Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Field name change to notice framwork. $result -> $action

Browse source 
- $result is renamed to $action to reflect changes to the notice framework
  since there is already another result-like field ($suppress_for) and
  there may be more in the future.

- Slipped in a change to add connection information to notice emails too.
This commit is contained in:
Seth Hall 2011-10-21 14:01:39 -04:00
parent 8661abe9d9
commit 3900d88e60
1 changed files with 18 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

22
scripts/base/frameworks/notice/main.bro
View file

@ -148,7 +148,7 @@ export {
## from highest value (10) to lowest value (0). ## from highest value (10) to lowest value (0).
priority: count &log &default=5; priority: count &log &default=5;
## An action given to the notice if the predicate return true. ## An action given to the notice if the predicate return true.
result: Notice::Action &log &default=ACTION_NONE; action: Notice::Action &log &default=ACTION_NONE;
## The pred (predicate) field is a function that returns a boolean T ## The pred (predicate) field is a function that returns a boolean T
## or F value. If the predicate function return true, the action in ## or F value. If the predicate function return true, the action in
## this record is applied to the notice that is given as an argument ## this record is applied to the notice that is given as an argument
@ -169,13 +169,13 @@ export {
[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); }, [$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
$halt=T, $priority = 9], $halt=T, $priority = 9],
[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); }, [$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
$result = ACTION_NO_SUPPRESS, $action = ACTION_NO_SUPPRESS,
$priority = 9], $priority = 9],
[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); }, [$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
$result = ACTION_ALARM, $action = ACTION_ALARM,
$priority = 8], $priority = 8],
[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); }, [$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
$result = ACTION_EMAIL, $action = ACTION_EMAIL,
$priority = 8], $priority = 8],
[$pred(n: Notice::Info) = { [$pred(n: Notice::Info) = {
if (n$note in Notice::type_suppression_intervals) if (n$note in Notice::type_suppression_intervals)
@ -185,9 +185,9 @@ export {
} }
return F; return F;
}, },
$result = ACTION_NONE, $action = ACTION_NONE,
$priority = 8], $priority = 8],
[$result = ACTION_LOG, [$action = ACTION_LOG,
$priority = 0], $priority = 0],
} &redef; } &redef;
@ -357,6 +357,14 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
# The notice emails always start off with the human readable message. # The notice emails always start off with the human readable message.
email_text = string_cat(email_text, "\n", n$msg, "\n"); email_text = string_cat(email_text, "\n", n$msg, "\n");
# Add information about the connection if it exists.
if ( n?$id )
email_text = cat(email_text, "Connection: ",
n$id$orig_h, ":", n$id$orig_p, " -> ",
n$id$resp_h, ":", n$id$resp_p, "\n");
else if ( n?$src )
email_text = cat(email_text, "Address: ", n$src, "\n");
# Add the extended information if it's requested. # Add the extended information if it's requested.
if ( extend ) if ( extend )
{ {
@ -466,7 +474,7 @@ function apply_policy(n: Notice::Info)
# If there's no predicate or the predicate returns F. # If there's no predicate or the predicate returns F.
if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) ) if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
{ {
add n$actions[ordered_policy[i]$result]; add n$actions[ordered_policy[i]$action];
add n$policy_items[int_to_count(i)]; add n$policy_items[int_to_count(i)];
# If the predicate matched and there was a suppression interval, # If the predicate matched and there was a suppression interval,