zTowrygNhOzlEtAkaY#_0DMayT?PQb~mGm=W^22dr6iSrGVxf%~2-<+f(s+I3?AJ7B
z!qV`@(;j-mUA~*l4_(dqc&MK4JG6fI3TZIeuWUf2Celu7YZsYDR_^WCzZRnwrc!&<
zRw2N{L%0lVMX)LmB(NU11&4)T448osD-IDNAwn30H$x)v%aBN+*_o)HFj%RO2Z#h-
zR43Ltc2EL_#f2awVh=?e5yfNI<M6T=8#{_TB8OJQWF=^PI+t(m??<xZdy*;hkhy5P
zxU2?^$q3{!Nfs<`7N5>0nKQY3mKTdb=QBw(mN$pR@unCc`e<jYtnN6(oK5HPNEFf<
zF3XS34I$ZZ_)M-J(~~6_$K(bvxg>KlWR`*ig^Da%gdj^6E}`hTfT|v-Qjo<IJ-vl4
z$f^ly*V8CUh{EVZ(>4!93(*+2R1}t<;mPCxk)D2jbQar`&Sm&>$(~Fk64sdL5m*Sq
zM#54MXcxmo!Z1{{+~D`ucd!TAyq_&vr(W@U{+yY2vPDn!$J69!E0>16c_~_)lmW|_
zxG(aL>n_r&^Rbd{y;&^n{p?cda_ZeptAjKK>o4fQ#z$Y&4$N$KI{LAC@u8!ES;vM<
zb`RwsVK)1nA2s)Wo&8*8?LPVXi0$@CoTS8bW1n13eDK<ZP8!#}W*Nv~H56{_xvxK@
z-Kb!1n6K;CC@bsPZ{)Ns3wazym|eQLTDj?V0!`80#1}t6)!B61E&6fV@yc&2dJ~*C
z6>r38($X&p{d1XKx+kt8xX-=mw5ji_oB_=ffA6g4roVA+`D&7koVRw12+wRj%8<QM
z+wX2M;M2e*mMF!ZZ^eLv4(CK-I*>?At6-m~%Hl8xgop#bt4iU(0mPm}WYNlO903u-
zi_F8rLPEk=7*RzVC2{gNxp!?r+Y1ZAJmwp>uV|BoBjq=79T7G3zcq1+h<v!*tL4<1
zgXc~k|DfV4GFa(J?w6czDcEnS(l`x-6gh2mBMB1&1z0Udlt#iu!uFtIgNWeq-Vp>C
z1B03&UL0t`!4a1hgIEC?bP)2GObjfq;lt+#EY;OTqYn?=@;n}!%<%Wq4e)2P7$M{U
zPcI~5aC`s;iReY<$dmrv*yH=3<<B9R1@e9Txh#GN0!|#P98tQ?hs7f?#``cy!E_#p
z#p4AsJxO#1*oB_pz>xU<B)$)mG<HZF>1>uKosR;!%&mbeF4K?6;qyrTUV?7_&TU2-
zRXHE@W3%WS29xB^VTX{s{JDajEO5#=o?xngKyH9Pk4a*2NWiv$vA&}`Fg65L5df?Y
zA^Cf-S>A%ld1OQn^{X0=jLb)LGPN^*i`Dw>E(Vu9*<B1SpRxdL1qF#n9&;EB<02xE
zFl5PC0|Lh`_|EWW@B$`7c!3_e3^Y<uba{f9pv#~m%g2XeV)efdrL*XhN1`s~>4Nd(
z(edQb@ni-a2;w7}s2wu6nTT?%;?EX*Vjuva5d;Dla`kSKJGd@qKkX{nOQk?<gmJ2X
zv6Lv{;-SQL-9|QPjA36w3T9gtLQkBt%(*8t?cbKTRBmW;&x;GP*Wf12I2ScP)7`N8
z!J|@*0>xOR+L!Fl@k*a=5N5kMo9q!zH*7i_bf(&|{bghL3RR7ZDe8re_In=5T+a>?
zv!*Gw6s+ExC6w^B#5CDrb>s78LbnUA-1s*8YS@9(#pQLXwyiJvuI)EdOm|F^u-v`C
zX60ZmV)e(O1z3aohZ$!G&5P;tTyNd~^G%b+ky}I7n8U(Xd@*|IxLI@8bwS4*cK*XO
zi8S$ksz<T!FzE5wM0n$>-E0$Isv?rd-m%3;@r8n_>&H|GZvb)#6^X>n9L*uH;zTzI
zfeaElAte7_C6Kwu9I#*@f&BM50~rG(2V^02A)-g6EJicN#OnXI1ovMF=W=}cnSN1+
zZNg{L7&RX(6cwYx9o6<0wZ#oBTvPmL1^&%TVfO$@;-G3-HBp}$<06%ICaV05vxCW1
zgYK_g`C9F!c_Kk&X`BolKYJ4nog~(@p`|XAanaancu0M%VnY>@_m42gFd(k@^U$ll
zNFyQtw80b4#E@D0c*DXK4esH`G@KoZ@QsOanyhm#be{A^)!lf%wJE?wTk5QfL4c)<
z31VMmcvhiP>Op3~M(b1O>1!TPtBl-ki+2;t_8fVG#d-{1U>kEK`(~Q!+_#o=TJje~
z{T}h={J7zD`yJFAj3_ck!n(>bb2mJ0PceS;_+(o{0Hxrsix1EG(RA@2^1mk>xDW*D
z0z?Wuwz4ohf)hfp;2%U1ZID76(5oMQLX!Dm4w;x_R*Cm3pD=aJRba&-6;vPd8ndEz
zh}T$b0ddL&aR%G&djbPtO68|v3IwGE;~g=v>OYGpJTKn&_~VM|R>Q4B9FRGgvokgS
zdklL@$7um~3=X1gI7%nsLXco2aALND5wHJsuA`0_26ChJ&kRHJ%Gm8qkRd1BDnU%Z
zMuI!Kx~PqD?rzR=@kHxJihatUqf>U<BM+yZOOEejECUTY*QntVUuL=(cR@ulHD5+Z
zSkDKAn6~o0+)p|7^)20%CRqvD9Xl82m#<FItN&2X!S85RfBMjI<N=~#GaQe5AJcgX
zy`j5-8~Rc#Bq&pF=-Bz%spt(ov19TLeYd;d&aWtZFgAGd4gGDGT6bWoee-9l!R6FJ
zOJ{<#MD)4x#*N0G;f$`f#`XJ4`7?KXwU=9cX4m=^p*ue0O4!WW-#sXEvvMRTZ}y6s
z_knt)zh7~de|5@joBwMXa<&&|Us-_Zcyk#iGk~0zUY5Gb(X-*1k-0l>Nx$vcxK{(i
zKD#Zry>-IntaCTB68jZw8tCUOt=$bt>OHO(DnB&zP(F&!pc`&a?|Aj}dRThVmJSb(
z11CLqmc+e3v~X8iwnOQ)Pt1q+-yvTUZ{Er~(BK~5=0*+wn6g4xw|MWL=d*XY+q%@a
z9@mN$TI<5XGR<wa-g)kyPW2s7c~WrBZWrxUigjznqD$68`YV-bd5Z`&@l`f6s^Td|
zsb$;-rmcfsf|azzAIp-pnR&(`8EzsLa|_SuNt4xAmDF_+jW<R|UA%qkMP2zfQCq%f
z^V^G$l#IhAvc;9&7<Apab+%oziQaz9jYEpJA!}~A;BnKk`1skx{I?p0pF-PHYql$W
zS!vf%7wWz;3j5ETdd&>qq~Z<PPy5-CbDIN|j7;o^N&VLX=hPKN<)5r}%?BShuss2S
zZLpAn8SdzTcZ@8PF9Dz8o>m)Ib-b+WYfbOdwfaq8#VemtY_{h<rr)+zD0uUIZbNQt
zV<XkRraePH+w1bkAHu9XzK!#6AieLaAd0PhP%O3N-~*Gjx*p0~Y_893tE^PJydyx#
zMwVsmVn-h~Q%KPDaL%iEa{IMT%8|3ttK`(GB>OV%ygX5Ml6|xKR&;|;)zzgJtfX5)
z3Ws~MW6X+UPyCjb7_M?Td!I)qT>egC{qGh^`ws0D|GW+#bXziMk#dFR-LHmL&%YEX
zxK%v88Q-~0W_4RMB3-(wt5sU&^!>NpYKsrY)Qavd$=B-7$u<71F}yuhRe9(2SRuW8
zc4u7L)9FZ^ZfeNO8~a%J{T~^0;mYBKu1mW)mKxiQLuC+!dvRHX<+c}MJSi`~l^o6A
zYl0YFp0$gw)N-%%@1CvO4^jxbqU_EK2e+Xgq&P|N5s99pp3f7$o~J&PP>G)fj}F|)
zPXs-FEwzzXz@x(#%j=^j34G@ofiLJNl!zVrC2>eV+&Z1O+dZ5JKB~S=CyM-<_(ebr
zm`+S|0z_@2{^`UZ5dxG1Jb;#I4<lj3uL7dh4~dGf_QSz(;xg1~)S*^H@Ni>>yR^;I
zBOxclWA&ZWSzGY0+lz=uPCg}Pq-sHJMGW~<98IfpO=s@0Cvn-EubVt=#&!kyU4!w(
zS2QXV2!RI%`KSY9fH-TQ3oX;cEhT;vi1V2uuB4?Fm<z;d?VT)64v2$clp7DY{s4)V
zX<RySSim)%!Yv)+76wh`qDE_@B=mR0b#n&mR@a6Pf0?DkrzaURDyyBlS%X_MH{6Cu
z8%v$g={v#nzj&wFD|n}AoE)<goj}ZfHRYWq5$v{QC~=(x0SW}Oqh)FqfV{QS1jM`_
z5<wP-x-e=GSU~}C)KLPnW|2%&_vz#mil=Rx)zxvQy25bTz*d^N%tQ6weVN-HxU=<4
zLt9(j+))uC8wt=cFg;qPc{PPNBJis86tBJlUQIw(Yjf+kSIto&iomOmC<*-F;J%Rq
zRYXivuNC3RD*MyRoJx#T@E2t%^FAAMPQ|!0PCJFZo-aAm*r4ps%9Urk7@Ob5)<ls0
z&Rvu8xpMpC_GO_K*+b-y+Aasm43^wYN5x9M`{f$!6L{>&6ptnJT<o=)vId928kkc6
zQGF8uq64vLnPxss8WNaqH`)ANt1<KEk3TVfp#bv_&j98tqa^Udd@M}7!^_}#-gv9^
z>C~3>*tKHlgl1sEUu>gvfe8&iFo8MQ1m|7k*e?{6sNw!g;(h_K{)a^Ai4TbX5}y_R
z(kZaODYjFb!URr9ME3-pHMS?d=&OEn-ZjxF*piW?x6~ubdXI(T>Ms;Pchgf*6F!0o
z^?}dOGVLU2S1X|=^lY4BLL%CC4R}9);R``1Wf)M#T{|roNMi)DSyN<33uH^f+ImHk
TWuru)qF?G#7U**Om9GB*i_(ve

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
index 4a980bb895..52137adbd0 100644
--- a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
@@ -6,8 +6,16 @@
 # @TEST-EXEC: mv notice.log notice-heartbleed-success.log
 # @TEST-EXEC: btest-diff notice-heartbleed-success.log
 
-# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted.pcap %INPUT
 # @TEST-EXEC: mv notice.log notice-encrypted.log
 # @TEST-EXEC: btest-diff notice-encrypted.log
 
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted-success.log
+# @TEST-EXEC: btest-diff notice-encrypted-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-short.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted-short.log
+# @TEST-EXEC: btest-diff notice-encrypted-short.log
+
 @load protocols/ssl/heartbleed

From 5bd0c3fcaffee977b4278e1b930a037774d07765 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 14 May 2014 15:45:47 -0700
Subject: [PATCH 071/136] move tls content types from heartbleed to consts.bro.
 Seems better to put them there...

---
 scripts/base/protocols/ssl/consts.bro       | 11 +++++++++++
 scripts/policy/protocols/ssl/heartbleed.bro | 15 ++-------------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index e1b366130f..da8bb28151 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -15,6 +15,17 @@ export {
 		[TLSv12] = "TLSv12",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
+	## TLS content types:
+	const	CHANGE_CIPHER_SPEC = 20;
+	const	ALERT = 21;
+	const	HANDSHAKE = 22;
+	const	APPLICATION_DATA = 23;
+	const	HEARTBEAT = 24;
+	const	V2_ERROR = 300;
+	const	V2_CLIENT_HELLO = 301;
+	const	V2_CLIENT_MASTER_KEY = 302;
+	const	V2_SERVER_HELLO = 304;
+
 	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 63fc2e72c9..12087f1fc8 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -37,17 +37,6 @@ redef record SSL::Info += {
 	enc_appdata_bytes: count &default=0;
 };
 
-# TLS content types:
-const	CHANGE_CIPHER_SPEC = 20;
-const	ALERT = 21;
-const	HANDSHAKE = 22;
-const	APPLICATION_DATA = 23;
-const	HEARTBEAT = 24;
-const	V2_ERROR = 300;
-const	V2_CLIENT_HELLO = 301;
-const	V2_CLIENT_MASTER_KEY = 302;
-const	V2_SERVER_HELLO = 304;
-
 type min_length: record {
 	cipher: pattern;
 	min_length: count;
@@ -236,9 +225,9 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
 	{
-	if ( content_type == HEARTBEAT )
+	if ( content_type == SSL::HEARTBEAT )
 		event ssl_encrypted_heartbeat(c, is_orig, length);
-	else if ( (content_type == APPLICATION_DATA) && (length > 0) )
+	else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
 		{
 		++c$ssl$enc_appdata_packages;
 		c$ssl$enc_appdata_bytes += length;

From 746c07372924db6d80e93a5553e7241c670d27d0 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 14 May 2014 15:53:26 -0700
Subject: [PATCH 072/136] Replace errors when parsing x509 certs with weirds
 (as requested by Seth).

The one I did not replace is a malloc issue which I think really should
raise an error.
---
 src/file_analysis/analyzer/x509/X509.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 6e0f37e9c9..23cccc6030 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -46,7 +46,7 @@ bool file_analysis::X509::EndOfFile()
 	::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size());
 	if ( ! ssl_cert )
 		{
-		reporter->Error("Could not parse X509 certificate (fuid %s)", GetFile()->GetID().c_str());
+		reporter->Weird(fmt("Could not parse X509 certificate (fuid %s)", GetFile()->GetID().c_str()));
 		return false;
 		}
 
@@ -171,7 +171,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
 		{
 		char tmp[120];
 		ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp));
-		reporter->Error("X509::GetExtensionFromBIO: %s", tmp);
+		reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp));
 		BIO_free_all(bio);
 		return 0;
 		}
@@ -279,7 +279,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		}
 
 	else
-		reporter->Error("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str());
+		reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str()));
 	}
 
 void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
@@ -289,7 +289,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 	GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext);
 	if ( ! altname )
 		{
-		reporter->Error("Could not parse subject alternative names. fuid %s", GetFile()->GetID().c_str());
+		reporter->Weird(fmt("Could not parse subject alternative names. fuid %s", GetFile()->GetID().c_str()));
 		return;
 		}
 
@@ -309,7 +309,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 			{
 			if ( ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING )
 				{
-				reporter->Error("DNS-field does not contain an IA5String. fuid %s", GetFile()->GetID().c_str());
+				reporter->Weird(fmt("DNS-field does not contain an IA5String. fuid %s", GetFile()->GetID().c_str()));
 				continue;
 				}
 
@@ -356,7 +356,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 
 				else
 					{
-					reporter->Error("Weird IP address length %d in subject alternative name. fuid %s", gen->d.ip->length, GetFile()->GetID().c_str());
+					reporter->Weird(fmt("Weird IP address length %d in subject alternative name. fuid %s", gen->d.ip->length, GetFile()->GetID().c_str()));
 					continue;
 					}
 			}

From d88f8d77cb35917a2fe341c87750f1e13a9c5260 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 15 May 2014 09:47:20 -0400
Subject: [PATCH 073/136] Move seq to uint64 to match recent changes in seq
 processing.

---
 src/analyzer/protocol/radius/RADIUS.cc | 2 +-
 src/analyzer/protocol/radius/RADIUS.h  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc
index e88bd40083..a73ab49ce2 100644
--- a/src/analyzer/protocol/radius/RADIUS.cc
+++ b/src/analyzer/protocol/radius/RADIUS.cc
@@ -30,7 +30,7 @@ void RADIUS_Analyzer::Done()
 	}
 
 void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
-	 			  bool orig, int seq, const IP_Hdr* ip, int caplen)
+	 			  bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h
index 85f8f197a6..c0548a4b6f 100644
--- a/src/analyzer/protocol/radius/RADIUS.h
+++ b/src/analyzer/protocol/radius/RADIUS.h
@@ -24,7 +24,7 @@ public:
 	virtual void Done();
 	
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)

From a3e00322a28eef5c6a573bfe52df802b0a7caf4a Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 15 May 2014 11:18:00 -0400
Subject: [PATCH 074/136] Update test baselines.

---
 scripts/base/protocols/radius/main.bro        |  15 +-
 .../Baseline/core.print-bpf-filters/output2   |   9 +-
 .../canonified_loaded_scripts.log             |   9 +-
 .../canonified_loaded_scripts.log             |  12 +-
 .../all-events.log                            | 224 +++++++++---------
 .../smtp-events.log                           |  52 ++--
 6 files changed, 162 insertions(+), 159 deletions(-)

diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
index 0b73ecc257..ab4cf16361 100644
--- a/scripts/base/protocols/radius/main.bro
+++ b/scripts/base/protocols/radius/main.bro
@@ -1,10 +1,9 @@
 ##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
 
-# Generated by binpac_quickstart
-
 module RADIUS;
 
 @load ./consts.bro
+@load base/utils/addrs
 
 export {
 	redef enum Log::ID += { LOG };
@@ -77,9 +76,8 @@ event radius_message(c: connection, result: RADIUS::Message)
 		info$id  = c$id;
 		}
 	
-	switch ( result$code ) {
-		case 1:
-		# Acess-Request
+	switch ( RADIUS::msg_types[result$code] ) {
+		case "Access-Request":
 			if ( result?$attributes ) {
 				# User-Name
 				if ( !info?$username && 1 in result$attributes )
@@ -95,12 +93,10 @@ event radius_message(c: connection, result: RADIUS::Message)
 					info$connect_info = result$attributes[77][0];
 			}
 			break;
-		case 2:
-		# Access-Accept
+		case "Access-Accept":
 			info$result = "success";
 			break;
-		case 3:
-		# Access-Reject
+		case "Access-Reject":
 			info$result = "failed";
 			break;
 	}
@@ -116,5 +112,6 @@ event radius_message(c: connection, result: RADIUS::Message)
 function expire(t: table[count] of Info, idx: count): interval
 	 {
 	 t[idx]$result = "unknown";
+	 Log::write(RADIUS::LOG, t[idx]);
 	 return 0secs;
 	 }
\ No newline at end of file
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index f2825e6cb8..a803d83b91 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -2,6 +2,7 @@
 1 137
 1 161
 1 162
+1 1812
 1 20000
 1 21
 1 2123
@@ -41,8 +42,8 @@
 1 992
 1 993
 1 995
-45 and
-44 or
-45 port
+46 and
+45 or
+46 port
 32 tcp
-13 udp
+14 udp
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index c25c854779..8128554281 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-04-08-22-38-18
+#open	2014-05-15-14-10-48
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -38,15 +38,16 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
@@ -106,4 +107,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/broxygen.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2014-04-08-22-38-18
+#close	2014-05-15-14-10-48
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 488b74e111..03c299141c 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-04-08-22-38-27
+#open	2014-05-15-14-12-26
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -38,15 +38,16 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
@@ -210,6 +211,9 @@ scripts/base/init-default.bro
     scripts/base/protocols/modbus/consts.bro
     scripts/base/protocols/modbus/main.bro
   scripts/base/protocols/pop3/__load__.bro
+  scripts/base/protocols/radius/__load__.bro
+    scripts/base/protocols/radius/main.bro
+      scripts/base/protocols/radius/consts.bro
   scripts/base/protocols/snmp/__load__.bro
     scripts/base/protocols/snmp/main.bro
   scripts/base/protocols/smtp/__load__.bro
@@ -232,4 +236,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-04-08-22-38-27
+#close	2014-05-15-14-12-26
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index c964e793de..4ccfd356c9 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -1,62 +1,62 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
 1254722767.492060 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
 
 1254722767.492060 ChecksumOffloading::check
 1254722767.492060 filter_change_tracking
 1254722767.492060 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.492060 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [3] len: count         = 34
 
 1254722767.492060 dns_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [2] query: string      = mail.patriots.in
                   [3] qtype: count       = 1
                   [4] qclass: count      = 1
 
 1254722767.492060 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
 
 1254722767.526085 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [3] len: count         = 100
 
 1254722767.526085 dns_CNAME_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
                   [3] name: string       = patriots.in
 
 1254722767.526085 dns_A_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
                   [3] a: addr            = 74.53.140.153
 
 1254722767.526085 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
 
 1254722767.529046 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.875996 connection_established
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -64,7 +64,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -72,7 +72,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -80,18 +80,18 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -99,7 +99,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -107,7 +107,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -115,7 +115,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -123,7 +123,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -131,7 +131,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -139,13 +139,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -153,13 +153,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -167,13 +167,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -181,13 +181,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -195,13 +195,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -209,16 +209,16 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.320203 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -226,286 +226,286 @@
                   [5] cont_resp: bool    = F
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=TO, value=<raj_deol2002in@yahoo.co.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=SUBJECT, value=SMTP]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;^Iboundary="----=_NextPart_000_0004_01CA45B0.095693F0"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;^Iboundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692786 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692786 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692786 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Iname="NEWS.txt"]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"]
 
 1254722770.692823 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692823 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692823 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692823 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.695115 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.469814 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494181 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494181 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494199 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834628 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834655 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834655 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858316 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -513,13 +513,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT
@@ -527,24 +527,24 @@
                   [5] cont_resp: bool    = F
 
 1254722776.690444 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 net_done
                   [0] t: time            = 1254722776.690444
 
 1254722776.690444 ChecksumOffloading::check
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 filter_change_tracking
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 bro_done
 1254722776.690444 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
index 41872fda89..652628baa0 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -1,5 +1,5 @@
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -7,7 +7,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -15,7 +15,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -23,13 +23,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -37,7 +37,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -45,7 +45,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -53,7 +53,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -61,7 +61,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -69,7 +69,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -77,13 +77,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -91,13 +91,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -105,13 +105,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -119,13 +119,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -133,13 +133,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -147,13 +147,13 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -161,13 +161,13 @@
                   [5] cont_resp: bool    = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -175,13 +175,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT

From 9ab4744072d9944d74b379284335e26b17eda8f7 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 15 May 2014 11:49:03 -0400
Subject: [PATCH 075/136] Radius functionality and memleak test.

