mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
496f6d4935
ACTION_DROP is not only part of catch-n-release subsystem. Also, historically ACTION_DROP has been bundled with ACTION_LOG, ACTION_ALARM, ACTION_EMAIL... and its helpful that this verb remains in base/frameworks/notice/main.zeek
31 lines
847 B
Text
31 lines
847 B
Text
##! This script extends the built in notice code to implement the IP address
|
|
##! dropping functionality.
|
|
|
|
@load base/frameworks/notice/main
|
|
@load base/frameworks/netcontrol
|
|
@load policy/frameworks/netcontrol/catch-and-release
|
|
|
|
module Notice;
|
|
|
|
export {
|
|
redef record Info += {
|
|
## Indicate if the $src IP address was dropped and denied
|
|
## network access.
|
|
dropped: bool &log &default=F;
|
|
};
|
|
}
|
|
|
|
hook notice(n: Notice::Info) &priority=-5
|
|
{
|
|
if ( ACTION_DROP in n$actions )
|
|
{
|
|
local ci = NetControl::get_catch_release_info(n$src);
|
|
if ( ci$watch_until == double_to_time(0) )
|
|
{
|
|
# we have not seen this one yet. Drop it.
|
|
local addl = n?$msg ? fmt("ACTION_DROP: %s", n?$msg) : "ACTION_DROP";
|
|
local res = NetControl::drop_address_catch_release(n$src, addl);
|
|
n$dropped = res$watch_until != double_to_time(0);
|
|
}
|
|
}
|
|
}
|