
This introduces the following redefinable string constants, empty by default: - InputAscii::path_prefix - InputBinary::path_prefix - Intel::path_prefix When using ASCII or binary readers in the Input/Intel Framework with an input stream source that does not have an absolute path, these constants cause Zeek to prefix the resulting paths accordingly. For example, in the following the location on disk from which Zeek loads the input becomes "/path/to/input/whitelist.data": redef InputAscii::path_prefix = "/path/to/input"; event bro_init() { Input::add_table([$source="whitelist.data", ...]); } These path prefixes can be absolute or relative. When an input stream source already uses an absolute path, this path is preserved and the new variables have no effect (i.e., we do not affect configurations already using absolute paths). Since the Intel framework builds upon the Input framework, the first two paths also affect Intel file locations. If this is undesirable, the Intel::path_prefix variable allows specifying a separate path: when its value is absolute, the resulting source seen by the Input framework is absolute, therefore no further changes to the paths happen.
##! Input handling for the intelligence framework. This script implements the
##! import of intelligence data from files using the input framework.
@load ./main
module Intel;
export {
	## Intelligence files that will be read off disk. Each file is
	## reread whenever it changes, so updates must be atomic: replace
	## the file with "mv" rather than rewriting it in place.
	const read_files: set[string] = {} &redef;

	## An optional path prefix for intel files. The prefix can, but
	## need not be, absolute; by default filenames are left unchanged.
	## It has no effect on a read_files entry that is already an
	## absolute path. The prefix is applied *before* the source reaches
	## the input framework, so an absolute prefix is not altered
	## further, while a relative prefix is additionally subject to any
	## path_prefix configured in the input framework.
	const path_prefix: string = "" &redef;
}
## Input framework handler for items delivered from an intel file
## stream. Every item is handed straight to Intel::insert (presumably
## defined in ./main, which is loaded above).
##
## desc: Description of the input stream the item came from (unused).
##
## tpe: The kind of input event that produced the item (unused).
##
## item: The intel item parsed from the file.
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
	{
	# We are inside module Intel, so the unqualified name resolves
	# to Intel::insert.
	insert(item);
	}
## At startup, register one ASCII input stream per entry in read_files.
## In a cluster only the manager reads intel files; in standalone mode
## the single process does. Runs at priority 5 so the streams exist
## before lower-priority bro_init handlers.
event bro_init() &priority=5
	{
	# Workers and proxies never read intel files themselves.
	if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
		return;

	for ( fname in read_files )
		{
		# These streams always use the ASCII reader, so the source is
		# known to be a filename and path prefixing applies. sub_bytes
		# treats start position 0 as the first character.
		local absolute = ( sub_bytes(fname, 0, 1) == "/" );
		local source = fname;

		# Only a relative filename gets the (slash-trimmed) prefix.
		# The check looks at a leading "/" only, so a relative entry
		# containing ".." is joined as-is: the prefix does not confine
		# lookups to a directory.
		if ( ! absolute && path_prefix != "" )
			source = cat(rstrip(path_prefix, "/"), "/", fname);

		# The stream is named after the configured entry rather than
		# the prefixed path, so names stay stable across prefix changes.
		Input::add_event([$source=source,
		                  $reader=Input::READER_ASCII,
		                  $mode=Input::REREAD,
		                  $name=cat("intel-", fname),
		                  $fields=Intel::Item,
		                  $ev=Intel::read_entry]);
		}
	}