---
 .../scripts.base.protocols.radius.auth/radius.log |  10 ++++++++++
 testing/btest/Traces/radius/radius.trace          | Bin 0 -> 775 bytes
 testing/btest/core/leaks/radius.test              |  10 ++++++++++
 .../btest/scripts/base/protocols/radius/auth.test |   6 ++++++
 4 files changed, 26 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
 create mode 100644 testing/btest/Traces/radius/radius.trace
 create mode 100644 testing/btest/core/leaks/radius.test
 create mode 100644 testing/btest/scripts/base/protocols/radius/auth.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
new file mode 100644
index 0000000000..55e85cd1eb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	radius
+#open	2014-05-15-15-24-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	remote_ip	connect_info	result
+#types	time	string	addr	port	addr	port	string	string	addr	string	string
+1217631137.916736	CXWv6p3arKYeMETxOg	10.0.0.1	1645	10.0.0.100	1812	John.McGuirk	00:14:22:e9:54:5e	-	-	success
+#close	2014-05-15-15-24-25
diff --git a/testing/btest/Traces/radius/radius.trace b/testing/btest/Traces/radius/radius.trace
new file mode 100644
index 0000000000000000000000000000000000000000..d0576f743e3bf70f740527d0f36de690b567aa6c
GIT binary patch
literal 775
zcmca|c+)~A1{MYw`2U}Qff2}AIC-)MM-VT=Rv;UM8DtYSGqx~Dvc1}IfP=x6fnhm=
z8w10C!DX|#fEs`}g)Ns|gkiGnDMnU??l=Ez^`E%g9n+jJ^_|<g`{gWbAXThv3=D^3
zY=I;LKO>)4eny_2Z?b!7W>L1Buz`WDp{1^YnXap&u9JnXg|j?Z$VAu3NY~X;*VIJU
z)RhgSlZgjNvfl9*W@2CvWJES3KuF{0z8x(pZMO<;2O8$jt>^@K;&%)$!*rlN5QaD(
z;uWwbIvE%o7#sxE7(gBXIgwq2EtjG6TopGfL+*!wl!+}#v1T8ACX{Yp(%sC#_W%F?
ze<16b93V~+;`T_*$;sDIP%ZVBU}R(vV-Zlx=9?8^r0>hPT6J@L`;?RbA;GOIHeDL+
z5#ol%OCOY&oR<(fc5y1R{v87q{$k-xhVNy|LC$3O%gb;B=t2<22<uY}?%=R42RRYs
zRB%{tvzKFJV_27!Z}IHb3j+gRW#gw;&D@-+AJ&*I_E%wIWKd!eIQg?|>h#A7E%xzR
z-*<dGxfeA$)YTpp8cuorX-}trRua>C3y?pHfd1?TdJ%*%qN5fX9Xu$}ktt@*#Kw^L
zdskM4Pwkt{BBwrls&rXgjU_rnq0xct41YFeMh2Dup`Az8B?&K=H4=*Ze#*}$IRP~R
F0sy&N+06g|

literal 0
HcmV?d00001

diff --git a/testing/btest/core/leaks/radius.test b/testing/btest/core/leaks/radius.test
new file mode 100644
index 0000000000..478912e8b2
--- /dev/null
+++ b/testing/btest/core/leaks/radius.test
@@ -0,0 +1,10 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/radius/radius.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 30
+
+@load base/protocols/radius
diff --git a/testing/btest/scripts/base/protocols/radius/auth.test b/testing/btest/scripts/base/protocols/radius/auth.test
new file mode 100644
index 0000000000..9ec63dec0a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/radius/auth.test
@@ -0,0 +1,6 @@
+# This tests that a RADIUS authentication gets logged correctly
+
+# @TEST-EXEC: bro -b -r $TRACES/radius/radius.trace %INPUT
+# @TEST-EXEC: btest-diff radius.log
+
+@load base/protocols/radius
\ No newline at end of file

From 6bc914458b4685521c7fb51f448502ffbd15cdd8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 15 May 2014 09:57:01 -0700
Subject: [PATCH 076/136] Add smtp starttls support

---
 scripts/base/protocols/smtp/files.bro         |   4 +-
 scripts/base/protocols/smtp/main.bro          |  11 ++++-
 src/analyzer/protocol/smtp/SMTP.cc            |  39 ++++++++++++++----
 src/analyzer/protocol/smtp/SMTP.h             |   6 +++
 src/analyzer/protocol/smtp/events.bif         |   8 ++++
 .../smtp.log                                  |  10 +++++
 .../ssl.log                                   |  10 +++++
 .../x509.log                                  |  12 ++++++
 testing/btest/Traces/tls/smtp-starttls.pcap   | Bin 0 -> 8693 bytes
 .../scripts/base/protocols/smtp/starttls.test |   6 +++
 10 files changed, 94 insertions(+), 12 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.starttls/x509.log
 create mode 100644 testing/btest/Traces/tls/smtp-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smtp/starttls.test

diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro
index f9ae2ab05f..352c2025a3 100644
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
@@ -41,13 +41,13 @@ function describe_file(f: fa_file): string
 
 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_SMTP, 
+	Files::register_protocol(Analyzer::ANALYZER_SMTP,
 	                         [$get_file_handle = SMTP::get_file_handle,
 	                          $describe        = SMTP::describe_file]);
 	}
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( c?$smtp )
+	if ( c?$smtp && !c$smtp$tls )
 		c$smtp$fuids[|c$smtp$fuids|] = f$id;
 	}
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index d3bd8a97b4..58583d035b 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -49,7 +49,10 @@ export {
 		path:              vector of addr  &log &optional;
 		## Value of the User-Agent header from the client.
 		user_agent:        string          &log &optional;
-		
+
+		## Indicates that the connection has switched to using TLS
+		tls:               bool            &default=F;
+
 		## Indicates if the "Received: from" headers should still be
 		## processed.
 		process_received_from: bool        &default=T;
@@ -276,6 +279,12 @@ event connection_state_remove(c: connection) &priority=-5
 		smtp_message(c);
 	}
 
+event smtp_starttls(c: connection) &priority=5
+	{
+	if ( c?$smtp )
+		c$smtp$tls = T;
+	}
+
 function describe(rec: Info): string
 	{
 	if ( rec?$mailfrom && rec?$rcptto )
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index c3fb21b6a4..e345d5368a 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -8,7 +8,7 @@
 #include "SMTP.h"
 #include "Event.h"
 #include "Reporter.h"
-#include "analyzer/protocol/tcp/ContentLine.h"
+#include "analyzer/Manager.h"
 
 #include "events.bif.h"
 
@@ -44,12 +44,12 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
 	line_after_gap = 0;
 	mail = 0;
 	UpdateState(first_cmd, 0);
-	tcp::ContentLine_Analyzer* cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+	cl_orig = new tcp::ContentLine_Analyzer(conn, true);
 	cl_orig->SetIsNULSensitive(true);
 	cl_orig->SetSkipPartial(true);
 	AddSupportAnalyzer(cl_orig);
 
-	tcp::ContentLine_Analyzer* cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+	cl_resp = new tcp::ContentLine_Analyzer(conn, false);
 	cl_resp->SetIsNULSensitive(true);
 	cl_resp->SetSkipPartial(true);
 	AddSupportAnalyzer(cl_resp);
@@ -118,6 +118,13 @@ void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 
+	// If an TLS transaction has been initiated, forward to child and abort.
+	if ( state == SMTP_IN_TLS )
+		{
+		ForwardStream(length, line, orig);
+		return;
+		}
+
 	// NOTE: do not use IsOrig() here, because of TURN command.
 	int is_sender = orig_is_sender ? orig : ! orig;
 
@@ -152,10 +159,6 @@ void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 	{
 	const char* end_of_line = line + length;
-	if ( state == SMTP_IN_TLS )
-		// Do not try to parse contents after STARTTLS/220.
-		return;
-
 	int cmd_len = 0;
 	const char* cmd = "";
 
@@ -380,6 +383,25 @@ void SMTP_Analyzer::NewCmd(const int cmd_code)
 		first_cmd = cmd_code;
 	}
 
+void SMTP_Analyzer::StartTLS()
+	{
+	// STARTTLS was succesful. Remove SMTP support analyzers, add SSL
+	// analyzer and throw event signifying the change.
+	state = SMTP_IN_TLS;
+	expect_sender = expect_recver = 1;
+	RemoveSupportAnalyzer(cl_orig);
+	RemoveSupportAnalyzer(cl_resp);
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+
+	ConnectionEvent(smtp_starttls, vl);
+	}
+
+
 
 // Here we keep a SMTP state machine and update it on each reply.
 // However, the purpose is NOT to check correctness of SMTP commands
@@ -740,8 +762,7 @@ void SMTP_Analyzer::UpdateState(const int cmd_code, const int reply_code)
 				break;
 
 			case 220:
-				state = SMTP_IN_TLS;
-				expect_sender = expect_recver = 1;
+				StartTLS();
 				break;
 
 			case 454:
diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
index 8caaf846b8..30b14fed2f 100644
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -7,6 +7,7 @@
 using namespace std;
 
 #include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "analyzer/protocol/mime/MIME.h"
 
 #undef SMTP_CMD_DEF
@@ -74,6 +75,7 @@ protected:
 				int detail_len, const char* detail);
 	void UnexpectedCommand(const int cmd_code, const int reply_code);
 	void UnexpectedReply(const int cmd_code, const int reply_code);
+	void StartTLS();
 
 	bool orig_is_sender;
 	int expect_sender, expect_recver;
@@ -88,6 +90,10 @@ protected:
 					// after a gap
 
 	mime::MIME_Mail* mail;
+
+private:
+	tcp::ContentLine_Analyzer* cl_orig;
+	tcp::ContentLine_Analyzer* cl_resp;
 };
 
 } } // namespace analyzer::* 
diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
index 4a376bcbf8..33d4f683b1 100644
--- a/src/analyzer/protocol/smtp/events.bif
+++ b/src/analyzer/protocol/smtp/events.bif
@@ -98,3 +98,11 @@ event smtp_data%(c: connection, is_orig: bool, data: string%);
 ##
 ## .. bro:see:: smtp_data  smtp_request smtp_reply
 event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
+
+## Generated if a connection switched to using TLS using STARTTLS. After this event
+## no more SMTP events will be raised for the connection. See the SSL analyzer for
+## related SSL events.
+##
+## c: The connection
+##
+event smtp_starttls%(c: connection%);
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
new file mode 100644
index 0000000000..91b305783b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open	2014-05-15-16-56-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
+1400168396.898137	CXWv6p3arKYeMETxOg	192.168.4.149	54170	74.125.142.26	25	1	openssl.client.net	-	-	-	-	-	-	-	-	-	-	-	-	220 2.0.0 Ready to start TLS	74.125.142.26,192.168.4.149	-	(empty)
+#close	2014-05-15-16-56-36
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log
new file mode 100644
index 0000000000..cec018c589
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-05-15-16-56-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1400168397.019290	CXWv6p3arKYeMETxOg	192.168.4.149	54170	74.125.142.26	25	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	-	-	-	T	FUE0dj3SWjQASC0bk3,FbPkr51wrSMIUT5Hib,FVW1o23Jjs8yenOhzb	(empty)	CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-05-15-16-56-36
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/x509.log
new file mode 100644
index 0000000000..304728aeaa
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-05-15-16-56-36
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1400168397.069811	FUE0dj3SWjQASC0bk3	3	325D8297987D50B0	CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1378726355.000000	1410262355.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	aspmx.l.google.com,alt1.aspmx.l.google.com,alt2.aspmx.l.google.com,alt3.aspmx.l.google.com,alt4.aspmx.l.google.com,gmail-smtp-in.l.google.com,alt1.gmail-smtp-in.l.google.com,alt2.gmail-smtp-in.l.google.com,alt3.gmail-smtp-in.l.google.com,alt4.gmail-smtp-in.l.google.com,gmr-smtp-in.l.google.com,alt1.gmr-smtp-in.l.google.com,alt2.gmr-smtp-in.l.google.com,alt3.gmr-smtp-in.l.google.com,alt4.gmr-smtp-in.l.google.com,mx.google.com,aspmx2.googlemail.com,aspmx3.googlemail.com,aspmx4.googlemail.com,aspmx5.googlemail.com	-	-	-	F	-
+1400168397.069811	FbPkr51wrSMIUT5Hib	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1400168397.069811	FVW1o23Jjs8yenOhzb	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-05-15-16-56-36
diff --git a/testing/btest/Traces/tls/smtp-starttls.pcap b/testing/btest/Traces/tls/smtp-starttls.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d1d3812689aeeb3891a35c1b846e1f5a2c1aab98
GIT binary patch
literal 8693
zcmdT}c|4R|*gmru!q|;bmdTdLcxG%v5y@VREFme$mSr%bA|y&FEh-g7Di!tiR=jQ6
zp2}Maty*4bFKtL~LJ{9NV<}7CKfdpu@9B4bzd7eQ&voDDy6<z{r=#{t=^i2=gZ`(d
z2LJ->R6i4VESn(-T;XrjfX<q?>sJ&rLL6_nivc?TtgTL218WKZcriK0IeEj_dwD=P
zNl_7g55O^EPfvj;07SCLUj!0~OdyDfTjsG(p?73rFM4dJByfg()OvAyZ3xk)lzaq0
zpW@JkkdXzTd@t{ai`BCvMH(oSJ1}W>oe+H+nJ6ayL`m`iLWh<p$nOgfc^X7TZJ6K2
zyI+pvHw{4a=czIbc77*hpx5752pJ*z{zU~#AsA}Id|g!1DD<^vh_BC)uc>rmuGijP
z#3xEr3iR_8n~gD|mNG+mywJ#CW)LrmVdpW^lgkJTVPX7mW6a!)ZEhYO6vSkiV+;dE
zC_hRNLlsAUj5|RcWo6|{ez&rzG`KS6&y^X;Azu(;BSf47SB2Uzu4cx39|e)lU=}F!
zbJdGz=QzWS!HWrw=JO+&L6PCX(E?_4u%Op@T9DL$^TS9qE@?s}IuZwyIF$xTR8Ey4
z=1x=`AdzjEXC#N5pYT`;+=PCkHVhFjX%>bhendnV7Tv7_i0%lHZGssL4ojebk-&?O
zWAKCH7KaA~Ph!krnX{QJ6O75?m@(N#W^<|H=qnE=KRbqz35UZrF*EBO;!Jb$oar>v
zu5W^;%`8vP86LeoJ6A^=S6jR39-cOyULLk?)9rd+Fl-&YTwR=89eVkC3Rn00G_LO&
zF*M3YT&C`Y!PfaD*mGd8-4S0;>ZQO8$Q5eCf^FsKGYTS|p;I6-5NshLbiZ#=H4uBF
z69DreENa7IF{|X0FcvR|#9}Xut|r<dGJ6JMkpg2e2W=5H6JuhGS;2t|6Bq&>gD(h-
z6EK7%B76E!H-68K+ldj^q6yi-Av;>Xu(JlTlY$WaTmWz&_O_wy5X}Skj)F*MXcfYB
z_sWKm5RpbA5TTM1x=5t6f1Rc*-$4yn7B+rzUdI;amAMDsx)ffR-u%s@#t77$1fUSd
z@JYBXu7xY$;<yGr9_$0VK?GO?%mD|i0jqH~&cyX_9b6h00r|iZn1GeI94>~d;Nt)d
z$m3L;1jKPeTpyo+YvS_w7+f7!1A9RM2nE)_2(UpO$c4H+9cSSN_(WVAm%_<l7nlMJ
z!8Tw6L~&VM6qm$_Km=9;MIZ;p00kfm!~g}5Ko1eFgbgGBnFQdn#DOsclmb+s496q^
z9ZnX9ZYT+-i^2~TA&3YBk%trzA%HZHfnb`DBPw73H41@3q>w}iB192b9LPj6i9{d~
zNhBhHNF<`!1OkM(1gHQ1eo$K3$Php^+&ZWY-54SlN<O2FF-<UJW8g`ObX_QW1unFK
zjd2`qj5Rb830T4;H7Aig1kY+_`W^asW6i~wo^_vgDmfoZAs?%5-85A>CvD?bNq`#y
zAlm~Y2L>VsBLESk#!CPxRUkDMP}X2+l$BVTNMxaqd@=UiwCy{RxyLXnWsF{iV@5lb
zKoAiDm=j9^8$%&^kty;-FAtVHCW|`a^5PD{D#mb%4q|CznrM(DuQD(w2#$mL&#;LX
zgz@6S1qloXHm0UTWf@`Sm^q7O#5OYVgI!qj2D(`2h^E9O#ccy4!$Wv+(cytC8m53u
ziAqvu^5UZff#J~%@9^Ly1Aa;V>Q~=nk|cGIykltujbE2Z5CNn#f;52R;>0wVfv<Ja
zoliw(X7kqH`j@sg^6hM!&WoSyyCTI^q)oreg|xURn7*H~Fwrp%`<l4!ZF*PfpBD1D
zi?+V;u}Si)PceVhuu7A=$o;L+eqD}TQ~QtH{o5sN6&`UnX8E*KM`hO5$Hs5m+a+4#
zn3$q|UT&eDd^W>L!oKeKzSEz}uOIsov}?nZB;U<c@}>ma9rg19o&B%Q@Uz4wn_b<J
zHLklPVtM8bl@Bo?fjc*UKh{puUh+P4!MPq0n%D$;nK^0|4b~;krPz7+`*Eg)Rc|x`
zXEnd{N&4f<4(&fhPR*H^=+iT0_rJUi%L_ebmF;V*R=OTmmi*fLj73CskbY&%LE{J4
zXPnzZB*EO-mqy}ZX`~sLDkNN0n~ca5)2G0s5G4@?ei5-Wq7IrMOHL!I!j5v9Tp&LN
z@*VlhIVVjiFjBx`{^kYycQ1^7_riFj7h^-C0>dK>(4om7JbJKwb)o(Ln80TK#{{GQ
znqWNI1bS#x+{oUk_IWqTYvkJ~uaRe?yheWg=JnvMk)|k&5ws@U-H1?hPVF0pRz@0z
z=pzlA3>n74`m=^WAp2u}n0|jBBW9?F2?Q|~hK4Z_;eDSWyM_)<HV$lNP@LeG$%KK)
zy$4M`>(?)MLHwBBl$9dW$O?~F$gO+VToE17ppZ<q7vq{z0v2GBC}HIZgdQ>x1DHDM
zX_Dy}Emgt!357Q9TwB<Q#a~yPJiB0Qx!(#yObJb3kYz9__@%f$(sswuwf$eAw(|#T
zyPb2tw(G$HhmH*J03y_O3V}>`kU$h6U>Gu`PM(NOz_bfB3&#&E^*6jk{;Fe8uAz<*
zK;Xl?<UJi)D&3T$2Ojm@*W<49UBfqC!dW$M?cyT3_e0Nsdc&PD4F;=q9WHnuy>|SV
zbhz242VpN?<!_evA*EJz?OOJ=XUdDV%mq!4K2@;WwGU}*;TvCz3!;;(JhugFozj^$
zj@;_&$kvu?d%XmY_KHh1pvFC#J-73+8e_f3JdZQ`56<-B-H+A)m&4CB-ekM)DLkZ+
z|DxJ@Zcx-piJbfU57Q?tbxoMhVduYiY^TyNr7_A@VtwOrXNhd;!#6v6<V#+=SYo+S
z>&wo_daqmkzRKY=#(nba)r9uuxJuTfO`%~u4$I?`#C#p{$4(~Qrk+kqJe*tjFn(Ri
z;+(G43V<wzrIE={j2e538;NKUK7=T2+Tdc-S1QEisSd$B&$xKL097_7YaFHwLjp^i
z+`za)ByT}rB*WIGub>%YCM@{RL|D*FFk{TPuls*lJO8U>?b0JJ@qfh4wxH}wd;W;)
zcrJ75XXTi&YwS~=Z~Xgn=FRcVe%*o8Q|#%Pg#rl=H?N|bX$x|iKl;wQ`a&dCt|DOT
z)N^wjIjtV;S`D4q?-eU<wR%unox65>K25$*7{ObO-{z|8VkGN2F}{1`@*ayR2hAuO
z&b!ExKPGEEZTQy3itXHbfBqMy^U-N{t3FgL8e3ZJ@kG&OoqDBmpn6Syu~m@%N|W&5
zm6ghW+iP@q<Xm`_>MV0rud#ePL-v|^t_-=bB``5ZJIi%e{L7O~VmB1JZfYzlbG>Cx
z+P<BXf**gn?5Lg5t#Yf_Q%_s9wJ%dmGV}90rDPK_)y)1rx*;ySw`8s8#8z|++R%97
zj<EHaorgshO3Ef5N)A4KquTWsc^GlO%b`sulm{`40#yQ@fiWpGCXFP649`mx%%XRr
z8euHVu+X4TKVxE_fCa_D!WYaFpcE2H7#!dmh6+N3Sp%gk60_{rJ*b25bIhQ>j}bD)
z_rdgkV1V>&5a3Wb`Y9fRPi{gfFnvf#m7Q=zPhlr#NttG0ywBO=De2S7<LcBNZ7`*5
zf8LTa+3d%-X+GT=l@aGT0e2>AN6UQ-2wiM%y{S&2aw)YbC!}se1}}9_xi>o}qrQI8
z4RY3;<!u+Md8<f1SHj%oYkpL=Cs^j1w0Q43|J=99ZTgsf1)Rh-`#Y*~`ED0(TX%VN
zQv#;csd%5?=Dv(KTkrASL)+@J1ebFzv_$8~_b9bY`J+^3eKo)H-A3ZomQJIxoXM{)
zSB3fT9~Wyam`pLrr<NF<UrO4<oUwE+*J4F&b75r+r@r)C==asua|3brjS=Y)H6j)_
zUK|uz+I6FD>+MNmmMOG^%0ezf%hM<pkXFDmOfr;$hCV5fJKHc+3S56m0n+v|sO_KO
z#TaTs&+X(_B|>etbsenj&b2~qrxOddUmvXP=+F!+2NDr+c~QIA`0$Xxr7Qzj&)|rJ
zyjI@`!y`B-J}#JH8yqJH4+#$n6a@b~JR_mO*q8~M1=R&U=;X}7I0N1P6EXWQg{iBi
z2Vp;2l{CkCr_6aaC6e<x_SDks+H-pz&FCn$JxO{$bG)e7nmQlD5c7%WMV7A1=e!d+
zwJ0UFsG(y1fn%RiUuWt{7id3dO8;`?K=!pA*Qe1<6!MSku;0vdyYYFo?Il{yYy<A6
zOoP<K*+>3uo)>W!tUsgBp`d8;4{pD2SzKlI#p_=BHMh50?b2CT{p@DCa_kM)hT8kf
zN|bB7o>n&A4d8gZ@psEI=;msgc7-%lZ74EV2B&g}=GhWb-5ll}Rgt{5nN~b$QPrc9
z)HcpHfBD_iL*BeLKu7<vWwF9}_D4ENcNRJJ&0!<U7o4-ArYjfhO87v-TIb>V?_wif
zf9q427Hmb+Acb*k2>Yggw>0OW!y`?GjGNJpO}lG<QJ4`0NE)e!P+>$c5)_sHt-SDs
z$rBVPlowY7&LBHrc9<=N41WS_GG^YdF+>8*0BH;#9=4V&Su#jk4C8|N@Y*XVm=Ax&
z@c7{ZUR=VE-9lQi0xW(Z7wzgolgq#;r7Og4wTNB27Ml{%e7UK1vU*QTOQq`rTh6gF
zSTg;#SNh&XRi?7L-Z_Tsi&}nKzSg08ou5Cy>(772v6VT8w;L-Q+IIKjJ{1Kqr;}&j
zWPeIG{iy2AyHR(JAGGQ9@?};URhFVn^EiTCuSi_iJx6ym2mZTqsvP{EEMcZ3AUKhL
zk_{OPA${d+YNskStHd%(vdhm@eY{ez@Qc{(=^BaO-Q9fK9+Q3NmbvA0b0|@aXD-%m
z`vW$}Kal0Cnu$CVO<8{%N<5f*ckRy2(bf(v$14xr#n|iS%xfej<=q@pT7=oB)G-5=
z$?9Ds9OU^t4?R)zT1G9Ra#3?ZYuH**T7`#HeudWfb{8e)i%IDl-hW|6*7=&vT_jrR
z^hxPJaLqA>%O9uDPjbMD#gAJM<SKP9akE^Xp2@@~Cryg_b4rr)^Q{Y1az3rxbpK_p
zbXh#pGT-xFX=HjwG1s~6?>{ty0_V3iSVvyrX?<8jG~J@ha@L>z(BhM5dG~~BR!7i=
zQ@5U_dbzY_ttm2%3OvlXGsf{&N9L^@e<rOs-uTCN<;?wQAqoLs*S)T4Y-!p&dqMe(
z51#KyFZMVWOmHmvVsp4*59`_?gGn0bc7ZGf?_7`o`pXhVxncWG80kKYu6xAAxi(cs
zJ?@tqwsLg9MTn83B7W%n9im%0M4T`ZqMzJoK4!a&iuhq9#9#&i;E(~-hTZ~#Qt6mc
z5a|q1kkBjp@T%rKS~VinUIyM&+K{cO2b~XHeO2^&r+E2}6swXiGD=*HPW}n!#V0jW
zRo8zIJ-JYHi=pR%@|!K%<`d=aCoVRA!blD;S9M+Pw(z(jPXR&^2nbNu#3?KO(#eXC
z_f`X}J>}hQ=7dWpo!&aU|M-G<MaTc|jJ=#Z<)WEJVTg0;9RkpWH$bQjEn|eSC0~U1
zvb4cv%q<<3u><g4wxDd)KpA_9)`ZOe2@B#OK*+>F(bGATU#|7mO^$d!mvZ4;<h4~L
z4|9T6&tBbC9Yrs=CQ#AWlv1k>t_#Sxn@3(7Z<|YQm(;|+PS48Sdepk%J4HN&$FBJ2
z``wJM``mczv|I$WW2=>t|L{21A(3&X?95`tiDhq0OZ4L%^FQh@IQ=h?7<n=Mik-id
z!mX>~6}wH3^+YH8`ezgeKYO4edG27+4~r&W@0(nffKz*a>6fUtG(Yani0WT>Lm@@a
zJIlOpx@(QbAGesWSEj>H@$D1oZ1w#69!0E(O<RBb6OVXX1bO@Y{j#RSh<R|}hzmCy
z=IZBPGV24(gO|4;qNXSnUd94p8<ttV^wd!hQD!mvGs|iVLR5m0VDu$IWA>dy<83ut
zp8BZd{WV?1yWJ`J>=<7KF+*h5@)Q+3fo4$~ngHNdNvkjc<_}H)Za7SUDwF`51`>dN
z!7|Tk3o^S6BB6(n(l{yWjOf~l<`T=A(_GUhz0B-7c(J~|qg#cXHM7fzHb<?BJiml5
z7V@%V-Zq;PEeB^CtWUgnzUduv${wodi@OV$=IpmSYTQqoZ^(18@+sdMNy<5Lr8>b$
zqqL-Tezieun8d6ZVb40)y7ly1qB-rSr=9ayb>IJrmf6G!#WKzQ@Y;>rsebg^rB7Eb
zHl9F>eF7Kz`>2VLM&!8ah>JTJMy>5<)U5C)O7shNA!71b3W$P>MQvEr=2dx(f{3D~
z(;qd*0|*h(r_&d;Cgb*}&Tp(^p7=?Yoq3>kdf&tcN)CHJuA@JGv$rkd5;A@~N))Vx
zc2OG^yQGq@!q}A#j-5Lh#;y&;PGHf$c{S=R^BfN#<F;rS@F9jhG@ohqK+dvRCcMC=
z{k3@TkM5-8m3Y}-W*i;M8&dwJw9Vs71B%I}Q+@SXL+lqHdO+7nv$@_<^(q>9#*G#o
zg=pjA5ou|IM9+Xkcm5>W@!k_9jk;Qh7*Qz#7DCTZ8%DHuyYVQ9h-lS*qPd0$5v^6V
zkLc#4jr3OQ0}5l}bIPVlDZQNg-sbHUHDq(m5(@mg2oSbm{AQK33HjYKgx?uSipq4v
z@9tOq{OUzm=5Y;?O%LQfd`P~;j@LDFd{^z>$KQA)w&(8dw4}y~OEXKQFPBtgjnAon
zyxgSwpQ!zrx#O-AIn08~lc|LUP5x{4SDY-K`?-63xPP^5w(X)M`U~fy$kPqb)BeOB
z=BaT>yU^2)A)XcqJ(VRE{G&hEQ-nBi=}*LAd>hN#jKsGx9Y(MSM)3R32y)>c1N9;h
zB5PDcwQave-2Xd7)dUI%glwWV%tsHs$D<&koESTh6G9&qVSL8+<;152Cr`AGyIDg}
z`TXjIdhXYiPo>ZjoT0&fnui%QF7F=Epcy1(f2u44j6}*kZBh6~HXv-n0;gNjfdc19
i8WOnuXuVumXQ!fqA$*W`_eaP2Cd3-@7j*X#u>J=^-c#KG

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smtp/starttls.test b/testing/btest/scripts/base/protocols/smtp/starttls.test
new file mode 100644
index 0000000000..e3a114f572
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/starttls.test
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/smtp-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/smtp

From 388b8f92ec29e65a81cc577714bee73a5ae5a31d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 15 May 2014 10:25:21 -0700
Subject: [PATCH 077/136] add starttls support for pop3

---
 src/analyzer/protocol/pop3/POP3.cc            |  38 +++++++++++++++---
 src/analyzer/protocol/pop3/POP3.h             |   6 ++-
 src/analyzer/protocol/pop3/events.bif         |   9 +----
 .../ssl.log                                   |  10 +++++
 .../x509.log                                  |  10 +++++
 testing/btest/Traces/tls/pop3-starttls.pcap   | Bin 0 -> 5841 bytes
 .../scripts/base/protocols/pop3/starttls.bro  |  20 +++++++++
 7 files changed, 78 insertions(+), 15 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log
 create mode 100644 testing/btest/Traces/tls/pop3-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/pop3/starttls.bro

diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 1b6b4c53b6..01b6f1ad67 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -13,6 +13,7 @@
 #include "POP3.h"
 #include "Event.h"
 #include "Reporter.h"
+#include "analyzer/Manager.h"
 #include "analyzer/protocol/login/NVT.h"
 
 #include "events.bif.h"
@@ -41,15 +42,18 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn)
 	waitingForAuthentication = false;
 	requestForMultiLine = false;
 	multiLine = false;
-	backOff = false;
+	tls = false;
 
 	lastRequiredCommand = 0;
 	authLines = 0;
 
 	mail = 0;
 
-	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
-	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
+	cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+	AddSupportAnalyzer(cl_orig);
+
+	cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+	AddSupportAnalyzer(cl_resp);
 	}
 
