Convert more redef-able constants to runtime options

scripts/base/frameworks/dpd/main.bro

@@ -28,11 +28,11 @@ export {
 	};
 
 	## Analyzers which you don't want to throw 
-	const ignore_violations: set[Analyzer::Tag] = set() &redef;
+	option ignore_violations: set[Analyzer::Tag] = set();
 
 	## Ignore violations which go this many bytes into the connection.
 	## Set to 0 to never ignore protocol violations.
-	const ignore_violations_after = 10 * 1024 &redef;
+	option ignore_violations_after = 10 * 1024;
 }
 
 redef record connection += {

scripts/base/frameworks/files/main.bro

@@ -130,7 +130,7 @@ export {
 	const analyze_by_mime_type_automatically = T &redef;
 
 	## The default setting for file reassembly.
-	const enable_reassembler = T &redef;
+	option enable_reassembler = T;
 
 	## The default per-file reassembly buffer size.
 	const reassembly_buffer_size = 524288 &redef;

scripts/base/frameworks/notice/actions/add-geodata.bro

@@ -26,7 +26,7 @@ export {
 	
 	## Notice types which should have the "remote" location looked up.
 	## If GeoIP support is not built in, this does nothing.
-	const lookup_location_types: set[Notice::Type] = {} &redef;
+	option lookup_location_types: set[Notice::Type] = {};
 }
 
 hook policy(n: Notice::Info) &priority=10

scripts/base/frameworks/notice/actions/page.bro

@@ -14,7 +14,7 @@ export {
 	
 	## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE`
 	## action.
-	const mail_page_dest = "" &redef;
+	option mail_page_dest = "";
 }
 
 hook notice(n: Notice::Info) &priority=-5

scripts/base/frameworks/notice/main.bro

@@ -173,13 +173,13 @@ export {
 	};
 
 	## Ignored notice types.
-	const ignored_types: set[Notice::Type] = {} &redef;
+	option ignored_types: set[Notice::Type] = {};
 	## Emailed notice types.
-	const emailed_types: set[Notice::Type] = {} &redef;
+	option emailed_types: set[Notice::Type] = {};
 	## Alarmed notice types.
-	const alarmed_types: set[Notice::Type] = {} &redef;
+	option alarmed_types: set[Notice::Type] = {};
 	## Types that should be suppressed for the default suppression interval.
-	const not_suppressed_types: set[Notice::Type] = {} &redef;
+	option not_suppressed_types: set[Notice::Type] = {};
 	## This table can be used as a shorthand way to modify suppression
 	## intervals for entire notice types.
 	const type_suppression_intervals: table[Notice::Type] of interval = {} &redef;
@@ -190,7 +190,7 @@ export {
 	## Local system sendmail program.
 	##
 	## Note that this is overridden by the BroControl SendMail option.
-	const sendmail            = "/usr/sbin/sendmail" &redef;
+	option sendmail            = "/usr/sbin/sendmail";
 	## Email address to send notices with the
 	## :bro:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
 	## on rotation with :bro:enum:`Notice::ACTION_ALARM`.

scripts/base/frameworks/notice/weird.bro

@@ -255,14 +255,14 @@ export {
 
 	## To completely ignore a specific weird for a host, add the host
 	## and weird name into this set.
-	const ignore_hosts: set[addr, string] &redef;
+	option ignore_hosts: set[addr, string];
 
 	## Don't ignore repeats for weirds in this set.  For example,
 	## it's handy keeping track of clustered checksum errors.
-	const weird_do_not_ignore_repeats = {
+	option weird_do_not_ignore_repeats = {
 		"bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
 		"bad_ICMP_checksum",
-	} &redef;
+	};
 
 	## This table is used to track identifier and name pairs that should be
 	## temporarily ignored because the problem has already been reported.

scripts/base/frameworks/signatures/main.bro

@@ -104,7 +104,7 @@ export {
 	} &redef &default = SIG_ALARM;
 
 	## Signature IDs that should always be ignored.
-	const ignored_ids = /NO_DEFAULT_MATCHES/ &redef;
+	option ignored_ids = /NO_DEFAULT_MATCHES/;
 	
 	## Generate a notice if, for a pair [orig, signature], the number of
 	## different responders has reached one of the thresholds.
@@ -120,7 +120,7 @@ export {
 	
 	## The interval between when :bro:enum:`Signatures::Signature_Summary`
 	## notices are generated.
-	const summary_interval = 1 day &redef;
+	option summary_interval = 1 day;
 
