Merge branch 'topic/jgras/intel-update' of https://github.com/J-Gras/bro into topic/seth/intel-update-merge

# Conflicts: # testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log # testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
2025-10-13 03:58:20 +00:00 · 2016-08-02 15:50:43 -04:00 · 2016-08-02 15:50:43 -04:00 · d6a7322a75
commit d6a7322a75
parent 3adad5e19a a7d3f530fa
27 changed files with 905 additions and 197 deletions
--- a/scripts/policy/frameworks/intel/do_expire.bro
+++ b/scripts/policy/frameworks/intel/do_expire.bro
@ -0,0 +1,14 @@
+##! This script enables expiration for intelligence items.
+
+@load base/frameworks/intel
+
+module Intel;
+
+redef item_expiration = 10min;
+
+hook item_expired(indicator: string, indicator_type: Type,
+	metas: set[MetaData]) &priority=-10
+	{
+	# Trigger removal of the expired item.
+	break;
+	}
--- a/scripts/policy/frameworks/intel/do_notice.bro
+++ b/scripts/policy/frameworks/intel/do_notice.bro
@ -1,3 +1,4 @@
+##! This script enables notice generation for intelligence matches.

@load base/frameworks/intel
@load base/frameworks/notice
@ -6,14 +7,14 @@ module Intel;

 export {
 	redef enum Notice::Type += {
-		## Intel::Notice is a notice that happens when an intelligence 
+		## Intel::Notice is a notice that happens when an intelligence
 		## indicator is denoted to be notice-worthy.
 		Intel::Notice
 	};

 	redef record Intel::MetaData += {
 		## A boolean value to allow the data itself to represent
-		## if the indicator that this metadata is attached to 
+		## if the indicator that this metadata is attached to
 		## is notice worthy.
 		do_notice: bool &default=F;

@ -29,15 +30,42 @@ event Intel::match(s: Seen, items: set[Item])
 	for ( item in items )
 		{
 		if ( item$meta$do_notice &&
-		     (! item$meta?$if_in || s$where == item$meta$if_in) )
+			(! item$meta?$if_in || s$where == item$meta$if_in) )
 			{
 			local n = Notice::Info($note=Intel::Notice,
-			                       $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
-			                       $sub=s$indicator);
+				$msg = fmt("Intel hit on %s at %s", s$indicator, s$where),
+				$sub = s$indicator);
+			local service_str = "";

 			if ( s?$conn )
+				{
 				n$conn = s$conn;

+				# Add identifier composed of indicator, originator's and responder's IP,
+				# without considering the direction of the flow.
+				local intel_id = s$indicator;
+				if( s$conn?$id )
+					{
+					if( s$conn$id$orig_h < s$conn$id$resp_h)
+						intel_id = cat(intel_id, s$conn$id$orig_h, s$conn$id$resp_h);
+					else
+						intel_id = cat(intel_id, s$conn$id$resp_h, s$conn$id$orig_h);
+					}
+				n$identifier = intel_id;
+
+				if ( s$conn?$service )
+					{
+					for ( service in s$conn$service )
+						service_str = cat(service_str, service, " ");
+					}
+				}
+
+			# Add additional information to the generated mail
+			local mail_ext = vector(
+				fmt("Service: %s\n", service_str),
+				fmt("Intel source: %s\n", item$meta$source));
+			n$email_body_sections = mail_ext;
+
 			NOTICE(n);
 			}
 		}
--- a/scripts/policy/frameworks/intel/whitelist.bro
+++ b/scripts/policy/frameworks/intel/whitelist.bro
@ -0,0 +1,30 @@
+##! This script enables whitelisting for intelligence items.
+
+@load base/frameworks/intel
+
+module Intel;
+
+export {
+	redef record Intel::MetaData += {
+		## A boolean value to indicate whether the item is whitelisted.
+		whitelist: bool &default=F;
+	};
+}
+
+hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=9
+	{
+	local whitelisted = F;
+	for ( item in items )
+		{
+		if ( item$meta$whitelist )
+			{
+			whitelisted = T;
+			break;
+			}
+		}
+	
+	if ( whitelisted )
+		# Prevent logging
+		break;
+	}
+