From 496f6d49359d7d3fade72908b427825f0cb35d94 Mon Sep 17 00:00:00 2001
From: Aashish Sharma
Date: Wed, 12 Aug 2020 10:13:27 -0700
Subject: [PATCH] Moved verb ACTION_DROP from policy/frameworks/netcontrol/catch-and-release.zeek to base/frameworks/notice/main.zeek. ACTION_DROP is not only part of catch-n-release subsystem. Also, historically ACTION_DROP has been bundled with ACTION_LOG, ACTION_ALARM, ACTION_EMAIL... and its helpful that this verb remains in base/frameworks/notice/main.zeek
---
 scripts/base/frameworks/notice/main.zeek | 4 ++++
 scripts/policy/frameworks/notice/actions/drop.zeek | 5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek
index f3bc6bc8df..70c19c5883 100644
--- a/scripts/base/frameworks/notice/main.zeek
+++ b/scripts/base/frameworks/notice/main.zeek
@@ -44,6 +44,10 @@ export {
 ## ASCII version of the alarm log is emailed in bulk to the
 ## address(es) configured in :zeek:id:`Notice::mail_dest`.
 ACTION_ALARM,
+ ## Indicates that the notice results in a drop action. A drop
+ ## action can be nullzero, acld drop or a filter as per
+ ## configured in :zeek:see:`NetControl::acld_rule_policy`.
+ ACTION_DROP,
 };

 ## Type that represents a set of actions.
diff --git a/scripts/policy/frameworks/notice/actions/drop.zeek b/scripts/policy/frameworks/notice/actions/drop.zeek
index 03862bac08..ad86c45a1c 100644
--- a/scripts/policy/frameworks/notice/actions/drop.zeek
+++ b/scripts/policy/frameworks/notice/actions/drop.zeek
@@ -8,11 +8,6 @@
 module Notice;

 export {
- redef enum Action += {
- ## Drops the address via :zeek:see:`NetControl::drop_address_catch_release`.
- ACTION_DROP
- };
-
 redef record Info += {
 ## Indicate if the $src IP address was dropped and denied
 ## network access.
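Review bot: With `ACTION_DROP` now declared in the base `Notice::Action` enum (main.zeek hunk), a notice policy that adds it will parse and run even when `policy/frameworks/notice/actions/drop.zeek` is not loaded, and as far as these hunks show nothing in base acts on it, so a notice could be recorded with a drop action while no NetControl rule is ever installed. Before this change the same omission failed at script load with an undefined identifier, which was the safer failure for a blocking control. The new doc comment should state the dependency, for example `## Takes effect only when policy/frameworks/notice/actions/drop is loaded; otherwise the action is ignored.`, and should keep the pointer to :zeek:see:`NetControl::drop_address_catch_release` that the removed comment carried, because the handler that consumes the action is outside this diff and the wording "nullzero, acld drop or a filter" cannot be checked against it here. The `export` block that holds the enum starts and ends outside the hunk.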