Merge pull request #35 from corelight/develop

Export notice types
corelight · Dec 20, 2021 · 42c96af · 42c96af
2 parents 301836f + d6ca3be
commit 42c96af
Showing 1 changed file with 21 additions and 20 deletions.
diff --git a/scripts/CVE_2021_44228.zeek b/scripts/CVE_2021_44228.zeek
@@ -1,12 +1,32 @@
 module CVE_2021_44228;
 @load-sigs ./ldap_java.sig
 
-redef enum Notice::Type += {
+export {
+    redef enum Notice::Type += {
         LOG4J_ATTEMPT_HEADER,
         LOG4J_LDAP_JAVA,
         LOG4J_SUCCESS
     };
 
+    option log = T;
+    # redef'd when running tests with btest. Leave as `F`.
+    option run_tests = F;
+
+    # Can be domains or addrs, so just have it be a string.
+    option ignorable_target_hosts: set[string] = {};
+    # Ignore hosts known to be benign & scanning for this behavior.
+    option ignorable_orig_hosts: set[addr] = {};
+    # Ignore resp hosts. `ignorable_orig_hosts` is probably what you want. This
+    # would be for (1) ignoring internal honeypots that you know will look
+    # "exploitable" or a known "malicious" server attempting to exploit
+    # vulnerable Java clients.
+    option ignorable_resp_hosts: set[addr] = {};
+
+    # Try to normalize payloads to improve change of successfully retrieving the
+    # payload information.
+    option try_normalize = T;
+}
+
 redef enum HTTP::Tags += {
         LOG4J_RCE
     };
@@ -47,25 +67,6 @@ global exploit_pattern: pattern = /\$\{[^@][^}]+:[^}]+\}/;
 
 # Stack used for `normalize`. Shouldn't be used outside of that function.
 global stack: vector of string;
-export {
-    option log = T;
-    # redef'd when running tests with btest. Leave as `F`.
-    option run_tests = F;
-
-    # Can be domains or addrs, so just have it be a string.
-    option ignorable_target_hosts: set[string] = {};
-    # Ignore hosts known to be benign & scanning for this behavior.
-    option ignorable_orig_hosts: set[addr] = {};
-    # Ignore resp hosts. `ignorable_orig_hosts` is probably what you want. This
-    # would be for (1) ignoring internal honeypots that you know will look
-    # "exploitable" or a known "malicious" server attempting to exploit
-    # vulnerable Java clients.
-    option ignorable_resp_hosts: set[addr] = {};
-
-    # Try to normalize payloads to improve change of successfully retrieving the
-    # payload information.
-    option try_normalize = T;
-}
 
 function peek(): string
     {