mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
2233521de7
BIT-1550 #merged * origin/topic/johanna/netcontrol: (72 commits) Update baselines and news Move prefixtable back to all IPv6 internal handling. NetControl: Add functions to search for rules affecting IPs/subnets Add check_subnet bif that allows exact membership test for subnet tables. Rewrite internal handling of rules. Add bif that allows searching for all matching subnets in table. Add signaling of succesful initialization of plugins to NetControl. Add rule hooks to the acld plugin. Add new logfiles for shunting and drops to netcontrol Extend NetControl logging and fix bugs. Update OpenFlow API and events. small acld plugin fix Revert "introduce &weaken attribute" Fix crash when printing type of recursive structures. Testcase for crash when a record contains a function referencing a record. Rename Pacf to NetControl fix acld plugin to use address instead of subnet (and add functions for conversion) implement quarantine miscelaneous missing bits and pieces Acld implementation for Pacf - Bro side. ...
69 lines
1.8 KiB
Text
69 lines
1.8 KiB
Text
##! Implementation of the shunt functionality for NetControl.
|
|
|
|
module NetControl;
|
|
|
|
@load ./main
|
|
|
|
export {
|
|
redef enum Log::ID += { SHUNT };
|
|
|
|
## Stops forwarding a uni-directional flow's packets to Bro.
|
|
##
|
|
## f: The flow to shunt.
|
|
##
|
|
## t: How long to leave the shunt in place, with 0 being indefinitly.
|
|
##
|
|
## location: An optional string describing where the shunt was triggered.
|
|
##
|
|
## Returns: The id of the inserted rule on succes and zero on failure.
|
|
global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string;
|
|
|
|
type ShuntInfo: record {
|
|
## Time at which the recorded activity occurred.
|
|
ts: time &log;
|
|
## ID of the rule; unique during each Bro run
|
|
rule_id: string &log;
|
|
## Flow ID of the shunted flow
|
|
f: flow_id &log;
|
|
## Expiry time of the shunt
|
|
expire: interval &log;
|
|
## Location where the underlying action was triggered.
|
|
location: string &log &optional;
|
|
};
|
|
|
|
## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
|
|
## record as it is sent on to the logging framework.
|
|
global log_netcontrol_shunt: event(rec: ShuntInfo);
|
|
}
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
|
|
}
|
|
|
|
function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
|
|
{
|
|
local flow = NetControl::Flow(
|
|
$src_h=addr_to_subnet(f$src_h),
|
|
$src_p=f$src_p,
|
|
$dst_h=addr_to_subnet(f$dst_h),
|
|
$dst_p=f$dst_p
|
|
);
|
|
local e: Entity = [$ty=FLOW, $flow=flow];
|
|
local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
|
|
|
|
local id = add_rule(r);
|
|
|
|
# Error should already be logged
|
|
if ( id == "" )
|
|
return id;
|
|
|
|
local log = ShuntInfo($ts=network_time(), $rule_id=id, $f=f, $expire=t);
|
|
if ( location != "" )
|
|
log$location=location;
|
|
|
|
Log::write(SHUNT, log);
|
|
|
|
return id;
|
|
}
|
|
|