From 9157c37953f6667d70f5a75529e2b9ff1992899d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 8 Aug 2016 16:12:20 -0700 Subject: [PATCH] Updating CHANGES, VERSION, NEWS. Moved the log changes into the "changed functionality" section. --- CHANGES | 18 ++++++++++++ NEWS | 86 ++++++++++++++++++++++++++++++++++----------------------- VERSION | 2 +- 3 files changed, 70 insertions(+), 36 deletions(-) diff --git a/CHANGES b/CHANGES index 3f5d1e4e8b..de6c0b18a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,22 @@ +2.4-905 | 2016-08-09 08:19:37 -0700 + + * GSSAPI analyzer now forwards authentication blobs more correctly. + (Seth Hall) + + * The KRB analyzer now includes support for the PA_ENCTYPE_INFO2 + pre-auth data type. (Seth Hall) + + * Add an argument to "disable_analyzer" function to not do a + reporter message by default. (Seth Hall) + +2.4-902 | 2016-08-08 16:50:35 -0400 + + * Adding SMB analyzer. (Seth Hall, Vlad Grigorescu and many others) + + * NetControl: allow reasons in remove_rule calls. Addresses BIT-1655 + (Johanna Amann) + 2.4-893 | 2016-08-05 15:43:04 -0700 * Remove -z/--analysis option. (Johanna Amann) diff --git a/NEWS b/NEWS index 82b55211b0..a05c6020e6 100644 --- a/NEWS +++ b/NEWS 
@@ -18,47 +18,16 @@ New Dependencies - When enabling Broker (which is disabled by default), Bro now requires version 0.14 of the C++ Actor Framework. -Log Changes ------------ - -- Connections - - - The 'history' field gains two new flags: '^' indicates that Bro - heuristically flipped to direction of the connection. 't/T' indicates - the first TCP payload retransmission from originator or responder, - respectively. - -- DNS - - - New 'rtt' field to indicate the round trip time between when a - request was sent and when a reply started. - -- SMTP - - - New 'cc' field which includes the 'Cc' header from MIME messages - sent over SMTP. - - - Changes in 'mailfrom' and 'rcptto' fields to remove some non-address - cruft that will tend to be found. The main example is the change - from "" to "user@domain.com". - -- HTTP - - - Removed 'filename' field. - - - New 'orig_filenames' and 'resp_filenames' fields which each contain - a vector of filenames seen in entities transferred. - New Functionality ----------------- -- SMB analyzer. This is the rewrite that has been in development for - several years. The scripts are currently not loaded by default and - must be loaded manually by loading policy/protocols/smb. The next +- SMB analyzer. This is the rewrite that has been in development for + several years. The scripts are currently not loaded by default and + must be loaded manually by loading policy/protocols/smb. The next release will load the smb scripts by default. - Implements SMB1+2. - - Fully integrated with the file analysis framework so that files + - Fully integrated with the file analysis framework so that files transferred over SMB can be analyzed. - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC analyzer. 
@@ -70,6 +39,26 @@ New Functionality - Bro now includes the NetControl framework. The framework allows for easy interaction of Bro with hard- and software switches, firewalls, etc. +- Bro's Intelligence Framework was refactored and new functionality + has been added: + + - The framework now supports the new indicator type Intel::SUBNET. + As subnets are matched against seen addresses, the field 'matched' + was introduced to indicate which indicator type(s) caused the hit. + + - The new function remove() allows to delete intelligence items. + + - The intel framework now supports expiration of intelligence items. + Expiration can be configured by using Intel::item_expiration and + can be handled by using the item_expired() hook. The new script + do_expire.bro removes expired items. + + - The new hook extend_match() allows extending the framework. The new + policy script whitelist.bro uses the hook to implement whitelisting. + + - Intel notices are now suppressible and mails for intel notices now + list the identified services as well as the intel source. + - There is a new file entropy analyzer for files. - Bro now supports the remote framebuffer protocol (RFB) that is used by 
@@ -166,6 +155,33 @@ New Functionality Changed Functionality --------------------- +- Log changes: + + - Connections + * The 'history' field gains two new flags: '^' indicates that + Bro heuristically flipped to direction of the connection. + 't/T' indicates the first TCP payload retransmission from + originator or responder, respectively. + + - DNS + * New 'rtt' field to indicate the round trip time between when a + request was sent and when a reply started. + + - SMTP + * New 'cc' field which includes the 'Cc' header from MIME + messages sent over SMTP. + + * Changes in 'mailfrom' and 'rcptto' fields to remove some + non-address cruft that will tend to be found. The main + example is the change from "" to + "user@domain.com". + + - HTTP + * Removed 'filename' field. + + * New 'orig_filenames' and 'resp_filenames' fields which each + contain a vector of filenames seen in entities transferred. + - The BrokerComm and BrokerStore namespaces were renamed to Broker. The Broker "print" function was renamed to Broker::send_print, and "event" to "Broker::send_event". diff --git a/VERSION b/VERSION index df7d783653..daedcc6eac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-893 +2.4-905
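Review bot: the 2.4-905 CHANGES entry records three user-visible changes (GSSAPI blob forwarding, KRB support for the PA_ENCTYPE_INFO2 pre-auth type, and a new argument to "disable_analyzer" that suppresses the reporter message) and the 2.4-902 entry records NetControl remove_rule reasons (BIT-1655), but none of the NEWS hunks in this commit mention them. Since this is the commit that updates NEWS, the disable_analyzer signature change belongs under Changed Functionality and the remove_rule reason argument under the NetControl entry in New Functionality, otherwise script authors will only find them by reading CHANGES.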
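Review bot: the three -/+ pairs in the SMB paragraph of the first NEWS hunk ("- SMB analyzer. This is the rewrite ...", "must be loaded manually ...", "- Fully integrated with the file analysis framework ...") are textually identical, so this is a whitespace-only change (most likely trailing whitespace) mixed into a content move; it inflates the hunk and makes blame noisier. Either drop those lines from this commit or mention the whitespace cleanup in the commit message. Removing the "Log Changes" section here is fine only because the same commit re-adds it under Changed Functionality; the two halves must not be split if this is ever cherry-picked.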
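Review bot: naming is inconsistent in the Intelligence Framework entry of the second NEWS hunk: Intel::SUBNET and Intel::item_expiration are given with their namespace while remove(), item_expired() and extend_match() are not, and do_expire.bro and whitelist.bro are named without the script path, unlike the SMB entry above which says "policy/protocols/smb". Suggest fully qualified identifiers and script paths so readers can locate them. Two wording points: "allows to delete intelligence items" should read "allows deleting intelligence items", and "allows extending the framework" should say concretely what a script can extend through the hook, since "the framework" is too broad to act on.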
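Review bot: two defects travel with the moved text in the third NEWS hunk. "Bro heuristically flipped to direction of the connection" should read "flipped the direction of the connection", and the SMTP example "the change from "" to "user@domain.com"" has an empty first string, so the reader cannot see which non-address cruft is being stripped; the before form must be shown. The moved block also switches to "*" for the inner bullets, whereas the rest of NEWS nests with "-" (see "- Implements SMB1+2." in the SMB entry), so keep "-" for consistency.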