mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
44 lines
1 KiB
Text
44 lines
1 KiB
Text
|
|
@load base/frameworks/intel
|
|
@load base/frameworks/notice
|
|
|
|
module Intel;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## Intel::Notice is a notice that happens when an intelligence
|
|
## indicator is denoted to be notice-worthy.
|
|
Intel::Notice
|
|
};
|
|
|
|
redef record Intel::MetaData += {
|
|
## A boolean value to allow the data itself to represent
|
|
## if the indicator that this metadata is attached to
|
|
## is notice worthy.
|
|
do_notice: bool &default=F;
|
|
|
|
## Restrictions on when notices are created to only create
|
|
## them if the *do_notice* field is T and the notice was
|
|
## seen in the indicated location.
|
|
if_in: Intel::Where &optional;
|
|
};
|
|
}
|
|
|
|
event Intel::match(s: Seen, items: set[Item])
|
|
{
|
|
for ( item in items )
|
|
{
|
|
if ( item$meta$do_notice &&
|
|
(! item$meta?$if_in || s$where == item$meta$if_in) )
|
|
{
|
|
local n = Notice::Info($note=Intel::Notice,
|
|
$msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
|
|
$sub=s$indicator);
|
|
|
|
if ( s?$conn )
|
|
n$conn = s$conn;
|
|
|
|
NOTICE(n);
|
|
}
|
|
}
|
|
}
|