mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 09:38:19 +00:00
641154f8e8
- FileAnalysis::Info is now just a record used for logging, the fa_file record type is defined in init-bare.bro as the analogue to a connection record. - Starting to transfer policy hook triggers and analyzer results to events.
33 lines
814 B
Text
33 lines
814 B
Text
@load base/frameworks/intel
|
|
@load base/protocols/smtp/file-analysis
|
|
@load base/utils/urls
|
|
@load ./where-locations
|
|
|
|
event intel_mime_data(f: fa_file, data: string)
|
|
{
|
|
if ( ! f?$conns ) return;
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
local c: connection = f$conns[cid];
|
|
local urls = find_all_urls_without_scheme(data);
|
|
for ( url in urls )
|
|
{
|
|
Intel::seen([$str=url,
|
|
$str_type=Intel::URL,
|
|
$conn=c,
|
|
$where=SMTP::IN_MESSAGE]);
|
|
}
|
|
}
|
|
}
|
|
|
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
|
|
&priority=5
|
|
{
|
|
if ( trig != FileAnalysis::TRIGGER_NEW ) return;
|
|
if ( ! f?$source ) return;
|
|
if ( f$source != "SMTP" ) return;
|
|
|
|
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_DATA_EVENT,
|
|
$stream_event=intel_mime_data]);
|
|
}
|