NetControl: add catch and release event when IPs are forgotten.

This adds an event that is raised once Catch & Release ceases the block management for an IP address because the IP has not been seen in traffic during the watch interval. This allows users who use their own logic on the top of catch and release know when they will have to start re-blocking the IP if it occurs in traffic again.
2025-10-06 00:28:21 +00:00 · 2016-07-28 16:28:07 -04:00 · 2016-07-28 16:28:07 -04:00 · 4ad5d9073a
commit 4ad5d9073a
parent 743e563dd9
4 changed files with 53 additions and 0 deletions
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/netcontrol
+
+redef NetControl::catch_release_intervals = vector(1sec, 2sec, 2sec);
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global pc: count = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( ++pc == 1 )
+		NetControl::drop_address_catch_release(10.0.0.1);
+	}
+
+event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
+	{
+	print "Forgotten: ", a, bi;
+	}