From f8b06becd2806f2ee16d3035e3d8b14053cac0be Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 26 Apr 2021 21:40:27 -0500
Subject: [PATCH] Add a new field to the notice, which defines where to send the e-mail
---
 .../notice/actions/email_admin.zeek | 7 +----
 .../base/frameworks/notice/actions/page.zeek | 9 ++-----
 scripts/base/frameworks/notice/main.zeek | 10 ++++++-
 .../notice/extend-email/hostnames.zeek | 27 +++----------------
 4 files changed, 16 insertions(+), 37 deletions(-)
diff --git a/scripts/base/frameworks/notice/actions/email_admin.zeek b/scripts/base/frameworks/notice/actions/email_admin.zeek
index 02b25d7c21..96dd40dbb5 100644
--- a/scripts/base/frameworks/notice/actions/email_admin.zeek
+++ b/scripts/base/frameworks/notice/actions/email_admin.zeek
@@ -30,11 +30,6 @@ hook notice(n: Notice::Info) &priority=-5
 email = fmt("%s, %s", email, Site::get_emails(n$dst));
 if ( email != "" )
- email_notice_to(n, email, T);
+ n$email_dest = email;
 }
 }
-
-# If hostnames.zeek was loaded first, add ourselves
-@ifdef ( email_with_hostnames_types )
-redef email_with_hostnames_types += { ACTION_EMAIL_ADMIN };
-@endif
diff --git a/scripts/base/frameworks/notice/actions/page.zeek b/scripts/base/frameworks/notice/actions/page.zeek
index 0a83a8d4bc..473afbeb3a 100644
--- a/scripts/base/frameworks/notice/actions/page.zeek
+++ b/scripts/base/frameworks/notice/actions/page.zeek
@@ -17,13 +17,8 @@ export {
 option mail_page_dest = "";
 }
-hook notice(n: Notice::Info) &priority=-5
+hook notice(n: Notice::Info) &priority=-6
 {
 if ( ACTION_PAGE in n$actions )
- email_notice_to(n, mail_page_dest, F);
+ n$email_dest = mail_page_dest;
 }
-
-# If hostnames.zeek was loaded first, add ourselves
-@ifdef ( email_with_hostnames_types )
-redef email_with_hostnames_types += { ACTION_PAGE };
-@endif
diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek
index cc43ec331d..6dd953cb9e 100644
--- a/scripts/base/frameworks/notice/main.zeek
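Review bot: The assignment `n$email_dest = email;` happens in a handler at `&priority=-5`, the same priority as the main.zeek handler in this patch that reads `n$email_dest` and sends, and Zeek does not define the order of handlers with equal priority, so whether the admin address is honoured depends on script load order. Either keep this producer strictly above the consumer (e.g. leave it at -5 and move the send in main.zeek to a lower priority such as -15) or raise it, e.g. `hook notice(n: Notice::Info) &priority=-4`. The enclosing hook and the `n$src` branch that first populates `email` start before this hunk.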
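Review bot: Lowering this handler to `&priority=-6` puts it after the main.zeek handler at `&priority=-5` that now does the send when `n?$email_dest`, so for a notice whose only e-mail action is `ACTION_PAGE` the address is assigned after the consumer has already checked it and, as far as this patch shows, no message goes out; if some handler outside the diff sends later that should be confirmed, otherwise keep this producer above the sender (e.g. this at -5 and the send at -15). Note also that the removed call passed `F` as the third argument to `email_notice_to` while the new send path in main.zeek passes `T`, so pages will now get the extended body; if pagers are meant to keep the short form, that distinction needs to travel with the notice, for example as a second optional field next to `email_dest`.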
+++ b/scripts/base/frameworks/notice/main.zeek
@@ -136,6 +136,9 @@ export {
 ## The actions which have been applied to this notice.
 actions: ActionSet &log &default=ActionSet();
+ ## The email address where to send this notice
+ email_dest: string &log &optional;
+
 ## By adding chunks of text into this element, other scripts
 ## can expand on notices that are being emailed. The normal
 ## way to add text is to extend the vector by handling the
@@ -512,8 +515,13 @@ hook Notice::policy(n: Notice::Info) &priority=10
 hook Notice::notice(n: Notice::Info) &priority=-5
 {
- if ( ACTION_EMAIL in n$actions )
+ # Send to requested address if set
+ if ( n?$email_dest )
+ email_notice_to(n, n$email_dest, T);
+ # Otherwise Send to default address
+ else if ( ACTION_EMAIL in n$actions )
 email_notice_to(n, mail_dest, T);
+
 if ( ACTION_LOG in n$actions )
 Log::write(Notice::LOG, n);
 if ( ACTION_ALARM in n$actions )
diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
index 9d079d80af..8e28200e1c 100644
--- a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
+++ b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
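Review bot: The doc comment on `email_dest` does not say that the field acts as an override, which is how the send logic later in this patch treats it; suggest `## The e-mail address to send this notice to. When set, it replaces the default ACTION_EMAIL destination (:zeek:see:`Notice::mail_dest`); the ACTION_EMAIL_ADMIN and ACTION_PAGE scripts populate it.` Because the field is `&log`, the recipient address will also be written to notice.log for every notice that is e-mailed; if exposing mail addresses in the log is not intended, drop `&log` here. The enclosing `Info` record declaration starts before this hunk.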
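Review bot: The new `if ( n?$email_dest ) ... else if ( ACTION_EMAIL in n$actions )` chain makes the two destinations mutually exclusive, so a notice carrying both `ACTION_EMAIL` and `ACTION_EMAIL_ADMIN` (or `ACTION_PAGE`) is no longer delivered to `mail_dest` at all, whereas before this patch each action produced its own message. This handler also runs at `&priority=-5`, equal to the admin producer and above the page producer at -6, so the override may not be set yet when it is read here. A safer shape is to only resolve the default address in this handler and do the single send in a separate handler at a lower priority than every producer (and than the hostnames extension at -10), and to decide explicitly whether `ACTION_EMAIL` should still be honoured when an override is present.
```zeek
hook Notice::notice(n: Notice::Info) &priority=-5
	{
	# Fall back to the default address only when no other action chose one.
	if ( ! n?$email_dest && ACTION_EMAIL in n$actions )
		n$email_dest = mail_dest;

	# … unchanged: ACTION_LOG / ACTION_ALARM handling …
	}

# Send last, after every handler that may set or extend the notice has run.
hook Notice::notice(n: Notice::Info) &priority=-15
	{
	if ( n?$email_dest )
		email_notice_to(n, n$email_dest, T);
	}
```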
@@ -1,34 +1,25 @@
-##! Loading this script extends the emails that Zeek sends
+##! Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
 ##! by appending to the email the hostnames associated with
 ##! :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
-##! DNS lookup. This is enabled for the :zeek:enum:`Notice::ACTION_EMAIL`
-##! action by default, and :zeek:enum:`Notice::ACTION_EMAIL_ADMIN` and
-##! :zeek:enum:`Notice::ACTION_PAGE` if their scripts are loaded.
+##! DNS lookup.
 @load base/frameworks/notice/main
 module Notice;
-export {
- ## The Notice action types whose e-mails will be extended with hostnames.
- ## :zeek:see:`Notice::Action`
- option email_with_hostnames_types: set[Notice::Action] = {ACTION_EMAIL};
-}
-
 # We have to store references to the notices here because the when statement
 # clones the frame which doesn't give us access to modify values outside
 # of it's execution scope. (we get a clone of the notice instead of a
 # reference to the original notice)
 global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
-hook notice(n: Notice::Info) &priority=10
+hook notice(n: Notice::Info) &priority=-10
 {
 if ( ! n?$src && ! n?$dst )
 return;
 # This should only be done for notices that are being sent to email.
- # We calculate the intersection, and don't do anything if it's empty.
- if ( |n$actions & email_with_hostnames_types| == 0 )
+ if ( ! n?$email_dest )
 return;
 # I'm not recovering gracefully from the when statements because I want
@@ -59,13 +50,3 @@ hook notice(n: Notice::Info) &priority=10
 }
 }
 }
-
-# If page.zeek was loaded first, add that action
-@ifdef ( ACTION_PAGE )
-redef email_with_hostnames_types += { ACTION_PAGE };
-@endif
-
-# If email_admin.zeek was loaded first, add that action
-@ifdef ( ACTION_EMAIL_ADMIN )
-redef email_with_hostnames_types += { ACTION_EMAIL_ADMIN };
-@endif
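Review bot: Moving this handler from `&priority=10` to `-10` places it after the main.zeek handler at `-5` that calls `email_notice_to`, so the asynchronous `when` lookups started in the body below (outside this hunk) append their results after the send has already been initiated; unless `email_notice_to` itself waits for them (the `max_email_delay` expiry on `tmp_notice_storage` hints at such a mechanism), the hostnames will be missing from the message, so please confirm or move the send below -10. Deleting the exported `email_with_hostnames_types` option is a breaking change for any site that `redef`s it in local.zeek, which will now fail at load; consider keeping it as a deprecated no-op, e.g. `option email_with_hostnames_types: set[Notice::Action] = {ACTION_EMAIL} &deprecated="Remove in a later release; hostnames are now added whenever Notice::Info$email_dest is set.";`. The rewritten header still says the script extends the `ACTION_EMAIL` action, but the new `if ( ! n?$email_dest )` check applies to every destination the admin and page scripts set as well; suggest `##! Loading this script extends every e-mailed notice (any notice with email_dest set)`.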