Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Make Flow a separate, more flexible type in PACF.

Browse source 
This allows the use of wildcards, etc. in rules and removes the need
for a few entity types that were separate so far.
This commit is contained in:
Johanna Amann 2015-05-12 13:37:16 -07:00
parent a51ee45e05
commit ed65fdb6ba
6 changed files with 101 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/base/frameworks/pacf/main.bro
View file

@ -265,7 +265,7 @@ function entity_to_info(info: Info, e: Entity)
info$entity_type = fmt("%s", e$ty);
switch ( e$ty ) {
case ADDRESS, ORIGINATOR, RESPONDER:
case ADDRESS:
info$entity = fmt("%s", e$ip);
break;
@ -364,7 +364,13 @@ function drop_address(a: addr, t: interval, location: string &default="") : bool
function shunt_flow(f: flow_id, t: interval, location: string &default="") : bool
{
local e: Entity = [$ty=FLOW, $flow=f];
local flow = Pacf::Flow(
$src_h=addr_to_subnet(f$src_h),
$src_p=f$src_p,
$dst_h=addr_to_subnet(f$dst_h),
$dst_p=f$dst_p
);
local e: Entity = [$ty=FLOW, $flow=flow];
local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
local id = add_rule(r);