From 8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 25 Apr 2012 14:38:11 -0400
Subject: [PATCH 1/4] Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space"

---
 scripts/base/utils/site.bro | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.bro
index 4aeb70fe3f..e8db91f3d1 100644
--- a/scripts/base/utils/site.bro
+++ b/scripts/base/utils/site.bro
@@ -10,8 +10,10 @@ export {
 const private_address_space: set[subnet] = {
 10.0.0.0/8,
 192.168.0.0/16,
+172.16.0.0/12,
+100.64.0.0/10, # RFC6598 Carrier Grade NAT
 127.0.0.0/8,
-172.16.0.0/12
+[fe80::]/16,
 } &redef;
 
 ## Networks that are considered "local".

From c561a44326f696826011f5212501ca09251856fc Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 26 Apr 2012 10:45:28 -0400
Subject: [PATCH 2/4] Fixed a problem where cluster workers were still processing notices in some cases.

---
 scripts/base/frameworks/notice/cluster.bro | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro
index 281901cf31..087c3ead51 100644
--- a/scripts/base/frameworks/notice/cluster.bro
+++ b/scripts/base/frameworks/notice/cluster.bro
@@ -23,7 +23,10 @@ redef Cluster::worker2manager_events += /Notice::cluster_notice/;
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
 # The notice policy is completely handled by the manager and shouldn't be
 # done by workers or proxies to save time for packet processing.
-redef policy = {};
+event bro_init() &priority=-11
+{
+Notice::policy = table();
+}
 
 event Notice::begin_suppression(n: Notice::Info)
 {

From 8f91ecee7197329ba7ddc0dbf4cf01831b86e17a Mon Sep 17 00:00:00 2001
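Review bot: The IPv6 side of private_address_space still lacks the unique local address block fc00::/7 (RFC 4193), which is the IPv6 counterpart of the RFC 1918 ranges this hunk completes, so whatever consumes this set (presumably Site::is_private_addr and the notice/scan logic built on it) will not treat ULA traffic as private. Suggest adding `[fc00::]/7, # RFC4193 unique local addresses` next to the link-local entry; the same omission remains in the [PATCH 3/4] hunk that revises this list. The `export {` block enclosing the set begins outside the hunk.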
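Review bot: The priority in `event bro_init() &priority=-11` is undocumented; the existing comment says why workers and proxies clear the policy but not why -11 was chosen, which is presumably so the handler runs after any bro_init handler elsewhere that populates Notice::policy, since a later handler at a lower priority would reinstate a policy on this node. Suggest extending the comment with `# Priority -11 so this runs after other bro_init handlers that add to Notice::policy; a handler with a lower priority would re-populate it on this node.` Note also that `Notice::policy = table();` only type-checks if Notice::policy is declared as a table and is assignable at runtime, whereas the removed `redef policy = {};` worked for either a set or a table; confirm against the declaration in notice/main.bro. The `@if` block enclosing this hunk continues past its last line.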
From: Seth Hall
Date: Fri, 27 Apr 2012 01:24:41 -0400
Subject: [PATCH 3/4] Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space.

---
 scripts/base/utils/site.bro | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.bro
index e8db91f3d1..e6afd1c6a5 100644
--- a/scripts/base/utils/site.bro
+++ b/scripts/base/utils/site.bro
@@ -13,7 +13,8 @@ export {
 172.16.0.0/12,
 100.64.0.0/10, # RFC6598 Carrier Grade NAT
 127.0.0.0/8,
-[fe80::]/16,
+[fe80::]/10,
+[::1]/128,
 } &redef;
 
 ## Networks that are considered "local".

From bff3cba129720f208a8931d59861b9e2ba841e83 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Fri, 27 Apr 2012 16:18:14 -0700
Subject: [PATCH 4/4] Add two more TLS extension values that we see in live traffic.

- origin_bound_certificates is a current draft http://tools.ietf.org/html/draft-balfanz-tls-obc-01
- encrypted client certificates is a draft that expired yesterday. http://tools.ietf.org/html/draft-agl-tls-encryptedclientcerts-00
---
 scripts/base/protocols/ssl/consts.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 6c33e6e438..42989a4cb9 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -81,6 +81,8 @@ export {
 [35] = "SessionTicket TLS",
 [40] = "extended_random",
 [13172] = "next_protocol_negotiation",
+[13175] = "origin_bound_certificates",
+[13180] = "encrypted_client_certificates",
 [65281] = "renegotiation_info"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
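Review bot: The two added entries carry no comment pointing at where the values come from, even though 13175 and 13180 are draft-era code points rather than registered extension types (the commit message cites draft-balfanz-tls-obc-01 and draft-agl-tls-encryptedclientcerts-00, the latter already expired), so a reader of consts.bro cannot tell that these names are tentative and may need revisiting if the registry assigns those numbers differently. Suggest `[13175] = "origin_bound_certificates", # draft-balfanz-tls-obc-01` and `[13180] = "encrypted_client_certificates", # draft-agl-tls-encryptedclientcerts-00 (expired)`. The table definition this hunk extends begins outside the hunk.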