mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
cb33028702
The extension mechanism is basically the one that Seth introduced with his intel extensions. The main difference lies in using a hook instead of an event. An example policy implements whitelisting.
30 lines
473 B
Text
30 lines
473 B
Text
|
|
@load base/frameworks/intel
|
|
@load base/frameworks/notice
|
|
|
|
module Intel;
|
|
|
|
export {
|
|
redef record Intel::MetaData += {
|
|
## Add a field to indicate if this is a whitelisted item.
|
|
whitelist: bool &default=F;
|
|
};
|
|
}
|
|
|
|
hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=9
|
|
{
|
|
local whitelisted = F;
|
|
for ( item in items )
|
|
{
|
|
if ( item$meta$whitelist )
|
|
{
|
|
whitelisted = T;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ( whitelisted )
|
|
# Prevent logging
|
|
break;
|
|
}
|
|
|