mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
7eb849ddf4
This change adds two new hooks to the Intel framework that can be used to intercept added and removed indicators and their type. These hooks are fairly low-level. One immediate use-case is to count the number of indicators loaded per Intel::Type and enable and disable the corresponding event groups of the intel/seen scripts. I attempted to gauge the overhead and while it's definitely there, loading a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks when populated via the min_data_store store mechanism. While that doesn't sound great, it actually takes the manager on my system 2.5 seconds to serialize and Cluster::publish() the min_data_store alone and its doing that serially for every active worker. Mostly to say that the bigger overhead in that area on the manager doing redundant work per worker. Co-authored-by: Mohan Dhawan <mohan@corelight.com> |
||
|---|---|---|
| .. | ||
| __load__.zeek | ||
| cluster.zeek | ||
| files.zeek | ||
| input.zeek | ||
| main.zeek | ||
| README | ||
The intelligence framework provides a way to store and query intelligence data (such as IP addresses or strings). Metadata can also be associated with the intelligence.