Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

add whitelist and redirect high-level functions

Browse source
This commit is contained in:
Johanna Amann 2015-06-01 15:57:58 -07:00
parent 2f1ebed2e9
commit ae18062761
5 changed files with 66 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

46
scripts/base/frameworks/pacf/main.bro
View file

@ -57,6 +57,30 @@ export {
## Returns: The id of the inserted rule on succes and zero on failure. ## Returns: The id of the inserted rule on succes and zero on failure.
global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string; global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string;
## Allows all traffic involving a specific IP address from being forwarded.
##
## a: The address to be whitelistet.
##
## t: How long to whitelist it, with 0 being indefinitly.
##
## location: An optional string describing where the drop was triggered.
##
## Returns: The id of the inserted rule on succes and zero on failure.
global whitelist_address: function(a: addr, t: interval, location: string &default="") : string;
## Redirects an uni-directional flow to another port.
##
## f: The flow to redirect.
##
## out_port: Port to redirect the flow to
##
## t: How long to leave the redirect in place, with 0 being indefinitly.
##
## location: An optional string describing where the shunt was triggered.
##
## Returns: The id of the inserted rule on succes and zero on failure.
global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string;
## Removes all rules for an entity. ## Removes all rules for an entity.
## ##
## e: The entity. Note that this will be directly to entities of existing ## e: The entity. Note that this will be directly to entities of existing
@ -293,6 +317,14 @@ function drop_address(a: addr, t: interval, location: string &default="") : stri
return add_rule(r); return add_rule(r);
} }
function whitelist_address(a: addr, t: interval, location: string &default="") : string
{
local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
return add_rule(r);
}
function shunt_flow(f: flow_id, t: interval, location: string &default="") : string function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
{ {
local flow = Pacf::Flow( local flow = Pacf::Flow(
@ -307,6 +339,20 @@ function shunt_flow(f: flow_id, t: interval, location: string &default="") : str
return add_rule(r); return add_rule(r);
} }
function redirect_flow(f: flow_id, out_port: count, t: interval, location: string &default="") : string
{
local flow = Pacf::Flow(
$src_h=addr_to_subnet(f$src_h),
$src_p=f$src_p,
$dst_h=addr_to_subnet(f$dst_h),
$dst_p=f$dst_p
);
local e: Entity = [$ty=FLOW, $flow=flow];
local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $c=out_port];
return add_rule(r);
}
function reset(e: Entity) function reset(e: Entity)
{ {
print "Pacf::reset not implemented yet"; print "Pacf::reset not implemented yet";

17
scripts/base/frameworks/pacf/types.bro
View file

@ -2,6 +2,9 @@
module Pacf; module Pacf;
export { export {
const default_priority: int = +0 &redef;
const whitelist_priority: int = +5 &redef;
## Type of a :bro:id:`Entity` for defining an action. ## Type of a :bro:id:`Entity` for defining an action.
type EntityType: enum { type EntityType: enum {
ADDRESS, ##< Activity involving a specific IP address. ADDRESS, ##< Activity involving a specific IP address.
@ -45,11 +48,6 @@ export {
## No arguments. ## No arguments.
DROP, DROP,
## Begin rate-limiting flows matching entity.
##
## d: Percent of available bandwidth.
LIMIT,
## Begin modifying all packets matching entity. ## Begin modifying all packets matching entity.
## ##
## .. todo:: ## .. todo::
@ -62,11 +60,6 @@ export {
## c: output port to redirect traffic to. ## c: output port to redirect traffic to.
REDIRECT, REDIRECT,
## Begin sampling all flows matching entity.
##
## d: Probability to include a flow between 0 and 1.
SAMPLE,
## Whitelists all packets of an entity, meaning no restrictions will be applied. ## Whitelists all packets of an entity, meaning no restrictions will be applied.
## While whitelisting is the default if no rule matches an this can type can be ## While whitelisting is the default if no rule matches an this can type can be
## used to override lower-priority rules that would otherwise take effect for the ## used to override lower-priority rules that would otherwise take effect for the
@ -93,7 +86,7 @@ export {
target: TargetType; ##< Where to apply rule. target: TargetType; ##< Where to apply rule.
entity: Entity; ##< Entity to apply rule to. entity: Entity; ##< Entity to apply rule to.
expire: interval &optional; ##< Timeout after which to expire the rule. expire: interval &optional; ##< Timeout after which to expire the rule.
priority: int &default=+0; ##< Priority if multiple rules match an entity (larger value is higher priority). priority: int &default=default_priority; ##< Priority if multiple rules match an entity (larger value is higher priority).
location: string &optional; ##< Optional string describing where/what installed the rule. location: string &optional; ##< Optional string describing where/what installed the rule.
c: count &optional; ##< Argument for rule types requiring an count argument. c: count &optional; ##< Argument for rule types requiring an count argument.
@ -115,6 +108,4 @@ export {
packet_count: count &optional; ##< number of packets exchanged over connections matched by the rule packet_count: count &optional; ##< number of packets exchanged over connections matched by the rule
byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule
}; };
} }

4
testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
View file

@ -1,5 +1,9 @@
pacf debug (Debug-All): init pacf debug (Debug-All): init
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1]
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1]
pacf debug (Debug-All): add_rule: [ty=Pacf::WHITELIST, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_id=1]
pacf debug (Debug-All): add_rule: [ty=Pacf::REDIRECT, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=5, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=5, cid=5, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1] pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::WHITELIST, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::REDIRECT, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=5, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=5, cid=5, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1] pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1]

12
testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log
View file

@ -3,16 +3,24 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path pacf #path pacf
#open 2015-05-28-23-57-41 #open 2015-06-01-22-57-07
#fields ts category cmd state action target entity_type entity msg location plugin #fields ts category cmd state action target entity_type entity msg location plugin
#types time enum string enum string enum string string string string string #types time enum string enum string enum string string string string string
0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All 0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::WHITELIST Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::WHITELIST Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::WHITELIST Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::WHITELIST Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::REDIRECT Pacf::FORWARD Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
#close 2015-05-28-23-57-41 #close 2015-06-01-22-57-07

2
testing/btest/scripts/base/frameworks/pacf/basic.bro
View file

@ -15,4 +15,6 @@ event connection_established(c: connection)
local id = c$id; local id = c$id;
Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec); Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
Pacf::drop_address(id$orig_h, 15sec); Pacf::drop_address(id$orig_h, 15sec);
Pacf::whitelist_address(id$orig_h, 15sec);
Pacf::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 30sec);
} }