 	## This event can be handled to access/alter data about to be logged
 	## to the signature logging stream.

scripts/base/frameworks/software/main.bro

@@ -68,7 +68,7 @@ export {
 	
 	## Hosts whose software should be detected and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
-	const asset_tracking = LOCAL_HOSTS &redef;
+	option asset_tracking = LOCAL_HOSTS;
 
 	## Other scripts should call this function when they detect software.
 	##

scripts/base/protocols/conn/contents.bro

@@ -18,7 +18,7 @@ module Conn;
 export {
 	## The prefix given to files containing extracted connections as they
 	## are opened on disk.
-	const extraction_prefix = "contents" &redef;
+	option extraction_prefix = "contents";
 	
 	## If this variable is set to ``T``, then all contents of all
 	## connections will be extracted.

scripts/base/protocols/conn/inactivity.bro

@@ -6,15 +6,15 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
+	option analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
 		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
-	} &redef;
+	};
 	
 	## Define inactivity timeouts based on common protocol ports.
-	const port_inactivity_timeouts: table[port] of interval = {
+	option port_inactivity_timeouts: table[port] of interval = {
 		[[21/tcp, 22/tcp, 23/tcp, 513/tcp]] = 1 hrs,
-	} &redef;
+	};
 	
 }
 	

scripts/base/protocols/dce-rpc/main.bro

@@ -28,11 +28,11 @@ export {
 
 	## These are DCE-RPC operations that are ignored, typically due to
 	## the operations being noisy and low value on most networks.
-	const ignored_operations: table[string] of set[string] = {
+	option ignored_operations: table[string] of set[string] = {
 		["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "OpenLocalMachine", "BaseRegEnumKey", "OpenClassesRoot"),
 		["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"),
 		["wkssvc"] = set("NetrWkstaGetInfo"),
-	} &redef;
+	};
 
 	type State: record {
 		uuid       : string &optional;

scripts/base/protocols/dns/main.bro

@@ -118,12 +118,12 @@ export {
 	## is reached (this shouldn't happen unless either the DNS server/resolver
 	## is broken, Bro is not seeing all the DNS traffic, or an AXFR query
 	## response is ongoing).
-	const max_pending_msgs = 50 &redef;
+	option max_pending_msgs = 50;
 
 	## Give up trying to match pending DNS queries or replies across all
 	## query/transaction IDs once there is at least one unmatched query or
 	## reply across this number of different query IDs.
-	const max_pending_query_ids = 50 &redef;
+	option max_pending_query_ids = 50;
 
 	## A record type which tracks the status of DNS queries for a given
 	## :bro:type:`connection`.

scripts/base/protocols/ftp/utils-commands.bro

@@ -18,7 +18,7 @@ export {
 	type PendingCmds: table[count] of CmdArg;
 	
 	## Possible response codes for a wide variety of FTP commands.
-	const cmd_reply_code: set[string, count] = {
+	option cmd_reply_code: set[string, count] = {
 		# According to RFC 959
 		["<init>", [120, 220, 421]],
 		["USER", [230, 331, 332, 421, 530, 500, 501]],
@@ -72,7 +72,7 @@ export {
 		["<init>", 0],    # unexpected command-reply pair
 		["<missing>", 0], # unexpected command-reply pair
 		["QUIT", 0],      # unexpected command-reply pair
-	} &redef;
+	};
 }
 
 function add_pending_cmd(pc: PendingCmds, cmd: string, arg: string): CmdArg

scripts/base/protocols/http/main.bro

@@ -96,7 +96,7 @@ export {
 	};
 
 	## A list of HTTP headers typically used to indicate proxied requests.
-	const proxy_headers: set[string] = {
+	option proxy_headers: set[string] = {
 		"FORWARDED",
 		"X-FORWARDED-FOR",
 		"X-FORWARDED-FROM",
@@ -104,7 +104,7 @@ export {
 		"VIA",
 		"XROXY-CONNECTION",
 		"PROXY-CONNECTION",
-	} &redef;
+	};
 
 	## A list of HTTP methods. Other methods will generate a weird. Note
 	## that the HTTP analyzer will only accept methods consisting solely

scripts/base/protocols/ntlm/main.bro

@@ -33,7 +33,7 @@ export {
 	};
 