 POP3_Analyzer::~POP3_Analyzer()
@@ -69,7 +73,13 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
-	if ( (TCP() && TCP()->IsPartial()) || backOff )
+	if ( tls )
+		{
+		ForwardStream(len, data, orig);
+		return;
+		}
+
+	if ( (TCP() && TCP()->IsPartial()) )
 		return;
 
 	BroString terminated_string(data, len, 1);
@@ -717,8 +727,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 			break;
 
 		case STLS:
-			backOff = true;
-			POP3Event(pop3_terminate, false, "Terminating due to TLS");
+			tls = true;
+			StartTLS();
 			return;
 
 		case QUIT:
@@ -804,6 +814,22 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 	}
 	}
 
+void POP3_Analyzer::StartTLS()
+	{
+	// STARTTLS was succesful. Remove support analyzers, add SSL
+	// analyzer and throw event signifying the change.
+	RemoveSupportAnalyzer(cl_orig);
+	RemoveSupportAnalyzer(cl_resp);
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+
+	ConnectionEvent(pop3_starttls, vl);
+	}
+
 void POP3_Analyzer::AuthSuccessfull()
 	{
 	if ( user.size() )
diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h
index ab535420e5..12fcfc2e57 100644
--- a/src/analyzer/protocol/pop3/POP3.h
+++ b/src/analyzer/protocol/pop3/POP3.h
@@ -10,6 +10,7 @@
 #include <algorithm>
 
 #include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "analyzer/protocol/login/NVT.h"
 #include "analyzer/protocol/mime/MIME.h"
 
@@ -97,6 +98,7 @@ protected:
 	void BeginData();
 	void ProcessData(int length, const char* line);
 	void EndData();
+	void StartTLS();
 
 	vector<string> TokenizeLine(const string input, const char split);
 	int ParseCmd(string cmd);
@@ -108,7 +110,9 @@ protected:
 	list<string> cmds;
 
 private:
-	bool backOff;
+	bool tls;
+	tcp::ContentLine_Analyzer* cl_orig;
+	tcp::ContentLine_Analyzer* cl_resp;
 };
 
 } } // namespace analyzer::* 
diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index 7692c61f6b..970ae0186c 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -106,21 +106,14 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## is_orig: Always false.
-##
-## msg: A descriptive message why processing was stopped.
-##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. note:: Currently, only the ``STARTLS`` command is recognized and
-##    triggers this.
-##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
 ##    been ported to Bro 2.x. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
-event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+event pop3_starttls%(c: connection%);
 
 ## Generated for successful authentications on POP3 connections.
 ##
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
new file mode 100644
index 0000000000..1eab1092ed
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-05-15-17-23-07
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1400173552.424910	CXWv6p3arKYeMETxOg	192.168.4.149	54775	192.168.4.149	110	TLSv12	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	-	-	-	-	T	FEdAw24VSam39HNlY5	(empty)	emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE	emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE	-	-
+#close	2014-05-15-17-23-07
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log
new file mode 100644
index 0000000000..18194ddb9f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-05-15-17-23-07
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1400173552.426860	FEdAw24VSam39HNlY5	3	01	emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE	emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE	1178385788.000000	1493745788.000000	rsaEncryption	md5WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	F	-
+#close	2014-05-15-17-23-07
diff --git a/testing/btest/Traces/tls/pop3-starttls.pcap b/testing/btest/Traces/tls/pop3-starttls.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..cd1b2a8bdf5b95e55f8a9855ebd2217a09bdbf69
GIT binary patch
literal 5841
zcmdUzc{r47AII-mZ4Jf@rYI9RBFi(wL}bZwqNwDc#ZlJmc{Nn1>}5$(T9mRREkcAA
zCr@ZmA+(XwMmd%`giez8ei&us^}g?a?>pCZU)Ma(+|TF!{=UE8eP6$49#$4+-~kbg
ze?~^ezJ2WD+H`Iu15<d34LlrX02rwa8v!FS0O%QF3N{`M0>3)5CNb=(0{qBG+yyw7
zX!sOIAP{jlL1F#(=X<c<h!B7=k!?RSOEmeJ!0*wZWzwqSkSkswF*Ot8jx$XmQwOer
z4W3RdsXl%tPp3HKriF<sypGENU|b)@!nCcPf-_>s&*5oH!?gV?&ck3b$bwq1!P9f{
z!2D@A429S6Gx+r^Sh<|(<K(*C*U81%jq9QAv)RSThiS4sAaDzF)yh?x%pkV9raEgO
zbBkL*kXryVzzt4jE@p99Y|cUsN1Ls!4Zk6pI&3X<mKK7rv^6;#w$V>W1Bx&f`Ufa^
zvW0WQ_$B|a&{`0N-ZGVij1V#~fMH{U7rHJhbQ%r=a&q`XxB1P|W=xd^q)k@kn8HsR
zONg}~Oo-IKN{AWc*h59w;Hk1{S~?8}CL|8!SA`|S*lm-i9}~)B`nhe|%=L8QdT#b(
z`fc7iCf9Zfxoe&Im*JTxWtn8H1m!kQWnwMl=tG^@7?X=%bbaeI9EL)3!s+jFKVbDN
zMZn<!4&c5L2x_u9=S__=MddZf#P=en16^KRe)lFBsrHrl^6g|p{5Am6Q3O>*=cDsb
zIx39HqjO>Do&?^&3oL^E?*Y3}HmZ)QpueDEC<&wieZT=xs01pA%Aztr3eZprN&v#B
z2D$)MLKRRNDul|Rb3i6I0X6|6pb6L@6&!^Jh$+fK)lg+r5fw#=;5b+eG{7OS1PGv1
zQ~;fU;sFUBMv_1R2mv~v0zp6q1Tcb!k+6XXAQAu!OBiTDpeUe#neg5Wz<`s5p$zHK
z=>qUUNeCf92n||*hX64k4q*x~{S?3ibI3R{o=hO&NO%%FrHFVUfq*062?RV2kH=%P
zaX5&$0jK|ef3Th1HbqftNbwgFZx1QenLU$%MOiVSD6wMtfN^{x$sj}!jE=FQ6x<rF
zI1PuPP?7xhdr^MGI8p=x(1i~#BoJyZD$tUgRoL&{9o3YZDq|nfBrUG&dH+C3{AQ8a
zFI*1*PU3**2+TVe%^Q{z_&BLV1ds{=DIbt>kqFWmB!ZBXKAJZi4xx~RRAS6y1}Qik
zkpz(NaFz%nL?+l0$uzvF8A}XKfENNZvQ?m;r;7)Riilx1glU47o<2@n-F&z#IwFDH
z5}}EV-(s398J|d)Fi{av_`aGDPD;vu^A@hJ(-y8<fRPUmrta#7%#o%b+6V{Xu(a8l
zh|W4`3Jber^DdF_*#BOmI3hZxQNU*O?BBwgjmThk2sFBjho`TTTY!`L1QD$NP-_HE
zexijq5+Fq2!~hb36UIlt9r363yvWa|vpqzUh~~6o$FmxDsLHsu92GmB)X%vk+&r&Z
z-^?CgSat63o1l#k>59fnH@(eC`MN$;T4meZi$-^8RRNtUZn@5?w#&{r*q$lApnp+Z
zO4ry^GoSr6J-0DT)<DFI(oTCj_iXFlFTH8mMq*2j#>yLKY)>dGDZ9zo7<(1BBZI-{
zEl|Hct3h6((lD_x+1!siM9SRPwWtvdNYmF~dz34mON;fLdn<6}pB=wGB`&22OC2EW
z)Qa$1KUmeSAvv?~Pr-~PRK8=mB#H86^S!?_2J*@8rAe3Pm!D5e30GZ)I8Z$guG0u#
zuD<$H>G1Ai{ooL!uP0k;*#2t>o&c*cD*`769g!I=tl2ao9svlIEVMDk92fK17#1Fp
zfF~Pa#W8-1LX?uC|EMOn0IsLIr;8KU4Vev-Hd~Y^MWm}ZbgdLVmbfM-tiGbO#X0W5
zOdUleyafAQff$~Lgr5(ir(OMO`pE;e2#~CL*=!~+<;PMzoe{qKRCv_?LZwFtfg*X`
zXcbhte_|2AeMpFar*}|>kU`EzrHThti-o@J*!jwz)aK}*FVge+iD+x$@}hjDHKsS3
z2C~iy?|tq&xcJ_66Wxv-+2;OlovCYAJO2K$Hg4$lUw3Si|9)wxxWsp%7R@m0@n<D@
zyV>RxH99fw??R=|@`&uA)H8452H7f9-J=?yLA{>dXsds|x~<%urq=T0l5T@`*gaL%
zp#85-ic%kk{OZ)#6irn1nPGaey<|pRN!3~Fl`DjmHOl?1KQlM_g_@?9RU7I_>&Rz(
zz8k1)b1@LznPGVBMuVTb<t3{0g%py^#)`{tpM;)aR8n%JE*w@T1Qj^yCJk)=hu7fU
zJfbUwnN#49y5${Xm}7jzyS?;Y{G8stX4bA>vu5`m^3l9-w6Uz#`pG@F%5s0>4ypBX
zl7-CWqK>a0_`U73{K9W5YLHdb9KE9DxBswLv1!)br?!2z;#Nl$o$8U=JXy^|9RjXv
z-<uPGe?&!GEYzkp3`E$OX|Uzu4UVbaxO$HG=J2*GkB&X6f7IuucviMX`aVCGOF3av
z^l)$XUUwh4P>$Zk3ulK)N^emW-YLnf&$Gg3X1uVw=Wei}G%pej6S{NzoPWjTmg?4v
zWtB+&sgTgL%Y>Egi|clNO)}E3vR>O`Bg=d>p!cP%Cf?&}e`sT!%c}y{Zp%GS3a&(u
z=3T&Fd1MlmxmoeW<LI2q+ebI`apBR87n=d_A|Pyp_o)_Z&YbH}p;dLuIX<jKwq6;(
zLNIRAeJ)<)`e{AdF?s7{g4+|dh|fQy%q*(WHIYFU2>bSKplh#u#qssEt}uHWT^!`>
zxbxO0OXH5y+TGqFBMv2>$feyqI^IL;Vozr0ot#GvT`t#dG2h*~tKBAid|j-A2(!wx
zwWDUvyi&*2s(P=o^(K{}O<0t(fUZ5`zG?jZ^tz@@(`V8}eT6rJjQ2&!cv;x*RjhBw
z+7?}RCa_~w!SF`q7DGSTw3I@QPFO<C{M-ElJ#x-2^!=I2o}2AlJWIEP?zt3K+i~@>
zg?3fQsf)|1Z=dS63l2`I_+Zf7?$+XXgbdHq+&9n7gJ|=H=cQ3)*5&tZ3!C#-{_9-9
z!C;onLbo>sed_FRYX09{pI)TjDeLRcGwQZSx-&Z3Yb9zUlE3PiI`$a*&*g0W>y^TJ
zt5uKAT<*~ek*Qu#^#XCQTb`bqEvoS>i<R}8Z0nO%6zcsqX=0vvk8WgItDT~V*4ytY
zPl$P1u~1j^Lw~yAvM#l?2&3}c1{?PsuAN7&h3G7;jsK;o^P%obd%c8ut#WFcZd4~{
zIR5gGw7Ddwt4wpZ=K>c4=X~F5eWp)Z?CV#j1n$2Q#FFcpVUhjXyE@wU`ZcbPn?&+Q
ziQVo^v#fT>EaR+}7x&uUZ(xM?dQlqGKBvgGc-v#F8$c)k%*UEAywSgH%V5Vh_6`{j
zTan4H1sc2gTamFo`<aYo(poRr(%4RDX|Pu0Bi7OsCz62(>@Tn}*3#ev*dx<$7z(!W
z-0v+-FUG-w5D)>d#{>ZT9wQDw1PH5X9ZEiMX|b123tdh0m}+!M$jr^dPjB4q&t4o9
zJhCrMP%U)<v!BlKE;TV<dQkk^mxpaN3Awq6@AqlE^Q^p$PrNzgT0To`1vfZcH_Bs?
zgz=UJH@f8pzj~&;6j|p~<>883Ht!x7vQ~k#BL$I%Em9)Q<@!xrzba-J2JYDZu!;_)
zj5bVw^-!6;arUjAn!~e@)T5m%4k~LKHL44qQ9En&puOoI)(`cqmiSAS9cpw4jw^He
z{S<m1v!)wbGudJ@d46lgy2iC$uxspr7GIiRF=kCK#_>8p1`1dU_rqejvbEE27z&r-
z6TVyAhjB1l&k+GQ4RF?BAl+C0i=P~KVE)nl0fNbF(G^Qv*7$jUdn~j3y0)&X(qL!W
z$0}R3fu{sJ70>2brKv646W(`2%fH=Ety`_7W%o@w#=@f}&%{oWaW2P_)AuqjSt&VI
zSub+O=~K=s=ihx3o)>VZSb8XX^@gG$Il3_=R=0*}yGFpGD$vLN!mgt)zmgMou1{N#
z@f&?^M%$Gc;qG;w?sCoPR+2CG-pj8V<i<>}zR}8G=+)xPB-44dfx-_;LfXuP?}S?G
zw<blMOg!j+<hpLGURT?~T&J>`+Y%02H3permYs)|O}4(flixC4b@x~%t+R#JFP&gL
zW?5e^<ZO#3fsL>#u`yQNz+wKSX*dkXsUEk!$Oq#{L+cfI1yn0vF5ZwFT!LO>T$t(X
z-LTqslZg3_?*6OC9@}H<-G%E-)*Ttkzus8Mth22%Yr$UD3xDXw)+_SCILl&4AP8#4
z22Xc@h0Qb^2IRC()LrC*>0ZQhe}8xmE;9A*5)-Cf=c0i^wd_>Gx4H>Nd!_Gw45B$y
ziT{%A>NM;}U$l}nYs7JRQ{|rhn2JMC#pG!89`LIe%R&o$mtS`PMq@HnG~OMQpRy2F
zGYy9UIp4ETybp6_VixMcA}@-`zHPE|*87;gtB3QaRn5BLyrwmF0qSf_HwxFAtowv4
z|9ZSE9DrFcfV%U4=*HG7-iLAWyMER^t8E$%19JFu7w;R@&C5cv&DCeN&(tN$ZGy=e
zHEh|DOJx7nwnG9sF?CVcdVO%c$+}rf_}An4Z2<kg26Y=vrJLRTGbiCGKZh6pwbA&g
zeDNoZ$8R?U$7Ir9MicauP11vLlCZb}r{EAxrqok5MLxcBo<q*>a7SQ+w=33ekL2g@
z>0v;BZjJAX;!%zy+!ajTZhr8`Z{Z0s=^2Z5^m`N95Be0f+bJ(AVh_<V(ULtso7k#9
z<zg-{8D(KqzGQqC&4wIRC>R?&(esZ)^K*E~D1%eLDtOArr2v3wSUttFPwW5vv;PEV
CitM2P

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.bro
new file mode 100644
index 0000000000..381e4769e8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/pop3/starttls.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/conn
+@load base/protocols/ssl
+
+module POP3;
+
+const ports = {
+	110/tcp
+};
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
+	}
+
+

From 10cc44b37fe8e4257af02d48e2d50526afb7de1a Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 15 May 2014 10:53:11 -0700
Subject: [PATCH 078/136] Add tls flag to smtp.log. Will be set if a connection
 switched to startls.

---
 scripts/base/protocols/smtp/main.bro          |   3 +-
 .../smtp.log                                  |  10 +-
 .../smtp.log                                  |  10 +-
 .../smtp.log                                  |  10 +-
 .../all-events.log                            | 190 +++++++++---------
 .../smtp-events.log                           |  50 ++---
 6 files changed, 136 insertions(+), 137 deletions(-)

diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index 58583d035b..bee5d5f1ab 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -51,8 +51,7 @@ export {
 		user_agent:        string          &log &optional;
 
 		## Indicates that the connection has switched to using TLS
-		tls:               bool            &default=F;
-
+		tls:               bool            &log &default=F;
 		## Indicates if the "Received: from" headers should still be
 		## processed.
 		process_received_from: bool        &default=T;
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
index 27791f873d..6a22c5d57f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2014-04-01-23-15-59
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
-#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
-1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	<nhfjenna_neumann@lycos.com>	<thenightwatch@t-online.de>	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	FVS9k93PUgScEUCOjd
-#close	2014-04-01-23-15-59
+#open	2014-05-15-17-52-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	<nhfjenna_neumann@lycos.com>	<thenightwatch@t-online.de>	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	F	FVS9k93PUgScEUCOjd
+#close	2014-05-15-17-52-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
index 0fcd5e98f6..23d1d05d1e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2014-04-01-23-16-17
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
-#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
-1254722768.219663	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
-#close	2014-04-01-23-16-17
+#open	2014-05-15-17-52-20
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+1254722768.219663	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	F	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
+#close	2014-05-15-17-52-20
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
index 91b305783b..a8f2a95678 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/smtp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2014-05-15-16-56-36
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
-#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
-1400168396.898137	CXWv6p3arKYeMETxOg	192.168.4.149	54170	74.125.142.26	25	1	openssl.client.net	-	-	-	-	-	-	-	-	-	-	-	-	220 2.0.0 Ready to start TLS	74.125.142.26,192.168.4.149	-	(empty)
-#close	2014-05-15-16-56-36
+#open	2014-05-15-17-52-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+1400168396.898137	CXWv6p3arKYeMETxOg	192.168.4.149	54170	74.125.142.26	25	1	openssl.client.net	-	-	-	-	-	-	-	-	-	-	-	-	220 2.0.0 Ready to start TLS	74.125.142.26,192.168.4.149	-	T	(empty)
+#close	2014-05-15-17-52-23
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index c964e793de..fbb041fe41 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -64,7 +64,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -72,7 +72,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -80,18 +80,18 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -99,7 +99,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -107,7 +107,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -115,7 +115,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -123,7 +123,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -131,7 +131,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -139,13 +139,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -153,13 +153,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -167,13 +167,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -181,13 +181,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -195,13 +195,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -209,16 +209,16 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.320203 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -226,189 +226,189 @@
                   [5] cont_resp: bool    = F
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=TO, value=<raj_deol2002in@yahoo.co.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=SUBJECT, value=SMTP]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;^Iboundary="----=_NextPart_000_0004_01CA45B0.095693F0"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;^Iboundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692786 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692786 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692786 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Iname="NEWS.txt"]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"]
 
 1254722770.692823 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692823 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692823 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692823 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.695115 new_connection
@@ -416,96 +416,96 @@
 
 1254722771.469814 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494181 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494181 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.494199 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834628 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834655 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.834655 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858316 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -513,13 +513,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT
@@ -538,7 +538,7 @@
 
 1254722776.690444 filter_change_tracking
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 connection_state_remove
                   [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
index 41872fda89..bf8880abd8 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -7,7 +7,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -15,7 +15,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -23,13 +23,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -37,7 +37,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -45,7 +45,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -53,7 +53,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -61,7 +61,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -69,7 +69,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -77,13 +77,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -91,13 +91,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -105,13 +105,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -119,13 +119,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -133,13 +133,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -147,13 +147,13 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -161,13 +161,13 @@
                   [5] cont_resp: bool    = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -175,13 +175,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT

From b36df2a272f44ad398d80a087d3d76acf4d623f3 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 15 May 2014 11:48:11 -0700
Subject: [PATCH 079/136] Updating submodule(s).

 [nomail]
---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index 3b3e189dab..7e15efe9d2 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 3b3e189dab3801cd0474dfdd376d9de633cd3766
+Subproject commit 7e15efe9d28d46bfa662fcdd1cbb15ce1db285c9

From dad8c9a74d021087c896ccc090b85a8fce26e866 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 15 May 2014 21:00:37 -0400
Subject: [PATCH 080/136] Update for the active http test to force it to use
 ipv4.

It was having trouble because the httpd.py script would start up
a webserver on ipv4 but on some platforms and with some versions
of curl "localhost" will attempt to connect to ::1.
---
 testing/btest/scripts/base/utils/active-http.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test
index 377c0dfd7b..442d5b9e06 100644
--- a/testing/btest/scripts/base/utils/active-http.test
+++ b/testing/btest/scripts/base/utils/active-http.test
@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: which python
 # @TEST-REQUIRES: which curl
 #
-# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 1
+# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 1 --addr=127.0.0.1
 # @TEST-EXEC: sleep 3
 # @TEST-EXEC: btest-bg-run bro bro -b %INPUT
 # @TEST-EXEC: btest-bg-wait 15
@@ -13,7 +13,7 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	local req = ActiveHTTP::Request($url="localhost:32123");
+	local req = ActiveHTTP::Request($url="127.0.0.1:32123");
 
 	when ( local resp = ActiveHTTP::request(req) )
 		{

From 55d0c6f7fa486365fc365c9dabb52578787cb616 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 16 May 2014 10:29:37 -0700
Subject: [PATCH 081/136] Implement verification of OCSP replies.

The OpenSSL code to do that is a nightmare.
---
 scripts/base/init-bare.bro                    |   2 +-
 src/file_analysis/analyzer/x509/functions.bif | 300 ++++++++++++++----
 .../.stdout                                   |   1 +
 .../base/protocols/ssl/ocsp-stapling.test     |   5 +
 4 files changed, 247 insertions(+), 61 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f68132e280..d5017a5f89 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2812,7 +2812,7 @@ export {
 	## Result of an X509 certificate chain verification
 	type Result: record {
 		## OpenSSL result code
-		result:	count;
+		result:	int;
 		## Result as string
 		result_string: string;
 		## References to the final certificate chain, if verification successful. End-host certificate is first.
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 1fa81a0fd0..2a517f6154 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -5,6 +5,7 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/x509_vfy.h>
+#include <openssl/ocsp.h>
 
 // This is the indexed map of X509 certificate stores.
 static map<Val*, X509_STORE*> x509_stores;
@@ -34,6 +35,68 @@ RecordVal* x509_error_record(uint64_t num, const char* reason)
 	return rrecord;
 	}
 
+X509_STORE* x509_get_root_store(TableVal* root_certs)
+	{
+	// If this certificate store was built previously, just reuse the old one.
+	if ( x509_stores.count(root_certs) > 0 )
+		return x509_stores[root_certs];
+
+	X509_STORE* ctx = X509_STORE_new();
+	ListVal* idxs = root_certs->ConvertToPureList();
+
+	// Build the validation store
+	for ( int i = 0; i < idxs->Length(); ++i )
+		{
+		Val* key = idxs->Index(i);
+		StringVal *sv = root_certs->Lookup(key)->AsStringVal();
+		assert(sv);
+		const uint8* data = sv->Bytes();
+		X509* x = d2i_X509_(NULL, &data, sv->Len());
+		if ( ! x )
+			{
+			builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_get_error(),NULL)));
+			return 0;
+			}
+
+		X509_STORE_add_cert(ctx, x);
+		}
+
+	delete idxs;
+
+	// Save the newly constructed certificate store into the cacheing map.
+	x509_stores[root_certs] = ctx;
+
+	return ctx;
+	}
+
+// get all cretificates starting at the second one (assuming the first one is the host certificate)
+STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec)
+	{
+	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
+	if ( ! untrusted_certs )
+		{
+		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_get_error(),NULL)));
+		return 0;
+		}
+
+	for ( int i = 1; i < (int) certs_vec->Size(); ++i ) // start at 1 - 0 is host cert
+		{
+		Val *sv = certs_vec->Lookup(i);
+		// Fixme: check type
+		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
+		if ( ! x )
+			{
+			sk_X509_free(untrusted_certs);
+			builtin_error(fmt("No certificate in opaque in stack"));
+			return 0;
+			}
+
+		sk_X509_push(untrusted_certs, x);
+		}
+
+	return untrusted_certs;
+	}
+
 %%}
 
 ## Parses a certificate into an X509::Certificate structure.
@@ -86,27 +149,28 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	return ext_val;
 	%}
 
-
-## Verifies a certificate.
+## Verifies an OCSP reply.
 ##
-## certs: Specifies a certificate chain that is being used to validate
-##        the given certificate against the root store given in *root_certs*.
-##        The host certificate has to be at index 0.
+## certs: Specifies the certificate chain to use. Server certificate first.
+##
+## ocsp_reply: the ocsp reply to validate
 ##
 ## root_certs: A list of root certificates to validate the certificate chain
 ##
 ## verify_time: Time for the validity check of the certificates.
 ##
 ## Returns: A record of type X509::Result containing the result code of the verify
-##          operation. In case of success also returns the full certificate chain.
+##          operation.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse
-##              x509_get_certificate_string
-function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
+##              x509_get_certificate_string x509_verify
+function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
-	X509_STORE* ctx = 0;
-	int i = 0;
+	BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
+	if ( !ctx )
+		return x509_error_record(-1, "Problem initializing root store");
 
 	VectorVal *certs_vec = certs->AsVectorVal();
 	if ( certs_vec->Size() < 1 )
@@ -126,38 +190,172 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 
 	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv;
 
-	// If this certificate store was built previously, just reuse the old one.
-	if ( x509_stores.count(root_certs) > 0 )
-		ctx = x509_stores[root_certs];
-
-	if ( ! ctx ) // lookup to see if we have this one built already!
+	X509* cert = cert_handle->GetCertificate();
+	if ( ! cert )
 		{
-		ctx = X509_STORE_new();
-		TableVal* root_certs2 = root_certs->AsTableVal();
-		ListVal* idxs = root_certs2->ConvertToPureList();
-
-		// Build the validation store
-		for ( i = 0; i < idxs->Length(); ++i )
-			{
-			Val* key = idxs->Index(i);
-			StringVal *sv = root_certs2->Lookup(key)->AsStringVal();
-			const uint8* data = sv->Bytes();
-			X509* x = d2i_X509_(NULL, &data, sv->Len());
-			if ( ! x )
-				{
-				builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-				return x509_error_record((uint64) ERR_get_error(), ERR_error_string(ERR_peek_last_error(),NULL));
-				}
-
-			X509_STORE_add_cert(ctx, x);
-			}
-
-		delete idxs;
-
-		// Save the newly constructed certificate store into the cacheing map.
-		x509_stores[root_certs] = ctx;
+		builtin_error(fmt("No certificate in opaque"));
+		return x509_error_record(-1, "No certificate in opaque");
 		}
 
