
- Basic API seems to work, but tests aren't updated yet. - Several scripts are available in policy/frameworks/intel that call the "seen" function to provide data into the intel framework to be tested. - Intel::policy is not done yet and needs to be discussed to figure out what it needs to have. - Running the intel framework and having it do something finally is really cool!
@load base/frameworks/intel

export {
	## Locations, within a connection, at which this script reports an
	## address to the Intel framework.  Each value is handed to
	## Intel::seen as its ``$where`` field, so a match can be attributed to
	## the side of the connection the address was taken from.
	redef enum Intel::Where += {
		## The address was the originator (``c$id$orig_h``) of a connection.
		Conn::IN_ORIG,
		## The address was the responder (``c$id$resp_h``) of a connection.
		Conn::IN_RESP,
	};
}
## Report both endpoint addresses of every established connection to the
## Intel framework.  The originator and responder are submitted as two
## separate Intel::seen calls, tagged with Conn::IN_ORIG and Conn::IN_RESP
## respectively, so a hit can be attributed to the side that carried it.
##
## c: The connection whose endpoint addresses are reported; it is also
##    attached to each report as the ``$conn`` field.
event connection_established(c: connection)
	{
	local cid = c$id;

	# Originator first, then responder, mirroring the field order of the
	# connection id.
	Intel::seen([$host=cid$orig_h, $conn=c, $where=Conn::IN_ORIG]);
	Intel::seen([$host=cid$resp_h, $conn=c, $where=Conn::IN_RESP]);
	}