Some script reorg and a new intel extension script.

- policy/frameworks/intel/seen is the new location for the scripts
    that push data into the intel framework for checking.

  - The new policy/frameworks/intel/do_notice script adds an example
    mechanism for data driven notices.

doc/intel.rst

@@ -27,7 +27,7 @@ Quick Start
 Load the package of scripts that sends data into the Intelligence
 Framework to be checked by loading this script in local.bro::
 
-	@load policy/frameworks/intel
+	@load policy/frameworks/intel/seen
 
 Refer to the "Loading Intelligence" section below to see the format
 for Intelligence Framework text files, then load those text files with
@@ -100,7 +100,7 @@ The full package of hook scripts that Bro ships with for sending this
 "seen" data into the intelligence framework can be loading by adding
 this line to local.bro::
 
-	@load policy/frameworks/intel
+	@load policy/frameworks/intel/seen
 
 Intelligence Matches
 ********************

doc/scripts/DocSourcesList.cmake

@@ -183,15 +183,16 @@ rest_target(${psd} policy/frameworks/control/controllee.bro)
 rest_target(${psd} policy/frameworks/control/controller.bro)
 rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
-rest_target(${psd} policy/frameworks/intel/conn-established.bro)
-rest_target(${psd} policy/frameworks/intel/dns.bro)
-rest_target(${psd} policy/frameworks/intel/http-host-header.bro)
-rest_target(${psd} policy/frameworks/intel/http-url.bro)
-rest_target(${psd} policy/frameworks/intel/http-user-agents.bro)
-rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
-rest_target(${psd} policy/frameworks/intel/smtp.bro)
-rest_target(${psd} policy/frameworks/intel/ssl.bro)
-rest_target(${psd} policy/frameworks/intel/where-locations.bro)
+rest_target(${psd} policy/frameworks/intel/do_notice.bro)
+rest_target(${psd} policy/frameworks/intel/seen/conn-established.bro)
+rest_target(${psd} policy/frameworks/intel/seen/dns.bro)
+rest_target(${psd} policy/frameworks/intel/seen/http-host-header.bro)
+rest_target(${psd} policy/frameworks/intel/seen/http-url.bro)
+rest_target(${psd} policy/frameworks/intel/seen/http-user-agents.bro)
+rest_target(${psd} policy/frameworks/intel/seen/smtp-url-extraction.bro)
+rest_target(${psd} policy/frameworks/intel/seen/smtp.bro)
+rest_target(${psd} policy/frameworks/intel/seen/ssl.bro)
+rest_target(${psd} policy/frameworks/intel/seen/where-locations.bro)
 rest_target(${psd} policy/frameworks/packet-filter/shunt.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)

scripts/base/frameworks/intel/main.bro

@@ -63,9 +63,6 @@ export {
 		IN_ANYWHERE,
 	};
 
-	## The $host field and combination of $str and $str_type fields are mutually 
-	## exclusive.  These records *must* represent either an IP address being
-	## seen or a string being seen.
 	type Seen: record {
 		## The string if the data is about a string.
 		indicator:       string        &log &optional;

scripts/policy/frameworks/intel/do_notice.bro

@@ -0,0 +1,44 @@
+
+@load base/frameworks/intel
+@load base/frameworks/notice
+
+module Intel;
+
+export {
+	redef enum Notice::Type += {
+		## Intel::Notice is a notice that happens when an intelligence 
+		## indicator is denoted to be notice-worthy.
+		Intel::Notice
+	};
+
+	redef record Intel::MetaData += {
+		## A boolean value to allow the data itself to represent
+		## if the indicator that this metadata is attached to 
+		## is notice worthy.
+		do_notice: bool &default=F;
+
+		## Restrictions on when notices are created to only create
+		## them if the do_notice field is T and the notice was
+		## seen in the indicated location.
+		if_in: Intel::Where &optional;
+	};
+}
+
+event Intel::match(s: Seen, items: set[Item])
+	{
+	for ( item in items )
+		{
+		if ( item$meta$do_notice &&
+		     (! item$meta?$if_in || s$where == item$meta$if_in) )
+			{
+			local n = Notice::Info($note=Intel::Notice,
+			                       $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
+			                       $sub=s$indicator);
+
+			if ( s?$conn )
+				n$conn = s$conn;
+
+			NOTICE(n);
+			}
+		}
+	}

scripts/test-all-policy.bro

@@ -14,16 +14,17 @@
 # @load frameworks/control/controller.bro
 @load frameworks/dpd/detect-protocols.bro
 @load frameworks/dpd/packet-segment-logging.bro
-@load frameworks/intel/__load__.bro
-@load frameworks/intel/conn-established.bro
-@load frameworks/intel/dns.bro
-@load frameworks/intel/http-host-header.bro
-@load frameworks/intel/http-url.bro
-@load frameworks/intel/http-user-agents.bro
-@load frameworks/intel/smtp-url-extraction.bro
-@load frameworks/intel/smtp.bro
-@load frameworks/intel/ssl.bro
-@load frameworks/intel/where-locations.bro
+@load frameworks/intel/do_notice.bro
+@load frameworks/intel/seen/__load__.bro
+@load frameworks/intel/seen/conn-established.bro
+@load frameworks/intel/seen/dns.bro
+@load frameworks/intel/seen/http-host-header.bro
+@load frameworks/intel/seen/http-url.bro
+@load frameworks/intel/seen/http-user-agents.bro
+@load frameworks/intel/seen/smtp-url-extraction.bro
+@load frameworks/intel/seen/smtp.bro
+@load frameworks/intel/seen/ssl.bro
+@load frameworks/intel/seen/where-locations.bro
 @load frameworks/packet-filter/shunt.bro
 @load frameworks/software/version-changes.bro
 @load frameworks/software/vulnerable.bro