 	## DOS and NT status codes that indicate authentication failure.
-	const auth_failure_statuses: set[count] = {
+	option auth_failure_statuses: set[count] = {
 		0x052e0001, # logonfailure
 		0x08c00002, # badClient
 		0x08c10002, # badLogonTime
@@ -46,7 +46,7 @@ export {
 		0xC0000070, # INVALID_WORKSTATION
 		0xC0000071, # PASSWORD_EXPIRED
 		0xC0000072, # ACCOUNT_DISABLED
-	} &redef;
+	};
 }
 
 redef DPD::ignore_violations += { Analyzer::ANALYZER_NTLM };

scripts/base/protocols/rdp/main.bro

@@ -58,11 +58,11 @@ export {
 
 	## If true, detach the RDP analyzer from the connection to prevent
 	## continuing to process encrypted traffic.
-	const disable_analyzer_after_detection = F &redef;
+	option disable_analyzer_after_detection = F;
 
 	## The amount of time to monitor an RDP session from when it is first 
 	## identified. When this interval is reached, the session is logged.
-	const rdp_check_interval = 10secs &redef;
+	option rdp_check_interval = 10secs;
 
 	## Event that can be handled to access the rdp record as it is sent on
 	## to the logging framework.

scripts/base/protocols/smtp/main.bro

@@ -76,7 +76,7 @@ export {
 	##    LOCAL_HOSTS - only capture the path until the external host is discovered.
 	##    ALL_HOSTS - always capture the entire path.
 	##    NO_HOSTS - never capture the path.
-	const mail_path_capture = ALL_HOSTS &redef;
+	option mail_path_capture = ALL_HOSTS;
 
 	## Create an extremely shortened representation of a log line.
 	global describe: function(rec: Info): string;

scripts/base/protocols/ssh/main.bro

@@ -50,12 +50,12 @@ export {
 
 	## The set of compression algorithms. We can't accurately determine
 	## authentication success or failure when compression is enabled.
-	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
+	option compression_algorithms = set("zlib", "zlib@openssh.com");
 
 	## If true, after detection detach the SSH analyzer from the connection
 	## to prevent continuing to process encrypted traffic. Helps with performance
 	## (especially with large file transfers).
-	const disable_analyzer_after_detection = T &redef;
+	option disable_analyzer_after_detection = T;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.

scripts/base/protocols/ssl/main.bro

@@ -91,12 +91,12 @@ export {
 	## The Certificate Transparency log bundle. By default, the ct-list.bro
 	## script sets this to the current list of known logs. Entries
 	## are indexed by (binary) log-id.
-	const ct_logs: table[string] of CTInfo = {} &redef;
+	option ct_logs: table[string] of CTInfo = {};
 
 	## If true, detach the SSL analyzer from the connection to prevent
 	## continuing to process encrypted traffic. Helps with performance
 	## (especially with large file transfers).
-	const disable_analyzer_after_detection = T &redef;
+	option disable_analyzer_after_detection = T;
 
 	## Delays an SSL record for a specific token: the record will not be
 	## logged as long as the token exists or until 15 seconds elapses.

scripts/policy/frameworks/dpd/detect-protocols.bro

@@ -21,7 +21,7 @@ export {
 
 	type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
 
-	const valids: table[Analyzer::Tag, addr, port] of dir = {
+	option valids: table[Analyzer::Tag, addr, port] of dir = {
 		# A couple of ports commonly used for benign HTTP servers.
 
 		# For now we want to see everything.
@@ -37,23 +37,23 @@ export {
 		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
 		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
 		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
-	} &redef;
+	};
 
 	# Set of analyzers for which we suppress Server_Found notices
 	# (but not Protocol_Found).  Along with avoiding clutter in the
 	# log files, this also saves memory because for these we don't
 	# need to remember which servers we already have reported, which
 	# for some can be a lot.
-	const suppress_servers: set [Analyzer::Tag] = {
+	option suppress_servers: set [Analyzer::Tag] = {
 		# Analyzer::ANALYZER_HTTP
-	} &redef;
+	};
 
 	# We consider a connection to use a protocol X if the analyzer for X
 	# is still active (i) after an interval of minimum_duration, or (ii)
 	# after a payload volume of minimum_volume, or (iii) at the end of the
 	# connection.
-	const minimum_duration = 30 secs &redef;
-	const minimum_volume = 4e3 &redef;	# bytes
+	option minimum_duration = 30 secs;
+	option minimum_volume = 4e3;	# bytes
 
 	# How often to check the size of the connection.
 	const check_interval = 5 secs;

scripts/policy/frameworks/files/detect-MHR.bro

@@ -15,18 +15,18 @@ export {
 	};
 
 	## File types to attempt matching against the Malware Hash Registry.
-	const match_file_types = /application\/x-dosexec/ |
+	option match_file_types = /application\/x-dosexec/ |
 	                         /application\/vnd.ms-cab-compressed/ |
 	                         /application\/pdf/ |
 	                         /application\/x-shockwave-flash/ |
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
-	                         /video\/mp4/ &redef;
+	                         /video\/mp4/;
 
