From 6611d28920eb24db5c9b9511d8f0bc8374428933 Mon Sep 17 00:00:00 2001
From: Stephen Hosom <0xhosom@gmail.com>
Date: Thu, 10 May 2018 09:13:52 -0400
Subject: [PATCH] Fix for BIT-1927: notice/extend-email relocation

This is a fairly straightforward change. Previously, users had no control over whether this script was loaded. By relocating it to policy, users can now choose whether or not this is necessary functionality without modifying core Bro scripts.
---
 scripts/base/frameworks/notice/__load__.bro | 6 +-----
 scripts/policy/frameworks/notice/__load__.bro | 3 +++
 .../frameworks/notice/extend-email/hostnames.bro | 2 +-
 scripts/site/local.bro | 3 +++
 4 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 scripts/policy/frameworks/notice/__load__.bro
 rename scripts/{base => policy}/frameworks/notice/extend-email/hostnames.bro (98%)

diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro
index bcf3cd6898..aea3d6d2f3 100644
--- a/scripts/base/frameworks/notice/__load__.bro
+++ b/scripts/base/frameworks/notice/__load__.bro
@@ -8,10 +8,6 @@
 @load ./actions/page
 @load ./actions/add-geodata
 
-# There shouldn't be any default overhead from loading these since they
-# *should* only do anything when notices have the ACTION_EMAIL action applied.
-@load ./extend-email/hostnames
-
 # The cluster framework must be loaded first.
 @load base/frameworks/cluster
 
@@ -22,4 +18,4 @@
 @endif
 
 # Load here so that it can check whether clustering is enabled.
-@load ./actions/pp-alarms
\ No newline at end of file
+@load ./actions/pp-alarms
diff --git a/scripts/policy/frameworks/notice/__load__.bro b/scripts/policy/frameworks/notice/__load__.bro
new file mode 100644
index 0000000000..fef1dc894e
--- /dev/null
+++ b/scripts/policy/frameworks/notice/__load__.bro
@@ -0,0 +1,3 @@
+# There shouldn't be any default overhead from loading these since they
+# *should* only do anything when notices have the ACTION_EMAIL action applied.
+@load ./extend-email/hostnames
diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/policy/frameworks/notice/extend-email/hostnames.bro
similarity index 98%
rename from scripts/base/frameworks/notice/extend-email/hostnames.bro
rename to scripts/policy/frameworks/notice/extend-email/hostnames.bro
index 18442f453d..d8dac39e43 100644
--- a/scripts/base/frameworks/notice/extend-email/hostnames.bro
+++ b/scripts/policy/frameworks/notice/extend-email/hostnames.bro
@@ -3,7 +3,7 @@
 ##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
 ##! DNS lookup.
 
-@load ../main
+@load base/frameworks/notice/main
 
 module Notice;
 
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index 9f8be4bc3b..5064d6a330 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -85,6 +85,9 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
+# Extend email alerting to include hostnames
+@load policy/frameworks/notice/extend-email/hostnames
+
 # Uncomment the following line to enable detection of the heartbleed attack. Enabling
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
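Review bot: The comment carried into the new `scripts/policy/frameworks/notice/__load__.bro` still argues about "default overhead", which was the justification for loading from base, and neither it nor the new comment in the `scripts/site/local.bro` hunk tells an operator that this script resolves a notice's *src* and *dst* through DNS, as the header of `hostnames.bro` states. Because local.bro is presumably the site file most installations start from, the script stays enabled unless someone removes the line, so I would say what it does, e.g. `# Extend email alerting to include hostnames; performs DNS lookups on a notice's src and dst when ACTION_EMAIL is applied.` That lets a site that does not want its sensor issuing lookups for addresses it has just alerted on, or pasting names supplied by whoever controls the reverse zone into alert mail, comment the line out knowingly. The local.bro line also uses the `policy/` prefix while the neighbouring `@load frameworks/files/detect-MHR` does not; using one form throughout would be tidier.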