+	const unsigned char* start = ocsp_reply->Bytes();
+
+	OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
+	if ( !resp )
+		return x509_error_record(-1, "Could not parse OCSP response");
+
+	int status = OCSP_response_status(resp);
+	if ( status != OCSP_RESPONSE_STATUS_SUCCESSFUL )
+		return x509_error_record(-2, OCSP_response_status_str(status));
+
+	OCSP_BASICRESP *basic = OCSP_response_get1_basic(resp);
+	if ( !basic )
+		return x509_error_record(-1, "Could not parse OCSP response");
+
+
+	STACK_OF(X509)* untrusted_certs = x509_get_untrusted_stack(certs_vec);
+	if ( !untrusted_certs )
+		return x509_error_record(-1, "Problem initializing list of untrusted certificates");
+
+	// the following code took me _forever_ to get right.
+	// The OCSP_basic_verify command takes a list of certificates. However (which is not immediately
+	// visible or understandable), those are only used to find the signer certificate. They are _not_
+	// used for chain building during the actual verification (this would be stupid). But - if we sneakily
+	// inject the certificates in the certificate list of the OCSP reply, they actually are used during
+	// the lookup.
+	// Yay.
+	X509* issuer_certificate = 0;
+	for ( int i = 0; i < sk_X509_num(untrusted_certs); i++)
+		{
+		sk_X509_push(basic->certs, sk_X509_value(untrusted_certs, i));
+		if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) )
+			issuer_certificate = sk_X509_value(untrusted_certs, i);
+		}
+
+	// Because we actually want to be able to give nice error messages that show why we were
+	// not able to verify the OCSP response - do our own verification logic first.
+	X509_STORE_CTX csc;
+	X509_STORE_CTX_init(&csc, ctx, sk_X509_value(basic->certs, 0), basic->certs);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time);
+	X509_STORE_CTX_set_purpose(&csc, X509_PURPOSE_OCSP_HELPER);
+
+	int result = X509_verify_cert(&csc);
+	if ( result != 1 )
+		{
+		const char *reason = X509_verify_cert_error_string(csc.error);
+		X509_STORE_CTX_cleanup(&csc);
+		sk_X509_free(untrusted_certs);
+		return x509_error_record(result, X509_verify_cert_error_string(csc.error));
+		}
+
+	int out = OCSP_basic_verify(basic, NULL, ctx, 0);
+	if ( result < 1 )
+		{
+		X509_STORE_CTX_cleanup(&csc);
+		sk_X509_free(untrusted_certs);
+		return x509_error_record(out, ERR_error_string(ERR_get_error(),NULL));
+		}
+
+	// ok, now we verified the OCSP response. This means that we have a valid chain tying it
+	// to a root that we trust and that the signature also hopefully is valid. This does not yet
+	// mean that the ocsp response actually matches the certificate the server send us or that
+	// the OCSP response even says that the certificate is valid.
+
+	// let's start this out by checking that the response is actually for the certificate we want
+	// to validate and not for something completely unrelated that the server is trying to trick us
+	// into accepting.
+	OCSP_CERTID *certid;
+	if ( issuer_certificate )
+		certid = OCSP_cert_to_id(NULL, cert, issuer_certificate);
+	else
+		{
+		// issuer not in list sent by server, check store
+		X509_OBJECT obj;
+		int lookup = X509_STORE_get_by_subject(&csc, X509_LU_X509, X509_get_subject_name(cert), &obj);
+		if ( lookup <= 0)
+			{
+			sk_X509_free(untrusted_certs);
+			X509_STORE_CTX_cleanup(&csc);
+			return x509_error_record(lookup, "Could not find issuer of host certificate");
+			}
+			certid = OCSP_cert_to_id(NULL, cert, obj.data.x509);
+		}
+
+	sk_X509_free(untrusted_certs);
+	X509_STORE_CTX_cleanup(&csc);
+
+	if ( !certid )
+		return x509_error_record(-1, "Certificate ID construction failed");
+
+	// for now, assume we have one reply...
+	OCSP_SINGLERESP *single = sk_OCSP_SINGLERESP_value(basic->tbsResponseData->responses, 0);
+	if ( !single )
+		return x509_error_record(-1, "Could not lookup OCSP response information");
+
+	if ( !OCSP_id_cmp(certid, single->certId) )
+		return x509_error_record(-1, "OCSP reply is not for host certificate");
+
+	// next - check freshness of proof...
+	if ( !ASN1_GENERALIZEDTIME_check(single->thisUpdate) || !ASN1_GENERALIZEDTIME_check(single->nextUpdate) )
+		return x509_error_record(-1, "OCSP reply contains invalid dates");
+
+	// now - nearly done. Check freshness and status code.
+	// There is a function to check the freshness of the ocsp reply in the ocsp code of OpenSSL. But - it only
+	// supports comparing it against the current time, not against arbitrary times. Hence it is kind of unusable
+	// for us...
+	// Well, we will do it manually.
+	time_t vtime = (time_t) verify_time;
+	if ( X509_cmp_time(single->thisUpdate, &vtime) > 0 )
+		return x509_error_record(-1, "OCSP reply specifies time in future");
+
+	if ( X509_cmp_time(single->nextUpdate, &vtime) < 0 )
+		return x509_error_record(-1, "OCSP reply expired");
+
+	if ( single->certStatus->type != V_OCSP_CERTSTATUS_GOOD )
+		return x509_error_record(-1, OCSP_cert_status_str(single->certStatus->type));
+
+	return x509_error_record(1, OCSP_cert_status_str(single->certStatus->type));
+	%}
+
+## Verifies a certificate.
+##
+## certs: Specifies a certificate chain that is being used to validate
+##        the given certificate against the root store given in *root_certs*.
+##        The host certificate has to be at index 0.
+##
+## root_certs: A list of root certificates to validate the certificate chain
+##
+## verify_time: Time for the validity check of the certificates.
+##
+## Returns: A record of type X509::Result containing the result code of the verify
+##          operation. In case of success also returns the full certificate chain.
+##
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_parse
+##              x509_get_certificate_string x509_ocsp_verify
+function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
+	%{
+	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
+	if ( !ctx )
+		return x509_error_record(-1, "Problem initializing root store");
+
+	VectorVal *certs_vec = certs->AsVectorVal();
+	if ( !certs_vec || certs_vec->Size() < 1 )
+		{
+		reporter->Error("No certificates given in vector");
+		return x509_error_record(-1, "no certificates");
+		}
+
+	// host certificate
+	unsigned int index = 0; // to prevent overloading to 0pointer
+	Val *sv = certs_vec->Lookup(index);
+	if ( !sv )
+		{
+		builtin_error("undefined value in certificate vector");
+		return x509_error_record(-1, "undefined value in certificate vector");
+		}
+
+	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv;
+
 	X509* cert = cert_handle->GetCertificate();
 	if ( ! cert )
 		{
@@ -165,27 +363,9 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		return x509_error_record(-1, "No certificate in opaque");
 		}
 
-	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
-	if ( ! untrusted_certs )
-		{
-		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-		return x509_error_record((uint64) ERR_get_error(), ERR_error_string(ERR_peek_last_error(),NULL));
-		}
-
-	for ( i = 1; i < (int) certs_vec->Size(); ++i ) // start at 1 - 0 is host cert
-		{
-		Val *sv = certs_vec->Lookup(i);
-		// Fixme: check type
-		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
-		if ( ! x )
-			{
-			sk_X509_free(untrusted_certs);
-			builtin_error(fmt("No certificate in opaque in stack"));
-			return x509_error_record(-1, "No certificate in opaque");
-			}
-
-		sk_X509_push(untrusted_certs, x);
-		}
+	STACK_OF(X509)* untrusted_certs = x509_get_untrusted_stack(certs_vec);
+	if ( !untrusted_certs )
+		return x509_error_record(-1, "Problem initializing list of untrusted certificates");
 
 	X509_STORE_CTX csc;
 	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
index a8735f6d41..527e63f4b9 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@@ -1 +1,2 @@
 F, 1995
+[result=1, result_string=good, chain_certs=<uninitialized>]
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index b50f04a92e..1114335811 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -3,5 +3,10 @@
 
 event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
 	{
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+
 	print is_orig, |response|;
+	print x509_ocsp_verify(chain, response, SSL::root_certs);
 	}

From 25bd2c8d00a1927a66dbb375d0044510b38dc797 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 16 May 2014 12:58:21 -0500
Subject: [PATCH 082/136] Minor updates to cluster config docs

Incorporated some feedback from Jeannette, and temporarily removed
the PF_RING ZC section.
---
 doc/configuration/index.rst | 83 +++++++++++--------------------------
 1 file changed, 24 insertions(+), 59 deletions(-)

diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst
index 07b46c9d0d..912b0332d8 100644
--- a/doc/configuration/index.rst
+++ b/doc/configuration/index.rst
@@ -9,38 +9,38 @@ Cluster Configuration
 
 A *Bro Cluster* is a set of systems jointly analyzing the traffic of
 a network link in a coordinated fashion.  You can operate such a setup from
-a central manager system easily using BroControl, because BroControl
+a central manager system easily using BroControl because BroControl
 hides much of the complexity of the multi-machine installation.
 
 This section gives examples of how to setup common cluster configurations
-using BroControl (for a full reference on BroControl, see the
-:doc:`BroControl <../components/broctl/README>` documentation).
+using BroControl.  For a full reference on BroControl, see the
+:doc:`BroControl <../components/broctl/README>` documentation.
 
 
 Preparing to Setup a Cluster
 ============================
 
-When setting up a cluster, the same user account (in this document, we refer
-to this user as the "Bro user") must be set up on all hosts, and this user
-must have ssh access from the manager to all machines in the cluster,
-and it must work without being prompted for a password/passphrase (for
-example, using ssh public key authentication). Finally, on the worker nodes,
-this user must have access to the target network interface in promiscuous mode.
+In this document we refer to the user account used to set up the cluster
+as the "Bro user".  When setting up a cluster the Bro user must be set up
+on all hosts, and this user must have ssh access from the manager to all
+machines in the cluster, and it must work without being prompted for a
+password/passphrase (for example, using ssh public key authentication).
+Finally, on the worker nodes, this user must have access to the target
+network interface in promiscuous mode.
 
-Additionally, you need to have some storage available on all
-hosts under the same path, which we will call the cluster's *prefix* path.
-In this document, we refer to this directory as ``<prefix>`` (if you build
-Bro from source, then ``<prefix>`` is the directory specified
-with the ``--prefix`` configure option, or ``/usr/local/bro`` by default).
-The Bro user must be able to either create this directory or, where it
-already exists, must have write permission inside this directory
-on all hosts.
+Additional storage must be available on all hosts under the same path,
+which we will call the cluster's prefix path.  We refer to this directory
+as ``<prefix>``.  If you build Bro from source, then ``<prefix>`` is
+the directory specified with the ``--prefix`` configure option,
+or ``/usr/local/bro`` by default.  The Bro user must be able to either
+create this directory or, where it already exists, must have write
+permission inside this directory on all hosts.
 
 When trying to decide how to configure the Bro nodes, keep in mind that
 there can be multiple Bro instances running on the same host.  For example,
 it's possible to run a proxy and the manager on the same host.  However, it is
-recommended to run workers on a different machine than the manager (because
-workers can consume a lot of CPU resources).  The maximum recommended
+recommended to run workers on a different machine than the manager because
+workers can consume a lot of CPU resources.  The maximum recommended
 number of workers to run on a machine should be one or two less than
 the number of CPU cores available on that machine.  Using a load-balancing
 method (such as PF_RING) along with CPU pinning can decrease the load on
@@ -54,11 +54,11 @@ With all prerequisites in place, perform the following steps to setup
 a Bro cluster (do this as the Bro user on the manager host only):
 
 - Edit the BroControl configuration file, ``<prefix>/etc/broctl.cfg``,
-  and adjust any BroControl options that are needed for your environment.
-  Most likely you may want to adjust the value of the ``MailTo`` and
-  ``LogRotationInterval`` options.  A complete reference of all BroControl
-  options can be found in the :doc:`BroControl <../components/broctl/README>`
-  documentation.
+  and change the value of any BroControl options to be more suitable for
+  your environment.  You will most likely want to change the value of
+  the ``MailTo`` and ``LogRotationInterval`` options.  A complete
+  reference of all BroControl options can be found in the
+  :doc:`BroControl <../components/broctl/README>` documentation.
 
 - Edit the BroControl node configuration file, ``<prefix>/etc/node.cfg``
   to define where manager, proxies, and workers are to run.  For a cluster
@@ -252,38 +252,3 @@ same packets multiple times with different tools.
        lb_method=pf_ring
        lb_procs=10
 
-
-Using PF_RING ZC with zbalance_ipc
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-You must have a license for the ZC PF_RING-aware driver in order to do this.
-You can load balance between multiple applications and sniff the
-same packets multiple times with different tools.
-
-1. Load the ZC PF_RING-aware NIC driver (i.e. ixgbe) on each worker host.
-2. Run "ethtool -L zc:eth0 1" (this will establish 1 RSS queues on your NIC)
-   on each worker host.
-3. Run the zbalance_ipc command on each worker host.  For example::
-
-       zbalance_ipc -c 21 -i zc:eth0 -n 10
-
-   Make sure that your cluster ID (21 in this example) matches the interface
-   name you specify in the node.cfg file.  Also make sure that the number
-   of processes you're balancing across (10 in this example) matches
-   the lb_procs option in the node.cfg file.
-4. If you are load balancing to other processes, you can use the
-   pfringdnafirstappinstance variable in broctl.cfg to set the first
-   application instance that Bro should use.  For example, if you are running
-   zbalance_ipc with "-n 10,4" you would set
-   pfringdnafirstappinstance=4.  Unfortunately that's still a global setting
-   in broctl.cfg at the moment but we may change that to something you can
-   set in node.cfg eventually.
-5. On the manager, configure your worker(s) in node.cfg::
-
-       [worker-1]
-       type=worker
-       host=10.0.0.50
-       interface=zc:eth0
-       lb_method=pf_ring
-       lb_procs=10
-

From d9e7ac6e92039fc1de64e0a86e527260b4011271 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 16 May 2014 11:21:26 -0700
Subject: [PATCH 083/136] Add policy script adding ocsp validation to ssl.log

---
 .../policy/protocols/ssl/validate-ocsp.bro    | 63 +++++++++++++++++++
 .../ssl.log                                   | 10 +++
 .../policy/protocols/ssl/validate-ocsp.bro    |  4 ++
 3 files changed, 77 insertions(+)
 create mode 100644 scripts/policy/protocols/ssl/validate-ocsp.bro
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro

diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
new file mode 100644
index 0000000000..130bff92c3
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -0,0 +1,63 @@
+##! Perform OCSP response validation
+
+@load base/frameworks/notice
+@load base/protocols/ssl
+
+module SSL;
+
+export {
+	redef enum Notice::Type += {
+		## This indicates that the OCSP response was not deemed
+		## to be valid.
+		Invalid_Ocsp_Response
+	};
+
+	redef record Info += {
+		## Result of ocsp validation for this connection
+		ocsp_status: string &log &optional;
+
+		## ocsp response as string.
+		ocsp_response: string &optional;
+	};
+
+	## MD5 hash values for recently validated chains along with the
+	## ocsp validation status  are kept in this table to avoid constant
+	## validation every time the same certificate chain is seen.
+	global recently_ocsp_validated: table[string] of string = table()
+		&read_expire=5mins &synchronized &redef;
+}
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+	{
+	c$ssl$ocsp_response = response;
+	}
+
+event ssl_established(c: connection) &priority=3
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+		return;
+
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+
+	local reply_id = cat(md5_hash(c$ssl$ocsp_response), join_string_vec(c$ssl$cert_chain_fuids, "."));
+
+	if ( reply_id in recently_ocsp_validated )
+		{
+		c$ssl$ocsp_status = recently_ocsp_validated[reply_id];
+		return;
+		}
+
+	local result = x509_ocsp_verify(chain, c$ssl$ocsp_response, root_certs);
+	c$ssl$ocsp_status = result$result_string;
+	recently_ocsp_validated[reply_id] = result$result_string;
+
+	if( result$result_string != "good" )
+		{
+		local message = fmt("OCSP response validation failed with (%s)", result$result_string);
+		NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
+		        $sub=c$ssl$subject, $conn=c,
+		        $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
+		}
+	}
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
new file mode 100644
index 0000000000..4aa18abb22
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-05-16-18-20-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	ocsp_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1398367809.790512	CXWv6p3arKYeMETxOg	192.168.4.149	56253	131.253.61.82	443	TLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp384r1	-	-	-	T	Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9	(empty)	CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=	#13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	good
+#close	2014-05-16-18-20-51
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
new file mode 100644
index 0000000000..b0392f9c27
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/validate-ocsp

From 5db240f29186c11f5fdc51a51c40e7836db6ace4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 16 May 2014 11:23:44 -0700
Subject: [PATCH 084/136] update baselines & add ocsp leak check

---
 testing/btest/core/leaks/x509_ocsp_verify.bro | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 testing/btest/core/leaks/x509_ocsp_verify.bro

diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro
new file mode 100644
index 0000000000..1b21e8609a
--- /dev/null
+++ b/testing/btest/core/leaks/x509_ocsp_verify.bro
@@ -0,0 +1,19 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 30
+
+@load base/protocols/ssl
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+
+	print x509_ocsp_verify(chain, response, SSL::root_certs);
+	}

From e749f178217a5f6d1b613bd55e93afebeb3b35be Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 16 May 2014 11:29:47 -0700
Subject: [PATCH 085/136] small test update & script fix

---
 scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +-
 scripts/test-all-policy.bro                    | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 130bff92c3..a4965aa41d 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -34,7 +34,7 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority
 
 event ssl_established(c: connection) &priority=3
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || !c$ssl?$ocsp_response )
 		return;
 
 	local chain: vector of opaque of x509 = vector();
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 43dc6b9dce..5ab596dbfb 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -90,6 +90,7 @@
 @load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
+@load protocols/ssl/validate-ocsp.bro
 @load protocols/ssl/weak-keys.bro
 @load tuning/__load__.bro
 @load tuning/defaults/__load__.bro

From 08266b409d3c04c1f977160cd814efee10927b66 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 16 May 2014 13:59:28 -0500
Subject: [PATCH 086/136] Minor update to cluster config docs

Forgot to add one small change in previous commit.
---
 doc/configuration/index.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst
index 912b0332d8..7ffdde31b7 100644
--- a/doc/configuration/index.rst
+++ b/doc/configuration/index.rst
@@ -25,7 +25,7 @@ as the "Bro user".  When setting up a cluster the Bro user must be set up
 on all hosts, and this user must have ssh access from the manager to all
 machines in the cluster, and it must work without being prompted for a
 password/passphrase (for example, using ssh public key authentication).
-Finally, on the worker nodes, this user must have access to the target
+Also, on the worker nodes this user must have access to the target
 network interface in promiscuous mode.
 
 Additional storage must be available on all hosts under the same path,

From 8c3cf8921ab614bc1104505b8ecb092d9169d300 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 16 May 2014 14:10:32 -0500
Subject: [PATCH 087/136] Disable all default AppStat plugins except facebook.

The scripts for the others still remain and can be loaded explicitly,
but they reportedly may produce figures that are far from correct.

Addresses BIT-1171.
---
 CHANGES                                            |  6 ++++++
 VERSION                                            |  2 +-
 scripts/policy/misc/app-stats/plugins/__load__.bro | 10 +++++-----
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index baa5e2d5ed..05d828ce10 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
 
+2.2-444 | 2014-05-16 14:10:32 -0500
+
+  * Disable all default AppStat plugins except facebook. (Jon Siwek)
+
+  * Update for the active http test to force it to use ipv4. (Seth Hall)
+
 2.2-441 | 2014-05-15 11:29:56 -0700
 
   * A new RADIUS analyzer. (Vlad Grigorescu)
diff --git a/VERSION b/VERSION
index 6bbbe142e8..857a0fc928 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-441
+2.2-444
diff --git a/scripts/policy/misc/app-stats/plugins/__load__.bro b/scripts/policy/misc/app-stats/plugins/__load__.bro
index 7a3ea2da81..64126764fb 100644
--- a/scripts/policy/misc/app-stats/plugins/__load__.bro
+++ b/scripts/policy/misc/app-stats/plugins/__load__.bro
@@ -1,6 +1,6 @@
 @load ./facebook
-@load ./gmail
-@load ./google
-@load ./netflix
-@load ./pandora
-@load ./youtube
\ No newline at end of file
+#@load ./gmail
+#@load ./google
+#@load ./netflix
+#@load ./pandora
+#@load ./youtube

From 9b82028f8cfe2de7d52b182a1b7fadfe022e6b73 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 16 May 2014 14:43:58 -0500
Subject: [PATCH 088/136] Update a broctl option name in cluster config doc

---
 doc/configuration/index.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst
index 7ffdde31b7..ac74e64373 100644
--- a/doc/configuration/index.rst
+++ b/doc/configuration/index.rst
@@ -237,10 +237,10 @@ same packets multiple times with different tools.
    of processes you're balancing across (10 in this example) matches
    the lb_procs option in the node.cfg file.
 4. If you are load balancing to other processes, you can use the
-   pfringdnafirstappinstance variable in broctl.cfg to set the first
+   pfringfirstappinstance variable in broctl.cfg to set the first
    application instance that Bro should use.  For example, if you are running
    pfdnacluster_master with "-n 10,4" you would set
-   pfringdnafirstappinstance=4.  Unfortunately that's still a global setting
+   pfringfirstappinstance=4.  Unfortunately that's still a global setting
    in broctl.cfg at the moment but we may change that to something you can
    set in node.cfg eventually.
 5. On the manager, configure your worker(s) in node.cfg::

From d230eed7f83173fa6acf805871a8453074f3de99 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 16 May 2014 16:05:03 -0500
Subject: [PATCH 089/136] Fix a doc build warning

---
 scripts/base/utils/addrs.bro | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro
index 9ebd35bbb1..9e33e6d585 100644
--- a/scripts/base/utils/addrs.bro
+++ b/scripts/base/utils/addrs.bro
@@ -120,11 +120,11 @@ function addr_to_uri(a: addr): string
 		return fmt("[%s]", a);
 	}
 
-## Given a string, extracts the hex digits and returns a MAC address in the
-## format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex digits,
-## an empty string is returned.
+## Given a string, extracts the hex digits and returns a MAC address in
+## the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex
+## digits, an empty string is returned.
 ##
-## a: the string to normalize
+## a: the string to normalize.
 ##
 ## Returns: a normalized MAC address, or an empty string in the case of an error.
 function normalize_mac(a: string): string

From d242f6986f460702faa69a0fc3c27bf1d48820e7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 16 May 2014 14:52:19 -0700
Subject: [PATCH 090/136] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index c44ec9c13d..73f4307742 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit c44ec9c13d87b8589d6f1549b9c523130fcc2a39
+Subproject commit 73f4307742bb8841017ee1b4eb5927674bc5f792

From bb7781d2f6635456770834f4b65487980c26a57b Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 16 May 2014 16:53:56 -0500
Subject: [PATCH 091/136] Update some doc tests and line numbers

---
 doc/scripting/index.rst                       |  2 +-
 ...licy_frameworks_files_detect-MHR_bro.btest | 39 ++++++++++++-------
 ...cy_frameworks_files_detect-MHR_bro@4.btest | 39 ++++++++++++-------
 ...icy_protocols_ssl_expiring-certs_bro.btest |  2 +-
 4 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index b12330ceb4..d92314e41e 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -87,7 +87,7 @@ Up until this point, the script has merely done some basic setup.  With the next
 the script starts to define instructions to take in a given event.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 38-62
+   :lines: 38-71
 
 The workhorse of the script is contained in the event handler for
 ``file_hash``.  The :bro:see:`file_hash` event allows scripts to access
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
index 709fea1fba..bcf6ccd309 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
@@ -39,28 +39,37 @@ export {
 	const notice_threshold = 10 &redef;
 }
 
-event file_hash(f: fa_file, kind: string, hash: string)
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
-	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
-		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+		# Data is returned as "<dateFirstDetected> <detectionRate>"
+		local MHR_answer = split1(MHR_result, / /);
+
+		if ( |MHR_answer| == 2 )
 			{
-			# Data is returned as "<dateFirstDetected> <detectionRate>"
-			local MHR_answer = split1(MHR_result, / /);
-			if ( |MHR_answer| == 2 )
+			local mhr_detect_rate = to_count(MHR_answer[2]);
+
+			if ( mhr_detect_rate >= notice_threshold )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
-				local mhr_detect_rate = to_count(MHR_answer[2]);
-
 				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
-				if ( mhr_detect_rate >= notice_threshold )
-					{
-					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
-					local virustotal_url = fmt(match_sub_url, hash);
-					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
-					}
+				local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+				local virustotal_url = fmt(match_sub_url, hash);
+				# We don't have the full fa_file record here in order to
+				# avoid the "when" statement cloning it (expensive!).
+				local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+				Notice::populate_file_info2(fi, n);
+				NOTICE(n);
 				}
 			}
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+		do_mhr_lookup(hash, Notice::create_file_info(f));
+	}
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
index 31b94783d9..be9619fa1c 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@@ -2,28 +2,37 @@
 
 detect-MHR.bro
 
-event file_hash(f: fa_file, kind: string, hash: string)
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
-	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
-		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+		# Data is returned as "<dateFirstDetected> <detectionRate>"
+		local MHR_answer = split1(MHR_result, / /);
+
+		if ( |MHR_answer| == 2 )
 			{
-			# Data is returned as "<dateFirstDetected> <detectionRate>"
-			local MHR_answer = split1(MHR_result, / /);
-			if ( |MHR_answer| == 2 )
+			local mhr_detect_rate = to_count(MHR_answer[2]);
+
+			if ( mhr_detect_rate >= notice_threshold )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
-				local mhr_detect_rate = to_count(MHR_answer[2]);
-
 				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
-				if ( mhr_detect_rate >= notice_threshold )
-					{
-					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
-					local virustotal_url = fmt(match_sub_url, hash);
-					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
-					}
+				local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+				local virustotal_url = fmt(match_sub_url, hash);
+				# We don't have the full fa_file record here in order to
+				# avoid the "when" statement cloning it (expensive!).
+				local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+				Notice::populate_file_info2(fi, n);
+				NOTICE(n);
 				}
 			}
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+		do_mhr_lookup(hash, Notice::create_file_info(f));
+	}
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
index aff7dffff7..08661d0ea8 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
@@ -5,4 +5,4 @@ expiring-certs.bro
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+		        $fuid=fuid]);

From 65ea4f9862ab299ce1fd842a426f8572ac70cf37 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 16 May 2014 14:56:19 -0700
Subject: [PATCH 092/136] Replacing TODO in NEWS.

---
 NEWS | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 7a68bfbf4b..b95387091a 100644
--- a/NEWS
+++ b/NEWS
@@ -68,10 +68,13 @@ Changed Functionality
   signatures.
 
 - Bro no longer special-cases SYN/FIN/RST-filtered traces by not
-  reporting missing data. The old behavior can be reverted by
-  redef'ing "detect_filtered_trace".
+  reporting missing data. Instead, if Bro never sees any data segments
+  for analyzed TCP connections, the new
+  base/misc/find-filtered-trace.bro script will log a warning in
+  reporter.log and to stderr.
 
-  TODO: Update if we add a detector for filtered traces.
+  The old behavior can be reverted by redef'ing
+  "detect_filtered_trace".
 
 - We have removed the packet sorter component.
 

