Merge branch 'topic/jgras/intel-update' of https://github.com/J-Gras/bro into topic/seth/intel-update-merge

# Conflicts:
#	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
#	testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-08-01-16-08-53
+#open	2016-06-15-19-16-09
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -203,6 +203,7 @@ scripts/base/init-default.bro
     scripts/base/frameworks/communication/main.bro
   scripts/base/frameworks/intel/__load__.bro
     scripts/base/frameworks/intel/main.bro
+    scripts/base/frameworks/intel/files.bro
     scripts/base/frameworks/intel/input.bro
   scripts/base/frameworks/sumstats/__load__.bro
     scripts/base/frameworks/sumstats/main.bro
@@ -312,4 +313,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-08-01-16-08-53
+#close	2016-06-15-19-16-09

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-09-23-16-13-39
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1411488819.555114	-	-	-	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-2	worker-1
-#close	2014-09-23-16-13-49
+#open	2016-06-15-19-11-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466017887.060652	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-2	Intel::ADDR	worker-1	-	-	-
+#close	2016-06-15-19-11-36

testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output

@@ -0,0 +1,22 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2016-06-15-19-11-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466017866.348490	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1466017867.349583	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1466017868.349656	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+#close	2016-06-15-19-11-12
+Trigger: 1.2.3.4
+Seen: 1.2.3.4
+Trigger: 1.2.3.4
+Seen: 1.2.3.4
+Trigger: 1.2.3.4
+Seen: 1.2.3.4
+Expired: 1.2.3.4
+Trigger: 1.2.3.4
+Trigger: 1.2.3.4
+Trigger: 1.2.3.4

testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-09-23-16-14-49
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1411488889.571819	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	bro	source1
-1411488889.571819	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	source1
-#close	2014-09-23-16-14-49
+#open	2016-06-15-19-12-26
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466017946.413077	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	bro	Intel::EMAIL	source1	-	-	-
+1466017946.413077	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+#close	2016-06-15-19-12-26

testing/btest/Baseline/scripts.base.frameworks.intel.match-subnet/output

@@ -0,0 +1,24 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2016-06-22-19-12-08
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466622728.846581	-	-	-	-	-	192.168.1.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1466622728.846581	-	-	-	-	-	192.168.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::SUBNET	source1	-	-	-
+1466622728.846581	-	-	-	-	-	192.168.142.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR,Intel::SUBNET	source1	-	-	-
+#close	2016-06-22-19-12-08
+
+Seen: [indicator=192.168.1.1, indicator_type=Intel::ADDR, host=192.168.1.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Item: [indicator=192.168.1.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/1]]
+
+Seen: [indicator=192.168.2.1, indicator_type=Intel::ADDR, host=192.168.2.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Item: [indicator=192.168.2.0/24, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork is just plain baaad, url=http://some-data-distributor.com/2]]
+
+Seen: [indicator=192.168.142.1, indicator_type=Intel::ADDR, host=192.168.142.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Item: [indicator=192.168.142.0/26, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork is inside, url=http://some-data-distributor.com/4]]
+Item: [indicator=192.168.142.0/24, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork is baaad, url=http://some-data-distributor.com/4]]
+Item: [indicator=192.168.142.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/3]]
+Item: [indicator=192.168.128.0/18, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork might be baaad, url=http://some-data-distributor.com/5]]

testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-09-23-16-15-00
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1411488900.900403	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-1	source1
-1411488900.900403	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-1	source1
-1411488901.923543	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-2	source1
-1411488901.923543	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-2	source1
-#close	2014-09-23-16-15-09
+#open	2016-06-15-19-14-30
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466018070.494693	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-1	Intel::ADDR	source1	-	-	-
+1466018070.494693	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-1	Intel::EMAIL	source1	-	-	-
+1466018071.505800	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-2	Intel::ADDR	source1	-	-	-
+1466018071.505800	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-2	Intel::EMAIL	source1	-	-	-
+#close	2016-06-15-19-14-39

testing/btest/Baseline/scripts.base.frameworks.intel.remove-item-cluster/manager-1..stdout

@@ -0,0 +1,6 @@
+Purging 192.168.0.1.
+Purging 192.168.0.2.
+Removing 192.168.1.2 (source: source1).
+Removing 192.168.1.2 (source: source2).
+Purging 192.168.1.2.
+Logging intel hit!

testing/btest/Baseline/scripts.base.frameworks.intel.remove-item-cluster/manager-1.intel.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2016-06-15-19-10-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466017809.810005	-	-	-	-	-	10.10.10.10	Intel::ADDR	Intel::IN_ANYWHERE	worker-1	Intel::ADDR	end	-	-	-
+#close	2016-06-15-19-10-19

testing/btest/Baseline/scripts.base.frameworks.intel.remove-item-cluster/worker-1..stdout

