[Bro-Dev] Updating NEWS for 2.5
Jan Grashöfer
jan.grashoefer at gmail.com
Tue Aug 9 07:23:01 PDT 2016
> Could folks take a look at NEWS and see what's missing?
> ...
> - Document the recent intel framework updates.
For the NEWS (all changes, feel free to cut down):
+++
- Bro's Intelligence Framework was refactored and new functionality
  has been added:
  - The intel framework now supports the new indicator type
    Intel::SUBNET. As subnets are matched against seen addresses,
    the field 'matched' was introduced to indicate which indicator
    type(s) caused the hit.
  - The new function remove() allows deleting intelligence items.
  - The intel framework now supports expiration of intelligence items.
    Expiration can be configured by using Intel::item_expiration and
    can be handled by using the item_expired() hook. The new script
    do_expire.bro removes expired items.
  - The new hook extend_match() allows extending the framework. The new
    policy script whitelist.bro uses the hook to implement whitelisting.
  - Intel notices are now suppressible, and mails for intel notices now
    list the identified services as well as the intel source.
+++
Additionally, I talked to Seth about documentation of the new features.
He suggested writing a blog post. I've already started, but as I am
quite busy at the moment, it will take some more time.
Best regards,
Jan
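The following local policy script is an added example, not part of the original post or of the Bro distribution, that exercises the 2.5 intel features listed in the NEWS entry above: a SUBNET indicator, item expiration with the item_expired() hook plus do_expire.bro, and an extend_match() hook that suppresses whitelisted hits. The expiration value, the sample subnet, the source name and the 'whitelist' metadata field are assumptions made for the demonstration.

```bro
# Added example (not from the original post or the Bro project).
@load base/frameworks/intel
@load policy/frameworks/intel/do_expire   # removes an item once item_expired() fires

# Assumed value: an item that is not re-inserted within 10 minutes expires.
redef Intel::item_expiration = 10 min;

# Extra metadata field (assumed name) that extend_match() checks below,
# the same idea whitelist.bro implements.
redef record Intel::MetaData += {
    whitelist: bool &default=F;
};

event bro_init()
    {
    # Constructed sample indicator (RFC 5737 documentation range): one
    # subnet that matches any seen address inside it.
    Intel::insert([$indicator="192.0.2.0/24",
                   $indicator_type=Intel::SUBNET,
                   $meta=[$source="local-demo", $desc="constructed example"]]);
    }

# Runs for every match before the intel log entry is written. Breaking out
# of the hook prevents the match from being logged or noticed.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen,
                         items: set[Intel::Item]) &priority=9
    {
    local whitelisted = F;
    for ( item in items )
        if ( item$meta$whitelist )
            whitelisted = T;

    if ( whitelisted )
        break;
    }

# Make expirations visible to operators. This handler does not break, so
# do_expire.bro (loaded above, lower priority) still removes the item.
hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
                         metas: set[Intel::MetaData])
    {
    Reporter::info(fmt("intel item expired: %s (%s)", indicator, indicator_type));
    }
```

Without do_expire.bro loaded, an item whose item_expired() handlers all run to completion is kept and its timeout reset, so the script above relies on that policy script for the actual removal.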