Copy docs into Zeek repo directly

This is based on commit 99e6942efec5feff50523f6b2a1f5868f19ab638 from the zeek-docs repo.
2025-10-15 21:18:20 +00:00 · 2025-09-15 15:52:18 -07:00 · 2025-09-15 15:52:18 -07:00 · adce4e604a
commit adce4e604a
parent 979a98c73c
1075 changed files with 169492 additions and 1 deletions
--- a/doc/frameworks/sqlite-read-events.zeek
+++ b/doc/frameworks/sqlite-read-events.zeek
@ -0,0 +1,40 @@
+@load frameworks/files/hash-all-files
+
+type Val: record {
+    hash: string;
+    description: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, r: Val)
+    {
+    print fmt("malware-hit with hash %s, description %s", r$hash, r$description);
+    }
+
+global malware_source = "/var/db/malware";
+
+event file_hash(f: fa_file, kind: string, hash: string)
+    {
+
+    # check all sha1 hashes
+    if ( kind=="sha1" )
+        {
+        Input::add_event(
+            [
+            $source=malware_source,
+            $name=hash,
+            $fields=Val,
+            $ev=line,
+            $want_record=T,
+            $config=table(
+                ["query"] = fmt("select * from malware_hashes where hash='%s';", hash)
+                ),
+            $reader=Input::READER_SQLITE
+            ]);
+        }
+    }
+
+event Input::end_of_data(name: string, source:string)
+    {
+    if ( source == malware_source )
+        Input::remove(name);
+    }