 	## The Match notice has a sub message with a URL where you can get more
 	## information about the file. The %s will be replaced with the SHA-1
 	## hash of the file.
-	const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+	option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
 
 	## The malware hash registry runs each malware sample through several
 	## A/V engines.  Team Cymru returns a percentage to indicate how

scripts/policy/frameworks/intel/seen/x509.bro

@@ -6,7 +6,7 @@ module Intel;
 
 export {
         ## Enables the extraction of subject alternate names from the X509 SAN DNS field
-        const enable_x509_ext_subject_alternative_name = T &redef;
+        option enable_x509_ext_subject_alternative_name = T;
 }
 
 event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)

scripts/policy/frameworks/software/vulnerable.bro

@@ -29,11 +29,11 @@ export {
 
 	## The DNS zone where runtime vulnerable software updates will
 	## be loaded from.
-	const vulnerable_versions_update_endpoint = "" &redef;
+	option vulnerable_versions_update_endpoint = "";
 
 	## The interval at which vulnerable versions should grab updates
 	## over DNS.
-	const vulnerable_versions_update_interval = 1hr &redef;
+	option vulnerable_versions_update_interval = 1hr;
 
 	## This is a table of software versions indexed by the name of the
 	## software and a set of version ranges that are declared to be

scripts/policy/misc/capture-loss.bro

@@ -38,7 +38,7 @@ export {
 	};
 	
 	## The interval at which capture loss reports are created.
-	const watch_interval = 15mins &redef;
+	option watch_interval = 15mins;
 	
 	## The percentage of missed data that is considered "too much" 
 	## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be

scripts/policy/misc/dump-events.bro

@@ -11,7 +11,7 @@ export {
 
 	## Only include events matching the given pattern into output. By default, the
 	## pattern matches all events.
-	const include = /.*/ &redef;
+	option include = /.*/;
 }
 
 event new_event(name: string, args: call_argument_vector)

scripts/policy/protocols/conn/known-hosts.bro

@@ -29,7 +29,7 @@ export {
 	
 	## The hosts whose existence should be logged and tracked.
 	## See :bro:type:`Host` for possible choices.
-	const host_tracking = LOCAL_HOSTS &redef;
+	option host_tracking = LOCAL_HOSTS;
 	
 	## Holds the set of all known hosts.  Keys in the store are addresses
 	## and their associated value will always be the "true" boolean.
@@ -44,7 +44,7 @@ export {
 
 	## The timeout interval to use for operations against
 	## :bro:see:`Known::host_store`.
-	const host_store_timeout = 15sec &redef;
+	option host_store_timeout = 15sec;
 
 	## The set of all known addresses to store for preventing duplicate 
 	## logging of addresses.  It can also be used from other scripts to 

scripts/policy/protocols/conn/known-services.bro

@@ -35,7 +35,7 @@ export {
 	
 	## The hosts whose services should be tracked and logged.
 	## See :bro:type:`Host` for possible choices.
-	const service_tracking = LOCAL_HOSTS &redef;
+	option service_tracking = LOCAL_HOSTS;
 
 	type AddrPortPair: record {
 		host: addr;
@@ -56,7 +56,7 @@ export {
 
 	## The timeout interval to use for operations against
 	## :bro:see:`Known::service_store`.
-	const service_store_timeout = 15sec &redef;
+	option service_store_timeout = 15sec;
 
 	## Tracks the set of daily-detected services for preventing the logging
 	## of duplicates, but can also be inspected by other scripts for

scripts/policy/protocols/http/software.bro

@@ -15,7 +15,7 @@ export {
 	};
 
 	## The pattern of HTTP User-Agents which you would like to ignore.
-	const ignored_user_agents = /NO_DEFAULT/ &redef;
+	option ignored_user_agents = /NO_DEFAULT/;
 }
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2

scripts/policy/protocols/modbus/track-memmap.bro

@@ -12,7 +12,7 @@ export {
 	redef enum Log::ID += { Modbus::REGISTER_CHANGE_LOG };
 
 	## The hosts that should have memory mapping enabled.
-	const track_memmap: Host = ALL_HOSTS &redef;
+	option track_memmap: Host = ALL_HOSTS;
 
 	type MemmapInfo: record {
 		## Timestamp for the detected register change.

