Merge branch 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek

* 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek: coalesce smtp handlers for ADDR Add fine-grained groups for Intel events
2025-10-02 06:38:20 +00:00 · 2025-04-29 15:00:44 +02:00 · 2025-04-29 15:00:44 +02:00 · d5e1dc27c6
commit d5e1dc27c6
parent 5bf660a9ce 36c4d112c8
13 changed files with 106 additions and 67 deletions
--- a/scripts/policy/frameworks/intel/seen/http-headers.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-headers.zeek
@ -2,54 +2,72 @@
@load ./where-locations
@load base/utils/addrs

-event http_header(c: connection, is_orig: bool, name: string, value: string)
+event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::ADDR"
 	{
-	if ( is_orig )
+	if ( ! is_orig )
+		return;
+
+	switch ( name )
 		{
-		switch ( name )
+		case "HOST":
+		# Remove the occasional port value that shows up here.
+		local host = gsub(value, /:[[:digit:]]+$/, "");
+		if ( is_valid_ip(host) )
+			Intel::seen([$host=to_addr(host),
+				     $indicator_type=Intel::ADDR,
+				     $conn=c,
+				     $where=HTTP::IN_HOST_HEADER]);
+		break;
+
+		case "X-FORWARDED-FOR":
+		if ( is_valid_ip(value) )
 			{
-			case "HOST":
-			# Remove the occasional port value that shows up here.
-			local host = gsub(value, /:[[:digit:]]+$/, "");
-			if ( is_valid_ip(host) )
-				Intel::seen([$host=to_addr(host),
-					     $indicator_type=Intel::ADDR,
-					     $conn=c,
-					     $where=HTTP::IN_HOST_HEADER]);
-			else
-				Intel::seen([$indicator=host,
-					     $indicator_type=Intel::DOMAIN,
-					     $conn=c,
-					     $where=HTTP::IN_HOST_HEADER]);
-			break;
-
-			case "REFERER":
-			Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
-			             $indicator_type=Intel::URL,
-			             $conn=c,
-			             $where=HTTP::IN_REFERRER_HEADER]);
-			break;
-
-			case "X-FORWARDED-FOR":
-			if ( is_valid_ip(value) )
+			local addrs = extract_ip_addresses(value);
+			for ( i in addrs )
 				{
-				local addrs = extract_ip_addresses(value);
-				for ( i in addrs )
-					{
-					Intel::seen([$host=to_addr(addrs[i]),
-					             $indicator_type=Intel::ADDR,
-					             $conn=c,
-					             $where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
-					}
+				Intel::seen([$host=to_addr(addrs[i]),
+				             $indicator_type=Intel::ADDR,
+				             $conn=c,
+				             $where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
 				}
-			break;
-
-			case "USER-AGENT":
-			Intel::seen([$indicator=value,
-			             $indicator_type=Intel::SOFTWARE,
-			             $conn=c,
-			             $where=HTTP::IN_USER_AGENT_HEADER]);
-			break;
 			}
+		break;
 		}
 	}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
+	{
+	if ( ! is_orig || name != "HOST" )
+	    return;
+
+	# Remove the occasional port value that shows up here.
+	local host = gsub(value, /:[[:digit:]]+$/, "");
+	if ( ! is_valid_ip(host) )
+		Intel::seen([$indicator=host,
+			     $indicator_type=Intel::DOMAIN,
+			     $conn=c,
+			     $where=HTTP::IN_HOST_HEADER]);
+	}
+
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
+	{
+	if ( ! is_orig || name != "REFERER" )
+	    return;
+
+	Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
+	             $indicator_type=Intel::URL,
+	             $conn=c,
+	             $where=HTTP::IN_REFERRER_HEADER]);
+	}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
+	{
+	if ( ! is_orig || name != "USER-AGENT" )
+	    return;
+
+	Intel::seen([$indicator=value,
+	             $indicator_type=Intel::SOFTWARE,
+	             $conn=c,
+	             $where=HTTP::IN_USER_AGENT_HEADER]);
+	}