From fae092639db7202aa4454b684c1bea68a06b885d Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Mon, 19 May 2014 08:39:04 -0500
Subject: [PATCH 093/136] Fix some doc build warnings

Removed references to pop3_terminate (that event was removed in a previous
commit).
---
 src/analyzer/protocol/pop3/events.bif | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index 970ae0186c..a0a3e1e18d 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -13,7 +13,7 @@
 ## arg: The argument to the command.
 ##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
-##    pop3_terminate pop3_unexpected
+##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -38,7 +38,7 @@ event pop3_request%(c: connection, is_orig: bool,
 ## msg: The textual description the server sent along with *cmd*.
 ##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success  pop3_request
-##    pop3_terminate pop3_unexpected
+##    pop3_unexpected
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
 ##
@@ -63,7 +63,7 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ## data: The data sent.
 ##
 ## .. bro:see::  pop3_login_failure pop3_login_success pop3_reply pop3_request
-##    pop3_terminate pop3_unexpected
+##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -87,7 +87,6 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
 ## detail: The input that triggered the event.
 ##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
-##    pop3_terminate
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -129,7 +128,7 @@ event pop3_starttls%(c: connection%);
 ##
 ## password: The password used for authentication.
 ##
-## .. bro:see:: pop3_data pop3_login_failure  pop3_reply pop3_request pop3_terminate
+## .. bro:see:: pop3_data pop3_login_failure  pop3_reply pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -153,7 +152,7 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ##
 ## password: The password attempted for authentication.
 ##
-## .. bro:see:: pop3_data  pop3_login_success pop3_reply pop3_request pop3_terminate
+## .. bro:see:: pop3_data  pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol

From 2738ce6292afa48bc8cef6ca3e3dc7ad72ac337f Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 19 May 2014 12:25:41 -0500
Subject: [PATCH 094/136] Fix a doc reference to ssl_encrypted_heartbeat.

That event isn't exported, instead the content type of
ssl_encrypted_data, which is exported, can be inspected for heartbeats.
---
 src/analyzer/protocol/ssl/events.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index bb966d4b66..1503c5833e 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -262,7 +262,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##          if payload_length and actual packet length disagree.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_alert ssl_encrypted_heartbeat
+##    ssl_alert ssl_encrypted_data
 event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
 ## Generated for SSL/TLS messages that are sent after session encryption

From c7599befb91817230cb0eedddc58da4ab294bf8f Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Mon, 19 May 2014 12:54:15 -0500
Subject: [PATCH 095/136] Fix a couple of doc build warnings

---
 src/analyzer/protocol/ssl/events.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index bb966d4b66..1503c5833e 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -262,7 +262,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##          if payload_length and actual packet length disagree.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_alert ssl_encrypted_heartbeat
+##    ssl_alert ssl_encrypted_data
 event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
 ## Generated for SSL/TLS messages that are sent after session encryption

From 2c35bcf709ca25327026551a1946d8de25471ab8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 19 May 2014 11:31:30 -0700
Subject: [PATCH 096/136] change validation return value from count to int.
 Scripts already had been updated, I forgot the function returns..

---
 src/file_analysis/analyzer/x509/functions.bif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 8a03c5fa63..65aa22061f 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -29,7 +29,7 @@ RecordVal* x509_error_record(uint64_t num, const char* reason)
 	{
 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
 
-	rrecord->Assign(0, new Val(num, TYPE_COUNT));
+	rrecord->Assign(0, new Val(num, TYPE_INT));
 	rrecord->Assign(1, new StringVal(reason));
 
 	return rrecord;
@@ -425,7 +425,7 @@ x509_verify_chainerror:
 
 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
 
-	rrecord->Assign(0, new Val((uint64) csc.error, TYPE_COUNT));
+	rrecord->Assign(0, new Val((uint64) csc.error, TYPE_INT));
 	rrecord->Assign(1, new StringVal(X509_verify_cert_error_string(csc.error)));
 
 	if ( chainVector )

From b0644270c35052911a648a309ca2fec10c10ad0a Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 19 May 2014 14:12:13 -0500
Subject: [PATCH 097/136] Update submodules and NEWS.

---
 NEWS       | 50 ++++++++++++++++++++++++++++++++++++++------------
 aux/broctl |  2 +-
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/NEWS b/NEWS
index b95387091a..731e1bb1d6 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,6 @@ their own ``CHANGES``.)
 Bro 2.3
 =======
 
-[In progress]
-
 Dependencies
 ------------
 
@@ -31,23 +29,43 @@ New Functionality
   and "file-mime" gives the MIME type string of content that matches
   the magic and an optional strength value for the match. (See also
   "Changed Functionality" below for changes due to switching from
-  using libmagic to such wsignatures.)
+  using libmagic to such signatures.)
 
 - A new built-in function, "file_magic", can be used to get all file
   magic matches and their corresponding strength against a given chunk
   of data.
 
-- The SSL analyzer now has support heartbeats as well as for a few
+- The SSL analyzer now supports heartbeats as well as a few
   extensions, including server_name, alpn, and ec-curves.
 
 - The SSL analyzer comes with Heartbleed detector script in
-  protocols/ssl/heartbleed.bro.
+  protocols/ssl/heartbleed.bro.  Note that loading this script changes
+  the default value of "SSL::disable_analyzer_after_detection" from true
+  to false to prevent encrypted heartbeats from being ignored.
 
 - The X509 analyzer can now perform OSCP validation.
 
-- Bro now analyzers for SNMP and Radius, which produce corresponding
+- Bro now has analyzers for SNMP and Radius, which produce corresponding
   snmp.log and radius.log output (as well as various events of course).
 
+- BroControl has a new option "BroPort" which allows a user to specify
+  the starting port number for Bro.
+
+- BroControl has a new option "StatsLogExpireInterval" which allows a
+  user to specify when entries in the stats.log file expire.
+
+- BroControl has a new option "PFRINGClusterType" which allows a user
+  to specify a PF_RING cluster type.
+
+- BroControl now supports PF_RING+DNA.  There is also a new option
+  "PFRINGFirstAppInstance" that allows a user to specify the starting
+  application instance number for processes running on a DNA cluster.
+  See the BroControl documentation for more details.
+
+- BroControl now warns a user to run "broctl install" if Bro has
+  been upgraded or if the broctl or node configuration has changed
+  since the most recent install.
+
 Changed Functionality
 ---------------------
 
@@ -71,16 +89,14 @@ Changed Functionality
   reporting missing data. Instead, if Bro never sees any data segments
   for analyzed TCP connections, the new
   base/misc/find-filtered-trace.bro script will log a warning in
-  reporter.log and to stderr.
-
-  The old behavior can be reverted by redef'ing
-  "detect_filtered_trace".
+  reporter.log and to stderr.  The old behavior can be reverted by
+  redef'ing "detect_filtered_trace".
 
 - We have removed the packet sorter component.
 
 - Bro no longer uses libmagic to identify file types but instead now
   comes with its own signature library (which initially is still
-  derived from libmagic;s database). This leads to a number of further
+  derived from libmagic's database). This leads to a number of further
   changes with regards to MIME types:
 
     * The second parameter of the "identify_data" built-in function
@@ -95,7 +111,7 @@ Changed Functionality
       in Bro as magic databases are no longer used/installed.
 
     * Removed "binary" and "octet-stream" mime type detections. They
-      don' provide any more information than an uninitialized
+      don't provide any more information than an uninitialized
       mime_type field.
 
     * The "fa_file" record now contains a "mime_types" field that
@@ -106,6 +122,16 @@ Changed Functionality
 - dns_TXT_reply() now supports more than one string entry by receiving
   a vector of strings.
 
+- BroControl now runs the "exec" and "df" broctl commands only once
+  per host, instead of once per Bro node.  The output of these
+  commands has been changed slightly to include both the host and
+  node names.
+
+- Several performance improvements were made.  Particular emphasis
+  was put on the File Analysis system, which generally will now emit
+  far fewer file handle request events due to protocol analyzers now
+  caching that information internally.
+
 Bro 2.2
 =======
 
diff --git a/aux/broctl b/aux/broctl
index 73f4307742..7e5cf52a9e 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 73f4307742bb8841017ee1b4eb5927674bc5f792
+Subproject commit 7e5cf52a9ef98c7e4d9f0225b082b518f871f728

From aee708c70359c4c7bfcc20ecf466c1dcde70c146 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 19 May 2014 15:31:33 -0500
Subject: [PATCH 098/136] Change record ctors to only allow
 record-field-assignment expressions.

Previously, any expression that evaluates to a record may have been used
in a record ctor's expression list.  This didn't work in all cases,
doesn't provide any unique functionality that can't be done otherwise,
and is possibly a path to introducing subtle scripting errors.

BIT-1192 #closed
---
 CHANGES                                       |  5 ++++
 VERSION                                       |  2 +-
 src/Expr.cc                                   | 29 +++++--------------
 .../Baseline/language.record-bad-ctor2/out    |  1 +
 testing/btest/language/record-bad-ctor2.bro   | 16 ++++++++++
 5 files changed, 30 insertions(+), 23 deletions(-)
 create mode 100644 testing/btest/Baseline/language.record-bad-ctor2/out
 create mode 100644 testing/btest/language/record-bad-ctor2.bro

diff --git a/CHANGES b/CHANGES
index f1da6b44d6..4e860d7eca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.2-478 | 2014-05-19 15:31:33 -0500
+
+  * Change record ctors to only allow record-field-assignment
+    expressions. (Jon Siwek)
+
 2.2-477 | 2014-05-19 14:13:00 -0500
 
   * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Bernhard Amann)
diff --git a/VERSION b/VERSION
index 142d07f16f..1754da8f31 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-477
+2.2-478
diff --git a/src/Expr.cc b/src/Expr.cc
index b3a4b8b096..8d757fd2dd 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3398,8 +3398,8 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 	if ( IsError() )
 		return;
 
-	// Spin through the list, which should be comprised of
-	// either record's or record-field-assign, and build up a
+	// Spin through the list, which should be comprised only of
+	// record-field-assign expressions, and build up a
 	// record type to associate with this constructor.
 	type_decl_list* record_types = new type_decl_list;
 
@@ -3409,32 +3409,17 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 		Expr* e = exprs[i];
 		BroType* t = e->Type();
 
-		if ( e->Tag() == EXPR_FIELD_ASSIGN )
-			{
-			FieldAssignExpr* field = (FieldAssignExpr*) e;
-
-			BroType* field_type = field->Type()->Ref();
-			char* field_name = copy_string(field->FieldName());
-
-			record_types->append(new TypeDecl(field_type, field_name));
-			continue;
-			}
-
-		if ( t->Tag() != TYPE_RECORD )
+		if ( e->Tag() != EXPR_FIELD_ASSIGN )
 			{
 			Error("bad type in record constructor", e);
 			SetError();
 			continue;
 			}
 
-		// It's a record - add in its fields.
-		const RecordType* rt = t->AsRecordType();
-		int n = rt->NumFields();
-		for ( int j = 0; j < n; ++j )
-			{
-			const TypeDecl* td = rt->FieldDecl(j);
-			record_types->append(new TypeDecl(td->type->Ref(), td->id));
-			}
+		FieldAssignExpr* field = (FieldAssignExpr*) e;
+		BroType* field_type = field->Type()->Ref();
+		char* field_name = copy_string(field->FieldName());
+		record_types->append(new TypeDecl(field_type, field_name));
 		}
 
 	SetType(new RecordType(record_types));
diff --git a/testing/btest/Baseline/language.record-bad-ctor2/out b/testing/btest/Baseline/language.record-bad-ctor2/out
new file mode 100644
index 0000000000..d5ce540dd8
--- /dev/null
+++ b/testing/btest/Baseline/language.record-bad-ctor2/out
@@ -0,0 +1 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor2/record-bad-ctor2.bro, line 14: bad type in record constructor ([[$cmd=echo hi]] and [$cmd=echo hi])
diff --git a/testing/btest/language/record-bad-ctor2.bro b/testing/btest/language/record-bad-ctor2.bro
new file mode 100644
index 0000000000..7941c38860
--- /dev/null
+++ b/testing/btest/language/record-bad-ctor2.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+# Record ctor's expression list shouldn't accept "expressions that
+# eval in to record".  The expression list should only be comprised of
+# record-field-assignment expressions.
+
+type myrec: record {
+	cmd: string;
+	stdin: string &default="";
+	read_files: string &optional;
+};
+
+local bad = myrec([$cmd="echo hi"]);
+
+print bad;

From 604072f76226f6af4b9d1cbd1cb3e22dcc24e905 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 19 May 2014 14:36:36 -0700
Subject: [PATCH 099/136] openssl / x509 memory leak issues.

initialization had a small leak (static size), verify had none, ocsp_verify had tons.

I hope this was all...
---
 src/file_analysis/analyzer/x509/functions.bif | 184 +++++++++++-------
 1 file changed, 112 insertions(+), 72 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 65aa22061f..0192a9b3d9 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -25,12 +25,14 @@ X509* d2i_X509_(X509** px, const u_char** in, int len)
 	}
 
 // construct an error record
-RecordVal* x509_error_record(uint64_t num, const char* reason)
+RecordVal* x509_result_record(uint64_t num, const char* reason, Val* chainVector = 0)
 	{
 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
 
 	rrecord->Assign(0, new Val(num, TYPE_INT));
 	rrecord->Assign(1, new StringVal(reason));
+	if ( chainVector )
+		rrecord->Assign(2, chainVector);
 
 	return rrecord;
 	}
@@ -59,6 +61,7 @@ X509_STORE* x509_get_root_store(TableVal* root_certs)
 			}
 
 		X509_STORE_add_cert(ctx, x);
+		X509_free(x);
 		}
 
 	delete idxs;
@@ -169,16 +172,17 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 ##              x509_get_certificate_string x509_verify
 function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
-	BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+	RecordVal* rval = 0;
 	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
 	if ( ! ctx )
-		return x509_error_record(-1, "Problem initializing root store");
+		return x509_result_record(-1, "Problem initializing root store");
+
 
 	VectorVal *certs_vec = certs->AsVectorVal();
 	if ( certs_vec->Size() < 1 )
 		{
 		reporter->Error("No certificates given in vector");
-		return x509_error_record(-1, "no certificates");
+		return x509_result_record(-1, "no certificates");
 		}
 
 	// host certificate
@@ -187,7 +191,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 	if ( ! sv )
 		{
 		builtin_error("undefined value in certificate vector");
-		return x509_error_record(-1, "undefined value in certificate vector");
+		return x509_result_record(-1, "undefined value in certificate vector");
 		}
 
 	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv;
@@ -196,27 +200,46 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 	if ( ! cert )
 		{
 		builtin_error(fmt("No certificate in opaque"));
-		return x509_error_record(-1, "No certificate in opaque");
+		return x509_result_record(-1, "No certificate in opaque");
 		}
 
 	const unsigned char* start = ocsp_reply->Bytes();
 
-	OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
-	if ( ! resp )
-		return x509_error_record(-1, "Could not parse OCSP response");
-
-	int status = OCSP_response_status(resp);
-	if ( status != OCSP_RESPONSE_STATUS_SUCCESSFUL )
-		return x509_error_record(-2, OCSP_response_status_str(status));
-
-	OCSP_BASICRESP *basic = OCSP_response_get1_basic(resp);
-	if ( ! basic )
-		return x509_error_record(-1, "Could not parse OCSP response");
-
-
 	STACK_OF(X509)* untrusted_certs = x509_get_untrusted_stack(certs_vec);
 	if ( ! untrusted_certs )
-		return x509_error_record(-1, "Problem initializing list of untrusted certificates");
+		return x509_result_record(-1, "Problem initializing list of untrusted certificates");
+
+	// from here, always goto cleanup. Initialize all other required variables...
+	time_t vtime = (time_t) verify_time;
+  OCSP_BASICRESP *basic = 0;
+	OCSP_SINGLERESP *single = 0;
+	X509_STORE_CTX *csc = 0;
+	OCSP_CERTID *certid = 0;
+	int status = -1;
+	int out = -1;
+	int result = -1;
+	X509* issuer_certificate = 0;
+	OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
+	if ( ! resp )
+		{
+		rval = x509_result_record(-1, "Could not parse OCSP response");
+		goto x509_ocsp_cleanup;
+		}
+
+	status = OCSP_response_status(resp);
+	if ( status != OCSP_RESPONSE_STATUS_SUCCESSFUL )
+		{
+		rval = x509_result_record(-2, OCSP_response_status_str(status));
+		goto x509_ocsp_cleanup;
+		}
+
+	basic = OCSP_response_get1_basic(resp);
+	if ( ! basic )
+		{
+		rval = x509_result_record(-1, "Could not parse OCSP response");
+		goto x509_ocsp_cleanup;
+		}
+
 
 	// the following code took me _forever_ to get right.
 	// The OCSP_basic_verify command takes a list of certificates. However (which is not immediately
@@ -225,10 +248,10 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 	// inject the certificates in the certificate list of the OCSP reply, they actually are used during
 	// the lookup.
 	// Yay.
-	X509* issuer_certificate = 0;
+	issuer_certificate = 0;
 	for ( int i = 0; i < sk_X509_num(untrusted_certs); i++)
 		{
-		sk_X509_push(basic->certs, sk_X509_value(untrusted_certs, i));
+		sk_X509_push(basic->certs, X509_dup(sk_X509_value(untrusted_certs, i)));
 
 		if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) )
 			issuer_certificate = sk_X509_value(untrusted_certs, i);
@@ -236,28 +259,27 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 
 	// Because we actually want to be able to give nice error messages that show why we were
 	// not able to verify the OCSP response - do our own verification logic first.
-	X509_STORE_CTX csc;
-	X509_STORE_CTX_init(&csc, ctx, sk_X509_value(basic->certs, 0), basic->certs);
-	X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time);
-	X509_STORE_CTX_set_purpose(&csc, X509_PURPOSE_OCSP_HELPER);
+	csc = X509_STORE_CTX_new();
+	X509_STORE_CTX_init(csc, ctx, sk_X509_value(basic->certs, 0), basic->certs);
+	X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time);
+	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_OCSP_HELPER);
 
-	int result = X509_verify_cert(&csc);
+	result = X509_verify_cert(csc);
 	if ( result != 1 )
 		{
-		const char *reason = X509_verify_cert_error_string(csc.error);
-		X509_STORE_CTX_cleanup(&csc);
-		sk_X509_free(untrusted_certs);
-		return x509_error_record(result, X509_verify_cert_error_string(csc.error));
+		const char *reason = X509_verify_cert_error_string((*csc).error);
+		rval = x509_result_record(result, X509_verify_cert_error_string((*csc).error));
+		goto x509_ocsp_cleanup;
 		}
 
-	int out = OCSP_basic_verify(basic, NULL, ctx, 0);
+	out = OCSP_basic_verify(basic, NULL, ctx, 0);
 	if ( result < 1 )
 		{
-		X509_STORE_CTX_cleanup(&csc);
-		sk_X509_free(untrusted_certs);
-		return x509_error_record(out, ERR_error_string(ERR_get_error(),NULL));
+		rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL));
+		goto x509_ocsp_cleanup;
 		}
 
+
 	// ok, now we verified the OCSP response. This means that we have a valid chain tying it
 	// to a root that we trust and that the signature also hopefully is valid. This does not yet
 	// mean that the ocsp response actually matches the certificate the server send us or that
@@ -266,7 +288,6 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 	// let's start this out by checking that the response is actually for the certificate we want
 	// to validate and not for something completely unrelated that the server is trying to trick us
 	// into accepting.
-	OCSP_CERTID *certid;
 
 	if ( issuer_certificate )
 		certid = OCSP_cert_to_id(NULL, cert, issuer_certificate);
@@ -274,52 +295,80 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 		{
 		// issuer not in list sent by server, check store
 		X509_OBJECT obj;
-		int lookup = X509_STORE_get_by_subject(&csc, X509_LU_X509, X509_get_subject_name(cert), &obj);
+		int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_subject_name(cert), &obj);
 		if ( lookup <= 0)
 			{
-			sk_X509_free(untrusted_certs);
-			X509_STORE_CTX_cleanup(&csc);
-			return x509_error_record(lookup, "Could not find issuer of host certificate");
+			rval = x509_result_record(lookup, "Could not find issuer of host certificate");
+			goto x509_ocsp_cleanup;
 			}
 
 		certid = OCSP_cert_to_id(NULL, cert, obj.data.x509);
 		}
 
-	sk_X509_free(untrusted_certs);
-	X509_STORE_CTX_cleanup(&csc);
 
 	if ( ! certid )
-		return x509_error_record(-1, "Certificate ID construction failed");
+		{
+		rval = x509_result_record(-1, "Certificate ID construction failed");
+		goto x509_ocsp_cleanup;
+		}
 
 	// for now, assume we have one reply...
-	OCSP_SINGLERESP *single = sk_OCSP_SINGLERESP_value(basic->tbsResponseData->responses, 0);
+	single = sk_OCSP_SINGLERESP_value(basic->tbsResponseData->responses, 0);
 	if ( ! single )
-		return x509_error_record(-1, "Could not lookup OCSP response information");
+		{
+		rval = x509_result_record(-1, "Could not lookup OCSP response information");
+		goto x509_ocsp_cleanup;
+		}
 
 	if ( ! OCSP_id_cmp(certid, single->certId) )
-		return x509_error_record(-1, "OCSP reply is not for host certificate");
+		return x509_result_record(-1, "OCSP reply is not for host certificate");
 
 	// next - check freshness of proof...
 	if ( ! ASN1_GENERALIZEDTIME_check(single->thisUpdate) || ! ASN1_GENERALIZEDTIME_check(single->nextUpdate) )
-		return x509_error_record(-1, "OCSP reply contains invalid dates");
+		{
+		rval = x509_result_record(-1, "OCSP reply contains invalid dates");
+		goto x509_ocsp_cleanup;
+		}
 
 	// now - nearly done. Check freshness and status code.
 	// There is a function to check the freshness of the ocsp reply in the ocsp code of OpenSSL. But - it only
 	// supports comparing it against the current time, not against arbitrary times. Hence it is kind of unusable
 	// for us...
 	// Well, we will do it manually.
-	time_t vtime = (time_t) verify_time;
+
 
 	if ( X509_cmp_time(single->thisUpdate, &vtime) > 0 )
-		return x509_error_record(-1, "OCSP reply specifies time in future");
+		rval = x509_result_record(-1, "OCSP reply specifies time in future");
+	else if ( X509_cmp_time(single->nextUpdate, &vtime) < 0 )
+		rval = x509_result_record(-1, "OCSP reply expired");
+	else if ( single->certStatus->type != V_OCSP_CERTSTATUS_GOOD )
+		rval = x509_result_record(-1, OCSP_cert_status_str(single->certStatus->type));
 
-	if ( X509_cmp_time(single->nextUpdate, &vtime) < 0 )
-		return x509_error_record(-1, "OCSP reply expired");
+	// if we have no error so far, we are done.
+	if ( !rval )
+		rval = x509_result_record(1, OCSP_cert_status_str(single->certStatus->type));
 
-	if ( single->certStatus->type != V_OCSP_CERTSTATUS_GOOD )
-		return x509_error_record(-1, OCSP_cert_status_str(single->certStatus->type));
+x509_ocsp_cleanup:
 
-	return x509_error_record(1, OCSP_cert_status_str(single->certStatus->type));
+	if ( untrusted_certs )
+		sk_X509_free(untrusted_certs);
+
+	if ( resp )
+		OCSP_RESPONSE_free(resp);
+
+	if ( basic )
+		OCSP_BASICRESP_free(basic);
+
+	if ( csc )
+		{
+		X509_STORE_CTX_cleanup(csc);
+		X509_STORE_CTX_free(csc);
+		}
+
+	if ( certid )
+		OCSP_CERTID_free(certid);
+
+	return rval;
 	%}
 
 ## Verifies a certificate.
@@ -342,13 +391,14 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 	%{
 	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
 	if ( ! ctx )
-		return x509_error_record(-1, "Problem initializing root store");
+		return x509_result_record(-1, "Problem initializing root store");
+
 
 	VectorVal *certs_vec = certs->AsVectorVal();
 	if ( ! certs_vec || certs_vec->Size() < 1 )
 		{
 		reporter->Error("No certificates given in vector");
-		return x509_error_record(-1, "no certificates");
+		return x509_result_record(-1, "no certificates");
 		}
 
 	// host certificate
@@ -357,21 +407,20 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 	if ( !sv )
 		{
 		builtin_error("undefined value in certificate vector");
-		return x509_error_record(-1, "undefined value in certificate vector");
+		return x509_result_record(-1, "undefined value in certificate vector");
 		}
-
 	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv;
 
 	X509* cert = cert_handle->GetCertificate();
 	if ( ! cert )
 		{
 		builtin_error(fmt("No certificate in opaque"));
-		return x509_error_record(-1, "No certificate in opaque");
+		return x509_result_record(-1, "No certificate in opaque");
 		}
 
 	STACK_OF(X509)* untrusted_certs = x509_get_untrusted_stack(certs_vec);
 	if ( ! untrusted_certs )
-		return x509_error_record(-1, "Problem initializing list of untrusted certificates");
+		return x509_result_record(-1, "Problem initializing list of untrusted certificates");
 
 	X509_STORE_CTX csc;
 	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
@@ -406,11 +455,8 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			else
 				{
 				reporter->InternalWarning("OpenSSL returned null certificate");
-
-				for ( int j = i + 1; i < num_certs; ++j )
-					X509_free(sk_X509_value(chain, j));
-
-				break;
+				sk_X509_pop_free(chain, X509_free);
+				goto x509_verify_chainerror;
 				}
 			}
 
@@ -423,13 +469,7 @@ x509_verify_chainerror:
 
 	sk_X509_free(untrusted_certs);
 
-	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
-
-	rrecord->Assign(0, new Val((uint64) csc.error, TYPE_INT));
-	rrecord->Assign(1, new StringVal(X509_verify_cert_error_string(csc.error)));
-
-	if ( chainVector )
-		rrecord->Assign(2, chainVector);
+	RecordVal* rrecord = x509_result_record(csc.error, X509_verify_cert_error_string(csc.error), chainVector);
 
 	return rrecord;
 	%}

From daab3145fa5c2bd12b79ce899c36000390661c2b Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 19 May 2014 16:36:50 -0500
Subject: [PATCH 100/136] Update submodules, CHANGES, VERSION.

