Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix CIF integration and add logging options to intel.log and added comments to code

Browse source
This commit is contained in:
sfinlon 2019-07-01 22:46:31 -04:00
parent 23a1815e29
commit fe46035366
1 changed files with 65 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

75
scripts/policy/integration/collective-intel/main.zeek
View file

@ -3,13 +3,68 @@
module Intel; module Intel;
## These are some fields to add extended compatibility between Zeek and the ## This file adds mapping between the Collective Intelligence Framework (CIF) and Zeek.
## Collective Intelligence Framework.
redef record Intel::MetaData += { export {
## Maps to the Impact field in the Collective Intelligence Framework. redef record Intel::MetaData += {
cif_impact: string &optional; ## Maps to the 'tags' fields in CIF
## Maps to the Severity field in the Collective Intelligence Framework. cif_tags: string &optional;
cif_severity: string &optional; ## Maps to the 'confidence' field in CIF
## Maps to the Confidence field in the Collective Intelligence Framework. cif_confidence: double &optional;
cif_confidence: double &optional; ## Maps to the 'source' field in CIF
}; cif_source: string &optional;
## Maps to the 'description' field in CIF
cif_description: string &optional;
## Maps to the 'firstseen' field in CIF
cif_firstseen: string &optional;
## Maps to the 'lastseen' field in CIF
cif_lastseen: string &optional;
};
type CIF: record {
## This creates a CIF record to append the CIF values for more consistent formatting
tags: string &optional &log;
confidence: double &optional &log;
source: string &optional &log;
description: string &optional &log;
firstseen: string &optional &log;
lastseen: string &optional &log;
};
redef record Info += {
## Adds the CIF record to the Info record
cif: CIF &log &optional;
};
}
hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
{
for ( item in items )
{
## Creates a local CIF record to assign data to
local tmp: CIF;
## Checks to see if the cif_tags field is populated and add it to the local record
if ( item$meta?$cif_tags )
tmp$tags = item$meta$cif_tags;
## Checks to see if the cif_confidence field is populated and add it to the local record
if ( item$meta?$cif_confidence )
tmp$confidence = item$meta$cif_confidence;
## Checks to see if the cif_source field is populated and add it to the local record
if ( item$meta?$cif_source )
tmp$source = item$meta$cif_source;
## Checks to see if the cif_description field is populated and add it to the local record
if ( item$meta?$cif_description )
tmp$description = item$meta$cif_description;
## Checks to see if the cif_firstseen field is populated and add it to the local record
if ( item$meta?$cif_firstseen )
tmp$firstseen = item$meta$cif_firstseen;
## Checks to see if the cif_lastseen field is populated and add it to the local record
if ( item$meta?$cif_lastseen )
tmp$lastseen = item$meta$cif_lastseen;
## Add the local CIF record to the Info CIF placeholder, so it wil be added to intel.log
info$cif = tmp;
}
}