Update some info in the docs

doc/quickstart/index.rst

@@ -234,7 +234,7 @@ is valid before installing it and then restarting the Bro instance:
 .. console::
 
    [BroControl] > check
-   bro is ok.
+   bro scripts are ok.
    [BroControl] > install
    removing old policies in /usr/local/bro/spool/policy/site ... done.
    removing old policies in /usr/local/bro/spool/policy/auto ... done.
@@ -250,15 +250,15 @@ is valid before installing it and then restarting the Bro instance:
 
 Now that the SSL notice is ignored, let's look at how to send an email on
 the SSH notice.  The notice framework has a similar option called
-``emailed_types``, but that can't differentiate between SSH servers and we
+``emailed_types``, but using that would generate email for all SSH servers and
-only want email for logins to certain ones.  Then we come to the ``PolicyItem``
+we only want email for logins to certain ones.  There is a ``policy`` hook
-record and ``policy`` set and realize that those are actually what get used
+that is actually what is used to implement the simple functionality of
-to implement the simple functionality of ``ignored_types`` and
+``ignored_types`` and
 ``emailed_types``, but it's extensible such that the condition and action taken
 on notices can be user-defined.
 
-In ``local.bro``, let's add a new ``PolicyItem`` record to the ``policy`` set
+In ``local.bro``, let's define a new ``policy`` hook handler body
-that only takes the email action for SSH logins to a defined set of servers:
+that takes the email action for SSH logins only for a defined set of servers:
 
 .. code:: bro
 
@@ -276,9 +276,9 @@ that only takes the email action for SSH logins to a defined set of servers:
 
 You'll just have to trust the syntax for now, but what we've done is
 first declare our own variable to hold a set of watched addresses,
-``watched_servers``; then added a record to the policy that will generate
+``watched_servers``; then added a hook handler body to the policy that will
-an email on the condition that the predicate function evaluates to true, which
+generate an email whenever the notice type is an SSH login and the responding
-is whenever the notice type is an SSH login and the responding host stored
+host stored
 inside the ``Info`` record's connection field is in the set of watched servers.
 
 .. note:: Record field member access is done with the '$' character

doc/scripting/framework_notice_shortcuts_01.bro

@@ -2,7 +2,6 @@
 @load base/protocols/ssh/
 
 redef Notice::emailed_types += {
-    SSH::Interesting_Hostname_Login,
+    SSH::Interesting_Hostname_Login
-    SSH::Login
 };
 

doc/scripting/framework_notice_shortcuts_02.bro

@@ -3,5 +3,4 @@
 
 redef Notice::type_suppression_intervals += {
     [SSH::Interesting_Hostname_Login] = 1day,
-    [SSH::Login] = 12hrs,
 };

doc/scripting/index.rst

@@ -1252,8 +1252,8 @@ in the call to ``NOTICE``.
 
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro
 
-The Notice Policy shortcut above adds the ``Notice::Types`` of
+The Notice Policy shortcut above adds the ``Notice::Type`` of
-SSH::Interesting_Hostname_Login and SSH::Login to the
+SSH::Interesting_Hostname_Login to the
 Notice::emailed_types set while the shortcut below alters the length
 of time for which those notices will be suppressed.
 

scripts/base/frameworks/notice/main.bro

@@ -20,7 +20,8 @@ export {
 	## category along with the specific notice separating words with
 	## underscores and using leading capitals on each word except for
 	## abbreviations which are kept in all capitals.  For example,
-	## SSH::Login is for heuristically guessed successful SSH logins.
+	## SSH::Password_Guessing is for hosts that have crossed a threshold of
+	## heuristically determined failed SSH logins.
 	type Type: enum {
 		## Notice reporting a count of how often a notice occurred.
 		Tally,

testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest

@@ -6,7 +6,6 @@ framework_notice_shortcuts_01.bro
 @load base/protocols/ssh/
 
 redef Notice::emailed_types += {
-    SSH::Interesting_Hostname_Login,
+    SSH::Interesting_Hostname_Login
-    SSH::Login
 };
 

testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest

@@ -7,5 +7,4 @@ framework_notice_shortcuts_02.bro
 
 redef Notice::type_suppression_intervals += {
     [SSH::Interesting_Hostname_Login] = 1day,
-    [SSH::Login] = 12hrs,
 };