---
 CHANGES      | 4 ++++
 VERSION      | 2 +-
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 aux/btest    | 2 +-
 7 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4e860d7eca..49ea6b6c79 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.3-beta | 2014-05-19 16:36:50 -0500
+
+  * Release 2.3-beta
+
 2.2-478 | 2014-05-19 15:31:33 -0500
 
   * Change record ctors to only allow record-field-assignment
diff --git a/VERSION b/VERSION
index 1754da8f31..7ea57c3270 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-478
+2.3-beta
diff --git a/aux/binpac b/aux/binpac
index b0877edc68..ec1e052afd 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit b0877edc68af6ae08face528fc411c8ce21f2e30
+Subproject commit ec1e052afd5a8cd3d1d2cbb28fcd688018e379a5
diff --git a/aux/bro-aux b/aux/bro-aux
index 6dfc648d22..5721df4f5f 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 6dfc648d22d234d2ba4b1cb0fc74cda2eb023d1e
+Subproject commit 5721df4f5f6fa84de6257cca6582a28e45831786
diff --git a/aux/broccoli b/aux/broccoli
index 561ccdd6ed..c2f5dd2cb7 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 561ccdd6edec4ac5540f3d5565aefb59e7510634
+Subproject commit c2f5dd2cb7876158fdf9721aebd22567db840db1
diff --git a/aux/broctl b/aux/broctl
index 7e5cf52a9e..b70abacfeb 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 7e5cf52a9ef98c7e4d9f0225b082b518f871f728
+Subproject commit b70abacfebb7949bd031aa43182f2c9732bbcec1
diff --git a/aux/btest b/aux/btest
index 4e2ec35917..4da1bd2403 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 4e2ec35917acb883c7d2ab19af487f3863c687ae
+Subproject commit 4da1bd24038d4977e655f2b210f34e37f0b73b78

From 360a93badb6ce3ca55886c379e96cc1906cf067d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 19 May 2014 14:43:46 -0700
Subject: [PATCH 101/136] clean up openssl data structures on exit

---
 src/file_analysis/analyzer/x509/functions.bif | 2 +-
 src/main.cc                                   | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 0192a9b3d9..6cf28eae05 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -211,7 +211,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 
 	// from here, always goto cleanup. Initialize all other required variables...
 	time_t vtime = (time_t) verify_time;
-  OCSP_BASICRESP *basic = 0;
+	OCSP_BASICRESP *basic = 0;
 	OCSP_SINGLERESP *single = 0;
 	X509_STORE_CTX *csc = 0;
 	OCSP_CERTID *certid = 0;
diff --git a/src/main.cc b/src/main.cc
index 10b66083a8..68f1d46547 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -1174,6 +1174,10 @@ int main(int argc, char** argv)
 
 		sqlite3_shutdown();
 
+		ERR_free_strings();
+		EVP_cleanup();
+		CRYPTO_cleanup_all_ex_data();
+
 		// Close files after net_delete(), because net_delete()
 		// might write to connection content files.
 		BroFile::CloseCachedFiles();

From d42135710440c5f937a82bc519621e7f6a21e7dd Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Mon, 19 May 2014 19:39:43 -0500
Subject: [PATCH 102/136] Fix typos and formatting in event and BiF
 documentation

---
 src/analyzer/protocol/dns/events.bif          |  7 +--
 src/analyzer/protocol/pop3/events.bif         | 12 ++---
 src/analyzer/protocol/radius/events.bif       | 15 ++++---
 src/analyzer/protocol/smtp/events.bif         |  8 ++--
 src/analyzer/protocol/snmp/events.bif         | 26 +++++------
 src/analyzer/protocol/ssl/events.bif          | 45 ++++++++++---------
 src/event.bif                                 | 10 ++---
 src/file_analysis/analyzer/x509/events.bif    |  6 +--
 src/file_analysis/analyzer/x509/functions.bif | 23 +++++-----
 9 files changed, 78 insertions(+), 74 deletions(-)

diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index efa0807fd1..c5506046d0 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -367,7 +367,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## str: The textual information returned by the reply.
+## strs: The textual information returned by the reply.
 ##
 ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
@@ -392,6 +392,8 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
+## target: TODO
+##
 ## priority: Priority of the SRV response.
 ##
 ## weight: Weight of the SRV response.
@@ -408,8 +410,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
-## that Bro knows how to parse and generate another more specific specific
-## event.
+## that Bro knows how to parse and generate another more specific event.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index a0a3e1e18d..74cf1f6f68 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -37,7 +37,7 @@ event pop3_request%(c: connection, is_orig: bool,
 ##
 ## msg: The textual description the server sent along with *cmd*.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success  pop3_request
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
@@ -62,7 +62,7 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ##
 ## data: The data sent.
 ##
-## .. bro:see::  pop3_login_failure pop3_login_success pop3_reply pop3_request
+## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -105,8 +105,8 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
-##    pop3_unexpected
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+##    pop3_request pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -128,7 +128,7 @@ event pop3_starttls%(c: connection%);
 ##
 ## password: The password used for authentication.
 ##
-## .. bro:see:: pop3_data pop3_login_failure  pop3_reply pop3_request
+## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -152,7 +152,7 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ##
 ## password: The password attempted for authentication.
 ##
-## .. bro:see:: pop3_data  pop3_login_success pop3_reply pop3_request
+## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
diff --git a/src/analyzer/protocol/radius/events.bif b/src/analyzer/protocol/radius/events.bif
index 797d59a0d3..9382169d47 100644
--- a/src/analyzer/protocol/radius/events.bif
+++ b/src/analyzer/protocol/radius/events.bif
@@ -3,10 +3,9 @@
 ## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
 ## information about RADIUS.
 ##
-## c: The connection
-## msg_type: The value of the code field (1 == Access-Request, 2 == Access-Accept, etc.)
-## trans_id: The RADIUS transaction identifier
-## authenticator: The value of the authenticator field
+## c: The connection.
+##
+## result: TODO
 ##
 event radius_message%(c: connection, result: RADIUS::Message%);
 
@@ -15,9 +14,11 @@ event radius_message%(c: connection, result: RADIUS::Message%);
 ## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
 ## information about RADIUS.
 ##
-## c: The connection
-## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.)
-## authenticator: The value of the authenticator field
+## c: The connection.
+##
+## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
+##
+## value: TODO
 ##
 event radius_attribute%(c: connection, attr_type: count, value: string%);
 
diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
index 7244fa389e..cffe3ba202 100644
--- a/src/analyzer/protocol/smtp/events.bif
+++ b/src/analyzer/protocol/smtp/events.bif
@@ -99,10 +99,10 @@ event smtp_data%(c: connection, is_orig: bool, data: string%);
 ## .. bro:see:: smtp_data  smtp_request smtp_reply
 event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
 
-## Generated if a connection switched to using TLS using STARTTLS. After this event
-## no more SMTP events will be raised for the connection. See the SSL analyzer for
-## related SSL events, which will now be generated.
+## Generated if a connection switched to using TLS using STARTTLS. After this
+## event no more SMTP events will be raised for the connection. See the SSL
+## analyzer for related SSL events, which will now be generated.
 ##
-## c: The connection
+## c: The connection.
 ##
 event smtp_starttls%(c: connection%);
diff --git a/src/analyzer/protocol/snmp/events.bif b/src/analyzer/protocol/snmp/events.bif
index 579ccc4640..6105552342 100644
--- a/src/analyzer/protocol/snmp/events.bif
+++ b/src/analyzer/protocol/snmp/events.bif
@@ -1,6 +1,6 @@
 ## An SNMP ``GetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -14,7 +14,7 @@ event snmp_get_request%(c: connection, is_orig: bool, header: SNMP::Header,
 ## An SNMP ``GetNextRequest-PDU`` message from either :rfc:`1157` or
 ## :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -28,7 +28,7 @@ event snmp_get_next_request%(c: connection, is_orig: bool,
 ## An SNMP ``GetResponse-PDU`` message from :rfc:`1157` or a
 ## ``Response-PDU`` from :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -41,7 +41,7 @@ event snmp_response%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP ``SetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -54,7 +54,7 @@ event snmp_set_request%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP ``Trap-PDU`` message from :rfc:`1157`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -67,7 +67,7 @@ event snmp_trap%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP ``GetBulkRequest-PDU`` message from :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -80,7 +80,7 @@ event snmp_get_bulk_request%(c: connection, is_orig: bool,
 
 ## An SNMP ``InformRequest-PDU`` message from :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -93,7 +93,7 @@ event snmp_inform_request%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP ``SNMPv2-Trap-PDU`` message from :rfc:`1157`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -106,7 +106,7 @@ event snmp_trapV2%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP ``Report-PDU`` message from :rfc:`3416`.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -119,7 +119,7 @@ event snmp_report%(c: connection, is_orig: bool, header: SNMP::Header,
 
 ## An SNMP PDU message of unknown type.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -133,7 +133,7 @@ event snmp_unknown_pdu%(c: connection, is_orig: bool, header: SNMP::Header,
 ## An SNMPv3 ``ScopedPDUData`` of unknown type (neither plaintext or
 ## an encrypted PDU was in the datagram).
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -146,7 +146,7 @@ event snmp_unknown_scoped_pdu%(c: connection, is_orig: bool,
 
 ## An SNMPv3 encrypted PDU message.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
@@ -156,7 +156,7 @@ event snmp_encrypted_pdu%(c: connection, is_orig: bool, header: SNMP::Header%);
 
 ## A datagram with an unknown SNMP version.
 ##
-## c: The connection overwhich the SNMP datagram is sent.
+## c: The connection over which the SNMP datagram is sent.
 ##
 ## is_orig: The endpoint which sent the SNMP datagram.
 ##
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 1503c5833e..0959aeca65 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -86,8 +86,8 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
-## defined in :rfc:`4492` and sent by the client in the initial handshake. It gives
-## the list of elliptic curves supported by the client.
+## defined in :rfc:`4492` and sent by the client in the initial handshake. It
+## gives the list of elliptic curves supported by the client.
 ##
 ## c: The connection.
 ##
@@ -118,13 +118,13 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-## Generated if a named curve is chosen by the server for an SSL/TLS connection. The
-## curve is sent by the server in the ServerKeyExchange message as defined in
-## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
+## Generated if a named curve is chosen by the server for an SSL/TLS connection.
+## The curve is sent by the server in the ServerKeyExchange message as defined
+## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
 ##
 ## c: The connection.
 ##
-## point_formats: List of supported point formats.
+## curve: The curve.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
@@ -151,7 +151,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
-## protocols by the client or the server, respectovely.
+## protocols by the client or the server, respectively.
 ##
 ## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
 ##
@@ -169,15 +169,15 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
 ## defined in :rfc:`3546` and sent by the client in the initial handshake. It
-## contains the name of the server it is contacting. This information can be used
-## by the server to choose the correct certificate for the host the client wants to
-## contact.
+## contains the name of the server it is contacting. This information can be
+## used by the server to choose the correct certificate for the host the client
+## wants to contact.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## protocols: List of supported application layer protocols.
+## names: Name of server.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
@@ -244,9 +244,9 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
-## Generated for SSL/TLS heartbeat messages that are sent before session encryption
-## starts. Generally heartbeat messages should rarely be seen in normal TLS traffic.
-## Heartbeats are described in :rfc:`6520`.
+## Generated for SSL/TLS heartbeat messages that are sent before session
+## encryption starts. Generally heartbeat messages should rarely be seen in
+## normal TLS traffic. Heartbeats are described in :rfc:`6520`.
 ##
 ## c: The connection.
 ##
@@ -254,12 +254,13 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## length: length of the entire heartbeat message.
 ##
-## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
+## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response.
 ##
-## payload_length: length of the payload of the heartbeat message, according to packet field
+## payload_length: length of the payload of the heartbeat message, according to
+##                 packet field.
 ##
-## payload: payload contained in the heartbeat message. Size can differ from payload_length,
-##          if payload_length and actual packet length disagree.
+## payload: payload contained in the heartbeat message. Size can differ from
+##          payload_length, if payload_length and actual packet length disagree.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_encrypted_data
@@ -269,13 +270,13 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ## started.
 ##
 ## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be changed
-## from its default to false for this this event to be generated.  
+## from its default to false for this event to be generated.  
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content type: message type as reported by TLS session layer
+## content_type: message type as reported by TLS session layer.
 ##
 ## length: length of the entire heartbeat message.
 ##
@@ -284,8 +285,8 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
 
 ## This event contains the OCSP response contained in a Certificate Status Request
-## message, when the client requested OCSP stapling and the server supports it. See
-## description in :rfc:`6066`
+## message, when the client requested OCSP stapling and the server supports it.
+## See description in :rfc:`6066`.
 ##
 ## c: The connection.
 ##
diff --git a/src/event.bif b/src/event.bif
index 7e49378fcc..4006888eab 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -360,9 +360,9 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##
 ## .. note::
 ##
-##    Bro comes with a script :doc:`/scripts/policy/misc/capture-loss.bro` that uses
-##    this event to estimate packet loss and report when a predefined threshold
-##    is exceeded.
+##    Bro comes with a script :doc:`/scripts/policy/misc/capture-loss.bro` that
+##    uses this event to estimate packet loss and report when a predefined
+##    threshold is exceeded.
 event gap_report%(dt: interval, info: gap_info%);
 
 ## Generated when a protocol analyzer confirms that a connection is indeed
@@ -1011,8 +1011,8 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
 ##    dns_mapping_valid
 event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
-## A meta event generated for events that Bro raises. This will report all events
-## for which at least one handler is defined.
+## A meta event generated for events that Bro raises. This will report all
+## events for which at least one handler is defined.
 ##
 ## Note that handling this meta event is expensive and should be limited to
 ## debugging purposes.
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index a6db8fac44..fcdeaa31d1 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -43,9 +43,9 @@ event x509_extension%(f: fa_file, ext: X509::Extension%);
 event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 
 ## Generated for the X509 subject alternative name extension seen in a certificate.
-## This extension can be used to allow additional entities to be bound to the subject
-## of the certificate. Usually it is used to specify one or multiple DNS names for 
-## which a certificate is valid.
+## This extension can be used to allow additional entities to be bound to the
+## subject of the certificate. Usually it is used to specify one or multiple DNS
+## names for which a certificate is valid.
 ##
 ## f: The file.
 ##
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 6cf28eae05..b02ce5eea2 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -106,9 +106,9 @@ STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec)
 
 ## Parses a certificate into an X509::Certificate structure.
 ##
-## cert: The X509 certificicate opaque handle
+## cert: The X509 certificate opaque handle.
 ##
-## Returns: A X509::Certificate structure
+## Returns: A X509::Certificate structure.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_verify
@@ -123,13 +123,13 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
 
 ## Returns the string form of a certificate.
 ##
-## cert: The X509 certificate opaque handle
+## cert: The X509 certificate opaque handle.
 ##
 ## pem: A boolean that specifies if the certificate is returned
 ##      in pem-form (true), or as the raw ASN1 encoded binary
 ##      (false).
 ##
-## Returns: X509 certificate as a string
+## Returns: X509 certificate as a string.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
@@ -158,14 +158,14 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 ##
 ## certs: Specifies the certificate chain to use. Server certificate first.
 ##
-## ocsp_reply: the ocsp reply to validate
+## ocsp_reply: the ocsp reply to validate.
 ##
-## root_certs: A list of root certificates to validate the certificate chain
+## root_certs: A list of root certificates to validate the certificate chain.
 ##
 ## verify_time: Time for the validity check of the certificates.
 ##
-## Returns: A record of type X509::Result containing the result code of the verify
-##          operation.
+## Returns: A record of type X509::Result containing the result code of the
+##          verify operation.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse
@@ -377,12 +377,13 @@ x509_ocsp_cleanup:
 ##        the given certificate against the root store given in *root_certs*.
 ##        The host certificate has to be at index 0.
 ##
-## root_certs: A list of root certificates to validate the certificate chain
+## root_certs: A list of root certificates to validate the certificate chain.
 ##
 ## verify_time: Time for the validity check of the certificates.
 ##
-## Returns: A record of type X509::Result containing the result code of the verify
-##          operation. In case of success also returns the full certificate chain.
+## Returns: A record of type X509::Result containing the result code of the
+##          verify operation. In case of success also returns the full
+##          certificate chain.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse

From 11d2d8e549a6a7707db598c794a508bd0b27e100 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Mon, 19 May 2014 21:14:07 -0500
Subject: [PATCH 103/136] Remove remaining references to BROMAGIC

---
 doc/conf.py.in                    | 1 -
 doc/quickstart/index.rst          | 2 +-
 testing/btest/btest.cfg           | 1 -
 testing/external/subdir-btest.cfg | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/doc/conf.py.in b/doc/conf.py.in
index 91e16452f3..9720d12ade 100644
--- a/doc/conf.py.in
+++ b/doc/conf.py.in
@@ -38,7 +38,6 @@ extensions += ["broxygen"]
 bro_binary = os.path.abspath("@CMAKE_SOURCE_DIR@/build/src/bro")
 broxygen_cache="@BROXYGEN_CACHE_DIR@"
 os.environ["BROPATH"] = "@BROPATH@"
-os.environ["BROMAGIC"] = "@BROMAGIC@"
 # ----- End of Broxygen configuration. -----
 
 # -- General configuration -----------------------------------------------------
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index 19add23bd4..b506eb95c2 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -426,7 +426,7 @@ Running Bro Without Installing
 
 For developers that wish to run Bro directly from the ``build/``
 directory (i.e., without performing ``make install``), they will have
-to first adjust ``BROPATH`` and ``BROMAGIC`` to look for scripts and
+to first adjust ``BROPATH`` to look for scripts and
 additional files inside the build directory.  Sourcing either
 ``build/bro-path-dev.sh`` or ``build/bro-path-dev.csh`` as appropriate
 for the current shell accomplishes this and also augments your
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 0130cb6e1d..e750cd0199 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -8,7 +8,6 @@ PartFinalizer   = btest-diff-rst
 
 [environment]
 BROPATH=`bash -c %(testbase)s/../../build/bro-path-dev`
-BROMAGIC=%(testbase)s/../../magic/database
 BRO_SEED_FILE=%(testbase)s/random.seed
 TZ=UTC
 LC_ALL=C
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index f68849314e..f79c432445 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -7,7 +7,6 @@ IgnoreFiles = *.tmp *.swp #* *.trace .gitignore *.skeleton
 
 [environment]
 BROPATH=`bash -c %(testbase)s/../../../build/bro-path-dev`:%(testbase)s/../scripts
-BROMAGIC=%(testbase)s/../../../magic/database
 BRO_SEED_FILE=%(testbase)s/../random.seed
 TZ=UTC
 LC_ALL=C

From d92d84131440e1e00da5c79243617f015de23cc5 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 20 May 2014 10:30:41 -0500
Subject: [PATCH 104/136] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index b70abacfeb..3204daff74 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit b70abacfebb7949bd031aa43182f2c9732bbcec1
+Subproject commit 3204daff74e1c188934ad34c575477ee91542a38

From 1253b7cb8aa73cf6aa2c0eea6d85848b292f2d27 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 20 May 2014 08:33:44 -0700
Subject: [PATCH 105/136] intel framework plugin for ssl server_name extension
 was not updated after api changes :(

Thank you Justin.
---
 scripts/policy/frameworks/intel/seen/ssl.bro | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.bro
index c41dbbdbe1..70c70f5b71 100644
--- a/scripts/policy/frameworks/intel/seen/ssl.bro
+++ b/scripts/policy/frameworks/intel/seen/ssl.bro
@@ -2,10 +2,9 @@
 @load base/protocols/ssl
 @load ./where-locations
 
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 	{
-	if ( is_orig && SSL::extensions[code] == "server_name" && 
-	     c?$ssl && c$ssl?$server_name )
+	if ( is_orig && c?$ssl && c$ssl?$server_name )
 		Intel::seen([$indicator=c$ssl$server_name,
 		             $indicator_type=Intel::DOMAIN,
 		             $conn=c,

From 96f71c24d874b0287a70d8b9eb0adf3ec8947f12 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 20 May 2014 09:28:33 -0700
Subject: [PATCH 106/136] include a few more tls changes that we might want to
 mention in news

---
 NEWS | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index 731e1bb1d6..b6754e1389 100644
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,8 @@ New Functionality
   the default value of "SSL::disable_analyzer_after_detection" from true
   to false to prevent encrypted heartbeats from being ignored.
 
+- StartTLS is now supported for SMTP and POP3.
+
 - The X509 analyzer can now perform OSCP validation.
 
 - Bro now has analyzers for SNMP and Radius, which produce corresponding
@@ -82,9 +84,15 @@ Changed Functionality
 
       event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info);
 
+- In addition, there are several new, more specialized events for a
+  number of x509 extensions.
+
 - Generally, all x509 events and handling functions have changed their
   signatures.
 
+- X509 certificate verification now returns the complete certificate
+  chain that was used for verification.
+
 - Bro no longer special-cases SYN/FIN/RST-filtered traces by not
   reporting missing data. Instead, if Bro never sees any data segments
   for analyzed TCP connections, the new

From 3874286ff7c92a90d89e91b84f556300d9c6eac0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 20 May 2014 12:45:30 -0500
Subject: [PATCH 107/136] Update CHANGES, VERSION, submodules.

---
 CHANGES    | 18 +++++++-----------
 VERSION    |  2 +-
 aux/broctl |  2 +-
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6833811691..ba02da81ff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,15 +1,4 @@
 
-2.3-beta-6 | 2014-05-20 10:55:35 -0500
-
-  * Update intel framework plugin for ssl server_name extension API
-    changes. (Bernhard Amann, Justin Azoff)
-
-2.3-beta-3 | 2014-05-20 10:16:50 -0500
-
-  * Remove remaining references to BROMAGIC (Daniel Thayer)
-
-  * Fix typos and formatting in event and BiF documentation (Daniel Thayer)
-
 2.3-beta | 2014-05-19 16:36:50 -0500
 
   * Release 2.3-beta
@@ -18,6 +7,13 @@
 
   * Fixes for OCSP & x509 analysis memory leak issues. (Bernhard Amann)
 
+  * Remove remaining references to BROMAGIC (Daniel Thayer)
+
+  * Fix typos and formatting in event and BiF documentation (Daniel Thayer)
+
+  * Update intel framework plugin for ssl server_name extension API
+    changes. (Bernhard Amann, Justin Azoff)
+
 2.2-478 | 2014-05-19 15:31:33 -0500
 
   * Change record ctors to only allow record-field-assignment
diff --git a/VERSION b/VERSION
index 8e4b4c9121..7ea57c3270 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-beta-6
+2.3-beta
diff --git a/aux/broctl b/aux/broctl
index 3204daff74..ca3b124212 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 3204daff74e1c188934ad34c575477ee91542a38
+Subproject commit ca3b12421269fce655028c05939e0ff2ee82ca2d

From b16322aefbe09008fa6f68df3d91bed0cf2416e2 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 21 May 2014 10:50:31 -0700
Subject: [PATCH 108/136] fix expression errors in x509 policy scrips when
 unparseable data is in certificate chain.

---
 scripts/policy/protocols/ssl/extract-certs-pem.bro | 2 +-
 scripts/policy/protocols/ssl/validate-certs.bro    | 5 +++--
 scripts/policy/protocols/ssl/validate-ocsp.bro     | 5 ++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.bro
index 549c6943e6..22de3bfb84 100644
--- a/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -29,7 +29,7 @@ global extracted_certs: set[string] = set() &read_expire=1hr &redef;
 
 event ssl_established(c: connection) &priority=5
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || !c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index de22e2d30d..205bf6808e 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -36,7 +36,8 @@ event ssl_established(c: connection) &priority=3
 	local chain: vector of opaque of x509 = vector();
 	for ( i in c$ssl$cert_chain )
 		{
-		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		if ( c$ssl$cert_chain[i]?$x509 )
+			chain[i] = c$ssl$cert_chain[i]$x509$handle;
 		}
 
 	if ( chain_id in recently_validated_certs )
@@ -49,7 +50,7 @@ event ssl_established(c: connection) &priority=3
 		c$ssl$validation_status = result$result_string;
 		recently_validated_certs[chain_id] = result$result_string;
 		}
-		
+
 	if ( c$ssl$validation_status != "ok" )
 		{
 		local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 70205c5a49..01b6853226 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -39,7 +39,10 @@ event ssl_established(c: connection) &priority=3
 
 	local chain: vector of opaque of x509 = vector();
 	for ( i in c$ssl$cert_chain )
-		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		{
+		if ( c$ssl$cert_chain[i]?$x509 )
+			chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		}
 
 	local reply_id = cat(md5_hash(c$ssl$ocsp_response), join_string_vec(c$ssl$cert_chain_fuids, "."));
 

From ff00c0786af01bddc8aa5b455edbb214ff06c4e7 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 21 May 2014 11:01:33 -0700
Subject: [PATCH 109/136] a few more small fixes for chains containing broken
 certs.

---
 scripts/base/protocols/ssl/files.bro            | 4 ++--
 scripts/policy/protocols/ssl/known-certs.bro    | 2 +-
 scripts/policy/protocols/ssl/validate-certs.bro | 2 +-
 src/file_analysis/analyzer/x509/functions.bif   | 4 +++-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index fbdd6e454e..ae0957e00f 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -121,13 +121,13 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 event ssl_established(c: connection) &priority=6
 	{
 	# update subject and issuer information
-	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
+	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 )
 		{
 		c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
 		c$ssl$issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
 		}
 
-	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 )
+	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 )
 		{
 		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index 739b11e767..a3b91953de 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -48,7 +48,7 @@ event bro_init() &priority=5
 
 event ssl_established(c: connection) &priority=3
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 || ! c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index 205bf6808e..b06266e089 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -28,7 +28,7 @@ export {
 event ssl_established(c: connection) &priority=3
 	{
 	# If there aren't any certs we can't very well do certificate validation.
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || !c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local chain_id = join_string_vec(c$ssl$cert_chain_fuids, ".");
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index b02ce5eea2..aaca64585a 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -86,8 +86,10 @@ STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec)
 		{
 		Val *sv = certs_vec->Lookup(i);
 
-		// Fixme: check type
+		if ( !sv )
+			continue;
 
+		// Fixme: check type
 		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
 		if ( ! x )
 			{

From 9a8fc7a47d64ced8d9924e16c648c954c5050029 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 21 May 2014 11:12:19 -0700
Subject: [PATCH 110/136] and more tiny ssl script fixes

---
 scripts/base/protocols/ssl/files.bro        | 2 +-
 scripts/policy/protocols/ssl/heartbleed.bro | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index ae0957e00f..6e75ffa299 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -127,7 +127,7 @@ event ssl_established(c: connection) &priority=6
 		c$ssl$issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
 		}
 
-	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 )
+	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 && c$ssl$client_cert_chain[0]?$x509 )
 		{
 		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index b1dfff867d..77a5e9832a 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -136,7 +136,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 				]);
 	else if ( duration < 1min )
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %d", length, is_orig, duration),
+				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration),
 				$conn=c,
 				$n=length,
 				$identifier=fmt("%s%s", c$uid, "early")
@@ -225,6 +225,9 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
 	{
+	if ( !c?$ssl )
+		return;
+
 	if ( content_type == SSL::HEARTBEAT )
 		event ssl_encrypted_heartbeat(c, is_orig, length);
 	else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )

From cb2eb0228ba7a11164e6be2fd89ade2c9982a0b3 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 21 May 2014 11:24:47 -0700
Subject: [PATCH 111/136] last ssl fixes - missed three more.

This is the last one, I promise.
---
 scripts/policy/protocols/ssl/expiring-certs.bro | 3 ++-
 scripts/policy/protocols/ssl/notary.bro         | 2 +-
 scripts/policy/protocols/ssl/weak-keys.bro      | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index 9c02c63784..4c11c5cef9 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -38,7 +38,8 @@ event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
-		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
+	    ! addr_matches_host(c$id$resp_h, notify_certs_expiration) ||
+	    ! c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];
diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro
index 3646a4d43e..b89f71ba89 100644
--- a/scripts/policy/protocols/ssl/notary.bro
+++ b/scripts/policy/protocols/ssl/notary.bro
@@ -39,7 +39,7 @@ function clear_waitlist(digest: string)
 
 event ssl_established(c: connection) &priority=3
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$sha1 )
 		return;
 
 	local digest = c$ssl$cert_chain[0]$sha1;
diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index 47bb7a8316..f11fb9da5e 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -37,7 +37,8 @@ event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
-	     ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+	     ! addr_matches_host(c$id$resp_h, notify_weak_keys) ||
+	     ! c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];

From 2dc6dc8d867fa7dfd5939ebd9d39372b7d15401f Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 22 May 2014 14:55:08 -0500
Subject: [PATCH 112/136] Remove a duplicate unit test baseline dir.

