- Removed the ProtocolViolation notice. I'd like to hear
if someone actually used that notice for something.
- Folded the dyn-disable functionality into the dpd/base script.
- Other small cleanup.
- Fixed a pretty major eternal looping bug in the SSL analyzer and
a few other parsing problems.
- New core scripts and log for SSL connection analysis.
- New known-certs script for logging certificate assets.
- The action-filters don't work now because of a
meta-programming limitation so the notice policy
tuning is more manual by fully defining a PolicyItem.
- There are two default action cheats defined. ignore_types
and email_types are sets which will ignore or email
notices of those types.
- Defaults for all built-in asset tracking changed to LOCAL_HOSTS
- Added a tuning script for changing asset tracking
to ALL_HOSTS in all of the core scripts that do
asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to export section because
the log_known_hosts event can't be defined in the
export section without it.
- Moved the Malware Hash Registry detection out of
the core HTTP protocol scripts and added it to the
all.bro script.
- The all.bro script loads tuning/defaults which is
commonly applied tuning.
- Other less common tuning can be placed in the tuning/
directory directly.
