zeek/testing/btest/javascript/intel.js
Arne Welzel f0b9c59adb Add experimental JavaScript support when libnode is available
zeek.on('zeek_init', () => {
        console.log('Hello, Zeek!');
    });

For interaction with external systems and HTTP APIs, JavaScript and the
Node.js ecosystem beat Zeek script. Make it more easily accessible by
including ZeekJS with Zeek directly.

When a recent enough libnode version is found on the build system, ZeekJS is
added as a builtin plugin. This behavior can be disabled via
``--disable-javascript``. Linux distributions providing such a package are
Ubuntu (22.10) and Debian (testing/bookworm) as libnode-dev.
Fedora provides it as nodejs-devel.

This plugin takes over loading of .js or .cjs files. When no such files
are provided to Zeek, Node and the V8 engine are not initialized and
should not get in the way.

This should be considered experimental.
2023-04-14 11:26:41 +02:00


/*
* @TEST-DOC: Load intel data from a JSON file and populate via Intel::insert().
* @TEST-REQUIRES: $SCRIPTS/have-javascript
* @TEST-EXEC: zeek -b -Cr $TRACES/http/get.trace frameworks/intel/seen base/frameworks/intel base/protocols/http %INPUT
* @TEST-EXEC: zeek-cut < intel.log > intel.log.noheader
* @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff intel.log.noheader
*
* The intel file that we load via Intel::insert() follows.
@TEST-START-FILE intel.json_lines
{"indicator": "141.142.228.5", "indicator_type": "Intel::ADDR", "meta": {"source": "json1"}}
{"indicator": "bro.org", "indicator_type": "Intel::DOMAIN", "meta": {"source": "json2"}}
@TEST-END-FILE
*/
const fs = require('fs');
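/**
 * On zeek_init, load indicators from ./intel.json_lines (one JSON object per
 * line) and pass each one to Intel::insert().
 *
 * Packet processing is suspended before the asynchronous read starts and is
 * resumed in a `finally`, so a missing file, a malformed line or a failing
 * insert cannot leave Zeek suspended indefinitely.
 */
zeek.on('zeek_init', () => {
  // Hold the packet processing until we've read the intel file.
  zeek.invoke('suspend_processing');

  // This reads the full file into memory, but is still async.
  // There's fs.createReadStream() for the piecewise consumption.
  fs.readFile('./intel.json_lines', 'utf8', (err, data) => {
    try {
      if (err) {
        // Without this check `data` is undefined and split() would throw
        // before continue_processing is reached. Processing resumes without
        // intel in that case, so report it where an operator will see it.
        console.error(`intel: cannot read ./intel.json_lines: ${err.message}`);
        return;
      }

      for (const [index, line] of data.split('\n').entries()) {
        // Skip blank lines, including the one after the trailing newline.
        if (line.trim().length === 0) {
          continue;
        }

        let item;
        try {
          item = JSON.parse(line);
        } catch (parseErr) {
          // One malformed record should not drop every indicator after it.
          // Report the line number only; the feed content is not echoed.
          console.error(
            `intel: skipping malformed JSON on line ${index + 1}: ${parseErr.message}`,
          );
          continue;
        }

        zeek.invoke('Intel::insert', [item]);
      }
    } finally {
      /* Once all intel data is loaded (or loading failed), continue processing. */
      zeek.invoke('continue_processing');
    }
  });
});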