Adds a "node" field to Intel::Seen struture and intel.log.

The intel framework can now indicate which node discovered a hit on an intel item through the new "node" field in the Intel::Seen data structure. On clusters, this field will contain the name of the node where the hit was seen.
2025-10-15 13:08:20 +00:00 · 2014-09-23 12:23:39 -04:00 · 2014-09-23 12:23:39 -04:00 · 8d283db63b
commit 8d283db63b
parent d226fef723
4 changed files with 27 additions and 19 deletions
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@ -81,6 +81,9 @@ export {
 		## Where the data was discovered.
 		where:           Where         &log;
 		
+		## The name of the node where the match was discovered.
+		node:            string        &optional &log;
+
 		## If the data was discovered within a connection, the 
 		## connection record should go here to give context to the data.
 		conn:            connection    &optional;
@ -240,6 +243,11 @@ function Intel::seen(s: Seen)
 			s$indicator_type = Intel::ADDR;
 			}

+		if ( ! s?$node )
+			{
+			s$node = peer_description;
+			}
+
 		if ( have_full_data )
 			{
 			local items = get_items(s);