@load tcp
@load irc

module IrcHosts;

export {
	# NOTICE type raised when a connection goes to an address that was
	# previously mentioned in IRC traffic.
	redef enum Notice += {
		ConnectionSeen
	};
}

# Every address extracted from IRC channel messages so far.
# &persistent keeps the set across restarts; &read_expire drops an entry
# 7 days after it was last read.
# NOTE(review): nothing here caps the set size apart from expiry, so a busy
# channel that posts many addresses grows this table accordingly.
global hosts: set[addr] &persistent &read_expire=7days;

# Generated when a message is posted to a channel.
#
# Scans the message text for dotted-quad strings and records each one in
# `hosts`. The text comes from remote IRC participants, so the contents of
# `hosts` (and therefore which connections raise ConnectionSeen later) are
# controlled by whoever can post to a monitored channel; treat the resulting
# notices as leads to triage, not as confirmed indicators.
event irc_privmsg_message(c: connection, source: string, target: string,
                          message: string)
	{
	# The pattern is unanchored and allows up to three digits per octet, so
	# it also matches strings such as "999.1.1.1" and dotted quads embedded
	# in longer tokens (e.g. version numbers).
	# NOTE(review): confirm what to_addr() yields for such input in the
	# deployed version and whether that value should be kept out of `hosts`.
	local dotted_quads = find_all(message,
	    /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/);

	for ( quad in dotted_quads )
		{
		# Echo each candidate string to standard output before storing it.
		print quad;
		add hosts[to_addr(quad)];
		}
	}

# Generated when a connection has been fully established.
#
# Raises ConnectionSeen when the responder of the new connection is an
# address recorded from IRC. Only the responder side is checked; a connection
# originated by a recorded address does not trigger the notice.
event connection_established(c: connection)
	{
	local originator = c$id$orig_h;
	local responder = c$id$resp_h;

	if ( responder in hosts )
		NOTICE([$note=ConnectionSeen, $conn=c,
		        $msg=fmt("%s established connection to host %s seen on IRC",
		                 originator, responder)]);
	}