Merge remote-tracking branch 'origin/master' into topic/johanna/gh-859

scripts/policy/frameworks/files/detect-MHR.zeek

@@ -26,7 +26,7 @@ export {
 	## The Match notice has a sub message with a URL where you can get more
 	## information about the file. The %s will be replaced with the SHA-1
 	## hash of the file.
-	option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
+	option match_sub_url = "https://www.virustotal.com/gui/search/%s";
 
 	## The malware hash registry runs each malware sample through several
 	## A/V engines.  Team Cymru returns a percentage to indicate how

scripts/policy/frameworks/notice/extend-email/hostnames.zeek

@@ -13,13 +13,14 @@ module Notice;
 # reference to the original notice)
 global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
 
-hook notice(n: Notice::Info) &priority=10
+# Run after e-mail address is set, but before e-mail is sent.
+hook notice(n: Notice::Info) &priority=-1
 	{
 	if ( ! n?$src && ! n?$dst )
 		return;
 
 	# This should only be done for notices that are being sent to email.
-	if ( ACTION_EMAIL !in n$actions )
+	if ( ! n?$email_dest )
 		return;
 
 	# I'm not recovering gracefully from the when statements because I want