Restructuring the scripts that feed data into the intel framework slightly.

2025-10-05 16:18:19 +00:00 · 2012-09-28 13:25:37 -04:00 · 2012-09-28 13:25:37 -04:00 · 0bcedcd204
commit 0bcedcd204
parent 2366b21787
7 changed files with 47 additions and 35 deletions
--- a/scripts/policy/frameworks/intel/conn-established.bro
+++ b/scripts/policy/frameworks/intel/conn-established.bro
@ -1,11 +1,5 @@
@load base/frameworks/intel
-
-export {
-	redef enum Intel::Where += {
-		Conn::IN_ORIG,
-		Conn::IN_RESP,
-	};
-}
+@load ./where-locations

 event connection_established(c: connection)
 	{
--- a/scripts/policy/frameworks/intel/dns.bro
+++ b/scripts/policy/frameworks/intel/dns.bro
@ -1,11 +1,5 @@
@load base/frameworks/intel
-
-export {
-	redef enum Intel::Where += {
-		DNS::IN_REQUEST,
-		DNS::IN_RESPONSE,
-	};
-}
+@load ./where-locations

 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
 	{
--- a/scripts/policy/frameworks/intel/http-host-header.bro
+++ b/scripts/policy/frameworks/intel/http-host-header.bro
@ -1,10 +1,5 @@
@load base/frameworks/intel
-
-export {
-	redef enum Intel::Where += {
-		HTTP::IN_HOST_HEADER,
-	};
-}
+@load ./where-locations

 event http_header(c: connection, is_orig: bool, name: string, value: string)
 	{
--- a/scripts/policy/frameworks/intel/http-url.bro
+++ b/scripts/policy/frameworks/intel/http-url.bro
@ -1,10 +1,5 @@
@load base/frameworks/intel
-
-export {
-	redef enum Intel::Where += {
-		HTTP::IN_URL,
-	};
-}
+@load ./where-locations

 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
 	{
--- a/scripts/policy/frameworks/intel/ssl.bro
+++ b/scripts/policy/frameworks/intel/ssl.bro
@ -1,13 +1,5 @@
@load base/frameworks/intel
-
-export {
-	redef enum Intel::Where += {
-		SSL::IN_SERVER_CERT,
-		SSL::IN_CLIENT_CERT,
-		SSL::IN_SERVER_NAME,
-	};
-}
-
+@load ./where-locations

 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
 	{
--- a/scripts/policy/frameworks/intel/user-agents.bro
+++ b/scripts/policy/frameworks/intel/user-agents.bro
@ -0,0 +1,20 @@
+@load base/frameworks/intel
+@load ./where-locations
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	if ( is_orig && name == "USER-AGENT" )
+		Intel::seen([$str=value,
+		             $str_type=Intel::USER_AGENT,
+		             $conn=c,
+		             $where=HTTP::IN_USER_AGENT_HEADER]);
+	}
+
+event mime_end_entity(c: connection)
+	{
+	if ( c?$smtp && c$smtp?$user_agent )
+		Intel::seen([$str=c$smtp$user_agent,
+		             $str_type=Intel::USER_AGENT,
+		             $conn=c,
+		             $where=SMTP::IN_HEADER]);
+	}
--- a/scripts/policy/frameworks/intel/where-locations.bro
+++ b/scripts/policy/frameworks/intel/where-locations.bro
@ -0,0 +1,22 @@
+@load base/frameworks/intel
+
+export {
+	redef enum Intel::Where += {
+		Conn::IN_ORIG,
+		Conn::IN_RESP,
+		DNS::IN_REQUEST,
+		DNS::IN_RESPONSE,
+		HTTP::IN_HOST_HEADER,
+		HTTP::IN_USER_AGENT_HEADER,
+		HTTP::IN_URL,
+		SMTP::IN_MAIL_FROM,
+		SMTP::IN_RCPT_TO,
+		SMTP::IN_FROM,
+		SMTP::IN_TO,
+		SMTP::IN_CC,
+		SSL::IN_SERVER_CERT,
+		SSL::IN_CLIENT_CERT,
+		SSL::IN_SERVER_NAME,
+		SMTP::IN_HEADER,
+	};
+}