From 1011abd5e06c3315ca2ac95f8f4513d8178d4755 Mon Sep 17 00:00:00 2001 From: Mauro Palumbo Date: Tue, 6 Aug 2019 11:15:47 +0200 Subject: [PATCH 1/3] move event Intel::read_entry to export block --- scripts/base/frameworks/intel/input.zeek | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/intel/input.zeek b/scripts/base/frameworks/intel/input.zeek index 4dfa011fad..1d5dd51673 100644 --- a/scripts/base/frameworks/intel/input.zeek +++ b/scripts/base/frameworks/intel/input.zeek @@ -20,12 +20,13 @@ export { ## any path_prefix specified in the input framework will apply ## additionally. const path_prefix = "" &redef; -} -event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) - { - Intel::insert(item); - } + event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) + { + Intel::insert(item); + } + +} event zeek_init() &priority=5 { From 8e418d3c7be3f05738a95eff7516acca34f6b387 Mon Sep 17 00:00:00 2001 From: Mauro Palumbo Date: Tue, 6 Aug 2019 11:23:48 +0200 Subject: [PATCH 2/3] add an empty read_error event to the intel framework (in the export block, so that users can implement further checks with it) --- scripts/base/frameworks/intel/input.zeek | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/base/frameworks/intel/input.zeek b/scripts/base/frameworks/intel/input.zeek index 1d5dd51673..0a61a0a052 100644 --- a/scripts/base/frameworks/intel/input.zeek +++ b/scripts/base/frameworks/intel/input.zeek @@ -26,6 +26,9 @@ export { Intel::insert(item); } + event Intel::read_error(desc: Input::EventDescription, message: string, level: Reporter::Level) + { + } } event zeek_init() &priority=5 @@ -50,7 +53,8 @@ event zeek_init() &priority=5 $mode=Input::REREAD, $name=cat("intel-", a_file), $fields=Intel::Item, - $ev=Intel::read_entry]); + $ev=Intel::read_entry, + $error_ev=Intel::read_error]); } } } 
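Review bot: In the second hunk of patch 2/3, `$error_ev=Intel::read_error` points at a handler whose body is empty, and nothing at the call site says whether the base scripts ignore intel read errors on purpose. A feed that fails to parse presumably leaves its indicators unloaded, so the intent deserves a comment above the `Input::add_event` call. For example: `# Read errors are surfaced through Intel::read_error so site scripts can alert on a feed that failed to load; the base scripts take no action themselves.` The enclosing `zeek_init` handler starts and ends outside the hunk.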
From f93e41fd3f34cc95630cb236e5975af370db59b9 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo
Date: Wed, 7 Aug 2019 10:32:36 +0200
Subject: [PATCH 3/3] minor restyle and add comments
---
scripts/base/frameworks/intel/input.zeek | 35 +++++++++++++++++++-----
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/scripts/base/frameworks/intel/input.zeek b/scripts/base/frameworks/intel/input.zeek
index 0a61a0a052..49ab260e23 100644
--- a/scripts/base/frameworks/intel/input.zeek
+++ b/scripts/base/frameworks/intel/input.zeek
@@ -21,16 +21,37 @@ export { ## additionally. const path_prefix = "" &redef; - event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) - { - Intel::insert(item); - } + ## This event is raised each time the intel framework reads a new line + ## from an intel file. It is used in the intel framework but can + ## also be used in custom scripts for further checks. + ## + ## desc: The :zeek:type:`Input::EventDescription` record which generated the event. + ## + ## tpe: The type of input event. + ## + ## item: The intel item being read (of type :zeek:type:`Intel::Item`). + ## + global read_entry: event(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item); - event Intel::read_error(desc: Input::EventDescription, message: string, level: Reporter::Level) - { - } + ## This event is raised each time the input framework detects an error + ## while reading the intel file. It can be used to implement further checks + ## in custom scripts. Errors can be of different levels (information, warning, errors). + ## + ## desc: The :zeek:type:`Input::EventDescription` record which generated the error. + ## + ## message: An error message. + ## + ## level: The :zeek:type:`Reporter::Level` of the error. + ## + global read_error: event(desc: Input::EventDescription, message: string, level: Reporter::Level); } +event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) + { + Intel::insert(item); + } + + event zeek_init() &priority=5 { if ( ! Cluster::is_enabled() ||
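Review bot: The doc comment added for `read_error` lists the levels but does not say what an error-level message means for the stream. As far as I recall, the input framework's documentation for `error_ev` says the stream is closed when the level is error. With the `$mode=Input::REREAD` stream set up in patch 2/3, that would leave the intel file unread from then on, which is the case a site script most needs to alert on. If that behaviour is confirmed, I would add `## If level is an error, the input framework closes the stream and the file is no longer read.` to the comment. Separately, `(information, warning, errors)` should read `(information, warning, error)`.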