# Path of the flat-file intel/block list that every handler below appends
# detections to.  Each hit is written as one "KIND:value" line.
# NOTE(review): a fixed filename under /tmp is writable by any local account;
# on a shared sensor confirm that directory's permissions or point this at
# Zeek's own log/spool directory instead.
global INTEL_LOG: string = "/tmp/zeek_block_intel.log";
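# --- HTTP: record requests whose Host or User-Agent matches ---
# Host and User-Agent are copied into c$http by the base HTTP scripts'
# http_header handler.  http_request is raised as soon as the request line
# has been parsed, i.e. before any header event, so a handler on that event
# finds c$http$host and c$http$user_agent unset and never matches.
# http_message_done fires once the whole message (headers included) has
# been processed, so the fields are populated here; is_orig restricts the
# check to the request side so a hit is not recorded a second time when
# the response completes.
# The matched values come straight from client-supplied headers, so
# whatever consumes INTEL_LOG should treat them as untrusted input.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client's request carries Host / User-Agent.
	if ( ! is_orig )
		return;

	# c$http is normally set by the base HTTP scripts; guard so a missing
	# record aborts nothing.
	if ( ! c?$http )
		return;

	# Host header match: append the hit to INTEL_LOG and echo to stdout.
	if ( c$http?$host )
		{
		local host = c$http$host;
		if ( /zapret\.telegram/ in host )
			{
			local f1 = open_for_append(INTEL_LOG);
			print f1, fmt("HTTP_HOST:%s", host);
			close(f1);
			print fmt("[ZEEK] DETECT HTTP_HOST: %s", host);
			}
		}

	# User-Agent match (Windows PowerShell): same log line regardless of the
	# exact UA string; the full UA only goes to stdout.
	if ( c$http?$user_agent )
		{
		local ua = c$http$user_agent;
		if ( /Windows PowerShell/ in ua )
			{
			local f2 = open_for_append(INTEL_LOG);
			print f2, "HTTP_USERAGENT:Windows PowerShell";
			close(f2);
			print fmt("[ZEEK] DETECT UA: %s", ua);
			}
		}
	}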
# --- FTP: record any established TCP connection to port 21 ---
# Keyed on the completed handshake rather than on ftp.log, because the FTP
# analyzer may never produce a log entry for the session.  This is a pure
# port match: an FTP server on another port is missed, and any completed
# handshake to 21/tcp (even one that carries no FTP traffic) is recorded.
event connection_established(c: connection)
	{
	if ( c$id$resp_p != 21/tcp )
		return;

	# Append the hit to INTEL_LOG, then echo the client address to stdout.
	local intel = open_for_append(INTEL_LOG);
	print intel, "FTP_PORT:21";
	close(intel);
	print fmt("[ZEEK] DETECT FTP from %s", c$id$orig_h);
	}