From 4ad5d9073a30e828d92f89d0f5d94f5e90a8da6e Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 28 Jul 2016 16:28:07 -0400
Subject: [PATCH] NetControl: add catch and release event when IPs are forgotten.

This adds an event that is raised once Catch & Release ceases the block management for an IP address because the IP has not been seen in traffic during the watch interval. This allows users who use their own logic on the top of catch and release know when they will have to start re-blocking the IP if it occurs in traffic again.
---
 .../netcontrol/catch-and-release.bro | 10 +++++++
 .../.stdout | 4 +++
 .../netcontrol_catch_release.log | 13 ++++++++++
 .../catch-and-release-forgotten.bro | 26 +++++++++++++++++++
 4 files changed, 53 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
 create mode 100644 testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro

diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro
index e9c1100887..4b99b70606 100644
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -125,6 +125,14 @@ export {
 ## the inserted block.
 global get_catch_release_info: function(a: addr) : BlockInfo;
 
+ ## Event is raised when catch and release cases management of an IP address because no
+ ## activity was seen within the watch_until period.
+ ##
+ ## a: The address that is no longer being managed.
+ ##
+ ## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
+ global catch_release_forgotten: event(a: addr, bi: BlockInfo);
+
 ## If true, catch_release_seen is called on the connection originator in new_connection,
 ## connection_established, partial_connection, connection_attempt, connection_rejected,
 ## connection_reset and connection_pending
@@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 {
 local log = populate_log_record(idx, t[idx], FORGOTTEN);
 Log::write(CATCH_RELEASE, log);
+
+ event NetControl::catch_release_forgotten(idx, t[idx]);
 }
 @endif
 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout
new file mode 100644
index 0000000000..b89aac45d2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/.stdout
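Review bot: The new doc comment on the event reads `## Event is raised when catch and release cases management of an IP address because no` — "cases" should be "ceases", and the sentence is clearer as `## Raised when catch and release ceases managing an IP address because no activity was seen before its watch_until time.` It would also help readers to spell out here what "no longer being managed" means operationally: once this fires, a later appearance of the address in traffic is not re-blocked automatically, so a script that wants continued enforcement has to install its own block. That is exactly the use case the commit message describes, and it belongs next to the declaration rather than only in the commit text.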
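Review bot: The new `event NetControl::catch_release_forgotten(idx, t[idx]);` line sits inside a conditional that closes with the `@endif` two lines below; its `@if` is outside the hunk, but if it is the guard that limits FORGOTTEN logging to a single node (the manager in a cluster), the event is raised only there and never on workers. A user script that re-blocks on this event from a worker would then never run and the address would stay unblocked, so the event's doc comment in the export block should state on which node it fires. Handlers should also work from the `bi` argument rather than calling `get_catch_release_info(a)` again, since the event is queued and the table entry is presumably gone by the time the handler executes. The enclosing per_block_interval begins before the hunk and appears to continue after the `@endif`.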
@@ -0,0 +1,4 @@
+netcontrol debug (Debug-All): init
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=10.0.0.1/32, mac=], expire=1.0 sec, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=10.0.0.1/32, mac=], expire=1.0 sec, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
+Forgotten: , 10.0.0.1, [block_until=1254722768.49206, watch_until=1254722769.49206, num_reblocked=0, current_interval=0, current_block_id=2, location=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
new file mode 100644
index 0000000000..2cef1845e1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path netcontrol_catch_release
+#open 2016-07-28-20-25-46
+#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message
+#types time string addr enum interval interval time time count string string
+1254722767.492060 2 10.0.0.1 NetControl::DROP 1.000000 2.000000 1254722768.492060 1254722769.492060 1 - -
+1254722767.492060 2 10.0.0.1 NetControl::DROPPED 1.000000 2.000000 1254722768.492060 1254722769.492060 1 - -
+1254722768.565386 2 10.0.0.1 NetControl::UNBLOCK 1.000000 2.000000 1254722768.492060 1254722769.492060 1 - -
+1437831776.764391 2 10.0.0.1 NetControl::FORGOTTEN 1.000000 2.000000 1254722768.492060 1254722769.492060 1 - -
+#close 2016-07-28-20-25-46
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
new file mode 100644
index 0000000000..dd5e71f1fe
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/netcontrol
+
+redef NetControl::catch_release_intervals = vector(1sec, 2sec, 2sec);
+
+event NetControl::init()
+ {
+ local netcontrol_debug = NetControl::create_debug(T);
+ NetControl::activate(netcontrol_debug, 0);
+ }
+
+global pc: count = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+ {
+ if ( ++pc == 1 )
+ NetControl::drop_address_catch_release(10.0.0.1);
+ }
+
+event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
+ {
+ print "Forgotten: ", a, bi;
+ }
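Review bot: The FORGOTTEN row in the baseline log carries `ts` 1437831776.764391, while every other row and the block_until/watch_until values printed to .stdout sit at trace time (1254722767–1254722769); the expiry path that raises the new event presumably fires after the trace is exhausted, when network_time is no longer driven by packets. Unless the tree's default canonifier strips the `ts` column, `# @TEST-EXEC: btest-diff netcontrol_catch_release.log` compares a value that can change between runs and the test would be flaky. Either pipe the log through `diff-remove-timestamps` explicitly in that line, or rely on the .stdout baseline, whose printed BlockInfo values are trace-derived and already show the address being forgotten after its watch_until. A one-line comment above the handler saying that the event is expected exactly once, after the 2 sec watch interval configured by the `redef`, would make the intent of the baseline obvious to the next person who has to update it.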