diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 63d2f35562..5756d75ea3 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -199,9 +199,10 @@ rest_target(${psd} policy/frameworks/files/hash-all-files.bro)
 rest_target(${psd} policy/frameworks/intel/do_notice.bro)
 rest_target(${psd} policy/frameworks/intel/seen/conn-established.bro)
 rest_target(${psd} policy/frameworks/intel/seen/dns.bro)
-rest_target(${psd} policy/frameworks/intel/seen/http-host-header.bro)
+rest_target(${psd} policy/frameworks/intel/seen/file-hashes.bro)
+rest_target(${psd} policy/frameworks/intel/seen/file-names.bro)
+rest_target(${psd} policy/frameworks/intel/seen/http-headers.bro)
 rest_target(${psd} policy/frameworks/intel/seen/http-url.bro)
-rest_target(${psd} policy/frameworks/intel/seen/http-user-agents.bro)
 rest_target(${psd} policy/frameworks/intel/seen/smtp-url-extraction.bro)
 rest_target(${psd} policy/frameworks/intel/seen/smtp.bro)
 rest_target(${psd} policy/frameworks/intel/seen/ssl.bro)
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 94ff8103a8..b3dcfda00d 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -104,13 +104,13 @@ export {
 ## If a file was associated with this intelligence hit,
 ## this is the uid for the file.
- fuid: string &log &optional;
+ fuid: string &log &optional;
 ## A mime type if the intelligence hit is related to a file.
 ## If the $f field is provided this will be automatically filled out.
- file_mime_type: string &log &optional;
+ file_mime_type: string &log &optional;
 ## Frequently files can be "described" to give a bit more context.
 ## If the $f field is provided this field will be automatically filled out.
- file_desc: string &log &optional;
+ file_desc: string &log &optional;
 ## Where the data was seen.
 seen: Seen &log;
@@ -265,22 +265,25 @@ function has_meta(check: MetaData, metas: set[MetaData]): bool
 event Intel::match(s: Seen, items: set[Item]) &priority=5
 {
- if ( s$f?$conns && |s$f$conns| == 1 )
- {
- for ( cid in s$f$conns )
- s$conn = s$f$conns[cid];
- }
-
 local info = Info($ts=network_time(), $seen=s);
- if ( ! info?$fuid )
- info$fuid = s$f$id;
+ if ( s?$f )
+ {
+ if ( s$f?$conns && |s$f$conns| == 1 )
+ {
+ for ( cid in s$f$conns )
+ s$conn = s$f$conns[cid];
+ }
- if ( ! info?$file_mime_type && s$f?$mime_type )
- info$file_mime_type = s$f$mime_type;
+ if ( ! info?$fuid )
+ info$fuid = s$f$id;
- if ( ! info?$file_desc )
- info$file_desc = Files::describe(s$f);
+ if ( ! info?$file_mime_type && s$f?$mime_type )
+ info$file_mime_type = s$f$mime_type;
+
+ if ( ! info?$file_desc )
+ info$file_desc = Files::describe(s$f);
+ }
 if ( s?$conn )
 {
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 7d582bf82f..63b9b5998c 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -18,9 +18,10 @@
 @load frameworks/intel/seen/__load__.bro
 @load frameworks/intel/seen/conn-established.bro
 @load frameworks/intel/seen/dns.bro
-@load frameworks/intel/seen/http-host-header.bro
+@load frameworks/intel/seen/file-hashes.bro
+@load frameworks/intel/seen/file-names.bro
+@load frameworks/intel/seen/http-headers.bro
 @load frameworks/intel/seen/http-url.bro
-@load frameworks/intel/seen/http-user-agents.bro
 @load frameworks/intel/seen/smtp-url-extraction.bro
 @load frameworks/intel/seen/smtp.bro
 @load frameworks/intel/seen/ssl.bro
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
index 00871e7d93..27a1f2d2f8 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
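Review bot: `local info = Info($ts=network_time(), $seen=s);` now runs before the new `if ( s?$f )` block that fills `s$conn` from the file's single connection, whereas previously the `s$conn` assignment came first. As I understand it, Bro assigns record values by reference, so `info$seen` still observes the later `s$conn` assignment and the logged Info carries the connection; that is a subtle dependence a reader cannot see from this hunk. Moving the `local info = Info($ts=network_time(), $seen=s);` line to directly after the closing brace of the `if ( s?$f )` block restores the old order and removes the dependence on reference semantics; alternatively add `# s is shared by reference with info$seen, so s$conn set below is still logged` above it. The `Intel::match` handler continues past the end of the hunk.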
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path intel
-#open 2013-07-19-17-05-48
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where sources
-#types time string addr port addr port string enum enum table[string]
-1374253548.038580 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-1
-#close 2013-07-19-17-05-57
+#open 2013-08-14-03-46-32
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources
+#types time string addr port addr port string string string string enum enum table[string]
+1376451992.872806 - - - - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-1
+#close 2013-08-14-03-46-42
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
index 8c01ae5c27..ea57d77b18 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path intel
-#open 2013-07-19-17-04-26
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where sources
-#types time string addr port addr port string enum enum table[string]
-1374253466.857185 - - - - - e@mail.com Intel::EMAIL SOMEWHERE source1
-1374253466.857185 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE source1
-#close 2013-07-19-17-04-26
+#open 2013-08-14-03-47-03
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources
+#types time string addr port addr port string string string string enum enum table[string]
+1376452023.137179 - - - - - - - - e@mail.com Intel::EMAIL SOMEWHERE source1
+1376452023.137179 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE source1
+#close 2013-08-14-03-47-03
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
index 70d92a3604..bf9aa50fef 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
@@ -3,11 +3,11 @@
 #empty_field (empty)
 #unset_field -
 #path intel
-#open 2013-07-19-17-06-57
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where sources
-#types time string addr port addr port string enum enum table[string]
-1374253617.312158 - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1
-1374253617.312158 - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1
-1374253618.332565 - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1
-1374253618.332565 - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1
-#close 2013-07-19-17-07-06
+#open 2013-08-14-03-47-23
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources
+#types time string addr port addr port string string string string enum enum table[string]
+1376452043.835810 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1
+1376452043.835810 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1
+1376452044.855238 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1
+1376452044.855238 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1
+#close 2013-08-14-03-47-32