The change notes above don't mention the <addl> field. Is that just an oversight in the notes,
Yes, just an oversight in the notes.
Will <service> still contain port numbers? Or will "other-nnnnn" become simply "other"? (that would be my preference)
Good point. As implemented, it continues to be other-nnnnn, but I think
just plain "other" makes more sense, since we now can finally cleanly separate
the notion of service from the notion of port.
Although I don't know what the "neighbor net" U flag even means, I wonder if this is the time to drop that, as the BRO manual says the whole notion
The notion of "neighbor" is still used a bit in the policy scripts (in scan.bro, in particular - different rules apply to scan detection for activity from neighbors than from others), but arguably this should be structured in a different fashion (a general notion of networks that are allowed to scan), and in fact this has bitten us operationally in the past, when an infected neighbor scanned us.
Thanks for the suggestions!