Field name change to notice framwork. $result -> $action

- $result is renamed to $action to reflect changes to the notice framework since there is already another result-like field ($suppress_for) and there may be more in the future. - Slipped in a change to add connection information to notice emails too.
2025-10-02 06:38:20 +00:00 · 2011-10-21 14:01:39 -04:00 · 2011-10-21 14:01:39 -04:00 · 3900d88e60
commit 3900d88e60
parent 8661abe9d9
1 changed files with 18 additions and 10 deletions
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@ -148,7 +148,7 @@ export {
 		## from highest value (10) to lowest value (0).
 		priority: count                            &log &default=5;
 		## An action given to the notice if the predicate return true.
-		result:   Notice::Action                   &log &default=ACTION_NONE;
+		action:   Notice::Action                   &log &default=ACTION_NONE;
 		## The pred (predicate) field is a function that returns a boolean T 
 		## or F value.  If the predicate function return true, the action in 
 		## this record is applied to the notice that is given as an argument 
@ -169,25 +169,25 @@ export {
 		[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
 		 $halt=T, $priority = 9],
 		[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
-		 $result = ACTION_NO_SUPPRESS,
+		 $action = ACTION_NO_SUPPRESS,
 		 $priority = 9],
 		[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
-		 $result = ACTION_ALARM,
+		 $action = ACTION_ALARM,
 		 $priority = 8],
 		[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
-		 $result = ACTION_EMAIL,
+		 $action = ACTION_EMAIL,
 		 $priority = 8],
 		[$pred(n: Notice::Info) = { 
-		 	if (n$note in Notice::type_suppression_intervals) 
+			if (n$note in Notice::type_suppression_intervals) 
 				{
-		 		n$suppress_for=Notice::type_suppression_intervals[n$note];
+				n$suppress_for=Notice::type_suppression_intervals[n$note];
 				return T;
 				}
-		 	return F; 
+			return F; 
 		 },
-		 $result = ACTION_NONE,
+		 $action = ACTION_NONE,
 		 $priority = 8],
-		[$result = ACTION_LOG,
+		[$action = ACTION_LOG,
 		 $priority = 0],
 	} &redef;
 	
@ -357,6 +357,14 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
 	# The notice emails always start off with the human readable message.
 	email_text = string_cat(email_text, "\n", n$msg, "\n");

+	# Add information about the connection if it exists.
+	if ( n?$id )
+		email_text = cat(email_text, "Connection: ", 
+			n$id$orig_h, ":", n$id$orig_p, " -> ",
+			n$id$resp_h, ":", n$id$resp_p, "\n");
+	else if ( n?$src )
+		email_text = cat(email_text, "Address: ", n$src, "\n");
+	
 	# Add the extended information if it's requested.
 	if ( extend )
 		{
@ -466,7 +474,7 @@ function apply_policy(n: Notice::Info)
 		# If there's no predicate or the predicate returns F.
 		if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
 			{
-			add n$actions[ordered_policy[i]$result];
+			add n$actions[ordered_policy[i]$action];
 			add n$policy_items[int_to_count(i)];
 			
 			# If the predicate matched and there was a suppression interval,