From 2f748257851622489c8bef14b7f68a6f3edda9ca Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Fri, 27 May 2016 08:51:06 -0700
Subject: [PATCH] NetControl: fix several small logging issues

forgotten messages are only logged on the manager (or standalone host) now. Logs are not written by default anymore when Bro encounters traffic that should have been blocked.
---
 .../frameworks/netcontrol/catch-and-release.bro | 16 ++++++++++++++++
 .../netcontrol/catch-and-release-cluster.bro | 1 +
 2 files changed, 17 insertions(+)

diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro
index 7160ee8c72..f47edd8794 100644
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -107,6 +107,10 @@ export {
 ## connection_reset and connection_pending
 const watch_connections = T &redef;
 
+ ## If true, catch and release warns if packets of an IP address are still seen after it
+ ## should have been blocked.
+ const catch_release_warn_blocked_ip_encountered = F &redef;
+
 ## Time intervals for which a subsequent drops of the same IP take
 ## effect.
 const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
@@ -123,6 +127,9 @@ export {
 global catch_release_encountered: event(a: addr);
 }
 
+# set that is used to only send seen notifications to the master every ~30 seconds.
+global catch_release_recently_notified: set[addr] &create_expire=30secs;
+
 event bro_init() &priority=5
 {
 Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
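Review bot: The doc comment on the new `catch_release_warn_blocked_ip_encountered` constant says catch and release "warns", but what the flag gates (see the early return added in catch_release_seen further down this patch) is whether an INFO record is written to the netcontrol_catch_release log when a host that should be dropped is still seen; with the default of F that record is never produced. Since that record appears to be the only indication in this file that a drop was not enforced by the backend, the comment should name what is suppressed and that the default turns it off, e.g. `## If true, an INFO record is written to the catch-and-release log when packets of an IP address are still seen after it should have been blocked.` followed by `## Off by default; enable it to detect blocks the backend did not apply.`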
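Review bot: The comment on the new `catch_release_recently_notified` set says notifications go to the "master", while the `Cluster::MANAGER` checks in this same file call that node the manager; use one term, e.g. `# Addresses for which this node has recently raised catch_release_encountered to the manager; used to rate-limit that event to roughly one per address per 30 seconds.` The 30-second window is also hard-coded in the `&create_expire` attribute, whereas the neighbouring tunables in the export block (`watch_connections`, `catch_release_intervals`) are `&redef` constants; if operators may want to tune the notification rate, an exported `const` would be consistent with them.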
@@ -163,11 +170,13 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 if ( remaining_time < 0secs )
 remaining_time = 0secs;
 
+@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
 if ( remaining_time == 0secs )
 {
 local log = populate_log_record(idx, t[idx], FORGOTTEN);
 Log::write(CATCH_RELEASE, log);
 }
+@endif
 
 return remaining_time;
 }
@@ -379,6 +388,9 @@ function catch_release_seen(a: addr)
 
 if ( [e,DROP] in rule_entities )
 {
+ if ( catch_release_warn_blocked_ip_encountered == F )
+ return;
+
 # This should be blocked - block has not been applied yet by hardware? Ignore for the moment...
 log = populate_log_record(a, bi, INFO);
 log$action = INFO;
@@ -415,7 +427,11 @@ function catch_release_seen(a: addr)
 event NetControl::catch_release_block_new(a, bi);
 @endif
 @if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
+ if ( a in catch_release_recently_notified )
+ return;
+
 event NetControl::catch_release_encountered(a);
+ add catch_release_recently_notified[a];
 @endif
 
 return;
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro
index 4175f23a0e..83a66b35ca 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro
@@ -20,6 +20,7 @@ redef Cluster::nodes = {
 redef Log::default_rotation_interval = 0secs;
 
 @load base/frameworks/netcontrol
+redef NetControl::catch_release_warn_blocked_ip_encountered = T;
 
 global ready_for_data_1: event();
 global ready_for_data_2: event();
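Review bot: The new `@if` guard in per_block_interval is written as `! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )`, which reduces to `@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )` because the second disjunct can only be true when `Cluster::is_enabled()` is already true. The shorter form also mirrors the worker-side test used later in this file, `Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER`, so the two conditions are visibly complementary. A one-line comment on the guard, `# FORGOTTEN is logged once, by the manager (or the standalone host), not by every worker.`, would record the intent stated in the commit message. The body of per_block_interval begins above this hunk.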
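Review bot: The early return added in catch_release_seen tests the option against a literal, `if ( catch_release_warn_blocked_ip_encountered == F )`; `if ( ! catch_release_warn_blocked_ip_encountered )` says the same thing more idiomatically. More importantly, with the default of F the function now leaves the `[e,DROP] in rule_entities` branch before any record is populated, so a drop rule that the backend has not actually applied leaves no trace in the log unless the operator opted in; a short comment on the return, `# Logging hosts that are still seen despite a DROP rule is opt-in; see catch_release_warn_blocked_ip_encountered.`, would make that trade-off visible to the next reader. catch_release_seen begins and ends outside this hunk.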
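Review bot: The rate limit added around `event NetControl::catch_release_encountered(a)` is keyed on `catch_release_recently_notified`, a global that presumably lives in each worker's own process, so the manager can still receive one event per worker per 30 seconds for the same address rather than one event in total; if that fan-in is acceptable it should be stated next to the check, e.g. `# Per-worker throttle: the manager may still hear about an address once per worker per expiry window.` If a single notification cluster-wide is the goal, the suppression would have to happen on the manager side instead, which this hunk does not attempt. catch_release_seen begins and ends outside this hunk.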