scripts/policy/protocols/smtp/blocklists.bro

@@ -17,7 +17,7 @@ export {
 
 	# This matches content in SMTP error messages that indicate some
 	# block list doesn't like the connection/mail.
-	const blocklist_error_messages = 
+	option blocklist_error_messages =
 		  /spamhaus\.org\//
 		| /sophos\.com\/security\//
 		| /spamcop\.net\/bl/
@@ -32,7 +32,7 @@ export {
 		| /rbl\.knology\.net\//
 		| /intercept\.datapacket\.net\//
 		| /uceprotect\.net\//
-		| /hostkarma\.junkemailfilter\.com\// &redef;
+		| /hostkarma\.junkemailfilter\.com\//;
 	
 }
 

scripts/policy/protocols/smtp/software.bro

@@ -33,17 +33,17 @@ export {
 	## with incorrect data.  If you would like to detect mail clients for
 	## incoming messages (network traffic originating from a non-local
 	## address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
-	const detect_clients_in_messages_from = LOCAL_HOSTS &redef;
+	option detect_clients_in_messages_from = LOCAL_HOSTS;
 	
 	## A regular expression to match USER-AGENT-like headers to find if a 
 	## message was sent with a webmail interface.
-	const webmail_user_agents = 
+	option webmail_user_agents =
 	                     /^iPlanet Messenger/ 
 	                   | /^Sun Java\(tm\) System Messenger Express/
 	                   | /\(IMP\)/  # Horde Internet Messaging Program
 	                   | /^SquirrelMail/
 	                   | /^NeoMail/ 
-	                   | /ZimbraWebClient/ &redef;
+	                   | /ZimbraWebClient/;
 }
 
 event mime_one_header(c: connection, h: mime_header_rec) &priority=4

scripts/policy/protocols/ssh/interesting-hostnames.bro

@@ -17,14 +17,14 @@ export {
 	};
 	
 	## Strange/bad host names to see successful SSH logins from or to.
-	const interesting_hostnames =
+	option interesting_hostnames =
 			/^d?ns[0-9]*\./ |
 			/^smtp[0-9]*\./ |
 			/^mail[0-9]*\./ |
 			/^pop[0-9]*\./  |
 			/^imap[0-9]*\./ |
 			/^www[0-9]*\./  |
-			/^ftp[0-9]*\./  &redef;
+			/^ftp[0-9]*\./;
 }
 
 function check_ssh_hostname(id: conn_id, uid: string, host: addr)

scripts/policy/protocols/ssl/extract-certs-pem.bro

@@ -19,7 +19,7 @@ export {
 	## Control if host certificates offered by the defined hosts
 	## will be written to the PEM certificates file.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
-	const extract_certs_pem = LOCAL_HOSTS &redef;
+	option extract_certs_pem = LOCAL_HOSTS;
 }
 
 # This is an internally maintained variable to prevent relogging of

scripts/policy/protocols/ssl/known-certs.bro

@@ -29,7 +29,7 @@ export {
 	
 	## The certificates whose existence should be logged and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
-	const cert_tracking = LOCAL_HOSTS &redef;
+	option cert_tracking = LOCAL_HOSTS;
 
 	## Toggles between different implementations of this script.
 	## When true, use a Broker data store, else use a regular Bro set
@@ -52,11 +52,11 @@ export {
 
 	## The expiry interval of new entries in :bro:see:`Known::cert_store`.
 	## This also changes the interval at which certs get logged.
-	const cert_store_expiry = 1day &redef;
+	option cert_store_expiry = 1day;
 
 	## The timeout interval to use for operations against
 	## :bro:see:`Known::cert_store`.
-	const cert_store_timeout = 15sec &redef;
+	option cert_store_timeout = 15sec;
 
 	## The set of all known certificates to store for preventing duplicate 
 	## logging. It can also be used from other scripts to 

scripts/policy/protocols/ssl/notary.bro

@@ -12,7 +12,7 @@ export {
 	};
 
 	## The notary domain to query.
-	const domain = "notary.icsi.berkeley.edu" &redef;
+	option domain = "notary.icsi.berkeley.edu";
 }
 
 redef record SSL::Info += {

scripts/policy/protocols/ssl/weak-keys.bro

@@ -42,7 +42,7 @@ export {
 
 	## Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
 	## encountering old export cipher suites, or RC4 (see RFC7465).
-	const unsafe_ciphers_regex = /(_EXPORT_)|(_RC4_)/ &redef;
+	option unsafe_ciphers_regex = /(_EXPORT_)|(_RC4_)/;
 }
 
 # We check key lengths only for DSA or RSA certificates. For others, we do