diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
new file mode 100644
index 0000000000..d4feda9392
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dce_rpc
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
+#types time string addr port addr port interval string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 0.000758 49676 netlogon NetrLogonSamLogonWithFlags
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
new file mode 100644
index 0000000000..97fcc0b7e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 netlogon_dce_rpc_auth_type 68 F zeek DCE_RPC
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
new file mode 100644
index 0000000000..cb6a77ebf5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ntlm
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
+#types time string addr port addr port string string string string string string bool
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.10.121 58772 10.10.10.120 54784 - - - CBTH-WS-2 CBTH-WS-2.blackclover.local blackclover.local -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap
new file mode 100644
index 0000000000..3de5d2c983
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap differ
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap
new file mode 100644
index 0000000000..fc5574256b
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek
new file mode 100644
index 0000000000..03560c31e1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff dce_rpc.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
+@load base/frameworks/notice/weird
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
new file mode 100644
index 0000000000..6188eb10bb
--- /dev/null
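Review bot: The new dce_rpc_netlogon.zeek test says nothing about what its two baselines are meant to pin down, so a future baseline update (btest -U) could silently absorb a regression in either file. I would add a header comment above the @TEST-EXEC lines, e.g. `# Netlogon over DCE-RPC: the NetrLogonSamLogonWithFlags call must reach dce_rpc.log, and the connection's auth type (68 in this trace) must be reported as the netlogon_dce_rpc_auth_type weird rather than aborting analysis.` It would also help to state why `base/protocols/ntlm` is loaded here, since the test only diffs weird.log and dce_rpc.log; if it is needed for the authentication parsing to run, say so in a comment, otherwise drop the load so the test exercises only what it asserts.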
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
+# @TEST-EXEC: btest-diff ntlm.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
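Review bot: dce_rpc_ntlm.zeek loads the DCE-RPC analyzer but only diffs ntlm.log, unlike the sibling dce_rpc_netlogon.zeek which also pins dce_rpc.log, so a regression in how this trace's DCE-RPC binding is parsed would go unnoticed as long as the NTLM fields still come out. If the trace yields dce_rpc.log records, add `# @TEST-EXEC: btest-diff dce_rpc.log` with a matching baseline; if it does not, a one-line comment saying so would stop the next reader from asking. The ntlm.log baseline has username, hostname, domainname and success all unset, which looks intentional for this trace but deserves a comment such as `# Only the server-side NTLM names are expected here; client fields and success stay unset.` so the baseline is not "fixed" by hand later.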