New config options

Added config options for self-signed MISP/ignore certificate warnings and a cluster name for the MISP Source ID when adding sightings.

Zeek support for 3.1.1 and higher

Several updates to support Zeek v3.1.1 and higher. Removed older references to Bro functions.

Final release for Bro/Zeek 3.0 and lower

The next release will not be backwards compatible with Zeek 3.0 and lower. See Release 1.02.001 for Zeek 3.1 and higher.

Additional Metadata

This version includes additional metadata from indicator and content signature hits to help evaluate the activity remotely. Limit repeated low value indicator hits such as DNS requests and inbound scans.

Transparent Cluster Support

This version includes support to use the built in transparent cluster from the Intelligence Framework so that in clusters a single manager will download indicators rather than all workers.

Additional metadata is now included for hits - http, dns, ssl, smtp metadata is collected when a hit occurs.

Better Intel Item expiration

New features:

• Print and send to Slack the MISP event title and url for intel item hits.
• Bro version number is included with Slack signature download heartbeat.
  Fixes:
• Intel item expiration now working properly, deletion schedule adjusted.
• Correct fields for MISP title and url used.

Bro Package

Updated to support the Bro Package Manager https://packages.bro.org and now with support for the new MISP Network Activity->bro datatype for Bro signatures in addition to indicators. Prefix the content signature event with MISP: to include them in sightings reports.

Initial release

The first version of Dovehawk Bro module - includes support for downloading indicators from MISP and reporting sightings back to MISP with some additional metadata printed to the console.