mirror of
https://github.com/zeek/zeek.git
synced 2025-10-13 12:08:20 +00:00

- Duplicate notices are discovered with the new Notice::Info field $identifier. It's a string that is left up to the notice implementor to define which would indicate a fundamentally duplicate notice. The field is optional and if it's not included it's not possible for notice suppression to take place.
- Duplicate notices are suppressed by default for the interval defined by the Notice::default_suppression_interval variable (1 hour by default).
- A new notice action was defined ACTION_NO_SUPPRESS to prevent suppression for a specific notice instance. A convenience set named not_suppressed_types was also created to not suppress entire notice types.
- A new field was added to the PolicyItem type to modify the length of time a notice should be suppressed if the predicate matches. The field is named $suppress_for. This name makes the code more readable like this: $suppress_for = 1day
- New events were created to give visibility into the notice framework's suppression activity.
  - event Notice::begin_suppression(n: Notice::Info)
  - event Notice::suppressed(n: Notice::Info)
  - event Notice::end_suppression(n: Notice::Info)
- The suppression.bro script doesn't have a baseline because it is causing a segfault in Bro. This one test is the reason that this is being integrated into a branch instead of master.
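The commit message above describes the suppression mechanism in prose; the following script is an added example, written for this page and not part of the original commit or the Bro/Zeek project, that exercises each piece. It assumes the API exactly as the message names it (Notice::Info$identifier, Notice::PolicyItem$suppress_for, Notice::not_suppressed_types, Notice::ACTION_NO_SUPPRESS and the three suppression events taking a Notice::Info). Notice::policy being a set of PolicyItem with a $pred predicate, the notice type names, and the addresses are assumptions for illustration.

```bro
# Added example, not project code. Exercises notice suppression as described
# in the commit message. Names marked hypothetical are assumptions.

@load base/frameworks/notice

redef enum Notice::Type += {
	Repeated_Login_Failure,   # hypothetical type, suppressed per source host
	Never_Suppressed,         # hypothetical type that is always delivered
};

# Suppress duplicates of Repeated_Login_Failure for a day instead of the
# default Notice::default_suppression_interval (1 hour). Assumes Notice::policy
# is a set of PolicyItem records carrying a $pred predicate.
redef Notice::policy += {
	[$pred = function(n: Notice::Info): bool { return n$note == Repeated_Login_Failure; },
	 $suppress_for = 1day],
};

# Opt a whole notice type out of suppression.
redef Notice::not_suppressed_types += { Never_Suppressed };

# Visibility into what the framework does with duplicates.
event Notice::begin_suppression(n: Notice::Info)
	{
	print fmt("suppression started: %s id=%s", n$note, n$identifier);
	}

event Notice::suppressed(n: Notice::Info)
	{
	print fmt("duplicate suppressed: %s id=%s", n$note, n$identifier);
	}

event Notice::end_suppression(n: Notice::Info)
	{
	print fmt("suppression ended: %s id=%s", n$note, n$identifier);
	}

event bro_init()
	{
	local src = 10.0.0.5;   # constructed sample address

	# First instance is delivered and opens a 1-day window keyed on the
	# identifier (here the source host).
	NOTICE([$note=Repeated_Login_Failure, $msg="ssh brute force",
	        $identifier=cat(src)]);

	# Same identifier inside the window: raised via Notice::suppressed,
	# not written to notice.log.
	NOTICE([$note=Repeated_Login_Failure, $msg="ssh brute force again",
	        $identifier=cat(src)]);

	# Different identifier: a distinct notice, delivered normally.
	NOTICE([$note=Repeated_Login_Failure, $msg="ssh brute force",
	        $identifier=cat(10.0.0.6)]);

	# Per-instance opt-out: ACTION_NO_SUPPRESS delivers this notice even
	# though its identifier matches an open window.
	NOTICE([$note=Repeated_Login_Failure, $msg="forced through",
	        $identifier=cat(src), $actions=set(Notice::ACTION_NO_SUPPRESS)]);

	# Whole-type opt-out via not_suppressed_types: both copies are delivered.
	NOTICE([$note=Never_Suppressed, $msg="a", $identifier="same"]);
	NOTICE([$note=Never_Suppressed, $msg="b", $identifier="same"]);

	# Without $identifier the framework has nothing to key on, so this
	# notice can never be suppressed.
	NOTICE([$note=Repeated_Login_Failure, $msg="no identifier, never suppressed"]);
	}
```

Run with `bro -b script.bro` and compare notice.log against the printed suppression events: of the seven NOTICE calls, only the second should be absent from the log. The identifier is the whole mechanism, so pick it deliberately; keying on the source address collapses a brute-force burst into one entry, while keying on the message text would let an attacker with a changing payload defeat suppression entirely.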
16 lines
No EOL
358 B
Text
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff notice.log

@load base/frameworks/notice

redef enum Notice::Type += {
	Test_Notice,
};

redef Notice::not_suppressed_types += { Test_Notice };

event bro_init()
	{
	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
	NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]);
	}
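Review bot: the `btest-diff notice.log` line makes this test depend on a baseline that the commit does not include, so it cannot pass as committed; once the segfault noted in the commit message is resolved, add the baseline (both notices should appear, because Test_Notice is in Notice::not_suppressed_types and both calls share $identifier="static"). This file also covers only the opt-out path: nothing here fires a notice of a type that is subject to suppression, so the default interval and the Notice::suppressed event go unexercised. Consider a second type that is not in not_suppressed_types, raised twice with the same identifier, so the baseline shows one log entry and one suppression.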