- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- Removed reverse dependency of mime loading smtp.
- Extracting filename correctly now.
- Now copes with mime_end_entity dual firing bug.
- File hashing interface more similar to other file
hashing interfaces.
- New notice for when a hash is calculated.
- Removed the net_stats_update event.
- Created a net_stats function for building and retrieving the
current network statistics.
- Removed the internal timer for firing the net_stats_update event
along with the global heartbeat_interval variable.
- Updated the netstats script to use the new BiF.
- Updated the stats script to use the new BiF.
- The action-filters don't work now because of a
meta-programming limitation, so the notice policy
tuning is more manual by fully defining a PolicyItem.
- There are two default action cheats defined. ignore_types
and email_types are sets which will ignore or email
notices of those types.
- Defaults for all built-in asset tracking changed to LOCAL_HOSTS.
- Added a tuning script for changing asset tracking
to ALL_HOSTS in all of the core scripts that do
asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to the export section because
the log_known_hosts event can't be defined in the
export section without it.
- Moved the Malware Hash Registry detection out of
the core HTTP protocol scripts and added it to the
all.bro script.
- Split enum values into two separate enums.
- Renamed to fit the enum naming convention.
- New global variable named default_asset_tracking
that changes default behavior of any script that
tracks assets, usually by storing some amount
of information about the network in memory.
- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for
determining which software to track.
- Moved webmail detection into the smtp/software script.
- Added an option to detect mail clients based on
the actual TCP connection the mail was seen being
transferred over.
- Notices are generated in the cases of being unable
to compile or install a new filter.
- A PacketFilter::install() function is now exported
so that external scripts can update the packet
filter.
- Fixed bug with new sessions accidentally being created
just after logging, which caused a lot of empty records
to be logged.
- Re-added the HTTP::MD5 notice for when an MD5 sum is
calculated for HTTP response bodies.
- Fixed bug with extracting value from content-length
headers.
- Flushing values from md5 sum generation more reliably
to avoid leaking memory.
- The all.bro script loads tuning/defaults which is
commonly applied tuning.
- Other less common tuning can be placed in the tuning/
directory directly.