Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 19:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Improved intel notices.

Browse source 
Intel notices are identified by a direction independent 3-tuple
(indicator, originator IP, responder IP). This allows notice
suppression. Additionally service and intel source are added to the
notice mail.
This commit is contained in:
Jan Grashoefer 2016-05-19 21:03:36 +02:00
parent cb33028702
commit a9ad41cdcc
1 changed files with 32 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

37
scripts/policy/frameworks/intel/do_notice.bro
View file

@ -6,14 +6,14 @@ module Intel;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
## Intel::Notice is a notice that happens when an intelligence ## Intel::Notice is a notice that happens when an intelligence
## indicator is denoted to be notice-worthy. ## indicator is denoted to be notice-worthy.
Intel::Notice Intel::Notice
}; };
redef record Intel::MetaData += { redef record Intel::MetaData += {
## A boolean value to allow the data itself to represent ## A boolean value to allow the data itself to represent
## if the indicator that this metadata is attached to ## if the indicator that this metadata is attached to
## is notice worthy. ## is notice worthy.
do_notice: bool &default=F; do_notice: bool &default=F;
@ -29,15 +29,42 @@ event Intel::match(s: Seen, items: set[Item])
for ( item in items ) for ( item in items )
{ {
if ( item$meta$do_notice && if ( item$meta$do_notice &&
(! item$meta?$if_in || s$where == item$meta$if_in) ) (! item$meta?$if_in || s$where == item$meta$if_in) )
{ {
local n = Notice::Info($note=Intel::Notice, local n = Notice::Info($note=Intel::Notice,
$msg=fmt("Intel hit on %s at %s", s$indicator, s$where), $msg = fmt("Intel hit on %s at %s", s$indicator, s$where),
$sub=s$indicator); $sub = s$indicator);
local service_str = "";
if ( s?$conn ) if ( s?$conn )
{
n$conn = s$conn; n$conn = s$conn;
# Add identifier composed of indicator, originator's and responder's IP,
# without considering the direction of the flow.
local intel_id = s$indicator;
if( s$conn?$id )
{
if( s$conn$id$orig_h < s$conn$id$resp_h)
intel_id = cat(intel_id, s$conn$id$orig_h, s$conn$id$resp_h);
else
intel_id = cat(intel_id, s$conn$id$resp_h, s$conn$id$orig_h);
}
n$identifier = intel_id;
if ( s$conn?$service )
{
for ( service in s$conn$service )
service_str = cat(service_str, service, " ");
}
}
# Add additional information to the generated mail
local mail_ext = vector(
fmt("Service: %s\n", service_str),
fmt("Intel source: %s\n", item$meta$source));
n$email_body_sections = mail_ext;
NOTICE(n); NOTICE(n);
} }
} }