input.zeek

Intel

Input handling for the intelligence framework. This script implements the import of intelligence data from files using the input framework.

Namespace: Intel
Imports: base/frameworks/intel/main.zeek

Summary

Redefinable Options

`Intel::path_prefix`: `string` `&redef`	An optional path prefix for intel files.
`Intel::read_files`: `set` `&redef`	Intelligence files that will be read off disk.

Events

`Intel::read_entry`: `event`	This event is raised each time the intel framework reads a new line from an intel file.
`Intel::read_error`: `event`	This event is raised each time the input framework detects an error while reading the intel file.

Detailed Interface

Redefinable Options

Intel::path_prefix 

Type: string
Attributes: &redef
Default: ""

An optional path prefix for intel files. This prefix can, but need not be, absolute. The default is to leave any filenames unchanged. This prefix has no effect if a read_file entry is an absolute path. This prefix gets applied _before_ entering the input framework, so if the prefix is absolute, the input framework won’t munge it further. If it is relative, then any path_prefix specified in the input framework will apply additionally.

Intel::read_files 

Type: set [string]
Attributes: &redef
Default: {}

Intelligence files that will be read off disk. The files are reread every time they are updated so updates must be atomic with “mv” instead of writing the file in place.

Events

Intel::read_entry 

Type: event (desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)

This event is raised each time the intel framework reads a new line from an intel file. It is used in the intel framework but can also be used in custom scripts for further checks.

Parameters

desc – The Input::EventDescription record which generated the event.
tpe – The type of input event.
item – The intel item being read (of type Intel::Item).

Intel::read_error 

Type: event (desc: Input::EventDescription, message: string, level: Reporter::Level)

This event is raised each time the input framework detects an error while reading the intel file. It can be used to implement further checks in custom scripts. Errors can be of different levels (information, warning, errors).

Parameters

desc – The Input::EventDescription record which generated the error.
message – An error message.
level – The Reporter::Level of the error.