mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Field name change to notice framwork. $result -> $action
- $result is renamed to $action to reflect changes to the notice framework since there is already another result-like field ($suppress_for) and there may be more in the future. - Slipped in a change to add connection information to notice emails too.
This commit is contained in:
Seth Hall
parent
8661abe9d9
commit
3900d88e60
1 changed files with 18 additions and 10 deletions
|
|
@ -148,7 +148,7 @@ export {
|
|||
## from highest value (10) to lowest value (0).
|
||||
priority: count &log &default=5;
|
||||
## An action given to the notice if the predicate return true.
|
||||
result: Notice::Action &log &default=ACTION_NONE;
|
||||
action: Notice::Action &log &default=ACTION_NONE;
|
||||
## The pred (predicate) field is a function that returns a boolean T
|
||||
## or F value. If the predicate function return true, the action in
|
||||
## this record is applied to the notice that is given as an argument
|
||||
|
|
@ -169,13 +169,13 @@ export {
|
|||
[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
|
||||
$halt=T, $priority = 9],
|
||||
[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
|
||||
$result = ACTION_NO_SUPPRESS,
|
||||
$action = ACTION_NO_SUPPRESS,
|
||||
$priority = 9],
|
||||
[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
|
||||
$result = ACTION_ALARM,
|
||||
$action = ACTION_ALARM,
|
||||
$priority = 8],
|
||||
[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
|
||||
$result = ACTION_EMAIL,
|
||||
$action = ACTION_EMAIL,
|
||||
$priority = 8],
|
||||
[$pred(n: Notice::Info) = {
|
||||
if (n$note in Notice::type_suppression_intervals)
|
||||
|
|
@ -185,9 +185,9 @@ export {
|
|||
}
|
||||
return F;
|
||||
},
|
||||
$result = ACTION_NONE,
|
||||
$action = ACTION_NONE,
|
||||
$priority = 8],
|
||||
[$result = ACTION_LOG,
|
||||
[$action = ACTION_LOG,
|
||||
$priority = 0],
|
||||
} &redef;
|
||||
|
||||
|
|
@ -357,6 +357,14 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
|
|||
# The notice emails always start off with the human readable message.
|
||||
email_text = string_cat(email_text, "\n", n$msg, "\n");
|
||||
|
||||
# Add information about the connection if it exists.
|
||||
if ( n?$id )
|
||||
email_text = cat(email_text, "Connection: ",
|
||||
n$id$orig_h, ":", n$id$orig_p, " -> ",
|
||||
n$id$resp_h, ":", n$id$resp_p, "\n");
|
||||
else if ( n?$src )
|
||||
email_text = cat(email_text, "Address: ", n$src, "\n");
|
||||
|
||||
# Add the extended information if it's requested.
|
||||
if ( extend )
|
||||
{
|
||||
|
|
@ -466,7 +474,7 @@ function apply_policy(n: Notice::Info)
|
|||
# If there's no predicate or the predicate returns F.
|
||||
if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
|
||||
{
|
||||
add n$actions[ordered_policy[i]$result];
|
||||
add n$actions[ordered_policy[i]$action];
|
||||
add n$policy_items[int_to_count(i)];
|
||||
|
||||
# If the predicate matched and there was a suppression interval,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue