
This does not really have many user-facing changes. The one big change is that users should now initialize plugins in the NetControl::init() event instead of bro_init. Once all plugins have finished initializing and the NetControl framework starts operating, the NetControl::init_done() event is raised. Rules that are sent to NetControl before the plugins have finished initializing are ignored - this is important when several plugins that require external connections have to be initialized at the beginning. Without this delay, rules could end up at the wrong plugin.
# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
# @TEST-EXEC: btest-diff netcontrol.log
@load base/frameworks/netcontrol
# Plugin setup lives in NetControl::init() rather than bro_init: rules sent to
# NetControl before every plugin has finished initializing are ignored.
event NetControl::init()
	{
	# Create the debug plugin and activate it at priority 0 in one step.
	NetControl::activate(NetControl::create_debug(T), 0);
	}
# For each established connection, issue one rule of every kind this test
# exercises: two flow rules with a 30sec expiry and two address rules with a
# 15sec expiry. The call order is kept as-is because it determines the order
# of entries in the netcontrol.log baseline.
event connection_established(c: connection)
	{
	local conn = c$id;

	# Flow rule, 30sec.
	NetControl::shunt_flow([
		$src_h=conn$orig_h, $src_p=conn$orig_p,
		$dst_h=conn$resp_h, $dst_p=conn$resp_p
	], 30sec);

	# Address rules, 15sec: a drop and a whitelist for the same originator.
	# That combination only makes sense in a test; both carry the expiry
	# that the rule_policy hook in this file rejects.
	NetControl::drop_address(conn$orig_h, 15sec);
	NetControl::whitelist_address(conn$orig_h, 15sec);

	# Flow rule, 30sec, redirecting to port 5.
	NetControl::redirect_flow([
		$src_h=conn$orig_h, $src_p=conn$orig_p,
		$dst_h=conn$resp_h, $dst_p=conn$resp_p
	], 5, 30sec);
	}
# Policy hook covering both outcomes a rule_policy handler can produce:
# rejecting a rule, or rewriting it before it is handed to the plugins.
hook NetControl::rule_policy(r: NetControl::Rule)
	{
	if ( r$expire != 15sec )
		{
		# In this test only the 30sec flow rules reach this branch, so
		# r$entity$flow is set. A hook meant for general use would check
		# r$entity?$flow before writing to it.
		# The rewrite widens the rule to match any source address; that is
		# deliberate for the test baseline, not a pattern for production
		# policy, where broadening a rule's scope needs explicit review.
		r$entity$flow$src_h = 0.0.0.0/0;
		}
	else
		{
		# break ends the hook early, which NetControl treats as a veto:
		# the rule (here, the two 15sec address rules) is not installed.
		break;
		}
	}