Convert more redef-able constants to runtime options

This commit is contained in:
Daniel Thayer 2018-08-24 16:05:44 -05:00
parent 4912513517
commit 01a899255e
36 changed files with 72 additions and 72 deletions


@ -21,7 +21,7 @@ export {
type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
const valids: table[Analyzer::Tag, addr, port] of dir = {
option valids: table[Analyzer::Tag, addr, port] of dir = {
# A couple of ports commonly used for benign HTTP servers.
# For now we want to see everything.
@ -37,23 +37,23 @@ export {
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
} &redef;
};
# Set of analyzers for which we suppress Server_Found notices
# (but not Protocol_Found). Along with avoiding clutter in the
# log files, this also saves memory because for these we don't
# need to remember which servers we already have reported, which
# for some can be a lot.
const suppress_servers: set [Analyzer::Tag] = {
option suppress_servers: set [Analyzer::Tag] = {
# Analyzer::ANALYZER_HTTP
} &redef;
};
# We consider a connection to use a protocol X if the analyzer for X
# is still active (i) after an interval of minimum_duration, or (ii)
# after a payload volume of minimum_volume, or (iii) at the end of the
# connection.
const minimum_duration = 30 secs &redef;
const minimum_volume = 4e3 &redef; # bytes
option minimum_duration = 30 secs;
option minimum_volume = 4e3; # bytes
# How often to check the size of the connection.
const check_interval = 5 secs;
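Review bot: The four declarations converted to `option` in this file keep plain `#` comments (the "A couple of ports commonly used…", "Set of analyzers for which we suppress…", "We consider a connection to use a protocol X…" and "How often to check…" blocks), so unlike the options in the other files of this commit they will not be picked up as doc comments even though they are now meant to be tuned at runtime from config files. Promoting the leading comment of each to `##`, e.g. `## We consider a connection to use a protocol X if the analyzer for X`, would make `minimum_duration`, `minimum_volume`, `valids` and `suppress_servers` discoverable alongside the others. `check_interval` is left as a plain `const`, which looks deliberate since it has no `&redef` to begin with; the code that reads these values is outside the hunk, so I can't tell whether a runtime change to `minimum_duration` applies to connections whose check is already scheduled, and the `##` comment would be the place to say so.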


@ -15,18 +15,18 @@ export {
};
## File types to attempt matching against the Malware Hash Registry.
const match_file_types = /application\/x-dosexec/ |
option match_file_types = /application\/x-dosexec/ |
/application\/vnd.ms-cab-compressed/ |
/application\/pdf/ |
/application\/x-shockwave-flash/ |
/application\/x-java-applet/ |
/application\/jar/ |
/video\/mp4/ &redef;
/video\/mp4/;
## The Match notice has a sub message with a URL where you can get more
## information about the file. The %s will be replaced with the SHA-1
## hash of the file.
const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
## The malware hash registry runs each malware sample through several
## A/V engines. Team Cymru returns a percentage to indicate how
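Review bot: `match_sub_url` can now be changed at runtime from a config file, but nothing checks that the new value still contains exactly the one `%s` that the doc comment says is replaced with the file's SHA-1; a value without it produces a notice sub message with no usable lookup URL, and a value with additional format directives is likely to fail in the formatting call (that call is outside the hunk, so this is inferred). Registering a validator with `Option::set_change_handler` that rejects values not containing a single `%s` would keep the contract stated in the `##` comment, and the config framework's own log of option changes then records who set what. The same absence of validation applies to `match_file_types` just above, though an arbitrary pattern there only widens or narrows matching rather than breaking the notice.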


@ -6,7 +6,7 @@ module Intel;
export {
## Enables the extraction of subject alternate names from the X509 SAN DNS field
const enable_x509_ext_subject_alternative_name = T &redef;
option enable_x509_ext_subject_alternative_name = T;
}
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)


@ -29,11 +29,11 @@ export {
## The DNS zone where runtime vulnerable software updates will
## be loaded from.
const vulnerable_versions_update_endpoint = "" &redef;
option vulnerable_versions_update_endpoint = "";
## The interval at which vulnerable versions should grab updates
## over DNS.
const vulnerable_versions_update_interval = 1hr &redef;
option vulnerable_versions_update_interval = 1hr;
## This is a table of software versions indexed by the name of the
## software and a set of version ranges that are declared to be
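Review bot: `vulnerable_versions_update_endpoint` now decides at runtime, from config files, which DNS zone the vulnerable-version data is loaded from, which turns a deploy-time trust setting into something that can be redirected by any writable config file; the same holds for the notary `option domain = "notary.icsi.berkeley.edu";` later in this commit. Neither option has a change handler, so a malformed or unexpected zone is accepted silently; a handler registered via `Option::set_change_handler` could reject empty-to-nonempty transitions that are not valid domain names, and the `##` comment should state that changing the value redirects the lookups. The code issuing the DNS queries is outside the hunk, so I can't tell whether a new value is used immediately or only at the next `vulnerable_versions_update_interval` tick; that is worth recording in the doc comment as well.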


@ -38,7 +38,7 @@ export {
};
## The interval at which capture loss reports are created.
const watch_interval = 15mins &redef;
option watch_interval = 15mins;
## The percentage of missed data that is considered "too much"
## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be


@ -11,7 +11,7 @@ export {
## Only include events matching the given pattern into output. By default, the
## pattern matches all events.
const include = /.*/ &redef;
option include = /.*/;
}
event new_event(name: string, args: call_argument_vector)


@ -29,7 +29,7 @@ export {
## The hosts whose existence should be logged and tracked.
## See :bro:type:`Host` for possible choices.
const host_tracking = LOCAL_HOSTS &redef;
option host_tracking = LOCAL_HOSTS;
## Holds the set of all known hosts. Keys in the store are addresses
## and their associated value will always be the "true" boolean.
@ -44,7 +44,7 @@ export {
## The timeout interval to use for operations against
## :bro:see:`Known::host_store`.
const host_store_timeout = 15sec &redef;
option host_store_timeout = 15sec;
## The set of all known addresses to store for preventing duplicate
## logging of addresses. It can also be used from other scripts to


@ -35,7 +35,7 @@ export {
## The hosts whose services should be tracked and logged.
## See :bro:type:`Host` for possible choices.
const service_tracking = LOCAL_HOSTS &redef;
option service_tracking = LOCAL_HOSTS;
type AddrPortPair: record {
host: addr;
@ -56,7 +56,7 @@ export {
## The timeout interval to use for operations against
## :bro:see:`Known::service_store`.
const service_store_timeout = 15sec &redef;
option service_store_timeout = 15sec;
## Tracks the set of daily-detected services for preventing the logging
## of duplicates, but can also be inspected by other scripts for


@ -15,7 +15,7 @@ export {
};
## The pattern of HTTP User-Agents which you would like to ignore.
const ignored_user_agents = /NO_DEFAULT/ &redef;
option ignored_user_agents = /NO_DEFAULT/;
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2


@ -12,7 +12,7 @@ export {
redef enum Log::ID += { Modbus::REGISTER_CHANGE_LOG };
## The hosts that should have memory mapping enabled.
const track_memmap: Host = ALL_HOSTS &redef;
option track_memmap: Host = ALL_HOSTS;
type MemmapInfo: record {
## Timestamp for the detected register change.


@ -17,7 +17,7 @@ export {
# This matches content in SMTP error messages that indicate some
# block list doesn't like the connection/mail.
const blocklist_error_messages =
option blocklist_error_messages =
/spamhaus\.org\//
| /sophos\.com\/security\//
| /spamcop\.net\/bl/
@ -32,7 +32,7 @@ export {
| /rbl\.knology\.net\//
| /intercept\.datapacket\.net\//
| /uceprotect\.net\//
| /hostkarma\.junkemailfilter\.com\// &redef;
| /hostkarma\.junkemailfilter\.com\//;
}


@ -33,17 +33,17 @@ export {
## with incorrect data. If you would like to detect mail clients for
## incoming messages (network traffic originating from a non-local
## address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
const detect_clients_in_messages_from = LOCAL_HOSTS &redef;
option detect_clients_in_messages_from = LOCAL_HOSTS;
## A regular expression to match USER-AGENT-like headers to find if a
## message was sent with a webmail interface.
const webmail_user_agents =
option webmail_user_agents =
/^iPlanet Messenger/
| /^Sun Java\(tm\) System Messenger Express/
| /\(IMP\)/ # Horde Internet Messaging Program
| /^SquirrelMail/
| /^NeoMail/
| /ZimbraWebClient/ &redef;
| /ZimbraWebClient/;
}
event mime_one_header(c: connection, h: mime_header_rec) &priority=4


@ -17,14 +17,14 @@ export {
};
## Strange/bad host names to see successful SSH logins from or to.
const interesting_hostnames =
option interesting_hostnames =
/^d?ns[0-9]*\./ |
/^smtp[0-9]*\./ |
/^mail[0-9]*\./ |
/^pop[0-9]*\./ |
/^imap[0-9]*\./ |
/^www[0-9]*\./ |
/^ftp[0-9]*\./ &redef;
/^ftp[0-9]*\./;
}
function check_ssh_hostname(id: conn_id, uid: string, host: addr)


@ -19,7 +19,7 @@ export {
## Control if host certificates offered by the defined hosts
## will be written to the PEM certificates file.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
const extract_certs_pem = LOCAL_HOSTS &redef;
option extract_certs_pem = LOCAL_HOSTS;
}
# This is an internally maintained variable to prevent relogging of


@ -29,7 +29,7 @@ export {
## The certificates whose existence should be logged and tracked.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
const cert_tracking = LOCAL_HOSTS &redef;
option cert_tracking = LOCAL_HOSTS;
## Toggles between different implementations of this script.
## When true, use a Broker data store, else use a regular Bro set
@ -52,11 +52,11 @@ export {
## The expiry interval of new entries in :bro:see:`Known::cert_store`.
## This also changes the interval at which certs get logged.
const cert_store_expiry = 1day &redef;
option cert_store_expiry = 1day;
## The timeout interval to use for operations against
## :bro:see:`Known::cert_store`.
const cert_store_timeout = 15sec &redef;
option cert_store_timeout = 15sec;
## The set of all known certificates to store for preventing duplicate
## logging. It can also be used from other scripts to
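Review bot: `cert_store_expiry` is now a runtime option, but its doc comment promises that it sets the expiry of new entries in `Known::cert_store` and also changes the interval at which certs get logged; if the store is created once at startup with this value (the creation code is outside the hunk, so this is inferred), a later change through the config framework would not alter the existing store's expiry, and the comment would then be misleading. The `##` comment should say when a change takes effect, e.g. `## Changing this at runtime only affects entries inserted afterwards.` or, if the store is recreated, say that instead. `cert_store_timeout` looks like a per-operation value and is less likely to have this problem, but the same wording check applies to it and to the matching `host_store_timeout` and `service_store_timeout` options earlier in this commit.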


@ -12,7 +12,7 @@ export {
};
## The notary domain to query.
const domain = "notary.icsi.berkeley.edu" &redef;
option domain = "notary.icsi.berkeley.edu";
}
redef record SSL::Info += {


@ -42,7 +42,7 @@ export {
## Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
## encountering old export cipher suites, or RC4 (see RFC7465).
const unsafe_ciphers_regex = /(_EXPORT_)|(_RC4_)/ &redef;
option unsafe_ciphers_regex = /(_EXPORT_)|(_RC4_)/;
}
# We check key lengths only for DSA or RSA certificates. For others, we do