mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
a994be9eeb
* origin/topic/seth/zeek_init: Some more testing fixes. Update docs and tests for bro_(init|done) -> zeek_(init|done) Implement the zeek_init handler.
110 lines
3.2 KiB
Text
110 lines
3.2 KiB
Text
##! Implementation of the drop functionality for NetControl.
|
|
|
|
module NetControl;
|
|
|
|
@load ./main
|
|
|
|
export {
|
|
redef enum Log::ID += { DROP };
|
|
|
|
## Stops all packets involving an IP address from being forwarded.
|
|
##
|
|
## a: The address to be dropped.
|
|
##
|
|
## t: How long to drop it, with 0 being indefinitely.
|
|
##
|
|
## location: An optional string describing where the drop was triggered.
|
|
##
|
|
## Returns: The id of the inserted rule on success and zero on failure.
|
|
global drop_address: function(a: addr, t: interval, location: string &default="") : string;
|
|
|
|
## Stops all packets involving a connection address from being forwarded.
|
|
##
|
|
## c: The connection to be dropped.
|
|
##
|
|
## t: How long to drop it, with 0 being indefinitely.
|
|
##
|
|
## location: An optional string describing where the drop was triggered.
|
|
##
|
|
## Returns: The id of the inserted rule on success and zero on failure.
|
|
global drop_connection: function(c: conn_id, t: interval, location: string &default="") : string;
|
|
|
|
type DropInfo: record {
|
|
## Time at which the recorded activity occurred.
|
|
ts: time &log;
|
|
## ID of the rule; unique during each Bro run.
|
|
rule_id: string &log;
|
|
orig_h: addr &log; ##< The originator's IP address.
|
|
orig_p: port &log &optional; ##< The originator's port number.
|
|
resp_h: addr &log &optional; ##< The responder's IP address.
|
|
resp_p: port &log &optional; ##< The responder's port number.
|
|
## Expiry time of the shunt.
|
|
expire: interval &log;
|
|
## Location where the underlying action was triggered.
|
|
location: string &log &optional;
|
|
};
|
|
|
|
## Hook that allows the modification of rules passed to drop_* before they
|
|
## are passed on. If one of the hooks uses break, the rule is ignored.
|
|
##
|
|
## r: The rule to be added.
|
|
global NetControl::drop_rule_policy: hook(r: Rule);
|
|
|
|
## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
|
|
## record as it is sent on to the logging framework.
|
|
global log_netcontrol_drop: event(rec: DropInfo);
|
|
}
|
|
|
|
event zeek_init() &priority=5
|
|
{
|
|
Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
|
|
}
|
|
|
|
function drop_connection(c: conn_id, t: interval, location: string &default="") : string
|
|
{
|
|
local e: Entity = [$ty=CONNECTION, $conn=c];
|
|
local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
|
|
|
|
if ( ! hook NetControl::drop_rule_policy(r) )
|
|
return "";
|
|
|
|
local id = add_rule(r);
|
|
|
|
# Error should already be logged
|
|
if ( id == "" )
|
|
return id;
|
|
|
|
local log = DropInfo($ts=network_time(), $rule_id=id, $orig_h=c$orig_h, $orig_p=c$orig_p, $resp_h=c$resp_h, $resp_p=c$resp_p, $expire=t);
|
|
|
|
if ( location != "" )
|
|
log$location=location;
|
|
|
|
Log::write(DROP, log);
|
|
|
|
return id;
|
|
}
|
|
|
|
function drop_address(a: addr, t: interval, location: string &default="") : string
|
|
{
|
|
local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
|
|
local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
|
|
|
|
if ( ! hook NetControl::drop_rule_policy(r) )
|
|
return "";
|
|
|
|
local id = add_rule(r);
|
|
|
|
# Error should already be logged
|
|
if ( id == "" )
|
|
return id;
|
|
|
|
local log = DropInfo($ts=network_time(), $rule_id=id, $orig_h=a, $expire=t);
|
|
|
|
if ( location != "" )
|
|
log$location=location;
|
|
|
|
Log::write(DROP, log);
|
|
|
|
return id;
|
|
}
|
|
|