File: whitelisting.bro

# @TEST-EXEC: bro -Cr $TRACES/wikipedia.trace %INPUT
# @TEST-EXEC: btest-diff intel.log

#@TEST-START-FILE intel.dat
#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
upload.wikimedia.org	Intel::DOMAIN	source1	somehow bad	http://some-data-distributor.com/1
meta.wikimedia.org	Intel::DOMAIN	source1	also bad	http://some-data-distributor.com/1
#@TEST-END-FILE

#@TEST-START-FILE whitelist.dat
#fields	indicator	indicator_type	meta.source	meta.desc	meta.whitelist	meta.url
meta.wikimedia.org	Intel::DOMAIN	source2	also bad	T	http://some-data-distributor.com/1
#@TEST-END-FILE

@load base/frameworks/intel
@load frameworks/intel/whitelist
@load frameworks/intel/seen

# Both files are fed to the intel framework. The whitelist.dat row for
# meta.wikimedia.org carries meta.whitelist = T, so with
# frameworks/intel/whitelist loaded that indicator is presumably suppressed and
# only the upload.wikimedia.org hit should reach intel.log -- confirm against
# the btest baseline rather than this comment.
redef Intel::read_files += {
	"intel.dat",
	"whitelist.dat",
};

# Count of Input::end_of_data events seen from intel-framework readers; used by
# the handler below to decide when the trace may start being processed.
global total_files_read = 0;

event bro_init()
	{
	# Hold the trace back until Input::end_of_data confirms that both intel
	# files are loaded. Without this, connections could be checked against an
	# intel table that does not yet contain the whitelist entry, and the
	# resulting intel.log would not match the expected baseline.
	suspend_processing();
	}

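event Input::end_of_data(name: string, source: string)
	{
	# Only the intel framework's own readers (named "intel-<path>") are
	# counted; some other input stream finishing must not resume the trace.
	if ( /^intel-/ !in name )
		return;

	# Resume once every file listed in Intel::read_files has been loaded, so
	# the whitelist entry is in place before the first connection from the
	# trace is examined. Deriving the count from the set keeps this check in
	# step with the redef above if files are added later.
	# NOTE(review): assumes end_of_data fires once per file during the
	# initial read; a re-read would bump the counter again -- confirm.
	if ( ++total_files_read == |Intel::read_files| )
		continue_processing();
	}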