* 'master' of https://github.com/sfinlon/zeek:
  Fix CIF integration, add logging options to intel.log and add comments to the code
This commit is contained in:
Johanna Amann 2019-07-03 01:46:26 -07:00
commit e382369091
4 changed files with 68 additions and 13 deletions


@ -1,4 +1,8 @@
2.6-563 | 2019-07-03 01:57:40 -0700
* Fix CIF integration and add logging options to intel.log and added comments to code (sfinlon)
2.6-558 | 2019-07-01 01:27:50 -0700 2.6-558 | 2019-07-01 01:27:50 -0700
* GH-443: fix uses of timestamp 0 in cluster diagnostic logs * GH-443: fix uses of timestamp 0 in cluster diagnostic logs


@ -1 +1 @@
2.6-558 2.6-563

doc

@ -1 +1 @@
Subproject commit 8048e7bbe37a4b6fea3625090e359c052f3a21cc Subproject commit d08f22cdf179f4dfd7a49076e384a794a0d51a57


@ -1,15 +1,66 @@
@load base/frameworks/intel @load base/frameworks/intel
module Intel; module Intel;
## These are some fields to add extended compatibility between Zeek and the ## This file adds mapping between the Collective Intelligence Framework (CIF) and Zeek.
## Collective Intelligence Framework.
export {
redef record Intel::MetaData += { redef record Intel::MetaData += {
## Maps to the Impact field in the Collective Intelligence Framework. ## Maps to the 'tags' fields in CIF
cif_impact: string &optional; cif_tags: string &optional;
## Maps to the Severity field in the Collective Intelligence Framework. ## Maps to the 'confidence' field in CIF
cif_severity: string &optional;
## Maps to the Confidence field in the Collective Intelligence Framework.
cif_confidence: double &optional; cif_confidence: double &optional;
## Maps to the 'source' field in CIF
cif_source: string &optional;
## Maps to the 'description' field in CIF
cif_description: string &optional;
## Maps to the 'firstseen' field in CIF
cif_firstseen: string &optional;
## Maps to the 'lastseen' field in CIF
cif_lastseen: string &optional;
}; };
## CIF record used for consistent formatting of CIF values.
type CIF: record {
## CIF tags observations, examples for tags are ``botnet`` or ``exploit``.
tags: string &optional &log;
## In CIF Confidence details the degree of certainty of a given observation.
confidence: double &optional &log;
## Source given in CIF.
source: string &optional &log;
## description given in CIF.
description: string &optional &log;
## First time the source observed the behavior.
firstseen: string &optional &log;
## Last time the source observed the behavior.
lastseen: string &optional &log;
};
redef record Info += {
cif: CIF &log &optional;
};
}
hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
{
for ( item in items )
{
local tmp: CIF;
if ( item$meta?$cif_tags )
tmp$tags = item$meta$cif_tags;
if ( item$meta?$cif_confidence )
tmp$confidence = item$meta$cif_confidence;
if ( item$meta?$cif_source )
tmp$source = item$meta$cif_source;
if ( item$meta?$cif_description )
tmp$description = item$meta$cif_description;
if ( item$meta?$cif_firstseen )
tmp$firstseen = item$meta$cif_firstseen;
if ( item$meta?$cif_lastseen )
tmp$lastseen = item$meta$cif_lastseen;
info$cif = tmp;
}
}
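Review bot: In `extend_match`, `info$cif = tmp` runs once per item in `items`, so when a match carries several intel items only the last one is logged, and an item that has no `cif_*` metadata at all (for example from a non-CIF feed loaded alongside) overwrites previously collected CIF data with an empty record. Guard the assignment so only items that actually carry CIF metadata populate the field, e.g. place `info$cif = tmp;` under `if ( tmp?$tags || tmp?$confidence || tmp?$source || tmp?$description || tmp?$firstseen || tmp?$lastseen )`. If several CIF items can legitimately match the same indicator, consider merging their fields instead of overwriting, since the current shape silently drops the earlier observations. The `firstseen`/`lastseen` fields are typed `string`, so the comments should note they are logged verbatim from the feed rather than parsed as Zeek `time`, which matters for anyone correlating them with `ts` in intel.log.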