It overlaps with the lowercased version of the same dir on case
insensitive systems, which has interesting repercussions.
---
 testing/btest/Baseline/BiFs.count_to_addr/out | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 testing/btest/Baseline/BiFs.count_to_addr/out

diff --git a/testing/btest/Baseline/BiFs.count_to_addr/out b/testing/btest/Baseline/BiFs.count_to_addr/out
deleted file mode 100644
index 1254fd94f1..0000000000
--- a/testing/btest/Baseline/BiFs.count_to_addr/out
+++ /dev/null
@@ -1,4 +0,0 @@
-0.0.0.1
-48.21.133.122
-255.255.255.255
-0.0.0.0

From ad6c58ce437135bc373f31f05d53bc14f83e8817 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 27 May 2014 09:30:17 -0500
Subject: [PATCH 113/136] Fix an "unused value" warning.

---
 src/Expr.cc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 8d757fd2dd..65a19ea2e8 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3407,7 +3407,6 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 	loop_over_list(exprs, i)
 		{
 		Expr* e = exprs[i];
-		BroType* t = e->Type();
 
 		if ( e->Tag() != EXPR_FIELD_ASSIGN )
 			{

From ed7273ccf171af53bcba4fc9ca11bce20c784f98 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 28 May 2014 14:52:32 -0500
Subject: [PATCH 114/136] Fix reference counting bug in table coercion
 expressions.

---
 src/Expr.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 65a19ea2e8..4a29c11cb5 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -4330,7 +4330,7 @@ Val* TableCoerceExpr::Fold(Val* v) const
 	if ( tv->Size() > 0 )
 		Internal("coercion of non-empty table/set");
 
-	return new TableVal(Type()->Ref()->AsTableType(), tv->Attrs());
+	return new TableVal(Type()->AsTableType(), tv->Attrs());
 	}
 
 IMPLEMENT_SERIAL(TableCoerceExpr, SER_TABLE_COERCE_EXPR);

From 8383828b02adfe661196d014c19ac18dddcb7806 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 28 May 2014 14:55:24 -0500
Subject: [PATCH 115/136] Fix potential mem leak in remote function/event
 unserialization.

I say potential because a code path to get in the required state is
not obvious (if one even exists).
---
 CHANGES                 | 11 +++++++++++
 VERSION                 |  2 +-
 src/RemoteSerializer.cc |  2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index a6d443053d..72a1ab1414 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
 
+2.3-beta-4 | 2014-05-28 14:55:24 -0500
+
+  * Fix potential mem leak in remote function/event unserialization.
+    (Jon Siwek)
+
+  * Fix reference counting bug in table coercion expressions (Jon Siwek)
+
+  * Fix an "unused value" warning. (Jon Siwek)
+
+  * Remove a duplicate unit test baseline dir. (Jon Siwek)
+
 2.3-beta | 2014-05-19 16:36:50 -0500
 
   * Release 2.3-beta
diff --git a/VERSION b/VERSION
index 7ea57c3270..b0326c75df 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-beta
+2.3-beta-4
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 99ec3d7c1e..675eb37fac 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -2833,6 +2833,7 @@ void RemoteSerializer::GotEvent(const char* name, double time,
 	if ( ! current_peer )
 		{
 		Error("unserialized event from unknown peer");
+		delete_vals(args);
 		return;
 		}
 
@@ -2882,6 +2883,7 @@ void RemoteSerializer::GotFunctionCall(const char* name, double time,
 	if ( ! current_peer )
 		{
 		Error("unserialized function from unknown peer");
+		delete_vals(args);
 		return;
 		}
 

From 8ec8dfa7052df4efff890c8a7528d6b38f01cee4 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 29 May 2014 15:34:42 -0500
Subject: [PATCH 116/136] Fix misc/load-balancing.bro's reference to
 PacketFilter::sampling_filter

BIT-1197 #close
---
 CHANGES                                | 5 +++++
 VERSION                                | 2 +-
 scripts/policy/misc/load-balancing.bro | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 72a1ab1414..905d0a15a8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.3-beta-5 | 2014-05-29 15:34:42 -0500
+
+  * Fix misc/load-balancing.bro's reference to
+    PacketFilter::sampling_filter (Jon Siwek)
+
 2.3-beta-4 | 2014-05-28 14:55:24 -0500
 
   * Fix potential mem leak in remote function/event unserialization.
diff --git a/VERSION b/VERSION
index b0326c75df..3f0af0e6cb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-beta-4
+2.3-beta-5
diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.bro
index c2adf23f09..ba770ae1af 100644
--- a/scripts/policy/misc/load-balancing.bro
+++ b/scripts/policy/misc/load-balancing.bro
@@ -82,7 +82,7 @@ event bro_init() &priority=5
 			++lb_proc_track[that_node$ip, that_node$interface];
 			if ( total_lb_procs > 1 )
 				{
-				that_node$lb_filter = PacketFilter::sample_filter(total_lb_procs, this_lb_proc);
+				that_node$lb_filter = PacketFilter::sampling_filter(total_lb_procs, this_lb_proc);
 				Communication::nodes[no]$capture_filter = that_node$lb_filter;
 				}
 			}

From bb09de782829293863b593c2d30bba98f1f198af Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 30 May 2014 15:31:33 -0700
Subject: [PATCH 117/136] Make buffer for certificate subjects bigger. Flush
 buffer between reads (in case we still get something with a longer subject).

Addresses BIT-1195
---
 src/file_analysis/analyzer/x509/X509.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 23cccc6030..7aa8d0b7e4 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -88,7 +88,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	{
 	::X509* ssl_cert = cert_val->GetCertificate();
 
-	char buf[256]; // we need a buffer for some of the openssl functions
+	char buf[1024]; // we need a buffer for some of the openssl functions
 	memset(buf, 0, sizeof(buf));
 
 	RecordVal* pX509Cert = new RecordVal(BifType::Record::X509::Certificate);
@@ -98,10 +98,12 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
 	int len = BIO_read(bio, &(*buf), sizeof(buf));
 	pX509Cert->Assign(1, new StringVal(len, buf));
+	BIO_reset(bio);
 
 	X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof(buf));
 	pX509Cert->Assign(2, new StringVal(len, buf));
+	BIO_reset(bio);
 	X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof(buf));
 	pX509Cert->Assign(3, new StringVal(len, buf));

From fa2de9cc08a17462211bac6da6638ace721a631d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 30 May 2014 15:37:52 -0700
Subject: [PATCH 118/136] update test baseline

---
 .../scripts.policy.protocols.ssl.validate-ocsp/ssl.log      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
index 4aa18abb22..33b589d9ac 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-05-16-18-20-51
+#open	2014-05-30-22-37-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	ocsp_status
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
-1398367809.790512	CXWv6p3arKYeMETxOg	192.168.4.149	56253	131.253.61.82	443	TLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp384r1	-	-	-	T	Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9	(empty)	CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=	#13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	good
-#close	2014-05-16-18-20-51
+1398367809.790512	CXWv6p3arKYeMETxOg	192.168.4.149	56253	131.253.61.82	443	TLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp384r1	-	-	-	T	Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9	(empty)	CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553	CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	good
+#close	2014-05-30-22-37-19

From f0795b91d1a1164c3aea21efde83a50e0c243ddd Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 3 Jun 2014 12:48:41 -0500
Subject: [PATCH 119/136] Update submodule.

---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index ca3b124212..1e55bff2df 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit ca3b12421269fce655028c05939e0ff2ee82ca2d
+Subproject commit 1e55bff2df49fe7dc3bd54e21050b39530eeb714

From 1d508742560281ccd44a52b285fe5672f71afeb7 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Thu, 5 Jun 2014 15:42:31 +0200
Subject: [PATCH 120/136] Use full digest length instead of just one byte.

When our universal hash function fell back to MD5 for inputs larger than
supported by H3, the computation only returned the first byte of the MD5 result
instead of as many bytes as needed to cover sizeof(Hasher::digest).
---
 src/probabilistic/Hasher.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/probabilistic/Hasher.cc b/src/probabilistic/Hasher.cc
index 1f5f0910ba..0f209bfb5b 100644
--- a/src/probabilistic/Hasher.cc
+++ b/src/probabilistic/Hasher.cc
@@ -108,7 +108,7 @@ Hasher::digest UHF::hash(const void* x, size_t n) const
 
 	MD5(d, 16, d);
 
-	return d[0];
+	return *reinterpret_cast<const Hasher::digest*>(d);
 	}
 
 DefaultHasher::DefaultHasher(size_t k, size_t seed)

From 673607f9a7167f4265c43b22ad34f22c2bd3f577 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Thu, 5 Jun 2014 16:02:25 +0200
Subject: [PATCH 121/136] Switch to double hashing.

For large k, standard hashing imposes an unnecessary overhead. By switchting to
double hashing, we invoke the hash function code at most two times.
---
 src/probabilistic/bloom-filter.bif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif
index 26865f160d..3e6b89fa4f 100644
--- a/src/probabilistic/bloom-filter.bif
+++ b/src/probabilistic/bloom-filter.bif
@@ -44,7 +44,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
 	size_t optimal_k = BasicBloomFilter::K(cells, capacity);
 	size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
                                  name->Len());
-	const Hasher* h = new DefaultHasher(optimal_k, seed);
+	const Hasher* h = new DoubleHasher(optimal_k, seed);
 
 	return new BloomFilterVal(new BasicBloomFilter(h, cells));
 	%}
@@ -84,7 +84,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
 
 	size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
 				       name->Len());
-	const Hasher* h = new DefaultHasher(k, seed);
+	const Hasher* h = new DoubleHasher(k, seed);
 
 	return new BloomFilterVal(new BasicBloomFilter(h, cells));
 	%}

From 2a20e4a5e222fd822e5c8d83b9ee0743ec082dda Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Thu, 5 Jun 2014 13:13:12 -0500
Subject: [PATCH 122/136] Move scripting tutorial out of reference section

---
 doc/index.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/index.rst b/doc/index.rst
index 8d479d2a25..6161ee1ff8 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -31,6 +31,7 @@ Using Bro Section
    httpmonitor/index.rst
    broids/index.rst
    mimestats/index.rst
+   scripting/index.rst
 
 ..
 
@@ -40,7 +41,6 @@ Reference Section
 .. toctree::
    :maxdepth: 2
 
-   scripting/index.rst
    frameworks/index.rst
    script-reference/index.rst
    components/index.rst

From 85f5c05b95975db5f784a159b7a7c26463b60978 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 5 Jun 2014 13:17:52 -0700
Subject: [PATCH 123/136] add new TLS extension type numbers from IANA

---
 scripts/base/protocols/ssl/consts.bro | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 6b40fe8510..969527ed69 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -94,6 +94,10 @@ export {
 		[16] = "application_layer_protocol_negotiation",
 		[17] = "status_request_v2",
 		[18] = "signed_certificate_timestamp",
+		[19] = "client_certificate_type",
+		[20] = "server_certificate_type",
+		[21] = "padding", # temporary till 2015-03-12
+		[22] = "encrypt_then_mac", # temporary till 2015-06-05
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",

From f6156834600bbabfe67e064f61f7a084e521348a Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 6 Jun 2014 10:37:17 -0500
Subject: [PATCH 124/136] Update line numbers for a doc example

---
 doc/scripting/index.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index d92314e41e..60279f65c9 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -1222,7 +1222,7 @@ from the connection relative to the behavior that has been observed by
 Bro.  
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssl/expiring-certs.bro
-   :lines: 60-63
+   :lines: 61-64
 
 In the :doc:`/scripts/policy/protocols/ssl/expiring-certs.bro` script
 which identifies when SSL certificates are set to expire and raises

From de93a5796eef6fadfc943592a40e269850654f79 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 6 Jun 2014 11:28:46 -0500
Subject: [PATCH 125/136] Update line numbers mentioned in scripting tutorial

---
 doc/scripting/index.rst | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index 60279f65c9..b87b01d9f7 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -95,7 +95,7 @@ the information associated with a file for which Bro's file analysis framework h
 generated a hash.  The event handler is passed the file itself as ``f``, the type of digest
 algorithm used as ``kind`` and the hash generated as ``hash``.
 
-On line 3, an ``if`` statement is used to check for the correct type of hash, in this case
+On line 34, an ``if`` statement is used to check for the correct type of hash, in this case
 a SHA1 hash.  It also checks for a mime type we've defined as being of interest as defined in the
 constant ``match_file_types``.  The comparison is made against the expression ``f$mime_type``, which uses
 the ``$`` dereference operator to check the value ``mime_type`` inside the variable ``f``.  Once both
@@ -113,22 +113,22 @@ this event continues and upon receipt of the values returned by
 the malware was first detected and the detection rate by splitting on an text space
 and storing the values returned in a local table variable.  In line 12, if the table
 returned by ``split1`` has two entries, indicating a successful split, we store the detection
-date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 14 and 15 respectively
+date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 18 and 14 respectively
 using the appropriate conversion functions.  From this point on, Bro knows it has seen a file
 transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest
 of the script is dedicated to producing a notice.
 
-On line 17, the detection time is processed into a string representation and stored in
+On line 19, the detection time is processed into a string representation and stored in
 ``readable_first_detected``.  The script then compares the detection rate against the
 ``notice_threshold`` that was defined earlier.  If the detection rate is high enough, the script
-creates a concise description of the notice on line 22, a possible URL to check the sample against
+creates a concise description of the notice on line 20, a possible URL to check the sample against
 ``virustotal.com``'s database, and makes the call to :bro:id:`NOTICE` to hand the relevant information
 off to the Notice framework.
 
-In approximately 25 lines of code, Bro provides an amazing
+In approximately a few dozen lines of code, Bro provides an amazing
 utility that would be incredibly difficult to implement and deploy
-with other products.  In truth, claiming that Bro does this in 25
-lines is a misdirection; there is a truly massive number of things
+with other products.  In truth, claiming that Bro does this in such a small
+number of lines is a misdirection; there is a truly massive number of things
 going on behind-the-scenes in Bro, but it is the inclusion of the
 scripting language that gives analysts access to those underlying
 layers in a succinct and well defined manner.
@@ -657,7 +657,7 @@ using a 20 bit subnet mask.
 
 Because this is a script that doesn't use any kind of network
 analysis, we can handle the event :bro:id:`bro_init` which is always
-generated by Bro's core upon startup.  On lines six and seven, two
+generated by Bro's core upon startup.  On lines five and six, two
 locally scoped vectors are created to hold our lists of subnets and IP
 addresses respectively.  Then, using a set of nested ``for`` loops, we
 iterate over every subnet and every IP address and use an ``if``
@@ -760,7 +760,7 @@ string against which it will be tested to be on the right.
 In the sample above, two local variables are declared to hold our
 sample sentence and regular expression.  Our regular expression in
 this case will return true if the string contains either the word
-``quick`` or the word ``fox``. The ``if`` statement on line six uses
+``quick`` or the word ``fox``. The ``if`` statement on line eight uses
 embedded matching and the ``in`` operator to check for the existence
 of the pattern within the string.  If the statement resolves to true,
 :bro:id:`split` is called to break the string into separate pieces.
@@ -1001,7 +1001,7 @@ filename for the current call to ``Log::write``. The definition for
 this function has to take as its parameters a ``Log::ID`` called id, a
 string called ``path`` and the appropriate record type for the logs called
 ``rec``.  You can see the definition of ``mod5`` used in this example on
-line one conforms to that requirement.  The function simply returns
+line 38 conforms to that requirement.  The function simply returns
 ``factor-mod5`` if the factorial is divisible evenly by 5, otherwise, it
 returns ``factor-non5``.  In the additional ``bro_init`` event
 handler, we define a locally scoped ``Log::Filter`` and assign it a
@@ -1153,7 +1153,7 @@ possible while staying concise.
 
 While much of the script relates to the actual detection, the parts
 specific to the Notice Framework are actually quite interesting in
-themselves.  On line 18 the script's ``export`` block adds the value
+themselves.  On line 13 the script's ``export`` block adds the value
 ``SSH::Interesting_Hostname_Login`` to the enumerable constant
 ``Notice::Type`` to indicate to the Bro core that a new type of notice
 is being defined.  The script then calls ``NOTICE`` and defines the

From 005b7d60c9286dc00f014a7cac23fddf4c7d65f3 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 6 Jun 2014 12:15:38 -0700
Subject: [PATCH 126/136] re-add notice suppression for expiring certificates

---
 scripts/policy/protocols/ssl/expiring-certs.bro | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index 9428923331..04ebeb3c5a 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -39,27 +39,31 @@ event ssl_established(c: connection) &priority=3
 	# If there are no certificates or we are not interested in the server, just return.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
 	     ! addr_matches_host(c$id$resp_h, notify_certs_expiration) ||
-	     ! c$ssl$cert_chain[0]?$x509 )
+	     ! c$ssl$cert_chain[0]?$x509 || ! c$ssl$cert_chain[0]?$sha1 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
+	local hash = c$ssl$cert_chain[0]$sha1;
 	
 	if ( cert$not_valid_before > network_time() )
 		NOTICE([$note=Certificate_Not_Valid_Yet,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
 		        $fuid=fuid]);
 	
 	else if ( cert$not_valid_after < network_time() )
 		NOTICE([$note=Certificate_Expired,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
 		        $fuid=fuid]);
 	
 	else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
 		        $fuid=fuid]);
 	}

From 67c0cc118d08813d80e177d9dc7f18b2817cc3c4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 6 Jun 2014 12:50:54 -0700
Subject: [PATCH 127/136] Add two more ssl events - one triggered for each
 handshake message and one triggered for the tls change cipherspec message.

Also - fix small bug. In case SSL::disable_analyzer_after_detection was set
to F, the ssl_established event would fire after each data packet after the
session is established.
---
 scripts/base/protocols/ssl/consts.bro         | 15 +++++++
 src/analyzer/protocol/ssl/events.bif          | 36 +++++++++++++--
 src/analyzer/protocol/ssl/ssl-analyzer.pac    | 36 ++++++++++++++-
 .../.stdout                                   | 45 +++++++++++++++++++
 .../base/protocols/ssl/handshake-events.test  | 28 ++++++++++++
 5 files changed, 155 insertions(+), 5 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
 create mode 100644 testing/btest/scripts/base/protocols/ssl/handshake-events.test

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 969527ed69..a19aaecbe5 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -26,6 +26,21 @@ export {
 	const V2_CLIENT_MASTER_KEY = 302;
 	const V2_SERVER_HELLO = 304;
 
+	## TLS Handshake types:
+	const HELLO_REQUEST       = 0;
+	const CLIENT_HELLO        = 1;
+	const SERVER_HELLO        = 2;
+	const SESSION_TICKET      = 4; # RFC 5077
+	const CERTIFICATE         = 11;
+	const SERVER_KEY_EXCHANGE = 12;
+	const CERTIFICATE_REQUEST = 13;
+	const SERVER_HELLO_DONE   = 14;
+	const CERTIFICATE_VERIFY  = 15;
+	const CLIENT_KEY_EXCHANGE = 16;
+	const FINISHED            = 20;
+	const CERTIFICATE_URL     = 21; # RFC 3546
+	const CERTIFICATE_STATUS  = 22; # RFC 3546
+
 	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 593ab0fe85..4af0fe2a3f 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -24,8 +24,9 @@
 ##          standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
-## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate
+## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate ssl_handshake_message
+##    ssl_change_cipher_spec
 event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@@ -59,7 +60,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
-##    ssl_dh_server_params
+##    ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -270,7 +271,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ## started.
 ##
 ## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be changed
-## from its default to false for this event to be generated.  
+## from its default to false for this event to be generated.
 ##
 ## c: The connection.
 ##
@@ -294,3 +295,30 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len
 ##
 ## response: OCSP data.
 event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
+
+## This event is raised for each unencrypted SSL/TLS handshake message
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## msg_type: type of the handshake message that was seen
+##
+## length: length of the handshake message that was seen
+##
+## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate ssl_client_hello
+##    ssl_change_cipher_spec
+event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%);
+
+## This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
+## before encryption begins. Traffic will be encrypted following this message.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate ssl_client_hello
+##    ssl_handshake_message
+event ssl_change_cipher_spec%(c: connection, is_orig: bool%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 2c242eb4cb..64d5d78df6 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -86,6 +86,14 @@ function version_ok(vers : uint16) : bool
 
 refine connection SSL_Conn += {
 
+	%member{
+		int established_;
+	%}
+
+	%init{
+		established_ = false;
+	%}
+
 	%cleanup{
 	%}
 
@@ -359,8 +367,10 @@ refine connection SSL_Conn += {
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
 		 if ( client_state_ == STATE_ENCRYPTED &&
-		      server_state_ == STATE_ENCRYPTED )
+		      server_state_ == STATE_ENCRYPTED &&
+		      established_ == false )
 			{
+			established_ = true;
 			BifEvent::generate_ssl_established(bro_analyzer(),
 							bro_analyzer()->Conn());
 			}
@@ -421,6 +431,22 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_ccs(rec: SSLRecord) : bool
+		%{
+		BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.is_orig});
+
+		return true;
+		%}
+
+	function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24) : bool
+		%{
+		BifEvent::generate_ssl_handshake_message(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.is_orig}, msg_type, to_int()(length));
+
+		return true;
+		%}
+
 };
 
 refine typeattr Alert += &let {
@@ -517,3 +543,11 @@ refine typeattr EcServerKeyExchange += &let {
 refine typeattr DhServerKeyExchange += &let {
 	proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
 };
+
+refine typeattr ChangeCipherSpec += &let {
+	proc : bool = $context.connection.proc_ccs(rec);
+};
+
+refine typeattr Handshake += &let {
+	proc : bool = $context.connection.proc_handshake(rec, msg_type, length);
+};
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
new file mode 100644
index 0000000000..c7e3a43cbe
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
@@ -0,0 +1,45 @@
+Handshake, 192.168.1.105, 74.125.224.79, T, 1, 169
+Handshake, 192.168.1.105, 74.125.224.79, F, 2, 81
+Handshake, 192.168.1.105, 74.125.224.79, F, 11, 1620
+Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
+Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
+Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
+CCS, 192.168.1.105, 74.125.224.79, T
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387
+Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
+CCS, 192.168.1.105, 74.125.224.79, F
+Established, 192.168.1.105, 74.125.224.79
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
new file mode 100644
index 0000000000..0dd8725b11
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@@ -0,0 +1,28 @@
+# This tests events not covered by other tests
+
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+
+redef SSL::disable_analyzer_after_detection=F;
+
+event ssl_established(c: connection)
+	{
+	print "Established", c$id$orig_h, c$id$resp_h;
+	}
+
+event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count)
+	{
+	print "Handshake", c$id$orig_h, c$id$resp_h, is_orig, msg_type, length;
+	}
+
+event ssl_change_cipher_spec(c: connection, is_orig: bool)
+	{
+	print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
+	}
+
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+	{
+	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+	}

From edc2774ba8e3cf2641cb4235795f90d0d83359ad Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Fri, 6 Jun 2014 16:55:34 -0500
Subject: [PATCH 128/136] Removed a table from the scripting tutorial

---
 doc/scripting/index.rst | 54 ++---------------------------------------
 1 file changed, 2 insertions(+), 52 deletions(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index b87b01d9f7..f0e113a762 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -1074,7 +1074,8 @@ make a call to :bro:id:`NOTICE` supplying it with an appropriate
 :bro:type:`Notice::Info` record.  Often times the call to ``NOTICE``
 includes just the ``Notice::Type``, and a concise message.  There are
 however, significantly more options available when raising notices as
-seen in the table below.  The only field in the table below whose
+seen in the definition of :bro:type:`Notice::Info`.  The only field in
+``Notice::Info`` whose
 attributes make it a required field is the ``note`` field.  Still,
 good manners are always important and including a concise message in
 ``$msg`` and, where necessary, the contents of the connection record
@@ -1086,57 +1087,6 @@ that are commonly included, ``$identifier`` and ``$suppress_for`` are
 built around the automated suppression feature of the Notice Framework
 which we will cover shortly.  
 
-.. todo::
-
-    Once the link to ``Notice::Info`` work I think we should take out
-    the table. That's too easy to get out of date.
-
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| Field               | Type                                                             | Attributes     | Use                                    |
-+=====================+==================================================================+================+========================================+
-| ts                  | time                                                             | &log &optional | The time of the notice                 |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| uid                 | string                                                           | &log &optional | A unique connection ID                 |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| id                  | conn_id                                                          | &log &optional | A 4-tuple to identify endpoints        |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| conn                | connection                                                       | &optional      | Shorthand for the uid and id           |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| iconn               | icmp_conn                                                        | &optional      | Shorthand for the uid and id           |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| proto               | transport_proto                                                  | &log &optional | Transport protocol                     |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| note                | Notice::Type                                                     | &log           | The Notice::Type of the notice         |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| msg                 | string                                                           | &log &optional | Human readable message                 |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| sub                 | string                                                           | &log &optional | Human readable message                 |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| src                 | addr                                                             | &log &optional | Source address if no conn_id           |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| dst                 | addr                                                             | &log &optional | Destination addr if no conn_id         |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| p                   | port                                                             | &log &optional | Port if no conn_id                     |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| n                   | count                                                            | &log &optional | Count or status code                   |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| src_peer            | event_peer                                                       | &log &optional | Peer that raised the notice            |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| peer_descr          | string                                                           | &log &optional | Text description of the src_peer       |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| actions             | set[Notice::Action]                                              | &log &optional | Actions applied to the notice          |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| policy_items        | set[count]                                                       | &log &optional | Policy items that have been applied    |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| email_body_sections | vector                                                           | &optional       | Body of the email for email notices.  |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| email_delay_tokens  | set[string]                                                      | &optional      | Delay functionality for email notices. |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| identifier          | string                                                           | &optional      | A unique string identifier             |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| suppress_for        | interval                                                         | &log &optional | Length of time to suppress a notice.   |
-+---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-
 One of the default policy scripts raises a notice when an SSH login
 has been heuristically detected and the originating hostname is one
 that would raise suspicion.  Effectively, the script attempts to

From 95c7128d710872f2dc9c50a74c7d310ec1cba2bc Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Sat, 7 Jun 2014 12:31:32 -0500
Subject: [PATCH 129/136] Update some info in the docs

---
 doc/quickstart/index.rst                      | 20 +++++++++----------
 .../framework_notice_shortcuts_01.bro         |  3 +--
 .../framework_notice_shortcuts_02.bro         |  1 -
 doc/scripting/index.rst                       |  4 ++--
 scripts/base/frameworks/notice/main.bro       |  3 ++-
 ...ng_framework_notice_shortcuts_01_bro.btest |  3 +--
 ...ng_framework_notice_shortcuts_02_bro.btest |  1 -
 7 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index b506eb95c2..173373c769 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -234,7 +234,7 @@ is valid before installing it and then restarting the Bro instance:
 .. console::
 
    [BroControl] > check
-   bro is ok.
+   bro scripts are ok.
    [BroControl] > install
    removing old policies in /usr/local/bro/spool/policy/site ... done.
    removing old policies in /usr/local/bro/spool/policy/auto ... done.
@@ -250,15 +250,15 @@ is valid before installing it and then restarting the Bro instance:
 
 Now that the SSL notice is ignored, let's look at how to send an email on
 the SSH notice.  The notice framework has a similar option called
-``emailed_types``, but that can't differentiate between SSH servers and we
-only want email for logins to certain ones.  Then we come to the ``PolicyItem``
-record and ``policy`` set and realize that those are actually what get used
-to implement the simple functionality of ``ignored_types`` and
+``emailed_types``, but using that would generate email for all SSH servers and
+we only want email for logins to certain ones.  There is a ``policy`` hook
+that is actually what is used to implement the simple functionality of
+``ignored_types`` and
 ``emailed_types``, but it's extensible such that the condition and action taken
 on notices can be user-defined.
 
