zeek/scripts/base/frameworks
Arne Welzel 0e191b25fe intel: Add indicator_inserted and indicator_removed hooks
This change adds two new hooks to the Intel framework that can be used
to intercept added and removed indicators and their type.

These hooks are fairly low-level. One immediate use-case is to count the
number of indicators loaded per Intel::Type and enable and disable the
corresponding event groups of the intel/seen scripts.

I attempted to gauge the overhead and while it's definitely there, loading
a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks
when populated via the min_data_store store mechanism. While that
doesn't sound great, it actually takes the manager on my system 2.5
seconds to serialize and Cluster::publish() the min_data_store alone
and it's doing that serially for every active worker. Mostly to say that
the bigger overhead in that area is on the manager doing redundant work
per worker.

Co-authored-by: Mohan Dhawan <mohan@corelight.com>
(cherry picked from commit 3366d81e98ef381d843f6d76628834fdcd622e25)
2025-05-16 12:02:51 +02:00
analyzer Add logging of disabled analyzers to analyzer.log 2024-07-09 18:22:43 +02:00
broker Remove Broker metrics configuration values and methods 2024-05-31 13:30:31 -07:00
cluster Management framework: propagate metrics port from agent 2024-07-08 23:05:24 -07:00
config Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'" 2023-05-31 09:20:33 +02:00
control annotate base scripts with &is_used as needed 2022-05-26 17:39:17 -07:00
files Fix cid propagation into files.log 2024-04-29 14:13:19 +01:00
input More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
intel intel: Add indicator_inserted and indicator_removed hooks 2025-05-16 12:02:51 +02:00
logging logging: Do not keep delay state persistent 2023-11-29 11:53:11 +01:00
netcontrol Netcontrol: add rule_added_policy 2024-02-05 18:52:27 +00:00
notice http: Prevent request/response de-synchronization and unbounded state growth 2023-08-28 15:02:58 +02:00
openflow Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'" 2023-05-31 09:20:33 +02:00
packet-filter Add PacketFilter::remove_exclude function 2024-04-17 21:25:35 +00:00
reporter Support for log filter policy hooks 2020-09-30 12:32:45 -07:00
signatures allow signature actions to be dynamically updated 2023-07-13 17:25:32 -07:00
software frameworks/software: Fix stale value used for stripping 2023-11-17 14:37:28 +01:00
spicy Merge remote-tracking branch 'origin/topic/robin/gh-3881-spicy-ports' 2024-08-30 13:26:16 -07:00
sumstats Remove script functions marked as unused (6.1 deprecations) 2023-06-14 10:07:22 -07:00
supervisor Management framework: add metrics port in management & Supervisor node records 2024-07-08 23:05:24 -07:00
telemetry telemetry: Deprecate prometheus.zeek policy script 2024-07-23 10:05:46 +02:00
tunnels Add GTPv1 packet analyzer, disable old analyzer 2021-11-23 19:36:50 -07:00