Merge remote-tracking branch 'origin/topic/awelzel/add-community-id'

* origin/topic/awelzel/add-community-id:
  testing/external: Bump hashes for community_id addition
  NEWS: Add entry for Community ID
  policy: Import zeek-community-id scripts into protocols/conn frameworks/notice
  Add community_id_v1() based on corelight/zeek-community-id

scripts/base/init-bare.zeek

@@ -2034,6 +2034,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 
 # Prototypes of Zeek built-in functions.
 @load base/bif/zeek.bif
+@load base/bif/communityid.bif
 @load base/bif/stats.bif
 @load base/bif/reporter.bif
 @load base/bif/strings.bif

scripts/policy/frameworks/notice/community-id.zeek

@@ -0,0 +1,35 @@
+# Source this script in addition to protocols/conn/community-id
+# to add Community ID to notices.
+
+# Only support loading this if the main script is also loaded.
+@load base/protocols/conn
+@load base/frameworks/notice
+
+@ifdef ( CommunityID::seed )
+
+module CommunityID::Notice;
+
+export {
+	# Turn notice support on/off at runtime. When disabled,
+	# this still leaves the `community_id` string in the notice
+	# log, just unset.
+	option enabled: bool = T;
+
+	redef record Notice::Info += {
+		community_id: string &optional &log;
+	};
+}
+
+hook Notice::notice(n: Notice::Info)
+	{
+	if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
+		{
+		local info = n$conn$conn;
+		# This is set during new_connection(), so it should
+		# always be there, but better safe than sorry.
+		if ( info?$community_id )
+			n$community_id = info$community_id;
+		}
+	}
+
+@endif

scripts/policy/protocols/conn/community-id-logging.zeek

@@ -0,0 +1,26 @@
+##! Adds community hash IDs to conn.log.
+@load base/protocols/conn
+
+module CommunityID;
+
+export {
+	# An unsigned 16-bit number to seed our hashing
+	option seed: count = 0;
+
+	# Whether to add a base64 pass over the hash digest.
+	# Enabled by default, since it shortens the output.
+	option do_base64: bool = T;
+
+	# Add the ID string field to the connection log record.
+	redef record Conn::Info += {
+		community_id: string &optional &log;
+	};
+}
+
+module Conn;
+
+event new_connection(c: connection)
+	{
+	Conn::set_conn(c, F);  # likely first to access :-/
+	c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
+	}

scripts/site/local.zeek

@@ -90,6 +90,9 @@ redef digest_salt = "Please change this value.";
 # Extend email alerting to include hostnames
 @load policy/frameworks/notice/extend-email/hostnames
 
+# Extend the notice.log with Community ID hashes
+# @load policy/frameworks/notice/community-id
+
 # Enable logging of telemetry data into telemetry.log and
 # telemetry_histogram.log.
 @load frameworks/telemetry/log
@@ -98,6 +101,10 @@ redef digest_salt = "Please change this value.";
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
 
+# Uncomment the following line to enable logging of Community ID hashes in
+# the conn.log file.
+# @load policy/protocols/conn/community-id-logging
+
 # Uncomment the following line to enable logging of connection VLANs. Enabling
 # this adds two VLAN fields to the conn.log file.
 # @load policy/protocols/conn/vlan-logging

scripts/test-all-policy.zeek

@@ -66,6 +66,7 @@
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
 @load frameworks/notice/actions/drop.zeek
+@load frameworks/notice/community-id.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
 @load frameworks/packet-filter/shunt.zeek
@@ -87,6 +88,7 @@
 @load misc/weird-stats.zeek
 @load misc/trim-trace-file.zeek
 @load misc/unknown-protocols.zeek
+@load protocols/conn/community-id-logging.zeek
 @load protocols/conn/known-hosts.zeek
 @load protocols/conn/known-services.zeek
 @load protocols/conn/mac-logging.zeek