Logging to stdout for use in a baseline doesn't work well when
there may be scripts that get loaded by default (in this case,
packet-filter) and also do logging. Instead just baseline against
the logs generated by the test in question.

- The action-filters don't work now because of a
  meta-programming limitation so the notice policy
  tuning is more manual by fully defining a PolicyItem.
- There are two default action cheats defined. ignore_types
  and email_types are sets which will ignore or email
  notices of those types.

This lets events be sent to bro that contain record arguments that
don't have to fill in all &optional record fields.
This corresponds to broccoli-python tests that were updated in
commit 8b87d8f61ef89162019cd4acc01be93700b0c588

- Defaults for all built-in asset tracking changed to LOCAL_HOSTS
- Added a tuning script for changing asset tracking
  to ALL_HOSTS in all of the core scripts that do
  asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to export section because
  the log_known_hosts event can't be defined in the
  export section without it.
- Moved the Malware Hash Registry detection out of
  the core HTTP protocol scripts and added it to the
  all.bro script.

- Defaults for all built-in asset tracking changed to LOCAL_HOSTS
- Added a tuning script for changing asset tracking
  to ALL_HOSTS in all of the core scripts that do
  asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to export section because
  the log_known_hosts event can't be defined in the
  export section without it.
- Moved the Malware Hash Registry detection out of
  the core HTTP protocol scripts.
- Split enum values into two separate enums.
- Renamed to fit the enum naming convention.
- New global variable named default_asset_tracking
  that changes default behavior of any script that
  tracks assets, usually by storing some amount
  of information about the network in memory.
- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for
  determining which software to track.
- Moved webmail detection into the smtp/software script.
- Added an option to detect mail clients based on
  the actual TCP connection the mail was seen being
  transferred over.

Originally docs were written right after parsing, but it changed to after
the bro_init event happens when I was experimenting with auto-documenting
logging streams by querying the LogMgr after bro_init. That experiment
dead-ended, and that location is bad for other reasons: the doc framework
may try to access BroObj's that have already been freed.