Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add experimental JavaScript support when libnode is available

Browse source 
zeek.on('zeek_init', () => {
        console.log('Hello, Zeek!');
    });

For interaction with external systems and HTTP APIs, JavaScript and the
Node.js ecosystem beat Zeek script. Make it more easily accessible by
including ZeekJS with Zeek directly.

When a recent enough libnode version is found on the build system, ZeekJS is
added as a builtin plugin. This behavior can be disabled via
``--disable-javascript``. Linux distributions providing such a package are
Ubuntu (22.10) and Debian (testing/bookworm) as libnode-dev.
Fedora provides it as nodejs-devel.

This plugin takes over loading of .js or .cjs files. When no such files
are provided to Zeek, Node and the V8 engine are not initialized and
should not get into the way.

This should be considered experimental.
This commit is contained in:
Arne Welzel 2023-03-18 17:42:08 +01:00
parent 5db2e5fd8e
commit f0b9c59adb
24 changed files with 205 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

33
testing/btest/javascript/intel.js Normal file
View file

@ -0,0 +1,33 @@
/*
* @TEST-DOC: Load intel data from a JSON file and populate via Intel::insert().
* @TEST-REQUIRES: $SCRIPTS/have-javascript
* @TEST-EXEC: zeek -b -Cr $TRACES/http/get.trace frameworks/intel/seen base/frameworks/intel base/protocols/http %INPUT
* @TEST-EXEC: zeek-cut < intel.log > intel.log.noheader
* @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff intel.log.noheader
*
* Following the intel file that we load via Intel::insert().
@TEST-START-FILE intel.json_lines
{"indicator": "141.142.228.5", "indicator_type": "Intel::ADDR", "meta": {"source": "json1"}}
{"indicator": "bro.org", "indicator_type": "Intel::DOMAIN", "meta": {"source": "json2"}}
@TEST-END-FILE
*/
const fs = require('fs');
zeek.on('zeek_init', () => {
// Hold the packet processing until we've read the intel file.
zeek.invoke('suspend_processing');
// This reads the full file into memory, but is still async.
// There's fs.createReadStream() for the piecewise consumption.
fs.readFile('./intel.json_lines', 'utf8', (err, data) => {
for (const l of data.split('\n')) {
if (l.length == 0)
continue;
zeek.invoke('Intel::insert', [JSON.parse(l)]);
}
/* Once all intel data is loaded, continue processing. */
zeek.invoke('continue_processing');
});
});