From a9ad41cdccdfecffc4dda453da3223d203f48658 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Thu, 19 May 2016 21:03:36 +0200
Subject: [PATCH] Improved intel notices.

Intel notices are identified by a direction independent 3-tuple (indicator, originator IP, responder IP). This allows notice suppression. Additionally service and intel source are added to the notice mail.

---
 scripts/policy/frameworks/intel/do_notice.bro | 37 ++++++++++++++++---
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/scripts/policy/frameworks/intel/do_notice.bro b/scripts/policy/frameworks/intel/do_notice.bro
index 89910ede32..ed859b468b 100644
--- a/scripts/policy/frameworks/intel/do_notice.bro
+++ b/scripts/policy/frameworks/intel/do_notice.bro
@@ -6,14 +6,14 @@ module Intel;
 
 export {
 redef enum Notice::Type += {
- ## Intel::Notice is a notice that happens when an intelligence
+ ## Intel::Notice is a notice that happens when an intelligence
 ## indicator is denoted to be notice-worthy.
 Intel::Notice
 };
 
 redef record Intel::MetaData += {
 ## A boolean value to allow the data itself to represent
- ## if the indicator that this metadata is attached to
+ ## if the indicator that this metadata is attached to
 ## is notice worthy.
 do_notice: bool &default=F;
 
@@ -29,15 +29,42 @@ event Intel::match(s: Seen, items: set[Item])
 for ( item in items )
 {
 if ( item$meta$do_notice &&
- (! item$meta?$if_in || s$where == item$meta$if_in) )
+ (! item$meta?$if_in || s$where == item$meta$if_in) )
 {
 local n = Notice::Info($note=Intel::Notice,
- $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
- $sub=s$indicator);
+ $msg = fmt("Intel hit on %s at %s", s$indicator, s$where),
+ $sub = s$indicator);
+ local service_str = "";
 
 if ( s?$conn )
+ {
 n$conn = s$conn;
 
+ # Add identifier composed of indicator, originator's and responder's IP,
+ # without considering the direction of the flow.
+ local intel_id = s$indicator;
+ if( s$conn?$id )
+ {
+ if( s$conn$id$orig_h < s$conn$id$resp_h)
+ intel_id = cat(intel_id, s$conn$id$orig_h, s$conn$id$resp_h);
+ else
+ intel_id = cat(intel_id, s$conn$id$resp_h, s$conn$id$orig_h);
+ }
+ n$identifier = intel_id;
+
+ if ( s$conn?$service )
+ {
+ for ( service in s$conn$service )
+ service_str = cat(service_str, service, " ");
+ }
+ }
+
+ # Add additional information to the generated mail
+ local mail_ext = vector(
+ fmt("Service: %s\n", service_str),
+ fmt("Intel source: %s\n", item$meta$source));
+ n$email_body_sections = mail_ext;
+
 NOTICE(n);
 }
 }
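Review bot: The suppression identifier built by the two `cat(...)` calls under `if( s$conn?$id )` joins the indicator and the two addresses with no separator, so different (indicator, host pair) tuples can collapse to the same string: with constructed values, indicator `1.2.3.4` seen between `10.0.0.1` and `10.0.0.2` and indicator `1.2.3.41` seen between `0.0.0.1` and `10.0.0.2` both yield `1.2.3.410.0.0.110.0.0.2`. Because `$identifier` is what the commit relies on for notice suppression, such a collision silently suppresses a genuine hit on an unrelated indicator for the whole suppression interval. Use a delimiter that cannot appear in an address, e.g. `intel_id = cat(intel_id, ",", s$conn$id$orig_h, ",", s$conn$id$resp_h);` and the mirrored `intel_id = cat(intel_id, ",", s$conn$id$resp_h, ",", s$conn$id$orig_h);`. A short comment on `n$identifier = intel_id;` should also record that when `s$conn$id` is absent the identifier is the bare indicator, so every hit on that indicator shares one suppression key regardless of hosts. The enclosing `Intel::match` event handler starts before the hunk.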