intel/seen/manage-event-groups: Policy script for toggling intel event groups
Co-authored-by: Mohan Dhawan <mohan@corelight.com> (cherry picked from commit e90f947bee572189a82ed81f91c505d9db474588)
This commit is contained in:
parent
0e191b25fe
commit
e5367ba820
6 changed files with 259 additions and 0 deletions
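--- /dev/null
+++ b/scripts/policy/frameworks/intel/seen/manage-event-groups.zeek
@@ -0,0 +1,71 @@
+@load frameworks/intel/seen
+@load base/frameworks/reporter
+
+module Intel;
+
+export {
+	## Whether Intel event groups for the seen scripts are managed.
+	##
+	## When loading this script, by default, all :zeek:see:`Intel::Type`
+	## event groups are disabled at startup and only enabled when indicators
+	## of corresponding types are loaded into the Intel framework's store.
+	## This allows to load the ``frameworks/intel/seen`` scripts by default,
+	## without incurring overhead when no indicators are loaded.
+	##
+	## One caveat is that the :zeek:see:`Intel::seen_policy` hook will not
+	## be invoked for indicator types that are not at all in the Intel
+	## framework's store. You should not load this script, set this variable
+	## to ``F``, or insert dummy values of the types using
+	## :zeek:see:`Intel::insert`.
+	const manage_seen_event_groups = T &redef;
+}
+
+global intel_type_counts: table[Intel::Type] of count &default=0;
+
+event zeek_init()
+	{
+	# If the feature is disabled, don't act.
+	if ( ! manage_seen_event_groups )
+		return;
+
+	# Disable all Intel related event groups at startup. These
+	# are enabled again as soon as at least one indicator of the
+	# type is inserted.
+	for ( name in enum_names(Intel::Type) )
+		{
+		if ( has_event_group(name) )
+			disable_event_group(name);
+		}
+	}
+
+hook Intel::indicator_inserted(v: string, t: Intel::Type)
+	{
+	++intel_type_counts[t];
+
+	if ( ! manage_seen_event_groups )
+		return;
+
+	local name = cat(t);
+
+	if ( intel_type_counts[t] == 1 )
+		{
+		if ( has_event_group(name) )
+			enable_event_group(name);
+		}
+	}
+
+hook Intel::indicator_removed(v: string, t: Intel::Type)
+	{
+	--intel_type_counts[t];
+
+	if ( ! manage_seen_event_groups )
+		return;
+
+	local name = cat(t);
+
+	if ( intel_type_counts[t] == 0 )
+		{
+		if ( has_event_group(name) )
+			disable_event_group(name);
+		}
+	}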
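Review bot: The decrement `--intel_type_counts[t]` at the top of `Intel::indicator_removed` has no floor, so if that hook ever fires for a type this node never counted an insert for (an indicator that existed before this script's counting started, or a removal seen by a node that did not see the matching insert), the unsigned `count` underflows and the following `== 0` check can never re-disable the group; guard it with `if ( intel_type_counts[t] > 0 ) --intel_type_counts[t];`. A related ordering hazard is that `zeek_init` disables every group unconditionally: should another script call `Intel::insert` from a higher-priority `zeek_init`, the hook enables the group, this handler disables it again, and later inserts of the same type never re-enable it because the count is already past 1 — either skip types whose count is already nonzero in that loop or state the ordering assumption in a comment next to it. The last paragraph of the export doc also reads as a prohibition rather than a choice; `## If you rely on that hook for such types, either do not load this script, set this variable to ``F``, or insert dummy values of the types using :zeek:see:`Intel::insert`.` says what is meant.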