Convert more redef-able constants to runtime options

Daniel Thayer 2018-08-24 16:05:44 -05:00
parent 4912513517
commit 01a899255e
36 changed files with 72 additions and 72 deletions


@ -21,7 +21,7 @@ export {
type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
const valids: table[Analyzer::Tag, addr, port] of dir = {
option valids: table[Analyzer::Tag, addr, port] of dir = {
# A couple of ports commonly used for benign HTTP servers.
# For now we want to see everything.
@ -37,23 +37,23 @@ export {
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
} &redef;
};
# Set of analyzers for which we suppress Server_Found notices
# (but not Protocol_Found). Along with avoiding clutter in the
# log files, this also saves memory because for these we don't
# need to remember which servers we already have reported, which
# for some can be a lot.
const suppress_servers: set [Analyzer::Tag] = {
option suppress_servers: set [Analyzer::Tag] = {
# Analyzer::ANALYZER_HTTP
} &redef;
};
# We consider a connection to use a protocol X if the analyzer for X
# is still active (i) after an interval of minimum_duration, or (ii)
# after a payload volume of minimum_volume, or (iii) at the end of the
# connection.
const minimum_duration = 30 secs &redef;
const minimum_volume = 4e3 &redef; # bytes
option minimum_duration = 30 secs;
option minimum_volume = 4e3; # bytes
# How often to check the size of the connection.
const check_interval = 5 secs;
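Review bot: The newly runtime-settable `valids`, `suppress_servers`, `minimum_duration` and `minimum_volume` are described only with plain `#` comments, so the descriptions do not attach to the declarations in generated docs, unlike the `##` doc comments used for the options in the other files of this commit; changing those leading lines to `##` (e.g. `## How often to check the size of the connection.` style for each) would fix that. If `minimum_duration` is read when the per-connection size check is scheduled (that code is outside the hunk), a value set at runtime presumably applies only to connections seen after the change, which is worth one sentence in the doc comment. `check_interval` stays a non-redef `const`, which looks intentional. The export block opened at the hunk header closes outside the hunk.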


@ -15,18 +15,18 @@ export {
};
## File types to attempt matching against the Malware Hash Registry.
const match_file_types = /application\/x-dosexec/ |
option match_file_types = /application\/x-dosexec/ |
/application\/vnd.ms-cab-compressed/ |
/application\/pdf/ |
/application\/x-shockwave-flash/ |
/application\/x-java-applet/ |
/application\/jar/ |
/video\/mp4/ &redef;
/video\/mp4/;
## The Match notice has a sub message with a URL where you can get more
## information about the file. The %s will be replaced with the SHA-1
## hash of the file.
const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
## The malware hash registry runs each malware sample through several
## A/V engines. Team Cymru returns a percentage to indicate how
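Review bot: `match_sub_url` becomes a template that the doc comment says has its `%s` replaced by the hash, but nothing constrains a value set at runtime through the config framework to contain exactly one `%s`; a value with extra or missing directives would presumably only surface as a bad or failing substitution when a match fires. At minimum the doc comment should state the contract, `## Must contain exactly one %s directive.`, and a change handler that rejects values not matching that could enforce it. The export block continues past the end of the hunk.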


@ -6,7 +6,7 @@ module Intel;
export {
## Enables the extraction of subject alternate names from the X509 SAN DNS field
const enable_x509_ext_subject_alternative_name = T &redef;
option enable_x509_ext_subject_alternative_name = T;
}
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)


@ -29,11 +29,11 @@ export {
## The DNS zone where runtime vulnerable software updates will
## be loaded from.
const vulnerable_versions_update_endpoint = "" &redef;
option vulnerable_versions_update_endpoint = "";
## The interval at which vulnerable versions should grab updates
## over DNS.
const vulnerable_versions_update_interval = 1hr &redef;
option vulnerable_versions_update_interval = 1hr;
## This is a table of software versions indexed by the name of the
## software and a set of version ranges that are declared to be