base/frameworks/intel/input.zeek

Intel

Input handling for the intelligence framework. This script implements the import of intelligence data from files using the input framework.

Namespace:

Intel

Imports:

base/frameworks/intel/main.zeek

Summary

Redefinable Options

Intel::path_prefix: string &redef

An optional path prefix for intel files.

Intel::read_files: set &redef

Intelligence files that will be read off disk.

Events

Intel::read_entry: event

This event is raised each time the intel framework reads a new line from an intel file.

Intel::read_error: event

This event is raised each time the input framework detects an error while reading the intel file.

Detailed Interface

Redefinable Options

Intel::path_prefix
Type:

string

Attributes:

&redef

Default:

""

An optional path prefix for intel files. This prefix can, but need not be, absolute. The default is to leave any filenames unchanged. This prefix has no effect if a read_file entry is an absolute path. This prefix gets applied _before_ entering the input framework, so if the prefix is absolute, the input framework won’t munge it further. If it is relative, then any path_prefix specified in the input framework will apply additionally.

Intel::read_files
Type:

set [string]

Attributes:

&redef

Default:

{}

Intelligence files that will be read off disk. The files are reread every time they are updated so updates must be atomic with “mv” instead of writing the file in place.

Events

Intel::read_entry
Type:

event (desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)

This event is raised each time the intel framework reads a new line from an intel file. It is used in the intel framework but can also be used in custom scripts for further checks.

Parameters:
Intel::read_error
Type:

event (desc: Input::EventDescription, message: string, level: Reporter::Level)

This event is raised each time the input framework detects an error while reading the intel file. It can be used to implement further checks in custom scripts. Errors can be of different levels (information, warning, errors).

Parameters: