mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
22 lines
449 B
Text
22 lines
449 B
Text
# $Id:$
|
|
#
|
|
# Changes the class for addresses that have generated alerts.
|
|
|
|
@load time-machine
|
|
@load notice
|
|
@load scan
|
|
|
|
event notice_alarm(n: notice_info, action: NoticeAction)
|
|
{
|
|
if ( ! n?$src )
|
|
return;
|
|
|
|
if ( n?$conn && is_external_connection(n$conn) )
|
|
return;
|
|
|
|
local class = "alarm";
|
|
if ( n$note == Scan::AddressScan || n$note == Scan::PortScan )
|
|
class = "scanner";
|
|
|
|
TimeMachine::set_class(n$src, class, TimeMachine::BOTH, "tm-class");
|
|
}
|