diff --git a/scripts/base/frameworks/pacf/plugins/__load__.bro b/scripts/base/frameworks/pacf/plugins/__load__.bro
index 8eda6f9b97..f3468e0b83 100644
--- a/scripts/base/frameworks/pacf/plugins/__load__.bro
+++ b/scripts/base/frameworks/pacf/plugins/__load__.bro
@@ -1,2 +1,3 @@
 @load ./debug
 @load ./openflow
+@load ./packetfilter
diff --git a/scripts/base/frameworks/pacf/plugins/packetfilter.bro b/scripts/base/frameworks/pacf/plugins/packetfilter.bro
new file mode 100644
index 0000000000..dbf6ba1136
--- /dev/null
+++ b/scripts/base/frameworks/pacf/plugins/packetfilter.bro
@@ -0,0 +1,115 @@
+# PACF plugin for the PacketFilter handling that comes with
+# Bro. Since the PacketFilter in Bro is quite limited in scope
+# and can only add/remove filters for addresses, this is quite
+# limited in scope at the moment.
+
+module Pacf;
+
+export {
+ ## Instantiates the packetfilter plugin.
+ global create_packetfilter: function() : PluginState;
+}
+
+# Check if we can handle this rule. If it specifies ports or
+# anything Bro cannot handle, simply ignore it for now.
+function packetfilter_check_rule(r: Rule) : bool
+ {
+ if ( r$ty != DROP )
+ return F;
+
+ if ( r$target != MONITOR )
+ return F;
+
+ local e = r$entity;
+ if ( e$ty == ADDRESS )
+ return T;
+
+ if ( e$ty != FLOW ) # everything else requires ports or MAC stuff
+ return F;
+
+ if ( e$flow?$src_p || e$flow?$dst_p || e$flow?$src_m || e$flow?$dst_m )
+ return F;
+
+ return T;
+ }
+
+
+function packetfilter_add_rule(p: PluginState, r: Rule) : bool
+ {
+ if ( ! packetfilter_check_rule(r) )
+ return F;
+
+ local e = r$entity;
+ if ( e$ty == ADDRESS )
+ {
+ install_src_net_filter(e$ip, 0, 1.0);
+ install_dst_net_filter(e$ip, 0, 1.0);
+ return T;
+ }
+
+ if ( e$ty == FLOW )
+ {
+ local f = e$flow;
+ if ( f?$src_h )
+ install_src_net_filter(f$src_h, 0, 1.0);
+ if ( f?$dst_h )
+ install_dst_net_filter(f$dst_h, 0, 1.0);
+
+ return T;
+ }
+
+ return F;
+ }
+
+function packetfilter_remove_rule(p: PluginState, r: Rule) : bool
+ {
+ if ( ! packetfilter_check_rule(r) )
+ return F;
+
+ local e = r$entity;
+ if ( e$ty == ADDRESS )
+ {
+ uninstall_src_net_filter(e$ip);
+ uninstall_dst_net_filter(e$ip);
+ return T;
+ }
+
+ if ( e$ty == FLOW )
+ {
+ local f = e$flow;
+ if ( f?$src_h )
+ uninstall_src_net_filter(f$src_h);
+ if ( f?$dst_h )
+ uninstall_dst_net_filter(f$dst_h);
+
+ return T;
+ }
+
+ return F;
+ }
+
+function packetfilter_name(p: PluginState) : string
+ {
+ return "PACF plugin for the Bro packetfilter";
+ }
+
+global packetfilter_plugin = Plugin(
+ $name=packetfilter_name,
+ $can_expire = F,
+# $init = packetfilter_init,
+# $done = packetfilter_done,
+ $add_rule = packetfilter_add_rule,
+ $remove_rule = packetfilter_remove_rule
+# $add_notification = packetfilter_add_notification,
+# $remove_notification = packetfilter_remove_notification,
+# $transaction_begin = packetfilter_transaction_begin,
+# $transaction_end = packetfilter_transaction_end
+ );
+
+function create_packetfilter() : PluginState
+ {
+ local p: PluginState = [$plugin=packetfilter_plugin];
+
+ return p;
+ }
+
diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.pacf.packetfilter/conn.log
new file mode 100644
index 0000000000..1f51ecc2fd
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.packetfilter/conn.log
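Review bot: packetfilter_add_rule reports success without confirming that a filter was actually installed: the bool returned by install_src_net_filter/install_dst_net_filter is discarded on both the ADDRESS and FLOW branches, and a FLOW entity with neither src_h nor dst_h passes packetfilter_check_rule, skips both install calls and still returns T, so the framework would record a DROP rule that filters nothing. For the FLOW case I would extend packetfilter_check_rule with `if ( ! (e$flow?$src_h || e$flow?$dst_h) ) return F;` after the port/MAC test, and in packetfilter_add_rule propagate the install results, e.g. `local ok = install_src_net_filter(e$ip, 0, 1.0);` `ok = install_dst_net_filter(e$ip, 0, 1.0) && ok;` `return ok;` (the call goes first so `&&` cannot short-circuit it away). packetfilter_remove_rule has the same shape and presumably the same gap, although whether uninstall_*_net_filter reports failure I cannot tell from here. A second point worth a comment rather than code: two rules naming the same subnet share one underlying filter, so removing or expiring either rule appears to uninstall it for both unless the BIFs reference-count, which I would record on packetfilter_remove_rule as `# NOTE: filters are keyed by subnet, not by rule; removing one of two rules for the same subnet removes the filter for both.`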
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2015-05-12-22-11-25
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1254722767.492060 CXWv6p3arKYeMETxOg 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 (empty)
+1254722767.529046 CjhGID4nQcgTWjvg4c 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 (empty)
+1254722776.690444 CCvvfg3TEfuqmmG4bh 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty)
+#close 2015-05-12-22-11-25
diff --git a/testing/btest/scripts/base/frameworks/pacf/packetfilter.bro b/testing/btest/scripts/base/frameworks/pacf/packetfilter.bro
new file mode 100644
index 0000000000..9076fbbb1f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/pacf/packetfilter.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/frameworks/pacf
+
+event bro_init()
+ {
+ local pacf_packetfilter = Pacf::create_packetfilter();
+ Pacf::activate(pacf_packetfilter, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ local e = Pacf::Entity($ty=Pacf::ADDRESS, $ip=addr_to_subnet(c$id$orig_h));
+ local r = Pacf::Rule($ty=Pacf::DROP, $target=Pacf::MONITOR, $entity=e, $expire=10min);
+
+ Pacf::add_rule(r);
+ }
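Review bot: The test covers only the add path of the new plugin: the rule is created with `$expire=10min` against a trace far shorter than that and nothing removes it, so packetfilter_remove_rule and the uninstall_*_net_filter calls it wraps never execute under this baseline. The result of `Pacf::add_rule(r)` in connection_established is also dropped, so a rejected rule and an accepted one would be indistinguishable as long as conn.log happens to match; I would keep the returned value and print it, e.g. `print Pacf::add_rule(r);`, together with a second `# @TEST-EXEC: btest-diff .stdout` so acceptance becomes part of the baseline. A removal in a later event, or a short expiry followed by a scheduled check, would exercise the second half of the plugin; which Pacf call performs an explicit removal is not visible in this diff, so I have not quoted it.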