More script updates.

policy/software/base.bro

@@ -122,9 +122,9 @@ function parse_mozilla(unparsed_version: string,
 		software_name = "MSIE"; 
 		v = [$major=8,$minor=0];
 		}
-	else if ( /[cC]ompatible; MSIE [0-9\.]*/ in unparsed_version )
+	else if ( / MSIE [0-9\.]*b?[0-9]*;/ in unparsed_version )
 		{
-		parts = split_all(unparsed_version, /MSIE [0-9\.]*/);
+		parts = split_all(unparsed_version, /MSIE [0-9\.]*b?[0-9]*/);
 		if ( 2 in parts )
 			return parse(parts[2], host, software_type);
 		}
@@ -139,9 +139,9 @@ function parse_mozilla(unparsed_version: string,
 				v$addl = "Mobile";
 			}
 		}
-	else if ( /Firefox\/[0-9\.]*/ in unparsed_version )
+	else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
 		{
-		parts = split_all(unparsed_version, /Firefox\/[0-9\.]*/);
+		parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
 		if ( 2 in parts )
 			return parse(parts[2], host, software_type);
 		}
@@ -175,12 +175,6 @@ function parse_mozilla(unparsed_version: string,
 				v = parse(parts[2], host, software_type)$version;
 			}
 		}
-	else if ( /Thunderbird\/[0-9\.]*/ in unparsed_version )
-		{
-		parts = split_all(unparsed_version, /Thunderbird\/[0-9\.]*/);
-		if ( 2 in parts )
-			return parse(parts[2], host, software_type);
-		}
 
 	return [$ts=network_time(), $host=host, $name=software_name, $version=v,
 	        $software_type=software_type, $unparsed_version=unparsed_version];

policy/software/vulnerable.bro

@@ -4,7 +4,7 @@
 module Software;
 
 redef enum Notice::Type += {
-	VULNERABLE,
+	Vulnerable_Version,
 };
 
 export {
@@ -23,7 +23,7 @@ event log_software(rec: Info)
 	if ( rec$name in vulnerable_versions &&
 	     cmp_versions(rec$version, vulnerable_versions[rec$name]) < 1 )
 		{
-		print fmt("VULNERABLE %s", software_fmt(rec));
-		NOTICE([$note=VULNERABLE, $src=rec$host, $msg=software_fmt(rec)]);
+		print fmt("Vulnerable version of ", software_fmt(rec));
+		NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]);
 		}
 	}

policy/ssl.bro

@@ -159,10 +159,8 @@ global ssl_ports = {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
 };
-
-redef dpd_config += {
-	[[ANALYZER_SSL, ANALYZER_SSL_BINPAC]] = [$ports = ssl_ports]
-};
+redef dpd_config += { [ANALYZER_SSL] = [$ports = ssl_ports] };
+redef dpd_config += { [ANALYZER_SSL_BINPAC] = [$ports = ssl_ports] };
 
 event bro_init()
 	{
@@ -221,7 +219,6 @@ function get_session_info(s: SSL_sessionID): SessionInfo
 
 event ssl_certificate(c: connection, cert: X509, is_server: bool)
 	{
-	print "hello?";
 	set_session(c);
 	
 	if ( [c$id$resp_h, c$id$resp_p, cert$subject] !in certs )

testing/btest/policy/software-known-version-parsing.bro

@@ -73,10 +73,13 @@ global matched_software: table[string] of Software::Info = {
 	["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] =
 		[$name="Opera Mobi", $version=[$major=10,$minor=0], $host=0.0.0.0, $ts=ts],
 	["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] =
-		[$name="Opera", $version=[$major=11,$minor=0], $host=0.0.0.0, $ts=ts],
+		[$name="Opera Mobi", $version=[$major=11,$minor=0], $host=0.0.0.0, $ts=ts],
 	["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] =
 		[$name="MSIE", $version=[$major=7,$minor=0], $host=0.0.0.0, $ts=ts],
-	
+	["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] =
+		[$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=0.0.0.0, $ts=ts],
+	["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] =
+		[$name="Netscape", $version=[$major=7,$minor=2], $host=0.0.0.0, $ts=ts],
 	
 	# This is an FTP client (found with CLNT command)
 	["Total Commander"] =