Added hook to allow extending the intel log.

The extension mechanism is basically the one that Seth introduced with his intel extensions. The main difference lies in using a hook instead of an event. An example policy implements whitelisting.
2025-10-11 11:08:20 +00:00 · 2016-05-11 23:27:51 +02:00 · 2016-05-11 23:27:51 +02:00 · cb33028702
commit cb33028702
parent 859eb5eac7
5 changed files with 118 additions and 2 deletions
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@ -165,6 +165,19 @@ export {
 	## data within the intelligence framework.
 	global match: event(s: Seen, items: set[Item]);

+	## This hook can be used to extend the intel log by adding data to the
+	## Info record. The default information is added with a priority of 5.
+	##
+	## info: The Info record that will be logged.
+	##
+	## s: Information about the data seen.
+	##
+	## items: The intel items that match the seen data.
+	##
+	## In case the hook execution is terminated using break, the match will
+	## not be logged.
+	global extend_match: hook(info: Info, s: Seen, items: set[Item]);
+
 	global log_intel: event(rec: Info);
 }

@ -306,6 +319,12 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 	{
 	local info = Info($ts=network_time(), $seen=s, $matched=TypeSet());

+	if ( hook extend_match(info, s, items) )
+		Log::write(Intel::LOG, info);
+	}
+
+hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
+	{
 	if ( s?$f )
 		{
 		s$fuid = s$f$id;
@ -340,8 +359,6 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 		add info$sources[item$meta$source];
 		add info$matched[item$indicator_type];
 		}
-
-	Log::write(Intel::LOG, info);
 	}

 function insert(item: Item)