Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions


@ -1,14 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/__load__.bro
=======================================
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/netcontrol/catch-and-release.bro </scripts/base/frameworks/netcontrol/catch-and-release.bro>`, :doc:`base/frameworks/netcontrol/drop.bro </scripts/base/frameworks/netcontrol/drop.bro>`, :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`, :doc:`base/frameworks/netcontrol/non-cluster.bro </scripts/base/frameworks/netcontrol/non-cluster.bro>`, :doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`, :doc:`base/frameworks/netcontrol/shunt.bro </scripts/base/frameworks/netcontrol/shunt.bro>`, :doc:`base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -1,343 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/catch-and-release.bro
================================================
.. bro:namespace:: NetControl
Implementation of catch-and-release functionality for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/netcontrol/drop.bro </scripts/base/frameworks/netcontrol/drop.bro>`, :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================================== ====================================================================================
:bro:id:`NetControl::catch_release_warn_blocked_ip_encountered`: :bro:type:`bool` :bro:attr:`&redef` If true, catch and release warns if packets of an IP address are still seen after it
should have been blocked.
==================================================================================================== ====================================================================================
Redefinable Options
###################
==================================================================================== =====================================================================================
:bro:id:`NetControl::catch_release_intervals`: :bro:type:`vector` :bro:attr:`&redef` Time intervals for which subsequent drops of the same IP take
effect.
:bro:id:`NetControl::watch_connections`: :bro:type:`bool` :bro:attr:`&redef` If true, catch_release_seen is called on the connection originator in new_connection,
connection_established, partial_connection, connection_attempt, connection_rejected,
connection_reset and connection_pending
==================================================================================== =====================================================================================
Types
#####
============================================================= =========================================================================
:bro:type:`NetControl::BlockInfo`: :bro:type:`record` This record is used for storing information about current blocks that are
part of catch and release.
:bro:type:`NetControl::CatchReleaseActions`: :bro:type:`enum` The enum that contains the different kinds of messages that are logged by
catch and release.
:bro:type:`NetControl::CatchReleaseInfo`: :bro:type:`record` The record type that is used for representing and logging
============================================================= =========================================================================
Redefinitions
#############
===================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
===================================== =
Events
######
===================================================================== ===================================================================================
:bro:id:`NetControl::catch_release_add`: :bro:type:`event`
:bro:id:`NetControl::catch_release_block_delete`: :bro:type:`event`
:bro:id:`NetControl::catch_release_block_new`: :bro:type:`event`
:bro:id:`NetControl::catch_release_delete`: :bro:type:`event`
:bro:id:`NetControl::catch_release_encountered`: :bro:type:`event`
:bro:id:`NetControl::catch_release_forgotten`: :bro:type:`event` Event is raised when catch and release cases management of an IP address because no
activity was seen within the watch_until period.
:bro:id:`NetControl::log_netcontrol_catch_release`: :bro:type:`event` Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo`
record as it is sent on to the logging framework.
===================================================================== ===================================================================================
Functions
#########
========================================================================= ======================================================================================================
:bro:id:`NetControl::catch_release_seen`: :bro:type:`function` This function can be called to notify the catch and release script that activity by
an IP address was seen.
:bro:id:`NetControl::drop_address_catch_release`: :bro:type:`function` Stops all packets involving an IP address from being forwarded.
:bro:id:`NetControl::get_catch_release_info`: :bro:type:`function` Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
:bro:id:`NetControl::unblock_address_catch_release`: :bro:type:`function` Removes an address from being watched with catch and release.
========================================================================= ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: NetControl::catch_release_warn_blocked_ip_encountered
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
If true, catch and release warns if packets of an IP address are still seen after it
should have been blocked.
Redefinable Options
###################
.. bro:id:: NetControl::catch_release_intervals
:Type: :bro:type:`vector` of :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default:
::
[10.0 mins, 1.0 hr, 1.0 day, 7.0 days]
Time intervals for which subsequent drops of the same IP take
effect.
.. bro:id:: NetControl::watch_connections
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
If true, catch_release_seen is called on the connection originator in new_connection,
connection_established, partial_connection, connection_attempt, connection_rejected,
connection_reset and connection_pending
Types
#####
.. bro:type:: NetControl::BlockInfo
:Type: :bro:type:`record`
block_until: :bro:type:`time` :bro:attr:`&optional`
Absolute time indicating until when a block is inserted using NetControl.
watch_until: :bro:type:`time`
Absolute time indicating until when an IP address is watched to reblock it.
num_reblocked: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Number of times an IP address was reblocked.
current_interval: :bro:type:`count`
Number indicating at which catch and release interval we currently are.
current_block_id: :bro:type:`string`
ID of the inserted block, if any.
location: :bro:type:`string` :bro:attr:`&optional`
User specified string.
This record is used for storing information about current blocks that are
part of catch and release.
.. bro:type:: NetControl::CatchReleaseActions
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::INFO NetControl::CatchReleaseActions
Log lines marked with info are purely informational; no action was taken.
.. bro:enum:: NetControl::ADDED NetControl::CatchReleaseActions
A rule for the specified IP address already existed in NetControl (outside
of catch-and-release). Catch and release did not add a new rule, but is now
watching the IP address and will add a new rule after the current rule expires.
.. bro:enum:: NetControl::DROP NetControl::CatchReleaseActions
(present if :doc:`/scripts/base/frameworks/netcontrol/types.bro` is loaded)
Stop forwarding all packets matching the entity.
No additional arguments.
.. bro:enum:: NetControl::DROPPED NetControl::CatchReleaseActions
A drop was requested by catch and release.
An address was successfully blocked by catch and release.
.. bro:enum:: NetControl::UNBLOCK NetControl::CatchReleaseActions
An address was unblocked after the timeout expired.
.. bro:enum:: NetControl::FORGOTTEN NetControl::CatchReleaseActions
An address was forgotten because it did not reappear within the `watch_until` interval.
.. bro:enum:: NetControl::SEEN_AGAIN NetControl::CatchReleaseActions
A watched IP address was seen again; catch and release will re-block it.
The enum that contains the different kinds of messages that are logged by
catch and release.
.. bro:type:: NetControl::CatchReleaseInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The absolute time indicating when the action for this log-line occured.
rule_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The rule id that this log line refers to.
ip: :bro:type:`addr` :bro:attr:`&log`
The IP address that this line refers to.
action: :bro:type:`NetControl::CatchReleaseActions` :bro:attr:`&log`
The action that was taken in this log-line.
block_interval: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
The current block_interaval (for how long the address is blocked).
watch_interval: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
The current watch_interval (for how long the address will be watched and re-block if it reappears).
blocked_until: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
The absolute time until which the address is blocked.
watched_until: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
The absolute time until which the address will be monitored.
num_blocked: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Number of times that this address was blocked in the current cycle.
location: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The user specified location string.
message: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Additional informational string by the catch and release framework about this log-line.
The record type that is used for representing and logging
Events
######
.. bro:id:: NetControl::catch_release_add
:Type: :bro:type:`event` (a: :bro:type:`addr`, location: :bro:type:`string`)
.. bro:id:: NetControl::catch_release_block_delete
:Type: :bro:type:`event` (a: :bro:type:`addr`)
.. bro:id:: NetControl::catch_release_block_new
:Type: :bro:type:`event` (a: :bro:type:`addr`, b: :bro:type:`NetControl::BlockInfo`)
.. bro:id:: NetControl::catch_release_delete
:Type: :bro:type:`event` (a: :bro:type:`addr`, reason: :bro:type:`string`)
.. bro:id:: NetControl::catch_release_encountered
:Type: :bro:type:`event` (a: :bro:type:`addr`)
.. bro:id:: NetControl::catch_release_forgotten
:Type: :bro:type:`event` (a: :bro:type:`addr`, bi: :bro:type:`NetControl::BlockInfo`)
Event is raised when catch and release cases management of an IP address because no
activity was seen within the watch_until period.
:a: The address that is no longer being managed.
:bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
.. bro:id:: NetControl::log_netcontrol_catch_release
:Type: :bro:type:`event` (rec: :bro:type:`NetControl::CatchReleaseInfo`)
Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo`
record as it is sent on to the logging framework.
Functions
#########
.. bro:id:: NetControl::catch_release_seen
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`void`
This function can be called to notify the catch and release script that activity by
an IP address was seen. If the respective IP address is currently monitored by catch and
release and not blocked, the block will be reinstated. See the documentation of watch_new_connection
which events the catch and release functionality usually monitors for activity.
:a: The address that was seen and should be re-dropped if it is being watched.
.. bro:id:: NetControl::drop_address_catch_release
:Type: :bro:type:`function` (a: :bro:type:`addr`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`NetControl::BlockInfo`
Stops all packets involving an IP address from being forwarded. This function
uses catch-and-release functionality, where the IP address is only dropped for
a short amount of time that is incremented steadily when the IP is encountered
again.
In cluster mode, this function works on workers as well as the manager. On managers,
the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID,
which will be assigned on the manager.
:a: The address to be dropped.
:t: How long to drop it, with 0 being indefinitely.
:location: An optional string describing where the drop was triggered.
:returns: The :bro:see:`NetControl::BlockInfo` record containing information about
the inserted block.
.. bro:id:: NetControl::get_catch_release_info
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`NetControl::BlockInfo`
Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
If the address is unknown to catch and release, the watch_until time will be set to 0.
In cluster mode, this function works on the manager and workers. On workers, the data will
lag slightly behind the manager; if you add a block, it will not be instantly available via
this function.
:a: The address to get information about.
:returns: The :bro:see:`NetControl::BlockInfo` record containing information about
the inserted block.
.. bro:id:: NetControl::unblock_address_catch_release
:Type: :bro:type:`function` (a: :bro:type:`addr`, reason: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Removes an address from being watched with catch and release. Returns true if the
address was found and removed; returns false if it was unknown to catch and release.
If the address is currently blocked, and the block was inserted by catch and release,
the block is removed.
:a: The address to be unblocked.
:reason: A reason for the unblock.
:returns: True if the address was unblocked.
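Review bot: the catch-and-release page removed here carries documentation errors that will move to zeek-docs unchanged unless the doc comments in the script it is generated from (base/frameworks/netcontrol/catch-and-release.bro, which stays in this repository) are fixed first. Under `NetControl::drop_address_catch_release` the parameter list documents `:t: How long to drop it, with 0 being indefinitely.` although the signature is `(a: addr, location: string)` with no `t`, and the cluster note `On managers, the returned NetControl::BlockInfo record will not contain the block ID, which will be assigned on the manager.` contradicts itself and presumably means workers. Smaller fixes: `cases management` should read `ceases management` (in the summary table and under `catch_release_forgotten`), `occured` and `block_interaval` in `CatchReleaseInfo`, and the `CatchReleaseInfo` summary line `The record type that is used for representing and logging` is cut off mid-sentence.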


@ -1,140 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/drop.bro
===================================
.. bro:namespace:: NetControl
Implementation of the drop functionality for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`
Summary
~~~~~~~
Types
#####
==================================================== =
:bro:type:`NetControl::DropInfo`: :bro:type:`record`
==================================================== =
Redefinitions
#############
===================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
===================================== =
Events
######
============================================================ =========================================================================
:bro:id:`NetControl::log_netcontrol_drop`: :bro:type:`event` Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
============================================================ =========================================================================
Hooks
#####
======================================================== =======================================================================
:bro:id:`NetControl::drop_rule_policy`: :bro:type:`hook` Hook that allows the modification of rules passed to drop_* before they
are passed on.
======================================================== =======================================================================
Functions
#########
=========================================================== ======================================================================
:bro:id:`NetControl::drop_address`: :bro:type:`function` Stops all packets involving an IP address from being forwarded.
:bro:id:`NetControl::drop_connection`: :bro:type:`function` Stops all packets involving a connection address from being forwarded.
=========================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::DropInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time at which the recorded activity occurred.
rule_id: :bro:type:`string` :bro:attr:`&log`
ID of the rule; unique during each Bro run.
orig_h: :bro:type:`addr` :bro:attr:`&log`
The originator's IP address.
orig_p: :bro:type:`port` :bro:attr:`&log` :bro:attr:`&optional`
The originator's port number.
resp_h: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
The responder's IP address.
resp_p: :bro:type:`port` :bro:attr:`&log` :bro:attr:`&optional`
The responder's port number.
expire: :bro:type:`interval` :bro:attr:`&log`
Expiry time of the shunt.
location: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Location where the underlying action was triggered.
Events
######
.. bro:id:: NetControl::log_netcontrol_drop
:Type: :bro:type:`event` (rec: :bro:type:`NetControl::DropInfo`)
Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
Hooks
#####
.. bro:id:: NetControl::drop_rule_policy
:Type: :bro:type:`hook` (r: :bro:type:`NetControl::Rule`) : :bro:type:`bool`
Hook that allows the modification of rules passed to drop_* before they
are passed on. If one of the hooks uses break, the rule is ignored.
:r: The rule to be added.
Functions
#########
.. bro:id:: NetControl::drop_address
:Type: :bro:type:`function` (a: :bro:type:`addr`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Stops all packets involving an IP address from being forwarded.
:a: The address to be dropped.
:t: How long to drop it, with 0 being indefinitely.
:location: An optional string describing where the drop was triggered.
:returns: The id of the inserted rule on success and zero on failure.
.. bro:id:: NetControl::drop_connection
:Type: :bro:type:`function` (c: :bro:type:`conn_id`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Stops all packets involving a connection address from being forwarded.
:c: The connection to be dropped.
:t: How long to drop it, with 0 being indefinitely.
:location: An optional string describing where the drop was triggered.
:returns: The id of the inserted rule on success and zero on failure.
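Review bot: the drop.bro page leaves with copy-paste residue from the shunt documentation, and the fix belongs in the script's doc comments rather than in the new zeek-docs repository: `NetControl::log_netcontrol_drop` is described as giving access to the `NetControl::ShuntInfo` record although its signature is `(rec: NetControl::DropInfo)`, and the `expire` field of `DropInfo` reads `Expiry time of the shunt.` Also, `drop_address` and `drop_connection` both return `string` yet document `:returns: The id of the inserted rule on success and zero on failure.`; the text should state the actual failure value for a string return instead of zero.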


@ -1,81 +0,0 @@
:orphan:
Package: base/frameworks/netcontrol
===================================
The NetControl framework provides a way for Bro to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.
:doc:`/scripts/base/frameworks/netcontrol/__load__.bro`
:doc:`/scripts/base/frameworks/netcontrol/types.bro`
This file defines the types that are used by the NetControl framework.
The most important type defined in this file is :bro:see:`NetControl::Rule`,
which is used to describe all rules that can be expressed by the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/main.bro`
Bro's NetControl framework.
This plugin-based framework allows to control the traffic that Bro monitors
as well as, if having access to the forwarding path, the traffic the network
forwards. By default, the framework lets everything through, to both Bro
itself as well as on the network. Scripts can then add rules to impose
restrictions on entities, such as specific connections or IP addresses.
This framework has two APIs: a high-level and low-level. The high-level API
provides convenience functions for a set of common operations. The
low-level API provides full flexibility.
:doc:`/scripts/base/frameworks/netcontrol/plugin.bro`
This file defines the plugin interface for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.bro`
:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.bro`
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro`
OpenFlow plugin for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro`
NetControl plugin for the process-level PacketFilter that comes with
Bro. Since the PacketFilter in Bro is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`
Acld plugin for the netcontrol framework.
:doc:`/scripts/base/frameworks/netcontrol/drop.bro`
Implementation of the drop functionality for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/shunt.bro`
Implementation of the shunt functionality for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/catch-and-release.bro`
Implementation of catch-and-release functionality for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/non-cluster.bro`


@ -1,544 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/main.bro
===================================
.. bro:namespace:: NetControl
Bro's NetControl framework.
This plugin-based framework allows to control the traffic that Bro monitors
as well as, if having access to the forwarding path, the traffic the network
forwards. By default, the framework lets everything through, to both Bro
itself as well as on the network. Scripts can then add rules to impose
restrictions on entities, such as specific connections or IP addresses.
This framework has two APIs: a high-level and low-level. The high-level API
provides convenience functions for a set of common operations. The
low-level API provides full flexibility.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`, :doc:`base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>`
Summary
~~~~~~~
Types
#####
====================================================== =================================================================
:bro:type:`NetControl::Info`: :bro:type:`record` The record type defining the column fields of the NetControl log.
:bro:type:`NetControl::InfoCategory`: :bro:type:`enum` Type of an entry in the NetControl log.
:bro:type:`NetControl::InfoState`: :bro:type:`enum` State of an entry in the NetControl log.
====================================================== =================================================================
Redefinitions
#############
================================================ ==========================================
:bro:type:`Log::ID`: :bro:type:`enum` The framework's logging stream identifier.
:bro:type:`NetControl::Rule`: :bro:type:`record`
================================================ ==========================================
Events
######
======================================================= ===========================================================================
:bro:id:`NetControl::init`: :bro:type:`event` Event that is used to initialize plugins.
:bro:id:`NetControl::init_done`: :bro:type:`event` Event that is raised once all plugins activated in ``NetControl::init``
have finished their initialization.
:bro:id:`NetControl::log_netcontrol`: :bro:type:`event` Event that can be handled to access the :bro:type:`NetControl::Info`
record as it is sent on to the logging framework.
:bro:id:`NetControl::rule_added`: :bro:type:`event` Confirms that a rule was put in place by a plugin.
:bro:id:`NetControl::rule_destroyed`: :bro:type:`event` This event is raised when a rule is deleted from the NetControl framework,
because it is no longer in use.
:bro:id:`NetControl::rule_error`: :bro:type:`event` Reports an error when operating on a rule.
:bro:id:`NetControl::rule_exists`: :bro:type:`event` Signals that a rule that was supposed to be put in place was already
existing at the specified plugin.
:bro:id:`NetControl::rule_new`: :bro:type:`event` This event is raised when a new rule is created by the NetControl framework
due to a call to add_rule.
:bro:id:`NetControl::rule_removed`: :bro:type:`event` Reports that a plugin reports a rule was removed due to a
remove_rule function call.
:bro:id:`NetControl::rule_timeout`: :bro:type:`event` Reports that a rule was removed from a plugin due to a timeout.
======================================================= ===========================================================================
Hooks
#####
=================================================== =========================================================================
:bro:id:`NetControl::rule_policy`: :bro:type:`hook` Hook that allows the modification of rules passed to add_rule before they
are passed on to the plugins.
=================================================== =========================================================================
Functions
#########
============================================================= ==============================================================================================
:bro:id:`NetControl::activate`: :bro:type:`function` Activates a plugin.
:bro:id:`NetControl::add_rule`: :bro:type:`function` Installs a rule.
:bro:id:`NetControl::clear`: :bro:type:`function` Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules.
:bro:id:`NetControl::delete_rule`: :bro:type:`function` Deletes a rule without removing it from the backends to which it has been
added before.
:bro:id:`NetControl::find_rules_addr`: :bro:type:`function` Searches all rules affecting a certain IP address.
:bro:id:`NetControl::find_rules_subnet`: :bro:type:`function` Searches all rules affecting a certain subnet.
:bro:id:`NetControl::plugin_activated`: :bro:type:`function` Function called by plugins once they finished their activation.
:bro:id:`NetControl::quarantine_host`: :bro:type:`function` Quarantines a host.
:bro:id:`NetControl::redirect_flow`: :bro:type:`function` Redirects a uni-directional flow to another port.
:bro:id:`NetControl::remove_rule`: :bro:type:`function` Removes a rule.
:bro:id:`NetControl::whitelist_address`: :bro:type:`function` Allows all traffic involving a specific IP address to be forwarded.
:bro:id:`NetControl::whitelist_subnet`: :bro:type:`function` Allows all traffic involving a specific IP subnet to be forwarded.
============================================================= ==============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time at which the recorded activity occurred.
rule_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
ID of the rule; unique during each Bro run.
category: :bro:type:`NetControl::InfoCategory` :bro:attr:`&log` :bro:attr:`&optional`
Type of the log entry.
cmd: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The command the log entry is about.
state: :bro:type:`NetControl::InfoState` :bro:attr:`&log` :bro:attr:`&optional`
State the log entry reflects.
action: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
String describing an action the entry is about.
target: :bro:type:`NetControl::TargetType` :bro:attr:`&log` :bro:attr:`&optional`
The target type of the action.
entity_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Type of the entity the log entry is about.
entity: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
String describing the entity the log entry is about.
mod: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
String describing the optional modification of the entry (e.h. redirect)
msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
String with an additional message.
priority: :bro:type:`int` :bro:attr:`&log` :bro:attr:`&optional`
Number describing the priority of the log entry.
expire: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
Expiry time of the log entry.
location: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Location where the underlying action was triggered.
plugin: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Plugin triggering the log entry.
The record type defining the column fields of the NetControl log.
.. bro:type:: NetControl::InfoCategory
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::MESSAGE NetControl::InfoCategory
A log entry reflecting a framework message.
.. bro:enum:: NetControl::ERROR NetControl::InfoCategory
A log entry reflecting a framework message.
.. bro:enum:: NetControl::RULE NetControl::InfoCategory
A log entry about a rule.
Type of an entry in the NetControl log.
.. bro:type:: NetControl::InfoState
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::REQUESTED NetControl::InfoState
The request to add/remove a rule was sent to the respective backend.
.. bro:enum:: NetControl::SUCCEEDED NetControl::InfoState
A rule was successfully added by a backend.
.. bro:enum:: NetControl::EXISTS NetControl::InfoState
A backend reported that a rule was already existing.
.. bro:enum:: NetControl::FAILED NetControl::InfoState
A rule addition failed.
.. bro:enum:: NetControl::REMOVED NetControl::InfoState
A rule was successfully removed by a backend.
.. bro:enum:: NetControl::TIMEOUT NetControl::InfoState
A rule timeout was triggered by the NetControl framework or a backend.
State of an entry in the NetControl log.
Events
######
.. bro:id:: NetControl::init
:Type: :bro:type:`event` ()
Event that is used to initialize plugins. Place all plugin initialization
related functionality in this event.
.. bro:id:: NetControl::init_done
:Type: :bro:type:`event` ()
Event that is raised once all plugins activated in ``NetControl::init``
have finished their initialization.
.. bro:id:: NetControl::log_netcontrol
:Type: :bro:type:`event` (rec: :bro:type:`NetControl::Info`)
Event that can be handled to access the :bro:type:`NetControl::Info`
record as it is sent on to the logging framework.
.. bro:id:: NetControl::rule_added
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`, p: :bro:type:`NetControl::PluginState`, msg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`)
Confirms that a rule was put in place by a plugin.
:r: The rule now in place.
:p: The state for the plugin that put it into place.
:msg: An optional informational message by the plugin.
.. bro:id:: NetControl::rule_destroyed
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`)
This event is raised when a rule is deleted from the NetControl framework,
because it is no longer in use. This can be caused by the fact that a rule
was removed by all plugins to which it was added, by the fact that it timed out
or due to rule errors.
To get the cause of a rule remove, catch the rule_removed, rule_timeout and
rule_error events.
.. bro:id:: NetControl::rule_error
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`, p: :bro:type:`NetControl::PluginState`, msg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`)
Reports an error when operating on a rule.
:r: The rule that encountered an error.
:p: The state for the plugin that reported the error.
:msg: An optional informational message by the plugin.
.. bro:id:: NetControl::rule_exists
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`, p: :bro:type:`NetControl::PluginState`, msg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`)
Signals that a rule that was supposed to be put in place was already
existing at the specified plugin. Rules that already have been existing
continue to be tracked like normal, but no timeout calls will be sent
to the specified plugins. Removal of the rule from the hardware can
still be forced by manually issuing a remove_rule call.
:r: The rule that was already in place.
:p: The plugin that reported that the rule already was in place.
:msg: An optional informational message by the plugin.
.. bro:id:: NetControl::rule_new
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`)
This event is raised when a new rule is created by the NetControl framework
due to a call to add_rule. From this moment, until the rule_destroyed event
is raised, the rule is tracked internally by the NetControl framework.
Note that this event does not mean that a rule was successfully added by
any backend; it just means that the rule has been accepted and addition
to the specified backend is queued. To get information when rules are actually
installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout
and rule_error events.
.. bro:id:: NetControl::rule_removed
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`, p: :bro:type:`NetControl::PluginState`, msg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`)
Reports that a plugin reports a rule was removed due to a
remove_rule function call.
:r: The rule now removed.
:p: The state for the plugin that had the rule in place and now
removed it.
:msg: An optional informational message by the plugin.
.. bro:id:: NetControl::rule_timeout
:Type: :bro:type:`event` (r: :bro:type:`NetControl::Rule`, i: :bro:type:`NetControl::FlowInfo`, p: :bro:type:`NetControl::PluginState`)
Reports that a rule was removed from a plugin due to a timeout.
:r: The rule now removed.
:i: Additional flow information, if supported by the protocol.
:p: The state for the plugin that had the rule in place and now
removed it.
:msg: An optional informational message by the plugin.
Hooks
#####
.. bro:id:: NetControl::rule_policy
:Type: :bro:type:`hook` (r: :bro:type:`NetControl::Rule`) : :bro:type:`bool`
Hook that allows the modification of rules passed to add_rule before they
are passed on to the plugins. If one of the hooks uses break, the rule is
ignored and not passed on to any plugin.
:r: The rule to be added.
Functions
#########
.. bro:id:: NetControl::activate
:Type: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, priority: :bro:type:`int`) : :bro:type:`void`
Activates a plugin.
:p: The plugin to activate.
:priority: The higher the priority, the earlier this plugin will be checked
whether it supports an operation, relative to other plugins.
.. bro:id:: NetControl::add_rule
:Type: :bro:type:`function` (r: :bro:type:`NetControl::Rule`) : :bro:type:`string`
Installs a rule.
:r: The rule to install.
:returns: If successful, returns an ID string unique to the rule that can
later be used to refer to it. If unsuccessful, returns an empty
string. The ID is also assigned to ``r$id``. Note that
"successful" means "a plugin knew how to handle the rule", it
doesn't necessarily mean that it was indeed successfully put in
place, because that might happen asynchronously and thus fail
only later.
.. bro:id:: NetControl::clear
:Type: :bro:type:`function` () : :bro:type:`void`
Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules.
.. bro:id:: NetControl::delete_rule
:Type: :bro:type:`function` (id: :bro:type:`string`, reason: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Deletes a rule without removing it from the backends to which it has been
added before. This means that no messages will be sent to the switches to which
the rule has been added; if it is not removed from them by a separate mechanism,
it will stay installed and not be removed later.
:id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`.
:reason: Optional string argument giving information on why the rule was deleted.
:returns: True if removal is successful, or sent to manager.
False if the rule could not be found.
.. bro:id:: NetControl::find_rules_addr
:Type: :bro:type:`function` (ip: :bro:type:`addr`) : :bro:type:`vector` of :bro:type:`NetControl::Rule`
Searches all rules affecting a certain IP address.
This function works on both the manager and workers of a cluster. Note that on
the worker, the internal rule variables (starting with _) will not reflect the
current state.
:ip: The ip address to search for.
:returns: vector of all rules affecting the IP address.
.. bro:id:: NetControl::find_rules_subnet
:Type: :bro:type:`function` (sn: :bro:type:`subnet`) : :bro:type:`vector` of :bro:type:`NetControl::Rule`
Searches all rules affecting a certain subnet.
A rule affects a subnet, if it covers the whole subnet. Note especially that
this function will not reveal all rules that are covered by a subnet.
For example, a search for 192.168.17.0/8 will reveal a rule that exists for
192.168.0.0/16, since this rule affects the subnet. However, it will not reveal
a more specific rule for 192.168.17.1/32, which does not directy affect the whole
subnet.
This function works on both the manager and workers of a cluster. Note that on
the worker, the internal rule variables (starting with _) will not reflect the
current state.
:sn: The subnet to search for.
:returns: vector of all rules affecting the subnet.
.. bro:id:: NetControl::plugin_activated
:Type: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`) : :bro:type:`void`
Function called by plugins once they finished their activation. After all
plugins defined in bro_init finished to activate, rules will start to be sent
to the plugins. Rules that scripts try to set before the backends are ready
will be discarded.
.. bro:id:: NetControl::quarantine_host
:Type: :bro:type:`function` (infected: :bro:type:`addr`, dns: :bro:type:`addr`, quarantine: :bro:type:`addr`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`vector` of :bro:type:`string`
Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining
the quarantine and a DNS server which resolves all requests to the quarantine server. DNS queries
from the host to the network DNS server will be rewritten and will be sent to the quarantine server
instead. Only http communication infected to quarantinehost is allowed. All other network communication
is blocked.
:infected: the host to quarantine.
:dns: the network dns server.
:quarantine: the quarantine server running a dns and a web server.
:t: how long to leave the quarantine in place.
:returns: Vector of inserted rules on success, empty list on failure.
.. bro:id:: NetControl::redirect_flow
:Type: :bro:type:`function` (f: :bro:type:`flow_id`, out_port: :bro:type:`count`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Redirects a uni-directional flow to another port.
:f: The flow to redirect.
:out_port: Port to redirect the flow to.
:t: How long to leave the redirect in place, with 0 being indefinitely.
:location: An optional string describing where the redirect was triggered.
:returns: The id of the inserted rule on success and zero on failure.
.. bro:id:: NetControl::remove_rule
:Type: :bro:type:`function` (id: :bro:type:`string`, reason: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Removes a rule.
:id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`.
:reason: Optional string argument giving information on why the rule was removed.
:returns: True if successful, the relevant plugin indicated that it knew
how to handle the removal. Note that again "success" means the
plugin accepted the removal. It might still fail to put it
into effect, as that might happen asynchronously and thus go
wrong at that point.
.. bro:id:: NetControl::whitelist_address
:Type: :bro:type:`function` (a: :bro:type:`addr`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Allows all traffic involving a specific IP address to be forwarded.
:a: The address to be whitelisted.
:t: How long to whitelist it, with 0 being indefinitely.
:location: An optional string describing whitelist was triddered.
:returns: The id of the inserted rule on success and zero on failure.
.. bro:id:: NetControl::whitelist_subnet
:Type: :bro:type:`function` (s: :bro:type:`subnet`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Allows all traffic involving a specific IP subnet to be forwarded.
:s: The subnet to be whitelisted.
:t: How long to whitelist it, with 0 being indefinitely.
:location: An optional string describing whitelist was triddered.
:returns: The id of the inserted rule on success and zero on failure.
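Review bot: several docstring defects in this removed page should not simply disappear with the move to zeek-docs but be fixed wherever the text is now maintained. ``NetControl::rule_timeout`` documents a ``:msg:`` parameter that is not in its signature ``(r, i, p)``. ``NetControl::redirect_flow``, ``NetControl::whitelist_address`` and ``NetControl::whitelist_subnet`` all say they return "zero on failure" although their return type is ``string``; ``NetControl::add_rule`` states the convention correctly as "returns an empty string". The ``:location:`` line of both whitelist functions reads "describing whitelist was triddered" and should read "describing where the whitelist was triggered", and ``find_rules_subnet`` has "directy" for "directly".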

@ -1,16 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/non-cluster.bro
==========================================
.. bro:namespace:: NetControl
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,137 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugin.bro
=====================================
.. bro:namespace:: NetControl
This file defines the plugin interface for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>`
Summary
~~~~~~~
Types
#####
======================================================= =====================================================
:bro:type:`NetControl::Plugin`: :bro:type:`record` Definition of a plugin.
:bro:type:`NetControl::PluginState`: :bro:type:`record` This record keeps the per instance state of a plugin.
======================================================= =====================================================
Redefinitions
#############
======================================================= ========================================================================
:bro:type:`NetControl::PluginState`: :bro:type:`record` Table for a plugin to store instance-specific configuration information.
======================================================= ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::Plugin
:Type: :bro:type:`record`
name: :bro:type:`function` (state: :bro:type:`NetControl::PluginState`) : :bro:type:`string`
Returns a descriptive name of the plugin instance, suitable for use in logging
messages. Note that this function is not optional.
can_expire: :bro:type:`bool`
If true, plugin can expire rules itself. If false, the NetControl
framework will manage rule expiration.
init: :bro:type:`function` (state: :bro:type:`NetControl::PluginState`) : :bro:type:`void` :bro:attr:`&optional`
One-time initialization function called when plugin gets registered, and
before any other methods are called.
If this function is provided, NetControl assumes that the plugin has to
perform, potentially lengthy, initialization before the plugin will become
active. In this case, the plugin has to call ``NetControl::plugin_activated``,
once initialization finishes.
done: :bro:type:`function` (state: :bro:type:`NetControl::PluginState`) : :bro:type:`void` :bro:attr:`&optional`
One-time finalization function called when a plugin is shutdown; no further
functions will be called afterwords.
add_rule: :bro:type:`function` (state: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`) : :bro:type:`bool` :bro:attr:`&optional`
Implements the add_rule() operation. If the plugin accepts the rule,
it returns true, false otherwise. The rule will already have its
``id`` field set, which the plugin may use for identification
purposes.
remove_rule: :bro:type:`function` (state: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`, reason: :bro:type:`string`) : :bro:type:`bool` :bro:attr:`&optional`
Implements the remove_rule() operation. This will only be called for
rules that the plugin has previously accepted with add_rule(). The
``id`` field will match that of the add_rule() call. Generally,
a plugin that accepts an add_rule() should also accept the
remove_rule().
Definition of a plugin.
Generally a plugin needs to implement only what it can support. By
returning failure, it indicates that it can't support something and
the framework will then try another plugin, if available; or inform the
that the operation failed. If a function isn't implemented by a plugin,
that's considered an implicit failure to support the operation.
If plugin accepts a rule operation, it *must* generate one of the reporting
events ``rule_{added,remove,error}`` to signal if it indeed worked out;
this is separate from accepting the operation because often a plugin
will only know later (i.e., asynchronously) if that was an error for
something it thought it could handle.
.. bro:type:: NetControl::PluginState
:Type: :bro:type:`record`
config: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string` :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
Table for a plugin to store custom, instance-specific state.
_id: :bro:type:`count` :bro:attr:`&optional`
Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
_priority: :bro:type:`int` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Set internally.
_activated: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Set internally. Signifies if the plugin has returned that it has activated successfully.
plugin: :bro:type:`NetControl::Plugin` :bro:attr:`&optional`
The plugin that the state belongs to. (Defined separately
because of cyclic type dependency.)
of_controller: :bro:type:`OpenFlow::Controller` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro` is loaded)
OpenFlow controller for NetControl OpenFlow plugin.
of_config: :bro:type:`NetControl::OfConfig` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro` is loaded)
OpenFlow configuration record that is passed on initialization.
broker_config: :bro:type:`NetControl::BrokerConfig` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro` is loaded)
OpenFlow controller for NetControl Broker plugin.
broker_id: :bro:type:`count` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro` is loaded)
The ID of this broker instance - for the mapping to PluginStates.
acld_config: :bro:type:`NetControl::AcldConfig` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro` is loaded)
acld_id: :bro:type:`count` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro` is loaded)
The ID of this acld instance - for the mapping to PluginStates.
This record keeps the per instance state of a plugin.
Individual plugins commonly extend this record to suit their needs.
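Review bot: the ``NetControl::PluginState`` field docs in this hunk carry two copy-paste gaps worth fixing at the new location: ``broker_config`` is described as "OpenFlow controller for NetControl Broker plugin" although its type is ``NetControl::BrokerConfig`` and it belongs to the Broker plugin, and ``acld_config`` has no description at all. In the ``NetControl::Plugin`` prose, "or inform the that the operation failed" is missing a noun (presumably "the caller"), "afterwords" should be "afterwards", and the reporting events are named ``rule_{added,remove,error}`` while the events defined in main.bro are ``rule_added``, ``rule_removed`` and ``rule_error``.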

@ -1,14 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/__load__.bro
===============================================
:Imports: :doc:`base/frameworks/netcontrol/plugins/acld.bro </scripts/base/frameworks/netcontrol/plugins/acld.bro>`, :doc:`base/frameworks/netcontrol/plugins/broker.bro </scripts/base/frameworks/netcontrol/plugins/broker.bro>`, :doc:`base/frameworks/netcontrol/plugins/debug.bro </scripts/base/frameworks/netcontrol/plugins/debug.bro>`, :doc:`base/frameworks/netcontrol/plugins/openflow.bro </scripts/base/frameworks/netcontrol/plugins/openflow.bro>`, :doc:`base/frameworks/netcontrol/plugins/packetfilter.bro </scripts/base/frameworks/netcontrol/plugins/packetfilter.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,162 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/acld.bro
===========================================
.. bro:namespace:: NetControl
Acld plugin for the netcontrol framework.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`, :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`
Summary
~~~~~~~
Types
#####
====================================================== =
:bro:type:`NetControl::AclRule`: :bro:type:`record`
:bro:type:`NetControl::AcldConfig`: :bro:type:`record`
====================================================== =
Redefinitions
#############
======================================================= =
:bro:type:`NetControl::PluginState`: :bro:type:`record`
======================================================= =
Events
######
========================================================== =======================================
:bro:id:`NetControl::acld_add_rule`: :bro:type:`event` Events that are sent from us to Broker.
:bro:id:`NetControl::acld_remove_rule`: :bro:type:`event`
:bro:id:`NetControl::acld_rule_added`: :bro:type:`event` Events that are sent from Broker to us.
:bro:id:`NetControl::acld_rule_error`: :bro:type:`event`
:bro:id:`NetControl::acld_rule_exists`: :bro:type:`event`
:bro:id:`NetControl::acld_rule_removed`: :bro:type:`event`
========================================================== =======================================
Hooks
#####
======================================================== ==============================================================
:bro:id:`NetControl::acld_rule_policy`: :bro:type:`hook` Hook that is called after a rule is converted to an acld rule.
======================================================== ==============================================================
Functions
#########
======================================================= =============================
:bro:id:`NetControl::create_acld`: :bro:type:`function` Instantiates the acld plugin.
======================================================= =============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::AclRule
:Type: :bro:type:`record`
command: :bro:type:`string`
cookie: :bro:type:`count`
arg: :bro:type:`string`
comment: :bro:type:`string` :bro:attr:`&optional`
.. bro:type:: NetControl::AcldConfig
:Type: :bro:type:`record`
acld_topic: :bro:type:`string`
The acld topic to send events to.
acld_host: :bro:type:`addr`
Broker host to connect to.
acld_port: :bro:type:`port`
Broker port to connect to.
monitor: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Do we accept rules for the monitor path? Default false.
forward: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Do we accept rules for the forward path? Default true.
check_pred: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`) : :bro:type:`bool` :bro:attr:`&optional`
Predicate that is called on rule insertion or removal.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
Events
######
.. bro:id:: NetControl::acld_add_rule
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, ar: :bro:type:`NetControl::AclRule`)
Events that are sent from us to Broker.
.. bro:id:: NetControl::acld_remove_rule
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, ar: :bro:type:`NetControl::AclRule`)
.. bro:id:: NetControl::acld_rule_added
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
Events that are sent from Broker to us.
.. bro:id:: NetControl::acld_rule_error
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::acld_rule_exists
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::acld_rule_removed
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
Hooks
#####
.. bro:id:: NetControl::acld_rule_policy
:Type: :bro:type:`hook` (p: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`, ar: :bro:type:`NetControl::AclRule`) : :bro:type:`bool`
Hook that is called after a rule is converted to an acld rule.
The hook may modify the rule before it is sent to acld.
Setting the acld command to F will cause the rule to be rejected
by the plugin.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:ar: The acld rule to be inserted or removed.
Functions
#########
.. bro:id:: NetControl::create_acld
:Type: :bro:type:`function` (config: :bro:type:`NetControl::AcldConfig`) : :bro:type:`NetControl::PluginState`
Instantiates the acld plugin.
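Review bot: the ``NetControl::acld_rule_policy`` description says "Setting the acld command to F will cause the rule to be rejected", but ``NetControl::AclRule::command`` is typed ``string``, so the rejection convention (an empty string, or a literal "F") needs to be stated precisely; a hook author who guesses wrong will silently send rules to acld that were meant to be dropped. The four ``AclRule`` fields (``command``, ``cookie``, ``arg``, ``comment``) have no descriptions, and ``acld_remove_rule``, ``acld_rule_error``, ``acld_rule_exists`` and ``acld_rule_removed`` are listed without any text, so a reader cannot tell which direction each travels except by position under the two "Events that are sent ..." lines.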

@ -1,129 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/broker.bro
=============================================
.. bro:namespace:: NetControl
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`, :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`
Summary
~~~~~~~
Types
#####
======================================================== ===============================================================================================
:bro:type:`NetControl::BrokerConfig`: :bro:type:`record` This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
======================================================== ===============================================================================================
Redefinitions
#############
======================================================= =
:bro:type:`NetControl::PluginState`: :bro:type:`record`
======================================================= =
Events
######
============================================================ =
:bro:id:`NetControl::broker_add_rule`: :bro:type:`event`
:bro:id:`NetControl::broker_remove_rule`: :bro:type:`event`
:bro:id:`NetControl::broker_rule_added`: :bro:type:`event`
:bro:id:`NetControl::broker_rule_error`: :bro:type:`event`
:bro:id:`NetControl::broker_rule_exists`: :bro:type:`event`
:bro:id:`NetControl::broker_rule_removed`: :bro:type:`event`
:bro:id:`NetControl::broker_rule_timeout`: :bro:type:`event`
============================================================ =
Functions
#########
========================================================= ===============================
:bro:id:`NetControl::create_broker`: :bro:type:`function` Instantiates the broker plugin.
========================================================= ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::BrokerConfig
:Type: :bro:type:`record`
topic: :bro:type:`string` :bro:attr:`&optional`
The broker topic to send events to.
host: :bro:type:`addr` :bro:attr:`&optional`
Broker host to connect to.
bport: :bro:type:`port` :bro:attr:`&optional`
Broker port to connect to.
monitor: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Do we accept rules for the monitor path? Default true.
forward: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Do we accept rules for the forward path? Default true.
check_pred: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`) : :bro:type:`bool` :bro:attr:`&optional`
Predicate that is called on rule insertion or removal.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
Events
######
.. bro:id:: NetControl::broker_add_rule
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`)
.. bro:id:: NetControl::broker_remove_rule
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, reason: :bro:type:`string`)
.. bro:id:: NetControl::broker_rule_added
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::broker_rule_error
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::broker_rule_exists
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::broker_rule_removed
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, msg: :bro:type:`string`)
.. bro:id:: NetControl::broker_rule_timeout
:Type: :bro:type:`event` (id: :bro:type:`count`, r: :bro:type:`NetControl::Rule`, i: :bro:type:`NetControl::FlowInfo`)
Functions
#########
.. bro:id:: NetControl::create_broker
:Type: :bro:type:`function` (config: :bro:type:`NetControl::BrokerConfig`, can_expire: :bro:type:`bool`) : :bro:type:`NetControl::PluginState`
Instantiates the broker plugin.
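Review bot: ``NetControl::create_broker`` takes a ``can_expire: bool`` argument that is not described anywhere in this page; given that ``NetControl::Plugin::can_expire`` in plugin.bro decides whether the plugin or the framework manages rule expiration, the function doc should state that this flag sets that field and what a remote Broker consumer must do when it is true. The seven ``broker_*`` events are also listed without descriptions, unlike the acld page, which at least marks which events go to Broker and which come back.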

@ -1,37 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/debug.bro
============================================
.. bro:namespace:: NetControl
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`, :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`
Summary
~~~~~~~
Functions
#########
======================================================== =========================================================
:bro:id:`NetControl::create_debug`: :bro:type:`function` Instantiates a debug plugin for the NetControl framework.
======================================================== =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: NetControl::create_debug
:Type: :bro:type:`function` (do_something: :bro:type:`bool`) : :bro:type:`NetControl::PluginState`
Instantiates a debug plugin for the NetControl framework. The debug
plugin simply logs the operations it receives.
:do_something: If true, the plugin will claim it supports all operations; if
false, it will indicate it doesn't support any.

@ -1,36 +0,0 @@
:orphan:
Package: base/frameworks/netcontrol/plugins
===========================================
Plugins for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.bro`
:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.bro`
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro`
OpenFlow plugin for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro`
NetControl plugin for the process-level PacketFilter that comes with
Bro. Since the PacketFilter in Bro is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`
Acld plugin for the netcontrol framework.

@ -1,158 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/openflow.bro
===============================================
.. bro:namespace:: NetControl
OpenFlow plugin for the NetControl framework.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`, :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
Summary
~~~~~~~
Redefinable Options
###################
======================================================================================= ===============================================================================
:bro:id:`NetControl::openflow_flow_timeout`: :bro:type:`interval` :bro:attr:`&redef` The time interval after we consider a flow timed out.
:bro:id:`NetControl::openflow_message_timeout`: :bro:type:`interval` :bro:attr:`&redef` The time interval after which an openflow message is considered to be timed out
and we delete it from our internal tracking.
======================================================================================= ===============================================================================
Types
#####
==================================================== =================================================================================================
:bro:type:`NetControl::OfConfig`: :bro:type:`record` This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
:bro:type:`NetControl::OfTable`: :bro:type:`record`
==================================================== =================================================================================================
Redefinitions
#############
======================================================= =
:bro:type:`NetControl::PluginState`: :bro:type:`record`
======================================================= =
Functions
#########
=========================================================== =============================================================
:bro:id:`NetControl::create_openflow`: :bro:type:`function` Instantiates an openflow plugin for the NetControl framework.
=========================================================== =============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: NetControl::openflow_flow_timeout
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 day``
The time interval after we consider a flow timed out. This should be fairly high (or
even disabled) if you expect a lot of long flows. However, one also will have state
buildup for quite a while if keeping this around...
.. bro:id:: NetControl::openflow_message_timeout
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``20.0 secs``
The time interval after which an openflow message is considered to be timed out
and we delete it from our internal tracking.
Types
#####
.. bro:type:: NetControl::OfConfig
:Type: :bro:type:`record`
monitor: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Accept rules that target the monitor path.
forward: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Accept rules that target the forward path.
idle_timeout: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Default OpenFlow idle timeout.
table_id: :bro:type:`count` :bro:attr:`&optional`
Default OpenFlow table ID.
priority_offset: :bro:type:`int` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
check_pred: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`) : :bro:type:`bool` :bro:attr:`&optional`
Predicate that is called on rule insertion or removal.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
match_pred: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, e: :bro:type:`NetControl::Entity`, m: :bro:type:`vector` of :bro:type:`OpenFlow::ofp_match`) : :bro:type:`vector` of :bro:type:`OpenFlow::ofp_match` :bro:attr:`&optional`
This predicate is called each time an OpenFlow match record is created.
The predicate can modify the match structure before it is sent on to the
device.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:m: The openflow match structures that were generated for this rules.
:returns: The modified OpenFlow match structures that will be used in place of the structures passed in m.
flow_mod_pred: :bro:type:`function` (p: :bro:type:`NetControl::PluginState`, r: :bro:type:`NetControl::Rule`, m: :bro:type:`OpenFlow::ofp_flow_mod`) : :bro:type:`OpenFlow::ofp_flow_mod` :bro:attr:`&optional`
This predicate is called before a FlowMod message is sent to the OpenFlow
device. It can modify the FlowMod message before it is passed on.
:p: Current plugin state.
:r: The rule to be inserted or removed.
:m: The OpenFlow FlowMod message.
:returns: The modified FlowMod message that is used in lieu of m.
This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
.. bro:type:: NetControl::OfTable
:Type: :bro:type:`record`
p: :bro:type:`NetControl::PluginState`
r: :bro:type:`NetControl::Rule`
c: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
packet_count: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
byte_count: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
duration_sec: :bro:type:`double` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`
Functions
#########
.. bro:id:: NetControl::create_openflow
:Type: :bro:type:`function` (controller: :bro:type:`OpenFlow::Controller`, config: :bro:type:`NetControl::OfConfig` :bro:attr:`&default` = ``[]`` :bro:attr:`&optional`) : :bro:type:`NetControl::PluginState`
Instantiates an openflow plugin for the NetControl framework.
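Review bot: the `match_pred` field of `NetControl::OfConfig` in this hunk documents a parameter `:r: The rule to be inserted or removed.` that does not exist in its signature (the second argument is `e: NetControl::Entity`), and the following line reads `:m: The openflow match structures that were generated for this rules.` Because this file is generated from the `##` comments of the script that defines `NetControl::create_openflow`, deleting it here does not correct either problem; they will reappear wherever the docs are regenerated. Suggest fixing the source comment to document `e` as the entity the match structures are built for and to read "for this rule", and likewise tightening `openflow_flow_timeout`'s "The time interval after we consider a flow timed out" to "after which".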

@ -1,34 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/packetfilter.bro
===================================================
.. bro:namespace:: NetControl
NetControl plugin for the process-level PacketFilter that comes with
Bro. Since the PacketFilter in Bro is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>`
Summary
~~~~~~~
Functions
#########
=============================================================== =====================================
:bro:id:`NetControl::create_packetfilter`: :bro:type:`function` Instantiates the packetfilter plugin.
=============================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: NetControl::create_packetfilter
:Type: :bro:type:`function` () : :bro:type:`NetControl::PluginState`
Instantiates the packetfilter plugin.
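Review bot: the module docstring in this hunk states the same limitation twice within four lines (`Since the PacketFilter in Bro is quite limited in scope` followed by `this is quite limited in scope at the moment`); since the text comes from the plugin script's own comment, suggest collapsing it there to a single sentence, e.g. "Since Bro's PacketFilter can only add/remove filters for addresses, this plugin is correspondingly limited at the moment", so the regenerated docs do not carry the repetition.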

@ -1,93 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/shunt.bro
====================================
.. bro:namespace:: NetControl
Implementation of the shunt functionality for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>`
Summary
~~~~~~~
Types
#####
===================================================== =
:bro:type:`NetControl::ShuntInfo`: :bro:type:`record`
===================================================== =
Redefinitions
#############
===================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
===================================== =
Events
######
============================================================= =========================================================================
:bro:id:`NetControl::log_netcontrol_shunt`: :bro:type:`event` Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
============================================================= =========================================================================
Functions
#########
====================================================== =========================================================
:bro:id:`NetControl::shunt_flow`: :bro:type:`function` Stops forwarding a uni-directional flow's packets to Bro.
====================================================== =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NetControl::ShuntInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time at which the recorded activity occurred.
rule_id: :bro:type:`string` :bro:attr:`&log`
ID of the rule; unique during each Bro run.
f: :bro:type:`flow_id` :bro:attr:`&log`
Flow ID of the shunted flow.
expire: :bro:type:`interval` :bro:attr:`&log`
Expiry time of the shunt.
location: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Location where the underlying action was triggered.
Events
######
.. bro:id:: NetControl::log_netcontrol_shunt
:Type: :bro:type:`event` (rec: :bro:type:`NetControl::ShuntInfo`)
Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
Functions
#########
.. bro:id:: NetControl::shunt_flow
:Type: :bro:type:`function` (f: :bro:type:`flow_id`, t: :bro:type:`interval`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`string`
Stops forwarding a uni-directional flow's packets to Bro.
:f: The flow to shunt.
:t: How long to leave the shunt in place, with 0 being indefinitely.
:location: An optional string describing where the shunt was triggered.
:returns: The id of the inserted rule on success and zero on failure.
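Review bot: the `:returns:` line of `NetControl::shunt_flow` in this hunk, `The id of the inserted rule on success and zero on failure.`, contradicts the declared return type `:bro:type:\`string\`` on the `:Type:` line above it; a string-valued function cannot return zero. The generated page is only the symptom, so suggest correcting the `##` comment in the shunt script to name the actual failure value for a string return (the `rule_id`/`id` string convention elsewhere on this page suggests an empty string, but the script should be checked) before the docs are regenerated.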

@ -1,296 +0,0 @@
:tocdepth: 3
base/frameworks/netcontrol/types.bro
====================================
.. bro:namespace:: NetControl
This file defines the types that are used by the NetControl framework.
The most important type defined in this file is :bro:see:`NetControl::Rule`,
which is used to describe all rules that can be expressed by the NetControl framework.
:Namespace: NetControl
Summary
~~~~~~~
Runtime Options
###############
========================================================================== ======================================================
:bro:id:`NetControl::default_priority`: :bro:type:`int` :bro:attr:`&redef` The default priority that is used when creating rules.
========================================================================== ======================================================
Redefinable Options
###################
============================================================================ ====================================================================================
:bro:id:`NetControl::whitelist_priority`: :bro:type:`int` :bro:attr:`&redef` The default priority that is used when using the high-level functions to
push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and
:bro:see:`NetControl::whitelist_subnet`).
============================================================================ ====================================================================================
Types
#####
==================================================== ====================================================================================================
:bro:type:`NetControl::Entity`: :bro:type:`record` Type defining the entity a rule is operating on.
:bro:type:`NetControl::EntityType`: :bro:type:`enum` Type defining the entity that a rule applies to.
:bro:type:`NetControl::Flow`: :bro:type:`record` Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify
a uni-directional flow that a rule applies to.
:bro:type:`NetControl::FlowInfo`: :bro:type:`record` Information of a flow that can be provided by switches when the flow times out.
:bro:type:`NetControl::FlowMod`: :bro:type:`record` Type for defining a flow modification action.
:bro:type:`NetControl::Rule`: :bro:type:`record` A rule for the framework to put in place.
:bro:type:`NetControl::RuleType`: :bro:type:`enum` Type of rules that the framework supports.
:bro:type:`NetControl::TargetType`: :bro:type:`enum` Type defining the target of a rule.
==================================================== ====================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: NetControl::default_priority
:Type: :bro:type:`int`
:Attributes: :bro:attr:`&redef`
:Default: ``0``
The default priority that is used when creating rules.
Redefinable Options
###################
.. bro:id:: NetControl::whitelist_priority
:Type: :bro:type:`int`
:Attributes: :bro:attr:`&redef`
:Default: ``5``
The default priority that is used when using the high-level functions to
push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and
:bro:see:`NetControl::whitelist_subnet`).
Note that this priority is not automatically used when manually creating rules
that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`.
Types
#####
.. bro:type:: NetControl::Entity
:Type: :bro:type:`record`
ty: :bro:type:`NetControl::EntityType`
Type of entity.
conn: :bro:type:`conn_id` :bro:attr:`&optional`
Used with :bro:enum:`NetControl::CONNECTION`.
flow: :bro:type:`NetControl::Flow` :bro:attr:`&optional`
Used with :bro:enum:`NetControl::FLOW`.
ip: :bro:type:`subnet` :bro:attr:`&optional`
Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
mac: :bro:type:`string` :bro:attr:`&optional`
Used with :bro:enum:`NetControl::MAC`.
Type defining the entity a rule is operating on.
.. bro:type:: NetControl::EntityType
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::ADDRESS NetControl::EntityType
Activity involving a specific IP address.
.. bro:enum:: NetControl::CONNECTION NetControl::EntityType
Activity involving all of a bi-directional connection's activity.
.. bro:enum:: NetControl::FLOW NetControl::EntityType
Activity involving a uni-directional flow's activity. Can contain wildcards.
.. bro:enum:: NetControl::MAC NetControl::EntityType
Activity involving a MAC address.
Type defining the entity that a rule applies to.
.. bro:type:: NetControl::Flow
:Type: :bro:type:`record`
src_h: :bro:type:`subnet` :bro:attr:`&optional`
The source IP address/subnet.
src_p: :bro:type:`port` :bro:attr:`&optional`
The source port number.
dst_h: :bro:type:`subnet` :bro:attr:`&optional`
The destination IP address/subnet.
dst_p: :bro:type:`port` :bro:attr:`&optional`
The destination port number.
src_m: :bro:type:`string` :bro:attr:`&optional`
The source MAC address.
dst_m: :bro:type:`string` :bro:attr:`&optional`
The destination MAC address.
Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify
a uni-directional flow that a rule applies to.
If optional fields are not set, they are interpreted as wildcarded.
.. bro:type:: NetControl::FlowInfo
:Type: :bro:type:`record`
duration: :bro:type:`interval` :bro:attr:`&optional`
Total duration of the rule.
packet_count: :bro:type:`count` :bro:attr:`&optional`
Number of packets exchanged over connections matched by the rule.
byte_count: :bro:type:`count` :bro:attr:`&optional`
Total bytes exchanged over connections matched by the rule.
Information of a flow that can be provided by switches when the flow times out.
Currently this is heavily influenced by the data that OpenFlow returns by default.
That being said - their design makes sense and this is probably the data one
can expect to be available.
.. bro:type:: NetControl::FlowMod
:Type: :bro:type:`record`
src_h: :bro:type:`addr` :bro:attr:`&optional`
The source IP address.
src_p: :bro:type:`count` :bro:attr:`&optional`
The source port number.
dst_h: :bro:type:`addr` :bro:attr:`&optional`
The destination IP address.
dst_p: :bro:type:`count` :bro:attr:`&optional`
The destination port number.
src_m: :bro:type:`string` :bro:attr:`&optional`
The source MAC address.
dst_m: :bro:type:`string` :bro:attr:`&optional`
The destination MAC address.
redirect_port: :bro:type:`count` :bro:attr:`&optional`
Type for defining a flow modification action.
.. bro:type:: NetControl::Rule
:Type: :bro:type:`record`
ty: :bro:type:`NetControl::RuleType`
Type of rule.
target: :bro:type:`NetControl::TargetType`
Where to apply rule.
entity: :bro:type:`NetControl::Entity`
Entity to apply rule to.
expire: :bro:type:`interval` :bro:attr:`&optional`
Timeout after which to expire the rule.
priority: :bro:type:`int` :bro:attr:`&default` = :bro:see:`NetControl::default_priority` :bro:attr:`&optional`
Priority if multiple rules match an entity (larger value is higher priority).
location: :bro:type:`string` :bro:attr:`&optional`
Optional string describing where/what installed the rule.
out_port: :bro:type:`count` :bro:attr:`&optional`
Argument for :bro:enum:`NetControl::REDIRECT` rules.
mod: :bro:type:`NetControl::FlowMod` :bro:attr:`&optional`
Argument for :bro:enum:`NetControl::MODIFY` rules.
id: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`
Internally determined unique ID for this rule. Will be set when added.
cid: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Internally determined unique numeric ID for this rule. Set when added.
_plugin_ids: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.bro` is loaded)
Internally set to the plugins handling the rule.
_active_plugin_ids: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.bro` is loaded)
Internally set to the plugins on which the rule is currently active.
_no_expire_plugins: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.bro` is loaded)
Internally set to plugins where the rule should not be removed upon timeout.
_added: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.bro` is loaded)
Track if the rule was added successfully by all responsible plugins.
A rule for the framework to put in place. Of all rules currently in
place, the first match will be taken, sorted by priority. All
further rules will be ignored.
.. bro:type:: NetControl::RuleType
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::DROP NetControl::RuleType
Stop forwarding all packets matching the entity.
No additional arguments.
.. bro:enum:: NetControl::MODIFY NetControl::RuleType
Modify all packets matching entity. The packets
will be modified according to the `mod` entry of
the rule.
.. bro:enum:: NetControl::REDIRECT NetControl::RuleType
Redirect all packets matching entity to a different switch port,
given in the `out_port` argument of the rule.
.. bro:enum:: NetControl::WHITELIST NetControl::RuleType
Whitelists all packets of an entity, meaning no restrictions will be applied.
While whitelisting is the default if no rule matches, this type can be
used to override lower-priority rules that would otherwise take effect for the
entity.
Type of rules that the framework supports. Each type lists the extra
:bro:type:`NetControl::Rule` fields it uses, if any.
Plugins may extend this type to define their own.
.. bro:type:: NetControl::TargetType
:Type: :bro:type:`enum`
.. bro:enum:: NetControl::FORWARD NetControl::TargetType
.. bro:enum:: NetControl::MONITOR NetControl::TargetType
Type defining the target of a rule.
Rules can either be applied to the forward path, affecting all network traffic, or
on the monitor path, only affecting the traffic that is sent to Bro. The second
is mostly used for shunting, which allows Bro to tell the networking hardware that
it wants to no longer see traffic that it identified as benign.
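Review bot: several documentation gaps in this hunk originate in the types script's comments and will survive the deletion of this generated file: `ip: subnet` in `NetControl::Entity` reads `Used with :bro:enum:\`NetControl::ADDRESS\` to specifiy a CIDR subnet.` (typo), `redirect_port` in `NetControl::FlowMod` has no description at all, and the `NetControl::FORWARD` and `NetControl::MONITOR` values of `NetControl::TargetType` carry no per-value text even though the type's closing paragraph explains both paths. Suggest adding the missing `##` comments at the source (e.g. "Switch port to redirect matching packets to" for `redirect_port`, and one line each for the forward and monitor path) so the relocated docs are complete when regenerated.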