mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
597a4d6704
- policy/ renamed to scripts/ - By default BROPATH now contains: - scripts/ - scripts/policy - scripts/site - *Nearly* all tests pass. - All of scripts/base/ is loaded by main.cc - Can be disabled by setting $BRO_NO_BASE_SCRIPTS - Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script). - The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building. - The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead. - All "detection" activity happens through scripts in scripts/policy/. - Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1) - This is so the communications framework can be loaded as part of the base without causing trouble when it's not needed. - This will be removed once a resolution to ticket #540 is reached.
17 lines
No EOL
460 B
Text
17 lines
No EOL
460 B
Text
##! Intelligence based HTTP detections.
|
|
|
|
module HTTP;
|
|
|
|
event log_http(rec: Info)
|
|
{
|
|
local url = HTTP::build_url(rec);
|
|
local query = [$str=url, $subtype="url", $or_tags=set("malicious", "malware")];
|
|
if ( Intel::matcher(query) )
|
|
{
|
|
local msg = fmt("%s accessed a malicious URL from the intelligence framework", rec$id$orig_h);
|
|
NOTICE([$note=Intel::Detection,
|
|
$msg=msg,
|
|
$sub=HTTP::build_url_http(rec),
|
|
$id=rec$id]);
|
|
}
|
|
} |