From 3900d88e60c24b87fe3f2350d52e6df08730e944 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 21 Oct 2011 14:01:39 -0400
Subject: [PATCH] Field name change to notice framwork. $result -> $action

- $result is renamed to $action to reflect changes to the notice framework since there is already another result-like field ($suppress_for) and there may be more in the future.
- Slipped in a change to add connection information to notice emails too.
---
 scripts/base/frameworks/notice/main.bro | 28 ++++++++++++++++---------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index bcb90677d4..98a7f44ef4 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -148,7 +148,7 @@ export {
 ## from highest value (10) to lowest value (0).
 priority: count &log &default=5;
 ## An action given to the notice if the predicate return true.
- result: Notice::Action &log &default=ACTION_NONE;
+ action: Notice::Action &log &default=ACTION_NONE;
 ## The pred (predicate) field is a function that returns a boolean T
 ## or F value. If the predicate function return true, the action in
 ## this record is applied to the notice that is given as an argument
@@ -169,25 +169,25 @@ export {
 [$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
 $halt=T, $priority = 9],
 [$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
- $result = ACTION_NO_SUPPRESS,
+ $action = ACTION_NO_SUPPRESS,
 $priority = 9],
 [$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
- $result = ACTION_ALARM,
+ $action = ACTION_ALARM,
 $priority = 8],
 [$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
- $result = ACTION_EMAIL,
+ $action = ACTION_EMAIL,
 $priority = 8],
 [$pred(n: Notice::Info) = {
- if (n$note in Notice::type_suppression_intervals)
+ if (n$note in Notice::type_suppression_intervals)
 {
- n$suppress_for=Notice::type_suppression_intervals[n$note];
+ n$suppress_for=Notice::type_suppression_intervals[n$note];
 return T;
 }
- return F;
+ return F;
 },
- $result = ACTION_NONE,
+ $action = ACTION_NONE,
 $priority = 8],
- [$result = ACTION_LOG,
+ [$action = ACTION_LOG,
 $priority = 0],
 } &redef;
@@ -356,6 +356,14 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
 # The notice emails always start off with the human readable message.
 email_text = string_cat(email_text, "\n", n$msg, "\n");
+
+ # Add information about the connection if it exists.
+ if ( n?$id )
+ email_text = cat(email_text, "Connection: ",
+ n$id$orig_h, ":", n$id$orig_p, " -> ",
+ n$id$resp_h, ":", n$id$resp_p, "\n");
+ else if ( n?$src )
+ email_text = cat(email_text, "Address: ", n$src, "\n");
 # Add the extended information if it's requested.
 if ( extend )
@@ -466,7 +474,7 @@ function apply_policy(n: Notice::Info)
 # If there's no predicate or the predicate returns F.
 if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
 {
- add n$actions[ordered_policy[i]$result];
+ add n$actions[ordered_policy[i]$action];
 add n$policy_items[int_to_count(i)];
 # If the predicate matched and there was a suppression interval,
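Review bot: The fallback branch of the new block in email_notice_to reports only the source address, so a notice that carries a destination address but no connection id (if this version's Notice::Info has the optional `$dst` field that the framework's Info record carries) loses that detail from the email; adding `if ( n?$dst && ! n?$id ) email_text = cat(email_text, "Destination: ", n$dst, "\n");` after the `else if` keeps the fallback symmetric with the `Connection:` line. The new lines also switch from `string_cat`, used on the line just above, to `cat`, presumably because `orig_h`/`orig_p`/`resp_h`/`resp_p` are addr and port values rather than strings; a short comment such as `# cat() rather than string_cat(): the id fields are addr/port, not string` would keep a later cleanup from harmonising it back and breaking the call. If those fields are indeed typed addr/port values rendered by `cat`, the new lines add no free-form text to the mail body, which is the right shape for content that ends up in an outgoing email. email_notice_to's body begins and continues outside this hunk.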