Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

The hostname notice email extension works now.

Browse source
This commit is contained in:
Seth Hall 2011-12-16 10:59:30 -05:00
parent b66c73baaa
commit 8399d28c2e
2 changed files with 15 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

26
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -2,13 +2,11 @@
module Notice;
function lookup_addr_wrapper(n: Info, a: addr): string
{
return when ( local name = lookup_addr(a) )
{
return name;
}
}
# We have to store references to the notices here because the when statement
# clones the frame which doesn't give us access to modify values outside
# of it's execution scope. (we get a clone of the notice instead of a
# reference to the original notice)
global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
event Notice::notice(n: Notice::Info) &priority=10
{
@ -22,26 +20,28 @@ event Notice::notice(n: Notice::Info) &priority=10
# I'm not recovering gracefully from the when statements because I want
# the notice framework to detect that something has exceeded the maximum
# allowed email delay and tell the user.
local uid = unique_id("");
tmp_notice_storage[uid] = n;
local output = "";
if ( n?$src )
{
add n$email_delay_tokens["hostnames-src"];
when ( local src_name = lookup_addr_wrapper(n, n$src) )
when ( local src_name = lookup_addr(n$src) )
{
output = string_cat("orig/src hostname: ", src_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output;
delete n$email_delay_tokens["hostnames-src"];
tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"];
}
}
if ( n?$dst )
{
add n$email_delay_tokens["hostnames-dst"];
when ( local dst_name = lookup_addr_wrapper(n, n$dst) )
when ( local dst_name = lookup_addr(n$dst) )
{
output = string_cat("resp/dst hostname: ", dst_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output;
delete n$email_delay_tokens["hostnames-dst"];
tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"];
}
}
}

3
scripts/base/frameworks/notice/main.bro
View file

@ -409,9 +409,10 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
# Add the extended information if it's requested.
if ( extend )
{
email_text = string_cat(email_text, "\nEmail Extensions\n");
email_text = string_cat(email_text, "----------------\n");
for ( i in n$email_body_sections )
{
email_text = string_cat(email_text, "******************\n");
email_text = string_cat(email_text, n$email_body_sections[i], "\n");
}
}