NetControl: add catch and release event when IPs are forgotten.

This adds an event that is raised once Catch & Release ceases the block management for an IP address because the IP has not been seen in traffic during the watch interval. This allows users who use their own logic on the top of catch and release know when they will have to start re-blocking the IP if it occurs in traffic again.
2025-10-02 06:38:20 +00:00 · 2016-07-28 16:28:07 -04:00 · 2016-07-28 16:28:07 -04:00 · 4ad5d9073a
commit 4ad5d9073a
parent 743e563dd9
4 changed files with 53 additions and 0 deletions
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@ -125,6 +125,14 @@ export {
 	##          the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;

+	## Event is raised when catch and release cases management of an IP address because no
+	## activity was seen within the watch_until period.
+	##
+	## a: The address that is no longer being managed.
+	##
+	## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
+	global catch_release_forgotten: event(a: addr, bi: BlockInfo);
+
 	## If true, catch_release_seen is called on the connection originator in new_connection,
 	## connection_established, partial_connection, connection_attempt, connection_rejected,
 	## connection_reset and connection_pending
@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 		{
 		local log = populate_log_record(idx, t[idx], FORGOTTEN);
 		Log::write(CATCH_RELEASE, log);
+
+		event NetControl::catch_release_forgotten(idx, t[idx]);
 		}
@endif