Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixed more bugs with delayed emails.

Browse source
This commit is contained in:
Seth Hall 2011-12-15 15:57:42 -05:00
parent 667dcb251a
commit b66c73baaa
2 changed files with 19 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -2,6 +2,14 @@
module Notice; module Notice;
function lookup_addr_wrapper(n: Info, a: addr): string
{
return when ( local name = lookup_addr(a) )
{
return name;
}
}
event Notice::notice(n: Notice::Info) &priority=10 event Notice::notice(n: Notice::Info) &priority=10
{ {
if ( ! n?$src && ! n?$dst ) if ( ! n?$src && ! n?$dst )
@ -19,9 +27,9 @@ event Notice::notice(n: Notice::Info) &priority=10
if ( n?$src ) if ( n?$src )
{ {
add n$email_delay_tokens["hostnames-src"]; add n$email_delay_tokens["hostnames-src"];
when ( local src_name = lookup_addr(n$src) ) when ( local src_name = lookup_addr_wrapper(n, n$src) )
{ {
output = string_cat("orig_h/src hostname: ", src_name, "\n"); output = string_cat("orig/src hostname: ", src_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output; n$email_body_sections[|n$email_body_sections|] = output;
delete n$email_delay_tokens["hostnames-src"]; delete n$email_delay_tokens["hostnames-src"];
} }
@ -29,9 +37,9 @@ event Notice::notice(n: Notice::Info) &priority=10
if ( n?$dst ) if ( n?$dst )
{ {
add n$email_delay_tokens["hostnames-dst"]; add n$email_delay_tokens["hostnames-dst"];
when ( local dst_name = lookup_addr(n$dst) ) when ( local dst_name = lookup_addr_wrapper(n, n$dst) )
{ {
output = string_cat("resp_h/dst hostname: ", dst_name, "\n"); output = string_cat("resp/dst hostname: ", dst_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output; n$email_body_sections[|n$email_body_sections|] = output;
delete n$email_delay_tokens["hostnames-dst"]; delete n$email_delay_tokens["hostnames-dst"];
} }

9
scripts/base/frameworks/notice/main.bro
View file

@ -96,7 +96,7 @@ export {
## expand on notices that are being emailed. The normal way to add text ## expand on notices that are being emailed. The normal way to add text
## is to extend the vector by handling the :bro:id:`Notice::notice` ## is to extend the vector by handling the :bro:id:`Notice::notice`
## event and modifying the notice in place. ## event and modifying the notice in place.
email_body_sections: vector of string &default=vector(); email_body_sections: vector of string &optional;
## Adding a string "token" to this set will cause the notice framework's ## Adding a string "token" to this set will cause the notice framework's
## built-in emailing functionality to delay sending the email until ## built-in emailing functionality to delay sending the email until
@ -371,7 +371,10 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
{ {
# If we still are within the max_email_delay, keep delaying. # If we still are within the max_email_delay, keep delaying.
if ( n$ts + max_email_delay > network_time() ) if ( n$ts + max_email_delay > network_time() )
{
schedule 1sec { delay_sending_email(n, dest, extend) }; schedule 1sec { delay_sending_email(n, dest, extend) };
return;
}
else else
{ {
event reporter_info(network_time(), event reporter_info(network_time(),
@ -503,7 +506,9 @@ function apply_policy(n: Notice::Info)
if ( ! n?$actions ) if ( ! n?$actions )
n$actions = set(); n$actions = set();
if ( ! n?$email_body_sections )
n$email_body_sections = vector();
if ( ! n?$email_delay_tokens ) if ( ! n?$email_delay_tokens )
n$email_delay_tokens = set(); n$email_delay_tokens = set();