From 1439c244fc06f7e5fbd655d39a846f57622a5567 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 2 Jun 2015 14:23:25 -0700
Subject: [PATCH] add hook to pacf that allows users to modify all rules or implement whitelists or similar.
---
 scripts/base/frameworks/pacf/main.bro | 10 +++++++
 .../pacf.log | 18 +++++++++++++
 .../scripts/base/frameworks/pacf/hook.bro | 27 +++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.pacf.hook/pacf.log
 create mode 100644 testing/btest/scripts/base/frameworks/pacf/hook.bro
diff --git a/scripts/base/frameworks/pacf/main.bro b/scripts/base/frameworks/pacf/main.bro
index 93e835bc29..dc21b99665 100644
--- a/scripts/base/frameworks/pacf/main.bro
+++ b/scripts/base/frameworks/pacf/main.bro
@@ -159,6 +159,13 @@ export {
  ## msg: An optional informational message by the plugin.
  global rule_error: event(r: Rule, p: PluginState, msg: string &default="");
 
+ ## Hook that allows the modification of rules passed to add_rule before they
+ ## are passed on to the plugins. If one of the hooks uses break, the rule is
+ ## ignored and not passed on to any plugin.
+ ##
+ ## r: The rule to be added
+ global Pacf::rule_policy: hook(r: Rule);
+
  ## Type of an entry in the PACF log.
  type InfoCategory: enum {
  ## A log entry reflecting a framework message.
@@ -402,6 +409,9 @@ function add_rule_impl(rule: Rule) : string
  if ( ! rule?$id || rule$id == "" )
  rule$id = cat(rule$cid);
 
+ if ( ! hook Pacf::rule_policy(rule) )
+ return "";
+
  local accepted = F;
  local priority: int = +0;
  local r = rule;
diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.hook/pacf.log b/testing/btest/Baseline/scripts.base.frameworks.pacf.hook/pacf.log
new file mode 100644
index 0000000000..1725aa4918
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.hook/pacf.log
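Review bot: A rule vetoed by `Pacf::rule_policy` in add_rule_impl (second hunk) makes the function return `""` with no log entry, so a requested drop or shunt that a policy handler discarded leaves no trace in pacf.log and the caller only sees an empty id. I would record the veto as a framework message before the `return "";` (the baseline shows a `Pacf::MESSAGE` category exists for exactly this kind of entry, whatever helper emits it), so an operator can audit which rules were blocked by policy. The hook's docstring in the first hunk should also state that a break yields an empty rule id and no `Pacf::RULE` log entry, and that handlers run after `rule$id` has been assigned; it currently says the rules are "passed to add_rule" while the hook is invoked from add_rule_impl. Whether add_rule and its callers check for an empty id is not visible here; add_rule_impl's body starts and ends outside the hunk.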
@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path pacf
+#open 2015-06-02-21-23-05
+#fields ts category cmd state action target entity_type entity msg location plugin
+#types time enum string enum string enum string string string string string
+0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All
+1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 0.0.0.0/0/1470->74.53.140.153/32/25 - (empty) Debug-All
+#close 2015-06-02-21-23-05
diff --git a/testing/btest/scripts/base/frameworks/pacf/hook.bro b/testing/btest/scripts/base/frameworks/pacf/hook.bro
new file mode 100644
index 0000000000..e31237d934
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/pacf/hook.bro
@@ -0,0 +1,27 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff pacf.log
+
+@load base/frameworks/pacf
+
+event bro_init()
+ {
+ local pacf_debug = Pacf::create_debug(T);
+ Pacf::activate(pacf_debug, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ local id = c$id;
+ Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
+ Pacf::drop_address(id$orig_h, 15sec);
+ Pacf::whitelist_address(id$orig_h, 15sec);
+ Pacf::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 30sec);
+ }
+
+hook Pacf::rule_policy(r: Pacf::Rule)
+ {
+ if ( r$expire == 15sec )
+ break;
+
+ r$entity$flow$src_h = 0.0.0.0/0;
+ }
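Review bot: The unconditional `r$entity$flow$src_h = 0.0.0.0/0;` in the rule_policy handler only works because every rule that reaches it happens to be a flow rule: the two address rules from drop_address and whitelist_address are vetoed first by the `r$expire == 15sec` comparison. If either expiry value is ever changed, the handler would dereference `flow` on an address entity, which is a script runtime error if that field is unset (the entity record type is not in view, but the field looks optional given that address rules carry no flow). Guarding the assignment with `if ( r$entity?$flow )` decouples the test from that coincidence, and a comment above the hook such as `# Veto the two 15sec address rules; rewrite the source of the remaining flow rules to 0.0.0.0/0 (see baseline)` would make the expected pacf.log contents obvious to the next reader.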