diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro
index e9c1100887..4b99b70606 100644
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -125,6 +125,14 @@ export {
 	## the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;
 
+	## Event is raised when catch and release cases management of an IP address because no
+	## activity was seen within the watch_until period.
+	##
+	## a: The address that is no longer being managed.
+	##
+	## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
+	global catch_release_forgotten: event(a: addr, bi: BlockInfo);
+
 	## If true, catch_release_seen is called on the connection originator in new_connection,
 	## connection_established, partial_connection, connection_attempt, connection_rejected,
 	## connection_reset and connection_pending
@@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 		{
 		local log = populate_log_record(idx, t[idx], FORGOTTEN);
 		Log::write(CATCH_RELEASE, log);
+
+		event NetControl::catch_release_forgotten(idx, t[idx]);
 		}
 @endif
 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout
new file mode 100644
index 0000000000..b89aac45d2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout
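Review bot: The new doc comment on `catch_release_forgotten` reads "when catch and release cases management of an IP address", which does not parse and looks like a typo for "ceases"; suggest `## Event is raised when catch and release ceases management of an IP address because no` with the following line unchanged. Since the second hunk raises this event from inside a conditional block (an `@endif` is the last context line there, its opening `@if` outside the hunk), the comment could also state on which node type the event is raised, which I cannot confirm from the visible lines; something like `## NOTE: only raised where the catch-and-release table is managed — confirm against the @if in per_block_interval.` The export block continues outside the hunk.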
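Review bot: `t[idx]` is now looked up twice on consecutive lines of `per_block_interval`, once for `populate_log_record` and once for the new event; binding it once makes it explicit that the log record and the event handlers see the same BlockInfo for an entry that is about to leave the table: `local bi = t[idx];`, `local log = populate_log_record(idx, bi, FORGOTTEN);`, `event NetControl::catch_release_forgotten(idx, bi);`. The function's start and the `@if` matching the trailing `@endif` are outside the hunk, so whether handlers can still observe the entry via `get_catch_release_info` at this point is not visible here; a one-line comment above the event stating that the entry is being expired would help handler authors.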
@@ -0,0 +1,4 @@
+netcontrol debug (Debug-All): init
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=10.0.0.1/32, mac=], expire=1.0 sec, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=10.0.0.1/32, mac=], expire=1.0 sec, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
+Forgotten: , 10.0.0.1, [block_until=1254722768.49206, watch_until=1254722769.49206, num_reblocked=0, current_interval=0, current_block_id=2, location=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
new file mode 100644
index 0000000000..2cef1845e1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol_catch_release
+#open	2016-07-28-20-25-46
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string
+1254722767.492060	2	10.0.0.1	NetControl::DROP	1.000000	2.000000	1254722768.492060	1254722769.492060	1	-	-
+1254722767.492060	2	10.0.0.1	NetControl::DROPPED	1.000000	2.000000	1254722768.492060	1254722769.492060	1	-	-
+1254722768.565386	2	10.0.0.1	NetControl::UNBLOCK	1.000000	2.000000	1254722768.492060	1254722769.492060	1	-	-
+1437831776.764391	2	10.0.0.1	NetControl::FORGOTTEN	1.000000	2.000000	1254722768.492060	1254722769.492060	1	-	-
+#close	2016-07-28-20-25-46
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
new file mode 100644
index 0000000000..dd5e71f1fe
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/netcontrol
+
+redef NetControl::catch_release_intervals = vector(1sec, 2sec, 2sec);
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global pc: count = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( ++pc == 1 )
+		NetControl::drop_address_catch_release(10.0.0.1);
+	}
+
+event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
+	{
+	print "Forgotten: ", a, bi;
+	}
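Review bot: The new test script has no comment saying what it checks, so the relationship between the shortened `catch_release_intervals`, the single `drop_address_catch_release` on the first packet and the expected `catch_release_forgotten` print has to be reverse-engineered from the baselines; a header such as `# Block 10.0.0.1 once at the first packet; with short block/watch intervals the watch period should run out without further activity, so NetControl::catch_release_forgotten must be raised exactly once.` would state the intent (the "exactly once" part is my inference from the baseline showing one Forgotten line — adjust if that is not the guarantee). As a point of style, `print "Forgotten: ", a, bi;` emits a stray `, ` after the label (visible in the .stdout baseline); `print fmt("Forgotten: %s %s", a, bi);` reads cleaner, at the cost of regenerating that baseline.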