Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 04:58:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

NetControl: allow reasons in remove_rule calls.

Browse source 
This adds the capability for the user to attach a reason when removing
or destroying a rule. The message will both be logged in netcontrol.log
and forwarded to the responsible plugins.

Addresses BIT-1655
This commit is contained in:
Johanna Amann 2016-08-05 10:47:58 -07:00
parent 9d9c7bafd3
commit 4f1a2c7b62
21 changed files with 129 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

32
testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log
View file

@ -3,21 +3,21 @@
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2016-07-13-16-15-31
#open 2016-08-05-17-46-57
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
1468426531.690018 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
1468426531.690018 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
1468426531.690018 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1468426534.768038 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1468426534.768038 worker-1:2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1468426534.768038 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1468426534.768038 worker-1:2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1468426534.868423 worker-1:2 NetControl::RULE EXPIRE NetControl::TIMEOUT NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1468426534.868423 worker-1:2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1468426534.870147 worker-1:2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1468426536.256898 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1468426536.256898 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1468426536.256898 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: Debug-All
1468426536.256898 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: Debug-All
#close 2016-07-13-16-15-36
1470419217.355712 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
1470419217.355712 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
1470419217.355712 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1470419220.470685 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1470419220.470685 worker-1:2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1470419220.470685 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1470419220.470685 worker-1:2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1470419220.570873 worker-1:2 NetControl::RULE EXPIRE NetControl::TIMEOUT NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1470419220.570873 worker-1:2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1470419220.572465 worker-1:2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 - Debug-All
1470419221.963109 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - reason here 0 600.000000 - Debug-All
1470419221.963109 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 - Debug-All
1470419221.963109 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: Debug-All
1470419221.963109 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: Debug-All
#close 2016-08-05-17-47-02

22
testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log
View file

@ -3,16 +3,16 @@
#empty_field (empty)
#unset_field -
#path netcontrol_catch_release
#open 2016-07-13-16-15-34
#open 2016-08-05-17-47-19
#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message
#types time string addr enum interval interval time time count string string
1468426534.768038 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1468427134.768038 1468430134.768038 1 - -
1468426534.768038 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1468427134.768038 1468430134.768038 1 - -
1468426534.768038 worker-1:2 8.8.8.8 NetControl::ADDED 600.000000 3600.000000 - 1468430134.768038 1 - Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
1468426534.868423 worker-1:2 8.8.8.8 NetControl::UNBLOCK 600.000000 3600.000000 - 1468430134.768038 1 - -
1468426536.256898 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1468427134.768038 1468430134.768038 1 - Block seen while in rule_entities. No action taken.
1468426536.256898 2 192.168.18.50 NetControl::UNBLOCK 600.000000 3600.000000 1468427134.768038 1468430134.768038 1 - -
1468426536.256898 4 8.8.8.8 NetControl::SEEN_AGAIN 3600.000000 86400.000000 1468430136.256898 1468512936.256898 2 - -
1468426536.256898 4 8.8.8.8 NetControl::DROPPED 3600.000000 86400.000000 1468430136.256898 1468512936.256898 2 - -
1468426534.288954 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1468427134.768038 1468430134.768038 1 - Already blocked using catch-and-release - ignoring duplicate
#close 2016-07-13-16-15-36
1470419239.093089 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1470419839.093089 1470422839.093089 1 - -
1470419239.093089 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1470419839.093089 1470422839.093089 1 - -
1470419239.093089 worker-1:2 8.8.8.8 NetControl::ADDED 600.000000 3600.000000 - 1470422839.093089 1 - Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
1470419239.193930 worker-1:2 8.8.8.8 NetControl::UNBLOCK 600.000000 3600.000000 - 1470422839.093089 1 - -
1470419240.599721 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1470419839.093089 1470422839.093089 1 - Block seen while in rule_entities. No action taken.
1470419240.599721 2 192.168.18.50 NetControl::UNBLOCK 600.000000 3600.000000 1470419839.093089 1470422839.093089 1 - reason here
1470419240.599721 4 8.8.8.8 NetControl::SEEN_AGAIN 3600.000000 86400.000000 1470422840.599721 1470505640.599721 2 - -
1470419240.599721 4 8.8.8.8 NetControl::DROPPED 3600.000000 86400.000000 1470422840.599721 1470505640.599721 2 - -
1470419238.504810 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1470419839.093089 1470422839.093089 1 - Already blocked using catch-and-release - ignoring duplicate
#close 2016-08-05-17-47-20