---

global INTEL_LOG = "/tmp/zeek_block_intel.log";

function log_event(msg: string)
{
    local f = open_for_append(INTEL_LOG);
    print f, msg;
    close(f);
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( is_orig && name == "HOST" && /zapret\.telegram/ in value )
    {
        log_event(fmt("HTTP_HOST_HEADER:%s", value));
        print fmt("[ZEEK] DETECTED zapret.telegram host: %s", value);
    }
    
    if ( is_orig && name == "USER-AGENT" && /Windows PowerShell/ in value )
    {
        log_event(fmt("HTTP_UA:%s", value));
        print fmt("[ZEEK] DETECTED PowerShell UA: %s", value);
    }
}

event connection_established(c: connection)
{
    if ( c$id$resp_p == 21/tcp )
    {
        log_event(fmt("FTP_PORT:%s->%s", c$id$resp_h, c$id$orig_h));
        print fmt("[ZEEK] FTP DETECTED %s", c$id$orig_h);
    }
}

# Дополнительно: логирование всех HTTP-запросов для отладки
event http_request(c: connection, method: string,
                   original_URI: string, unescaped_URI: string,
                   version: string)
{
    # Отладочный вывод - увидите все HTTP-запросы
    if ( c?$http && c$http?$host )
        print fmt("[DEBUG] HTTP: %s %s %s", method, original_URI, c$http$host);
    else
        print fmt("[DEBUG] HTTP: %s %s (no host field)", method, original_URI);
}