intel: Add indicator_inserted and indicator_removed hooks

This change adds two new hooks to the Intel framework that can be used
to intercept added and removed indicators and their type.

These hooks are fairly low-level. One immediate use-case is to count the
number of indicators loaded per Intel::Type and enable and disable the
corresponding event groups of the intel/seen scripts.

I attempted to gauge the overhead and while it's definitely there, loading
a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks
when populated via the min_data_store store mechanism. While that
doesn't sound great, it actually takes the manager on my system 2.5
seconds to serialize and Cluster::publish() the min_data_store alone
and its doing that serially for every active worker. Mostly to say that
the bigger overhead in that area on the manager doing redundant work
per worker.

Co-authored-by: Mohan Dhawan <mohan@corelight.com>

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/addr-indicator.manager..stdout

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+insert_addr, 1.2.3.4, from-manager
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR
+====
+insert_addr, 1.2.3.4, from-manager
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR
+publish_do_terminate()

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/addr-indicator.worker-1..stdout

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+insert_addr, 1.2.3.4, from-worker
+insert_addr, 1.2.3.5, from-worker
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+insert_addr, 1.2.3.5, from-manager
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR
+====
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+insert_addr, 1.2.3.4, from-worker
+insert_addr, 1.2.3.5, from-worker
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+insert_addr, 1.2.3.5, from-manager
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/addr-indicator.worker-2..stdout

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+remove_addr, 1.2.3.4, from-manager
+remove_addr, 1.2.3.5, from-manager
+remove_addr, 1.2.3.4, from-worker
+remove_addr, 1.2.3.5, from-worker
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR
+====
+Intel::indicator_inserted, 1.2.3.4, Intel::ADDR
+Intel::indicator_inserted, 1.2.3.5, Intel::ADDR
+remove_addr, 1.2.3.4, from-manager
+remove_addr, 1.2.3.5, from-manager
+remove_addr, 1.2.3.4, from-worker
+remove_addr, 1.2.3.5, from-worker
+Intel::indicator_removed, 1.2.3.4, Intel::ADDR
+Intel::indicator_removed, 1.2.3.5, Intel::ADDR

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/software-indicator.manager..stdout

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+insert_software, software-1.2.3.4, from-manager
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE
+====
+insert_software, software-1.2.3.4, from-manager
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE
+publish_do_terminate()

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/software-indicator.worker-1..stdout

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+insert_software, software-1.2.3.4, from-worker
+insert_software, software-1.2.3.5, from-worker
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+insert_software, software-1.2.3.5, from-manager
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE
+====
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+insert_software, software-1.2.3.4, from-worker
+insert_software, software-1.2.3.5, from-worker
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+insert_software, software-1.2.3.5, from-manager
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/software-indicator.worker-2..stdout

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+remove_software, software-1.2.3.4, from-manager
+remove_software, software-1.2.3.5, from-manager
+remove_software, software-1.2.3.4, from-worker
+remove_software, software-1.2.3.5, from-worker
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE
+====
+Intel::indicator_inserted, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_inserted, software-1.2.3.5, Intel::SOFTWARE
+remove_software, software-1.2.3.4, from-manager
+remove_software, software-1.2.3.5, from-manager
+remove_software, software-1.2.3.4, from-worker
+remove_software, software-1.2.3.5, from-worker
+Intel::indicator_removed, software-1.2.3.4, Intel::SOFTWARE
+Intel::indicator_removed, software-1.2.3.5, Intel::SOFTWARE

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/subnet-indicator.manager..stdout

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+insert_subnet, 1.2.3.4/32, from-manager
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET
+====
+insert_subnet, 1.2.3.4/32, from-manager
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET
+publish_do_terminate()

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/subnet-indicator.worker-1..stdout

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+insert_subnet, 1.2.3.4/32, from-worker
+insert_subnet, 1.2.3.5/32, from-worker
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+insert_subnet, 1.2.3.5/32, from-manager
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET
+====
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+insert_subnet, 1.2.3.4/32, from-worker
+insert_subnet, 1.2.3.5/32, from-worker
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+insert_subnet, 1.2.3.5/32, from-manager
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-indicator-inserted/subnet-indicator.worker-2..stdout

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+remove_subnet, 1.2.3.4/32, from-manager
+remove_subnet, 1.2.3.5/32, from-manager
+remove_subnet, 1.2.3.4/32, from-worker
+remove_subnet, 1.2.3.5/32, from-worker
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET
+====
+Intel::indicator_inserted, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_inserted, 1.2.3.5/32, Intel::SUBNET
+remove_subnet, 1.2.3.4/32, from-manager
+remove_subnet, 1.2.3.5/32, from-manager
+remove_subnet, 1.2.3.4/32, from-worker
+remove_subnet, 1.2.3.5/32, from-worker
+Intel::indicator_removed, 1.2.3.4/32, Intel::SUBNET
+Intel::indicator_removed, 1.2.3.5/32, Intel::SUBNET