The intel framework can now indicate which node discovered a
hit on an intel item through the new "node" field in the
Intel::Seen data structure. On clusters, this field will
contain the name of the node where the hit was seen.
- policy/frameworks/intel/seen is the new location for the scripts
that push data into the intel framework for checking.
- The new policy/frameworks/intel/do_notice script adds an example
mechanism for data driven notices.
- Intel importing format has changed (refer to docs).
- All string matching is now case insensitive.
- SMTP intel script has been updated to extract email
addresses correctly.
- Small fix sneaking into the smtp base script to actually
extract individual email addresses in the To: field
correctly.
- Intel data distribution on clusters is now pushed in whole
by the manager when a worker connects. Additions after that point
are managed by the normal single-item distribution mechanism already
built into the intelligence framework.
- The manager maintains the complete "minimal" data store that the
workers use to do their matching so that full "minimal" data
distribution is very easy.
- Tests are cleaned up and work.
- Basic API seems to works, but tests aren't updated yet.
- Several scripts are available in policy/frameworks/intel that
call the "seen" function to provide data into the intel
framework to be tested.
- Intel::policy is not done yet and needs to be discussed to
figure out what it needs to have.
- Running the intel framework and having it do something finally
is really cool!
- All 5 intelligence tests pass.
- Some initial memory optimizations done.
- More work needs done to reduce duplicate data in memory.
- Input framework integration.
- Define files to read in the "Bro intelligence format" in Intel::read_files.
- Cluster transparency.
- DNS Zones are a fully supported data type.
- Queries for Intel::DOMAIN values will automatically check in DNS_ZONE intelligence.
- Log path's are generated in the scripting land
now. The default Log stream ID to path string
mapping works like this:
- Notice::LOG -> "notice"
- Notice::POLICY_LOG -> "notice_policy"
- TestModule::LOG -> "test_module"
- Logging streams updated across all of the shipped
scripts to be more user friendly. Instead of
the logging stream ID HTTP::HTTP, we now have
HTTP::LOG, etc.
- The priorities on some bro_init handlers have
been adjusted to make the process of applying
filters or disabling streams easier for users.
- policy/ renamed to scripts/
- By default BROPATH now contains:
- scripts/
- scripts/policy
- scripts/site
- *Nearly* all tests pass.
- All of scripts/base/ is loaded by main.cc
- Can be disabled by setting $BRO_NO_BASE_SCRIPTS
- Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script).
- The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building.
- The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead.
- All "detection" activity happens through scripts in scripts/policy/.
- Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1)
- This is so the communications framework can be loaded as part
of the base without causing trouble when it's not needed.
- This will be removed once a resolution to ticket #540 is reached.
2011-08-05 23:09:53 -04:00
Renamed from policy/frameworks/intel/base.bro (Browse further)