@@ -0,0 +1,5 @@
+Removing 192.168.1.2 (source: source1).
+Removing 192.168.1.2 (source: source2).
+Purging 192.168.0.1.
+Purging 192.168.0.2.
+Purging 192.168.1.2.

testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output

@@ -0,0 +1,25 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2016-06-15-19-09-12
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1466017751.936022	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1466017754.938975	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2,source1	-	-	-
+1466017754.938975	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2	-	-	-
+1466017757.941783	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2,source1	-	-	-
+1466017757.941783	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2	-	-	-
+#close	2016-06-15-19-09-18
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2016-06-15-19-09-18
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1466017757.941783	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 1.2.3.4 at SOMEWHERE	1.2.3.4	-	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1466017757.941783	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 4.3.2.1 at SOMEWHERE	4.3.2.1	-	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2016-06-15-19-09-18

testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log

@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-07-13-16-17-18
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1416942644.593119	CHhAvVGS1DHFjwGM9	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	application/pkix-cert	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2016-07-13-16-17-18
+#open	2016-06-15-19-08-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	Fi6J8q3lDJpbQWAnvi	application/pkix-cert	23.92.19.75:443/tcp
+#close	2016-06-15-19-08-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-07-13-16-17-19
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1170717505.735416	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717505.934612	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-1170717508.883051	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717509.082241	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-1170717511.909717	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717512.108799	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2016-07-13-16-17-19
+#open	2016-06-15-19-08-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1170717505.735416	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FeCwNK3rzqPnZ7eBQ5	application/pkix-cert	194.127.84.106:443/tcp
+1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FeCwNK3rzqPnZ7eBQ5	-	-
+1170717508.883051	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FjkLnG4s34DVZlaBNc	application/pkix-cert	194.127.84.106:443/tcp
+1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FjkLnG4s34DVZlaBNc	-	-
+1170717511.909717	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FQXAWgI2FB5STbrff	application/pkix-cert	194.127.84.106:443/tcp
+1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FQXAWgI2FB5STbrff	-	-
+#close	2016-06-15-19-08-03

testing/btest/Baseline/scripts.policy.frameworks.intel.whitelisting/intel.log

@@ -0,0 +1,29 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2016-06-15-19-06-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+1300475168.853899	CPbrpk1qSsw6ESzHV4	141.142.220.118	43927	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.854837	CIPOse170MGiRM1Qf4	141.142.220.118	40526	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.857956	CMXxB5GvmoxJFXdTa	141.142.220.118	32902	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.858713	Che1bq3i2rO3KD1Syg	141.142.220.118	59714	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.891644	CEle3f3zno26fFZkrh	141.142.220.118	58206	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.892414	CfTOmO0HKorjr8Zp7	141.142.220.118	59746	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.893988	Cab0vO1xNYSS2hJkle	141.142.220.118	45000	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.894787	Cx3C534wEyF3OvvcQe	141.142.220.118	48128	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
+#close	2016-06-15-19-06-02

testing/btest/scripts/base/frameworks/intel/expire-item.bro

@@ -0,0 +1,46 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 7
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+1.2.3.4	Intel::ADDR	source1	this host is bad	http://some-data-distributor.com/1
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+@load frameworks/intel/do_expire
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+redef Intel::item_expiration = 3sec;
+redef table_expire_interval = 1sec;
+
+global runs = 0;
+event do_it()
+	{
+	print "Trigger: 1.2.3.4";
+	Intel::seen([$host=1.2.3.4,
+	             $where=SOMEWHERE]);
+
+	++runs;
+	if ( runs < 6 )
+		schedule 1sec { do_it() };
+	}
+
+event Intel::match(s: Intel::Seen, items: set[Intel::Item])
+	{
+	print fmt("Seen: %s", s$indicator);
+	}
+
+hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
+	metas: set[Intel::MetaData])
+	{
+	print fmt("Expired: %s", indicator);
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}

testing/btest/scripts/base/frameworks/intel/match-subnet.bro

@@ -0,0 +1,51 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+192.168.1.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1
+192.168.2.0/24	Intel::SUBNET	source1	this subnetwork is just plain baaad	http://some-data-distributor.com/2
+192.168.142.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/3
+192.168.142.0/24	Intel::SUBNET	source1	this subnetwork is baaad	http://some-data-distributor.com/4
+192.168.142.0/26	Intel::SUBNET	source1	this subnetwork is inside	http://some-data-distributor.com/4
+192.168.128.0/18	Intel::SUBNET	source1	this subnetwork might be baaad	http://some-data-distributor.com/5
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+	{
+	Intel::seen([$host=192.168.1.1,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=192.168.2.1,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=192.168.142.1,
+	             $where=SOMEWHERE]);
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++log_lines;
+	if ( log_lines == 2 )
+		terminate();
+	}
+
+event Intel::match(s: Intel::Seen, items: set[Intel::Item])
+	{
+	print "";
+	print fmt("Seen: %s", s);
+	for ( item in items )
+		print fmt("Item: %s", item);
+	}

testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro

@@ -0,0 +1,88 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff manager-1/intel.log
+
+# @TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"],
+};
+# @TEST-END-FILE
+
+@load base/frameworks/control
+
+module Intel;
+
+redef Log::default_rotation_interval=0sec;
+
+event test_manager()
+	{
+	Intel::remove([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	Intel::seen([$host=192.168.0.1, $where=Intel::IN_ANYWHERE]);
+	Intel::remove([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]], T);
+	Intel::seen([$host=192.168.0.2, $where=Intel::IN_ANYWHERE]);
+	}
+
+event test_worker()
+	{
+	Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+	Intel::seen([$host=192.168.1.2, $where=Intel::IN_ANYWHERE]);
+	# Trigger shutdown by matching data that should be present
+	Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]);
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	# Insert the data once all workers are connected.
+	if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 1 )
+		{
+		Intel::insert([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+		Intel::insert([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+		Intel::insert([$indicator="10.10.10.10", $indicator_type=Intel::ADDR, $meta=[$source="end"]]);
+
+		event test_manager();
+		}
+	}
+
+global worker_data = 0;
+event Intel::cluster_new_item(item: Intel::Item)
+	{
+	# Run test on worker-1 when all items have been inserted
+	if ( Cluster::node == "worker-1" )
+		{
+		++worker_data;
+		if ( worker_data == 4 )
+			event test_worker();
+		}
+	}
+
+event Intel::remove_item(item: Item, purge_indicator: bool)
+	{
+	print fmt("Removing %s (source: %s).", item$indicator, item$meta$source);
+	}
+
+event purge_item(item: Item)
+	{
+	print fmt("Purging %s.", item$indicator);
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	print "Logging intel hit!";
+	event Control::shutdown_request();
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	# Cascading termination
+	terminate_communication();
+	}

testing/btest/scripts/base/frameworks/intel/updated-match.bro

@@ -0,0 +1,62 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: cp intel1.dat intel.dat
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel2.dat intel.dat
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel3.dat intel.dat
+# @TEST-EXEC: btest-bg-wait 6
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/notice.log >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel1.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234	F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel2.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source2	this host is just plain baaad	http://some-data-distributor.com/1234	F
+4.3.2.1	Intel::ADDR	source2	this host might also be baaad	http://some-data-distributor.com/4321	F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel3.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source2	this host is just plain baaad	http://some-data-distributor.com/1234	T
+4.3.2.1	Intel::ADDR	source2	this host might also be baaad	http://some-data-distributor.com/4321	T
+# @TEST-END-FILE
+
+@load base/frameworks/communication # let network-time run
+@load frameworks/intel/do_notice
+
+redef exit_only_after_terminate = T;
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+global runs = 0;
+event do_it()
+	{
+	Intel::seen([$host=1.2.3.4,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=4.3.2.1,
+	             $where=SOMEWHERE]);
+
+	++runs;
+	if ( runs < 3 )
+		schedule 3sec { do_it() };
+	}
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++log_lines;
+	if ( log_lines == 5 )
+		terminate();
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}

testing/btest/scripts/policy/frameworks/intel/seen/certs.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/tls/ecdsa-cert.pcap %INPUT
+# @TEST-EXEC: bro -Cr $TRACES/tls/ecdsa-cert.pcap %INPUT
 # @TEST-EXEC: cat intel.log > intel-all.log
 # @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: cat intel.log >> intel-all.log

testing/btest/scripts/policy/frameworks/intel/whitelisting.bro

@@ -0,0 +1,39 @@
+# @TEST-EXEC: bro -Cr $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+#@TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+upload.wikimedia.org	Intel::DOMAIN	source1	somehow bad	http://some-data-distributor.com/1
+meta.wikimedia.org	Intel::DOMAIN	source1	also bad	http://some-data-distributor.com/1
+#@TEST-END-FILE
+
+#@TEST-START-FILE whitelist.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.whitelist	meta.url
+meta.wikimedia.org	Intel::DOMAIN	source2	also bad	T	http://some-data-distributor.com/1
+#@TEST-END-FILE
+
+@load base/frameworks/intel
+@load frameworks/intel/whitelist
+@load frameworks/intel/seen
+
+redef Intel::read_files += {
+	"intel.dat",
+	"whitelist.dat",
+};
+
+global total_files_read = 0;
+
+event bro_init()
+	{
+	suspend_processing();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	# Wait until both intel files are read.
+	if ( /^intel-/ in name && (++total_files_read == 2) )
+		{
+		continue_processing();
+		}
+	}
+