-In ``local.bro``, let's add a new ``PolicyItem`` record to the ``policy`` set
-that only takes the email action for SSH logins to a defined set of servers:
+In ``local.bro``, let's define a new ``policy`` hook handler body
+that takes the email action for SSH logins only for a defined set of servers:
 
 .. code:: bro
 
@@ -276,9 +276,9 @@ that only takes the email action for SSH logins to a defined set of servers:
 
 You'll just have to trust the syntax for now, but what we've done is
 first declare our own variable to hold a set of watched addresses,
-``watched_servers``; then added a record to the policy that will generate
-an email on the condition that the predicate function evaluates to true, which
-is whenever the notice type is an SSH login and the responding host stored
+``watched_servers``; then added a hook handler body to the policy that will
+generate an email whenever the notice type is an SSH login and the responding
+host stored
 inside the ``Info`` record's connection field is in the set of watched servers.
 
 .. note:: Record field member access is done with the '$' character
diff --git a/doc/scripting/framework_notice_shortcuts_01.bro b/doc/scripting/framework_notice_shortcuts_01.bro
index cd51abd5b5..e637ce903e 100644
--- a/doc/scripting/framework_notice_shortcuts_01.bro
+++ b/doc/scripting/framework_notice_shortcuts_01.bro
@@ -2,7 +2,6 @@
 @load base/protocols/ssh/
 
 redef Notice::emailed_types += {
-    SSH::Interesting_Hostname_Login,
-    SSH::Login
+    SSH::Interesting_Hostname_Login
 };
 
diff --git a/doc/scripting/framework_notice_shortcuts_02.bro b/doc/scripting/framework_notice_shortcuts_02.bro
index ac427ac8b7..a3301d138b 100644
--- a/doc/scripting/framework_notice_shortcuts_02.bro
+++ b/doc/scripting/framework_notice_shortcuts_02.bro
@@ -3,5 +3,4 @@
 
 redef Notice::type_suppression_intervals += {
     [SSH::Interesting_Hostname_Login] = 1day,
-    [SSH::Login] = 12hrs,
 };
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index f0e113a762..ba7e2b8d84 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -1252,8 +1252,8 @@ in the call to ``NOTICE``.
 
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro
 
-The Notice Policy shortcut above adds the ``Notice::Types`` of
-SSH::Interesting_Hostname_Login and SSH::Login to the
+The Notice Policy shortcut above adds the ``Notice::Type`` of
+SSH::Interesting_Hostname_Login to the
 Notice::emailed_types set while the shortcut below alters the length
 of time for which those notices will be suppressed.
 
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index 8bf42a33e0..4790245de0 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -20,7 +20,8 @@ export {
 	## category along with the specific notice separating words with
 	## underscores and using leading capitals on each word except for
 	## abbreviations which are kept in all capitals.  For example,
-	## SSH::Login is for heuristically guessed successful SSH logins.
+	## SSH::Password_Guessing is for hosts that have crossed a threshold of
+	## heuristically determined failed SSH logins.
 	type Type: enum {
 		## Notice reporting a count of how often a notice occurred.
 		Tally,
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest
index 0202fa3a28..7a0eaf5cb4 100644
--- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest
@@ -6,7 +6,6 @@ framework_notice_shortcuts_01.bro
 @load base/protocols/ssh/
 
 redef Notice::emailed_types += {
-    SSH::Interesting_Hostname_Login,
-    SSH::Login
+    SSH::Interesting_Hostname_Login
 };
 
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest
index 266a2e1fbb..0e92c5ea32 100644
--- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest
@@ -7,5 +7,4 @@ framework_notice_shortcuts_02.bro
 
 redef Notice::type_suppression_intervals += {
     [SSH::Interesting_Hostname_Login] = 1day,
-    [SSH::Login] = 12hrs,
 };

From 745e28741460c4a8c527d8a576088051dbcb9158 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Sat, 7 Jun 2014 13:13:44 -0500
Subject: [PATCH 130/136] Fix a broken link in the docs

Use quoting in docs to avoid HTML links being generated when docs are built.
---
 doc/scripting/index.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index ba7e2b8d84..932821a8a2 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -947,7 +947,7 @@ Logging Framework when ``Log::write`` is called.  Were there to be
 any name value pairs without the ``&log`` attribute, those fields
 would simply be ignored during logging but remain available for the
 lifespan of the variable.  The next step is to create the logging
-stream with :bro:id:`Log::create_stream` which takes a Log::ID and a
+stream with :bro:id:`Log::create_stream` which takes a ``Log::ID`` and a
 record as its arguments.  In this example, on line 25, we call the
 ``Log::create_stream`` method and pass ``Factor::LOG`` and the
 ``Factor::Info`` record as arguments. From here on out, if we issue
@@ -1253,8 +1253,8 @@ in the call to ``NOTICE``.
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro
 
 The Notice Policy shortcut above adds the ``Notice::Type`` of
-SSH::Interesting_Hostname_Login to the
-Notice::emailed_types set while the shortcut below alters the length
+``SSH::Interesting_Hostname_Login`` to the
+``Notice::emailed_types`` set while the shortcut below alters the length
 of time for which those notices will be suppressed.
 
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_02.bro

From e616554ab8a475d3b33463353ad0fa9a8645d0d9 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 10 Jun 2014 13:38:32 -0500
Subject: [PATCH 131/136] Fix use-after-free in some cases of reassigning a
 table index.

Specifically observed when redef'ing the same index of a table that uses
subnets as indices, though the bug seems like it applies more generally
to anytime TableVal::Assign is provided with just the HashKey parameter
and not the index Val.

Addresses BIT-1202.
---
 src/Val.cc                                      | 11 ++++++++---
 .../language.redef-same-prefixtable-idx/out     |  4 ++++
 .../language/redef-same-prefixtable-idx.bro     | 17 +++++++++++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/language.redef-same-prefixtable-idx/out
 create mode 100644 testing/btest/language/redef-same-prefixtable-idx.bro

diff --git a/src/Val.cc b/src/Val.cc
index 2d75680182..6503cd486f 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1471,13 +1471,19 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		}
 
 	TableEntryVal* new_entry_val = new TableEntryVal(new_val);
+	HashKey k_copy(k->Key(), k->Size(), k->Hash());
 	TableEntryVal* old_entry_val = AsNonConstTable()->Insert(k, new_entry_val);
+	// If the dictionary index already existed, the insert may free up the
+	// memory allocated to the key bytes, so have to assume k is invalid
+	// from here on out.
+	delete k;
+	k = 0;
 
 	if ( subnets )
 		{
 		if ( ! index )
 			{
-			Val* v = RecoverIndex(k);
+			Val* v = RecoverIndex(&k_copy);
 			subnets->Insert(v, new_entry_val);
 			Unref(v);
 			}
@@ -1489,7 +1495,7 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		{
 		Val* rec_index = 0;
 		if ( ! index )
-			index = rec_index = RecoverIndex(k);
+			index = rec_index = RecoverIndex(&k_copy);
 
 		if ( new_val )
 			{
@@ -1547,7 +1553,6 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 	if ( old_entry_val && attrs && attrs->FindAttr(ATTR_EXPIRE_CREATE) )
 		new_entry_val->SetExpireAccess(old_entry_val->ExpireAccessTime());
 
-	delete k;
 	if ( old_entry_val )
 		{
 		old_entry_val->Unref();
diff --git a/testing/btest/Baseline/language.redef-same-prefixtable-idx/out b/testing/btest/Baseline/language.redef-same-prefixtable-idx/out
new file mode 100644
index 0000000000..aa6f21177a
--- /dev/null
+++ b/testing/btest/Baseline/language.redef-same-prefixtable-idx/out
@@ -0,0 +1,4 @@
+{
+[3.0.0.0/8] = 2.0.0.0/8
+}
+2.0.0.0/8
diff --git a/testing/btest/language/redef-same-prefixtable-idx.bro b/testing/btest/language/redef-same-prefixtable-idx.bro
new file mode 100644
index 0000000000..13cf27cc0f
--- /dev/null
+++ b/testing/btest/language/redef-same-prefixtable-idx.bro
@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+const my_table: table[subnet] of subnet &redef;
+
+redef my_table[3.0.0.0/8] = 1.0.0.0/8;
+redef my_table[3.0.0.0/8] = 2.0.0.0/8;
+
+# The above is basically a shorthand for:
+# redef my_table += { [3.0.0.0/8] = 1.0.0.0/8 };
+# redef my_table += { [3.0.0.0/8] = 2.0.0.0/8 };
+
+event bro_init()
+	{
+	print my_table;
+	print my_table[3.0.0.0/8];
+	}

From 9301ef5a4fd0baf170ba778ddaf5e29c743c8a94 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 10 Jun 2014 16:47:26 -0700
Subject: [PATCH 132/136] Fixing SMTP state tracking.

This fixes the case that an SMTP session has multiple mails sent from
the originator but we miss the server's response (e.g., because we
don't see server side packets at all).
---
 scripts/base/protocols/smtp/main.bro          |  57 ++++++++++--------
 .../smtp.log                                  |  11 ++++
 .../all-events.log                            |  26 ++++----
 .../smtp-events.log                           |  26 ++++----
 testing/btest/Traces/smtp-one-side-only.trace | Bin 0 -> 20120 bytes
 .../scripts/base/protocols/smtp/one-side.test |   4 ++
 6 files changed, 73 insertions(+), 51 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log
 create mode 100644 testing/btest/Traces/smtp-one-side-only.trace
 create mode 100644 testing/btest/scripts/base/protocols/smtp/one-side.test

diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index add11f9c09..b54ac977dd 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -58,31 +58,31 @@ export {
 		## Indicates if client activity has been seen, but not yet logged.
 		has_client_activity:  bool            &default=F;
 	};
-	
+
 	type State: record {
 		helo:                     string    &optional;
 		## Count the number of individual messages transmitted during
 		## this SMTP session.  Note, this is not the number of
 		## recipients, but the number of message bodies transferred.
 		messages_transferred:     count     &default=0;
-		
+
 		pending_messages:         set[Info] &optional;
 	};
-	
+
 	## Direction to capture the full "Received from" path.
 	##    REMOTE_HOSTS - only capture the path until an internal host is found.
 	##    LOCAL_HOSTS - only capture the path until the external host is discovered.
 	##    ALL_HOSTS - always capture the entire path.
 	##    NO_HOSTS - never capture the path.
 	const mail_path_capture = ALL_HOSTS &redef;
-	
+
 	## Create an extremely shortened representation of a log line.
 	global describe: function(rec: Info): string;
 
 	global log_smtp: event(rec: Info);
 }
 
-redef record connection += { 
+redef record connection += {
 	smtp:       Info  &optional;
 	smtp_state: State &optional;
 };
@@ -95,7 +95,7 @@ event bro_init() &priority=5
 	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
-	
+
 function find_address_in_smtp_header(header: string): string
 {
 	local ips = find_ip_addresses(header);
@@ -116,17 +116,17 @@ function new_smtp_log(c: connection): Info
 	l$ts=network_time();
 	l$uid=c$uid;
 	l$id=c$id;
-	# The messages_transferred count isn't incremented until the message is 
+	# The messages_transferred count isn't incremented until the message is
 	# finished so we need to increment the count by 1 here.
 	l$trans_depth = c$smtp_state$messages_transferred+1;
-	
+
 	if ( c$smtp_state?$helo )
 		l$helo = c$smtp_state$helo;
-	
+
 	# The path will always end with the hosts involved in this connection.
 	# The lower values in the vector are the end of the path.
 	l$path = vector(c$id$resp_h, c$id$orig_h);
-	
+
 	return l;
 	}
 
@@ -134,7 +134,7 @@ function set_smtp_session(c: connection)
 	{
 	if ( ! c?$smtp_state )
 		c$smtp_state = [];
-	
+
 	if ( ! c?$smtp )
 		c$smtp = new_smtp_log(c);
 	}
@@ -142,17 +142,17 @@ function set_smtp_session(c: connection)
 function smtp_message(c: connection)
 	{
 	if ( c$smtp$has_client_activity )
+		{
 		Log::write(SMTP::LOG, c$smtp);
+		c$smtp = new_smtp_log(c);
+		}
 	}
-	
+
 event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
 	{
 	set_smtp_session(c);
 	local upper_command = to_upper(command);
 
-	if ( upper_command != "QUIT" )
-		c$smtp$has_client_activity = T;
-	
 	if ( upper_command == "HELO" || upper_command == "EHLO" )
 		{
 		c$smtp_state$helo = arg;
@@ -161,23 +161,28 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 
 	else if ( upper_command == "RCPT" && /^[tT][oO]:/ in arg )
 		{
-		if ( ! c$smtp?$rcptto ) 
+		if ( ! c$smtp?$rcptto )
 			c$smtp$rcptto = set();
 		add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]];
+		c$smtp$has_client_activity = T;
 		}
 
 	else if ( upper_command == "MAIL" && /^[fF][rR][oO][mM]:/ in arg )
 		{
+		# Flush last message in case we didn't see the server's acknowledgement.
+		smtp_message(c);
+
 		local partially_done = split1(arg, /:[[:blank:]]*/)[2];
 		c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1];
+		c$smtp$has_client_activity = T;
 		}
 	}
-	
+
 event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                  msg: string, cont_resp: bool) &priority=5
 	{
 	set_smtp_session(c);
-	
+
 	# This continually overwrites, but we want the last reply,
 	# so this actually works fine.
 	c$smtp$last_reply = fmt("%d %s", code, msg);
@@ -198,7 +203,6 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 	{
 	if ( ! c?$smtp ) return;
-	c$smtp$has_client_activity = T;
 
 	if ( h$name == "MESSAGE-ID" )
 		c$smtp$msg_id = h$value;
@@ -241,19 +245,19 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( 1 in addresses )
 			c$smtp$x_originating_ip = to_addr(addresses[1]);
 		}
-	
+
 	else if ( h$name == "X-MAILER" ||
 	          h$name == "USER-AGENT" ||
 	          h$name == "X-USER-AGENT" )
 		c$smtp$user_agent = h$value;
 	}
-	
-# This event handler builds the "Received From" path by reading the 
+
+# This event handler builds the "Received From" path by reading the
 # headers in the mail
 event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 	{
 	# If we've decided that we're done watching the received headers for
-	# whatever reason, we're done.  Could be due to only watching until 
+	# whatever reason, we're done.  Could be due to only watching until
 	# local addresses are seen in the received from headers.
 	if ( ! c?$smtp || h$name != "RECEIVED" || ! c$smtp$process_received_from )
 		return;
@@ -263,7 +267,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		return;
 	local ip = to_addr(text_ip);
 
-	if ( ! addr_matches_host(ip, mail_path_capture) && 
+	if ( ! addr_matches_host(ip, mail_path_capture) &&
 	     ! Site::is_private_addr(ip) )
 		{
 		c$smtp$process_received_from = F;
@@ -280,8 +284,11 @@ event connection_state_remove(c: connection) &priority=-5
 
 event smtp_starttls(c: connection) &priority=5
 	{
-	if ( c?$smtp )
+	if ( c?$smtp ) 
+		{
 		c$smtp$tls = T;
+		c$smtp$has_client_activity = T;
+		}
 	}
 
 function describe(rec: Info): string
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log
new file mode 100644
index 0000000000..0bdb7bf69a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open	2014-06-11-00-56-57
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+1402446189.935267	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	<robin@icir.org>	<robin@icir.org>	-	robin@icir.org	robin@icir.org	-	-	-	Hello1!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
+1402446189.993233	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	<robin@icir.org>	<rsommer@lbl.gov>	-	robin@icir.org	rsommer@lbl.gov	-	-	-	Hello2!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
+#close	2014-06-11-00-56-57
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 44422756e3..b8f576e497 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -91,7 +91,7 @@
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -99,7 +99,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -107,7 +107,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -115,7 +115,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -123,7 +123,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -131,7 +131,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -139,13 +139,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -153,13 +153,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -167,13 +167,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -181,7 +181,7 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
index d097e840dd..23ef5aa03a 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -29,7 +29,7 @@
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -37,7 +37,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -45,7 +45,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -53,7 +53,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -61,7 +61,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -69,7 +69,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -77,13 +77,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -91,13 +91,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -105,13 +105,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -119,7 +119,7 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
diff --git a/testing/btest/Traces/smtp-one-side-only.trace b/testing/btest/Traces/smtp-one-side-only.trace
new file mode 100644
index 0000000000000000000000000000000000000000..1ac9578090d6c0c40598806bd4761ac8c826e93e
GIT binary patch
literal 20120
zcmeI4QD|FL9L7)6ZkBXOw<4u;y4}X&P+Z!i^I=(Av(08@(01A~%TT;Yylbu`xih(S
zSP}cMJ?u%@WD|Vp-hA+BOJAm9RVIiasCy8R!PXT8ndpN}5vBhB=dMTYNf$Y%4`uK#
zJ#Z4v{l0U5`EofAAG!X;<x2t9#8&@SRv2r57llg~$KLxc#E!rm2Wxxl*ZrS;*uKXN
zZfRzNjP;pMCRuXx?d1H0kJ{%iTy42I&9-0M_WgNWJR2x&U3!zTK+~p5Q=mC`EOO;j
ze7~Ww@c~qhT@SH?@ES*r@?LWfS3WE$zdJkE`S;9LwzxC}N)4WBmvj0ED(>nJ*Hesg
z#Z;|gBrhrc2#Uj~m>mqWW3W9OHG3Q~ySZX)O~nq_<5{uCpHR`t<sHK+PCHRMYnP%<
zX)+W<m*<DWEC&WSYFv(+J=|rd<nqDn+@k|C9qi81`@-c0-*?*18>#0;hZB7zCu0|r
zt7Zd6*`Bug_x1Glc)lMW53?7*5=V{ih#BL)k4wJafbS&teOvh6MBh^Oq-%_i*0_3J
z^Dl+j5ZK_T@k*F+?$sxG{Q_R+xz`)QYXQApPP=JOci}{s#UqRlSvS&U_M-0R&q}(#
zf$lZ<%<puZ5W0(?JCZ6ng@ob977C6#weO8hWnQteZo(L{@_8rL846CU=Z`Merbp-q
zodyAljRrLD5<*AlGzd^^G@#Kpj$%Wx(I7yv(SSxz8;T9ZMuPywMgtl>Z74Pr8w~;!
z8x3gmw4vBgY%~Z^Y&4+J(}rS0vC$wvvC)7=PaBF2#YUX~wr~D|21$2-@gX-z0-feQ
zY>?a<@i$2RyulkJ(7svD_!}e>6h!rp;qDb1jcz<=myLo|E~h6g<5aqAl&zv`oU+}V
zarAXJ=M;CtTLt%I-p)irLHNh`e7n1~UU@6Qi%k#u<5T?_;`5Kcyj5w30@7IF|I1r3
z&v#e6mAwdEDjafb*{Hdn`%0y;>L0UnU5|0!cUEIt*^a*dmAA@Hp<tDg`Aj}K>AW`J
znN<f`>$SJ~xLMqPlgnGcY|P)@syvKlUVEzu@OD7W@LY>G<eO+YZT6$?4?jz~ZJ>Jw
z+glA^iko-@b?daZ{C5=!`s-V9s&8q3Y3YGS=yV8d^uu0f&*B=|yg;EkA#|$5#Ck#}
zP^eA_ohmW0p3n&ts+0R19iGtR^-t(e^Aq}_?}Xmgn7P*pT@|2j{e4c;cQ2|h=-yR{
ziS>j|pirF<I#ps~J)sjQR40T^m6%vh=mZMY387OZCe{-=fkJh%PIP!e@2`JCKfq7u
z3;q*&`0~9@=<D1NU9Oq{v7XQg6si+Kr%Ft$Cv*aZ>V(j#5)<nQoj{>FA#|$5#Ck#}
zP^eA_ohq@r>+yu1f)jcVG|X_wEtf#VJcK9oTZjB7^oIicgpLiftiR<lL5&N|&jK#n
z=o~9o%rHOKpyyQQx3iwX{M>%RpPwDSLw-Jy+E+)RB{lKtl<kIssQc7c-mkA6T&qI1
r*Bs=!-IDGS=vHU8!S9ZVUtp_nT~s_=UopiMqmp736qm8jB`f|5hn^y3

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smtp/one-side.test b/testing/btest/scripts/base/protocols/smtp/one-side.test
new file mode 100644
index 0000000000..cffbe1d173
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/one-side.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/smtp-one-side-only.trace %INPUT
+# @TEST-EXEC: btest-diff smtp.log
+
+@load base/protocols/smtp

From da8a1d2489fe4210ceb0f739118cf3dc264e7284 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 11 Jun 2014 12:10:20 -0500
Subject: [PATCH 133/136] Remove unused --with-libmagic configure option.

---
 configure | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/configure b/configure
index 5af2f25c8f..35095c333a 100755
--- a/configure
+++ b/configure
@@ -50,7 +50,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-flex=PATH       path to flex executable
     --with-bison=PATH      path to bison executable
     --with-perl=PATH       path to perl executable
-    --with-libmagic=PATH   path to libmagic install root
 
   Optional Packages in Non-Standard Locations:
     --with-geoip=PATH      path to the libGeoIP install root
@@ -211,9 +210,6 @@ while [ $# -ne 0 ]; do
         --with-perl=*)
             append_cache_entry PERL_EXECUTABLE PATH $optarg
             ;;
-        --with-libmagic=*)
-            append_cache_entry LibMagic_ROOT_DIR PATH $optarg
-            ;;
         --with-geoip=*)
             append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg
             ;;

From 5ebda7cc09ae382235b5528b8e777f69279bbfda Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 11 Jun 2014 12:31:38 -0500
Subject: [PATCH 134/136] Fix doc/test that broke due to a Bro script change.

---
 CHANGES                                                     | 6 ++++++
 VERSION                                                     | 2 +-
 doc/scripting/index.rst                                     | 2 +-
 .../output                                                  | 1 +
 ...de-scripts_policy_protocols_ssl_expiring-certs_bro.btest | 1 +
 5 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index ca4e06be2c..e6395e5b31 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
 
+2.3-beta-22 | 2014-06-11 12:31:38 -0500
+
+  * Fix doc/test that broke due to a Bro script change. (Jon Siwek)
+
+  * Remove unused --with-libmagic configure option. (Jon Siwek)
+
 2.3-beta-20 | 2014-06-10 18:16:51 -0700
 
   * Fix use-after-free in some cases of reassigning a table index.
diff --git a/VERSION b/VERSION
index 0129370024..9f7e30ad0f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-beta-20
+2.3-beta-22
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index d92314e41e..f994079ded 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -1222,7 +1222,7 @@ from the connection relative to the behavior that has been observed by
 Bro.  
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssl/expiring-certs.bro
-   :lines: 60-63
+   :lines: 64-68
 
 In the :doc:`/scripts/policy/protocols/ssl/expiring-certs.bro` script
 which identifies when SSL certificates are set to expire and raises
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output
index 08661d0ea8..cc2d8817bd 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output
@@ -5,4 +5,5 @@ expiring-certs.bro
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
 		        $fuid=fuid]);
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
index 08661d0ea8..cc2d8817bd 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
@@ -5,4 +5,5 @@ expiring-certs.bro
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
 		        $fuid=fuid]);

From 5e23e57025e24848359a4d78828d10b133348938 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Thu, 12 Jun 2014 00:33:55 -0500
Subject: [PATCH 135/136] Fix minor formatting issues in script docs

---
 scripts/base/frameworks/logging/writers/ascii.bro | 10 +++++-----
 scripts/base/frameworks/signatures/main.bro       |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index 50ce450bce..5f59229f7f 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -26,20 +26,20 @@ export {
 	## This option is also available as a per-filter ``$config`` option.
 	const use_json = F &redef;
 
-	## Format of timestamps when writing out JSON. By default, the JSON formatter will
-	## use double values for timestamps which represent the number of seconds from the
-	## UNIX epoch.
+	## Format of timestamps when writing out JSON. By default, the JSON
+	## formatter will use double values for timestamps which represent the
+	## number of seconds from the UNIX epoch.
 	const json_timestamps: JSON::TimestampFormat = JSON::TS_EPOCH &redef;
 
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
 	## the time when the file was opened and closed (the latter at the end).
-        ##
+	##
 	## If writing in JSON format, this is implicitly disabled.
 	const include_meta = T &redef;
 
 	## Prefix for lines with meta information.
-        ##
+	##
 	## This option is also available as a per-filter ``$config`` option.
 	const meta_prefix = "#" &redef;
 
diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro
index f293237acc..5b233d1db1 100644
--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -71,7 +71,7 @@ export {
 		## to be logged has occurred.
 		ts:         time         &log;
 		## A unique identifier of the connection which triggered the
-		## signature match event
+		## signature match event.
 		uid:        string       &log &optional;
 		## The host which triggered the signature match event.
 		src_addr:   addr         &log &optional;

From 5d7b3f850be483c99b6c123387798f408041d825 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 16 Jun 2014 09:48:25 -0500
Subject: [PATCH 136/136] Updating CHANGES and VERSION.

---
 CHANGES    | 4 ++++
 VERSION    | 2 +-
 aux/broctl | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index bb6e27992d..254ce62a0f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.3 | 2014-06-16 09:48:25 -0500
+
+  * Release 2.3.
+
 2.3-beta-33 | 2014-06-12 11:59:28 -0500
 
   * Documentation improvements/fixes. (Daniel Thayer)
diff --git a/VERSION b/VERSION
index 1b87a0fb5c..bb576dbde1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-beta-33
+2.3
diff --git a/aux/broctl b/aux/broctl
index 1e55bff2df..8a13886f32 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 1e55bff2df49fe7dc3bd54e21050b39530eeb714
+Subproject commit 8a13886f322f3b618832c0ca3976e07f686d14da