[Bro-Dev] Updating NEWS for 2.5

Michał Purzyński michalpurzynski1 at gmail.com
Tue Aug 9 08:38:26 PDT 2016


Since the changes are impressive, a blog post would be a great idea indeed. Bro is first (?) on the market (again!) to come up with something like this :)

Such a post should describe all the new Intel framework features and give examples of how to use them.

> On 09 Aug 2016, at 17:21, Robin Sommer <robin at icir.org> wrote:
> 
> Thanks, will add.
> 
> Robin
> 
> On Tue, Aug 09, 2016 at 16:23 +0200, you wrote:
> 
>>> Could folks take a look at NEWS and see what's missing?
>>> ...
>>>    - Document the recent intel framework updates.
>> 
>> For the NEWS (all changes, feel free to cut down):
>> 
>> +++
>> - Bro's Intelligence Framework was refactored and new functionality
>>  has been added:
>> 
>>  - The intel framework now supports the new indicator type
>>    Intel::SUBNET. As subnets are matched against seen addresses,
>>    the field 'matched' was introduced to indicate which indicator
>>    type(s) caused the hit.
>> 
>>  - The new function remove() allows deleting intelligence items.
>> 
>>  - The intel framework now supports expiration of intelligence items.
>>    Expiration can be configured by using Intel::item_expiration and
>>    can be handled by using the item_expired() hook. The new script
>>    do_expire.bro removes expired items.
>> 
>>  - The new hook extend_match() allows extending the framework. The new
>>    policy script whitelist.bro uses the hook to implement whitelisting.
>> 
>>  - Intel notices are now suppressible and mails for intel notices now
>>    list the identified services as well as the intel source.
>> +++
>> 
>> Additionally I talked to Seth about documentation of the new features.
>> He suggested to write a blog post. I've already started but as I am
>> quite busy at the moment it will take some more time.
>> 
>> Best regards,
>> Jan
>> _______________________________________________
>> bro-dev mailing list
>> bro-dev at bro.org
>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
> 
> 
> -- 
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
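An added example, not from this thread and not Bro's own code, that uses the features from Jan's NEWS snippet together in one Bro script: an Intel::SUBNET indicator, the 'matched' field read from the extend_match() hook, whitelisting via whitelist.bro, expiration through Intel::item_expiration / item_expired() with do_expire.bro, and remove(). The hook and function signatures are written as I recall them from the 2.5 intel framework and are assumptions; the "demo-feed" source name and the 192.0.2.0/24 indicators are constructed test data.

```bro
##! Added example, not part of Bro or of this thread: exercises the 2.5 intel
##! framework additions. Indicators are constructed (RFC 5737 documentation
##! range) and "demo-feed" is an assumed source name.

@load base/frameworks/intel
@load policy/frameworks/intel/do_expire   # breaks from item_expired() so expired items get removed
@load policy/frameworks/intel/whitelist   # adds meta$whitelist and honours it in extend_match()

module IntelDemo;

# Assumption: a short timeout so expiration can be observed; the default
# (-1 min) disables expiration. Re-inserting an item resets its timer.
redef Intel::item_expiration = 10 min;

global subnet_item: Intel::Item;

# Runs before a hit is written to intel.log. info$matched holds the
# indicator type(s) that fired: for 192.0.2.10 both ADDR and SUBNET,
# for 192.0.2.200 only SUBNET (assumed to be populated before this hook).
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=-5
	{
	local types = "";
	for ( t in info$matched )
		types = fmt("%s %s", types, t);

	print fmt("hit on %s via:%s", s$host, types);
	}

# Runs when an item's timer fires. do_expire.bro breaks from this hook at a
# low priority so the item is removed; a higher priority lets us see it first.
hook Intel::item_expired(indicator: string, indicator_type: Intel::Type, metas: set[Intel::MetaData]) &priority=5
	{
	print fmt("expired: %s (%s)", indicator, indicator_type);
	}

event bro_init()
	{
	subnet_item = [$indicator="192.0.2.0/24", $indicator_type=Intel::SUBNET,
	               $meta=[$source="demo-feed", $desc="constructed test range"]];
	Intel::insert(subnet_item);

	# The same address listed directly as well, so one sighting matches two types.
	Intel::insert([$indicator="192.0.2.10", $indicator_type=Intel::ADDR,
	               $meta=[$source="demo-feed"]]);

	# Whitelisted host inside the subnet: whitelist.bro breaks from
	# extend_match() when a matched item is whitelisted, so the sighting
	# produces neither a log entry nor a notice.
	Intel::insert([$indicator="192.0.2.55", $indicator_type=Intel::ADDR,
	               $meta=[$source="demo-feed", $whitelist=T]]);

	# Simulated sightings; normally the scripts under base/frameworks/intel/seen/
	# call Intel::seen() from connection, DNS, HTTP and similar events.
	Intel::seen([$host=192.0.2.10, $where=Intel::IN_ANYWHERE]);
	Intel::seen([$host=192.0.2.55, $where=Intel::IN_ANYWHERE]);
	Intel::seen([$host=192.0.2.200, $where=Intel::IN_ANYWHERE]);
	}

event bro_done()
	{
	# remove() drops this source's metadata for the indicator; the second
	# argument (purge_indicator) deletes the indicator itself even if other
	# sources still reference it.
	Intel::remove(subnet_item, T);
	}
```

Run it on a standalone node with `bro intel_demo.bro`; in a cluster, Intel::insert() on a worker forwards the item to the manager, so the prints from the hooks appear where the matching happens rather than necessarily on the node that inserted the item.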