mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 07:38:19 +00:00
60a305c111
- Split Item into Item and QueryItem as suggested by Robin. - QueryItem now has $and_tags and $or_tags. Each acts as AND or OR for the given tags against each relevant metadata value. - 'insert' turned into a function and new insert_event created. - First use of intelligence framework in HTTP analysis.
20 lines
No EOL
490 B
Text
20 lines
No EOL
490 B
Text
##! Intelligence based HTTP detections.
|
|
|
|
@load intel
|
|
@load http/utils
|
|
|
|
module HTTP;
|
|
|
|
event log_http(rec: Info)
|
|
{
|
|
local url = HTTP::build_url(rec);
|
|
local query = [$str=url, $subtype="url", $or_tags=set("malicious", "malware")];
|
|
if ( Intel::matcher(query) )
|
|
{
|
|
local msg = fmt("%s accessed a malicious URL from the intelligence framework", rec$id$orig_h);
|
|
NOTICE([$note=Intel::Detection,
|
|
$msg=msg,
|
|
$sub=HTTP::build_url_http(rec),
|
|
$id=rec$id]);
|
|
}
|
|
} |