diff --git a/scripts/policy/frameworks/intel/conn-established.bro b/scripts/policy/frameworks/intel/conn-established.bro
index 7d0007d20f..a2e67b292b 100644
--- a/scripts/policy/frameworks/intel/conn-established.bro
+++ b/scripts/policy/frameworks/intel/conn-established.bro
@@ -1,11 +1,5 @@
 @load base/frameworks/intel
-
-export {
- redef enum Intel::Where += {
- Conn::IN_ORIG,
- Conn::IN_RESP,
- };
-}
+@load ./where-locations
 
 event connection_established(c: connection)
  {
diff --git a/scripts/policy/frameworks/intel/dns.bro b/scripts/policy/frameworks/intel/dns.bro
index 3e2078b29b..a0dee47acf 100644
--- a/scripts/policy/frameworks/intel/dns.bro
+++ b/scripts/policy/frameworks/intel/dns.bro
@@ -1,11 +1,5 @@
 @load base/frameworks/intel
-
-export {
- redef enum Intel::Where += {
- DNS::IN_REQUEST,
- DNS::IN_RESPONSE,
- };
-}
+@load ./where-locations
 
 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  {
diff --git a/scripts/policy/frameworks/intel/http-host-header.bro b/scripts/policy/frameworks/intel/http-host-header.bro
index 590f1f1e3e..f16b1628aa 100644
--- a/scripts/policy/frameworks/intel/http-host-header.bro
+++ b/scripts/policy/frameworks/intel/http-host-header.bro
@@ -1,10 +1,5 @@
 @load base/frameworks/intel
-
-export {
- redef enum Intel::Where += {
- HTTP::IN_HOST_HEADER,
- };
-}
+@load ./where-locations
 
 event http_header(c: connection, is_orig: bool, name: string, value: string)
  {
diff --git a/scripts/policy/frameworks/intel/http-url.bro b/scripts/policy/frameworks/intel/http-url.bro
index d5013b3252..7c4086a7e6 100644
--- a/scripts/policy/frameworks/intel/http-url.bro
+++ b/scripts/policy/frameworks/intel/http-url.bro
@@ -1,10 +1,5 @@
 @load base/frameworks/intel
-
-export {
- redef enum Intel::Where += {
- HTTP::IN_URL,
- };
-}
+@load ./where-locations
 
 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  {
diff --git a/scripts/policy/frameworks/intel/ssl.bro b/scripts/policy/frameworks/intel/ssl.bro
index 9a27e40c46..394df63020 100644
--- a/scripts/policy/frameworks/intel/ssl.bro
+++ b/scripts/policy/frameworks/intel/ssl.bro
@@ -1,13 +1,5 @@
 @load base/frameworks/intel
-
-export {
- redef enum Intel::Where += {
- SSL::IN_SERVER_CERT,
- SSL::IN_CLIENT_CERT,
- SSL::IN_SERVER_NAME,
- };
-}
-
+@load ./where-locations
 
 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
  {
diff --git a/scripts/policy/frameworks/intel/user-agents.bro b/scripts/policy/frameworks/intel/user-agents.bro
new file mode 100644
index 0000000000..693738a431
--- /dev/null
+++ b/scripts/policy/frameworks/intel/user-agents.bro
@@ -0,0 +1,20 @@
+@load base/frameworks/intel
+@load ./where-locations
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+ {
+ if ( is_orig && name == "USER-AGENT" )
+ Intel::seen([$str=value,
+ $str_type=Intel::USER_AGENT,
+ $conn=c,
+ $where=HTTP::IN_USER_AGENT_HEADER]);
+ }
+
+event mime_end_entity(c: connection)
+ {
+ if ( c?$smtp && c$smtp?$user_agent )
+ Intel::seen([$str=c$smtp$user_agent,
+ $str_type=Intel::USER_AGENT,
+ $conn=c,
+ $where=SMTP::IN_HEADER]);
+ }
diff --git a/scripts/policy/frameworks/intel/where-locations.bro b/scripts/policy/frameworks/intel/where-locations.bro
new file mode 100644
index 0000000000..e6faec6809
--- /dev/null
+++ b/scripts/policy/frameworks/intel/where-locations.bro
@@ -0,0 +1,22 @@
+@load base/frameworks/intel
+
+export {
+ redef enum Intel::Where += {
+ Conn::IN_ORIG,
+ Conn::IN_RESP,
+ DNS::IN_REQUEST,
+ DNS::IN_RESPONSE,
+ HTTP::IN_HOST_HEADER,
+ HTTP::IN_USER_AGENT_HEADER,
+ HTTP::IN_URL,
+ SMTP::IN_MAIL_FROM,
+ SMTP::IN_RCPT_TO,
+ SMTP::IN_FROM,
+ SMTP::IN_TO,
+ SMTP::IN_CC,
+ SSL::IN_SERVER_CERT,
+ SSL::IN_CLIENT_CERT,
+ SSL::IN_SERVER_NAME,
+ SMTP::IN_HEADER,
+ };
+}
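Review bot: The mime_end_entity handler in user-agents.bro reports c$smtp$user_agent once per MIME entity, so a multipart message with several entities will hand the same User-Agent string to Intel::seen several times; the user_agent field lives on the per-connection smtp record rather than on the entity, so an event that fires once per message looks like the better anchor — confirm which SMTP event fits. The HTTP branch gets a dedicated location HTTP::IN_USER_AGENT_HEADER while the SMTP branch reports the generic SMTP::IN_HEADER, which makes the two halves of the same script inconsistent for anyone filtering Intel matches on $where; a dedicated SMTP location mirroring the HTTP one would keep them symmetric. The new file also has no header comment; a one-liner such as `## Reports User-Agent strings seen in HTTP request headers and SMTP messages to the Intel framework.` would match the rest of the policy scripts.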
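Review bot: SMTP::IN_HEADER in where-locations.bro is appended after the SSL values instead of next to the other SMTP locations, so the list no longer groups by namespace; moving it up to follow SMTP::IN_CC keeps the enum readable as more scripts add to it. The exported redef also carries no `##` documentation comment, which the other exported identifiers in the policy scripts use for Broxygen; one line such as `## Locations at which the intel policy scripts report observed indicators.` above the redef would do. SMTP::IN_MAIL_FROM, IN_RCPT_TO, IN_FROM, IN_TO and IN_CC have no consumer in this commit, so they presumably serve an SMTP script elsewhere; worth confirming that script is updated to `@load ./where-locations` rather than still redefining them, since a duplicate enum definition would fail at load time.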